Hey guys,
I’ve been building a site-to-site VPN topology using WireGuard and OSPF on VyOS over the last few days, and everything is working splendidly, except for two tunnels which originate from a DSL connection.
The tunnels are configured with persistent keepalive, and handshakes are successful. However, that’s where things are getting weird:
The box sitting on the DSL end (which is performing source NAT, if that matters) receives the UDP traffic from the WireGuard tunnel’s remote end (it’s visible in a packet capture on the WAN interface), but it just doesn’t seem to recognize it as WireGuard tunnel traffic. My best guess is that it has something to do with connection tracking, but I don’t know how to debug this any further… Maybe one of you has an idea? It’d be much appreciated.
Here are the relevant config parts:
r1 (dsl, dynamic wan w/ source nat):
VyOS 1.3-rolling-202001120217 (same result with 1.3-rolling-202006141853)
set interfaces wireguard wg1 address '10.1.0.3/31'
set interfaces wireguard wg1 address 'fe80::10/64'
set interfaces wireguard wg1 description 'r2'
set interfaces wireguard wg1 mtu '1400'
set interfaces wireguard wg1 peer r2 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg1 peer r2 allowed-ips '::/0'
set interfaces wireguard wg1 peer r2 endpoint 'remote-wan-ip:12006'
set interfaces wireguard wg1 peer r2 persistent-keepalive '10'
set interfaces wireguard wg1 peer r2 pubkey 'pubkey'
set interfaces wireguard wg1 port '12006'
set interfaces wireguard wg1 private-key 'r2'
set protocols static interface-route 10.1.0.2/31 next-hop-interface wg1
set firewall name wan-local default-action 'drop'
set firewall name wan-local enable-default-log
set firewall name wan-local rule 10 action 'accept'
set firewall name wan-local rule 10 protocol 'icmp'
set firewall name wan-local rule 20 action 'accept'
set firewall name wan-local rule 20 destination port '12006-12007'
set firewall name wan-local rule 20 log 'enable'
set firewall name wan-local rule 20 protocol 'udp'
set firewall name wan-local rule 20 source port '12006-12007'
Lots of dropped RX packets here:
vyos@r1# run sh int wireguard wg1
interface: wg1
description: r2
address: 10.1.0.3/31, fe80::10/64
public key: pubkey
private key: (hidden)
listening port: 12006
peer: r2
public key: pubkey
latest handshake: 0:01:15
status: active
endpoint: remote-wan-ip:12006
allowed ips: 0.0.0.0/0, ::/0
transfer: 431 KB received, 99 KB sent
persistent keepalive: every 10 seconds
RX:
  bytes    packets  errors  dropped  overrun  mcast
  442280   4052     0       3556     0        0
TX:
  bytes    packets  errors  dropped  carrier  collisions
  101624   2568     0       0        0        0
r2 (static IP, no NAT):
VyOS 1.3-rolling-202006111456
set interfaces wireguard wg0 address '10.1.0.2/31'
set interfaces wireguard wg0 address 'fe80::1/64'
set interfaces wireguard wg0 description 'r1'
set interfaces wireguard wg0 mtu '1400'
set interfaces wireguard wg0 peer r1 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer r1 allowed-ips '::/0'
set interfaces wireguard wg0 peer r1 pubkey 'pubkey'
set interfaces wireguard wg0 port '12006'
set interfaces wireguard wg0 private-key 'r1'
set protocols static interface-route 10.1.0.2/31 next-hop-interface wg0 distance '1'
vyos@r2:~$ sh inter wireg wg0
interface: wg0
description: r1
address: 10.1.0.2/31, fe80::1/64
public key: pubkey
private key: (hidden)
listening port: 12006
peer: r1
public key: pubkey
latest handshake: 0:01:54
status: active
endpoint: dynamic-remote-ip:12006
allowed ips: 0.0.0.0/0, ::/0
transfer: 3 MB received, 3 MB sent
RX:
  bytes    packets  errors  dropped  overrun  mcast
  3208152  38164    0       0        0        0
TX:
  bytes    packets  errors  dropped  carrier  collisions
  3777236  36056    68      1620     0        0
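Added example, not code from the post or from VyOS/WireGuard: a small Python triage script that parses the `show interfaces wireguard` text quoted above, computes the RX drop ratio and the handshake age, and flags the pattern seen on r1. The sample text is the r1 output re-indented, and the drop-ratio threshold is an assumption.

```python
import re

# Constructed sample: the r1 output from the post, trimmed to the lines
# this parser reads and re-indented the way VyOS prints them.
R1_OUTPUT = """\
interface: wg1
  peer: r2
    latest handshake: 0:01:15
RX:
  bytes packets errors dropped overrun mcast
  442280 4052 0 3556 0 0
TX:
  bytes packets errors dropped carrier collisions
  101624 2568 0 0 0 0
"""


def parse_wg_status(text):
    """Parse `show interfaces wireguard` text into counter dicts and handshake age."""
    lines = [ln.strip() for ln in text.splitlines()]
    info = {}
    for i, line in enumerate(lines):
        if line in ("RX:", "TX:"):
            names = lines[i + 1].split()
            values = [int(v) for v in lines[i + 2].split()]
            info[line[:-1].lower()] = dict(zip(names, values))
        m = re.match(r"latest handshake: (\d+):(\d+):(\d+)$", line)
        if m:
            h, mi, s = (int(x) for x in m.groups())
            info["handshake_age_s"] = h * 3600 + mi * 60 + s
    return info


def triage(info, max_drop_ratio=0.05):
    """Return a list of findings; the ratio threshold is an assumed value."""
    findings = []
    rx = info["rx"]
    if rx["packets"] and rx["dropped"] / rx["packets"] > max_drop_ratio:
        # In the Linux WireGuard driver "dropped" on the wg interface counts
        # packets that decrypted fine but were then refused by the IP stack
        # (firewall or route lookup on the inner packet), so the UDP/crypto
        # path works and the inner packets are what is being discarded.
        findings.append("rx_drop_ratio")
    # WireGuard rekeys after 120 s and rejects a session at 180 s, so a
    # handshake age below 180 s is healthy even with a 10 s keepalive.
    if info.get("handshake_age_s", 0) >= 180:
        findings.append("handshake_stale")
    return findings


if __name__ == "__main__":
    print(triage(parse_wg_status(R1_OUTPUT)))  # ['rx_drop_ratio']
```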