Closed jhspyhard closed 2 years ago
Hi @jhspyhard,

With regards to the firewall rules, the problem is Ubiquiti only forwards interfaces it created to its rules. If you want to also forward the wireguard interface to the Ubiquiti rules, you can add custom rules to jump to the correct chains like this in SSH:

```sh
iptables -A FORWARD -i wg0 -j UBIOS_LAN_IN_USER
iptables -A FORWARD -o wg0 -j UBIOS_LAN_OUT_USER
iptables -A INPUT -i wg0 -j UBIOS_LAN_LOCAL_USER
```

Make sure to change `wg0` to your interface name if different. This will add the jumps for LAN IN, LAN OUT, and LAN LOCAL for the wireguard interface, which will make it honour the rules.

You can also add it to PostUp/PreDown like so:

```
PostUp = iptables -A FORWARD -i %i -j UBIOS_LAN_IN_USER; iptables -A FORWARD -o %i -j UBIOS_LAN_OUT_USER; iptables -A INPUT -i %i -j UBIOS_LAN_LOCAL_USER
PreDown = iptables -D FORWARD -i %i -j UBIOS_LAN_IN_USER; iptables -D FORWARD -o %i -j UBIOS_LAN_OUT_USER; iptables -D INPUT -i %i -j UBIOS_LAN_LOCAL_USER
```

With regards to the client list, you will not be able to see WG clients on your Unifi dashboard. Ubiquiti most likely uses the neighbour protocol to find clients on the network. However, the WireGuard protocol does not support the neighbour protocol (nor any broadcast/multicast traffic). In addition, Ubiquiti might configure their detection to only work on the networks they created. So in any case, this is not supported.
This definitely did the trick. Thank you so much for taking the time to reply with a great explanation of what was happening, and the steps to fix it!
No problem! I'll close this issue now since it's been answered, but if you have any more questions, please feel free to open another issue! Have a nice day.
I had a bit of follow up on this ticket. I have been struggling to get my wireguard connection to survive reboots and I spent a bit of time troubleshooting and eventually ended up pulling the following error output from the `wg-quick up wg0` command being run by the on_boot.d code:

```
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.26.1/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 192.168.26.4/32 dev wg0
[#] ip -4 route add 192.168.26.3/32 dev wg0
[#] ip -4 route add 192.168.26.2/32 dev wg0
[#] iptables -A FORWARD -i wg0 -j UBIOS_LAN_IN_USER; iptables -A FORWARD -o wg0 -j UBIOS_LAN_OUT_USER; iptables -A INPUT -i wg0 -j UBIOS_LAN_LOCAL_USER
iptables v1.6.2: Couldn't load target `UBIOS_LAN_IN_USER':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
```

It looks like I have some timing issues occurring where IPTables is trying to apply the Ubiquiti firewall chain rules to the wireguard connection, but the chains don't yet exist at this point of the boot-up processing.

I currently have my script set to a reasonably late priority `70_wireguard_connection.sh` in the on_boot.d directory. Do you have any other suggestions in terms of delaying running the `wg-quick up wg0` command until the `UBIOS_LAN_IN_USER`, `UBIOS_LAN_OUT_USER` and `UBIOS_LAN_LOCAL_USER` IPTables chains have come to exist?
Hi @jhspyhard,

On my UDMP it seems those chains exist when the script is run at boot even when it's the first script to run. Are you on the latest on-boot-script?

Anyhow maybe I'm just not encountering the timing issue. But just to be safe, you could add this snippet to your wireguard_connection.sh boot script before you run wg-quick.

```sh
# Poll for up to 300 seconds until all three UbiOS user chains exist.
for i in $(seq 300 -1 0); do
    (
        iptables -L UBIOS_LAN_IN_USER && \
        iptables -L UBIOS_LAN_OUT_USER && \
        iptables -L UBIOS_LAN_LOCAL_USER
    ) >/dev/null 2>&1 && break   # all three chains present: stop waiting
    if [ "$i" = "0" ]; then
        echo "Timeout reached. Exiting."
        exit 1
    fi
    sleep 1
done
```
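Putting the two suggestions in this thread together (the jump rules from the first reply and the chain-wait loop above), here is an added boot script, written for this page and not part of udm-utilities or anyone's posted scripts. It waits for the UbiOS user chains, brings the tunnel up, and then attaches the interface to the chains idempotently: each jump is checked with `iptables -C` before it is appended, so a re-run of the boot script, or a PostUp line that already added the same rule, cannot leave duplicate jumps in FORWARD or INPUT. Assumptions of mine: the chain names quoted in the thread, the interface name `wg0`, the install name `70_wireguard_connection.sh` from the thread, and an `IPT` variable that lets the logic be exercised with a stand-in for `iptables`.

```sh
#!/bin/sh
# Added example (not udm-utilities code): /mnt/data/on_boot.d/70_wireguard_connection.sh
# Assumed chain names are the ones quoted in the issue thread.

IPT=${IPT:-iptables}   # overridable so the logic can be tried without root / iptables
WG_IF=${WG_IF:-wg0}
CHAINS="UBIOS_LAN_IN_USER UBIOS_LAN_OUT_USER UBIOS_LAN_LOCAL_USER"

# Poll until all three UbiOS user chains exist or $1 seconds have elapsed.
wait_for_chains() {
    limit=${1:-300}
    i=$limit
    while :; do
        ok=1
        for c in $CHAINS; do
            "$IPT" -L "$c" -n >/dev/null 2>&1 || { ok=0; break; }
        done
        [ "$ok" = 1 ] && return 0
        [ "$i" -le 0 ] && { echo "Timeout waiting for UbiOS chains" >&2; return 1; }
        i=$((i - 1))
        sleep 1
    done
}

# The three jumps are written once here and reused for add, check, delete
# and count, so the code paths cannot drift apart.
for_each_jump() {
    "$@" FORWARD -i "$WG_IF" -j UBIOS_LAN_IN_USER
    "$@" FORWARD -o "$WG_IF" -j UBIOS_LAN_OUT_USER
    "$@" INPUT   -i "$WG_IF" -j UBIOS_LAN_LOCAL_USER
}

# -C (check) before -A (append): repeated runs must not duplicate the jump.
add_jump()    { "$IPT" -C "$@" 2>/dev/null || "$IPT" -A "$@"; }
# Delete every copy, in case an older PostUp did leave duplicates behind.
delete_jump() { while "$IPT" -C "$@" 2>/dev/null; do "$IPT" -D "$@"; done; }
# Always returns 0 so a missing rule does not abort a set -e caller.
count_one()   { if "$IPT" -C "$@" 2>/dev/null; then n=$((n + 1)); fi; return 0; }

ensure_jumps() { for_each_jump add_jump; }
remove_jumps() { for_each_jump delete_jump; }
# Prints how many of the three jumps are currently installed (0..3).
count_jumps()  { n=0; for_each_jump count_one; echo "$n"; }

main() {
    case "${1:-up}" in
        up)
            # Until the jumps exist, wg0 traffic bypasses the LAN IN/OUT/LOCAL
            # rules, so do not bring the tunnel up before the chains are there.
            wait_for_chains 300 || exit 1
            wg-quick up "$WG_IF"
            ensure_jumps
            ;;
        down)
            remove_jumps
            wg-quick down "$WG_IF"
            ;;
        *) echo "usage: $0 [up|down]" >&2; exit 2 ;;
    esac
}

# on_boot.d executes the installed file directly (default action: up). Under
# any other file name, e.g. when sourced into a shell to try the functions,
# nothing runs automatically.
case "$0" in *_wireguard_connection.sh) main "$@" ;; esac
```

With this script in place the PostUp/PreDown lines in the `.conf` become optional; if they stay, the `-C` check sees the rule PostUp already appended and skips it. After a reboot, `iptables -S FORWARD | grep wg0` and `iptables -S INPUT | grep wg0` should each show exactly one jump per chain, and a second run of the script should leave that output unchanged.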
Hey @peacey,

I think there must have been something not quite right with my install of udm-utilities. I reinstalled it, and it appears like now all of my scripts are consistently being run with no issues on boot.

I appreciate you spending a bit of your Saturday evening thinking through suggestions on things to try. Thank you - as always - and have a great rest of your weekend!
I have been having a couple of issues with WireGuard which are probably configuration related, so please be gentle :).

Issue 1: I have set up VPN connectivity from my external smart phone into my UDMP's `192.168.26.0/24` VLAN, via WG. One of the problems that I am running into is that the WG `wg0` interface seems to be side-stepping all of the other Ubiquiti LAN-IN type firewall rules that should apply to a machine sending requests originating from my `192.168.26.0/24` VLAN. For instance, from the connecting Peer device I am able to access some isolated hosts in my `192.168.5.0/24` VLAN which should be unable to reach each other.

My Wireguard configuration is as follows:

And info on the active `wg0` connection:

I had some `PostUp` and `PostDown` IPTables rules that I thought might be responsible for this expanded access, but having removed them completely the behavior seemed to continue.

Issue 2: The second problem may or may not be related to the first issue or maybe the UDMP's handling of non-DHCP set static IPs... I would have expected my clients connecting into the network via WG to show up in the Ubiquiti Network Controller's Clients list. They are NOT showing up for me. Do WG peers normally show up in that list and if so, any thoughts what I might need to change to get that working?

I've interacted a bit with you guys in r/Ubiquiti and you are awesome! Thanks so much for your time spent extending the UDMP with these sorts of useful functionalities, and your time in fielding networking-newbie posts like this.