Wireguard tunnel only passing traffic one way

Hey guys,

I’ve been building a site-to-site vpn topology using wireguard and ospf on vyos over the last days, and everything is working splendid, except two tunnels which originate from a DSL connection.
The tunnels are configured with persistent keepalive, and handshakes are successful. However, that’s where things are getting weird:

The box sitting on the DSL end (which is performing source nat if that matters?) receives the udp traffic from the wg tunnel remote end (it’s visible in a packetcapture on the WAN interface) but it just doesn’t seem to recognize it as wireguard tunnel traffic. My best guess is that it has something to do with connection tracking, but I don’t know how to debug this any further… Maybe one of you has an idea? It’d be much appreciated :slight_smile:

Here are the relevant config parts:

r1 (dsl, dynamic wan w/ source nat):
VyOS 1.3-rolling-202001120217 (same result with 1.3-rolling-202006141853)

set interfaces wireguard wg1 address '10.1.0.3/31'
set interfaces wireguard wg1 address 'fe80::10/64'
set interfaces wireguard wg1 description 'r2'
set interfaces wireguard wg1 mtu '1400'
set interfaces wireguard wg1 peer r2 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg1 peer r2 allowed-ips '::/0'
set interfaces wireguard wg1 peer r2 endpoint 'remote-wan-ip:12006'
set interfaces wireguard wg1 peer r2 persistent-keepalive '10'
set interfaces wireguard wg1 peer r2 pubkey 'pubkey'
set interfaces wireguard wg1 port '12006'
set interfaces wireguard wg1 private-key 'r2'
set protocols static interface-route 10.1.0.2/31 next-hop-interface wg1

set firewall name wan-local default-action 'drop'
set firewall name wan-local enable-default-log
set firewall name wan-local rule 10 action 'accept'
set firewall name wan-local rule 10 protocol 'icmp'
set firewall name wan-local rule 20 action 'accept'
set firewall name wan-local rule 20 destination port '12006-12007'
set firewall name wan-local rule 20 log 'enable'
set firewall name wan-local rule 20 protocol 'udp'
set firewall name wan-local rule 20 source port '12006-12007'

Lots of dropped rx packets here

vyos@r1# run sh int wireguard wg1
interface: wg1
  description: r2
  address: 10.1.0.3/31, fe80::10/64
  public key: pubkey
  private key: (hidden)
  listening port: 12006

  peer: r2
    public key: pubkey
    latest handshake: 0:01:15
    status: active
    endpoint: remote-wan-ip:12006
    allowed ips: 0.0.0.0/0, ::/0
    transfer: 431 KB received, 99 KB sent
    persistent keepalive: every 10 seconds

  RX:
    bytes    packets    errors    dropped    overrun    mcast
   442280       4052         0       3556          0        0

  TX:
    bytes    packets    errors    dropped    carrier    collisions
   101624       2568         0          0          0             0

r2 (static ip, no nat)
VyOS 1.3-rolling-202006111456

set interfaces wireguard wg0 address '10.1.0.2/31'
set interfaces wireguard wg0 address 'fe80::1/64'
set interfaces wireguard wg0 description 'r1'
set interfaces wireguard wg0 mtu '1400'
set interfaces wireguard wg0 peer r1 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer r1 allowed-ips '::/0'
set interfaces wireguard wg0 peer r1 pubkey 'pubkey'
set interfaces wireguard wg0 port '12006'
set interfaces wireguard wg0 private-key 'r1'
set protocols static interface-route 10.1.0.2/31 next-hop-interface wg0 distance '1'


vyos@r2:~$ sh inter wireg wg0
interface: wg0
  description: r1
  address: 10.1.0.2/31, fe80::1/64
  public key: pubkey
  private key: (hidden)
  listening port: 12006

  peer: r1
    public key: pubkey
    latest handshake: 0:01:54
    status: active
    endpoint: dynamic-remote-ip:12006
    allowed ips: 0.0.0.0/0, ::/0
    transfer: 3 MB received, 3 MB sent

    RX:    bytes  packets  errors  dropped  overrun       mcast
         3208152    38164       0        0        0           0
    TX:    bytes  packets  errors  dropped  carrier  collisions
         3777236    36056      68     1620        0           0

I did some more testing:
When I ping from r2 to the r1 wg1 address (10.1.0.3), a packet capture on r1 wg1 shows the ICMP echo requests. But no replies are sent.
When I try pinging from r1 to r2 wg0 (10.1.0.2) I get /bin/ping: sending packet: Operation not permitted. But when I ping 10.1.0.2 from a client behind r1 the ping goes trough tunnel without issue and reaches r2.

These message generate firewall.

Well that brought me onto the right track. I’ve got a zone based firewall implemented and did not realize that the default-action drop on the local zone applies to all incoming traffic, even if it’s not coming from a configured from-zone. In hindsight it’s pretty obvious, but I totally forgot to check that.
After adding the wg interfaces to the appropriate zone everything is working great. Thank you!

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.