WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

Site to Site routes lost when modifying NAT rules with EdgeRouter 4 v2.0.9-hotfix.1 #76

Open inzi opened 3 years ago

inzi commented 3 years ago

Preface: I could be doing this wrong, I'm still trying to get site to site working, but here's something I've noticed.

I have two ER4s, each running 2.0.9-hotfix.1

HOME) 10.50.50.1/32 OFFICE) 10.50.50.2/32

In trying to make site to site work (which it does NOT work at this point), I've tried to add nat rules for my WG0 interfaces on both ends.

In doing so, a traceroute test that I would run from HOME to a node on OFFICE would go to gateway, OFFICE, then time out.

After adding nat rules, the home ER4 would start routing the traceroute to its default gateway, not over WG0.

Removing the nat rule would not revert the routing back; only deleting the wg0 and recreating would resolve the issue.

TO RECREATE:

To recreate, default edgeOS config.

Setup WG tunnel:

Home

set interfaces wireguard wg0 address 10.50.50.1/32
set interfaces wireguard wg0 listen-port 51821
set interfaces wireguard wg0 peer NMJE1Lwt3/c8z+nbJnrrS6rUasdsUM9i22L/Jp9jpAk= endpoint :51822
set interfaces wireguard wg0 peer NMJE1Lwt3/c8z+nbJnrrS6rUasdsUM9i22L/Jp9jpAk= allowed-ips 10.50.50.2/32
set interfaces wireguard wg0 peer NMJE1Lwt3/c8z+nbJnrrS6rUasdsUM9i22L/Jp9jpAk= allowed-ips 10.50.5.0/24
set interfaces wireguard wg0 private-key
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 mtu 1300
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 description 'WireGuard'
set firewall name WAN_LOCAL rule 20 destination port 51821

Office

set interfaces wireguard wg0 address 10.50.50.2/32
set interfaces wireguard wg0 listen-port 51822
set interfaces wireguard wg0 peer Mv8dKyfRoTTpkfSjNQNy7/IKY+ktfjnFU34DsIGiUwY= endpoint :51821
set interfaces wireguard wg0 peer Mv8dKyfRoTTpkfSjNQNy7/IKY+ktfjnFU34DsIGiUwY= allowed-ips 10.50.50.1/32
set interfaces wireguard wg0 peer Mv8dKyfRoTTpkfSjNQNy7/IKY+ktfjnFU34DsIGiUwY= allowed-ips 10.50.1.0/24
set interfaces wireguard wg0 private-key
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 mtu 1300
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 description 'WireGuard'
set firewall name WAN_LOCAL rule 20 destination port 51822

Once established, verify you can ping each end and their eth1 interface.

Do a traceroute to remote wg0 IP.

Create a nat rule on one end for the wg0 interface.

Do a traceroute to the remote wg IP; it will go out the default gateway.

Remove the nat rule.

Do a traceroute to the remote wg IP; it will still go out the default gateway.

-- on a side note, if anyone on this planet has a sanitized example boot.config of a simple site to site Wireguard-vyatta-ubnt tunnel routing the two networks to each other I'd be most appreciative. I know I'm missing some core concepts, or misunderstanding some basics, and there is nowhere that I've found that provides steps to make this work.

whiskerz007 commented 3 years ago

Try the following. Make sure you remove the /32 addresses also.

Home:

set interfaces wireguard wg0 address 10.50.50.1/24

Office:

set interfaces wireguard wg0 address 10.50.50.2/24

inzi commented 3 years ago

Thanks for the information - I got my Wireguard site to site working!

FossoresLP commented 3 years ago

Great to hear you got it to work. I'll close this issue then.

inzi commented 3 years ago

Just an FYI - I opened the issue because adding nat rules around the WG0 interface causes EdgeOS to mangle routes to the WG0 interface.

FossoresLP commented 3 years ago

Ok, thanks for the clarification. In that case I'll reopen the issue.

whiskerz007 commented 3 years ago

@inzi Please share a reproducible process for the fault you are describing. If you can, share what is expected and what is actual. This will greatly help with the debugging process.

inzi commented 3 years ago

I'll try, but now that I'm up and running... I may have to try and recreate steps when I can bring tunnel down... but IIRC

Base config - ER4s, each running 2.0.9-hotfix.1.

Add WG interface at both ends.

Verify devices can ping each other.

Check routing, note remote network route.

On one end, add an outbound NAT rule for internal network, with target being WG0.

Check routing; if the routes have changed, delete the NAT rule.

Changed routing doesn't revert back to pre nat rule state.

Apologies, when I found this I was trying all sorts of things to get hosts to ping each other (and it was totally not a WG related issue), so I was likely doing things never intended to be attempted. And I tried a lot of very likely stupid things.

Will attempt to recreate when opportunity presents itself.
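A check for the regression these steps describe (and the original report above): derive the routes EdgeOS should hold for wg0 from the config's allowed-ips and confirm that `ip route show` still sends them via wg0 rather than the default gateway after a NAT change. This is an added example, not code from the wireguard-vyatta-ubnt project or from anyone in this thread; the config and route snapshots are constructed from the HOME side of the issue, with the peer public key replaced by a placeholder.

```python
"""Added example (not code from the wireguard-vyatta-ubnt project or this thread):
derive the routes EdgeOS should install from wg0's allowed-ips and check them
against `ip route show` output, so a lost tunnel route is caught early."""
import re
import ipaddress
# Constructed sample: HOME config from the issue, peer public key as a placeholder.
HOME_CONFIG = """
set interfaces wireguard wg0 address 10.50.50.1/24
set interfaces wireguard wg0 peer PEER_PUBKEY_PLACEHOLDER allowed-ips 10.50.50.2/32
set interfaces wireguard wg0 peer PEER_PUBKEY_PLACEHOLDER allowed-ips 10.50.5.0/24
set interfaces wireguard wg0 route-allowed-ips true
"""
# Constructed `ip route show` snapshots: healthy, and after the route to the
# remote LAN is gone so only the default route via eth0 still matches it.
ROUTES_OK = """default via 192.0.2.1 dev eth0
10.50.5.0/24 dev wg0 scope link
10.50.50.0/24 dev wg0 proto kernel scope link src 10.50.50.1"""
ROUTES_BROKEN = """default via 192.0.2.1 dev eth0
10.50.50.0/24 dev wg0 proto kernel scope link src 10.50.50.1"""

def expected_routes(config, iface="wg0"):
    """Prefixes that should egress via iface: each peer allowed-ips entry,
    but only when route-allowed-ips is true for that interface."""
    if not re.search(rf"wireguard {iface} route-allowed-ips true", config):
        return set()
    found = re.findall(rf"wireguard {iface} peer \S+ allowed-ips (\S+)", config)
    return {ipaddress.ip_network(p, strict=False) for p in found}

def parse_routes(ip_route_output):
    """(network, device) pairs; 'default' becomes 0.0.0.0/0 and host routes,
    which ip prints without a prefix length, become /32."""
    table = []
    for line in ip_route_output.splitlines():
        f = line.split()
        if f and "dev" in f:
            dst = "0.0.0.0/0" if f[0] == "default" else f[0]
            table.append((ipaddress.ip_network(dst, strict=False), f[f.index("dev") + 1]))
    return table

def misrouted(config, ip_route_output, iface="wg0"):
    """Expected tunnel prefixes whose longest-prefix match is not via iface."""
    table = parse_routes(ip_route_output)
    bad = set()
    for prefix in expected_routes(config, iface):
        matches = [(n, d) for n, d in table if prefix.subnet_of(n)]
        best = max(matches, key=lambda m: m[0].prefixlen, default=None)
        if best is None or best[1] != iface:
            bad.add(str(prefix))
    return bad
```

On a live router, feed `misrouted()` the output of `show configuration commands | match wireguard` and `ip route show` before and after the NAT change; a non-empty result is the symptom reported here.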

whiskerz007 commented 3 years ago

@inzi Please share the commands you used and resulting outputs. In order for other people to recreate the environment, we need to see the actual configuration used.