Wireguard "wg0: Packet has unallowed src IP"
I set up the server using the https://github.com/angristan/wireguard-install project. It generated the following server configuration file at /etc/wireguard/wg0.conf:

```ini
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 51202
PrivateKey = ***************
PostUp = iptables -A FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

### Client chris
[Peer]
PublicKey = ***************
PresharedKey = ****************
AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128,209.250.230.114/32
```
And the following client file:

```ini
[Interface]
PrivateKey = ******************
Address = 10.66.66.2/32,fd42:42:42::2/128
DNS = 94.140.14.14,94.140.15.15

[Peer]
PublicKey = 8ZF6U0mHKvMtVw2A4jha4mZR+a0GP5W85unV05zJIyw=
PresharedKey = **************************
Endpoint = 192.248.162.216:51202
AllowedIPs = 0.0.0.0/0,::/0
```
This is my file on the client. When I run `wg-quick up server` on the client, the following happens:

```
root@vultr:~# wg-quick up server
[#] ip link add server type wireguard
[#] wg setconf server /dev/fd/63
[#] ip -4 address add 10.66.66.2/32 dev server
[#] ip -6 address add fd42:42:42::2/128 dev server
[#] ip link set mtu 1420 up dev server
[#] resolvconf -a tun.server -m 0 -x
[#] wg set server fwmark 51820
[#] ip -6 route add ::/0 dev server table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev server table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
```
After that, the client loses its network connection (meaning my existing SSH session). The server shows the following debug log:

```
Feb 14 18:14:21 car kernel: wireguard: wg0: Packet has unallowed src IP (209.250.230.114) from peer 1 (209.250.230.114:56584)
Feb 14 18:14:22 car kernel: wireguard: wg0: Sending keepalive packet to peer 1 (209.250.230.114:56584)
Feb 14 18:14:23 car kernel: wireguard: wg0: Packet has unallowed src IP (209.250.230.114) from peer 1 (209.250.230.114:56584)
Feb 14 18:14:26 car kernel: wireguard: wg0: Packet has unallowed src IP (209.250.230.114) from peer 1 (209.250.230.114:56584)
Feb 14 18:14:33 car kernel: wireguard: wg0: Sending keepalive packet to peer 1 (209.250.230.114:56584)
```
Of course, `AllowedIPs = 0.0.0.0/0,::/0` allows every IP, doesn't it? So why do I get an error saying the IP is not allowed?

I tried adding the client IP (209.250.230.114) to the `AllowedIPs` of the `[Peer]` in the server config /etc/wireguard/wg0.conf and restarting the Wireguard systemd service. Now the behaviour changed slightly: it seems to keep regenerating key pairs and sending handshakes.

```
Feb 14 18:27:15 car kernel: wireguard: wg0: Sending handshake response to peer 2 (209.250.230.114:46777)
Feb 14 18:27:15 car kernel: wireguard: wg0: Keypair 40 destroyed for peer 2
Feb 14 18:27:15 car kernel: wireguard: wg0: Keypair 41 created for peer 2
Feb 14 18:27:20 car kernel: wireguard: wg0: Receiving handshake initiation from peer 2 (209.250.230.114:46777)
Feb 14 18:27:20 car kernel: wireguard: wg0: Sending handshake response to peer 2 (209.250.230.114:46777)
Feb 14 18:27:20 car kernel: wireguard: wg0: Keypair 41 destroyed for peer 2
Feb 14 18:27:20 car kernel: wireguard: wg0: Keypair 42 created for peer 2
Feb 14 18:27:25 car kernel: wireguard: wg0: Receiving handshake initiation from peer 2 (209.250.230.114:46777)
Feb 14 18:27:25 car kernel: wireguard: wg0: Sending handshake response to peer 2 (209.250.230.114:46777)
Feb 14 18:27:25 car kernel: wireguard: wg0: Keypair 42 destroyed for peer 2
Feb 14 18:27:25 car kernel: wireguard: wg0: Keypair 43 created for peer 2
```
Here is part of the packet log the client printed from `tshark -i any` after running `wg-quick up`... The IP is now different from the one earlier in the question (I tried setting everything up again from scratch, so it got a new IP).

```
80 30.827763166 87.246.7.226 → 192.248.154.136 TCP 76 [TCP Retransmission] 57034 → 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=342868104 TSecr=0 WS=128
81 30.827859690 192.248.154.136 → 87.246.7.226 TCP 56 25 → 57034 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
82 33.439281276 192.248.154.136 → 192.248.152.91 UDP 192 59054 → 58338 Len=148
83 36.811164287 192.248.154.136 → 108.61.73.244 NTP 92 NTP Version 4, client
84 38.146118476 87.246.7.243 → 192.248.154.136 TCP 76 6076 → 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=211747651 TSecr=0 WS=1024
85 38.146182173 192.248.154.136 → 87.246.7.243 TCP 56 25 → 6076 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
86 38.559280480 192.248.154.136 → 192.248.152.91 UDP 192 59054 → 58338 Len=148
87 38.852121979 87.246.7.226 → 192.248.154.136 TCP 76 [TCP Retransmission] 57034 → 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=342876128 TSecr=0 WS=128
88 38.852220458 192.248.154.136 → 87.246.7.226 TCP 56 25 → 57034 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
89 39.146306580 87.246.7.243 → 192.248.154.136 TCP 76 [TCP Retransmission] 6076 → 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=211748652 TSecr=0 WS=1024
90 39.146388276 192.248.154.136 → 87.246.7.243 TCP 56 25 → 6076 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
91 41.150763667 87.246.7.243 → 192.248.154.136 TCP 76 [TCP Retransmission] 6076 → 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=211750656 TSecr=0 WS=1024
92 41.150880444 192.248.154.136 → 87.246.7.243 TCP 56 25 → 6076 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
93 41.630158997 212.70.149.54 → 192.248.154.136 TCP 76 46658 → 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=42893859 TSecr=0 WS=1024
94 41.630236617 192.248.154.136 → 212.70.149.54 TCP 56 25 → 46658 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
95 41.811177910 192.248.154.136 → 108.61.73.243 NTP 92 NTP Version 4, client
96 42.630885040 212.70.149.54 → 192.248.154.136 TCP 76 [TCP Retransmission] 46658 → 25 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=42894860 TSecr=0 WS=1024
97 42.630953128 192.248.154.136 → 212.70.149.54 TCP 56 25 → 46658 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
98 43.353963530 fe:00:03:35:d7:65 → ARP 44 Who has 192.248.154.136? Tell 104.238.168.72
99 43.354021247 56:00:03:35:d7:65 → ARP 44 192.248.154.136 is at 56:00:03:35:d7:65
100 43.679313102 192.248.154.136 → 192.248.152.91 UDP 192 59054 → 58338 Len=148
101 44.634917692 212.70.149.54 → 192.248.154.136 TCP 76 [TCP Retransmission] 46658 → 25 [SYN] Seq=0 Win=29200 Len
```
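Added illustration, not part of the question above nor of the angristan install script: a small Python model of WireGuard's cryptokey routing, run against the `AllowedIPs` values quoted in the question. The point it demonstrates is that `AllowedIPs` is evaluated independently on each side. The client's `0.0.0.0/0,::/0` only decides what the client sends into the tunnel; the server, on receiving a decrypted packet, looks up the inner source address in its own table and drops the packet with "Packet has unallowed src IP" unless that lookup yields the peer the packet came from (here, `chris` with `10.66.66.2/32,fd42:42:42::2/128`). The `endpoint_loops` check models the second symptom: once the peer's public address 209.250.230.114 is itself inside its `AllowedIPs`, anything addressed there, including the server's encrypted handshake replies, is routed into the tunnel (wg-quick adds a kernel route for every non-default `AllowedIPs` prefix). The `Peer`/`CryptokeyRouter` classes, the log regex and the function names are my own; all addresses and the sample log line are copied from the question.

```python
"""Model of WireGuard's AllowedIPs table (cryptokey routing), checked against the
configs and kernel log lines quoted in the question.  Example code, not WireGuard's."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    name: str
    allowed_ips: List[ipaddress._BaseNetwork]
    endpoint: Optional[str] = None   # "host:port" the encrypted UDP is sent to


def networks(*cidrs: str):
    return [ipaddress.ip_network(c) for c in cidrs]


class CryptokeyRouter:
    """One WireGuard interface: the union of all peers' AllowedIPs prefixes."""

    def __init__(self, peers: List[Peer]):
        self.peers = list(peers)

    def lookup(self, ip: str) -> Optional[Peer]:
        """Longest-prefix match of one address over every peer's AllowedIPs."""
        addr = ipaddress.ip_address(ip)
        best_peer, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if net.version == addr.version and addr in net and net.prefixlen > best_len:
                    best_peer, best_len = peer, net.prefixlen
        return best_peer

    def outbound_peer(self, dst: str) -> Optional[Peer]:
        """Which peer a plaintext packet for `dst` is encrypted to (None: not tunnelled)."""
        return self.lookup(dst)

    def inbound_ok(self, peer: Peer, inner_src: str) -> bool:
        """The kernel keeps a decrypted packet only if the lookup of its inner
        source address returns the very peer it arrived from."""
        return self.lookup(inner_src) is peer

    def endpoint_loops(self, peer: Peer) -> bool:
        """True if packets to the peer's own endpoint would be sent back into the tunnel."""
        if peer.endpoint is None:
            return False
        host = peer.endpoint.rsplit(":", 1)[0]
        return self.lookup(host) is not None


CLIENT_PUBLIC_IP = "209.250.230.114"   # from the question


def server_router(add_client_public_ip: bool = False):
    """Server wg0.conf from the question; optionally with the public IP the asker added."""
    allowed = ["10.66.66.2/32", "fd42:42:42::2/128"]
    if add_client_public_ip:
        allowed.append(CLIENT_PUBLIC_IP + "/32")
    chris = Peer("chris", networks(*allowed), endpoint=CLIENT_PUBLIC_IP + ":56584")
    return CryptokeyRouter([chris]), chris


def client_router():
    """Client config from the question: everything is routed to the server."""
    server = Peer("server", networks("0.0.0.0/0", "::/0"), endpoint="192.248.162.216:51202")
    return CryptokeyRouter([server]), server


# Sample line copied from the server log in the question.
SAMPLE_LOG = ("Feb 14 18:14:21 car kernel: wireguard: wg0: Packet has unallowed src IP "
              "(209.250.230.114) from peer 1 (209.250.230.114:56584)")
LOG_RE = re.compile(r"Packet has unallowed src IP \((?P<src>[0-9a-fA-F.:]+)\) from peer (?P<peer>\d+)")


def explain_log_line(line: str, add_client_public_ip: bool = False) -> Optional[str]:
    """Re-run the server's inbound check for the source address named in a log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    router, chris = server_router(add_client_public_ip)
    src = m.group("src")
    if router.inbound_ok(chris, src):
        return "accepted"
    return f"dropped: {src} outside AllowedIPs of {chris.name}"


if __name__ == "__main__":
    client, server = client_router()
    print("client sends 1.1.1.1 via:", client.outbound_peer("1.1.1.1").name)
    print("server verdict:", explain_log_line(SAMPLE_LOG))
    print("after adding the public IP:", explain_log_line(SAMPLE_LOG, True))
    print("endpoint now routed into tunnel:", server_router(True)[0].endpoint_loops(server_router(True)[1]))
```

Run as a script it shows both halves of the asker's observation: the original server table rejects a packet whose inner source is 209.250.230.114, and adding that address to `AllowedIPs` makes the check pass but also makes the peer's own endpoint a tunnel destination.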
Answer 1

"Packet has unallowed src IP"

In my case the problem was that, after a reboot, the cloud provider's firewall was not fully configured. Running `wg-quick down` and `wg-quick up` added the firewall rules the script needs. I hope this helps someone.