@Tiamon

WireGuard: no ping from client to server, Destination Host Unreachable, why?

I can't figure out the problem myself; I seem to have tried everything.

Server is a VM on hetzner.cloud, Ubuntu Server 20
WireGuard
/etc/wireguard/wg0.conf

[Interface]
Address = 192.168.2.0/24
ListenPort = 51820
PrivateKey = ***
[Peer]
PublicKey = ***
AllowedIPs = 192.168.2.5/32


Network

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 95.****  netmask 255.255.255.255  broadcast 95.217.216.27
        inet6 ****  prefixlen 64  scopeid 0x0<global>
        inet6 f****  prefixlen 64  scopeid 0x20<link>
        ether ****  txqueuelen 1000  (Ethernet)
        RX packets 2628633  bytes 267355939 (267.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2868851  bytes 2423794900 (2.4 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 95.****  netmask 255.255.255.255  broadcast 0.0.0.0
        ether ****  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 143389020  bytes 300907498907 (300.9 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 143389020  bytes 300907498907 (300.9 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1360
        inet 192.168.2.0  netmask 255.255.255.0  destination 192.168.2.0
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 25  bytes 1264 (1.2 KB)
        RX errors 0  dropped 7  overruns 0  frame 0
        TX packets 11  bytes 1376 (1.3 KB)
        TX errors 7  dropped 0 overruns 0  carrier 0  collisions 0


Routes

routel
         target            gateway          source    proto    scope    dev tbl
        default         172.31.1.1                                     eth0
     172.31.1.1                                                 link   eth0
   192.168.2.0/ 24                     192.168.2.0   kernel     link    wg0
   95.**8              local    95.**8   kernel     host   eth0 local
  95.**7              local   95.**7   kernel     host   eth0 local
  95.**7          broadcast   95.**7   kernel     link   eth0 local
      127.0.0.0          broadcast       127.0.0.1   kernel     link     lo local
     127.0.0.0/ 8            local       127.0.0.1   kernel     host     lo local
      127.0.0.1              local       127.0.0.1   kernel     host     lo local
127.255.255.255          broadcast       127.0.0.1   kernel     link     lo local
    192.168.2.0              local     192.168.2.0   kernel     host    wg0 local
    192.168.2.0          broadcast     192.168.2.0   kernel     link    wg0 local
  192.168.2.255          broadcast     192.168.2.0   kernel     link    wg0 local
            ::1              local                   kernel              lo
2**4::/ 64                                   kernel            eth0
        fe80::/ 64                                   kernel            eth0
        default            fe80::1                                     eth0
            ::1              local                   kernel              lo local
2**4::1              local                   kernel            eth0 local
fe**c              local                   kernel            eth0 local
        ff00::/ 8                                                      eth0 local
        ff00::/ 8


IPTables

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# 
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
#
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
#
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 2.****.2 -j ACCEPT
#
-A INPUT -p tcp -m tcp --dport 51820 -j ACCEPT
#
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
#
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
COMMIT
#



The client is more complicated: it is the home network router, on Ubuntu Server 20

WireGuard

[Interface]
PrivateKey = ****
Address = 192.168.2.5/32

[Peer]
PublicKey = *****
Endpoint = 95.****7:51820
AllowedIPs = 192.168.2.0/24
PersistentKeepalive = 20


Network

enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.*.*.*  netmask 255.255.255.192  broadcast 10.*.*.255
        inet6 fe80::***3  prefixlen 64  scopeid 0x20<link>
        ether ****  txqueuelen 1000  (Ethernet)
        RX packets 19271715  bytes 11632872490 (11.6 GB)
        RX errors 0  dropped 14715  overruns 0  frame 0
        TX packets 34385445  bytes 22939419548 (22.9 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enxd03745808a81: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::d237:45ff:fe80:8a81  prefixlen 64  scopeid 0x20<link>
        ether d0:37:45:80:8a:81  txqueuelen 1000  (Ethernet)
        RX packets 3479852  bytes 447509307 (447.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5774541  bytes 6861799687 (6.8 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 113657  bytes 13774350 (13.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 113657  bytes 13774350 (13.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1456
        inet 2***2  netmask 255.255.255.255  destination 1***7
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 15995507  bytes 10613692732 (10.6 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 34373520  bytes 21151140776 (21.1 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1376
        inet 192.168.2.5  netmask 255.255.255.255  destination 192.168.2.5
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 18  bytes 2020 (2.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 89  bytes 4796 (4.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


enxd03745808a81 faces the local network
enp2s0 faces the ISP
the internet connection goes through the L2TP interface ppp0

Network settings

# This is the network config written by 'subiquit
network:
  ethernets:
    enp2s0:
      addresses:
      - 10.*.*.*/26
      gateway4: 10.*.*.*
      dhcp4: false
      nameservers:
        addresses:
        - *.*.*.*
        - *.*.*.*
      routes:
        - to: 192.168.149.0/24
          via: 10.*.*.*
    enxd03745808a81:
      addresses:
      - 192.168.1.1/24
      dhcp4: false
      nameservers:
        addresses:
        - 8.8.8.8
        - 8.8.4.4
        search: [home]
  version: 2



Continued in a comment; it did not fit in the post because of the length limit

ip_forward is enabled on both machines

The client pings fine from the server; pinging the server from the client:

# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
From 192.168.2.0 icmp_seq=1 Destination Host Unreachable
From 192.168.2.0 icmp_seq=2 Destination Host Unreachable
From 192.168.2.0 icmp_seq=3 Destination Host Unreachable
From 192.168.2.0 icmp_seq=4 Destination Host Unreachable
^C
--- 192.168.2.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3004ms


For four days I have not been able to sort out this nonsense; I feel like I've tried everything. My eyes have probably glazed over, so I'm hoping for your help.
  • Question asked
  • 4963 views
Solutions to the question: 1
@Tiamon Question author
Figured it out myself
The error was in the server config
Was:
[Interface]
Address = 192.168.2.0/24

Should be:
[Interface]
Address = 192.168.2.1/24

And the nat table should have:
-A POSTROUTING -s 192.168.1.0/24 -o ppp+ -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o wg+ -j MASQUERADE

or
-A POSTROUTING -s 192.168.1.0/24 -o ppp+ -j SNAT --to-source 2***2
-A POSTROUTING -s 192.168.1.0/24 -o wg+ -j SNAT --to-source "the client's local address, in my case 192.168.2.5"
Answer written
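An added check, not part of the question or the answer above: a small Python script (the names parse_wg_conf and check_wg_conf are assumptions) that parses a wg-quick config and flags an Interface Address whose host part is the subnet's network or broadcast address, which is exactly the server-side mistake the accepted answer found. The sample config is constructed from the server's wg0.conf in the question, with keys redacted.

```python
import ipaddress

# Constructed sample: the server's original wg0.conf from the question (keys redacted).
BROKEN_CONF = """\
[Interface]
Address = 192.168.2.0/24
ListenPort = 51820
PrivateKey = ***
[Peer]
PublicKey = ***
AllowedIPs = 192.168.2.5/32
"""
# The corrected version from the accepted answer: host address .1 instead of .0.
FIXED_CONF = BROKEN_CONF.replace("Address = 192.168.2.0/24", "Address = 192.168.2.1/24")


def parse_wg_conf(text):
    """Minimal parser for the INI-like wg-quick format: returns (interface, [peers])."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers


def check_wg_conf(text):
    """Return a list of addressing problems; an empty list means the Address looks sane."""
    interface, _peers = parse_wg_conf(text)
    problems = []
    for addr in interface.get("Address", "").split(","):
        addr = addr.strip()
        if not addr:
            continue
        iface = ipaddress.ip_interface(addr)
        net = iface.network
        # A subnet whose host part is the network (.0) or broadcast (.255) address
        # gives the tunnel no usable host address; that is what produced
        # "From 192.168.2.0 ... Destination Host Unreachable" in the question.
        # /31 and /32 have no separate network/broadcast address, so skip them.
        if net.num_addresses > 2 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"Address {addr}: host part is the network/broadcast address")
    return problems
```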