Peers can connect to the VPN server but cannot connect between them (packet filtered)


I am new to the topic of VPNs and routing in general, and wanted to learn something new while setting up wireguard. But I have run into a problem that I have not been able to solve for some time.

As the title says: peers can connect to the VPN server but cannot connect between them. I have established a connection between the VPN server and the peers (both ways)

[root@<Peer1>]# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=3.62 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=1.62 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=1.24 ms
^C
--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.239/2.160/3.620/1.043 ms

root@<VPN Server>:~# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=1.25 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.876 ms
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.876/1.062/1.249/0.186 ms

but not between peers

[root@dev wireguard]# ping 10.0.0.3
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
From 10.0.0.1 icmp_seq=1 Packet filtered
From 10.0.0.1 icmp_seq=2 Packet filtered
From 10.0.0.1 icmp_seq=3 Packet filtered
^C
--- 10.0.0.3 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2003ms

One of the hosts, let's call it the main host, is running the wireguard service with the following config:

[Interface]
Address = 10.0.0.1
ListenPort = 51820
PrivateKey = <mainhost_priv>

PostUp   = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp8s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp8s0 -j MASQUERADE

[Peer]
#DEV
PublicKey = <Peer1_pub>
AllowedIPs = 10.0.0.2/32
Endpoint = <my_pub_IP>:51820
[Peer]
#T14
PublicKey = <Peer2_pub>
AllowedIPs = 10.0.0.3/32
Endpoint = <my_pub_IP>:51820
[Peer]
#phone
PublicKey = <Peer3_pub>=
AllowedIPs = 10.0.0.4/32
Endpoint = <my_pub_IP>:51820

With routes:

root@<main>:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp8s0
0.0.0.0         172.168.100.1   0.0.0.0         UG    20425  0        0 br_int
10.0.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 wg0
10.0.0.3        0.0.0.0         255.255.255.255 UH    0      0        0 wg0
10.0.0.4        0.0.0.0         255.255.255.255 UH    0      0        0 wg0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.168.100.0   0.0.0.0         255.255.255.0   U     425    0        0 br_int
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp8s0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp8s0
root@<main>:~#

My router points to the main host's local IP 192.168.0.100:5128. On the same main host there is also a KVM host, peer 1, configured as follows:

[Interface]
Address = 10.0.0.2
PrivateKey = <Peer1_priv>

[Peer]
PublicKey = <mai_host_pub>
Endpoint = test.jawor.org:51820
AllowedIPs = 0.0.0.0/0

Peer 2 and peer 3 (separate machines) have a similar configuration, only with the address changed.

=== EDIT === I have found that disabling the firewall helps. But that is just a poor workaround, not a solution.

In tcpdump on wg0 I found:

00:36:11.799053 IP <main_host> > 10.0.0.3: ICMP host 10.0.0.2 unreachable - admin prohibited filter, length 68
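An "admin prohibited filter" ICMP error with source 10.0.0.1 is produced by the main host itself when a REJECT rule (reject-with icmp-admin-prohibited) in its FORWARD chain matches the forwarded packet; the PostUp lines use -A, which appends the wg0 ACCEPT rules behind whatever the host firewall had already installed in FORWARD. The example below is added editor code, not from the post: it walks an `iptables -S FORWARD` listing first-match style for a wg0-to-wg0 packet, using two constructed chains (the appended order, and the assumed `-I FORWARD 1` order) to show how the rule position decides the verdict.

```shell
#!/usr/bin/env bash
# Simplified first-match walk of an iptables FORWARD chain, given the text that
# `iptables -S FORWARD` prints, for a packet arriving on $2 and leaving on $3.
# Only -i/-o matches are understood (other matches count as "any"); prints the
# verdict ACCEPT, DROP or REJECT, or the chain policy if no rule is terminal.
forward_verdict() {
    local rules="$1" in_if="$2" out_if="$3" policy="ACCEPT"
    local line rin rout target
    while IFS= read -r line; do
        case "$line" in
            "-P FORWARD "*) policy="${line##* }"; continue ;;
            "-A FORWARD "*) ;;
            *) continue ;;
        esac
        rin=""; rout=""; target=""
        set -- $line
        while [ $# -gt 0 ]; do
            case "$1" in
                -i) rin="$2"; shift ;;
                -o) rout="$2"; shift ;;
                -j) target="$2"; shift ;;
            esac
            shift
        done
        # a rule carrying -i/-o only applies when those interfaces match the packet
        [ -n "$rin" ] && [ "$rin" != "$in_if" ] && continue
        [ -n "$rout" ] && [ "$rout" != "$out_if" ] && continue
        case "$target" in
            ACCEPT|DROP|REJECT) printf '%s\n' "$target"; return 0 ;;
        esac
    done <<EOF
$rules
EOF
    printf '%s\n' "$policy"
}
# Constructed chain (not copied from the post): a REJECT already present in
# FORWARD, followed by the wg0 rules that the PostUp line appends with -A.
CHAIN_APPENDED='-P FORWARD ACCEPT
-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT'
# Same rules if PostUp used "iptables -I FORWARD 1 ..." (assumed fix), so the
# wg0 rules sit in front of the REJECT.
CHAIN_INSERTED='-P FORWARD ACCEPT
-A FORWARD -o wg0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-admin-prohibited'
forward_verdict "$CHAIN_APPENDED" wg0 wg0   # REJECT: peer-to-peer traffic is refused
forward_verdict "$CHAIN_INSERTED" wg0 wg0   # ACCEPT
```

Run it against the live host with `forward_verdict "$(iptables -S FORWARD)" wg0 wg0` to see which rule the kernel would hit first; the inserted order still rejects traffic between non-wg0 interfaces, so it does not widen forwarding beyond the tunnel.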
