Wireguard VPN connection from client - no internet access

Moderator Edit: I have formatted your config to be readable :slight_smile:

When I connect via Wireguard to mullvad on my laptop (linux), I can no longer browse the internet.
I can connect to my internal (LAN) interface, and connect to it via ssh.
I am pretty new to linux, and very new to VyOS. I see that packets are being dropped by the kernel when I monitor the WAN interface.

Oh, Laptop is on the LAN - .20 network.

I know this has to be something simple, but I am not skilled enough yet to troubleshoot it myself. Thoughts?

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN-LOCAL {
        default-action accept
    }
    name LAN-MGMT {
        default-action drop
        rule 5 {
            action accept
            description "Allow EST/Related Traffic"
            state {
                established enable
                related enable
            }
        }
    }
    name LAN-WAN {
        default-action accept
    }
    name LOCAL-LAN {
        default-action accept
    }
    name LOCAL-MGMT {
        default-action accept
    }
    name LOCAL-WAN {
        default-action accept
    }
    name MGMT-LAN {
        default-action accept
    }
    name MGMT-LOCAL {
        default-action accept
    }
    name MGMT-WAN {
        default-action accept
    }
    name WAN-LAN {
        default-action drop
        rule 5 {
            action accept
            description "Allow EST/Related Traffic"
            state {
                established enable
                related enable
            }
        }
    }
    name WAN-LOCAL {
        default-action drop
        rule 5 {
            action accept
            description "Allow EST/Related Traffic"
            state {
                established enable
                related enable
            }
        }
    }
    name WAN-MGMT {
        default-action drop
        rule 5 {
            action accept
            description "Allow EST/Related Traffic"
            state {
                established enable
                related enable
            }
        }
    }
    options {
        interface eth1 {
            adjust-mss 1452
        }
        interface pppoe0 {
            adjust-mss 1452
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Blah
        duplex auto
        hw-id 00:e0:67:1f:b2:12
        speed auto
    }
    ethernet eth1 {
        address 172.16.20.1/24
        description LAN
        hw-id 00:e0:67:1f:b2:13
        vif 10 {
            address 172.16.10.1/24
            description Management
        }
    }
    ethernet eth2 {
        address 172.21.20.1/24
        description NEWLAN
        hw-id 00:e0:67:1f:b2:14
    }
    ethernet eth3 {
        hw-id 00:e0:67:1f:b2:15
    }
    ethernet eth4 {
        hw-id 00:e0:67:1f:b2:16
    }
    ethernet eth5 {
        hw-id 00:e0:67:1f:b2:17
    }
    loopback lo {
    }
    pppoe pppoe0 {
        authentication {
            password 
            user 
        }
        default-route auto
        description WAN
        mtu 1492
        source-interface eth0
    }
}
nat {
    source {
        rule 100 {
            outbound-interface pppoe0
            source {
                address 172.16.20.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 110 {
            outbound-interface pppoe0
            source {
                address 172.16.10.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN {
            subnet 172.16.20.0/24 {
                default-router 172.16.20.1
                dns-server 172.16.20.1
                range 0 {
                    start 172.16.20.200
                    stop 172.16.20.250
                }
            }
        }
        shared-network-name Management {
            subnet 172.16.10.0/24 {
                default-router 172.16.10.1
                dns-server 172.16.20.1
                dns-server 172.16.10.1
                range 0 {
                    start 172.16.10.200
                    stop 172.16.10.220
                }
            }
        }
    }
    dns {
        forwarding {
            allow-from 172.16.20.0/24
            allow-from 172.16.10.0/24
            cache-size 0
            dnssec process
            listen-address 172.16.20.1
            listen-address 172.16.10.1
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        user {
            authentication {
                encrypted-password 
            }
        }
    }
    name-server 172.16.20.1
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}
zone-policy {
    zone LAN {
        default-action drop
        from LOCAL {
            firewall {
                name LOCAL-LAN
            }
        }
        from MGMT {
            firewall {
                name MGMT-LAN
            }
        }
        from WAN {
            firewall {
                name WAN-LAN
            }
        }
        interface eth1
    }
    zone LOCAL {
        default-action drop
        from LAN {
            firewall {
                name LAN-LOCAL
            }
        }
        from MGMT {
            firewall {
                name MGMT-LOCAL
            }
        }
        from WAN {
            firewall {
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone MGMT {
        default-action drop
        from LOCAL {
            firewall {
                name LOCAL-MGMT
            }
        }
        from WAN {
            firewall {
                name WAN-MGMT
            }
        }
        interface eth1.10
    }
    zone WAN {
        default-action drop
        from LAN {
            firewall {
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                name LOCAL-WAN
            }
        }
        from MGMT {
            firewall {
                name MGMT-WAN
            }
        }
        interface eth0
        interface pppoe0
    }
}
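An added example, not part of the original post or of VyOS itself: a small parser for the brace-style config above plus a check of the zone-policy, reporting which zone pairs have no `from` policy (so they fall through to the zone's default-action) and which firewall rulesets are defined but never attached. Run against a compacted copy of this thread's config it shows LAN to MGMT hitting MGMT's default drop, with the LAN-MGMT ruleset defined but unused.

```python
import re
from itertools import permutations
# Constructed, compacted copy of the thread's ruleset names and zone-policy (rules, interfaces left out).
CONFIG = """
firewall {
  name LAN-LOCAL { } name LAN-MGMT { } name LAN-WAN { } name LOCAL-LAN { } name LOCAL-MGMT { } name LOCAL-WAN { }
  name MGMT-LAN { } name MGMT-LOCAL { } name MGMT-WAN { } name WAN-LAN { } name WAN-LOCAL { } name WAN-MGMT { }
}
zone-policy {
  zone LAN { from LOCAL { firewall { name LOCAL-LAN } } from MGMT { firewall { name MGMT-LAN } } from WAN { firewall { name WAN-LAN } } default-action drop }
  zone LOCAL { from LAN { firewall { name LAN-LOCAL } } from MGMT { firewall { name MGMT-LOCAL } } from WAN { firewall { name WAN-LOCAL } } default-action drop }
  zone MGMT { from LOCAL { firewall { name LOCAL-MGMT } } from WAN { firewall { name WAN-MGMT } } default-action drop }
  zone WAN { from LAN { firewall { name LAN-WAN } } from LOCAL { firewall { name LOCAL-WAN } } from MGMT { firewall { name MGMT-WAN } } default-action drop }
}
"""

def parse(text):
    """Parse VyOS brace config: blocks become dicts, leaves lists of values."""
    root = node = {}
    stack, words = [], []
    for tok in re.findall(r"[{}\n]|[^\s{}]+", text):
        if tok not in "{}\n":
            words.append(tok)
            continue
        if tok == "{":                      # `zone LAN {` -> root["zone"]["LAN"]
            stack.append(node)
            for w in words:
                node = node.setdefault(w, {})
        elif words:                         # newline or `}` ends a `key value` leaf
            node.setdefault(words[0], []).append(" ".join(words[1:]))
        if tok == "}":
            node = stack.pop()
        words = []
    return root

def audit(cfg):
    """Zone pairs that fall through to the zone default-action, plus unattached rulesets."""
    zones = cfg["zone-policy"]["zone"]
    gaps, attached = [], set()
    for src, dst in permutations(sorted(zones), 2):
        policy = zones[dst].get("from", {}).get(src)
        if policy is None:       # no `from src` under zone dst: no ruleset inspects it
            gaps.append((src, dst, zones[dst]["default-action"][0]))
        else:
            attached.update(policy["firewall"]["name"])
    return gaps, sorted(set(cfg["firewall"]["name"]) - attached)

if __name__ == "__main__":
    print(audit(parse(CONFIG)))  # ([('LAN', 'MGMT', 'drop')], ['LAN-MGMT'])
```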

Hi,
I formatted your config to make it readable.

You say you have a laptop that can access the Internet fine, but when you connect it to a 3rd party VPN provider, it can’t access the Internet?

That honestly sounds like you’ve mis-configured Wireguard on your laptop towards your provider - mismatched keys, or forgotten to add a preshared key or similar.

I can’t see anything else obvious in your config that would stop it working.

Thank you! Is there a code… oh, I see it! Sorry about that.

So, I can confirm that my connections to the 3rd party provider work fine on another firewall product. Same setup, key etc… I can blow it away and give it another shot, but I thought it odd that it worked under that FW and not on VyOS.

No worries on the formatting, sorry I wasn’t trying to sound crabby. It’s easy to miss how to format it as it looks OK in the preview editor.

Ok, if the same laptop works via another firewall and not Vyos, then there must be something in the config that’s not working right.

Wireguard is a UDP protocol - do other UDP protocols work fine via Vyos? Can you run a UDP iperf test between your laptop and something else on the other side of the Vyos box?

True. I am not using that network yet. I was starting to plan moving to different subnets, but I decided to stick to getting things tweaked first.

I found some public Iperf servers to hit, so testing that now.

Yea sorry, I misread your config, you’re not using that Interface yet (they’ve both got .20 as the third octet, thus my confusion)

I have read your config front to back twice now and honestly, I can’t fault it. I still honestly think you must have some problem with your VPN provider.

Still, my suggestion, if you’re still sure it’s a Vyos problem, is to add “enable-default-log” to your Firewall rules and then it’ll log any packets being dropped.

Thanks for all your input.
Here’s a test:
Before VPN connection:
[ 5] local 172.16.20.101 port 38384 connected to 89.84.1.222 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-10.00 sec 10.8 MBytes 9.10 Mbits/sec 5 191 KBytes
[ 5] 10.00-20.00 sec 10.4 MBytes 8.71 Mbits/sec 7 184 KBytes

Failed after connection:
iperf3 -i 10 -t 60 -c bouygues.iperf.fr
iperf3: error - unable to send control message: Bad file descriptor

I can’t resolve names once connected. I’ll keep snooping. Thanks for the logging cmd!

Well, I feel like a fool. I regenerated a new key and pulled down the connection files. All working now. Sorry for the noise, and thanks again for the prompt response.

One last thing… is there a good site with info on how to read the logs?

Great to hear it’s working :slight_smile:

As for reading the logs, maybe this site will help.
