Routing/firewall/VLAN issue with WireGuard VPN

Another update: I installed a fresh VyOS image on a fresh VM, and this also has the errors in /var/log/vyatta/cfg-stdout.log:

vyos@vyos:/var/log/vyatta$ head -n 5 cfg-stdout.log 
cp[/opt/vyatta/config/tmp/new_config_1549]->[/opt/vyatta/config/tmp/tmp_1549/work]
recursive_copy_dir failed due to boost::filesystem::copy_file: Invalid cross-device link: "/opt/vyatta/config/tmp/new_config_1549/system/syslog/global/facility/local7/level/node.val", "/opt/vyatta/config/tmp/tmp_1549/work/system/syslog/global/facility/local7/level/node.val" in copy_file. Falling back to internal stream_file
recursive_copy_dir failed due to boost::filesystem::copy_file: Invalid cross-device link: "/opt/vyatta/config/tmp/new_config_1549/system/syslog/global/facility/all/level/node.val", "/opt/vyatta/config/tmp/tmp_1549/work/system/syslog/global/facility/all/level/node.val" in copy_file. Falling back to internal stream_file
recursive_copy_dir failed due to boost::filesystem::copy_file: Invalid cross-device link: "/opt/vyatta/config/tmp/new_config_1549/system/login/user/vyos/authentication/encrypted-password/node.val", "/opt/vyatta/config/tmp/tmp_1549/work/system/login/user/vyos/authentication/encrypted-password/node.val" in copy_file. Falling back to internal stream_file
recursive_copy_dir failed due to boost::filesystem::copy_file: Invalid cross-device link: "/opt/vyatta/config/tmp/new_config_1549/system/host-name/node.val", "/opt/vyatta/config/tmp/tmp_1549/work/system/host-name/node.val" in copy_file. Falling back to internal stream_file

I made a separate topic on this.

However, while the firewall works, the logging somehow still doesn’t work (I’m hoping this gives more clues on the WireGuard issue). I have logging enabled for FW_WAN2LOCAL and there are packets going through it, but they don’t show up in the logs:

firewall {
    name FW_WAN2LOCAL {
        default-action drop
        enable-default-log
        rule 200 {
            action accept
            description "accept established/related"
            log enable
            state {
                established enable
                related enable
            }
        }
        rule 210 {
            action accept
            description wireguard
            destination {
                port 51820
            }
            log enable
            protocol udp
            state {
                new enable
            }
        }
    }
}

vyos@vyos:/var/log$ show firewall statistics
[...]
IPv4 Firewall "FW_WAN2LOCAL"

Rule       Packets    Bytes  Action    Source     Destination
-------  ---------  -------  --------  ---------  -------------
200           2359   742017  accept    0.0.0.0/0  0.0.0.0/0
210              4      704  accept    0.0.0.0/0  0.0.0.0/0
default        236    17655  drop      0.0.0.0/0  0.0.0.0/0

vyos@vyos:/var/log$ grep FW_WAN2LOCAL /var/log/messages
vyos@vyos:/var/log$ 
vyos@vyos:/var/log$ show log firewall name FW_WAN2LOCAL
vyos@vyos:/var/log$ 

Update: also, looking at the underlying iptables config I don’t see any configuration(?):

vyos@vyos:/var/log/vyatta$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination