Vyos 1.5 rolling Wireguard peer cannot be accessed by local devices

I’m trying to establish a bidirectional Wireguard connection to a remote server (running Ubuntu 24.04). I want it to be accessible to each device on the network.

This is my current Wireguard config on the Vyos router, with firewall and static routing:

set interfaces wireguard wg01 address '10.1.0.1/31'
set interfaces wireguard wg01 description 'home-dns-tunnel'
set interfaces wireguard wg01 ip adjust-mss 'clamp-mss-to-pmtu'
set interfaces wireguard wg01 mtu '1412'
set interfaces wireguard wg01 peer proxy address 'Ubuntu-address'
set interfaces wireguard wg01 peer proxy allowed-ips '10.1.0.2/31'
set interfaces wireguard wg01 peer proxy persistent-keepalive '15'
set interfaces wireguard wg01 peer proxy port '51820'
set interfaces wireguard wg01 peer proxy preshared-key 'shared-key'
set interfaces wireguard wg01 peer proxy public-key 'Ubuntu-pubkey'
set interfaces wireguard wg01 per-client-thread
set interfaces wireguard wg01 port '51820'
set interfaces wireguard wg01 private-key 'vyos-private-key'

set protocols static route 10.0.0.0/16 interface wg01
set protocols static route 10.0.0.0/16 next-hop 10.1.0.1

set firewall ipv4 name WIREGUARD rule 10 action 'accept'
set firewall ipv4 name WIREGUARD rule 10 description 'Allow established/related'
set firewall ipv4 name WIREGUARD rule 10 state 'established'
set firewall ipv4 name WIREGUARD rule 10 state 'related'
set firewall ipv4 name WIREGUARD rule 20 action 'accept'
set firewall ipv4 name WIREGUARD rule 20 description 'WireGuard_IN'
set firewall ipv4 name WIREGUARD rule 20 destination port '51820'
set firewall ipv4 name WIREGUARD rule 20 inbound-interface group 'WAN'
set firewall ipv4 name WIREGUARD rule 20 log
set firewall ipv4 name WIREGUARD rule 20 protocol 'udp'
set firewall ipv4 name WIREGUARD rule 20 source
set firewall ipv4 name WIREGUARD rule 30 action 'accept'
set firewall ipv4 name WIREGUARD rule 30 description 'Allow traffic from 10.0.0.0/16 to 10.1.0.0/31'
set firewall ipv4 name WIREGUARD rule 30 destination address '10.1.0.2/31'
set firewall ipv4 name WIREGUARD rule 30 protocol 'all'
set firewall ipv4 name WIREGUARD rule 30 source address '10.0.0.0/16'

And this is my remote Wireguard config:

[Interface]
Address = 10.1.0.2/32
PrivateKey = Ubuntu-private-key
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens1 -j MASQUERADE

[Peer]
PublicKey = vyos-pubkey
PresharedKey = pre-shared-key
Endpoint = vyos-address
AllowedIPs = 10.1.0.1/32
PersistentKeepalive = 15

The remote Ubuntu server can acces any device the 10.0.0.0/16 subnet, but none of the devices can acces the peer.

Connectivity wise I have added a second peer in the Ubuntu server’s config, that can acces it, so I ruled out connectivity issue. I also triple check-ed every key so that they are correct.

Is there a error in my configuration, that blocks acces to the remote device from my local network?

Change AllowedIPs = 10.1.0.1/32 to AllowedIPs = 10.0.0.0/16

[Interface]
Address = 10.1.0.2/32
PrivateKey = Ubuntu-private-key
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens1 -j MASQUERADE

[Peer]
PublicKey = vyos-pubkey
PresharedKey = pre-shared-key
Endpoint = vyos-address
AllowedIPs = 10.0.0.0/16
PersistentKeepalive = 15

I modified my AllowedIPs form 10.1.0.1/32 to 10.0.0.0/16, but sadly no change:
I can still acces with the remote peer my devices in the internal network, but from the same internal network devices I can’t acces the remote peer.

delete all firewall settings for wireguard firstly. then check connection.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.