我需要确保来自特定 (Docker) 容器的出站流量通过我的 (WireGuard) VPN(在我的 VPS 上运行)进行隧道传输,以使用我的 VPS 外部 IP 退出到 Internet,但我没有成功。
这是我的环境:
- 虚拟专用服务器:
- WireGuard 网关接口打开
wg010.0.80.1/24 - 面向互联网的接口
eth0,启用伪装 - 已启用 IP 转发
- WireGuard 网关接口打开
- 家庭服务器:
- 到 VPS 的 WireGuard 隧道开启
wg010.0.80.200/24 - 面向 LAN 的接口
enp45s010.0.1.200,可通过10.0.1.1 docker8210.0.82.1/24:Docker 容器的桥梁10.0.82.14需要挖隧道的容器- Docker iptables 被禁用,伪装和转发是使用 nftables 手动设置的,在下面描述的内容之前确认工作正常
- 已启用 IP 转发
- 到 VPS 的 WireGuard 隧道开启
我已经使用 WireGuard 在其他设备上使用 VPS 作为默认网关进行了测试AllowedIPs = 0.0.0.0/0, ::/0,因此我知道 VPS 上的伪装和转发确实有效。
我尝试在我的家庭服务器上设置基于源的路由,如下所示:
echo "100 wireguard" >>/etc/iproute2/rt_tables
ip rule add from 10.0.82.14 table wireguard
ip route add default via 10.0.80.1 dev wg0 table wireguard
ip route add 10.0.1.1 dev enp45s0 table wireguard # needed for Docker DNS resolver
在容器 ( 10.0.82.14) 内,我确实可以访问,10.0.80.1但 ping 公共 IP 会导致目标主机无法访问响应:
a468bb1b5494:~# ip route
default via 10.0.82.1 dev eth0
10.0.82.0/24 dev eth0 proto kernel scope link src 10.0.82.14
a468bb1b5494:~# ping 10.0.80.1
PING 10.0.80.1 (10.0.80.1) 56(84) bytes of data.
64 bytes from 10.0.80.1: icmp_seq=1 ttl=63 time=9.06 ms
64 bytes from 10.0.80.1: icmp_seq=2 ttl=63 time=9.28 ms
^C
--- 10.0.80.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 9.057/9.170/9.284/0.113 ms
a468bb1b5494:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.0.82.1 icmp_seq=1 Destination Host Unreachable
From 10.0.82.1 icmp_seq=2 Destination Host Unreachable
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1016ms
tcpdumpdocker82从容器主机(主服务器)启动:
laxis@nuc:~$ sudo tcpdump -n -i docker82 icmp
listening on docker82, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:21:41.229730 IP 10.0.82.14 > 10.0.80.1: ICMP echo request, id 28, seq 1, length 64
14:21:41.351761 IP 10.0.80.1 > 10.0.82.14: ICMP echo reply, id 28, seq 1, length 64
14:21:42.231232 IP 10.0.82.14 > 10.0.80.1: ICMP echo request, id 28, seq 2, length 64
14:21:42.241748 IP 10.0.80.1 > 10.0.82.14: ICMP echo reply, id 28, seq 2, length 64
14:21:43.488539 IP 10.0.82.14 > 8.8.8.8: ICMP echo request, id 29, seq 1, length 64
14:21:43.488686 IP 10.0.82.1 > 10.0.82.14: ICMP host 8.8.8.8 unreachable, length 92
14:21:44.515474 IP 10.0.82.14 > 8.8.8.8: ICMP echo request, id 29, seq 2, length 64
14:21:44.515576 IP 10.0.82.1 > 10.0.82.14: ICMP host 8.8.8.8 unreachable, length 92
tcpdumpwg0从家庭服务器上:
laxis@nuc:~$ sudo tcpdump -n -i wg0 icmp
listening on wg0, link-type RAW (Raw IP), snapshot length 262144 bytes
14:23:40.848287 IP 10.0.82.14 > 10.0.80.1: ICMP echo request, id 30, seq 1, length 64
14:23:40.857968 IP 10.0.80.1 > 10.0.82.14: ICMP echo reply, id 30, seq 1, length 64
14:23:41.849639 IP 10.0.82.14 > 10.0.80.1: ICMP echo request, id 30, seq 2, length 64
14:23:41.859707 IP 10.0.80.1 > 10.0.82.14: ICMP echo reply, id 30, seq 2, length 64
14:23:43.230307 IP 10.0.82.14 > 8.8.8.8: ICMP echo request, id 31, seq 1, length 64
14:23:44.259534 IP 10.0.82.14 > 8.8.8.8: ICMP echo request, id 31, seq 2, length 64
wg0VPS 侧的接口看不到 的任何回显请求数据包8.8.8.8。
目前我不明白自定义路由表是否有任何作用;看起来网络堆栈确实以某种方式通过 发送数据包wg0,但仍然在内部进行回复,就好像主机无法访问一样。
有谁知道这可能与什么有关?
谢谢
答案1
解决方案比预期更明显......我的灵感来自这个答案最后评论了AllowedIPsWireGuard 对等配置的设置0.0.0.0/0。
最终的配置更加简单,甚至作为示例包含在wg-quick手动的:只需将 WireGuard 配置为使用单独的路由表(以避免替换系统的默认网关路由,在本例中我不希望这样做),然后使用该表进行基于源的路由。
/etc/wireguard/wg0.conf:
[Interface]
PrivateKey = ...
Address = 10.0.80.200/32, fd80::200/128
Table = 100 # 100 = wireguard table
PostUp = ip route add 10.0.1.1 dev enp45s0 table wireguard
PostUp = ip rule add from 10.0.82.14 table wireguard
PreDown = ip rule del from 10.0.82.14 table wireguard
PreDown = ip route del 10.0.1.1 dev enp45s0 table wireguard
[Peer]
PublicKey = ...
Endpoint = ...
AllowedIPs = 0.0.0.0/0, ::/0