Passing Traffic - Firewall rules #120
What do you have for the allowed-ips directive? You will likely need to write firewall/iptables rules to force traffic from specific hosts over the interfaces in question. vyatta does not allow 0.0.0.0/0 rules typically as that'd overwrite the entire route table and thus the router could not communicate with the VPN server. My suggestion is to establish a VLAN that you want to route through your WireGuard interfaces and set up rules to do so.
Thanks for the reply. My Allowed-IPs directive is True. I'm not trying to route 0.0.0.0/0, just a few subnets on my home lab that I need access to. Regarding VLANing: are you saying I should create a VLAN interface attached to wg0 and configure it like any other ethernet interface?
If you are not routing all traffic you do not need to create a separate VLAN. Here's what you need to do: At that point the subnets should be routing. Try pinging a remote VPN host from the router directly once you confirm that "wg" is showing up.
That's how I am/was set up. No worky, which is why I was asking about firewall rules etc.
Did you create a masquerade for wg0 on the source NAT page? You'll need that most likely depending on how you have the setup. Are you able to ping from the router to a remote VPN host (using the private IP)? Sent with GitHawk
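As an added illustration (not config posted by anyone in this thread, and not the project's own documentation), the pieces the replies above refer to, written as EdgeOS/Vyatta `configure`-mode commands: the wg0 interface with its peer and allowed-ips, a WAN_LOCAL rule for the listen port, and the source-NAT masquerade on wg0. All addresses, the ruleset name WAN_LOCAL, the key path, `<PEER_PUBLIC_KEY>` and the endpoint are assumptions or placeholders; adjust them to your own setup.

```vyatta
# Added example (not from this thread). Assumed addressing: home-lab LAN
# 192.168.1.0/24 behind the USG, tunnel network 10.255.0.0/24, remote subnet
# 10.10.10.0/24 that should be reachable through the tunnel.
# <PEER_PUBLIC_KEY>, the endpoint and the key path are placeholders.

# 1. The WireGuard interface itself
set interfaces wireguard wg0 address 10.255.0.2/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 private-key /config/auth/wg.key
# route-allowed-ips true installs a kernel route for every allowed-ips prefix
# below, so the remote subnet is reachable without a separate static route
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 peer <PEER_PUBLIC_KEY> endpoint vpn.example.net:51820
set interfaces wireguard wg0 peer <PEER_PUBLIC_KEY> persistent-keepalive 25
# allowed-ips is both a route and a filter (cryptokey routing): packets arriving
# from this peer whose source lies outside these prefixes are dropped by
# WireGuard before any firewall sees them, and packets for destinations outside
# them are never sent down wg0. Listing only the prefixes you need (not
# 0.0.0.0/0) keeps the default route untouched.
set interfaces wireguard wg0 peer <PEER_PUBLIC_KEY> allowed-ips 10.255.0.0/24
set interfaces wireguard wg0 peer <PEER_PUBLIC_KEY> allowed-ips 10.10.10.0/24

# 2. Let the peer's handshakes reach the router. Only needed when this side
#    accepts incoming connections; a purely outbound client can skip this.
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description 'WireGuard'
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 destination port 51820

# 3. Source NAT on wg0. Without it, LAN hosts enter the tunnel with a
#    192.168.1.x source address, which the far peer silently drops unless its
#    allowed-ips entry for this router also lists 192.168.1.0/24. Masquerading
#    rewrites the source to 10.255.0.2, which the far side already allows.
set service nat rule 5010 description 'masquerade LAN over wg0'
set service nat rule 5010 type masquerade
set service nat rule 5010 outbound-interface wg0
set service nat rule 5010 source address 192.168.1.0/24

commit
save
```

The masquerade is one of two valid fixes: the alternative is to leave NAT off and add the LAN prefix (192.168.1.0/24 here) to this router's entry in the far peer's allowed-ips, which preserves real source addresses in the remote side's logs. To tell the two failure classes apart, run `sudo wg show wg0` on the router: a recent "latest handshake" with a growing "transfer" received counter means the tunnel is up and any remaining problem is allowed-ips, routing or NAT; no handshake at all points at the listen-port firewall rule or the endpoint.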
Following up on this... did the masquerade fix your issue? |
I have it working (WG 0.0.20190913 on USG3 4.4.44.5213844) but I am unable to pass any traffic (ping, DNS or HTTP/S).
Is there a firewall configuration that I am missing? If so, can I assume that the WG interfaces don't use the native Vyatta firewall configuration and I'll need to modify iptables?
Not sure if this is a bug or a feature.
Best,