Wireguard Encapsulation Issues with Public VPN

Hello everyone,

I am contacting you because I am encountering difficulties in encapsulating a network inside a Wireguard VPN.
The Wireguard client configuration is correct and appears to be connected to the provider.

interface: wg01
public key: **************************************
private key: (hidden)
listening port: ****

peer: ******************************************
endpoint: PUBLICVPNPROVIDER:51820

allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 22 seconds ago
transfer: 125.95 KiB received, 501.52 KiB sent
persistent keepalive: every 21 seconds

However, when I try to route the machines from the 10.40.10.0/24 network into the VPN using either a routing rule or SNAT:

set nat source rule 110 outbound-interface name 'wg01'
set nat source rule 110 source address '10.40.10.0/24'
set nat source rule 110 translation address 'masquerade'

set protocols static route 10.40.10.0/24 interface wg01

It does not work, and despite all my attempts it remains unsuccessful. I would like to point out that I am able to route Internet to the network concerned through the following rules:

set protocols static route 0.0.0.0/0 next-hop 10.99.10.1
set nat source rule 112 outbound-interface name 'eth0'
set nat source rule 112 source address '10.40.10.0/24'
set nat source rule 112 translation address 'masquerade'


Thank you for your assistance.

Hi Blotto. Welcome to the Vyos forums!

Are you trying to ONLY route devices in the 10.40.10.0/24 network down your Wireguard instance?

If so, you’re trying to do Policy Based Routing

You will need to SNAT as well. But no traffic from 10.40.10.0/24 will use your WG instance as its default route unless you policy route it.


Hello tjh, and thank you for your welcome.:blush:

Yes, exactly. I would only like the 10.40.10.0/24 network to access the Internet through Wireguard, while the other networks connected to the router use the default route leading to the Proxmox vmbr.

I need the default route on the router so that it can connect to the public Wireguard VPN. I think it's indeed the default route that might be causing the issue, but I'm not sure how to overcome it. I'm open to any proposition.

Thank you for your assistance.

Hi again tjh,

You helped me a lot; many thanks to you for the Policy Based Routing pointer.

I researched policy-based routing and created some rules to route my network through the WireGuard interface.

Solution for people in need

# Policy so that network 10.40.20.0/24 can reach machines in 10.0.0.0/8
set policy route VPN rule 50 destination address '10.0.0.0/8'
set policy route VPN rule 50 set table 'main'
set policy route VPN rule 50 source address '10.40.10.0/24'

# Policy to route traffic from 10.40.10.0/24 to table 100
set policy route VPN rule 100 destination address '0.0.0.0/0'
set policy route VPN rule 100 set table '100'
set policy route VPN rule 100 source address '10.40.10.0/24'

# Apply this policy only on eth2
set policy route VPN interface eth2

# Table 100: Static route to go through WireGuard interface
set protocols static table 100 route 0.0.0.0/0 interface wg01

# SNAT rule
set nat source rule 110 outbound-interface name 'wg01'
set nat source rule 110 source address '10.40.10.0/24'
set nat source rule 110 translation address 'masquerade'

Source that helped me
vyos-policy-based-routing-with-wireguard

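To check that the policy above does what the thread intends (10.40.10.0/24 reaches the Internet via wg01, still reaches 10.0.0.0/8 via the main table, and other subnets are untouched), here is an added Python model of VyOS first-match policy-route evaluation; it is not part of the post or of VyOS, and the routing-table contents (a connected 10.0.0.0/8 on eth2, main's default via 10.99.10.1) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    number: int        # VyOS rules are evaluated in ascending number, first match wins
    source: str
    destination: str
    table: str


# Same rules as 'policy route VPN' in the post (applied on ingress interface eth2).
VPN_POLICY = [
    PolicyRule(50, "10.40.10.0/24", "10.0.0.0/8", "main"),
    PolicyRule(100, "10.40.10.0/24", "0.0.0.0/0", "100"),
]

# Constructed routing tables (assumption): main's default goes to the Proxmox
# bridge next-hop, table 100's default goes out the WireGuard interface.
TABLES = {
    "main": {"0.0.0.0/0": "eth0 via 10.99.10.1", "10.0.0.0/8": "eth2 (connected)"},
    "100": {"0.0.0.0/0": "wg01"},
}


def select_table(src: str, dst: str, policy=VPN_POLICY) -> str:
    """Return the routing table a packet src->dst is steered to by the policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(policy, key=lambda r: r.number):
        if s in ipaddress.ip_network(rule.source) and d in ipaddress.ip_network(rule.destination):
            return rule.table
    return "main"  # no rule matched: ordinary lookup in the main table


def egress(src: str, dst: str, policy=VPN_POLICY) -> str:
    """Longest-prefix lookup of dst in the table chosen by the policy."""
    table = TABLES[select_table(src, dst, policy)]
    d = ipaddress.ip_address(dst)
    best = max((n for n in table if d in ipaddress.ip_network(n)),
               key=lambda n: ipaddress.ip_network(n).prefixlen)
    return table[best]


if __name__ == "__main__":
    for src, dst in [("10.40.10.5", "8.8.8.8"), ("10.40.10.5", "10.40.20.7"), ("10.40.20.7", "8.8.8.8")]:
        print(f"{src} -> {dst}: {egress(src, dst)}")
    # Dropping rule 50 shows why it is needed: LAN-to-LAN traffic would leak into the tunnel.
    print("without rule 50:", egress("10.40.10.5", "10.40.20.7", policy=[VPN_POLICY[1]]))
```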