I have two Raspberry Pis in two different locations (Germany and France), and I want to use them as VPN servers to access the internet from various devices.
To avoid port forwarding on the local routers, I set up a VPS (Debian) in Azure with two network interface cards and assigned a public IP to each interface. I am trying to set up two wireguard interfaces on the VPS so that the first interface, wg0, routes all traffic to the Raspberry Pi in Germany and the second interface, wg1, routes to the Raspberry Pi in France.
The setup is as follows -
- (Devices 1..N) -> Azure VPS (public IP #1) (VNET: 10.2.0.4/24) -> wg0 (10.6.0.1) -> Raspberry Pi Germany (10.6.0.15) -> Internet
- (Devices 1..N) -> Azure VPS (public IP #2) (VNET: 10.4.0.4/24) -> wg1 (10.7.0.1) -> Raspberry Pi France (10.7.0.15) -> Internet
VPS eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 60:45:bd:0f:03:27 brd ff:ff:ff:ff:ff:ff
inet 10.2.0.4/24 brd 10.2.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::6245:bdff:fe0f:327/64 scope link
valid_lft forever preferred_lft forever
VPS eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 60:45:bd:d2:5e:54 brd ff:ff:ff:ff:ff:ff
inet 10.4.0.4/24 brd 10.4.0.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::6245:bdff:fed2:5e54/64 scope link
valid_lft forever preferred_lft forever
The internet did not work properly on the second public IP (eth1), so I followed this guide - https://www.thomas-krenn.com/en/wiki/Two_Default_Gateways_on_One_System - to get it working
cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
150 rt2
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.2.0.1 0.0.0.0 UG 0 0 0 eth0
10.2.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.4.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
ip rule show
0: from all lookup local
32764: from all to 10.4.0.4 lookup rt2
32765: from 10.4.0.4 lookup rt2
32766: from all lookup main
32767: from all lookup default
ip route show
default via 10.2.0.1 dev eth0
10.2.0.0/24 dev eth0 proto kernel scope link src 10.2.0.4
10.4.0.0/24 dev eth1 proto kernel scope link src 10.4.0.4
Starting wg0
VPS wg0 config
[Interface]
PrivateKey = <Private Key>
Address = 10.6.0.1/24
ListenPort = 51820
### Route requests to Raspberry Pi Germany ###
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward
PostUp = echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
PostUp = ip rule add not from 10.6.0.0/24 table main # This is needed to allow SSH access after enabling connection
PostUp = iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
### PostDown ###
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
PostDown = ip rule del not from 10.6.0.0/24 table main
PostDown = echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward
### begin Raspberry Pi Germany ###
[Peer]
PublicKey = <Public Key>
PresharedKey = <Private Key>
AllowedIPs = 10.6.0.15/32, 0.0.0.0/0
### end Raspberry Pi Germany ###
...
wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.6.0.1/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
[#] echo 1 > /proc/sys/net/ipv4/ip_forward
[#] echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
[#] ip rule add not from 10.6.0.0/24 table main
[#] iptables -A FORWARD -i wg0 -o wg0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
[#] iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
ip route show
default via 10.2.0.1 dev eth0
10.2.0.0/24 dev eth0 proto kernel scope link src 10.2.0.4
10.4.0.0/24 dev eth1 proto kernel scope link src 10.4.0.4
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1
ip rule show
0: from all lookup local
32761: not from 10.6.0.0/24 lookup main
32762: from all lookup main suppress_prefixlength 0
32763: not from all fwmark 0xca6c lookup 51820
32764: from all to 10.4.0.4 lookup rt2
32765: from 10.4.0.4 lookup rt2
32766: from all lookup main
32767: from all lookup default
Result: all requests from my devices are successfully routed to Raspberry Pi Germany
Starting wg1
VPS wg1 config
[Interface]
PrivateKey = <Private Key>
Address = 10.7.0.1/24
ListenPort = 51821
PostUp = ip rule add not from 10.6.0.0/24 table main # This is needed to allow SSH access after enabling connection
PostUp = iptables -A FORWARD -i wg1 -o wg1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg1 -o wg1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
PostDown = ip rule del not from 10.6.0.0/24 table main
### begin Raspberry Pi France ###
[Peer]
PublicKey = <Public Key>
PresharedKey = <Private Key>
AllowedIPs = 10.7.0.15/32, 0.0.0.0/0
### end Raspberry Pi France ###
ip rule show
0: from all lookup local
32758: not from 10.6.0.0/24 lookup main
32759: from all lookup main suppress_prefixlength 0
32760: not from all fwmark 0xca6d lookup 51821
32761: not from 10.6.0.0/24 lookup main
32763: not from all fwmark 0xca6c lookup 51820
32764: from all to 10.4.0.4 lookup rt2
32765: from 10.4.0.4 lookup rt2
32766: from all lookup main
32767: from all lookup default
ip route show
default via 10.2.0.1 dev eth0
10.2.0.0/24 dev eth0 proto kernel scope link src 10.2.0.4
10.4.0.0/24 dev eth1 proto kernel scope link src 10.4.0.4
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1
10.7.0.0/24 dev wg1 proto kernel scope link src 10.7.0.1
Result: connecting from my devices through wg0 no longer works, and all requests through wg1 are now routed out via Azure Public IP #1
I am new to networking and wireguard and have no idea what went wrong. Help!
Edit: I found a simpler solution than using one network interface per WireGuard server. I ended up setting up multiple WireGuard servers using Docker and mapping different VPS ports to each container. I found this link useful.
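The rule evaluation behind the two results reported above, as an added example that is not part of the original post: a small Python model of Linux policy routing (rules walked in priority order, `not`, `from`/`to`, `fwmark` and `suppress_prefixlength` selectors, longest-prefix lookup in the selected table) loaded with the `ip rule show` and `ip route show` output posted after `wg-quick up wg0` and after `wg-quick up wg1`. The contents of table rt2 are not shown in the post and are assumed here to be what the linked Thomas-Krenn guide installs (`default via 10.4.0.1 dev eth1`); the `PER_SOURCE` rule set is a hypothetical alternative for comparison, not something the post contains. The local table (priority 0) and the empty default table are left out of the model.

```python
import ipaddress

# Routing tables from the post after `wg-quick up wg1`: (prefix, egress device).
# rt2 is not shown in the post; its contents are an ASSUMPTION following the
# Thomas-Krenn two-gateway guide the post links (default via 10.4.0.1 dev eth1).
TABLES = {
    "main": [("10.2.0.0/24", "eth0"), ("10.4.0.0/24", "eth1"),
             ("10.6.0.0/24", "wg0"), ("10.7.0.0/24", "wg1"),
             ("0.0.0.0/0", "eth0")],
    "rt2": [("10.4.0.0/24", "eth1"), ("0.0.0.0/0", "eth1")],   # assumed
    "51820": [("0.0.0.0/0", "wg0")],   # added by wg-quick for wg0
    "51821": [("0.0.0.0/0", "wg1")],   # added by wg-quick for wg1
}

# `ip rule show` after wg0 only (local/default tables omitted). "not" inverts
# the whole selector, exactly as `ip rule add not ...` does.
WG0_ONLY = [
    {"prio": 32761, "not": True, "from": "10.6.0.0/24", "table": "main"},
    {"prio": 32762, "table": "main", "suppress_prefixlength": 0},
    {"prio": 32763, "not": True, "fwmark": 0xCA6C, "table": "51820"},
    {"prio": 32764, "to": "10.4.0.4/32", "table": "rt2"},
    {"prio": 32765, "from": "10.4.0.4/32", "table": "rt2"},
    {"prio": 32766, "table": "main"},
]

# `ip rule show` after wg1 was also brought up.
POSTED = [
    {"prio": 32758, "not": True, "from": "10.6.0.0/24", "table": "main"},  # wg1 PostUp
    {"prio": 32759, "table": "main", "suppress_prefixlength": 0},
    {"prio": 32760, "not": True, "fwmark": 0xCA6D, "table": "51821"},
] + WG0_ONLY

# HYPOTHETICAL alternative (not from the post): one rule per source network and
# no catch-all fwmark rules (wg-quick would need `Table = off` to not add its own).
PER_SOURCE = [
    {"prio": 100, "from": "10.6.0.0/24", "table": "51820"},
    {"prio": 101, "from": "10.7.0.0/24", "table": "51821"},
    {"prio": 102, "from": "10.4.0.4/32", "table": "rt2"},
    {"prio": 32766, "table": "main"},
]


def lookup(table, dst):
    """Longest-prefix match in one table; returns (prefixlen, device) or None."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best


def route(rules, src, dst, fwmark=0):
    """Walk the rules in priority order like the kernel's FIB rule engine and
    return the egress device chosen for a packet, or None if nothing matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r["prio"]):
        selected = True
        if "from" in rule:
            selected &= src in ipaddress.ip_network(rule["from"])
        if "to" in rule:
            selected &= dst in ipaddress.ip_network(rule["to"])
        if "fwmark" in rule:
            selected &= fwmark == rule["fwmark"]
        if rule.get("not"):
            selected = not selected
        if not selected:
            continue
        result = lookup(rule["table"], dst)
        if result is None:
            continue  # no route in that table: fall through to the next rule
        # suppress_prefixlength N discards a match whose prefix length is <= N
        # and continues with the next rule (wg-quick uses N=0 to skip defaults).
        if result[0] <= rule.get("suppress_prefixlength", -1):
            continue
        return result[1]
    return None


def explain(rules):
    """Egress device for representative packets under one rule set."""
    cases = [
        ("wg0 client -> Internet", "10.6.0.20", "1.1.1.1", 0),
        ("wg1 client -> Internet", "10.7.0.20", "1.1.1.1", 0),
        ("VPS 10.4.0.4 -> Pi France endpoint", "10.4.0.4", "198.51.100.7", 0xCA6D),
        ("VPS 10.2.0.4 -> Pi Germany endpoint", "10.2.0.4", "198.51.100.8", 0xCA6C),
    ]
    return {name: route(rules, s, d, m) for name, s, d, m in cases}


if __name__ == "__main__":
    for label, rules in (("wg0 only", WG0_ONLY), ("wg0 + wg1 as posted", POSTED),
                         ("per-source (hypothetical)", PER_SOURCE)):
        print(label)
        for name, dev in explain(rules).items():
            print(f"  {name:38s} -> {dev}")
```

Running it reproduces the symptoms mechanically: with the wg0-only rules a client packet from 10.6.0.20 skips rule 32761, has its default route suppressed at 32762 and lands in table 51820, i.e. wg0. After wg1 is up, the first rule wg1 installed (`not from 10.6.0.0/24 lookup main`, priority 32758) matches everything from 10.7.0.0/24, and main's default route sends it out eth0, where the `-o eth0 MASQUERADE` rule puts it behind public IP #1; a packet from 10.6.0.0/24 is not caught by that rule, but the wg1 fwmark rule at 32760 is reached before wg0's at 32763, so it enters wg1 instead of wg0. The same model shows that packets the VPS itself sends from 10.4.0.4 also hit that rule before the `from 10.4.0.4 lookup rt2` rule at 32765. The hypothetical per-source rule set is only a sketch of the direction a fix would take; the post's author chose a different design in the end.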