Running 1.3 on an OVH dedicated server, I have a feeling OVH’s unique WAN IP and gateway handling and the routing config choices to make it work may be the cause of my issue. Basically the gateway of the host is on a different subnet than the failover IPs you can purchase. Have to force the interface to accept sending internet traffic through a different subnet than the public ip.
Within vyos, dns and routing works to the web. Wireguard peers find the host just fine.
All Wireguard peers are connected and able to communicate across their allowed subnets.
I can connect “phone” (10.32.99.5) and talk to anything on the local subnet of “home” (10.32.99.2 > 10.32.14.0/24).
However, when 0.0.0.0/0 is added to phone’s profile, requests are sent over the tunnel but go nowhere.
tcpdump shows dns and other requests from 10.32.99.5 to the remote IP, but no reply.
Packets show up on wg0 as coming from 10.32.99.5 and destination is the public IP (such as 8.8.8.8). Checked packets leaving eth0, nothing coming through with 10.32.99.5 as the source as I would expect if it was a NAT issue.
Why isn't the default route picking these up?
I have tried various policy based routing changes, NAT masquerades, etc. I’m obviously missing something but have spent an entire day browsing the web and this forum trying various recommendations and haven’t seen anyone in a position quite like this.
Routes:
S> 0.0.0.0/0 [1/0] via <ovh gw> (recursive), 02:50:04
* via <ovh gw>, eth0 onlink, 02:50:04
S>* 10.30.1.0/24 [1/0] is directly connected, wg0, 00:00:37
S>* 10.32.14.0/24 [1/0] is directly connected, wg0, 00:00:37
S 10.32.99.0/24 [1/0] is directly connected, wg0, 00:00:37
C>* 10.32.99.0/24 is directly connected, wg0, 4d10h42m
S>* 10.167.1.0/24 [1/0] is directly connected, wg0, 00:00:37
S>* 10.167.2.0/24 [1/0] is directly connected, wg0, 00:00:37
S>* 10.215.1.0/24 [1/0] is directly connected, wg0, 00:00:37
S>* 10.215.2.0/24 [1/0] is directly connected, wg0, 00:00:37
S>* 30.1.1.0/24 [1/0] is directly connected, wg0, 00:00:37
C>* <ovh ip>/32 is directly connected, eth0, 4d12h43m
S>* <ovh gw>/32 [1/0] is directly connected, eth0, 02:54:56
Config:
firewall {
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            description "Allow existing"
            state {
                established enable
                related enable
            }
        }
        rule 11 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        rule 10 {
            action accept
            description "Allow existing"
            state {
                established enable
                related enable
            }
        }
        rule 11 {
            action drop
            description "Drop invalid"
            state {
                invalid enable
            }
        }
        rule 20 {
            action accept
            description "Allow SSH"
            destination {
                port 22
            }
            protocol tcp
        }
        rule 30 {
            action accept
            destination {
                port 51820
            }
            protocol tcp_udp
        }
    }
    name WAN_OUT {
    }
}
interfaces {
    ethernet eth0 {
        address <ovh ip>/32
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                name WAN_OUT
            }
        }
    }
    loopback lo {
    }
    wireguard wg0 {
        address 10.32.99.1/24
        peer home {
            allowed-ips 10.32.14.0/24
            allowed-ips 10.32.99.2/32
            persistent-keepalive 25
            pubkey <redacted>
        }
        peer site3 {
            address <redacted>
            allowed-ips 10.32.99.13/32
            allowed-ips 10.167.1.0/24
            allowed-ips 10.167.2.0/24
            persistent-keepalive 25
            port 51820
            pubkey <redacted>
        }
        peer site2 {
            allowed-ips 10.32.99.14/32
            allowed-ips 30.1.1.0/24
            allowed-ips 10.30.1.0/24
            persistent-keepalive 25
            pubkey <redacted>
        }
        peer site1 {
            allowed-ips 10.32.99.12/32
            allowed-ips 10.215.1.0/24
            allowed-ips 10.215.2.0/24
            persistent-keepalive 25
            pubkey <redacted>
        }
        peer phone {
            allowed-ips 10.32.99.5/32
            pubkey <redacted>
        }
        peer server1 {
            address <redacted>
            allowed-ips 10.32.99.3/32
            persistent-keepalive 25
            port 51820
            pubkey <redacted>
        }
        port 51820
        private-key wg0
    }
}
nat {
    source {
        rule 10 {
            outbound-interface eth0
            source {
                address 10.32.99.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        interface-route 10.30.1.0/24 {
            next-hop-interface wg0 {
            }
        }
        interface-route 10.32.14.0/24 {
            next-hop-interface wg0 {
            }
        }
        interface-route 10.32.99.0/24 {
            next-hop-interface wg0 {
            }
        }
        interface-route 10.167.1.0/24 {
            next-hop-interface wg0 {
            }
        }
        interface-route 10.167.2.0/24 {
            next-hop-interface wg0 {
            }
        }
        interface-route 10.215.1.0/24 {
            next-hop-interface wg0 {
            }
        }
        interface-route 10.215.2.0/24 {
            next-hop-interface wg0 {
            }
        }
        interface-route 30.1.1.0/24 {
            next-hop-interface wg0 {
            }
        }
        interface-route <ovh gateway>/32 {
            next-hop-interface eth0 {
            }
        }
        route 0.0.0.0/0 {
            next-hop <ovh gateway> {
            }
        }
    }
}
service {
    ssh {
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
    }
    domain-name <redacted>
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password <redacted>
                plaintext-password ""
            }
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
}
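As an added illustration (not part of the post), the script below models only the forwarding path for the routes and firewall bindings shown above: longest-prefix route lookup, then the in-ruleset of the ingress interface and the out-ruleset of the egress interface. It assumes that a named ruleset with no configured default-action drops by default, as VyOS 1.3 documents; under that assumption a forwarded packet from 10.32.99.5 to 8.8.8.8 would reach eth0 and be discarded by the empty WAN_OUT, which is consistent with tcpdump seeing it on wg0 but not on eth0.

```python
import ipaddress

# Constructed from the post: routing table entries and the firewall bindings of eth0/wg0.
ROUTES = [("0.0.0.0/0", "eth0"), ("10.30.1.0/24", "wg0"), ("10.32.14.0/24", "wg0"),
          ("10.32.99.0/24", "wg0"), ("10.167.1.0/24", "wg0"), ("10.167.2.0/24", "wg0"),
          ("10.215.1.0/24", "wg0"), ("10.215.2.0/24", "wg0"), ("30.1.1.0/24", "wg0")]

# Named rulesets: ordered (action, match) rules plus the configured default-action (None = unset).
RULESETS = {
    "WAN_IN": {"default": "drop",
               "rules": [("accept", {"state": {"established", "related"}}),
                         ("drop", {"state": {"invalid"}})]},
    "WAN_OUT": {"default": None, "rules": []},
}
BINDINGS = {"eth0": {"in": "WAN_IN", "out": "WAN_OUT"}, "wg0": {}}
IMPLICIT_DEFAULT = "drop"  # assumption: action VyOS 1.3 applies when default-action is unset

def egress_interface(dst):
    """Longest-prefix match over ROUTES; returns the outgoing interface."""
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]

def evaluate(name, pkt):
    """Walk a ruleset in order; fall through to its explicit or implicit default-action."""
    rs = RULESETS[name]
    for action, match in rs["rules"]:
        if all(pkt.get(key) in allowed for key, allowed in match.items()):
            return action, f"{name} rule"
    if rs["default"] is None:
        return IMPLICIT_DEFAULT, f"{name} default-action (implicit, none configured)"
    return rs["default"], f"{name} default-action"

def forward(src, dst, in_iface, state="new"):
    """Trace a forwarded packet (after any de-NAT): route lookup, then the in-ruleset of the
    ingress interface, then the out-ruleset of the egress interface. Returns (egress, verdict, why)."""
    pkt = {"src": src, "dst": dst, "state": state}
    out_iface = egress_interface(dst)
    for iface, direction in ((in_iface, "in"), (out_iface, "out")):
        name = BINDINGS.get(iface, {}).get(direction)
        if name:
            verdict, why = evaluate(name, pkt)
            if verdict != "accept":
                return out_iface, verdict, why
    return out_iface, "accept", "no ruleset dropped it"

if __name__ == "__main__":
    print(forward("10.32.99.5", "8.8.8.8", "wg0"))        # phone -> Internet, arriving on wg0
    print(forward("10.32.99.5", "10.32.14.20", "wg0"))    # phone -> home LAN, stays on wg0
```

On the router itself, `show firewall name WAN_OUT` reports the ruleset's default action and counters, which is the quickest way to confirm or rule this out.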