RouterOS Wireguard+OSPF Mesh Networking - YuS

Router configuration | 2023-03-29 21:46

On building a mesh with WireGuard: WireGuard itself only provides the tunnel that carries traffic to the remote sites, and any other tunnel protocol could play that role; WireGuard is simply the more popular choice. The real question is how the mesh does path selection and heals itself dynamically, much as 802.11s does for wireless. Since the whole network runs as Layer 3 routed communication and needs both path selection and self-healing, the natural answer is OSPF for dynamic routing.

To provide redundancy, this example uses several WireGuard interfaces, because a single WireGuard interface cannot let multiple peers carry the same IP prefix in allowed-address. The network topology is as follows:

[Network topology diagram]

WireGuard builds the remote tunnels between the three routers, the three routers form OSPF adjacencies in Area 0, and R3 advertises its 192.168.10.0/24 LAN route into OSPF.

Basic network configuration

R1 router

Configure the IP address:

[admin@R1] > /ip address
[admin@R1] /ip/address> add address=192.168.88.30/24 interface=ether1

Create two WireGuard interfaces, one for R2 and one for R3, listening on ports 13231 and 13232 respectively:

[admin@R1] /ip/address> /interface wireguard
[admin@R1] /interface/wireguard> add listen-port=13231 name=wireguard1-R2
[admin@R1] /interface/wireguard> add listen-port=13232 name=wireguard2-R3

After creation, look up each interface's public key yourself; it is needed for the remote peer configuration and is not repeated here.

R2 router

Configure the IP address:

[admin@R2] > /ip address
[admin@R2] /ip/address> add address=192.168.88.31/24 interface=ether1

Create two WireGuard interfaces, one for R1 and one for R3, listening on ports 13231 and 13230 respectively:

[admin@R2] /ip/address> /interface wireguard
[admin@R2] /interface/wireguard> add listen-port=13231 name=wireguard1-R1
[admin@R2] /interface/wireguard> add listen-port=13230 name=wireguard2-R3

After creation, look up each interface's public key yourself; it is needed for the remote peer configuration and is not repeated here.

R3 router

Configure the IP addresses; on R3 also add 192.168.10.1 on bridge-lan:

[admin@R3] > /ip address
[admin@R3] /ip/address> add address=192.168.88.32/24 interface=ether1
[admin@R3] /ip/address> add address=192.168.10.1/24 interface=bridge-lan

Create the WireGuard interfaces:

[admin@R3] /ip/address> /interface wireguard
[admin@R3] /interface/wireguard> add listen-port=13232 name=wireguard1-R1
[admin@R3] /interface/wireguard> add listen-port=13230 mtu=1420 name=wireguard2-R2

After creation, look up each interface's public key yourself; it is needed for the remote peer configuration and is not repeated here.

WireGuard connections

Each of the three routers creates two WireGuard interfaces, one to each of the other two routers, so the three form a ring. Only with a separate WireGuard interface per neighbour can the peers carry the same IP prefix, and multipoint OSPF multicast works only if 224.0.0.5 is allowed through the tunnel.

R1 router

[admin@R1] /interface/wireguard> /ip address
[admin@R1] /ip/address> add address=172.16.0.1/30 interface=wireguard1-R2
[admin@R1] /ip/address> add address=172.17.0.1/30 interface=wireguard2-R3

R2 router

[admin@R2] /interface/wireguard> /ip address
[admin@R2] /ip/address> add address=172.16.0.2/30 interface=wireguard1-R1
[admin@R2] /ip/address> add address=172.18.0.1/30 interface=wireguard2-R3

R3 router

[admin@R3] /interface/wireguard> /ip address
[admin@R3] /ip/address> add address=172.17.0.2/30 interface=wireguard1-R1
[admin@R3] /ip/address> add address=172.18.0.2/30 interface=wireguard2-R2

R1 router

Connect to R2 and R3: R2 is reached at 192.168.88.31 on port 13231 with R2's public key, and R3 at 192.168.88.32 on port 13232; give each peer the matching allowed-address entries:

[admin@R1] /interface/wireguard> peer
[admin@R1] /interface/wireguard/peers> add allowed-address=172.16.0.0/30,192.168.10.0/24,224.0.0.5/32 \
    comment=R2 endpoint-address=192.168.88.31 endpoint-port=13231 \
    interface=wireguard1-R2 persistent-keepalive=10s \
    public-key="EZlREKCgf4bwS+kEwzKXsVoayai9LfEVwG+tTghLhTA="
[admin@R1] /interface/wireguard/peers> add allowed-address=172.17.0.0/30,192.168.10.0/24,224.0.0.5/32 \
    comment=R3 endpoint-address=192.168.88.32 endpoint-port=13232 \
    interface=wireguard2-R3 persistent-keepalive=10s \
    public-key="WB/NYqr4y/9IyedhOb9/UYLwBet+kG6B7ROHD56h+FE="

R2 router

Connect to R1 and R3: R1 is reached at 192.168.88.30 on port 13231 with R1's public key, and R3 at 192.168.88.32 on port 13230; give each peer the matching allowed-address entries:

[admin@R2] /interface/wireguard> peer
[admin@R2] /interface/wireguard/peers> add allowed-address=172.16.0.0/30,192.168.10.0/24,224.0.0.5/32 \
    comment=R1 endpoint-address=192.168.88.30 endpoint-port=13231 \
    interface=wireguard1-R1 persistent-keepalive=10s \
    public-key="znDZo7Jotu2Vlgk3Iu8ZNfQoelG5bTnUvssHpOiJPTQ="
[admin@R2] /interface/wireguard/peers> add allowed-address=172.18.0.0/30,192.168.10.0/24,224.0.0.5/32 \
    comment=R3 endpoint-address=192.168.88.32 endpoint-port=13230 \
    interface=wireguard2-R3 persistent-keepalive=10s \
    public-key="s9DJhc+43ryGaUgqwhW2NVDrAJFOQz0aPX4Eoo2Up1U="
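With three routers and six peer entries, the configuration above has plenty of places where one side can disagree with the other: an endpoint-port that nothing listens on, a public key pasted onto the wrong interface, or an allowed-address list that forgets 224.0.0.5/32 (OSPF hellos are then silently dropped) or the 192.168.10.0/24 LAN (packets from R3's LAN are dropped the moment OSPF reroutes them over the other tunnel, since allowed-address is also WireGuard's ingress source filter). The following checker, an added example that is neither the post's nor MikroTik's code, models the R1 and R2 entries from the post and flags such mismatches; R3's peer entries and the two public keys the post never shows are constructed placeholders, and it goes slightly beyond the post by also detecting the overlapping-allowed-address case that motivates one interface per neighbour.

```python
"""Consistency check for the WireGuard ring in the post (added example, not the
post's or MikroTik's code).  Router data is reconstructed from the post's R1/R2
listings; R3's peers and two keys the post never shows are constructed placeholders."""
import copy
import ipaddress
from dataclasses import dataclass

OSPF_ALLSPF = ipaddress.ip_network("224.0.0.5/32")  # OSPFv2 AllSPFRouters group

@dataclass
class Iface:
    listen_port: int
    tunnel_addr: str    # this interface's /30 address
    public_key: str     # this interface's own public key

@dataclass
class Peer:
    iface: str          # local WireGuard interface the peer hangs off
    remote: str         # remote router (the post's comment= field)
    endpoint: str
    endpoint_port: int
    public_key: str     # must equal the remote interface's key
    allowed: list       # allowed-address entries

@dataclass
class Router:
    underlay: str       # ether1 address the others dial
    ifaces: dict        # interface name -> Iface
    peers: list

def check_mesh(routers, lan_owner):
    """Return findings (empty = consistent).  lan_owner maps a LAN prefix to the router
    that originates it; every other router must allow it on every peer, because in a
    ring it may arrive over either tunnel and WireGuard drops sources not allowed."""
    findings = []
    for name, r in routers.items():
        for p in r.peers:
            where = f"{name}/{p.iface} peer {p.remote}"
            remote = routers[p.remote]
            if p.endpoint != remote.underlay:
                findings.append(f"{where}: endpoint {p.endpoint} is not {p.remote}'s underlay")
            rif = next((i for i in remote.ifaces.values() if i.listen_port == p.endpoint_port), None)
            if rif is None:
                findings.append(f"{where}: nothing on {p.remote} listens on {p.endpoint_port}")
                continue
            if p.public_key != rif.public_key:
                findings.append(f"{where}: public-key does not match the remote interface")
            remote_ip = ipaddress.ip_interface(rif.tunnel_addr)
            allowed = [ipaddress.ip_network(a) for a in p.allowed]
            if not any(remote_ip.ip in n for n in allowed):
                findings.append(f"{where}: allowed-address does not admit {remote_ip.ip}")
            if OSPF_ALLSPF not in allowed:
                findings.append(f"{where}: 224.0.0.5/32 missing, OSPF hellos will be dropped")
            for prefix, owner in lan_owner.items():
                if owner != name and not any(ipaddress.ip_network(prefix).subnet_of(n) for n in allowed):
                    findings.append(f"{where}: transit prefix {prefix} not in allowed-address")
        # Cryptokey routing: a prefix can belong to one peer per interface, hence one interface per neighbour.
        for ifname in r.ifaces:
            seen = []
            for p in (q for q in r.peers if q.iface == ifname):
                for a in map(ipaddress.ip_network, p.allowed):
                    if any(a.overlaps(s) for s in seen):
                        findings.append(f"{name}/{ifname}: {a} claimed by more than one peer")
                    seen.append(a)
    return findings

COMMON = ["192.168.10.0/24", "224.0.0.5/32"]     # present on every peer in the post
R1_WG2_KEY = "<placeholder: R1 wireguard2-R3 public key, not in the post>"
R2_WG2_KEY = "<placeholder: R2 wireguard2-R3 public key, not in the post>"
K_R1_WG1 = "znDZo7Jotu2Vlgk3Iu8ZNfQoelG5bTnUvssHpOiJPTQ="   # R1 wireguard1-R2
K_R2_WG1 = "EZlREKCgf4bwS+kEwzKXsVoayai9LfEVwG+tTghLhTA="   # R2 wireguard1-R1
K_R3_WG1 = "WB/NYqr4y/9IyedhOb9/UYLwBet+kG6B7ROHD56h+FE="   # R3 wireguard1-R1
K_R3_WG2 = "s9DJhc+43ryGaUgqwhW2NVDrAJFOQz0aPX4Eoo2Up1U="   # R3 wireguard2-R2

MESH = {
    "R1": Router("192.168.88.30",
                 {"wireguard1-R2": Iface(13231, "172.16.0.1/30", K_R1_WG1),
                  "wireguard2-R3": Iface(13232, "172.17.0.1/30", R1_WG2_KEY)},
                 [Peer("wireguard1-R2", "R2", "192.168.88.31", 13231, K_R2_WG1, ["172.16.0.0/30"] + COMMON),
                  Peer("wireguard2-R3", "R3", "192.168.88.32", 13232, K_R3_WG1, ["172.17.0.0/30"] + COMMON)]),
    "R2": Router("192.168.88.31",
                 {"wireguard1-R1": Iface(13231, "172.16.0.2/30", K_R2_WG1),
                  "wireguard2-R3": Iface(13230, "172.18.0.1/30", R2_WG2_KEY)},
                 [Peer("wireguard1-R1", "R1", "192.168.88.30", 13231, K_R1_WG1, ["172.16.0.0/30"] + COMMON),
                  Peer("wireguard2-R3", "R3", "192.168.88.32", 13230, K_R3_WG2, ["172.18.0.0/30"] + COMMON)]),
    # R3's peer section is not in the post; constructed here as the mirror image of R1/R2.
    "R3": Router("192.168.88.32",
                 {"wireguard1-R1": Iface(13232, "172.17.0.2/30", K_R3_WG1),
                  "wireguard2-R2": Iface(13230, "172.18.0.2/30", K_R3_WG2)},
                 [Peer("wireguard1-R1", "R1", "192.168.88.30", 13232, R1_WG2_KEY, ["172.17.0.0/30", "224.0.0.5/32"]),
                  Peer("wireguard2-R2", "R2", "192.168.88.31", 13230, R2_WG2_KEY, ["172.18.0.0/30", "224.0.0.5/32"])]),
}
LAN_OWNER = {"192.168.10.0/24": "R3"}   # R3 originates this LAN into OSPF

def findings_after(mutate):
    """Apply a mutation to a copy of MESH and return what the checker flags."""
    m = copy.deepcopy(MESH)
    mutate(m)
    return check_mesh(m, LAN_OWNER)
```

`check_mesh(MESH, LAN_OWNER)` returns an empty list for the configuration as modelled; `findings_after(lambda m: setattr(m["R2"].peers[0], "endpoint", "192.168.99.30"))` shows the kind of one-octet slip it catches, and removing `224.0.0.5/32` from any peer produces the OSPF warning. The placeholders for the two unknown keys are compared like real keys, so substituting the actual values from `/interface/wireguard print` on R1 and R2 makes the key check meaningful.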