
Problem: I have a working WireGuard setup in Docker (see guide: link), but when porting the configuration to Kubernetes via host networking I am struggling to get internet access for the clients. I can get a handshake and can even ping the host's LAN IP, but I cannot seem to reach the default gateway.
Note that I use 21421 as the external port and forward traffic to 51820. My LAN subnets are 10.0.0.0/24 and 2601:204:xxxx:xxx0::/64.
configmap.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
  name: wireguard-config
data:
  PUID: "1000"
  PGID: "1000"
  TZ: "America/Los_Angeles"
  SERVERURL: my.website.addr
  SERVERPORT: "21421"
  PEERS: pphone,wphone,tablet,laptop,trouter
  PEERDNS: 75.75.75.75,75.75.76.76,2001:558:feed::1,2001:558:feed::2
  INTERNAL_SUBNET: 10.14.14.0/24
  ALLOWEDIPS: 0.0.0.0/0, ::/0
  PERSISTENTKEEPALIVE_PEERS: all
deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard
spec:
  selector:
    matchLabels:
      app: wireguard
  replicas: 1
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      nodeSelector:
        kubernetes.io/hostname: obsidiana
      hostNetwork: true
      containers:
        - name: wireguard
          image: linuxserver/wireguard:latest
          securityContext:
            privileged: true
            capabilities:
              add:
                - NET_ADMIN
                - SYS_MODULE
          volumeMounts:
            - name: wireguard-configfiles
              mountPath: /config
            - name: lib-modules
              mountPath: /lib/modules
          envFrom:
            - configMapRef:
                name: wireguard-config
      volumes:
        - name: wireguard-configfiles
          hostPath:
            path: /srv/wireguard/config
        - name: lib-modules
          hostPath:
            path: /lib/modules
Also, here are the IP routes on the host (note the presence of the wireguard subnets 10.14.14.0/24 and 2601:204:xxxx:xxxc::/64):
atom@obsidiana [10:53:18] [/srv/wireguard]
-> % ip -c route
default via 10.0.0.1 dev enp3s0
default via 10.0.0.1 dev enp3s0 proto dhcp src 10.0.0.238 metric 100
10.0.0.0/24 dev enp3s0 proto kernel scope link src 10.0.0.238 metric 100
10.0.0.1 dev enp3s0 proto dhcp scope link src 10.0.0.238 metric 100
10.14.14.2 dev wg0 scope link
10.14.14.3 dev wg0 scope link
10.14.14.4 dev wg0 scope link
10.14.14.5 dev wg0 scope link
10.14.14.6 dev wg0 scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-1b4d200d1cbb proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev br-a1be084c54c9 proto kernel scope link src 172.19.0.1 linkdown
172.21.0.0/16 dev br-4d301d3707dd proto kernel scope link src 172.21.0.1
172.25.0.0/16 dev br-8745f19da673 proto kernel scope link src 172.25.0.1
172.26.0.0/16 dev br-d9ec277ec93b proto kernel scope link src 172.26.0.1
172.27.0.0/16 dev br-8a6e7b3004eb proto kernel scope link src 172.27.0.1
192.168.48.0/20 dev br-45b26225ad0a proto kernel scope link src 192.168.48.1 linkdown
192.168.67.0/24 dev br-2fe8a6223784 proto kernel scope link src 192.168.67.1 linkdown
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
blackhole 192.168.139.128/26 proto 80
192.168.139.154 dev cali151eafd1c9f scope link
192.168.139.160 dev calia50db85314e scope link
192.168.139.164 dev calia28aed46668 scope link
192.168.139.166 dev calib00d4512918 scope link
192.168.139.167 dev cali2018d45df2e scope link
192.168.139.168 dev cali339a2a73fab scope link
192.168.139.169 dev calia8fc0d7cff4 scope link
192.168.139.170 dev cali5d667b293c0 scope link
192.168.139.172 dev calic7ba6791d16 scope link
192.168.139.173 dev calif47c6967706 scope link
192.168.139.174 dev caliaeb0ffaab04 scope link
192.168.139.175 dev caliaf5a7cc0076 scope link
192.168.139.176 dev cali4497ec7f2ec scope link
192.168.176.0/20 dev br-3606b1dbef9e proto kernel scope link src 192.168.176.1
192.168.190.64/26 via 10.0.0.1 dev enp3s0 proto 80 onlink
atom@obsidiana [10:57:51] [/srv/wireguard]
-> % ip -c -6 route
::1 dev lo proto kernel metric 256 pref medium
2601:204:xxxx:xxx0::/64 dev enp3s0 proto ra metric 100 expires 3588sec pref medium
2601:204:xxxx:xxxc::1 dev wg0 proto kernel metric 256 pref medium
2601:204:xxxx:xxxc::2 dev wg0 metric 1024 pref medium
2601:204:xxxx:xxxc::3 dev wg0 metric 1024 pref medium
2601:204:xxxx:xxxc::4 dev wg0 metric 1024 pref medium
2601:204:xxxx:xxxc::5 dev wg0 metric 1024 pref medium
2601:204:xxxx:xxxc::6 dev wg0 metric 1024 pref medium
fd2b:938d:7743:1::/64 proto ra metric 100 expires 1655sec pref medium
	nexthop via fe80::d358:7828:fa79:4a97 dev enp3s0 weight 1
	nexthop via fe80::d9c7:c6cc:58c8:1181 dev enp3s0 weight 1
fe80::/64 dev enp3s0 proto kernel metric 256 pref medium
fe80::/64 dev br-45b26225ad0a proto kernel metric 256 linkdown pref medium
fe80::/64 dev br-4d301d3707dd proto kernel metric 256 pref medium
fe80::/64 dev br-8745f19da673 proto kernel metric 256 pref medium
fe80::/64 dev vethca97195 proto kernel metric 256 pref medium
fe80::/64 dev br-d9ec277ec93b proto kernel metric 256 pref medium
fe80::/64 dev veth3e9a2b2 proto kernel metric 256 pref medium
fe80::/64 dev br-3606b1dbef9e proto kernel metric 256 pref medium
fe80::/64 dev veth5f2e53f proto kernel metric 256 pref medium
fe80::/64 dev br-8a6e7b3004eb proto kernel metric 256 pref medium
fe80::/64 dev veth42b0ce5 proto kernel metric 256 pref medium
fe80::/64 dev veth4730c27 proto kernel metric 256 pref medium
fe80::/64 dev cali151eafd1c9f proto kernel metric 256 pref medium
fe80::/64 dev calia50db85314e proto kernel metric 256 pref medium
fe80::/64 dev calib00d4512918 proto kernel metric 256 pref medium
fe80::/64 dev cali2018d45df2e proto kernel metric 256 pref medium
fe80::/64 dev cali339a2a73fab proto kernel metric 256 pref medium
fe80::/64 dev calia28aed46668 proto kernel metric 256 pref medium
fe80::/64 dev cali5d667b293c0 proto kernel metric 256 pref medium
fe80::/64 dev calia8fc0d7cff4 proto kernel metric 256 pref medium
fe80::/64 dev calif47c6967706 proto kernel metric 256 pref medium
fe80::/64 dev caliaeb0ffaab04 proto kernel metric 256 pref medium
fe80::/64 dev caliaf5a7cc0076 proto kernel metric 256 pref medium
fe80::/64 dev cali4497ec7f2ec proto kernel metric 256 pref medium
fe80::/64 dev calic7ba6791d16 proto kernel metric 256 pref medium
fe80::/64 dev veth3c7f6d9 proto kernel metric 256 pref medium
default via fe80::6cf2:67ff:fed0:9b95 dev enp3s0 proto ra metric 100 expires 1788sec pref medium
I adjusted the firewall rules on the host to accommodate host networking (note the presence of wg0, as well as the wireguard subnets 10.14.14.0/24 and 2601:204:xxxx:xxxc::/64).
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: enp3s0 wg0
  sources: 2601:204:xxxx:xxx0::/64 2601:204:xxxx:xxxc::/64 10.14.14.0/24 10.0.0.0/24 192.168.0.0/16
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Running tcpdump -i br0 udp and port 51820 on the gateway/router with an active client
shows bidirectional traffic (br0 is the LAN iface, obsidiana is the PC hosting WireGuard):
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:10:52.858477 IP obsidiana.51820 > 172.56.168.229.41909: UDP, length 32
16:10:52.858919 IP obsidiana.51820 > 172.56.168.229.41909: UDP, length 148
16:10:53.810684 IP 172.56.168.229.41909 > obsidiana.51820: UDP, length 92
16:10:53.810900 IP obsidiana.51820 > 172.56.168.229.41909: UDP, length 32
16:10:55.867321 IP 108.147.99.17.35334 > obsidiana.51820: UDP, length 148
16:10:55.867700 IP obsidiana.51820 > 108.147.99.17.35334: UDP, length 92
16:10:55.948070 IP 108.147.99.17.35334 > obsidiana.51820: UDP, length 96
16:10:55.948476 IP 108.147.99.17.35334 > obsidiana.51820: UDP, length 96
16:10:56.272068 IP 108.147.99.17.35334 > obsidiana.51820: UDP, length 128
I can also see bidirectional traffic from the router using tcpdump -i enp10s0 udp and port 21421
(enp10s0 is the WAN, 21421 is wireguard's external port):
18:03:54.241853 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 112
18:03:54.248918 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 112
18:03:54.669307 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 128
18:03:54.679954 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 128
18:03:55.269114 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 96
18:03:55.285552 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 96
18:03:55.758942 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 128
18:03:55.774862 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 128
18:03:55.835307 IP c-73-151-158-xxx.hsd1.ca.comcast.net.21421 > 172.56.168.229.41909: UDP, length 32
18:03:56.769571 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 128
18:03:56.774526 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 128
18:03:56.859496 IP c-73-151-158-xxx.hsd1.ca.comcast.net.21421 > 108.147.99.18.60458: UDP, length 32
18:03:57.688746 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 128
18:03:57.691103 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 128
18:03:58.776023 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 128
18:03:58.776023 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 128
18:03:59.791058 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 128
18:03:59.791058 IP 108.147.99.18.60458 > c-73-151-158-xxx.hsd1.ca.comcast.net.21421: UDP, length 128
Last but not least, here are the relevant firewall settings on the default gateway (firewalld):
➜ ~ sudo firewall-cmd --list-all --zone=home
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: br0 wg0
  sources: 192.168.0.0/16 10.0.0.0/24 2601:204:xxxx:xxx0::/64 2601:204:xxxx:xxxc::/64
  services: dhcp dhcpv6-client dns dropbox-lansync elasticsearch grafana http iperf kibana kube-apiserver kube-repo kubelet mdns netbootxyz plex remote-wireguard samba-client ssh upnp wireguard
  ports: 6667/udp 49152/tcp 9101/tcp 9093/tcp 5353/udp
  protocols: igmp
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
➜ ~ sudo firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp10s0
  sources:
  services: dhcpv6-client shadowsocks
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
	port=21421:proto=udp:toport=51820:toaddr=10.0.0.238
  source-ports:
  icmp-blocks:
  rich rules:
Any ideas on what might be going wrong?
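Added here as a worked example, not part of the question or of the linuxserver/wireguard project: a small Python script that reads `ip route` output in the format posted above together with a `firewall-cmd --list-all` zone listing, performs a kernel-style longest-prefix route lookup, and then answers the question the symptom raises: when the host forwards a packet from a WireGuard client (say 10.14.14.2) to some destination, which interface does it leave on, is it masqueraded, and therefore does the next hop need its own route back to the VPN subnet? The sample route table and zone listing are constructed from a subset of the question's output; the addresses 8.8.8.8 and 192.168.139.130 are test destinations chosen for the example. The script only sees the host's table, so for the gateway it can tell you what to verify, not what is there.

```python
# Added example (not from the question): longest-prefix route lookup over `ip route`
# output plus a return-path check for forwarded, non-masqueraded VPN traffic.
import ipaddress

# Constructed sample: a subset of the host's `ip -c route` output posted above.
HOST_ROUTES = """\
default via 10.0.0.1 dev enp3s0
default via 10.0.0.1 dev enp3s0 proto dhcp src 10.0.0.238 metric 100
10.0.0.0/24 dev enp3s0 proto kernel scope link src 10.0.0.238 metric 100
10.0.0.1 dev enp3s0 proto dhcp scope link src 10.0.0.238 metric 100
10.14.14.2 dev wg0 scope link
10.14.14.3 dev wg0 scope link
blackhole 192.168.139.128/26 proto 80
192.168.139.154 dev cali151eafd1c9f scope link
192.168.190.64/26 via 10.0.0.1 dev enp3s0 proto 80 onlink
"""

# Constructed sample: the host's firewalld zone as posted (empty fields omitted).
HOST_ZONE = """\
trusted (active)
  target: ACCEPT
  interfaces: enp3s0 wg0
  sources: 10.14.14.0/24 10.0.0.0/24
  forward: yes
  masquerade: no
"""


def parse_routes(text):
    """Turn `ip route` lines into dicts with net, via, dev, metric and type."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        rtype = "unicast"
        if tokens[0] in ("blackhole", "unreachable", "prohibit"):
            rtype, tokens = tokens[0], tokens[1:]
        prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        attrs = tokens[1:]

        def field(name):
            return attrs[attrs.index(name) + 1] if name in attrs else None

        routes.append({
            "net": ipaddress.ip_network(prefix, strict=False),  # bare host -> /32
            "via": field("via"),
            "dev": field("dev"),
            "metric": int(field("metric") or 0),  # no metric shown means 0
            "type": rtype,
        })
    return routes


def lookup(routes, dst):
    """FIB lookup: longest prefix wins, ties go to the lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def parse_zone(text):
    """Parse a `firewall-cmd --list-all` listing into a {key: value} dict."""
    lines = text.strip().splitlines()
    zone = {"name": lines[0].split()[0]}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        zone[key] = value.strip()
    return zone


def return_path(routes, zone, client_ip, dst):
    """What a reply to client_ip needs once the host forwards its packet to dst.

    With forward: yes and masquerade: no the forwarded packet keeps the client's
    VPN source address, so the next hop on the egress interface must itself route
    the VPN subnet back to this host. Peer-to-peer traffic staying on the
    WireGuard interface needs no such route.
    """
    egress = lookup(routes, dst)
    client = lookup(routes, client_ip)
    result = {
        "forwarded": zone.get("forward") == "yes",
        "natted": zone.get("masquerade") == "yes",
        "egress": None,
        "dropped": True,
        "needs_return_route": False,
    }
    if egress is None or egress["type"] != "unicast":
        return result  # no route or blackhole: the packet never leaves the host
    result["egress"] = egress["dev"]
    result["dropped"] = False
    leaves_vpn = client is None or egress["dev"] != client["dev"]
    result["needs_return_route"] = result["forwarded"] and leaves_vpn and not result["natted"]
    return result


if __name__ == "__main__":
    routes, zone = parse_routes(HOST_ROUTES), parse_zone(HOST_ZONE)
    for dst in ("10.0.0.1", "8.8.8.8", "10.14.14.3", "192.168.139.130"):
        print(dst, return_path(routes, zone, "10.14.14.2", dst))
```

For 10.0.0.1 and for any internet address the report comes back with egress enp3s0, natted False and needs_return_route True: because the host does not masquerade, the gateway (and anything behind it) must route 10.14.14.0/24 back to 10.0.0.238, otherwise its replies have nowhere to go even though the forward and handshake paths work, which matches a client that can reach the host's LAN IP but nothing beyond it. For 10.14.14.3 the packet stays on wg0 and no extra route is required. Feeding the gateway's own `ip route` output into `parse_routes` and calling `lookup(routes, "10.14.14.2")` there is the corresponding check to run on the router.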