I am trying to redirect all WAN traffic from eth1 to wg0 (WireGuard interface) through eth0 (WAN).
I have 3 interfaces:
eth0: 192.168.1.254 > to my ISP 192.168.1.1
eth1: DHCP server for virtual machines 192.168.3.100-200 > 192.168.3.254
wg0: client (VyOS) 10.205.212.10/24 - WireGuard host 10.205.212.1/24
I have set up my home-made VPN from a dedicated server; I have tested it with a Debian 10 client and it works (I have the IP of my dedicated server). I am trying to do the same with VyOS.
I have tried lots of configurations (gateway on the wg0), but it doesn't really seem to work.
My VyOS was successfully connected to my dedicated server, but I still get my real IP address on a client of the DHCP server (192.168.3.0/24).
Hello @rand0m, I think this happens because you did not specify the source address in the source NAT rule; try to add: set nat source rule 999 source address 192.168.3.0/24
Also, if you need to pass all VM traffic via the WG tunnel, you need an additional default interface route.
Configuration r2-dhcp-s:
set interfaces ethernet eth0 address '192.168.1.254/24'
set interfaces ethernet eth1 address '192.168.3.254/24'
set interfaces ethernet eth1 policy route 'PBR'
set interfaces wireguard wg0 address '10.205.212.10/32'
set interfaces wireguard wg0 description 'VPN-to-wg-PEER01-172.105.244.6'
set interfaces wireguard wg0 peer PEER01 address '172.105.244.6'
set interfaces wireguard wg0 peer PEER01 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer PEER01 port '12345'
set interfaces wireguard wg0 peer PEER01 pubkey 'key='
set interfaces wireguard wg0 port '12345'
set nat source rule 900 outbound-interface 'wg0'
set nat source rule 900 source address '192.168.3.0/24'
set nat source rule 900 translation address 'masquerade'
set nat source rule 999 outbound-interface 'eth0'
set nat source rule 999 translation address 'masquerade'
set policy route PBR rule 10 set table '100'
set policy route PBR rule 10 source address '192.168.3.0/24'
set protocols static interface-route 10.205.212.0/24 next-hop-interface wg0
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set protocols static table 100 route 0.0.0.0/0 next-hop 10.205.212.1 next-hop-interface 'wg0'
set service dhcp-server shared-network-name LAN_192 authoritative
set service dhcp-server shared-network-name LAN_192 subnet 192.168.3.0/24 default-router '192.168.3.254'
set service dhcp-server shared-network-name LAN_192 subnet 192.168.3.0/24 range RANG01 start '192.168.3.100'
set service dhcp-server shared-network-name LAN_192 subnet 192.168.3.0/24 range RANG01 stop '192.168.3.200'
set system host-name 'r2-dhcp-s'
Configuration srv:
set interfaces ethernet eth0 address '172.105.244.6/24'
set interfaces wireguard wg0 address '10.205.212.1/24'
set interfaces wireguard wg0 description 'VPN-to-wg-PEER01-192.168.1.254'
set interfaces wireguard wg0 peer PEER01 address '192.168.1.254'
set interfaces wireguard wg0 peer PEER01 allowed-ips '10.205.212.10/32'
set interfaces wireguard wg0 peer PEER01 port '12345'
set interfaces wireguard wg0 peer PEER01 pubkey 'key='
set interfaces wireguard wg0 port '12345'
set nat source rule 10 destination address '!10.205.212.0/24'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.205.212.10'
set nat source rule 10 translation address 'masquerade'
set protocols static interface-route 10.205.212.10/32 next-hop-interface wg0
set protocols static route 0.0.0.0/0 next-hop 172.105.244.1
set system host-name 'r-srv'
Traceroute from r1-client to r5-internet-resource
vyos@r1-client# run traceroute 203.0.113.1
traceroute to 203.0.113.1 (203.0.113.1), 30 hops max, 60 byte packets
1 192.168.3.254 (192.168.3.254) 1.659 ms 14.002 ms 14.008 ms
2 10.205.212.1 (10.205.212.1) 17.274 ms 17.239 ms 17.196 ms
3 172.105.244.1 (172.105.244.1) 17.166 ms 17.154 ms 17.138 ms
4 203.0.113.1 (203.0.113.1) 17.120 ms 17.106 ms 17.074 ms
[edit]
vyos@r1-client#
Ping from r1 => r5
vyos@r1-client# run ping 203.0.113.1 count 2
PING 203.0.113.1 (203.0.113.1) 56(84) bytes of data.
64 bytes from 203.0.113.1: icmp_seq=1 ttl=61 time=6.24 ms
64 bytes from 203.0.113.1: icmp_seq=2 ttl=61 time=5.17 ms
Tcpdump on r5-internet-resource
vyos@vyos:~$ sudo tcpdump -ni eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:53:56.388054 IP 172.105.244.6 > 203.0.113.1: ICMP echo request, id 2402, seq 1, length 64
11:53:56.388254 IP 203.0.113.1 > 172.105.244.6: ICMP echo reply, id 2402, seq 1, length 64
11:53:57.388981 IP 172.105.244.6 > 203.0.113.1: ICMP echo request, id 2402, seq 2, length 64
11:53:57.389037 IP 203.0.113.1 > 172.105.244.6: ICMP echo reply, id 2402, seq 2, length 64
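To see why the policy route and NAT rule 900 are both needed, here is an added example (my own Python, not VyOS code and not anything posted in this thread) that reads excerpts of the two configs above and follows one constructed packet, VM 192.168.3.100 to 203.0.113.1, through r2-dhcp-s and then r-srv. It understands only the handful of set command forms used on this page; parse, out_iface, matches, egress, without and vm_to_internet are hypothetical helper names, MAIN stands in for the Linux main routing table, and firewall and conntrack state are ignored. With the full config the packet leaves wg0 with source 10.205.212.10 and r-srv masquerades it to 172.105.244.6, as the tcpdump above shows; without the eth1 policy route line it follows the main table out of eth0 and is masqueraded to 192.168.1.254, which is the "real IP" symptom from the first post; without rule 900 it enters the tunnel still sourced from 192.168.3.100 and r-srv's allowed-ips of 10.205.212.10/32 discards it.

```python
import ipaddress
import shlex
MAIN = 254  # Linux main table: a plain 'protocols static route' lands here

# Excerpts of the two configs posted above (DHCP, description, key and port lines left out)
CONFIG_R2 = """
set interfaces ethernet eth0 address '192.168.1.254/24'
set interfaces ethernet eth1 address '192.168.3.254/24'
set interfaces ethernet eth1 policy route 'PBR'
set interfaces wireguard wg0 address '10.205.212.10/32'
set nat source rule 900 outbound-interface 'wg0'
set nat source rule 900 source address '192.168.3.0/24'
set nat source rule 900 translation address 'masquerade'
set nat source rule 999 outbound-interface 'eth0'
set nat source rule 999 translation address 'masquerade'
set policy route PBR rule 10 set table '100'
set policy route PBR rule 10 source address '192.168.3.0/24'
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set protocols static table 100 route 0.0.0.0/0 next-hop 10.205.212.1 next-hop-interface 'wg0'
"""
CONFIG_SRV = """
set interfaces ethernet eth0 address '172.105.244.6/24'
set interfaces wireguard wg0 address '10.205.212.1/24'
set interfaces wireguard wg0 peer PEER01 allowed-ips '10.205.212.10/32'
set nat source rule 10 destination address '!10.205.212.0/24'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.205.212.10'
set nat source rule 10 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop 172.105.244.1
"""

def parse(text):
    # Reads only the subset of VyOS 'set' commands that appear on this page into plain dicts
    cfg = {"ifaces": {}, "pbr_iface": {}, "allowed": {}, "pbr": {}, "routes": {}, "nat": {}}
    for line in text.strip().splitlines():
        w = shlex.split(line)[1:]  # drop the leading 'set'
        if w[0] == "interfaces" and w[3] == "address":
            cfg["ifaces"][w[2]] = ipaddress.ip_interface(w[4])
        elif w[0] == "interfaces" and w[3:5] == ["policy", "route"]:
            cfg["pbr_iface"][w[2]] = w[5]  # policy applied to packets arriving on this interface
        elif w[0] == "interfaces" and w[3] == "peer" and w[5] == "allowed-ips":
            cfg["allowed"].setdefault(w[2], []).append(ipaddress.ip_network(w[6]))
        elif w[:2] == ["policy", "route"]:  # 'set table 100' or 'source address <net>'
            cfg["pbr"].setdefault((w[2], int(w[4])), {})[w[6] if w[5] == "set" else w[5]] = w[7]
        elif w[:2] == ["protocols", "static"]:
            rest, table = w[2:], MAIN
            if rest[0] == "table":
                table, rest = int(rest[1]), rest[2:]
            kv = dict(zip(rest[2::2], rest[3::2]))
            cfg["routes"].setdefault(table, []).append(
                (ipaddress.ip_network(rest[1]), kv.get("next-hop"), kv.get("next-hop-interface")))
        elif w[:3] == ["nat", "source", "rule"]:
            cfg["nat"].setdefault(int(w[3]), {})[w[4]] = w[5] if w[4] == "outbound-interface" else w[6]
    return cfg

def out_iface(cfg, table, dst):
    """Longest-prefix match over connected networks plus the routes in one table (None: no route)."""
    best = (-1, None)
    for name, addr in cfg["ifaces"].items():
        if dst in addr.network and addr.network.prefixlen > best[0]:
            best = (addr.network.prefixlen, name)
    for prefix, nh, dev in cfg["routes"].get(table, []):
        if dst in prefix and prefix.prefixlen > best[0]:  # bare 'next-hop X': X sits on a connected net
            dev = dev or next(n for n, a in cfg["ifaces"].items() if ipaddress.ip_address(nh) in a.network)
            best = (prefix.prefixlen, dev)
    return best[1]

def matches(addr, spec):
    # VyOS address match, honouring the '!' negation used in the server's rule 10
    return (addr in ipaddress.ip_network(spec.lstrip("!"))) != spec.startswith("!")

def egress(cfg, in_iface, src, dst):
    """Return (outbound interface, source after SNAT) or ('drop', reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # WireGuard cryptokey routing: a decrypted packet whose source is outside allowed-ips is discarded
    if in_iface in cfg["allowed"] and not any(src in n for n in cfg["allowed"][in_iface]):
        return "drop", "source not in allowed-ips"
    table = MAIN
    for (policy, _), rule in sorted(cfg["pbr"].items()):
        if policy == cfg["pbr_iface"].get(in_iface) and matches(src, rule.get("source", "0.0.0.0/0")):
            table = int(rule["table"])  # the policy route sends this packet to its own table
            break
    out = out_iface(cfg, table, dst) or out_iface(cfg, MAIN, dst)  # an empty table falls through to main
    for _, rule in sorted(cfg["nat"].items()):  # first matching source NAT rule wins
        keys = [k for k in ("source", "destination") if k in rule]
        if rule.get("outbound-interface") == out and all(matches(src if k == "source" else dst, rule[k]) for k in keys):
            if rule.get("translation") == "masquerade":
                src = cfg["ifaces"][out].ip  # rewrite to the egress interface's own address
            break
    return out, str(src)

def without(text, needle):
    return "\n".join(l for l in text.splitlines() if needle not in l)  # "what if this line were missing"

def vm_to_internet(r2_text, srv_text, src="192.168.3.100", dst="203.0.113.1"):
    r2, srv = parse(r2_text), parse(srv_text)
    hop = egress(r2, "eth1", src, dst)  # the VM's packet arrives on eth1 of r2-dhcp-s
    path = [("r2-dhcp-s", *hop)]
    if hop[0] == "wg0":  # only tunnelled traffic reaches r-srv
        path.append(("r-srv", *egress(srv, "wg0", hop[1], dst)))
    return path
```

Call vm_to_internet(CONFIG_R2, CONFIG_SRV) for the working path, and wrap CONFIG_R2 in without(..., "eth1 policy route") or without(..., "rule 900") for the two failure modes. The allowed-ips check is the WireGuard side of the story: the server's peer entry only admits 10.205.212.10/32, so anything that is not masqueraded to that address before it enters the tunnel is dropped silently on r-srv, which is why rule 900 has to match on outbound-interface wg0 rather than eth0.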
Thanks for your help. I'm not at home at the moment; I will try later, but I forgot to say something: my server (SRV on your network map) is a Debian 9 and not a VyOS server. Do you think it will cause an issue?
On the VyOS dhcp-server you need to add a rule to NAT on the WireGuard interface (rule 900).
Add a policy route and an additional route (route table 100) 0.0.0.0/0 for source IP addresses in the 192.168.3.0/24 network.
All configuration is attached.