备注:

1. 如果 hub 配置两个 wireguard 接口并用不同的监听端口,分别与两个 spoke 连接,这时可以跑 ospf,spoke 之间可以通过 hub 中转进行互联。
2. 如果用下面的只配置一个 wireguard 接口,使用多个证书的情况,测试的时候,hub 只能与一个 spoke 建立 osp 邻居,即使像 DMVPN 第三阶段,修改 OSPF 优先级,或者更改网络类型 hub 也不能同时与两个 spoke 建立邻居.
3.. 因此动态路由使用了 BGP,并且 hub 发布汇总路由。

二.配置步骤

1. 基本配置

A.PC1 路由器
interface Ethernet0/0

ip address 172.16.100.1 255.255.255.0
no shutdown
Plain text

ip route 0.0.0.0 0.0.0.0 172.16.100.254
B.Spoke1
set system host-name 'Spoke1'
set interfaces ethernet eth1 address '202.100.1.1/24'
set interfaces ethernet eth2 address '172.16.100.254/24'
set protocols static route 0.0.0.0/0 next-hop '202.100.1.10'
set nat source rule 20 outbound-interface 'eth1'
set nat source rule 20 source address '172.16.100.0/24'
set nat source rule 20 translation address 'masquerade'
C.Internet 路由器
interface Ethernet0/0

ip address 202.100.1.10 255.255.255.0
Plain text

interface Ethernet0/1

ip address 61.128.1.10 255.255.255.0
Plain text

interface Ethernet0/2

ip address 201.100.1.10 255.255.255.0
Plain text

D.Spoke2
set system host-name 'Spoke2'
set interfaces ethernet eth1 address '61.128.1.1/24'
set interfaces ethernet eth2 address '172.16.200.254/24'
set protocols static route 0.0.0.0/0 next-hop '61.128.1.10'
set nat source rule 20 outbound-interface 'eth1'
set nat source rule 20 source address '172.16.200.0/24'
set nat source rule 20 translation address 'masquerade'
E.PC2 路由器
interface Ethernet0/0

ip address 172.16.200.1 255.255.255.0
no shutdown
Plain text

ip route 0.0.0.0 0.0.0.0 172.16.200.254
F:HUB
set system host-name 'hub'
set interfaces ethernet eth1 address '201.100.1.1/24'
set interfaces ethernet eth2 address '172.16.1.254/24'
set protocols static route 0.0.0.0/0 next-hop '201.100.1.10'
G:PC3
interface Ethernet0/0

ip address 172.16.1.1 255.255.255.0
no shutdown
Plain text

ip route 0.0.0.0 0.0.0.0 172.16.1.254

2.WireGuard 配置

A. 创建密钥对
①hub
vyos@hub# run generate wireguard named-keypairs hub
vyos@hub# run show wireguard keypairs pubkey hub
dzuyoFkjfp1OCthgedPVmeQwumu8cTX4pC+pNsFxDU0=
②Spoke1
vyos@vyos1# run generate wireguard named-keypairs vyos1
vyos@vyos1# run show wireguard keypairs pubkey vyos1
ezDV+um91Cg21EV6a6iVQm0V9Mr0TWvdl3yWpSY3DTk=
③Spoke2
vyos@vyos2# run generate wireguard named-keypairs vyos2
vyos@vyos2# run show wireguard keypairs pubkey vyos2
BdMMAjLcudZBTBitiMmx5JfSb4Z6Ffake/dQJHtdPm0=
B. 配置 wireguard 接口
①hub
set interfaces wireguard wg01 address '10.1.1.100/24'
set interfaces wireguard wg01 peer to-spoke1 allowed-ips '172.16.100.0/24'
set interfaces wireguard wg01 peer to-spoke1 allowed-ips '10.1.1.1/32'
set interfaces wireguard wg01 peer to-spoke1 pubkey 'ezDV+um91Cg21EV6a6iVQm0V9Mr0TWvdl3yWpSY3DTk='
set interfaces wireguard wg01 peer to-spoke2 allowed-ips '172.16.200.0/24'
set interfaces wireguard wg01 peer to-spoke2 allowed-ips '10.1.1.2/32'
set interfaces wireguard wg01 peer to-spoke2 pubkey 'BdMMAjLcudZBTBitiMmx5JfSb4Z6Ffake/dQJHtdPm0='
set interfaces wireguard wg01 port '12345'
set interfaces wireguard wg01 private-key 'hub'
备注:跑 BGP 路由才需要 allowed-ips 放行 10.1.1.1 和 10.1.1.2
②Spok1
set interfaces wireguard wg01 address '10.1.1.1/24'
set interfaces wireguard wg01 description 'VPN-to-hub'
set interfaces wireguard wg01 peer to-hub allowed-ips '0.0.0.0/0'
set interfaces wireguard wg01 peer to-hub endpoint '201.100.1.1:12345'
set interfaces wireguard wg01 peer to-hub pubkey 'dzuyoFkjfp1OCthgedPVmeQwumu8cTX4pC+pNsFxDU0='
set interfaces wireguard wg01 port '12345'
set interfaces wireguard wg01 private-key 'vyos1'
③Spoke2
set interfaces wireguard wg01 address '10.1.1.2/24'
set interfaces wireguard wg01 description 'VPN-to-hub'
set interfaces wireguard wg01 peer to-hub allowed-ips '0.0.0.0/0'
set interfaces wireguard wg01 peer to-hub endpoint '201.100.1.1:12345'
set interfaces wireguard wg01 peer to-hub pubkey 'dzuyoFkjfp1OCthgedPVmeQwumu8cTX4pC+pNsFxDU0='
set interfaces wireguard wg01 port '12345'
set interfaces wireguard wg01 private-key 'vyos2'
C. 配置动态路由或静态路由
①动态路由
--hub
set protocols bgp 65541 address-family ipv4-unicast network 172.16.0.0/16
set protocols bgp 65541 neighbor 10.1.1.1 remote-as '65541'
set protocols bgp 65541 neighbor 10.1.1.1 update-source '10.1.1.100'
set protocols bgp 65541 neighbor 10.1.1.2 remote-as '65541'
set protocols bgp 65541 neighbor 10.1.1.2 update-source '10.1.1.100'
--Spke1
set protocols bgp 65541 address-family ipv4-unicast network 172.16.100.0/24
set protocols bgp 65541 neighbor 10.1.1.100 remote-as '65541'
set protocols bgp 65541 neighbor 10.1.1.100 update-source '10.1.1.1'
set protocols static interface-route 10.1.1.0/24 next-hop-interface wg01
备注:hub 因为配置了 allowed-ips,不用配置上面的静态路由。
--Spke2
set protocols bgp 65541 address-family ipv4-unicast network 172.16.200.0/24
set protocols bgp 65541 neighbor 10.1.1.100 remote-as '65541'
set protocols bgp 65541 neighbor 10.1.1.100 update-source '10.1.1.2'
set protocols static interface-route 10.1.1.0/24 next-hop-interface wg01
备注:hub 因为配置了 allowed-ips,不用配置上面的静态路由。
②或者静态路由
--hub
set protocols static interface-route 172.16.100.0/24 next-hop-interface wg01
set protocols static interface-route 172.16.200.0/24 next-hop-interface wg01
--Spke1 和 Spoke2
set protocols static interface-route 172.16.0.0/24 next-hop-interface wg01

三.验证

1.ping 对端网络正常

PC1#ping 172.16.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.1, timeout is 2 seconds:
!!!!!

2. 如果跑动态路由协议 bgp,hub 上可以看到邻居正常,也能学习到路由

vyos@hub# run show ip bgp summary

IPv4 Unicast Summary:
BGP router identifier 201.100.1.1, local AS number 65541 vrf-id 0
BGP table version 7
RIB entries 3, using 552 bytes of memory
Peers 2, using 41 KiB of memory

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.1.1.1 4 65541 54 47 0 0 0 00:09:59 1
10.1.1.2 4 65541 30 32 0 0 0 00:26:08 1

Total number of neighbors 2
[edit]
vyos@hub# run show ip route bgp
Codes: K - kernel route, C - connected, S - static, R - RIP,

   O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
   T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
   F - PBR, f - OpenFabric,
   > - selected route, * - FIB route, q - queued route, r - rejected route
Plain text

B>* 172.16.100.0/24 [200/0] via 10.1.1.1, wg01, 00:10:29
B>* 172.16.200.0/24 [200/0] via 10.1.1.2, wg01, 00:26:39
[edit]

3. 如果跑动态路由协议 bgp,spoke 上可以看到邻居正常,也能学习到路由

vyos@Spoke1# run show ip bgp summary

IPv4 Unicast Summary:
BGP router identifier 202.100.1.1, local AS number 65541 vrf-id 0
BGP table version 6
RIB entries 2, using 368 bytes of memory
Peers 1, using 20 KiB of memory

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.1.1.100 4 65541 90 64 0 0 0 00:11:21 1

Total number of neighbors 1
[edit]
vyos@Spoke1# run show ip route bgp
Codes: K - kernel route, C - connected, S - static, R - RIP,

   O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
   T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
   F - PBR, f - OpenFabric,
   > - selected route, * - FIB route, q - queued route, r - rejected route
Plain text

B>* 172.16.0.0/16 [200/0] via 10.1.1.100, wg01, 00:11:32
[edit]
vyos@Spoke1#