VyOS利用WireGuard配置hub和spoke VPN测试
备注:
1.如果hub配置两个wireguard接口并用不同的监听端口,分别与两个spoke连接,这时可以跑ospf,spoke之间可以通过hub中转进行互联。 2.如果用下面的只配置一个wireguard接口,使用多个证书的情况,测试的时候,hub只能与一个spoke建立osp邻居,即使像DMVPN第三阶段,修改OSPF优先级,或者更改网络类型hub也不能同时与两个spoke建立邻居. 3..因此动态路由使用了BGP,并且hub发布汇总路由。
二.配置步骤
1.基本配置
A.PC1路由器 interface Ethernet0/0
ip address 172.16.100.1 255.255.255.0
no shutdownip route 0.0.0.0 0.0.0.0 172.16.100.254 B.Spoke1 set system host-name 'Spoke1' set interfaces ethernet eth1 address '202.100.1.1/24' set interfaces ethernet eth2 address '172.16.100.254/24' set protocols static route 0.0.0.0/0 next-hop '202.100.1.10' set nat source rule 20 outbound-interface 'eth1' set nat source rule 20 source address '172.16.100.0/24' set nat source rule 20 translation address 'masquerade' C.Internet路由器 interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0interface Ethernet0/1
ip address 61.128.1.10 255.255.255.0interface Ethernet0/2
ip address 201.100.1.10 255.255.255.0D.Spoke2 set system host-name 'Spoke2' set interfaces ethernet eth1 address '61.128.1.1/24' set interfaces ethernet eth2 address '172.16.200.254/24' set protocols static route 0.0.0.0/0 next-hop '61.128.1.10' set nat source rule 20 outbound-interface 'eth1' set nat source rule 20 source address '172.16.200.0/24' set nat source rule 20 translation address 'masquerade' E.PC2路由器 interface Ethernet0/0
ip address 172.16.200.1 255.255.255.0
no shutdownip route 0.0.0.0 0.0.0.0 172.16.200.254 F:HUB set system host-name 'hub' set interfaces ethernet eth1 address '201.100.1.1/24' set interfaces ethernet eth2 address '172.16.1.254/24' set protocols static route 0.0.0.0/0 next-hop '201.100.1.10' G:PC3 interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
no shutdownip route 0.0.0.0 0.0.0.0 172.16.1.254
2.WireGuard配置
A.创建密钥对 ①hub vyos@hub# run generate wireguard named-keypairs hub vyos@hub# run show wireguard keypairs pubkey hub dzuyoFkjfp1OCthgedPVmeQwumu8cTX4pC+pNsFxDU0= ②Spoke1 vyos@vyos1# run generate wireguard named-keypairs vyos1 vyos@vyos1# run show wireguard keypairs pubkey vyos1 ezDV+um91Cg21EV6a6iVQm0V9Mr0TWvdl3yWpSY3DTk= ③Spoke2 vyos@vyos2# run generate wireguard named-keypairs vyos2 vyos@vyos2# run show wireguard keypairs pubkey vyos2 BdMMAjLcudZBTBitiMmx5JfSb4Z6Ffake/dQJHtdPm0= B.配置wireguard接口 ①hub set interfaces wireguard wg01 address '10.1.1.100/24' set interfaces wireguard wg01 peer to-spoke1 allowed-ips '172.16.100.0/24' set interfaces wireguard wg01 peer to-spoke1 allowed-ips '10.1.1.1/32' set interfaces wireguard wg01 peer to-spoke1 pubkey 'ezDV+um91Cg21EV6a6iVQm0V9Mr0TWvdl3yWpSY3DTk=' set interfaces wireguard wg01 peer to-spoke2 allowed-ips '172.16.200.0/24' set interfaces wireguard wg01 peer to-spoke2 allowed-ips '10.1.1.2/32' set interfaces wireguard wg01 peer to-spoke2 pubkey 'BdMMAjLcudZBTBitiMmx5JfSb4Z6Ffake/dQJHtdPm0=' set interfaces wireguard wg01 port '12345' set interfaces wireguard wg01 private-key 'hub' 备注:跑BGP路由才需要allowed-ips放行10.1.1.1和10.1.1.2 ②Spok1 set interfaces wireguard wg01 address '10.1.1.1/24' set interfaces wireguard wg01 description 'VPN-to-hub' set interfaces wireguard wg01 peer to-hub allowed-ips '0.0.0.0/0' set interfaces wireguard wg01 peer to-hub endpoint '201.100.1.1:12345' set interfaces wireguard wg01 peer to-hub pubkey 'dzuyoFkjfp1OCthgedPVmeQwumu8cTX4pC+pNsFxDU0=' set interfaces wireguard wg01 port '12345' set interfaces wireguard wg01 private-key 'vyos1' ③Spoke2 set interfaces wireguard wg01 address '10.1.1.2/24' set interfaces wireguard wg01 description 'VPN-to-hub' set interfaces wireguard wg01 peer to-hub allowed-ips '0.0.0.0/0' set interfaces wireguard wg01 peer to-hub endpoint '201.100.1.1:12345' set interfaces wireguard wg01 peer to-hub pubkey 'dzuyoFkjfp1OCthgedPVmeQwumu8cTX4pC+pNsFxDU0=' set interfaces wireguard wg01 port '12345' set interfaces wireguard wg01 private-key 'vyos2' C.配置动态路由或静态路由 ①动态路由 --hub set protocols bgp 65541 address-family ipv4-unicast network 172.16.0.0/16 set protocols bgp 65541 neighbor 10.1.1.1 remote-as '65541' set protocols bgp 65541 neighbor 10.1.1.1 update-source '10.1.1.100' set protocols bgp 65541 neighbor 10.1.1.2 remote-as '65541' set protocols bgp 65541 neighbor 10.1.1.2 update-source '10.1.1.100' --Spke1 set protocols bgp 65541 address-family ipv4-unicast network 172.16.100.0/24 set protocols bgp 65541 neighbor 10.1.1.100 remote-as '65541' set protocols bgp 65541 neighbor 10.1.1.100 update-source '10.1.1.1' set protocols static interface-route 10.1.1.0/24 next-hop-interface wg01 备注:hub因为配置了allowed-ips,不用配置上面的静态路由。 --Spke2 set protocols bgp 65541 address-family ipv4-unicast network 172.16.200.0/24 set protocols bgp 65541 neighbor 10.1.1.100 remote-as '65541' set protocols bgp 65541 neighbor 10.1.1.100 update-source '10.1.1.2' set protocols static interface-route 10.1.1.0/24 next-hop-interface wg01 备注:hub因为配置了allowed-ips,不用配置上面的静态路由。 ②或者静态路由 --hub set protocols static interface-route 172.16.100.0/24 next-hop-interface wg01 set protocols static interface-route 172.16.200.0/24 next-hop-interface wg01 --Spke1和Spoke2 set protocols static interface-route 172.16.0.0/24 next-hop-interface wg01
三.验证
1.ping对端网络正常
PC1#ping 172.16.200.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.200.1, timeout is 2 seconds: !!!!!
2.如果跑动态路由协议bgp,hub上可以看到邻居正常,也能学习到路由
vyos@hub# run show ip bgp summary
IPv4 Unicast Summary: BGP router identifier 201.100.1.1, local AS number 65541 vrf-id 0 BGP table version 7 RIB entries 3, using 552 bytes of memory Peers 2, using 41 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 10.1.1.1 4 65541 54 47 0 0 0 00:09:59 1 10.1.1.2 4 65541 30 32 0 0 0 00:26:08 1
Total number of neighbors 2 [edit] vyos@hub# run show ip route bgp Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected routeB>* 172.16.100.0/24 [200/0] via 10.1.1.1, wg01, 00:10:29 B>* 172.16.200.0/24 [200/0] via 10.1.1.2, wg01, 00:26:39 [edit]
3.如果跑动态路由协议bgp,spoke上可以看到邻居正常,也能学习到路由
vyos@Spoke1# run show ip bgp summary
IPv4 Unicast Summary: BGP router identifier 202.100.1.1, local AS number 65541 vrf-id 0 BGP table version 6 RIB entries 2, using 368 bytes of memory Peers 1, using 20 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 10.1.1.100 4 65541 90 64 0 0 0 00:11:21 1
Total number of neighbors 1 [edit] vyos@Spoke1# run show ip route bgp Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected routeB>* 172.16.0.0/16 [200/0] via 10.1.1.100, wg01, 00:11:32 [edit] vyos@Spoke1#