如何使用 Wireguard 设置双 VPN?

编程问答 2022-05-11

问题描述

我正在尝试通过 NordVPN 路由一个家庭 VPN,但我无法让它工作。

基本上,我希望我的互联网请求通过:电话 -> 主页 -> NordVPN。 原因是我想要一个分离式 VPN,它可以访问我的家庭设备,同时还可以访问 Internet,而无需提供我的 IP。

硬件

树莓派 4

Debian 10

$ uname -srvmpio
Linux 5.10.0-0.bpo.4-arm64 #1 SMP Debian 5.10.19-1~bpo10+1 (2021-03-13) aarch64 unknown unknown GNU/Linux

软件

Rootless Docker

linuxserver/wireguard

bubuntux/nordvpn

docker-compose.yml

version: "3.8"
services:
  vpn:
    image: bubuntux/nordvpn
    cap_add:
      - NET_ADMIN               # Required
      - SYS_MODULE              # Required for NordLynx
    sysctls:
      - net.ipv4.conf.all.rp_filter=2 # Required for Nordlynx
    devices:
      - /dev/net/tun            # Required
    environment:
      - USER=${NORDVPN_USERNAME}
      - PASS=${NORDVPN_PASSWORD}
      - CONNECT=${NORDVPN_CONNECT}
      - TECHNOLOGY=NordLynx
      - TZ=${TZ}
      - PORTS=64444;51820
      - CYBER_SEC=Enable
    ports:
      - 64444:51820
  
  wireguard:
    image: ghcr.io/linuxserver/wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      TZ: ${TZ}
      SERVERURL: ${URL}
      PEERS: peer1,peer2
      # INTERNAL_SUBNET: 10.13.13.0 #optional
    depends_on:
      - vpn
    volumes:
      - ${DOCKERCONFIG}/wireguard:/config
      - /lib/modules:/lib/modules:ro
    network_mode: service:vpn

由于端口转发,它可以在没有 vpn 的情况下工作。

有人知道如何进行这项工作吗?

非常感谢:)

解决方法

https://unix.stackexchange.com/a/365296 - 是我的答案。通过为 Wireguard 添加路由限额,以便在回复连接时通过 NordVPN 容器的桥接网络,而不是尝试通过 NordVPN 的服务器进行路由,我能够连接一个客户端,该客户端然后通过 Wireguard 将流量路由到 NordVPN。>

首先,我给出了一个定义好的私有IP子网172.18.0.0/24:

networks:
  private:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.18.0.0/24

然后将其附加到 NordVPN 容器:

networks:
    private:
      ipv4_address: 172.18.0.2

这允许我在 Wireguard 容器上定义路由:

ip rule add from 172.18.0.2 table 128 # interface IP for container eth0 on the NordVPN network stack we specified in networks -> private -> ipv4_address
ip route add table 128 to 172.18.0.0/24 dev eth0 # the subnet range for NordVPN container eth0 interface
ip route add table 128 default via 172.18.0.1 # the default gateway

要保持此配置,您可以在 [Interface] 标签下的 Wireguard 接口设置文件 config/wg0.conf 中添加另一个 PostUp & PostDown 参数,并使用 docker-compose restart 首次申请em>。 注意:Wireguard 接受多个 PostUp 和 PostDown 参数,保留由 Wireguard 生成的已经存在的 PostUp 和 PostDown。

PostUp = ip rule add from 172.18.0.2 table 128; ip route add table 128 to 172.18.0.0/24 dev eth0; ip route add table 128 default via 172.18.0.1
PostDown = ip rule del from 172.18.0.2 table 128; ip route del table 128 to 172.18.0.0/24 dev eth0; ip route del table 128 default via 172.18.0.1

为后代共享 Compose 文件:

---
version: "3.3"
services:
  vpn:
    image: ghcr.io/bubuntux/nordvpn
    container_name: nordvpn
    cap_add:
      - NET_ADMIN               # Required
      - SYS_MODULE
    ports:
      - $EXTERNAL_WG_PORT:51820/udp
    environment:                # Review https://github.com/bubuntux/nordvpn#environment-variables
      - USER=$NORDUSR          # Required
      - PASS=$NORDPW            # Required
      - CONNECT=$COUNTRY
      - TECHNOLOGY=NordLynx
      - NETWORK=172.18.0.0/24  # So it can be accessed within the local network
      - PORTS=$EXTERNAL_WG_PORT;51820
      - FIREWALL=Enable
      - KILLSWITCH=Enable
      - CYBER_SEC=Enable
      - DNS=$NV_DNS
    sysctls:
      - net.ipv4.conf.eth0.rp_filter=2
    devices:
      - /dev/net/tun
    restart: unless-stopped
    networks:
        private:
          ipv4_address: 172.18.0.2

  wireguard:
    image: ghcr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - TZ=$TZ
      - SERVERURL=$FQDN #optional
      - SERVERPORT=$EXTERNAL_WG_PORT #optional
      - PEERS=3 #optional
      - PEERDNS=$WG_DNS #optional
      - INTERNAL_SUBNET=172.21.88.0/24 #optional
      - ALLOWEDIPS=$ALLOWEDIPS
    volumes:
      - ./config:/config
      - ./modules:/lib/modules
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    network_mode: service:nordvpn
    restart: unless-stopped
    depends_on:
      - nordvpn

networks:
  private:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.18.0.0/24
dockerdocker-composerootlessvpnwireguard

相关问答

matplotlib报错:AttributeError: module 'backend_interagg' has no attribute 'FigureCanvas'. Did you mean: 'FigureCanvasAgg'?
使用本地python环境可以成功执行 import pandas as pd impor...
gitlab登录失败,报错:This challenge page was accidentally cached by an intermediary and is no longer available.
设置时间 控制面板
后端开发常见错误
错误1:Request method ‘DELETE‘ not supported 错误还原:...
docker常见错误
错误1:启动docker镜像时报错:Error response from daemon:...
idea常见错误
错误1:private field ‘xxx‘ is never assigned 按Alt...
pip安装依赖失败
报错如下,通过源不能下载,最后警告pip需升级版本 Requirem...