VyOS Router 1.3 WireGuard VPN cannot ping Client Peer on Tablet

I have a VyOS WireGuard server config interface: wg0 and cannot ping from server to client. Also the logs show no handshake.

I am new to WireGuard and VyOS and cannot get it to work. Here is the config.

Server

address: 10.1.40.21/24
public key: UowO3EIpY5+BevQMiz0rT+lZlj0R5L38ZbXhVYSdWhw=
private key: (hidden)
listening port: 51820

peer: IIT
public key: 2HMtQ1SCcFk6B3AA3p4P78HRRsT6NXXWVRZkRycy5k0=
allowed ips: 10.1.40.0/24, 10.1.40.24/32
persistent keepalive: every 15 seconds

Client

[Interface]
Address = 10.1.40.24/24
DNS = 10.1.40.250
ListenPort = 51820
PrivateKey = YCoOCa4QABmmoDOvhKtZ+roeGAiRAd5pDZ/WXWWQBko=

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = 64.131.109.245:5180
PersistentKeepalive = 15
PublicKey = Uow03EIpY5+BevQMizOrT+1z1jOR5L38ZbXhVYSdWhw=

Did you set up any routing policy?
Without any of it, sure you can't ping each other.

I have static routes built and firewall opened. I have other VPNs IPSEC and L2TP established in the router as well.

Here is my firewall setting

set firewall name wan-local rule 60 description 'allow wireguard'
set firewall name wan-local rule 60 destination port '51820'
set firewall name wan-local rule 60 protocol 'udp'

I did not set up PBR and am not sure how. I have other VPNs IPSEC and L2TP working in the router.

Hi @jcusimano
Can you reach your WireGuard endpoint (64.131.109.245) from the client side?
If yes, then on your client side:
Remove line: ListenPort = 51820
Change line: Endpoint = 64.131.109.245:5180 to Endpoint = 64.131.109.245:51820
Down/Up interface and check it

Thanks for your reply. Any help is appreciated. I am beginning to believe there is a conflict with my other router IPSEC and L2TP configurations.

Here is my new configuration. I used a different subnet so it does not conflict with my other IPSEC VPN subnets.

I still cannot ping either direction.

set nat source rule 19 destination address '10.15.99.0/24'
set nat source rule 19 exclude
set nat source rule 19 outbound-interface 'eth1'
set nat source rule 19 source
set nat source rule 19 translation address 'masquerade'

set firewall name wan-local rule 60 action 'accept'
set firewall name wan-local rule 60 description 'allow wireguard'
set firewall name wan-local rule 60 destination port '51820'
set firewall name wan-local rule 60 protocol 'udp'

interface: wg0
address: 10.1.99.3/24
public key: UowO3EIpY5+BevQMiz0rT+lZlj0R5L38ZbXhVYSdWhw=
private key: (hidden)
listening port: 51820

peer: IIT
public key: o2guA4PjufIQSRrB06KJFYSjVJSsjGkPjx57VHuh2Xc=
allowed ips: 10.1.99.4/32
persistent keepalive: every 15 seconds

peer: tab
public key: Fq82+u6tU/GK0lkj/d3EWlDwsohpFRsfQaTgOZ9NTwQ=
allowed ips: 10.1.99.5/32
persistent keepalive: every 15 seconds

RX:  bytes  packets  errors  dropped  overrun       mcast
         0        0       0        0        0           0
TX:  bytes  packets  errors  dropped  carrier  collisions
         0        0   71406     5898        0           0

vyos@vyos:~$

[Interface]
Address = 10.1.99.4/24
DNS = 10.1.40.250
ListenPort = 51820
PrivateKey = o2guA4PjufIQSRrB06KJFYSjVJSsjGkPjx57VHuh2Xc=

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = 64.131.109.245:51820
PersistentKeepalive = 15
PublicKey = Uow03EIpY5+BevQMizOrT+1z1jOR5L38ZbXhVYSdWhw=
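
An added example, not part of the original thread or of VyOS: a Python cross-check of the client file against the server's wg0 summary, using the values as posted above. It compares the endpoint port with the listening port, compares the client's [Peer] PublicKey with the server's public key as exact strings, and checks that the key registered for the peer on the server is the X25519 public key of the client's PrivateKey. The function names and the `SERVER` dictionary layout are assumptions of this example.

```python
import base64

P = 2**255 - 19  # Curve25519 field prime

def x25519_public(priv_b64):
    """Public key (X25519 on base point 9, RFC 7748) for a base64 private key."""
    k = bytearray(base64.b64decode(priv_b64))
    k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp the scalar
    k = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):                   # Montgomery ladder
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return base64.b64encode((x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")).decode()

def parse_client(text):
    """Parse a wg-quick file with a single [Peer] into {section: {key: value}}."""
    conf, sec = {}, None
    for line in text.splitlines():
        if line.strip().startswith("["):
            sec = conf.setdefault(line.strip().strip("[]"), {})
        elif "=" in line and sec is not None:
            key, val = line.split("=", 1)            # base64 values end in '='
            sec[key.strip()] = val.strip()
    return conf

def check(client_text, server, peer):
    """Compare one client config with the server's wg0 settings; return findings."""
    conf = parse_client(client_text)
    iface, cpeer, found = conf["Interface"], conf["Peer"], []
    port = int(cpeer["Endpoint"].rsplit(":", 1)[1])
    if port != server["port"]:
        found.append(f"endpoint port {port} != listening port {server['port']}")
    if cpeer["PublicKey"] != server["public_key"]:
        found.append("[Peer] PublicKey is not the server's public key")
    registered = server["peers"][peer]
    if registered == iface["PrivateKey"]:
        found.append("server peer pubkey is the client's PrivateKey string")
    elif registered != x25519_public(iface["PrivateKey"]):
        found.append("server peer pubkey is not derived from the client's PrivateKey")
    return found

# Values as posted above (server: wg0 summary; client: the [Interface]/[Peer] file).
SERVER = {"public_key": "UowO3EIpY5+BevQMiz0rT+lZlj0R5L38ZbXhVYSdWhw=", "port": 51820,
          "peers": {"IIT": "o2guA4PjufIQSRrB06KJFYSjVJSsjGkPjx57VHuh2Xc="}}
CLIENT = """[Interface]
Address = 10.1.99.4/24
PrivateKey = o2guA4PjufIQSRrB06KJFYSjVJSsjGkPjx57VHuh2Xc=
[Peer]
Endpoint = 64.131.109.245:51820
PublicKey = Uow03EIpY5+BevQMizOrT+1z1jOR5L38ZbXhVYSdWhw=
"""

if __name__ == "__main__":
    for finding in check(CLIENT, SERVER, "IIT"):
        print("MISMATCH:", finding)
```

A WireGuard peer only completes a handshake when each side holds the other's exact public key, so any finding from the key checks is enough to explain a tunnel with zero RX bytes.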

Where is the static routing/ dynamic routing for wireguard network?

set protocols static interface-route 10.1.99.0/24 next-hop-interface wg0
set protocols static interface-route 10.1.99.4/32 next-hop-interface wg0

@jcusimano can you please share your full configuration and connection diagram?

Here is my WireGuard configuration. My router config is large with many IPSEC and l2tp VPNs.

Let me know if I should share as a next step.

Thanks,

Joe

set firewall name wan-local rule 60 action 'accept'
set firewall name wan-local rule 60 description 'allow wireguard'
set firewall name wan-local rule 60 destination port '51820'
set firewall name wan-local rule 60 protocol 'udp'

set interfaces wireguard wg0 address '10.1.99.3/24'
set interfaces wireguard wg0 peer IIT allowed-ips '10.1.99.4/32'
set interfaces wireguard wg0 peer IIT persistent-keepalive '15'
set interfaces wireguard wg0 peer IIT pubkey o2guA4PjufIQSRrB06KJFYSjVJSsjGkPjx57VHuh2Xc=

set interfaces wireguard wg0 peer tab allowed-ips '10.1.99.5/32'
set interfaces wireguard wg0 peer tab persistent-keepalive '15'
set interfaces wireguard wg0 peer tab pubkey 'Fq82+u6tU/GK0lkj/d3EWlDwsohpFRsfQaTgOZ9NTwQ='
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 private-key 'default'

set protocols static interface-route 10.1.99.0/24 next-hop-interface wg0

set nat source rule 17 destination
set nat source rule 17 outbound-interface 'eth1'
set nat source rule 17 source address '10.15.99.0/24'
set nat source rule 17 translation a

This was the last line of config. It was cut off

Set nat source rule 17 translation address masquerade.

# Server
set protocols static interface-route 10.1.99.0/24 next-hop-interface wg0
set interfaces wireguard wg0 peer tab allowed-ips '10.1.99.0/24'
# Client
[Interface]
Address = 10.1.99.4/32
DNS = 10.1.40.250
PrivateKey = o2guA4PjufIQSRrB06KJFYSjVJSsjGkPjx57VHuh2Xc=

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = 64.131.109.245:51820
PersistentKeepalive = 3
PublicKey = Uow03EIpY5+BevQMizOrT+1z1jOR5L38ZbXhVYSdWhw=

Thanks for the input. I set the config to your suggestions. Still cannot ping. I get
PING 10.1.99.4 (10.1.99.4) 56(84) bytes of data.
From 10.1.99.3 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required

Hi @jcusimano, I have created a lab according to the information that you have shared.
Here is all the configuration. I have checked that both clients and the server work without any problem.
-------------- The Keys -----------------------------

privkey default
EAIljv6wUPTfrgG1Gwon8a+GIzqZuRRmve2kgVJIFEM=

pubkey default
nOp1gE2ZtJQbvl1a2YsGQbQfqfhojjLsNls8ZVczzhY=

=============================================

privkey IIT
ELqtft2PAuoPN+CbkOV0etfUvhpzEgh5ncYMeYLZt3Y=

pubkey IIT
p+lPs+DZMgtkh6PrOLXb8sidkWmXR5u2XNMAEHp2lRc=

=============================================

privkey tab
AEo0N9QclevtVfl+jVrd5mhRlJ5d4uG8yWqrqUBrNmw=

pubkey tab
qtC90rW0tyd8yq5IdG9YWIrQS5faF/fhTOPJW6f8LhI=

----------------- Server Configuration -------------------------

set firewall name wan-local rule 60 action 'accept'
set firewall name wan-local rule 60 description 'allow wireguard'
set firewall name wan-local rule 60 destination port '51820'
set firewall name wan-local rule 60 protocol 'udp'

set interfaces ethernet eth0 address '64.131.109.245/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 firewall local name 'wan-local'

set interfaces ethernet eth1 address '10.15.99.1/24'
set interfaces ethernet eth1 description 'LAN'

set interfaces wireguard wg0 address '10.1.99.3/24'
set interfaces wireguard wg0 description 'Test'
set interfaces wireguard wg0 port '51820'

set interfaces wireguard wg0 peer IIT allowed-ips '10.1.99.4/32'
set interfaces wireguard wg0 peer IIT persistent-keepalive '15'
set interfaces wireguard wg0 peer IIT pubkey 'p+lPs+DZMgtkh6PrOLXb8sidkWmXR5u2XNMAEHp2lRc='

set interfaces wireguard wg0 peer tab allowed-ips '10.1.99.5/32'
set interfaces wireguard wg0 peer tab persistent-keepalive '15'
set interfaces wireguard wg0 peer tab pubkey 'qtC90rW0tyd8yq5IdG9YWIrQS5faF/fhTOPJW6f8LhI='

set nat source rule 17 outbound-interface 'eth0'
set nat source rule 17 source address '10.15.99.0/24'
set nat source rule 17 translation address 'masquerade'
set protocols static interface-route 10.1.99.0/24 next-hop-interface wg0

----------------------- Client IIT configuration -----------------------

[Interface]
Address = 10.1.99.4/32
DNS = 10.1.40.250
PrivateKey = ELqtft2PAuoPN+CbkOV0etfUvhpzEgh5ncYMeYLZt3Y=

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = 64.131.109.245:51820
PersistentKeepalive = 25
PublicKey = nOp1gE2ZtJQbvl1a2YsGQbQfqfhojjLsNls8ZVczzhY=

--------------------------------- Client Tab configuration ------------------------

[Interface]
Address = 10.1.99.5/32
DNS = 10.1.40.250
PrivateKey = AEo0N9QclevtVfl+jVrd5mhRlJ5d4uG8yWqrqUBrNmw=

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = 64.131.109.245:51820
PersistentKeepalive = 25
PublicKey = nOp1gE2ZtJQbvl1a2YsGQbQfqfhojjLsNls8ZVczzhY=

PS. Subnet mask and interface number can be different in your system.

Checking via ‘ping’

IIT#

ping 10.1.99.3
PING 10.1.99.3 (10.1.99.3) 56(84) bytes of data.
64 bytes from 10.1.99.3: icmp_seq=1 ttl=64 time=2.01 ms
64 bytes from 10.1.99.3: icmp_seq=2 ttl=64 time=3.54 ms
64 bytes from 10.1.99.3: icmp_seq=3 ttl=64 time=2.67 ms

ping 10.15.99.1
PING 10.15.99.1 (10.15.99.1) 56(84) bytes of data.
64 bytes from 10.15.99.1: icmp_seq=1 ttl=64 time=4.02 ms
64 bytes from 10.15.99.1: icmp_seq=2 ttl=64 time=3.25 ms
64 bytes from 10.15.99.1: icmp_seq=3 ttl=64 time=3.71 ms

===========================================================

Tab#

ping 10.1.99.3
PING 10.1.99.3 (10.1.99.3) 56(84) bytes of data.
64 bytes from 10.1.99.3: icmp_seq=1 ttl=64 time=6.20 ms
64 bytes from 10.1.99.3: icmp_seq=2 ttl=64 time=3.69 ms
64 bytes from 10.1.99.3: icmp_seq=3 ttl=64 time=3.65 ms

vyos@Tab# ping 10.15.99.1
PING 10.15.99.1 (10.15.99.1) 56(84) bytes of data.
64 bytes from 10.15.99.1: icmp_seq=1 ttl=64 time=2.06 ms
64 bytes from 10.15.99.1: icmp_seq=2 ttl=64 time=3.12 ms
64 bytes from 10.15.99.1: icmp_seq=3 ttl=64 time=3.77 ms

$ sh version
Version: VyOS 1.3.2

Please apply all the configuration above and check.
If you see an extra problem, please share all your configuration.

Yes the interfaces are different. Here are mine. I will try the config. Thanks for all your help!

set interfaces ethernet eth0 address '10.1.40.1/24'
set interfaces ethernet eth0 description '40net'
set interfaces ethernet eth0 hw-id '00:50:56:ac:7d:97'
set interfaces ethernet eth0 mirror egress 'eth4'
set interfaces ethernet eth0 mirror ingress 'eth4'
set interfaces ethernet eth1 address '64.131.109.245/25'
set interfaces ethernet eth1 address '66.170.45.30/32'
set interfaces ethernet eth1 description '109net'
set interfaces ethernet eth1 hw-id '00:50:56:ac:7c:83'
set interfaces ethernet eth1 mirror egress 'eth4'
set interfaces ethernet eth1 mirror ingress 'eth4'
set interfaces ethernet eth2 address '66.170.45.62/26'
set interfaces ethernet eth2 hw-id '00:0c:29:1c:8d:fb'
set interfaces ethernet eth3 hw-id '00:0c:29:1c:8d:05'
set interfaces ethernet eth4 hw-id '00:0c:29:1c:8d:0f'
set interfaces loopback lo
set interfaces wireguard wg0 address '10.1.99.3/24'
set interfaces wireguard wg0 peer IIT allowed-ips '10.1.99.0/24'
set interfaces wireguard wg0 peer IIT persistent-keepalive '15'
set interfaces wireguard wg0 peer IIT pubkey 'o2guA4PjufIQSRrB06KJFYSjVJSsjGkPjx57VHuh2Xc='
set interfaces wireguard wg0 peer tab allowed-ips '10.1.99.5/32'
set interfaces wireguard wg0 peer tab persistent-keepalive '15'
set interfaces wireguard wg0 peer tab pubkey 'Fq82+u6tU/GK0lkj/d3EWlDwsohpFRsfQaTgOZ9NTwQ='
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 private-key 'default'

I applied the Firewall rule Wan-Local to my outbound interface eth1 and lost the other IPSEC VPNs in my router. Am I going to need another public interface for WireGuard?

Also I do not see where you set the keys for the WG0 interface.

Thanks,

Joe

I lost the existing

Here is my config. Following this config is part of my router config.

set firewall name wan-local rule 60 action 'accept'
set firewall name wan-local rule 60 description 'allow wireguard'
set firewall name wan-local rule 60 destination port '51820'
set firewall name wan-local rule 60 protocol 'udp'
set interfaces ethernet eth1 firewall local name 'wan-local'
set interfaces wireguard wg0 address '10.1.99.3/24'
set interfaces wireguard wg0 peer IIT allowed-ips '10.1.99.4/32'
set interfaces wireguard wg0 peer IIT persistent-keepalive '15'
set interfaces wireguard wg0 peer IIT pubkey p+lPs+DZMgtkh6PrOLXb8sidkWmXR5u2XNMAEHp2lRc=

set interfaces wireguard wg0 peer tab allowed-ips '10.1.99.5/32'
set interfaces wireguard wg0 peer tab persistent-keepalive '15'
set interfaces wireguard wg0 peer tab pubkey qtC90rW0tyd8yq5IdG9YWIrQS5faF/fhTOPJW6f8LhI=

set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 private-key 'default'

set protocols static interface-route 10.1.99.0/24 next-hop-interface wg0

[Interface]
Address = 10.1.99.4/32
DNS = 10.1.40.250
PrivateKey = ELqtft2PAuoPN+CbkOV0etfUvhpzEgh5ncYMeYLZt3Y=

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = 64.131.109.245:51820
PersistentKeepalive = 25
PublicKey =UowO3EIpY5+BevQMiz0rT+lZlj0R5L38ZbXhVYSdWhw=

interface: wg0
address: 10.1.99.3/24
public key: UowO3EIpY5+BevQMiz0rT+lZlj0R5L38ZbXhVYSdWhw=
private key: (hidden)
listening port: 51820

peer: IIT
public key: p+lPs+DZMgtkh6PrOLXb8sidkWmXR5u2XNMAEHp2lRc=
allowed ips: 10.1.99.4/32
persistent keepalive: every 15 seconds

peer: tab
public key: qtC90rW0tyd8yq5IdG9YWIrQS5faF/fhTOPJW6f8LhI=
allowed ips: 10.1.99.5/32
persistent keepalive: every 15 seconds

RX:  bytes  packets  errors  dropped  overrun       mcast
         0        0       0        0        0           0
TX:  bytes  packets  errors  dropped  carrier  collisions
         0        0      25     3128        0           0

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 32 action 'accept'
set firewall name OUTSIDE-LOCAL rule 32 source address '10.0.0.0/24'
set firewall name OUTSIDE-LOCAL rule 33 action 'accept'
set firewall name OUTSIDE-LOCAL rule 33 destination port '2222'
set firewall name OUTSIDE-LOCAL rule 33 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 34 action 'accept'
set firewall name OUTSIDE-LOCAL rule 34 source address '66.170.45.0/26'
set firewall name wan-local default-action 'drop'
set firewall name wan-local rule 60 action 'accept'
set firewall name wan-local rule 60 description 'allow wireguard'
set firewall name wan-local rule 60 destination port '51820'
set firewall name wan-local rule 60 protocol 'udp'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address '10.1.40.1/24'
set interfaces ethernet eth0 description '40net'
set interfaces ethernet eth0 hw-id '00:50:56:ac:7d:97'
set interfaces ethernet eth0 mirror egress 'eth4'
set interfaces ethernet eth0 mirror ingress 'eth4'
set interfaces ethernet eth1 address '64.131.109.245/25'
set interfaces ethernet eth1 address '66.170.45.30/32'
set interfaces ethernet eth1 description '109net'
set interfaces ethernet eth1 firewall
set interfaces ethernet eth1 hw-id '00:50:56:ac:7c:83'
set interfaces ethernet eth1 mirror egress 'eth4'
set interfaces ethernet eth1 mirror ingress 'eth4'
set interfaces ethernet eth2 address '66.170.45.62/26'
set interfaces ethernet eth2 hw-id '00:0c:29:1c:8d:fb'
set interfaces ethernet eth3 hw-id '00:0c:29:1c:8d:05'
set interfaces ethernet eth4 hw-id '00:0c:29:1c:8d:0f'
set interfaces loopback lo
set interfaces wireguard wg0 address '10.1.99.3/24'
set interfaces wireguard wg0 peer IIT allowed-ips '10.1.99.4/32'
set interfaces wireguard wg0 peer IIT persistent-keepalive '15'
set interfaces wireguard wg0 peer IIT pubkey 'p+lPs+DZMgtkh6PrOLXb8sidkWmXR5u2XNMAEHp2lRc='
set interfaces wireguard wg0 peer tab allowed-ips '10.1.99.5/32'
set interfaces wireguard wg0 peer tab persistent-keepalive '15'
set interfaces wireguard wg0 peer tab pubkey 'qtC90rW0tyd8yq5IdG9YWIrQS5faF/fhTOPJW6f8LhI='
set interfaces wireguard wg0 port '51820'
set nat source rule 1 destination address '10.0.0.0/14'
set nat source rule 1 exclude
set nat source rule 1 outbound-interface 'eth1'
set nat source rule 1 source
set nat source rule 1 translation address 'masquerade'
set nat source rule 2 destination address '10.100.0.0/16'
set nat source rule 2 exclude
set nat source rule 2 outbound-interface 'eth1'
set nat source rule 2 translation address 'masquerade'
set nat source rule 3 destination address '10.101.0.0/16'
set nat source rule 3 exclude
set nat source rule 3 outbound-interface 'eth1'
set nat source rule 3 translation address 'masquerade'
set nat source rule 4 destination address '172.24.0.0/16'
set nat source rule 4 exclude
set nat source rule 4 outbound-interface 'eth1'
set nat source rule 4 translation address 'masquerade'
set nat source rule 5 destination address '192.168.180.0/23'
set nat source rule 5 exclude
set nat source rule 5 outbound-interface 'eth1'
set nat source rule 5 translation address 'masquerade'
set nat source rule 6 destination address '198.226.45.80/28'
set nat source rule 6 exclude
set nat source rule 6 outbound-interface 'eth1'
set nat source rule 6 source
set nat source rule 6 translation address 'masquerade'
set nat source rule 7 destination address '216.221.132.64/26'
set nat source rule 7 outbound-interface 'eth1'
set nat source rule 7 source address '10.0.0.0/14'
set nat source rule 7 translation address '66.170.45.30'
set nat source rule 8 destination address '216.221.132.64/26'
set nat source rule 8 exclude
set nat source rule 8 outbound-interface 'eth1'
set nat source rule 8 source
set nat source rule 8 translation address 'masquerade'
set nat source rule 17 destination
set nat source rule 17 outbound-interface 'eth1'
set nat source rule 17 source address '66.170.45.0/26'
set nat source rule 17 translation address 'masquerade'
set nat source rule 18 destination address '10.15.98.0'
set nat source rule 18 exclude
set nat source rule 18 outbound-interface 'eth1'
set nat source rule 18 source
set nat source rule 18 translation address 'masquerade'
set nat source rule 19 destination address '10.15.99.0/24'
set nat source rule 19 exclude
set nat source rule 19 outbound-interface 'eth1'
set nat source rule 19 source
set nat source rule 19 translation address 'masquerade'
set nat source rule 100 outbound-interface 'eth1'
set nat source rule 100 source address '10.1.40.0/24'
set nat source rule 100 translation address 'masquerade'
set policy prefix-list AS65260-IN rule 10 action 'permit'
set policy prefix-list AS65260-IN rule 10 prefix '10.1.40.0/24'
set policy prefix-list AS65260-OUT rule 10 action 'permit'
set policy prefix-list AS65260-OUT rule 10 prefix '0.0.0.0/0'
set policy prefix-list AS65260-OUT rule 20 action 'permit'
set policy prefix-list AS65260-OUT rule 20 prefix '64.131.109.128/25'
set policy route-map AS65260-IN rule 10 action 'deny'
set policy route-map AS65260-IN rule 10 match ip address prefix-list 'AS65260-IN'
set policy route-map AS65260-IN rule 20 action 'permit'
set policy route-map AS65260-OUT rule 10 action 'deny'
set policy route-map AS65260-OUT rule 10 match ip address prefix-list 'AS65260-OUT'
set policy route-map AS65260-OUT rule 20 action 'permit'
set protocols bgp 65260 address-family ipv4-unicast redistribute connected
set protocols bgp 65260 address-family ipv4-unicast redistribute static
set protocols bgp 65260 neighbor 10.1.40.7 address-family ipv4-unicast nexthop-self
set protocols bgp 65260 neighbor 10.1.40.7 address-family ipv4-unicast route-map export 'AS65260-OUT'
set protocols bgp 65260 neighbor 10.1.40.7 address-family ipv4-unicast route-map import 'AS65260-IN'
set protocols bgp 65260 neighbor 10.1.40.7 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp 65260 neighbor 10.1.40.7 remote-as '65141'
set protocols bgp 65260 neighbor 10.1.40.7 update-source '10.1.40.1'
set protocols bgp 65260 parameters router-id '10.1.40.1'
set protocols static interface-route 10.1.99.0/24 next-hop-interface wg0
set protocols static route 0.0.0.0/0 next-hop 64.131.109.129
set protocols static route 10.0.0.0/14 blackhole
set protocols static route 10.1.0.0/16 blackhole

set service dhcp-server shared-network-name LAN subnet 10.1.40.0/24 default-router '10.1.40.1'
set service dhcp-server shared-network-name LAN subnet 10.1.40.0/24 dns-server '10.1.40.1'
set service dhcp-server shared-network-name LAN subnet 10.1.40.0/24 domain-name 'ng911test.iit.edu'
set service dhcp-server shared-network-name LAN subnet 10.1.40.0/24 lease '86400'
set service dhcp-server shared-network-name LAN subnet 10.1.40.0/24 range 0 start '10.1.40.215'
set service dhcp-server shared-network-name LAN subnet 10.1.40.0/24 range 0 stop '10.1.40.245'
set service dns forwarding allow-from '10.1.0.0/16'
set service dns forwarding cache-size '0'

Hi @jcusimano
I checked your configuration part in my lab.
This part is not interfering with WireGuard, and both peers (IIT and Tab) can connect to the server without any problem.
Is it possible to share another part?