Why don't I have a connection on my Arch WireGuard peer?


My PiVPN WireGuard server has been running for over a year without any problems. I add clients with "pivpn -a" and then copy the config to whatever device I'm trying to connect.

For some reason I simply cannot get my Arch laptop to connect through the VPN and reach the internet. I thought maybe there was some kind of error in my iptables... although this is an almost fresh install of Arch and I haven't even installed a firewall yet.

I've tried a new config for the laptop... I've also tried the config from another device that I know works. Same result.

I'm almost certain it's a problem on the client device, because all my other devices work fine and connect normally... they can reach local LAN devices and the public internet.

After running "sudo wg-quick up home", the Arch terminal shows the following:

[#] ip link add home type wireguard
[#] wg setconf home /dev/fd/63
[#] ip -4 address add 10.6.0.4/24 dev home
[#] ip link set mtu 1420 up dev home
[#] resolvconf -a home -m 0 -x
[#] wg set home fwmark 51820
[#] ip -6 route add ::/0 dev home table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
[#] ip -4 route add 0.0.0.0/0 dev home table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] nft -f /dev/fd/63

Here is the WG config I'm connecting with:

[Interface]
PrivateKey = *private key that matches same key on server*
Address = 10.6.0.4/24
DNS = 10.6.0.1

[Peer]
PublicKey = *private key that matches same key on server*
PresharedKey = *redacted*
Endpoint = *redacted*:24454
AllowedIPs = 0.0.0.0/0, ::0/0

I've tried running wg-quick both as sudo and as a normal user... no difference. I'm really confused because I don't know where I should be looking for a solution. Like I said... this WireGuard server has been running for over a year... it's strange that I'm having problems with this client, even on a fairly new Arch install.

At this point my last resort is to reinstall Arch... because I've never run into this problem before, and I've used wg connections on other Arch installs in the past.

Any help is greatly appreciated, and I'll update this main post with any logs or anything else you need to see.

Here is more iptables output:

# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b0:3c:dc:6f:7b:56 brd ff:ff:ff:ff:ff:ff
    inet 172.20.20.20/24 brd 172.20.20.255 scope global dynamic noprefixroute wlan0
       valid_lft 3353sec preferred_lft 2903sec
    inet6 2601:586:d032:3ec:7933:1220:847c:2fd6/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 3347sec preferred_lft 1547sec
    inet6 fe80::743a:4f6c:81e2:f365/64 scope link 
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:14:6e:67:d5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
5: br-f046ca5e5c8d: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:74:37:ca:f5 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-f046ca5e5c8d
       valid_lft forever preferred_lft forever
    inet6 fe80::42:74ff:fe37:caf5/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
7: veth7f1f937@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-f046ca5e5c8d state UP group default 
    link/ether d2:10:6b:28:65:96 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::c0ac:691c:559f:9018/64 scope link 
       valid_lft forever preferred_lft forever

# ip -4 route show table all
default via 172.20.20.1 dev wlan0 proto dhcp src 172.20.20.20 metric 3003 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.19.0.0/16 dev br-f046ca5e5c8d proto kernel scope link src 172.19.0.1 
172.20.20.0/24 dev wlan0 proto dhcp scope link src 172.20.20.20 metric 3003 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1 
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1 linkdown 
local 172.19.0.1 dev br-f046ca5e5c8d table local proto kernel scope host src 172.19.0.1 
broadcast 172.19.255.255 dev br-f046ca5e5c8d table local proto kernel scope link src 172.19.0.1 
local 172.20.20.20 dev wlan0 table local proto kernel scope host src 172.20.20.20 
broadcast 172.20.20.255 dev wlan0 table local proto kernel scope link src 172.20.20.20 

# ip -4 rule show
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default

# ip -6 route show table all
2601:586:d032:3ec::/64 via fe80::ff:fe02:202 dev wlan0 proto ra metric 3003 mtu 1280 pref medium
fe80::/64 dev br-f046ca5e5c8d proto kernel metric 256 pref medium
fe80::/64 dev veth7f1f937 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default via fe80::ff:fe02:202 dev wlan0 proto ra metric 3003 mtu 1280 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local 2601:586:d032:3ec:7933:1220:847c:2fd6 dev wlan0 table local proto kernel metric 0 pref medium
local fe80::42:74ff:fe37:caf5 dev br-f046ca5e5c8d table local proto kernel metric 0 pref medium
local fe80::743a:4f6c:81e2:f365 dev wlan0 table local proto kernel metric 0 pref medium
local fe80::c0ac:691c:559f:9018 dev veth7f1f937 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev br-f046ca5e5c8d table local proto kernel metric 256 pref medium
multicast ff00::/8 dev veth7f1f937 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wlan0 table local proto kernel metric 256 pref medium

# ip -6 rule show
0:  from all lookup local
32766:  from all lookup main

# wg

# ip netconf
inet lo forwarding on rp_filter loose mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet wlan0 forwarding on rp_filter loose mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet docker0 forwarding on rp_filter loose mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet br-f046ca5e5c8d forwarding on rp_filter loose mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet veth7f1f937 forwarding on rp_filter loose mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet all forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet default forwarding on rp_filter loose mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet6 lo forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet6 wlan0 forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet6 docker0 forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet6 br-f046ca5e5c8d forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet6 veth7f1f937 forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet6 all forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 
inet6 default forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off 

# iptables-save -c
# Generated by iptables-save v1.8.9 on Fri Sep  8 11:20:09 2023
*nat
:PREROUTING ACCEPT [80:10293]
:INPUT ACCEPT [74:8365]
:OUTPUT ACCEPT [961:75284]
:POSTROUTING ACCEPT [961:75284]
:DOCKER - [0:0]
[74:8365] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.19.0.0/16 ! -o br-f046ca5e5c8d -j MASQUERADE
[0:0] -A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p tcp -m tcp --dport 5432 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER -i br-f046ca5e5c8d -j RETURN
[0:0] -A DOCKER ! -i br-f046ca5e5c8d -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.19.0.2:5432
COMMIT
# Completed on Fri Sep  8 11:20:09 2023
# Generated by iptables-save v1.8.9 on Fri Sep  8 11:20:09 2023
*filter
:INPUT ACCEPT [10231:6567188]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [8540:1276935]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[0:0] -A FORWARD -j DOCKER-USER
[0:0] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[0:0] -A FORWARD -o br-f046ca5e5c8d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-f046ca5e5c8d -j DOCKER
[0:0] -A FORWARD -i br-f046ca5e5c8d ! -o br-f046ca5e5c8d -j ACCEPT
[0:0] -A FORWARD -i br-f046ca5e5c8d -o br-f046ca5e5c8d -j ACCEPT
[0:0] -A DOCKER -d 172.19.0.2/32 ! -i br-f046ca5e5c8d -o br-f046ca5e5c8d -p tcp -m tcp --dport 5432 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i br-f046ca5e5c8d ! -o br-f046ca5e5c8d -j DOCKER-ISOLATION-STAGE-2
[0:0] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-f046ca5e5c8d -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[0:0] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Sep  8 11:20:09 2023

# nft list ruleset
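
Added diagnostic, not from the original post or from PiVPN/wg-quick: it takes the `ip -4 rule add` commands that wg-quick printed and checks whether `ip -4 rule show` actually contains the matching fwmark and suppress_prefixlength rules, which is the first thing to verify when a full-tunnel (AllowedIPs 0.0.0.0/0) client cannot reach anything. The sample inputs are constructed from the outputs quoted above; against the posted `ip -4 rule show`, which has no fwmark rule at all, both rules come back as missing, which together with the empty `wg` output suggests those dumps were captured while the interface was down.

```python
import re

# Constructed sample inputs, modelled on the outputs quoted in the post above.
WG_QUICK_LOG = """\
[#] wg set home fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev home table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
"""

# `ip -4 rule show` as posted: no fwmark rule at all.
IP4_RULE_DOWN = """\
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default
"""

# The same command while wg-quick's rules are in place (the mark is printed in hex).
IP4_RULE_UP = """\
0:  from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
"""


def expected_rules(wg_quick_log):
    """For every `ip -4 rule add ...` line wg-quick printed, build the regex that
    one line of `ip -4 rule show` must match while the tunnel is up."""
    expected = []
    for m in re.finditer(r"\[#\] ip -4 rule add (.+)", wg_quick_log):
        args = m.group(1).split()
        if args[:2] == ["not", "fwmark"]:
            mark, table = int(args[2]), args[4]
            pattern = rf"^\S+\s+not from all fwmark 0x{mark:x} lookup {table}$"
            expected.append((m.group(1), pattern))
        elif args[:2] == ["table", "main"] and "suppress_prefixlength" in args:
            plen = args[args.index("suppress_prefixlength") + 1]
            pattern = rf"^\S+\s+from all lookup main suppress_prefixlength {plen}$"
            expected.append((m.group(1), pattern))
    return expected


def missing_rules(wg_quick_log, ip_rule_output):
    """Return the wg-quick rule additions with no matching `ip -4 rule show` line."""
    lines = [ln.strip() for ln in ip_rule_output.splitlines() if ln.strip()]
    return [added for added, pattern in expected_rules(wg_quick_log)
            if not any(re.match(pattern, ln) for ln in lines)]
```

Run it against a fresh `ip -4 rule show` taken right after `wg-quick up home` succeeds; an empty list means policy routing is in place and the problem is elsewhere (handshake, endpoint reachability or the server side).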
