Routine checks
- On the server, watch whether the client's packets are arriving at all.
If no packets come in, fix basic network connectivity first!

```shell
# 20001 is the server's WireGuard port
tcpdump -i eth0 host 180.169.232.XXX and port 20001 -tnnX
```
- Check keepalives / key exchange

```shell
sudo modprobe wireguard
# enable debug output (run as root; with sudo use: echo 'module wireguard +p' | sudo tee /sys/kernel/debug/dynamic_debug/control)
echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
# disable debug output
echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control
dmesg -wT
```

Output:

```
[Thu Jul 1 14:40:45 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
[Thu Jul 1 14:40:45 2021] wireguard: VPN: Receiving keepalive packet from peer 137 (183.193.39.167:4028)
[Thu Jul 1 14:40:45 2021] wireguard: VPN: Receiving handshake initiation from peer 137 (183.193.39.167:4028)
[Thu Jul 1 14:40:45 2021] wireguard: VPN: Sending handshake response to peer 137 (183.193.39.167:4028)
[Thu Jul 1 14:40:45 2021] wireguard: VPN: Keypair 1017269 destroyed for peer 137
[Thu Jul 1 14:40:45 2021] wireguard: VPN: Keypair 1017275 created for peer 137
[Thu Jul 1 14:40:45 2021] wireguard: VPN: Receiving keepalive packet from peer 137 (183.193.39.167:4028)
[Thu Jul 1 14:40:47 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
[Thu Jul 1 14:40:49 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
[Thu Jul 1 14:40:51 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
[Thu Jul 1 14:40:53 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
[Thu Jul 1 14:40:56 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
[Thu Jul 1 14:40:56 2021] wireguard: VPN: Sending keepalive packet to peer 136 (183.193.39.167:3112)
[Thu Jul 1 14:40:58 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
[Thu Jul 1 14:41:00 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
```

A healthy peer shows "Receiving keepalive" / "Receiving handshake initiation" lines and a new keypair roughly every two minutes. A peer for which you only ever see "Sending ..." lines is one the server never hears from, which is the same symptom as packets not arriving in the tcpdump check above.
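Reading that stream by eye gets tedious with more than a few peers. The following is an added example (not part of the original post and not a WireGuard tool) that parses dynamic-debug lines in the `dmesg -T` format shown above per peer, and lists peers the server has sent to but not heard from. The sample log is constructed in that format; the peer numbers and endpoints are illustrative, and the 180 s threshold is WireGuard's REJECT_AFTER_TIME, after which the current keypair is no longer usable.

```python
"""Summarise WireGuard dynamic-debug lines (as printed by `dmesg -T`) per peer."""
import re
from datetime import datetime, timedelta

# One regex for the message shapes seen in the debug output, e.g.
#   "[Thu Jul  1 14:40:45 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)"
#   "[Thu Jul  1 14:40:45 2021] wireguard: VPN: Keypair 1017275 created for peer 137"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] wireguard: (?P<iface>\S+): (?P<msg>.+?) peer (?P<peer>\d+)"
    r"(?: \((?P<endpoint>[^)]+)\))?\s*$"
)

# Constructed sample in the same format as the dmesg output above.
# Peer 138: keepalives arriving every 2 s.  Peer 137: a rekey handshake.
# Peer 136: the server only ever *sends* to it and never receives anything,
# i.e. the symptom of a client whose packets are being dropped on the path.
SAMPLE_LOG = """\
[Thu Jul  1 14:40:45 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
[Thu Jul  1 14:40:45 2021] wireguard: VPN: Receiving handshake initiation from peer 137 (183.193.39.167:4028)
[Thu Jul  1 14:40:45 2021] wireguard: VPN: Sending handshake response to peer 137 (183.193.39.167:4028)
[Thu Jul  1 14:40:45 2021] wireguard: VPN: Keypair 1017269 destroyed for peer 137
[Thu Jul  1 14:40:45 2021] wireguard: VPN: Keypair 1017275 created for peer 137
[Thu Jul  1 14:40:45 2021] wireguard: VPN: Receiving keepalive packet from peer 137 (183.193.39.167:4028)
[Thu Jul  1 14:40:47 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
[Thu Jul  1 14:40:56 2021] wireguard: VPN: Sending keepalive packet to peer 136 (183.193.39.167:3112)
[Thu Jul  1 14:41:00 2021] wireguard: VPN: Receiving keepalive packet from peer 138 (180.169.232.173:2115)
"""


def parse_ts(text):
    """Parse the `dmesg -T` timestamp, e.g. 'Thu Jul  1 14:40:45 2021'."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def summarize(lines):
    """Return {peer_id: {...}} with the last time anything was received from the
    peer, the last time we sent to it, its endpoint and how many keypairs were created."""
    peers = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-peer WireGuard debug line
        ts = parse_ts(m["ts"])
        p = peers.setdefault(m["peer"], {
            "iface": m["iface"], "endpoint": None,
            "last_rx": None, "last_tx": None, "keypairs_created": 0,
        })
        if m["endpoint"]:
            p["endpoint"] = m["endpoint"]  # endpoint changes show up here (roaming / NAT rebinding)
        msg = m["msg"]
        if msg.startswith("Receiving "):
            p["last_rx"] = ts
        elif msg.startswith("Sending "):
            p["last_tx"] = ts
        elif " created for" in msg:
            p["keypairs_created"] += 1
    return peers


def stale_peers(peers, now, max_silence=timedelta(seconds=180)):
    """Peer ids from which nothing has been received within max_silence.
    180 s is WireGuard's REJECT_AFTER_TIME: a peer this quiet needs a fresh
    handshake before any data can flow again."""
    return [pid for pid, p in sorted(peers.items())
            if p["last_rx"] is None or now - p["last_rx"] > max_silence]


if __name__ == "__main__":
    peers = summarize(SAMPLE_LOG.splitlines())
    now = parse_ts("Thu Jul  1 14:41:05 2021")
    for pid, p in sorted(peers.items()):
        print(pid, p["endpoint"], "last_rx", p["last_rx"], "last_tx", p["last_tx"])
    print("no inbound traffic:", stale_peers(peers, now))
```

On a live box, feed it `dmesg -T | grep wireguard:` instead of the sample; the "no inbound traffic" list is the set of peers to start the tcpdump comparison on.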
Problems
Problem 1
ubuntu_wireguard behind NAT cannot complete the handshake with the Alibaba Cloud VPS
Investigation
1. On the WG device in the office LAN, trace whether the packets are actually leaving the box. 20001 is the WG service port:
   tcpdump -i wlan0 port 20001 -tnn
2. On the Alibaba Cloud VPS. 20001 is the WG service port; 180.169.232.XXX is the public IP the office WG device has after NAT:
   tcpdump -i eth0 host 180.169.232.XXX and port 20001 -tnnX

Result: according to tcpdump, the office WG device really does send the packets out, but tcpdump on the Alibaba Cloud VPS captures none of them.
Having confirmed that tcpdump itself works on both ends, the verdict: some device between the office WG device and Alibaba Cloud is dropping the WG handshake packets.

Confirmation: keep capturing on the Alibaba Cloud VPS
   tcpdump -i eth0 host 180.169.232.XXX and port 20001 -tnnX
and send packets from the office WG device with nc
   nc -u VPS_IP 20001
Surprisingly, the VPS does capture the packets sent with nc from the office WG device.
That was the light-bulb moment: nc sends from a fresh ephemeral source port, whereas WireGuard was sending from its fixed ListenPort 5739. Change the source port on the office WG device and the problem is solved.

Fix: comment out ListenPort. Without it WireGuard binds a random port each time the interface comes up, which is fine for a client behind NAT: it has to initiate anyway and keeps the NAT mapping alive with PersistentKeepalive.

```ini
root@localhost:~# cat /etc/wireguard/VPN.conf
# echo 1 > /proc/sys/net/ipv4/ip_forward
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 192.168.175.xxx/24
PostUp = iptables -A FORWARD -i VPN -j ACCEPT; iptables -A FORWARD -o VPN -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i VPN -j ACCEPT; iptables -D FORWARD -o VPN -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE
PostUp = iptables -A FORWARD -i VPN -j ACCEPT; iptables -A FORWARD -o VPN -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i VPN -j ACCEPT; iptables -D FORWARD -o VPN -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
#ListenPort = 5739
MTU = 1420

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 192.168.XXX.0/24
Endpoint = XXXX.XXXXXXX.XXXX:20001
PersistentKeepalive = 25
```

Note that the FORWARD rules above accept all traffic in both directions through the VPN interface; on a box that also masquerades, narrow them to the subnets that actually need to be reachable.
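The decisive observation above was that a datagram from an ephemeral source port got through while WireGuard's fixed source port 5739 did not. The following is an added example (not from the original post) that makes that comparison repeatable: it sends one UDP probe from a chosen source port and one from a kernel-picked ephemeral port, the Python equivalent of `nc -u -p 5739 VPS_IP 20001` versus `nc -u VPS_IP 20001` (with an nc that supports `-p`). Against a real WireGuard server no reply ever comes back, because WireGuard silently drops anything that is not a valid WireGuard message, so there you read the result from tcpdump on the server and the `arrived` flag stays False; the echo responder in the block is a constructed stand-in for that server-side capture so the example runs offline on 127.0.0.1. Host, ports and the probe payload are assumptions.

```python
"""UDP path probe: does a datagram from a *specific* source port reach the server?"""
import socket
import threading

PROBE_PAYLOAD = b"wg-path-probe"  # ASCII marker that is easy to spot in `tcpdump -X` on the server


def send_udp_probe(dst_host, dst_port, src_port=0, payload=PROBE_PAYLOAD, timeout=1.0):
    """Send one datagram from src_port (0 = kernel-chosen ephemeral port, which is
    what plain `nc -u` does) and wait up to `timeout` seconds for a reply.
    Returns (source port actually used, reply bytes or None)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", src_port))          # pin the source port, as a fixed ListenPort would
    sock.settimeout(timeout)
    try:
        sock.sendto(payload, (dst_host, dst_port))
        used_port = sock.getsockname()[1]
        try:
            reply, _ = sock.recvfrom(2048)
        except socket.timeout:
            # Nothing came back: dropped on the path, or the receiver simply does not
            # answer (a WireGuard server never answers a non-WireGuard datagram).
            reply = None
    finally:
        sock.close()
    return used_port, reply


def compare_source_ports(dst_host, dst_port, fixed_port):
    """Repeat the check from the write-up: one probe from the fixed WireGuard
    ListenPort, one from an ephemeral port. If only the second one arrives,
    something on the path is dropping (or holds a stale mapping for) the fixed port."""
    results = {}
    for label, sport in (("fixed", fixed_port), ("ephemeral", 0)):
        used, reply = send_udp_probe(dst_host, dst_port, sport)
        results[label] = {"src_port": used, "arrived": reply == PROBE_PAYLOAD}
    return results


def start_echo_responder(host="127.0.0.1"):
    """Constructed stand-in for tcpdump on the server: echoes each datagram back so
    the client can tell that it arrived. Returns (socket, port); close the socket to stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    port = srv.getsockname()[1]

    def loop():
        while True:
            try:
                data, addr = srv.recvfrom(2048)
            except OSError:              # socket closed by the caller
                return
            srv.sendto(data, addr)

    threading.Thread(target=loop, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    srv, port = start_echo_responder()
    print(compare_source_ports("127.0.0.1", port, 5739))
    srv.close()
```

Against the VPS, run `compare_source_ports("VPS_IP", 20001, 5739)` on the office WG device while `tcpdump -i eth0 udp port 20001 -tnnX` runs on the server: the payload marker tells the two probes apart in the capture, and a capture that shows only the ephemeral-port datagram reproduces the finding above.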
2022.06.24 update
Fixing the NAT timeout problem
Each [Peer] on the server side also needs PersistentKeepalive = 25.
With keepalives coming from the client only, the NAT sees one-way UDP traffic, and stateful NATs commonly give such a mapping a shorter idle timeout than one with traffic in both directions (Linux conntrack, for example, uses nf_conntrack_udp_timeout for a one-way UDP entry and the longer nf_conntrack_udp_timeout_stream once it has seen replies). Keepalives from the server as well keep the mapping in the longer-lived state.