WireGuard site-to-site connection in Docker: ping works, but TCP does not

I am pretty desperate. I am trying to get my site-to-site VPN setup working, but so far without success. Please don't judge me, I am quite new to routing problems.
I have a VPS with the public IP 123.456.789 running a docker stack with the linuxserver swag container and some other containers. Because my home network has no IPv4 address, only a DS-Lite connection from my ISP, I want to connect to the server through a WireGuard VPN so that all services can be used behind the swag container.
Additionally, it would be beneficial if I could later add more clients that can access my home network.

I am using the linuxserver wireguard container both as server and as client, with the following files:

Server side

version: "3"

services:

  # WireGuard VPN service
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    networks:
      swag-network:
        ipv4_address: 172.19.0.10
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - ./config:/config
    ports:
      # Port of the WireGuard VPN server
      - "51820:51820/udp"
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/Amsterdam
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

  # WireGuard-UI service
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    # Use the network of the 'wireguard' service
    # This enables to show active clients in the status page
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=${wgui_username}
      - WGUI_PASSWORD=${wgui_password}
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      - ./config:/etc/wireguard
    restart: unless-stopped

networks:
  swag-network:
    external: true

and wg0.conf

# This file was generated using wireguard-ui (https://github.com/ngoduykhanh/wireguard-ui)
# Please don't modify it manually, otherwise your change might get replaced.

# Address updated at:     2023-07-09 07:59:28.178966655 +0000 UTC
# Private Key updated at: 2023-07-09 07:44:46.69833353 +0000 UTC
[Interface]
Address = 10.21.2.0/24
ListenPort = 51820
PrivateKey = *secret*
DNS = 1.1.1.1
MTU = 1450

#PostUp = iptables -A FORWARD -i %i -j ACCEPT
#PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUP = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -j ACCEPT
PostUp = iptables -A FORWARD -o eth0 -j ACCEPT
#PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#PostDown = iptables -D FORWARD -i %i -j ACCEPT
#PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -j ACCEPT
PostDown = iptables -D FORWARD -o eth0 -j ACCEPT
#PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE
PostUp = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Table = auto

[Peer]
PublicKey = *secret*
PresharedKey = *secret*
AllowedIPs = 10.21.2.0/24,10.21.0.0/23

On the client side

version: "3"

services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/Amsterdam
    volumes:
      - ./config:/config
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    restart: unless-stopped

networks:
  default:
    ipam:
      config:
        - subnet: 172.18.7.0/24
          gateway: 172.18.7.1

with wg0.conf

[Interface]
Address = 10.21.2.1/32
PrivateKey = *secret*
DNS = 1.1.1.1
MTU = 1450

#PostUp = iptables -A FORWARD -i %i -j ACCEPT
#PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUP = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -j ACCEPT
PostUp = iptables -A FORWARD -o eth0 -j ACCEPT
#PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#PostDown = iptables -D FORWARD -i %i -j ACCEPT
#PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -j ACCEPT
PostDown = iptables -D FORWARD -o eth0 -j ACCEPT
#PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = *secret*
PresharedKey = *secret*
AllowedIPs = 10.21.2.0/32,172.19.0.0/16
Endpoint = 123.456.789:51820
PersistentKeepalive = 25

With this configuration, on the server side

ip route add 10.21.0.0/23 via 172.19.0.10

and the same on the client side. I added a static route in my home router and a similar route to the VPN on the client machine.

For example, I can ping from inside the swag container and from outside the server host (e.g. from my local network); both `ping 10.21.0.10` and `docker exec swag ping 10.21.0.10` work fine. But when I try to reverse proxy to the service, I get a timeout. I also tried the command

docker exec swag nc -vz 10.21.0.10 8443
Connection to 10.21.0.10 8443 port [tcp/*] succeeded!

but from the host I get

nc -vz 10.21.0.10 8443
10.21.0.10: inverse host lookup failed: Unknown host
(UNKNOWN) [10.21.0.10] 8443 (?) open

As you can see in the config files, I tried some iptables configurations, but without success. I think it is some kind of routing problem.


To summarise:

                  Home network      Server network
Public IP         n/a               123.456.789
Private subnet    10.21.0.0/23      n/a
Private IP        10.21.0.10        n/a
Docker subnet     172.18.7.0/24     172.19.0.0/24
Docker IP         172.18.7.10       172.19.0.10
VPN IP            10.21.2.1         10.21.0.0

With the above configuration, every client in both networks can be pinged from both networks, but TCP services such as SSH, HTTP and HTTPS do not work.
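An added configuration check, not from the question or from wg-quick: among the PostDown lines of the posted server-side wg0.conf there is one keyed PostUp that deletes the MASQUERADE rule an earlier PostUp adds, and the misspelled PostUP key is accepted silently because wg-quick matches keys case-insensitively. The Python below parses the hook lines of a wg-quick [Interface] section (SAMPLE_CONF is a trimmed copy of the posted server config, FIXED_CONF the same with that one key corrected) and flags hooks whose iptables action contradicts their direction, plus rules added on Up that no Down hook removes.

```python
import re

# Hook lines copied from the server-side wg0.conf in the question (keys and secrets omitted).
SAMPLE_CONF = """\
[Interface]
Address = 10.21.2.0/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUP = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
"""
# Same config with the last hook's key corrected (constructed here for comparison).
FIXED_CONF = SAMPLE_CONF.replace("PostUp = iptables -t nat -D", "PostDown = iptables -t nat -D")

HOOK_RE = re.compile(r"^\s*(PreUp|PostUp|PreDown|PostDown)\s*=\s*(.*?)\s*$", re.IGNORECASE)
ACTION_RE = re.compile(r"\s-([AID])\s")  # iptables append / insert / delete flag

def parse_hooks(conf):
    """Return (hook, command) pairs. wg-quick matches keys case-insensitively,
    so 'PostUP' is accepted silently; normalise it so the audit sees it too."""
    canon = {"preup": "PreUp", "postup": "PostUp", "predown": "PreDown", "postdown": "PostDown"}
    return [(canon[m.group(1).lower()], m.group(2))
            for m in map(HOOK_RE.match, conf.splitlines()) if m]

def action_of(cmd):
    m = ACTION_RE.search(cmd)
    return m.group(1) if cmd.startswith("iptables") and m else None

def rule_key(cmd):
    """Drop the action flag so the -A and -D forms of one rule compare equal."""
    return " ".join(ACTION_RE.sub(" ", cmd).split())

def audit(conf):
    """Flag hooks whose iptables action contradicts the hook direction, and
    rules added on Up that no Down hook removes (they survive a tunnel restart)."""
    findings = []
    hooks = [(h, c, action_of(c)) for h, c in parse_hooks(conf)]
    for hook, cmd, act in hooks:
        if hook.endswith("Up") and act == "D":
            findings.append(f"{hook} deletes a rule while bringing the tunnel up: {cmd}")
        if hook.endswith("Down") and act in ("A", "I"):
            findings.append(f"{hook} adds a rule that outlives the tunnel: {cmd}")
    added = {rule_key(c) for h, c, a in hooks if h.endswith("Up") and a in ("A", "I")}
    removed = {rule_key(c) for h, c, a in hooks if h.endswith("Down") and a == "D"}
    for key in sorted(added - removed):
        findings.append("rule added on Up has no Down cleanup: " + key)
    return findings
```

Running audit(SAMPLE_CONF) reports the stray PostUp delete and the MASQUERADE rule left without a PostDown, while audit(FIXED_CONF) returns no findings.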
