
WireGuard-based split routing for IPv4 & IPv6 across multiple scenarios (*Ray + WARP)

草莓牛奶
2022-11-21 / 0 comments / 2 likes / 2,118 reads / 1,804 words
Friendly reminder:
"Blog posts that go out of date are updated promptly; unless otherwise noted they remain valid. Corrections to any errors in the content are welcome."

For the basics of WireGuard routing tables, see WireGuard 基础教程:wg-quick 路由策略解读 (WireGuard basics tutorial: wg-quick routing policy explained).

Q: Why not use warp-go?

A: Native WireGuard has the best performance; warp-go is hard on the CPU.

Q: Why not use *Ray's built-in WireGuard?

A: RPRX has said that, for historical reasons, its UDP performance is poor; it may be optimized in the future.

Q: Why not use sing-box's WireGuard?

A: Too lazy to switch.

Applicable scenarios

1. Cloudflare WARP can add both IPv4 and IPv6 to a VPS, but you only want to use one of them.

2. *Ray does not block access to domestic (mainland China) domains and IPs directly; instead that traffic goes out through WARP.

3. Splitting traffic through WARP.

4. ……

As for why the WARP client or its SOCKS5 mode is not used: mainly because their speed and stability fall short of WireGuard (see the speed tests), and their IPv4 & IPv6 dual-stack support has problems.

As for why both IPv4 and IPv6 are not simply left off global takeover: Xray can pin an outbound to an interface via routing rules, but many other cores still do not support this.

I. Four different application scenarios

<table> is the custom routing table used for WireGuard.
On Linux, tables 1-252 can be defined by the user. The system maintains 4 routing tables by default:
0: reserved by the system.
253: default table. Default routes that are not explicitly assigned elsewhere go here.
254: main table. All routes that do not specify a table go here.
255: local table. Holds local interface addresses, broadcast addresses and NAT addresses; maintained by the system, not to be changed by users.
<mark> is the fwmark carried by packets that are to enter the WireGuard tunnel.
The fwmark on packets WireGuard itself sends out (the encapsulated UDP) is set with wg set wgcf fwmark <table>.

The settings below use wgcf as the interface name.

1. Neither IPv4 nor IPv6 takes over global routing

Table = off

PostUP = wg set wgcf fwmark <table>

PostUP = ip -4 rule add fwmark <mark> lookup <table>
PostUP = ip -4 rule add table main suppress_prefixlength 0
PostUP = ip -4 route add default dev wgcf table <table>
PostDown = ip -4 rule delete fwmark <mark> lookup <table>
PostDown = ip -4 rule delete table main suppress_prefixlength 0

PostUP = ip -6 rule add not fwmark <table> table <table> prio 40000
PostUP = ip -6 rule add fwmark <mark> lookup <table>
PostUP = ip -6 rule add table main suppress_prefixlength 0
PostUP = ip -6 route add default dev wgcf table <table>
PostDown = ip -6 rule delete fwmark <mark> lookup <table>
PostDown = ip -6 rule delete not fwmark <table> table <table> prio 40000
PostDown = ip -6 rule delete table main suppress_prefixlength 0

2. Both IPv4 and IPv6 take over global routing

Table = off

PostUP = wg set wgcf fwmark <table>

PostUP = ip -4 rule add not fwmark <table> table <table>
PostUP = ip -4 rule add table main suppress_prefixlength 0
PostUP = ip -4 route add default dev wgcf table <table>
PostDown = ip -4 rule delete not fwmark <table> table <table>
PostDown = ip -4 rule delete table main suppress_prefixlength 0

PostUP = ip -6 rule add not fwmark <table> table <table>
PostUP = ip -6 rule add table main suppress_prefixlength 0
#PostUp = ip -6 rule add from '$LAN6' lookup main #add this when the host's IPv6 address cannot be reached
PostUP = ip -6 route add default dev wgcf table <table>
PostDown = ip -6 rule delete not fwmark <table> table <table>
PostDown = ip -6 rule delete table main suppress_prefixlength 0
#PostDown = ip -6 rule delete from '$LAN6' lookup main

Alternatively, do not set Table = off, let wg-quick configure the routing rules automatically, and add only:

PostUp = ip -4 rule add from '$LAN4' lookup main
PostDown = ip -4 rule delete from '$LAN4' lookup main
PostUp = ip -6 rule add from '$LAN6' lookup main
PostDown = ip -6 rule delete from '$LAN6' lookup main

3. IPv4 does not take over global routing, IPv6 does

Table = off

PostUP = wg set wgcf fwmark <table>

PostUP = ip -4 rule add fwmark <mark> lookup <table>
PostUP = ip -4 rule add table main suppress_prefixlength 0
PostUP = ip -4 route add default dev wgcf table <table>
PostDown = ip -4 rule delete fwmark <mark> lookup <table>
PostDown = ip -4 rule delete table main suppress_prefixlength 0

PostUP = ip -6 rule add not fwmark <table> table <table>
PostUP = ip -6 rule add table main suppress_prefixlength 0
#PostUp = ip -6 rule add from '$LAN6' lookup main #add this when the host's IPv6 address cannot be reached
PostUP = ip -6 route add default dev wgcf table <table>
PostDown = ip -6 rule delete not fwmark <table> table <table>
PostDown = ip -6 rule delete table main suppress_prefixlength 0
#PostDown = ip -6 rule delete from '$LAN6' lookup main

4. IPv4 takes over global routing, IPv6 does not

Table = off

PostUP = wg set wgcf fwmark <table>

PostUP = ip -4 rule add not fwmark <table> table <table>
PostUP = ip -4 rule add table main suppress_prefixlength 0
PostUP = ip -4 route add default dev wgcf table <table>
PostDown = ip -4 rule delete not fwmark <table> table <table>
PostDown = ip -4 rule delete table main suppress_prefixlength 0

PostUP = ip -6 rule add not fwmark <table> table <table> prio 40000
PostUP = ip -6 rule add fwmark <mark> lookup <table>
PostUP = ip -6 rule add table main suppress_prefixlength 0
PostUP = ip -6 route add default dev wgcf table <table>
PostDown = ip -6 rule delete fwmark <mark> lookup <table>
PostDown = ip -6 rule delete not fwmark <table> table <table> prio 40000
PostDown = ip -6 rule delete table main suppress_prefixlength 0
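As an added illustration (not part of the original post), a small Python model of how the kernel walks the rule sets above. It shows why `table main suppress_prefixlength 0` keeps LAN routes direct while hiding the default route, why packets carrying fwmark <table> (WireGuard's own encapsulated UDP) never loop back into wgcf, and why the IPv6 rule at prio 40000 in scenario 1 only fires when main has no IPv6 route at all. The table ids 51820/51821 and the sample routes are assumptions.

```python
from ipaddress import ip_address, ip_network

# Placeholder values for the page's <table> and <mark> (assumed; any unused ids work).
TABLE, MARK = 51820, 51821

# Constructed sample tables: [(prefix, egress device)]. "main" holds the host's native
# routes (IPv4 default, a LAN prefix, IPv6 default); WG is the custom wgcf table.
MAIN = [("0.0.0.0/0", "eth0"), ("10.0.0.0/24", "eth0"), ("::/0", "eth0")]
WG = [("0.0.0.0/0", "wgcf"), ("::/0", "wgcf")]
TABLES = {"main": MAIN, TABLE: WG}
NO_NATIVE_V6 = {"main": [r for r in MAIN if r[0] != "::/0"], TABLE: WG}  # VPS without IPv6
ANY = lambda m: True

def lookup(routes, dst):
    """Longest-prefix match in one table; returns (prefixlen, device) or None."""
    best = None
    for prefix, dev in routes:
        net = ip_network(prefix)
        if net.version == dst.version and dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best

def route(rules, tables, dst, fwmark=0):
    """Walk rules (prio, table, fwmark predicate, suppress_prefixlength) in priority order,
    as the kernel does, and return the egress device for a locally generated packet."""
    dst = ip_address(dst)
    for _prio, table, match, suppress in sorted(rules, key=lambda r: r[0]):
        if not match(fwmark):
            continue
        hit = lookup(tables.get(table, []), dst)
        # suppress_prefixlength N discards a match whose prefix is not longer than N, so
        # "table main suppress_prefixlength 0" keeps the /24 LAN route but hides the default.
        if hit is None or (suppress is not None and hit[0] <= suppress):
            continue
        return hit[1]
    return "unreachable"

# Scenario 2 (takeover). Rules added later get a lower number, so the suppress rule added
# second (32764) runs before "not fwmark <table>" (32765); main itself sits at 32766.
TAKEOVER = [(32764, "main", ANY, 0),
            (32765, TABLE, lambda m: m != TABLE, None),
            (32766, "main", ANY, None)]

# Scenario 1 (no takeover): only packets Xray marked with <mark> use the wgcf table; the
# IPv6 rule at prio 40000 sits after main, so it is reached only when main has no route.
MARKED_ONLY = [(32764, "main", ANY, 0),
               (32765, TABLE, lambda m: m == MARK, None),
               (32766, "main", ANY, None),
               (40000, TABLE, lambda m: m != TABLE, None)]
```

Feed it a destination and a fwmark to see which device a packet leaves on; the same walk explains the `ip route get` output in the verification section.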

II. *Ray outbound settings

1. By fwmark

{
  "outbounds": [
    {
      "protocol": "freedom",
      "streamSettings": {
          "sockopt": {
              "tcpFastOpen": true,
              "mark": <mark>
              //set fwmark to <mark>; it must match the value used in the WireGuard config
          }
      },
      "settings": {
        "domainStrategy": "UseIP"
          //traffic marked with <mark> uses the chosen strategy: "UseIPv6", "UseIPv4" or "UseIP"
      },
      "tag": "warp-out"
    }
  ]
}

2. By interface

{
  "outbounds": [
    {
      "protocol": "freedom",
      "streamSettings": {
          "sockopt": {
              "tcpFastOpen": true,
              "interface": "wgcf"
              //the WireGuard interface, wgcf in this example
          }
      },
      "settings": {
        "domainStrategy": "AsIs"
          //traffic sent to this outbound uses the chosen strategy: "AsIs", "UseIPv6", "UseIPv4" or "UseIP"
      },
      "tag": "warp-out"
    }
  ]
}

III. Verification

#check the public IP address
curl ip.gs -4
curl ip.gs -4 --interface wgcf
curl ip.gs -6
curl ip.gs -6 --interface wgcf

#connectivity test
ping 8.8.8.8
ping 8.8.8.8 -I wgcf
ping 2001:4860:4860::8888
ping 2001:4860:4860::8888 -I wgcf

#show the route a destination takes
ip -4 route get 8.8.8.8
ip -4 route get 8.8.8.8 dev wgcf
ip -6 route get 2001:4860:4860::8888
ip -6 route get 2001:4860:4860::8888 dev wgcf

#show ip rules
ip -4 rule
ip -6 rule

#show routing tables
ip -4 route show table main
ip -4 route show table local
ip -4 route show table <table>
ip -6 route show table main
ip -6 route show table local
ip -6 route show table <table>

IV. Common problems

1. IPv6 cannot connect

If IPv6 does not take over global routing and the IPv6 network becomes unreachable, it may be because Router Advertisements (RA) have not been disabled on the WireGuard interface:

cat /proc/sys/net/ipv6/conf/wgcf/accept_ra

#0 Do not accept Router Advertisements
#1 Accept Router Advertisements if forwarding is disabled
#2 Overrule forwarding behaviour. Accept Router Advertisements even if forwarding is enabled

Solution

echo "net.ipv6.conf.wgcf.accept_ra = 0" >> /etc/sysctl.conf

sysctl -p /etc/sysctl.conf

#reboot #if it has no effect, just reboot a few more times

2. Cannot be reached over IPv6

This most often happens when IPv6 takes over global routing: the host cannot be reached from outside via its IPv6 address, probably because IPv6 and IPv4 do not leave through the same interface. Just add the following to the WireGuard config (with $LAN6 standing for the host's own IPv6 address):

PostUp = ip -6 rule add from '$LAN6' lookup main
PostDown = ip -6 rule delete from '$LAN6' lookup main