WireGuard: unable to route LAN traffic through

Setup Overview:

• VyOS 1.5-Rolling router

• WireGuard interface wg0 connected to a remote WireGuard VPN server

• Tunnel is active, and I can successfully ping the remote endpoint

• Remote LAN: 192.168.2.0/24

• Local LAN: 10.10.1.0/24

• Default route: 0.0.0.0/0 via eth0

Problem:

• Traffic from the local LAN (10.10.1.0/24) to the remote LAN (192.168.2.0/24) is not routing through the WireGuard tunnel.

• When I ping from the VyOS router, traffic goes out the correct interface (wg0), confirmed by ping and tcpdump on wg0.

• However, when I run a traceroute from a laptop on the local subnet, the traffic goes out via the default route (eth0).

Configuration Adjustments Made:

  1. Set allowed-ips for the WireGuard peer to 192.168.2.0/24 instead of 0.0.0.0/0.

  2. Added a source NAT rule 200

set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'Prime WAN'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:12'
set interfaces ethernet eth1 address '192.168.1.1/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:ca'

set interfaces wireguard wg0 address '10.49.0.32/24'
set interfaces wireguard wg0 description 'WG to USEAST1'
set interfaces wireguard wg0 peer useast1-mp address 'xxx.xxx.195.192'
set interfaces wireguard wg0 peer useast1-mp allowed-ips '10.49.0.0/24'
set interfaces wireguard wg0 peer useast1-mp allowed-ips '192.168.2.0/24'
set interfaces wireguard wg0 peer useast1-mp persistent-keepalive '25'
set interfaces wireguard wg0 peer useast1-mp port '51820'
set interfaces wireguard wg0 peer useast1-mp preshared-key '***'
set interfaces wireguard wg0 peer useast1-mp public-key '***'
set interfaces wireguard wg0 private-key xxxxxx

set protocols static route 192.168.2.0/24 interface wg0

set nat source rule 200 description 'NAT for LAN to wg0'
set nat source rule 200 destination address '192.168.2.0/24'
set nat source rule 200 outbound-interface name 'wg0'
set nat source rule 200 source address '10.10.1.0/24'
set nat source rule 200 translation address 'masquerade'

set service dhcp-server shared-network-name xxxxxx authoritative
set service dhcp-server shared-network-name xxxxxx option default-router 'xxx.xxx.1.1'
set service dhcp-server shared-network-name xxxxxx option name-server 'xxx.xxx.1.1'
set service dhcp-server shared-network-name xxxxxx option name-server 'xxx.xxx.2.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 lease '86400'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 range w start 'xxx.xxx.2.10'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 range w stop 'xxx.xxx.2.250'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.3.0/24 subnet-id '2'

Issue Persisting:

• Despite these changes, traffic from the local LAN (when tracerouted from a laptop) still routes out via the default gateway (eth0) instead of the WireGuard tunnel (wg0).

Request for Assistance:

• Has anyone encountered a similar issue and found a solution?

• Any insights or additional configuration steps would be greatly appreciated.

Thank you for your help!

Edit: The below is incorrect, please ignore.

Try removing the static route - I’m pretty sure WG installs routes based on the “allowed-ips”, so you don’t need a static.
If that doesn’t work, remove the “interface wg0” and put a static route towards the actual IP.

This is false. VyOS does not install routes based on allowed-ips; that is handled by wg-quick on a Linux end system, but it is not used in VyOS as this does not work with e.g. dynamic routing protocols that often use allowed-ips 0.0.0.0/0. On VyOS you need to install your static routes in parallel with setting the allowed-ips statement.

Also, using interface-based routes should work in this configuration.
@alewhit, do you have WAN load-balancing activated on this system? If that is the case it will take precedence over normal routing statements as long as you don't exclude any traffic from it.

Apologies for the incorrect information @runar and thank you for correcting it.

Yes @runar, that was it. My wan load-balancing was taking precedence. Thank you!

For others, here is a config. Note that the exclude rule should come before the WAN load-balancing rules.

set load-balancing wan rule 100 description 'Route traffic destined to remote LAN from the WAN load balancing'
set load-balancing wan rule 100 destination address '192.168.2.0/24'
set load-balancing wan rule 100 exclude
set load-balancing wan rule 100 inbound-interface 'eth1'

set load-balancing wan rule 200 description 'LAN traffic priority to the wired WAN connection'
set load-balancing wan rule 200 failover
set load-balancing wan rule 200 inbound-interface 'eth1'
set load-balancing wan rule 200 interface eth0 weight '100'
set load-balancing wan rule 200 interface eth2 weight '1'

set load-balancing wan rule 300 description 'WLAN traffic priority to the wired WAN connection'
set load-balancing wan rule 300 failover
set load-balancing wan rule 300 inbound-interface 'wlan0'
set load-balancing wan rule 300 interface eth0 weight '100'
set load-balancing wan rule 300 interface eth2 weight '1'

set interfaces wireguard wg0 address '10.49.0.32/24'
set interfaces wireguard wg0 description 'WG to USEAST1'
set interfaces wireguard wg0 peer useast1-mp address ''
set interfaces wireguard wg0 peer useast1-mp allowed-ips '10.49.0.0/24'
set interfaces wireguard wg0 peer useast1-mp allowed-ips '10.10.1.0/24'
set interfaces wireguard wg0 peer useast1-mp persistent-keepalive '25'
set interfaces wireguard wg0 peer useast1-mp port '51820'
set interfaces wireguard wg0 peer useast1-mp preshared-key ''
set interfaces wireguard wg0 peer useast1-mp public-key ''
set interfaces wireguard wg0 private-key ''
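As an added example (not from this thread or from VyOS itself), the following Python check encodes the two points made above: on VyOS the peer's allowed-ips and a static route must both be present, and a WAN load-balancing rule that matches LAN traffic takes precedence over the routing table unless an earlier exclude rule catches it first. It parses `set` lines like the ones posted; the sample config is constructed from the thread, and the check assumes VyOS evaluates load-balancing rules in numeric order with first match winning.

```python
import ipaddress

def parse_set_lines(config_text):
    """Turn VyOS 'set ...' lines into token lists, quotes stripped."""
    return [[t.strip("'\"") for t in ln.split()[1:]]
            for ln in config_text.splitlines() if ln.strip().startswith("set ")]

def covers(net, sub):
    return net.version == sub.version and sub.subnet_of(net)
def check_wg_lan_routing(config_text, remote_lan, lan_if, wg_if="wg0"):
    """Findings for LAN (lan_if) -> remote_lan over the tunnel; empty means consistent."""
    cmds = parse_set_lines(config_text)
    remote = ipaddress.ip_network(remote_lan)
    findings = []
    # VyOS does not turn allowed-ips into kernel routes; both must be present.
    allowed = [ipaddress.ip_network(c[6]) for c in cmds
               if c[:3] == ["interfaces", "wireguard", wg_if] and c[5:6] == ["allowed-ips"]]
    if not any(covers(a, remote) for a in allowed):
        findings.append(f"{remote} is not covered by allowed-ips on {wg_if}")
    if not any(c[:3] == ["protocols", "static", "route"] and c[4:6] == ["interface", wg_if]
               and ipaddress.ip_network(c[3]) == remote for c in cmds):
        findings.append(f"no static route for {remote} via {wg_if}")
    # Assumed behaviour: WAN load-balancing rules run in numeric order, first match
    # wins, and a matching non-exclude rule takes precedence over the routing table.
    rules = {}
    for c in cmds:
        if c[:3] != ["load-balancing", "wan", "rule"]:
            continue
        r = rules.setdefault(int(c[3]), {"exclude": False, "dest": None, "inbound": None})
        if c[4:] == ["exclude"]:
            r["exclude"] = True
        elif c[4:6] == ["destination", "address"]:
            r["dest"] = ipaddress.ip_network(c[6])
        elif c[4:5] == ["inbound-interface"]:
            r["inbound"] = c[5]
    for num in sorted(rules):
        r = rules[num]
        if r["inbound"] in (None, lan_if) and (r["dest"] is None or covers(r["dest"], remote)):
            if not r["exclude"]:
                findings.append(f"WAN load-balancing rule {num} catches {remote} before any exclude rule")
            break
    return findings

# Constructed sample after the thread: LAN behind eth1, remote LAN 192.168.2.0/24 via wg0.
BASE = """set interfaces wireguard wg0 peer useast1-mp allowed-ips '192.168.2.0/24'
set protocols static route 192.168.2.0/24 interface wg0
set load-balancing wan rule 200 inbound-interface 'eth1'"""
EXCLUDE = """set load-balancing wan rule 100 destination address '192.168.2.0/24'
set load-balancing wan rule 100 exclude
set load-balancing wan rule 100 inbound-interface 'eth1'\n"""
```

Run `check_wg_lan_routing(BASE, "192.168.2.0/24", "eth1")` to reproduce the original symptom (rule 200 swallows the traffic) and `check_wg_lan_routing(EXCLUDE + BASE, ...)` to confirm the fixed ordering returns no findings.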
