
Clients can access LAN but not internet

Open JSaterdalen opened this issue 3 years ago • 2 comments

Package version

1.0.20220627

Firmware version

4.4.56

Device

UniFi Security Gateway - UGW3

Issue description

Using the setup in the wiki guide, clients can connect to the USG and access LAN devices. Clients cannot hit the internet.

I am using UI firewall rules instead of the one in the server config example.

Client config:

[Interface]
PrivateKey = <private key>
DNS = 10.2.1.1
MTU = 1500

[Peer]
PublicKey = <public key>
AllowedIPs = ::/0, 0.0.0.0/0
Endpoint = <fqdn>:51820
PersistentKeepalive = 25

Configuration and log output

{
  "interfaces": {
    "wireguard": {
      "wg0": {
        "address": ["10.2.1.1/24"],
        "firewall": {
          "in": {
            "name": "LAN_IN"
          },
          "local": {
            "name": "LAN_LOCAL"
          },
          "out": {
            "name": "LAN_OUT"
          }
        },
        "listen-port": "51820",
        "mtu": "1500",
        "peer": [
          {
            "<public-key>": {
              "allowed-ips": ["10.2.1.10/32"],
              "persistent-keepalive": 25
            }
          }
        ],
        "private-key": "/config/auth/wireguard/wg_private.key",
        "route-allowed-ips": "true"
      }
    }
  }
}

JSaterdalen avatar Aug 10 '22 20:08 JSaterdalen

Have you configured the NAT rule for the output to the Internet?

jasimancas avatar Aug 11 '22 09:08 jasimancas

@jasimancas I created the firewall rule on "Internet Local" with a destination port of 51820, per the guide. Didn't think there would be anything else to do, but I did try adding an "Internet Out" rule with a source of the wireguard subnet, and that didn't seem to work.

How would you configure the NAT rule on the USG?

JSaterdalen avatar Aug 11 '22 15:08 JSaterdalen

Try with this @JSaterdalen :

set service nat rule 6004 type masquerade
set service nat rule 6004 description "MASQ wireguard_network to WAN"
set service nat rule 6004 protocol all
set service nat rule 6004 log disable
set service nat rule 6004 source address XXX.XXX.XXX.XXX/XX (LAN wireguard)
set service nat rule 6004 outbound-interface XXXXX (in my case it is pppoe2 but in yours it may be another one)
commit
save
exit

I used rule 6004 because 6001, 6002 and 6003 were already used for NAT, so it corresponds to the fourth one. You can see the configuration with the command mca-ctrl -t dump-cfg; there you will see the NAT rules you have for the USG networks. It is simply the same for the WireGuard network.

jasimancas avatar Aug 12 '22 14:08 jasimancas
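The symptom in this thread (LAN reachable, internet not) is what a WireGuard subnet with no masquerade NAT rule looks like. The following is an added example, not code from the thread or from the wireguard-vyatta-ubnt project: it reads a config in the shape of the `mca-ctrl -t dump-cfg` / config.gateway.json JSON, takes every WireGuard interface subnet and reports which masquerade rules cover it. The sample config, rule numbers and the outbound interface eth0 are constructed for the example.

```python
import ipaddress
import json

# Constructed sample: the wg0 interface from the issue plus a service.nat section
# with a masquerade rule for the WireGuard subnet (eth0 as WAN is an assumption).
SAMPLE_CFG = json.dumps({
    "interfaces": {"wireguard": {"wg0": {"address": ["10.2.1.1/24"]}}},
    "service": {"nat": {"rule": {
        "6001": {"type": "masquerade", "source": {"address": "192.168.1.0/24"},
                 "outbound-interface": "eth0"},
        "6004": {"type": "masquerade", "source": {"address": "10.2.1.0/24"},
                 "outbound-interface": "eth0"},
    }}},
})


def wireguard_subnets(cfg):
    """Subnets of every configured WireGuard interface (from its address list)."""
    nets = []
    for iface in cfg.get("interfaces", {}).get("wireguard", {}).values():
        for addr in iface.get("address", []):
            nets.append(ipaddress.ip_interface(addr).network)
    return nets


def masquerade_rules_covering(cfg, net):
    """Numbers of masquerade NAT rules whose source address contains `net`.
    Only address-based sources are checked; rules that use a network-group
    are not resolved here."""
    rules = cfg.get("service", {}).get("nat", {}).get("rule", {})
    hits = []
    for num, rule in rules.items():
        if rule.get("type") != "masquerade":
            continue
        src = rule.get("source", {}).get("address")
        if src is None:
            continue
        src_net = ipaddress.ip_network(src, strict=False)
        if src_net.version == net.version and net.subnet_of(src_net):
            hits.append(num)
    return sorted(hits)


def check_config(cfg_json):
    """Map each WireGuard subnet to the masquerade rules covering it; an empty
    list means the subnet is not NATed and clients will only reach the LAN."""
    cfg = json.loads(cfg_json)
    return {str(n): masquerade_rules_covering(cfg, n) for n in wireguard_subnets(cfg)}


if __name__ == "__main__":
    for net, rules in check_config(SAMPLE_CFG).items():
        print(net, "masqueraded by", rules if rules else "NO rule: no internet access")
```

Run it against the real dump with `check_config(open("dump.json").read())`; the interesting result is an empty list, which is exactly the state the reporter was in before adding the NAT rule.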

I removed my firewall rule in the UI, and added the firewall rule and network group section from the wiki back to the config. It's working now! Having the network group must have done it.

JSaterdalen avatar Aug 13 '22 19:08 JSaterdalen

Hello @jasimancas , I am a bit lagging on the firewall configurations on my UDM SE, slightly new to networking in general, and this is part of building my first home lab. I have a UDM SE, I've set up WireGuard and I am trying to configure the required firewall rules on the UDM SE at the moment.

Is it possible to explain the same steps but based on the UI? I am trying to document everything based on the UI rather than the terminal, please.

Many thanks!

mshahat avatar Sep 03 '22 22:09 mshahat