已解决 - 路由器作为 WireGuard 客户端 | 外部用户 IP 在家庭服务器上显示为 WireGuard 隧道的本地 IP

已解决 - 路由器作为 WireGuard 客户端 | 外部用户 IP 在家庭服务器上显示为 WireGuard 隧道的本地 IP

我已将我的 EdgeRouter-X 设置为 WireGuard 客户端(使用 IPv6),以便我的公共 IP 显示为 WireGuard 服务器的公共 IP。

这是因为我想使用 OVH 的 IP 和 Anti-DDoS 来托管家庭服务器,而不是使用我自己的不受保护的公共 IP。

我有 4 个公网 IP:

22.22.22.22

33.33.33.33

44.44.44.44

55.55.55.55

我的连接图如下:

OVH VPS Wireguard Server WG0 Tunnel (LOCAL Tunnel 10.0.0.1) [Port forwarding with IPTables] <-----> (LOCAL Tunnel 10.0.0.2) EdgeRouter X

EdgeRouter-X (LOCAL 192.168.1.1) [Port forwarding with EdgeRouter] <-----> (LOCAL 192.168.1.10) HOME-SERVER

我正在通过 wg0 隧道将 OVH 的 VPS(1-65535)的所有端口与 IPTables 转发到我的 EdgeRouter,然后再转发到我的家庭服务器,这样就可以了。

问题是,当用户连接到 22.22.22.22:80 时,他会成功显示网页,但他到服务器的 IP 结果是 10.0.0.1,而不是用户公共 IP。

这是我的 WG 服务器配置:

[Interface]

Address = 10.0.0.1/30

ListenPort = 51821

PrivateKey = CENSORED




### Client vpn

[Peer]

PublicKey = CENSORED

PresharedKey = CENSORED

AllowedIPs = 10.0.0.2/30

这是我的 WG 服务器 IPTables 配置,用于通过 WG0 将端口转发到 EdgeRouter:

# Generated by iptables-save v1.8.7 on Sun Jan  9 11:04:33 2022
*filter
:INPUT ACCEPT [971:145912]
:FORWARD ACCEPT [920:137172]
:OUTPUT ACCEPT [637:108812]
:f2b-sshd - [0:0]
COMMIT
# Completed on Sun Jan  9 11:04:33 2022
# Generated by iptables-save v1.8.7 on Sun Jan  9 11:04:33 2022
*nat
:PREROUTING ACCEPT [133:6792]
:INPUT ACCEPT [61:2272]
:OUTPUT ACCEPT [3:228]
:POSTROUTING ACCEPT [66:4011]
-A PREROUTING -i ens3 -p udp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p udp -m multiport --dports 51822:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p tcp -m multiport --dports 51822:65534 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p tcp -m multiport --dports 1000:51820 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p tcp -m multiport --dports 80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i ens3 -p udp -m multiport --dports 80,25,995,110,443,465,993,143 -j DNAT --to-destination 10.0.0.2
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Sun Jan  9 11:04:33 2022

这是我的 EdgeRouter-X 配置,带有 WG0 客户端和到家庭服务器的端口转发:

 firewall {
     all-ping enable
     broadcast-ping disable
     group {
         address-group MY_PUBLIC {
             address 22.22.22.22
             address 33.33.33.33
             address 44.44.44.44
             address 55.55.55.55
         }
     }
     ipv6-name WANv6_IN {
         default-action drop
         description "WAN inbound traffic forwarded to LAN"
         enable-default-log
         rule 10 {
             action accept
             description "Allow established/related sessions"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     ipv6-name WANv6_LOCAL {
         default-action drop
         description "WAN inbound traffic to the router"
         enable-default-log
         rule 10 {
             action accept
             description "Allow established/related sessions"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
         rule 30 {
             action accept
             description "Allow IPv6 icmp"
             protocol ipv6-icmp
         }
         rule 40 {
             action accept
             description "allow dhcpv6"
             destination {
                 port 546
             }
             protocol udp
             source {
                 port 547
             }
         }
     }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     modify wireguard_route {
         rule 5 {
             action modify
             destination {
                 group {
                     address-group MY_PUBLIC
                 }
             }
             modify {
                 table main
             }
         }
         rule 10 {
             action modify
             description wireguard-vpn
             modify {
                 table 1
             }
             source {
                 address 192.168.1.0/24
             }
         }
     }
     name WAN_IN {
         default-action drop
         description "WAN to internal"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     name WAN_LOCAL {
         default-action drop
         description "WAN to router"
         rule 10 {
             action accept
             description "Allow established/related"
             state {
                 established enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop invalid state"
             state {
                 invalid enable
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }
 interfaces {
     ethernet eth0 {
         address dhcp
         description Internet
         dhcpv6-pd {
             pd 0 {
                 interface eth1 {
                     service dhcpv6-stateful
                 }
                 interface eth2 {
                     service dhcpv6-stateful
                 }
                 interface eth3 {
                     service dhcpv6-stateful
                 }
                 interface switch0 {
                     host-address ::1
                     service slaac
                 }
                 prefix-length /64
             }
             rapid-commit enable
         }
         duplex auto
         firewall {
             in {
                 ipv6-name WANv6_IN
                 name WAN_IN
             }
             local {
                 ipv6-name WANv6_LOCAL
                 name WAN_LOCAL
             }
         }
         ipv6 {
             address {
                 autoconf
             }
             dup-addr-detect-transmits 1
         }
         speed auto
     }
     ethernet eth1 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth2 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth3 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth4 {
         description Local
         duplex auto
         poe {
             output off
         }
         speed auto
     }
     loopback lo {
     }
     switch switch0 {
         address 192.168.1.1/24
         description Local
         firewall {
             in {
                 modify wireguard_route
             }
         }
         mtu 1500
         switch-port {
             interface eth1 {
             }
             interface eth2 {
             }
             interface eth3 {
             }
             interface eth4 {
             }
             vlan-aware disable
         }
     }
     wireguard wg0 {
         address 10.0.0.2/30
         description Wireguard
         listen-port 51821
         mtu 1420
         peer CENSORED {
             allowed-ips 0.0.0.0/0
             endpoint [2001:41d0:52:400::6e3]:51821
             persistent-keepalive 25
             preshared-key /config/auth/wg-preshared.key
         }
         private-key /config/auth/wg.key
         route-allowed-ips false
     }
 }
 port-forward {
     auto-firewall enable
     hairpin-nat enable
     lan-interface switch0
     rule 1 {
         description "Allow ALL"
         forward-to {
             address 192.168.1.10
         }
         original-port 1-65535
         protocol tcp_udp
     }
     wan-interface wg0
 }
 protocols {
     static {
         table 1 {
             description "table to force wg0:aws"
             interface-route 0.0.0.0/0 {
                 next-hop-interface wg0 {
                 }
             }
             route 0.0.0.0/0 {
                 blackhole {
                     distance 255
                 }
             }
         }
     }
 }
 service {
     dhcp-server {
         disabled false
         hostfile-update disable
         shared-network-name LAN {
             authoritative enable
             subnet 192.168.1.0/24 {
                 default-router 192.168.1.1
                 dns-server 192.168.1.1
                 lease 86400
                 start 192.168.1.38 {
                     stop 192.168.1.243
                 }
                 static-mapping Node2 {
                     ip-address 192.168.1.10
                     mac-address 90:b1:1c:44:f6:da
                 }
                 static-mapping iDRAC {
                     ip-address 192.168.1.120
                     mac-address E0:DB:55:06:2D:14
                 }
             }
         }
         static-arp disable
         use-dnsmasq disable
     }
     dns {
         forwarding {
             cache-size 150
             listen-on switch0
         }
     }
     gui {
         http-port 80
         https-port 443
         older-ciphers enable
     }
     nat {
         rule 5002 {
             description wireguard-nat
             log disable
             outbound-interface wg0
             protocol all
             source {
                 address 192.168.1.0/24
             }
             type masquerade
         }
         rule 5003 {
             description "masquerade for WAN"
             log disable
             outbound-interface eth0
             protocol all
             type masquerade
         }
     }
     ssh {
         port 22
         protocol-version v2
     }
     unms {
     }
 }
 system {
     analytics-handler {
         send-analytics-report false
     }
     crash-handler {
         send-crash-report false
     }
     host-name EdgeRouter-X-5-Port
     login {
         user ubnt {
             authentication {
                 encrypted-password 
             }
             level admin
         }
     }
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
         server 1.ubnt.pool.ntp.org {
         }
         server 2.ubnt.pool.ntp.org {
         }
         server 3.ubnt.pool.ntp.org {
         }
     }
     offload {
         hwnat enable
         ipsec enable
     }
     syslog {
         global {
             facility all {
                 level notice
             }
             facility protocols {
                 level debug
             }
         }
     }
     time-zone UTC
 }

答案1

通过更改解决:

-A POSTROUTING -j MASQUERADE

和:

-A POSTROUTING -o ens3 -j MASQUERADE

相关内容