
Help: routing inbound traffic on specific VPS ports through a WireGuard VPN tunnel to a game server

I've recently been trying to expose a Steam game server to the public internet through a VPS and have hit a tricky problem I'd like to ask for help with: I need to route inbound traffic arriving on ports 27016 and 3202 of the VPS's public IP through a WireGuard VPN tunnel to my game server. Here is the background:

I set up an Ubuntu 22.10 VPS on DigitalOcean to give a Windows Server 22 game server running on Proxmox a static public IP. The game server is already connected to the VPS over WireGuard: outbound traffic from the game server goes out through the VPS fine, but inbound traffic (for example server queries) never makes it through the VPN to the game server; I confirmed this with a Wireshark capture on the game server.

Current network information

IP addresses

  • VPS public IP: 162.243.164.xxx
  • WireGuard VPN gateway (VPS end): 192.168.69.1
  • Game server VPN address: 192.168.69.2
  • Game server local LAN address: 10.11.12.150

WireGuard config on the VPS (/etc/wireguard/wg0.conf)

[Interface]
PrivateKey = KEY
Address = 192.168.69.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = KEY
AllowedIPs = 192.168.69.2
PersistentKeepalive = 25

VPS routing table (output of ip route)

default via 162.243.164.1 dev eth0 proto static
10.10.0.0/16 dev eth0 proto kernel scope link src 10.10.0.5
10.116.0.0/20 dev eth1 proto kernel scope link src 10.116.0.2
162.243.164.0/24 dev eth0 proto kernel scope link src 162.243.164.xxx
192.168.69.0/24 dev wg0 proto kernel scope link src 192.168.69.1

VPS interfaces (output of ip addr)

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 6a:24:cf:89:d5:04 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    altname ens3
    inet 162.243.164.xxx/24 brd 162.243.164.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.10.0.5/16 brd 10.10.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::6824:cfff:fe89:d504/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether ce:21:97:e6:06:14 brd ff:ff:ff:ff:ff:ff
    altname enp0s4
    altname ens4
    inet 10.116.0.2/20 brd 10.116.15.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::cc21:97ff:fee6:614/64 scope link
       valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.69.1/24 scope global wg0
       valid_lft forever preferred_lft forever

Packet capture (tcpdump -i any -n udp and port 27016)

When I query 162.243.164.xxx:27016 from the public internet, the capture shows that the traffic does reach the VPS's eth0 interface, but it is never forwarded into the VPN tunnel:

listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
18:10:47.290457 eth0  In  IP 162.55.52.17.52424 > 162.243.164.xxx.27016: UDP, length 25
18:10:55.926653 eth0  In  IP 141.94.81.117.35441 > 162.243.164.xxx.27016: UDP, length 25

Game server (WireGuard client) config

[Interface]
PrivateKey = KEY
Address = 192.168.69.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = KEY
AllowedIPs = 0.0.0.0/0
Endpoint = VPS PUBLIC IP

What I have already tried (without success)

  1. Changing the VPS's WireGuard PostUp rules to add DNAT and forwarding rules:
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 27016 -j DNAT --to-destination 192.168.69.1:27016; iptables -A FORWARD -i eth0 -o wg0 -p udp --dport 27016 -j ACCEPT;
  2. Adding a dedicated routing table and rule:
ip route add table 80 192.168.69.0/24 dev wg0 src 192.168.69.1
ip rule add ipproto udp dport 27016 lookup 80

I'm still learning networking and am completely stuck. Could anyone offer some guidance or a solution? Many thanks!


Note: content sourced from Stack Exchange; question asked by depoultry
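As an added example that is not part of the original post, the script below builds the VPS-side rule set for forwarding inbound UDP on the two ports to the peer's tunnel address, with a guard against the one configuration that cannot work: a DNAT target equal to the VPS's own wg0 address hands the packet to the VPS's local stack instead of the tunnel. Assumed names (WAN_IF, WG_IF, WG_LOCAL, PEER, PORTS, IPT) are this example's own; their default values are taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Forwards inbound UDP on VPS
# ports to a WireGuard peer's tunnel address. Assumed variable names; the
# defaults are the addresses from the post. IPT=echo gives a dry run.
WAN_IF="${WAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
WG_LOCAL="${WG_LOCAL:-192.168.69.1}"   # VPS end of the tunnel
PEER="${PEER:-192.168.69.2}"           # game server's tunnel address
PORTS="${PORTS:-27016 3202}"
IPT="${IPT:-iptables}"

# A DNAT target equal to the VPS's own tunnel address (or loopback) delivers
# the packet locally on the VPS; nothing ever crosses wg0. Reject it.
check_target() {
  [ "$1" != "$2" ] || return 1
  case "$1" in 127.*) return 1 ;; esac
  return 0
}

# Emit the rules for one UDP port. $1 is -A (add) or -D (delete), which
# matches the PostUp/PostDown split used in wg0.conf.
port_rules() {
  act="$1" port="$2"
  "$IPT" -t nat "$act" PREROUTING -i "$WAN_IF" -p udp --dport "$port" \
      -j DNAT --to-destination "$PEER:$port"
  "$IPT" "$act" FORWARD -i "$WAN_IF" -o "$WG_IF" -p udp -d "$PEER" --dport "$port" -j ACCEPT
  # Replies: the peer routes everything back through the tunnel (AllowedIPs
  # 0.0.0.0/0) and conntrack reverses the DNAT; FORWARD only has to let them pass.
  "$IPT" "$act" FORWARD -i "$WG_IF" -o "$WAN_IF" -p udp -s "$PEER" --sport "$port" \
      -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Apply (-A) or remove (-D) the whole rule set. net.ipv4.ip_forward must be 1
# on the VPS (it already is here, since outbound traffic from the peer works).
wg_port_forward() {
  check_target "$PEER" "$WG_LOCAL" || { echo "DNAT target $PEER is local to the VPS" >&2; return 1; }
  for p in $PORTS; do port_rules "$1" "$p"; done
}

# From wg0.conf: PostUp = /etc/wireguard/forward.sh -A  and  PostDown = ... -D
case "${1:-}" in -A|-D) wg_port_forward "$1" ;; esac
```

Run it once with IPT=echo to review the exact rules before wiring it into PostUp/PostDown.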
