侧边栏壁纸
  • 累计撰写 64 篇文章
  • 累计创建 46 个标签
  • 累计收到 96 条评论

目 录CONTENT

文章目录

基于wireguard的多场景接管IPV4&IPV6的分流设置(*Ray+warp)

草莓牛奶
2022-11-21 / 0 评论 / 2 点赞 / 2,131 阅读 / 1,804 字 / 正在检测是否收录...
温馨提示:
「博客文章out of date 会及时更新,无特殊说明仍然有效,欢迎指正内容中的错误」

关于wiregrad的路由表的基础知识,详见WireGuard 基础教程:wg-quick 路由策略解读

Q:不使用warp-go?

A:原生wireguard性能最优,warp-go对CPU不友好。

Q:不使用*Ray的wireguard?

A:RPRX表示历史原因导致UDP性能低下,未来可能优化。

Q:不使用sing-box的wireguard?

A:懒得换。

适用场景

1.通过Cloudflare的WARP能够为VPS添加IPV4与IPV6,但是只想使用其中一个情况

2.*Ray不直接阻止访问国内的域名和IP,改为由WARP访问

3.通过warp进行数据的分流

4…………

关于为什么不用warp client或者socks5 模式,主要由于速度和稳定性不及wireguard,详见测速,同时对于IPV4&IPV6的双栈支持存在问题

关于为什么不IPV4&IPV6均不接管全局路由,因为Xray能够通过routing规则制定interface,但是仍然有许多不支持的内核存在

一、四种不同应用场景

<table>为自定义的wireguard的路由表
Linux 系统中,可以自定义从 1-252 个路由表。Linux 系统默认维护了 4 个路由表:
0:系统保留表。
253:defulte table。没特别指定的默认路由都放在该表。
254:main table。没指明路由表的所有路由放在该表。
255:locale table。保存本地接口地址,广播地址、NAT 地址,由系统维护,用户不得更改。
<mark>为流入的wireguard的数据包的标签
流出wireguard的数据包的标签,通过wg set wgcf fwmark <table>设置

以下设置以网口为wgcf为例

1、IPV4&IPV6均不接管全局路由

Table = off

PostUP = wg set wgcf fwmark <table>

PostUP = ip -4 rule add fwmark <mark> lookup <table>
PostUP = ip -4 rule add table main suppress_prefixlength 0
PostUP = ip -4 route add default dev wgcf table <table>
PostDown = ip -4 rule delete fwmark <mark> lookup <table>
PostDown = ip -4 rule delete table main suppress_prefixlength 0

PostUP = ip -6 rule add not fwmark <table> table <table> prio 40000
PostUP = ip -6 rule add fwmark <mark> lookup <table>
PostUP = ip -6 rule add table main suppress_prefixlength 0
PostUP = ip -6 route add default dev wgcf table <table>
PostDown = ip -6 rule delete fwmark <mark> lookup <table>
PostDown = ip -6 rule delete not fwmark <table> table <table> prio 40000
PostDown = ip -6 rule delete table main suppress_prefixlength 0

2、IPV4&IPV6接管全局路由

Table = off

PostUP = wg set wgcf fwmark <table>

PostUP = ip -4 rule add not fwmark <table> table <table>
PostUP = ip -4 rule add table main suppress_prefixlength 0
PostUP = ip -4 route add default dev wgcf table <table>
PostDown = ip -4 rule delete not fwmark <table> table <table>
PostDown = ip -4 rule delete table main suppress_prefixlength 0

PostUP = ip -6 rule add not fwmark <table> table <table>
PostUP = ip -6 rule add table main suppress_prefixlength 0
#PostUp = ip -6 rule add from '$LAN6' lookup main #ipv6地址无法访问时添加
PostUP = ip -6 route add default dev wgcf table <table>
PostDown = ip -6 rule delete not fwmark <table> table <table>
PostDown = ip -6 rule delete table main suppress_prefixlength 0
#PostDown = ip -6 rule delete from '$LAN6' lookup main

或者不使用Table = off,让其自动配置路由规则

PostUp = ip -4 rule add from '$LAN4' lookup main
PostDown = ip -4 rule delete from '$LAN4' lookup main
PostUp = ip -6 rule add from '$LAN6' lookup main
PostDown = ip -6 rule delete from '$LAN6' lookup main

3、IPV4不接管全局路由,IPV6接管全局路由

Table = off

PostUP = wg set wgcf fwmark <table>

PostUP = ip -4 rule add fwmark <mark> lookup <table>
PostUP = ip -4 rule add table main suppress_prefixlength 0
PostUP = ip -4 route add default dev wgcf table <table>
PostDown = ip -4 rule delete fwmark <mark> lookup <table>
PostDown = ip -4 rule delete table main suppress_prefixlength 0

PostUP = ip -6 rule add not fwmark <table> table <table>
PostUP = ip -6 rule add table main suppress_prefixlength 0
#PostUp = ip -6 rule add from '$LAN6' lookup main #ipv6地址无法访问时添加
PostUP = ip -6 route add default dev wgcf table <table>
PostDown = ip -6 rule delete not fwmark <table> table <table>
PostDown = ip -6 rule delete table main suppress_prefixlength 0
#PostDown = ip -6 rule delete from '$LAN6' lookup main

4、IPV4接管全局路由,IPV6不接管全局路由

Table = off

PostUP = wg set wgcf fwmark <table>

PostUP = ip -4 rule add not fwmark <table> table <table>
PostUP = ip -4 rule add table main suppress_prefixlength 0
PostUP = ip -4 route add default dev wgcf table <table>
PostDown = ip -4 rule delete not fwmark <table> table <table>
PostDown = ip -4 rule delete table main suppress_prefixlength 0

PostUP = ip -6 rule add not fwmark <table> table <table> prio 40000
PostUP = ip -6 rule add fwmark <mark> lookup <table>
PostUP = ip -6 rule add table main suppress_prefixlength 0
PostUP = ip -6 route add default dev wgcf table <table>
PostDown = ip -6 rule delete fwmark <mark> lookup <table>
PostDown = ip -6 rule delete not fwmark <table> table <table> prio 40000
PostDown = ip -6 rule delete table main suppress_prefixlength 0

二、*Ray的Outbounds设置

1.根据fwmark

{
  "outbounds": [
    {
      "protocol": "freedom",
      "streamSettings": {
          "sockopt": {
              "tcpFastOpen": true,
              "mark":<mark>
              //设置fwmark为<mark>需要与wireguard中一致
          }
      },
      "settings": {
        "domainStrategy": "UseIP"
          //设置fwmark为<mark>的用户走指定方式”UseIPv6、UseIPv4、UseIP”
      },
      "tag": "warp-out"
    }
  ]
}

2.根据interface

{
  "outbounds": [
    {
      "protocol": "freedom",
      "streamSettings": {
          "sockopt": {
              "tcpFastOpen": true,
              "interface":"wgcf"
              //wireguard网口为wgcf为例
          }
      },
      "settings": {
        "domainStrategy": "AsIs"
          //设置f的用户走指定方式”AsIs、UseIPv6、UseIPv4、UseIP”
      },
      "tag": "warp-out"
    }
  ]
}

三、验证方式

#验证IP地址
curl ip.gs -4
curl ip.gs -4 --interface wgcf
curl ip.gs -6
curl ip.gs -6 --interface wgcf

#连通性测试
ping 8.8.8.8
ping 8.8.8.8 -I wgcf
ping 2001:4860:4860::8888
ping 2001:4860:4860::8888 -I wgcf

#查看路由
ip -4 route get 8.8.8.8
ip -4 route get 8.8.8.8 dev wgcf
ip -6 route get 2001:4860:4860::8888
ip -6 route get 2001:4860:4860::8888 dev wgcf

#查看ip规则
ip -4 rule
ip -6 rule

#查看路由表
ip -4 route show table main
ip -4 route show table local
ip -4 route show table <table>
ip -6 route show table main
ip -6 route show table local
ip -6 route show table <table>

四、常见问题

1.IPV6无法连接

如果在IPV6不接管全局路由时,发生无法访问IPV6网络的情况,可能是因为wireguard接口的RA 广播没有被禁用

cat /proc/sys/net/ipv6/conf/wgcf/accept_ra

#0 Do not accept Router Advertisements
#1 Accept Router Advertisements if forwarding is disabled
#2 Overrule forwarding behaviour. Accept Router Advertisements even if forwarding is enabled

#0 不接受路由器 RA 广播
#1 如果转发被禁用,则接受路由器 RA 广播
#2 无视转发行为,即使启用了转发,也接受路由器 RA 广播 

解决方法

echo "net.ipv6.conf.wgcf.accept_ra = 0" >> /etc/sysctl.conf

sysctl -p /etc/sysctl.conf

#reboot #如果无效,总之就是多重启几次

2.无法通过IPV6连接

这种情况很大概率发生在IPV6接管全局路由时,外部无法通过IPV6地址连接,可能是因为IPV6和IPV4并不使用同一个接口,只需要在wiregrad的配置中加入

PostUp = ip -6 rule add from '$LAN6' lookup main
PostDown = ip -6 rule delete from '$LAN6' lookup main
2

评论区