Почему этот маршрут Wireguard не работает?

Я установил три узла Wireguard - a, b и c (Vagrantfile ниже). Оба b и c подключаются к a и могут пропинговать a через туннель Wireguard. Но b и c не могут пинговать друг друга - почему?

Vagrant.configure("2") do |config|
  [
    {
      name: "a",
      wgcfg: <<-WGCFG
[Interface]
PrivateKey=gCQW9uFhkiFwXAOfVINXm+BF4s8fZcTWAfxJboAg01I=
ListenPort=50031
Address=192.168.234.65/26

[Peer]
PublicKey=5T5HdEaGxtDLCoC4QTb3B1e0suer4IadTEwWZ5Je7w0=
AllowedIPs=192.168.234.0/26
PersistentKeepalive=25

[Peer]
PublicKey=1nYwoKaMswzdiM/2UNDDJf/DRX5m/6M27dLMOeqaxwk=
AllowedIPs=192.168.234.0/26
PersistentKeepalive=25
WGCFG
    },
    {
      name: "b",
      wgcfg: <<-WGCFG
[Interface]
PrivateKey=KFsOZmkbHUmPNQmjgWn4lJa/MiszGcAuFNJb8HSda2M=
Address=192.168.234.66/26

[Peer]
PublicKey=5U5KqwaEA3I9nMYAfVA6thA2XUwOUVU8Y4C8CzeRzVo=
Endpoint=172.28.128.3:50031
AllowedIPs=192.168.234.0/26
PersistentKeepalive=25
WGCFG
    },
    {
      name: "c",
      wgcfg: <<-WGCFG
[Interface]
PrivateKey=6Gl/ZbyOKJHhQUSLaMrShU/ukNfvvDdiwz1a7t45Q3I=
Address=192.168.234.67/26

[Peer]
PublicKey=5U5KqwaEA3I9nMYAfVA6thA2XUwOUVU8Y4C8CzeRzVo=
Endpoint=172.28.128.3:50031
AllowedIPs=192.168.234.0/26
PersistentKeepalive=25
WGCFG
    }
  ].each do |specs|
    config.vm.define specs[:name] do |config|
      config.vm.box = "ubuntu/bionic64"
      config.vm.network "private_network", type: "dhcp"

      config.vm.provider "virtualbox" do |vb|
        vb.memory = "1024"
      end

      config.vm.provision "shell", inline: <<-SHELL
sudo add-apt-repository -y ppa:wireguard/wireguard
sudo bash -c 'DEBIAN_FRONTEND=noninteractive apt-get -y install wireguard tshark'
sudo bash -exo pipefail -c 'cat <<<"$0" >/etc/wireguard/wg1.conf' '#{specs[:wgcfg]}'
sudo systemctl enable [email protected]
sudo systemctl restart [email protected]
sudo bash -exo pipefail -c 'cat <<<'net.ipv4.ip_forward=1' >/etc/sysctl.d/99-router.conf'
sudo sysctl -w net.ipv4.ip_forward=1
SHELL
    end
  end
end

1 ответ

Решение

Сделайте одну /30 подсетей для ab и одну для ac. Включите подсеть ab в AllowedIPs на c и подсеть ac в AllowedIPs на b. То есть:

Vagrant.configure("2") do |config|
  [
    {
      name: "a",
      wgcfgs: [
        {
      nic: "wg0",
      cfg: <<-WGCFG
[Interface]
PrivateKey=gCQW9uFhkiFwXAOfVINXm+BF4s8fZcTWAfxJboAg01I=
ListenPort=50031
Address=192.168.234.65/30

[Peer]
PublicKey=5T5HdEaGxtDLCoC4QTb3B1e0suer4IadTEwWZ5Je7w0=
AllowedIPs=192.168.234.66/32
PersistentKeepalive=25
WGCFG
    },
        {
      nic: "wg1",
      cfg: <<-WGCFG
[Interface]
PrivateKey=gCQW9uFhkiFwXAOfVINXm+BF4s8fZcTWAfxJboAg01I=
ListenPort=50032
Address=192.168.234.69/30

[Peer]
PublicKey=1nYwoKaMswzdiM/2UNDDJf/DRX5m/6M27dLMOeqaxwk=
AllowedIPs=192.168.234.70/32
PersistentKeepalive=25
WGCFG
    }
      ]
    },
    {
      name: "b",
      wgcfgs: [
        {
      nic: "wg0",
      cfg: <<-WGCFG
[Interface]
PrivateKey=KFsOZmkbHUmPNQmjgWn4lJa/MiszGcAuFNJb8HSda2M=
Address=192.168.234.66/30

[Peer]
PublicKey=5U5KqwaEA3I9nMYAfVA6thA2XUwOUVU8Y4C8CzeRzVo=
Endpoint=172.28.128.3:50031
AllowedIPs=192.168.234.65/32, 192.168.234.68/30
PersistentKeepalive=25
WGCFG
    }
      ]
    },
    {
      name: "c",
      wgcfgs: [
        {
      nic: "wg0",
      cfg: <<-WGCFG
[Interface]
PrivateKey=6Gl/ZbyOKJHhQUSLaMrShU/ukNfvvDdiwz1a7t45Q3I=
Address=192.168.234.70/30

[Peer]
PublicKey=5U5KqwaEA3I9nMYAfVA6thA2XUwOUVU8Y4C8CzeRzVo=
Endpoint=172.28.128.3:50032
AllowedIPs=192.168.234.69/32, 192.168.234.64/30
PersistentKeepalive=25
WGCFG
    }
      ]
    }
  ].each do |specs|
    config.vm.define specs[:name] do |config|
      config.vm.box = "ubuntu/bionic64"
      config.vm.network "private_network", type: "dhcp"

      config.vm.provider "virtualbox" do |vb|
        vb.memory = "1024"
      end

      config.vm.provision "shell", inline: <<-SHELL
sudo add-apt-repository -y ppa:wireguard/wireguard
sudo bash -c 'DEBIAN_FRONTEND=noninteractive apt-get -y install wireguard'
sudo bash -exo pipefail -c 'cat <<<'net.ipv4.ip_forward=1' >/etc/sysctl.d/99-router.conf'
sudo sysctl -w net.ipv4.ip_forward=1

#{specs[:wgcfgs].map{|wgcfg|<<-WG
sudo bash -exo pipefail -c 'cat <<<"$0" >/etc/wireguard/#{wgcfg[:nic]}.conf' '#{wgcfg[:cfg]}'
sudo systemctl enable wg-quick@#{wgcfg[:nic]}.service
sudo systemctl restart wg-quick@#{wgcfg[:nic]}.service
WG
}.join}
SHELL
    end
  end
end
Другие вопросы по тегам