Wireguard Fails

Trying to get my VyOS box to connect to a remote WireGuard peer. This peer works with many other clients. No handshake is ever made.
Here's the WireGuard config:

wireguard wg0 {
	address 10.0.6.2/24
	peer dosfo2 {
		address --publicipofpeer--
		allowed-ips 10.0.6.0/24
		port 51820
		public-key --publickeyishere--
	}
	port 51820
	private-key --privatekeyishere--
}

This is my firewall rule for WAN to LOCAL:

rule 51820 {
	action accept
	description Wireguard
	destination {
		port 51820
	}
	log enable
	protocol udp
	state {
		new enable
	}
}

Show output:

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L 
---------        ----------                        ---  
wg0              10.0.6.2/24                       u/u

Thanks!
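A quick way to see what the kernel thinks of each peer while chasing a "no handshake" problem like this one: parse the output of `wg show wg0 dump` and classify every peer by the age of its last handshake. This is example code written for this thread, not VyOS or WireGuard code; it assumes the `wg` utility is present on the box (it is the standard WireGuard userspace tool on Linux), and the embedded dump is constructed sample output with placeholder keys.

```python
"""Handshake health check over `wg show <iface> dump` output.  Added example
for this thread, not VyOS or WireGuard code.  Assumes the `wg` tool is on the
box; SAMPLE_DUMP is constructed output with placeholder keys."""
import subprocess
import time

# Constructed sample of `wg show wg0 dump`: one interface line, then one line
# per peer.  Fields are tab separated: public-key, preshared-key, endpoint,
# allowed-ips, latest-handshake (UNIX seconds, 0 if never), rx bytes,
# tx bytes, persistent-keepalive.
SAMPLE_DUMP = (
    "PRIVKEY_PLACEHOLDER\tPUBKEY_PLACEHOLDER\t51820\toff\n"
    "PEER_A_PUBKEY_CONSTRUCTED\t(none)\t203.0.113.7:51820\t10.0.6.0/24,8.8.8.8/32"
    "\t1700000100\t4096\t8192\toff\n"
    "PEER_B_PUBKEY_CONSTRUCTED\t(none)\t198.51.100.9:51820\t10.0.7.0/24"
    "\t0\t0\t1184\t25\n"
    "PEER_C_PUBKEY_CONSTRUCTED\t(none)\t(none)\t10.0.8.0/24"
    "\t1699999000\t512\t512\toff\n"
)


def parse_dump(text):
    """Return (interface dict, list of peer dicts) from `wg show ... dump` text."""
    iface, peers = None, []
    for n, line in enumerate(text.strip().splitlines()):
        f = line.split("\t")
        if n == 0:
            iface = {"public_key": f[1], "listen_port": int(f[2])}
            continue
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
            "keepalive": None if f[7] == "off" else int(f[7]),
        })
    return iface, peers


def classify(peer, now, max_age=180):
    """A session rekeys every two minutes while traffic flows, so a handshake
    older than about three minutes on a peer that should be busy means the
    exchange is no longer completing.  An idle peer legitimately keeps an old
    timestamp, so "stale" only matters for peers expected to carry traffic."""
    if peer["latest_handshake"] == 0:
        return "never"
    return "ok" if now - peer["latest_handshake"] <= max_age else "stale"


def report(text, now=None, max_age=180):
    """List of (public_key, status, note) for each peer in the dump."""
    now = time.time() if now is None else now
    _, peers = parse_dump(text)
    out = []
    for p in peers:
        status = classify(p, now, max_age)
        note = ""
        if status == "never" and p["tx_bytes"] > 0 and p["rx_bytes"] == 0:
            # Initiations are leaving (148 bytes each) and nothing comes back:
            # the path to the endpoint, not the keys, is the first suspect.
            note = "sending, nothing received: check the path to the endpoint"
        elif p["endpoint"] is None:
            note = "no endpoint: this side cannot initiate"
        out.append((p["public_key"], status, note))
    return out


def live_report(iface="wg0"):
    """Run the real tool (needs root) and classify its peers."""
    proc = subprocess.run(["wg", "show", iface, "dump"],
                          check=True, capture_output=True, text=True)
    return report(proc.stdout)


if __name__ == "__main__":
    for key, status, note in report(SAMPLE_DUMP, now=1700000200):
        print(f"{key:28} {status:6} {note}")
```

A handshake timestamp of 0 together with a sent counter that keeps growing while received stays at 0 is what a blocked path looks like from this side: every initiation goes out and no response ever arrives, which is consistent with a firewall that lets the initiation leave but has no rule for the reply, or with a peer that never sees it at all.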

I see your WAN->LOCAL rule, but are you allowing new traffic out from LOCAL to WAN on port 51820 to the remote peer’s IP address?

Allowing established/related outbound is necessary, but you’ll also need to allow new outgoing connections from LOCAL to WAN as well.

Actually, I realized I had not put wg0 in any zone. I added it to the WAN zone, along with eth0, and boom, traffic. Is that the recommended approach, putting it in the WAN zone?

zone WAN {
	default-action drop
	from IOT2 {
		firewall {
			name IOT2-WAN
		}
	}
	from LAN {
		firewall {
			name LAN-WAN
		}
	}
	from LOCAL {
		firewall {
			name LOCAL-WAN
		}
	}
	interface eth0
	interface wg0
}

Also, to get traffic to go over it, I seem to need a static route; is that right? For example, after I got it working, I put 8.8.8.8/32 in the allowed-ips of the peer. But traceroute to 8.8.8.8 still went over WAN. Then I added a static route for 8.8.8.8 to wg0, and traceroute shows it going out wg0.

On other things like my desktop Linux, just adding the allowed-ips forces traffic to those IPs to go over the tunnel.

Also, I got traffic from LOCAL (VyOS box) to wg0. But I can't get it from LAN to wg0. I've tried what I can think of for now on the rules. Here is the whole firewall; I know it's long, I'm just not sure what's wrong:

firewall {
    name IOT2-LAN {
        default-action drop
        enable-default-log
        rule 5 {
            action accept
            description "Allow Est/Related traffic"
            state {
                established enable
                related enable
            }
        }
    }
    name IOT2-LOCAL {
        default-action drop
        enable-default-log
        rule 5 {
            action accept
            description "Allow Est/Related traffic"
            state {
                established enable
                related enable
            }
        }
        rule 53 {
            action accept
            description "DNS Server"
            destination {
                port 53
            }
            protocol udp
            state {
                new enable
            }
        }
        rule 67 {
            action accept
            description "DHCP Server"
            destination {
                port 67-68
            }
            protocol udp
            state {
                new enable
            }
        }
    }
    name IOT2-WAN {
        default-action accept
    }
    name LAN-IOT2 {
        default-action accept
        enable-default-log
    }
    name LAN-LOCAL {
        default-action accept
        enable-default-log
    }
    name LAN-WAN {
        default-action accept
        enable-default-log
    }
    name LOCAL-IOT2 {
        default-action accept
        enable-default-log
    }
    name LOCAL-LAN {
        default-action accept
        enable-default-log
    }
    name LOCAL-WAN {
        default-action accept
    }
    name WAN-IOT2 {
        default-action drop
        rule 5 {
            action accept
            description "Allow Est/Related traffic"
            state {
                established enable
                related enable
            }
        }
    }
    name WAN-LAN {
        default-action drop
        rule 5 {
            action accept
            description "Allow Est/Related traffic"
            state {
                established enable
                related enable
            }
        }
        rule 51820 {
            action accept
            description "Allow Wireguard to LAN Clients"
            destination {
                port 51820
            }
            log enable
            protocol udp
            state {
                new enable
            }
        }
    }
    name WAN-LOCAL {
        default-action drop
        enable-default-log
        rule 5 {
            action accept
            description "Allow Est/Related Traffic"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
        rule 22 {
            action accept
            description SSH
            destination {
                port 22
            }
            log enable
            protocol tcp
            state {
                new enable
            }
        }
        rule 51820 {
            action accept
            description Wireguard
            destination {
                port 51820
            }
            log enable
            protocol udp
            state {
                new enable
            }
        }
    }
    zone IOT2 {
        default-action drop
        from LAN {
            firewall {
                name LAN-IOT2
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-IOT2
            }
        }
        from WAN {
            firewall {
                name WAN-IOT2
            }
        }
        interface eth1.2
    }
    zone LAN {
        default-action drop
        from IOT2 {
            firewall {
                name LAN-IOT2
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-LAN
            }
        }
        interface eth1
    }
    zone LOCAL {
        default-action drop
        from IOT2 {
            firewall {
                name IOT2-LOCAL
            }
        }
        from LAN {
            firewall {
                name LAN-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        from IOT2 {
            firewall {
                name IOT2-WAN
            }
        }
        from LAN {
            firewall {
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
        interface eth0
        interface wg0
    }
}

If I monitor log LAN-WAN and then initiate a ping from a LAN client, I see every ping attempt in the monitor. But if I monitor WAN-LAN or any other rule, I see nothing while the ping is ongoing. Who's dropping it? Ping is never successful.
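The two questions in this post (why allowed-ips alone did not steer 8.8.8.8 into the tunnel, and which ruleset a LAN-to-wg0 packet and its reply actually cross once wg0 sits in the WAN zone) both come down to the order in which the kernel route lookup, the zone pair and WireGuard's cryptokey routing are applied. The model below walks a packet through those stages. It is an added illustration written for this thread, not VyOS or WireGuard code: zone membership, the rulesets and the peer's allowed-ips are taken from the config posted above; the LAN subnet 192.168.1.0/24, the two route tables and the sample packets are constructed assumptions.

```python
"""Packet-path model: VyOS zone-based firewall with wg0 in the WAN zone, plus
WireGuard cryptokey routing on top of the kernel routing table.  Added
illustration for this thread, not VyOS or WireGuard code.  Zones, rulesets and
allowed-ips follow the posted config; 192.168.1.0/24, the route tables and the
sample packets are constructed."""
import ipaddress

LOCAL_ZONE = "LOCAL"                      # the router itself ("local-zone")
ZONES = {"eth0": "WAN", "wg0": "WAN", "eth1": "LAN", "eth1.2": "IOT2"}
ZONES_WITHOUT_WG0 = {k: v for k, v in ZONES.items() if k != "wg0"}
ZONE_DEFAULT = {"WAN": "drop", "LAN": "drop", "IOT2": "drop", "LOCAL": "drop"}

# (from_zone, to_zone) -> (default-action, rules); a rule is (proto, dport,
# states), with "any"/None matching everything.  Only the zone pairs that the
# traffic in this thread crosses are modelled.
RULESETS = {
    ("LAN", "WAN"):   ("accept", []),
    ("LOCAL", "WAN"): ("accept", []),
    ("WAN", "LAN"):   ("drop", [("any", None, {"established", "related"}),
                                ("udp", 51820, {"new"})]),
    ("WAN", "LOCAL"): ("drop", [("any", None, {"established", "related"}),
                                ("icmp", None, {"new"}),
                                ("tcp", 22, {"new"}),
                                ("udp", 51820, {"new"})]),
}

# allowed-ips is cryptokey routing: outbound it decides which peer owns a
# destination once a packet has already been routed into wg0; inbound it is a
# source filter.  On VyOS it installs no kernel route by itself, which is why
# the static route for 8.8.8.8/32 was needed.
PEERS = {"dosfo2": ["10.0.6.0/24", "8.8.8.8/32"]}

# Kernel routing table before and after the static route was added.
ROUTES = [("0.0.0.0/0", "eth0"), ("10.0.6.0/24", "wg0"), ("192.168.1.0/24", "eth1")]
ROUTES_WITH_STATIC = ROUTES + [("8.8.8.8/32", "wg0")]


def route_lookup(dst, routes):
    """Longest-prefix match; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    _, iface = max(((ipaddress.ip_network(n), i) for n, i in routes
                    if addr in ipaddress.ip_network(n)),
                   key=lambda ni: ni[0].prefixlen)
    return iface


def cryptokey_peer(addr, peers=PEERS):
    """Peer whose allowed-ips contain addr, or None (WireGuard drops silently)."""
    ip = ipaddress.ip_address(addr)
    for name, nets in peers.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return name
    return None


def firewall_verdict(from_zone, to_zone, proto, dport, state):
    """First matching rule accepts; otherwise the ruleset's default-action."""
    default, rules = RULESETS.get((from_zone, to_zone), (ZONE_DEFAULT[to_zone], []))
    for r_proto, r_port, r_states in rules:
        if r_proto in ("any", proto) and r_port in (None, dport) and state in r_states:
            return "accept"
    return default


def trace(ingress, src, dst, proto="icmp", dport=None, state="new",
          routes=ROUTES, zones=ZONES):
    """Follow one packet: cryptokey source check -> route lookup -> zone pair
    -> ruleset -> cryptokey destination check.  ingress is an interface name,
    or "local" for packets the router itself originates."""
    if ingress == "wg0" and cryptokey_peer(src) is None:
        return {"egress": None, "ruleset": None,
                "verdict": "drop (source not in any peer's allowed-ips)"}
    egress = route_lookup(dst, routes)
    from_zone = LOCAL_ZONE if ingress == "local" else zones.get(ingress)
    to_zone = zones.get(egress)
    # An interface in no zone is treated as dropped in both directions, which
    # matches what happened before wg0 was added to WAN.
    if from_zone is None or to_zone is None:
        return {"egress": egress, "ruleset": None, "verdict": "drop (interface in no zone)"}
    verdict = firewall_verdict(from_zone, to_zone, proto, dport, state)
    result = {"egress": egress, "ruleset": f"{from_zone}-{to_zone}", "verdict": verdict}
    if verdict == "accept" and egress == "wg0":
        result["peer"] = cryptokey_peer(dst)
        if result["peer"] is None:
            result["verdict"] = "drop (destination in no peer's allowed-ips)"
    return result


if __name__ == "__main__":
    # Router pinging 8.8.8.8: allowed-ips alone does not steer it into wg0.
    print(trace("local", "10.0.6.2", "8.8.8.8"))
    print(trace("local", "10.0.6.2", "8.8.8.8", routes=ROUTES_WITH_STATIC))
    # LAN host into the tunnel, and the reply coming back through WAN-LAN.
    print(trace("eth1", "192.168.1.10", "10.0.6.1"))
    print(trace("wg0", "10.0.6.1", "192.168.1.10", state="established"))
    print(trace("eth1", "192.168.1.10", "10.0.6.1", zones=ZONES_WITHOUT_WG0))
```

Run as-is it shows that with wg0 in WAN the LAN ping crosses LAN-WAN (accept, which is why it shows up in that log) and an established reply would cross WAN-LAN rule 5, so the posted rulesets themselves do not account for the failure. One thing the model makes visible that the thread does not settle: the same source filter runs at the far end, so the remote peer only accepts packets from this box whose source address lies in the allowed-ips it has configured for this box's key. LAN-originated traffic therefore needs either that subnet listed on the remote side or source NAT onto 10.0.6.2 on this box; the remote configuration is not shown here, so which applies cannot be read off the page.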

Try adding a rule for new traffic, like this:
set firewall name IOT2-LOCAL rule 10 state new enable