First, I'm not fully versed in networking or server administration, so if this seems simple to some of you, please bear with me.
I set up a WireGuard instance on a VPS running Debian. I intend to use it to protect my internet privacy, because the options currently available to me are not enough.
I've tried several times to get WireGuard working properly, but failed every time because my client devices can't connect to the internet. I can connect to the server fine, WireGuard shows the client as connected, and whenever I'm connected I'm able to SSH into the server from the client device without trouble. I tried adding DNS, specifically Google's DNS (8.8.8.8, 8.8.4.4), but that didn't help either. After setting the DNS I couldn't even ping it.
Here are my current server and client configs:
Client:
[Interface]
PrivateKey = [redacted]
Address = 10.0.0.2/32
[Peer]
PublicKey = [redacted]
Endpoint = [redacted]:51820
AllowedIPs = 0.0.0.0/0
Server:
[Interface]
PrivateKey = [redacted]
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = [redacted]
AllowedIPs = 10.0.0.2/32
Any help with this would be greatly appreciated; I've been racking my brain over it for a while.
Server routing table:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet [redacted]/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether [redacted] brd ff:ff:ff:ff:ff:ff
inet [redacted]/25 brd [redacted] scope global dynamic enp1s0
valid_lft 73624sec preferred_lft 73624sec
inet6 [redacted]/64 scope link
valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.1/24 scope global wg0
valid_lft forever preferred_lft forever
Server iptables output:
Chain INPUT (policy DROP 989 packets, 54363 bytes)
pkts bytes target prot opt in out source destination
630K 320M ufw-before-logging-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
630K 320M ufw-before-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
213K 12M ufw-after-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
212K 12M ufw-after-logging-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
212K 12M ufw-reject-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
212K 12M ufw-track-input 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 5286 packets, 1038K bytes)
pkts bytes target prot opt in out source destination
7518 1184K ufw-before-logging-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
7518 1184K ufw-before-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
5286 1038K ufw-after-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
5286 1038K ufw-after-logging-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
5286 1038K ufw-reject-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0
5286 1038K ufw-track-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 225 packets, 20892 bytes)
pkts bytes target prot opt in out source destination
370K 75M ufw-before-logging-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
370K 75M ufw-before-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
3564 350K ufw-after-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
3564 350K ufw-after-logging-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
3564 350K ufw-reject-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
3564 350K ufw-track-output 0 -- * * 0.0.0.0/0 0.0.0.0/0
363 36318 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
2 84 ufw-skip-to-policy-input 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
6 308 ufw-skip-to-policy-input 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
4 8908 ufw-skip-to-policy-input 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
327 46259 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
219 11136 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
1927 126K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
305 19540 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
5286 1038K ufw-user-forward 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
211K 188M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
56 19597 ufw-logging-deny 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
56 19597 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
11 626 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
20848 1252K ufw-not-local 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 17 -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT 17 -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
20848 1252K ufw-user-input 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * lo 0.0.0.0/0 0.0.0.0/0
193K 42M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1960 219K ufw-user-output 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
56 19597 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
20844 1243K RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
4 8908 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
12 9300 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
10 600 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
1362 162K ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW

Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
19757 1175K ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
90 13764 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820

Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT 0 -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Following user Davidgo's suggestion, adding iptables -t nat -A POSTROUTING -o [YOUR ETHERNET INTERFACE] -j MASQUERADE (enp1s0 is the interface in my case) and adding iptables -I FORWARD -j ACCEPT fixed the problem temporarily. After the server reboots, these changes are reverted. I'll try to look into how to add these rules permanently.
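As an added example (not code from the original post, and not WireGuard's own tooling), the POSIX shell script below generates a wg-quick server config whose PostUp/PostDown hooks re-create the two rules from the post every time wg0 comes up, so a reboot cannot lose them: wg-quick runs the hooks itself and substitutes %i with the interface name. It assumes the egress interface is enp1s0, the tunnel subnet is 10.0.0.0/24 on wg0, and it uses placeholder strings for the keys (none of which the post states). It also narrows the rules: forwarding is allowed only for packets entering or leaving the tunnel interface rather than the post's blanket iptables -I FORWARD -j ACCEPT, and MASQUERADE is limited to the tunnel subnet, so the VPS does not become a general-purpose router.

```shell
#!/bin/sh
# gen-wg0.sh: added example (not from the original post or from WireGuard itself).
# Renders a wg-quick server config whose PostUp/PostDown hooks add and remove the
# forwarding + NAT rules, so they are recreated every time wg0 comes up, reboot included.
#
# Assumptions (none of these appear in the post): tunnel subnet 10.0.0.0/24 on wg0,
# egress interface enp1s0, placeholder key strings to be replaced with real ones.

WG_SUBNET="10.0.0.0/24"

# Print the iptables commands for one hook on a single line.
#   $1 = add | del   (add -> -I/-A, del -> -D, so PostDown exactly undoes PostUp)
#   $2 = egress interface that carries the VPS public address
# %i is left literal: wg-quick substitutes the interface name when it runs the hook.
wg_fw_rules() {
    case "$1" in
        add) fwd='-I'; nat='-A' ;;
        del) fwd='-D'; nat='-D' ;;
        *)   echo "usage: wg_fw_rules add|del WAN_IF" >&2; return 2 ;;
    esac
    # Forward only packets entering or leaving the tunnel, not a blanket FORWARD ACCEPT
    # (ufw's FORWARD policy on this host is DROP, so nothing else becomes forwardable).
    printf 'iptables %s FORWARD -i %%i -j ACCEPT; ' "$fwd"
    printf 'iptables %s FORWARD -o %%i -j ACCEPT; ' "$fwd"
    # Source-NAT tunnel clients behind the public address, and only the tunnel subnet.
    printf 'iptables -t nat %s POSTROUTING -s %s -o %s -j MASQUERADE\n' "$nat" "$WG_SUBNET" "$2"
}

# Render the whole server config.
#   $1 = egress interface  $2 = server private key  $3 = client public key  $4 = client tunnel address
render_wg_server_conf() {
    wan="$1"
    cat <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = $2
PostUp = $(wg_fw_rules add "$wan")
PostDown = $(wg_fw_rules del "$wan")

[Peer]
PublicKey = $3
AllowedIPs = $4
EOF
}

# Returns 0 when the kernel is already forwarding IPv4. Without this, packets from the
# tunnel never reach the FORWARD chain, and no iptables rule can help.
ip_forward_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

# Usage: sh gen-wg0.sh > /etc/wireguard/wg0.conf   (after replacing the placeholders)
render_wg_server_conf enp1s0 '<server private key>' '<client public key>' 10.0.0.2/32
# /etc/sysctl.d/99-wireguard.conf is an assumed file name; any sysctl.d file works.
ip_forward_enabled || echo 'note: net.ipv4.ip_forward is not 1; persist it in /etc/sysctl.d/99-wireguard.conf' >&2
```

After writing the config, systemctl enable --now wg-quick@wg0 makes the tunnel (and therefore the hooks) start at boot. Two things remain outside the hooks' reach: net.ipv4.ip_forward=1 must be persisted in sysctl (on a ufw host, /etc/ufw/sysctl.conf is the conventional place), and ufw rebuilds the firewall from scratch on ufw disable or ufw reload, so restart wg-quick@wg0 after either. If you would rather keep everything inside ufw, ufw route allow in on wg0 out on enp1s0 replaces the two FORWARD rules and the MASQUERADE rule goes in a *nat block at the top of /etc/ufw/before.rules. On the client, DNS = 8.8.8.8 belongs in the [Interface] section; with AllowedIPs = 0.0.0.0/0 those DNS queries also travel through the tunnel, which is why pinging the resolver failed until forwarding and NAT were in place.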