Wireguard Road Warrior Setup Help

Hello all,

I’m trying to set up a WireGuard road warrior connection so that I can access my LAN/VLANs when I am away from home. I have successfully created a WireGuard connection and am able to connect from outside of my network. The VyOS end of the tunnel has the IP 10.0.100.1 while the client has 10.0.100.2. I am able to ping each device from the other side of the tunnel with no problems. However, I am unable to access my LAN/VLAN networks for cameras, NAS, and other services. I figure I am missing a static route or something but haven’t been able to successfully put anything in place that gets me access. Would someone be able to throw me a bone? I am using VyOS 1.2.5 at this time.

Well, I’m hoping I haven’t succeeded in a convoluted manner. What I ended up doing was adding NAT rules from my WireGuard tunnel IP (10.0.100.0/24) with an outbound-interface for each of the network segments I wanted to be able to access. Then I created policy-based routing rules that catch any traffic directed from my WireGuard tunnel IP to my local network segment and set it to the main table. Access has been gained at this time. I

If anyone sees this later and there’s a more efficient way to do this, please do let me know.

Thanks!

Just discovered that I don’t have internet access this way. I guess I could do another policy and NAT rule.

Happy to share my WireGuard config. It allows me to connect in to my home network from any external network. Is that what you are trying to achieve?

Might be worth posting your config.

That’s exactly what I’m trying to accomplish. Remote access from anywhere I might be. It’s working the way I set it up at this point but I’d greatly welcome seeing your config to see if I could do things more efficiently. I’m learning this as I go so I have no pretense that my way is the best way. If you wouldn’t mind, please share.

Remember that your LAN needs to know how to get back to that 10.0.100.0/24 network that you’re using for the WireGuard segment. If you have a main router somewhere other than your VyOS WireGuard VPN concentrator, you’ll need to put a route in there to forward 10.0.100.0/24 traffic to your VyOS router.

In this case, my VyOS router is the only router on the network. That being the case, are static routes or NAT and policy-based routing normally required? I’m not trying to use this connection to get to the internet. I just want to access home network services from a remote location. On pfSense, I never had to create NAT for IPsec or OpenVPN connections to get to network services. I HAVE had to create static routes or tell the connection which subnets are accessible via that connection. So I feel like I’m missing something or have done something odd.

Config (it’s a bit of a mess as I’m just trying to get things to work; will clean up later) follows:

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        address-group CameraTabs {
            address 10.20.20.17-10.20.20.18
        }
        address-group KidsLaptops {
            address 10.20.20.22-10.20.20.23
        }
        address-group Streaming {
            address 10.20.20.30
            address 10.20.20.31
            address 10.20.2.3
            address 10.20.2.4
        }
        network-group Cameras {
            network 10.20.40.0/24
        }
        network-group Isolated {
            network 10.20.20.0/24
        }
        network-group LocalSubnets {
            network 10.20.2.0/24
            network 10.20.20.0/24
            network 10.20.40.0/24
        }
        network-group Trusted {
            network 10.20.2.0/24
        }
        network-group HomeNetworks {
            network 192.168.1.0/24
            network 192.168.10.0/24
            network 192.168.30.0/24
            network 192.168.50.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
    }
    name WAN_OUT {
        default-action accept
    }
    name WAN_local {
        default-action drop
        enable-default-log
        rule 10 {
            action accept
            destination {
                port 2223
            }
            protocol udp
        }
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
        rule 100 {
            action accept
            description ssh
            destination {
                port 512
            }
            protocol tcp_udp
        }
        rule 200 {
            action accept
            destination {
                port 22222
            }
            protocol tcp_udp
        }
        rule 300 {
            action accept
            destination {
                port 22225
            }
            protocol tcp_udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address 10.20.2.1/24
        description LAN
        duplex auto
        hw-id 00:90:0b:58:84:10
        policy {
            route LAN_policy
        }
        smp-affinity auto
        speed auto
        traffic-policy {
            out shape-27mbil
        }
        vif 20 {
            address 10.20.20.1/24
            description VLAN20
            policy {
                route Isolated_policy
            }
            traffic-policy {
                out shape-27mbil
            }
        }
        vif 40 {
            address 10.20.40.1/24
            description VLAN40
            policy {
                route Cameras_policy
            }
            traffic-policy {
                out shape-27mbil
            }
        }
    }
    ethernet eth1 {
        duplex auto
        hw-id 00:90:0b:58:84:11
        smp-affinity auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        hw-id 00:90:0b:58:84:12
        smp-affinity auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        hw-id 00:90:0b:58:84:13
        smp-affinity auto
        speed auto
    }
    ethernet eth4 {
        description DSL
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_local
            }
            out {
                name WAN_OUT
            }
        }
        hw-id 00:90:0b:58:84:0e
        pppoe 0 {
            default-route force
            mtu 1492
            name-server none
            password oGUnhL20
            policy {
                route MSS
            }
            user-id ME@ttnet
        }
        smp-affinity auto
        speed auto
        traffic-policy {
            out shape-4_5mbit
        }
    }
    ethernet eth5 {
        disable
        duplex auto
        hw-id 00:90:0b:58:84:0f
        smp-affinity auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        authentication {
            password MINE
            username ME
        }
        description ExpressVPN_DC
        encryption aes256
        hash sha512
        mode client
        openvpn-option --fast-io
        openvpn-option "--tls-auth /config/auth/tls1.key"
        openvpn-option --persist-key
        openvpn-option --persist-tun
        openvpn-option --nobind
        openvpn-option --pull
        openvpn-option --remote-random
        openvpn-option "--comp-lzo no"
        openvpn-option --tls-client
        openvpn-option "--ns-cert-type server"
        openvpn-option "--verify-x509-name Server name-prefix"
        openvpn-option "--key-direction 1"
        openvpn-option "--route-delay 2"
        openvpn-option "--tun-mtu 1500"
        openvpn-option "--fragment 1300"
        openvpn-option "--mssfix 11200"
        openvpn-option "--verb 3"
        openvpn-option "--sndbuf 524288"
        openvpn-option "--rcvbuf 524288"
        openvpn-option --route-noexec
        persistent-tunnel
        protocol udp
        remote-host usa-washingtondc-2-ca-version-2.expressnetw.com
        remote-port 1195
        tls {
            ca-cert-file /config/auth/ca1.crt
            cert-file /config/auth/client1.crt
            key-file /config/auth/host1.key
        }
        traffic-policy {
            out shape-27mbil
        }
    }
    openvpn vtun1 {
        authentication {
            password MINE
            username ME
        }
        description UtahVyosStreaming
        disable
        encryption aes128
        hash sha256
        mode client
        openvpn-option "--tls-auth /config/auth/utahtls.key"
        openvpn-option "--key-direction 1"
        openvpn-option "--comp-lzo adaptive"
        openvpn-option "--remote-cert-tls server"
        openvpn-option --client
        openvpn-option --tls-client
        openvpn-option --persist-tun
        openvpn-option --persist-key
        openvpn-option "--cipher AES-128-CBC"
        openvpn-option "--auth SHA256"
        persistent-tunnel
        protocol udp
        remote-host HOME
        remote-port 2222
        tls {
            ca-cert-file /config/auth/utahca.crt
            cert-file /config/auth/utahclient.crt
            key-file /config/auth/utahhost.key
        }
    }
    openvpn vtun2 {
        description UtahSitetoSite
        encryption aes128
        firewall {
        }
        hash sha256
        local-address 10.0.210.2 {
        }
        local-port 2223
        mode site-to-site
        openvpn-option "comp-lzo adaptive"
        protocol udp
        remote-address 10.0.210.1
        remote-host HOME
        remote-port 2223
        shared-secret-key-file /config/auth/utahsite.psk
    }
    wireguard wg0 {
        address 10.0.100.1/24
        description RoadWarrior
        peer Ipad {
            allowed-ips 10.0.100.3/32
            persistent-keepalive 15
            pubkey MINE
        }
        peer NickPhone {
            allowed-ips 10.0.100.2/32
            persistent-keepalive 15
            pubkey MINE
        }
        port 22222
    }
}
nat {
    source {
        rule 5 {
            outbound-interface pppoe0
            source {
                address 10.20.0.0/16
            }
            translation {
                address masquerade
            }
        }
        rule 10 {
            outbound-interface vtun0
            source {
                address 10.20.0.0/16
            }
            translation {
                address masquerade
            }
        }
        rule 15 {
            outbound-interface vtun1
            source {
                address 10.20.0.0/16
            }
            translation {
                address masquerade
            }
        }
        rule 20 {
            outbound-interface vtun2
            source {
                address 10.20.0.0/16
            }
            translation {
                address masquerade
            }
        }
        rule 25 {
            destination {
            }
            outbound-interface eth0
            source {
                address 10.0.100.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 30 {
            outbound-interface eth0.20
            source {
                address 10.0.100.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 35 {
            outbound-interface eth0.40
            source {
                address 10.0.100.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
policy {
    route Cameras_policy {
        rule 40 {
            destination {
                address 10.20.40.0/24
            }
            set {
                table main
            }
            source {
                address 10.0.100.0/24
            }
        }
        rule 100 {
            set {
                table main
            }
            source {
                address 10.20.40.0/24
            }
        }
    }
    route Isolated_policy {
        rule 20 {
            destination {
                address 10.20.20.0/24
            }
            set {
                table main
            }
            source {
                address 10.0.100.0/24
            }
        }
        rule 40 {
            destination {
                group {
                    network-group LocalSubnets
                }
            }
            set {
                table main
            }
            source {
                address 10.20.20.0/24
            }
        }
        rule 60 {
            set {
                table 150
            }
            source {
                group {
                    address-group Streaming
                }
            }
        }
        rule 100 {
            set {
                table 100
            }
            source {
                address 10.20.20.0/24
            }
        }
    }
    route LAN_policy {
        rule 20 {
            destination {
                address 10.20.2.0/24
            }
            set {
                table main
            }
            source {
                address 10.0.100.0/24
            }
        }
        rule 40 {
            destination {
                group {
                    network-group LocalSubnets
                }
            }
            set {
                table main
            }
            source {
                address 10.20.2.0/24
            }
        }
        rule 50 {
            set {
                table main
            }
            source {
                address 10.20.2.6
            }
        }
        rule 60 {
            set {
                table 150
            }
            source {
                group {
                    address-group Streaming
                }
            }
        }
        rule 80 {
            destination {
                group {
                    network-group UtahNetworks
                }
            }
            set {
                table 150
            }
            source {
                address 10.20.2.0/24
            }
        }
        rule 100 {
            set {
                table 100
            }
            source {
                address 10.20.2.0/24
            }
        }
    }
    route MSS {
        description "TCP MSS clamping for PPPoE"
        rule 5 {
            protocol tcp
            set {
                tcp-mss 1452
            }
            tcp {
                flags SYN
            }
        }
    }
}
protocols {
    static {
        route 192.168.1.0/24 {
            next-hop 10.0.210.1 {
            }
        }
        route 192.168.30.0/24 {
            next-hop 10.0.210.1 {
            }
        }
        route 192.168.50.0/24 {
            next-hop 10.0.210.1 {
            }
        }
        table 100 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
        table 150 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun2 {
                }
            }
        }
        table 200 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun1 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name Cameras {
            subnet 10.20.40.0/24 {
                default-router 10.20.40.1
                dns-server 10.20.2.2
                domain-name overseas
                lease 86400
                range 0 {
                    start 10.20.40.100
                    stop 10.20.40.200
                }
                static-mapping DiskStationNVR {
                    ip-address 10.20.40.21
                    mac-address 00:11:32:21:54:00
                }
                static-mapping ElenaRoom {
                    ip-address 10.20.40.30
                    mac-address fc:ec:da:1f:60:af
                }
                static-mapping Entrance {
                    ip-address 10.20.40.32
                    mac-address fc:ec:da:1f:5f:c8
                }
                static-mapping JoshuaRoom {
                    ip-address 10.20.40.31
                    mac-address f0:9f:c2:13:59:4e
                }
                static-mapping NVROverseas {
                    ip-address 10.20.40.20
                    mac-address 00:e0:67:09:9e:64
                }
            }
        }
        shared-network-name KidsNetwork {
            subnet 10.20.20.0/24 {
                default-router 10.20.20.1
                dns-server 10.20.2.2
                domain-name overseas
                lease 86400
                range 0 {
                    start 10.20.20.100
                    stop 10.20.20.200
                }
                static-mapping AmazonTablet1 {
                    ip-address 10.20.20.30
                    mac-address 4c:ef:c0:94:b9:c5
                }
                static-mapping AmazonTablet2 {
                    ip-address 10.20.20.31
                    mac-address fc:a1:83:54:98:b1
                }
                static-mapping BrotherPrinter {
                    ip-address 10.20.20.5
                    mac-address 30:05:5c:5b:41:57
                }
                static-mapping KatieLaptop {
                    ip-address 10.20.20.22
                    mac-address 9c:da:3e:ae:5d:9e
                }
                static-mapping KatiePhone {
                    ip-address 10.20.20.21
                    mac-address 74:f6:1c:08:dd:ed
                }
                static-mapping KatieiPad {
                    ip-address 10.20.20.20
                    mac-address b8:63:4d:9d:54:d7
                }
                static-mapping NexusTablet {
                    ip-address 10.20.20.17
                    mac-address 74:d0:2b:63:43:0f
                }
                static-mapping SamsungTablet {
                    ip-address 10.20.20.18
                    mac-address 68:5a:cf:00:22:4c
                }
                static-mapping TylerLaptop {
                    ip-address 10.20.20.23
                    mac-address 9c:da:3e:ad:e1:84
                }
                static-mapping TylerPhone {
                    ip-address 10.20.20.16
                    mac-address 72:70:ca:ab:a0:29
                }
                static-mapping TyleriPad {
                    ip-address 10.20.20.15
                    mac-address b8:63:4d:b7:fe:0f
                }
            }
        }
        shared-network-name LAN {
            description LAN_DHCP
            subnet 10.20.2.0/24 {
                default-router 10.20.2.1
                dns-server 10.20.2.2
                domain-name overseas
                lease 86400
                range 0 {
                    start 10.20.2.100
                    stop 10.20.2.200
                }
                static-mapping 8PortSwitch60 {
                    ip-address 10.20.2.13
                    mac-address f0:9f:c2:c3:16:de
                }
                static-mapping 8PortSwitch150 {
                    ip-address 10.20.2.12
                    mac-address 80:2a:a8:de:f4:4a
                }
                static-mapping Chromecast {
                    ip-address 10.20.2.4
                    mac-address 44:09:b8:51:f4:e0
                }
                static-mapping CloudKey {
                    ip-address 10.20.2.10
                    mac-address 80:2a:a8:4d:2c:8b
                }
                static-mapping DiskStation {
                    ip-address 10.20.2.5
                    mac-address 00:11:32:21:53:fd
                }
                static-mapping FireTV {
                    ip-address 10.20.2.3
                    mac-address 60:6d:3c:17:00:fd
                }
                static-mapping FrontAP {
                    ip-address 10.20.2.20
                    mac-address 80:2a:a8:53:77:89
                }
                static-mapping MasterAP {
                    ip-address 10.20.2.22
                    mac-address 80:2a:a8:d9:67:7e
                }
                static-mapping MirzaPhone {
                    ip-address 10.20.2.74
                    mac-address 5e:89:64:12:ba:48
                }
                static-mapping NickPhone {
                    ip-address 10.20.2.72
                    mac-address ce:68:33:6a:aa:5f
                }
                static-mapping NickiPad {
                    ip-address 10.20.2.73
                    mac-address 34:42:62:7d:c7:f6
                }
                static-mapping Plex {
                    ip-address 10.20.2.6
                    mac-address 00:e0:67:0b:8a:88
                }
                static-mapping RaspeberryPi {
                    ip-address 10.20.2.2
                    mac-address b8:27:eb:51:b0:6e
                }
                static-mapping RearAP {
                    ip-address 10.20.2.21
                    mac-address 80:2a:a8:96:41:cb
                }
                static-mapping SonosFoyer {
                    ip-address 10.20.2.57
                    mac-address 94:9f:3e:fe:cf:d8
                }
                static-mapping SonosKitchen {
                    ip-address 10.20.2.51
                    mac-address 94:9f:3e:fe:cb:b0
                }
                static-mapping SonosLivingRoom1 {
                    ip-address 10.20.2.50
                    mac-address 94:9f:3e:fe:d1:ec
                }
                static-mapping SonosLivingRoom2 {
                    ip-address 10.20.2.56
                    mac-address 94:9f:3e:fe:d3:b2
                }
                static-mapping SonosMasterBed1 {
                    ip-address 10.20.2.52
                    mac-address 94:9f:3e:fe:c0:b2
                }
                static-mapping SonosMasterBed2 {
                    ip-address 10.20.2.55
                    mac-address 94:9f:3e:fe:bf:a8
                }
                static-mapping SonosPlayBar {
                    ip-address 10.20.2.53
                    mac-address 78:28:ca:53:1d:91
                }
                static-mapping SonosSub {
                    ip-address 10.20.2.54
                    mac-address 94:9f:3e:a0:10:d0
                }
                static-mapping SurfaceLaptop {
                    ip-address 10.20.2.70
                    mac-address b8:31:b5:92:69:d2
                }
                static-mapping SurfaceLaptop2 {
                    ip-address 10.20.2.71
                    mac-address a0:ce:c8:03:63:49
                }
                static-mapping Unifi24Port {
                    ip-address 10.20.2.11
                    mac-address 80:2a:a8:1d:a1:3f
                }
            }
        }
    }
    dns {
        forwarding {
            allow-from 10.0.200.0/24
            allow-from 10.0.210.0/24
            allow-from 10.0.100.0/24
            allow-from 10.20.0.0/16
            cache-size 3000
            listen-address 10.20.20.1
            listen-address 10.20.2.1
            listen-address 10.20.40.1
            listen-address 10.20.2.2
            listen-address 10.0.200.1
            listen-address 10.0.200.2
            listen-address 10.0.100.1
            name-server 10.20.2.2
            system
        }
    }
    ssh {
        port 512
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name overseas
    host-name VyosOverseas
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Asia/Kuwait
}
traffic-policy {
    shaper shape-4_5mbit {
        bandwidth 4.7mbit
        default {
            bandwidth 100%
            burst 15k
            queue-type fq-codel
        }
        description "4.5Mb/s WAN OUT"
    }
    shaper shape-27mbil {
        bandwidth 29mbit
        default {
            bandwidth 100%
            burst 15k
            queue-type fq-codel
        }
        description "27Mb/s with WAN IN"
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack-sync@1:conntrack@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@1:firewall@5:ipsec@5:l2tp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@6:snmp@1:ssh@1:system@9:vrrp@2:wanloadbalance@3:webgui@1:webproxy@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.2.5 */

Appreciate any guidance, suggestions, corrections any might have. Also, would greatly appreciate seeing someone else’s wireguard config. Again, I am only trying to gain remote access to my network. I am not trying to route internet traffic through my router.

Thanks!

So, sorry for the delay. Upgraded my rolling config and it killed my router. Seems some handcrafted changes I made to config.boot were not well-liked.

I have the following setup (the bits you would be interested in).

wg0 - a peer connection to a Mullvad VPN interface

wg1 - this is a listening WireGuard interface that allows connections into my LAN from external networks. It gives me full LAN access. Additionally, using PBR, all WAN-bound traffic is routed via an outbound Mullvad VPN interface.

wg2 - this is a listening WireGuard interface that allows connections into my LAN from external networks. It gives me full LAN access. It uses my native ISP connection for WAN-bound traffic.

I run a VLAN (VLAN ID 64) on my network that allows me to route via the wg0 Mullvad interface for devices that do not support WireGuard.

I also use zone-based firewall policies as they are much more logical to manage for me at least.

Config supporting this is attached.

config.txt (29.6 KB)

@phillipmcmahon absolutely no worries about the delay. Sounds like you had your hands full! Looking at your configuration, it is certainly not like mine, which undoubtedly means I’ve wandered astray. I’ll poke around a bit and try to figure out what I’ve done wrong. You’ve also given me some ideas for ways to clean up my configuration. Thanks! If you see anything in my configuration that immediately screams “wrong!”, please let me know.

Seems a missing config “node” caused my whole user configuration to be dropped, meaning I couldn’t log in via SSH or the serial console.

Fortunately I take a daily backup, so once I tracked down the missing node I was up and running.

Deleting those sections of my config you won’t need (mostly the NAT section, which is the largest part) makes it a little easier.

Ping me directly if needed.

Phill

I also couldn’t work out how to get my whole config to be indented, which is why I went with the attachment.

No sweat. I already started butchering your config to remove the parts that aren’t related to the issue at hand. Once you remove the firewall declarations, zones, destination nat and hairpin source nat, it’s certainly easier on the eyes. :grinning:

Removed all but the important parts. This isn’t a working config, of course.

firewall {
	group {
		network-group mullvad-routed {
			network 192.168.32.0/24
			network 192.168.128.0/24
		}
		network-group private-nets {
			network 192.168.0.0/16
			network 172.16.0.0/12
			network 10.0.0.0/8
		}
	}
}
interfaces {
	ethernet eth0 {
		address 172.31.255.6/30
		description wan
		duplex full
		speed 1000
	}
	ethernet eth2 {
		address 192.168.68.1/24
		description lan
		duplex auto
		policy {
			route vpn-routing
		}
		speed auto
		vif 64 {
			address 192.168.128.1/24
			description "mullvad (lan)"
			policy {
				route vpn-routing
			}
		}
	}
	wireguard wg0 {
		address 10.65.140.116/32
		description mullvad
		mtu 1420
		peer mullvad-us60 {
			address 89.45.90.93
			allowed-ips 0.0.0.0/0
			port 51820
			pubkey ****************
		}
		private-key ****************
	}
	wireguard wg1 {
		address 192.168.32.1/24
		description "vpn +lan +mullvad"
		mtu 1420
		peer inuc {
			allowed-ips 192.168.32.102/32
			pubkey ****************
		}
		peer iphone {
			allowed-ips 192.168.32.103/32
			pubkey ****************
		}
		peer laptop {
			allowed-ips 192.168.32.101/32
			pubkey ****************
		}
		peer pixel3a {
			allowed-ips 192.168.32.100/32
			pubkey ****************
		}
		policy {
			route vpn-routing
		}
		port 51820
		private-key ****************
	}
	wireguard wg2 {
		address 10.0.10.1/24
		description "vpn +lan +swisscom"
		mtu 1420
		peer inuc {
			allowed-ips 10.0.10.102/32
			pubkey ****************
		}
		peer iphone {
			allowed-ips 10.0.10.103/32
			pubkey ****************
		}
		peer laptop {
			allowed-ips 10.0.10.101/32
			pubkey ****************
		}
		peer pixel3a {
			allowed-ips 10.0.10.100/32
			pubkey ****************
		}
		policy {
			route vpn-routing
		}
		port 51822
		private-key ****************
	}
}
nat {
	source {
		rule 5000 {
			outbound-interface eth0
			protocol all
			translation {
				address masquerade
			}
		}
		rule 5100 {
			outbound-interface wg0
			protocol all
			translation {
				address masquerade
			}
		}
	}
}
policy {
	route vpn-routing {
		rule 10 {
			destination {
				group {
					network-group private-nets
				}
			}
			set {
				table main
			}
		}
		rule 100 {
			set {
				table 100
			}
			source {
				group {
					network-group mullvad-routed
				}
			}
		}
	}
}
protocols {
	static {
		route 0.0.0.0/0 {
			next-hop 172.31.255.5 {
			}
		}
		route 10.0.0.0/8 {
			blackhole {
			}
		}
		route 172.16.0.0/12 {
			blackhole {
			}
		}
		route 192.168.0.0/16 {
			blackhole {
			}
		}
		table 100 {
			interface-route 0.0.0.0/0 {
				next-hop-interface wg0 {
				}
			}
			route 0.0.0.0/0 {
				blackhole {
					distance 255
				}
			}
		}
	}
}
service {
	dhcp-server {
		shared-network-name mullvad-lan {
			subnet 192.168.128.0/24 {
				default-router 192.168.128.1
				dns-server 192.168.68.22
				domain-name phillipmcmahon.com
				lease 3600
				range mullvad-lan {
					start 192.168.128.100
					stop 192.168.128.163
				}
			}
		}
	}
}

Got this sorted out. As my default policy route is over an ExpressVPN connection, I had to add a policy route rule to send anything destined for my WireGuard subnet via the main table. Once I added that, the problem was solved. Loving everything I’ve learned so far with VyOS. Thanks to @phillipmcmahon for his time!
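The fix described in the post above, written out as an added example that is not part of any post in this thread. It is the change set in VyOS 1.2 configuration-mode syntax against the first configuration posted earlier, reusing its interface, group, policy and table names. The firewall names WG_IN and WG_LOCAL, the choice of which services remote peers may reach, and the assumption that a wireguard interface accepts the `firewall` node like the other interface types are mine; the blackhole kill-switch in the last step borrows the pattern from table 100 in the second configuration posted above. The reasoning in the comments relies on one fact about VyOS policy routing: a `policy route` attached to an interface is evaluated for packets entering that interface.

```vyos
# Added example, not from any post in this thread. VyOS 1.2 configuration-mode
# commands applied to the first config above. WG_IN, WG_LOCAL and the list of
# permitted services are assumptions for illustration.
configure

# 1. Return path. LAN_policy rule 100 and Isolated_policy rule 100 send every
#    packet sourced from 10.20.2.0/24 and 10.20.20.0/24 to table 100, whose only
#    route is the default via vtun0 (ExpressVPN), so replies to a road-warrior
#    client never come back out wg0. Adding the tunnel subnet to LocalSubnets
#    lets rule 40 of both policies send those replies via the main table first.
#    Cameras_policy rule 100 already uses the main table, so nothing is needed
#    for VLAN 40.
set firewall group network-group LocalSubnets network 10.0.100.0/24

# 2. Policy routes on eth0 / eth0.20 / eth0.40 only see packets entering those
#    interfaces. Packets from VPN clients enter on wg0, so the rules there that
#    match source 10.0.100.0/24 can never fire and are dead weight.
delete policy route LAN_policy rule 20
delete policy route Isolated_policy rule 20
delete policy route Cameras_policy rule 40

# 3. With a working return route, masquerading VPN clients onto each VLAN is
#    unnecessary. Removing it also keeps the real 10.0.100.x source address
#    visible to LAN-side services, firewall rules and logs.
delete nat source rule 25
delete nat source rule 30
delete nat source rule 35

# 4. WireGuard listens on UDP only and SSH on TCP only; tcp_udp on the WAN_local
#    rules for those ports is wider than needed.
set firewall name WAN_local rule 200 protocol udp
set firewall name WAN_local rule 100 protocol tcp

# 5. Road-warrior peers currently reach every VLAN unfiltered, including the
#    Isolated segment. Allow only what remote access needs (assumed here: the
#    NAS, the camera VLAN, and the DNS forwarder the router already exposes on
#    10.0.100.1) and drop and log everything else.
set firewall name WG_IN default-action drop
set firewall name WG_IN enable-default-log
set firewall name WG_IN rule 10 action accept
set firewall name WG_IN rule 10 state established enable
set firewall name WG_IN rule 10 state related enable
set firewall name WG_IN rule 20 action accept
set firewall name WG_IN rule 20 description 'DiskStation NAS'
set firewall name WG_IN rule 20 destination address 10.20.2.5
set firewall name WG_IN rule 30 action accept
set firewall name WG_IN rule 30 description 'camera VLAN'
set firewall name WG_IN rule 30 destination group network-group Cameras

set firewall name WG_LOCAL default-action drop
set firewall name WG_LOCAL enable-default-log
set firewall name WG_LOCAL rule 10 action accept
set firewall name WG_LOCAL rule 10 state established enable
set firewall name WG_LOCAL rule 10 state related enable
set firewall name WG_LOCAL rule 20 action accept
set firewall name WG_LOCAL rule 20 description 'DNS forwarder on 10.0.100.1'
set firewall name WG_LOCAL rule 20 destination port 53
set firewall name WG_LOCAL rule 20 protocol tcp_udp
set firewall name WG_LOCAL rule 30 action accept
set firewall name WG_LOCAL rule 30 protocol icmp

# Assumption: the wireguard interface accepts the firewall node, as openvpn
# and ethernet interfaces do in this config.
set interfaces wireguard wg0 firewall in name WG_IN
set interfaces wireguard wg0 firewall local name WG_LOCAL

# 6. Kill switch, same pattern as table 100 in the second config above. With
#    Linux policy routing, a packet whose table contains no matching route
#    falls through to the next rule and ends up in the main table, i.e. on the
#    ISP link. A blackhole default with a high distance stays in the table as a
#    last resort and drops the traffic instead when the tunnel route is gone.
set protocols static table 100 route 0.0.0.0/0 blackhole distance 255
set protocols static table 150 route 0.0.0.0/0 blackhole distance 255

commit
save
exit
```

On the client side, the matching half of a LAN-only setup is to put only the home prefixes (10.20.2.0/24, 10.20.20.0/24, 10.20.40.0/24) in the peer's AllowedIPs rather than 0.0.0.0/0, and to use 10.0.100.1 as the DNS server for the tunnel. That gives the split tunnel the original poster asked for, and it avoids one likely cause of the lost Internet access noted earlier in the thread: with 0.0.0.0/0 on the client, its Internet traffic arrives at the router from 10.0.100.0/24, a source that NAT rule 5 (which only masquerades 10.20.0.0/16 on pppoe0) does not cover.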

@ngoehring

Great to hear you have all things sorted. Always nice to get to that point.

Did you optimise anything else of your set up?
