I am trying to set up a site-to-site VPN between SiteA (an OpenWrt router) and SiteB (an Oracle instance with a public IP).
Since SiteA runs OpenWrt, I am using the GUI.
Here is the output of wg showconf on SiteA:
[Interface]
ListenPort = 51821
PrivateKey = REDACTED
[Peer]
PublicKey = BY...Cwo=
AllowedIPs = 10.2.0.0/16, 192.168.100.0/30
Endpoint = SITE_B_PUBLIC_IP:51821
Here is SiteB's configuration:
[Interface]
Address = 192.168.100.2/30
ListenPort = 51821
PrivateKey = REDACTED
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
[Peer]
PublicKey = ZX...z4=
AllowedIPs = 192.168.100.0/30, 172.16.1.0/24, 172.16.255.0/24
Endpoint = SITE_A_PUBLIC_IP:51821
I am running into a very strange problem. From site B, if I ping any address on site A, the tunnel comes up and traffic flows between them without any issue.
However, unless the tunnel has first been brought up from site B, I cannot ping anything on B from A. I can see traffic from A to B on port 51821. I assume these are handshake packets, but WireGuard on B does not seem to respond to them:
root@ubuntu:~# tcpdump -v port 51821
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:23:59.004307 IP (tos 0x20, ttl 49, id 2251, offset 0, flags [none], proto UDP (17), length 176)
SITE_A_PUBLIC_IP.51821 > SITE_B_PUBLIC_IP.51821: UDP, length 148
09:24:04.052134 IP (tos 0x20, ttl 49, id 2467, offset 0, flags [none], proto UDP (17), length 176)
SITE_A_PUBLIC_IP.51821 > SITE_B_PUBLIC_IP.51821: UDP, length 148
09:24:09.102989 IP (tos 0x20, ttl 49, id 2658, offset 0, flags [none], proto UDP (17), length 176)
SITE_A_PUBLIC_IP.51821 > SITE_B_PUBLIC_IP.51821: UDP, length 148
09:24:14.152403 IP (tos 0x20, ttl 49, id 2769, offset 0, flags [none], proto UDP (17), length 176)
SITE_A_PUBLIC_IP.51821 > SITE_B_PUBLIC_IP.51821: UDP, length 148
09:24:19.202805 IP (tos 0x20, ttl 49, id 3187, offset 0, flags [none], proto UDP (17), length 176)
I have enabled WireGuard debugging, but there do not seem to be any relevant log entries:
Jan 09 09:31:14 ubuntu wg-quick[868]: [#] ip link add wgA type wireguard
Jan 09 09:31:14 ubuntu kernel: wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.
Jan 09 09:31:14 ubuntu kernel: wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <[email protected]>. All Rights Reserved.
Jan 09 09:31:15 ubuntu wg-quick[868]: [#] wg set wgA private-key /etc/wireguard/wgA.key
Answer 1
Replace PostUp and PostDown with the following:
PostUp = iptables -t nat -I POSTROUTING 1 -o $(route | grep '^default' | grep -o '[^ ]*$') -j MASQUERADE; iptables -I INPUT 1 -i %i -j ACCEPT; iptables -I FORWARD 1 -i $(route | grep '^default' | grep -o '[^ ]*$') -o %i -j ACCEPT; iptables -I FORWARD 1 -i %i -o $(route | grep '^default' | grep -o '[^ ]*$') -j ACCEPT; iptables -I INPUT 1 -i $(route | grep '^default' | grep -o '[^ ]*$') -p udp --dport 51821 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o $(route | grep '^default' | grep -o '[^ ]*$') -j MASQUERADE; iptables -D INPUT -i %i -j ACCEPT; iptables -D FORWARD -i $(route | grep '^default' | grep -o '[^ ]*$') -o %i -j ACCEPT; iptables -D FORWARD -i %i -o $(route | grep '^default' | grep -o '[^ ]*$') -j ACCEPT; iptables -D INPUT -i $(route | grep '^default' | grep -o '[^ ]*$') -p udp --dport 51821 -j ACCEPT
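The symptom in the question (handshakes from A arrive on UDP 51821, tcpdump sees them, WireGuard's debug log stays silent, yet everything works once B initiates) and the answer's fix (an INPUT ACCEPT for UDP 51821 inserted at position 1) both point at the host firewall on SiteB, not at WireGuard itself. A ruleset that accepts RELATED,ESTABLISHED traffic and then rejects everything else lets A's reply through when B sent the first packet (conntrack already has the UDP flow), but an unsolicited handshake initiation from A is a NEW packet and hits the final REJECT before the wireguard module ever sees it. The script below is an added example, not code from the question or the answer: it emulates netfilter's first-match walk of the INPUT chain over an `iptables-save`-style dump and shows why a rule added with `-A` (as the question's PostUp does for FORWARD) lands after the REJECT and never matches, while `-I INPUT 1` is evaluated first. The ruleset is constructed for the example and is not captured from the poster's host; the interface name enp0s3 is taken from the tcpdump output; `fresh_udp_verdict`, `append_rule` and `insert_rule` are names chosen here.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or answer): emulate how netfilter
# walks an INPUT chain for a brand-new inbound UDP datagram, i.e. a WireGuard
# handshake initiation arriving from the other site, and show why the answer's
# `-I INPUT 1` works where an appended `-A INPUT` rule would not.

# Constructed sample. It mirrors the shape of the stock host firewall shipped on
# many cloud Ubuntu images (accept established, icmp, lo, ssh; reject the rest);
# it is NOT captured from the poster's instance.
SAMPLE_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# fresh_udp_verdict RULESET CHAIN PORT IFACE
# First-match walk of CHAIN for a conntrack-NEW UDP packet to PORT arriving on
# IFACE. Prints "accept" or "drop" (chain policy decides on fall-through) and
# returns 0 for accept, 1 for drop. Negated matches ("!") are not modelled.
fresh_udp_verdict() {
  local verdict
  verdict=$(printf '%s\n' "$1" | awk -v chain="$2" -v port="$3" -v iface="$4" '
    $1 == (":" chain) { policy = $2; next }
    $1 == "-A" && $2 == chain && !done {
      proto = ""; dport = ""; inif = ""; target = ""; other = 0
      for (i = 3; i <= NF; i++) {
        if      ($i == "-p")      { i++; proto  = $i }
        else if ($i == "--dport") { i++; dport  = $i }
        else if ($i == "-i")      { i++; inif   = $i }
        else if ($i == "-j")      { i++; target = $i }
        else if ($i == "-m")      { i++; if ($i != "udp" && $i != "tcp" && $i != "state" && $i != "conntrack") other = 1 }
        else if ($i == "--state" || $i == "--ctstate") { i++; if ($i !~ /NEW/) other = 1 }
        else if ($i == "--reject-with") { i++ }   # target option, not a match
        else if ($i ~ /^-/)       { other = 1 }   # a match we do not model: assume no hit
      }
      hit = !other && (proto == "" || proto == "udp") && (dport == "" || dport == port) && (inif == "" || inif == iface)
      if (hit && (target == "ACCEPT" || target == "DROP" || target == "REJECT")) { verdict = target; done = 1 }
      next
    }
    END { if (verdict == "") verdict = policy; v = (verdict == "ACCEPT") ? "accept" : "drop"; print v }')
  printf '%s\n' "$verdict"
  [ "$verdict" = accept ]
}

# append_rule RULESET "CHAIN <matches> -j TARGET": emulates `iptables -A CHAIN ...`
# (the new rule goes after the chain's last existing rule).
append_rule() {
  printf '%s\n' "$1" | awk -v rule="$2" '
    BEGIN { split(rule, w, " "); chain = w[1] }
    { line[NR] = $0; if ($1 == (":" chain)) pol = NR; if ($1 == "-A" && $2 == chain) last = NR }
    END { if (!last) last = pol
          for (n = 1; n <= NR; n++) { print line[n]; if (n == last) print "-A " rule } }'
}

# insert_rule RULESET "CHAIN <matches> -j TARGET": emulates `iptables -I CHAIN 1 ...`
# (the new rule goes before the chain's first existing rule).
insert_rule() {
  printf '%s\n' "$1" | awk -v rule="$2" '
    BEGIN { split(rule, w, " "); chain = w[1] }
    { line[NR] = $0; if ($1 == (":" chain)) pol = NR; if ($1 == "-A" && $2 == chain && !first) first = NR }
    END { if (!first) first = pol + 1
          for (n = 1; n <= NR; n++) { if (n == first) print "-A " rule; print line[n] } }'
}

# The INPUT rule the answer adds; enp0s3 is the interface seen in the tcpdump.
WG_RULE='INPUT -i enp0s3 -p udp --dport 51821 -j ACCEPT'

printf 'stock ruleset:              %s\n' "$(fresh_udp_verdict "$SAMPLE_RULESET" INPUT 51821 enp0s3)"                              # drop
printf 'rule appended (-A INPUT):   %s\n' "$(fresh_udp_verdict "$(append_rule "$SAMPLE_RULESET" "$WG_RULE")" INPUT 51821 enp0s3)"  # drop
printf 'rule inserted (-I INPUT 1): %s\n' "$(fresh_udp_verdict "$(insert_rule "$SAMPLE_RULESET" "$WG_RULE")" INPUT 51821 enp0s3)"  # accept
```

On a real host, feed `iptables-save` output into `fresh_udp_verdict` with the WireGuard ListenPort and the public-facing interface; "drop" before the tunnel is up matches the behaviour in the question, and a cloud security list or network ACL in front of the instance must of course allow the same UDP port as well.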