Linux WireGuard VPN 入坑指南 3 内网穿透

Wireguard NAT穿透配置

如下图所示:

家庭网 的出口是一个 NAT路由器 设备

公司网 的出口是一个 NAT路由器 设备

当 家庭网 主机 访问 公司网 主机, 就相当于 一个内网在访问 另一个远程内网.
当 公司网 主机 访问 家庭网 主机, 就相当于 一个内网在访问 另一个远程内网.

一般情况下, 公网侧的设备无法主动连接 NAT 路由器后面的内网设备: NAT 只为内网主动发出的连接建立端口映射, 外部发来的新连接没有映射可用, 会被路由器直接丢弃.
比如: 你什么时候见过 百度的服务器 能主动访问你的 电脑?

借助一台有公网 IP 的 WireGuard 节点做中转, 两侧内网的主机都主动向它发起连接, 并用 PersistentKeepalive 保持 NAT 映射不过期, 公网节点再在两条隧道之间转发, 就能实现:

在家里访问公司网络.
在公司访问家庭网络.
网络拓扑图如下:

公网节点配置示例

root@shenzhen:~/wg# cat VPN.conf
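# Public (hub) node. Every NAT-ed peer dials out to this host, so it needs a
# public IP / DNS name and UDP port 20001 reachable from the Internet.
#
# Enable forwarding once:   echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf; sysctl -p
# Try it from this directory: wg-quick up ./VPN.conf ; wg-quick down ./VPN.conf
# Install as a service:     cp VPN.conf /etc/wireguard/VPN.conf; chmod 600 /etc/wireguard/VPN.conf; systemctl enable --now wg-quick@VPN
# This file holds the hub's private key; keep it readable by root only.

[Interface]
PrivateKey = YE2/ALgVldYaztYGISHDOUAteO2FgerpqelDn29XXXX=
Address = 192.168.175.100/24
ListenPort = 20001
MTU = 1420
# The FORWARD rules accept everything entering or leaving the VPN interface,
# so every peer can reach every other peer and (via the .101 peer) the whole
# 192.168.88.0/24 office LAN. Narrow the "-o VPN" rule per source/destination
# if not every peer should get that access.
# MASQUERADE is scoped to the VPN subnet so that only VPN-sourced traffic is
# NATed when it leaves eth0 and nothing else this host forwards is rewritten.
PostUp = iptables -A FORWARD -i VPN -j ACCEPT; iptables -A FORWARD -o VPN -j ACCEPT; iptables -t nat -A POSTROUTING -s 192.168.175.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i VPN -j ACCEPT; iptables -D FORWARD -o VPN -j ACCEPT; iptables -t nat -D POSTROUTING -s 192.168.175.0/24 -o eth0 -j MASQUERADE

# NAT node at the company network. It also announces the office LAN, so the
# hub routes any packet for 192.168.88.0/24 from any other peer to it.
[Peer]
PublicKey = EhcINyIRiiqcCrSbCAPdvVNJFgZbnOk/7qesy7AXXXX=
AllowedIPs = 192.168.175.101/32,192.168.88.0/24
PersistentKeepalive = 25

# Plain clients: one /32 each, no LAN announced behind them.
[Peer]
PublicKey = k8K8ZqB6ejAQib+ILze8/9ts1KsG9hFesKDQjP+XXXX=
AllowedIPs = 192.168.175.102/32
PersistentKeepalive = 25

# Phone (see 192.168.175.103.conf).
[Peer]
PublicKey = 002CLnEGEbqGo05I3l9awFTVZEh9D5N19vG/GEFXXXX=
AllowedIPs = 192.168.175.103/32
PersistentKeepalive = 25

[Peer]
PublicKey = ONEQmsMnSjCzuUoGk08+dIHqfTjyVi9mCroRWY9XXXX=
AllowedIPs = 192.168.175.104/32
PersistentKeepalive = 25

[Peer]
PublicKey = R4FH4nqGGnHiL1mGU8+pvoD2hB6s2SLpoWJAjCpXXXX=
AllowedIPs = 192.168.175.105/32
PersistentKeepalive = 25

[Peer]
PublicKey = p/PkWzu7eRo3PuZzdBYYUrg3K462L7I0Yc2kosGXXXX=
AllowedIPs = 192.168.175.106/32
PersistentKeepalive = 25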
root@shenzhen:~/wg#

NAT 节点配置示例 (公司网出口主机, 192.168.175.101, 背后是 192.168.88.0/24)

root@ubuntu:~# cat wg/client.conf
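# NAT node at the company network (192.168.88.0/24). It sits behind the NAT
# router, so it has no ListenPort and dials out to the public hub instead.
#
# Enable forwarding once:   echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf; sysctl -p
# Try it from this directory: wg-quick up ./client.conf ; wg-quick down ./client.conf
# Install as a service:     cp client.conf /etc/wireguard/client.conf; chmod 600 /etc/wireguard/client.conf; systemctl enable --now wg-quick@client
# wg-quick names the interface after the file ("client"); the iptables rules
# below rely on that name, so rename both together if you rename the file.
[Interface]
PrivateKey = uCYSx/TOreOr13MRTKeD3NaF1APc/9OgeqcYMTtXXXX=
Address = 192.168.175.101/24
MTU = 1420
# Forward VPN traffic into the office LAN. MASQUERADE is scoped to the VPN
# subnet: LAN hosts see it as coming from this node (assuming ens3 faces the
# LAN), so they need no route back to 192.168.175.0/24, and nothing else this
# host forwards out ens3 gets NATed.
PostUp = iptables -A FORWARD -i client -j ACCEPT; iptables -A FORWARD -o client -j ACCEPT; iptables -t nat -A POSTROUTING -s 192.168.175.0/24 -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i client -j ACCEPT; iptables -D FORWARD -o client -j ACCEPT; iptables -t nat -D POSTROUTING -s 192.168.175.0/24 -o ens3 -j MASQUERADE

# Public hub. AllowedIPs covers the whole VPN subnet, so every other peer is
# reached through the hub; the hub sends 192.168.88.0/24 back here because of
# its AllowedIPs entry for this peer.
[Peer]
PublicKey = sRtKLuV+9h/elGd/4uI/elOMDx0yStjARJ8jcdwXXXX=
AllowedIPs = 192.168.175.0/24
Endpoint = fly.li-chunli.top:20001
# Keeps the NAT router's UDP mapping open so the hub can reach this node at any time.
PersistentKeepalive = 25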

root@ubuntu:~#

手机节点配置示例

root@shenzhen:~/wg# cat 192.168.175.103.conf
# Phone: a plain client, no forwarding and no firewall hooks needed.
# This file contains the phone's private key. Prefer generating the key pair
# on the phone itself and registering only the public key on the hub; if the
# file is produced on a server, remove it there after importing it.
[Interface]
Address = 192.168.175.103/24
MTU = 1420
PrivateKey = QNmVNTJ/p/etgujAZ4tClEidxdJisquYnPhmfrwXXXX=

# Public hub. Both the VPN subnet and the office LAN (reached via the .101
# peer on the hub) are routed into the tunnel.
[Peer]
PublicKey = sRtKLuV+9h/elGd/4uI/elOMDx0yStjARJ8jcdwXXXX=
Endpoint = fly.li-chunli.top:20001
AllowedIPs = 192.168.175.0/24,192.168.88.0/24
PersistentKeepalive = 25
root@shenzhen:~/wg#

测试

  1. 手机 ping 192.168.175.100 (验证手机到公网节点的隧道已建立)
  2. 手机 ping 192.168.88.1 (验证公网节点把 192.168.88.0/24 转发给 NAT 节点, 且 NAT 节点的 FORWARD / MASQUERADE 规则生效)