Wireguard Encapsulation Issues with Public VPN

blotto · March 29, 2024, 7:45am

Hello everyone,

I am contacting you because I am encountering difficulties in encapsulating a network inside a Wireguard VPN.
The Wireguard client configuration is correct and appears to be connected to the provider.

interface: wg01
public key: **************************************
private key: (hidden)
listening port: ****

peer: ******************************************
endpoint: PUBLICVPNPROVIDER:51820

allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 22 seconds ago
transfer: 125.95 KiB received, 501.52 KiB sent
persistent keepalive: every 21 seconds

However, when I try to route the machines from the 10.40.10.0/24 network into the VPN using either a routing rule or via SNAT.

set nat source rule 110 outbound-interface name ‘wg01’
set nat source rule 110 source address ‘10.40.10.0/24’
set nat source rule 110 translation address ‘masquerade’

set protocols static route 10.40.10.0/24 interface wg01

It does not work, and despite all my attempts, it remains unsuccessful. I would like to specify that I am able to route Internet to the concerned network through the following rules.
set protocols static route 0.0.0.0/0 next-hop 10.99.10.1
et nat source rule 112 outbound-interface name ‘eth0’
set nat source rule 112 source address ‘10.40.10.0/24’
set nat source rule 112 translation address ‘masquerade’

vyos.config (5,6 Ko)

Thank you for your assistance.

tjh · March 29, 2024, 8:59am

Hi Blotto. Welcome to the Vyos forums!

Are you trying to ONLY route devices in the 10.40.10.0/24 network down your Wireguard instance?

If so, you’re trying to do Policy Based Routing

You will need to SNAT as well. But no traffic from 10.40.10.0/24 will use your WG instance as its default route unless you policy route it.

.

blotto · March 29, 2024, 11:41am

Hello tjh, and thank you for your welcome.

Yes, exactly. I would only the 10.40.10.0/24 network to access internet on Wireguard, while the other networks connected to the router use the default route leading to the vmbr proxmox.

I need the default route on the router so that it can connect to the public Wireguard VPN. I think it’s indeed the default route that might be causing the issue, but I’m not sure how to overcome it. I’m open to any proposition ?

Thank you for your assistance.

blotto · March 29, 2024, 3:38pm

Hi again tjh,

You help me a lot many thanks to you with Policy Based Routing .

I researched policy-based routing, I created some rules to route my network through the WireGuard interface

Solution for people in need

# Policy for network 10.40.20.0/24 can join machines in 10.0.0.0/8 
set policy route VPN rule 50 destination address '10.0.0.0/8'
set policy route VPN rule 50 set table 'main'
set policy route VPN rule 50 source address 10.40.10.0/24

# Policy to route traffic from 10.40.10.0/24 to table 100
set policy route VPN rule 100 destination address '0.0.0.0/0'
set policy route VPN rule 100 set table '100'
set policy route VPN rule 100 source address 10.40.10.0/24

# Apply this policy only on eth2
set policy route VPN interface eth2

# Table 100: Static route to go through WireGuard interface
set protocols static table 100 route 0.0.0.0/0 interface wg01

# SNAT rule
set nat source rule 110 outbound-interface name 'wg01'
set nat source rule 110 source address '10.40.10.0/24'
set nat source rule 110 translation address 'masquerade'

Source that helped me
vyos-policy-based-routing-with-wireguard

system · April 28, 2024, 3:39pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.