Trying to get my VyOS box to connect to a remote WireGuard peer. This peer works with many other clients. No handshake is ever made.
Here’s the WireGuard config:
Actually realized I had not put wg0 in any zone. I added it to the WAN zone, along with eth0, and boom, traffic. Is that the recommended approach, put it in the WAN zone?
zone WAN {
    default-action drop
    from IOT2 {
        firewall {
            name IOT2-WAN
        }
    }
    from LAN {
        firewall {
            name LAN-WAN
        }
    }
    from LOCAL {
        firewall {
            name LOCAL-WAN
        }
    }
    interface eth0
    interface wg0
}
Also, to get traffic to go over it, I seem to need a static route. Is that right? For example, after I got it working, I put 8.8.8.8/32 in the allowed-ips of the peer. But traceroute to 8.8.8.8 still went over WAN. Then I added a static route of 8.8.8.8 to wg0, and then traceroute shows it going out wg0.
On other things like my desktop Linux, just adding the allowed-ips forces traffic to those IPs to go over the tunnel.
Also, I got traffic from LOCAL (VyOS box) to wg0. But I can’t get it from LAN to wg0. I’ve tried what I can think of for now on the rules. Here is the whole firewall. I know it’s long, just not sure what’s wrong:
firewall {
    name IOT2-LAN {
        default-action drop
        enable-default-log
        rule 5 {
            action accept
            description "Allow Est/Related traffic"
            state {
                established enable
                related enable
            }
        }
    }
    name IOT2-LOCAL {
        default-action drop
        enable-default-log
        rule 5 {
            action accept
            description "Allow Est/Related traffic"
            state {
                established enable
                related enable
            }
        }
        rule 53 {
            action accept
            description "DNS Server"
            destination {
                port 53
            }
            protocol udp
            state {
                new enable
            }
        }
        rule 67 {
            action accept
            description "DHCP Server"
            destination {
                port 67-68
            }
            protocol udp
            state {
                new enable
            }
        }
    }
    name IOT2-WAN {
        default-action accept
    }
    name LAN-IOT2 {
        default-action accept
        enable-default-log
    }
    name LAN-LOCAL {
        default-action accept
        enable-default-log
    }
    name LAN-WAN {
        default-action accept
        enable-default-log
    }
    name LOCAL-IOT2 {
        default-action accept
        enable-default-log
    }
    name LOCAL-LAN {
        default-action accept
        enable-default-log
    }
    name LOCAL-WAN {
        default-action accept
    }
    name WAN-IOT2 {
        default-action drop
        rule 5 {
            action accept
            description "Allow Est/Related traffic"
            state {
                established enable
                related enable
            }
        }
    }
    name WAN-LAN {
        default-action drop
        rule 5 {
            action accept
            description "Allow Est/Related traffic"
            state {
                established enable
                related enable
            }
        }
        rule 51820 {
            action accept
            description "Allow Wireguard to LAN Clients"
            destination {
                port 51820
            }
            log enable
            protocol udp
            state {
                new enable
            }
        }
    }
    name WAN-LOCAL {
        default-action drop
        enable-default-log
        rule 5 {
            action accept
            description "Allow Est/Related Traffic"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
        rule 22 {
            action accept
            description SSH
            destination {
                port 22
            }
            log enable
            protocol tcp
            state {
                new enable
            }
        }
        rule 51820 {
            action accept
            description Wireguard
            destination {
                port 51820
            }
            log enable
            protocol udp
            state {
                new enable
            }
        }
    }
    zone IOT2 {
        default-action drop
        from LAN {
            firewall {
                name LAN-IOT2
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-IOT2
            }
        }
        from WAN {
            firewall {
                name WAN-IOT2
            }
        }
        interface eth1.2
    }
    zone LAN {
        default-action drop
        from IOT2 {
            firewall {
                name LAN-IOT2
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-LAN
            }
        }
        interface eth1
    }
    zone LOCAL {
        default-action drop
        from IOT2 {
            firewall {
                name IOT2-LOCAL
            }
        }
        from LAN {
            firewall {
                name LAN-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        from IOT2 {
            firewall {
                name IOT2-WAN
            }
        }
        from LAN {
            firewall {
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
        interface eth0
        interface wg0
    }
}
If I monitor log LAN-WAN and then initiate a ping from LAN client, I see every ping attempt in the monitor. But if I monitor WAN-LAN or any other rule, I see nothing when ping is ongoing. Who’s dropping it? Ping is never successful.
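As an added example (not code from the post or from VyOS), here is a small Python check that parses brace-form VyOS configuration text like the dump above and reports every zone pair whose referenced ruleset is undefined or is not named FROM-TO, the naming convention the post's own rulesets follow; that convention, the `parse_vyos`/`check_zone_policy` names and the trimmed sample config are assumptions of this example.

```python
# Added example, not code from the post or from VyOS: parse brace-form VyOS config text
# and check that every "zone TO { from FROM { firewall { name X }}}" references a defined
# ruleset named FROM-TO (the naming convention the post uses; assumed here, not enforced by VyOS).
SAMPLE = "\n".join([  # constructed, trimmed from the post's layout; indentation is irrelevant
    "firewall {", "name IOT2-LAN {", "default-action drop", "}",
    "name LAN-IOT2 {", "default-action accept", "}", "name WAN-LAN {", "default-action drop", "}",
    "zone LAN {", "from IOT2 {", "firewall {", "name LAN-IOT2", "}", "}",
    "from WAN {", "firewall {", "name WAN-LAN", "}", "}", "interface eth1", "}",
    "}",
])

def parse_vyos(text):
    """Brace-form config -> nested dicts; leaf statements -> list of values."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line == "}":
            stack.pop()                         # close the current block
        elif line.endswith("{"):
            node = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(node)                  # open a nested block, e.g. "zone LAN"
        elif line:
            key, _, val = line.partition(" ")   # "interface eth1" -> ("interface", "eth1")
            stack[-1].setdefault(key, []).append(val)
    return root

def check_zone_policy(cfg):
    """Return problem strings: zone pairs whose ruleset is undefined or not FROM-TO, and unused rulesets."""
    fw = cfg.get("firewall", {})
    defined = {k.split(" ", 1)[1] for k in fw if k.startswith("name ")}
    zones = {k: v for src in (cfg, fw) for k, v in src.items() if k.startswith("zone ")}  # top level or under firewall
    used, problems = set(), []
    for zkey, zone in zones.items():
        to_zone = zkey.split(" ", 1)[1]
        for fkey, frm in zone.items():
            if not fkey.startswith("from "): continue   # skip interface/default-action leaves
            from_zone = fkey.split(" ", 1)[1]
            for name in frm.get("firewall", {}).get("name", []):
                used.add(name)
                if name not in defined:
                    problems.append(f"zone {to_zone} from {from_zone}: ruleset {name} is not defined")
                elif name != f"{from_zone}-{to_zone}":
                    problems.append(f"zone {to_zone} from {from_zone}: uses {name}, expected {from_zone}-{to_zone}")
    problems += [f"ruleset {n} is defined but no zone pair references it" for n in sorted(defined - used)]
    return problems
```

Run against the full dump it flags the LAN zone's `from IOT2` entry, which points at LAN-IOT2 while IOT2-LAN sits unused.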