WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

Clients can access LAN but not internet #126

Closed JSaterdalen closed 1 year ago

JSaterdalen commented 1 year ago

Package version

1.0.20220627

Firmware version

4.4.56

Device

UniFi Security Gateway - UGW3

Issue description

Using the setup in the wiki guide, clients can connect to the USG and access LAN devices. Clients cannot hit the internet.

I am using UI firewall rules instead of the one in the server config example.

Client config:

[Interface]
PrivateKey = <private key>
DNS = 10.2.1.1
MTU = 1500

[Peer]
PublicKey = <public key>
AllowedIPs = ::/0, 0.0.0.0/0
Endpoint = <fqdn>:51820
PersistentKeepalive = 25

Configuration and log output

{
  "interfaces": {
    "wireguard": {
      "wg0": {
        "address": ["10.2.1.1/24"],
        "firewall": {
          "in": {
            "name": "LAN_IN"
          },
          "local": {
            "name": "LAN_LOCAL"
          },
          "out": {
            "name": "LAN_OUT"
          }
        },
        "listen-port": "51820",
        "mtu": "1500",
        "peer": [
          {
            "<public-key>": {
              "allowed-ips": ["10.2.1.10/32"],
              "persistent-keepalive": 25
            }
          }
        ],
        "private-key": "/config/auth/wireguard/wg_private.key",
        "route-allowed-ips": "true"
      }
    }
  }
}

jasimancas commented 1 year ago

Have you configured the NAT rule for the output to the Internet?

JSaterdalen commented 1 year ago

@jasimancas I created the firewall rule on "Internet Local" with a destination port of 51820, per the guide. Didn't think there would be anything else to do, but I did try adding an "Internet Out" rule with a source of the wireguard subnet, and that didn't seem to work.

How would you configure the NAT rule on the USG?

jasimancas commented 1 year ago

Try with this @JSaterdalen :

set service nat rule 6004 type masquerade
set service nat rule 6004 description "MASQ wireward_network to WAN"
set service nat rule 6004 protocol all
set service nat rule 6004 log disable
set service nat rule 6004 source address XXX.XXX.XXX.XXX/XX (LAN wireguard)
set service nat rule 6004 outbound-interface XXXXX (in my case it is pppoe2 but in yours it may be another one)
commit
save
exit

I used rule 6004 because I already had 6001, 6002 and 6003 in use for NAT, and it corresponded to the fourth. You can see the configuration with the command mca-ctrl -t dump-cfg; there you will see the NAT rules you have for the USG networks, and it is simply the same for the WireGuard network.
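As an added example (not from this thread or the wireguard-vyatta-ubnt project), a check that reads a saved `mca-ctrl -t dump-cfg` JSON export and reports every WireGuard subnet that no masquerade NAT rule covers, which is exactly the "LAN works, internet does not" state above. The key layout is assumed to mirror the `set ...` command hierarchy, and the sample config is constructed.

```python
import ipaddress
import json

# Constructed sample in the shape of `mca-ctrl -t dump-cfg` output (assumption:
# it mirrors the `set ...` command hierarchy); only the parts the check reads.
SAMPLE_CFG = json.dumps({
    "interfaces": {"wireguard": {"wg0": {"address": ["10.2.1.1/24"]}}},
    "firewall": {"group": {"network-group": {
        "wireguard_network": {"network": ["10.2.1.0/24"]}}}},
    "service": {"nat": {"rule": {  # LAN is masqueraded, the tunnel subnet is not
        "6001": {"type": "masquerade", "outbound-interface": "eth0",
                 "source": {"address": "192.168.1.0/24"}}}}},
})

def as_list(v):
    return v if isinstance(v, list) else [v]

def wireguard_networks(cfg):
    """{ifname: [IPNetwork, ...]} for every configured WireGuard interface."""
    wg = cfg.get("interfaces", {}).get("wireguard", {})
    return {n: [ipaddress.ip_interface(a).network for a in as_list(i.get("address", []))]
            for n, i in wg.items()}

def rule_sources(cfg, rule):
    """CIDRs a NAT rule's source matches: a literal address, a network-group, or all."""
    src = rule.get("source", {})
    if "address" in src:
        return [src["address"]]
    group = src.get("group", {}).get("network-group")
    if group:
        groups = cfg.get("firewall", {}).get("group", {}).get("network-group", {})
        return as_list(groups.get(group, {}).get("network", []))
    return ["0.0.0.0/0", "::/0"]  # no source filter: masquerades everything

def rule_covers(cfg, rule, net):
    for cidr in rule_sources(cfg, rule):
        if cidr.startswith("!"):  # negated match never counts as coverage
            continue
        other = ipaddress.ip_network(cidr, strict=False)
        if other.version == net.version and net.subnet_of(other):
            return True
    return False

def missing_masquerade(cfg_json):
    """(ifname, network) pairs with no masquerade rule: clients reach LAN only."""
    cfg = json.loads(cfg_json)
    rules = cfg.get("service", {}).get("nat", {}).get("rule", {})
    masq = [r for r in rules.values() if r.get("type") == "masquerade"]
    return [(ifname, str(net)) for ifname, nets in wireguard_networks(cfg).items()
            for net in nets if not any(rule_covers(cfg, r, net) for r in masq)]
```

Run it against the real export with `missing_masquerade(open("cfg.json").read())`; an empty list means every tunnel subnet has a masquerade rule, but you still need to confirm that rule's outbound-interface is your WAN.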

JSaterdalen commented 1 year ago

I removed my firewall rule in the UI, and added the firewall rule and network group section from the wiki back to the config. It's working now! Having the network group must have done it.

mshahat commented 1 year ago

Hello @jasimancas, I am a bit lagging on the firewall configurations on my UDM SE, slightly new to networking in general, and that's part of building my first home lab. I have a UDM SE, I've set up WireGuard, and I am trying to configure the required firewall rules on the UDM SE at the moment.

Is it possible to explain the same steps but based on the UI? I am trying to document everything based on the UI rather than the terminal, please.

Many thanks!