WireGuard: packets coming back from the server are dropped

I have now set up wireguard on a server (with NAT enabled) and a client (ubuntu). When I do not route all traffic through the tunnel, everything works. As soon as I start routing all traffic through the tunnel, as described in https://www.wireguard.com/netns/#improved-rule-based-routing, no communication is possible anymore; I cannot even ping the server's internal tunnel address from the client.

Routing on the server apparently works. On the client, traffic also seems to be routed correctly. Packets from the client show up in wireguard on the server, but packets from the server do not show up in the wireguard network on the client. On the physical link between client and server, UDP traffic flows in both directions.

I also set up a client on an Android device, and it works fine. All traffic is routed through the wireguard tunnel. So it must be a problem with my ubuntu client.

Here is all the relevant information and the analysis I have done so far.


I did some investigation with tcpdump. So I continuously pinged the following three addresses from the client: 8.8.8.8, 192.168.137.1 (the server in the wireguard network) and aaa.bbb.cc.dd (the server in the real world).

The hosts are as follows:

  • Client in the local network: 192.168.1.103/24
  • Client in the wireguard network: 192.168.137.23/24
  • Server in the wireguard network: 192.168.138.1/24
  • Server globally: aaa.bbb.ccc.dd

tcpdump on the server, on the wireguard interface:

11:25:18.141089 IP 192.168.137.23 > 192.168.137.1: ICMP echo request, id 7162, seq 4997, length 64
11:25:18.141120 IP 192.168.137.1 > 192.168.137.23: ICMP echo reply, id 7162, seq 4997, length 64
11:25:18.654894 IP 192.168.137.23 > aaa.bbb.cc.dd: ICMP echo request, id 8772, seq 2625, length 64
11:25:18.654917 IP aaa.bbb.cc.dd > 192.168.137.23: ICMP echo reply, id 8772, seq 2625, length 64
11:25:18.654928 IP 192.168.137.23 > 8.8.8.8: ICMP echo request, id 7116, seq 5023, length 64
11:25:18.658361 IP 8.8.8.8 > 192.168.137.23: ICMP echo reply, id 7116, seq 5023, length 64
11:25:19.163161 IP 192.168.137.23 > 192.168.137.1: ICMP echo request, id 7162, seq 4998, length 64
11:25:19.163197 IP 192.168.137.1 > 192.168.137.23: ICMP echo reply, id 7162, seq 4998, length 64
11:25:19.677354 IP 192.168.137.23 > aaa.bbb.cc.dd: ICMP echo request, id 8772, seq 2626, length 64
11:25:19.677382 IP aaa.bbb.cc.dd > 192.168.137.23: ICMP echo reply, id 8772, seq 2626, length 64
11:25:19.677393 IP 192.168.137.23 > 8.8.8.8: ICMP echo request, id 7116, seq 5024, length 64
11:25:19.680897 IP 8.8.8.8 > 192.168.137.23: ICMP echo reply, id 7116, seq 5024, length 64
11:25:20.185851 IP 192.168.137.23 > 192.168.137.1: ICMP echo request, id 7162, seq 4999, length 64

The echo requests arrive and are answered correctly.

Now on the client's wireguard interface:

10:48:33.129645 IP 192.168.137.23 > 192.168.137.1: ICMP echo request, id 7162, seq 2799, length 64
10:48:33.961380 IP 192.168.137.23 > 8.8.8.8: ICMP echo request, id 7116, seq 2825, length 64
10:48:33.961393 IP 192.168.137.23 > aaa.bbb.cc.dd: ICMP echo request, id 8772, seq 427, length 64
10:48:34.153335 IP 192.168.137.23 > 192.168.137.1: ICMP echo request, id 7162, seq 2800, length 64
10:48:34.985387 IP 192.168.137.23 > aaa.bbb.cc.dd: ICMP echo request, id 8772, seq 428, length 64
10:48:34.985434 IP 192.168.137.23 > 8.8.8.8: ICMP echo request, id 7116, seq 2826, length 64
10:48:35.177511 IP 192.168.137.23 > 192.168.137.1: ICMP echo request, id 7162, seq 2801, length 64
10:48:36.009515 IP 192.168.137.23 > 8.8.8.8: ICMP echo request, id 7116, seq 2827, length 64
10:48:36.009539 IP 192.168.137.23 > aaa.bbb.cc.dd: ICMP echo request, id 8772, seq 429, length 64
10:48:36.201508 IP 192.168.137.23 > 192.168.137.1: ICMP echo request, id 7162, seq 2802, length 64
10:48:37.033320 IP 192.168.137.23 > aaa.bbb.cc.dd: ICMP echo request, id 8772, seq 430, length 64
10:48:37.033360 IP 192.168.137.23 > 8.8.8.8: ICMP echo request, id 7116, seq 2828, length 64

Only echo requests, no replies :(

Now the UDP traffic on the client's physical interface:

10:50:12.265631 IP 192.168.1.103.52635 > aaa.bbb.cc.dd.51820: UDP, length 148
10:50:12.294673 IP aaa.bbb.cc.dd.51820 > 192.168.1.103.52635: UDP, length 92
10:50:17.385691 IP 192.168.1.103.52635 > aaa.bbb.cc.dd.51820: UDP, length 148
10:50:17.422843 IP aaa.bbb.cc.dd.51820 > 192.168.1.103.52635: UDP, length 92
10:50:22.441620 IP 192.168.1.103.52635 > aaa.bbb.cc.dd.51820: UDP, length 148
10:50:22.472414 IP aaa.bbb.cc.dd.51820 > 192.168.1.103.52635: UDP, length 92
10:50:27.625664 IP 192.168.1.103.52635 > aaa.bbb.cc.dd.51820: UDP, length 148
10:50:27.748373 IP aaa.bbb.cc.dd.51820 > 192.168.1.103.52635: UDP, length 92
10:50:32.745569 IP 192.168.1.103.52635 > aaa.bbb.cc.dd.51820: UDP, length 148

So packets are coming from and going to the wireguard server.

wireguard configuration on the client:

root@kaksi:~# wg
interface: wireguard
  public key: eJIcjMR6/M73mPI8AvvzAr9hV2qFarMwXEWDiOH+Pzk=
  private key: (hidden)
  listening port: 52635
  fwmark: 0x926

peer: 0bseDMk5UFx+j+6Zk8FDYv4OXakOIfZj7UTdMQPtsXM=
  endpoint: aaa.bbb.cc.dd:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 6 minutes, 34 seconds ago
  transfer: 134.99 KiB received, 322.50 KiB sent

wireguard configuration on the server:

interface: wg0
  public key: 0bseDMk5UFx+j+6Zk8FDYv4OXakOIfZj7UTdMQPtsXM=
  private key: (hidden)
  listening port: 51820

peer: eJIcjMR6/M73mPI8AvvzAr9hV2qFarMwXEWDiOH+Pzk=
  endpoint: <client's-global-ip>:52635
  allowed ips: 192.168.137.0/24
  latest handshake: 49 seconds ago
  transfer: 781.02 KiB received, 791.92 KiB sent

Routes on the client:

root@kaksi:~# ip route show table all
default dev wireguard table 2468 scope link 
default via 192.168.1.254 dev wlp58s0 proto dhcp metric 600 
169.254.0.0/16 dev wlp58s0 scope link metric 1000 
192.168.1.0/24 dev wlp58s0 proto kernel scope link src 192.168.1.103 metric 600 
192.168.137.0/24 dev wireguard proto kernel scope link src 192.168.137.23 metric 50 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev wlp58s0 table local proto kernel scope link src 192.168.1.103 
local 192.168.1.103 dev wlp58s0 table local proto kernel scope host src 192.168.1.103 
broadcast 192.168.1.255 dev wlp58s0 table local proto kernel scope link src 192.168.1.103 
broadcast 192.168.137.0 dev wireguard table local proto kernel scope link src 192.168.137.23 
local 192.168.137.23 dev wireguard table local proto kernel scope host src 192.168.137.23 
broadcast 192.168.137.255 dev wireguard table local proto kernel scope link src 192.168.137.23 
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev wlp58s0 proto kernel metric 600 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::b6ac:1f:5294:7a4b dev wlp58s0 table local proto kernel metric 0 pref medium
ff00::/8 dev wireguard table local metric 256 pref medium
ff00::/8 dev wlp58s0 table local metric 256 pref medium

Routing rules on the client:

root@kaksi:~# ip rule show all
0:      from all lookup local 
32764:  from all lookup main suppress_prefixlength 0 
32765:  not from all fwmark 0x926 lookup 2468 
32766:  from all lookup main 
32767:  from all lookup default 

There are no iptables rules on either host, apart from the nat rule on the server.

The server is debian buster with the wireguard package from debian stable (0.0.20190913-1).

The client is ubuntu 18.04 with the wireguard package from ubuntu eoan (0.0.20190913-1ubuntu1).
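As an added example (not part of the original question), the script below turns the three captures above into two checks a defender can run over any tcpdump output: it pairs ICMP echo requests with replies by (destination, id, seq) to list the unanswered ones, and it classifies the UDP packets on the physical link by WireGuard's fixed message sizes (148 bytes handshake initiation, 92 bytes handshake response, 64 bytes cookie reply, anything else transport data). Only initiations and responses on the physical link, with no transport-sized packets, means the initiator keeps retrying the handshake every 5 seconds instead of sending data over a completed session; the sample lines are copied from the captures quoted in the question.

```python
import re
from collections import Counter

# Sample lines copied from the tcpdump captures quoted in the question.
CLIENT_WG_CAPTURE = """\
10:48:33.129645 IP 192.168.137.23 > 192.168.137.1: ICMP echo request, id 7162, seq 2799, length 64
10:48:33.961380 IP 192.168.137.23 > 8.8.8.8: ICMP echo request, id 7116, seq 2825, length 64
10:48:34.153335 IP 192.168.137.23 > 192.168.137.1: ICMP echo request, id 7162, seq 2800, length 64
""".splitlines()
SERVER_WG_CAPTURE = """\
11:25:18.141089 IP 192.168.137.23 > 192.168.137.1: ICMP echo request, id 7162, seq 4997, length 64
11:25:18.141120 IP 192.168.137.1 > 192.168.137.23: ICMP echo reply, id 7162, seq 4997, length 64
""".splitlines()
PHYSICAL_CAPTURE = """\
10:50:12.265631 IP 192.168.1.103.52635 > aaa.bbb.cc.dd.51820: UDP, length 148
10:50:12.294673 IP aaa.bbb.cc.dd.51820 > 192.168.1.103.52635: UDP, length 92
10:50:17.385691 IP 192.168.1.103.52635 > aaa.bbb.cc.dd.51820: UDP, length 148
10:50:17.422843 IP aaa.bbb.cc.dd.51820 > 192.168.1.103.52635: UDP, length 92
""".splitlines()

ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")
UDP_RE = re.compile(r"IP \S+\.(\d+) > \S+\.(\d+): UDP, length (\d+)")
# Fixed WireGuard message sizes; any other length is a transport-data packet.
WG_MSG_BY_LEN = {148: "handshake-initiation", 92: "handshake-response", 64: "cookie-reply"}

def unanswered_echo(lines):
    """Return (dst, id, seq) of every echo request that has no matching reply."""
    requests, replies = set(), set()
    for line in lines:
        m = ICMP_RE.search(line)
        if not m:
            continue
        src, dst, kind, ident, seq = m.groups()
        if kind == "request":
            requests.add((dst, ident, seq))
        else:
            replies.add((src, ident, seq))   # reply comes back from the pinged host
    return sorted(requests - replies)

def wg_message_mix(lines, wg_port="51820"):
    """Count WireGuard message types on the physical link, judged by UDP length."""
    mix = Counter()
    for line in lines:
        m = UDP_RE.search(line)
        if m and wg_port in m.group(1, 2):
            mix[WG_MSG_BY_LEN.get(int(m.group(3)), "transport-data")] += 1
    return mix

def handshake_not_completing(mix):
    """Initiations are answered but no data ever flows: the initiator is
    rejecting or never consuming the responses and keeps retrying."""
    return (mix["handshake-initiation"] > 0 and mix["handshake-response"] > 0
            and mix["transport-data"] == 0)
```

On the client capture every request is unanswered while the server capture pairs cleanly, and the physical-link mix is handshake-only, so the check flags it.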

Answer 1

I just fixed a very similar problem with:

iptables -A FORWARD -o wg0 -j ACCEPT
