How does all traffic go through WireGuard?

I am trying to understand how all traffic from my computer is routed through WireGuard while I am connected to the WireGuard VPN. See the output of ip route, ip a s, and ip rule below.

My VPN was set up with the provider's CLI tool (mullvad connect) after installing the tool and linking it to my account: https://mulvad.net/en/help/how-use-mulvad-cli

From the routing table I understand that everything coming from source 192.168.44.83 on dev wlp0s20f3 will take the default route. But I can't seem to see how this traffic ends up on the WireGuard network interface. How does this happen?

$ ip -c route
default via 192.168.44.1 dev wlp0s20f3 proto dhcp src 192.168.44.83 metric 600 
10.64.0.1 dev wg-mullvad proto static 
192.168.44.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.44.83 metric 600 


$ ip -c rule show
0:      from all lookup local
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0x6d6f6c65 lookup 1836018789
32766:  from all lookup main
32767:  from all lookup default


$ ip -c a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
3: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f0:20:ff:a7:68:db brd ff:ff:ff:ff:ff:ff
    inet 192.168.44.83/24 brd 192.168.44.255 scope global dynamic noprefixroute wlp0s20f3
       valid_lft 259023sec preferred_lft 259023sec
    inet6 fe80::9f4e:c306:9e3d:8e8/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
9: wg-mullvad: <POINTOPOINT,UP,LOWER_UP> mtu 1380 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.147.23.252/32 scope global wg-mullvad
       valid_lft forever preferred_lft forever

Output of ip route show table 1836018789:

$ ip route show table 1836018789
default dev wg-mullvad proto static

Output of nft list ruleset:

# nft list ruleset
table inet mullvad {
    chain prerouting {
        type filter hook prerouting priority -199; policy accept;
        iif != "wg-mullvad" ct mark 0x00000f41 meta mark set 0x6d6f6c65
        ip saddr 185.195.233.76 udp sport 19955 meta mark set 0x6d6f6c65
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct mark 0x00000f41 accept
        udp sport 68 ip daddr 255.255.255.255 udp dport 67 accept
        ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff02::1:2 udp dport 547 accept
        ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff05::1:3 udp dport 547 accept
        ip6 daddr ff02::2 icmpv6 type nd-router-solicit icmpv6 code no-route accept
        ip6 daddr ff02::1:ff00:0/104 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
        ip6 daddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
        ip6 daddr fe80::/10 icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
        ip daddr 185.195.233.76 udp dport 19955 meta mark 0x6d6f6c65 accept
        oif "wg-mullvad" udp dport 53 ip daddr 10.64.0.1 accept
        oif "wg-mullvad" tcp dport 53 ip daddr 10.64.0.1 accept
        udp dport 53 reject
        tcp dport 53 reject with tcp reset
        oif "wg-mullvad" accept
        reject
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct mark 0x00000f41 accept
        udp sport 67 udp dport 68 accept
        ip6 saddr fe80::/10 udp sport 547 ip6 daddr fe80::/10 udp dport 546 accept
        ip6 saddr fe80::/10 icmpv6 type nd-router-advert icmpv6 code no-route accept
        ip6 saddr fe80::/10 icmpv6 type nd-redirect icmpv6 code no-route accept
        ip6 saddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
        icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
        ip saddr 185.195.233.76 udp sport 19955 ct state established accept
        iif "wg-mullvad" accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct mark 0x00000f41 accept
        udp sport 68 ip daddr 255.255.255.255 udp dport 67 accept
        udp sport 67 udp dport 68 accept
        ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff02::1:2 udp dport 547 accept
        ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff05::1:3 udp dport 547 accept
        ip6 saddr fe80::/10 udp sport 547 ip6 daddr fe80::/10 udp dport 546 accept
        ip6 daddr ff02::2 icmpv6 type nd-router-solicit icmpv6 code no-route accept
        ip6 saddr fe80::/10 icmpv6 type nd-router-advert icmpv6 code no-route accept
        ip6 saddr fe80::/10 icmpv6 type nd-redirect icmpv6 code no-route accept
        ip6 daddr ff02::1:ff00:0/104 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
        ip6 daddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
        ip6 saddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
        ip6 daddr fe80::/10 icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
        icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
        oif "wg-mullvad" udp dport 53 ip daddr 10.64.0.1 accept
        oif "wg-mullvad" tcp dport 53 ip daddr 10.64.0.1 accept
        udp dport 53 reject
        tcp dport 53 reject with tcp reset
        oif "wg-mullvad" accept
        iif "wg-mullvad" ct state established accept
        reject
    }

    chain mangle {
        type route hook output priority mangle; policy accept;
        oif "wg-mullvad" udp dport 53 ip daddr 10.64.0.1 accept
        oif "wg-mullvad" tcp dport 53 ip daddr 10.64.0.1 accept
        meta cgroup 5087041 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
    }

    chain nat {
        type nat hook postrouting priority srcnat; policy accept;
        oif "wg-mullvad" ct mark 0x00000f41 drop
        oif != "lo" ct mark 0x00000f41 masquerade
    }
}
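
The mechanism the question is asking about can be read directly off the ip rule output: rule 32764 consults main but suppresses any result whose prefix length is 0, so the default route is ignored while the 192.168.44.0/24 and 10.64.0.1/32 entries still apply; rule 32765 then sends every packet that does not carry fwmark 0x6d6f6c65 to table 1836018789, whose only route is default dev wg-mullvad. The table id and the fwmark are the same number (0x6d6f6c65 is the ASCII string "mole"). Only WireGuard's own encapsulated UDP to 185.195.233.76:19955 carries that mark, so it skips the tunnel table and falls through to the default route in main. The following is an added Python model of that lookup plus a subset of the nft output chain; it is not code from the question, the kernel, Mullvad or WireGuard. It assumes the WireGuard socket sends with fwmark 0x6d6f6c65 (the wg-quick convention; wg show is not in the question), reconstructs the local table from ip a s, and omits the ct-mark/cgroup split-tunnel rules and the DHCP/IPv6 ND exceptions.

```python
"""Model of the Linux policy-routing (RPDB) lookup for the `ip rule` and
`ip route` output in the question, followed by a simplified nftables
'output' chain verdict.  Added illustration only: it implements just the
features the output uses (rule order, fwmark match with 'not',
suppress_prefixlength, longest-prefix match)."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values copied from the question.  Table id == fwmark == b"mole".
WG_FWMARK = 0x6D6F6C65          # 1836018789
WG_TABLE = str(WG_FWMARK)
ENDPOINT = ipaddress.ip_address("185.195.233.76")
ENDPOINT_PORT = 19955
TUNNEL_DNS = ipaddress.ip_address("10.64.0.1")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network   # 0.0.0.0/0 is the default route
    dev: str                        # interface the packet leaves on
    via: Optional[str] = None


@dataclass
class Rule:
    prio: int
    table: str
    fwmark: Optional[int] = None    # None: no mark condition
    invert: bool = False            # "not from all fwmark X"
    suppress_prefixlength: Optional[int] = None


def net(s):
    return ipaddress.ip_network(s, strict=False)


# 'local' is reconstructed from `ip a s` (assumption: one entry per configured
# address; local delivery goes over lo).  main and WG_TABLE are verbatim.
TABLES = {
    "local": [Route(net("127.0.0.0/8"), "lo"),
              Route(net("192.168.44.83/32"), "lo"),
              Route(net("10.147.23.252/32"), "lo")],
    "main": [Route(net("0.0.0.0/0"), "wlp0s20f3", via="192.168.44.1"),
             Route(net("10.64.0.1/32"), "wg-mullvad"),
             Route(net("192.168.44.0/24"), "wlp0s20f3")],
    WG_TABLE: [Route(net("0.0.0.0/0"), "wg-mullvad")],
    "default": [],
}

RULES = [  # `ip rule show`, ascending priority
    Rule(0, "local"),
    Rule(32764, "main", suppress_prefixlength=0),
    Rule(32765, WG_TABLE, fwmark=WG_FWMARK, invert=True),
    Rule(32766, "main"),
    Rule(32767, "default"),
]


def longest_prefix_match(table, dst):
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def route_lookup(dst, mark=0):
    """Return (rule priority, Route) the kernel would pick, or None."""
    dst = ipaddress.ip_address(dst)
    for rule in RULES:
        if rule.fwmark is not None and ((mark == rule.fwmark) == rule.invert):
            continue                                  # mark condition not met
        route = longest_prefix_match(TABLES[rule.table], dst)
        if route is None:
            continue                                  # no match: next rule
        if (rule.suppress_prefixlength is not None
                and route.prefix.prefixlen <= rule.suppress_prefixlength):
            continue                                  # main's default route is ignored here
        return rule.prio, route
    return None


def output_verdict(dst, mark=0, proto="tcp", dport=443):
    """Subset of `chain output`, evaluated in rule order after routing.
    Omitted: ct mark 0xf41 (split tunnel), DHCP and IPv6 ND exceptions."""
    dst = ipaddress.ip_address(dst)
    hit = route_lookup(dst, mark)
    if hit is None:
        return "unreachable"
    oif = hit[1].dev
    if oif == "lo":
        return "accept"
    if dst == ENDPOINT and proto == "udp" and dport == ENDPOINT_PORT and mark == WG_FWMARK:
        return "accept"                               # WireGuard's own encapsulated UDP
    if oif == "wg-mullvad" and dport == 53 and dst == TUNNEL_DNS:
        return "accept"                               # DNS only to the tunnel resolver
    if dport == 53:
        return "reject"                               # any other DNS would leak
    if oif == "wg-mullvad":
        return "accept"
    return "reject"                                   # final rule: nothing else leaves


if __name__ == "__main__":
    for dst, mark in [("1.1.1.1", 0), ("192.168.44.1", 0),
                      ("185.195.233.76", WG_FWMARK), ("10.64.0.1", 0)]:
        prio, route = route_lookup(dst, mark)
        print(f"{dst:>16} mark={mark:#x}: rule {prio} -> dev {route.dev}")
```

Running the main block shows an unmarked packet to 1.1.1.1 leaving via wg-mullvad from rule 32765, a LAN packet to 192.168.44.1 leaving via wlp0s20f3 from rule 32764, and the marked WireGuard UDP to the endpoint leaving via wlp0s20f3 from rule 32766. output_verdict also shows why port-53 traffic to anything but 10.64.0.1 is rejected even inside the tunnel.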
