V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
V2EX 提问指南
SteveRogers
V2EX  ›  问与答

wirdguard 的配置,自问很仔细,不知道哪里出问题了,代码贴出,大家帮忙看看?

  •  
  •   SteveRogers · 2020-11-26 12:01:58 +08:00 · 1998 次点击
    这是一个创建于 1456 天前的主题,其中的信息可能已经有所发展或是发生改变。

    详细信息如下

    开启 TCP 转发

    echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

    生成公钥和私钥

    cd /etc/wireguard/ umask 077 wg genkey | tee privatekey | wg pubkey > publickey umask 022 cat privatekey

    kH+D4tV+2MJ0r3Pz0ZcfaAKdtW6JGHw1pxcRhWfXGW8=
    
    

    cat publickey

    Na5BMpCXuG0wmyXZH1GE3Uic+hvkq4865lIR+RTJjUU=
    

    书写服务器配置文件

    vim wg0.conf

    [Interface]
    Address = 10.0.1.1/16
    PrivateKey = kH+D4tV+2MJ0r3Pz0ZcfaAKdtW6JGHw1pxcRhWfXGW8=
    ListenPort = 8006
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
    
    [Peer]
    PublicKey = Na5BMpCXuG0wmyXZH1GE3Uic+hvkq4865lIR+RTJjUU=
    AllowedIPs = 10.0.1.2/32
    

    wg-quick up wg0

    Client 配置

    [Interface]
    PrivateKey = kH+D4tV+2MJ0r3Pz0ZcfaAKdtW6JGHw1pxcRhWfXGW8=
    Address = 10.0.1.2/16
    DNS = 223.6.6.6
    MTU = 1420
    
    [Peer]
    PublicKey = Na5BMpCXuG0wmyXZH1GE3Uic+hvkq4865lIR+RTJjUU=
    AllowedIPs = 10.0.1.0/22
    Endpoint = xx.adc.com:8006
    PersistentKeepalive = 30
    

    客户端连接日志如下

    2020-11-26 12:02:17.742234: [NET] App version: 0.0.20191105 (16); Go backend version: 0.0.20191013
    2020-11-26 12:02:17.742626: [NET] Starting tunnel from the app
    2020-11-26 12:02:18.523714: [NET] Tunnel interface is utun2
    2020-11-26 12:02:18.524107: [NET] Attaching to interface
    2020-11-26 12:02:18.524639: [NET] Routine: decryption worker - started
    2020-11-26 12:02:18.524717: [NET] Routine: decryption worker - started
    2020-11-26 12:02:18.524828: [NET] Routine: event worker - started
    2020-11-26 12:02:18.524886: [NET] Routine: handshake worker - started
    2020-11-26 12:02:18.524933: [NET] Routine: handshake worker - started
    2020-11-26 12:02:18.524962: [NET] Routine: encryption worker - started
    2020-11-26 12:02:18.524988: [NET] Routine: handshake worker - started
    2020-11-26 12:02:18.525033: [NET] Routine: decryption worker - started
    2020-11-26 12:02:18.525084: [NET] Routine: encryption worker - started
    2020-11-26 12:02:18.525127: [NET] Routine: handshake worker - started
    2020-11-26 12:02:18.525210: [NET] Routine: handshake worker - started
    2020-11-26 12:02:18.525236: [NET] Routine: handshake worker - started
    2020-11-26 12:02:18.525262: [NET] Routine: encryption worker - started
    2020-11-26 12:02:18.525289: [NET] Routine: decryption worker - started
    2020-11-26 12:02:18.525324: [NET] Routine: decryption worker - started
    2020-11-26 12:02:18.525350: [NET] Routine: encryption worker - started
    2020-11-26 12:02:18.525376: [NET] Routine: decryption worker - started
    2020-11-26 12:02:18.525403: [NET] Routine: handshake worker - started
    2020-11-26 12:02:18.525429: [NET] Routine: encryption worker - started
    2020-11-26 12:02:18.525461: [NET] Routine: handshake worker - started
    2020-11-26 12:02:18.525487: [NET] Routine: encryption worker - started
    2020-11-26 12:02:18.525540: [NET] Routine: encryption worker - started
    2020-11-26 12:02:18.525581: [NET] Routine: decryption worker - started
    2020-11-26 12:02:18.525613: [NET] Routine: encryption worker - started
    2020-11-26 12:02:18.525642: [NET] Routine: TUN reader - started
    2020-11-26 12:02:18.525697: [NET] Routine: decryption worker - started
    2020-11-26 12:02:18.525807: [NET] UAPI: Updating private key
    2020-11-26 12:02:18.525906: [NET] UAPI: Removing all peers
    2020-11-26 12:02:18.525939: [NET] UAPI: Transition to peer configuration
    2020-11-26 12:02:18.526149: [NET] peer(AAAA…AAAA) - UAPI: Updating endpoint
    2020-11-26 12:02:18.526218: [NET] peer(AAAA…AAAA) - UAPI: Updating persistent keepalive interval
    2020-11-26 12:02:18.526310: [NET] peer(AAAA…AAAA) - UAPI: Removing all allowedips
    2020-11-26 12:02:18.526349: [NET] peer(AAAA…AAAA) - UAPI: Adding allowedip
    2020-11-26 12:02:18.526636: [NET] Routine: receive incoming IPv6 - started
    2020-11-26 12:02:18.526688: [NET] Routine: receive incoming IPv4 - started
    2020-11-26 12:02:18.526819: [NET] UDP bind has been updated
    2020-11-26 12:02:18.526868: [NET] Device started
    2020-11-26 12:02:18.527599: [APP] Tunnel 'test' connection status changed to 'connected'
    2020-11-26 12:02:22.573923: [APP] Status update notification timeout for tunnel 'test'. Tunnel status is now 'connected'.
    
    第 1 条附言  ·  2020-11-26 17:27:02 +08:00

    调整后依然不行,服务器上执行wg,能看到连接,但是网络不通,两个客户端都不通,单独一个客户端也不行

    服务器配置

    [Interface]
    Address = 10.0.1.1/16
    PrivateKey = kH+D4tV+2MJ0r3Pz0ZcfaAKdtW6JGHw1pxcRhWfXGW8=
    ListenPort = 8006
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
    
    [Peer]
    PublicKey = KYhBEfe76T3V2wMPNYqfH67+6KL85WVVMo8NhcFj+xw=
    AllowedIPs = 10.0.1.2/32
    
    [Peer]
    PublicKey = 1MRN8OEUQZ5HSaB0jy907zUjl+Z9zQPyVJQruEg2GCI=
    AllowedIPs = 10.0.1.3/32
    

    客户端的配置

    [Interface]
    PrivateKey = 0OG59gIjuXJzciFFrxBkNDWQzfQoO4p5QkegoxdIv0s=
    Address = 10.0.1.2/16
    DNS = 223.6.6.6
    MTU = 1420
    
    [Peer]
    PublicKey = Na5BMpCXuG0wmyXZH1GE3Uic+hvkq4865lIR+RTJjUU=
    AllowedIPs = 10.0.0.0/22, 172.16.31.0/22
    Endpoint = 116.30.111.111:8006
    PersistentKeepalive = 30
    
    第 2 条附言  ·  2020-11-26 18:59:00 +08:00
    补充路由表
    netstat -nr

    Routing tables

    Internet:

    Destination Gateway Flags Netif Expire

    default link#20 UCS utun2

    default 10.101.128.1 UGScI en0

    8.8.8.8 link#20 UHW3I utun2 19

    10.0.1.2 10.0.1.2 UH utun2

    10.101.128/20 link#8 UCS en0 !

    10.101.128.1/32 link#8 UCS en0 !

    10.101.128.1 f4:74:88:87:59:c5 UHLWIir en0 1200

    10.101.136.225/32 link#8 UCS en0 !

    52.87.201.4 link#20 UHWIi utun2

    127 127.0.0.1 UCS lo0

    127.0.0.1 127.0.0.1 UH lo0

    169.254 link#8 UCS en0 !

    172.16.31.1 link#20 UHWIi utun2

    223.6.6.6 link#20 UHWIi utun2

    224.0.0/4 link#20 UmCS utun2

    224.0.0/4 link#8 UmCSI en0 !

    239.255.255.250 link#20 UHmW3I utun2 26

    255.255.255.255/32 link#20 UCS utun2

    255.255.255.255/32 link#8 UCSI en0 !
    18 条回复    2020-11-27 05:04:21 +08:00
    bitdust
        1
    bitdust  
       2020-11-26 12:31:58 +08:00
    client 的 privatekey 要自己生成,不要和 server 的 key 相同
    301
        2
    301  
       2020-11-26 12:34:28 +08:00 via Android
    你客户端和服务端用了相同的一对密钥,我没见过这样的配置,要不用两对试试看,即服务端配置文件用私钥 A 和公钥 B,客户端配置文件用私钥 B 和公钥 A
    SteveRogers
        3
    SteveRogers  
    OP
       2020-11-26 13:02:40 +08:00
    @bitdust
    @301 一语惊醒梦中人,搞定,在群晖里用第三方编译的套件完成连接
    zro
        4
    zro  
       2020-11-26 13:27:17 +08:00
    楼主,你从客户端 tracert 的时候中间路程都是* * *吗,我设置的除了开头和最后一跳有显示,其他都是显示* * *,想不出是什么原因。。
    SteveRogers
        5
    SteveRogers  
    OP
       2020-11-26 16:10:50 +08:00
    @zro 其实我还没有通,我 wg 状态都显示两台终端了,但是网络没有互通,这个目前日志也不成熟,可能要放弃这个工具
    zro
        6
    zro  
       2020-11-26 16:28:31 +08:00
    刚开始看别人的 WG 配置也是云里雾里的,但现在配多几次感觉很好用~

    我发现你的配置有个问题,客户端的 AllowedIPs = 10.0.1.0/22,其实是等价 10.0.0.0/22 的。。

    另外可能要配合 ip route 命令来查互通不了的问题~
    SteveRogers
        7
    SteveRogers  
    OP
       2020-11-26 17:28:05 +08:00
    @zro 大佬看看我更新了配置,能连上但是网络不通
    @301 大佬看看我更新了配置,能连上但是网络不通
    @bitdust 大佬看看我更新了配置,能连上但是网络不通
    zro
        8
    zro  
       2020-11-26 18:14:02 +08:00
    @SteveRogers #7 key 是直接复制粘贴的吗,又或者会是小写的 L 跟 I 搞混了吗?我就试过。。。
    bitdust
        9
    bitdust  
       2020-11-26 18:17:12 +08:00
    盲猜你客户端没有加路由信息。

    你的客户端 是运行在哪里的?
    需要进入其网络配置端口,添加路由信息,即把所有流量全部路由到 wireguard 的虚拟网卡上
    301
        10
    301  
       2020-11-26 18:20:15 +08:00 via Android
    @SteveRogers 客户端 AllowedIPs 改成 0.0.0.0/0,那个配置是用来决定哪些流量发往服务端的
    SteveRogers
        11
    SteveRogers  
    OP
       2020-11-26 18:39:08 +08:00
    @zro 复制铁站的,肯定不会手工输滴


    @bitdust 这个客户端有两个 一个是手机、一个是电脑,没有单独加路由,需要怎么加呢
    @301 这个也尝试过,客户端 peer 允许 0.0.0.0/0,不行,用路由跟踪,全部都是*,并且不可达
    zro
        12
    zro  
       2020-11-26 18:47:25 +08:00
    @SteveRogers #11 你还是把 ip route 帖上吧。。感觉有冲突
    301
        13
    301  
       2020-11-26 19:00:49 +08:00
    @SteveRogers 用了你的配置,在 vps 和本地搭了下,可以通
    jasonyang9
        14
    jasonyang9  
       2020-11-26 19:07:29 +08:00 via Android
    wg 服务端上的网络接口名字到底是 eth0 还是 eth1 还是其它?
    zro
        15
    zro  
       2020-11-26 19:08:56 +08:00
    @301 #13 我感觉是楼主设的 WG 子网 /16 太大了,可能跟原有的内网有冲突。。他的配置确实看不出有问题~
    SteveRogers
        16
    SteveRogers  
    OP
       2020-11-26 19:47:00 +08:00
    @jasonyang9 eth1 就是我当前服务器的内网 ip,也就是群晖的局域网 ip 地址 172.16.31.xx
    @301 那我用 docker 试试,估计群晖的套件问题了
    openmynet
        17
    openmynet  
       2020-11-26 23:26:37 +08:00
    irytu
        18
    irytu  
       2020-11-27 05:04:21 +08:00 via iPhone
    server 以及每个客户端自带一“对” key,本质就是交换 public key 进行 end to end 验证
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   4999 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 34ms · UTC 03:50 · PVG 11:50 · LAX 19:50 · JFK 22:50
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.