Help me get started.... WireGuard

Hi all, I’m completely new to this and I would like to start off by setting my VyOS router (a PC with 2 NICs) between my router providing internet and a client (TV) not capable of connecting to a WireGuard tunnel on its own.
A perfect scenario would be RJ45 from the TV to the VyOS router (INSIDE) eth1 and then RJ45 from the VyOS router (OUTSIDE) eth0 to the ASUS router providing Internet.
No firewalling or anything else, just a “simple” tunnel for 1 client would be great…

Am I dreaming or is this possible?
I have further plans to keep building a solution with my VyOS as the primary router toward the Internet, but I would love it if I could start this way and keep building my config on this.
Anyone with a nice config for this?
I’m using OVPN.com as my WireGuard provider.

Please be gentle :wink:

reg
Kjell

Yes, this is doable.
First of all, set up your VyOS router with a “WAN” interface that’s connected to your current router’s LAN network.
Then set up a WireGuard tunnel on your VyOS router that routes all traffic via that tunnel. Then create a “LAN” interface on the VyOS router that you connect your TV to. You’ll probably want to enable a DHCP server on this interface, unless you are going to statically address your TV.
You’ll have to make sure you create a NAT rule that NATs all traffic coming from the TV to the IP address of the WireGuard tunnel, i.e. all traffic leaving through the WireGuard tunnel has to get NAT’d to the WireGuard tunnel’s address: standard NAT masquerade.


I can’t get the config below to work…

Anyone with ideas on what I’ve done wrong or missed?
When running “show interfaces wireguard wg01” it seems as if I’m connected, indicating that the tunnel is open and ready for use.

{
  "interfaces": {
    "ethernet": {
      "eth0": {
        "address": [
          "192.168.10.1/24"
        ],
        "description": "INSIDE",
        "hw-id": "80:ee:73:77:de:f0"
      },
      "eth1": {
        "address": [
          "dhcp"
        ],
        "description": "OUTSIDE",
        "hw-id": "80:ee:73:77:de:f1"
      }
    },
    "loopback": {
      "lo": {}
    },
    "wireguard": {
      "wg01": {
        "address": [
          "172.22.137.115/32",
          "fd00:0000:1337:cafe:1111:1111:939b:f9ed/128"
        ],
        "description": "OVPN",
        "peer": {
          "OVPN": {
            "address": "193.187.91.195",
            "allowed-ips": [
              "0.0.0.0/0",
              "::/0"
            ],
            "persistent-keepalive": "15",
            "port": "9929",
            "public-key": "MY_PUBLIC_KEY"
          }
        },
        "port": "9929",
        "private-key": "MY_PRIVATE_KEY"
      }
    },
    "wireless": {
      "wlan0": {
        "hw-id": "64:5a:04:aa:f0:fa",
        "physical-device": "phy0"
      }
    }
  },
  "nat": {
    "source": {
      "rule": {
        "50": {
          "outbound-interface": "wg01",
          "source": {
            "address": "192.168.10.0/24"
          },
          "translation": {
            "address": "masquerade"
          }
        }
      }
    }
  },
  "protocols": {
    "static": {
      "route": {
        "0.0.0.0/0": {},
        "192.168.0.0/16": {
          "interface": {
            "wg01": {}
          }
        }
      }
    }
  },
  "service": {
    "dhcp-server": {
      "shared-network-name": {
        "LAN": {
          "subnet": {
            "192.168.10.0/24": {
              "default-router": "192.168.10.1",
              "domain-name": "MY_DOMAIN_NAME",
              "lease": "86400",
              "name-server": [
                "192.168.10.1"
              ],
              "range": {
                "0": {
                  "start": "192.168.10.30",
                  "stop": "192.168.10.254"
                }
              }
            }
          }
        }
      }
    },
    "dns": {
      "forwarding": {
        "allow-from": [
          "192.168.10.0/24"
        ],
        "cache-size": "0",
        "listen-address": [
          "192.168.10.1"
        ]
      }
    },
    "ssh": {
      "port": [
        "22"
      ]
    }
  },
  "system": {
    "config-management": {
      "commit-revisions": "100"
    },
    "conntrack": {
      "modules": {
        "ftp": {},
        "h323": {},
        "nfs": {},
        "pptp": {},
        "sip": {},
        "sqlnet": {},
        "tftp": {}
      }
    },
    "console": {
      "device": {
        "ttyS0": {
          "speed": "115200"
        }
      }
    },
    "host-name": "vyos",
    "login": {
      "user": {
        "MY_USER_NAME": {
          "authentication": {
            "encrypted-password": "MY_USER_PASSWORD",
            "plaintext-password": ""
          }
        }
      }
    },
    "syslog": {
      "global": {
        "facility": {
          "all": {
            "level": "info"
          },
          "protocols": {
            "level": "debug"
          }
        }
      }
    },
    "time-zone": "UTC"
  }
}

Hi,
I reformatted your paste so it was readable; I hope you don’t mind :slight_smile:

What exactly doesn’t work? Does the WG tunnel show packets both coming and going?

The only thing that jumps out at me is that you have a static route for 0.0.0.0/0 out your tunnel, so how is the router going to know how to route to the 193.187.91.195 address of your WG peer? What’s the route to that peer? It can’t be over the WireGuard tunnel!


Thanks for fixing my paste…
[image: screenshot of the traffic counters on the wg01 interface]
The image illustrates the traffic on my wg interface.

The thing is that I’m new at this and I’m trying to understand how to get my one client on the inside interface to communicate with internet via my wg01 interface.
The 0.0.0.0/0 route is there only because the example files I found contain this route :slight_smile:

Are you saying that I need to add a route to 193.187.91.195 in some manner? I’m sorry for my newbie questions.

Thanks for putting time into this!

reg
Kjell

What does your routing table look like?

show ip route 193.187.91.195

To me it seems like you don’t have a route to that set somewhere. I might be wrong. But if you have a default route OUT your WireGuard instance, you need to be sure you have a more specific route to your WireGuard endpoint somewhere else, otherwise you’re going to cut yourself off.
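To make the routing argument in the two replies above concrete, here is an added example (my own code, not from the thread or from VyOS) that models a Linux-style lookup: longest-prefix match inside a table, with policy rules walked in order and a rule whose table has no matching route falling through to the next rule and finally to the main table. It uses the peer address 193.187.91.195 from the thread and the posted interface roles (eth0 INSIDE, eth1 OUTSIDE); the router's WAN lease, the TV's lease, the ASUS LAN prefix 192.168.1.0/24, the public destination and the DHCP default-route distance of 210 are constructed assumptions. It shows why a static default into wg01 in the main table routes the WireGuard packets into the tunnel itself, why per-source policy routing avoids that, and why a table with only a tunnel route can leak to the plain WAN unless a blackhole fallback is present.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the routing decision, not the poster's live router.
# A route is (prefix, next-hop interface or "blackhole", administrative distance).
# Inside one table the longest prefix wins; equal prefixes are decided by the
# lowest distance. Policy rules are (source prefix, table) and are walked in order
# the way the kernel walks `ip rule`: a table with NO matching route does not end
# the walk, the next rule is tried and the main table is the last resort.


class Router:
    def __init__(self):
        self.tables = {"main": []}
        self.rules = []

    def add_route(self, table, prefix, via, distance=1):
        self.tables.setdefault(table, []).append((ip_network(prefix), via, distance))

    def add_rule(self, source, table):
        self.rules.append((ip_network(source), table))

    def lookup(self, table, dst):
        """Longest-prefix match in one table; None when nothing matches."""
        candidates = [r for r in self.tables.get(table, []) if dst in r[0]]
        if not candidates:
            return None
        _, via, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
        return via

    def route(self, src, dst):
        """Outgoing interface for a packet from src to dst, or None if unroutable."""
        src, dst = ip_address(src), ip_address(dst)
        for source, table in self.rules:
            if src in source:
                via = self.lookup(table, dst)
                if via is not None:
                    return via
        return self.lookup("main", dst)


WG_ENDPOINT = "193.187.91.195"   # the peer address from the thread
ROUTER_WAN = "192.168.1.50"      # assumed: DHCP lease the ASUS handed to eth1
TV = "192.168.10.40"             # assumed: a DHCP lease on the INSIDE LAN
INTERNET = "1.1.1.1"             # assumed: any public destination


def base():
    r = Router()
    r.add_route("main", "192.168.10.0/24", "eth0")           # INSIDE, as in the posted config
    r.add_route("main", "192.168.1.0/24", "eth1")            # OUTSIDE, assumed ASUS LAN
    r.add_route("main", "0.0.0.0/0", "eth1", distance=210)   # DHCP default (assumed distance 210)
    return r


def posted_config():
    """The thread's problem: a static default (distance 1) into the tunnel beats the DHCP default."""
    r = base()
    r.add_route("main", "0.0.0.0/0", "wg01")
    return r


def pbr_config(tunnel_route_present=True, blackhole=True):
    """Policy routing: only the TV LAN consults table 90; the router itself keeps the main table.
    A WireGuard interface stays up without a handshake, so its route normally stays; the
    'absent' case models the interface being disabled or the table being misconfigured."""
    r = base()
    if tunnel_route_present:
        r.add_route("90", "0.0.0.0/0", "wg01")
    if blackhole:
        r.add_route("90", "0.0.0.0/0", "blackhole", distance=254)
    r.add_rule("192.168.10.0/24", "90")
    return r


def demo():
    broken = posted_config()
    fixed = pbr_config()
    leaky = pbr_config(tunnel_route_present=False, blackhole=False)
    closed = pbr_config(tunnel_route_present=False, blackhole=True)
    return {
        # the encapsulated WireGuard packets are routed back into wg01: the tunnel can never come up
        "posted_router_to_endpoint": broken.route(ROUTER_WAN, WG_ENDPOINT),
        "pbr_router_to_endpoint": fixed.route(ROUTER_WAN, WG_ENDPOINT),
        "pbr_tv_to_internet": fixed.route(TV, INTERNET),
        # router-originated traffic (for example the DNS forwarder) still follows the main table
        "pbr_router_to_internet": fixed.route(ROUTER_WAN, INTERNET),
        # table 90 empty: the rule falls through and the TV leaks out the plain WAN
        "leak_tv_to_internet": leaky.route(TV, INTERNET),
        # blackhole fallback: the TV's traffic is dropped instead (fail closed)
        "failclosed_tv_to_internet": closed.route(TV, INTERNET),
    }


if __name__ == "__main__":
    for case, via in demo().items():
        print(f"{case}: {via}")
```

The last two cases are the ones worth remembering for a "VPN only" client: policy routing keeps the router's own path to the endpoint intact, but the per-source table must contain a fallback that is not the plain WAN, or a missing tunnel route silently turns into a leak.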

For what it’s worth, I got VyOS working with OpenVPN to ExpressVPN. Most importantly, I discovered how to use Policy Based Routing (PBR) to route my LAN traffic over the VPN. When I naively tried to set VyOS’s default route to ExpressVPN… it appeared ExpressVPN could not route to itself :slight_smile:

Here are a couple of configuration snippets. I hope this helps!

set policy route VPN-FOR-YOU-ROUTING rule 100 description 'Use ExpressVPN'
set policy route VPN-FOR-YOU-ROUTING rule 100 set table '90'
set policy route VPN-FOR-YOU-ROUTING rule 100 source address '10.10.1.0/24'

set protocols static table 90 route 0.0.0.0/0 interface vtun1
set protocols static table 90 route 0.0.0.0/0 interface vtun2
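As an added example (not the poster's running config, not the ExpressVPN snippet above and not anything supplied by OVPN), here is the complete VyOS `set`-command form of what the replies describe, applied to the interface roles from the posted config (eth0 = INSIDE, eth1 = OUTSIDE): the WireGuard peer, a separate routing table whose only default points into the tunnel, a policy that sends just the TV LAN to that table, masquerade on wg01, and DHCP for the TV. Assumptions: VyOS 1.3 syntax, table 90 and the policy name VPN-ONLY are arbitrary, the key placeholders are yours and the provider's (the peer's public-key is the provider's key, never your own), IPv6 is left out, and the blackhole-under-table syntax should be checked against your VyOS version before relying on it.

```vyos
# Added example, not the poster's config. VyOS 1.3 syntax assumed; table number
# and policy name are arbitrary; keys are placeholders.
set interfaces ethernet eth0 address '192.168.10.1/24'
set interfaces ethernet eth0 description 'INSIDE'
set interfaces ethernet eth1 address 'dhcp'
set interfaces ethernet eth1 description 'OUTSIDE'

# WireGuard toward the provider. The peer's public-key is the PROVIDER's key.
# The endpoint 193.187.91.195 is reached through the main table, i.e. the DHCP
# default on eth1, so no static default may point at wg01 in the main table.
set interfaces wireguard wg01 address '172.22.137.115/32'
set interfaces wireguard wg01 description 'OVPN'
set interfaces wireguard wg01 private-key 'MY_PRIVATE_KEY'
set interfaces wireguard wg01 peer OVPN address '193.187.91.195'
set interfaces wireguard wg01 peer OVPN port '9929'
set interfaces wireguard wg01 peer OVPN public-key 'PROVIDER_PUBLIC_KEY'
set interfaces wireguard wg01 peer OVPN allowed-ips '0.0.0.0/0'
set interfaces wireguard wg01 peer OVPN persistent-keepalive '15'

# Separate table for VPN-only clients: the only default goes into the tunnel ...
set protocols static table 90 route 0.0.0.0/0 interface wg01
# ... with a blackhole fallback (higher distance, so it only takes effect when the
# wg01 route is gone) so the TV's traffic is dropped rather than falling through
# to the plain eth1 path. Check this syntax on your version.
set protocols static table 90 route 0.0.0.0/0 blackhole distance '254'

# Policy: traffic from the TV LAN consults table 90 first.
set policy route VPN-ONLY rule 10 description 'TV LAN via OVPN'
set policy route VPN-ONLY rule 10 source address '192.168.10.0/24'
set policy route VPN-ONLY rule 10 set table '90'
set interfaces ethernet eth0 policy route 'VPN-ONLY'

# Masquerade behind the tunnel address on the way out (same as the posted rule 50).
set nat source rule 50 outbound-interface 'wg01'
set nat source rule 50 source address '192.168.10.0/24'
set nat source rule 50 translation address 'masquerade'

# DHCP for the TV.
set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 default-router '192.168.10.1'
set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 name-server '192.168.10.1'
set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 range 0 start '192.168.10.30'
set service dhcp-server shared-network-name LAN subnet 192.168.10.0/24 range 0 stop '192.168.10.254'
```

After `commit`, `show ip route 193.187.91.195` (the check suggested above) should resolve via eth1, `show ip route table 90` should show only the wg01 default (and the blackhole), and `show interfaces wireguard wg01` should show a recent handshake. Two caveats: a summary such as `192.168.0.0/16 interface wg01` in the main table must not be present, because if the ASUS LAN is inside that range the router loses its own path to the ASUS and therefore to the endpoint; and the router-originated traffic, including the queries the DNS forwarder on 192.168.10.1 sends upstream, follows the main table and leaves through eth1, so the TV's name lookups are not covered by the tunnel unless the forwarder's upstream is given a more specific main-table route via wg01.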

Great to hear!
Yes, it’s a common mistake to route ALL traffic out your VPN interface, forgetting that doing so will stop you being able to route to your VPN provider :slight_smile:
