hi there,
I am trying to configure a simple WireGuard RoadWarrior, so as to be able to connect to my local LAN when not at home and access local services running on another machine in the LAN.
I am unable to test whether the config works because I don’t know how to point to VyOS.
I am on VyOS 1.5-rolling-202310060022 on bare metal and have a very basic setup (full config below). The topology is pretty simple: internet → (eth0) VyOS → (eth1) unmanaged switch → LAN
I looked at the latest docs and ran this:
set interfaces wireguard wg0 address 10.172.24.1/24
set interfaces wireguard wg0 address 2001:db8:470:22::1/64
set interfaces wireguard wg0 port 2224
- Then generated the PEER-PUBLIC-KEY with
run generate pki wireguard key-pair
and added the rest of the client info:
set interfaces wireguard wg0 peer iPhone public-key PEER-PUBLIC-KEY
set interfaces wireguard wg0 peer iPhone allowed-ips 10.172.24.20/32
set interfaces wireguard wg0 peer iPhone allowed-ips 2001:db8:470:22::20/128
set interfaces wireguard wg0 peer iPhone persistent-keepalive 15
run generate pki wireguard preshared-key install interface wg0 peer iPhone
- Finally, I opened the iPhone WireGuard app and provided:
- private key: VYOS-PRIVATE-KEY
- addresses: 10.172.24.20/32, 2001:db8:470:22::20/128
And added a peer with:
- public key: PEER-PUBLIC-KEY
- preshared-key: PEER-PRESHARED-KEY
- Allowed IPs: 0.0.0.0/0, ::0
My issue is the endpoint. I guess I need to put the VyOS IP, but as I am behind CGN, the only way is to connect directly via IPv6. I do this for a number of services via Cloudflare on another machine in my network, but as far as I understand that wouldn’t work if I want to obfuscate my IP. Also, whilst I do get an IPv6 from a LAN machine, I do not seem to be able to get an address with curl -6 ifconfig.io from VyOS itself (I do get the IPv4 address though).
Is there anything else I am missing? Am I right in thinking I need to find a way to connect directly to VyOS? Should I add some config to get eth0 to also get an IPv6?
Many thanks, and apologies if this is a dumb question. Also, I know I need to set up the firewall, but haven’t quite cracked the guide yet - that’s another story.
This is the full config:
container {
    name adguardhome {
        allow-host-networks
        cap-add net-bind-service
        image docker.io/adguard/adguardhome:latest
        restart always
        volume adguardhome-conf {
            destination /opt/adguardhome/conf
            source /config/adguardhome/conf
        }
        volume adguardhome-hosts {
            destination /etc/hosts
            mode ro
            source /etc/hosts
        }
        volume adguardhome-work {
            destination /opt/adguardhome/work
            source /config/adguardhome/work
        }
    }
}
interfaces {
    ethernet eth0 {
        address dhcp
        address dhcpv6
        description WAN
        dhcpv6-options {
            pd 0 {
                interface eth1 {
                    sla-id 1
                }
                length 56
            }
        }
        hw-id ...
    }
    ethernet eth1 {
        address 10.32.0.1/24
        description LAN
        hw-id ...
        ipv6 {
            address {
                autoconf
            }
        }
    }
    wireguard wg0 {
        address 10.172.24.1/24
        address 2001:db8:470:22::1/64
        peer iPhone {
            allowed-ips 10.172.24.20/32
            allowed-ips 2001:db8:470:22::20/128
            persistent-keepalive 15
            preshared-key PEER-PRESHARED-KEY
            public-key PEER-PUBLIC-KEY
        }
        port 2224
        private-key VYOS-PRIVATE-KEY
    }
    loopback lo {
    }
}
nat {
    source {
        rule 100 {
            outbound-interface eth0
            source {
                address 10.32.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN {
            subnet 10.32.0.0/24 {
                default-router 10.32.0.1
                name-server 10.32.0.1
                range 0 {
                    start 10.32.0.50
                    stop 10.32.0.125
                }
            }
        }
    }
    ntp {
        ...
    }
    router-advert {
        interface eth1 {
            other-config-flag
            prefix ::/64 {
            }
        }
    }
    ssh {
        ...
    }
}
system {
    ...
}