RouterOS v7 WireGuard + OSPF
0x00 Introduction
Cloud side (Cloud-ROS):
Public IP: 36.133.163.133
WireGuard port: 13231 (UDP)
WireGuard interface IP: 100.100.100.18/24
LAN subnet: 172.18.0.0/16
Home side (Home2-ROS):
Public IP: home2.itho.cn (DDNS)
WireGuard interface IP: 100.100.100.17/24
LAN subnet: 172.17.0.0/16
0x01 Configuring WireGuard
# Configure the WireGuard interface
[admin@CloudROS] /interface/wireguard> add listen-port=13231 name=wireguard1 comment="to-home2"
[admin@CloudROS] /interface/wireguard> /interface wireguard print
Flags: X - disabled; R - running
0 R ;;; to-home2
name="wireguard1" mtu=1420 listen-port=13231
private-key="EHbdNxlxyNAX6r6m04CCpkP1bMK5tMdvLw4JjiKbnE0="
public-key="snFT2YkrFgxLYr9BOJH3T2mGonK7KCtC9PK19fZyJQw="
[admin@HOME2-ROS] /interface/wireguard> add listen-port=13231 name=wireguard1 comment="to-cloud"
[admin@HOME2-ROS] /interface/wireguard> /interface wireguard print
Flags: X - disabled; R - running
0 R ;;; to-cloud
name="wireguard1" mtu=1420 listen-port=13231
private-key="kIYA1Q/gwfBKcB2cwnbz9aRDGbfqNwCVMIltvk32Y2g="
public-key="WBXrKxKAHjzOdW6HUSBb8DiNMIRv9flMelWjdkcNMH8="
# Configure peers
# Because OSPF will be configured, the routing table is generated dynamically. If allowed-address is not set to 0.0.0.0/0, other routes learned by OSPF, or OSPF's own multicast/unicast packets, may be dropped by WireGuard.
[admin@CloudROS] /interface/wireguard/peers> add allowed-address=0.0.0.0/0 endpoint-address="home2.itho.cn" endpoint-port=13231 interface=wireguard1 comment="home2-ros" public-key="WBXrKxKAHjzOdW6HUSBb8DiNMIRv9flMelWjdkcNMH8="
[admin@HOME2-ROS] /interface/wireguard/peers> add allowed-address=0.0.0.0/0 endpoint-address=36.133.163.133 endpoint-port=13231 interface=wireguard1 comment="cloud-ros" public-key="snFT2YkrFgxLYr9BOJH3T2mGonK7KCtC9PK19fZyJQw="
# Configure the WireGuard interface IP
[admin@CloudROS] /ip/address> add address=100.100.100.18/24 interface=wireguard1 network=100.100.100.0
[admin@HOME2-ROS] /interface/wireguard/peers> /ip address/ add address=100.100.100.17/24 interface=wireguard1 network=100.100.100.0
# Test the interface IPs
[admin@CloudROS] > ping 100.100.100.17
0 100.100.100.17 56 64 19ms493us
[admin@HOME2-ROS] > ping 100.100.100.18
0 100.100.100.18 56 64 19ms389us
0x02 Configuring OSPF
Passive: the equivalent of a silent interface (Silent-Interface) on Huawei switches. OSPF does not send Hello packets on this interface, but it still records the interface's subnet (172.17.x.x) and advertises it over WireGuard to the cloud router on the other side.
# Configure the router ID
[admin@CloudROS] /routing/id> add name=ospf-id id=100.100.100.18
[admin@HOME2-ROS] /routing/id> add name=ospf-id id=100.100.100.17
# Configure OSPF
# Why are there two /interface-template entries? The first matches whenever the interface is named wireguard1 (used to bring up the adjacency over the tunnel). The second advertises any address in 172.17.x.x, regardless of which physical interface it sits on.
[admin@CloudROS] /routing/ospf/instance> add name=ospf-inst-1 version=2 router-id=ospf-id
[admin@CloudROS] /routing/ospf/area> add name=backbone instance=ospf-inst-1 area-id=0.0.0.0
[admin@CloudROS] /routing/ospf/interface-template> add area=backbone interfaces=wireguard1 type=ptp
[admin@CloudROS] /routing/ospf/interface-template> add area=backbone networks=172.18.0.0/16 type=ptp passive
[admin@HOME2-ROS] /routing/ospf/instance> add name=ospf-inst-1 version=2 router-id=ospf-id
[admin@HOME2-ROS] /routing/ospf/area> add name=backbone instance=ospf-inst-1 area-id=0.0.0.0
[admin@HOME2-ROS] /routing/ospf/interface-template> add area=backbone interfaces=wireguard1 type=ptp
[admin@HOME2-ROS] /routing/ospf/interface-template> add area=backbone networks=172.17.10.0/24,172.17.200.0/24 type=ptp passive
Verification
# Check the neighbor state; it should be Full
[admin@CloudROS] /ip/route> /routing/ospf/neighbor/print
Flags: V - virtual; D - dynamic
0 D instance=ospf-inst-1 area=backbone address=100.100.100.17 router-id=100.100.100.17 state="Full" state-changes=6 adjacency=2m29s
timeout=37s
# Check the routing table; the OSPF routes are present
[admin@CloudROS] /ip/route> /ip/route/print where ospf
Flags: D - DYNAMIC; A - ACTIVE; o - OSPF
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
DAo 172.17.10.0/24 100.100.100.17%wireguard1 main 110
DAo 172.17.200.0/24 100.100.100.17%wireguard1 main 110
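To turn the two verification commands above into a repeatable check, here is an added Python example (not part of the original post). It parses the neighbor and route printouts and, because allowed-address=0.0.0.0/0 leaves the routing table rather than WireGuard's allowed-address list to decide what enters the tunnel, it also flags any OSPF route that did not arrive from the expected peer or lies outside the prefixes the remote site is supposed to advertise. The sample output strings are constructed from the printouts shown above.

```python
import ipaddress
import re
# Constructed sample: the shape of the two verification commands' output on Cloud-ROS.
NEIGHBOR_OUTPUT = """Flags: V - virtual; D - dynamic
0 D instance=ospf-inst-1 area=backbone address=100.100.100.17 router-id=100.100.100.17 state="Full" state-changes=6 adjacency=2m29s
timeout=37s"""
ROUTE_OUTPUT = """Flags: D - DYNAMIC; A - ACTIVE; o - OSPF
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
DAo 172.17.10.0/24 100.100.100.17%wireguard1 main 110
DAo 172.17.200.0/24 100.100.100.17%wireguard1 main 110"""

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
ROUTE_RE = re.compile(r"^([A-Za-z]+)\s+(\S+)\s+(\S+)\s+\S+\s+\d+$")  # flags dst gateway table distance

def parse_neighbors(text):
    """One dict of key=value fields per neighbor line of /routing/ospf/neighbor/print."""
    return [{k: v.strip('"') for k, v in KV_RE.findall(line)}
            for line in text.splitlines() if "instance=" in line]

def parse_ospf_routes(text):
    """(prefix, gateway ip, interface) for every route carrying the 'o' (OSPF) flag."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m and "o" in m.group(1):
            gw, _, ifname = m.group(3).partition("%")
            routes.append((ipaddress.ip_network(m.group(2)), gw, ifname))
    return routes

def check_tunnel_routing(neighbor_text, route_text, peer_ip, tunnel_if, expected, allowed):
    """Problems found; empty means the adjacency is Full and only expected prefixes were learned, all via the tunnel peer."""
    problems = []
    nbrs = [n for n in parse_neighbors(neighbor_text) if n.get("address") == peer_ip]
    if not nbrs:
        problems.append(f"no OSPF neighbor at {peer_ip}")
    elif nbrs[0].get("state") != "Full":
        problems.append(f"neighbor {peer_ip} is {nbrs[0].get('state')}, not Full")
    routes = parse_ospf_routes(route_text)
    learned = {dst for dst, _, _ in routes}
    problems += [f"expected prefix {p} not learned" for p in expected
                 if ipaddress.ip_network(p) not in learned]
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    for dst, gw, ifname in routes:
        if (gw, ifname) != (peer_ip, tunnel_if):
            problems.append(f"{dst} learned via {gw}%{ifname}, not the tunnel peer")
        if not any(dst.subnet_of(n) for n in allowed_nets):
            problems.append(f"{dst} is outside what the remote site should advertise")
    return problems
```

On the home side, swap the arguments (peer 100.100.100.18, expected 172.18.0.0/16) after pasting the printouts from HOME2-ROS.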