WireGuard Site-to-Site VyOS 1.4

Hi all… I’m trying to get WireGuard working on VyOS 1.4, but I’m new to VyOS… and routing… and WireGuard… so I'm probably just over my head.

What I’m trying to do is as follows:

My configs are below. At the moment, I can’t even ping either end of the tunnel from the respective routers, let alone route traffic over it… I’m guessing it might have something to do with firewall rules, but I can’t figure out what else is needed.

What are the tools/commands that I can use to debug a WireGuard connection?

Thanks!

Local

local@vyos# run show wireguard keypairs pubkey default
***gnTo=
local@vyos# show interfaces wireguard
 wireguard wg50 {
     address 1.2.50.1/28
     description MEDIA
     peer Remote {
         address {ISP2 WAN IP}
         allowed-ips 10.31.50.0/24
         allowed-ips 10.70.50.0/24
         port 51820
         pubkey ***aeTE=
     }
     port 51820
 }
local@vyos# show firewall name WAN-LOCAL
 default-action reject
 rule 200 {
     action accept
     description "Wireguard 50 In"
     destination {
         port 51820
     }
     protocol udp
     source {
         address {ISP2 WAN IP}
     }
 }
local@vyos# show protocols static route
 route 10.31.50.0/24 {
     interface wg50 {
     }
 }

And on the Remote side

remote@vyos# run show wireguard keypairs pubkey default
***aeTE=
remote@vyos# show interfaces wireguard
 wireguard wg50 {
     address 1.2.50.2/28
     description MEDIA
     peer Local {
         address {ISP1 WAN IP}
         allowed-ips 10.70.50.0/24
         allowed-ips 10.31.50.0/24
         port 51820
         pubkey ***gnTo=
     }
     port 51820
 }
remote@vyos# show firewall name WAN-LOCAL
 default-action drop
 rule 200 {
     action accept
     description "Wireguard 50 In"
     destination {
         port 51820
     }
     protocol udp
     source {
         address {ISP1 WAN IP}
     }
 }
remote@vyos# show protocols static route
 route 10.70.50.0/24 {
     interface wg50 {
     }
 }

On the local site, add allowed-ips 1.2.50.0/28 or 1.2.50.2/32:

allowed-ips 1.2.50.0/28

On the remote site, add allowed-ips 1.2.5.0/28 or 1.2.50.1/32.

In allowed-ips, only specify remote networks, not local ones.
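The two replies above amount to three rules for a site-to-site peer: the other end's tunnel address must be covered by allowed-ips, your own LAN must not be, and every remote subnet in allowed-ips needs a static route over the wg interface. The following is an added example (not part of this thread and not VyOS code) that parses the brace-style `show` output posted above and checks both ends of the tunnel against those rules. It assumes the simple brace format shown here (one `key value` per line, nested `name {` blocks) and that each side's own LAN is known; the configs and addresses are the ones from the thread, with the `{ISP WAN IP}` placeholders kept.

```python
import ipaddress


def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def parse_vyos_block(text):
    """Parse brace-style VyOS 'show' output into nested dicts; repeated
    leaves such as several allowed-ips lines become lists."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):                 # open a nested node
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        elif line == "}":                      # close the current node
            node = stack.pop()
        else:                                  # leaf: "key value"
            key, _, val = line.partition(" ")
            val = val.strip().strip('"')
            node[key] = (_as_list(node.get(key)) + [val]) if key in node else val
    return root


def wg_interfaces(cfg):
    """Yield (ifname, own tunnel address, [(peer, [allowed networks])])."""
    for key, body in cfg.items():
        if key.startswith("wireguard "):
            peers = [(pk.split()[1], [ipaddress.ip_network(a) for a in _as_list(pb.get("allowed-ips"))])
                     for pk, pb in body.items() if pk.startswith("peer ")]
            yield key.split()[1], ipaddress.ip_interface(body["address"]), peers


def wg_routes(cfg):
    """Map each static 'route X { interface Y }' to its interface name."""
    return {ipaddress.ip_network(k.split()[1]): sub.split()[1]
            for k, body in cfg.items() if k.startswith("route ")
            for sub in body if sub.startswith("interface ")}


def lint_pair(a, b):
    """Check both ends of a site-to-site tunnel. Each side is a dict with
    name, wg (show interfaces wireguard), routes (show protocols static
    route) and lans (the subnets behind that router)."""
    findings = []
    for me, other in ((a, b), (b, a)):
        their_addrs = [own.ip for _, own, _ in wg_interfaces(parse_vyos_block(other["wg"]))]
        routes = wg_routes(parse_vyos_block(me["routes"]))
        lans = [ipaddress.ip_network(n) for n in me["lans"]]
        for ifname, own, peers in wg_interfaces(parse_vyos_block(me["wg"])):
            for peer, nets in peers:
                tag = f"{me['name']}/{ifname} peer {peer}"
                for ad in their_addrs:          # rule 1: peer's tunnel address must be routable
                    if not any(ad in n for n in nets):
                        findings.append(f"{tag}: peer tunnel address {ad} is not in allowed-ips; "
                                        f"add {ad}/32 or {own.network}")
                for n in nets:
                    if n.overlaps(own.network):
                        continue                # the tunnel prefix itself is a connected route
                    if any(n.overlaps(lan) for lan in lans):   # rule 2: no local networks
                        findings.append(f"{tag}: allowed-ips {n} covers this router's own LAN; "
                                        "list only remote networks")
                    elif routes.get(n) != ifname:              # rule 3: route remote subnet via wg
                        findings.append(f"{tag}: no static route for {n} via {ifname}")
    return findings


def with_allowed_ips(wg_text, allowed):
    """Copy of a wireguard block with the peer's allowed-ips lines replaced."""
    out = []
    for line in wg_text.splitlines():
        if "allowed-ips" in line:
            continue
        out.append(line)
        if line.strip().startswith("peer "):
            out += [f"        allowed-ips {a}" for a in allowed]
    return "\n".join(out)


# The thread's configs as posted: tunnel 1.2.50.0/28, LAN 10.70.50.0/24
# behind local, LAN 10.31.50.0/24 behind remote (taken from the static routes).
LOCAL = {"name": "local", "lans": ["10.70.50.0/24"],
         "wg": "wireguard wg50 {\n address 1.2.50.1/28\n peer Remote {\n  address {ISP2 WAN IP}\n"
               "  allowed-ips 10.31.50.0/24\n  allowed-ips 10.70.50.0/24\n  port 51820\n }\n port 51820\n}",
         "routes": "route 10.31.50.0/24 {\n interface wg50 {\n }\n}"}
REMOTE = {"name": "remote", "lans": ["10.31.50.0/24"],
          "wg": "wireguard wg50 {\n address 1.2.50.2/28\n peer Local {\n  address {ISP1 WAN IP}\n"
                "  allowed-ips 10.70.50.0/24\n  allowed-ips 10.31.50.0/24\n  port 51820\n }\n port 51820\n}",
          "routes": "route 10.70.50.0/24 {\n interface wg50 {\n }\n}"}
# After the fix suggested in the replies: the remote LAN plus the peer's /32 only.
LOCAL_FIXED = dict(LOCAL, wg=with_allowed_ips(LOCAL["wg"], ["10.31.50.0/24", "1.2.50.2/32"]))
REMOTE_FIXED = dict(REMOTE, wg=with_allowed_ips(REMOTE["wg"], ["10.70.50.0/24", "1.2.50.1/32"]))

if __name__ == "__main__":
    for label, pair in (("as posted", (LOCAL, REMOTE)), ("fixed", (LOCAL_FIXED, REMOTE_FIXED))):
        print(label, lint_pair(*pair) or "OK")
```

Run against the configs as posted it reports four findings (each side is missing the peer's tunnel address and lists its own LAN); against the corrected allowed-ips it reports none. The route check deliberately skips anything inside the tunnel prefix, since that is a connected route on the wg interface and needs no static entry.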

Thank you for your tips; I’ve added the /32 addresses for the interface on the appropriate sides and removed the local addresses. Makes sense now that I’ve had it pointed out.

It’s trying to work now… running

$ show interfaces wireguard detail

shows that packets are being exchanged, the packet count matches on both the local and remote side, but the pings aren’t getting a reply. That has to be a firewall issue, yes?

I’ve created firewalls on both sides with default-action accept from interface wg50 to interface vlan50 and vice-versa on both sides… is there anything else needed?

OK, calling this one solved, thanks… I’ve got full communication between the 2 remote subnets now. I can’t ping the remote wg interface address from either side, but I'm not too concerned about that.

AFAIK: if you’re using a zone-based firewall, the wg0 interface needs to be a member of a zone to make it pingable.