Help with Wireguard not routing Internet traffic

Hi all,

I have set up VyOS 1.4 as my Internet router. I have been trying to get the ‘Road Warrior’ setup going for several hours now using WireGuard and am struggling with configuring it to work with routing all traffic from the client through the WireGuard interface.

When the tunnel is activated, I am able to connect and reach all my internal hosts, but I am unable to access the ‘Internet’.

The relevant sections of my setup (VyOS) are as follows:

WireGuard interface: wg02

[edit interfaces wireguard wg02]
set address 'xxx.xxx.250.1/24'
set description 'WG Road Warrior - via spectrum'
set ip adjust-mss '1380'
set mtu '1420'
set port '51820'
set private-key xxxxxx
set peer macbook~pro allowed-ips 'xxx.xxx.250.10/32'
set peer macbook~pro public-key 'fErItH0e5N1KzGJzVL6g4y7Mo7iAs8E5ucQw8WLlfVI='

The WireGuard interface wg02 is in the ‘trust’ zone:

[edit firewall zone trust]
set default-action 'drop'
set from local firewall name 'local-trust'
set from untrust firewall name 'untrust-trust'
set interface 'br0.172'
set interface 'br0'
set interface 'pod-cniBridge'
set interface 'br0.254'
set interface 'wg02'

The relevant firewall sections are as follows:

[edit firewall ipv4 name untrust-trust]
set default-action 'drop'
set rule 5 action 'return'
set rule 5 description 'Allow EST/Related Traffic'
set rule 5 state 'established'
set rule 5 state 'related'
set rule 20 action 'return'
set rule 20 description 'Allow ICMP traffic'
set rule 20 protocol 'icmp'
set rule 20 state 'new'
[edit firewall ipv4 name local-trust]
set default-action 'return'

Source NAT:

[edit nat source]
set rule 100 outbound-interface name 'eth3'
set rule 100 source address 'xxx.xxx.2.0/24'
set rule 100 translation address 'masquerade'
set rule 200 outbound-interface name 'eth3'
set rule 200 source address 'xxx.xxx.0.0/12'
set rule 200 translation address 'masquerade'
set rule 300 outbound-interface name 'eth1'
set rule 300 source address 'xxx.xxx.5.0/24'
set rule 300 translation address 'masquerade'
set rule 500 outbound-interface name 'eth1'
set rule 500 source address 'xxx.xxx.250.0/24'
set rule 500 translation address 'masquerade'

And finally the route:

[edit protocols static]
set route xxx.xxx.250.0/24 interface wg02

The client running on a MacBook Pro is set up as a peer using the following config:

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 10.254.250.10/32
DNS = 192.168.2.1

[Peer]
PublicKey = 0njksBa7HA7KcJM0Zq0tXGhkiqFpIg4+YoCh+D4AfkU=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xx.xx.18.217:51820

Would appreciate some help with resolving why the Internet stops working when the tunnel is activated.

I am running VyOS version:

Version:          VyOS 1.4-rolling-202403042245
Release train:    sagitta

Built by:         xxxxxxx@xxxx.org
Built on:         Mon 04 Mar 2024 22:45 UTC
Build UUID:       b2f926d2-e65f-4973-b0cb-070616cea02f
Build commit ID:  d42f7e8a9e79da

Architecture:     x86_64
Boot via:         installed image

Thanks in advance.

This isn’t needed since the interface coming up will create a connected route for the same subnet:

[edit protocols static]
set route xxx.xxx.250.0/24 interface wg02

What are the actual prefixes for these 2 lines? Any chance they overlap and the wrong NAT is getting applied?:

set rule 200 source address 'xxx.xxx.0.0/12'
set rule 500 source address 'xxx.xxx.250.0/24'

Thanks for the response - I will remove the static route.

Regarding the source NAT rules - they do not overlap - they are 172.16 and 10.254 respectively.

I removed the static route - but still the same behaviour - I can connect to any of my internal hosts - but no Internet connectivity.

Do you mean you lose all Internet connectivity, or just your external WG hosts can’t connect to the Internet?

I assume you mean your WG host can’t access the Internet. You’ve provided only some of your config, so it’s hard to really figure it out, what you’ve provided looks fine.

I would

a) Check the routing table on your WG client when its VPN is connected.
b) Put in a bunch of “log” rules on your Firewall and see if one of them is dropping/denying your traffic
c) Check your conntrack table to verify the right flow(s) are being established.

I see you have masquerade rules on both eth1 and eth3. Do you have some load-balancing setup?
Maybe you need policy routing for packets coming in on wg too, so they exit on the correct interface.
Note: tcpdump and conntrack might help figure out where packets end up, and whether they're NATted.

What's your WAN interface?
You wrote that the WG tunnel itself is working and you can reach your internal hosts,
but I didn't see any FW rule matching your WG port.

If only your Internet through the WG tunnel is not working, it's highly usual that the NAT masquerade rule is missing for the WG tunnel subnet.
Your tunnel subnet is:
xxx.xxx.250.1/24
so you need a NAT rule for it too.
You have your NAT rule 500 with outgoing interface eth1,
but you also have rules 100 and 200 pointing to eth3.

Where’s your default route pointing to?
Or like 16again mentioned, are you using both intf as outgoing interface?

cheers
Marcel
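The two checks raised in this thread (a source-NAT rule whose outbound interface is not the one carrying the default route, and overlapping source prefixes where the lower-numbered rule wins) can be automated against the `set nat source ...` lines VyOS prints. The script below is an added example, not part of the thread or of VyOS; the sample config it audits is constructed from the same shape of rules quoted above, with placeholder RFC 1918 prefixes, and the WAN interface is passed in as an assumption (on VyOS, `show ip route 0.0.0.0/0` tells you which one it is).

```python
"""Audit VyOS source-NAT rules for a WireGuard road-warrior subnet.

Added example (not from the forum thread or VyOS). It parses `set nat source`
lines and reports:
  1. a masquerade rule covering the tunnel subnet whose outbound interface is
     not the interface that carries the default route (the thread's bug:
     rule 500 on eth1 while Internet traffic leaves via eth3), and
  2. source prefixes that overlap an earlier rule (VyOS evaluates NAT rules
     in ascending order, so the lower-numbered rule matches first).
"""
import ipaddress
import re
from collections import defaultdict

RULE_RE = re.compile(
    r"^set nat source rule (\d+) "
    r"(outbound-interface name|source address|translation address) '([^']+)'$"
)

# Constructed sample in the same form the thread quotes (placeholder prefixes).
SAMPLE_CONFIG = """
set nat source rule 100 outbound-interface name 'eth3'
set nat source rule 100 source address '192.168.2.0/24'
set nat source rule 100 translation address 'masquerade'
set nat source rule 200 outbound-interface name 'eth3'
set nat source rule 200 source address '172.16.0.0/12'
set nat source rule 200 translation address 'masquerade'
set nat source rule 500 outbound-interface name 'eth1'
set nat source rule 500 source address '10.254.250.0/24'
set nat source rule 500 translation address 'masquerade'
"""


def parse_snat(config_text):
    """Return {rule_number: {field: value}} from `set nat source rule` lines."""
    rules = defaultdict(dict)
    for line in config_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, field, value = int(m.group(1)), m.group(2), m.group(3)
            rules[num][field] = value
    return dict(rules)


def audit_snat(rules, wan_interface, tunnel_subnet):
    """Return a list of human-readable findings (empty list means no problem).

    wan_interface : interface holding the default route (assumed known).
    tunnel_subnet : the WireGuard address prefix that must be masqueraded.
    """
    findings = []
    tunnel = ipaddress.ip_network(tunnel_subnet)
    seen = []          # (rule number, network) in ascending rule order
    covered = False
    for num in sorted(rules):
        rule = rules[num]
        src = rule.get("source address")
        iface = rule.get("outbound-interface name")
        if src is None or iface is None:
            findings.append(f"rule {num}: incomplete (needs source address and outbound interface)")
            continue
        net = ipaddress.ip_network(src)
        # Overlap with any earlier (lower-numbered, higher-priority) rule.
        for prev_num, prev_net in seen:
            if net.version == prev_net.version and net.overlaps(prev_net):
                findings.append(
                    f"rule {num}: source {net} overlaps rule {prev_num} ({prev_net}); "
                    f"rule {prev_num} matches first")
        seen.append((num, net))
        # Does this rule cover the tunnel, and does it leave via the WAN interface?
        if net.version == tunnel.version and tunnel.subnet_of(net):
            covered = True
            if iface != wan_interface:
                findings.append(
                    f"rule {num}: masquerades {net} out {iface}, but the default "
                    f"route leaves via {wan_interface}")
    if not covered:
        findings.append(f"no source NAT rule covers tunnel subnet {tunnel}")
    return findings


if __name__ == "__main__":
    for finding in audit_snat(parse_snat(SAMPLE_CONFIG), "eth3", "10.254.250.0/24"):
        print(finding)
```

Paste the output of `show configuration commands | match 'nat source'` in place of the constructed sample and pass the interface from `show ip route 0.0.0.0/0`; with the thread's rule 500 on eth1 the audit reports the mismatch, and after moving it to eth3 it reports nothing.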

Thanks Mark - you were right - I had defined the wrong outbound interface - changing that to eth3 resolved the issue.

Thanks for catching my error.

Regarding the fw rules - for now I included the WG interface right in the ‘trust’ zone - treating the WG interface as part of my LAN.

Thanks again.
