Wireguard cannot initiate a handshake from one direction (site-to-site VPN)

I am trying to set up a site-to-site VPN between SiteA (an OpenWrt router) and SiteB (an Oracle instance with a public IP).

Since SiteA is OpenWRT, I am using the GUI.

(Screenshot: OpenWRT_Server_Conf)

(Screenshot: OpenWRT_Peer_Conf)

Here is the output of wg showconf on SiteA:

[Interface]
ListenPort = 51821
PrivateKey = REDACTED

[Peer]
PublicKey = BY...Cwo=
AllowedIPs = 10.2.0.0/16, 192.168.100.0/30
Endpoint = SITE_B_PUBLIC_IP:51821

Here is SiteB's configuration:

[Interface]
Address = 192.168.100.2/30
ListenPort = 51821
PrivateKey = REDACTED

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE

[Peer]
PublicKey = ZX...z4=
AllowedIPs = 192.168.100.0/30, 172.16.1.0/24, 172.16.255.0/24
Endpoint = SITE_A_PUBLIC_IP:51821

I have run into a very strange problem. From Site B, if I ping any address on Site A, the tunnel comes up and traffic flows between them without any issue.

However, unless the tunnel has already been brought up from Site B first, I cannot ping anything on B from A. I can see traffic going from A to B on port 51821. I assume these are handshake packets, but Wireguard on B does not seem to respond to them.

root@ubuntu:~# tcpdump -v port 51821
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:23:59.004307 IP (tos 0x20, ttl 49, id 2251, offset 0, flags [none], proto UDP (17), length 176)
    SITE_A_PUBLIC_IP.51821 > SITE_B_PUBLIC_IP.51821: UDP, length 148
09:24:04.052134 IP (tos 0x20, ttl 49, id 2467, offset 0, flags [none], proto UDP (17), length 176)
    SITE_A_PUBLIC_IP.51821 > SITE_B_PUBLIC_IP.51821: UDP, length 148
09:24:09.102989 IP (tos 0x20, ttl 49, id 2658, offset 0, flags [none], proto UDP (17), length 176)
    SITE_A_PUBLIC_IP.51821 > SITE_B_PUBLIC_IP.51821: UDP, length 148
09:24:14.152403 IP (tos 0x20, ttl 49, id 2769, offset 0, flags [none], proto UDP (17), length 176)
    SITE_A_PUBLIC_IP.51821 > SITE_B_PUBLIC_IP.51821: UDP, length 148
09:24:19.202805 IP (tos 0x20, ttl 49, id 3187, offset 0, flags [none], proto UDP (17), length 176)

I have enabled Wireguard debugging, but there do not seem to be any relevant logs:

Jan 09 09:31:14 ubuntu wg-quick[868]: [#] ip link add wgA type wireguard
Jan 09 09:31:14 ubuntu kernel: wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.
Jan 09 09:31:14 ubuntu kernel: wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <[email protected]>. All Rights Reserved.
Jan 09 09:31:15 ubuntu wg-quick[868]: [#] wg set wgA private-key /etc/wireguard/wgA.key

Answer 1

Replace PostUp and PostDown with the following:

PostUp = iptables -t nat -I POSTROUTING 1 -o $(route | grep '^default' | grep -o '[^ ]*$') -j MASQUERADE; iptables -I INPUT 1 -i %i -j ACCEPT; iptables -I FORWARD 1 -i $(route | grep '^default' | grep -o '[^ ]*$') -o %i -j ACCEPT; iptables -I FORWARD 1 -i %i -o $(route | grep '^default' | grep -o '[^ ]*$') -j ACCEPT; iptables -I INPUT 1 -i $(route | grep '^default' | grep -o '[^ ]*$') -p udp --dport 51821 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o $(route | grep '^default' | grep -o '[^ ]*$') -j MASQUERADE; iptables -D INPUT -i %i -j ACCEPT; iptables -D FORWARD -i $(route | grep '^default' | grep -o '[^ ]*$') -o %i -j ACCEPT; iptables -D FORWARD -i %i -o $(route | grep '^default' | grep -o '[^ ]*$') -j ACCEPT; iptables -D INPUT -i $(route | grep '^default' | grep -o '[^ ]*$') -p udp --dport 51821 -j ACCEPT

Source noted here: https://www.reddit.com/r/WireGuard/comments/oxmcvx/comment/h7nl24o/?utm_source=share&utm_medium=web2x&context=3
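As an added diagnostic (not part of the question or the answer above): the capture shows 148-byte UDP datagrams, the size of a WireGuard handshake initiation, reaching SiteB and never being answered, which is exactly what an INPUT chain that rejects the port before any ACCEPT would produce, and it is the rule the answer inserts at position 1 that changes this. The POSIX shell function below walks an iptables -S INPUT listing in order and reports whether a fresh inbound UDP packet to the listen port on the public interface is accepted or blocked first; the two rulesets are constructed samples, and enp0s3, wgA and 51821 are the names taken from the question.

```shell
# Does a fresh inbound UDP packet to PORT on IFACE reach an ACCEPT in the INPUT
# chain, or hit a REJECT/DROP first? Feed `iptables -S INPUT` on stdin. Rules are
# walked in order like the kernel does; LOG and user-chain targets are not followed.
# Exit status: 0 = accepted, 1 = blocked.
wg_port_reachable() {
  awk -v port="$1" -v iface="$2" '
    /^-P INPUT / { policy = $3 }
    /^-A INPUT / {
      n++; proto = "any"; dport = ""; sport = ""; inif = ""; target = ""; skip = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        else if ($i == "--dport") dport = $(i + 1)
        else if ($i == "--sport") sport = $(i + 1)
        else if ($i == "-i") inif = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
        else if ($i == "--state" || $i == "--ctstate") { if ($(i + 1) !~ /NEW/) skip = 1 }
      }
      if (skip) next                           # established-only rule; a handshake is a NEW flow
      if (sport != "") next                    # initiator source port unknown: treat as non-matching
      if (inif != "" && inif != iface) next    # "-i lo" or "-i wgA" never see packets arriving on enp0s3
      if (proto != "any" && proto != "udp") next
      if (dport != "" && dport != port) next
      if (target == "ACCEPT") { msg = sprintf("rule %d accepts udp/%s", n, port); rc = 0; done = 1; exit }
      if (target == "REJECT" || target == "DROP") {
        msg = sprintf("rule %d (%s) blocks udp/%s before any ACCEPT", n, target, port); rc = 1; done = 1; exit
      }
    }
    END {
      if (!done) {
        rc = (policy == "DROP") ? 1 : 0
        msg = "no matching rule; INPUT policy " policy " decides udp/" port
      }
      print msg; exit rc
    }'
}

# Constructed sample (not from the question): an INPUT chain shaped like a common
# cloud-image default, where a catch-all REJECT sits after a few service allows.
BEFORE='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
# The same chain after the two INPUT rules from the answer have been inserted at position 1.
AFTER="-A INPUT -i enp0s3 -p udp -m udp --dport 51821 -j ACCEPT
-A INPUT -i wgA -j ACCEPT
$BEFORE"

printf '%s\n' "$BEFORE" | wg_port_reachable 51821 enp0s3 || echo '  -> the symptom in the question: initiations arrive, nothing answers'
printf '%s\n' "$AFTER"  | wg_port_reachable 51821 enp0s3
```

On the real host, run it as iptables -S INPUT | wg_port_reachable 51821 enp0s3 before and after wg-quick up to confirm the PostUp rules took effect.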
