WireGuard network peer accessing the LAN

I hope you can help me solve my problem. I am building a network for personal use and I have run into some problems; I have no networking experience. I will explain using the attached diagram:

Network infrastructure diagram

Problem: I cannot reach the devices on the local network, including the services inside it (cameras, personal web server, database), through WireGuard and the Raspberry Pi-based VPN router.

Goal:

Reach the devices and their services from the remote server and clients. I have been searching and changing configurations, but nothing works. Sometimes from 10.6.0.1 I can reach the IP 172.16.0.1, but nothing more.

Infrastructure description:

  1. The WireGuard server (a) is on an Oracle instance, as shown in the diagram, with the following:

    • Public IP 158.43.56.3 (example IP)

    • Internal IP 10.0.0.183 on interface ens3

    • WireGuard server IP 10.6.0.1 on interface wg0

    • WireGuard port 51820

    • WireGuard installed via pivpn

  2. On the local network, the modem provides the 192.168.100.XX network (Wi-Fi or Ethernet)

  3. On the network the modem provides, there is a Raspberry Pi 4 (b) running Ubuntu 20.04, used as a wired router, with the following:

    • Local IP 192.168.100.182 on interface eth0
    • WireGuard IP 10.6.0.5 as a peer on interface wg0
    • Local subnet IP 172.16.0.1 on interface eth1 (USB Ethernet adapter)
    • DHCP server on interface eth1
  4. A switch is connected to interface eth1

  5. Various devices (servers, IP cameras, DVR) are connected to the switch; DHCP gives them IPs of the form 172.16.0.XX in the range 172.16.0.10 to 172.16.0.200 (e.g. ba, bb, bc)

  6. Other network devices connected to the VPN (10.6.0.3 as an example)

My current configuration is as follows (as you can see, I have been trying things):

WireGuard server:

[Interface]
PrivateKey = yL743NyU0M1z7guWxA9kekW7DAOXzO8EDfkAaG+jSGQ=
Address = 10.6.0.1/24
MTU = 1420
ListenPort = 51820

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT;
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT;
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = sysctl -q -w net.ipv4.ip_forward=1

#PostUp = route del -net 172.16.0.0/24 dev wg0
#iptables -t nat -A PREROUTING -d 172.16.0.0/24 -j DNAT --to-destination 10.6.0.1
#PostUp = iptables -t nat -A PREROUTING -d 172.16.0.0/24 -j DNAT --to-destination 10.6.0.1 
#PostUp = iptables -t filter -A FORWARD -s 10.6.0.0/24 -d 172.16.0.0/24 -j ACCEPT              
#PostUp = iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -d 172.16.0.0/24 -j MASQUERADE         

PostDown = sysctl -q -w net.ipv4.ip_forward=0
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT;
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT;
PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

##PostUp = iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o ens3 -j TCPMSS --clamp-mss-to-pmtu
##PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
##PostUp = iptables -A FORWARD -i ens3 -j ACCEPT
##PostUp = sysctl -q -w net.ipv4.ip_forward=1

##PostDown = sysctl -q -w net.ipv4.ip_forward=0
##PostDown = iptables -D FORWARD -i ens3 -j ACCEPT
##PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
##PostDown = iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o ens3 -j TCPMSS --clamp-mss-to-pmtu

### begin huawei-device ###
[Peer]
PublicKey = WaP0UPdQWKE0uy3F750cOEeLmLkikdtw0XAw/eGcrFI=
PresharedKey = fMqhe7jxsC9ukEhymPOXCogWMWo82TzIx6Veg+8lslc=
AllowedIPs = 10.6.0.2/24
### end huawei-device ###
### begin mac ###
[Peer]
PublicKey = ZCAV6xDLswBuqYWs38JYwvx2fwvmR1uEFRIAD760pxI=
PresharedKey = JdtJFaWUG2ECAfLX05WCyz/rrcs6VWFkVgnvEqnqhHo=
AllowedIPs = 10.6.0.3/32
AllowedIPs = 172.16.0.10/32
PersistentKeepalive = 15
### end mac ###
### begin rasprouter ###
[Peer]
PublicKey = r56sl4HNKHFkz8/r+aGqOHClMuXUt9lGE34gpktP5Q4=
PresharedKey = ukAcmfZUaMuVq53ruIYWmADwDYq0W+0KNjgAQ/ojqH4=
AllowedIPs = 10.6.0.5/32
AllowedIPs = 172.16.0.10/32
PersistentKeepalive = 15
### end rasprouter ###

Raspberry Pi wired router:

[Interface]
PrivateKey = SJXlysVGPfvodzG98EbwrZNvuPqo4sATLKaTB3Kqe20=
Address = 10.6.0.5/24
DNS = 1.1.1.1

###PostUp = sysctl -w net.ipv4.ip_forward=1
###PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
###PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
###PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
###PostUp = iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

###PostDown = sysctl -w net.ipv4.ip_forward=0
###PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
###PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
###PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
###PostDown = iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE; iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE; iptables -D FORWARD -o wg0 -j ACCEPT



[Peer]
PublicKey = mCK/FAHGtXFBNLS5WpHhSPEBvZRwY09HohD1YkNCNSI=
PresharedKey = ukAcmfZUaMuVq53ruIYWmADwDYq0W+0KNjgAQ/ojqH4=
Endpoint = 158.43.56.3:51820
#AllowedIPs = 0.0.0.0/0, ::/1
AllowedIPs = 172.16.0.10/32 
AllowedIPs = 10.6.0.0/24
PersistentKeepalive = 25

Another client on a distant LAN (the Mac in the diagram):

[Interface]
PrivateKey = YH+51/x6MoErmogdOs0UUzIF6W6Oz56t7BhhW9dFvXM=
Address = 10.6.0.3/24
DNS = 1.1.1.1

[Peer]
PublicKey = mCK/FAHGtXFBNLS5WpHhSPEBvZRwY09HohD1YkNCNSI=
PresharedKey = JdtJFaWUG2ECAfLX05WCyz/rrcs6VWFkVgnvEqnqhHo=
Endpoint = 158.43.56.3:51820
### AllowedIPs = 0.0.0.0/0, ::0/0
AllowedIPs = 172.16.0.10/32
AllowedIPs = 10.6.0.0/24
PersistentKeepalive = 25

Next I share the state of the infrastructure:

From the server: Pastebin server status

From the Raspberry Pi wired router: Pastebin Raspberry status

Tests

From a to b: works

ubuntu@instance-20210915-wireguard:~$ ping 10.6.0.5
PING 10.6.0.5 (10.6.0.5) 56(84) bytes of data.
64 bytes from 10.6.0.5: icmp_seq=1 ttl=64 time=75.1 ms
64 bytes from 10.6.0.5: icmp_seq=2 ttl=64 time=74.8 ms
^C
--- 10.6.0.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 74.772/74.920/75.069/0.148 ms

From a to ba: does not work

ubuntu@instance-20210915-wireguard:~$ ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
^C
--- 172.16.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3075ms

From a to c: works

ubuntu@instance-20210915-wireguard:~$ ping 10.6.0.3
PING 10.6.0.3 (10.6.0.3) 56(84) bytes of data.
64 bytes from 10.6.0.3: icmp_seq=1 ttl=64 time=78.5 ms
64 bytes from 10.6.0.3: icmp_seq=2 ttl=64 time=119 ms
64 bytes from 10.6.0.3: icmp_seq=3 ttl=64 time=77.9 ms
^C
--- 10.6.0.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 77.888/91.816/119.047/19.256 ms

From b to a: works

ubuntu@ubuntu:~$ ping 10.6.0.1
PING 10.6.0.1 (10.6.0.1) 56(84) bytes of data.
64 bytes from 10.6.0.1: icmp_seq=1 ttl=64 time=74.3 ms
64 bytes from 10.6.0.1: icmp_seq=2 ttl=64 time=74.5 ms
^C
--- 10.6.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 74.334/74.396/74.459/0.062 ms

From c to a: works

user@MacBook-Pro-user Downloads % ping 10.6.0.1
PING 10.6.0.1 (10.6.0.1): 56 data bytes
64 bytes from 10.6.0.1: icmp_seq=0 ttl=64 time=80.921 ms
64 bytes from 10.6.0.1: icmp_seq=1 ttl=64 time=78.086 ms
64 bytes from 10.6.0.1: icmp_seq=2 ttl=64 time=91.625 ms
^C
--- 10.6.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 78.086/83.544/91.625/5.830 ms

From b to c: does not work

ubuntu@ubuntu:~$ ping 10.6.0.3
PING 10.6.0.3 (10.6.0.3) 56(84) bytes of data.
From 10.6.0.1 icmp_seq=1 Destination Host Prohibited
From 10.6.0.1 icmp_seq=2 Destination Host Prohibited
^C
--- 10.6.0.3 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1002ms

From c to b: does not work

user@MacBook-Pro-user Downloads % ping 10.6.0.5
PING 10.6.0.5 (10.6.0.5): 56 data bytes
92 bytes from 10.6.0.1: Dest Unreachable, Bad Code: 10
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 25f3   0 0000  3f  01 41a3 10.6.0.3  10.6.0.5

Request timeout for icmp_seq 0
92 bytes from 10.6.0.1: Dest Unreachable, Bad Code: 10
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 a5cc   0 0000  3f  01 c1c9 10.6.0.3  10.6.0.5

Request timeout for icmp_seq 1
^C
--- 10.6.0.5 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

From b to ba: works!

ubuntu@ubuntu:~$ ping 172.16.0.10
PING 172.16.0.10 (172.16.0.10) 56(84) bytes of data.
64 bytes from 172.16.0.10: icmp_seq=1 ttl=64 time=74.6 ms
64 bytes from 172.16.0.10: icmp_seq=2 ttl=64 time=74.5 ms
^C
--- 172.16.0.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 74.455/74.541/74.627/0.086 ms

Well, the goal is to at least be able to reach 172.16.0.XX from IP 10.6.0.1.

With OpenVPN I could define the infrastructure without problems, but the bandwidth was terrible.

Sorry, I am not good with network infrastructure.

What's next?

Use Nginx to consume the services and deploy Apache Airflow to process the information I generate on the LAN.

Thanks in advance

Edit: I previously posted this on the wrong site
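The [Peer] AllowedIPs in the server config above form WireGuard's cryptokey routing table: every destination prefix can belong to only one peer, a later peer that configures an overlapping prefix takes that range over, and a packet whose destination matches no peer is dropped. The following is an added example, not code from the original post: it parses the peer sections of a wg-quick config and reports overlapping prefixes and which peer a given destination would be sent to. The sample input is constructed from the question's own server peers with the keys omitted, and peer names are assumed to come from the `### begin NAME ###` comments that appear in that config.

```python
import ipaddress
# Constructed sample: the [Peer] sections of the server config from the
# question, keys omitted (only AllowedIPs matter for cryptokey routing).
SERVER_CONF = """
### begin huawei-device ###
[Peer]
AllowedIPs = 10.6.0.2/24
### begin mac ###
[Peer]
AllowedIPs = 10.6.0.3/32
AllowedIPs = 172.16.0.10/32
### begin rasprouter ###
[Peer]
AllowedIPs = 10.6.0.5/32
AllowedIPs = 172.16.0.10/32
"""

def parse_peers(conf):
    """Return [(name, [networks])] in file order; names come from the '### begin NAME ###' comments."""
    peers, name, nets = [], None, None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("### begin "):
            name = line[len("### begin "):].strip("# ")
        elif line == "[Peer]":
            nets = []
            peers.append((name or f"peer{len(peers) + 1}", nets))
        elif nets is not None and line.split("=")[0].strip() == "AllowedIPs":
            for cidr in line.split("=", 1)[1].split(","):
                # strict=False: WireGuard reads 10.6.0.2/24 as the whole 10.6.0.0/24
                nets.append(ipaddress.ip_network(cidr.strip(), strict=False))
    return peers

def find_overlaps(peers):
    """Return every (peerA, prefixA, peerB, prefixB) pair whose prefixes overlap."""
    return [(a, str(x), b, str(y))
            for i, (a, a_nets) in enumerate(peers)
            for b, b_nets in peers[i + 1:]
            for x in a_nets for y in b_nets if x.overlaps(y)]

def route_for(peers, dst):
    """Peer that gets a packet for dst: longest prefix wins, later-defined peer
    wins ties. None means no AllowedIPs matches and WireGuard drops it."""
    addr, best = ipaddress.ip_address(dst), None
    for name, nets in peers:
        for net in nets:
            if addr in net and (best is None or net.prefixlen >= best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None
```

Running `route_for(parse_peers(SERVER_CONF), "172.16.0.1")` returns None, i.e. no peer in this table claims that destination.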
