Connected to WireGuard but cannot access the internet


I tried it on my Ubuntu 20.04 LTS server with this configuration:

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 64129
PrivateKey = xxxxx

PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;

PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;


[Peer]
PublicKey = xxxxx
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128

Then, on my Windows machine, I tried the WireGuard application as a client with the following configuration:

[Interface]
PrivateKey = xxxxx
Address = 10.66.66.2/32, fd42:42:42::2/128

[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xx.xx.xx.xx:64129
PersistentKeepalive = 25

I also checked ping 10.66.66.1 from my client and got the correct response, and likewise for 8.8.8.8 and 4.2.2.4.

This is what I get when I run wg in the server terminal:

interface: wg0
  public key: xxxxxx
  private key: (hidden)
  listening port: 64129

peer: xxxxxx
  endpoint: xx.xx.xx.xx:56698
  allowed ips: 10.66.66.2/32, fd42:42:42::2/128
  latest handshake: 9 minutes, 23 seconds ago
  transfer: 33.54 KiB received, 13.87 KiB sent

I set ip_forward to 1:

ssh@ubuntu:~# cat /proc/sys/net/ipv4/ip_forward
1

Here is my ufw status:

ssh@ubuntu:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
64129/udp                  ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
64129/udp (v6)             ALLOW       Anywhere (v6)

Anywhere on eth0           ALLOW FWD   Anywhere on wg0
Anywhere on wg0            ALLOW FWD   Anywhere on eth0
Anywhere (v6) on eth0      ALLOW FWD   Anywhere (v6) on wg0
Anywhere (v6) on wg0       ALLOW FWD   Anywhere (v6) on eth0

But I still cannot open any URL in the browser.

Here is the output of ip a:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:0c:b8:2c brd ff:ff:ff:ff:ff:ff
    inet xx.xx.xx.xx/32 brd xx.xx.xx.xx scope global eth0
       valid_lft forever preferred_lft forever
    inet6 xxx::xx:xx:xx:xxx/64 scope link
       valid_lft forever preferred_lft forever
12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.66.66.1/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fd42:42:42::1/64 scope global
       valid_lft forever preferred_lft forever

Answer 1

Please change the Address line in the client (Windows) configuration like this:

Address = 10.66.66.2/24, fd42:42:42::2/64

Also, to use IPv6 forwarding, you should set net.ipv6.conf.all.forwarding to 1. To make all forwarding settings persistent, use the following commands:

$ sudo -i
# echo -e 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/10-wireguard.conf
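The two changes above (the client's Address prefix lengths and the two forwarding sysctls) can be checked before touching the live system. The script below is an added example and is not part of the question or the answer; it works on constructed copies of the question's configs and on a constructed sysctl dump (keys and endpoint are placeholders), so it runs without root and without WireGuard installed.

```shell
#!/usr/bin/env bash
# Added example: offline pre-flight check for the two changes the answer makes.
# Not part of the question or the answer; the configs and sysctl output below
# are constructed samples (keys and endpoint are placeholders).

# Constructed server and client configs, mirroring the ones in the question.
SERVER_CONF='[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 64129
PrivateKey = xxxxx

[Peer]
PublicKey = xxxxx
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128'

CLIENT_CONF='[Interface]
PrivateKey = xxxxx
Address = 10.66.66.2/32, fd42:42:42::2/128

[Peer]
PublicKey = xxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xx.xx.xx.xx:64129'

# Constructed output in the form printed by:
#   sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding
SYSCTL_BAD='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0'
SYSCTL_OK='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1'

# wg_key CONF KEY: print KEY's value from the [Interface] section of CONF.
wg_key() {
  printf '%s\n' "$1" |
    sed -n '/^\[Interface\]/,/^\[/{s/^'"$2"'[[:space:]]*=[[:space:]]*//p;}'
}

# same_family_entry LIST ADDR: from a comma-separated address list, print the
# first entry in the same family (IPv4 or IPv6) as ADDR.
same_family_entry() {
  local list="$1" addr="$2"
  case "$addr" in
    *:*) printf '%s\n' "$list" | tr ',' '\n' | tr -d ' ' | grep ':' | head -n1 ;;
    *)   printf '%s\n' "$list" | tr ',' '\n' | tr -d ' ' | grep -v ':' | grep . | head -n1 ;;
  esac
}

# suggest_client_address CLIENT_CONF SERVER_CONF: print the client's Address
# value with each prefix length replaced by the server's for that family
# (/32 -> /24 and /128 -> /64 here). Returns 0 if nothing had to change, 1 otherwise.
suggest_client_address() {
  local client_list server_list entry ip spl out="" changed=0
  client_list=$(wg_key "$1" Address)
  server_list=$(wg_key "$2" Address)
  for entry in $(printf '%s\n' "$client_list" | tr ',' ' '); do
    ip=${entry%%/*}
    spl=$(same_family_entry "$server_list" "$ip")
    if [ -z "$spl" ]; then            # server has no address in this family: keep as is
      out="${out:+$out, }$entry"
      continue
    fi
    spl=${spl##*/}
    [ "${entry##*/}" = "$spl" ] || changed=1
    out="${out:+$out, }$ip/$spl"
  done
  printf '%s\n' "$out"
  return "$changed"
}

# check_forwarding SYSCTL_TEXT: return 0 when both forwarding sysctls are 1;
# otherwise name each one that is not and return 1.
check_forwarding() {
  local key val rc=0
  for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
    val=$(printf '%s\n' "$1" | sed -n "s/^$key[[:space:]]*=[[:space:]]*//p")
    if [ "${val:-0}" != "1" ]; then
      printf '%s is %s, expected 1\n' "$key" "${val:-unset}"
      rc=1
    fi
  done
  return "$rc"
}

# Run both checks against the constructed inputs.
printf 'Client Address line should be: Address = %s\n' \
  "$(suggest_client_address "$CLIENT_CONF" "$SERVER_CONF")"
check_forwarding "$SYSCTL_BAD" || echo 'persist the fix in /etc/sysctl.d/ as shown above'
```

On a real server you would feed check_forwarding the output of sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding instead of the constructed text, and wg_key the contents of the actual .conf files; the functions only look at the [Interface] section, so the peer keys never need to leave the files.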

Since the iptables and ip6tables commands can get long, I use the following script for PostUp and PostDown (named /etc/wireguard/helper/add-rem_nat_routing.sh in my case):

Important: enter the correct IPv6 subnet address below, or remove the IPv6-related parts:

#!/bin/bash
## Adds (-I) or removes (-D) the NAT and forwarding rules for a WireGuard interface.
## Usage: add-rem_nat_routing.sh -I|-D <wg-interface>
OPT="$1"
case "$OPT" in
  "-I" )
    OPT2="1"   ## insert at position 1 so the rule comes before existing ones
    ;;
  "-D" )
    OPT2=""    ## delete takes no position argument
    ;;
  * )
    echo "Unknown option: $OPT" >&2
    exit 2
    ;;
esac
IPT="/usr/sbin/iptables"
IPT6="/usr/sbin/ip6tables"
IN_FACE="eth0"          ## NIC connected to the internet
WG_FACE="$2"            ## WG NIC (wg-quick passes it as %i)
if [ -z "$WG_FACE" ]; then
  echo "Usage: $0 -I|-D <wg-interface>" >&2
  exit 2
fi
SUB_NET="10.66.66.0/24" ## WG IPv4 sub/net aka CIDR
WG_PORT="64129"         ## WG udp port
SUB_NET_6="fd42:42:42::/112" ## WG IPv6 sub/net CORRECT THIS!!!
### IPv4 ###
$IPT -t nat $OPT POSTROUTING $OPT2 -s $SUB_NET -o $IN_FACE -j MASQUERADE
$IPT $OPT INPUT   $OPT2 -i $WG_FACE -j ACCEPT
$IPT $OPT FORWARD $OPT2 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT $OPT FORWARD $OPT2 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT $OPT INPUT   $OPT2 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT
### IPv6 (comment these if you DO NOT have IPv6) ###
$IPT6 -t nat $OPT POSTROUTING $OPT2 -s $SUB_NET_6 -o $IN_FACE -j MASQUERADE
$IPT6 $OPT INPUT   $OPT2 -i $WG_FACE -j ACCEPT
$IPT6 $OPT FORWARD $OPT2 -i $IN_FACE -o $WG_FACE -j ACCEPT
$IPT6 $OPT FORWARD $OPT2 -i $WG_FACE -o $IN_FACE -j ACCEPT
$IPT6 $OPT INPUT   $OPT2 -i $IN_FACE -p udp --dport $WG_PORT -j ACCEPT

and call it from the server configuration like this:

PostUp = /etc/wireguard/helper/add-rem_nat_routing.sh -I "%i"
PostDown = /etc/wireguard/helper/add-rem_nat_routing.sh -D "%i"

Note: you should run systemctl restart wg-quick@wg0 after changing the server configuration.

Please test the following on the server:

$ traceroute 1.1.1.1

and the following on the client (after the WireGuard connection is up):

C:\> tracert 1.1.1.1
