Deploying Tailscale on OpenWrt without LuCI: what is the correct way to configure the firewall? - V2EX
    HOMO114514  2023-12-08 14:49:46 +08:00  1842 views

    Special note: this OpenWrt system is actually a server, or rather a NAS; it has no LAN and no routing function.

    I deployed Tailscale on it and found that, in the same LAN environment, my PC establishes P2P connections with a very high success rate, but when facing pure IPv4 the NAS's hole punching fails most of the time, basically never getting through, and it is forced to go direct. So it must be the firewall or something else that is wrong.

    I searched V2EX and someone had a similar problem, but his router was standard OpenWrt and he just followed the tutorial. This junk NAS of mine happens to run OpenWrt without luci, so I can only edit the firewall rules by hand with uci, but after trying it the traversal does not seem to have improved at all, and I suspect the firewall rules were not written correctly.

    The official OpenWrt tutorial:

    Create a new unmanaged interface via LuCI: Network → Interfaces → Add new interface

    • Name: tailscale
    • Protocol: Unmanaged
    • Device: tailscale0

    Create a new firewall zone via LuCI: Network → Firewall → Zones → Add

    • Name: tailscale
    • Input: ACCEPT (default)
    • Output: ACCEPT (default)
    • Forward: ACCEPT
    • Masquerading: on
    • MSS Clamping: on
    • Covered networks: tailscale
    • Allow forward to destination zones: Select your LAN (and/or other internal zones or WAN if you plan on using this device as an exit node)
    • Allow forward from source zones: Select your LAN (and/or other internal zones or leave it blank if you do not want to route LAN traffic to other tailscale hosts)

    Click Save & Apply

    The relevant environment on this machine, stock network:

    network.loopback=interface
    network.loopback.device='lo'
    network.loopback.proto='static'
    network.loopback.ipaddr='127.0.0.1'
    network.loopback.netmask='255.0.0.0'
    network.globals=globals
    network.globals.ula_prefix='fdb3:5d24:4bbe::/48'
    network.wan1=interface
    network.wan1.ifname='eth0'
    network.wan1.proto='dhcp'
    network.wan2=interface
    network.wan2.ifname='eth1'
    network.wan2.proto='dhcp'
    network.wan26=interface
    network.wan26.proto='dhcpv6'
    network.wan26.device='@wan2'
    network.wan26.disabled='1'
    network.wan16=interface
    network.wan16.proto='dhcpv6'
    network.wan16.device='@wan1'
    network.wan16.disabled='0'

    Stock zone and forwarding:

    firewall.@defaults[0]=defaults
    firewall.@defaults[0].syn_flood='1'
    firewall.@defaults[0].input='ACCEPT'
    firewall.@defaults[0].output='ACCEPT'
    firewall.@defaults[0].forward='REJECT'
    firewall.@zone[0]=zone
    firewall.@zone[0].name='lan'
    firewall.@zone[0].network='lan'
    firewall.@zone[0].input='ACCEPT'
    firewall.@zone[0].output='ACCEPT'
    firewall.@zone[0].forward='ACCEPT'
    firewall.@zone[1]=zone
    firewall.@zone[1].name='wan'
    firewall.@zone[1].network='wan' 'wan6'
    firewall.@zone[1].input='ACCEPT'
    firewall.@zone[1].output='ACCEPT'
    firewall.@zone[1].forward='REJECT'
    firewall.@zone[1].masq='1'
    firewall.@zone[1].mtu_fix='1'
    firewall.@forwarding[0]=forwarding
    firewall.@forwarding[0].src='lan'
    firewall.@forwarding[0].dest='wan'

    Stock rules:

    firewall.@rule[0]=rule
    firewall.@rule[0].name='Allow-DHCP-Renew'
    firewall.@rule[0].src='wan'
    firewall.@rule[0].proto='udp'
    firewall.@rule[0].dest_port='68'
    firewall.@rule[0].target='ACCEPT'
    firewall.@rule[0].family='ipv4'
    firewall.@rule[1]=rule
    firewall.@rule[1].name='Allow-Ping'
    firewall.@rule[1].src='wan'
    firewall.@rule[1].proto='icmp'
    firewall.@rule[1].icmp_type='echo-request'
    firewall.@rule[1].family='ipv4'
    firewall.@rule[1].target='ACCEPT'
    firewall.@rule[2]=rule
    firewall.@rule[2].name='Allow-IGMP'
    firewall.@rule[2].src='wan'
    firewall.@rule[2].proto='igmp'
    firewall.@rule[2].family='ipv4'
    firewall.@rule[2].target='ACCEPT'
    firewall.@rule[3]=rule
    firewall.@rule[3].name='Allow-DHCPv6'
    firewall.@rule[3].src='wan'
    firewall.@rule[3].proto='udp'
    firewall.@rule[3].dest_port='546'
    firewall.@rule[3].family='ipv6'
    firewall.@rule[3].target='ACCEPT'
    firewall.@rule[4]=rule
    firewall.@rule[4].name='Allow-MLD'
    firewall.@rule[4].src='wan'
    firewall.@rule[4].proto='icmp'
    firewall.@rule[4].src_ip='fe80::/10'
    firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
    firewall.@rule[4].family='ipv6'
    firewall.@rule[4].target='ACCEPT'
    firewall.@rule[5]=rule
    firewall.@rule[5].name='Allow-ICMPv6-Input'
    firewall.@rule[5].src='wan'
    firewall.@rule[5].proto='icmp'
    firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
    firewall.@rule[5].limit='1000/sec'
    firewall.@rule[5].family='ipv6'
    firewall.@rule[5].target='ACCEPT'
    firewall.@rule[6]=rule
    firewall.@rule[6].name='Allow-ICMPv6-Forward'
    firewall.@rule[6].src='wan'
    firewall.@rule[6].dest='*'
    firewall.@rule[6].proto='icmp'
    firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
    firewall.@rule[6].limit='1000/sec'
    firewall.@rule[6].family='ipv6'
    firewall.@rule[6].target='ACCEPT'
    firewall.@rule[7]=rule
    firewall.@rule[7].name='Allow-IPSec-ESP'
    firewall.@rule[7].src='wan'
    firewall.@rule[7].dest='lan'
    firewall.@rule[7].proto='esp'
    firewall.@rule[7].target='ACCEPT'
    firewall.@rule[8]=rule
    firewall.@rule[8].name='Allow-ISAKMP'
    firewall.@rule[8].src='wan'
    firewall.@rule[8].dest='lan'
    firewall.@rule[8].dest_port='500'
    firewall.@rule[8].proto='udp'
    firewall.@rule[8].target='ACCEPT'
    firewall.@rule[9]=rule
    firewall.@rule[9].name='Support-UDP-Traceroute'
    firewall.@rule[9].src='wan'
    firewall.@rule[9].dest_port='33434:33689'
    firewall.@rule[9].proto='udp'
    firewall.@rule[9].family='ipv4'
    firewall.@rule[9].target='REJECT'
    firewall.@rule[9].enabled='false'

    Contents of /config/network:

    config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

    config globals 'globals'
        option ula_prefix 'fdb3:5d24:4bbe::/48'

    config interface 'wan1'
        option ifname 'eth0'
        option proto 'dhcp'

    config interface 'wan2'
        option ifname 'eth1'
        option proto 'dhcp'

    config interface 'wan26'
        option proto 'dhcpv6'
        option device '@wan2'
        option disabled '1'

    config interface 'wan16'
        option proto 'dhcpv6'
        option device '@wan1'
        option disabled '0'

    ifconfig:

    eth0       Link encap:Ethernet  HWaddr 98:6E:E8:28:CD:13
               inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
               inet6 addr: 240e:3b5:34e1:edd0::20/128 Scope:Global
               inet6 addr: 240e:3b5:34e1:edd0:9a6e:e8ff:fe28:cd13/64 Scope:Global
               inet6 addr: fe80::9a6e:e8ff:fe28:cd13/64 Scope:Link
               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
               RX packets:9108961 errors:0 dropped:0 overruns:0 frame:0
               TX packets:19775610 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:1000
               RX bytes:1086087055 (1.0 GiB)  TX bytes:24185129426 (22.5 GiB)
               Memory:7fe00000-7fefffff

    eth1       Link encap:Ethernet  HWaddr 98:6E:E8:28:CD:14
               UP BROADCAST MULTICAST  MTU:1500  Metric:1
               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:1000
               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
               Memory:7fc00000-7fcfffff

    lo         Link encap:Local Loopback
               inet addr:127.0.0.1  Mask:255.0.0.0
               inet6 addr: ::1/128 Scope:Host
               UP LOOPBACK RUNNING  MTU:65536  Metric:1
               RX packets:336526 errors:0 dropped:0 overruns:0 frame:0
               TX packets:336526 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:1000
               RX bytes:35845496 (34.1 MiB)  TX bytes:35845496 (34.1 MiB)

    tailscale0 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
               inet addr:100.64.32.34  P-t-P:100.64.32.34  Mask:255.255.255.255
               inet6 addr: fe80::5f8b:6f05:140c:eaa7/64 Scope:Link
               inet6 addr: fd7a:115c:a1e0::22/128 Scope:Global
               UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
               RX packets:1255346 errors:0 dropped:0 overruns:0 frame:0
               TX packets:1060667 errors:0 dropped:0 overruns:0 carrier:0
               collisions:0 txqueuelen:500
               RX bytes:70650430 (67.3 MiB)  TX bytes:4456946163 (4.1 GiB)

    The rules I tried to add:

    uci add network interface
    uci set network.@interface[-1].name='tailscale'
    uci set network.@interface[-1].proto='unmanaged'
    uci set network.@interface[-1].ifname='tailscale0'
    uci commit network
    uci add firewall zone
    uci set firewall.@zone[-1].name='tailscale'
    uci set firewall.@zone[-1].input='ACCEPT'
    uci set firewall.@zone[-1].output='ACCEPT'
    uci set firewall.@zone[-1].forward='ACCEPT'
    uci set firewall.@zone[-1].network='tailscale'
    uci commit firewall
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src='tailscale'
    uci set firewall.@forwarding[-1].dest='lan'
    uci commit firewall
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src='tailscale'
    uci set firewall.@forwarding[-1].dest='wan'
    uci commit firewall
    /etc/init.d/firewall restart

    When restarting the firewall I get warnings like these:

    Warning: Unable to locate ipset utility, disabling ipset support
    Warning: Section @zone[0] (lan) cannot resolve device of network 'lan'
    Warning: Section @zone[1] (wan) cannot resolve device of network 'wan'
    Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
    Warning: Section @zone[2] (tailscale) cannot resolve device of network 'tailscale'
    Warning: Section @zone[0] (lan) has no device, network, subnet or extra options
    Warning: Section @zone[1] (wan) has no device, network, subnet or extra options
    Warning: Section @zone[2] (tailscale) has no device, network, subnet or extra options

    It feels like it still is not configured right. Any ideas?
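
Added example, not part of the post or the replies and not OpenWrt's or Tailscale's own code. The warnings quoted above all say the same thing: a zone's `network` option names a section that does not exist in `/etc/config/network`. On this box the interfaces are `wan1`, `wan2`, `wan16` and `wan26`, so the stock `lan`, `wan` and `wan6` references dangle, and the posted attempt creates an anonymous interface section with an option called `name` rather than a section named `tailscale`, so `network='tailscale'` dangles too (and `proto='unmanaged'` is not a netifd protocol; LuCI's "Unmanaged" is `proto 'none'`). The script below emits a corrected uci sequence that creates named sections, and includes a small lint that reads `uci show network` and `uci show firewall` output and reports every dangling reference before the firewall restart does. It assumes the device is `tailscale0`, the old `ifname` syntax already used in this box's `/config/network`, and tailscaled on its default UDP port 41641 (`TS_PORT` is a placeholder to change if it runs with `--port`); `EXIT_NODE=1` adds the tailscale-to-wan forwarding that is only needed for exit-node use. Two caveats visible in the post itself: `@defaults[0].input` and the wan zone are already `ACCEPT`, so this firewall is not dropping inbound UDP, and eth0 sits on the private address 192.168.1.20, so IPv4 hole punching depends on the upstream NAT as much as on anything configured here.

```sh
#!/bin/sh
# Added example (not from the thread or the OpenWrt project): emit a corrected uci
# sequence for a Tailscale zone on a LuCI-less OpenWrt box, and lint `uci show`
# output for zones whose 'network' option names a section that does not exist,
# which is what "cannot resolve device of network ..." means.
# Assumptions: device tailscale0; the old 'ifname' syntax used in this box's
# /config/network; LuCI "Unmanaged" is proto 'none'; tailscaled on its default
# UDP port 41641 (placeholder: set TS_PORT if it runs with --port).
TS_DEV="${TS_DEV:-tailscale0}"
TS_PORT="${TS_PORT:-41641}"

# Unlike the attempt in the post, the interface is a *named* section
# (network.tailscale=interface), which is what a zone's 'network' option refers to.
tailscale_uci_commands() {
    cat <<EOF
uci set network.tailscale=interface
uci set network.tailscale.proto='none'
uci set network.tailscale.ifname='$TS_DEV'
uci commit network
uci set firewall.tailscale=zone
uci set firewall.tailscale.name='tailscale'
uci set firewall.tailscale.input='ACCEPT'
uci set firewall.tailscale.output='ACCEPT'
uci set firewall.tailscale.forward='ACCEPT'
uci set firewall.tailscale.masq='1'
uci set firewall.tailscale.mtu_fix='1'
uci set firewall.tailscale.network='tailscale'
uci set firewall.allow_tailscale=rule
uci set firewall.allow_tailscale.name='Allow-Tailscale-UDP'
uci set firewall.allow_tailscale.src='wan'
uci set firewall.allow_tailscale.proto='udp'
uci set firewall.allow_tailscale.dest_port='$TS_PORT'
uci set firewall.allow_tailscale.target='ACCEPT'
EOF
    # Forwarding tailscale -> wan only matters if this host is to be an exit node.
    if [ "${EXIT_NODE:-0}" = 1 ]; then
        cat <<EOF
uci set firewall.tailscale_wan=forwarding
uci set firewall.tailscale_wan.src='tailscale'
uci set firewall.tailscale_wan.dest='wan'
EOF
    fi
    printf 'uci commit firewall\n/etc/init.d/firewall restart\n'
}
# Execute on the box itself (uci is not present where this example is tested).
apply_tailscale_uci() { tailscale_uci_commands | sh -e; }

# Lint: $1 = file with `uci show network` output, $2 = file with `uci show firewall`
# output. Prints one line per dangling reference and returns 1 if any was found.
check_zone_networks() {
    awk '
        FNR == NR {                       # first file: collect interface section names
            if ($0 ~ /^network\.[^.=]+=interface$/) {
                s = $0; sub(/^network\./, "", s); sub(/=interface$/, "", s); have[s] = 1
            }
            next
        }
        /^firewall\.[^.]+\.network=/ {    # second file: every zone network reference
            sec = $0; sub(/^firewall\./, "", sec); sub(/\.network=.*$/, "", sec)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/'\''/, "", val)
            n = split(val, refs, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (refs[i] != "" && !(refs[i] in have)) {
                    printf "zone %s references missing network %s\n", sec, refs[i]; bad++
                }
        }
        END { exit bad ? 1 : 0 }
    ' "$1" "$2"
}

# Constructed sample input modelled on the post: real interfaces are wan1/wan2,
# the zones point at lan/wan/wan6, and the posted attempt left 'tailscale' as an
# anonymous section carrying an option named 'name'.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat >"$SAMPLE_DIR/network.txt" <<'EOF'
network.loopback=interface
network.wan1=interface
network.wan1.ifname='eth0'
network.wan2=interface
network.@interface[4]=interface
network.@interface[4].name='tailscale'
network.@interface[4].ifname='tailscale0'
EOF
cat >"$SAMPLE_DIR/firewall.txt" <<'EOF'
firewall.@zone[0].network='lan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[2].network='tailscale'
EOF
# The state after the corrected commands, with the wan zone pointed at the
# interfaces this box actually has.
{ cat "$SAMPLE_DIR/network.txt"; echo "network.tailscale=interface"; } >"$SAMPLE_DIR/network_fixed.txt"
cat >"$SAMPLE_DIR/firewall_fixed.txt" <<'EOF'
firewall.@zone[1].network='wan1' 'wan2'
firewall.tailscale.network='tailscale'
EOF
check_zone_networks "$SAMPLE_DIR/network.txt" "$SAMPLE_DIR/firewall.txt" || echo "-> broken, as in the post"
check_zone_networks "$SAMPLE_DIR/network_fixed.txt" "$SAMPLE_DIR/firewall_fixed.txt" && echo "-> all zone networks resolve"
```

Run it anywhere to see the lint flag `lan`, `wan`, `wan6` and `tailscale` on the sample; on the NAS, feed it `uci show network >/tmp/n; uci show firewall >/tmp/f` and call `check_zone_networks /tmp/n /tmp/f` after every change, and only call `apply_tailscale_uci` once it reports nothing. The wan zone's own `network` option still needs repointing at `wan1`/`wan2` by hand, as reply 3 hints; the script deliberately does not rewrite existing zones.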

    6 replies    2023-12-08 18:40:27 +08:00
    1  sy1989  2023-12-08 14:59:54 +08:00
    You could install luci.
    2  HOMO114514 (OP)  2023-12-08 16:23:12 +08:00 via iPhone
    @sy1989 This customized OpenWrt build had the common glibc library stripped out at compile time, so none of the executables installed through the normal opkg channel can run, so installing a luci probably won't solve the problem.
    3  sy1989  2023-12-08 17:24:54 +08:00
    I haven't studied hole punching. But your machine's network interfaces are not named lan, wan and wan6.
    4  ysc3839  2023-12-08 17:48:32 +08:00 via Android
    @chowdpa02k413 OpenWrt never depended on glibc in the first place; it uses musl libc. Things failing to run is probably a libc version mismatch; you need to find an environment with the same version to compile in.
    5  HOMO114514 (OP)  2023-12-08 18:28:48 +08:00 via iPhone
    @ysc3839 The firmware is closed-source and privately compiled, so there is no way around it.
    6  ysc3839  2023-12-08 18:40:27 +08:00 via Android
    @chowdpa02k413 You don't need the firmware source code; as long as the versions of the relevant dependency libraries match, it generally works.