Ping fails, but Nslookup works over the Wireguard VPN


I ran into a strange situation while setting up wireguard.

My setup: Wireguard provides access to my network through a tunnel. An Active Directory domain controller provides DNS. Clients use that DNS server through the tunnel. A Linux client that uses the domain controller as its DNS server resolves DNS queries through the Wireguard tunnel without any problems.

The problem: a Windows client cannot browse while the wireguard tunnel is active. Ping fails but nslookup works. I can ping the DNS server (by IP address). I can ping external IP addresses (e.g. 1.1.1.1). Wireshark shows the DNS query going out but no reply coming back. The firewall on the wireguard server does not show the queries being blocked.

What am I doing wrong?

Here is my configuration:

Wireguard server

# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.101.0.1/16
SaveConfig = true
PostUp = ufw route allow in on wg0 out on enp6s0
PostUp = ufw route allow in on enp6s0 out on wg0
PostUp = ufw route allow in on wg0 out on enp1s0
PostUp = ufw route allow in on enp1s0 out on wg0
PostUp = iptables -t nat -I POSTROUTING -o enp6s0 -j MASQUERADE
PostUp = iptables -t nat -I POSTROUTING -o enp1s0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on enp6s0
PreDown = ufw route delete allow in on wg0 out on enp1s0
PreDown = ufw route delete allow in on enp6s0 out on wg0
PreDown = ufw route delete allow in on enp1s0 out on wg0
PreDown = iptables -t nat -D POSTROUTING -o enp6s0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <snipped>

Routing table on the Wireguard server

# ip route
default via <wan_gateway> dev enp1s0 proto static 
10.0.0.0/16 dev enp6s0 proto kernel scope link src 10.0.25.20 
10.0.0.0/16 via 10.0.1.254 dev enp6s0 proto static metric 100 
10.101.0.0/16 dev wg0 proto kernel scope link src 10.101.0.1 
<wan_ip_block>/22 dev enp1s0 proto kernel scope link src <wireguard_public_ip>

Firewall rules on the Wireguard server

# ufw status
Status: active

To                         Action      From
--                         ------      ----
51820/udp                  ALLOW       Anywhere                  
22/tcp                     ALLOW       Anywhere                  
3389                       ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
135/tcp                    ALLOW       Anywhere                  
389/tcp                    ALLOW       Anywhere                  
636/tcp                    ALLOW       Anywhere                  
3268/tcp                   ALLOW       Anywhere                  
3269/tcp                   ALLOW       Anywhere                  
53/tcp                     ALLOW       Anywhere                  
88/tcp                     ALLOW       Anywhere                  
445/tcp                    ALLOW       Anywhere                  
123/tcp                    ALLOW       Anywhere                  
464/tcp                    ALLOW       Anywhere                  
137/tcp                    ALLOW       Anywhere                  
138/tcp                    ALLOW       Anywhere                  
139/tcp                    ALLOW       Anywhere                  
135/udp                    ALLOW       Anywhere                  
137/udp                    ALLOW       Anywhere                  
138/udp                    ALLOW       Anywhere                  
389/udp                    ALLOW       Anywhere                  
445/udp                    ALLOW       Anywhere                  
1512/udp                   ALLOW       Anywhere                  
42/udp                     ALLOW       Anywhere                  
42/tcp                     ALLOW       Anywhere                  
1512/tcp                   ALLOW       Anywhere                  
500/udp                    ALLOW       Anywhere                  
49152:65535/tcp            ALLOW       Anywhere                  
49152:65535/udp            ALLOW       Anywhere                  
464                        ALLOW       Anywhere                  
5985:5986/tcp              ALLOW       Anywhere                  
53/udp                     ALLOW       Anywhere                  
51820/udp (v6)             ALLOW       Anywhere (v6)             
22/tcp (v6)                ALLOW       Anywhere (v6)             
3389 (v6)                  ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             
135/tcp (v6)               ALLOW       Anywhere (v6)             
389/tcp (v6)               ALLOW       Anywhere (v6)             
636/tcp (v6)               ALLOW       Anywhere (v6)             
3268/tcp (v6)              ALLOW       Anywhere (v6)             
3269/tcp (v6)              ALLOW       Anywhere (v6)             
53/tcp (v6)                ALLOW       Anywhere (v6)             
88/tcp (v6)                ALLOW       Anywhere (v6)             
445/tcp (v6)               ALLOW       Anywhere (v6)             
123/tcp (v6)               ALLOW       Anywhere (v6)             
464/tcp (v6)               ALLOW       Anywhere (v6)             
137/tcp (v6)               ALLOW       Anywhere (v6)             
138/tcp (v6)               ALLOW       Anywhere (v6)             
139/tcp (v6)               ALLOW       Anywhere (v6)             
135/udp (v6)               ALLOW       Anywhere (v6)             
137/udp (v6)               ALLOW       Anywhere (v6)             
138/udp (v6)               ALLOW       Anywhere (v6)             
389/udp (v6)               ALLOW       Anywhere (v6)             
445/udp (v6)               ALLOW       Anywhere (v6)             
1512/udp (v6)              ALLOW       Anywhere (v6)             
42/udp (v6)                ALLOW       Anywhere (v6)             
42/tcp (v6)                ALLOW       Anywhere (v6)             
1512/tcp (v6)              ALLOW       Anywhere (v6)             
500/udp (v6)               ALLOW       Anywhere (v6)             
49152:65535/tcp (v6)       ALLOW       Anywhere (v6)             
49152:65535/udp (v6)       ALLOW       Anywhere (v6)             
464 (v6)                   ALLOW       Anywhere (v6)             
5985:5986/tcp (v6)         ALLOW       Anywhere (v6)             
53/udp (v6)                ALLOW       Anywhere (v6)             

Anywhere on enp6s0         ALLOW FWD   Anywhere on wg0           
Anywhere on wg0            ALLOW FWD   Anywhere on enp6s0        
Anywhere on enp1s0         ALLOW FWD   Anywhere on wg0           
Anywhere on wg0            ALLOW FWD   Anywhere on enp1s0        
Anywhere (v6) on enp6s0    ALLOW FWD   Anywhere (v6) on wg0      
Anywhere (v6) on wg0       ALLOW FWD   Anywhere (v6) on enp6s0   
Anywhere (v6) on enp1s0    ALLOW FWD   Anywhere (v6) on wg0      
Anywhere (v6) on wg0       ALLOW FWD   Anywhere (v6) on enp1s0

Windows client

[Interface]
PrivateKey = <snipped>
Address = 10.101.0.4/32

[Peer]
PublicKey = <snipped>
AllowedIPs = 10.101.0.0/16, 10.0.0.0/16, <wan_ip_block>/22
Endpoint = <snipped>:51820

Answer 1

The problem was:

  • wireguard VPNs apparently configure a lower metric automatically than every other connection on the client
  • I had configured the client's DNS servers on the wired/Wi-Fi connection, not on the wireguard connection
  • Windows sends DNS queries through the connection with the lowest metric

Solution: add the DNS servers to the wireguard client configuration:

DNS = <ip_address_of_dns_server>, <ip_address_of_dns_server>

Full client configuration

[Interface]
PrivateKey = <snipped>
Address = 10.101.0.4/32
DNS = <ip_address_of_dns_server>, <ip_address_of_dns_server>

[Peer]
PublicKey = <snipped>
AllowedIPs = 10.101.0.0/16, 10.0.0.0/16, <wan_ip_block>/22
Endpoint = <snipped>:51820
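The answer above comes down to two facts about the Windows client: the tunnel adapter gets the lowest interface metric, and the DNS servers were attached to a different adapter. The following PowerShell script is an added diagnostic (it is not from the original post or from the WireGuard project) that shows exactly that state on a Windows client, so you can confirm the cause before and after adding `DNS =` to the `[Interface]` section. The tunnel alias `wg0`, the DC address `10.0.1.10` and the test name `dc01.corp.example` are assumed placeholders; substitute your own.

```powershell
# Added diagnostic, not part of the original question or answer.
# Shows which connected interface Windows prefers (lowest metric) and which
# interfaces carry DNS servers, then resolves a name explicitly via the DC.
param(
    [string]$TunnelAlias = 'wg0',               # assumption: adapter alias of the WireGuard tunnel
    [string]$DcAddress   = '10.0.1.10',         # assumption: AD DC / DNS server IP, not from the post
    [string]$TestName    = 'dc01.corp.example'  # assumption: a name only the internal DNS can resolve
)

# 1. Connected IPv4 interfaces, lowest metric first. The first row is the
#    interface Windows prefers when several could carry the traffic.
$ifaces = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Sort-Object InterfaceMetric
$ifaces | Select-Object InterfaceAlias, InterfaceIndex, InterfaceMetric, AutomaticMetric |
    Format-Table -AutoSize

# 2. DNS servers configured per interface (only interfaces that have any).
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
$dns | Select-Object InterfaceAlias, @{ n = 'ServerAddresses'; e = { $_.ServerAddresses -join ', ' } } |
    Format-Table -AutoSize

# 3. Verdict: is the tunnel the preferred interface, and does it own any DNS servers?
$tunnel = $ifaces | Where-Object { $_.InterfaceAlias -eq $TunnelAlias }
if (-not $tunnel) {
    Write-Warning "Tunnel interface '$TunnelAlias' is not connected; bring the tunnel up first."
    return
}
$tunnelDns = ($dns | Where-Object { $_.InterfaceAlias -eq $TunnelAlias }).ServerAddresses
$preferred = $ifaces[0].InterfaceAlias

if ($preferred -eq $TunnelAlias -and -not $tunnelDns) {
    Write-Warning ("'{0}' has the lowest metric ({1}) but no DNS servers. " -f $TunnelAlias, $tunnel.InterfaceMetric) +
                  "Queries follow this interface while the resolver addresses belong to another one; " +
                  "add 'DNS = <server>' to the [Interface] section of the client config."
}
elseif ($tunnelDns) {
    Write-Host ("'{0}' carries DNS servers: {1}" -f $TunnelAlias, ($tunnelDns -join ', '))
}
else {
    Write-Host ("Preferred interface is '{0}' (metric {1}); tunnel metric is {2}." -f
        $preferred, $ifaces[0].InterfaceMetric, $tunnel.InterfaceMetric)
}

# 4. Independent of the metric logic: ask the DC directly over the tunnel.
#    If this succeeds while plain name resolution fails, the path is fine and
#    the resolver selection on the client is the problem.
try {
    Resolve-DnsName -Name $TestName -Server $DcAddress -Type A -ErrorAction Stop |
        Select-Object Name, IPAddress
}
catch {
    Write-Warning "Direct query to $DcAddress over the tunnel failed: $($_.Exception.Message)"
}
```

Two practitioner caveats that the answer does not spell out. First, while the queries are failing it is worth running `tcpdump -ni wg0 udp port 53` on the Wireguard server: if the Windows client's queries never appear there, or arrive with a source address that is not the client's tunnel address (`10.101.0.4`), the server side is not the place to look, because WireGuard silently drops packets whose source is outside the peer's `AllowedIPs`. Second, this is a split tunnel (`AllowedIPs` does not include `0.0.0.0/0`), and in that mode the WireGuard for Windows client only sets the DNS servers on the tunnel adapter; it does not block DNS to the resolvers of other adapters the way it does for a full tunnel, so internal names can still leak to the Wi-Fi or wired resolver if that adapter ever becomes the preferred one.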
