我遇到了一个非常奇怪的问题。我在 VPS 和我的 MacBook 上运行 WG。我在 Debian 主机上的 LinuxServer 容器上运行 WG。连接很好,速度很快,一切都运行良好。但我注意到,每隔一段时间(比如每 10-20 分钟)就会发生一次握手,然后我的互联网连接就会立即断开。我仍然可以访问内部服务,所以我知道我的 MacBook 仍然连接到服务器。在下一次握手之前,我无法访问互联网 16 秒,然后互联网会立即恢复。
在此期间,我监控了服务器,发现在下载种子时有很多kworker/1:1-wg-crypt-wg0进程在运行,而当这种情况发生时,所有这些进程都会被终止。这几乎就像服务器正在重新启动或 WG 正在重新启动一样,但我知道情况并非如此,因为我仍然可以访问内部容器,因此连接仍然存在,WG 没有中断。
我确实知道其他设备上仍然可以上网,所以这与 wireguard 有关。
不管我是在进行密集的网络操作(如下载种子)还是只是浏览网页,都会发生这种情况。看起来不是 VPS 丢失了连接。我一直在 ping google,当这种情况发生时,VPS 会继续 ping google,而我的 MacBook 无法 ping google
我正在寻求帮助,看看这可能是什么问题,我应该研究什么,以及我该如何处理这个问题……这可能与我的路由器有关吗?这可能是配置问题吗?
这是我的配置:
服务器
[Interface]
# Core settings
PrivateKey = xxxxx
Address = 10.6.0.0/24
# Misc. settings (optional)
ListenPort = 51820
# Interface hooks (optional)
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
MTU = 1400
#
# Peers
#
[Peer]
PublicKey = xxxxx
PresharedKey = xxxx
AllowedIPs = 10.6.0.2/32
PersistentKeepalive = 16
苹果笔记本
[Interface]
# Core settings
PrivateKey = xxxxx
Address = 10.6.0.2/32
# Misc. settings (optional)
DNS = xxxxx
MTU = 1400
[Peer]
PublicKey = xxxx
Endpoint = xxxx:51820
AllowedIPs = 10.6.0.1/32, 0.0.0.0/0
PresharedKey = xxxx
PersistentKeepalive = 16
更新:
这些是我在服务器端获取的日志modprobe wireguard。
Mar 16 13:55:54 [ +2.156106] wireguard: wg0: Receiving handshake initiation from peer 315 (<my-client-ip>:16235)
Mar 16 13:55:54 [ +0.000003] wireguard: wg0: Sending handshake response to peer 315 (<my-client-ip>)
Mar 16 13:55:54 [ +0.000165] wireguard: wg0: Keypair 10604 destroyed for peer 315
Mar 16 13:55:54 [ +0.000002] wireguard: wg0: Keypair 10606 created for peer 315
Mar 16 13:56:10 [ +2.451426] wireguard: wg0: Receiving handshake initiation from peer 315 (<my-client-ip>)
Mar 16 13:56:10 [ +0.000003] wireguard: wg0: Sending handshake response to peer 315 (<my-client-ip>)
Mar 16 13:56:10 [ +0.000185] wireguard: wg0: Keypair 10605 destroyed for peer 315
Mar 16 13:56:10 [ +0.000001] wireguard: wg0: Keypair 10607 created for peer 315
Mar 16 13:56:10 [ +0.161195] wireguard: wg0: Receiving keepalive packet from peer 315 (<my-client-ip>)
从客户端,ping google.com 来检查互联网连接
Mar 16 10:55:54 64 bytes from <google-ip>: icmp_seq=187 ttl=108 time=161.723 ms
Mar 16 10:55:56 Request timeout for icmp_seq 188
Mar 16 10:55:57 Request timeout for icmp_seq 189
Mar 16 10:55:58 Request timeout for icmp_seq 190
Mar 16 10:55:59 Request timeout for icmp_seq 191
Mar 16 10:56:00 Request timeout for icmp_seq 192
Mar 16 10:56:01 Request timeout for icmp_seq 193
Mar 16 10:56:02 Request timeout for icmp_seq 194
Mar 16 10:56:03 Request timeout for icmp_seq 195
Mar 16 10:56:04 Request timeout for icmp_seq 196
Mar 16 10:56:05 Request timeout for icmp_seq 197
Mar 16 10:56:06 Request timeout for icmp_seq 198
Mar 16 10:56:07 Request timeout for icmp_seq 199
Mar 16 10:56:08 Request timeout for icmp_seq 200
Mar 16 10:56:09 Request timeout for icmp_seq 201
Mar 16 10:56:10 Request timeout for icmp_seq 202
Mar 16 10:56:11 Request timeout for icmp_seq 203
Mar 16 10:56:11 64 bytes from <google-ip>: icmp_seq=204 ttl=108 time=161.172 ms
因此有两次成功的握手,但在这两次握手之间我无法访问网络
更新2:
设法在客户端 (macbook) 上获得一定程度的日志记录。通过运行
sudo LOG_LEVEL=verbose wg show
当 MacBook 接收握手响应并发起握手时,我会收到日志。
在这个新示例中,服务器记录:
~INTERNET GOES DOWN HERE~
Mar 16 16:47:09 [ +0.393175] wireguard: wg0: Receiving handshake initiation from peer 315 (<client-ip>)
Mar 16 16:47:09 [ +0.000003] wireguard: wg0: Sending handshake response to peer 315 (<client-ip>)
Mar 16 16:47:09 [ +0.000175] wireguard: wg0: Keypair 10790 destroyed for peer 315
Mar 16 16:47:09 [ +0.000001] wireguard: wg0: Keypair 10793 created for peer 315
Mar 16 16:47:09 [ +0.280476] wireguard: wg0: Receiving keepalive packet from peer 315 (<client-ip>)
~INTERNET GOES BACK UP RIGHT AFTER THE NEXT LINES~
Mar 16 16:47:25 [ +1.391045] wireguard: wg0: Receiving handshake initiation from peer 315 (<client-ip>)
Mar 16 16:47:25 [ +0.000003] wireguard: wg0: Sending handshake response to peer 315 (<client-ip>)
Mar 16 16:47:25 [ +0.000166] wireguard: wg0: Keypair 10792 destroyed for peer 315
Mar 16 16:47:25 [ +0.000002] wireguard: wg0: Keypair 10794 created for peer 315
Mar 16 16:47:25 [ +0.159758] wireguard: wg0: Receiving keepalive packet from peer 315 (<client-ip>)
在客户端我看到
DEBUG: (utun6) 2023/03/16 13:42:35 peer(xxxx) - Received handshake response
DEBUG: (utun6) 2023/03/16 13:42:35 peer(xxxx) - Sending keepalive packet
DEBUG: (utun6) 2023/03/16 13:44:35 peer(xxxx) - Sending handshake initiation
DEBUG: (utun6) 2023/03/16 13:44:35 peer(xxxx) - Received handshake response
DEBUG: (utun6) 2023/03/16 13:44:35 peer(xxxx) - Sending keepalive packet
DEBUG: (utun6) 2023/03/16 13:46:35 peer(xxxx) - Sending handshake initiation
DEBUG: (utun6) 2023/03/16 13:46:35 peer(xxxx) - Received handshake response
DEBUG: (utun6) 2023/03/16 13:46:35 peer(xxxx) - Sending keepalive packet
DEBUG: (utun6) 2023/03/16 13:47:24 peer(xxxx) - Retrying handshake because we stopped hearing back after 15 seconds
DEBUG: (utun6) 2023/03/16 13:47:24 peer(xxxx) - Sending handshake initiation
DEBUG: (utun6) 2023/03/16 13:47:24 peer(xxxx) - Received handshake response
DEBUG: (utun6) 2023/03/16 13:47:24 peer(xxxx) - Sending keepalive packet
我发现一个Retrying handshake because we stopped hearing back after 15 seconds有趣的原因是当互联网断线时。那么握手失败,客户端重试然后它就正常工作了?但为什么呢?
更新:
我发现握手端口故障发生了一些问题。
我watch wg show all在服务器上有一个,我可以看到我的 macbook 对等配置是<my-ip>:16918。每当握手失败并且我失去连接时,我都会在服务器端看到如下日志:
Mar 16 18:17:19 [ +1.217668] wireguard: wg0: Receiving handshake initiation from peer 318 (<client-ip>:16235)
Mar 16 18:17:19 [ +0.000004] wireguard: wg0: Sending handshake response to peer 318 (<client-ip>:16235)
Mar 16 18:17:19 [ +0.000191] wireguard: wg0: Keypair 10893 destroyed for peer 318
Mar 16 18:17:19 [ +0.000002] wireguard: wg0: Keypair 10896 created for peer 318
Mar 16 18:17:19 [ +0.275182] wireguard: wg0: Receiving keepalive packet from peer 318 (<client-ip>:16235)
Mar 16 18:17:34 [ +0.687921] wireguard: wg0: Receiving handshake initiation from peer 318 (<client-ip>:16918)
Mar 16 18:17:34 [ +0.000004] wireguard: wg0: Sending handshake response to peer 318 (<client-ip>:16918)
Mar 16 18:17:34 [ +0.000250] wireguard: wg0: Keypair 10894 destroyed for peer 318
Mar 16 18:17:34 [ +0.000002] wireguard: wg0: Keypair 10897 created for peer 318
Mar 16 18:17:34 [ +0.164268] wireguard: wg0: Receiving keepalive packet from peer 318 (<client-ip>:16918)
由于某种原因,握手来自不同的端口,因此服务器响应同一端口,但客户端未监听该端口
答案1
您需要确保的第一件事是:是否有另一个具有相同客户端配置文件的设备。(另一台计算机、电话)如果是这样,即使它应该处于睡眠状态,也可能存在问题,因此请为该设备配置另一个配置文件。
第二点是:您的超时时间为 15 秒,保持连接时间为 16 秒。您可以尝试将保持连接时间降低到 14 秒(或更短)以查看是否能解决问题吗?
那么,您的配置中存在一些问题,可能不相关,但最好修复它们以确保万无一失。
- 在服务器配置中,在
[interface]块中,Address参数是10.6.0.0/24。它应该是10.6.0.1/24: 10.6.0.0/24 是子网地址,不能使用。那么客户端安装的路由可能有错误。 - 在客户端配置中,在
[peer]块中,AllowedIPs参数同时具有“全部”(0.0.0.0/0)和 IP 地址(10.6.0.1/32)。您应该0.0.0.0/0只有,或者多个 IP 地址/子网,但没有0.0.0.0/0。如果您只有0.0.0.0/0,wireguard 将为您的端点 IP 地址设置排除路由。如果您有多个AllowedIPs,则必须确保没有任何子网与您的端点 IP 地址匹配。您有多个条目,包括0.0.0.0/0,wireguard 可能不会进行排除,但0.0.0.0/0会包含您的端点 IP 地址。
答案2
我尝试了此帖子中的所有方法,但似乎都无法真正改变问题。最后,我恢复了原始帖子中显示的配置,一段时间后问题消失了。我相信这可能与我使用的 ISP 或 ISP 的路由器有关。我没有做任何更改……也许是断电并重新启动路由器导致的,但我不知道。
这些答案仍然很有用,所以如果你遇到同样的问题,一定要遵循它们,我建议你在朋友家试一试,看看它是否仍然存在