Wireguard connections not working, with firewall rules allowing them

Hello again!
Back with another possibly-weird, but hopefully not, issue. Ran it by a few friends just to make sure I wasn’t missing anything dumb, and I’m going to include the same info here… Don’t worry about the keys pasted here - they’re all going to be rotated before things end up being deployed.

For those who saw my last post - I ended up ditching the plan to use MikroTik for the network rework and sticking with VyOS since, as it turns out, more of my friends are familiar with VyOS than with MikroTik, so this is part of that project now, haha.

As a matter of convention here - in any logs and config snippets, 1.2.3.4 will be used for the public IP for the WG server, and 6.7.8.9 as the public IP of the client.

So, the issue I'm having is that my WireGuard connections don't seem to be working at all - the interface's stats don't show anything:

[edit]
vyos@main# run show interfaces wireguard wg0
wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.100.0.1/22 brd 10.100.3.255 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fe80::f849:f8ff:fe7b:8d17/64 scope link
       valid_lft forever preferred_lft forever

    RX:  bytes  packets  errors  dropped  overrun       mcast
             0        0       0        0        0           0
    TX:  bytes  packets  errors  dropped  carrier  collisions
             0        0       0        0        0           0
[edit]
vyos@main#

Although the firewall rule - which will be shown below - to allow the WireGuard connection is getting matched, as shown by this log line (I have plenty of similar log lines; I'm just showing one since they're all close):

Jun 14 05:02:43 kernel: [ipv4-NAM-WAN-LOCAL-1-A]IN=eth0 OUT= MAC=bc:24:11:f5:a5:b3:00:e0:ed:90:d1:22:08:00 SRC=6.7.8.9 DST=1.2.3.4 LEN=176 TOS=0x00 PREC=0x00 TTL=49 ID=17484 PROTO=UDP SPT=53137 DPT=51820 LEN=156

On the client, I’m seeing that packets are getting sent through the tunnel as well:

root@new-network-wg-test:~# wg
interface: wg
  public key: YZueU8kBeGNVHCmOQKVYs552EREUawJpCZwEMuKbMgc=
  private key: (hidden)
  listening port: 36795

peer: pwYgKnuirIC8vTTlXOTCFHMhCSczi0w0PIr0z/kIrWQ=
  preshared key: (hidden)
  endpoint: 1.2.3.4:51820
  allowed ips: 172.20.0.0/16, 10.100.0.0/22
  transfer: 0 B received, 10.55 KiB sent
  persistent keepalive: every 5 seconds
root@new-network-wg-test:~#

With this config:

[Interface]
Address = 10.100.0.2/32
PrivateKey = aH+kubsNi6UXHcFyQ23u9Ijk8LiPTjbUEP8G/7ZZE24=

[Peer]
PublicKey = pwYgKnuirIC8vTTlXOTCFHMhCSczi0w0PIr0z/kIrWQ=
PresharedKey = zETkN+ZyVoVQuxE1fxGDIoURxrfUd5fCI8YmpKgSu/s=
AllowedIPs = 172.20.0.0/16,10.100.0.0/22
Endpoint = 1.2.3.4:51820
PersistentKeepalive = 5

As for the firewall rules involved (and other WG config, including NAT)…
It's a bit verbose - it's all auto-generated by a script I'm working on (and I'm eventually planning on writing an actually-good Terraform provider for VyOS) - but it should include the info needed (and probably a bit more, as I didn't want to accidentally remove information that would be relevant):

 firewall {
     group {
         network-group all-lan {
             description "All LAN networks"
             include user-test-lan
         }
         network-group user-test {
             description "test | Access control group"
             include user-test-lan
             include user-test-wg
         }
         network-group user-test-lan {
             description "test | LAN subnets"
             network 172.20.255.0/24
         }
         network-group user-test-snat {
             description "test | SNATed subnets"
             include user-test-lan
         }
         network-group user-test-wg {
             description "test | WG peers with access"
         }
     }
     ipv4 {
         name LOCAL-WAN {
             default-action accept
             default-log
         }
         name LOCAL-WIREGUARD {
             default-action accept
         }
         name USER_test-WAN {
             default-action accept
             description "test | allow all connections to internet"
         }
         name WAN-LOCAL {
             default-action drop
             default-log
             rule 1 {
                 action accept
                 destination {
                     address 1.2.3.4
                     port 51820
                 }
                 log
                 protocol tcp_udp
             }
         }
         name WAN-USER_test {
             description "test | internet to local"
             rule 1 {
                 action accept
                 description "allow related/established"
                 state related
                 state established
             }
             rule 2 {
                 action accept
                 connection-status {
                     nat destination
                 }
                 description "allow DNATed connections"
             }
         }
         name WIREGUARD-LOCAL {
             default-action accept
         }
     }
     zone LOCAL {
         from WAN {
             firewall {
                 name WAN-LOCAL
             }
         }
         from WIREGUARD {
             firewall {
                 name WIREGUARD-LOCAL
             }
         }
         local-zone
     }
     zone USER_test {
         from WAN {
             firewall {
                 name WAN-USER_test
             }
         }
         member {
             interface eth1.50
         }
     }
     zone WAN {
         from LOCAL {
             firewall {
                 name LOCAL-WAN
             }
         }
         from USER_test {
             firewall {
                 name USER_test-WAN
             }
         }
         member {
             interface eth0
         }
     }
     zone WIREGUARD {
         from LOCAL {
             firewall {
                 name LOCAL-WIREGUARD
             }
         }
         member {
             interface wg0
         }
     }
 }
 interfaces {
     ethernet eth0 {
         address 1.2.3.4/24
         description WAN
         hw-id bc:24:11:f5:a5:b3
         offload {
             gro
             gso
             sg
             tso
         }
     }
     ethernet eth1 {
         hw-id bc:24:11:d6:c6:66
         offload {
             gro
             gso
             sg
             tso
         }
         vif 50 {
             address 172.20.255.1/24
             description "test | wan: 1.2.3.4"
         }
     }
     ethernet eth2 {
         address 10.255.255.2/24
         description mgmt-lab
         hw-id bc:24:11:5f:0a:51
         offload {
             gro
             gso
             sg
             tso
         }
     }
     loopback lo {
     }
     wireguard wg0 {
         address 10.100.0.1/22
         peer asdf {
             allowed-ips 10.100.0.2/32
             persistent-keepalive 5
             preshared-key zETkN+ZyVoVQuxE1fxGDIoURxrfUd5fCI8YmpKgSu/s=
             public-key Oo7SmzOBvK7a2UcEi/tBnmw+yRjak8cNdruyU6Ny9is=
         }
         port 51820
         private-key ONwbxEm2sCQKVXPy8cFYhqDmgKprKJG9mE10Hyb97GM=
     }
 }
 nat {
     destination {
         rule 1 {
             description "exclude wg"
             destination {
                 address 1.2.3.4
                 port 51820
             }
             exclude
             inbound-interface {
                 name eth0
             }
             protocol udp
         }
         rule 2 {
             description "test | 1.2.3.4:2922-2922 -> 172.20.255.3:22-22"
             destination {
                 address 1.2.3.4
                 port 2922-2922
             }
             inbound-interface {
                 name eth0
             }
             protocol tcp
             translation {
                 address 172.20.255.3
                 port 22-22
             }
         }
         rule 3 {
             description "test | 1.2.3.4 -> 172.20.255.2"
             destination {
                 address 1.2.3.4
             }
             inbound-interface {
                 name eth0
             }
             log
             translation {
                 address 172.20.255.2
             }
         }
     }
     source {
         rule 1 {
             description "test | Outgoing from 1.2.3.4"
             destination {
                 address 0.0.0.0/0
             }
             outbound-interface {
                 name eth0
             }
             source {
                 group {
                     network-group user-test-snat
                 }
             }
             translation {
                 address 1.2.3.4
             }
         }
     }
 }
 protocols {
     static {
         route 0.0.0.0/0 {
             next-hop 1.2.3.1 {
             }
         }
     }
 }

Sounds to me like key-mismatch - are you sure you have the keys configured correctly?

2 Likes

… I thought I did before, but I guess I copy/pasted public and private keys wrong somewhere - regenerating all the keys from scratch seemed to fix it. My bad!

1 Like
