So I've read and tried all I could find on the interwebs and I stil can't get my head around this. I'm trying to accomplish something super easy with OpenVPN on my EdgeRouter X that seems impossible with WireGuard for me: Routing all traffic from LAN over the VPN interface and through to the internet.
Both ends connect fine using wg show showing handshakes and all. On one end the EdgeRouter, on the other a Wireguard Server on AWS EC2.
Basic routing plan is/was (worked with OpenVPN):
- 0.0.0.0/0 goes to eth0 (local ISP)
- 0.0.0.0/1 goes to wg0 (VPN)
- 128.0.0.0/1 goes to wg0 (VPN)
Switching the 2 routes to enabled will drop all internet traffic but LAN devices stay accessible. Router can't even ping 1.1.1.1. Disabling the 2 routes brings back traffic instantly.
One odd thing is wg0 Tx spikes to ~80Mbps when I turn both routes on but nothing for Rx. wg show on the AWS server shows not much packets sent/received and router's show increasing Tx packets, no Rx. I feel like I have something wrong with ports on my router. I tried (not shown in config) to port fwd 54321 to wg0 without success.
Here's my EdgeRouter Config Dump:
firewall {
all-ping enable
broadcast-ping disable
ipv6-name WANv6_IN {
default-action drop
description "WAN inbound traffic forwarded to LAN"
enable-default-log
rule 10 {
action accept
description "Allow established/related sessions"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
ipv6-name WANv6_LOCAL {
default-action drop
description "WAN inbound traffic to the router"
enable-default-log
rule 10 {
action accept
description "Allow established/related sessions"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 30 {
action accept
description "Allow IPv6 icmp"
protocol ipv6-icmp
}
rule 40 {
action accept
description "allow dhcpv6"
destination {
port 546
}
protocol udp
source {
port 547
}
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
rule 20 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 30 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow WG"
destination {
port 54321
}
log disable
protocol udp
}
rule 30 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 40 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WG_LOCAL {
default-action drop
description "WG to router"
enable-default-log
rule 10 {
action accept
description "Allow WG Port"
destination {
port 54321
}
log enable
protocol udp
}
}
options {
mss-clamp {
interface-type wg
mss 1380
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
address dhcp
description Internet
duplex auto
firewall {
in {
ipv6-name WANv6_IN
name WAN_IN
}
local {
ipv6-name WANv6_LOCAL
name WAN_LOCAL
}
}
speed auto
}
ethernet eth1 {
description Switch
duplex auto
speed auto
}
ethernet eth2 {
description Wifi
duplex auto
speed auto
}
ethernet eth3 {
description Office
duplex auto
speed auto
}
ethernet eth4 {
description Local
disable
duplex auto
poe {
output off
}
speed auto
}
loopback lo {
}
switch switch0 {
address 10.0.0.1/24
description Local
mtu 1500
switch-port {
interface eth1 {
}
interface eth2 {
}
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
}
wireguard wg0 {
address 10.50.0.2/32
description "Wireguard VPN"
listen-port 54321
mtu 1420
peer <peer hash> {
allowed-ips 0.0.0.0/0
endpoint 1.2.3.4:54321
persistent-keepalive 25
preshared-key /config/auth/preshared.key
}
private-key /config/auth/priv.key
route-allowed-ips false
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface switch0
wan-interface eth0
}
protocols {
static {
interface-route 0.0.0.0/1 {
next-hop-interface wg0 {
description "All Local to VPN"
}
}
interface-route 128.0.0.0/1 {
next-hop-interface wg0 {
description "All Local to VPN"
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN {
authoritative enable
subnet 10.0.0.0/24 {
default-router 10.0.0.1
dns-server 10.0.0.1
lease 86400
start 10.0.0.38 {
stop 10.0.0.243
}
}
}
static-arp disable
use-dnsmasq disable
}
dns {
forwarding {
cache-size 150
listen-on switch0
name-server 1.1.1.1
name-server 1.0.0.1
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
rule 5011 {
description "masquerade for WG"
log disable
outbound-interface wg0
protocol all
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
disable
}
}
system {
analytics-handler {
send-analytics-report false
}
crash-handler {
send-crash-report false
}
host-name my-net
login {
user admin {
authentication {
encrypted-password <hash>
}
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/Montreal
}
traffic-control {
smart-queue default {
download {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 105mbit
}
upload {
ecn enable
flows 1024
fq-quantum 1514
limit 10240
rate 35mbit
}
wan-interface eth0
}
}
