I am pretty desperate. I am trying to get my site-to-site VPN setup working, but so far without success. Please don't judge me, I am still quite new to routing issues.
I have a VPS with the public IP 123.456.789 running a docker stack with the linuxserver swag container and a few other containers. Because my home network has no IPv4 address of its own, only a DS-Lite connection from my ISP, I want to connect it to the server over a wireguard VPN so that all services can be served behind the swag container.
Additionally, it would be nice if I could later add more clients that can reach my home network.
I am using the linuxserver wireguard container both as the server and as the client, with the following files:
Server side:
```yaml
version: "3"
services:
  # WireGuard VPN service
  wireguard:
    image: linuxserver/wireguard:latest
    container_name: wireguard
    networks:
      swag-network:
        # Fixed address so the host can route 10.21.0.0/23 via this container
        ipv4_address: 172.19.0.10
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    volumes:
      - ./config:/config
    ports:
      # Port of the WireGuard VPN server
      - "51820:51820/udp"
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/Amsterdam
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
  # WireGuard-UI service
  wireguard-ui:
    image: ngoduykhanh/wireguard-ui:latest
    container_name: wireguard-ui
    depends_on:
      - wireguard
    cap_add:
      - NET_ADMIN
    # Use the network namespace of the 'wireguard' service.
    # This lets the status page show the active clients.
    network_mode: service:wireguard
    environment:
      - SENDGRID_API_KEY
      - EMAIL_FROM_ADDRESS
      - EMAIL_FROM_NAME
      - SESSION_SECRET
      - WGUI_USERNAME=${wgui_username}
      - WGUI_PASSWORD=${wgui_password}
      - WG_CONF_TEMPLATE
      - WGUI_MANAGE_START=true
      - WGUI_MANAGE_RESTART=true
    logging:
      driver: json-file
      options:
        max-size: 50m
    volumes:
      - ./db:/app/db
      # Shared with the wireguard container so the UI can write wg0.conf
      - ./config:/etc/wireguard
    restart: unless-stopped
networks:
  swag-network:
    external: true
```
and this wg0.conf:
```ini
# This file was generated using wireguard-ui (https://github.com/ngoduykhanh/wireguard-ui)
# Please don't modify it manually, otherwise your change might get replaced.
# Address updated at: 2023-07-09 07:59:28.178966655 +0000 UTC
# Private Key updated at: 2023-07-09 07:44:46.69833353 +0000 UTC
[Interface]
Address = 10.21.2.0/24
ListenPort = 51820
PrivateKey = *secret*
DNS = 1.1.1.1
MTU = 1450
#PostUp = iptables -A FORWARD -i %i -j ACCEPT
#PostUp = iptables -A FORWARD -o %i -j ACCEPT
# Allow forwarding between the tunnel and the container's eth0
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -j ACCEPT
PostUp = iptables -A FORWARD -o eth0 -j ACCEPT
#PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
# NAT tunnel traffic that leaves through eth0
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT
#PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -j ACCEPT
PostDown = iptables -D FORWARD -o eth0 -j ACCEPT
#PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE
# Remove the NAT rule again when the interface goes down
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Table = auto
[Peer]
PublicKey = *secret*
PresharedKey = *secret*
AllowedIPs = 10.21.2.0/24,10.21.0.0/23
```
Client side:
```yaml
version: "3"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/Amsterdam
    volumes:
      - ./config:/config
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      # The client container forwards between the tunnel and the home LAN
      - net.ipv4.ip_forward=1
    restart: unless-stopped
networks:
  default:
    ipam:
      config:
        - subnet: 172.18.7.0/24
          gateway: 172.18.7.1
```
with this wg0.conf:
```ini
[Interface]
Address = 10.21.2.1/32
PrivateKey = *secret*
DNS = 1.1.1.1
MTU = 1450
#PostUp = iptables -A FORWARD -i %i -j ACCEPT
#PostUp = iptables -A FORWARD -o %i -j ACCEPT
# Allow forwarding between the tunnel and the container's eth0
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -A FORWARD -i eth0 -j ACCEPT
PostUp = iptables -A FORWARD -o eth0 -j ACCEPT
#PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
# NAT tunnel traffic that leaves through eth0
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT
#PostDown = iptables -D FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -j ACCEPT
PostDown = iptables -D FORWARD -o eth0 -j ACCEPT
#PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = *secret*
PresharedKey = *secret*
AllowedIPs = 10.21.2.0/32,172.19.0.0/16
Endpoint = 123.456.789:51820
PersistentKeepalive = 25
```
With this configuration I run, on the server side,
```sh
ip route add 10.21.0.0/23 via 172.19.0.10
```
and the equivalent on the client. I also added a static route in my home router and a similar route towards the VPN on the client machine.
For example, I can ping from inside the swag container as well as from outside the server host (e.g. from my local network): both `ping 10.21.0.10` and
```sh
docker exec swag ping 10.21.0.10
```
work fine. But when I try to reverse proxy to the service, I get a timeout. I also tried the command
```sh
docker exec swag nc -vz 10.21.0.10 8443
Connection to 10.21.0.10 8443 port [tcp/*] succeeded!
```
but from the host I get
```sh
nc -vz 10.21.0.10 8443
10.21.0.10: inverse host lookup failed: Unknown host
(UNKNOWN) [10.21.0.10] 8443 (?) open
```
As you can see in the config files, I tried a few iptables configurations, but without success. I think this is some kind of routing problem.
To summarize:

| | Home network | Server network |
|---|---|---|
| Public IP | n/a | 123.456.789 |
| Private subnet | 10.21.0.0/23 | n/a |
| Private IP | 10.21.0.10 | n/a |
| Docker subnet | 172.18.7.0/24 | 172.19.0.0/24 |
| Docker IP | 172.18.7.10 | 172.19.0.10 |
| VPN IP | 10.21.2.1 | 10.21.0.0 |

With the configuration above, every client in either network can be pinged from both networks, but TCP services such as SSH, HTTP and HTTPS do not work.
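As an added example that is not part of the original question: a small Python check for the kind of PostUp/PostDown mismatch that is easy to miss in a hand-edited wg0.conf, namely a hook that deletes a rule at interface-up time, or an added rule that no PostDown ever removes. The sample configuration is constructed to mirror the shape of the server-side wg0.conf above with secrets redacted (including a `PostUp ... -D` line for the MASQUERADE rule); the function names and the restriction to plain `iptables [-t table] -A|-D CHAIN ...` hooks are this example's own choices, not wg-quick's.

```python
"""Consistency check for wg-quick PostUp/PostDown iptables hooks.

Every rule appended in PostUp should be deleted by a matching PostDown,
and PostUp itself should never delete a rule it has just added. Only
hooks of the form `iptables [-t TABLE] -A|-D CHAIN <spec>` are inspected;
anything else (PreUp, ip route, %i placeholders) is ignored by design.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: same shape as the server-side wg0.conf in the question
# (secrets replaced by REDACTED), including a stray `PostUp ... -D` line.
SAMPLE_CONF = """\
[Interface]
Address = 10.21.2.0/24
ListenPort = 51820
PrivateKey = REDACTED
MTU = 1450
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUP = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = REDACTED
AllowedIPs = 10.21.2.0/24,10.21.0.0/23
"""

# wg-quick matches option names case-insensitively, so accept "PostUP" too.
HOOK_RE = re.compile(r"^\s*(Post(?:Up|Down))\s*=\s*(.+?)\s*$", re.IGNORECASE)
# iptables [-t TABLE] -A|-D CHAIN <match/target spec>
RULE_RE = re.compile(r"^iptables\s+(?:-t\s+(\S+)\s+)?(-[AD])\s+(\S+)\s+(.*)$")

RuleKey = Tuple[str, str, str]  # (table, chain, whitespace-normalised spec)


def parse_hooks(conf: str) -> Dict[str, List[str]]:
    """Return the PostUp and PostDown commands of a wg-quick config in file order."""
    hooks: Dict[str, List[str]] = {"postup": [], "postdown": []}
    for line in conf.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks[m.group(1).lower()].append(m.group(2))
    return hooks


def parse_rule(cmd: str) -> Optional[Tuple[str, RuleKey]]:
    """Split an iptables command into its action (-A/-D) and a comparable rule key."""
    m = RULE_RE.match(cmd.strip())
    if not m:
        return None
    table, action, chain, spec = m.groups()
    return action, (table or "filter", chain, " ".join(spec.split()))


def lint_hooks(conf: str) -> List[str]:
    """List inconsistencies between the PostUp and PostDown iptables hooks."""
    hooks = parse_hooks(conf)
    findings: List[str] = []
    added: Dict[RuleKey, str] = {}
    deleted: Set[RuleKey] = set()

    for cmd in hooks["postup"]:
        parsed = parse_rule(cmd)
        if parsed is None:
            continue
        action, key = parsed
        if action == "-D":
            findings.append(f"PostUp deletes a rule instead of adding one: {cmd}")
        else:
            added[key] = cmd

    for cmd in hooks["postdown"]:
        parsed = parse_rule(cmd)
        if parsed is None:
            continue
        action, key = parsed
        if action == "-A":
            findings.append(f"PostDown adds a rule instead of deleting one: {cmd}")
        else:
            deleted.add(key)

    for key, cmd in added.items():
        if key not in deleted:
            findings.append(f"No PostDown removes the rule added by: {cmd}")
    for key in sorted(deleted - set(added)):
        findings.append(f"PostDown removes a rule that PostUp never adds: {key}")
    return findings


if __name__ == "__main__":
    for problem in lint_hooks(SAMPLE_CONF) or ["no hook inconsistencies found"]:
        print(problem)
```

Run against the constructed sample it reports two findings: the `PostUp` line that deletes the MASQUERADE rule, and, as a consequence, that no `PostDown` removes the MASQUERADE rule the earlier `PostUp` adds. Changing that one line to `PostDown` makes the report empty. The check deliberately compares only the normalised rule text, so two rules that differ by a `%i` placeholder versus a literal `wg0` are reported as unmatched.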