WireGuard VPS 双网络接口允许所有流量到达两个不同的位置（对等点）

我在两个不同的地方（德国和法国）有两台 Raspberry Pi，我想用它们作为 VPN 服务器来从不同的设备访问互联网。

为了避免从本地路由器进行端口转发，我在 Azure 中设置了一个带有两个网络接口卡的 VPS（Debian），并为每个接口分配了一个公共 IP。我试图在 VPS 中设置两个 wireguard 接口，以便第一个接口wg0将所有流量路由到德国的 Raspberry Pi，第二个接口路由wg1到法国的 Raspberry Pi。

设置如下 -

• （设备 1..N）-> Azure VPS（公共 IP #1）（VNET：10.2.0.4/24）-> wg0（10.6.0.1）-> Raspberry Pi 德国（10.6.0.15）-> 互联网
• （设备 1..N）-> Azure VPS（公共 IP #2）（VNET：10.4.0.4/24）-> wg1（10.7.0.1）-> Raspberry Pi France（10.7.0.15）-> 互联网

VPS eth0

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 60:45:bd:0f:03:27 brd ff:ff:ff:ff:ff:ff
    inet 10.2.0.4/24 brd 10.2.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::6245:bdff:fe0f:327/64 scope link
       valid_lft forever preferred_lft forever

VPS eth1

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 60:45:bd:d2:5e:54 brd ff:ff:ff:ff:ff:ff
    inet 10.4.0.4/24 brd 10.4.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::6245:bdff:fed2:5e54/64 scope link
       valid_lft forever preferred_lft forever

互联网在第二个公共 IP（eth1）上无法正常工作，我按照这个指南操作 -https://www.thomas-krenn.com/en/wiki/Two_Default_Gateways_on_One_System让它发挥作用

cat /etc/iproute2/rt_tables

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
150 rt2

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.2.0.1        0.0.0.0         UG    0      0        0 eth0
10.2.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.4.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1

ip rule show

0:      from all lookup local
32764:  from all to 10.4.0.4 lookup rt2
32765:  from 10.4.0.4 lookup rt2
32766:  from all lookup main
32767:  from all lookup default

ip route show

default via 10.2.0.1 dev eth0
10.2.0.0/24 dev eth0 proto kernel scope link src 10.2.0.4
10.4.0.0/24 dev eth1 proto kernel scope link src 10.4.0.4

启动 wg0

VPS wg0 配置

[Interface]
PrivateKey = <Private Key>
Address = 10.6.0.1/24
ListenPort = 51820

### Route requests to Raspberry Pi Germany ###
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
PostUp = echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
PostUp = ip rule add not from 10.6.0.0/24 table main # This is needed to allow SSH access after enabling connection
PostUp = iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

### PostDown ###
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
PostDown = ip rule del not from 10.6.0.0/24 table main
PostDown = echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward

### begin Raspberry Pi Germany ###
[Peer]
PublicKey = <Public Key>
PresharedKey = <Private Key>
AllowedIPs = 10.6.0.15/32, 0.0.0.0/0
### end Raspberry Pi Germany ###

...

wg-quick up wg0

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.6.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
[#] echo 1 > /proc/sys/net/ipv4/ip_forward
[#] echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
[#] ip rule add not from 10.6.0.0/24 table main
[#] iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
[#] iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

ip route show

default via 10.2.0.1 dev eth0
10.2.0.0/24 dev eth0 proto kernel scope link src 10.2.0.4
10.4.0.0/24 dev eth1 proto kernel scope link src 10.4.0.4
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1

ip rule show

0:      from all lookup local
32761:  not from 10.6.0.0/24 lookup main
32762:  from all lookup main suppress_prefixlength 0
32763:  not from all fwmark 0xca6c lookup 51820
32764:  from all to 10.4.0.4 lookup rt2
32765:  from 10.4.0.4 lookup rt2
32766:  from all lookup main
32767:  from all lookup default

结果：来自我的设备的所有请求都已成功路由至 Raspberry Pi Germany

启动 wg1

VPS wg1 配置

[Interface]
PrivateKey = <Private Key>
Address = 10.7.0.1/24
ListenPort = 51821

PostUp = ip rule add not from 10.6.0.0/24 table main # This is needed to allow SSH access after enabling connection
PostUp = iptables -A FORWARD -i wg1 -o wg1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

PostDown = iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg1 -o wg1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
PostDown = ip rule del not from 10.6.0.0/24 table main

### begin Raspberry Pi France ###
[Peer]
PublicKey = <Public Key>
PresharedKey = <Private Key>
AllowedIPs = 10.7.0.15/32, 0.0.0.0/0
### end Raspberry Pi France ###

ip rule show
0:      from all lookup local
32758:  not from 10.6.0.0/24 lookup main
32759:  from all lookup main suppress_prefixlength 0
32760:  not from all fwmark 0xca6d lookup 51821
32761:  not from 10.6.0.0/24 lookup main
32763:  not from all fwmark 0xca6c lookup 51820
32764:  from all to 10.4.0.4 lookup rt2
32765:  from 10.4.0.4 lookup rt2
32766:  from all lookup main
32767:  from all lookup default

ip route show
default via 10.2.0.1 dev eth0
10.2.0.0/24 dev eth0 proto kernel scope link src 10.2.0.4
10.4.0.0/24 dev eth1 proto kernel scope link src 10.4.0.4
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1
10.7.0.0/24 dev wg1 proto kernel scope link src 10.7.0.1

结果：从我的设备连接wg0不再起作用，并且所有请求wg1现在都被路由到Azure Public IP #1

我是网络和 wireguard 的新手，不知道哪里出了问题。救命！

编辑：我找到了一个比每个 WireGuard 服务器使用一个网络接口更简单的解决方案。我最终使用以下方法设置了多个 WireGuard 服务器码头工人并将不同的 VPS 端口映射到每个容器。我发现这个关联有用。