New Member
Posts: 24
Registered: ‎02-11-2018
Kudos: 1

Re: Release: WireGuard for EdgeRouter


@karog wrote:

 

@aaomidi wrote:

Does anyone have a writeup of putting the entire internet traffic through Wireguard? For example if I've purchased a package from Mullvad.

 


Set the AllowedIPs for the peer (Mullvad) to 0.0.0.0/0


If you care about IPv6 too:

AllowedIPs = 0.0.0.0/0, ::/0

For example I found that on T-Mobile LTE some traffic will bypass the VPN because they use IPv6 by default if you don't mess with the APN settings to set it to IPv4.

Member
Posts: 164
Registered: ‎01-30-2014
Kudos: 97
Solutions: 3

Re: Release: WireGuard for EdgeRouter

OK! On 1.10.8!

Factory defaulted,

flashed older FW,

fixed eth0 IP to not conflict (I'll use my ER-Lite as a WireGuard server inside my LAN, port-forwarded from my USG, to route VPN traffic to the LAN).

Did a static route to 0.0.0.0/0 with next hop 192.168.1.1 to tell the ER-Lite where to go for the internet.

Set system nameserver.

Ping is working fine.

 

 

sudo apt-get update
...
sudo apt-get install wget
...
wget https://github.com/Lochnair/vyatta-wireguard/releases/download/0.0.20181007-1/wireguard-e100-0.0.20181007-1.deb
...
sudo dpkg -i wireguard-e100-0.0.20181007-1.deb
...
Setting up wireguard (0.0.20181007-1) ...

 

So, here I am now. Any pointers on my next step ?

 

 

@ubnt:~$ show configuration
interfaces {
    ethernet eth0 {
        address 192.168.1.225/24
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address dhcp
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.1.1 {
            }
        }
    }
}
@ubnt:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         192.168.1.225/24                  u/u
eth1         -                                 u/D
eth2         -                                 u/D
lo           127.0.0.1/8                       u/u
             ::1/128

 

So all looks shiny clean.

 

 

set interfaces wireguard
Possible completions:
  <wgN>         WireGuard interface name

 

Command is there :)

 

Now what ? XD

 

Essentially, I have a cellphone (official app) and a laptop (Windows 10; I'll use TunSafe, I know it's the TAP stuff and not official, but as long as the Go project isn't done...).

 

I want to, wherever I am on whatever IP on the net, be able to VPN into my LAN and route to stuff as if I was on my LAN (ALL traffic going through the VPN except for the local LAN where my client is).

 

I get (I believe) that I need to create the WG interface a bit like that (mydomainresolvingtomyerlite.ip being my dynamic DNS service), so the endpoint... but when I look at https://www.wireguard.com/quickstart/ heh... it doesn't look like the commands I have on EdgeOS XD

 

Help :D

 

 

configure

set interfaces wireguard wg0 address 192.168.33.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips true

set interfaces wireguard wg0 peer privatekey1= endpoint mydomainresolvingtomyerlite.ip:29922
set interfaces wireguard wg0 peer privatekey1= allowed-ips 0.0.0.0/0

commit
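The road-warrior setup asked about above (phone and laptop reaching the LAN, all traffic through the tunnel except the client's own local network), as an added example that is not part of the thread or the EdgeOS package. Two points it encodes: in EdgeOS the token after `peer` is that peer's *public* key, never a private key; and WireGuard has no "deny" entries, so "everything except my LAN" has to be written as the list of prefixes that cover 0.0.0.0/0 and ::/0 minus that LAN (leaving ::/0 out is exactly how IPv6 leaks past the tunnel on an LTE link). Keys, the endpoint hostname, the WAN interface name, the NAT/firewall rule numbers and the subnets are placeholders; generate real keys with `wg genkey | tee client.key | wg pubkey`.

```python
"""Road-warrior WireGuard on an EdgeRouter: EdgeOS `set` commands for the wg0
hub plus a client .conf whose AllowedIPs sends all IPv4 and IPv6 traffic into
the tunnel except the client's own local LAN.

Added example (not from the thread). All keys, hostnames, ports, interface
names and subnets are placeholders.
"""
import ipaddress
from typing import Iterable, List, Tuple

V4_ALL, V6_ALL = ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")


def allowed_ips_excluding(excluded: Iterable[str]) -> List[str]:
    """Complement of `excluded` within 0.0.0.0/0 and ::/0, as CIDR strings.

    AllowedIPs is only a list of prefixes, so the exclusion must be spelled
    out as the covering prefixes around the hole.
    """
    remaining = [V4_ALL, V6_ALL]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        nxt = []
        for net in remaining:
            if net.version != ex.version:
                nxt.append(net)                      # other address family
            elif ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))  # carve the hole out
            elif not net.subnet_of(ex):
                nxt.append(net)                      # untouched by exclusion
            # else: net lies entirely inside the exclusion -> dropped
        remaining = nxt
    return [str(n) for n in sorted(remaining,
                                   key=lambda n: (n.version, int(n.network_address)))]


def covered(allowed: Iterable[str], ip: str) -> bool:
    """True when `ip` would be routed into the tunnel by these AllowedIPs."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n
               for n in map(ipaddress.ip_network, allowed))


def edgeos_server_commands(wg_subnet: str, listen_port: int, hub_priv: str,
                           wan_if: str, peers: Iterable[Tuple[str, str]]) -> List[str]:
    """configure-mode commands for the hub. `peers` is (client PUBLIC key,
    client tunnel address); each client gets a /32 so it cannot use another
    client's address. Rule numbers 40/5010 are assumed free."""
    wg_net = ipaddress.ip_network(wg_subnet)
    hub_ip = next(wg_net.hosts())
    cmds = [
        f"set interfaces wireguard wg0 address {hub_ip}/{wg_net.prefixlen}",
        f"set interfaces wireguard wg0 listen-port {listen_port}",
        f"set interfaces wireguard wg0 private-key {hub_priv}",
        "set interfaces wireguard wg0 route-allowed-ips true",
    ]
    for pub, ip in peers:
        cmds.append(f"set interfaces wireguard wg0 peer {pub} allowed-ips {ip}/32")
    cmds += [
        # handshakes are addressed TO the router: WAN_LOCAL, not WAN_IN
        "set firewall name WAN_LOCAL rule 40 action accept",
        "set firewall name WAN_LOCAL rule 40 protocol udp",
        f"set firewall name WAN_LOCAL rule 40 destination port {listen_port}",
        # clients that tunnel 0.0.0.0/0 leave via the WAN and must be NATed
        "set service nat rule 5010 type masquerade",
        f"set service nat rule 5010 outbound-interface {wan_if}",
        f"set service nat rule 5010 source address {wg_subnet}",
    ]
    return cmds


def client_conf(client_priv: str, client_ip: str, hub_pub: str, endpoint: str,
                local_lan: str, dns: str) -> str:
    """Client .conf for the official apps or TunSafe: full tunnel minus local LAN."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {client_priv}",
        f"Address = {client_ip}/32",
        f"DNS = {dns}",
        "",
        "[Peer]",
        f"PublicKey = {hub_pub}",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(allowed_ips_excluding([local_lan]))}",
        "PersistentKeepalive = 25",
    ])


if __name__ == "__main__":
    print("\n".join(edgeos_server_commands("192.168.33.0/24", 51820, "<hub-private-key>",
                                           "eth1", [("<client-public-key>", "192.168.33.2")])))
    print(client_conf("<client-private-key>", "192.168.33.2", "<hub-public-key>",
                      "mydomainresolvingtomyerlite.ip:51820", "192.168.0.0/24", "192.168.33.1"))
```

The exclusion is static, so it fits a laptop with a known home/office subnet; phone apps instead offer an "exclude private IPs" toggle because the local LAN changes with every hotspot. If the client's local LAN happens to use the same range as the remote LAN, neither trick helps and the remote side is simply unreachable, which is why the hub's LAN is best kept off the common 192.168.0.0/24 and 192.168.1.0/24.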

 

New Member
Posts: 22
Registered: ‎05-20-2016
Kudos: 1

Re: Release: WireGuard for EdgeRouter

[ Edited ]

My replies somehow get deleted??
Why??

 

trying again:

 

@zx2c4 Hey man, I hope you are well!

@Lochnair 

 

I've recently updated my tunnel between my two houses, both endpoints with dynamic IPs and found a peculiar intermittent problem.

First, about my setup:

I've got my domain with two A records, endpoint-A.domain.ro and endpoint-B.domain.ro, served by afraid dyndns and set up on both locations using the integrated dynamic DNS client in EdgeOS.

 

So on endpoint B I have:

dns {
     dynamic {
         interface pppoe0 {
             service afraid {
                 host-name endpoint-B.domain.ro
                 login <user>
                 password <pass>
                 protocol dyndns2
             }
         }
     }
}

And on endpoint A I have the same, but with the hostname changed to endpoint-A.domain.ro, obviously.

 

And this works rather well. Both records are updated when the routers connect or the PPPoE resets/changes IP addresses.

 

The WireGuard interface is set up on both endpoints like this:

 

 wireguard wg0 {
     address 10.30.0.2/24
     description Tunn
     listen-port 51820
     mtu 1420
     peer <PubPeerKeyfForEndPointA> {
         allowed-ips 10.0.0.0/8
         endpoint endpointA.domain.ro:51820
         persistent-keepalive 25
     }
     private-key <PrivKeyForEndPointB>
     route-allowed-ips true
 }

And all this usually works OK, except in a few circumstances.

 

-->> 1st, I noticed that if both endpoints change IP address at the same time (more or less), the tunnel never gets updated.

The sudo wg show command shows both endpoints trying to connect to the old IP addresses even though the hostnames are properly updated and point to the new IP addresses (doesn't keepalive have a function to re-resolve the endpoint hostname to IP?).

 

-->> 2nd, and this is much more important: there are times (40-50% of the time) when one endpoint comes online (for example manually rebooted) and its WireGuard interface misses the endpoint hostname:port entirely, and it actually looks like this:

 

 wireguard wg0 {
     address 10.30.0.2/24
     description Tunn
     listen-port 51820
     mtu 1420
     peer <PubPeerKeyfForEndPointA> {
         allowed-ips 10.0.0.0/8
         persistent-keepalive 25
     }
     private-key <PrivKeyForEndPointB>
     route-allowed-ips true
 }

 

and needless to say I have to issue a

set interfaces wireguard wg0 peer <peer> endpoint endpointX.domain.ro:51820

commit

before the tunnel works again.

I have no clue why this is, but my first guess would be that the PPPoE interface sometimes takes a bit longer to connect and the set interfaces wireguard wg0 ... endpoint command fails if the hostname parameter is not resolvable??

 

Thank you! 

Best regards,

Bogdan Dumitru

 

P.S. Thanks for the stickers! 
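On the first symptom above: WireGuard resolves an endpoint hostname once, when the peer is configured, and afterwards only learns a new address from authenticated packets it actually receives; persistent-keepalive does not re-resolve anything. If both ends move at the same time, neither ever hears from the other, so both keep sending to the stale addresses. The usual fix is a periodic job that re-resolves the configured names and calls `wg set` when the live endpoint differs, the approach taken by the reresolve-dns script shipped in wireguard-tools/contrib. The Python 3 version below is an added example, not code from the thread, the EdgeOS package or the WireGuard project; the hostnames and keys are placeholders, and the resolver is injectable so the logic runs without DNS or a live interface. It also covers the second symptom: a peer whose endpoint is missing (`(none)`) is treated like a stale one, and a name that does not resolve yet (PPPoE still coming up) is skipped until the next run rather than aborting.

```python
"""Re-resolve dynamic-DNS endpoints for WireGuard peers and emit/apply the
`wg set ... endpoint` needed when DNS has moved on or the endpoint is absent.

Added example, modelled on wireguard-tools contrib/reresolve-dns. Keys and
hostnames are placeholders. Runtime changes made with `wg set` do not touch
the EdgeOS config, which keeps the hostname, which is what you want.
"""
import socket
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

Endpoint = Optional[Tuple[str, int]]


def parse_endpoints(wg_output: str) -> Dict[str, Endpoint]:
    """Parse `wg show <if> endpoints`: one 'pubkey<TAB>host:port' line per
    peer, '(none)' when no endpoint is set."""
    result: Dict[str, Endpoint] = {}
    for line in wg_output.splitlines():
        parts = line.split("\t")
        if len(parts) != 2:
            continue
        pub, ep = parts
        if ep == "(none)":
            result[pub] = None
        else:
            host, _, port = ep.rpartition(":")     # handles [v6]:port too
            result[pub] = (host.strip("[]"), int(port))
    return result


def dns_resolve(host: str) -> str:
    """Default resolver: first IPv4 answer (raises socket.gaierror on failure)."""
    return socket.getaddrinfo(host, None, socket.AF_INET)[0][4][0]


def stale_endpoints(iface: str, desired: Dict[str, str], live: Dict[str, Endpoint],
                    resolve: Callable[[str], str] = dns_resolve) -> List[str]:
    """desired: {peer pubkey: 'hostname:port'} as configured.
    Returns the wg commands that bring the live endpoints in line with DNS."""
    cmds = []
    for pub, hostport in desired.items():
        host, _, port = hostport.rpartition(":")
        try:
            ip = resolve(host)
        except socket.gaierror:
            continue                    # not resolvable right now: retry next run
        if live.get(pub) != (ip, int(port)):
            cmds.append(f"wg set {iface} peer {pub} endpoint {ip}:{port}")
    return cmds


def reresolve(iface: str, desired: Dict[str, str]) -> List[str]:
    """Query the live interface and apply the updates (needs root)."""
    out = subprocess.run(["wg", "show", iface, "endpoints"], check=True,
                         capture_output=True, text=True).stdout
    cmds = stale_endpoints(iface, desired, parse_endpoints(out))
    for c in cmds:
        subprocess.run(c.split(), check=True)
    return cmds


if __name__ == "__main__":
    # placeholders: the peer's public key and the dyndns name from the config
    print(reresolve("wg0", {"<PubPeerKeyForEndPointA>": "endpoint-A.domain.ro:51820"}))
```

Run it from cron every minute or so. Because the change is applied with `wg set` rather than through the EdgeOS config tree, a later `commit` still re-applies the hostname, which is exactly the behaviour the configuration should describe.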

New Member
Posts: 5
Registered: ‎10-24-2018

Re: Release: WireGuard for EdgeRouter

I'm working on a site-to-site implementation of WireGuard between an ER Pro-8 and an ERX. The ERX is on a 250/250 connection and the ER Pro-8 is on a 1G/1G connection. IPsec maxes out around 110 Mbps, so I'm looking to see if WireGuard on this hardware can get me more.

I've followed a few guides online and the hardware appears to connect but no data is passing.  I'm hoping someone can give me a quick pointer on what I missed so I can get up and running.  Thanks!

ER Pro-8 configuration:

    wireguard wg0 {
        address 10.100.100.1/24
        listen-port 51820
        mtu 1492
        peer bvs= {
            allowed-ips 10.0.0.0/8
            endpoint A.B.C.D:51820
            persistent-keepalive 15
        }
        private-key ****************
        route-allowed-ips true
    }


And for the ERX:

    wireguard wg0 {
        address 10.100.100.2/24
        listen-port 51820
        mtu 1492
        peer V4k= {
            allowed-ips 10.0.0.0/8
            endpoint A.B.C.D:51820
            persistent-keepalive 15
        }
        private-key ****************
        route-allowed-ips true
    }


sudo wg on the ER8:

interface: wg0
  public key: V4k=
  private key: (hidden)
  listening port: 51820

peer: bvs=
  endpoint: A.B.C.D:51820
  allowed ips: 10.0.0.0/8
  transfer: 2.61 KiB received, 6.56 KiB sent
  persistent keepalive: every 15 seconds

and sudo wg on the ERX:

interface: wg0
  public key: bvs=
  private key: (hidden)
  listening port: 51820

peer: V4k=
  endpoint: A.B.C.D:51820
  allowed ips: 10.0.0.0/8
  latest handshake: 58 seconds ago
  transfer: 5.71 KiB received, 2.91 KiB sent
  persistent keepalive: every 15 seconds


The local network on the ER8 is 10.0.1.0/24 and on the ERX it's 10.1.1.0/24

What am I missing?

Thanks!

New Member
Posts: 7
Registered: ‎02-20-2016

Re: Release: WireGuard for EdgeRouter


@Lanthade wrote:


The local network on the ER8 is 10.0.1.0/24 and on the ERX it's 10.1.1.0/24

What am I missing?

Thanks!


Do you have firewall rule sets in place to allow traffic from wg0 IN so that it will be able to talk to things on each end? That's the first thing that popped into my head. I think you need at least a firewall IN ruleset bound to each wg0 interface, with either a default allow, or default drop with rules to allow whatever traffic/ports you want to allow.

 

You're trying to allow the entire private class A between the two sites? I'm trying to convince myself, because I'm not sure, that you can have the endpoints think they are in the same class C subnet the way you do, or whether that's going to confuse the heck out of them because they both think 10.100.100.0/24 is their own local subnet.

Established Member
Posts: 1,618
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: Release: WireGuard for EdgeRouter

[ Edited ]

@Lanthade @JasonColeman

 

At first I thought the AllowedIPs would be the problem, but maybe not. In any case, though they might work in your case, they are not the best choice.

 

First, it is important to understand what AllowedIPs is doing. First and foremost, it is a filter on what packets it will accept, by requiring any received packet to have a source address that is subsumed by AllowedIPs; otherwise the packet is dropped. Given your local nets, this should be true. Optionally, AllowedIPs creates routing rules so that any packet with a destination address subsumed by AllowedIPs is directed over the wg interface. On the ERs, route-allowed-ips controls this option. Again, in your case, that should route all of 10.0.0.0/8 over, but not the local subnet, since that is handled by layer 2 and never sees the router.

 

If it were me, I would set the AllowedIPs as

 

ER8: 10.100.100.2/32,10.1.1.0/24

ERX: 10.100.100.1/32,10.0.1.0/24

 

As @JasonColeman remarks, make sure any firewalls let the appropriate traffic through for the endpoint address, but on WAN_LOCAL, not _IN.
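The two directions of cryptokey routing described above, as an added example that is not part of the thread or the WireGuard project. It models one side of the site-to-site link: inbound, a decrypted packet is delivered only if its source address falls inside the sending peer's AllowedIPs; outbound, the peer with the longest matching AllowedIPs prefix gets the packet, unless a directly connected subnet already owns the destination. Running the model with 10.0.0.0/8 on both ends, as posted, against the narrower values suggested above shows two concrete differences: with the /8, each router would accept packets from the far side that claim a source address in its own LAN, and any unused 10.x address (a typo, a scan, a host that is down) is handed back and forth through the tunnel until the TTL expires. The subnets are the thread's (ER8 LAN 10.0.1.0/24, ERX LAN 10.1.1.0/24, tunnel 10.100.100.0/24); the peer names and the tie rule "a connected subnet beats a peer prefix of equal or greater length" are assumptions.

```python
"""Model of WireGuard cryptokey routing on one side of a site-to-site link.

Added example (not from the thread). Subnets follow the thread; peer names
and the connected-vs-peer tie rule are assumptions. `connected` lists LAN
subnets on non-wg interfaces; the wg subnet itself is deliberately left out,
because a packet routed to wg0 still has to match a peer's AllowedIPs or it
is dropped.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress._BaseNetwork  # IPv4Network | IPv6Network


class CryptokeyRouter:
    def __init__(self, name: str, connected: List[str]):
        self.name = name
        self.connected = [ipaddress.ip_network(c) for c in connected]
        self.peers: Dict[str, List[Net]] = {}

    def add_peer(self, peer: str, allowed_ips: List[str]) -> None:
        self.peers[peer] = [ipaddress.ip_network(a) for a in allowed_ips]

    def inbound_ok(self, peer: str, src_ip: str) -> bool:
        """Source-address filter applied after decryption."""
        ip = ipaddress.ip_address(src_ip)
        return any(ip.version == n.version and ip in n for n in self.peers[peer])

    def outbound(self, dst_ip: str) -> Optional[str]:
        """Peer that receives a packet to dst_ip (longest prefix wins), or
        None when a connected subnet handles it or no peer covers it."""
        ip = ipaddress.ip_address(dst_ip)
        best: Optional[Tuple[str, int]] = None
        for peer, nets in self.peers.items():
            for n in nets:
                if ip.version == n.version and ip in n and (best is None or n.prefixlen > best[1]):
                    best = (peer, n.prefixlen)
        if best and any(ip.version == c.version and ip in c and c.prefixlen >= best[1]
                        for c in self.connected):
            return None   # e.g. connected /24 beats the /8 that route-allowed-ips added
        return best[0] if best else None


def spoofable_sources(r: CryptokeyRouter) -> List[str]:
    """Local subnets a peer could impersonate because its AllowedIPs are wider
    than the networks that really sit behind it."""
    out = []
    for peer, nets in r.peers.items():
        for n in nets:
            for c in r.connected:
                if c.version == n.version and c.subnet_of(n) and c != n:
                    out.append(f"{r.name}: peer {peer} allowed-ips {n} also covers local {c}")
    return out


def loops(a: CryptokeyRouter, b: CryptokeyRouter, dst_ip: str) -> bool:
    """True when a hands dst_ip to b and b hands it straight back."""
    return a.outbound(dst_ip) == b.name and b.outbound(dst_ip) == a.name


def build(wide: bool) -> Tuple[CryptokeyRouter, CryptokeyRouter]:
    """wide=True: 10.0.0.0/8 both ends (as posted); False: suggested values."""
    er8 = CryptokeyRouter("er8", ["10.0.1.0/24"])
    erx = CryptokeyRouter("erx", ["10.1.1.0/24"])
    if wide:
        er8.add_peer("erx", ["10.0.0.0/8"])
        erx.add_peer("er8", ["10.0.0.0/8"])
    else:
        er8.add_peer("erx", ["10.100.100.2/32", "10.1.1.0/24"])
        erx.add_peer("er8", ["10.100.100.1/32", "10.0.1.0/24"])
    return er8, erx


if __name__ == "__main__":
    for wide in (True, False):
        er8, erx = build(wide)
        print("wide" if wide else "narrow", spoofable_sources(er8) + spoofable_sources(erx),
              "loop for 10.9.9.9:", loops(er8, erx, "10.9.9.9"))
```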

New Member
Posts: 33
Registered: ‎11-18-2016
Kudos: 11
Solutions: 1

Re: Release: WireGuard for EdgeRouter

Do you have firewall rules on your WAN port to allow port 51820 IN?  Though based on your output of the wg command it appears like the erx side does as it's seen the handshake, you might want to double check the firewall rules on the ER8 side.

 

Similar to @Lanthade, do you have appropriate firewall rules for the wg interface on both ends? If you use the zone-based firewall, the wg interface needs to be added to the same zone as your LAN, or you need a new zone for wg and rules to allow it to talk with your LAN zone (and others you want to allow it to).

 

If you're not using zone based firewall, then you might need to look at your firewall rules to be sure you don't have one blocking traffic to your LAN.

 

Your config in general looks good to me, and should work. (I'm assuming your peer public keys are obfuscated and not really only 4 chars long.)

 

One other thing to check is the routing table on both ends, to be sure that route-allowed-ips actually set up the routes correctly.
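The checks suggested in this post and the `sudo wg` output posted earlier lend themselves to a small triage script: the `wg show` output already says which stage failed, and the routing table says whether route-allowed-ips did its job. What follows is an added example, not code from the thread or the WireGuard project. It parses `wg show` into per-peer fields and reports, in order: no endpoint (this side cannot initiate), no handshake ever (WAN_LOCAL/endpoint/key problem), a handshake that has gone stale despite keepalive, a handshake with nothing received (far side not sending, or our source addresses fall outside its AllowedIPs), and finally each allowed prefix that has no route via the wg interface. The sample text is constructed to mirror the ER8 output posted above, with the same obfuscated placeholder keys and a documentation-range endpoint.

```python
"""Triage a WireGuard peer from `sudo wg show` and `ip route show` output.

Added example (not from the thread). The SAMPLE_* strings are constructed;
keys are placeholders. `0.0.0.0/0` appears as `default` in `ip route` and is
not special-cased here.
"""
import re
from typing import Dict, List, Optional

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def _age_seconds(text: str) -> int:
    """'1 minute, 5 seconds ago' -> 65."""
    return sum(int(n) * _UNITS[u]
               for n, u in re.findall(r"(\d+) (second|minute|hour|day)", text))


def parse_wg_show(text: str) -> Dict[str, dict]:
    """{peer pubkey: fields}; handshake is None if never completed."""
    peers: Dict[str, dict] = {}
    cur: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            cur = peers.setdefault(line.split(":", 1)[1].strip(),
                                   {"endpoint": None, "allowed_ips": [], "handshake": None,
                                    "rx": "0 B", "tx": "0 B", "keepalive": None})
            continue
        if cur is None or ":" not in line:
            continue                          # interface header or blank
        key, val = (s.strip() for s in line.split(":", 1))
        if key == "endpoint":
            cur["endpoint"] = val
        elif key == "allowed ips":
            cur["allowed_ips"] = [a.strip() for a in val.split(",")]
        elif key == "latest handshake":
            cur["handshake"] = _age_seconds(val)
        elif key == "transfer":
            m = re.match(r"([\d.]+ \w+) received, ([\d.]+ \w+) sent", val)
            if m:
                cur["rx"], cur["tx"] = m.group(1), m.group(2)
        elif key == "persistent keepalive":
            m = re.search(r"(\d+)", val)
            cur["keepalive"] = int(m.group(1)) if m else None
    return peers


def diagnose(peer: dict, routes: str, wg_if: str = "wg0", stale_after: int = 180) -> List[str]:
    """Findings for one peer, most fundamental first."""
    out: List[str] = []
    if peer["endpoint"] is None:
        out.append("no endpoint: this side cannot initiate; set one or wait for the peer to call in")
    if peer["handshake"] is None:
        out.append("no handshake ever completed: check WAN_LOCAL accepts UDP to the listen-port, "
                   "the endpoint address, and that each `peer` key is the OTHER side's public key")
    elif peer["handshake"] > stale_after:
        out.append(f"last handshake {peer['handshake']}s ago: tunnel was up but has gone quiet "
                   f"(keepalive {peer['keepalive']}s)")
    elif peer["rx"] == "0 B":
        out.append("handshake ok but nothing received: far side not sending, or our source "
                   "addresses are outside its AllowedIPs")
    for net in peer["allowed_ips"]:
        if not re.search(rf"^{re.escape(net)}\s+dev\s+{wg_if}\b", routes, re.M):
            out.append(f"no route for {net} via {wg_if}: route-allowed-ips did not take effect")
    return out


SAMPLE_ER8_WG = """interface: wg0
  public key: V4k=
  private key: (hidden)
  listening port: 51820

peer: bvs=
  endpoint: 203.0.113.7:51820
  allowed ips: 10.0.0.0/8
  transfer: 2.61 KiB received, 6.56 KiB sent
  persistent keepalive: every 15 seconds
"""
SAMPLE_ER8_ROUTES = """default via 203.0.113.1 dev eth0
10.0.0.0/8 dev wg0  scope link
10.0.1.0/24 dev eth1  proto kernel  scope link  src 10.0.1.1
"""

if __name__ == "__main__":
    for pub, p in parse_wg_show(SAMPLE_ER8_WG).items():
        print(pub, diagnose(p, SAMPLE_ER8_ROUTES) or ["looks healthy"])
```

On a live router, feed it `sudo wg show` and `ip route show`; when `wg` reports a handshake and non-zero transfer in both directions but hosts still cannot talk, the problem is past WireGuard, and tcpdump on wg0 and on the LAN interface will show on which hop the packets stop.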

 

New Member
Posts: 5
Registered: ‎10-24-2018

Re: Release: WireGuard for EdgeRouter

@JasonColeman @karog @evildog

 

Thanks for your quick replies.  You're probably on to something with the firewall.  I've spent very little time learning how EdgeOS firewall rule sets really work and have mostly just followed other people's writeups.  Here's the firewall section of my ER8:

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Plex remote access"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
                port 32400
            }
            log disable
            protocol tcp_udp
            source {
                group {
                }
                port 32400
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow L2TP"
            destination {
                port 500,1701,4500
            }
            log disable
            protocol udp
        }
        rule 30 {
            action accept
            description "Allow ESP"
            log disable
            protocol esp
        }
        rule 40 {
            action accept
            description "Allow Wireguard"
            destination {
                port 51820
            }
            log disable
            protocol udp
            source {
                port 51820
            }
        }
        rule 50 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}


The ERX is identical.

As far as the allowed IPs go, that's just from following a set of instructions on EdgeOS site-to-site WireGuard. I'll tweak it as you suggest. I was just trying to follow what was there exactly to get it working before tweaking it to be more precise.

@evildog Yeah, the keys (as well as public addresses) are obfuscated; they are NOT that short. :)

Established Member
Posts: 1,618
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: Release: WireGuard for EdgeRouter

[ Edited ]

@Lanthade

 

Remove the source clause in rule 40 of WAN_LOCAL.

 

Also, in WAN_IN, your rule 30 should precede rule 20. Do the invalid check first. Don't put rules before est/rel and invalid unless you have a very good reason.
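The two points made in this reply (rule order relative to the invalid-state drop, and the source-port clause) can be checked mechanically against the `show configuration` text. The script below is an added example, not code from the thread or from EdgeOS. It parses the brace syntax into nested dicts, then flags every accept rule that is evaluated before the ruleset's invalid-state drop, every accept rule that matches on a source port (a NATed or road-warrior peer sends from an ephemeral port and is silently dropped by such a rule), and finally confirms that WAN_LOCAL accepts UDP to the WireGuard listen-port at all. SAMPLE is a constructed, trimmed copy of the ER8 ruleset posted above; the listen-port 51820 is the thread's.

```python
"""Lint an EdgeOS firewall block as printed by `show configuration`.

Added example (not from the thread). SAMPLE is a constructed, trimmed copy
of the ruleset posted in this thread.
"""
from typing import Dict, List, Tuple


def parse_config(text: str) -> Dict:
    """'rule 10 {' -> key 'rule 10'; 'action accept' -> {'action': 'accept'}."""
    root: Dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            child: Dict = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        else:
            key, _, val = line.partition(" ")
            stack[-1][key] = val.strip('"')
    return root


def _rules(ruleset: Dict) -> List[Tuple[int, Dict]]:
    """Rules in evaluation order (by number)."""
    return sorted((int(k.split()[1]), v) for k, v in ruleset.items() if k.startswith("rule "))


def lint_ruleset(name: str, rs: Dict) -> List[str]:
    findings: List[str] = []
    invalid_seen = False
    for num, r in _rules(rs):
        state = r.get("state", {})
        if r.get("action") == "drop" and state.get("invalid") == "enable":
            invalid_seen = True
            continue
        if r.get("action") == "accept" and not state and not invalid_seen:
            findings.append(f"{name} rule {num}: accept rule runs before the invalid-state drop; "
                            "put the drop in front of it")
        if r.get("action") == "accept" and "port" in r.get("source", {}):
            findings.append(f"{name} rule {num}: matches source port {r['source']['port']}; "
                            "a NATed or roaming peer uses an ephemeral source port and is dropped")
    return findings


def wireguard_port_allowed(rs: Dict, listen_port: int) -> bool:
    """Handshakes are addressed TO the router, so WAN_LOCAL must accept them."""
    for _, r in _rules(rs):
        if r.get("action") == "accept" and r.get("protocol") in ("udp", "tcp_udp"):
            ports = r.get("destination", {}).get("port", "")
            if str(listen_port) in ports.split(","):
                return True
    return False


def lint_firewall(text: str, listen_port: int = 51820) -> List[str]:
    fw = parse_config(text).get("firewall", {})
    findings: List[str] = []
    for key, rs in fw.items():
        if key.startswith("name "):
            findings += lint_ruleset(key.split(" ", 1)[1], rs)
    if not wireguard_port_allowed(fw.get("name WAN_LOCAL", {}), listen_port):
        findings.append(f"WAN_LOCAL has no accept for UDP {listen_port}")
    return findings


SAMPLE = """firewall {
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            destination {
                port 32400
            }
            protocol tcp_udp
        }
        rule 30 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action accept
            destination {
                port 51820
            }
            protocol udp
            source {
                port 51820
            }
        }
        rule 50 {
            action drop
            state {
                invalid enable
            }
        }
    }
}
"""

if __name__ == "__main__":
    print("\n".join(lint_firewall(SAMPLE)))
```

The source-port match does happen to work for two routers that both bind 51820, as the follow-up reply concedes, but it stops working the moment one side sits behind a NAT that rewrites source ports, so the lint keeps reporting it.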

New Member
Posts: 5
Registered: ‎10-24-2018

Re: Release: WireGuard for EdgeRouter

@karog

Done, still no change in functionality. I'm testing by running iperf from the ER8 side to a server on the ERX side and by trying to web browse from the ERX side to a server on the ER8 side. Neither works.

Thanks.
Established Member
Posts: 1,618
Registered: ‎05-03-2016
Kudos: 554
Solutions: 155

Re: Release: WireGuard for EdgeRouter

@Lanthade


@Lanthade wrote:
@karog

Done, still no change in functionality. I'm testing by running iperf from the ER8 side to a server on the ERX side and by trying to web browse from the ERX side to a server on the ER8 side. Neither works.

Thanks.

Yes, I was just in the process of editing my post, as I realized that since you define the ports at both ends, that source clause is probably OK. In most cases you don't know the source port, so generally you do not include it. In this case, you do.

 

Looking back at your post 264, it seems your firewall is OK, as both ends have TX and RX data.

 

Do you have other local subnets from which you are running these tests? Do they overlap between the two sides? The info you have provided so far looks OK. The problem might lie in something you have not told us.

 

What about pings from router to router using their wg addresses?

 

You should probably try tcpdump to see what is happening.

 

New Member
Posts: 5
Registered: ‎10-24-2018

Re: Release: WireGuard for EdgeRouter

@karog

I did just try pings from the ER8. I can successfully ping 10.100.100.2, 10.1.1.1, and 10.1.1.101, so ping traffic from the ER8 is getting to the other side. Interestingly, from the ERX I can ping 10.100.100.1 but not 10.0.1.1. That's probably something right there. Routing tables look right, but I'm probably just missing something when I look.

I'll post up the interfaces part of my config and the routing tables ASAP. Gotta go spend some time with my overworked wife now.

Thanks again!
New Member
Posts: 33
Registered: ‎11-18-2016
Kudos: 11
Solutions: 1

Re: Release: WireGuard for EdgeRouter

In your original post you just say traffic is not passing, but you did not say how you were testing it.  Did you try pinging from router to router? Or was it host to host, or host to remote router?

 

Try pinging from one router to the other router's wg interface address. If this works, then wireguard is setup and it's something with the routing table.

 

"Have you tried turning it off and back on again?" I've been in a place in the past where everything appeared correct, but it didn't work. After rebooting the router it started working just fine. This was in the earlier days of the WireGuard package for ER, so it might not help you.
