IPv6 Wireguard ULA 路由

2024-10-28 • tag-icon

当两台设备都处于 NAT 连接时，我想在它们之间路由流量。它们都连接到 VPS 上的 wireguard VPN，但它们无法互相 ping 通。

在他们的 wireguard 接口上，我已将地址分配fd0d:87fa:c3bc:1::1给 VPS、fd0d:87fa:c3bc:5::1Alice 和fd0d:87fa:c3bc:6::1Bob。

路由表如下：

爱丽丝：

liam@alice# ip -6 route show dev wg0
fd0d:87fa:c3bc:1::/64 proto static metric 50 pref medium
fd0d:87fa:c3bc:5::/64 metric 1024 pref medium
fd0d:87fa:c3bc:6::/64 via fd0d:87fa:c3bc:1::1 metric 1024 pref medium
fe80::/64 proto kernel metric 50 pref medium
ff00::/8 metric 256 pref medium

鲍勃：

liam@bob# ip -6 route show dev wg0
fd0d:87fa:c3bc:1::/64 metric 1024 pref medium
fd0d:87fa:c3bc:5::/64 via fd0d:87fa:c3bc:1::1 metric 1024 pref medium
fd0d:87fa:c3bc:6::/64 proto kernel metric 256 pref medium

VPS：

liam@vps# ip -6 route show dev wg0
fd0d:87fa:c3bc:1::/64 proto kernel metric 256 pref medium
fd0d:87fa:c3bc:2::/64 metric 1024 pref medium
fd0d:87fa:c3bc:3::/64 metric 1024 pref medium
fd0d:87fa:c3bc:4::/64 metric 1024 pref medium
fd0d:87fa:c3bc:5::/64 metric 1024 pref medium
fd0d:87fa:c3bc:6::/64 metric 1024 pref medium

VPS 上启用了 IPv6 转发：

liam@vps# sysctl net.ipv6.conf.wg0.forwarding
net.ipv6.conf.wg0.forwarding = 1

并且所有 ip6tables 都为空，策略为 ACCEPT：

liam@{vps,alice,bob}# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Alice 和 Bob 可以 ping 通 VPS，但是他们无法互相 ping 通：

liam@alice# ping fd0d:87fa:c3bc:1::1
PING fd0d:87fa:c3bc:1::1(fd0d:87fa:c3bc:1::1) 56 data bytes
64 bytes from fd0d:87fa:c3bc:1::1: icmp_seq=1 ttl=64 time=31.8 ms
^C
liam@alice# ping fd0d:87fa:c3bc:6::1
PING fd0d:87fa:c3bc:6::1(fd0d:87fa:c3bc:6::1) 56 data bytes
From fd0d:87fa:c3bc:5::1 icmp_seq=1 Destination unreachable: Address unreachable

liam@bob# ping fd0d:87fa:c3bc:1::1
PING fd0d:87fa:c3bc:1::1(fd0d:87fa:c3bc:1::1) 56 data bytes
64 bytes from fd0d:87fa:c3bc:1::1: icmp_seq=1 ttl=64 time=58.3 ms
^C
liam@bob# ping fd0d:87fa:c3bc:5::1
PING fd0d:87fa:c3bc:5::1(fd0d:87fa:c3bc:5::1) 56 data bytes
From fd0d:87fa:c3bc:6::1 icmp_seq=1 Destination unreachable: Address unreachable

我错过了哪些步骤来让 IPv6 流量通过 wireguard 路由？

答案1

确保AllowedIPsVPS 的 wireguard 设置允许其他客户端的 IP 通过该接口。

将Alice 和 Bob 的 wireguard .conf 文件中以开头的行替换为-以开头的行：+

 [Peer]
 PublicKey = {redacted-vps-public-key}
-AllowedIPs = fd0d:87fa:c3bc:1::/64
+AllowedIPs = fd0d:87fa:c3bc::/48
 Endpoint = {vps-wireguard-uri}
 PersistentKeepalive = 60

答案1

相关内容