Routing all traffic eth1 through wireguard interface wg0 - V1.3

Hi everybody, I'm new to VyOS.

I am trying to redirect all WAN traffic from eth1 to wg0 (WireGuard interface) through eth0 (WAN).

I have 3 interfaces:
eth0 : 192.168.1.254 > to my ISP 192.168.1.1
eth1 : DHCP server for virtual machines 192.168.3.100-200 > 192.168.3.254
wg0 : client (VyOS) 10.205.212.10/24 - WireGuard host 10.205.212.1/24

I have set up my own VPN on a dedicated server; I have tested it with a Debian 10 client and it works (I get the IP of my dedicated server). I am trying to do the same with VyOS.

I have tried a lot of configurations (gateway on the wg0), but none of them really seem to work.
My VyOS was successfully connected to my dedicated server, but I still get my real IP address on a client of the DHCP server (192.168.3.0/24).

My conf - V1.3:
vyos@vyos:~$ sh conf
interfaces {
    ethernet eth0 {
        address 192.168.1.254/24
    }
    ethernet eth1 {
        address 192.168.3.254/24
    }
    loopback lo {
    }
    wireguard wg0 {
        address 10.205.212.10/32
        peer SRV {
            address 172.105.244.6
            allowed-ips 0.0.0.0/0
            persistent-keepalive 25
            port 27367
            preshared-key ****************
            pubkey ****************
        }
    }
}
nat {
    source {
        rule 999 {
            outbound-interface eth0
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        interface-route 10.205.212.0/24 {
            next-hop-interface wg0 {
            }
        }
        interface-route 192.168.1.1/32 {
            next-hop-interface eth0 {
            }
        }
        route 0.0.0.0/0 {
            next-hop 192.168.1.1 {
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name testeth3 {
            authoritative
            subnet 192.168.3.0/24 {
                default-router 192.168.3.254
                dns-server 8.8.8.8
                lease 86400
                range 3 {
                    start 192.168.3.100
                    stop 192.168.3.200
                }
            }
        }
    }
    ssh {
        listen-address 192.168.1.254
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}

Any help or tips would be greatly appreciated :blush:

Hello @rand0m, I think this happens because you did not clarify the source NAT rule; try to add
set nat source rule 999 source address 192.168.3.0/24
Also, if you need to pass all VM traffic via the WG tunnel, you need an additional default interface route.

@rand0m You need PBR.
For example, network map (image: wireguard).

Configuration dhcp-s:

set interfaces ethernet eth0 address '192.168.1.254/24'
set interfaces ethernet eth1 address '192.168.3.254/24'
set interfaces ethernet eth1 policy route 'PBR'
set interfaces wireguard wg0 address '10.205.212.10/32'
set interfaces wireguard wg0 description 'VPN-to-wg-PEER01-172.105.244.6'
set interfaces wireguard wg0 peer PEER01 address '172.105.244.6'
set interfaces wireguard wg0 peer PEER01 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer PEER01 port '12345'
set interfaces wireguard wg0 peer PEER01 pubkey 'key='
set interfaces wireguard wg0 port '12345'
set nat source rule 900 outbound-interface 'wg0'
set nat source rule 900 source address '192.168.3.0/24'
set nat source rule 900 translation address 'masquerade'
set nat source rule 999 outbound-interface 'eth0'
set nat source rule 999 translation address 'masquerade'
set policy route PBR rule 10 set table '100'
set policy route PBR rule 10 source address '192.168.3.0/24'
set protocols static interface-route 10.205.212.0/24 next-hop-interface wg0
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set protocols static table 100 route 0.0.0.0/0 next-hop 10.205.212.1 next-hop-interface 'wg0'
set service dhcp-server shared-network-name LAN_192 authoritative
set service dhcp-server shared-network-name LAN_192 subnet 192.168.3.0/24 default-router '192.168.3.254'
set service dhcp-server shared-network-name LAN_192 subnet 192.168.3.0/24 range RANG01 start '192.168.3.100'
set service dhcp-server shared-network-name LAN_192 subnet 192.168.3.0/24 range RANG01 stop '192.168.3.200'
set system host-name 'r2-dhcp-s'

Configuration srv:

set interfaces ethernet eth0 address '172.105.244.6/24'
set interfaces wireguard wg0 address '10.205.212.1/24'
set interfaces wireguard wg0 description 'VPN-to-wg-PEER01-192.168.1.254'
set interfaces wireguard wg0 peer PEER01 address '192.168.1.254'
set interfaces wireguard wg0 peer PEER01 allowed-ips '10.205.212.10/32'
set interfaces wireguard wg0 peer PEER01 port '12345'
set interfaces wireguard wg0 peer PEER01 pubkey 'key='
set interfaces wireguard wg0 port '12345'
set nat source rule 10 destination address '!10.205.212.0/24'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.205.212.10'
set nat source rule 10 translation address 'masquerade'
set protocols static interface-route 10.205.212.10/32 next-hop-interface wg0
set protocols static route 0.0.0.0/0 next-hop 172.105.244.1
set system host-name 'r-srv'

Traceroute from r1-client to r5-internet-resource

vyos@r1-client# run traceroute 203.0.113.1
traceroute to 203.0.113.1 (203.0.113.1), 30 hops max, 60 byte packets
 1  192.168.3.254 (192.168.3.254)  1.659 ms  14.002 ms  14.008 ms
 2  10.205.212.1 (10.205.212.1)  17.274 ms  17.239 ms  17.196 ms
 3  172.105.244.1 (172.105.244.1)  17.166 ms  17.154 ms  17.138 ms
 4  203.0.113.1 (203.0.113.1)  17.120 ms  17.106 ms  17.074 ms
[edit]
vyos@r1-client# 

Ping from r1 => r5

vyos@r1-client# run ping 203.0.113.1 count 2
PING 203.0.113.1 (203.0.113.1) 56(84) bytes of data.
64 bytes from 203.0.113.1: icmp_seq=1 ttl=61 time=6.24 ms
64 bytes from 203.0.113.1: icmp_seq=2 ttl=61 time=5.17 ms

Tcpdump on r5-internet-resource

vyos@vyos:~$ sudo tcpdump -ni eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:53:56.388054 IP 172.105.244.6 > 203.0.113.1: ICMP echo request, id 2402, seq 1, length 64
11:53:56.388254 IP 203.0.113.1 > 172.105.244.6: ICMP echo reply, id 2402, seq 1, length 64
11:53:57.388981 IP 172.105.244.6 > 203.0.113.1: ICMP echo request, id 2402, seq 2, length 64
11:53:57.389037 IP 203.0.113.1 > 172.105.244.6: ICMP echo reply, id 2402, seq 2, length 64
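The following check is an added example, not code from this thread or from VyOS. It covers the setup described in the configuration above and in the later summary (NAT rule 900 on wg0, policy route PBR, default route in table 100): it parses VyOS configuration in `set` form (what `show configuration commands` prints) and reports which of those pieces is missing, so you can see why traffic from 192.168.3.0/24 would still leave with the real WAN address. The embedded configurations are copied from the "dhcp-s" answer above and reconstructed from the original post's `show conf` output.

```python
"""Added check: does a VyOS 1.3 config route a LAN out of a WireGuard tunnel?

Not code from the thread or from VyOS. Input is `set ...` text as printed by
`show configuration commands`. The checks mirror the answer above: a policy
route on the LAN interface, a PBR rule sending the LAN source to a table,
a default route in that table via the tunnel, and source NAT on the tunnel.
"""
import ipaddress
import shlex

# Copied from the "dhcp-s" configuration in the answer (relevant lines only).
FIXED_CONFIG = """
set interfaces ethernet eth1 address '192.168.3.254/24'
set interfaces ethernet eth1 policy route 'PBR'
set interfaces wireguard wg0 address '10.205.212.10/32'
set interfaces wireguard wg0 peer PEER01 allowed-ips '0.0.0.0/0'
set nat source rule 900 outbound-interface 'wg0'
set nat source rule 900 source address '192.168.3.0/24'
set nat source rule 900 translation address 'masquerade'
set nat source rule 999 outbound-interface 'eth0'
set nat source rule 999 translation address 'masquerade'
set policy route PBR rule 10 set table '100'
set policy route PBR rule 10 source address '192.168.3.0/24'
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set protocols static table 100 route 0.0.0.0/0 next-hop 10.205.212.1 next-hop-interface 'wg0'
"""

# Constructed from the original poster's `show conf` output, rewritten as set commands.
ORIGINAL_CONFIG = """
set interfaces ethernet eth1 address '192.168.3.254/24'
set interfaces wireguard wg0 address '10.205.212.10/32'
set interfaces wireguard wg0 peer SRV allowed-ips '0.0.0.0/0'
set nat source rule 999 outbound-interface 'eth0'
set nat source rule 999 translation address 'masquerade'
set protocols static interface-route 10.205.212.0/24 next-hop-interface wg0
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
"""


def parse_set_commands(text):
    """Return each `set ...` line as a token list with quotes stripped."""
    return [shlex.split(line)[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def starts(tokens, *prefix):
    return tokens[:len(prefix)] == list(prefix)


def covers(cidr, net):
    """True when `cidr` (a network or a bare host address) contains network `net`."""
    return ipaddress.ip_network(cidr, strict=False).supernet_of(net)


def check_tunnel_routing(config_text, lan_if, lan_net, tun_if):
    """Return findings as strings; an empty list means the LAN should exit via the tunnel."""
    cmds = parse_set_commands(config_text)
    lan = ipaddress.ip_network(lan_net)
    findings = []

    # 1. A policy route must be bound to the LAN interface.
    policy = next((t[5] for t in cmds
                   if starts(t, "interfaces", "ethernet", lan_if, "policy", "route")), None)
    if policy is None:
        findings.append(f"no policy route attached to {lan_if}; LAN traffic follows the main table")

    # 2. The rule matching the LAN source must select a routing table.
    table = None
    if policy is not None:
        rules = {}
        for t in cmds:
            if starts(t, "policy", "route", policy, "rule"):
                r = rules.setdefault(t[4], {})
                if t[5:7] == ["source", "address"]:
                    r["src"] = t[7]
                elif t[5:7] == ["set", "table"]:
                    r["table"] = t[7]
        for r in rules.values():
            if "src" in r and covers(r["src"], lan) and "table" in r:
                table = r["table"]
        if table is None:
            findings.append(f"no {policy} rule matching {lan_net} sets a routing table")

    # 3. That table needs a default route leaving through the tunnel interface.
    if table is not None:
        via_tunnel = any(
            starts(t, "protocols", "static", "table", table, "route", "0.0.0.0/0")
            and "next-hop-interface" in t and t[t.index("next-hop-interface") + 1] == tun_if
            for t in cmds)
        if not via_tunnel:
            findings.append(f"table {table} has no default route via {tun_if}; lookup falls through to the main table")

    # 4. Source NAT on the tunnel: the far end only accepts the tunnel address as source.
    nat = {}
    for t in cmds:
        if starts(t, "nat", "source", "rule"):
            r = nat.setdefault(t[3], {})
            if t[4] == "outbound-interface":
                r["out"] = t[5]
            elif t[4:6] == ["source", "address"]:
                r["src"] = t[6]
            elif t[4:6] == ["translation", "address"]:
                r["xlate"] = t[6]
    if not any(r.get("out") == tun_if and "src" in r and covers(r["src"], lan)
               and r.get("xlate") == "masquerade" for r in nat.values()):
        findings.append(f"no source NAT rule masquerading {lan_net} out of {tun_if}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("answer", FIXED_CONFIG), ("original post", ORIGINAL_CONFIG)):
        print(name, check_tunnel_routing(cfg, "eth1", "192.168.3.0/24", "wg0") or "OK")
```

Run against the answer's configuration it reports nothing; against the original post's configuration it reports the missing policy route and the missing NAT rule on wg0. Removing only the table 100 default route from the fixed configuration reproduces the symptom from the first post in a subtler form: the PBR mark is set, but the empty table falls through to the main table and traffic still leaves eth0.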

Thanks for your help. I'm not at home at the moment, I will try later, but I forgot to say something: my server (SRV on your network map) is a Debian 9 and not a VyOS server. Do you think it will cause an issue?

Thanks again, the VyOS community is incredible :wink:

On the VyOS dhcp-server you need to add a rule to NAT on the WireGuard interface (rule 900).
Add a policy route and an additional route (route table 100) 0.0.0.0 for source IP addresses in the 192.168.3.0/24 network.
All configuration is attached.

I've tried it and it's working perfectly!
