Wireguard vyos 1.3 STILL not working

See Wireguard vyos 1.3 not working for history. This was closed without confirmation.

I’m now able to ping the IP of the WireGuard interface, wg0. I’m not able to ping IPs accessible on the LAN interface, eth1, e.g. 192.168.x.x/16, which is also the interface of the WireGuard endpoint.

Wireguard states to add the following to the ‘[Interface]’ config section:

iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

I’ve executed the 1st command but the 2nd command cannot be executed because the ‘MASQUERADE’ iptables chain does not exist.

Why are LAN IPs unable to be pinged from the client? Is there something that needs to be added in addition to the following configuration?

set interfaces wireguard wg0 address '10.11.0.17/24'
set interfaces wireguard wg0 description 'VPN-to-monitor'
set interfaces wireguard wg0 peer to-monitor allowed-ips '10.10.1.26/32'
set interfaces wireguard wg0 peer to-monitor address '<MONITOR_IP>'
set interfaces wireguard wg0 peer to-monitor port '36261'
set interfaces wireguard wg0 peer to-monitor pubkey 'fCJ6BSlJ2fwZgMknnRiOKR4JYiPpyza7JkddppdLCXQ='
set interfaces wireguard wg0 port '51820'
set protocols static interface-route 10.10.1.26/32 next-hop-interface wg0
set interfaces wireguard wg0 private-key KP01

Example config for VyOS that works fine:
r1 server, VyOS 1.4-rolling-202102010218
r2 client, VyOS 1.4-rolling-202102020218

server config:

set interfaces dummy dum0 address '100.64.0.1/24'
set interfaces dummy dum0 description 'LAN'
set interfaces wireguard wg01 address '10.11.0.17/24'
set interfaces wireguard wg01 description 'RoadWarrior'
set interfaces wireguard wg01 peer PEER001 allowed-ips '10.10.1.26/32'
set interfaces wireguard wg01 peer PEER001 pubkey 'xxxw='
set interfaces wireguard wg01 port '51820'
set protocols static interface-route 10.10.1.26/32 next-hop-interface wg01

Client config:

set interfaces wireguard wg01 address '10.10.1.26/32'
set interfaces wireguard wg01 description 'Server-SERVER-203.0.113.1'
set interfaces wireguard wg01 peer SERVER address '203.0.113.1'
set interfaces wireguard wg01 peer SERVER allowed-ips '10.11.0.0/24'
set interfaces wireguard wg01 peer SERVER allowed-ips '100.64.0.0/24'
set interfaces wireguard wg01 peer SERVER port '51820'
set interfaces wireguard wg01 peer SERVER pubkey 'yyy4='
set nat source rule 10 outbound-interface 'wg01'
set nat source rule 10 source address '100.64.22.0/24'
set nat source rule 10 translation address 'masquerade'
set protocols static interface-route 10.11.0.0/24 next-hop-interface wg01
set protocols static interface-route 100.64.0.0/24 next-hop-interface wg01

Ping from server

vyos@r1-roll:~$ show ip route 10.10.1.26
Routing entry for 10.10.1.26/32
  Known via "static", distance 1, metric 0, best
  Last update 00:06:42 ago
  * directly connected, wg01, weight 1

vyos@r1-roll:~$ ping 10.10.1.26 count 1
PING 10.10.1.26 (10.10.1.26) 56(84) bytes of data.
64 bytes from 10.10.1.26: icmp_seq=1 ttl=64 time=0.438 ms

--- 10.10.1.26 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.438/0.438/0.438/0.000 ms

Ping from client site to address of server and LAN network on server:

vyos@r2-roll:~$ show ip route | match wg
C>* 10.10.1.26/32 is directly connected, wg01, 00:14:42
S>* 10.11.0.0/24 [1/0] is directly connected, wg01, 00:08:40
S>* 100.64.0.0/24 [1/0] is directly connected, wg01, 00:08:40

vyos@r2-roll:~$ ping 10.11.0.17 count 1
PING 10.11.0.17 (10.11.0.17) 56(84) bytes of data.
64 bytes from 10.11.0.17: icmp_seq=1 ttl=64 time=0.356 ms

--- 10.11.0.17 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.356/0.356/0.356/0.000 ms
vyos@r2-roll:~$ 
vyos@r2-roll:~$ ping 100.64.0.1 count 1
PING 100.64.0.1 (100.64.0.1) 56(84) bytes of data.
64 bytes from 100.64.0.1: icmp_seq=1 ttl=64 time=0.518 ms

--- 100.64.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.518/0.518/0.518/0.000 ms
vyos@r2-roll:~$ 

As you can see, all works correctly.

On the VyOS side, you don’t need any direct iptables commands like

iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Try to check on the client side, for example whether port-forwarding/routing is enabled:

sudo sysctl net.ipv4.ip_forward
sudo ip route get 10.11.0.17

To clarify, the server is Ubuntu and the client is VyOS per your example; I view this the other way, in that Ubuntu is the client connecting to the VyOS server for connection to the LAN, but that may not matter. Should the interface ‘dummy’ in your example be ‘eth1’? That is, eth1 on VyOS is 192.168.8.9/24, and from the Ubuntu machine I need to be able to ping 192.168.8.6.

Regarding the settings on the Ubuntu machine:

$ sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
$ sudo ip route get 192.168.8.6
192.168.8.6 dev wg0 src 10.10.1.26 uid 0 
    cache

I checked with Ubuntu LTS, all works fine, VyOS 1.4-rolling-202102010218

root@ubnt-client:/etc/wireguard# cat /etc/os-release 
NAME="Ubuntu"
VERSION="20.04.2 LTS (Focal Fossa)"

Here is an example of the client configuration:

# cat /etc/wireguard/wg0.conf 
[Interface]
## Client private key ##
PrivateKey = FU=

## Client ip address ##
Address = 10.10.1.26/24

[Peer]
## VyOS server public key ##
PublicKey = kci4=

## set allowed addresses ##
AllowedIPs = 10.11.0.0/24,192.168.8.0/24

## VyOS server endpoint address and port ##
Endpoint = 1xx.x.x.x:51820

## Keep connection alive ##
PersistentKeepalive = 15

Start interface

systemctl start wg-quick@wg0

Check status

root@ubnt-client:/home/sever# systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; disabled; vendor preset: enabled)
     Active: active (exited) since Wed 2021-02-03 12:49:23 UTC; 4s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
    Process: 20486 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
   Main PID: 20486 (code=exited, status=0/SUCCESS)

Feb 03 12:49:23 ubnt-client systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Feb 03 12:49:23 ubnt-client wg-quick[20486]: [#] ip link add wg0 type wireguard
Feb 03 12:49:23 ubnt-client wg-quick[20486]: [#] wg setconf wg0 /dev/fd/63
Feb 03 12:49:23 ubnt-client wg-quick[20486]: [#] ip -4 address add 10.10.1.26/24 dev wg0
Feb 03 12:49:23 ubnt-client wg-quick[20486]: [#] ip link set mtu 1420 up dev wg0
Feb 03 12:49:23 ubnt-client wg-quick[20486]: [#] ip -4 route add 192.168.8.0/24 dev wg0
Feb 03 12:49:23 ubnt-client wg-quick[20486]: [#] ip -4 route add 10.11.0.0/24 dev wg0
Feb 03 12:49:23 ubnt-client systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

Check routes

root@ubnt-client:/home/sever# ip route | grep wg
10.10.1.0/24 dev wg0 proto kernel scope link src 10.10.1.26 
10.11.0.0/24 dev wg0 scope link 
192.168.8.0/24 dev wg0 scope link 

Ping

# ping 192.168.8.6
PING 192.168.8.6 (192.168.8.6) 56(84) bytes of data.
64 bytes from 192.168.8.6: icmp_seq=1 ttl=64 time=1.32 ms

# ping 10.11.0.17
PING 10.11.0.17 (10.11.0.17) 56(84) bytes of data.
64 bytes from 10.11.0.17: icmp_seq=1 ttl=64 time=1.50 ms

Adding the following on the VyOS server (Ubuntu being the client) resolved the issue. I appreciate your help.

set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address '10.10.1.0/24'
set nat source rule 10 translation address 'masquerade'
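As an added illustration (not code from anyone in the thread or from VyOS), a short Python checker that applies WireGuard's two cryptokey-routing rules and the return-path requirement to the configs posted above; it assumes the LAN hosts behind the router have no route back to 10.10.1.0/24, which is the gap the masquerade rule closes.

```python
import ipaddress

# Added example, not from the thread. Assumption: LAN hosts behind the VyOS
# router have no route back to the 10.10.1.0/24 tunnel subnet, which is the
# gap a source-NAT (masquerade) rule on eth1 papers over.

def in_any(addr, prefixes):
    """True if addr lies inside any prefix in the list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)

def check_path(client_addr, client_allowed, server_peer_allowed, dest,
               lan_routes_back=False, server_nat_sources=()):
    """List what stops client_addr reaching LAN host dest through the tunnel."""
    src = client_addr.split("/")[0]
    problems = []
    # 1. Client side of cryptokey routing: dest must be inside AllowedIPs,
    #    otherwise the client never sends it into wg0.
    if not in_any(dest, client_allowed):
        problems.append(f"{dest} missing from client AllowedIPs")
    # 2. Server side: a decrypted packet whose source is outside the peer's
    #    allowed-ips is dropped silently.
    if not in_any(src, server_peer_allowed):
        problems.append(f"{src} missing from server allowed-ips for this peer")
    # 3. Return path: the LAN host must either know a route to the tunnel
    #    subnet via the router, or the router must masquerade the source.
    if not lan_routes_back and not in_any(src, server_nat_sources):
        problems.append(f"no return route and no masquerade for {src}")
    return problems

# Values from the thread: Ubuntu client, VyOS server, LAN 192.168.8.0/24 on eth1.
CLIENT_ADDR = "10.10.1.26/24"
CLIENT_ALLOWED = ["10.11.0.0/24", "192.168.8.0/24"]
SERVER_PEER_ALLOWED = ["10.10.1.26/32"]
LAN_HOST = "192.168.8.6"

def before_fix():
    """Original VyOS config: no nat source rule."""
    return check_path(CLIENT_ADDR, CLIENT_ALLOWED, SERVER_PEER_ALLOWED, LAN_HOST)

def after_fix():
    """With 'set nat source rule 10 source address 10.10.1.0/24' + masquerade."""
    return check_path(CLIENT_ADDR, CLIENT_ALLOWED, SERVER_PEER_ALLOWED, LAN_HOST,
                      server_nat_sources=["10.10.1.0/24"])
```

`before_fix()` reports only the missing return path, which is what the added nat rule fixes; `after_fix()` reports nothing.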

That’s why it is helpful to share your sanitised config when troubleshooting. The lack of a masquerade rule didn’t show up until someone took the time to write out a full client config, including the nat rules, and would have been spotted straight away on your original post some weeks back.

@phillipmcmahon If the NAT rules were missing but required, you could have easily spotted that weeks ago in my original post, as I posted all the configs relevant to WireGuard (see original post). Moreover, the NAT configuration is not in the documentation (WireGuard — VyOS 1.4.x (sagitta) documentation).

If you want to assist people, you may want to review all the information that someone posts rather than looking to merely antagonize them by requesting useless information so that you can appear to be helping.

Asking to see your config isn’t meant to antagonise, it’s pretty essential in order to understand the whole config and whether you might have missing or conflicting items. See most posts, they ask for the same thing.

Fortunately, @Viacheslav went the extra mile to provide the information he did.

@phillipmcmahon Thanks for not helping. Go bother someone else.
