Wireguard vyos 1.3 not working

Unable to get wireguard to work. Wireguard works on client (with a non-vyos based wireguard server). Using vyos 1.3.

Client config:
[Interface]
Address = 10.10.1.26/24
SaveConfig = true
ListenPort = 36261
PrivateKey = <PRIVATE_KEY>

[Peer]
PublicKey = /i0eNKVzlJcwYBN5yFBtISU0kcMCmaClTFqINaHzmVM=
AllowedIPs = 10.11.0.17/32
Endpoint = <VYOS_IP>:51820

Client:
interface: wg0
public key: fCJ6BSlJ2fwZgMknnRiOKR4JYiPpyza7JkddppdLCXQ=
private key: (hidden)
listening port: 36261

peer: /i0eNKVzlJcwYBN5yFBtISU0kcMCmaClTFqINaHzmVM=
endpoint: <VYOS_IP>:51820
allowed ips: 10.11.0.17/32, 192.168.17.0/24
transfer: 10.26 KiB received, 12.16 KiB sent

Vyos wireguard config:

set interfaces wireguard wg0 address '10.11.0.17/24'
set interfaces wireguard wg0 description 'VPN-to-monitor'
set interfaces wireguard wg0 peer to-monitor allowed-ips '10.10.1.26/32'
set interfaces wireguard wg0 peer to-monitor address '<MONITOR_IP>'
set interfaces wireguard wg0 peer to-monitor port '36261'
set interfaces wireguard wg0 peer to-monitor pubkey 'fCJ6BSlJ2fwZgMknnRiOKR4JYiPpyza7JkddppdLCXQ='
set interfaces wireguard wg0 port '51820'
set protocols static interface-route 10.10.1.26/32 next-hop-interface wg0
set interfaces wireguard wg0 private-key KP01

vyos@vyos# show interfaces wireguard
wireguard wg0 {
    address 10.11.0.17/24
    description VPN-to-monitor
    peer to-monitor {
        address <MONITOR_IP>
        allowed-ips 10.10.1.26/32
        port 36261
        pubkey fCJ6BSlJ2fwZgMknnRiOKR4JYiPpyza7JkddppdLCXQ=
    }
    port 51820
    private-key KP01
}

From vyos:
vyos@vyos# ping 10.10.1.26
PING 10.10.1.26 (10.10.1.26) 56(84) bytes of data.
^C
--- 10.10.1.26 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 184ms

From client (aka, monitor)
ping 10.11.0.17
PING 10.11.0.17 (10.11.0.17) 56(84) bytes of data.
^C
--- 10.11.0.17 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2031ms
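A quick consistency check over the two configs in the post, added here as an example (it is not from the thread or from VyOS): it parses the wg-quick client file and the VyOS 1.3 `set` commands and reports the mismatches that silently stop traffic, namely the peer pubkey, allowed-ips covering the far side's tunnel address, and endpoint versus listen ports. The sample inputs are constructed from the configs above with the redacted placeholders kept, and the client's public key is the one `wg show` printed; what it cannot verify is whether the client's [Peer] PublicKey is really the public half of the VyOS named keypair KP01, which still has to be compared by hand.

```python
import ipaddress
import re
# Constructed sample inputs modelled on the configs quoted in the thread (redacted values keep their placeholders).
CLIENT_CONF = """[Interface]
Address = 10.10.1.26/24
ListenPort = 36261
[Peer]
PublicKey = /i0eNKVzlJcwYBN5yFBtISU0kcMCmaClTFqINaHzmVM=
AllowedIPs = 10.11.0.17/32
Endpoint = <VYOS_IP>:51820
"""
VYOS_CONF = """set interfaces wireguard wg0 address '10.11.0.17/24'
set interfaces wireguard wg0 peer to-monitor allowed-ips '10.10.1.26/32'
set interfaces wireguard wg0 peer to-monitor port '36261'
set interfaces wireguard wg0 peer to-monitor pubkey 'fCJ6BSlJ2fwZgMknnRiOKR4JYiPpyza7JkddppdLCXQ='
set interfaces wireguard wg0 port '51820'
"""
CLIENT_PUBKEY = "fCJ6BSlJ2fwZgMknnRiOKR4JYiPpyza7JkddppdLCXQ="  # as shown by 'wg show' on the client
def parse_client(text):
    """Flatten the wg-quick INI into one dict (a single [Peer] section is assumed)."""
    return dict(map(str.strip, line.split("=", 1)) for line in text.splitlines() if "=" in line)
def parse_vyos(text):
    """Collect interface-level and per-peer values from 'set interfaces wireguard' lines."""
    cfg, peers = {}, {}
    for m in re.finditer(r"set interfaces wireguard \S+ (.+)", text):
        words = m.group(1).split()
        value = words[-1].strip("'\u2018\u2019")  # VyOS quotes values; forum pastes often turn them into curly quotes
        if words[0] == "peer":
            peers.setdefault(words[1], {})[words[2]] = value
        else:
            cfg[words[0]] = value
    return cfg, peers

def covers(allowed, addr):
    """True if any prefix in the comma-separated AllowedIPs contains the host part of addr."""
    host = ipaddress.ip_interface(addr).ip
    return any(host in ipaddress.ip_network(n.strip(), strict=False) for n in allowed.split(","))

def check(client_text, vyos_text, client_pubkey):
    """Return the mismatches that would stop traffic; an empty list means both sides agree."""
    c, (v, peers) = parse_client(client_text), parse_vyos(vyos_text)
    peer = next((p for p in peers.values() if p.get("pubkey") == client_pubkey), None)
    if peer is None:
        return ["no VyOS peer carries the client's public key"]
    checks = [
        (covers(peer["allowed-ips"], c["Address"]), "VyOS peer allowed-ips does not cover client Address"),
        (covers(c["AllowedIPs"], v["address"]), "client AllowedIPs does not cover VyOS wg0 address"),
        (c["Endpoint"].rsplit(":", 1)[1] == v["port"], "client Endpoint port != VyOS listen port"),
        (peer.get("port") == c["ListenPort"], "VyOS peer port != client ListenPort"),
    ]
    return [msg for ok, msg in checks if not ok]
```

For the configs as posted the check comes back empty, so the remaining suspects are the KP01 public key and whatever sits between the two hosts (firewall, NAT, routing), which is where a tcpdump on both wg0 interfaces helps.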

Try to do a dump on the client side. Do you see ICMP requests?

This looks like VyOS 1.3 config nodes. Can you probably try using the default keypair over a named one here? Maybe there is a config bug in non default keypairs.

My bad. I’m on 1.3, VyOS 1.3-rolling-202007020438.

@Viacheslav There is traffic from the client on the wg0 interface to the Vyos wireguard server but no traffic on the Vyos server wg0 interface.

On a different wireguard server, the following lines are set.

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE

Is iptables correctly set up in Vyos? There is no ‘MASQUERADE’ chain in Vyos so I’m not able to add the above manually.

Note that I’m actually on 1.3 per the comment above.

@alpha23 Can you attach a simple network diagram?
Which type of client? debian/centos/ubuntu?
If you need source nat on vyos you can use section “set nat”
https://docs.vyos.io/en/latest/configuration/nat/

@Viacheslav There’s not much of a network diagram. It is client (ubuntu) <-> server (vyos). IPs and ports are per the above provided configs.

Regarding nat, the above is referenced in the standard wireguard setup and I do not necessarily need to do that at this time. Right now, the client and server will not even ping one another so there is something more fundamentally wrong. Are the config files correct? Is there anything additional that needs to be set in the vyos config, e.g. iptables?

Can you share your full config?

Not without going through and stripping out the confidential information; most of the config will be irrelevant. Is the configuration above correct to configure wireguard? Is there anything additional that needs to be set in the vyos config, e.g. iptables? Where are the logs for wireguard?

Well, no idea if you have something blocked at the firewall, for example. I believe that should all be set up automatically, but I explicitly open the listening ports up.

What is your default route and how are you pushing traffic down the tunnels, I use PBR to push certain address ranges through my wg tunnels for example.

show configuration commands | strip-private
show configuration | strip-private

On the vyos server:

ip route show:
10.10.1.26 dev wg0 proto static metric 20
10.11.0.0/24 dev wg0 proto kernel scope link src 10.11.0.17

Unable to ping 10.10.1.26 from vyos server. There is nothing showing in /var/log/messages indicating that traffic to/from 10.10.1.26 is denied.

Where are the logs for wireguard?

Can anyone on the Vyos Team provide assistance to resolve this issue?

@alpha23 is that still an issue for you?

It is still an issue given that no one has answered the question as to “Where are the logs for wireguard?”

Where are the logs for wireguard?

way to get help.

You’ve been asked to submit a stripped-down config. See above.

My stripped down config related to WG was submitted in initial.

Simple question - 3rd time asking - Where are the logs for wireguard?

I can create a separate issue asking the same question but that seems silly.

Share the output of that. It will help those still interested in helping you out.

It should log to syslog, however I believe you need to turn on debugging first before you would see any messages. There are easier ways to check what’s going wrong.
Can you share your config and explain your setup, I can test it in a lab then and check what’s going wrong.

I have updated the original post to reflect it’s 1.3 not 1.2.

In the configuration 'set system syslog file <filename> facility <keyword> level ' what is the facility?

debug. But again it is very minimal and shows you only rekeying and keepalives and the such, which is easier to see via tcpdump.