WireGuard - Direct one network's traffic over the tunnel

Hi Community,

I first off want to say how really awesome VyOS is and I am learning a lot from it. I originally started off with EdgeOS but then quickly found VyOS, and not long after I completely switched to using it for my home routing.

What have I done so far:

  1. I have four VyOS VMs in multiple physical locations. What I want to focus on is only two of them, so we'll call my primary router HomeVyOS and the secondary router CloudVyOS.
  2. I have created the WireGuard interfaces and have the CloudVyOS set up as the VPN server. HomeVyOS then connects to CloudVyOS. (I have the other two VyOS routers connecting to the server as well, and I can pass traffic across all of them internally as if it's one big private network.) :slight_smile:

What I want to do and have not figured out.

  1. I want to direct one of the many networks on my HomeVyOS to send all of its internet traffic over the WireGuard tunnel, as if the CloudVyOS is my gateway to the internet.
  2. I then also would like to use the CloudVyOS as my public IP and entry point for some things I want to over to any one of the other VyOS routers. (Think of it as a big mesh network that all connects to one central point, which then handles all of the routing.)

So far my attempts to make this work have not been successful, so I want to start from scratch. I have no static routes other than those for each VyOS router's internal networks, so that they can communicate across the tunnel.

Any help would be appreciated so I can wrap my head around this and get this working.

Just going to add, as I have been googling for hours now.

I keep finding write-ups on how to do this with EdgeRouters, but they use the following command, for which I cannot seem to find the equivalent in VyOS.

set firewall modify

They use this to modify packets as they pass through the firewall in order to allow routing to work.

You need to combine your WG setup with policy-based routing. More information here:

https://wiki.vyos.net/wiki/User_Guide#Policy_Routing
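The VyOS 1.2 counterpart of the EdgeOS `set firewall modify ... modify table` rule is a `policy route` ruleset whose rules carry `set table <n>`, attached to the ingress interface with `set interfaces ethernet <if> policy route <name>`. The following is an added example written for this thread (it is not any poster's configuration and is not taken from the VyOS documentation) that shows the whole HomeVyOS side of the egress path in VyOS 1.2 `set` syntax. It assumes the names used elsewhere in the thread: eth5 carries the 192.168.3.0/24 hosted network, wg01 is the tunnel to CloudVyOS (whose tunnel address is 10.0.51.1), the policy is called Filter-Hosted, the extra routing table is 100, and HomeVyOS's peer entry for the hub is named SERVER. The hub's public address and public key are placeholders.

```vyos
# Added example for this thread (not a poster's config). VyOS 1.2 syntax.
# Assumptions: eth5 = hosted network 192.168.3.0/24, wg01 = tunnel to
# CloudVyOS (hub tunnel address 10.0.51.1), peer SERVER = the hub.
configure

# The hosted network itself.
set interfaces ethernet eth5 address 192.168.3.1/24
set interfaces ethernet eth5 description 'Hosted Network'

# Tunnel to the hub. allowed-ips 0.0.0.0/0 is required here: WireGuard only
# encrypts a packet to a peer whose allowed-ips covers its destination, and a
# default route over wg01 produces packets for arbitrary internet addresses.
# It also lets HomeVyOS accept packets from the hub with any source address,
# which the inbound DNAT path from the internet needs.
set interfaces wireguard wg01 address 10.0.54.1/24
set interfaces wireguard wg01 peer SERVER endpoint <hub-public-ip>:51820
set interfaces wireguard wg01 peer SERVER pubkey <hub-public-key>
set interfaces wireguard wg01 peer SERVER allowed-ips 0.0.0.0/0
set interfaces wireguard wg01 peer SERVER persistent-keepalive 15

# Main table: the hub's tunnel subnet. A WireGuard interface has no link-layer
# neighbours, so routes through it are interface routes, not next-hop routes.
set protocols static interface-route 10.0.51.0/24 next-hop-interface wg01

# Table 100: a single default route into the tunnel. Only traffic that the
# policy below sends to this table ever consults it; everything else keeps
# using the main table and HomeVyOS's own WAN.
set protocols static table 100 interface-route 0.0.0.0/0 next-hop-interface wg01

# The policy route (EdgeOS: "firewall modify"). Packets from the hosted
# network are marked so that the kernel looks them up in table 100.
set policy route Filter-Hosted rule 1000 description 'Hosted network via CloudVyOS'
set policy route Filter-Hosted rule 1000 source address 192.168.3.0/24
set policy route Filter-Hosted rule 1000 set table 100

# Attach the policy to the interface the traffic enters on.
set interfaces ethernet eth5 policy route Filter-Hosted

commit
save
exit

# Verification (operational mode): table 100 should hold only the default
# route via wg01, and the kernel should carry a fwmark rule pointing at it.
show ip route table 100
sudo ip rule show
sudo ip route show table 100
```

Two caveats worth knowing before relying on this. First, the policy only changes which routing table is consulted; because table 100 holds nothing but a default route, every destination from 192.168.3.0/24, including HomeVyOS's other directly connected LANs, is now sent into the tunnel. In this thread that is the intended isolation anyway (the Hosted_Network ruleset drops that traffic), but on a router where the hosted network must still reach a local subnet directly, that subnet needs a more specific route in table 100 or a higher-priority policy rule. Second, `interface-route` is VyOS 1.2 syntax; on VyOS 1.3 and later the same routes are written as `set protocols static route 0.0.0.0/0 interface wg01` (and `set protocols static table 100 route 0.0.0.0/0 interface wg01` for the extra table).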

@anhyzer5525

Did you manage to get anything working with WG + PBR?

@phillipmcmahon - I have had no such luck so far with the policy-based routing.

I do apologize for the delayed response, as I have been away for a couple of days, so I have not been able to work on this as much as I would have liked.

I’ll post what my config looks like for the policy routing later and maybe we can figure out what I am doing wrong here.

No need for the apology :slight_smile: just checking in to see if you’d had any luck.

I’ll try converting my ER config to VyOS with WG and PBR in the meantime.

Here are the config sections I have so far that are not working for me.

HomeVyOS:

ethernet eth5 {
        address 192.168.3.1/24
        description "Hosted Network"
        duplex auto
        firewall {
            in {
                name Hosted_Network
            }
            local {
                name Hosted_Network
            }
        }
        hw-id 00:15:5d:01:7a:0c
        policy {
            route Filter-Hosted
        }
        smp-affinity auto
        speed auto
}

nat {
    source {
        rule 5000 {
            outbound-interface eth2
            protocol all
            translation {
                address masquerade
            }
        }
    }
}
policy {
    route Filter-Hosted {
        rule 1000 {
            set {
                table 100
            }
            source {
                address 192.168.3.0/24
            }
        }
    }
}

protocols {
    static {
        interface-route 10.0.51.0/24 {
            next-hop-interface wg01 {
            }
        }
        interface-route 10.0.53.0/24 {
            next-hop-interface wg01 {
            }
        }
        interface-route 192.168.75.0/24 {
            next-hop-interface wg01 {
            }
        }
        interface-route 192.168.80.0/24 {
            next-hop-interface wg01 {
            }
        }
        table 100 {
            route 0.0.0.0/0 {
                next-hop 10.0.51.1 {
                    next-hop-interface wg01
                }
            }
        }
    }
}

CloudVyOS:

protocols {
    static {
        interface-route 10.0.53.0/24 {
            next-hop-interface wg01 {
            }
        }
        interface-route 10.0.54.0/24 {
            next-hop-interface wg01 {
            }
        }
        interface-route 192.168.1.0/24 {
            next-hop-interface wg01 {
            }
        }
        interface-route 192.168.3.0/24 {
            next-hop-interface wg01 {
            }
        }
        interface-route 192.168.80.0/24 {
            next-hop-interface wg01 {
            }
        }
    }
}

Everything I have provided above is what I have written in my configs so far trying to get this to work. I know I have to be missing something.

Right now my traffic on 192.168.3.0/24 goes out on the NAT interface on HomeVyOS. I want the traffic from 192.168.3.0/24 to traverse the wg01 interface and then be routed through CloudVyOS and go out via its NAT interface.

There are other networks present on HomeVyOS, so I need this to apply only to the network on eth5 (192.168.3.0/24).

What’s your WireGuard definition?

@zsdc - Thank you for cleaning up my config posting. I figured out how you did it and that has changed my life on this forum :slight_smile:

I actually got my setup half working last night :slight_smile:.
I had to change my table configuration, so it now looks like this.

protocols {
    static {
        interface-route 10.0.51.0/24 {
            next-hop-interface wg01 {
            }
        }
        interface-route 10.0.53.0/24 {
            next-hop-interface wg01 {
            }
        }
        interface-route 192.168.75.0/24 {
            next-hop-interface wg01 {
            }
        }
        interface-route 192.168.80.0/24 {
            next-hop-interface wg01 {
            }
        }
        table 100 {
            interface-route 0.0.0.0/0 {
                next-hop-interface wg01 {
                }
            }
        }
    }
}

So now my 192.168.3.0/24 network is routing traffic over my VPN and reports back the public IP of the CloudVyOS VM when I hit up whatsmyip or ipchicken.

Now for the fun part… I cannot seem to get traffic to route back when trying to establish new connections by hitting my public IP on the CloudVyOS instance.

So far I have tried just adjusting my WAN_IN firewall rules and setting up a destination NAT on my CloudVyOS, but I do not get successful connections back on the ports that I open up. I also have no policy-based routing created on the CloudVyOS instance; only HomeVyOS has that PBR in the config, as shared earlier.

Here is an example of the rules I created on CloudVyOS to open ports.

name WAN_IN {
        default-action drop
        description "Wan to Internal"
        rule 20 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 40 {
            action accept
            destination {
                address 192.168.3.100
                port 7777,27015
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
        rule 50 {
            action accept
            description "Conan Exile Server"
            destination {
                address 192.168.3.101
                port 7778,7779,27016
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
    }

nat {
    destination {
        rule 10 {
            description "TCP/UDP to 192.168.3.100 for Ark Server 7777"
            destination {
                port 7777,27015
            }
            inbound-interface eth0
            protocol tcp_udp
            translation {
                address 192.168.3.100
            }
        }
        rule 30 {
            description "TCP/UDP to 192.168.3.101 for Conan Exiles Server 7778"
            destination {
                port 7778,7779,27016
            }
            inbound-interface eth0
            protocol tcp_udp
            translation {
                address 192.168.3.101
            }
        }
    }
    source {
        rule 5000 {
            outbound-interface eth0
            protocol all
            translation {
                address masquerade
            }
        }
    }
}

@hagbard - I think you are looking for this. CLIENT3 is my primary VPN connection and is where most of my network is found, so I set the allowed-ips to everything.

CloudVyOS:

 wireguard wg01 {
        address 10.0.51.1/24
        description "Wireguard VPN Server"
        peer CLIENT2 {
            allowed-ips 192.168.80.0/24
            allowed-ips 10.0.53.0/24
            persistent-keepalive 15
            pubkey ****************
        }
        peer CLIENT3 {
            allowed-ips 0.0.0.0/0
            persistent-keepalive 15
            pubkey ****************
        }
        port 51820
    }

HomeVyOS (server address removed so as not to expose my public IP, for obvious reasons):

 wireguard wg01 {
        address 10.0.54.1/24
        description "Wireguard VPN Server"
        firewall {
            in {
                name Wireguard_Network
            }
            local {
                name Wireguard_Network
            }
        }
        peer SERVER {
            allowed-ips 0.0.0.0/0
            endpoint ***************
            persistent-keepalive 15
            pubkey ****************
        }
        port 51820
    }

Just to add, here is the firewall ruleset that is attached to my WireGuard interface on HomeVyOS.

name Wireguard_Network {
        default-action accept
        rule 10 {
            action drop
            description "Block Management Access"
            destination {
                address 192.168.100.0/24
            }
        }
        rule 11 {
            action drop
            description "Block ISCSI Access"
            destination {
                address 10.0.1.0/24
            }
        }
        rule 13 {
            action drop
            description "Block Guest Network Access"
            destination {
                address 192.168.2.0/24
            }
        }
    }

And here is the firewall ruleset on my hosted network interface.

name Hosted_Network {
        default-action accept
        rule 10 {
            action drop
            description "Block Management Access"
            destination {
                address 192.168.100.0/24
            }
        }
        rule 11 {
            action drop
            description "Block Internal Lan Access"
            destination {
                address 192.168.1.0/24
            }
        }
        rule 12 {
            action drop
            description "Block ISCSI Access"
            destination {
                address 10.0.1.0/24
            }
        }
        rule 13 {
            action drop
            description "Block Guest Network Access"
            destination {
                address 192.168.2.0/24
            }
        }
    }
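The inbound direction, as an added example written for this thread (not any poster's configuration): the CloudVyOS side in VyOS 1.2 syntax, using the thread's names. eth0 is assumed to be the hub's public interface, wg01 its tunnel interface at 10.0.51.1/24, CLIENT3 is HomeVyOS, CLIENT2 one of the other sites, and 192.168.3.100 the server being published on ports 7777 and 27015; public keys are placeholders, and attaching WAN_IN to eth0 is an assumption since the thread does not show that line. The allowed-ips lines are the security-relevant part. WireGuard's cryptokey routing sends a packet leaving wg01 to the peer whose allowed-ips covers its destination, and accepts a decrypted packet only if its source lies inside the sending peer's allowed-ips. So 0.0.0.0/0 on CLIENT3 is exactly what lets the hub forward DNAT'd connections from arbitrary internet sources to HomeVyOS and accept replies from 192.168.3.0/24; it also means CLIENT3 is trusted as a transit router: any packet the hub routes into wg01 that CLIENT2's prefixes do not cover is handed to CLIENT3, and packets from CLIENT3 are accepted with any source address.

```vyos
# Added example for this thread (not a poster's config). VyOS 1.2 syntax.
# Assumptions: eth0 = hub public interface, wg01 = hub tunnel 10.0.51.1/24,
# CLIENT3 = HomeVyOS, CLIENT2 = another site, 192.168.3.100 = game server.
configure

# Hub tunnel. CLIENT2 gets only its own prefixes; CLIENT3 gets everything
# (see the discussion above for what that trust means).
set interfaces wireguard wg01 address 10.0.51.1/24
set interfaces wireguard wg01 port 51820
set interfaces wireguard wg01 peer CLIENT2 allowed-ips 10.0.53.0/24
set interfaces wireguard wg01 peer CLIENT2 allowed-ips 192.168.80.0/24
set interfaces wireguard wg01 peer CLIENT2 pubkey <CLIENT2-public-key>
set interfaces wireguard wg01 peer CLIENT2 persistent-keepalive 15
set interfaces wireguard wg01 peer CLIENT3 allowed-ips 0.0.0.0/0
set interfaces wireguard wg01 peer CLIENT3 pubkey <CLIENT3-public-key>
set interfaces wireguard wg01 peer CLIENT3 persistent-keepalive 15

# Kernel routes: allowed-ips alone never installs a route, so the hub still
# needs to know that 192.168.3.0/24 lives behind wg01.
set protocols static interface-route 192.168.3.0/24 next-hop-interface wg01

# Egress for the tunnelled subnet: masquerade behind the hub's public address.
set nat source rule 5000 outbound-interface eth0
set nat source rule 5000 translation address masquerade

# Ingress: rewrite the public address to the server behind HomeVyOS ...
set nat destination rule 10 description 'Ark server'
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp_udp
set nat destination rule 10 destination port 7777,27015
set nat destination rule 10 translation address 192.168.3.100

# ... and allow only those new connections through (the firewall sees the
# post-DNAT destination address, hence 192.168.3.100 here, not the public IP).
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 state established enable
set firewall name WAN_IN rule 20 state related enable
set firewall name WAN_IN rule 40 action accept
set firewall name WAN_IN rule 40 protocol tcp_udp
set firewall name WAN_IN rule 40 destination address 192.168.3.100
set firewall name WAN_IN rule 40 destination port 7777,27015
set interfaces ethernet eth0 firewall in name WAN_IN

commit
save
exit

# Verification (operational mode): per-peer handshake and byte counters, and
# the live DNAT entries once a client has connected.
show interfaces wireguard wg01
show nat destination translations
```

Note why no policy routing is needed on the hub for the return path: the reply from 192.168.3.100 enters HomeVyOS on eth5, the Filter-Hosted policy sends it to table 100 and therefore back into the tunnel, and conntrack on CloudVyOS reverses the DNAT before the packet leaves eth0. That only holds because the whole of 192.168.3.0/24 is policy-routed; if only some hosts or ports were, replies for a DNAT'd connection would leave through HomeVyOS's own WAN with a source address the client never connected to, and the connection would fail.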

Alright, I guess I figured out the issue on my own. The problem was with the application and not VyOS, after I got the routing working.

So my example configs above do work!

This would be a wonderful knowledge base article for future reference. Do I have the ability to create one?

https://vyos.readthedocs.io/en/latest/contributing/development.html#
