Tutorial: interconnecting several homes (WireGuard + OSPF + IPSec)

Core idea: the main home has a fixed public IP; a WireGuard tunnel links it to a public-cloud host; OSPF distributes routes dynamically; homes on dynamic IPs reach in over IPSec; VLANs isolate the main-home LAN.
```mermaid
graph TB
Internet[Internet]
MainHome[Main home<br/>public IP: 100.64.1.100<br/>Huawei router]
MyHome[Xiao Wang home<br/>dynamic IP + IPSec]
ZhangHome[Xiao Zhang home<br/>dynamic IP + IPSec]
AliCloud[Public cloud<br/>public IP: 100.64.2.200]
subgraph MainLAN[Main home LAN]
MainRouter[Huawei router]
Debian[Debian: 192.168.10.3]
VLAN10[Servers: 192.168.10.0/26]
VLAN11[Users: 192.168.11.0/24]
MainRouter --- VLAN10 & VLAN11
VLAN10 --- Debian
end
MyHomeLAN[Xiao Wang home: 192.168.12.0/24]
ZhangHomeLAN[Xiao Zhang home: 192.168.13.0/24]
Internet --- MainHome & MyHome & ZhangHome & AliCloud
MainHome --- MainRouter
MyHome --- MyHomeLAN
ZhangHome --- ZhangHomeLAN
Debian <-->|WireGuard 50193| AliCloud
MainRouter <-->|IPSec| MyHome & ZhangHome
Debian <-->|OSPF| MainRouter & AliCloud
```
| Device | Requirements | Software |
|---|---|---|
| Main-home Debian | 2 cores, 2 GB RAM, fixed LAN IP | wireguard, bird2, nftables |
| Public cloud | 1 core, 2 GB RAM, public IP | same as above |
| Huawei router | supports OSPF, IPSec IKEv2, VLAN | - |
| Other home routers | supports IPSec IKEv2 client | - |

Tools: SSH client (Xshell), text editor (nano)
Main-home Debian: install the packages and generate the WireGuard key pair:

```bash
apt update && apt install -y wireguard bird2 nftables
wg genkey > /etc/wireguard/private.key
wg pubkey < /etc/wireguard/private.key > /etc/wireguard/public.key
```
Debian `/etc/wireguard/wg0.conf`. `Table = off` stops wg-quick from installing a route for `AllowedIPs = 0.0.0.0/0`, so routing over the tunnel is left to OSPF. The chain definition in `PostUp` is quoted because wg-quick runs hooks through `bash -c`, which would otherwise treat the `;` inside the braces as a command separator:

```ini
[Interface]
Address = 192.168.20.254/28
ListenPort = 50193
PrivateKey = <contents of local private.key>
Table = off
PostUp = sysctl -w net.ipv4.ip_forward=1; nft add table ip nat; nft add chain ip nat postrouting '{ type nat hook postrouting priority 100; }'; nft add rule ip nat postrouting ip saddr 192.168.20.240/28 oifname "ens192" masquerade
PostDown = nft delete table ip nat

[Peer]
PublicKey = <contents of the public cloud's public.key>
AllowedIPs = 0.0.0.0/0
Endpoint = ali.example.com:50193
PersistentKeepalive = 25
```
Debian `/etc/bird/bird.conf`:

```
router id 192.168.10.3;
protocol device { scan time 10; }
protocol kernel { ipv4 { export all; import all; }; }
protocol ospf v2 {
  area 0 {
    interface "ens192" { cost 10; };
    interface "wg0" { cost 5; type ptp; };
  };
}
```
Bring up the tunnel and start BIRD (the Debian bird2 package installs its unit as `bird.service`, not `bird2`):

```bash
wg-quick up wg0
systemctl start bird
systemctl enable wg-quick@wg0 bird
```
Public cloud host: install the packages and generate keys exactly as on Debian.
Cloud `/etc/wireguard/wg0.conf` (same quoting of the `nft` chain definition as on Debian):

```ini
[Interface]
Address = 192.168.20.253/28
ListenPort = 50193
PrivateKey = <contents of local private.key>
Table = off
PostUp = sysctl -w net.ipv4.ip_forward=1; nft add table ip nat; nft add chain ip nat postrouting '{ type nat hook postrouting priority 100; }'; nft add rule ip nat postrouting ip saddr 192.168.20.240/28 oifname "eth0" masquerade
PostDown = nft delete table ip nat

[Peer]
PublicKey = <contents of the Debian host's public.key>
AllowedIPs = 0.0.0.0/0
Endpoint = wg.example.com:50193
PersistentKeepalive = 25
```
Cloud `/etc/bird/bird.conf`:

```
router id 192.168.20.253;
protocol device { scan time 10; }
protocol kernel { ipv4 { export all; }; }
protocol ospf v2 {
  area 0 { interface "wg0" { cost 5; type ptp; }; }
}
```
Start and enable the services as on Debian.
Huawei router (main home) configuration:

```
# Basic
sysname HomeRouter
clock timezone beijing add 08:00:00
dhcp enable
undo info-center enable
# VLAN
interface GigabitEthernet0/0/11
 ip address 192.168.0.9 255.255.255.252
interface GigabitEthernet0/0/11.10
 dot1q termination vid 10
 ip address 192.168.10.1 255.255.255.192
 dhcp select interface
 dhcp server static-bind ip-address 192.168.10.3 mac-address 00:0c:29:xx:xx:xx
interface GigabitEthernet0/0/11.11
 dot1q termination vid 11
 ip address 192.168.11.1 255.255.255.0
 dhcp select interface
# WAN port
interface GigabitEthernet0/0/7
 ip address 100.64.1.100 255.255.255.0
 nat outbound 3000
 zone untrust
# ACL
acl name Internet_nat 3000
 rule 1000 permit ip
acl name inport 3600
 rule 401 permit udp destination-port eq 50193
 rule 501 permit ip source 192.168.12.0 0.0.1.255
# IPSec
ipsec proposal ipsec128
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-128
ike proposal default
 encryption-algorithm aes-128
 dh group14
 authentication-algorithm sha2-256
 authentication-method pre-share
ike peer ikep
 version 2
 pre-shared-key cipher <pre-shared key>
 dpd type periodic
ipsec policy-template ipsecpt 10
 security acl 3800
 ike-peer ikep
 proposal ipsec128
 route inject dynamic preference 55
ipsec policy ipsecHome 10 isakmp template ipsecpt
# OSPF
ospf 1
 import-route unr
 area 0
  network 192.168.10.0 0.0.0.63
  network 192.168.11.0 0.0.0.255
  network 192.168.12.0 0.0.1.255
# Routing
ip route-static 0.0.0.0 0.0.0.0 100.64.1.1
save
```
Verification:

- WireGuard: `wg show wg0`, check that `latest handshake` is recent
- OSPF neighbours (on Debian): `birdc show ospf neighbors`, the state should be Full
- Routes: `ip route show`, subnets such as 192.168.12.0/24 should be listed
- Connectivity: `ping 192.168.12.1`; if it replies, the setup works
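The three checks above can be scripted. The following is an added example, not part of the original tutorial: it parses the text that `wg show wg0 dump`, `birdc show ospf neighbors` and `ip route show` print on the Debian hub and reports stale handshakes, adjacencies that are not Full, and expected LAN prefixes that have not been learned. The sample output embedded below is constructed, and the 180 s handshake threshold is an assumption derived from `PersistentKeepalive = 25`.

```python
"""Offline health check for the WireGuard + OSPF hub above: parses what `wg show
wg0 dump`, `birdc show ospf neighbors` and `ip route show` print on the Debian box."""
import re

HANDSHAKE_MAX_AGE = 180  # s; assumption: keepalive 25 => re-handshake every ~2 min

def wg_handshake_ages(dump: str, now: int) -> dict:
    """Peer public key -> seconds since its last handshake (`wg ... dump` format)."""
    ages = {}
    for line in dump.splitlines()[1:]:       # line 0 describes the interface itself
        fields = line.split("\t")            # field 4 = unix timestamp, 0 = never
        if len(fields) >= 8:
            ages[fields[0]] = now - int(fields[4])
    return ages

def ospf_neighbor_states(output: str) -> dict:
    """Neighbour router ID -> OSPF state from `birdc show ospf neighbors`."""
    states = {}
    for line in output.splitlines():
        cols = line.split()                  # data rows: <router id> <pri> <State/Role> ...
        if len(cols) >= 3 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", cols[0]):
            states[cols[0]] = cols[2].split("/")[0]
    return states

def missing_routes(table: str, expected: list) -> list:
    """Expected prefixes absent from `ip route show` output."""
    present = {ln.split()[0] for ln in table.splitlines() if ln.strip()}
    return [p for p in expected if p not in present]

def check(dump: str, ospf: str, routes: str, expected: list, now: int) -> list:
    """List of problems; an empty list means tunnel, adjacencies and routes are fine."""
    problems = [f"wg peer {k[:8]} last handshake {age}s ago"
                for k, age in wg_handshake_ages(dump, now).items() if age > HANDSHAKE_MAX_AGE]
    problems += [f"ospf neighbour {rid} is {st}, not Full"
                 for rid, st in ospf_neighbor_states(ospf).items() if st != "Full"]
    return problems + [f"route {p} missing" for p in missing_routes(routes, expected)]

# Constructed sample: cloud peer fine, router adjacency stuck in 2-Way, one LAN not learned
NOW = 1_700_000_000
WG_DUMP = ("PRIVKEY\tDEBIANPUB\t50193\toff\n"
           f"CLOUDPUB\t(none)\t100.64.2.200:50193\t0.0.0.0/0\t{NOW - 40}\t1200\t900\t25\n")
OSPF = ("BIRD 2.0.12 ready.\nospf1:\n"
        "Router ID\tPri\t     State     \tDTime\tInterface  Router IP\n"
        "192.168.20.253\t1\tFull/PtP  \t38.094\twg0        192.168.20.253\n"
        "192.168.10.1\t1\t2-Way/DROther\t35.301\tens192     192.168.10.1\n")
ROUTES = "192.168.12.0/24 via 192.168.10.1 dev ens192 proto bird metric 32\n"
EXPECTED = ["192.168.12.0/24", "192.168.13.0/24"]
```

On a live host, feed `check()` the real command output (for example via `subprocess.run(["wg", "show", "wg0", "dump"], capture_output=True, text=True).stdout`) and the current `time.time()`; an empty return value means all three verification steps pass.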
Notes:

- Generate your own keys
- Every OSPF `router id` must be unique
- Routers and firewalls must allow ports 50193 and 500/4500
- After configuring the Huawei router you must run `save`