What are the correct "allowed IPs" on this site-to-site Wireguard link -- it should be obvious, but obviously not to me :_)
I've almost got it working, but not quite, and I've tried nearly everything except dark forces of magic. I have thought of another idea, but I didn't think crying would help.
It's a site-to-site link (happens to be two Mikrotik CHR routers). Looks something like this:
- 199.181.204.128/26-R2-Public InternetIP-R1--199.181.204.0/26---R1--Internet
The Wireguard link between R2 and R1 is up and I have a private IP space (192.168.89.0/30) between them. Both sites can ping. (192.168.89.1<->192.168.89.2). However, R2 can't seem to pass traffic the Private IP space to 199.181.204.128. No firewalls are active for testing.
It seems to be related to AllowedIPs but I have no idea how or why. What I think I'm supposed to do is:
R2 AllowedIPs = 199.181.204.128/26 -- Meaning pass all of this traffic
R1 AllowedIPs = 0.0.0.0/0 -- Pass everything if it gets there
What I really want is to say, just pass it, don't think about it like OpenVPN would do. Don't filter, just pass packets from one interface to another.
Can I turn this feature off and make Wireguard "dumb" or what do I put in this?
You must have a great sense of humor. The AllowedIPs means the destination network segment that the local end can access. For example, if R1 wants to access the address 192.168.1.1/32, it needs to add this IP address to the AllowedIPs of R1. The easiest way is to set both sides to 0.0.0.0/0
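The AllowedIPs behaviour discussed in the question and the answer above can be modelled directly. This is an added example, not code from either post or from RouterOS. It goes one step beyond the answer by modelling both halves of WireGuard's cryptokey routing: on send, AllowedIPs picks the peer by destination; on receive, it filters the decrypted packet by source. Which router holds which list is an assumption, and 199.181.204.130 and 203.0.113.10 are constructed sample hosts.

```python
import ipaddress

class WgInterface:
    """Toy model of WireGuard cryptokey routing (illustrative, not RouterOS code)."""

    def __init__(self, peers):
        # peers: {peer name: [AllowedIPs CIDR strings]}
        self.peers = {name: [ipaddress.ip_network(c) for c in cidrs]
                      for name, cidrs in peers.items()}

    def outbound_peer(self, dst):
        """Sending: AllowedIPs is a routing table; the longest matching prefix picks the peer."""
        dst = ipaddress.ip_address(dst)
        matches = [(net.prefixlen, name) for name, nets in self.peers.items()
                   for net in nets if dst in net]
        return max(matches)[1] if matches else None  # None: no peer owns dst, packet dropped

    def inbound_ok(self, peer, src):
        """Receiving: after decryption, the inner source must be in that peer's AllowedIPs."""
        src = ipaddress.ip_address(src)
        return any(src in net for net in self.peers.get(peer, []))


def crosses_tunnel(sender, sender_name, receiver, receiver_name, src, dst):
    """True if sender encrypts the packet to receiver and receiver accepts its source."""
    return (sender.outbound_peer(dst) == receiver_name
            and receiver.inbound_ok(sender_name, src))


# Assumed layout: 199.181.204.128/26 sits behind R2, R1 has the Internet uplink.
r2 = WgInterface({"R1": ["0.0.0.0/0"]})                     # R2's peer entry for R1
r1_tunnel_only = WgInterface({"R2": ["192.168.89.2/32"]})   # R1's peer entry for R2, too narrow
r1_with_lan = WgInterface({"R2": ["192.168.89.2/32", "199.181.204.128/26"]})
LAN_HOST, INET_HOST = "199.181.204.130", "203.0.113.10"     # constructed sample addresses


def demo():
    """Walk four packets through the model and report which ones survive."""
    return {
        "tunnel ping R2->R1": crosses_tunnel(r2, "R2", r1_tunnel_only, "R1", "192.168.89.2", "192.168.89.1"),
        "LAN->Internet, R1 lists tunnel IP only": crosses_tunnel(r2, "R2", r1_tunnel_only, "R1", LAN_HOST, INET_HOST),
        "LAN->Internet, R1 also lists the /26": crosses_tunnel(r2, "R2", r1_with_lan, "R1", LAN_HOST, INET_HOST),
        "reply Internet->LAN": crosses_tunnel(r1_with_lan, "R1", r2, "R2", INET_HOST, LAN_HOST),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'pass' if ok else 'DROP'}  {case}")
```

In this model the tunnel addresses ping while routed LAN traffic is dropped until the peer entry on the receiving router also lists the remote subnet. Setting 0.0.0.0/0 on both sides works for a single peer, but it also accepts any inner source address from that peer.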
This is the configuration to get Internet through a WireGuard commercial VPN provider
/interface wireguard add listen-port=51820 name=wireguard-inet private-key="xxx" comment="Internet through WireGuard commercial VPN provider"
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25m \
preshared-key="xxx" public-key="xxx" comment="Internet through WireGuard commercial VPN provider"
/interface list member add interface=wireguard-inet list=WAN comment="Internet through WireGuard commercial VPN provider"
###
# Instead of xxx.xxx.xxx.xxx/32(from VPN provider) use xxx.xxx.xxx.xxx/24
/ip address add address=xxx.xxx.xxx.xxx/24 interface=wireguard-inet comment="Internet through WireGuard commercial VPN provider"
/routing table add name=wireguard-wan fib comment="Internet through WireGuard commercial VPN provider"
/ip route add dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=wireguard-wan comment="Internet through WireGuard commercial VPN provider"
# Replace 192.168.xxx.0/24 with your local network
/routing rule add action=lookup src-address=192.168.xxx.0/24 table=wireguard-wan comment="Internet through WireGuard commercial VPN provider"
# Add DNS from VPN service
/ip/dhcp-server/network/set dns-server=10.xxx.0.1 0
# Reconnect your device (PC, phone) to receive the new DNS server from the router