wirdguard 的配置,自问很仔细,不知道哪里出问题了,代码贴出,大家帮忙看看?
SteveRogers · 2020-11-26 12:01:58 +08:00 · 1996 次点击这是一个创建于 1456 天前的主题,其中的信息可能已经有所发展或是发生改变。
详细信息如下
开启 TCP 转发
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
生成公钥和私钥
cd /etc/wireguard/
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
umask 022
cat privatekey
kH+D4tV+2MJ0r3Pz0ZcfaAKdtW6JGHw1pxcRhWfXGW8=
cat publickey
Na5BMpCXuG0wmyXZH1GE3Uic+hvkq4865lIR+RTJjUU=
书写服务器配置文件
vim wg0.conf
[Interface]
Address = 10.0.1.1/16
PrivateKey = kH+D4tV+2MJ0r3Pz0ZcfaAKdtW6JGHw1pxcRhWfXGW8=
ListenPort = 8006
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = Na5BMpCXuG0wmyXZH1GE3Uic+hvkq4865lIR+RTJjUU=
AllowedIPs = 10.0.1.2/32
wg-quick up wg0
Client 配置
[Interface]
PrivateKey = kH+D4tV+2MJ0r3Pz0ZcfaAKdtW6JGHw1pxcRhWfXGW8=
Address = 10.0.1.2/16
DNS = 223.6.6.6
MTU = 1420
[Peer]
PublicKey = Na5BMpCXuG0wmyXZH1GE3Uic+hvkq4865lIR+RTJjUU=
AllowedIPs = 10.0.1.0/22
Endpoint = xx.adc.com:8006
PersistentKeepalive = 30
客户端连接日志如下
2020-11-26 12:02:17.742234: [NET] App version: 0.0.20191105 (16); Go backend version: 0.0.20191013
2020-11-26 12:02:17.742626: [NET] Starting tunnel from the app
2020-11-26 12:02:18.523714: [NET] Tunnel interface is utun2
2020-11-26 12:02:18.524107: [NET] Attaching to interface
2020-11-26 12:02:18.524639: [NET] Routine: decryption worker - started
2020-11-26 12:02:18.524717: [NET] Routine: decryption worker - started
2020-11-26 12:02:18.524828: [NET] Routine: event worker - started
2020-11-26 12:02:18.524886: [NET] Routine: handshake worker - started
2020-11-26 12:02:18.524933: [NET] Routine: handshake worker - started
2020-11-26 12:02:18.524962: [NET] Routine: encryption worker - started
2020-11-26 12:02:18.524988: [NET] Routine: handshake worker - started
2020-11-26 12:02:18.525033: [NET] Routine: decryption worker - started
2020-11-26 12:02:18.525084: [NET] Routine: encryption worker - started
2020-11-26 12:02:18.525127: [NET] Routine: handshake worker - started
2020-11-26 12:02:18.525210: [NET] Routine: handshake worker - started
2020-11-26 12:02:18.525236: [NET] Routine: handshake worker - started
2020-11-26 12:02:18.525262: [NET] Routine: encryption worker - started
2020-11-26 12:02:18.525289: [NET] Routine: decryption worker - started
2020-11-26 12:02:18.525324: [NET] Routine: decryption worker - started
2020-11-26 12:02:18.525350: [NET] Routine: encryption worker - started
2020-11-26 12:02:18.525376: [NET] Routine: decryption worker - started
2020-11-26 12:02:18.525403: [NET] Routine: handshake worker - started
2020-11-26 12:02:18.525429: [NET] Routine: encryption worker - started
2020-11-26 12:02:18.525461: [NET] Routine: handshake worker - started
2020-11-26 12:02:18.525487: [NET] Routine: encryption worker - started
2020-11-26 12:02:18.525540: [NET] Routine: encryption worker - started
2020-11-26 12:02:18.525581: [NET] Routine: decryption worker - started
2020-11-26 12:02:18.525613: [NET] Routine: encryption worker - started
2020-11-26 12:02:18.525642: [NET] Routine: TUN reader - started
2020-11-26 12:02:18.525697: [NET] Routine: decryption worker - started
2020-11-26 12:02:18.525807: [NET] UAPI: Updating private key
2020-11-26 12:02:18.525906: [NET] UAPI: Removing all peers
2020-11-26 12:02:18.525939: [NET] UAPI: Transition to peer configuration
2020-11-26 12:02:18.526149: [NET] peer(AAAA…AAAA) - UAPI: Updating endpoint
2020-11-26 12:02:18.526218: [NET] peer(AAAA…AAAA) - UAPI: Updating persistent keepalive interval
2020-11-26 12:02:18.526310: [NET] peer(AAAA…AAAA) - UAPI: Removing all allowedips
2020-11-26 12:02:18.526349: [NET] peer(AAAA…AAAA) - UAPI: Adding allowedip
2020-11-26 12:02:18.526636: [NET] Routine: receive incoming IPv6 - started
2020-11-26 12:02:18.526688: [NET] Routine: receive incoming IPv4 - started
2020-11-26 12:02:18.526819: [NET] UDP bind has been updated
2020-11-26 12:02:18.526868: [NET] Device started
2020-11-26 12:02:18.527599: [APP] Tunnel 'test' connection status changed to 'connected'
2020-11-26 12:02:22.573923: [APP] Status update notification timeout for tunnel 'test'. Tunnel status is now 'connected'.
第 1 条附言 · 2020-11-26 17:27:02 +08:00
调整后依然不行,服务器上执行wg,能看到连接,但是网络不通,两个客户端都不通,单独一个客户端也不行
服务器配置
[Interface]
Address = 10.0.1.1/16
PrivateKey = kH+D4tV+2MJ0r3Pz0ZcfaAKdtW6JGHw1pxcRhWfXGW8=
ListenPort = 8006
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE
[Peer]
PublicKey = KYhBEfe76T3V2wMPNYqfH67+6KL85WVVMo8NhcFj+xw=
AllowedIPs = 10.0.1.2/32
[Peer]
PublicKey = 1MRN8OEUQZ5HSaB0jy907zUjl+Z9zQPyVJQruEg2GCI=
AllowedIPs = 10.0.1.3/32
客户端的配置
[Interface]
PrivateKey = 0OG59gIjuXJzciFFrxBkNDWQzfQoO4p5QkegoxdIv0s=
Address = 10.0.1.2/16
DNS = 223.6.6.6
MTU = 1420
[Peer]
PublicKey = Na5BMpCXuG0wmyXZH1GE3Uic+hvkq4865lIR+RTJjUU=
AllowedIPs = 10.0.0.0/22, 172.16.31.0/22
Endpoint = 116.30.111.111:8006
PersistentKeepalive = 30
第 2 条附言 · 2020-11-26 18:59:00 +08:00
补充路由表
netstat -nr
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default link#20 UCS utun2
default 10.101.128.1 UGScI en0
8.8.8.8 link#20 UHW3I utun2 19
10.0.1.2 10.0.1.2 UH utun2
10.101.128/20 link#8 UCS en0 !
10.101.128.1/32 link#8 UCS en0 !
10.101.128.1 f4:74:88:87:59:c5 UHLWIir en0 1200
10.101.136.225/32 link#8 UCS en0 !
52.87.201.4 link#20 UHWIi utun2
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#8 UCS en0 !
172.16.31.1 link#20 UHWIi utun2
223.6.6.6 link#20 UHWIi utun2
224.0.0/4 link#20 UmCS utun2
224.0.0/4 link#8 UmCSI en0 !
239.255.255.250 link#20 UHmW3I utun2 26
255.255.255.255/32 link#20 UCS utun2
255.255.255.255/32 link#8 UCSI en0 !
netstat -nr
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default link#20 UCS utun2
default 10.101.128.1 UGScI en0
8.8.8.8 link#20 UHW3I utun2 19
10.0.1.2 10.0.1.2 UH utun2
10.101.128/20 link#8 UCS en0 !
10.101.128.1/32 link#8 UCS en0 !
10.101.128.1 f4:74:88:87:59:c5 UHLWIir en0 1200
10.101.136.225/32 link#8 UCS en0 !
52.87.201.4 link#20 UHWIi utun2
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
169.254 link#8 UCS en0 !
172.16.31.1 link#20 UHWIi utun2
223.6.6.6 link#20 UHWIi utun2
224.0.0/4 link#20 UmCS utun2
224.0.0/4 link#8 UmCSI en0 !
239.255.255.250 link#20 UHmW3I utun2 26
255.255.255.255/32 link#20 UCS utun2
255.255.255.255/32 link#8 UCSI en0 !
18 条回复 • 2020-11-27 05:04:21 +08:00
 |
1
bitdust 2020-11-26 12:31:58 +08:00
client 的 privatekey 要自己生成,不要和 server 的 key 相同
|
 |
2
301 2020-11-26 12:34:28 +08:00 via Android
你客户端和服务端用了相同的一对密钥,我没见过这样的配置,要不用两对试试看,即服务端配置文件用私钥 A 和公钥 B,客户端配置文件用私钥 B 和公钥 A
|
 |
3
SteveRogers OP |
 |
4
zro 2020-11-26 13:27:17 +08:00
楼主,你从客户端 tracert 的时候中间路程都是* * *吗,我设置的除了开头和最后一跳有显示,其他都是显示* * *,想不出是什么原因。。
 |
|
5
SteveRogers OP @zro 其实我还没有通,我 wg 状态都显示两台终端了,但是网络没有互通,这个目前日志也不成熟,可能要放弃这个工具
|
|
6
zro 2020-11-26 16:28:31 +08:00
刚开始看别人的 WG 配置也是云里雾里的,但现在配多几次感觉很好用~
我发现你的配置有个问题,客户端的 AllowedIPs = 10.0.1.0/22,其实是等价 10.0.0.0/22 的。。 另外可能要配合 ip route 命令来查互通不了的问题~ |
|
7
SteveRogers OP |
|
8
zro 2020-11-26 18:14:02 +08:00
@SteveRogers #7 key 是直接复制粘贴的吗,又或者会是小写的 L 跟 I 搞混了吗?我就试过。。。
 |
|
9
bitdust 2020-11-26 18:17:12 +08:00
盲猜你客户端没有加路由信息。
你的客户端 是运行在哪里的? 需要进入其网络配置端口,添加路由信息,即把所有流量全部路由到 wireguard 的虚拟网卡上 |
|
10
301 2020-11-26 18:20:15 +08:00 via Android
@SteveRogers 客户端 AllowedIPs 改成 0.0.0.0/0,那个配置是用来决定哪些流量发往服务端的
|
|
11
SteveRogers OP |
|
12
zro 2020-11-26 18:47:25 +08:00
@SteveRogers #11 你还是把 ip route 帖上吧。。感觉有冲突
|
|
13
301 2020-11-26 19:00:49 +08:00
@SteveRogers 用了你的配置,在 vps 和本地搭了下,可以通
|
 |
14
jasonyang9 2020-11-26 19:07:29 +08:00 via Android
wg 服务端上的网络接口名字到底是 eth0 还是 eth1 还是其它?
|
|
16
SteveRogers OP |
 |
17
openmynet 2020-11-26 23:26:37 +08:00
|
 |
18
irytu 2020-11-27 05:04:21 +08:00 via iPhone
server 以及每个客户端自带一“对” key,本质就是交换 public key 进行 end to end 验证
|
Select Language