What firewall/other rules need to wireguard work properly?


#1

Hello there,

I would like to try the new WireGuard function in VyOS. I followed this article: https://wiki.vyos.net/wiki/Wireguard

But I would like to ask some things:

  1. Does the “pubkey” field need the full public key, including the “=”, or not?

  2. I think other firewall / router rules are needed so that I can access it from outside, right? Is somebody able to write what these rules are?

Thanks guys!


#2

Hi Vamp,

  1. Yes.
  2. I don’t understand what you mean by that.

In general you need to do the following:

  1. generate a keypair
  2. send your public key to the opposite side; you need the public key from the other side.
  3. set up wireguard and an interface route and enjoy.

Here is an example; please note that fwmark and pre-shared key aren’t currently merged into VyOS, but they’re coming soon.

Run on both sides:

run generate wireguard keypair
run show wireguard pubkey

host wg01
set interfaces wireguard wg01 address '10.1.1.1/24'
set interfaces wireguard wg01 listen-port '12345'
set interfaces wireguard wg01 peer peer-wg02 allowed-ips '10.2.0.0/24'
set interfaces wireguard wg01 peer peer-wg02 pubkey '6LGjQmlNS5s8htMwF9m4Kg9DyOsQurGK35aAkl0QIwE='
set protocols static interface-route 10.2.0.0/24 next-hop-interface wg01

host wg02
set interfaces wireguard wg01 address '10.2.0.1/24'
set interfaces wireguard wg01 peer peer-wg01 allowed-ips '10.1.1.1/24'
set interfaces wireguard wg01 peer peer-wg01 endpoint '192.168.0.117:12345'
set interfaces wireguard wg01 peer peer-wg01 pubkey 'rdRgPBjEnE44jJwlL9Vonvg3dcOKLus8Agt+mgepdFs='
set protocols static interface-route 10.1.1.0/24 next-hop-interface wg01

Enjoy:
vyos@wg02# ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=4.62 ms
[…]

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:49:43.022428 08:00:27:dd:80:a1 > 08:00:27:85:a9:41, ethertype IPv4 (0x0800), length 170: 192.168.0.118.54147 > 192.168.0.117.12345: UDP, length 128
17:49:43.022677 08:00:27:85:a9:41 > 08:00:27:dd:80:a1, ethertype IPv4 (0x0800), length 170: 192.168.0.117.12345 > 192.168.0.118.54147: UDP, length 128

listening on wg01, link-type RAW (Raw IP), capture size 262144 bytes
17:50:05.060921 ip: 10.2.0.1 > 10.1.1.1: ICMP echo request, id 3538, seq 39, length 64
17:50:05.060968 ip: 10.1.1.1 > 10.2.0.1: ICMP echo reply, id 3538, seq 39, length 64
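Question 1 of the thread (whether the full key including the trailing "=" goes into the pubkey field) can be checked mechanically before committing a config. The checker below is an added example, not code from the thread or from VyOS: a WireGuard public key is a 32-byte Curve25519 value, which base64 always renders as 44 characters ending in a single "=", so a pasted key that is shorter, lacks the padding or contains stray characters is rejected. The two sample keys are the ones shown in the example config above.

```python
import base64
import binascii

KEY_LEN = 32  # WireGuard (Curve25519) keys are 32 bytes
B64_LEN = 44  # 32 bytes -> 44 base64 characters, the last one being '='


def is_wireguard_key(text):
    """Return True if `text` is a complete base64-encoded WireGuard key.

    Accepts only the canonical form: 44 characters from the base64 alphabet,
    ending in exactly one '=', decoding to 32 bytes. Surrounding whitespace
    (a trailing newline from `show wireguard pubkey`) is tolerated, anything
    else is rejected so a truncated or mangled paste does not get committed.
    """
    text = text.strip()
    if len(text) != B64_LEN or not text.endswith("=") or text.endswith("=="):
        return False
    try:
        raw = base64.b64decode(text, validate=True)  # validate: reject non-alphabet chars
    except (binascii.Error, ValueError):
        return False
    return len(raw) == KEY_LEN


def check_peer_pubkeys(pubkeys):
    """Map each configured peer name to True/False for its key's validity."""
    return {peer: is_wireguard_key(key) for peer, key in pubkeys.items()}


# Keys copied from the thread's example configuration
WG01_PUBKEY = "6LGjQmlNS5s8htMwF9m4Kg9DyOsQurGK35aAkl0QIwE="
WG02_PUBKEY = "rdRgPBjEnE44jJwlL9Vonvg3dcOKLus8Agt+mgepdFs="

if __name__ == "__main__":
    # Constructed peer list: one good key, one with the '=' dropped, one truncated
    print(check_peer_pubkeys({
        "peer-wg02": WG01_PUBKEY,
        "peer-no-padding": WG01_PUBKEY.rstrip("="),
        "peer-truncated": WG02_PUBKEY[:30],
    }))
```

Note that the VyOS CLI itself will not tell you whether a key is well-formed until the peer fails to handshake, so running a check like this on copied keys saves a round of packet captures like the ones above.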


#3

Do I need anything else to be able to use WireGuard?

Here are my firewall rules:

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ip-src-route 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall log-martians 'enable'
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-IN rule 20 action 'accept'
set firewall name OUTSIDE-IN rule 20 destination address '192.168.31.105'
set firewall name OUTSIDE-IN rule 20 destination port '22'
set firewall name OUTSIDE-IN rule 20 protocol 'tcp_udp'
set firewall name OUTSIDE-IN rule 20 state new 'enable'
set firewall name OUTSIDE-IN rule 21 action 'accept'
set firewall name OUTSIDE-IN rule 21 destination address '192.168.31.105'
set firewall name OUTSIDE-IN rule 21 destination port '8081'
set firewall name OUTSIDE-IN rule 21 protocol 'tcp_udp'
set firewall name OUTSIDE-IN rule 21 state new 'enable'
set firewall name OUTSIDE-IN rule 22 action 'accept'
set firewall name OUTSIDE-IN rule 22 destination address '192.168.31.105'
set firewall name OUTSIDE-IN rule 22 destination port '123'
set firewall name OUTSIDE-IN rule 22 protocol 'tcp_udp'
set firewall name OUTSIDE-IN rule 22 state new 'enable'
set firewall name OUTSIDE-IN rule 23 action 'accept'
set firewall name OUTSIDE-IN rule 23 destination address '192.168.31.105'
set firewall name OUTSIDE-IN rule 23 destination port '60145'
set firewall name OUTSIDE-IN rule 23 protocol 'tcp_udp'
set firewall name OUTSIDE-IN rule 23 state new 'enable'
set firewall name OUTSIDE-IN rule 24 action 'accept'
set firewall name OUTSIDE-IN rule 24 destination address '192.168.31.105'
set firewall name OUTSIDE-IN rule 24 destination port '8084'
set firewall name OUTSIDE-IN rule 24 protocol 'tcp_udp'
set firewall name OUTSIDE-IN rule 24 state new 'enable'
set firewall name OUTSIDE-IN rule 25 action 'accept'
set firewall name OUTSIDE-IN rule 25 destination address '192.168.31.105'
set firewall name OUTSIDE-IN rule 25 destination port '32400'
set firewall name OUTSIDE-IN rule 25 protocol 'tcp'
set firewall name OUTSIDE-IN rule 25 state new 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'

Don’t I need any new one, if I want to be able to access WireGuard from outside my local network, like on UDP port 123?


#4

You need to open at least the port you have WireGuard listening on.
It would be
set firewall name OUTSIDE-IN rule 24 proto udp
set firewall name OUTSIDE-IN rule 24 destination port 12345
or similar.
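Whether a ruleset like the one in post #3 actually admits the WireGuard listen port can be checked offline. The script below is an added example, not from the thread and not VyOS tooling: it parses the `set firewall name ...` lines posted above (trimmed to the rules that matter for a UDP check) and walks a chain first-match-wins to report the verdict for a new flow to a given protocol and port. The chain names OUTSIDE-IN and OUTSIDE-LOCAL come from the thread; which one applies depends on where WireGuard terminates. WireGuard running on the VyOS router itself is handled by the chain applied as `local` (assumed here to be OUTSIDE-LOCAL, since that is where the thread's SSH-to-router rules live), while a WireGuard host behind the router is handled by the chain applied as `in`. Rule 40 and its chain placement are hypothetical additions; the evaluation is a simplification (no zone or interface assignment, and `recent`-counter rules are treated as not firing on a fresh flow).

```python
"""Offline check of a VyOS firewall ruleset for WireGuard's UDP listen port."""
from collections import defaultdict

# Constructed input: the relevant lines from the ruleset posted in the thread.
THREAD_RULES = """
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-IN rule 24 action 'accept'
set firewall name OUTSIDE-IN rule 24 destination address '192.168.31.105'
set firewall name OUTSIDE-IN rule 24 destination port '8084'
set firewall name OUTSIDE-IN rule 24 protocol 'tcp_udp'
set firewall name OUTSIDE-IN rule 24 state new 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
"""

# Hypothetical fix (rule number and chain chosen for this example, not from
# the thread): admit the listen port 12345/udp on the chain that filters
# traffic addressed to the router itself, where WireGuard terminates.
WG_RULE = """
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 40 destination port '12345'
set firewall name OUTSIDE-LOCAL rule 40 state new 'enable'
"""


def parse_chains(config_text):
    """Parse `set firewall name CHAIN ...` lines into
    {chain: {"default-action": str, "rules": {number: {key: value}}}}."""
    chains = defaultdict(lambda: {"default-action": "accept", "rules": {}})
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:3] != ["set", "firewall", "name"]:
            continue
        chain, rest = tokens[3], tokens[4:]
        value = rest[-1].strip("'\"")
        if rest[0] == "default-action":
            chains[chain]["default-action"] = value
        elif rest[0] == "rule":
            key = " ".join(rest[2:-1])  # e.g. "destination port", "state new"
            chains[chain]["rules"].setdefault(int(rest[1]), {})[key] = value
    return chains


def rule_matches(rule, proto, port, dst=None):
    """Would this rule match the first packet of a new proto/port flow?
    Absent criteria match anything; 'tcp_udp' covers both protocols.
    Simplification: rules carrying a `recent` counter are treated as not
    firing on a fresh flow, since they act only after the count is exceeded."""
    if "recent count" in rule:
        return False
    rproto = rule.get("protocol")
    if rproto and rproto != proto and not (rproto == "tcp_udp" and proto in ("tcp", "udp")):
        return False
    rport = rule.get("destination port")
    if rport and str(port) not in rport.split(","):
        return False
    raddr = rule.get("destination address")
    if raddr and raddr != dst:  # host-scoped rule; dst=None means "the router"
        return False
    states = {k.split()[1] for k, v in rule.items() if k.startswith("state ") and v == "enable"}
    if states and "new" not in states:
        return False
    return True


def verdict(chains, chain, proto, port, dst=None):
    """First matching rule decides; otherwise the chain's default-action."""
    c = chains.get(chain)
    if c is None:
        return "accept"  # chain not defined: nothing filters
    for number in sorted(c["rules"]):
        if rule_matches(c["rules"][number], proto, port, dst):
            return c["rules"][number].get("action", "accept")
    return c["default-action"]


def wireguard_verdict(chains, listen_port, on_router=True, dst=None):
    """Pick the chain by where WireGuard terminates (chain roles are assumed
    from the thread's naming) and evaluate a new UDP flow to the listen port."""
    chain = "OUTSIDE-LOCAL" if on_router else "OUTSIDE-IN"
    return verdict(chains, chain, "udp", listen_port, dst)


if __name__ == "__main__":
    before = parse_chains(THREAD_RULES)
    after = parse_chains(THREAD_RULES + WG_RULE)
    print("on-router WireGuard, before:", wireguard_verdict(before, 12345))
    print("on-router WireGuard, after: ", wireguard_verdict(after, 12345))
```

Running it against the posted ruleset gives "drop" for 12345/udp on both chains, which is the behaviour the question describes, and "accept" once the port rule is present on the chain that actually sees the packets. Keep the accepted port as narrow as the real listen-port setting (a single UDP port, not `tcp_udp` on a LAN host address) so the hole matches exactly what WireGuard needs.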
