Unable to get wireguard client-to-server configuration working

ddiguru · January 14, 2020, 11:07pm

I am trying to set up a VPN server on VyOS 1.3 using wiregaurd with a single client, an iPad Pro as the other end. I’m using the following:

Version:          VyOS 1.3-rolling-201912271900
Built by:         autobuild@vyos.net
Built on:         Fri 27 Dec 2019 19:00 UTC
Build UUID:       95437501-980e-48ea-aa3f-2e6182f9532c
Build Commit ID:  ef122b630db38e

My server configuration is as follows:

set interfaces wireguard wg0 address '192.168.254.1/24'
set interfaces wireguard wg0 description 'wireguard vpn server'
set interfaces wireguard wg0 peer ipad allowed-ips '192.168.254.10/32'
set interfaces wireguard wg0 peer ipad persistent-keepalive '15'
set interfaces wireguard wg0 peer ipad pubkey '<redacted pub key>'
set interfaces wireguard wg0 port '12345'

On my client, an Apple iPad Pro, I’m using the Wireguard VPN client. I’ve exported it’s configuration and have the following:

[Interface]
PrivateKey = <redacted private key of ipad client>
Address = 192.168.254.10/24

[Peer]
PublicKey = <redacted pub key of the server>
AllowedIPs = 192.168.254.1/32
Endpoint = <public_ip_address_of_vyos_device>:12345

According to the iPad client, i’m establishing a tunnel.

[NET] peer (yEjv...ti1A) - Starting...
[NET] peer (yEjv...ti1A) - Routine: sequential receiver - started
[NET] peer (yEjv...ti1A) - Routine: nonce worker - started
[NET] peer (yEjv...ti1A) - Routine: sequential sender - started
[NET] Device started
[APP] Tunnel 'wg1' connection status changed to 'connected'

I’m not able to ping client->server OR server->client.

When i attempt to ping from VyOS to the iPAD, i’m getting an odd message:

ping 192.168.254.10
PING 192.168.254.10 (192.168.254.10): 56 data bytes
/bin/ping: sending packet: Destination address required

When i ping from iPAD to VyOS, i get no response.

Show interface reveals errors and drops on the VyOS side:

show interfaces wireguard wg0
interface: wg0
  description: wireguard vpn server
  address: 192.168.254.1/24
  public key: <redacted key of vyos>
  private key: (hidden)
  listening port: 12345

  peer: ipad
    public key: <redacted key of ipad>
    allowed ips: 192.168.254.10/32
    persistent keepalive: every 15 seconds

  RX:
    bytes    packets    errors    dropped    overrun    mcast
        0          0         0          0          0        0

  TX:
    bytes    packets    errors    dropped    carrier    collisions
        0          0       597         49          0             0

Additionally,

sudo wg show
interface: wg0
  public key: <redacted pubkey of vyos>
  private key: (hidden)
  listening port: 12345

peer: <redacted pubkey of ipad>
  allowed ips: 192.168.254.10/32
  persistent keepalive: every 15 seconds

I have the following firewall rule as well… applied to eth0, my WAN interface

set firewall name WAN_IN rule 80 action 'accept'
set firewall name WAN_IN rule 80 destination port '12345'
set firewall name WAN_IN rule 80 protocol 'udp'

Any thoughts on this? Troubleshooting tips? I’m stumped… Thanks

PS… Is this a NAT thing?

s.lorente · January 15, 2020, 12:43am

Hi @ddiguru

At VyOS, did you define an interface-route for network 192.168.254.0/24 to get through wg0 interface?

set protocols static interface-route 192.168.254.0/24 next-hop-interface wg0

hagbard · January 15, 2020, 1:08am

see WireGuard — VyOS 1.4.x (sagitta) documentation
, as @s.lorente already suggested, looks like you don’t have a route. You will only keepalive set if your endpoint connection is via NAT. So if you endpoint is <public_ip:port> and not a RFC1918 or something like that , you won’t need NAT at all.

ddiguru · January 15, 2020, 5:17am

I did not, since it looked like i already had a route for it due to:

redistribute connected

I show the following in my routing table w/o the interface-route:

O   192.168.254.0/24 [110/10] is directly connected, wg0, 00:10:32
C>* 192.168.254.0/24 is directly connected, wg0, 00:10:32

And clients from the inside can ping 192.168.254.1 w/o any problem.

I have removed the unneeded keepalive, but still am unable to ping in the tunnel. I tried the above command for adding the static interface-route, but still to no avail.

s.lorente · January 15, 2020, 12:55pm

Can’t you ping from your client to your VyOS server?
What’s the outcome?
It’d be nice to check with Wireshark.

I have emulated your environment in a lab and everything worked ok.

You have a Road Warrior VPN setup, so when your VyOS server is the first one trying to start communications, it is normal if you get

ping 192.168.254.10
PING 192.168.254.10 (192.168.254.10): 56 data bytes
/bin/ping: sending packet: Destination address required

Just let your client ping your VyOS server first, and then your VyOS server will be able to ping your client too.

If you want your VyOS server to be able to be the first one starting the communications, you would need to go for a standard configuration in which you would have to let VyOS know the endpoint address (your client address), as explained at https://vyos.readthedocs.io/en/latest/vpn/wireguard.html

ddiguru · January 15, 2020, 2:04pm

@s.lorente, yes i want to have the RoadWarrior set up since my F/W and gateway to my network has a static public IP, and the “clients” will eventually be my laptop(s) and/or iPhone and iPad devices. This will let me be away from the office but allow me to connect to internal resources. When I tried pinging from the Client to the VyOS IP, i get no response.

Q: Should my firewall rule that permits udp traffic to 51820 be applied to WAN_IN or WAN_LOCAL? With regard to IPv6 it’s slightly different since i’m using HE.NET tunnel… eg. TUN_IN or TUN_LOCAL for that… Curious if it matters. I once had OpenVPN configured and functioning, and i believe that i used WAN_LOCAL for the IPv4 firewall rule supporting that.

Q: if i was to set up pcap, should i sniff traffic on eth0 or wg0?

ddiguru · January 15, 2020, 2:59pm

Success!

show interfaces wireguard wg0
interface: wg0
  description: wireguard vpn server
  address: 192.168.254.1/24, 2001:470:8759:254::1/64
  public key: **********
  private key: (hidden)
  listening port: 51820

  peer: ipad
    public key: **********
    latest handshake: 0:00:17
    status: active
    endpoint: [2600:1:960f:ef7:e9ec:1c4f:a552:e21a]:65290
    allowed ips: 192.168.254.10/32, 2001:470:8759:254::10/128
    transfer: 740 KB received, 2 MB sent
    persistent keepalive: every 15 seconds

  peer: iphone
    public key: **********
    allowed ips: 192.168.254.20/32, 2001:470:8759:254::20/128
    persistent keepalive: every 15 seconds

  RX:
    bytes    packets    errors    dropped    overrun    mcast
   758300       4767         0          0          0        0

  TX:
    bytes    packets    errors    dropped    carrier    collisions
  2790836       4673       261         23          0             0

My problem(s) were mostly on the client side and had to do with Cell vs Wifi connectivity and assumptions. I focused on Cell only, which meant IPv6 from my carrier. I will have to create a couple of Wireguard Interfaces or profiles on the iPhone and iPad - one for v4 the other v6.

FYI - i put my IPv6 f/w rule on TUN_LOCAL and the IPv4 rule on WAN_LOCAL as i had done w/ OpenVPN. Not sure if that is best way or not.

I’ll have to continue to play with this, as i want to ensure that i properly secure it. I think what i’m tripping on most is that it is not private, and with “set firewall all-ping ‘enable’”, you can ping IPv6 addresses inside the wg0 tunnel w/o being in it.

Thanks for ideas, help and suggestions!

s.lorente · January 16, 2020, 7:14am

You are welcome. Enjoy your VPN!