
What are the correct "allowed IPs" on this site-to-site Wireguard link -- it should be obvious, but obviously not to me :_)

I've almost got it working, but not quite, and I've tried nearly everything except dark forces of magic. I have thought of another idea, but I didn't think crying would help.

It's a site-to-site link (happens to be two Mikrotik CHR routers). Looks something like this:

- 199.181.204.128/26-R2-Public InternetIP-R1--199.181.204.0/26---R1--Internet

The Wireguard link between R2 and R1 is up and I have a private IP space (192.168.89.0/30) between them. Both sites can ping. (192.168.89.1<->192.168.89.2). However, R2 can't seem to pass traffic the Private IP space to 199.181.204.128. No firewalls are active for testing.

It seems to be related to AllowedIPs but I have no idea how or why. What I think I'm supposed to do is:

R2 AllowedIPs = 199.181.204.128/26 -- Meaning pass all of this traffic
R1 AllowedIPs = 0.0.0.0/0 -- Pass everything if it gets there

What I really want is to say, just pass it, don't think about it like OpenVPN would do. Don't filter, just pass packets from one interface to another.

Can I turn this feature off and make Wireguard "dumb" or what do I put in this?

You must have a great sense of humor. The AllowedIPs means the destination network segment that the local end can access. For example, if R1 wants to access the address 192.168.1.1/32, it needs to add this IP address to the AllowedIPs of R1. The easiest way is to set both sides to 0.0.0.0/0

This is the configuration to get Internet through a WireGuard commercial VPN provider:

/interface wireguard add listen-port=51820 name=wireguard-inet private-key="xxx" comment="Internet through WireGuard commercial VPN provider"
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25m \
    preshared-key="xxx" public-key="xxx" comment="Internet through WireGuard commercial VPN provider"
/interface list member add interface=wireguard-inet list=WAN comment="Internet through WireGuard commercial VPN provider"
###
# Instead of xxx.xxx.xxx.xxx/32 (from VPN provider) use xxx.xxx.xxx.xxx/24
/ip address add address=xxx.xxx.xxx.xxx/24 interface=wireguard-inet comment="Internet through WireGuard commercial VPN provider"
/routing table add name=wireguard-wan fib comment="Internet through WireGuard commercial VPN provider"
/ip route add dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=wireguard-wan comment="Internet through WireGuard commercial VPN provider"
# Replace xxx.xxx.xxx.xxx/24 with your local network
/routing rule add action=lookup src-address=192.168.xxx.0/24 table=wireguard-wan comment="Internet through WireGuard commercial VPN provider"
# Add DNS from VPN service
/ip/dhcp-server/network/set dns-server=10.xxx.0.1 0
# You need to reconnect your device (PC, phone) to receive the new DNS server from the router
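
As an added example (not part of the original thread or anyone's posted configuration): a small Python model of how WireGuard uses AllowedIPs both to pick the peer for outgoing packets and to filter the source address of incoming ones, applied to the addresses in the question. The sample host addresses, the .1/.2 assignment between R1 and R2, and the reading of the asker's settings are assumptions.

```python
# Added illustration (not from the original thread): WireGuard's AllowedIPs
# check in both directions, modelled with the addresses from the question.
from ipaddress import ip_address, ip_network

class WgInterface:
    """Peer table of one WireGuard interface: peer name -> AllowedIPs."""

    def __init__(self, peers):
        self.peers = {name: [ip_network(n) for n in nets]
                      for name, nets in peers.items()}

    def route_out(self, dst):
        """Outbound: the peer with the longest AllowedIPs match for dst, or None."""
        best = None
        for name, nets in self.peers.items():
            for net in nets:
                if ip_address(dst) in net and (best is None or net.prefixlen > best[1]):
                    best = (name, net.prefixlen)
        return best[0] if best else None  # None: no peer matches, nothing is sent

    def accept_in(self, peer, src):
        """Inbound: keep a decrypted packet only if src is in that peer's AllowedIPs."""
        return any(ip_address(src) in net for net in self.peers[peer])

def round_trip(r2, r1, src, dst):
    """True if src -> dst goes R2 -> R1 through the tunnel and the reply returns."""
    forward = r2.route_out(dst) == "R1" and r1.accept_in("R2", src)
    reply = r1.route_out(src) == "R2" and r2.accept_in("R1", dst)
    return forward and reply

# Constructed sample hosts; which router holds .1 or .2 is an assumption.
R1_TUN, R2_TUN = "192.168.89.1", "192.168.89.2"
LAN_HOST = "199.181.204.130"   # a host in R2's 199.181.204.128/26
INET_HOST = "203.0.113.10"     # documentation address standing in for the Internet

# One reading of the question: R2 lists its own LAN for peer R1.
posted_r2 = WgInterface({"R1": ["192.168.89.0/30", "199.181.204.128/26"]})
posted_r1 = WgInterface({"R2": ["0.0.0.0/0"]})

# Mirrored: each side lists what is reachable behind the *other* peer.
fixed_r2 = WgInterface({"R1": ["0.0.0.0/0"]})
fixed_r1 = WgInterface({"R2": ["192.168.89.2/32", "199.181.204.128/26"]})

if __name__ == "__main__":
    print("posted, tunnel ping :", round_trip(posted_r2, posted_r1, R2_TUN, R1_TUN))
    print("posted, LAN -> inet :", round_trip(posted_r2, posted_r1, LAN_HOST, INET_HOST))
    print("fixed,  LAN -> inet :", round_trip(fixed_r2, fixed_r1, LAN_HOST, INET_HOST))
    print("fixed,  R1 accepts other source from R2:", fixed_r1.accept_in("R2", "10.9.9.9"))
```

This models only the AllowedIPs check; each router's routing table must still direct the traffic into the WireGuard interface.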
