Keepalived VIP and WireGuard VPN

After configuring WireGuard and KeepAlived, the VIP switches between the VPSs. The addresses between the VPSs are 10.0.0.X, but when I try to reach the VIP I get an error. ChatGPT suggested adding each peer to AllowedIPs.

But when I do that, the address ends up assigned to only one peer.

# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
PrivateKey = xxx
ListenPort = 51820

[Peer]
PublicKey = xxx
AllowedIPs = 10.0.0.2/32, 10.0.0.100/32
Endpoint = 161.97.128.186:51820

[Peer]
PublicKey = xxx
AllowedIPs = 10.0.0.3/32, 10.0.0.100/32 
Endpoint = 91.229.245.198:51820

After restart 

# sudo wg
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  endpoint: 91.229.245.198:51820
  allowed ips: 10.0.0.3/32, 10.0.0.100/32
  latest handshake: 8 seconds ago
  transfer: 3.29 KiB received, 4.41 KiB sent

peer: xxx
  endpoint: 161.97.128.186:51820
  allowed ips: 10.0.0.2/32
  latest handshake: 12 seconds ago
  transfer: 1.11 MiB received, 1.35 MiB sent

The VIP address ended up assigned to only one peer.

When KeepAlived assigns the VIP to VPS1 and I try to ping it from VPS2 or VPS3, I get an error:

# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
From 10.0.0.3 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.0.0.3 icmp_seq=2 Destination Host Unreachable
ping: sendmsg: Required key not available
From 10.0.0.3 icmp_seq=3 Destination Host Unreachable
ping: sendmsg: Required key not available
--- 10.0.0.100 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2047ms

With this suggestion, when the VIP is specified on one peer, a connection to it is established only if the VIP is with that peer at the time.

In the example I showed above, the address 10.0.0.100/32 sits on VPS3; if the VIP is there, then VPS1 has a connection to it, but if it moves to VPS2, then I cannot connect from VPS1 to VPS2 via the VIP.

Below I give my standard configuration, without the ChatGPT suggestion.

VPS1 keepalived configuration

# cat /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
    state MASTER
    interface wg0
    virtual_router_id 51
    priority 101
    advert_int 1
    unicast_src_ip 10.0.0.1
    unicast_peer {
        10.0.0.2
        10.0.0.3
    }
    authentication {
        auth_type PASS
        auth_pass vTrHveEXSnoIo5NE
    }
    virtual_ipaddress {
        10.0.0.100
    }
}

WireGuard configuration on VPS1

# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.1/24
PrivateKey = xxx
ListenPort = 51820

[Peer]
PublicKey = xxx
AllowedIPs = 10.0.0.2/32
Endpoint = 161.97.128.186:51820

[Peer]
PublicKey = xxx
AllowedIPs = 10.0.0.3/32
Endpoint = 91.229.245.198:51820

VPS1:

# sudo wg
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  endpoint: 91.229.245.198:51820
  allowed ips: 10.0.0.3/32
  latest handshake: 8 seconds ago
  transfer: 3.29 KiB received, 4.41 KiB sent

peer: xxx
  endpoint: 161.97.128.186:51820
  allowed ips: 10.0.0.2/32
  latest handshake: 12 seconds ago
  transfer: 1.11 MiB received, 1.35 MiB sent

VPS2:

interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  endpoint: 38.242.222.170:51820
  allowed ips: 10.0.0.1/32
  latest handshake: 19 seconds ago
  transfer: 25.32 KiB received, 18.43 KiB sent

peer: xxx
  endpoint: 91.229.245.198:51820
  allowed ips: 10.0.0.3/32
  latest handshake: 35 seconds ago
  transfer: 252.19 KiB received, 350.48 KiB sent

VPS3:

interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  endpoint: 38.242.222.170:51820
  allowed ips: 10.0.0.1/32
  latest handshake: 1 minute, 18 seconds ago
  transfer: 2.00 MiB received, 1.66 MiB sent

peer: xxx
  endpoint: 161.97.128.186:51820
  allowed ips: 10.0.0.2/32
  latest handshake: 1 minute, 26 seconds ago
  transfer: 489.45 KiB received, 273.22 KiB sent

keepalived running on all VPSs

VPS1

# ip addr show wg0
8: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet 10.0.0.100/32 scope global wg0
       valid_lft forever preferred_lft forever

When VPS1 goes down, it moves to VPS2, and so on.

I am looking for insights or a solution to ensure that the VIP is consistently recognized and reachable on all configured VPSs in the WireGuard setup. I would appreciate any suggestions on why this discrepancy occurs and how to resolve it.
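The behaviour in the question follows from WireGuard's cryptokey routing: every AllowedIPs prefix belongs to exactly one peer, the last peer configured with a prefix takes it away from the earlier one, and a destination that no peer allows fails with ENOKEY ("Required key not available"). The following model of that table is an added example, not WireGuard's own code or anything from the question; the peer names "vps2"/"vps3" and the move_vip helper are assumptions, and move_vip shows only what an AllowedIPs update on each other node would need to achieve on every VRRP transition.

```python
import ipaddress
from typing import Dict, List

# Constructed model of WireGuard's cryptokey routing table (not WireGuard's code):
# each AllowedIP prefix maps to exactly one peer, so a later "AllowedIPs" entry
# naming the same prefix silently moves it away from the earlier peer.
class CryptokeyRouter:
    def __init__(self) -> None:
        self.table: Dict[ipaddress.IPv4Network, str] = {}

    def set_peer(self, peer: str, allowed_ips: str) -> None:
        # Mirrors "wg set wg0 peer <key> allowed-ips a,b": every listed prefix is
        # (re)assigned to this peer, overriding any other peer that held it.
        for cidr in allowed_ips.split(","):
            self.table[ipaddress.ip_network(cidr.strip())] = peer

    def allowed_ips(self, peer: str) -> List[str]:
        # What "wg show" would print as "allowed ips:" for this peer.
        return [str(n) for n in sorted(n for n, p in self.table.items() if p == peer)]

    def route(self, dst: str) -> str:
        # Longest-prefix match on the destination; no match is what the kernel
        # reports as ENOKEY ("Required key not available") when ping sends.
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.table if addr in n]
        if not matches:
            raise KeyError(f"ENOKEY: no peer allows {dst}")
        return self.table[max(matches, key=lambda n: n.prefixlen)]


def vps1_with_vip_on_both_peers() -> CryptokeyRouter:
    # Reproduces the first wg0.conf in the question: both peers list the VIP.
    r = CryptokeyRouter()
    r.set_peer("vps2", "10.0.0.2/32, 10.0.0.100/32")
    r.set_peer("vps3", "10.0.0.3/32, 10.0.0.100/32")
    return r


def move_vip(r: CryptokeyRouter, new_master: str, vip: str = "10.0.0.100/32") -> None:
    # Hypothetical helper: the update each *other* node would have to apply on a
    # VRRP transition, pointing the VIP prefix at the peer that now holds it.
    r.set_peer(new_master, vip)
```

Because the VIP prefix can live on only one peer per node, keeping it reachable after failover means re-pointing 10.0.0.100/32 at the new master on every other node (for example from a keepalived notify script running wg set), not listing it under several peers at once.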
