Wireguard VPN one-way

andrei.leib · February 19, 2019, 11:54pm

Hi,

I am experiencing VPN issues using Wireguard. I have the tunnel up between office and data centre and I can ping anything in the data centre from any of the office machines except from the office VyOS itself, VyOS itself cannot ping anything in the data centre including the remote tunnel ip (10.1.0.1)

None of the machines in the data centre can ping anything in the office. My office-dc tunnel is effectively one-way. The DC VyOS cannot ping anything in the office including the remote tunnel ip (10.2.0.1)

Here is my config:

office VyOS config:

wireguard wg01 {
address 10.2.0.1/24
description VPN-to-DC
peer to-dc {
allowed-ips 10.42.0.0/16
endpoint DC_VYOS_PUBLIC_IP:34447
persistent-keepalive 15
pubkey ****************
}
port 34447
}

office VyOS routing table:

S>* 0.0.0.0/0 [1/0] via OFFICE_PUBLIC_UPSTREAM_GATEWAY, eth0, 1d01h35m

C>* 10.2.0.0/24 is directly connected, wg01, 1d01h35m

S>* 10.42.0.0/16 [1/0] is directly connected, wg01, 1d01h35m

C>* 10.52.36.0/22 is directly connected, eth1, 1d01h35m

C>* OFFICE_PUBLIC_IP_BLOCK/30 is directly connected, eth0, 1d01h35m

DC VyOS config:

wireguard wg01 {
address 10.1.0.1/24
description VPN-DC
peer to-office {
allowed-ips 10.52.37.0/24
endpoint VYOS_OFFICE_PUBLIC_IP:34447
persistent-keepalive 15
pubkey ****************
}
port 34447
}

DC VyOS routing table:

S>* 0.0.0.0/0 [1/0] via DC_PUBLIC_UPSTREAM_GATEWAY, eth0, 41w3d21h

C>* 10.1.0.0/24 is directly connected, wg01, 41w3d21h

C>* 10.42.0.0/16 is directly connected, eth1, 41w3d21h

S>* 10.52.37.0/24 [1/0] is directly connected, wg01, 41w3d18h

C>* DC_PUBLIC_IP_BLOCK/29 is directly connected, eth0, 41w3d21h

I’ve tried adding 0.0.0.0/0 to allowed ips on both sides without success.

Any ideas/suggestions on why this setup is one-way are welcome.

Regards,
Andrei.

Matt · February 20, 2019, 1:02am

Andrei,

What version of VyOS are you using, also, what is the output of:

show interfaces wireguard peers

andrei.leib · February 20, 2019, 3:13am

Hi Matt,

I am using nightly build on both office VyOS and DC VyOS.

here is the output of show version:

DC:
Version: VyOS 1.2.0-rolling+201902170337
Built by: autobuild@vyos.net
Built on: Sun 17 Feb 2019 03:37 UTC
Build ID: ddb51bc0-010d-4fcd-8531-f8dd8bf12c7e

OFFICE:
Version: VyOS 1.2.0-rolling+201902170337
Built by: autobuild@vyos.net
Built on: Sun 17 Feb 2019 03:37 UTC
Build ID: ddb51bc0-010d-4fcd-8531-f8dd8bf12c7e

Output of show interfaces wireguard wg01

DC:
interface: wg01
public key: DC_VYOS_PUBLIC_KEY
private key: (hidden)
listening port: 34447

peer: OFFICE_VYOS_PUBLIC_KEY
endpoint: OFFICE_PUBLIC_IP:34447
allowed ips: 10.52.37.0/24
latest handshake: 21 seconds ago
transfer: 9.88 GiB received, 82.84 GiB sent
persistent keepalive: every 15 seconds

OFFICE:
interface: wg01
public key: OFFICE_VYOS_PUBLIC_KEY
private key: (hidden)
listening port: 34447

peer: DC_VYOS_PUBLIC_KEY
endpoint: DC_VYOS_PUBLIC_IP:34447
allowed ips: 10.42.0.0/16
latest handshake: 1 minute, 1 second ago
transfer: 44.35 GiB received, 6.09 GiB sent
persistent keepalive: every 15 seconds

hagbard · February 20, 2019, 6:37pm

Check you allowed IPs config.

DC VyOS config:
wireguard wg01 {
address 10.1.0.1/24

Shouldn’t be the address within 10.42.0.0/16 and your office one within 10.52.37.0/24?
you can also have them in the same subnet if you’d like and set your routes with with the wg address from the other side as next hop.
You also need persistent keepalive only if you are using NAT.

hagbard · February 20, 2019, 7:13pm

e.g. like this:

set interfaces wireguard wg01 address ‘10.2.0.1/24’
set interfaces wireguard wg01 peer office-to-dc allowed-ips ‘0.0.0.0/0’
set interfaces wireguard wg01 peer office-to-dc endpoint ‘10.1.1.201:12345’
set interfaces wireguard wg01 peer office-to-dc pubkey ‘9zZZWcrPKUxlsNsHDnKYuAGAWDSCnktJPMAquhiO50k=’
set interfaces wireguard wg01 port ‘12345’
set protocols static interface-route 10.2.0.2/32 next-hop-interface wg01

set interfaces wireguard wg01 address ‘10.2.0.2/24’
set interfaces wireguard wg01 peer office-to-dc allowed-ips ‘0.0.0.0/0’
set interfaces wireguard wg01 peer office-to-dc endpoint ‘10.1.1.200:12345’
set interfaces wireguard wg01 peer office-to-dc pubkey ‘V0V0u3jbI8V2i6+/xiFe5mQXvb+ar1khx368wq+3xhw=’
set interfaces wireguard wg01 port ‘12345’
set protocols static interface-route 10.2.0.1/32 next-hop-interface wg01

You can either filter with allowed-ips for the destinations, but since you just have 1 tunnel on the interface I would do that via routing table.