WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

Tunnel Not Passing Traffic #83

Open mlathrop-bell opened 3 years ago

mlathrop-bell commented 3 years ago

I've been banging my head on this issue for a whole day and I'm hoping someone can shed some light.

I have an Ubuntu server running WireGuard in Docker and I can connect to that from an Ubuntu machine on my network. I also have an EdgeRouter X on the network (it is behind a NAT and currently just serves as a DHCP server). When I use the exact same config on the EdgeRouter, the connection won't allow me to ping like I can from the Ubuntu machine.

The config file running on the Ubuntu machine, which works with wg-quick up:

[Interface]
Address = 192.168.55.4
PrivateKey = <redacted>
ListenPort = 51820

[Peer]
PublicKey = <redacted>
Endpoint = <server public ip>:51824
AllowedIPs = 192.168.55.0/24, 10.0.0.0/16
PersistentKeepalive = 10

However, when I run the commands below on the EdgeRouter (which I just reset to factory settings, other than changing the IP/network of eth0 to 192.168.113.2/24), I can see the wg0 interface get created and it shows "connected" in the GUI, but I can't ping over it and it shows no traffic received when I run sudo wg show. (For the address line I also tried 192.168.55.4/32.)

configure
set interfaces wireguard wg0 address 192.168.55.4/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key <private_key>
set interfaces wireguard wg0 peer <redacted> endpoint <server public ip>:51824
set interfaces wireguard wg0 peer <redacted> allowed-ips 192.168.55.0/24
set interfaces wireguard wg0 peer <redacted> allowed-ips 10.0.0.0/24
set interfaces wireguard wg0 peer <redacted> persistent-keepalive 10
commit
save
exit

For reference the server config looks like this:

[Interface]
Address = 192.168.55.1
ListenPort = 51820  # the docker config redirects 51824->51820
PrivateKey = <redacted>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <redacted>
AllowedIPs = 192.168.55.4/32

Any pointers would be appreciated!

dc361 commented 3 years ago

1) Did you allow port 51820 through your wan-local firewall?

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Accept Wireguard VPN server connections'
set firewall name WAN_LOCAL rule 30 destination port 51820
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 source address 0.0.0.0/0
set firewall name WAN_LOCAL rule 30 state established enable
set firewall name WAN_LOCAL rule 30 state new enable
set firewall name WAN_LOCAL rule 30 state related enable

2) The /24 is appropriate for the wg0 interface

set interfaces wireguard wg0 address 192.168.55.4/24

3) Although not truly required, I like to add a /32 for the "Server" in the allowed IPs

set interfaces wireguard wg0 peer <server public key> allowed-ips 192.168.55.1/32

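Both posts above compare configurations by eye: the wg-quick file against the EdgeOS set commands, and the WAN_LOCAL rule against the listen port. The following is an added example, not code from the issue or from the wireguard-vyatta-ubnt project, that does that comparison mechanically. It assumes the posted values, with 203.0.113.10 as a constructed placeholder for the redacted server IP and <redacted> for keys, and reports every allowed-ips network present on only one side plus whether a WAN_LOCAL rule accepts UDP on the listen port. It makes no claim about which difference explains the missing traffic; it only makes the differences visible.

```python
"""Added example (not from the issue or the wireguard-vyatta-ubnt project):
parse a wg-quick client config and a list of EdgeOS 'set' commands, then
report where the two disagree. Sample inputs below are constructed from
the thread; keys are placeholders and 203.0.113.10 stands in for the
server's public IP."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed: the wg-quick config from the first post (keys redacted).
WG_QUICK_CONF = """
[Interface]
Address = 192.168.55.4
PrivateKey = <redacted>
ListenPort = 51820

[Peer]
PublicKey = <redacted>
Endpoint = 203.0.113.10:51824
AllowedIPs = 192.168.55.0/24, 10.0.0.0/16
PersistentKeepalive = 10
"""

# Constructed: the EdgeOS commands from the first post plus the WAN_LOCAL
# rule from the reply; <redacted> stands in for the peer's public key.
EDGEOS_CMDS = """
set interfaces wireguard wg0 address 192.168.55.4/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 peer <redacted> endpoint 203.0.113.10:51824
set interfaces wireguard wg0 peer <redacted> allowed-ips 192.168.55.0/24
set interfaces wireguard wg0 peer <redacted> allowed-ips 10.0.0.0/24
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Accept Wireguard VPN server connections'
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 51820
"""

def parse_wg_quick(text):
    """Return {'Interface': {...}, 'Peers': [{...}, ...]} from INI-style text."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick allows '#' comments
        if not line:
            continue
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        else:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return {"Interface": iface, "Peers": peers}

def parse_edgeos(text):
    """Collect wg0 listen-port, peer allowed-ips and WAN_LOCAL rules from 'set ...' lines."""
    cfg = {"listen_port": None, "allowed_ips": set(), "fw_rules": defaultdict(dict)}
    for raw in text.splitlines():
        tok = shlex.split(raw)  # shlex keeps the quoted description together
        if len(tok) < 6 or tok[0] != "set":
            continue
        if tok[1:4] == ["interfaces", "wireguard", "wg0"]:
            if tok[4] == "listen-port":
                cfg["listen_port"] = tok[5]
            elif tok[4] == "peer" and len(tok) >= 8 and tok[6] == "allowed-ips":
                cfg["allowed_ips"].add(ipaddress.ip_network(tok[7]))
        elif tok[1:5] == ["firewall", "name", "WAN_LOCAL", "rule"] and len(tok) >= 8:
            # 'destination port 51820' becomes rule['destination port'] = '51820'
            cfg["fw_rules"][tok[5]][" ".join(tok[6:-1])] = tok[-1]
    return cfg

def wan_local_accepts_udp(cfg, port):
    """True if some WAN_LOCAL rule accepts UDP to the given destination port."""
    return any(r.get("action") == "accept" and r.get("protocol") == "udp"
               and r.get("destination port") == str(port)
               for r in cfg["fw_rules"].values())

def compare(wg_text, edgeos_text):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    wg, eo = parse_wg_quick(wg_text), parse_edgeos(edgeos_text)
    findings = []
    port = wg["Interface"].get("ListenPort")
    if port != eo["listen_port"]:
        findings.append(f"listen-port: wg-quick {port} vs EdgeOS {eo['listen_port']}")
    # AllowedIPs is a comma-separated list in wg-quick, one set line per network in EdgeOS
    wg_allowed = {ipaddress.ip_network(n.strip()) for p in wg["Peers"]
                  for n in p.get("AllowedIPs", "").split(",") if n.strip()}
    for net in sorted(wg_allowed - eo["allowed_ips"], key=str):
        findings.append(f"allowed-ips: {net} is in wg-quick but not in EdgeOS")
    for net in sorted(eo["allowed_ips"] - wg_allowed, key=str):
        findings.append(f"allowed-ips: {net} is in EdgeOS but not in wg-quick")
    if port and not wan_local_accepts_udp(eo, port):
        findings.append(f"WAN_LOCAL: no accept rule for udp/{port}")
    return findings

if __name__ == "__main__":
    for line in compare(WG_QUICK_CONF, EDGEOS_CMDS) or ["no differences found"]:
        print(line)
```

Run against the constructed samples it reports the one allowed-ips network that differs between the two sides (10.0.0.0/16 in the wg-quick file, 10.0.0.0/24 on the router); with the WAN_LOCAL lines removed it additionally reports the missing UDP accept rule. AllowedIPs is what WireGuard's cryptokey routing uses to decide which packets may enter and leave the tunnel, so a prefix that differs between the two peers is the first thing worth checking when an interface shows "connected" but passes no traffic.
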
RealMuhko commented 3 years ago

Hello,

Try adding outbound masquerading for wg0 on your EdgeRouter X.

configure
set service nat rule 5000 description 'WireGuard'
set service nat rule 5000 outbound-interface wg0
set service nat rule 5000 type masquerade
commit
save