I have two public interfaces on the VyOS router. Only one is the default route, with a route out to 0.0.0.0 through it. But there is a second interface on the same router, and WireGuard clients in the field are configured to reach the router through this interface.
My problem is the outbound traffic (the unencrypted WireGuard traffic) is transiting outbound through the primary eth0 interface with the default route.
I have obviously thought about putting a route on the second interface, eth1, but they could be coming from any IP, and so there is no defined route that I could apply.
I have tried something like this:
set policy local-route rule 10 destination port '51799'
set policy local-route rule 10 protocol 'udp'
set policy local-route rule 10 set table '2'
set policy local-route rule 20 protocol 'udp'
set policy local-route rule 20 set table '2'
set policy local-route rule 20 source port '51799'
set policy route pub rule 1000 set table '1'
set interfaces ethernet eth0 policy route pub
set interfaces ethernet eth1 policy route pub
(51799 is the WireGuard UDP port.) No dice. Traffic is still trying to leave the router through the primary 0.0.0.0 route.
I also tried creating local routes. No dice.
Does anyone have any idea how to solve this problem? I'm just trying to get WireGuard traffic that comes in via eth1 to also leave via eth1. I'm talking public-network unencrypted client-router traffic, obviously.
I could not find a way to make it work. I tried everything I could think of. I ended up setting up another router just for WireGuard. If anyone has a better idea, please jump in. Thank you much.
If I understand correctly, you want traffic destined for the local router directed at a certain WAN interface to leave the router from that particular interface, ignoring the default route.
I have something like this to get VyOS to answer packets directed at a certain WAN interface from that particular WAN interface:
# Abbreviated paths: the local-route rules live under 'policy' and the
# tables under 'protocols static' (set policy local-route ..., set protocols static table ...)
set local-route rule 10 set table '124'
set local-route rule 10 source address <pub_ip_wan_1>
set local-route rule 20 set table '125'
set local-route rule 20 source address <pub_ip_wan_2>
set table 124 description 'Route traffic through WAN1'
set table 124 route 0.0.0.0/0 interface x
# OR: set table 124 route 0.0.0.0/0 next-hop x.x.x.x
set table 125 description 'Route traffic through WAN2'
set table 125 route 0.0.0.0/0 interface x
# OR: set table 125 route 0.0.0.0/0 next-hop x.x.x.x
Depending on the WAN setup, you need to specify a next-hop or an interface. For PPPoE, use interface; for DHCP WAN links, use next-hop (static for now, unfortunately; dynamic next-hops aren't yet available).
If you have DHCP, the source IP in local-route rules 10 and 20 will change, so I've got scripts in place to handle that.
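Applying the pattern from the answer above to the original poster's setup (one default WAN on eth0, WireGuard clients arriving on eth1) gives the configuration below. This is an added example, not code from the thread or from VyOS documentation. The addresses are made-up RFC 5737 documentation ranges, table number 2 is an arbitrary choice, and the syntax follows the `source address` form used in the answer; the WireGuard key and peer settings are left out since they do not affect the routing.

```vyos
# Added example (not from the thread). Assumed addresses:
#   eth0 = 198.51.100.10/24, gateway 198.51.100.1  (default WAN)
#   eth1 = 203.0.113.10/24,  gateway 203.0.113.1   (WireGuard WAN)
#   wg0 listening on UDP 51799, tunnel network 10.100.0.0/24 (assumed)

# Interfaces and the normal default route via eth0
set interfaces ethernet eth0 address '198.51.100.10/24'
set interfaces ethernet eth1 address '203.0.113.10/24'
set protocols static route 0.0.0.0/0 next-hop '198.51.100.1'

# WireGuard endpoint the field clients are pointed at. Clients send to
# 203.0.113.10, so the router's replies to them are sourced from that address.
set interfaces wireguard wg0 address '10.100.0.1/24'
set interfaces wireguard wg0 port '51799'
# (private-key and peer entries omitted; they do not change the routing)

# Router-originated packets whose source address is the eth1 address are
# looked up in table 2 instead of the main table...
set policy local-route rule 10 source address '203.0.113.10'
set policy local-route rule 10 set table '2'

# ...and table 2 must actually hold a default route via eth1. An empty table
# simply falls through to the main table and the packet leaves via eth0 again.
set protocols static table 2 route 0.0.0.0/0 next-hop '203.0.113.1'

commit
save

# Verification from the VyOS shell (the kernel objects the config creates):
#   ip rule show               -> a line "from 203.0.113.10 lookup 2"
#   ip route show table 2      -> "default via 203.0.113.1 dev eth1"
#   tcpdump -ni eth1 udp port 51799   -> handshake replies to clients now on eth1
```

The match is on the source address rather than on the UDP port because that is the one thing every reply to a WireGuard client has in common: the client reached the eth1 address, so the reply is sourced from it, no matter which public IP the client is coming from. If eth1 gets its address by DHCP, the address in rule 10 and the next-hop in table 2 change with the lease, which is the case the answer's scripts handle.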