You can enable debug output manually (it will be implemented as an option in the future).
When you are logged in, do a sudo echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control to enable it. To disable it you can pass -p, like: echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control
Did you set a route? (set protocol static <allowed-ip(s)> interface ....). Once done, try to ping the other side, see what's in the logs, and check via tcpdump whether your wg01 interface carries any traffic.
I see packets coming but not going. And I only see them on one of my upstream interfaces (eth3), whereas I am trying to bind the tunnel to my public IP (internal side) set on eth0.
vyos@router# tcpdump -i eth3 udp port 4000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 262144 bytes
09:25:40.204331 IP 183.182.114.95.7244 > 103.10.24.2.4000: UDP, length 148
09:25:43.354174 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:25:48.378260 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:25:53.400523 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:25:58.418652 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:26:03.441891 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:26:08.585301 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:26:13.720190 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:26:18.867208 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:26:23.920439 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:26:28.955403 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
09:26:34.018207 IP 183.182.114.95.7249 > 103.10.24.2.4000: UDP, length 148
^C
12 packets captured
12 packets received by filter
Do a sudo /bin/bash before the module call. vbash seems not to have root permissions. If no traffic hits your interface, either you don't have a route, or your key setup is incorrect, or your allowed-ips doesn't fit the subnet you want to use. Check that at least one side can reach the wg port you opened (check your fw rules); if that's the case, with the debug command you should see successful key exchanges. If that works, let's have a look at your setup in general. Can you post your wg config and your routes? (Don't post private keys.)
wireguard wg01 {
    address 122.16.100.1/24
    peer Mat {
        allowed-ips 122.16.100.3/32
        persistent-keepalive 15
        pubkey ****************
    }
    port 4000
}
Your allowed IPs won't be routed into wg01 unless you set a host route, as it is part of the external address. You can do address 122.16.100.1/32; that is going to be the address wg opens port 4000 on.
You don't need keepalive; it is only necessary if you have NAT and only have the chance to do the handshake from one side. Your allowed-ips is basically the host or network which will be encapsulated; that's why you need the /32 netmask in your case on address.
Then you need an interface route for 122.16.100.3/32, like protocols static interface-route 122.16.100.3/32 next-hop-interface wg01.
As soon as you initiate traffic (ping 122.16.100.3), wg will connect to the other side and should do a key exchange. You can watch the log and verify with tcpdump; if that fails, it needs to be fixed first. If that works, verify with tcpdump the traffic in wg01, tcpdump -nne -i wg01 for instance; if there is no traffic, your key setup is faulty (it should also show you error messages with HMAC etc. in syslog).
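The routing advice in the last replies (drop the /24 on wg01 in favour of a /32 and add an interface route for the peer's allowed-ips) can be checked mechanically. The following is an added example, not code from the thread or from VyOS: it models the kernel's longest-prefix route lookup over a small constructed route table and reports, for each allowed-ips entry, whether traffic would actually leave through the WireGuard interface. The route tables, the assumption that the public /24 is a connected route on eth0, and the tie-break (first route wins on equal prefix length, standing in for whichever route the kernel installed first) are all constructed for the example.

```python
"""Check a WireGuard peer setup for the routing pitfall from the thread.

Added example, not VyOS tooling. It models a longest-prefix route lookup
over a constructed route table and applies the thread's three rules:
  1. each allowed-ips entry must resolve to the WireGuard interface,
  2. allowed-ips must not sit inside a connected subnet taken from the
     interface address (use a /32 on the interface instead),
  3. persistent-keepalive is only needed behind NAT.
"""
import ipaddress

# Constructed route table matching the original poster's setup (assumption):
# the public /24 is a connected route on eth0, and wg01 was given .1/24 from
# the same range, so the kernel ends up with two competing /24 routes.
ROUTES_BEFORE = [
    ("0.0.0.0/0", "eth3"),
    ("122.16.100.0/24", "eth0"),   # assumed public subnet on eth0
    ("122.16.100.0/24", "wg01"),   # connected route from address .1/24 on wg01
]

# Same table after the advice: wg01 address as /32 (no connected /24 route)
# plus an explicit interface route for the peer's allowed-ips via wg01.
ROUTES_AFTER = [
    ("0.0.0.0/0", "eth3"),
    ("122.16.100.0/24", "eth0"),
    ("122.16.100.3/32", "wg01"),   # interface-route 122.16.100.3/32 -> wg01
]


def lookup(dst, routes):
    """Return the egress interface for dst by longest-prefix match.

    On equal prefix length the first entry in the table wins; this stands in
    for whichever route the kernel installed first (an assumption).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def check_peer(wg_iface, wg_address, allowed_ips, routes, keepalive=None):
    """Return a list of findings for one peer, following the thread's advice."""
    findings = []
    iface = ipaddress.ip_interface(wg_address)
    for allowed in allowed_ips:
        net = ipaddress.ip_network(allowed)
        dev = lookup(net.network_address, routes)
        if dev != wg_iface:
            findings.append(
                f"{allowed}: routed via {dev}, not {wg_iface}; "
                f"add an interface route for {allowed} via {wg_iface}")
        # Rule 2: a non-/32 interface address installs a connected route that
        # competes with the uplink's route for the same range.
        if iface.network.prefixlen < 32 and net.subnet_of(iface.network):
            findings.append(
                f"{allowed} lies inside {iface.network} taken from the "
                f"interface address; use {iface.ip}/32 instead")
    if keepalive:
        findings.append("persistent-keepalive is only needed behind NAT")
    return findings


if __name__ == "__main__":
    # Original config from the thread: address .1/24, allowed-ips .3/32, keepalive 15
    for f in check_peer("wg01", "122.16.100.1/24", ["122.16.100.3/32"],
                        ROUTES_BEFORE, keepalive=15):
        print("before:", f)
    # Corrected config: address .1/32 and an interface route for .3/32
    print("after:", check_peer("wg01", "122.16.100.1/32",
                               ["122.16.100.3/32"], ROUTES_AFTER))
```

Run it as a script to see the three findings for the posted config and an empty list for the corrected one; on a real router, replace the constructed tables with the output of ip route so the lookup reflects the actual kernel state.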