So I've read and tried all I could find on the interwebs and I still can't get my head around this. I'm trying to accomplish something super easy with OpenVPN on my EdgeRouter X that seems impossible with WireGuard for me: Routing all traffic from LAN over the VPN interface and through to the internet.
Both ends connect fine, with wg show showing handshakes and all. On one end the EdgeRouter, on the other a WireGuard server on AWS EC2.
Basic routing plan is/was (worked with OpenVPN):
- 0.0.0.0/0 goes to eth0 (local ISP)
- 0.0.0.0/1 goes to wg0 (VPN)
- 128.0.0.0/1 goes to wg0 (VPN)
Switching the 2 routes to enabled will drop all internet traffic but LAN devices stay accessible. Router can't even ping 1.1.1.1. Disabling the 2 routes brings back traffic instantly.
One odd thing is wg0 Tx spikes to ~80Mbps when I turn both routes on but nothing for Rx. wg show on the AWS server shows not many packets sent/received and the router's show increasing Tx packets, no Rx. I feel like I have something wrong with ports on my router. I tried (not shown in config) to port fwd 54321 to wg0 without success.
Here's my EdgeRouter Config Dump:
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow WG"
            destination {
                port 54321
            }
            log disable
            protocol udp
        }
        rule 30 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WG_LOCAL {
        default-action drop
        description "WG to router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow WG Port"
            destination {
                port 54321
            }
            log enable
            protocol udp
        }
    }
    options {
        mss-clamp {
            interface-type wg
            mss 1380
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Switch
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Wifi
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Office
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        disable
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 10.0.0.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
    wireguard wg0 {
        address 10.50.0.2/32
        description "Wireguard VPN"
        listen-port 54321
        mtu 1420
        peer <peer hash> {
            allowed-ips 0.0.0.0/0
            endpoint 1.2.3.4:54321
            persistent-keepalive 25
            preshared-key /config/auth/preshared.key
        }
        private-key /config/auth/priv.key
        route-allowed-ips false
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    wan-interface eth0
}
protocols {
    static {
        interface-route 0.0.0.0/1 {
            next-hop-interface wg0 {
                description "All Local to VPN"
            }
        }
        interface-route 128.0.0.0/1 {
            next-hop-interface wg0 {
                description "All Local to VPN"
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.1
                lease 86400
                start 10.0.0.38 {
                    stop 10.0.0.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
            name-server 1.1.1.1
            name-server 1.0.0.1
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5011 {
            description "masquerade for WG"
            log disable
            outbound-interface wg0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    analytics-handler {
        send-analytics-report false
    }
    crash-handler {
        send-crash-report false
    }
    host-name my-net
    login {
        user admin {
            authentication {
                encrypted-password <hash>
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Montreal
}
traffic-control {
    smart-queue default {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 105mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 35mbit
        }
        wan-interface eth0
    }
}
Did you add the 0.0.0.0/1 and 128.0.0.0/1 to the main route table? What is the IP of the wireguard server you connected to? If you have those 3 routes, and nothing else, then how is your wireguard client going to reach the remote? If you put everything on the main table, then you must also add a static route that goes out your main interface for the IP of the wireguard server.
Your OpenVPN server is probably pushing a route for the special remote_host which the OpenVPN client resolves to whatever IP that it connected to.
If you set the AllowedIPs = 0.0.0.0/0 in your wireguard configuration, wg-quick actually does some magic for you to handle this that is pretty neat and easy. These ip rules are added, and an additional route table is added.
The wireguard will by default add a fwmark to all the packets with the value 51820 (51820 is 0xca6c in hex).
The rule from all lookup main suppress_prefixlength 0 will ignore the default route on your main table. Traffic directly to the wireguard peer external IP will not be marked with the fwmark so it will use the 32766 and go out the default route.
Anyway the point is, you probably don't need or want the 0.0.0.0/1 and 128.0.0.0/1 with wireguard on Linux. It has better ways of handling redirecting the default gateway than what OpenVPN has out of the box.