I set up three Wireguard nodes - a, b and c (Vagrantfile below). Both b and c connect to a and can ping it through the Wireguard tunnel. But b and c cannot ping each other - why?
Vagrant.configure("2") do |config|
  [
    {
      name: "a",
      wgcfg: <<-WGCFG
[Interface]
PrivateKey=gCQW9uFhkiFwXAOfVINXm+BF4s8fZcTWAfxJboAg01I=
ListenPort=50031
Address=192.168.234.65/26
[Peer]
PublicKey=5T5HdEaGxtDLCoC4QTb3B1e0suer4IadTEwWZ5Je7w0=
AllowedIPs=192.168.234.0/26
PersistentKeepalive=25
[Peer]
PublicKey=1nYwoKaMswzdiM/2UNDDJf/DRX5m/6M27dLMOeqaxwk=
AllowedIPs=192.168.234.0/26
PersistentKeepalive=25
      WGCFG
    },
    {
      name: "b",
      wgcfg: <<-WGCFG
[Interface]
PrivateKey=KFsOZmkbHUmPNQmjgWn4lJa/MiszGcAuFNJb8HSda2M=
Address=192.168.234.66/26
[Peer]
PublicKey=5U5KqwaEA3I9nMYAfVA6thA2XUwOUVU8Y4C8CzeRzVo=
Endpoint=172.28.128.3:50031
AllowedIPs=192.168.234.0/26
PersistentKeepalive=25
      WGCFG
    },
    {
      name: "c",
      wgcfg: <<-WGCFG
[Interface]
PrivateKey=6Gl/ZbyOKJHhQUSLaMrShU/ukNfvvDdiwz1a7t45Q3I=
Address=192.168.234.67/26
[Peer]
PublicKey=5U5KqwaEA3I9nMYAfVA6thA2XUwOUVU8Y4C8CzeRzVo=
Endpoint=172.28.128.3:50031
AllowedIPs=192.168.234.0/26
PersistentKeepalive=25
      WGCFG
    }
  ].each do |specs|
    config.vm.define specs[:name] do |config|
      config.vm.box = "ubuntu/bionic64"
      config.vm.network "private_network", type: "dhcp"
      config.vm.provider "virtualbox" do |vb|
        vb.memory = "1024"
      end
      # Install WireGuard, write this node's wg1.conf and enable IP forwarding.
      config.vm.provision "shell", inline: <<-SHELL
sudo add-apt-repository -y ppa:wireguard/wireguard
sudo bash -c 'DEBIAN_FRONTEND=noninteractive apt-get -y install wireguard tshark'
sudo bash -exo pipefail -c 'cat <<<"$0" >/etc/wireguard/wg1.conf' '#{specs[:wgcfg]}'
sudo systemctl enable wg-quick@wg1.service
sudo systemctl restart wg-quick@wg1.service
sudo bash -exo pipefail -c 'cat <<<'net.ipv4.ip_forward=1' >/etc/sysctl.d/99-router.conf'
sudo sysctl -w net.ipv4.ip_forward=1
      SHELL
    end
  end
end
Make one /30 subnet for a-b and one for a-c. Include the a-b subnet in AllowedIPs on c and the a-c subnet in AllowedIPs on b. That is:
Vagrant.configure("2") do |config|
  [
    {
      name: "a",
      # a gets one interface per link: wg0 for the a-b /30, wg1 for the a-c /30.
      wgcfgs: [
        {
          nic: "wg0",
          cfg: <<-WGCFG
[Interface]
PrivateKey=gCQW9uFhkiFwXAOfVINXm+BF4s8fZcTWAfxJboAg01I=
ListenPort=50031
Address=192.168.234.65/30
[Peer]
PublicKey=5T5HdEaGxtDLCoC4QTb3B1e0suer4IadTEwWZ5Je7w0=
AllowedIPs=192.168.234.66/32
PersistentKeepalive=25
          WGCFG
        },
        {
          nic: "wg1",
          cfg: <<-WGCFG
[Interface]
PrivateKey=gCQW9uFhkiFwXAOfVINXm+BF4s8fZcTWAfxJboAg01I=
ListenPort=50032
Address=192.168.234.69/30
[Peer]
PublicKey=1nYwoKaMswzdiM/2UNDDJf/DRX5m/6M27dLMOeqaxwk=
AllowedIPs=192.168.234.70/32
PersistentKeepalive=25
          WGCFG
        }
      ]
    },
    {
      name: "b",
      wgcfgs: [
        {
          nic: "wg0",
          cfg: <<-WGCFG
[Interface]
PrivateKey=KFsOZmkbHUmPNQmjgWn4lJa/MiszGcAuFNJb8HSda2M=
Address=192.168.234.66/30
[Peer]
PublicKey=5U5KqwaEA3I9nMYAfVA6thA2XUwOUVU8Y4C8CzeRzVo=
Endpoint=172.28.128.3:50031
AllowedIPs=192.168.234.65/32, 192.168.234.68/30
PersistentKeepalive=25
          WGCFG
        }
      ]
    },
    {
      name: "c",
      wgcfgs: [
        {
          nic: "wg0",
          cfg: <<-WGCFG
[Interface]
PrivateKey=6Gl/ZbyOKJHhQUSLaMrShU/ukNfvvDdiwz1a7t45Q3I=
Address=192.168.234.70/30
[Peer]
PublicKey=5U5KqwaEA3I9nMYAfVA6thA2XUwOUVU8Y4C8CzeRzVo=
Endpoint=172.28.128.3:50032
AllowedIPs=192.168.234.69/32, 192.168.234.64/30
PersistentKeepalive=25
          WGCFG
        }
      ]
    }
  ].each do |specs|
    config.vm.define specs[:name] do |config|
      config.vm.box = "ubuntu/bionic64"
      config.vm.network "private_network", type: "dhcp"
      config.vm.provider "virtualbox" do |vb|
        vb.memory = "1024"
      end
      # Install WireGuard, enable forwarding, then write and start one
      # wg-quick unit per interface listed in wgcfgs.
      config.vm.provision "shell", inline: <<-SHELL
sudo add-apt-repository -y ppa:wireguard/wireguard
sudo bash -c 'DEBIAN_FRONTEND=noninteractive apt-get -y install wireguard'
sudo bash -exo pipefail -c 'cat <<<'net.ipv4.ip_forward=1' >/etc/sysctl.d/99-router.conf'
sudo sysctl -w net.ipv4.ip_forward=1
#{specs[:wgcfgs].map{|wgcfg|<<-WG
sudo bash -exo pipefail -c 'cat <<<"$0" >/etc/wireguard/#{wgcfg[:nic]}.conf' '#{wgcfg[:cfg]}'
sudo systemctl enable wg-quick@#{wgcfg[:nic]}.service
sudo systemctl restart wg-quick@#{wgcfg[:nic]}.service
WG
}.join}
      SHELL
    end
  end
end