我在设置 wireguard 时遇到了一个奇怪的情况。
我的设置: Wireguard 通过隧道访问我的网络。Active Directory 域控制器提供 DNS。客户端通过隧道使用 DNS 服务器。Linux 客户端使用域控制器作为 DNS 服务器,通过 Wireguard 隧道解析 DNS 查询时没有任何问题。
问题: Windows 客户端无法使用活动的 wireguard 隧道进行浏览。Ping 失败但 nslookup 可以工作。我可以 ping DNS 服务器(通过 IP 地址)。我可以 ping 外部 IP 地址(例如 1.1.1.1)。Wireshark 显示 DNS 查询已发出但没有回复。wireguard 服务器上的防火墙未显示查询被阻止。
我究竟做错了什么?
这是我的配置:
Wireguard 服务器
# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.101.0.1/16
SaveConfig = true
PostUp = ufw route allow in on wg0 out on enp6s0
PostUp = ufw route allow in on enp6s0 out on wg0
PostUp = ufw route allow in on wg0 out on enp1s0
PostUp = ufw route allow in on enp1s0 out on wg0
PostUp = iptables -t nat -I POSTROUTING -o enp6s0 -j MASQUERADE
PostUp = iptables -t nat -I POSTROUTING -o enp1s0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on enp6s0
PreDown = ufw route delete allow in on wg0 out on enp1s0
PreDown = ufw route delete allow in on enp6s0 out on wg0
PreDown = ufw route delete allow in on enp1s0 out on wg0
PreDown = iptables -t nat -D POSTROUTING -o enp6s0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <snipped>
Wireguard 服务器上的路由表
# ip route
default via <wan_gateway> dev enp1s0 proto static
10.0.0.0/16 dev enp6s0 proto kernel scope link src 10.0.25.20
10.0.0.0/16 via 10.0.1.254 dev enp6s0 proto static metric 100
10.101.0.0/16 dev wg0 proto kernel scope link src 10.101.0.1
<wan_ip_block>/22 dev enp1s0 proto kernel scope link src <wireguard_public_ip>
WireguardServer 上的防火墙规则
# ufw status
Status: active
To Action From
-- ------ ----
51820/udp ALLOW Anywhere
22/tcp ALLOW Anywhere
3389 ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
135/tcp ALLOW Anywhere
389/tcp ALLOW Anywhere
636/tcp ALLOW Anywhere
3268/tcp ALLOW Anywhere
3269/tcp ALLOW Anywhere
53/tcp ALLOW Anywhere
88/tcp ALLOW Anywhere
445/tcp ALLOW Anywhere
123/tcp ALLOW Anywhere
464/tcp ALLOW Anywhere
137/tcp ALLOW Anywhere
138/tcp ALLOW Anywhere
139/tcp ALLOW Anywhere
135/udp ALLOW Anywhere
137/udp ALLOW Anywhere
138/udp ALLOW Anywhere
389/udp ALLOW Anywhere
445/udp ALLOW Anywhere
1512/udp ALLOW Anywhere
42/udp ALLOW Anywhere
42/tcp ALLOW Anywhere
1512/tcp ALLOW Anywhere
500/udp ALLOW Anywhere
49152:65535/tcp ALLOW Anywhere
49152:65535/udp ALLOW Anywhere
464 ALLOW Anywhere
5985:5986/tcp ALLOW Anywhere
53/udp ALLOW Anywhere
51820/udp (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
3389 (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
135/tcp (v6) ALLOW Anywhere (v6)
389/tcp (v6) ALLOW Anywhere (v6)
636/tcp (v6) ALLOW Anywhere (v6)
3268/tcp (v6) ALLOW Anywhere (v6)
3269/tcp (v6) ALLOW Anywhere (v6)
53/tcp (v6) ALLOW Anywhere (v6)
88/tcp (v6) ALLOW Anywhere (v6)
445/tcp (v6) ALLOW Anywhere (v6)
123/tcp (v6) ALLOW Anywhere (v6)
464/tcp (v6) ALLOW Anywhere (v6)
137/tcp (v6) ALLOW Anywhere (v6)
138/tcp (v6) ALLOW Anywhere (v6)
139/tcp (v6) ALLOW Anywhere (v6)
135/udp (v6) ALLOW Anywhere (v6)
137/udp (v6) ALLOW Anywhere (v6)
138/udp (v6) ALLOW Anywhere (v6)
389/udp (v6) ALLOW Anywhere (v6)
445/udp (v6) ALLOW Anywhere (v6)
1512/udp (v6) ALLOW Anywhere (v6)
42/udp (v6) ALLOW Anywhere (v6)
42/tcp (v6) ALLOW Anywhere (v6)
1512/tcp (v6) ALLOW Anywhere (v6)
500/udp (v6) ALLOW Anywhere (v6)
49152:65535/tcp (v6) ALLOW Anywhere (v6)
49152:65535/udp (v6) ALLOW Anywhere (v6)
464 (v6) ALLOW Anywhere (v6)
5985:5986/tcp (v6) ALLOW Anywhere (v6)
53/udp (v6) ALLOW Anywhere (v6)
Anywhere on enp6s0 ALLOW FWD Anywhere on wg0
Anywhere on wg0 ALLOW FWD Anywhere on enp6s0
Anywhere on enp1s0 ALLOW FWD Anywhere on wg0
Anywhere on wg0 ALLOW FWD Anywhere on enp1s0
Anywhere (v6) on enp6s0 ALLOW FWD Anywhere (v6) on wg0
Anywhere (v6) on wg0 ALLOW FWD Anywhere (v6) on enp6s0
Anywhere (v6) on enp1s0 ALLOW FWD Anywhere (v6) on wg0
Anywhere (v6) on wg0 ALLOW FWD Anywhere (v6) on enp1s0
Windows 客户端
[Interface]
PrivateKey = <snipped>
Address = 10.101.0.4/32
[Peer]
PublicKey = <snipped>
AllowedIPs = 10.101.0.0/16, 10.0.0.0/16, <wan_ip_block>/22
Endpoint = <snipped>:51820
答案1
问题是:
- wireguard vpns 显然会自动配置一个比客户端上所有其他连接更低的指标
- 我在有线/Wi-Fi 连接上配置了客户端 DNS 服务器,而不是在 wireguard 连接上配置
- windows 通过具有最低度量的连接发送 DNS 查询
解决方案:将 DNS 服务器添加到 wireguard 客户端配置中:
DNS = <ip_address_of_dns_server>, <ip_address_of_dns_server>
完整客户端配置
[Interface]
PrivateKey = <snipped>
Address = 10.101.0.4/32
DNS = <ip_address_of_dns_server>, <ip_address_of_dns_server>
[Peer]
PublicKey = <snipped>
AllowedIPs = 10.101.0.0/16, 10.0.0.0/16, <wan_ip_block>/22
Endpoint = <snipped>:51820