在以下场景中,我设置了一台机器 (a),它位于一个简单的 NAT 后面,无需进一步配置,建立了到另一台机器 (b) 的 Wireguard 隧道 (wg0),该机器使用静态 IP 连接到互联网,没有 NAT。 (所有机器都在 Debian 10 上运行)
机器(a)通过 Wireguard 向机器(b)公开 SSH 和 HTTP 服务。
当我在本地机器(a)上时,一切都运行正常,机器会立即对任何 SSH 命令和 HTTP 请求做出反应。
隧道 (wg0) 似乎也运行良好,握手正常,机器 (a) 可以 ping 机器 (b),反之亦然,机器 (b) 可以通过 SSH 连接到机器 (b) 上公开的服务;但是,例如,当我在机器 (a) 上通过 Wireguard (wg0) 使用 VIM 时,实际上需要几分钟才能加载 tui,而 nano 可以立即加载。当我跟踪日志时,输出非常大,可能需要几秒到几分钟才能显示出来。最后,从机器 (b) 通过 Wireguard (wg0) 向机器 (a) 发出 HTTP 请求大约需要 30 秒才能成功。
Machine (a)'s wg0 IP: 10.200.1.7
Machine (a)'s HTTP Port: 9500
Machine (b)'s wg0 IP: 10.200.1.1
以下是机器 (a) 的 wg0 接口上的 HTTP 请求的 tcpdump 示例,大约需要 35 秒才能成功:
01:05:53.261678 IP 10.200.1.1.58062 > 10.200.1.7.9500: Flags [S], seq 592157087, win 27600, options [mss 1380,sackOK,TS val 4192760482 ecr 0,nop,wscale 7], length 0
01:05:53.261809 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [S.], seq 1181067477, ack 592157088, win 28960, options [mss 1460,sackOK,TS val 1595828258 ecr 4192760482,nop,wscale 7], length 0
01:05:53.284094 IP 10.200.1.1.58062 > 10.200.1.7.9500: Flags [.], ack 1, win 216, options [nop,nop,TS val 4192760502 ecr 1595828258], length 0
01:05:53.284163 IP 10.200.1.1.58062 > 10.200.1.7.9500: Flags [P.], seq 1:80, ack 1, win 216, options [nop,nop,TS val 4192760502 ecr 1595828258], length 79
01:05:53.284295 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], ack 80, win 227, options [nop,nop,TS val 1595828280 ecr 4192760502], length 0
01:05:53.312174 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1:2737, ack 80, win 227, options [nop,nop,TS val 1595828308 ecr 4192760502], length 2736
01:05:53.312195 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [P.], seq 2737:4240, ack 80, win 227, options [nop,nop,TS val 1595828308 ecr 4192760502], length 1503
01:05:53.312241 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [P.], seq 4240:5310, ack 80, win 227, options [nop,nop,TS val 1595828308 ecr 4192760502], length 1070
01:05:53.312284 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [P.], seq 5310:5315, ack 80, win 227, options [nop,nop,TS val 1595828308 ecr 4192760502], length 5
01:05:53.335447 IP 10.200.1.1.58062 > 10.200.1.7.9500: Flags [.], ack 1, win 224, options [nop,nop,TS val 4192760554 ecr 1595828280,nop,nop,sack 1 {4105:4240}], length 0
01:05:53.335498 IP 10.200.1.1.58062 > 10.200.1.7.9500: Flags [.], ack 1, win 241, options [nop,nop,TS val 4192760554 ecr 1595828280,nop,nop,sack 1 {4105:5310}], length 0
01:05:53.335507 IP 10.200.1.1.58062 > 10.200.1.7.9500: Flags [.], ack 1, win 241, options [nop,nop,TS val 4192760554 ecr 1595828280,nop,nop,sack 1 {4105:5315}], length 0
01:05:53.335548 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1:1369, ack 80, win 227, options [nop,nop,TS val 1595828331 ecr 4192760554], length 1368
01:05:53.567095 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1:1369, ack 80, win 227, options [nop,nop,TS val 1595828563 ecr 4192760554], length 1368
01:05:54.043110 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1:1369, ack 80, win 227, options [nop,nop,TS val 1595829039 ecr 4192760554], length 1368
01:05:54.971106 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1:1369, ack 80, win 227, options [nop,nop,TS val 1595829967 ecr 4192760554], length 1368
01:05:56.794963 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1:1369, ack 80, win 227, options [nop,nop,TS val 1595831791 ecr 4192760554], length 1368
01:05:58.299595 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [F.], seq 5315, ack 80, win 227, options [nop,nop,TS val 1595833295 ecr 4192760554], length 0
01:05:58.320249 IP 10.200.1.1.58062 > 10.200.1.7.9500: Flags [.], ack 1, win 241, options [nop,nop,TS val 4192765540 ecr 1595828280,nop,nop,sack 1 {4105:5316}], length 0
01:05:58.320392 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1:1369, ack 80, win 227, options [nop,nop,TS val 1595833316 ecr 4192765540], length 1368
01:05:58.547111 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1:1369, ack 80, win 227, options [nop,nop,TS val 1595833543 ecr 4192765540], length 1368
01:05:59.003093 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1:1369, ack 80, win 227, options [nop,nop,TS val 1595833999 ecr 4192765540], length 1368
01:05:59.931111 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1:1369, ack 80, win 227, options [nop,nop,TS val 1595834927 ecr 4192765540], length 1368
01:06:01.755118 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1:1369, ack 80, win 227, options [nop,nop,TS val 1595836751 ecr 4192765540], length 1368
01:06:05.595114 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1:1369, ack 80, win 227, options [nop,nop,TS val 1595840591 ecr 4192765540], length 1368
01:06:13.019153 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1:1369, ack 80, win 227, options [nop,nop,TS val 1595848015 ecr 4192765540], length 1368
01:06:27.611117 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1:1369, ack 80, win 227, options [nop,nop,TS val 1595862607 ecr 4192765540], length 1368
01:06:27.634605 IP 10.200.1.1.58062 > 10.200.1.7.9500: Flags [.], ack 1369, win 263, options [nop,nop,TS val 4192794853 ecr 1595862607,nop,nop,sack 1 {4105:5316}], length 0
01:06:27.634721 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 1369:2737, ack 80, win 227, options [nop,nop,TS val 1595862630 ecr 4192794853], length 1368
01:06:27.634755 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], seq 2737:4105, ack 80, win 227, options [nop,nop,TS val 1595862630 ecr 4192794853], length 1368
01:06:27.656603 IP 10.200.1.1.58062 > 10.200.1.7.9500: Flags [.], ack 2737, win 284, options [nop,nop,TS val 4192794876 ecr 1595862630,nop,nop,sack 1 {4105:5316}], length 0
01:06:27.656683 IP 10.200.1.1.58062 > 10.200.1.7.9500: Flags [.], ack 5316, win 305, options [nop,nop,TS val 4192794877 ecr 1595862630], length 0
01:06:27.658916 IP 10.200.1.1.58062 > 10.200.1.7.9500: Flags [F.], seq 80, ack 5316, win 305, options [nop,nop,TS val 4192794877 ecr 1595862630], length 0
01:06:27.659043 IP 10.200.1.7.9500 > 10.200.1.1.58062: Flags [.], ack 81, win 227, options [nop,nop,TS val 1595862655 ecr 4192794877], length 0
我还通过另一条隧道(wg1)从机器(c)进行了测试,机器(a)上的行为也相同......
您知道是什么原因导致这些问题吗?非常感谢您的建议!
答案1
当我减少 MTU(数据包长度)时,一切正常
ip link set dev wg0 mtu 1200