2025-12-27

Using a WireGuard VPN server as a jump host to reach a Cisco VPN server

Assume there is a WireGuard VPN server on which vpnc (the Cisco VPN client) is already connected to another VPN. We now want clients that connect to this WireGuard server to also be routed through the interface vpnc created, so they can reach the Cisco VPN subnets. The following assumes vpnc created tun0 and WireGuard created wg0 (check with route); configure it with these steps:

1. Edit /etc/sysctl.conf to allow packets to be forwarded between interfaces:
net.ipv4.ip_forward=1
After editing, apply it with sudo sysctl -p

2. Edit /etc/wireguard/wg0.conf and add the following to the [Interface] section:

# nat forward to tun 0
PostUp = iptables -A FORWARD -i wg0 -o tun0 -j ACCEPT
PostUp = iptables -A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# clear nat rules
PostDown = iptables -D FORWARD -i wg0 -o tun0 -j ACCEPT
PostDown = iptables -D FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE

3. Restart the WireGuard service (or bring wg0 down and back up):
sudo systemctl restart wg-quick@wg0

sudo wg-quick down wg0
sudo wg-quick up wg0

4. In the client config's [Peer] section, add the allowed IP ranges (use route to see which subnets are reachable via tun0):
AllowedIPs = 10.0.0.0/24, 163.16.1.0/24
Or, the lazy way, allow everything (this sends all of the client's traffic through the server):
AllowedIPs = 0.0.0.0/0, ::/0

5. Set up vpnc to start automatically via systemd (assuming the profile is already written to /etc/vpnc/default.conf):
sudo vi /etc/systemd/system/vpnc.service
===================
[Unit]
Description=Cisco Compatible VPN Client (vpnc) - default profile
After=network.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/vpnc
ExecStop=/usr/sbin/vpnc-disconnect
RemainAfterExit=yes
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
====================
sudo systemctl daemon-reload
sudo systemctl enable vpnc.service
sudo systemctl start vpnc.service

6. Make WireGuard start only after the vpnc service:
sudo systemctl edit wg-quick@wg0
==============
[Unit]
After=vpnc.service
Wants=vpnc.service
==============
sudo systemctl daemon-reload
sudo systemctl restart wg-quick@wg0
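As an added example (not part of the original post), the helper below derives the AllowedIPs line for step 4 from the routes vpnc installed on tun0, and checks that the forwarding prerequisites from steps 1 and 2 are actually in place. Interface names tun0 and wg0 follow the post's assumptions; the route lines are read from stdin so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes vpnc created tun0 and
# WireGuard created wg0, as in the post.

# Print the subnets routed via a given interface as an AllowedIPs value,
# e.g. "10.0.0.0/24, 163.16.1.0/24". Reads `ip route` style lines from stdin.
# The default route is skipped on purpose so that a default route over tun0
# never silently turns into AllowedIPs = 0.0.0.0/0.
allowed_ips_for_iface() {
    iface="$1"
    awk -v dev="$iface" '
        $1 == "default" { next }
        {
            found = 0
            for (i = 1; i <= NF; i++)
                if ($i == "dev" && $(i + 1) == dev) found = 1
        }
        found {
            net = ($1 ~ /\//) ? $1 : $1 "/32"   # host routes become /32
            nets = (nets == "") ? net : nets ", " net
        }
        END { print nets }
    '
}

# Verify steps 1 and 2: ip_forward enabled and the wg0 -> tun0 rules present.
# iptables -C returns non-zero when a rule is missing.
check_forwarding() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] \
        || { echo "ip_forward is off (step 1)"; return 1; }
    iptables -C FORWARD -i wg0 -o tun0 -j ACCEPT 2>/dev/null \
        || { echo "missing FORWARD wg0 -> tun0 rule (step 2)"; return 1; }
    iptables -t nat -C POSTROUTING -o tun0 -j MASQUERADE 2>/dev/null \
        || { echo "missing MASQUERADE rule on tun0 (step 2)"; return 1; }
    echo "forwarding wg0 -> tun0 is configured"
}

# Usage on the server:
#   ip route | allowed_ips_for_iface tun0    # paste into the client's [Peer]
#   check_forwarding
```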
