我试图了解当我连接到wiregurad VPN 时,我的计算机上的所有流量如何通过wireguard 路由。请参阅下面的ip route
ip a s
、 和 的输出ip rule
。
mullvad connect
我的 VPN 是在安装该工具并将其与我的帐户关联后使用提供商的 CLI 工具设置的:https://mulvad.net/en/help/how-use-mulvad-cli
我从路由表中了解到,dev wlp0s20f3 上来自源 192.168.44.83 的任何内容都注定是默认的。但我似乎看不到该流量如何最终出现在wiregurad 网络接口上。这是怎么发生的?
$ ip -c route
default via 192.168.44.1 dev wlp0s20f3 proto dhcp src 192.168.44.83 metric 600
10.64.0.1 dev wg-mullvad proto static
192.168.44.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.44.83 metric 600
$ ip -c rule show
0: from all lookup local
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0x6d6f6c65 lookup 1836018789
32766: from all lookup main
32767: from all lookup default
$ ip -c a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
3: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether f0:20:ff:a7:68:db brd ff:ff:ff:ff:ff:ff
inet 192.168.44.83/24 brd 192.168.44.255 scope global dynamic noprefixroute wlp0s20f3
valid_lft 259023sec preferred_lft 259023sec
inet6 fe80::9f4e:c306:9e3d:8e8/64 scope link noprefixroute
valid_lft forever preferred_lft forever
9: wg-mullvad: <POINTOPOINT,UP,LOWER_UP> mtu 1380 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.147.23.252/32 scope global wg-mullvad
valid_lft forever preferred_lft forever
输出来自ip route show table 1836018789
:
$ ip route show table 1836018789
default dev wg-mullvad proto static
输出来自nft list ruleset
:
# nft list ruleset
table inet mullvad {
chain prerouting {
type filter hook prerouting priority -199; policy accept;
iif != "wg-mullvad" ct mark 0x00000f41 meta mark set 0x6d6f6c65
ip saddr 185.195.233.76 udp sport 19955 meta mark set 0x6d6f6c65
}
chain output {
type filter hook output priority filter; policy drop;
oif "lo" accept
ct mark 0x00000f41 accept
udp sport 68 ip daddr 255.255.255.255 udp dport 67 accept
ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff02::1:2 udp dport 547 accept
ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff05::1:3 udp dport 547 accept
ip6 daddr ff02::2 icmpv6 type nd-router-solicit icmpv6 code no-route accept
ip6 daddr ff02::1:ff00:0/104 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
ip6 daddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
ip6 daddr fe80::/10 icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
ip daddr 185.195.233.76 udp dport 19955 meta mark 0x6d6f6c65 accept
oif "wg-mullvad" udp dport 53 ip daddr 10.64.0.1 accept
oif "wg-mullvad" tcp dport 53 ip daddr 10.64.0.1 accept
udp dport 53 reject
tcp dport 53 reject with tcp reset
oif "wg-mullvad" accept
reject
}
chain input {
type filter hook input priority filter; policy drop;
iif "lo" accept
ct mark 0x00000f41 accept
udp sport 67 udp dport 68 accept
ip6 saddr fe80::/10 udp sport 547 ip6 daddr fe80::/10 udp dport 546 accept
ip6 saddr fe80::/10 icmpv6 type nd-router-advert icmpv6 code no-route accept
ip6 saddr fe80::/10 icmpv6 type nd-redirect icmpv6 code no-route accept
ip6 saddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
ip saddr 185.195.233.76 udp sport 19955 ct state established accept
iif "wg-mullvad" accept
}
chain forward {
type filter hook forward priority filter; policy drop;
ct mark 0x00000f41 accept
udp sport 68 ip daddr 255.255.255.255 udp dport 67 accept
udp sport 67 udp dport 68 accept
ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff02::1:2 udp dport 547 accept
ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff05::1:3 udp dport 547 accept
ip6 saddr fe80::/10 udp sport 547 ip6 daddr fe80::/10 udp dport 546 accept
ip6 daddr ff02::2 icmpv6 type nd-router-solicit icmpv6 code no-route accept
ip6 saddr fe80::/10 icmpv6 type nd-router-advert icmpv6 code no-route accept
ip6 saddr fe80::/10 icmpv6 type nd-redirect icmpv6 code no-route accept
ip6 daddr ff02::1:ff00:0/104 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
ip6 daddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
ip6 saddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
ip6 daddr fe80::/10 icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
oif "wg-mullvad" udp dport 53 ip daddr 10.64.0.1 accept
oif "wg-mullvad" tcp dport 53 ip daddr 10.64.0.1 accept
udp dport 53 reject
tcp dport 53 reject with tcp reset
oif "wg-mullvad" accept
iif "wg-mullvad" ct state established accept
reject
}
chain mangle {
type route hook output priority mangle; policy accept;
oif "wg-mullvad" udp dport 53 ip daddr 10.64.0.1 accept
oif "wg-mullvad" tcp dport 53 ip daddr 10.64.0.1 accept
meta cgroup 5087041 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
}
chain nat {
type nat hook postrouting priority srcnat; policy accept;
oif "wg-mullvad" ct mark 0x00000f41 drop
oif != "lo" ct mark 0x00000f41 masquerade
}
}