Routing issue(?) in a site-to-site WireGuard VPN in a pfSense VM setup

First of all, my networking experience is limited, but I have a general understanding of the concepts and can follow any advice.

I am trying to set up site-to-site with WireGuard. Both sites use ASUS routers because setup and configuration are simple for the end users, but my task is to connect the sites through VPN machines behind the routers, giving devices on site A access to everything on site B. The reason for running the VPN on a separate machine behind the router is that the router CPUs are weak and throughput over the VPN was too slow on the routers, so a dedicated machine behind the router is used as the VPN. I wanted to stick with free software options and cheap spare hardware, so I finally settled on WireGuard on pfSense on a dedicated ESXi box.

Site A (home):

  • ASUS router: 192.168.120.1/24, static route 192.168.110.0/24 to 192.168.120.55
  • pfSense VM with WireGuard: 192.168.120.55
  • wireguard_A interface 10.0.8.1/24
  • Peer allowed IPs: 10.0.8.0/24, 192.168.110.0/24
  • Gateway_to_B on wireguard_A: 10.0.8.2, static route for 192.168.110.0/24

Site B (remote):

  • ASUS router: 192.168.110.1/24, route 192.168.120.0/24 to 192.168.110.55
  • pfSense VM with WireGuard: 192.168.110.55
  • wireguard_B interface 10.0.8.2/24
  • Peer allowed IPs: 10.0.8.0/24, 192.168.120.0/24
  • Gateway_to_A on wireguard_B: 10.0.8.1, with static route 192.168.120.0/24

What works:

  • I get a WG handshake.
  • From each pfSense GUI, I can ping the other site's wg interface and pfSense IP
  • From pfSense on B, I can ping and traceroute to A's router and devices

What doesn't work:

  • From each pfSense GUI, I cannot traceroute to the other site's wg interface or pfSense IP (but I can ping them)
  • From A's pfSense GUI, I cannot ping or traceroute to B's devices or router - from devices on either network, I cannot ping the other site's network

Is my setup completely wrong? Am I missing something? Any tips or pointers?

Thanks a lot!

Edit, adding the extra information requested below (I trimmed some of the tunnel echo requests and replies): tcpdump from pfSense A during a ping (ping succeeds):

95 IP 10.0.8.2 > 192.168.120.50: ICMP echo request, id 46148, seq 1, length 64
13:09:04.428941 IP 192.168.120.50 > 10.0.8.2: ICMP echo reply, id 46148, seq 1, length 64
13:09:04.538993 IP 10.0.8.2 > 10.0.8.1: ICMP echo request, id 38069, seq 18882, length 9
13:09:04.839346 IP 10.0.8.2 > 10.0.8.1: ICMP echo reply, id 10026, seq 42123, length 9
13:09:05.448670 IP 10.0.8.2 > 192.168.120.50: ICMP echo request, id 46148, seq 2, length 64
13:09:05.448840 IP 192.168.120.50 > 10.0.8.2: ICMP echo reply, id 46148, seq 2, length 64
13:09:05.598724 IP 10.0.8.2 > 10.0.8.1: ICMP echo request, id 38069, seq 18884, length 9

Below is tcpdump from pfSense A during a traceroute (trace stops at 10.0.8.1):

13:14:13.054009 IP 10.0.8.2 > 10.0.8.1: ICMP echo reply, id 10026, seq 42698, length 9
13:14:13.313649 IP 10.0.8.2.61530 > 192.168.120.50.33435: UDP, length 12
13:14:13.313689 IP 10.0.8.1 > 10.0.8.2: ICMP time exceeded in-transit, length 48
13:14:13.383640 IP 10.0.8.2.61530 > 192.168.120.50.33436: UDP, length 12
13:14:13.383679 IP 10.0.8.1 > 10.0.8.2: ICMP time exceeded in-transit, length 48
13:14:13.443543 IP 10.0.8.2.61530 > 192.168.120.50.33437: UDP, length 12
13:14:13.443569 IP 10.0.8.1 > 10.0.8.2: ICMP time exceeded in-transit, length 48
13:14:13.508499 IP 10.0.8.2 > 10.0.8.1: ICMP echo request, id 38069, seq 19460, length 9
13:14:13.508514 IP 10.0.8.1 > 10.0.8.2: ICMP echo reply, id 38069, seq 19460, length 9
13:14:13.508543 IP 10.0.8.2.61530 > 192.168.120.50.33438: UDP, length 12
13:14:13.518462 IP 10.0.8.1 > 10.0.8.2: ICMP echo request, id 10026, seq 42699, length 9
13:14:13.584084 IP 10.0.8.2 > 10.0.8.1: ICMP echo reply, id 10026, seq 42699, length 9
13:14:13.908636 IP 10.0.8.2.40151 > 192.168.120.50.33443: UDP, length 12
13:14:14.044168 IP 10.0.8.1 > 10.0.8.2: ICMP echo request, id 10026, seq 42700, length 9
13:14:14.044175 IP 10.0.8.2 > 10.0.8.1: ICMP echo request, id 38069, seq 19461, length 9
13:14:14.044187 IP 10.0.8.1 > 10.0.8.2: ICMP echo reply, id 38069, seq 19461, length 9
13:14:14.113502 IP 10.0.8.2 > 10.0.8.1: ICMP echo reply, id 10026, seq 42700, length 9
13:14:15.188567 IP 10.0.8.2 > 10.0.8.1: ICMP echo reply, id 10026, seq 42702, length 9
13:14:15.533688 IP 10.0.8.2.61530 > 192.168.120.50.33439: UDP, length 12
13:14:15.663551 IP 10.0.8.2 > 10.0.8.1: ICMP echo request, id 38069, seq 19464, length 9
13:14:15.663562 IP 10.0.8.1 > 10.0.8.2: ICMP echo request, id 10026, seq 42703, length 9
13:14:15.663573 IP 10.0.8.1 > 10.0.8.2: ICMP echo reply, id 38069, seq 19464, length 9
13:14:15.728480 IP 10.0.8.2 > 10.0.8.1: ICMP echo reply, id 10026, seq 42703, length 9
13:14:15.934292 IP 10.0.8.2.40151 > 192.168.120.50.33444: UDP, length 12
13:14:16.183603 IP 10.0.8.1 > 10.0.8.2: ICMP echo request, id 10026, seq 42704, length 9

tcpdump from pfSense B during a ping (ping fails):

13:17:56.866941 IP 10.0.8.1 > 192.168.110.81: ICMP echo request, id 35076, seq 0, length 64
13:17:56.903449 IP 10.0.8.1 > 10.0.8.2: ICMP echo reply, id 38069, seq 19878, length 9
13:17:57.867472 IP 10.0.8.1 > 192.168.110.81: ICMP echo request, id 35076, seq 1, length 64
13:17:57.887689 IP 10.0.8.1 > 10.0.8.2: ICMP echo request, id 10026, seq 43118, length 9
13:17:57.887709 IP 10.0.8.2 > 10.0.8.1: ICMP echo reply, id 10026, seq 43118, length 9
13:17:57.887717 IP 10.0.8.2 > 10.0.8.1: ICMP echo request, id 38069, seq 19880, length 9
13:17:57.948202 IP 10.0.8.1 > 10.0.8.2: ICMP echo reply, id 38069, seq 19880, length 9
13:17:58.901775 IP 10.0.8.1 > 192.168.110.81: ICMP echo request, id 35076, seq 2, length 64
13:17:58.970017 IP 10.0.8.2 > 10.0.8.1: ICMP echo request, id 38069, seq 19882, length 9
13:17:58.971989 IP 10.0.8.1 > 10.0.8.2: ICMP echo request, id 10026, seq 43120, length 9

tcpdump from pfSense A during a traceroute (trace stops at 10.0.8.2):

13:18:58.412887 IP 10.0.8.1.61640 > 192.168.110.81.33435: UDP, length 12
13:18:58.412921 IP 10.0.8.2 > 10.0.8.1: ICMP time exceeded in-transit, length 48
13:18:58.454527 IP 10.0.8.2 > 10.0.8.1: ICMP echo request, id 38069, seq 19993, length 9
13:18:58.471872 IP 10.0.8.1 > 10.0.8.2: ICMP echo request, id 10026, seq 43231, length 9
13:18:58.471891 IP 10.0.8.2 > 10.0.8.1: ICMP echo reply, id 10026, seq 43231, length 9
13:18:58.472828 IP 10.0.8.1.61640 > 192.168.110.81.33436: UDP, length 12
13:18:58.472867 IP 10.0.8.2 > 10.0.8.1: ICMP time exceeded in-transit, length 48
13:18:58.517860 IP 10.0.8.1 > 10.0.8.2: ICMP echo reply, id 38069, seq 19993, length 9
13:18:58.533516 IP 10.0.8.1.61640 > 192.168.110.81.33437: UDP, length 12
13:18:58.533556 IP 10.0.8.2 > 10.0.8.1: ICMP time exceeded in-transit, length 48
13:18:58.604429 IP 10.0.8.1.61640 > 192.168.110.81.33438: UDP, length 12
13:18:58.995806 IP 10.0.8.2 > 10.0.8.1: ICMP echo request, id 38069, seq 19994, length 9
13:19:00.608650 IP 10.0.8.2 > 10.0.8.1: ICMP echo reply, id 10026, seq 43235, length 9
13:19:00.609243 IP 10.0.8.1.61640 > 192.168.110.81.33439: UDP, leng
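Two checks that help narrow down a one-way tunnel like the one in this post, as an added example (this is not code from the original post, from pfSense or from WireGuard). The first check takes the peer AllowedIPs, LAN subnets and tunnel routes exactly as listed in the question and verifies WireGuard's cryptokey routing in each direction: WireGuard silently drops any packet whose destination (outbound) or source (inbound) falls outside the peer's AllowedIPs, which from the outside looks exactly like a ping that goes out and never comes back. The second check parses tcpdump text lines in the format the post shows and lists ICMP echo requests that never received a matching reply (same id and seq, addresses swapped); run over a capture taken on the far-side pfSense, an unanswered request to a LAN host means the packet left the tunnel interface but the reply never came back through that box, so the remaining suspects are that hop's firewall rules, NAT and the LAN host's own return route. The site dictionaries are assumptions copied from the question, and the capture below is constructed for this example in the style of the post's output, not taken from it.

```python
"""Added example: consistency checks for a WireGuard site-to-site tunnel."""
import ipaddress
import re

# Site parameters as given in the post (assumption: copied from the question,
# not read from real devices).
SITE_A = {"lan": "192.168.120.0/24", "tunnel_addr": "10.0.8.1",
          "allowed_ips": ["10.0.8.0/24", "192.168.110.0/24"],
          "routes_via_tunnel": ["192.168.110.0/24"]}
SITE_B = {"lan": "192.168.110.0/24", "tunnel_addr": "10.0.8.2",
          "allowed_ips": ["10.0.8.0/24", "192.168.120.0/24"],
          "routes_via_tunnel": ["192.168.120.0/24"]}


def allowed_ips_cover_routes(local, remote):
    """Check cryptokey routing for traffic originating at 'local'.

    Returns a list of problems; an empty list means the AllowedIPs on both
    ends agree with what 'local' sends into the tunnel:
      * every subnet 'local' routes into the tunnel must be inside the local
        peer's AllowedIPs, or WireGuard never encrypts the packet;
      * the local LAN and tunnel address must be inside the *remote* peer's
        AllowedIPs, or the remote end discards the packet on arrival and no
        reply is ever generated.
    """
    problems = []
    local_allowed = [ipaddress.ip_network(n) for n in local["allowed_ips"]]
    remote_allowed = [ipaddress.ip_network(n) for n in remote["allowed_ips"]]

    for r in local["routes_via_tunnel"]:
        net = ipaddress.ip_network(r)
        if not any(net.subnet_of(a) for a in local_allowed):
            problems.append(f"route {r} is not covered by the local peer's AllowedIPs")

    lan = ipaddress.ip_network(local["lan"])
    if not any(lan.subnet_of(a) for a in remote_allowed):
        problems.append(f"local LAN {local['lan']} is not covered by the remote peer's AllowedIPs")

    tun = ipaddress.ip_address(local["tunnel_addr"])
    if not any(tun in a for a in remote_allowed):
        problems.append(f"tunnel address {local['tunnel_addr']} is not covered by the remote peer's AllowedIPs")
    return problems


# Matches tcpdump's default one-line ICMP echo format, e.g.
# "13:17:56.866941 IP 10.0.8.1 > 192.168.110.81: ICMP echo request, id 35076, seq 0, length 64"
ECHO_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$")


def unanswered_echo_requests(capture_text):
    """Return [(src, dst, id, seq), ...] for echo requests with no matching reply.

    A reply matches a request when it travels dst -> src with the same id and
    seq.  Non-ICMP-echo lines (UDP probes, time-exceeded messages) are skipped.
    """
    requests = {}      # insertion-ordered, so output follows capture order
    replies = set()
    for line in capture_text.splitlines():
        m = ECHO_RE.match(line.strip())
        if not m:
            continue
        key = (m["src"], m["dst"], int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            requests[key] = True
        else:
            # normalise the reply to the orientation of the request it answers
            replies.add((m["dst"], m["src"], int(m["id"]), int(m["seq"])))
    return [k for k in requests if k not in replies]


def unanswered_by_flow(capture_text):
    """Count unanswered requests per (src, dst) pair to spot the dead direction."""
    counts = {}
    for src, dst, _, _ in unanswered_echo_requests(capture_text):
        counts[(src, dst)] = counts.get((src, dst), 0) + 1
    return counts


# Constructed sample in the style of the post's pfSense B capture: pings from
# A's tunnel address to a B LAN host get no reply, while the tunnel-endpoint
# pings (the short length-9 packets) are answered normally.
SAMPLE_CAPTURE = """\
13:17:56.866941 IP 10.0.8.1 > 192.168.110.81: ICMP echo request, id 35076, seq 0, length 64
13:17:56.903449 IP 10.0.8.1 > 10.0.8.2: ICMP echo request, id 10026, seq 43117, length 9
13:17:56.903470 IP 10.0.8.2 > 10.0.8.1: ICMP echo reply, id 10026, seq 43117, length 9
13:17:57.867472 IP 10.0.8.1 > 192.168.110.81: ICMP echo request, id 35076, seq 1, length 64
13:17:57.887689 IP 10.0.8.1.61640 > 192.168.110.81.33435: UDP, length 12
"""

if __name__ == "__main__":
    for name, local, remote in (("A->B", SITE_A, SITE_B), ("B->A", SITE_B, SITE_A)):
        print(name, allowed_ips_cover_routes(local, remote) or "AllowedIPs consistent")
    for flow, n in unanswered_by_flow(SAMPLE_CAPTURE).items():
        print(f"{flow[0]} -> {flow[1]}: {n} echo request(s) without reply")
```

With the post's own values both directions pass the AllowedIPs check, which is itself useful information: it rules out cryptokey routing and points the investigation at the pfSense firewall rules on the WireGuard interface, outbound NAT, and whether the B-side hosts actually send their replies back via 192.168.110.55 rather than straight to the ASUS router's default route. Pasting the real pfSense B capture into unanswered_echo_requests() gives the same per-flow view for the actual traffic.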