网络互联

graph TD
    %% --- 全局定义 ---
    Internet((互联网))
    
    %% --- 云端 HUB 层 ---
    subgraph Cloud [云端中转 Hub]
        direction TB
        LinuxHub["Linux 云服务器 (FRR)<br/><b>WG IP: 10.0.9.1/24</b><br/>Role: BGP Reflector"]
    end

    %% --- Site A 层 (复杂节点) ---
    subgraph SiteA [Site A - 核心节点]
        direction TB
        MTA["<b>MikroTik A</b><br/>WG IP: 10.0.9.2/24<br/>LAN GW: 192.168.88.1<br/>协议: BGP + OSPF"]
        
        subgraph SiteA_LAN [内网: 192.168.88.0/24]
            OPA["<b>OpenWrt (旁路)</b><br/>IP: 192.168.88.2<br/>协议: OSPF + OpenVPN"]
            PCA("<b>电脑 A</b><br/>IP: 192.168.88.123<br/>GW: 192.168.88.1")
        end
    end

    %% --- Site B 层 (分支节点) ---
    subgraph SiteB [Site B - 分支节点]
        direction TB
        MTB["<b>MikroTik B</b><br/>WG IP: 10.0.9.3/24<br/>LAN GW: 192.168.98.1<br/>协议: BGP + OSPF"]
        
        subgraph SiteB_LAN [内网: 192.168.98.0/24]
            OPB["<b>OpenWrt (旁路)</b><br/>IP: 192.168.98.2<br/>协议: OSPF + OpenVPN"]
            PCB("<b>电脑 B</b><br/>IP: 192.168.98.55<br/>GW: 192.168.98.1")
        end
    end

    %% --- 外部服务 ---
    VPNServer["外部 OpenVPN 服务端<br/>(Target Network)"]

    %% --- 连接关系 ---
    
    %% 物理连接
    Internet --- LinuxHub
    Internet --- VPNServer

    %% 隧道连接 (WireGuard - 核心骨干)
    LinuxHub == "WireGuard 隧道<br/>(iBGP AS65000)" ==> MTA
    LinuxHub == "WireGuard 隧道<br/>(iBGP AS65000)" ==> MTB

    %% Site A 内部逻辑连接
    MTA -- "OSPF 路由交换" --- OPA
    MTA --- PCA
    
    %% Site B 内部逻辑连接
    MTB -- "OSPF 路由交换" --- OPB
    MTB --- PCB

    %% OpenVPN 隧道 (业务出口)
    OPA -. "OpenVPN 隧道<br/>(NAT masquerade)" .-> VPNServer
    OPB -. "OpenVPN 隧道<br/>(NAT masquerade)" .-> VPNServer

    %% 样式定义
%%    style Internet 
    style OPA fill:#d5f5e3,stroke:#2ecc71,stroke-width:2px
    style OPB fill:#d5f5e3,stroke:#2ecc71,stroke-width:2px
    style LinuxHub fill:#fdedec,stroke:#e74c3c,stroke-width:2px
    style VPNServer fill:#eaecee,stroke:#333,stroke-dasharray:5