VyOS: testing a hub-and-spoke VPN built on WireGuard
Notes:
1. If the hub is given two WireGuard interfaces on different listen ports, one per spoke, OSPF can run over them and the spokes reach each other through the hub.
2. With the single-interface, multi-peer layout configured below, the hub formed an OSPF adjacency with only one spoke in testing; even after changing the OSPF priority or the network type (as in DMVPN phase 3), it could not hold adjacencies with both spokes at once. The reason is WireGuard's cryptokey routing: every outbound packet is encrypted to the single peer whose allowed-ips has the longest match on the destination, and a prefix such as the OSPF multicast range can belong to only one peer, so hellos only ever reach one spoke.
3. Dynamic routing therefore uses BGP, with the hub advertising a summary route. Because a route learned from one iBGP spoke is not re-advertised to the other without route reflection, the summary is what lets spoke-to-spoke traffic flow via the hub.
II. Configuration steps
1. Basic configuration
A. PC1 router
interface Ethernet0/0
ip address 172.16.100.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.100.254
B. Spoke1
set system host-name 'Spoke1'
set interfaces ethernet eth1 address '202.100.1.1/24'
set interfaces ethernet eth2 address '172.16.100.254/24'
set protocols static route 0.0.0.0/0 next-hop '202.100.1.10'
set nat source rule 20 outbound-interface 'eth1'
set nat source rule 20 source address '172.16.100.0/24'
set nat source rule 20 translation address 'masquerade'
C. Internet router
interface Ethernet0/0
ip address 202.100.1.10 255.255.255.0
interface Ethernet0/1
ip address 61.128.1.10 255.255.255.0
interface Ethernet0/2
ip address 201.100.1.10 255.255.255.0
D. Spoke2
set system host-name 'Spoke2'
set interfaces ethernet eth1 address '61.128.1.1/24'
set interfaces ethernet eth2 address '172.16.200.254/24'
set protocols static route 0.0.0.0/0 next-hop '61.128.1.10'
set nat source rule 20 outbound-interface 'eth1'
set nat source rule 20 source address '172.16.200.0/24'
set nat source rule 20 translation address 'masquerade'
E. PC2 router
interface Ethernet0/0
ip address 172.16.200.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.200.254
F. HUB
set system host-name 'hub'
set interfaces ethernet eth1 address '201.100.1.1/24'
set interfaces ethernet eth2 address '172.16.1.254/24'
set protocols static route 0.0.0.0/0 next-hop '201.100.1.10'
G. PC3
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.254
2. WireGuard configuration
A. Generate the key pairs
①hub
vyos@hub# run generate wireguard named-keypairs hub
vyos@hub# run show wireguard keypairs pubkey hub
dzuyoFkjfp1OCthgedPVmeQwumu8cTX4pC+pNsFxDU0=
②Spoke1
vyos@vyos1# run generate wireguard named-keypairs vyos1
vyos@vyos1# run show wireguard keypairs pubkey vyos1
ezDV+um91Cg21EV6a6iVQm0V9Mr0TWvdl3yWpSY3DTk=
③Spoke2
vyos@vyos2# run generate wireguard named-keypairs vyos2
vyos@vyos2# run show wireguard keypairs pubkey vyos2
BdMMAjLcudZBTBitiMmx5JfSb4Z6Ffake/dQJHtdPm0=
B. Configure the WireGuard interfaces
①hub
set interfaces wireguard wg01 address '10.1.1.100/24'
set interfaces wireguard wg01 peer to-spoke1 allowed-ips '172.16.100.0/24'
set interfaces wireguard wg01 peer to-spoke1 allowed-ips '10.1.1.1/32'
set interfaces wireguard wg01 peer to-spoke1 pubkey 'ezDV+um91Cg21EV6a6iVQm0V9Mr0TWvdl3yWpSY3DTk='
set interfaces wireguard wg01 peer to-spoke2 allowed-ips '172.16.200.0/24'
set interfaces wireguard wg01 peer to-spoke2 allowed-ips '10.1.1.2/32'
set interfaces wireguard wg01 peer to-spoke2 pubkey 'BdMMAjLcudZBTBitiMmx5JfSb4Z6Ffake/dQJHtdPm0='
set interfaces wireguard wg01 port '12345'
set interfaces wireguard wg01 private-key 'hub'
Note: the 10.1.1.1/32 and 10.1.1.2/32 entries are only needed for the BGP variant. WireGuard drops any decrypted packet whose inner source address is not in the sending peer's allowed-ips, and the BGP sessions are sourced from the spokes' tunnel addresses; with static routing only the LAN prefixes cross the tunnel. The hub configures no endpoint for its peers, so it learns each spoke's address from that spoke's handshake and the spokes must initiate; if a spoke sits behind NAT, add persistent-keepalive 25 to its to-hub peer so the NAT mapping stays open.
②Spoke1
set interfaces wireguard wg01 address '10.1.1.1/24'
set interfaces wireguard wg01 description 'VPN-to-hub'
set interfaces wireguard wg01 peer to-hub allowed-ips '0.0.0.0/0'
set interfaces wireguard wg01 peer to-hub endpoint '201.100.1.1:12345'
set interfaces wireguard wg01 peer to-hub pubkey 'dzuyoFkjfp1OCthgedPVmeQwumu8cTX4pC+pNsFxDU0='
set interfaces wireguard wg01 port '12345'
set interfaces wireguard wg01 private-key 'vyos1'
③Spoke2
set interfaces wireguard wg01 address '10.1.1.2/24'
set interfaces wireguard wg01 description 'VPN-to-hub'
set interfaces wireguard wg01 peer to-hub allowed-ips '0.0.0.0/0'
set interfaces wireguard wg01 peer to-hub endpoint '201.100.1.1:12345'
set interfaces wireguard wg01 peer to-hub pubkey 'dzuyoFkjfp1OCthgedPVmeQwumu8cTX4pC+pNsFxDU0='
set interfaces wireguard wg01 port '12345'
set interfaces wireguard wg01 private-key 'vyos2'
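As an added example (not from the original page or from VyOS), the following Python model reproduces the cryptokey-routing rules that explain the notes above: an outbound packet is encrypted to the single peer whose allowed-ips has the longest match on the destination and is dropped if none matches, an inbound packet is dropped unless its inner source is in the sending peer's allowed-ips, and a prefix can belong to only one peer at a time. It is loaded with the hub's wg01 peer table from this page; the class and function names are this example's own.

```python
import ipaddress


class WireGuardInterface:
    """Cryptokey-routing table of one WireGuard interface: peer -> allowed-ips.
    Constructed model for this example, not VyOS or WireGuard code."""

    def __init__(self):
        self.peers = {}

    def add_peer(self, name, allowed_ips=()):
        self.peers.setdefault(name, set())
        for prefix in allowed_ips:
            self.allow(name, prefix)

    def allow(self, name, prefix):
        """Add a prefix to a peer. A prefix belongs to exactly one peer, so it
        is removed from any peer that held it before (wg(8) semantics)."""
        net = ipaddress.ip_network(prefix, strict=False)
        for nets in self.peers.values():
            nets.discard(net)
        self.peers.setdefault(name, set()).add(net)

    def outbound_peer(self, dst):
        """Peer a packet for dst is encrypted to (longest allowed-ips match),
        or None: WireGuard drops a packet that matches no peer."""
        addr = ipaddress.ip_address(dst)
        best_peer, best_len = None, -1
        for name, nets in self.peers.items():
            for net in nets:
                if addr in net and net.prefixlen > best_len:
                    best_peer, best_len = name, net.prefixlen
        return best_peer

    def inbound_accepted(self, name, src):
        """After decryption the inner source is checked against the sending
        peer's allowed-ips; anything not listed is dropped."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.peers.get(name, ()))


def hub_wg01(with_tunnel_ips=True):
    """The hub's wg01 peer table as configured on this page. with_tunnel_ips=False
    leaves out the 10.1.1.x/32 entries that the note says BGP needs."""
    wg = WireGuardInterface()
    wg.add_peer("to-spoke1", ["172.16.100.0/24"] + (["10.1.1.1/32"] if with_tunnel_ips else []))
    wg.add_peer("to-spoke2", ["172.16.200.0/24"] + (["10.1.1.2/32"] if with_tunnel_ips else []))
    return wg


def bgp_open_accepted(wg, peer, spoke_tunnel_ip):
    """Would the hub accept a BGP OPEN from this spoke? The TCP session is
    sourced from the spoke's 10.1.1.x address, so allowed-ips decides it."""
    return wg.inbound_accepted(peer, spoke_tunnel_ip)


OSPF_ALL_ROUTERS = "224.0.0.5"


def ospf_hello_receivers(wg):
    """Peers that would receive an OSPF hello sent out of wg01. Multicast is
    routed like any other destination, so at most one peer can hold 224.0.0.0/4
    and therefore hear the hellos."""
    peer = wg.outbound_peer(OSPF_ALL_ROUTERS)
    return [peer] if peer else []


if __name__ == "__main__":
    wg = hub_wg01()
    print("172.16.200.5 ->", wg.outbound_peer("172.16.200.5"))
    print("BGP OPEN from 10.1.1.1 accepted:", bgp_open_accepted(wg, "to-spoke1", "10.1.1.1"))
    print("OSPF hello receivers:", ospf_hello_receivers(wg))
    wg.allow("to-spoke1", "224.0.0.0/4")
    print("after allowing 224.0.0.0/4 on to-spoke1:", ospf_hello_receivers(wg))
    wg.allow("to-spoke2", "224.0.0.0/4")
    print("after also allowing it on to-spoke2:", ospf_hello_receivers(wg))
```

Running it shows the two effects from the notes: with the /32 entries removed, the BGP OPEN from 10.1.1.1 is rejected; and adding 224.0.0.0/4 to the second peer silently takes it away from the first, which is why the hub could only hold one OSPF adjacency on a single interface.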
C. Configure dynamic or static routing
①Dynamic routing (BGP)
--hub
set protocols bgp 65541 address-family ipv4-unicast network 172.16.0.0/16
set protocols bgp 65541 neighbor 10.1.1.1 remote-as '65541'
set protocols bgp 65541 neighbor 10.1.1.1 update-source '10.1.1.100'
set protocols bgp 65541 neighbor 10.1.1.2 remote-as '65541'
set protocols bgp 65541 neighbor 10.1.1.2 update-source '10.1.1.100'
--Spoke1
set protocols bgp 65541 address-family ipv4-unicast network 172.16.100.0/24
set protocols bgp 65541 neighbor 10.1.1.100 remote-as '65541'
set protocols bgp 65541 neighbor 10.1.1.100 update-source '10.1.1.1'
set protocols static interface-route 10.1.1.0/24 next-hop-interface wg01
Note: the hub does not need the static route above, because its allowed-ips already cover the spokes' tunnel addresses.
--Spoke2
set protocols bgp 65541 address-family ipv4-unicast network 172.16.200.0/24
set protocols bgp 65541 neighbor 10.1.1.100 remote-as '65541'
set protocols bgp 65541 neighbor 10.1.1.100 update-source '10.1.1.2'
set protocols static interface-route 10.1.1.0/24 next-hop-interface wg01
Note: the hub does not need the static route above, because its allowed-ips already cover the spokes' tunnel addresses.
②Or static routing
--hub
set protocols static interface-route 172.16.100.0/24 next-hop-interface wg01
set protocols static interface-route 172.16.200.0/24 next-hop-interface wg01
--Spoke1 and Spoke2
set protocols static interface-route 172.16.0.0/16 next-hop-interface wg01
Note: the prefix must be the /16 summary (or one route per remote LAN). A /24 such as 172.16.0.0/24 covers only 172.16.0.0 to 172.16.0.255, so traffic for the hub LAN 172.16.1.0/24 and for the other spoke's LAN would follow the default route out eth1 in the clear instead of entering the tunnel.
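The following Python model, added here and not part of the original page, compares what Spoke1's routing table does with a destination under the two designs above: a longest-prefix lookup over a constructed RIB, plus the iBGP rule that the hub only sends its own network statements (never routes learned from the other spoke) unless it is a route reflector. It also includes a /24 entry to show the failure mode when the summary prefix length is wrong. Addresses come from the page; the design names, next-hop labels and function names are this example's own.

```python
import ipaddress

# Addresses taken from the page; labels and design names are this example's own.
HUB_LAN = "172.16.1.0/24"
SPOKE1_LAN = "172.16.100.0/24"
SPOKE2_LAN = "172.16.200.0/24"
SUMMARY = "172.16.0.0/16"


def hub_advertises_to_spoke(hub_networks, learned_from_other_spokes, route_reflector=False):
    """Prefixes an iBGP hub sends to one iBGP spoke.

    iBGP split horizon: a route learned from one iBGP peer is never passed on
    to another iBGP peer unless the router is a route reflector, so by default
    a spoke only receives the hub's own `network` statements."""
    advertised = set(hub_networks)
    if route_reflector:
        advertised |= set(learned_from_other_spokes)
    return advertised


def lookup(rib, dst):
    """Longest-prefix match over a list of (prefix, exit interface) pairs."""
    addr = ipaddress.ip_address(dst)
    best_net, best_exit = None, None
    for prefix, exit_if in rib:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_exit = net, exit_if
    return best_exit


def spoke1_rib(design):
    """Spoke1's table under one of three designs (constructed from the page):
    'bgp'       - summary learned from the hub over iBGP
    'static-16' - static 172.16.0.0/16 via wg01, as in the corrected config
    'static-24' - a mistaken 172.16.0.0/24 via wg01"""
    rib = [
        ("0.0.0.0/0", "eth1"),    # default route to the Internet router
        (SPOKE1_LAN, "eth2"),     # own LAN, connected
        ("10.1.1.0/24", "wg01"),  # tunnel subnet, connected
    ]
    if design == "bgp":
        for prefix in hub_advertises_to_spoke([SUMMARY], [SPOKE2_LAN]):
            rib.append((prefix, "wg01"))
    elif design == "static-16":
        rib.append((SUMMARY, "wg01"))
    elif design == "static-24":
        rib.append(("172.16.0.0/24", "wg01"))
    else:
        raise ValueError(design)
    return rib


def exit_interface(design, dst):
    """Interface Spoke1 forwards a packet for dst out of: 'wg01' means encrypted
    via the hub, 'eth1' means plaintext (NATed) out the default route."""
    return lookup(spoke1_rib(design), dst)


if __name__ == "__main__":
    for design in ("bgp", "static-16", "static-24"):
        for dst in ("172.16.1.1", "172.16.200.1", "172.16.100.1"):
            print(f"{design:10} {dst:15} -> {exit_interface(design, dst)}")
```

Under 'bgp' Spoke1 reaches both the hub LAN and Spoke2's LAN through wg01 although the hub never relays Spoke2's /24, because the /16 summary covers it; under 'static-24' a packet for 172.16.1.1 matches only the default route and leaves eth1 unencrypted, which is the kind of silent leak a wrong prefix length produces.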
III. Verification
1. Ping to the remote network succeeds
PC1#ping 172.16.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.1, timeout is 2 seconds:
!!!!!
2. When BGP is used, the hub shows both neighbors established and the spoke routes learned
vyos@hub# run show ip bgp summary
IPv4 Unicast Summary:
BGP router identifier 201.100.1.1, local AS number 65541 vrf-id 0
BGP table version 7
RIB entries 3, using 552 bytes of memory
Peers 2, using 41 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.1.1.1 4 65541 54 47 0 0 0 00:09:59 1
10.1.1.2 4 65541 30 32 0 0 0 00:26:08 1
Total number of neighbors 2
[edit]
vyos@hub# run show ip route bgp
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route
B>* 172.16.100.0/24 [200/0] via 10.1.1.1, wg01, 00:10:29
B>* 172.16.200.0/24 [200/0] via 10.1.1.2, wg01, 00:26:39
[edit]
3. When BGP is used, the spoke shows the hub neighbor established and the summary route learned
vyos@Spoke1# run show ip bgp summary
IPv4 Unicast Summary:
BGP router identifier 202.100.1.1, local AS number 65541 vrf-id 0
BGP table version 6
RIB entries 2, using 368 bytes of memory
Peers 1, using 20 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.1.1.100 4 65541 90 64 0 0 0 00:11:21 1
Total number of neighbors 1
[edit]
vyos@Spoke1# run show ip route bgp
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued route, r - rejected route
B>* 172.16.0.0/16 [200/0] via 10.1.1.100, wg01, 00:11:32
[edit]
vyos@Spoke1#