My WireGuard connection has stability problems. I have set up 3 VPN networks (described below), but let's focus on the first one (wg0) for now. Everything works, but after a while the connection fails: the client tries to initiate a new handshake, the server responds, but for some reason the response never reaches the client. Resetting the connection fixes the problem until it breaks again.

I have tried:

1. Setting policy ACCEPT on chain INPUT to check whether the firewall on the server is the issue.
2. Setting policy ACCEPT on chain FORWARD to check whether the firewall on the server is the issue.
3. Disabling the Windows firewall.
4. Lowering the MTU on both client and server.
5. Setting PersistentKeepalive on both client and server.
6. Setting a very low PersistentKeepalive on the client.

Context:

1. Client is a Windows PC behind NAT in a home network.
2. Server is a Linux VPS with a public IP on Hetzner hosting.

Wireshark captures (images):

1. Successful handshake; then, a few times, the client manages to make a few handshakes again.
2. Issue with the connection.
3. I disconnect the client.
4. I ping the client from the server; the server tries to initiate handshakes, they get through to the client, but the client is disabled, so they do not succeed. This proves there is no network or firewall block on the client side.

Client WireGuard log:

Handshake for peer 1 (REDACTED:10000) did not complete after 5 seconds, retrying (try 2)
Sending handshake initiation to peer 1 (REDACTED:10000)
Handshake for peer 1 (REDACTED:10000) did not complete after 5 seconds, retrying (try 3)
Sending handshake initiation to peer 1 (REDACTED:10000)
Handshake for peer 1 (REDACTED:10000) did not complete after 5 seconds, retrying (try 4)

Client config:

[Interface]
PrivateKey = REDACTED
Address = 10.0.0.2/24
DNS = 8.8.8.8
MTU = 1280

[Peer]
PublicKey = REDACTED
AllowedIPs = 10.0.0.0/16
Endpoint = REDACTED:10000
PersistentKeepalive = 25

Server config:

[Interface]
Address = 10.0.0.1/24

ListenPort = 10000
PrivateKey = REDACTED
MTU = 1280

#pc
[Peer]
PublicKey = REDACTED
AllowedIPs = 10.0.0.2/32

Iptables rules (script):

iptables -F -t filter
iptables -F -t nat
iptables -F -t mangle
iptables -X -t filter
iptables -X -t nat
iptables -X -t mangle

#Set policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#Group rules into chains
iptables -N _INPUT
iptables -N _OUTPUT
iptables -N _FORWARD
iptables -N _POSTROUTING -t nat

#Append chains
iptables -A INPUT -j _INPUT
iptables -A OUTPUT -j _OUTPUT
iptables -A FORWARD -j _FORWARD
iptables -A POSTROUTING -t nat -j _POSTROUTING

#Allow related and established connections
iptables -A _INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A _FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#Allow loopback
iptables -A _INPUT -i lo -j ACCEPT

#Wireguard [wg0] (10.0.0.0/24) -------------------------------------------------------------------------

#Allow all traffic from devices in this network
#Note: these two rules match on source address only (no -i wg0), so a packet
#arriving on eth0 with a 10.0.0.0/24 source address also matches them
iptables -I _FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -I _INPUT -s 10.0.0.0/24 -j ACCEPT

#Open port for this network
iptables -A _INPUT -i eth0 -p udp --dport 10000 -j ACCEPT

#Allow internet access
iptables -A _POSTROUTING -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE

#Wireguard [wg1] (10.0.1.0/24) -------------------------------------------------------------------------

#Allow traffic to other devices in wg1 and wg2
iptables -A _FORWARD -i wg1 -o wg1 -j ACCEPT
iptables -A _FORWARD -i wg1 -o wg2 -j ACCEPT

#Open port for this network
iptables -A _INPUT -i eth0 -p udp --dport 10010 -j ACCEPT

#Allow internet access
iptables -A _FORWARD -i wg1 -o eth0 -j ACCEPT
iptables -A _POSTROUTING -t nat -s 10.0.1.0/24 -o eth0 -j MASQUERADE

#Wireguard [wg2] (10.0.2.0/24) -------------------------------------------------------------------------

iptables -A _INPUT -i eth0 -p udp --dport 10020 -j ACCEPT

#Logging -----------------------------------------------------------------------------------------------

#Log new accepted on wireguard ports
#iptables -I _INPUT -i eth0 -p udp --dport 10000 -m conntrack --ctstate NEW -m limit --limit 1/s -j LOG --log-prefix "WIREGUARD_NEW_WG0: " --log-level 7
#iptables -I _INPUT -i eth0 -p udp --dport 10010 -m conntrack --ctstate NEW -m limit --limit 1/s -j LOG --log-prefix "WIREGUARD_NEW_WG1: " --log-level 7
#iptables -I _INPUT -i eth0 -p udp --dport 10020 -m conntrack --ctstate NEW -m limit --limit 1/s -j LOG --log-prefix "WIREGUARD_NEW_WG2: " --log-level 7

#Log dropped on _FORWARD
iptables -A _FORWARD -m limit --limit 1/s -j LOG --log-prefix "IPTABLES_FRWD_DROP: " --log-level 7

Network explanation:

[wg0] – highest trust

Subnet of this network: 10.0.0.0/24
Interface address: 10.0.0.1
Client addresses: from 10.0.0.2 to 10.0.0.254
Listen port: 10000

Devices in this network can access:

  1. The internet
  2. Devices in network wg0
  3. Devices in network wg1
  4. Devices in network wg2

[wg1] – limited / conditional trust

Subnet of this network: 10.0.1.0/24
Interface address: 10.0.1.1
Client addresses: from 10.0.1.2 to 10.0.1.254
Listen port: 10010

Devices in this network can access:

  1. The internet
  2. Devices in network wg1
  3. Devices in network wg2

[wg2] – untrusted

Subnet of this network: 10.0.2.0/24
Interface address: 10.0.2.1
Client addresses: from 10.0.2.2 to 10.0.2.254
Listen port: 10020

Devices in this network can access:

  1. Nothing

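The following is an added example, not code from the post: it decodes the cleartext header of WireGuard UDP payloads captured at one host and pairs each handshake initiation that host sent with a handshake response (or cookie reply) carrying the same sender index, which is the check the Wireshark screenshots in the post do by eye. The message type byte, the three reserved zero bytes, the little-endian 32-bit indices and the fixed sizes 148/92/64 follow the WireGuard protocol; the sample packets are constructed with zeroed crypto fields, so only the indices are meaningful, and the index values themselves are made up.

```python
"""Pair WireGuard handshake initiations with their responses in a one-sided capture.

Added example, not from the original post. Header layout and sizes follow the
WireGuard protocol; the sample packets below are constructed with dummy crypto
fields and only their sender/receiver indices carry meaning.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MSG_INITIATION, MSG_RESPONSE, MSG_COOKIE_REPLY, MSG_TRANSPORT = 1, 2, 3, 4
FIXED_SIZES = {MSG_INITIATION: 148, MSG_RESPONSE: 92, MSG_COOKIE_REPLY: 64}
MIN_TRANSPORT_SIZE = 32  # 4 type/reserved + 4 receiver + 8 counter + 16-byte AEAD tag


@dataclass(frozen=True)
class WgMessage:
    kind: int
    sender: Optional[int]    # index chosen by the party that sent this message
    receiver: Optional[int]  # peer's index, echoed back so the peer can match it


def parse_wg(payload: bytes) -> WgMessage:
    """Decode the cleartext header of one WireGuard UDP payload."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        raise ValueError("not a WireGuard message (bad type/reserved bytes)")
    kind = payload[0]
    if kind in FIXED_SIZES and len(payload) != FIXED_SIZES[kind]:
        raise ValueError(f"type {kind} must be {FIXED_SIZES[kind]} bytes, got {len(payload)}")
    if kind == MSG_INITIATION:
        (sender,) = struct.unpack_from("<I", payload, 4)
        return WgMessage(kind, sender, None)
    if kind == MSG_RESPONSE:
        sender, receiver = struct.unpack_from("<II", payload, 4)
        return WgMessage(kind, sender, receiver)
    if kind == MSG_COOKIE_REPLY:
        (receiver,) = struct.unpack_from("<I", payload, 4)
        return WgMessage(kind, None, receiver)
    if kind == MSG_TRANSPORT:
        if len(payload) < MIN_TRANSPORT_SIZE:
            raise ValueError("transport message too short")
        (receiver,) = struct.unpack_from("<I", payload, 4)
        return WgMessage(kind, None, receiver)
    raise ValueError(f"unknown WireGuard message type {kind}")


def unanswered_initiations(capture: List[Tuple[str, bytes]]) -> List[int]:
    """capture: ("tx"|"rx", udp_payload) pairs as seen at one host.

    Returns the sender indices of initiations this host sent for which no
    response or cookie reply addressed to that index was ever received.
    """
    pending = {}       # sender index -> True, in the order initiations were sent
    answered = set()
    for direction, payload in capture:
        msg = parse_wg(payload)
        if direction == "tx" and msg.kind == MSG_INITIATION:
            pending[msg.sender] = True
        elif direction == "rx" and msg.kind in (MSG_RESPONSE, MSG_COOKIE_REPLY):
            if msg.receiver in pending:
                answered.add(msg.receiver)
    return [idx for idx in pending if idx not in answered]


# --- constructed sample packets: zeroed crypto fields, only indices matter ----
def make_initiation(sender: int) -> bytes:
    return bytes([MSG_INITIATION, 0, 0, 0]) + struct.pack("<I", sender) + b"\0" * 140


def make_response(sender: int, receiver: int) -> bytes:
    return bytes([MSG_RESPONSE, 0, 0, 0]) + struct.pack("<II", sender, receiver) + b"\0" * 80


def make_transport(receiver: int, counter: int, payload_len: int = 16) -> bytes:
    return bytes([MSG_TRANSPORT, 0, 0, 0]) + struct.pack("<IQ", receiver, counter) + b"\0" * payload_len


# Client-side view of the scenario in the post (indices invented): one good
# handshake with data flowing, then three retried initiations (each retry uses a
# fresh sender index) whose responses never arrive.
CLIENT_CAPTURE = [
    ("tx", make_initiation(0x1001)),
    ("rx", make_response(0x2001, 0x1001)),
    ("tx", make_transport(0x2001, 0)),
    ("rx", make_transport(0x1001, 0)),
    ("tx", make_initiation(0x1002)),
    ("tx", make_initiation(0x1003)),
    ("tx", make_initiation(0x1004)),
]

if __name__ == "__main__":
    lost = unanswered_initiations(CLIENT_CAPTURE)
    print("unanswered initiations:", [hex(i) for i in lost])
```

Run the same function over a server-side capture taken at the same time: if the server's "tx" list contains responses whose receiver index matches initiations the client never saw answered, the responses left the server and were lost on the return path, which is the situation the post's screenshots describe; if the server shows no response at all, the loss is on the way in or in the server's own processing.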

  • "Disabling windows firewall." Have you tried disabling the Linux firewall?

  • Yes, please look at the first two points in the "I have tried" section.

  • Does your home IP change, or are you behind CGNAT?

  • @JuliePelletier I have checked now: my router only supports IPv6 (cannot be changed), but I have a public IPv4 IP. Also, my public IPv6 does not match the IPv6 my router was given. So I guess yes, I am behind CGNAT.

  • "my public IPv6 does not match IPv6 my router was given. So I guess yes, am behind CGNAT…" But CGNAT is an IPv4 thing, so

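A separate hardening check on the posted ruleset, added here and not code from the post. It does not explain the handshake loss; it flags ACCEPT rules that match on a VPN source subnet without an input-interface (`-i`) match, which the two wg0 rules in the script above do: a packet arriving on eth0 with a forged 10.0.0.x source address satisfies them as well (unless rp_filter drops it first). The rules embedded below are copied from the post's script (a subset), and the subnet-to-interface mapping is taken from the post's network description; `hardened_rule` is an illustrative helper, not an iptables feature.

```python
"""Flag iptables ACCEPT rules that trust a VPN subnet without binding it to the
VPN interface, and show the tightened form.

Added example, not from the original post. POST_RULES is a subset of the post's
own script; SUBNET_IFACE comes from the post's network description.
"""
import shlex
from typing import Dict, List, Optional, Tuple

# Subnet -> WireGuard interface, as described in the post.
SUBNET_IFACE = {"10.0.0.0/24": "wg0", "10.0.1.0/24": "wg1", "10.0.2.0/24": "wg2"}

POST_RULES = """
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A _INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A _INPUT -i lo -j ACCEPT
#Allow all traffic from devices in this network
iptables -I _FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -I _INPUT -s 10.0.0.0/24 -j ACCEPT
iptables -A _INPUT -i eth0 -p udp --dport 10000 -j ACCEPT
iptables -A _POSTROUTING -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -A _FORWARD -i wg1 -o wg1 -j ACCEPT
iptables -A _FORWARD -i wg1 -o wg2 -j ACCEPT
iptables -A _FORWARD -i wg1 -o eth0 -j ACCEPT
iptables -A _FORWARD -m limit --limit 1/s -j LOG --log-prefix "IPTABLES_FRWD_DROP: " --log-level 7
"""


def parse_rule(line: str) -> Optional[Dict[str, str]]:
    """Return {option: value} for an -A/-I rule, or None for any other command.

    Every option is treated as taking exactly one value, which holds for the
    options used in the post's script (-s, -i, -o, -p, -m, -j, -t, --dport, ...).
    """
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "iptables":
        return None
    opts: Dict[str, str] = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("-A", "-I") and i + 1 < len(toks):
            opts["verb"], opts["chain"] = tok, toks[i + 1]
            i += 2
        elif tok.startswith("-") and i + 1 < len(toks):
            opts[tok] = toks[i + 1]
            i += 2
        else:
            i += 1  # bare value (e.g. the target of -P) or trailing flag
    return opts if "chain" in opts else None


def spoofable_source_accepts(script: str) -> List[Tuple[str, str]]:
    """(chain, subnet) for every ACCEPT rule keyed on a source subnet but no -i."""
    findings: List[Tuple[str, str]] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule and rule.get("-j") == "ACCEPT" and "-s" in rule and "-i" not in rule:
            findings.append((rule["chain"], rule["-s"]))
    return findings


def hardened_rule(chain: str, subnet: str, verb: str = "-A") -> str:
    """Same accept, but only for packets that really entered on the VPN interface."""
    iface = SUBNET_IFACE[subnet]
    return f"iptables {verb} {chain} -i {iface} -s {subnet} -j ACCEPT"


if __name__ == "__main__":
    for chain, subnet in spoofable_source_accepts(POST_RULES):
        print(f"{chain}: accepts {subnet} from any interface ->", hardened_rule(chain, subnet, "-I"))
```

For the FORWARD chain the same idea applies in the other direction too: pairing `-i wg0` with an explicit `-o` (wg1, wg2, eth0) documents which inter-VPN paths are intended, which the wg1 section of the script already does.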