Routing all traffic through wireguard interface

Hello there. I’m pretty new to VyOS and it suits my needs pretty well.
But right now I want to try to make it my WireGuard gateway for my home network.

What I have right now: a freshly installed VyOS with 2 interfaces (WAN and LAN). WAN gets its address from DHCP, and LAN has a DHCP server running on it. Everything works.

So, what I want to do is: route all traffic coming from my home subnet (i.e. 10.1.0.0/24) through the wg0 interface (10.100.0.0/24).
What I’ve tried:
set protocols static interface-route 0.0.0.0/0 next-hop-interface wg0 (not working, could not even ping anything)
set protocols static route 0.0.0.0/0 next-hop 10.100.0.1 (10.100.0.1 is my WG server IP, not working either)

Any suggestions here?

Some additional info:

show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             10.1.0.213/24                     u/u
eth1             10.100.254.254/24                 u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
wg0              10.100.253.2/24                   u/u

netstat -r
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 eth0
10.1.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.100.253.0    0.0.0.0         255.255.255.0   U         0 0          0 wg0
10.100.254.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1

Did you set a nat rule using the wireguard interface as your outbound? Your static interface route would be needed as well. If you don’t want to use the wan interface as an outbound then you’d need to disable or delete the nat rule for that interface.

Yes, all routes are set up correctly at the WireGuard server and the VyOS peer.
At the WireGuard server, allowed-ips is 10.100.253.2/32 (the VyOS WireGuard interface IP address).
At the VyOS WireGuard interface, allowed-ips is 0.0.0.0/0.

Sorry major fail on my phone. Let me get the laptop.

You need a source nat rule like this:

rule 60 {
    outbound-interface wg20
    translation {
        address masquerade
    }
}

Be sure to remove the one that should have been created for your wan interface unless you want to do policy based routing which is what I do.

I don’t want to add srcnat masquerade for the interface because I want to be able to route dynamically at the WireGuard server. The WireGuard server knows about my local subnet, and I can ping any VM on the LAN subnet from the WireGuard server.

I guess I’m confused about what exactly you are trying to accomplish. You said initially that:

So, what I want to do is: route all traffic that coming from my home subnet (i.e. 10.1.0.0/24) through wg0 interface (10.100.0.0/24).

This would normally be done by taking your LAN subnet and nat’ing it out through the WG interface. Maybe you are trying to do something else? Sorry, I’m just not following.

So, this is how it should look (I did the same thing on Debian via iptables):

I have a distant WireGuard server: public IP 2.2.2.2, WireGuard interface IP 10.100.253.1 (iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT;)
I have a WireGuard peer on VyOS (10.100.253.2)

Behind VyOS I have a local subnet (which can reach the internet, has its own addresses 10.100.254.0/24, and which can reach the WireGuard server by its WireGuard tunnel IP address)

What I want to do is: be able to reach any of those VMs behind VyOS. I can route a single address through WireGuard, such as 8.8.8.8, and it does so correctly, but when I try to add 0.0.0.0/0 as a static route everything stops working as expected (I can’t ping anything, etc.).

What I’ve tried:
PBR with a separate routing table. Didn’t work as expected.

Sorry, was away for a bit. So you are trying to access the VMs behind VyOS from the remote WireGuard server? Can you post your VyOS configuration (minus sensitive info)?

It’s pretty basic configuration for a homelab.

Configuration

interfaces {
    ethernet eth0 {
        address 10.66.1.151/24
        duplex full
        speed 1000
    }
    ethernet eth1 {
        address 10.100.254.254/24
        duplex full
        speed 1000
    }
    loopback lo {
    }
    wireguard wg0 {
        address 10.100.253.2/24
        peer SERVER {
            address (some public ip)
            allowed-ips 10.100.253.0/24 (wg net)
            allowed-ips 0.0.0.0/0
            persistent-keepalive 25
            port 31030
            pubkey ****************
        }
    }
}
nat {
    source {
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 10.66.1.254 {
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN {
            authoritative
            subnet 10.100.254.0/24 {
                default-router 10.100.254.254
                dns-server 10.100.254.254
                domain-name example
                lease 86400
                range 0 {
                    start 10.100.254.1
                    stop 10.100.254.200
                }
            }
        }
    }
    dns {
        forwarding {
            allow-from 10.100.254.0/24
            listen-address 10.100.254.254
            name-server 10.100.254.254
        }
    }
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user wilderness {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    name-server 10.66.1.168
    name-server 8.8.8.8
    ntp {
        server 0 {
        }
        server 1 {
        }
        server 2 {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}

So I’m confused yet again. Your first post said your WAN is assigned via DHCP, but you have it set static in your configuration. You also have no source NAT for LAN outbound but instead have a static route. Why? From where are you trying to access the VMs behind VyOS? From the other end of the WireGuard connection?

I changed it from DHCP a few minutes after I reset the whole config on the VyOS.
The reason I do not have a source NAT rule is that I have a static route on my main router which allows me to reach devices behind VyOS (add distance=1 dst-address=10.100.254.0/24 gateway=10.66.1.151).

So, what is required: every VM in the 10.100.254.0/24 subnet must go to the internet through the distant WireGuard server (10.100.253.1).

Ok. That all makes much more sense now. So if I were you, I would create a source NAT rule with the WireGuard interface as the outbound. Then I’d create a new routing table (let’s say 100) with a static interface route of 0.0.0.0/0 to wg0. Then I’d put the VMs in a firewall group (address if it’s just individual machines or IPs). Lastly I would make a policy route (let’s name it MyRouting), add a rule (let’s say 10) which says essentially, if source address is from devices in the VMs firewall address group, then set table 100. I would then apply that policy to your LAN interface. If there are any other devices that you don’t want to use the WireGuard route, then I’d maybe make another rule (number 20) and say, if source address ! VMs firewall address group, set table main. Anything from the VMs would be sent over WireGuard, everything else would be sent over the regular internet route.

I have a very similar setup with my network and Mullvad VPN. I policy route a number of devices or groups of devices on a few vlans over Mullvad. A number of other devices simply route out via my ISP.
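The steps in the reply above, written out as VyOS configuration commands. This is an added example, not posted by anyone in the thread; it assumes VyOS 1.2-style CLI syntax (matching the `interface-route` and `pubkey` forms used elsewhere in the thread), the poster's interface names (eth1 as LAN, wg0 as the tunnel) and LAN prefix 10.100.254.0/24, and the names suggested in the reply (table 100, address group VMs, policy MyRouting, rules 10 and 20). The two VM addresses in the group are constructed sample values.

```vyos
configure

# Firewall address group holding the VMs that should leave via the tunnel.
# Sample addresses inside the 10.100.254.0/24 LAN (constructed for this example).
set firewall group address-group VMs address 10.100.254.10
set firewall group address-group VMs address 10.100.254.11

# Separate routing table 100 whose only route is a default via wg0.
# The main table keeps its default via the ISP gateway (10.66.1.254),
# so the tunnel's own encapsulated packets to the server endpoint are
# never sent into the tunnel.
set protocols static table 100 interface-route 0.0.0.0/0 next-hop-interface wg0

# Policy route: traffic from the VMs group is looked up in table 100.
# Rule 20 is optional; unmatched traffic falls through to the main table anyway,
# it only makes that behaviour explicit.
set policy route MyRouting rule 10 source group address-group VMs
set policy route MyRouting rule 10 set table 100
set policy route MyRouting rule 20 set table main

# Apply the policy on the LAN interface, where VM traffic enters the router.
set interfaces ethernet eth1 policy route MyRouting

# Source NAT out of the tunnel, so the remote server sees 10.100.253.2 as the
# source address. This can be left out only if the server's allowed-ips for the
# VyOS peer also covers 10.100.254.0/24 and the server routes that prefix back
# into the tunnel, which is the situation the original poster describes.
set nat source rule 100 outbound-interface wg0
set nat source rule 100 source address 10.100.254.0/24
set nat source rule 100 translation address masquerade

commit
save
```

After committing, `show ip route table 100` should list only the default route via wg0, and `show policy route` shows the rule counters incrementing as VM traffic hits rule 10. Keeping the tunnel default route in its own table rather than in the main table is what avoids the failure reported in the first post: a 0.0.0.0/0 route to wg0 in the main table also captures the UDP packets WireGuard itself sends to the server's public endpoint, so the tunnel can never come up.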

It worked like a charm. Even without NAT :) Thanks so much. Now I can reverse proxy anything I want from my local subnet.

Outstanding! Glad I was able to help you out. What’s more, the more I explain things to others, the more sense it makes to me! Enjoy!
