Wireguard configuration issue

Dear Team

I am trying to use a WireGuard setup in my infra and I am using version 1.4.3. I am facing some configuration-related issue. When I run the command "generate pki wireguard key-pair" I get a server public and private key, and each time I run the command again they change.

But this is not about the server public and private key. I want to know about the client public and private key: how can I generate it and use the WireGuard functionality as a remote SSL VPN?

Below is my config:

vyos:~$ generate pki wireguard key-pair

Server
Private key: CHTeozOgF1IPHH0rYcY1/jTpjhYHBcLLlsSG9adOx3w=
Public key: Cn95R3j55zzW54duUczURGQd7UsX9DkXWij1oAY/kk0=

set interfaces wireguard wg0 address '10.90.1.1/24'
set interfaces wireguard wg0 description 'wireguard-vpn'
set interfaces wireguard wg0 ip adjust-mss '1380'
set interfaces wireguard wg0 mtu '1420'
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 peer Raghu address '10.90.0.2'
set interfaces wireguard wg0 peer Raghu allowed-ips '10.90.1.2/32'
set interfaces wireguard wg0 peer Raghu port '51820'
set interfaces wireguard wg0 peer Raghu public-key 'vSicyU+cuZGm5Kie303lXVBqQI5ie5KnA+mSxA6ehgI=' '${CLIENT_PUBLIC_KEY}'
set interfaces wireguard wg0 private-key 'CHTeozOgF1IPHH0rYcY1/jTpjhYHBcLLlsSG9adOx3w='

In my config I set the client public key to a randomly generated key.

vyos:~$ generate wireguard client-config Raghu interface wg0 server 115.166.136.247 address 10.90.1.2/24

When I run the above command it tells me to change the "client public key" with the below command and provides the below config.

=== VyOS (server) configuration ===

set interfaces wireguard wg0 peer deva allowed-ips '10.80.1.2/32'
set interfaces wireguard wg0 peer deva public-key 'e/EK/Zl6sG+8lleNkJ9PgNd1cms/T/b0cm9gFR2y3l4=' '${CLIENT_PUBLIC_KEY}'

=== RoadWarrior (client) configuration ===

[Interface]
PrivateKey = 6Fjm8Q/q9s6LSwgFRaKx1Ustqs2sGEgyG4iNdU8/mHo= ${CLIENT_PRIVATE_KEY}
Address = 10.80.1.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = FIdZUXPKW2KipaQ+AXeofKyv/VNeHgs7LYbdtv0kqW8= ${SERVER_PUBLIC_KEY}
Endpoint = 115.166.136.248:51820
AllowedIPs = 0.0.0.0/0, ::/0

Even though I used the WireGuard software and imported the conf file with the above information, my VPN shows as activated but connectivity does not work. Please let me know the client public and private key generation method, or did I miss something?

Please help me to resolve the issue. I want to run WireGuard as an SSL remote VPN. Please don't provide a VyOS document link because it has improper information about WireGuard.

You use the generate command once to generate the keys for your VyOS router. You add the private key to your VyOS config and then the public key is the key that gets given to the remote peers. It’s not a secret, thus the “public” in the name.

You can then use the generate command one more time to generate keys for your peer. On your peer goes the private key, and into the VyOS config goes the public key for that peer.

The generate command is just that, a generator. Each time you run it, it generates new random keys. It’s not saving them into your config or anything, that’s on you to do.

Regarding your config, unless you plan to route everything out the WG peer 15.166.136.248 then “AllowedIPs = 0.0.0.0/0, ::/0” might not be what you want.

You don’t mention any other config, like how you expect connectivity to work. Are you trying to NAT everything out your WG peer to the Internet? If so you’ll need NAT rules.

You don't really provide enough information at all to know what is and isn't working, but the first thing to do is to make sure that when the WG tunnel is up you can ping the remote end. Whatever address you've got configured on the remote peer, can you ping that? If so then WireGuard is working and you have a routing/NAT/firewall problem. If you can't ping it then you need to figure out why.

Thanks for the reply.

Below is my config:

vyos:~$ generate pki wireguard key-pair

Server
Private key: +Ctj7mr92HaCbFeicX74wB1Q9/c8PBuQHQhmLvkWZ08=
Public key: 2It4W00hUHKdhAeUHSSrlYmdlsxicBiAudNDu8RF82k=

For client Rajeev public and private key generation:

wg genkey | tee /config/auth/Rajeev-private.key | wg pubkey > /config/auth/Rajeev-public.key

Client Rajeev public key =====> cat /config/auth/Rajeev-public.key
g0ItcZ67bdk/buFjpnaLjVGvk+o7phg6uYiL2bREumg=

Client Rajeev private key =====> cat /config/auth/Rajeev-private.key
IDr/GoM4n0ZHZrYSbWmoFJ93Ps9P/kR9gWjGXzNLJ2E=

#######################################

set firewall ipv4 name FIREWALL_IN rule 20 action 'accept'
set firewall ipv4 name FIREWALL_IN rule 20 description 'WireGuard_IN'
set firewall ipv4 name FIREWALL_IN rule 20 destination port '51820'
set firewall ipv4 name FIREWALL_IN rule 20 protocol udp

set firewall ipv4 name FIREWALL_OUT rule 20 action 'accept'
set firewall ipv4 name FIREWALL_OUT rule 20 description 'WireGuard_OUT'
set firewall ipv4 name FIREWALL_OUT rule 20 destination port '51820'
set firewall ipv4 name FIREWALL_OUT rule 20 protocol udp

set nat source rule 100 description 'NAT for WireGuard'
set nat source rule 100 outbound-interface name 'eth1'
set nat source rule 100 source address '10.110.1.0/24'
set nat source rule 100 translation address 'masquerade'

set interfaces wireguard wg0 address '10.110.1.1/24'
set interfaces wireguard wg0 description 'wireguard-vpn'
set interfaces wireguard wg0 ip adjust-mss '1380'
set interfaces wireguard wg0 mtu '1420'
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 private-key '+Ctj7mr92HaCbFeicX74wB1Q9/c8PBuQHQhmLvkWZ08=' '${SERVER_PRIVATE_KEY}'
set interfaces wireguard wg0 peer Rajeev address '10.110.0.2'
set interfaces wireguard wg0 peer Rajeev allowed-ips '10.110.1.2/32'
set interfaces wireguard wg0 peer Rajeev port '51820'
set interfaces wireguard wg0 peer Rajeev public-key 'g0ItcZ67bdk/buFjpnaLjVGvk+o7phg6uYiL2bREumg=' '${CLIENT_PUBLIC_KEY}'

#####################################################################

I have generated the server and client public and private keys via the above-mentioned command on top; with the help of those generated keys I configured my WireGuard configuration, which is mentioned above.

##########################

My first concern is below:

generate wireguard client-config Rajeev interface wg0 server 115.166.136.240 address 10.110.1.2/24

When I run the above command it gives me a QR code and the below configuration with a different "client private key" which was not even generated by us. The public key is the same but the client private key is different from what we generated. I want to know why this is happening.

###########################

WireGuard client configuration for interface: wg0

To enable this configuration on a VyOS router you can use the following commands:

=== VyOS (server) configuration ===

set interfaces wireguard wg0 peer deva allowed-ips '10.110.1.2/32'
set interfaces wireguard wg0 peer deva public-key 'e/EK/Zl6sG+8lleNkJ9PgNd1cms/T/b0cm9gFR2y3l4=' '${CLIENT_PUBLIC_KEY}'

=== RoadWarrior (client) configuration ===

[Interface]
PrivateKey = IDr/GoM4n0ZHZrYSbWmoFJ93Ps9P/kR9gWjGXzNLJ2E= ${CLIENT_PRIVATE_KEY}
Address = 10.110.1.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = 2It4W00hUHKdhAeUHSSrlYmdlsxicBiAudNDu8RF82k= ${SERVER_PUBLIC_KEY}
Endpoint = 115.166.136.240:51820
AllowedIPs = 0.0.0.0/0, ::/0

#########################

##################

My second concern is:

When I change the WireGuard configuration according to the key generated by me via the command mentioned on top, my VPN is working fine. But when I scan the bar code which is generated by the below command I am unable to connect.

generate wireguard client-config Rajeev interface wg0 server 115.166.136.240 address 10.110.1.2/24

#################

My third concern is:

When I connect the WireGuard VPN on my laptop, all my Internet traffic goes through my VPN gateway, which I don't want. I want to use my Internet even after connecting the VPN.

Please help me to resolve all my above concerns, and please don't share any doc link because this type of troubleshooting is not found anywhere in your VyOS documentation.

I really think you need to step back and read/learn/understand how WireGuard works. Your questions show you don't understand how the public/private keypairs of WireGuard are designed.

The VyOS router gets its own public key and private key. The public key is NOT configured anywhere on the VyOS router. You only give it to clients.

A client generates its own public key and private key. The client NEVER configures his public key anywhere. He only gives it to remote peers, i.e. the VyOS router.

Yes, when you run:

generate wireguard client-config Rajeev interface wg0 server 115.166.136.240 address 10.110.1.2/24

it generates a new private key. That's normal and expected. It's a new private key for your client, not for the VyOS router. Each time you ask it to generate a new config, it generates it for a new client. The generate command is an operational command only. The config it generates you must apply to the router.

Notice how it's also generating a new set interfaces wireguard wg0 peer deva public-key 'e/EK/Zl6sG+8lleNkJ9PgNd1cms/T/b0cm9gFR2y3l4=' '${CLIENT_PUBLIC_KEY}' as well every time?

That gets configured on the VyOS router. It's the public key of the client, not of the VyOS router's WireGuard instance.

Then adjust the allowed-ips statement on your client so it only routes the routes you want via the Wireguard VPN.

Again: once you generate a client config using the generate command, you must then put the configuration on your VyOS router.

=== VyOS (server) configuration ===

set interfaces wireguard wg0 peer deva allowed-ips '10.110.1.2/32'
set interfaces wireguard wg0 peer deva public-key 'e/EK/Zl6sG+8lleNkJ9PgNd1cms/T/b0cm9gFR2y3l4=' '${CLIENT_PUBLIC_KEY}'

You have to commit it, and then the generated peer will work.

Again, I really recommend stepping back and reading up on how WireGuard works, what allowed-ip means and how it works, etc. This link might help with understanding allowed-ips. Reading the whole of the front page of wireguard.com might also help.

Thanks for the information.

After setting the allowed IPs my Internet traffic does not go via the VPN gateway and I am able to ping my server.

Now I have created another client who is getting the IP 10.110.1.3.

Now I want my client 1, whose IP is 10.110.1.2, to be able to reach client 3, whose IP is 10.110.1.3.

They can separately reach the server 10.110.1.1, but they cannot reach each other.

What configuration should I use? Even though I created a zone rule as well, they cannot reach each other.

You don’t provide any config, so it’s hard to know.

What subnet masks are you using for your clients, what allowed-ip rules do you have on the VyOS instance?

This "just works" on my setup: each peer/client has a /32 configured on it, and on my VyOS router I have an "allowed-ip" of just that /32.

On my VyOS router:

show configuration commands | match wg0| match allowed-ip
set interfaces wireguard wg0 peer xxx allowed-ips '192.168.10.24/32'
set interfaces wireguard wg0 peer xxxxxx allowed-ips '192.168.10.11/32'
set interfaces wireguard wg0 peer xxxxxx allowed-ips '192.168.10.10/32'
set interfaces wireguard wg0 peer xxx allowed-ips '192.168.10.17/32'
set interfaces wireguard wg0 peer xxx-xxx allowed-ips '192.168.10.25/32'
set interfaces wireguard wg0 peer xxx-xxx allowed-ips '192.168.10.23/32'
set interfaces wireguard wg0 peer xxxxxxxxx allowed-ips '192.168.10.26/32'
set interfaces wireguard wg0 peer xxx allowed-ips '192.168.10.20/32'

Thanks for the reply.

Below is my config:

Rajeev got 10.110.1.2

Sanjeev got 10.110.1.3

My LAN infra behind my firewall is 192.168.50.0/24 and I am able to access it via the WireGuard VPN, but the concern is that both peers are unable to ping each other, meaning 10.110.1.2 is unable to ping 10.110.1.3.

set interfaces wireguard wg0 address '10.110.1.1/24'
set interfaces wireguard wg0 description 'wireguard-vpn'
set interfaces wireguard wg0 ip adjust-mss '1380'
set interfaces wireguard wg0 mtu '1420'
set interfaces wireguard wg0 peer Rajeev address '10.110.0.2'
set interfaces wireguard wg0 peer Rajeev allowed-ips '10.110.1.2/32'
set interfaces wireguard wg0 peer Rajeev allowed-ips '192.168.50.0/24'
set interfaces wireguard wg0 peer Rajeev port '51820'
set interfaces wireguard wg0 peer Rajeev public-key 'g0ItcZ67bdk/buFjpnaLjVGvk+o7phg6uYiL2bREumg='
set interfaces wireguard wg0 peer Sanjeev address '10.110.0.3'
set interfaces wireguard wg0 peer Sanjeev allowed-ips '10.110.1.3/32'
set interfaces wireguard wg0 peer Sanjeev allowed-ips '192.168.50.0/24'
set interfaces wireguard wg0 peer Sanjeev port '51820'
set interfaces wireguard wg0 peer Sanjeev public-key 'MqfUtvzPLDhi1UOYBLQR8AqiHQgxYAZgW1Az25ytX14='
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 private-key '+Ctj7mr92HaCbFeicX74wB1Q9/c8PBuQHQhmLvkWZ08='

For peer-to-peer traffic I have created the separate rule below as well, but communication is still not working:

set firewall zone wireguard_VPN interface 'wg0'
set firewall ipv4 name WG-INTRA default-action 'drop'
set firewall ipv4 name WG-INTRA rule 10 action 'accept'
set firewall ipv4 name WG-INTRA rule 10 description 'Allow inter-client VPN traffic'
set firewall ipv4 name WG-INTRA rule 10 destination address '10.110.1.0/24'
set firewall ipv4 name WG-INTRA rule 10 source address '10.110.1.0/24'
set firewall zone wireguard_VPN from wireguard_VPN firewall name 'WG-INTRA'

Rajeev configuration:

[Interface]
PrivateKey = IDr/GoM4n0ZHZrYSbWmoFJ93Ps9P/kR9gWjGXzNLJ2E=
Address = 10.110.1.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = 2It4W00hUHKdhAeUHSSrlYmdlsxicBiAudNDu8RF82k=
AllowedIPs = 10.110.1.0/24, 192.168.50.0/24
Endpoint = 115.166.136.240:51820

##########

Sanjeev configuration:

[Interface]
PrivateKey = COjR8wog+1e/b7E2AZjzWRB+UXX5fJKVUV28Z4Ps+G4=
Address = 10.110.1.3/32
DNS = 1.1.1.1

[Peer]
PublicKey = 2It4W00hUHKdhAeUHSSrlYmdlsxicBiAudNDu8RF82k=
AllowedIPs = 10.110.1.0/24, 192.168.50.0/24
Endpoint = 115.166.136.240:51820

Please check the config and let me know what I missed here, because after all the above config peer Rajeev is still unable to reach peer Sanjeev.

I'm not sure what the issue is, I'm sorry. I can't see anything wrong. In my config I don't put addresses for the clients; mine just looks like this:

wireguard wg0 {
    address 192.168.10.1/24
    description "Z Wireguard"
    ip {
        adjust-mss 1380
        source-validation strict
    }
    peer Y {
        allowed-ips 192.168.10.5/32
        description "Y"
        persistent-keepalive 25
        preshared-key ****************
        public-key ****************
    }
    peer X {
        allowed-ips 192.168.10.30/32
        allowed-ips 192.168.5.0/24
        description "X"
        persistent-keepalive 25
        preshared-key ****************
        public-key ****************
    }
}

The peer sets their address themselves. I might have that wrong actually; perhaps I'm also supposed to set address on the VyOS router itself. Regardless, that's what I do and it works fine.

But one thing I can tell you is, sadly, you need to redo all your WireGuard keys now because they've been public on this site for some time, along with your endpoint IP address.

You need to ensure you’re posting the config from “show config” which will remove all the secrets.

In your above configuration you have mentioned multiple allowed IPs without identifying which peer you have allowed.

My configuration is like below:

set interfaces wireguard wg0 address '10.110.1.1/24'
set interfaces wireguard wg0 description 'wireguard-vpn'
set interfaces wireguard wg0 ip adjust-mss '1380'
set interfaces wireguard wg0 mtu '1420'
set interfaces wireguard wg0 peer Rajeev address '10.110.0.2'
set interfaces wireguard wg0 peer Rajeev allowed-ips '10.110.1.2/32'
set interfaces wireguard wg0 peer Rajeev allowed-ips '10.110.1.0/24'
set interfaces wireguard wg0 peer Rajeev port '51820'
set interfaces wireguard wg0 peer Rajeev public-key 'g0ItcZ67bdk/buFjpnaLjVGvk+o7phg6uYiL2bREumg='
set interfaces wireguard wg0 peer Sanjeev address '10.110.0.3'
set interfaces wireguard wg0 peer Sanjeev allowed-ips '10.110.1.3/32'
set interfaces wireguard wg0 peer Sanjeev allowed-ips '10.110.1.0/24'
set interfaces wireguard wg0 peer Sanjeev port '51820'
set interfaces wireguard wg0 peer Sanjeev public-key 'MqfUtvzPLDhi1UOYBLQR8AqiHQgxYAZgW1Az25ytX14='
set interfaces wireguard wg0 port '51820'
set interfaces wireguard wg0 private-key '+Ctj7mr92HaCbFeicX74wB1Q9/c8PBuQHQhmLvkWZ08='

Is the below command required if in allowed IPs I have already allowed it with a /32 subnet?

set interfaces wireguard wg0 peer Rajeev address '10.110.0.2'

set interfaces wireguard wg0 peer Sanjeev address '10.110.0.3'

Can you please correct my config if it's wrong somewhere?

Please reply with reference to my config.

Your addresses for the peers/client are incorrect. The wg0 interface is in the network 10.110.1.0/24 while your Wireguard peers/clients are on 10.110.0.0/24. Once you make sure that the subnet configuration for the server and client is in proper order, your connection should come through. You want the peers/clients addresses to be in 10.110.1.0/24 as well because you already have the NAT source rules in place.
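As an added check that is not code from the thread or from VyOS: a small Python linter for the two config shapes used above, the router's "set interfaces wireguard" lines and a client's Address/AllowedIPs. It flags the allowed-ips problems the replies keep coming back to (full-tunnel AllowedIPs, a tunnel address the router does not route back to its client, another client's /32 that a client's AllowedIPs cannot reach, and one prefix allowed for two peers at once, which WireGuard's cryptokey routing resolves by giving the prefix to the last peer configured). The sample lines are constructed from values posted in the thread; the function names and the set of checks are my own.

```python
import ipaddress
import re
# Constructed sample modelled on the thread (not a real deployment): the later
# router config, in which both peers claim 10.110.1.0/24.
VYOS_SET_LINES = """
set interfaces wireguard wg0 address '10.110.1.1/24'
set interfaces wireguard wg0 peer Rajeev allowed-ips '10.110.1.2/32'
set interfaces wireguard wg0 peer Rajeev allowed-ips '10.110.1.0/24'
set interfaces wireguard wg0 peer Sanjeev allowed-ips '10.110.1.3/32'
set interfaces wireguard wg0 peer Sanjeev allowed-ips '10.110.1.0/24'
"""
SET_RE = re.compile(r"set interfaces wireguard (\S+) (?:peer (\S+) )?(\S+) '([^']+)'")

def parse_vyos(text):
    """Return ({iface: [interface addresses]}, {peer: [allowed-ip networks]})."""
    ifaces, peers = {}, {}
    for wg, peer, key, val in SET_RE.findall(text):
        if not peer and key == "address":
            ifaces.setdefault(wg, []).append(ipaddress.ip_interface(val))
        elif peer and key == "allowed-ips":
            peers.setdefault(peer, []).append(ipaddress.ip_network(val))
    return ifaces, peers

def covered(net, nets):
    """True if net lies inside any network of the same IP version in nets."""
    return any(net.version == n.version and net.subnet_of(n) for n in nets)

def check_server(ifaces, peers, wg="wg0"):
    """Router-side findings: a tunnel /32 outside the wg subnet, or one prefix
    allowed for two peers (the cryptokey routing table keeps only the last owner)."""
    findings, owner = [], {}
    subnets = [i.network for i in ifaces.get(wg, [])]
    for peer, nets in peers.items():
        for net in nets:
            if net.prefixlen == 32 and not covered(net, subnets):
                findings.append(f"{peer}: {net} is outside the {wg} subnet(s)")
            if net in owner and owner[net] != peer:
                findings.append(f"{peer}: {net} is already allowed for {owner[net]}")
            owner[net] = peer
    return findings

def check_client(address, allowed_ips, peers, me):
    """Client-side findings from one peer's [Interface] Address and [Peer] AllowedIPs:
    full tunnel, router not routing the Address back, other clients' /32s unreachable."""
    addr = ipaddress.ip_network(ipaddress.ip_interface(address).ip)
    allowed = [ipaddress.ip_network(a.strip()) for a in allowed_ips.split(",")]
    findings = []
    if any(n.prefixlen == 0 for n in allowed):
        findings.append("AllowedIPs 0.0.0.0/0 or ::/0 sends all Internet traffic via the VPN")
    if not covered(addr, peers.get(me, [])):
        findings.append(f"router has no allowed-ip covering {addr} for peer {me}")
    for other, nets in peers.items():
        for net in nets:
            if other != me and net.prefixlen == 32 and not covered(net, allowed):
                findings.append(f"{other}'s tunnel address {net} is not in AllowedIPs")
    return findings
```

Run check_server on the parsed router config and check_client once per client conf; an empty list means that side of the config is consistent with the others.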
