Setup Overview:
• VyOS 1.5-Rolling router
• WireGuard interface wg0 connected to a remote WireGuard VPN server
• Tunnel is active, and I can successfully ping the remote endpoint
• Remote LAN: 192.168.2.0/24
• Local LAN: 10.10.1.0/24
• Default route: 0.0.0.0/0 via eth0
Problem:
• Traffic from the local LAN (10.10.1.0/24) to the remote LAN (192.168.2.0/24) is not routing through the WireGuard tunnel.
• When I ping from the VyOS router, traffic goes out the correct interface (wg0), confirmed by ping and tcpdump on wg0.
• However, when I run a traceroute from a laptop on the local subnet, the traffic goes out via the default route (eth0).
Configuration Adjustments Made:
• Set allowed-ips for the WireGuard peer to 192.168.2.0/24 instead of 0.0.0.0/0.
• Added a source NAT rule 200.
Current configuration:
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'Prime WAN'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:12'
set interfaces ethernet eth1 address '192.168.1.1/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:ca'
set interfaces wireguard wg0 address '10.49.0.32/24'
set interfaces wireguard wg0 description 'WG to USEAST1'
set interfaces wireguard wg0 peer useast1-mp address 'xxx.xxx.195.192'
set interfaces wireguard wg0 peer useast1-mp allowed-ips '10.49.0.0/24'
set interfaces wireguard wg0 peer useast1-mp allowed-ips '192.168.2.0/24'
set interfaces wireguard wg0 peer useast1-mp persistent-keepalive '25'
set interfaces wireguard wg0 peer useast1-mp port '51820'
set interfaces wireguard wg0 peer useast1-mp preshared-key '***'
set interfaces wireguard wg0 peer useast1-mp public-key '***'
set interfaces wireguard wg0 private-key xxxxxx
set protocols static route 192.168.2.0/24 interface wg0
set nat source rule 200 description 'NAT for LAN to wg0'
set nat source rule 200 destination address '192.168.2.0/24'
set nat source rule 200 outbound-interface name 'wg0'
set nat source rule 200 source address '10.10.1.0/24'
set nat source rule 200 translation address 'masquerade'
set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx option default-router 'xxx.xxx.1.1'
set service dhcp-server shared-network-name xxxxxx option name-server 'xxx.xxx.1.1'
set service dhcp-server shared-network-name xxxxxx option name-server 'xxx.xxx.2.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 lease '86400'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 range w start 'xxx.xxx.2.10'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 range w stop 'xxx.xxx.2.250'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 subnet-id '2'
Issue Persisting:
• Despite these changes, traffic from the local LAN (when tracerouted from a laptop) still routes out via the default gateway (eth0) instead of the WireGuard tunnel (wg0).
Request for Assistance:
• Has anyone encountered a similar issue and found a solution?
• Any insights or additional configuration steps would be greatly appreciated.
Thank you for your help!
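As an added example, not part of the original post, here is a small Python model of the checks a VyOS/Linux router makes for a LAN packet bound for the remote LAN: the kernel's longest-prefix route lookup picks the egress interface, source NAT rewrites the source on that interface, and WireGuard's cryptokey routing (allowed-ips) then decides whether wg0 will actually send the packet to a peer. The far end applies the same allowed-ips gate to the source address it receives, which is why masquerading to the wg0 address matters when the remote peer does not list the local LAN. The routing, NAT and allowed-ips tables are constructed from the post's configuration using the stated LAN 10.10.1.0/24 and the wg0 address 10.49.0.32 as the masquerade address; the remote peer's allowed-ips, and the function and variable names, are assumptions, since the post does not show the remote side.

```python
"""Model of route lookup + WireGuard cryptokey routing + SNAT on a VyOS router.

Constructed example; the tables below mirror the forum post's configuration
and are not the poster's live router state.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


@dataclass(frozen=True)
class Peer:
    name: str
    allowed_ips: Tuple[ipaddress.IPv4Network, ...]


@dataclass(frozen=True)
class SnatRule:
    out_iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    translate_to: ipaddress.IPv4Address  # 'masquerade' = address of out_iface


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def addr(s: str) -> ipaddress.IPv4Address:
    return ipaddress.ip_address(s)


def route_lookup(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Kernel FIB behaviour: longest prefix match; None means no route at all."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def wg_peer_for(peers: List[Peer], dst: ipaddress.IPv4Address) -> Optional[Peer]:
    """WireGuard cryptokey routing: the peer whose allowed-ips contains dst
    (longest prefix wins). A destination matching no peer is dropped on wg0
    even though the kernel route pointed at wg0."""
    best, best_len = None, -1
    for p in peers:
        for n in p.allowed_ips:
            if dst in n and n.prefixlen > best_len:
                best, best_len = p, n.prefixlen
    return best


def apply_snat(rules: List[SnatRule], iface: str, src, dst) -> ipaddress.IPv4Address:
    """First matching source NAT rule on the egress interface wins."""
    for r in rules:
        if r.out_iface == iface and src in r.src and dst in r.dst:
            return r.translate_to
    return src


def forward(router: Dict, src: str, dst: str) -> Tuple[str, str, str]:
    """Return (egress interface, source after NAT, verdict) for one packet."""
    s, d = addr(src), addr(dst)
    route = route_lookup(router["routes"], d)
    if route is None:
        return ("none", str(s), "no route")
    new_src = apply_snat(router["snat"], route.iface, s, d)
    if route.iface in router["wg"]:
        peer = wg_peer_for(router["wg"][route.iface], d)
        if peer is None:
            return (route.iface, str(new_src), "dropped: dst not in any peer's allowed-ips")
        return (route.iface, str(new_src), f"sent to peer {peer.name}")
    return (route.iface, str(new_src), "sent")


def remote_accepts(remote_allowed_ips: List[ipaddress.IPv4Network], src: str) -> bool:
    """The far end applies the same gate on receive: the (post-NAT) source must
    fall inside its allowed-ips for our peer, or the packet is silently dropped."""
    return any(addr(src) in n for n in remote_allowed_ips)


def build_router(static_route: bool = True, lan_in_allowed_ips: bool = True) -> Dict:
    """Tables modelled on the post; the flags let you remove one piece at a time."""
    routes = [Route(net("0.0.0.0/0"), "eth0"),
              Route(net("10.10.1.0/24"), "eth1"),
              Route(net("10.49.0.0/24"), "wg0")]
    if static_route:
        routes.append(Route(net("192.168.2.0/24"), "wg0"))  # 'protocols static route'
    allowed = (net("10.49.0.0/24"),) + ((net("192.168.2.0/24"),) if lan_in_allowed_ips else ())
    return {
        "routes": routes,
        "wg": {"wg0": [Peer("useast1-mp", allowed)]},
        "snat": [SnatRule("wg0", net("10.10.1.0/24"), net("192.168.2.0/24"), addr("10.49.0.32"))],
    }


if __name__ == "__main__":
    for label, r in [("full config", build_router()),
                     ("no static route", build_router(static_route=False)),
                     ("allowed-ips without remote LAN", build_router(lan_in_allowed_ips=False))]:
        print(label, "->", forward(r, "10.10.1.5", "192.168.2.10"))
    # Assumed remote-side allowed-ips for this peer: only our wg0 address.
    print("remote accepts raw LAN source:", remote_accepts([net("10.49.0.32/32")], "10.10.1.5"))
    print("remote accepts masqueraded source:", remote_accepts([net("10.49.0.32/32")], "10.49.0.32"))
```

The model says nothing about why a particular host's traceroute leaves via eth0; it only makes the three conditions explicit that must all hold for LAN-to-remote-LAN traffic to cross the tunnel: the router's route lookup for the destination must select wg0, the destination must sit inside the peer's allowed-ips, and the source the far end sees (after masquerade, the wg0 address) must sit inside the far end's allowed-ips for this peer. On the VyOS box the first two can be compared against `show ip route 192.168.2.10` and `sudo wg show wg0 allowed-ips`; the third has to be checked on the remote server.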