I set up a tunnel to a remote WG instance. I have other clients on that side of the tunnel that I work with. Randomly, but frequently, I will lose access to those instances. I will ssh in to a box on that side, and all will be working, then all of a sudden I'll lose my session. I tested it with ping, and I see this pattern over and over:
PING 10.0.6.3 (10.0.6.3): 56 data bytes
64 bytes from 10.0.6.3: icmp_seq=0 ttl=62 time=27.737 ms
64 bytes from 10.0.6.3: icmp_seq=1 ttl=62 time=25.056 ms
64 bytes from 10.0.6.3: icmp_seq=2 ttl=62 time=24.426 ms
64 bytes from 10.0.6.3: icmp_seq=3 ttl=62 time=24.478 ms
64 bytes from 10.0.6.3: icmp_seq=4 ttl=62 time=24.931 ms
64 bytes from 10.0.6.3: icmp_seq=5 ttl=62 time=25.199 ms
64 bytes from 10.0.6.3: icmp_seq=6 ttl=62 time=24.346 ms
64 bytes from 10.0.6.3: icmp_seq=7 ttl=62 time=24.064 ms
64 bytes from 10.0.6.3: icmp_seq=8 ttl=62 time=24.749 ms
64 bytes from 10.0.6.3: icmp_seq=9 ttl=62 time=24.363 ms
64 bytes from 10.0.6.3: icmp_seq=10 ttl=62 time=23.786 ms
Request timeout for icmp_seq 11
Request timeout for icmp_seq 12
Request timeout for icmp_seq 13
Request timeout for icmp_seq 14
Request timeout for icmp_seq 15
Request timeout for icmp_seq 16
Request timeout for icmp_seq 17
64 bytes from 10.0.6.3: icmp_seq=18 ttl=62 time=24.136 ms
64 bytes from 10.0.6.3: icmp_seq=19 ttl=62 time=24.655 ms
64 bytes from 10.0.6.3: icmp_seq=20 ttl=62 time=24.910 ms
64 bytes from 10.0.6.3: icmp_seq=21 ttl=62 time=24.587 ms
64 bytes from 10.0.6.3: icmp_seq=22 ttl=62 time=24.245 ms
64 bytes from 10.0.6.3: icmp_seq=23 ttl=62 time=24.518 ms
64 bytes from 10.0.6.3: icmp_seq=24 ttl=62 time=24.197 ms
This rate of dropped packets is common:
--- 10.0.6.3 ping statistics ---
135 packets transmitted, 112 received, 17.037% packet loss, time 134745ms
rtt min/avg/max/mdev = 24.818/32.591/258.612/26.369 ms
I'm not sure where to start diagnosing, because it seems my tunnel config and NAT and firewall rules are good, or it wouldn't work at all. When I use other connections to the same remote tunnel, like the WireGuard client on Mac, iOS, or even directly from a Linux laptop, there is no such issue. Only when routing through VyOS. Which configs would be helpful to see? Here's what I can think of:
nat {
    source {
        rule 100 {
            outbound-interface eth0
            translation {
                address masquerade
            }
        }
        rule 101 {
            outbound-interface wg0
            translation {
                address masquerade
            }
        }
    }
}

wireguard wg0 {
    address 10.0.6.2/24
    description "DO VPN SFO2"
    peer dosfo2 {
        address 'remoteserverip'
        allowed-ips 0.0.0.0/0
        persistent-keepalive 15
        port 51820
        public-key 'key'
    }
    port 51821
    private-key 'key'
}

policy {
    local-route {
        rule 10 {
            destination 10.0.6.0/24
            set {
                table 10
            }
        }
    }
}
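As an added example (not part of the original post), a small Python script that parses ping output like the capture above and groups consecutive timeouts into outages, which makes it easy to tell multi-second bursts, as seen here, from scattered single losses. The sample input is a constructed excerpt of the post's ping output, and the one-second probe interval is an assumption (ping's default).

```python
import re

# Constructed sample input: an excerpt of the ping output quoted in the post.
SAMPLE_PING = """\
64 bytes from 10.0.6.3: icmp_seq=10 ttl=62 time=23.786 ms
Request timeout for icmp_seq 11
Request timeout for icmp_seq 12
Request timeout for icmp_seq 13
Request timeout for icmp_seq 14
Request timeout for icmp_seq 15
Request timeout for icmp_seq 16
Request timeout for icmp_seq 17
64 bytes from 10.0.6.3: icmp_seq=18 ttl=62 time=24.136 ms
"""

# Reply and timeout line formats as printed by macOS/BSD ping (shown in the post).
REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")
TIMEOUT_RE = re.compile(r"Request timeout for icmp_seq (\d+)")

def parse_ping(text):
    """Return [(seq, rtt_ms)] in sequence order; rtt_ms is None for a timeout."""
    samples = []
    for line in text.splitlines():
        if m := REPLY_RE.search(line):
            samples.append((int(m.group(1)), float(m.group(2))))
        elif m := TIMEOUT_RE.search(line):
            samples.append((int(m.group(1)), None))
    return sorted(samples)

def find_outages(samples, interval_s=1.0):
    """Group runs of consecutive timeouts into (first_seq, last_seq, seconds)."""
    outages, start, prev = [], None, None
    for seq, rtt in samples:
        if rtt is None:
            start = seq if start is None else start
            prev = seq
        elif start is not None:
            outages.append((start, prev, (prev - start + 1) * interval_s))
            start = None
    if start is not None:  # outage still open when the capture ends
        outages.append((start, prev, (prev - start + 1) * interval_s))
    return outages

def summarize(samples, interval_s=1.0):
    """Loss percentage plus outage list; 'bursty' flags runs of 3+ lost probes."""
    lost = sum(1 for _, rtt in samples if rtt is None)
    loss_pct = round(100.0 * lost / len(samples), 1) if samples else 0.0
    outages = find_outages(samples, interval_s)
    bursty = any(last - first >= 2 for first, last, _ in outages)
    return {"loss_pct": loss_pct, "outages": outages, "bursty": bursty}
```

Feed it a longer capture (for example `ping 10.0.6.3 | tee ping.log`, then `summarize(parse_ping(open("ping.log").read()))`) and the outage timestamps can be lined up against `show interfaces wireguard wg0` handshake times or firewall logs on the VyOS side.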