But the first form shows up in the routing table (`ip route`, not iptables) as a single `default dev wg1`, while the second form shows up as two entries, `0.0.0.0/1 dev wg1` and `128.0.0.0/1 dev wg1`.
Route lookup follows longest-prefix matching. If the table already contains a `default dev eth0`, the first form adds a second /0 route that merely ties with it, so which of the two wins depends on metric and table order rather than on what you intended, and the result is confusing. The second form's two /1 routes are more specific than any /0 route, so they always take precedence and shadow the original default rule without having to remove it.
Routing table after the first form (on a MacBook):

```
> ip route
default via link#18 dev utun3
default via 192.168.233.1 dev en0
10.0.233.5/32 via 10.0.233.5 dev utun3
224.0.0.0/4 dev utun3 scope link
224.0.0.0/4 dev en0 scope link
255.255.255.255/32 dev utun3 scope link
255.255.255.255/32 dev en0 scope link
```
Routing table after the second form:

```
> ip route
0.0.0.0/1 dev utun3 scope link
default via 192.168.233.1 dev en0
default via link#18 dev utun3
10.0.233.5/32 via 10.0.233.5 dev utun3
128.0.0.0/1 dev utun3 scope link
224.0.0.0/4 dev en0 scope link
224.0.0.0/4 dev utun3 scope link
255.255.255.255/32 dev en0 scope link
255.255.255.255/32 dev utun3 scope link
```

```
> ip route
1.0.0.0/8 via 198.18.0.1 dev utun3
2.0.0.0/7 via 198.18.0.1 dev utun3
4.0.0.0/6 via 198.18.0.1 dev utun3
8.0.0.0/5 via 198.18.0.1 dev utun3
16.0.0.0/4 via 198.18.0.1 dev utun3
32.0.0.0/3 via 198.18.0.1 dev utun3
64.0.0.0/2 via 198.18.0.1 dev utun3
128.0.0.0/1 via 198.18.0.1 dev utun3   # the entries above catch every destination (except 0.0.0.0/8) and hand it to 198.18.0.1
198.18.0.1/32 via 198.18.0.1 dev utun3 # 198.18.0.1 itself is matched here by longest-prefix match
```
There is obviously a proxy routing loop here; how to solve it???

```
shaojiemike@shaojiemikedeMacBook-Air ~/github/hugoMinos (main*) [10:59:32]
> ip route get 198.18.0.42
198.18.0.42 via 198.18.0.1 dev utun3 src 198.18.0.1
shaojiemike@shaojiemikedeMacBook-Air ~/github/hugoMinos (main*) [10:59:38]
> ip route get 198.18.0.1
198.18.0.1 dev utun3 src 198.18.0.1
```

The second lookup is the useful check: the gateway 198.18.0.1 resolves to a host route on utun3 with no `via`, i.e. it is treated as directly reachable on the tunnel interface, so the gateway resolution ends there instead of recursing.
WireGuard environment setup

wireguard-go is the userspace implementation, used on the client (macOS): bring the tunnel up with `wg-quick up <config>`. wireguard-tools provides the `wg` (and `wg-quick`) utilities, used on the server.
```
sh-4.4# ip ro
default via 222.195.90.254 dev eth0 src 222.195.90.2
10.0.233.0/24 dev wg1 proto kernel scope link src 10.0.233.3
222.195.90.0/24 dev eth0 proto kernel scope link src 222.195.90.2

sh-4.4# ip ro s t eth0-table
222.195.90.0/24 via 222.195.90.2 dev eth0

# the important entries
sh-4.4# ip rule
3:      from 222.195.90.2 lookup eth0-table   # replies to ping/ssh that arrived on 222.195.90.2 use this rule
32766:  from all lookup main                  # everything else, e.g. wg's 10.0.233.3, uses this rule

# 1. Give the local SSH address 222.195.90.2 on eth0 a higher-priority path, so bringing up wg does not drop SSH.
#    added with: ip ro add default via 222.195.90.254 dev eth0 table eth0-table
sh-4.4# ip route show table eth0-table
default via 222.195.90.254 dev eth0
222.195.90.0/24 via 222.195.90.2 dev eth0

# 2. To send everything except the local SSH network through wg, delete the DHCP default route that shadows wg
#    (do step 1 first: delete this too early and the machine loses SSH; re-plug the cable to let DHCP reconfigure).
#    added with: ip ro d default via 222.195.90.254 dev eth0 src 222.195.90.2 table main
# 3. So the NAS's wg client is not lost after the server restarts, keep the peer's endpoint network reachable via eth0;
#    otherwise the tunnel's own UDP packets would be routed into the tunnel.
#    added with: ip ro a 114.214.233.0/24 via 222.195.90.254 dev eth0 src 222.195.90.2 table main
# 4. Test: ping a domain name and confirm it works.

# Alternative: instead of deleting the DHCP default, put a wg default route in main ahead of it
#    added with: ip ro add default dev wg1 proto kernel scope link src 10.0.233.3 table main
sh-4.4# ip r s t main
default dev wg1 proto kernel scope link src 10.0.233.3
```

Two `default` routes have the same prefix length and tie on longest-prefix match; if you keep both, give the wg one an explicit lower `metric` so the preference does not depend on table order.
The same thing on node5:

```
# shaojiemike @ node5 in ~ [22:30:33]
$ ip rule
0:      from all lookup local
2:      from 202.38.73.217 lookup 1
32766:  from all lookup main
32767:  from all lookup default
# the rule can also be added by hand:
#   ip rule add from 202.38.73.217 table 1 pref 2
# or
#   ip rule add from 202.38.73.217 lookup 1 pref 2

$ ip route show table 1
default via 202.38.73.254 dev eno0 proto static
# the route can also be added with `ip route add`:
$ ip route add default via 202.38.73.254 dev eno0 proto static table 1
```
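The two ideas the notes rely on, longest-prefix matching and source-based `ip rule` lookup, are easy to get wrong by reasoning alone, so here is an added example (not code from these notes, and not how the kernel stores anything) that models both in plain Python. It reproduces the "second default vs. two /1 routes" comparison from the start of the page, the server tables after steps 1 to 3, and the source-address question from the next section. Addresses and interface names are the ones in the notes; the tie-break (lower metric, then table order) and the `Route`/`Rule` model are assumptions for illustration.

```python
"""Longest-prefix match, policy routing and source selection, simulated.

Added example, not code from the original notes or from iproute2.  The
route/rule model and its tie-break are an assumption for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[IPv4Address] = None   # gateway; None == on-link
    src: Optional[IPv4Address] = None   # preferred source ("src" hint)
    metric: int = 0


@dataclass(frozen=True)
class Rule:
    pref: int
    table: str
    frm: Optional[IPv4Network] = None   # None == "from all"


def lookup(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest prefix wins; ties go to the lower metric, then table order."""
    best = None
    for idx, r in enumerate(table):
        if dst in r.prefix:
            key = (r.prefix.prefixlen, -r.metric, -idx)
            if best is None or key > best[0]:
                best = (key, r)
    return best[1] if best else None


def route_packet(rules: List[Rule], tables: Dict[str, List[Route]],
                 src: Optional[IPv4Address], dst: IPv4Address
                 ) -> Tuple[Optional[Route], Optional[IPv4Address]]:
    """Walk the rules in pref order like `ip rule`.  src=None models a new,
    unbound socket: its source is not known yet, so `from X` rules cannot
    match it and the chosen route's src hint becomes the source address."""
    for rule in sorted(rules, key=lambda r: r.pref):
        if rule.frm is not None and (src is None or src not in rule.frm):
            continue
        hit = lookup(tables[rule.table], dst)
        if hit is not None:
            return hit, (hit.src if src is None else src)
    return None, None


N, A = IPv4Network, IPv4Address
ETH_DEFAULT = Route(N("0.0.0.0/0"), "eth0", via=A("222.195.90.254"),
                    src=A("222.195.90.2"))
CONNECTED = [
    Route(N("10.0.233.0/24"), "wg1", src=A("10.0.233.3")),
    Route(N("222.195.90.0/24"), "eth0", src=A("222.195.90.2")),
]


def split_vs_default(dst: str = "8.8.8.8") -> Tuple[str, str]:
    """A second `default dev wg1` only ties with the DHCP default (here the
    earlier entry wins); 0.0.0.0/1 + 128.0.0.0/1 are longer than /0 and win."""
    with_default = [ETH_DEFAULT] + CONNECTED + [Route(N("0.0.0.0/0"), "wg1")]
    with_split = [ETH_DEFAULT] + CONNECTED + [Route(N("0.0.0.0/1"), "wg1"),
                                              Route(N("128.0.0.0/1"), "wg1")]
    return lookup(with_default, A(dst)).dev, lookup(with_split, A(dst)).dev


def server_after_setup() -> Tuple[str, str, str, str]:
    """Tables and rules after steps 1-3 of the notes."""
    tables = {
        "main": CONNECTED + [
            # step 3: the NAS peer's endpoint network stays on eth0, so the
            # tunnel's own UDP packets are never sent into the tunnel
            Route(N("114.214.233.0/24"), "eth0", via=A("222.195.90.254"),
                  src=A("222.195.90.2")),
            # step 2: DHCP default removed; everything else enters wg1
            Route(N("0.0.0.0/0"), "wg1", src=A("10.0.233.3")),
        ],
        "eth0-table": CONNECTED[1:] + [ETH_DEFAULT],        # step 1
    }
    rules = [Rule(3, "eth0-table", frm=N("222.195.90.2/32")),
             Rule(32766, "main")]
    ssh_reply, _ = route_packet(rules, tables, A("222.195.90.2"), A("203.0.113.7"))
    new_flow, new_src = route_packet(rules, tables, None, A("203.0.113.7"))
    to_peer, _ = route_packet(rules, tables, None, A("114.214.233.9"))
    return ssh_reply.dev, new_flow.dev, str(new_src), to_peer.dev


if __name__ == "__main__":
    print(split_vs_default())     # ('eth0', 'wg1')
    print(server_after_setup())   # ('eth0', 'wg1', '10.0.233.3', 'eth0')
```

The third value returned by `server_after_setup()` is the answer to the source-address question below: a new flow that is not bound to an address inherits the `src` hint of the route that won the lookup, which is why traffic starts leaving with the tunnel address once the default route points into wg.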
Side question: isn't the source address of a network request simply our own address? How is it chosen?

After wg is up, the source address of requests becomes 10.0.33.2 instead of 202.38.73.217:

```
root@node5:/home/shaojiemike# ip ro
10.0.33.0/24 dev wg2 proto kernel scope link src 10.0.33.2
```

The kernel takes the source address from the `src` hint of the route that wins the lookup (falling back to the primary address of the outgoing interface), unless the socket was explicitly bound to an address. `ip route get <dst>` prints the address it would pick.
```yaml
# RESTful web API listening address
external-controller: 127.0.0.1:9090

# DNS server settings
# This section is optional. When not present, the DNS server will be disabled.
dns:
  enable: false
  listen: 0.0.0.0:53
  ipv6: false # when false, responses to AAAA questions will be empty

  # These nameservers are used to resolve the DNS nameserver hostnames below.
  # Only IP addresses are accepted here.
  default-nameserver:
    - 8.8.8.8

  # UDP, TCP, DoT and DoH are supported, with an optional port.
  # Every DNS query is forwarded to all of these servers without going through the proxy;
  # Clash keeps the fastest answer.
  nameserver:
    - https://223.5.5.5/dns-query   # Alibaba Cloud
    - https://doh.pub/dns-query     # Tencent Cloud
    - tls://dns.rubyfish.cn:853     # DNS over TLS
    - https://1.1.1.1/dns-query     # DNS over HTTPS
    - dhcp://en0                    # DNS servers learned from DHCP on en0

  # For every query the servers in fallback and nameserver are asked at the same time.
  # If the nameserver result is a non-Chinese IP (GeoIP country is not `CN`), the fallback result is used instead.
  # nameserver holds domestic servers, which may return poisoned answers for foreign domains;
  # fallback holds foreign servers, which keeps foreign domains safe from DNS poisoning.
  fallback:
    - https://162.159.36.1/dns-query
    - https://dns.google/dns-query
    - tls://8.8.8.8:853

  # Countermeasures against DNS poisoning
  fallback-filter:
    geoip: false # If geoip is true, when geoip matches geoip-code, clash will use nameserver results. Otherwise, Clash will only use fallback results.
    # geoip-code: CN
    ipcidr: # IPs in these subnets will be considered polluted, when nameserver results match these ip, clash will use fallback results.
      - 0.0.0.0/8
      - 10.0.0.0/8
      - 100.64.0.0/10
      - 127.0.0.0/8
      - 169.254.0.0/16
      - 172.16.0.0/12
      - 192.0.0.0/24
      - 192.0.2.0/24
      - 192.88.99.0/24
      - 192.168.0.0/16
      - 198.18.0.0/15
      - 198.51.100.0/24
      - 203.0.113.0/24
      - 224.0.0.0/4
      - 240.0.0.0/4
      - 255.255.255.255/32
    domain: # Domains in this list will be considered polluted, when lookup these domains, clash will use fallback results.
      - +.google.com
      - +.facebook.com
      - +.youtube.com
      - +.githubusercontent.com
```

Two things to check before copying this: as pasted, `enable: false` switches the whole DNS server off, so none of the settings below it take effect until it is `true`; and with `geoip: false` the "non-CN IP goes to fallback" behaviour described in the comments is not active, only the `ipcidr` and `domain` filters decide when the fallback answer replaces the nameserver answer.
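The `fallback-filter` rules are short but the order in which they apply matters, so here is an added example (plain Python, not Clash's own code) that models the decision for one query under the configuration above: the `domain` list forces the fallback answer, an `ipcidr` hit on the nameserver's answer does the same, and `geoip` is consulted only when enabled. The sample answers are constructed, and the `is_cn` callback stands in for the GeoIP database (an assumption; Clash ships a real one).

```python
"""Which answer survives Clash's fallback-filter?  Added example, not Clash code."""
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Callable, Optional, Tuple

# the lists from the config above
IPCIDR = [ip_network(c) for c in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32")]
DOMAINS = ["+.google.com", "+.facebook.com", "+.youtube.com", "+.githubusercontent.com"]


def domain_matches(pattern: str, name: str) -> bool:
    """`+.example.com` matches example.com itself and every subdomain of it;
    a pattern without `+.` must match exactly."""
    name = name.rstrip(".").lower()
    if pattern.startswith("+."):
        suffix = pattern[2:].lower()
        return name == suffix or name.endswith("." + suffix)
    return name == pattern.lower()


def is_polluted_ip(ip: IPv4Address) -> bool:
    """An answer inside any ipcidr entry (private, reserved, fake-ip range)
    is treated as a poisoned response."""
    return any(ip in net for net in IPCIDR)


def choose_answer(name: str, nameserver_ip: str, fallback_ip: str,
                  geoip: bool = False,
                  is_cn: Optional[Callable[[IPv4Address], bool]] = None
                  ) -> Tuple[str, str]:
    """Return (source, ip): which of the two simultaneous answers is kept.
    Both servers are always queried; the filters only pick the result."""
    if any(domain_matches(p, name) for p in DOMAINS):
        return "fallback", fallback_ip          # listed domain: nameserver never trusted
    ns = ip_address(nameserver_ip)
    if is_polluted_ip(ns):
        return "fallback", fallback_ip          # bogus answer from nameserver
    if geoip:
        # geoip on: only an answer located in CN is accepted from nameserver
        if is_cn is not None and is_cn(ns):
            return "nameserver", nameserver_ip
        return "fallback", fallback_ip
    return "nameserver", nameserver_ip          # geoip off: nameserver answer kept


if __name__ == "__main__":
    # constructed sample answers, not real lookups
    print(choose_answer("www.google.com", "93.184.216.34", "142.250.72.4"))
    print(choose_answer("example.cn", "10.1.2.3", "198.51.100.9"))
    print(choose_answer("example.cn", "1.2.3.4", "5.6.7.8"))
```

Note that with `geoip: false` an unlisted foreign domain whose nameserver answer is a public IP keeps the nameserver result even if the fallback server disagrees; the `domain` list is what covers the well-known poisoning targets in that mode.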