I can't get a VPN connection working between an AWS EC2 instance and OVH Public Cloud. /var/log/syslog
shows no errors, only a few wg-quick
messages about adding routes and the like.
AWS EC2 instance:
- OS: Ubuntu 20.04.2 LTS
- Internal IP address (e.g.): 10.0.22.22/16 on ens4
- Public IP address (e.g.): 123.123.123.123/32 on the aws public interface
- Ports: 12345/udp and 12345/tcp, opened in the Security group
- Configuration, /etc/wireguard/wg0.conf:

[Interface]
Address = 10.10.0.1/24
SaveConfig = false
PrivateKey = <aws-private-key>
ListenPort = 12345
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens4 -j MASQUERADE;

[Peer]
PublicKey = <ovh-public-key>
AllowedIPs = 10.10.0.2/24, 192.168.10.0/16
Endpoint = 321.321.321.321:12345
OVH Public Cloud instance:
- OS: Ubuntu 21.04
- Internal IP address (e.g.): 192.168.10.100/16 on enp0s2
- Public IP address (e.g.): 321.321.321.321/32 on enp0s1
- Ports: 12345/udp and 12345/tcp, opened in ufw
- Configuration, /etc/wireguard/wg0.conf:

[Interface]
Address = 10.10.0.2/24
SaveConfig = false
PrivateKey = <ovh-private-key>
ListenPort = 12345
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s1 -j MASQUERADE;
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s1 -j MASQUERADE;

[Peer]
PublicKey = <aws-public-key>
AllowedIPs = 10.10.0.1/24, 10.0.0.0/16
Endpoint = 123.123.123.123:12345
On both:
- net.ipv4.ip_forward=1 in /etc/sysctl.conf
- Command: wg-quick up /etc/wireguard/wg0.conf
- Both are running and have created the wg0 interface with the IP from wg0.conf
Summary:
curl to an application listening on the open port 80/tcp does not work on either side.
Am I missing something? How can I debug this? I've read several articles but still can't figure it out.
Update:
Following @Tom Yan's suggestion, after changing /etc/wireguard/wg0.conf from
AllowedIPs = 10.10.0.x/24, (...)
to
AllowedIPs = 10.10.0.x/32, (...)
the communication works.
But I'm having trouble with routing. This is what happens when pinging other servers that sit in the same network as the VPN server.
On AWS I added the following rule to the route table:
192.168.10.0/16 via AWS-VPN-interface
On OVH-some-instance I ran:
ip route add 10.0.0.0/16 via 192.168.10.100 dev eno4
Ping summary:
OVH-VPN -> AWS-VPN OK
OVH-VPN -> AWS-some-instance timeout
OVH-some-instance -> AWS-VPN OK
OVH-some-instance -> AWS-some-instance timeout
AWS-VPN -> OVH-VPN OK
AWS-VPN -> OVH-some-instance OK
AWS-some-instance -> OVH-VPN timeout
AWS-some-instance -> OVH-some-instance timeout
In the logs I only see this message:
$: dmesg -wH
[Jul20 13:40] wireguard: wg0: Receiving keepalive packet from peer 5 (123.123.123.123:12345)
iptables and routes
AWS-VPN:
$: iptables-save
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
$: ip route
default via 10.0.22.1 dev ens4 proto dhcp src 10.0.22.22 metric 100
10.0.22.0/19 dev ens4 proto kernel scope link src 10.0.22.22
10.0.22.1 dev ens4 proto dhcp scope link src 10.0.22.22 metric 100
10.10.0.2 dev wg0 scope link
192.168.10.0/16 dev wg0 scope link
### AWS Console Panel rules for AWS-VPN server
Custom TCP TCP 12345 321.321.321.321/32
Custom UDP UDP 12345 321.321.321.321/32
All traffic All All 321.321.321.321/32
All traffic All All 10.0.0.0/16
All traffic All All 192.168.10.0/16
All traffic All All 10.10.0.2/32
OVH-VPN:
$: iptables-save
*filter
:INPUT ACCEPT [26612:55893110]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34036:3715836]
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [69:5450]
-A POSTROUTING -o enp0s1 -j MASQUERADE
COMMIT
$: ip route
default via 321.321.321.1 dev enp0s1 proto dhcp src 321.321.321.321 metric 100
10.0.0.0/16 dev wg0 scope link
321.321.321.1 dev enp0s2 proto dhcp scope link src 321.321.321.321 metric 100
169.254.169.254 via 192.168.10.2 dev enp0s2 proto dhcp src 192.168.10.100 metric 100
10.10.0.1 dev wg0 scope link
192.168.10.0/16 dev enp0s2 proto kernel scope link src 192.168.10.100
$: firewall-cmd --list-all-zones
# I removed empty lines
internal (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 10.0.0.0/16 10.10.0.1/32 123.123.123.123/32
services: dhcpv6-client mdns ssh
ports: 12345/tcp 12345/udp
public (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 123.123.123.123/32
services: dhcpv6-client ssh
ports: 12345/tcp 12345/udp
What else should I do to make this work?
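The question turns on WireGuard's cryptokey routing: a packet only enters the tunnel if some peer's AllowedIPs contains its destination, and a decrypted packet is only delivered if its source address maps back to the peer it arrived from. The following is an added example, not code from the question or from its answerer; it parses a wg-quick style config and applies those two lookups, and it flags the two properties of the first config above (a peer prefix that covers the local tunnel address, and a non-canonical network like 192.168.10.0/16). The sample configs are constructed from the AWS side of the question, and the key strings are the question's placeholders, not real keys.

```python
"""Cryptokey-routing check for a WireGuard site-to-site wg0.conf.

Added example, not part of the original question. The sample configs below
are constructed from the AWS side of the question; the key strings are the
question's placeholders, not real keys.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    public_key: str = ""
    # (text as written in the file, parsed network) pairs
    allowed: list = field(default_factory=list)


@dataclass
class WgConfig:
    address: ipaddress.IPv4Interface
    peers: list


def parse_wg_conf(text):
    """Parse the [Interface] Address and every [Peer] PublicKey/AllowedIPs.
    PostUp/PostDown and the other keys play no part in cryptokey routing."""
    address, peers, section = None, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append(Peer())
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if section == "interface" and key == "address":
            address = ipaddress.ip_interface(value.split(",")[0].strip())
        elif section == "peer" and key == "publickey":
            peers[-1].public_key = value
        elif section == "peer" and key == "allowedips":
            for cidr in value.split(","):
                cidr = cidr.strip()
                # strict=False mirrors the kernel: host bits are masked off
                peers[-1].allowed.append((cidr, ipaddress.ip_network(cidr, strict=False)))
    return WgConfig(address=address, peers=peers)


def peer_for_destination(cfg, dst):
    """Outbound lookup: the peer whose AllowedIPs has the longest prefix
    containing dst, or None (a packet with no owner is never encrypted)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for peer in cfg.peers:
        for _, net in peer.allowed:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best


def accepts_source(cfg, public_key, src):
    """Inbound check: a packet decrypted from public_key is delivered only
    if its source maps back to that same peer; otherwise WireGuard drops it."""
    match = peer_for_destination(cfg, src)
    return match is not None and match[0].public_key == public_key


def lint(cfg):
    """Warnings for AllowedIPs entries that misroute site-to-site traffic."""
    warnings = []
    owner = {}
    for peer in cfg.peers:
        for raw, net in peer.allowed:
            if raw != str(net):
                warnings.append(f"{raw} is not a canonical network; WireGuard installs it as {net}")
            if cfg.address.ip in net:
                warnings.append(f"{raw} covers the local tunnel address {cfg.address.ip}")
            if net in owner and owner[net] != peer.public_key:
                # a prefix belongs to exactly one peer; the last peer configured wins
                warnings.append(f"{net} is listed on two peers; only the last one keeps it")
            owner[net] = peer.public_key
    return warnings


# Constructed sample: the AWS side as first posted, and after the /24 -> /32 change.
ORIGINAL = """\
[Interface]
Address = 10.10.0.1/24
ListenPort = 12345
PrivateKey = <aws-private-key>

[Peer]
PublicKey = <ovh-public-key>
AllowedIPs = 10.10.0.2/24, 192.168.10.0/16
Endpoint = 321.321.321.321:12345
"""
FIXED = ORIGINAL.replace("10.10.0.2/24", "10.10.0.2/32")

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("fixed", FIXED)):
        cfg = parse_wg_conf(text)
        print(f"== {name}")
        for w in lint(cfg):
            print("  warning:", w)
        for dst in ("10.10.0.2", "192.168.10.100", "10.0.22.22"):
            hit = peer_for_destination(cfg, dst)
            print(f"  {dst} -> {hit[1] if hit else 'no peer; stays out of the tunnel'}")
```

The lookup for 10.0.22.22 returning no peer on the AWS side is the intended behaviour (that is a local VPC address), but the same test run against the OVH config is the thing to check for the return path: a reply from an AWS instance to 192.168.10.x is only encrypted if 192.168.10.0/16 is in the AWS peer entry, and is only accepted on arrival if the AWS source prefix (10.0.0.0/16) is in the OVH side's AllowedIPs for that peer. On a live host, `wg show wg0 allowed-ips` prints the table the kernel actually installed, which is the authoritative version of what this script computes from the file.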