Using WireGuard on a Raspberry Pi - NAT problem

I am trying to run WireGuard on a Raspberry Pi 3B with Pi-OS installed, but NAT is not working.

When I start WireGuard, I get the following output:

root@raspberrypi:/home/pi# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.10.10.1 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@raspberrypi:/home/pi#

iptables looks like this:

root@raspberrypi:/home/pi# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere                

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@raspberrypi:/home/pi#

However, I cannot reach the 192.168.188.0/24 network from wg0 10.10.10.2. Any ideas?

I can reach the IP 10.10.10.1/32, but I cannot ping any device in 192.168.188.0/24.

Packet forwarding:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1

And the requested NAT:

root@raspberrypi:/home/pi# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 49 packets, 14332 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 49 packets, 14332 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 490 packets, 32962 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 427 packets, 28720 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   63  4242 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
root@raspberrypi:/home/pi# 

ip route output:

root@raspberrypi:/home/pi# ip route
default via 192.168.188.1 dev eth0 src 192.168.188.45 metric 202 
default via 192.168.188.1 dev wlan0 src 192.168.188.20 metric 303 
192.168.188.0/24 dev eth0 proto kernel scope link src 192.168.188.45 metric 202 
192.168.188.0/24 dev wlan0 proto kernel scope link src 192.168.188.20 metric 303 

wg output:

root@raspberrypi:/home/pi# wg
interface: wg0
  public key: Deleted
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer:deleted
  preshared key: (hidden)
  endpoint: 80.142.204.XXX:62046
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 25.44 KiB received, 3.63 MiB sent

Emma Luo, updated: December 24, 2019

root@raspberrypi:/home/pi# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0

root@raspberrypi:/home/pi# sysctl -a | grep net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1
