WireGuard with OSPF between VyOS and EdgeOS. VyOS shared subnet is not pingable from EdgeOS; VyOS can ping the shared subnet on EdgeOS

I have a working configuration between some EdgeOS routers.

Now I'm trying to connect EdgeOS to VyOS using WireGuard and OSPF for routing.

EdgeOS is sharing 10.20.15.0/24 and 10.0.0.32/30
VyOS is sharing 10.20.2.0/24 and 10.0.0.32/30

OSPF seems to be working. VyOS can ping an IP in subnet 10.20.15.0/24, but EdgeOS cannot ping an IP in subnet 10.20.2.0/24.

On the EdgeOS I did a traceroute to 10.20.2.1 and it gets a response from 10.0.0.34, which is the WireGuard tunnel interface on VyOS.

Is there maybe something blocking the traffic in VyOS from going from 10.0.0.34 to 10.20.2.1?

Any ideas how to fix this?

VyOS config:

vyos@vyos# show interfaces wireguard wg15
 address 10.0.0.34/30
 mtu 1420
 peer VPN {
     allowed-ips 224.0.0.5/32
     allowed-ips 224.0.0.6/32
     allowed-ips 10.20.0.0/16
     allowed-ips 10.0.0.0/24
     public-key xxxx
 }
 port 51820
 private-key xxxx

OSPF:

vyos@vyos# show protocols ospf
 area 0 {
     network 10.20.2.0/24
     network 10.0.0.32/30
 }

EdgeOS config:

edgeos@edgeos# show interfaces wireguard wg2
 address 10.0.0.33/30
 mtu 1420
 peer xxxx {
     allowed-ips 224.0.0.5/32
     allowed-ips 10.20.0.0/16
     allowed-ips 224.0.0.6/32
     allowed-ips 10.0.0.0/24
     endpoint xxxx:51820
     persistent-keepalive 25
 }
 private-key xxxx
 route-allowed-ips false
[edit]

OSPF:

edgeos@edgeos# show protocols ospf
 area 0 {
     network 10.20.15.0/24
     network 10.0.0.8/30
     network 10.0.0.16/30
     network 10.0.0.20/30
     network 10.0.0.24/30
     network 10.0.0.28/30
     network 10.0.0.32/30
 }
 passive-interface default
 passive-interface-exclude wg25
 passive-interface-exclude wg11
 passive-interface-exclude wg3
 passive-interface-exclude wg12
 passive-interface-exclude wg14
 passive-interface-exclude wg2
[edit]

Traceroute from EdgeOS to VyOS:

edgeos@edgeos:/config/auth$ traceroute 10.20.2.1
traceroute to 10.20.2.1 (10.20.2.1), 30 hops max, 38 byte packets
 1  10.0.0.34 (10.0.0.34)  30.041 ms  29.987 ms  29.949 ms
 2  *  *  *
 3  *  *  *

Traceroute from VyOS to EdgeOS:

vyos@vyos:/config/auth$ traceroute 10.20.15.1
traceroute to 10.20.15.1 (10.20.15.1), 30 hops max, 60 byte packets
 1  10.20.15.1 (10.20.15.1)  30.074 ms  30.024 ms  30.172 ms
vyos@vyos:/config/auth$

VyOS ip route ospf:

vyos@vyos:/config/auth$ show ip route ospf
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

O>* 10.0.0.8/30 [110/11] via 10.0.0.33, wg15, weight 1, 02:16:12
O>* 10.0.0.12/30 [110/21] via 10.0.0.33, wg15, weight 1, 02:16:12
O>* 10.0.0.16/30 [110/11] via 10.0.0.33, wg15, weight 1, 02:16:12
O>* 10.0.0.20/30 [110/11] via 10.0.0.33, wg15, weight 1, 02:16:12
O>* 10.0.0.24/30 [110/11] via 10.0.0.33, wg15, weight 1, 02:16:12
O>* 10.0.0.28/30 [110/11] via 10.0.0.33, wg15, weight 1, 02:16:12
O   10.0.0.32/30 [110/1] is directly connected, wg15, weight 1, 02:16:23
O   10.20.2.0/24 [110/1] is directly connected, eth0, weight 1, 03:04:24
O>* 10.20.3.0/24 [110/21] via 10.0.0.33, wg15, weight 1, 02:16:12
O>* 10.20.11.0/24 [110/21] via 10.0.0.33, wg15, weight 1, 02:16:12
O>* 10.20.12.0/24 [110/21] via 10.0.0.33, wg15, weight 1, 02:16:12
O>* 10.20.14.0/24 [110/21] via 10.0.0.33, wg15, weight 1, 02:16:12
O>* 10.20.15.0/24 [110/11] via 10.0.0.33, wg15, weight 1, 02:16:12
O>* 10.20.25.0/24 [110/21] via 10.0.0.33, wg15, weight 1, 02:16:12


EdgeOS ip route ospf:

edgeos@edgeos:/config/auth$ show ip route ospf
IP Route Table for VRF "default"
O    *> 10.0.0.12/30 [110/20] via 10.0.0.18, wg11, 1d19h31m
     *>              [110/20] via 10.0.0.10, wg25, 1d19h31m
O    *> 10.20.2.0/24 [110/11] via 10.0.0.34, wg2, 02:14:57
O    *> 10.20.3.0/24 [110/20] via 10.0.0.22, wg3, 1d19h01m
O    *> 10.20.11.0/24 [110/20] via 10.0.0.18, wg11, 1d19h31m
O    *> 10.20.12.0/24 [110/20] via 10.0.0.26, wg12, 1d18h40m
O    *> 10.20.14.0/24 [110/20] via 10.0.0.30, wg14, 18:02:31
O    *> 10.20.25.0/24 [110/20] via 10.0.0.10, wg25, 1d21h00m

You should try a tcpdump on the WireGuard interfaces. Most of the time the ping is sourced from an IP address that's not shared via your routing table. Using tcpdump you can see where it's coming from.

I found out now that EdgeOS and machines in the 10.20.15.0/24 subnet can ping 10.20.2.12. This is the IP of eth0 on the VyOS router.
All other addresses in 10.20.2.0/24 will not respond to ping.

This is the output when I ping 10.20.2.1 from a machine in the 10.20.15.0/24 subnet.

WireGuard interface on VyOS:

vyos@vyos:~$ sudo tcpdump -i wg15 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg15, link-type RAW (Raw IP), snapshot length 262144 bytes
19:22:09.528425 IP 10.0.0.33 > 224.0.0.5: OSPFv2, Hello, length 48
19:22:12.751980 IP 10.0.0.34 > 224.0.0.5: OSPFv2, Hello, length 48
19:22:14.128252 IP 10.20.15.137 > 10.20.2.1: ICMP echo request, id 1, seq 5239, length 40
19:22:18.529214 IP 10.0.0.33 > 224.0.0.5: OSPFv2, Hello, length 48
19:22:18.825576 IP 10.20.15.137 > 10.20.2.1: ICMP echo request, id 1, seq 5240, length 40
19:22:22.751996 IP 10.0.0.34 > 224.0.0.5: OSPFv2, Hello, length 48
19:22:23.831591 IP 10.20.15.137 > 10.20.2.1: ICMP echo request, id 1, seq 5241, length 40
19:22:28.530729 IP 10.0.0.33 > 224.0.0.5: OSPFv2, Hello, length 48
19:22:28.827140 IP 10.20.15.137 > 10.20.2.1: ICMP echo request, id 1, seq 5242, length 40
19:22:32.752012 IP 10.0.0.34 > 224.0.0.5: OSPFv2, Hello, length 48
19:22:33.835854 IP 10.20.15.137 > 10.20.2.1: ICMP echo request, id 1, seq 5243, length 40
19:22:38.824609 IP 10.20.15.137 > 10.20.2.1: ICMP echo request, id 1, seq 5244, length 40
19:22:39.531402 IP 10.0.0.33 > 224.0.0.5: OSPFv2, Hello, length 48

I found the solution.
The VyOS router is not the router sharing internet in 10.20.2.0/24.
I had to add static routes in the gateway for the subnets located in the VPN.

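As an added illustration (not code from the thread), the following simulator reproduces the asymmetric-routing failure the thread ends on: hosts in 10.20.2.0/24 send replies to their own internet gateway rather than to VyOS, so the echo reply never re-enters the tunnel until the gateway gets a route for the VPN subnet. The gateway address 10.20.2.254 and the node names are assumptions; every prefix and other address is taken from the posts above.

```python
from copy import deepcopy
from ipaddress import ip_address, ip_network

# Node addresses from the thread; "gateway" (10.20.2.254) is an assumed value.
ADDRS = {"pc": "10.20.15.137", "edgeos": "10.0.0.33", "vyos": "10.20.2.12",
         "host": "10.20.2.1", "gateway": "10.20.2.254"}

# Per-node forwarding tables: prefix -> next-hop node, None = directly connected.
TABLES = {
    "pc":       {"10.20.15.0/24": None, "0.0.0.0/0": "edgeos"},
    "edgeos":   {"10.20.15.0/24": None, "10.0.0.32/30": None,
                 "10.20.2.0/24": "vyos"},          # learned via OSPF over wg2
    "vyos":     {"10.0.0.32/30": None, "10.20.2.0/24": None,
                 "10.20.15.0/24": "edgeos"},       # learned via OSPF over wg15
    "host":     {"10.20.2.0/24": None, "0.0.0.0/0": "gateway"},
    "gateway":  {"10.20.2.0/24": None, "0.0.0.0/0": "internet"},
    "internet": {},                                # no route back to 10.20.15.0/24
}

def forward(src, dst, tables):
    """Hop-by-hop longest-prefix-match forwarding. Returns (path, delivered)."""
    node, path, dst_ip = src, [src], ip_address(dst)
    while True:
        matches = [ip_network(p) for p in tables[node] if dst_ip in ip_network(p)]
        if not matches:
            return path, False                     # no route: dropped at this node
        best = str(max(matches, key=lambda n: n.prefixlen))
        nxt = tables[node][best]
        if nxt is None:                            # connected: deliver on the LAN
            owner = next((n for n, a in ADDRS.items() if a == dst), None)
            if owner and owner != node:
                path.append(owner)
            return path, owner is not None
        node = nxt
        path.append(node)

def ping(src, dst, tables):
    """Echo request one way, echo reply back; ok only if both legs are delivered."""
    req, ok_req = forward(src, dst, tables)
    if not ok_req:
        return req, [], False
    rep, ok_rep = forward(req[-1], ADDRS[src], tables)
    return req, rep, ok_rep

def fixed_tables():
    """The fix from the last post: a static route on the gateway for the VPN subnet."""
    t = deepcopy(TABLES)
    t["gateway"]["10.20.15.0/24"] = "vyos"
    return t
```

With the original tables, a ping to 10.20.2.1 delivers the request (matching the echo requests seen in the wg15 tcpdump) but the reply dies at the internet gateway, while 10.20.2.12 answers because VyOS itself originates that reply.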
