一.Test topology
二.Configuration steps
1.Basic configuration
A.PC1 router
interface Ethernet0/0
ip address 172.16.100.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.100.254
B.Site1(VyOS1)
set system host-name 'vyos1'
set interfaces ethernet eth1 address '202.100.1.1/24'
set interfaces ethernet eth2 address '172.16.100.254/24'
set protocols static route 0.0.0.0/0 next-hop '202.100.1.10'
set nat source rule 20 outbound-interface 'eth1'
set nat source rule 20 source address '172.16.100.0/24'
set nat source rule 20 translation address 'masquerade'
C.Internet router
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
no shutdown
interface Ethernet0/1
ip address 61.128.1.10 255.255.255.0
no shutdown
D.Site2(VyOS2)
set system host-name 'vyos2'
set interfaces ethernet eth1 address '61.128.1.1/24'
set interfaces ethernet eth2 address '172.16.200.254/24'
set protocols static route 0.0.0.0/0 next-hop '61.128.1.10'
set nat source rule 20 outbound-interface 'eth1'
set nat source rule 20 source address '172.16.200.0/24'
set nat source rule 20 translation address 'masquerade'
E.PC2 router
interface Ethernet0/0
ip address 172.16.200.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.200.254
2.WireGuard configuration
A.Create the key pairs
①Site1(VyOS1)
vyos@vyos1# run generate wireguard named-keypairs vyos1
vyos@vyos1# run show wireguard keypairs pubkey vyos1
ezDV+um91Cg21EV6a6iVQm0V9Mr0TWvdl3yWpSY3DTk=
②Site2(VyOS2)
vyos@vyos2# run generate wireguard named-keypairs vyos2
vyos@vyos2# run show wireguard keypairs pubkey vyos2
BdMMAjLcudZBTBitiMmx5JfSb4Z6Ffake/dQJHtdPm0=
B.Configure the WireGuard interfaces
①Site1(VyOS1)
set interfaces wireguard wg01 address '10.1.1.1/24'
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg01 peer to-wg02 endpoint '61.128.1.1:12345'
set interfaces wireguard wg01 peer to-wg02 pubkey 'BdMMAjLcudZBTBitiMmx5JfSb4Z6Ffake/dQJHtdPm0='
set interfaces wireguard wg01 port '12345'
set interfaces wireguard wg01 private-key 'vyos1'
②Site2(VyOS2)
set interfaces wireguard wg02 address '10.1.1.2/24'
set interfaces wireguard wg02 description 'VPN-to-wg01'
set interfaces wireguard wg02 peer to-wg01 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg02 peer to-wg01 endpoint '202.100.1.1:12345'
set interfaces wireguard wg02 peer to-wg01 pubkey 'ezDV+um91Cg21EV6a6iVQm0V9Mr0TWvdl3yWpSY3DTk='
set interfaces wireguard wg02 port '12345'
set interfaces wireguard wg02 private-key 'vyos2'
C.Configure dynamic or static routing
①Dynamic routing
--Site1(VyOS1)
set protocols ospf area 0.0.0.0 network '10.1.1.0/24'
set protocols ospf area 0.0.0.0 network '172.16.100.0/24'
--Site2(VyOS2)
set protocols ospf area 0.0.0.0 network '10.1.1.0/24'
set protocols ospf area 0.0.0.0 network '172.16.200.0/24'
②Or static routing
--Site1(VyOS1)
set protocols static interface-route 172.16.200.0/24 next-hop-interface wg01
--Site2(VyOS2)
set protocols static interface-route 172.16.100.0/24 next-hop-interface wg02
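The two peer blocks in section B only work when every value is mirrored correctly between the sites (each side carries the other side's public key, the endpoint is the other side's WAN address and listen port, and allowed-ips covers what the other side will send). The script below is an added example, not part of this lab or of VyOS; it transcribes the lab values into a dict and cross-checks them in both directions, and it flags the catch-all allowed-ips so the operator can decide whether to narrow it to the tunnel subnet and the remote LAN. The function with_pasted_own_key is a hypothetical mistake constructed for illustration: the vyos1 key output pasted into the vyos1 peer block itself.

```python
import copy
import ipaddress

# Constructed from the lab configuration above: Site1 = vyos1, Site2 = vyos2.
SITES = {
    "vyos1": {
        "wan": "202.100.1.1", "lan": "172.16.100.0/24", "address": "10.1.1.1/24",
        "port": 12345, "pubkey": "ezDV+um91Cg21EV6a6iVQm0V9Mr0TWvdl3yWpSY3DTk=",
        "peer": {"endpoint": "61.128.1.1:12345", "allowed_ips": ["0.0.0.0/0"],
                 "pubkey": "BdMMAjLcudZBTBitiMmx5JfSb4Z6Ffake/dQJHtdPm0="},
    },
    "vyos2": {
        "wan": "61.128.1.1", "lan": "172.16.200.0/24", "address": "10.1.1.2/24",
        "port": 12345, "pubkey": "BdMMAjLcudZBTBitiMmx5JfSb4Z6Ffake/dQJHtdPm0=",
        "peer": {"endpoint": "202.100.1.1:12345", "allowed_ips": ["0.0.0.0/0"],
                 "pubkey": "ezDV+um91Cg21EV6a6iVQm0V9Mr0TWvdl3yWpSY3DTk="},
    },
}


def check_peer(local_name, local, remote_name, remote):
    """Findings for the peer block configured on `local` that points at `remote`."""
    findings = []
    peer = local["peer"]

    # 1. Key cross-reference: the peer pubkey on this side must be the remote's own key.
    if peer["pubkey"] != remote["pubkey"]:
        findings.append(f"{local_name}: peer pubkey is not the public key of {remote_name}")

    # 2. Endpoint must be the remote WAN address and the remote listen port.
    host, _, port = peer["endpoint"].rpartition(":")
    if host != remote["wan"] or int(port) != remote["port"]:
        findings.append(f"{local_name}: endpoint {peer['endpoint']} is not "
                        f"{remote['wan']}:{remote['port']} of {remote_name}")

    # 3. Both tunnel addresses must sit in one subnet, otherwise OSPF on the
    #    wg interface never forms an adjacency.
    local_if = ipaddress.ip_interface(local["address"])
    remote_if = ipaddress.ip_interface(remote["address"])
    if local_if.network != remote_if.network:
        findings.append(f"{local_name}: tunnel address {local_if} not in the same "
                        f"subnet as {remote_if} on {remote_name}")

    # 4. Cryptokey routing: allowed-ips must cover the remote tunnel address and
    #    the remote LAN, or packets from those sources are dropped on receipt.
    allowed = [ipaddress.ip_network(n) for n in peer["allowed_ips"]]
    needed = [ipaddress.ip_network(f"{remote_if.ip}/32"),
              ipaddress.ip_network(remote["lan"])]
    for net in needed:
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"{local_name}: allowed-ips does not cover {net}")

    # 5. A catch-all allowed-ips is what the lab uses; flag it so the operator
    #    can decide whether to narrow it to the two prefixes in `needed`.
    if any(a.prefixlen == 0 for a in allowed):
        findings.append(f"{local_name}: warning, allowed-ips 0.0.0.0/0 accepts any "
                        f"source address arriving from {remote_name}")
    return findings


def validate(sites=SITES):
    """Run check_peer in both directions and return the combined findings."""
    a, b = list(sites)
    return check_peer(a, sites[a], b, sites[b]) + check_peer(b, sites[b], a, sites[a])


def with_pasted_own_key(sites=SITES):
    """Hypothetical mistake (constructed): the vyos1 key output is pasted into
    the vyos1 peer block, so vyos1 carries its own pubkey as the peer key."""
    broken = copy.deepcopy(sites)
    broken["vyos1"]["peer"]["pubkey"] = broken["vyos1"]["pubkey"]
    return broken


if __name__ == "__main__":
    for finding in validate():
        print(finding)
```

Run as-is, the lab configuration produces only the two allowed-ips warnings; with the key mix-up a third finding names the side whose peer key is wrong, which is the symptom that otherwise shows up only as a handshake that never completes.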
三.Verification
1.Ping to the remote network succeeds
PC1#ping 172.16.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.1, timeout is 2 seconds:
!!!!!
2.If the dynamic routing protocol OSPF is running, the neighbor comes up normally and the remote route is learned
vyos@vyos1:~$ show ip ospf neighbor
Neighbor ID     Pri State           Dead Time Address         Interface           RXmtL RqstL DBsmL
192.168.10.145    1 Full/DROther    39.471s   10.1.1.2        wg01:10.1.1.1           0     0     0
vyos@vyos1:~$ show ip route ospf
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route
O 10.1.1.0/24 [110/10] is directly connected, wg01, 00:38:15
O 172.16.100.0/24 [110/100] is directly connected, eth2, 00:38:15
O>* 172.16.200.0/24 [110/110] via 10.1.1.2, wg01, 00:10:07
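The two checks above (a Full neighbor on wg01, and 172.16.200.0/24 selected and in the FIB via 10.1.1.2 on wg01) are what an operator reads off by eye; the script below is an added example, not part of this lab or of VyOS, that parses both outputs and turns them into a single pass/fail with reasons. The sample output is constructed from the verification section above; the parsing assumes the FRR column layout shown there.

```python
import re

# Constructed sample output, copied from the verification section of this lab.
NEIGHBOR_OUTPUT = """\
Neighbor ID     Pri State           Dead Time Address         Interface           RXmtL RqstL DBsmL
192.168.10.145    1 Full/DROther    39.471s   10.1.1.2        wg01:10.1.1.1           0     0     0
"""

ROUTE_OUTPUT = """\
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       > - selected route, * - FIB route, q - queued route, r - rejected route

O   10.1.1.0/24 [110/10] is directly connected, wg01, 00:38:15
O   172.16.100.0/24 [110/100] is directly connected, eth2, 00:38:15
O>* 172.16.200.0/24 [110/110] via 10.1.1.2, wg01, 00:10:07
"""

# One OSPF route line: flags, prefix, [AD/metric], "via <nh>," or "is directly
# connected,", then the outgoing interface. Legend lines never match.
ROUTE_RE = re.compile(
    r"^O(?P<flags>[>*]*)\s+(?P<prefix>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+"
    r"(?:via\s+(?P<nexthop>\S+),|is directly connected,)\s+(?P<iface>\S+),"
)


def neighbors(text):
    """Parse `show ip ospf neighbor` rows into dicts (header and blanks skipped)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0].count(".") != 3:
            continue  # header line or junk
        rows.append({
            "id": parts[0],
            "state": parts[2].split("/")[0],   # Full / 2-Way / ExStart ...
            "address": parts[4],
            "iface": parts[5].split(":")[0],   # "wg01:10.1.1.1" -> "wg01"
        })
    return rows


def ospf_routes(text):
    """Parse `show ip route ospf` into {prefix: {...}}, ignoring the code legend."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        routes[m["prefix"]] = {
            "metric": int(m["metric"]),
            "nexthop": m["nexthop"],           # None for connected prefixes
            "iface": m["iface"],
            "selected": ">" in m["flags"],
            "in_fib": "*" in m["flags"],
        }
    return routes


def tunnel_healthy(neighbor_text, route_text, wg_iface, remote_lan):
    """True when a Full neighbor exists on the wg interface and the remote LAN is
    a selected, FIB-installed OSPF route through that interface."""
    reasons = []
    full = [n for n in neighbors(neighbor_text)
            if n["iface"] == wg_iface and n["state"] == "Full"]
    if not full:
        reasons.append(f"no Full OSPF neighbor on {wg_iface}")
    route = ospf_routes(route_text).get(remote_lan)
    if route is None:
        reasons.append(f"{remote_lan} not learned via OSPF")
    elif route["iface"] != wg_iface or not (route["selected"] and route["in_fib"]):
        reasons.append(f"{remote_lan} not installed via {wg_iface}")
    return not reasons, reasons


if __name__ == "__main__":
    print(tunnel_healthy(NEIGHBOR_OUTPUT, ROUTE_OUTPUT, "wg01", "172.16.200.0/24"))
```

On the lab output this returns (True, []); asking the same function about a prefix that is reachable on eth2 rather than through the tunnel returns False with the reason, which is the shape you want when wiring the check into monitoring after the ping test in step 1.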