1.3 WireGuard would not show two peers with allowed-ips 0.0.0.0/0

I have the following setup:
1 VyOS 1.3 and 2 WireGuard peers.
The main WG server has the IP 192.168.110.254.
The peers have the IPs 192.168.110.1 and 192.168.110.5.
The WG config on the .254 is:

vyos@vyos# show interfaces wireguard wg0 
 address 192.168.99.1/24
 peer client2 {
     allowed-ips 0.0.0.0/0
     persistent-keepalive 20
     pubkey TD/hplu0Xo4scK0jrNXPGRaOXw6dicF/6TWuF5bLqTQ=
 }
 peer mullvad {
     allowed-ips 0.0.0.0/0
     persistent-keepalive 10
     pubkey Pookh06aS25jss/zX5aUcnsDtR3qwj30Xnh6F9Gn5hA=
 }
 port 51820
 private-key t_test1

And the summary of the WG interface is:

vyos@vyos# run show interfaces wireguard wg0 summary 
interface: wg0
  public key: y3x54xJY4kuJ8N54CqK5yrNmOLypQxrm1zbwr3KM/GY=
  private key: (hidden)
  listening port: 51820

peer: TD/hplu0Xo4scK0jrNXPGRaOXw6dicF/6TWuF5bLqTQ=
  endpoint: 192.168.110.5:58784
  allowed ips: (none)
  latest handshake: 3 seconds ago
  transfer: 1.28 KiB received, 308 B sent
  persistent keepalive: every 20 seconds

peer: Pookh06aS25jss/zX5aUcnsDtR3qwj30Xnh6F9Gn5hA=
  endpoint: 192.168.110.1:13231
  allowed ips: 0.0.0.0/0
  latest handshake: 53 seconds ago
  transfer: 6.57 KiB received, 5.33 KiB sent
  persistent keepalive: every 10 seconds

peer: EiMmRBXdwkEzpDaNOkMieNsu30MXpN3vszdBCWM5VH0=
  allowed ips: (none)
  persistent keepalive: every 10 seconds
[edit]

As you can see, the peers are connected, but in the summary there is only one peer that is allowed 0.0.0.0/0.
Another issue is that, despite the fact that I removed one peer, it is still present.

I think this is a bug since on plain Debian and other Linux and routing systems I am able to set this up properly.

In the docu for 1.3 Interface configuration it states:

“You can not assign the same allowed-ips statement to multiple WireGuard peers. This a design decision. For more information please check the WireGuard mailing list.”

Can you really set that up on a Debian?

But: I never set it up like that: I set allowed-ips to 0.0.0.0/0 on the client so that all traffic is routed through the WireGuard tunnel. And on the server allowed-ips is set to the WireGuard IP of the client (a …/32).

The Remote Access “RoadWarrior” Example does it like that.

I must admit I didn’t understand the allowed-ips to be like that.
I also read the mailing list details, and it makes sense that you will have only one route per subnet/CIDR to one peer.
But there is a big difference between routing and an ACL.
The allowed-ips is an ACL which allows all IPs to be routed via this tunnel, not something that sets a route via this tunnel.
The issue is that routes should be set up manually on VyOS and not automatically via the allowed-ips (in my opinion).

If I understand right, then if I use the WG tunnel as a GW I need to set allowed-ips to the specific client IP, and to the remote network if it’s a S2S.

Thanks for the details!!

That’s how it works right now; it won’t add a route in there. I recommend using multiple tunnels. You can have one for remote access, set up like @patient0 mentioned, and then other tunnels for S2S, which allows you to have “allowed-ips 0.0.0.0/0” per tunnel. I run BGP over mine just fine doing it this way.
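Added example, not from this thread or from VyOS: a small Python model of why the summary above shows one peer with “allowed ips: (none)”, plus a parser that flags such peers in `wg show` output. The cryptokey-routing rule it models (an allowed-ip belongs to exactly one peer, and a later assignment moves it away from the earlier peer) is an assumption stated in the code, and the sample output and peer keys are constructed placeholders.

```python
import re

# Constructed `wg show wg0` excerpt modelled on the summary in the post
# (public keys replaced with placeholders).
SAMPLE_WG_SHOW = """\
interface: wg0
  listening port: 51820

peer: PEER_CLIENT2_PLACEHOLDER=
  endpoint: 192.168.110.5:58784
  allowed ips: (none)

peer: PEER_MULLVAD_PLACEHOLDER=
  endpoint: 192.168.110.1:13231
  allowed ips: 0.0.0.0/0

peer: PEER_REMOVED_PLACEHOLDER=
  allowed ips: (none)
"""

def effective_allowed_ips(peers):
    """Model of WireGuard's cryptokey routing table (assumed here, not VyOS
    code): each allowed-ip belongs to exactly one peer, and assigning it to a
    later peer moves it away from the earlier one.  `peers` is a list of
    (name, [cidr, ...]) in configuration order."""
    owner = {cidr: name for name, cidrs in peers for cidr in cidrs}
    table = {name: set() for name, _ in peers}
    for cidr, name in owner.items():
        table[name].add(cidr)
    return table

def parse_wg_show(text):
    """Return {peer_pubkey: [allowed cidrs]} from `wg show <iface>` output."""
    peers, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"peer:\s+(\S+)", line):
            current = m.group(1)
            peers[current] = []
        elif (m := re.match(r"\s+allowed ips:\s+(.+)", line)) and current:
            value = m.group(1).strip()
            if value != "(none)":
                peers[current] = [c.strip() for c in value.split(",")]
    return peers

def peers_without_allowed_ips(text):
    """Peers that cannot receive any traffic: stale peers, or peers whose
    allowed-ips were moved to a later peer with the same statement."""
    return sorted(k for k, v in parse_wg_show(text).items() if not v)
```

Running `peers_without_allowed_ips` over the real `wg show` output is a quick check that a remote-access or S2S peer has not silently lost its allowed-ips to another peer.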
