
I'm generally new to the topic of VPNs and routing, and wanted to learn something new while setting up WireGuard. But I've run into a problem that I haven't been able to solve for some time.
As the title says: peers can connect to the VPN server, but not to each other. I have a working connection between the VPN server and the peers (in both directions):
[root@<Peer1>]# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=3.62 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=1.62 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=1.24 ms
^C
--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.239/2.160/3.620/1.043 ms
root@<VPN Server>:~# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=1.25 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.876 ms
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.876/1.062/1.249/0.186 ms
but not between peers:
[root@dev wireguard]# ping 10.0.0.3
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
From 10.0.0.1 icmp_seq=1 Packet filtered
From 10.0.0.1 icmp_seq=2 Packet filtered
From 10.0.0.1 icmp_seq=3 Packet filtered
^C
--- 10.0.0.3 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2003ms
One of the hosts, let's call it the main host, is running the WireGuard service with the following configuration:
[Interface]
Address = 10.0.0.1
ListenPort = 51820
PrivateKey = <mainhost_priv>
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp8s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp8s0 -j MASQUERADE
[Peer]
#DEV
PublicKey = <Peer1_pub>
AllowedIPs = 10.0.0.2/32
Endpoint = <my_pub_IP>:51820
[Peer]
#T14
PublicKey = <Peer2_pub>
AllowedIPs = 10.0.0.3/32
Endpoint = <my_pub_IP>:51820
[Peer]
#phone
PublicKey = <Peer3_pub>=
AllowedIPs = 10.0.0.4/32
Endpoint = <my_pub_IP>:51820
with these routes:
root@<main>:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 100 0 0 enp8s0
0.0.0.0 172.168.100.1 0.0.0.0 UG 20425 0 0 br_int
10.0.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 wg0
10.0.0.3 0.0.0.0 255.255.255.255 UH 0 0 0 wg0
10.0.0.4 0.0.0.0 255.255.255.255 UH 0 0 0 wg0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
172.168.100.0 0.0.0.0 255.255.255.0 U 425 0 0 br_int
192.168.0.0 0.0.0.0 255.255.255.0 U 100 0 0 enp8s0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp8s0
root@<main>:~#
My router points to the main host's local IP 192.168.0.100:5128. On the same main host there is also a KVM guest, Peer 1, configured as follows:
[Interface]
Address = 10.0.0.2
PrivateKey = <Peer1_priv>
[Peer]
PublicKey = <mai_host_pub>
Endpoint = test.jawor.org:51820
AllowedIPs = 0.0.0.0/0
Peer 2 and Peer 3 - separate machines - have similar configurations, just with the address changed.
=== EDIT === I found that disabling the firewall helps. But that is just a bad workaround, not a solution.
In a tcpdump on wg0 I found:
00:36:11.799053 IP <main_host> > 10.0.0.3: ICMP host 10.0.0.2 unreachable - admin prohibited filter, length 68
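As an added example (not part of the question, and not built from the asker's actual rule set), the following Python script replays a PostUp line onto a constructed FORWARD chain and checks the two things a hub needs for spoke-to-spoke traffic: an AllowedIPs route on the hub for the destination peer, and an ACCEPT for wg0-to-wg0 forwarding that comes before any terminal REJECT or DROP. A REJECT with `--reject-with icmp-admin-prohibited` is exactly what produces the ICMP "admin prohibited filter" seen in tcpdump and the "Packet filtered" seen in ping, and a rule appended with `-A` lands after any such rule that a distribution firewall has already installed. The chain contents, the `-I` variant of the PostUp line and the peer keys are assumptions; treating conntrack-state rules as non-matching for a new flow is a simplification.

```python
import ipaddress
import shlex

# Constructed `iptables -S FORWARD` output of a hub whose distribution firewall
# already ends the chain with a REJECT (hypothetical, not captured from the host).
BASE_FORWARD_CHAIN = """\
-P FORWARD ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
"""

# The PostUp line from the question (appends with -A) and an assumed variant
# that inserts at the top of the chain with -I.
POSTUP_APPEND = ("iptables -A FORWARD -i wg0 -j ACCEPT; "
                 "iptables -A FORWARD -o wg0 -j ACCEPT; "
                 "iptables -t nat -A POSTROUTING -o enp8s0 -j MASQUERADE")
POSTUP_INSERT = POSTUP_APPEND.replace("-A FORWARD", "-I FORWARD")

# Hub config in the shape of the question's, with placeholder keys.
HUB_CONF = """\
[Interface]
Address = 10.0.0.1
ListenPort = 51820
PrivateKey = <mainhost_priv>

[Peer]
#DEV
PublicKey = <Peer1_pub>
AllowedIPs = 10.0.0.2/32

[Peer]
#T14
PublicKey = <Peer2_pub>
AllowedIPs = 10.0.0.3/32
"""


def apply_postup(chain_text, postup):
    """Replay the `iptables ... FORWARD` commands of a PostUp line onto a chain
    listing: -A appends at the end, -I inserts at position 1 (right after the
    -P policy line). Commands for other tables or chains are ignored."""
    lines = [l for l in chain_text.splitlines() if l.strip()]
    for cmd in postup.split(";"):
        tokens = shlex.split(cmd)
        if len(tokens) < 3 or tokens[0] != "iptables" or tokens[2] != "FORWARD":
            continue
        rule = "-A FORWARD " + " ".join(tokens[3:])
        if tokens[1] == "-A":
            lines.append(rule)
        elif tokens[1] == "-I":
            lines.insert(1, rule)
    return "\n".join(lines) + "\n"


def parse_forward_chain(text):
    """Parse `iptables -S FORWARD` style lines into (policy, ordered rule dicts)."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "-P":
            policy = tokens[2]
            continue
        if tokens[0] != "-A":
            continue
        rule = {"in": None, "out": None, "target": None,
                "reject_with": None, "stateful": False, "text": line}
        i = 2
        while i < len(tokens):
            flag = tokens[i]
            if flag == "-i":
                rule["in"] = tokens[i + 1]
            elif flag == "-o":
                rule["out"] = tokens[i + 1]
            elif flag == "-j":
                rule["target"] = tokens[i + 1]
            elif flag == "--reject-with":
                rule["reject_with"] = tokens[i + 1]
            elif flag in ("-m", "--ctstate"):
                rule["stateful"] = True  # conntrack match: skipped for a new flow
            else:
                i += 1
                continue
            i += 2
        rules.append(rule)
    return policy, rules


def first_verdict(chain_text, in_iface, out_iface):
    """Walk the chain for the first packet of a new flow; return
    (verdict, index of the deciding rule or None for policy, reject_with)."""
    policy, rules = parse_forward_chain(chain_text)
    for idx, r in enumerate(rules):
        if r["stateful"]:
            continue
        if r["in"] not in (None, in_iface) or r["out"] not in (None, out_iface):
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"], idx, r["reject_with"]
    return policy, None, None


def hub_peers(conf):
    """Collect each [Peer]'s PublicKey and AllowedIPs networks from a hub config."""
    peers, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            cur = {"key": None, "nets": []} if line == "[Peer]" else None
            if cur is not None:
                peers.append(cur)
        elif cur is not None and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k == "PublicKey":
                cur["key"] = v
            elif k == "AllowedIPs":
                cur["nets"] += [ipaddress.ip_network(n.strip(), strict=False)
                                for n in v.split(",")]
    return peers


def hub_peer_for(conf, address):
    """PublicKey of the peer whose AllowedIPs covers `address` (the hub's only
    possible next hop into the tunnel for that address), or None."""
    ip = ipaddress.ip_address(address)
    for p in hub_peers(conf):
        if any(ip in net for net in p["nets"]):
            return p["key"]
    return None


def diagnose(conf, chain_text, src, dst):
    """Findings for a src -> dst ping between two spokes relayed by the hub."""
    findings = []
    for ip in (src, dst):
        if hub_peer_for(conf, ip) is None:
            findings.append(f"hub has no AllowedIPs route for {ip}")
    verdict, idx, reject_with = first_verdict(chain_text, "wg0", "wg0")
    if verdict != "ACCEPT":
        where = "chain policy" if idx is None else f"rule #{idx + 1}"
        findings.append(f"FORWARD wg0->wg0 hits {verdict} at {where}"
                        + (f" ({reject_with})" if reject_with else ""))
    return findings


if __name__ == "__main__":
    for label, postup in (("PostUp with -A", POSTUP_APPEND),
                          ("PostUp with -I", POSTUP_INSERT)):
        chain = apply_postup(BASE_FORWARD_CHAIN, postup)
        print(label, "->", diagnose(HUB_CONF, chain, "10.0.0.2", "10.0.0.3") or ["ok"])
```

On a real hub, feed it the output of `iptables -S FORWARD` instead of the constructed chain; if the deciding rule is a REJECT that precedes the wg0 ACCEPT, the fix is a matter of rule order (inserting rather than appending, or adding wg0 to the firewall's own forwarding policy), not of turning the firewall off.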