<\/p>\n
\u786e\u4fdd A \u548c B \u8def\u7531\u5668\u4e4b\u95f4\u5efa\u7acb\u7a33\u5b9a\u7684 WireGuard \u96a7\u9053\u3002<\/p>\n
\/interface wireguard add name=wg1 listen-port=51820 private-key=\"A_PRIVATE_KEY\"\r\n\/interface wireguard peers add interface=wg1 public-key=\"B_PUBLIC_KEY\" allowed-address=192.168.10.2\/32 endpoint=\"B_PUBLIC_IP:51820\"\r\n<\/code><\/pre>\n<\/li>\n- \u5728 B \u8def\u7531\u5668\u4e0a\uff1a\n
\/interface wireguard add name=wg1 listen-port=51820 private-key=\"B_PRIVATE_KEY\"\r\n\/interface wireguard peers add interface=wg1 public-key=\"A_PUBLIC_KEY\" allowed-address=192.168.10.1\/32 endpoint=\"A_PUBLIC_IP:51820\"\r\n<\/code><\/pre>\n<\/li>\n<\/ul>\n\u9a8c\u8bc1\u8fde\u63a5<\/h4>\n
\u786e\u4fdd WireGuard \u96a7\u9053\u6b63\u5e38\u5de5\u4f5c\uff0c\u5e76\u5728\u4e24\u4e2a\u8def\u7531\u5668\u4e0a\u76f8\u4e92 ping WireGuard \u7684\u865a\u62df IP\u3002<\/p>\n
\n2. \u914d\u7f6e VXLAN over WireGuard<\/strong><\/h3>\n\u5229\u7528 VXLAN \u6784\u5efa\u4e8c\u5c42\u7f51\u7edc\u3002<\/p>\n
\u914d\u7f6e VXLAN \u63a5\u53e3<\/h4>\n\n- \u5728 A \u8def\u7531\u5668\u4e0a\uff1a\n
\/interface vxlan add name=vxlan1 vxlan-id=42 mtu=1450 dst-port=4789 remote-address=192.168.10.2 local-address=192.168.10.1\r\n<\/code><\/pre>\n<\/li>\n- \u5728 B \u8def\u7531\u5668\u4e0a\uff1a\n
\/interface vxlan add name=vxlan1 vxlan-id=42 mtu=1450 dst-port=4789 remote-address=192.168.10.1 local-address=192.168.10.2\r\n<\/code><\/pre>\n<\/li>\n<\/ul>\n\u521b\u5efa\u6865\u63a5\u7f51\u7edc<\/h4>\n\n- \u5728 A \u8def\u7531\u5668\u4e0a\uff1a\n
\/interface bridge add name=bridge1\r\n\/interface bridge port add bridge=bridge1 interface=vxlan1\r\n<\/code><\/pre>\n<\/li>\n- \u5728 B \u8def\u7531\u5668\u4e0a\uff1a\n
\/interface bridge add name=bridge1\r\n\/interface bridge port add bridge=bridge1 interface=vxlan1\r\n<\/code><\/pre>\n<\/li>\n<\/ul>\n
\n3. \u914d\u7f6e\u4e09\u5c42\u7f51\u7edc\u8def\u7531<\/strong><\/h3>\n\u901a\u8fc7 VXLAN \u5c06 B \u8def\u7531\u5668\u7684\u6240\u6709\u6d41\u91cf\u8def\u7531\u5230 A \u8def\u7531\u5668\uff0c\u5e76\u901a\u8fc7 A \u8def\u7531\u5668\u8bbf\u95ee\u4e92\u8054\u7f51\u3002<\/p>\n
\u8bbe\u7f6e\u9ed8\u8ba4\u8def\u7531<\/h4>\n\n- \u5728 B \u8def\u7531\u5668\u4e0a\uff1a\n
\/ip route add dst-address=0.0.0.0\/0 gateway=192.168.10.1\r\n<\/code><\/pre>\n<\/li>\n<\/ul>\n\u914d\u7f6e A \u8def\u7531\u5668\u7684 NAT<\/h4>\n
\u5728 A \u8def\u7531\u5668\u4e0a\u914d\u7f6e NAT\uff0c\u4ee5\u4fbf\u901a\u8fc7 A \u8def\u7531\u5668\u8bbf\u95ee\u4e92\u8054\u7f51\uff1a<\/p>\n
\/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade\r\n<\/code><\/pre>\n
\n4. \u4f18\u5316\u8de8\u56fd\u7f51\u7edc\u6027\u80fd<\/strong><\/h3>\na. MTU \u8c03\u6574<\/strong><\/h4>\n\u7531\u4e8e VXLAN \u548c WireGuard \u90fd\u4f1a\u589e\u52a0\u5c01\u5305\u5934\uff0c\u786e\u4fdd\u8c03\u6574 MTU \u4ee5\u907f\u514d\u5206\u7247\u95ee\u9898\uff1a<\/p>\n
\n- WireGuard \u63a5\u53e3 MTU\uff1a\n
\/interface wireguard set wg1 mtu=1400\r\n<\/code><\/pre>\n<\/li>\n- VXLAN \u63a5\u53e3 MTU\uff1a\n
\/interface vxlan set vxlan1 mtu=1350\r\n<\/code><\/pre>\n<\/li>\n<\/ul>\nb. QoS\uff08\u6d41\u91cf\u4f18\u5148\u7ea7\uff09<\/strong><\/h4>\n\u8bbe\u7f6e QoS \u89c4\u5219\uff0c\u786e\u4fdd\u5173\u952e\u4e1a\u52a1\u6d41\u91cf\u4f18\u5148\u901a\u8fc7\u96a7\u9053\uff1a<\/p>\n
\/queue simple add name=\"priority\" target=192.168.10.0\/24 max-limit=100M\/100M priority=1\r\n<\/code><\/pre>\nc. TCP BBR<\/strong><\/h4>\n\u542f\u7528 TCP BBR \u62e5\u585e\u63a7\u5236\u7b97\u6cd5\uff0c\u5728\u8def\u7531\u5668\u51fa\u53e3\u4f18\u5316 TCP \u6027\u80fd\uff1a<\/p>\n
\/ip firewall mangle add chain=forward action=set-priority new-priority=6\r\n<\/code><\/pre>\nd. \u52a0\u901f\u52a0\u5bc6\u6027\u80fd<\/strong><\/h4>\n\n- \u5982\u679c Mikrotik \u8def\u7531\u5668\u652f\u6301\u786c\u4ef6\u52a0\u5bc6\u52a0\u901f\uff08\u5982 CCR \u7cfb\u5217\uff09\uff0c\u786e\u4fdd\u542f\u7528\u76f8\u5173\u529f\u80fd\u3002<\/li>\n
- \u4f18\u5316 WireGuard \u7684\u52a0\u5bc6\u7b97\u6cd5\u9009\u62e9\u3002<\/li>\n<\/ul>\n
e. DNS \u4f18\u5316<\/strong><\/h4>\n\u914d\u7f6e\u516c\u5171 DNS\uff08\u5982 Google DNS\u3001Cloudflare DNS\uff09\u4ee5\u51cf\u5c11\u8de8\u56fd\u57df\u540d\u89e3\u6790\u5ef6\u8fdf\uff1a<\/p>\n
\/ip dns set servers=8.8.8.8,8.8.4.4\r\n<\/code><\/pre>\n
\n\u9002\u5408\u7684\u5e94\u7528\u573a\u666f<\/strong><\/h2>\n\n- \u4f01\u4e1a\u7ea7\u8de8\u56fd\u5206\u652f\u4e92\u8054<\/strong>\uff1a\u786e\u4fdd\u5b50\u7f51\u4e4b\u95f4\u7684\u5e7f\u64ad\u3001ARP \u7b49\u4e8c\u5c42\u6d41\u91cf\u900f\u660e\u4f20\u8f93\u3002<\/li>\n
- \u865a\u62df\u673a\u6216\u5bb9\u5668\u96c6\u7fa4\u6269\u5c55<\/strong>\uff1a\u9700\u8981\u8de8\u5730\u57df\u7684\u4e8c\u5c42\u8fde\u63a5\u6765\u4fdd\u8bc1\u670d\u52a1\u4e00\u81f4\u6027\u3002<\/li>\n
- \u96c6\u4e2d\u51fa\u53e3\u7ba1\u7406<\/strong>\uff1a\u5229\u7528 A \u8def\u7531\u5668\u7684\u5f3a\u5927\u51fa\u53e3\u80fd\u529b\u548c\u5e26\u5bbd\u96c6\u4e2d\u7ba1\u7406\u8de8\u56fd\u6d41\u91cf\u3002<\/li>\n<\/ul>\n
\n\u4f18\u5316\u7684\u6ce8\u610f\u4e8b\u9879<\/strong><\/h2>\n\n- \u5ef6\u8fdf\u4e0e\u5e26\u5bbd\u6298\u4e2d<\/strong>\uff1a\u8de8\u56fd\u94fe\u8def\u4e0d\u53ef\u907f\u514d\u5730\u589e\u52a0\u5ef6\u8fdf\uff0c\u5e94\u6839\u636e\u4e1a\u52a1\u573a\u666f\u4f18\u5316\u8def\u5f84\u9009\u62e9\u3002<\/li>\n
- \u96a7\u9053\u53ef\u9760\u6027<\/strong>\uff1a\u8003\u8651\u914d\u7f6e\u5907\u7528\u96a7\u9053\uff08\u5982 IPsec \u6216 GRE over WireGuard\uff09\u4ee5\u63d0\u4f9b\u9ad8\u53ef\u7528\u6027\u3002<\/li>\n
- \u94fe\u8def\u76d1\u63a7<\/strong>\uff1a\u542f\u7528\u5de5\u5177\uff08\u5982 Netwatch\uff09\u76d1\u63a7\u94fe\u8def\u72b6\u6001\uff0c\u53ca\u65f6\u54cd\u5e94\u8fde\u63a5\u4e2d\u65ad\u3002<\/li>\n
- \u6210\u672c\u8003\u91cf<\/strong>\uff1a\u5c3d\u91cf\u9009\u62e9\u7a33\u5b9a\u3001\u4f4e\u5ef6\u8fdf\u7684\u8de8\u56fd\u7ebf\u8def\uff08\u5982\u4e13\u7ebf\u6216\u4f18\u5316\u7684\u4e91\u670d\u52a1\u7f51\u7edc\uff09\u3002<\/li>\n<\/ol>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u65b9\u6848\u5b9e\u73b0\u6b65\u9aa4 1. \u5728 A \u548c B \u8def\u7531\u5668\u4e0a\u914d\u7f6e WireGuard \u786e\u4fdd A \u548c B \u8def\u7531\u5668\u4e4b […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,2],"tags":[],"class_list":["post-12124","post","type-post","status-publish","format-standard","hentry","category-mikrotik","category-network"],"_links":{"self":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/12124","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12124"}],"version-history":[{"count":1,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/12124\/revisions"}],"predecessor-version":[{"id":12125,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/12124\/revisions\/12125"}],"wp:attachment":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12124"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}