我的wireguard 設定遇到了奇怪的情況。
我的設定: Wireguard 透過隧道存取我的網路。 Active Directory 網域控制站提供 DNS。用戶端透過隧道使用 DNS 伺服器。 Linux 用戶端使用網域控制站作為 DNS 伺服器,透過wireguard 隧道解析 DNS 查詢沒有問題。
問題: Windows 用戶端無法使用活動的wireguard 隧道進行瀏覽。 Ping 失敗,但 nslookup 有效。我可以 ping DNS 伺服器(透過 IP 位址)。我可以 ping 通外部 IP 位址(例如 1.1.1.1)。 Wireshark 顯示 DNS 查詢已發出但沒有回應。 wireguard 伺服器上的防火牆不會顯示查詢被封鎖。
我究竟做錯了什麼?
這是我的配置:
Wireguard伺服器
# cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.101.0.1/16
SaveConfig = true
PostUp = ufw route allow in on wg0 out on enp6s0
PostUp = ufw route allow in on enp6s0 out on wg0
PostUp = ufw route allow in on wg0 out on enp1s0
PostUp = ufw route allow in on enp1s0 out on wg0
PostUp = iptables -t nat -I POSTROUTING -o enp6s0 -j MASQUERADE
PostUp = iptables -t nat -I POSTROUTING -o enp1s0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on enp6s0
PreDown = ufw route delete allow in on wg0 out on enp1s0
PreDown = ufw route delete allow in on enp6s0 out on wg0
PreDown = ufw route delete allow in on enp1s0 out on wg0
PreDown = iptables -t nat -D POSTROUTING -o enp6s0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = <snipped>
Wireguard 伺服器上的路由表
# ip route
default via <wan_gateway> dev enp1s0 proto static
10.0.0.0/16 dev enp6s0 proto kernel scope link src 10.0.25.20
10.0.0.0/16 via 10.0.1.254 dev enp6s0 proto static metric 100
10.101.0.0/16 dev wg0 proto kernel scope link src 10.101.0.1
<wan_ip_block>/22 dev enp1s0 proto kernel scope link src <wireguard_public_ip>
WireguardServer 上的防火牆規則
# ufw status
Status: active
To Action From
-- ------ ----
51820/udp ALLOW Anywhere
22/tcp ALLOW Anywhere
3389 ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
135/tcp ALLOW Anywhere
389/tcp ALLOW Anywhere
636/tcp ALLOW Anywhere
3268/tcp ALLOW Anywhere
3269/tcp ALLOW Anywhere
53/tcp ALLOW Anywhere
88/tcp ALLOW Anywhere
445/tcp ALLOW Anywhere
123/tcp ALLOW Anywhere
464/tcp ALLOW Anywhere
137/tcp ALLOW Anywhere
138/tcp ALLOW Anywhere
139/tcp ALLOW Anywhere
135/udp ALLOW Anywhere
137/udp ALLOW Anywhere
138/udp ALLOW Anywhere
389/udp ALLOW Anywhere
445/udp ALLOW Anywhere
1512/udp ALLOW Anywhere
42/udp ALLOW Anywhere
42/tcp ALLOW Anywhere
1512/tcp ALLOW Anywhere
500/udp ALLOW Anywhere
49152:65535/tcp ALLOW Anywhere
49152:65535/udp ALLOW Anywhere
464 ALLOW Anywhere
5985:5986/tcp ALLOW Anywhere
53/udp ALLOW Anywhere
51820/udp (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
3389 (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
135/tcp (v6) ALLOW Anywhere (v6)
389/tcp (v6) ALLOW Anywhere (v6)
636/tcp (v6) ALLOW Anywhere (v6)
3268/tcp (v6) ALLOW Anywhere (v6)
3269/tcp (v6) ALLOW Anywhere (v6)
53/tcp (v6) ALLOW Anywhere (v6)
88/tcp (v6) ALLOW Anywhere (v6)
445/tcp (v6) ALLOW Anywhere (v6)
123/tcp (v6) ALLOW Anywhere (v6)
464/tcp (v6) ALLOW Anywhere (v6)
137/tcp (v6) ALLOW Anywhere (v6)
138/tcp (v6) ALLOW Anywhere (v6)
139/tcp (v6) ALLOW Anywhere (v6)
135/udp (v6) ALLOW Anywhere (v6)
137/udp (v6) ALLOW Anywhere (v6)
138/udp (v6) ALLOW Anywhere (v6)
389/udp (v6) ALLOW Anywhere (v6)
445/udp (v6) ALLOW Anywhere (v6)
1512/udp (v6) ALLOW Anywhere (v6)
42/udp (v6) ALLOW Anywhere (v6)
42/tcp (v6) ALLOW Anywhere (v6)
1512/tcp (v6) ALLOW Anywhere (v6)
500/udp (v6) ALLOW Anywhere (v6)
49152:65535/tcp (v6) ALLOW Anywhere (v6)
49152:65535/udp (v6) ALLOW Anywhere (v6)
464 (v6) ALLOW Anywhere (v6)
5985:5986/tcp (v6) ALLOW Anywhere (v6)
53/udp (v6) ALLOW Anywhere (v6)
Anywhere on enp6s0 ALLOW FWD Anywhere on wg0
Anywhere on wg0 ALLOW FWD Anywhere on enp6s0
Anywhere on enp1s0 ALLOW FWD Anywhere on wg0
Anywhere on wg0 ALLOW FWD Anywhere on enp1s0
Anywhere (v6) on enp6s0 ALLOW FWD Anywhere (v6) on wg0
Anywhere (v6) on wg0 ALLOW FWD Anywhere (v6) on enp6s0
Anywhere (v6) on enp1s0 ALLOW FWD Anywhere (v6) on wg0
Anywhere (v6) on wg0 ALLOW FWD Anywhere (v6) on enp1s0
Windows用戶端
[Interface]
PrivateKey = <snipped>
Address = 10.101.0.4/32
[Peer]
PublicKey = <snipped>
AllowedIPs = 10.101.0.0/16, 10.0.0.0/16, <wan_ip_block>/22
Endpoint = <snipped>:51820
答案1
問題是:
- 顯然,wireguard vpns 會自動配置比客戶端上所有其他連線更低的指標
- 我在有線/Wi-Fi 連線上配置了客戶端 DNS 伺服器,而不是在wireguard 連線上
- Windows 透過具有最低指標的連線發送 DNS 查詢
解決方案:將 DNS 伺服器新增至wireguard 用戶端設定:
DNS = <ip_address_of_dns_server>, <ip_address_of_dns_server>
完整的客戶端配置
[Interface]
PrivateKey = <snipped>
Address = 10.101.0.4/32
DNS = <ip_address_of_dns_server>, <ip_address_of_dns_server>
[Peer]
PublicKey = <snipped>
AllowedIPs = 10.101.0.0/16, 10.0.0.0/16, <wan_ip_block>/22
Endpoint = <snipped>:51820