例行检查

  1. 在服务端观测 客户端的报文 传输状态
    如果都没有报文传输过来, 需要先把网络连通性的问题解决!
1
2
3
20001 是服务器的 wireguard 端口

tcpdump -i eth0 host 180.169.232.XXX and port 20001 -tnnX
  1. 查看 心跳/密钥交换
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    sudo modprobe wireguard
    echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control # 开启调试
    echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control # 关闭调试
    dmesg -wT


    输出结果
    [Thu Jul 1 14:40:45 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
    [Thu Jul 1 14:40:45 2021] wireguard: VPN: Receiving keepalive packet from peer 137 (183.193.39.167:4028)
    [Thu Jul 1 14:40:45 2021] wireguard: VPN: Receiving handshake initiation from peer 137 (183.193.39.167:4028)
    [Thu Jul 1 14:40:45 2021] wireguard: VPN: Sending handshake response to peer 137 (183.193.39.167:4028)
    [Thu Jul 1 14:40:45 2021] wireguard: VPN: Keypair 1017269 destroyed for peer 137
    [Thu Jul 1 14:40:45 2021] wireguard: VPN: Keypair 1017275 created for peer 137
    [Thu Jul 1 14:40:45 2021] wireguard: VPN: Receiving keepalive packet from peer 137 (183.193.39.167:4028)
    [Thu Jul 1 14:40:47 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
    [Thu Jul 1 14:40:49 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
    [Thu Jul 1 14:40:51 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
    [Thu Jul 1 14:40:53 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
    [Thu Jul 1 14:40:56 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
    [Thu Jul 1 14:40:56 2021] wireguard: VPN: Sending keepalive packet to peer 136 (183.193.39.167:3112)
    [Thu Jul 1 14:40:58 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
    [Thu Jul 1 14:41:00 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)

问题

问题1

NAT 内的 ubuntu_wireguard 无法与阿里云的VPS握手成功

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
排查
1. 在 公司局域网的WG设备上跟踪报文到底 有没有发送出去.
20001是WG的服务端口
tcpdump -i wlan0 port 20001 -tnn


2. 在 阿里云 VPS 上
20001是WG的服务端口
180.169.232.XXX 是公司局域网的WG设备NAT之后的公网IP
tcpdump -i eth0 host 180.169.232.XXX and port 20001 -tnnX


结果:
从 TCPDUMP 抓包来看, 公司局域网的WG设备 确实把报文都发出了.

但是 在阿里云的 VPS上的TCPDUMP却抓不到.

已确认TCPDUAMP抓包的可用性
鉴定为 公司局域网的WG设备 到 阿里云之间, 有设备WG的握手包丢掉了.



确认阶段:
阿里云继续抓包
tcpdump -i eth0 host 180.169.232.XXX and port 20001 -tnnX

公司局域网的WG设备 NC发包
nc -u VPS_IP 20001

惊奇的发现, 阿里云VPS能抓获 公司局域网的WG设备 用NC发送的报文.



醍醐灌顶
公司局域网的WG设备 换个源端口, 问题解决.

解决方法:
注释掉 ListenPort
root@localhost:~# cat /etc/wireguard/VPN.conf
# echo 1 > /proc/sys/net/ipv4/ip_forward
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 192.168.175.xxx/24
PostUp = iptables -A FORWARD -i VPN -j ACCEPT; iptables -A FORWARD -o VPN -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i VPN -j ACCEPT; iptables -D FORWARD -o VPN -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

PostUp = iptables -A FORWARD -i VPN -j ACCEPT; iptables -A FORWARD -o VPN -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i VPN -j ACCEPT; iptables -D FORWARD -o VPN -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
#ListenPort = 5739
MTU = 1420

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 192.168.XXX.0/24
Endpoint = XXXX.XXXXXXX.XXXX:20001
PersistentKeepalive = 25
`

2022.06.24 更新

解决NAT超时问题
服务器端的每个 PEER 也要设置 PersistentKeepalive = 25