问完这个问题后,我得到了一个wireguard vpn 设置,它将所有流量从我的本地局域网转发到远程服务器。从wireguard 客户端主机连接很快。但是,来自局域网上的客户端的连接要慢得多,并且会断开很多连接。Traceroutes 显示客户端和 LAN 客户端都通过 VPN 连接并正确退出
在wireguard客户端主机上,我得到一个糟糕的ping,但速度不错
curl -s https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py | python -
Retrieving speedtest.net configuration...
Testing from Spectrum (68.187.109.97)...
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by Bertram Communications (Iron Ridge, WI) [185.33 km]: 598.9 ms
Testing download speed................................................................................
Download: 4.65 Mbit/s
Testing upload speed................................................................................................
Upload: 4.97 Mbit/s
但是这段代码只是挂在局域网客户端上,它甚至无法下载运行所需的脚本。一些简单的网站将加载,但任何实质性的超时。
我该如何开始调试呢?我的第一个问题是我的 iptables 规则可能配置错误
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether b8:27:eb:84:56:f5 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.104/24 brd 192.168.1.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:fe84:56f5/64 scope link
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b8:27:eb:d1:03:a0 brd ff:ff:ff:ff:ff:ff
4: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether b8:27:eb:84:56:f5 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.1/24 brd 10.0.0.255 scope global noprefixroute eth0.2
valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:fe84:56f5/64 scope link
valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1120 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 192.168.99.17/24 scope global wg0
valid_lft forever preferred_lft forever
# ip -4 route show table all
default dev wg0 table 51820 scope link
default via 192.168.1.1 dev eth0 src 192.168.1.104 metric 202 mtu 1200
10.0.0.0/24 dev eth0.2 proto dhcp scope link src 10.0.0.1 metric 204 mtu 1200
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.104 metric 202 mtu 1200
192.168.99.0/24 dev wg0 proto kernel scope link src 192.168.99.17
broadcast 10.0.0.0 dev eth0.2 table local proto kernel scope link src 10.0.0.1
local 10.0.0.1 dev eth0.2 table local proto kernel scope host src 10.0.0.1
broadcast 10.0.0.255 dev eth0.2 table local proto kernel scope link src 10.0.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.104
local 192.168.1.104 dev eth0 table local proto kernel scope host src 192.168.1.104
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.104
broadcast 192.168.99.0 dev wg0 table local proto kernel scope link src 192.168.99.17
local 192.168.99.17 dev wg0 table local proto kernel scope host src 192.168.99.17
broadcast 192.168.99.255 dev wg0 table local proto kernel scope link src 192.168.99.17
# ip -4 rule show
0: from all lookup local
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
32766: from all lookup main
32767: from all lookup default
# ip -6 route show table all
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::ba27:ebff:fe84:56f5 dev eth0.2 table local proto kernel metric 0 pref medium
local fe80::ba27:ebff:fe84:56f5 dev eth0 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth0.2 table local metric 256 pref medium
# ip -6 rule show
0: from all lookup local
32766: from all lookup main
# wg
interface: wg0
public key: XR9UASLZXCjRZKa9MnmBxebfP6jxfBaaQOa5BJEFsX8=
private key: (hidden)
listening port: 48767
fwmark: 0xca6c
peer: M37O/lE0ZWZ0uzYVGu17ZAZmdbnLyd5RuiAVvF/bqwE=
endpoint: 68.187.109.97:51820
allowed ips: 0.0.0.0/0
latest handshake: 2 minutes, 20 seconds ago
transfer: 2.42 MiB received, 8.45 MiB sent
# ip netconf
inet lo forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet eth0 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet wlan0 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet eth0.2 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet wg0 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet all forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet default forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet6 lo forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet6 eth0 forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet6 wlan0 forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet6 eth0.2 forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet6 all forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
inet6 default forwarding off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
# iptables-save
# Generated by xtables-save v1.8.2 on Thu Apr 2 19:11:02 2020
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.99.17/32 ! -i wg0 -m addrtype ! --src-type LOCAL -m comment --comment "wg-quick(8) rule for wg0" -j DROP
COMMIT
# Completed on Thu Apr 2 19:11:02 2020
# Generated by xtables-save v1.8.2 on Thu Apr 2 19:11:02 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A POSTROUTING -p udp -m mark --mark 0xca6c -m comment --comment "wg-quick(8) rule for wg0" -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Thu Apr 2 19:11:02 2020
# Generated by xtables-save v1.8.2 on Thu Apr 2 19:11:02 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wg0 -o eth0.2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0.2 -o wg0 -j ACCEPT
COMMIT
# Completed on Thu Apr 2 19:11:02 2020
# Generated by xtables-save v1.8.2 on Thu Apr 2 19:11:02 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o wg0 -j MASQUERADE
COMMIT
# Completed on Thu Apr 2 19:11:02 2020
WireGuard 的默认 MTU 为 1420,而其他设备的通常大小为 1492 或 1500。
这将导致任何认为它正在向 WireGuard 发送完整数据包的设备实际上发送多个 WireGuard 数据包,因为数据包将被分成两个,第二个几乎是空的。
由于 TCP/IP 中的主要因素是数据包的数量,因为每个都需要同步和确认,这将减慢所有通信。
解决方案是将 WireGuard 设置为与网络其余部分相同的 MTU 大小。
有关更多信息,请参阅:
对我来说,我不得不将我的 MTU 设置得更低(至 1400)。
我使用的命令是:
此外,如果您想检查您是否有 MTU 错误并且您通过双栈连接 (= IPv4 + IPv6) 连接使用 IPv6 而不是 IPv4,那么 - 如果其 MTU 相关 - 问题不应该再出现。