WireGuard VPN handshake succeeds but no traffic / ping

I have set up a WireGuard VPN on my router (FritzBox) and added the VPN configuration to my Manjaro Gnome laptop.
The router is available at 192.168.0.1 in my home LAN.

[Interface]
PrivateKey = xxxx
Address = 192.168.0.201/24
DNS = 192.168.0.1
DNS = fritz.box

[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 192.168.0.0/24,0.0.0.0/0
Endpoint = xxx.myfritz.net:58130
PersistentKeepalive = 25

From the WireGuard logs I found in the kernel, the handshake seems to be successful.

sudo dmesg -wT | grep wireguard
[Mo, 16. Okt 2023, 00:43:25] wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.
[Mo, 16. Okt 2023, 00:43:25] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <[email protected]>. All Rights Reserved.
[Mo, 16. Okt 2023, 00:55:29] wireguard: wg_config: Interface created
[Mo, 16. Okt 2023, 00:55:29] wireguard: wg_config: Peer 5 created
[Mo, 16. Okt 2023, 00:55:29] wireguard: wg_config: Sending keepalive packet to peer 5 ((einval))
[Mo, 16. Okt 2023, 00:55:29] wireguard: wg_config: Sending handshake initiation to peer 5 ((einval))
[Mo, 16. Okt 2023, 00:55:34] wireguard: wg_config: Peer 5 ((einval)) destroyed
[Mo, 16. Okt 2023, 00:55:34] wireguard: wg_config: Peer 6 created
[Mo, 16. Okt 2023, 00:55:34] wireguard: wg_config: Sending keepalive packet to peer 6 (remote-ip:58130)
[Mo, 16. Okt 2023, 00:55:34] wireguard: wg_config: Sending handshake initiation to peer 6 (remote-ip:58130)
[Mo, 16. Okt 2023, 00:55:35] wireguard: wg_config: Receiving handshake response from peer 6 (remote-ip:58130)
[Mo, 16. Okt 2023, 00:55:35] wireguard: wg_config: Keypair 2 created for peer 6
[Mo, 16. Okt 2023, 00:55:35] wireguard: wg_config: Receiving keepalive packet from peer 6 (remote-ip:58130)
[Mo, 16. Okt 2023, 00:55:45] wireguard: wg_config: Receiving keepalive packet from peer 6 (remote-ip:58130)
[Mo, 16. Okt 2023, 00:55:56] wireguard: wg_config: Receiving keepalive packet from peer 6 (remote-ip:58130)

But I still can't access the router page or any other service in my home LAN, and I can't even ping.
The requests just time out.

I have read that I need to check whether there is a route to the router at 192.168.0.1 via the WireGuard interface, but to me it looks like there is one:

ip route get 192.168.0.1
192.168.0.1 dev wg_config src 192.168.0.201 uid 1000 
    cache 

Any idea what is going on there? Is there any other log/information I can provide?
I know this configuration works on another computer.

Edit: Here is the output of sudo wg show while the VPN is active, but I don't think it shows anything surprising.

sudo wg show
interface: wg_config
  public key: xxxx
  private key: (hidden)
  listening port: 51820
  fwmark: 0xcaed

peer: xxxx
  preshared key: (hidden)
  endpoint: public-ip:58130
  allowed ips: 192.168.0.0/24, 0.0.0.0/0
  latest handshake: 2 seconds ago
  transfer: 124 B received, 19.25 KiB sent
  persistent keepalive: every 25 seconds

Edit #2: Additional information

ip -br link; ip -br addr; ip route; ip rule
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP> 
wlp0s20f3        UP             34:7d:f6:8e:6e:a3 <BROADCAST,MULTICAST,UP,LOWER_UP> 
virbr0           DOWN           52:54:00:1b:79:e3 <NO-CARRIER,BROADCAST,MULTICAST,UP> 
br-b70272889e99  DOWN           02:42:cf:67:52:3b <NO-CARRIER,BROADCAST,MULTICAST,UP> 
docker0          DOWN           02:42:cf:d9:9e:e6 <NO-CARRIER,BROADCAST,MULTICAST,UP> 
wg_config        UNKNOWN        <POINTOPOINT,NOARP,UP,LOWER_UP> 
lo               UNKNOWN        127.0.0.1/8 ::1/128 
wlp0s20f3        UP             192.168.0.62/24 fe80::a493:410e:53d0:9d48/64 
virbr0           DOWN           192.168.122.1/24 
br-b70272889e99  DOWN           172.26.1.1/24 
docker0          DOWN           172.26.0.1/24 
wg_config        UNKNOWN        192.168.0.201/24 
default via 192.168.0.1 dev wlp0s20f3 proto dhcp src 192.168.0.62 metric 600 
default via 192.168.0.1 dev wg_config proto static metric 20050 
172.26.0.0/24 dev docker0 proto kernel scope link src 172.26.0.1 linkdown 
172.26.1.0/24 dev br-b70272889e99 proto kernel scope link src 172.26.1.1 linkdown 
192.168.0.0/24 dev wg_config proto static scope link metric 50 
192.168.0.0/24 dev wg_config proto kernel scope link src 192.168.0.201 metric 50 
192.168.0.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.0.62 metric 600 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown 
0:  from all lookup local
30960:  from all lookup main suppress_prefixlength 0
30961:  not from all fwmark 0xcaed lookup 51949
32766:  from all lookup main
32767:  from all lookup default
ip route show table 0
default dev wg_config table 51949 proto static scope link metric 20050 
default via 192.168.0.1 dev wlp0s20f3 proto dhcp src 192.168.0.62 metric 600 
default via 192.168.0.1 dev wg_config proto static metric 20050 
172.26.0.0/24 dev docker0 proto kernel scope link src 172.26.0.1 linkdown 
172.26.1.0/24 dev br-b70272889e99 proto kernel scope link src 172.26.1.1 linkdown 
192.168.0.0/24 dev wg_config proto static scope link metric 50 
192.168.0.0/24 dev wg_config proto kernel scope link src 192.168.0.201 metric 50 
192.168.0.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.0.62 metric 600 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 172.26.0.1 dev docker0 table local proto kernel scope host src 172.26.0.1 
broadcast 172.26.0.255 dev docker0 table local proto kernel scope link src 172.26.0.1 linkdown 
local 172.26.1.1 dev br-b70272889e99 table local proto kernel scope host src 172.26.1.1 
broadcast 172.26.1.255 dev br-b70272889e99 table local proto kernel scope link src 172.26.1.1 linkdown 
local 192.168.0.62 dev wlp0s20f3 table local proto kernel scope host src 192.168.0.62 
local 192.168.0.201 dev wg_config table local proto kernel scope host src 192.168.0.201 
broadcast 192.168.0.255 dev wlp0s20f3 table local proto kernel scope link src 192.168.0.62 
broadcast 192.168.0.255 dev wg_config table local proto kernel scope link src 192.168.0.201 
local 192.168.122.1 dev virbr0 table local proto kernel scope host src 192.168.122.1 
broadcast 192.168.122.255 dev virbr0 table local proto kernel scope link src 192.168.122.1 linkdown 
fe80::/64 dev wlp0s20f3 proto kernel metric 1024 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::a493:410e:53d0:9d48 dev wlp0s20f3 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev wlp0s20f3 table local proto kernel metric 256 pref medium

Edit #4: After changing the network configuration of the remote network to 192.168.1.0/24, the new output looks like this:

default dev wg_config table 51949 proto static scope link metric 20050 
default via 192.168.1.1 dev wlp0s20f3 proto dhcp src 192.168.1.58 metric 600 
default via 192.168.0.1 dev wg_config proto static metric 20050 
172.26.0.0/24 dev docker0 proto kernel scope link src 172.26.0.1 linkdown 
172.26.1.0/24 dev br-b70272889e99 proto kernel scope link src 172.26.1.1 linkdown 
192.168.0.0/24 dev wg_config proto static scope link metric 50 
192.168.0.0/24 dev wg_config proto kernel scope link src 192.168.0.201 metric 50 
192.168.1.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.1.58 metric 600 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 172.26.0.1 dev docker0 table local proto kernel scope host src 172.26.0.1 
broadcast 172.26.0.255 dev docker0 table local proto kernel scope link src 172.26.0.1 linkdown 
local 172.26.1.1 dev br-b70272889e99 table local proto kernel scope host src 172.26.1.1 
broadcast 172.26.1.255 dev br-b70272889e99 table local proto kernel scope link src 172.26.1.1 linkdown 
local 192.168.0.201 dev wg_config table local proto kernel scope host src 192.168.0.201 
broadcast 192.168.0.255 dev wg_config table local proto kernel scope link src 192.168.0.201 
local 192.168.1.58 dev wlp0s20f3 table local proto kernel scope host src 192.168.1.58 
broadcast 192.168.1.255 dev wlp0s20f3 table local proto kernel scope link src 192.168.1.58 
local 192.168.122.1 dev virbr0 table local proto kernel scope host src 192.168.122.1 
broadcast 192.168.122.255 dev virbr0 table local proto kernel scope link src 192.168.122.1 linkdown 
fe80::/64 dev wlp0s20f3 proto kernel metric 1024 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::a493:410e:53d0:9d48 dev wlp0s20f3 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev wlp0s20f3 table local proto kernel metric 256 pref medium

Answer 1

Is this the WireGuard configuration that the FritzBox generated for you through this procedure?:

https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7590/3685_Setting-up-a-WireGuard-VPN-to-the-FRITZ-Box-on-the-computer/

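If so, you won't be able to test it while your laptop is using the FritzBox WiFi; you have to test it on a different network. Your home network uses the 192.168.0.0/24 subnet, so you can't access the Internet from the same (or another) 192.168.0.0/24 network and use the FritzBox WireGuard configuration at the same time.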


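Edit: After changing the network you are testing from, if you again try to ping the FritzBox itself through the WireGuard tunnel (e.g. ping 192.168.0.1) and other devices on the FritzBox network, but get no response, do you still see output from wg show similar to before, indicating that the handshake succeeded and some data was sent through the tunnel to the FritzBox, but that none was actually received?: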

latest handshake: 2 seconds ago
transfer: 124 B received, 19.25 KiB sent

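If the handshake succeeds, it means UDP packets to and from the WireGuard listen port are travelling back and forth between the laptop and the FritzBox, which rules out a firewall/routing or other network issue on the public network connection between the laptop and the FritzBox (or at least it is not the immediate problem); it also means the WireGuard keys are correct.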

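If you see more data being sent to the FritzBox through the WireGuard tunnel than received (the 124 bytes received initially are just the result of the handshake; in the absence of any other traffic, you should see both the bytes sent and the bytes received climb by about 100 bytes every 25 seconds due to the PersistentKeepalive setting), that strongly suggests that some firewall or routing configuration on the FritzBox itself is preventing tunnel packets from being received or replied to.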

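Unfortunately, I don't think there is much you can do about that on the FritzBox, but you may want to check the various admin UI pages to see whether there are any firewall/routing related settings you can adjust; or check whether the WireGuard address assigned to your laptop (192.168.0.201) is being used by another host or reserved for some other purpose on the FritzBox network.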
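
The two checks described in the answer above (a local LAN on the same subnet as the tunnel's AllowedIPs, and a handshake that succeeds while almost nothing is received), as an added example that is not part of the original answer. The function names, the abridged sample input and the TX_RX_RATIO threshold are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample input, abridged from the outputs quoted in the question.
IP_BR_ADDR = """\
lo               UNKNOWN        127.0.0.1/8 ::1/128
wlp0s20f3        UP             192.168.0.62/24 fe80::a493:410e:53d0:9d48/64
docker0          DOWN           172.26.0.1/24
wg_config        UNKNOWN        192.168.0.201/24
"""
WG_SHOW = """\
  allowed ips: 192.168.0.0/24, 0.0.0.0/0
  latest handshake: 2 seconds ago
  transfer: 124 B received, 19.25 KiB sent
"""
UNITS = {"B": 1, "KiB": 2**10, "MiB": 2**20, "GiB": 2**30, "TiB": 2**40}
TX_RX_RATIO = 10  # assumed threshold for "sent far more than received"


def overlapping_lans(ip_br_addr, allowed_ips, wg_if):
    """List (iface, subnet, allowed) where an UP non-tunnel IPv4 subnet overlaps AllowedIPs."""
    nets = [ipaddress.ip_network(a.strip()) for a in allowed_ips.split(",")]
    # Skip default routes (/0): they overlap everything and say nothing about a LAN clash.
    nets = [n for n in nets if n.version == 4 and n.prefixlen > 0]
    hits = []
    for line in ip_br_addr.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] in (wg_if, "lo") or fields[1] != "UP":
            continue
        for iface in (ipaddress.ip_interface(a) for a in fields[2:] if "/" in a):
            if iface.version == 4:
                hits += [(fields[0], str(iface.network), str(n))
                         for n in nets if iface.network.overlaps(n)]
    return hits


def transfer_bytes(wg_show):
    """Return (received, sent) in bytes from the 'transfer:' line, or (0, 0) if absent."""
    m = re.search(r"transfer: ([\d.]+) (\w+) received, ([\d.]+) (\w+) sent", wg_show)
    return (int(float(m[1]) * UNITS[m[2]]), int(float(m[3]) * UNITS[m[4]])) if m else (0, 0)


def diagnose(ip_br_addr, wg_show, wg_if="wg_config"):
    """Return one finding per check from the answer that matches the given outputs."""
    allowed = re.search(r"allowed ips: (.+)", wg_show)[1]
    findings = [f"{name} is on {net}, which overlaps AllowedIPs {a}"
                for name, net, a in overlapping_lans(ip_br_addr, allowed, wg_if)]
    rx, tx = transfer_bytes(wg_show)
    if "latest handshake:" in wg_show and tx > TX_RX_RATIO * rx:
        findings.append(f"handshake ok but only {rx} B received vs {tx} B sent")
    return findings
```

With the sample input, diagnose(IP_BR_ADDR, WG_SHOW) reports both conditions; once the laptop's WiFi address is on 192.168.1.0/24, as in Edit #4, only the transfer finding remains.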
