chriscoveyduck
commented
1 year ago Here are a set of config instructions I used recently to get ERX working as a client, routing all traffic via my Docker based Wireguard server. I found all the steps online tend to refer to EdgeRouter as a server, not the client, so I hope this config is useful.
The main issue I came across was a discrepancy in how VyoS and EdgeOS implement the routing steps. On EdgeOS defining 0.0.0.0/0 in the peers allowed-ips, and setting route-allowed-ips to true (default) causes a conflict with the default route on eth0.
To get around I set route-allowed-ips to false, and used Policy Based Routing to select traffic from INSIDE and route it across the wireguard tunnel.
Topology: EdgeRouterX (ERX) as a Wireguard client connecting to central Wireguard server.
ERX: -eth0 (Outside DHCP) -eth1 (Inside 192.168.1.1/24) -wg01 (Wireguard 10.13.13.5/24)
Wireguard Server -[fqdn/IP]:51820 -wg01 (10.13.13.1/24)
Prerequisites
- ERX defaulted and configured for WAN access using GUI.
- Latest firmware applied
- Peer config generated on Wireguard server and shared
Install Wireguard on ERX
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb
sudo dpkg -i ${BOARD}-${RELEASE}.deb
Configure a Wireguard interface (wg01)
set interfaces wireguard wg01 address 10.13.13.5/24
set interfaces wireguard wg01 private-key [peer private key]
set interfaces wireguard wg01 port 51820
set interfaces wireguard wg01 description wg-interface
set interfaces wireguard wg01 route-allowed-ips false
Add the Wireguard server peer
set interfaces wireguard wg01 peer '[server public key]' allowed-ips 0.0.0.0/0
set interfaces wireguard wg01 peer '[server public key]' preshared-key '[preshared-key]'
set interfaces wireguard wg01 peer '[server public key]' endpoint [server fqdn/IP]:51820
Add a static route for the new wg01 interface
set protocols static route 0.0.0.0/0 interface wg01
Add the firewall rule for WAN_LOCAL to allow wireguard connections (might not be needed for one-way, check you don't already have a rule 40)
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description WireGuard_IN
set firewall name WAN_LOCAL rule 40 destination port 51820
set firewall name WAN_LOCAL rule 40 log enable
set firewall name WAN_LOCAL rule 40 protocol udp
set firewall name WAN_LOCAL rule 40 source
Configure NAT on the tunnel, required in this example as Wireguard server only defines 10.13.13.5/32 in allowed-ips for the peer
set service nat rule 5001 description 'source NAT for wireguard'
set service nat rule 5001 outbound-interface wg01
set service nat rule 5001 type masquerade
set service nat rule 5001 protocol all
set service nat rule 5001 source address 192.168.1.0/24
Configure Policy Based Routing (PBR) to route all traffic for ERX 'INSIDE' across Wireguard
set protocols static table 100 route 0.0.0.0/0 next-hop 10.13.13.1
set firewall modify PBR rule 100 description route-wireguard
set firewall modify PBR rule 100 source address 192.168.1.0/24
set firewall modify PBR rule 100 modify table 100
set interface switch switch0 firewall in modify PBR
Please note on ERX ports 1-4 are configured on a switch, if you were doing this on an ER4+ you would need to modify that last command to apply the modify PBR onto one of the interfaces, not the switch.
Commit and test the config, save when sure it's working
commit
save
lennykean
iolate
Package version
1.0.20220627-1
Firmware version
v2.0.9-hotfix.4
Device
EdgeRouter Lite / PoE - e100
Issue description
I am admittedly not very experienced with wireguard. So, I'm not sure if this is an issue, or something I'm doing wrong. Either way, so a better guide for getting this set up would be really helpful.
With the following configuration, I get an error commiting
Error:
This seems to be because of a static route my WAN interface is auto-creating. The only way to avoid that is to disable the interface, which leaves me with no WAN so that's a no-go.
When trying to configure with route-allowed-ips=false, I can commit the changes, but I can't figure out how to route traffic to the interface. A configure like this seems like it should work, but it does not.
Configuration and log output
No response