I have a VPS with a static external IP running Ubuntu 22.04. I configured a WireGuard VPN connection to my server that tunnels all traffic through the VPS. I also enabled UFW. I want to resolve some domains while connected to the VPN, so I installed bind9 on the same server. Unfortunately, resolution does not work. For example, suppose I want to resolve my private domain.
My WireGuard configuration is:
[Interface]
Address = 10.8.0.1/24
MTU = 1500
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <PRIVATE_KEY>
DNS = 1.1.1.1, 8.8.8.8
[Peer]
....
I have enabled IP forwarding in /etc/sysctl.conf:
...
net.ipv4.ip_forward=1
...
My /etc/bind/named.conf.options:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
listen-on-v6 { any; };
allow-recursion { 127.0.0.1; 10.8.0.0/24; };
version "guess";
};
And the bind9 zone configuration, /etc/bind/named.conf.local:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "myprivatedomain" {
type master;
file "/etc/bind/zones/db.myprivatedomain";
};
And the zone file /etc/bind/zones/db.myprivatedomain:
$TTL 86400
@ IN SOA ns1.myprivatedomain. admin.myprivatedomain. (
2023092301 ; Serial (YYYYMMDD plus 2 digit serial)
86400 ; refresh (1 day)
7200 ; retry (2 hours)
8640000 ; expire (100 days)
86400) ; minimum (1 day)
; Name Servers
@ IN NS ns1.myprivatedomain.
; A records
@ IN A 10.8.0.1
; A records
ns1 IN A 10.8.0.1
Here is some service status output:
root@blablabla:/etc/bind# systemctl status wg-quick@wg0.service
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
Active: active (exited) since Sat 2023-09-23 16:49:13 CEST; 13min ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 82319 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
Main PID: 82319 (code=exited, status=0/SUCCESS)
CPU: 544ms
Sep 23 16:49:12 blablabla.dev wg-quick[82319]: [#] ip link add wg0 type wireguard
Sep 23 16:49:12 blablabla.dev wg-quick[82319]: [#] wg setconf wg0 /dev/fd/63
Sep 23 16:49:12 blablabla.dev wg-quick[82319]: [#] ip -4 address add 10.8.0.1/24 dev wg0
Sep 23 16:49:12 blablabla.dev wg-quick[82319]: [#] ip link set mtu 1500 up dev wg0
Sep 23 16:49:12 blablabla.dev wg-quick[82338]: [#] resolvconf -a tun.wg0 -m 0 -x
Sep 23 16:49:13 blablabla.dev wg-quick[82319]: [#] ufw route allow in on wg0 out on eth0
Sep 23 16:49:13 blablabla.dev wg-quick[82414]: Rule added
Sep 23 16:49:13 blablabla.dev wg-quick[82414]: Rule added (v6)
Sep 23 16:49:13 blablabla.dev wg-quick[82319]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Sep 23 16:49:13 blablabla.dev systemd[1]: Finished WireGuard via wg-quick(8) for wg0.
root@blablabla:/etc/bind# systemctl status bind9
● named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2023-09-23 17:01:36 CEST; 3min 27s ago
Docs: man:named(8)
Process: 82997 ExecStart=/usr/sbin/named $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 82998 (named)
Tasks: 14 (limit: 19101)
Memory: 6.9M
CPU: 85ms
CGroup: /system.slice/named.service
└─82998 /usr/sbin/named -u bind -4
Sep 23 17:01:36 blablabla.dev named[82998]: zone 0.in-addr.arpa/IN: loaded serial 1
Sep 23 17:01:36 blablabla.dev named[82998]: zone 127.in-addr.arpa/IN: loaded serial 1
Sep 23 17:01:36 blablabla.dev named[82998]: zone localhost/IN: loaded serial 2
Sep 23 17:01:36 blablabla.dev named[82998]: zone 255.in-addr.arpa/IN: loaded serial 1
Sep 23 17:01:36 blablabla.dev named[82998]: zone myprivatedomain/IN: loaded serial 2023092301
Sep 23 17:01:36 blablabla.dev named[82998]: all zones loaded
Sep 23 17:01:36 blablabla.dev named[82998]: running
Sep 23 17:01:36 blablabla.dev systemd[1]: Started BIND Domain Name Server.
Sep 23 17:01:36 blablabla.dev named[82998]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Sep 23 17:01:36 blablabla.dev named[82998]: resolver priming query complete: success
I can connect to the VPN and browse the internet, but I cannot reach my private domain. ping does not work either. However, I can reach the web server using the IP 10.8.0.1. Also, my public domains (resolved by Namecheap's DNS servers) work fine and I can reach them.
Here are the ping and dig answers:
root@blablabla:/etc/bind# ping myprivatedomain
ping: myprivatedomain: Name or service not known
root@blablabla:/etc/bind# dig myprivatedomain
; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> myprivatedomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37129
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;myprivatedomain. IN A
;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023092100 1800 900 604800 86400
;; Query time: 3 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sat Sep 23 17:15:04 CEST 2023
;; MSG SIZE rcvd: 119
Can you help me solve this?
Update 1.
It seems the problem was in the bind9 configuration and in the client's configuration file.
I removed listen-on-v6 { any; }; (since I have IPv6 disabled anyway) and added listen-on { 10.8.0.1; };:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
listen-on { 10.8.0.1; };
allow-recursion { 127.0.0.1; 10.8.0.0/24; };
version "guess";
};
I have the following WireGuard configuration on the client:
[Interface]
Address = 10.8.0.102/32
PrivateKey = <PRIVATEKEY>
DNS = 1.1.1.1, 213.136.95.10, 213.136.95.11
[Peer]
PublicKey = <PUBLICKEY>
AllowedIPs = 0.0.0.0/0 # Route all traffic through the VPN server
Endpoint = <IP>:<PORT>
I replaced it with DNS = 10.8.0.1, 1.1.1.1 and everything works.
As far as I understand, I cannot push DNS settings from the server to the client, but maybe I am wrong?
Answer 1
As far as I understand, I cannot push DNS settings from the server to the client, but maybe I am wrong?
You actually cannot push any settings with WG. WireGuard creates the tunnel based on the configuration on both ends. WG is a low-level system; its configuration is handled by some separate layer.
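The two things worth checking offline in a setup like the one above, written as an added example that is not part of the question or the answer: which resolver actually answered the `dig` query (the `;; SERVER:` line in the transcript, which in the question's output is 1.1.1.1, not 10.8.0.1, so the private zone could never be found), and whether named.conf.options exposes BIND more widely than a VPN-only resolver needs (the question's first options block has no `listen-on`, so named also answers on the public IP; the updated block restricts it to 10.8.0.1 but drops 127.0.0.1). The sample inputs are constructed copies of the page's own dig output and options blocks, `DIG_FROM_VPN` is a constructed transcript of what a working setup returns, and every function and constant name is this example's own, not BIND's or WireGuard's. IPv6 is left out, since the page's named runs with `-4`.

```python
"""Offline diagnosis of the split-DNS failure discussed on this page.

1. diagnose_dig: which resolver answered, read from the ';; SERVER:' line.
2. check_options: does named.conf.options expose BIND beyond the VPN?
Sample inputs below are constructed copies of the page's dig output and
options blocks; DIG_FROM_VPN is a constructed healthy transcript.
Names are this example's own, not BIND's or WireGuard's. IPv4 only.
"""
import re
from ipaddress import ip_address, ip_network

SERVER_RE = re.compile(r"^;; SERVER: (\S+?)#\d+")
HEADER_RE = re.compile(r"^;; ->>HEADER<<-.*status: ([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")


def diagnose_dig(transcript: str, vpn_net: str = "10.8.0.0/24") -> dict:
    """Say which server answered a dig query and whether that explains the symptom."""
    server = status = None
    flags = set()
    for line in transcript.splitlines():
        if m := SERVER_RE.match(line):
            server = m.group(1)
        elif m := HEADER_RE.match(line):
            status = m.group(1)
        elif m := FLAGS_RE.match(line):
            flags = set(m.group(1).split())
    reached_vpn = server is not None and ip_address(server) in ip_network(vpn_net)
    findings = []
    if server is None:
        findings.append("no ';; SERVER:' line: nothing answered (timeout or firewall)")
    elif not reached_vpn:
        # The 'aa' flag alone proves nothing: 1.1.1.1 answered the page's query
        # authoritatively too, because no such TLD exists in the public root.
        findings.append(f"answered by {server}, outside {vpn_net}: the client's DNS= "
                        "list does not point at the VPN resolver, so a zone that "
                        "exists only there can never be found")
    elif "aa" not in flags:
        findings.append("VPN resolver answered but not authoritatively: zone not loaded there")
    return {"server": server, "status": status, "flags": sorted(flags),
            "reached_vpn": reached_vpn, "findings": findings}


def _acl(options: str, name: str):
    """Address list of a BIND option such as `listen-on { a; b; };`, or None if absent."""
    m = re.search(rf"\b{re.escape(name)}\s*\{{([^}}]*)\}}", options)
    return None if m is None else [t.strip() for t in m.group(1).split(";") if t.strip()]


def check_options(options: str, vpn_addr: str = "10.8.0.1") -> list:
    """Flag exposure problems in named.conf.options for a VPN-only resolver."""
    options = re.sub(r"//.*", "", options)   # drop BIND line comments
    listen = _acl(options, "listen-on")       # the regex does not match listen-on-v6
    recurse = _acl(options, "allow-recursion")
    issues = []
    if listen is None or "any" in listen:
        issues.append("listen-on is unrestricted (BIND's default is every interface): named "
                      f"also answers on the public IP; use listen-on {{ 127.0.0.1; {vpn_addr}; }};")
    else:
        if "127.0.0.1" not in listen:
            issues.append("listen-on omits 127.0.0.1: the server cannot query its own zone via "
                          "localhost, and the 127.0.0.1 entry in allow-recursion is dead")
        if vpn_addr not in listen:
            issues.append(f"listen-on omits {vpn_addr}: VPN clients cannot reach named")
    if recurse is None or "any" in recurse:
        issues.append("allow-recursion is unrestricted: an open resolver, usable for "
                      "reflection/amplification if it is reachable from the internet")
    return issues


# Constructed copies of the page's dig transcript and options blocks (comments trimmed).
DIG_FROM_PAGE = """\
; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> myprivatedomain
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37129
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
.   86400   IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2023092100 1800 900 604800 86400
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
"""
DIG_FROM_VPN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
myprivatedomain.    86400   IN  A   10.8.0.1
;; SERVER: 10.8.0.1#53(10.8.0.1) (UDP)
"""
OPTIONS_BEFORE = """options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    listen-on-v6 { any; };
    allow-recursion { 127.0.0.1; 10.8.0.0/24; };
    version "guess";
};"""
OPTIONS_AFTER = OPTIONS_BEFORE.replace("listen-on-v6 { any; };", "listen-on { 10.8.0.1; };")
OPTIONS_RECOMMENDED = OPTIONS_BEFORE.replace("listen-on-v6 { any; };",
                                             "listen-on { 127.0.0.1; 10.8.0.1; };")

if __name__ == "__main__":
    for label, text in (("page", DIG_FROM_PAGE), ("vpn", DIG_FROM_VPN)):
        print(label, diagnose_dig(text))
    for label, text in (("before", OPTIONS_BEFORE), ("after", OPTIONS_AFTER),
                        ("recommended", OPTIONS_RECOMMENDED)):
        print(label, check_options(text))
```

Run as a script and it reports, for the page's transcript, that 1.1.1.1 answered, and for the page's two options blocks, the unrestricted `listen-on` before and the missing 127.0.0.1 after; `OPTIONS_RECOMMENDED` is the variant that passes both checks. A client line of `DNS = 10.8.0.1, 1.1.1.1` still lists a public resolver as a fallback, and a stub resolver that rotates or fails over to it will get the same NXDOMAIN from 1.1.1.1 that the page shows, so listing only 10.8.0.1 (which recurses to the internet itself) is the safer choice.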