
Documentation for configuring as a client #137

Open
lennykean opened this issue Nov 20, 2022 · 3 comments
Labels
bug/possible A possible bug that has not yet been confirmed

Comments

@lennykean

Package version

1.0.20220627-1

Firmware version

v2.0.9-hotfix.4

Device

EdgeRouter Lite / PoE - e100

Issue description

I am admittedly not very experienced with WireGuard. So, I'm not sure if this is an issue, or something I'm doing wrong. Either way, a better guide for getting this set up would be really helpful.

With the following configuration, I get an error committing:

set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 peer [redacted] allowed-ips 192.168.0.0/16
set interfaces wireguard wg0 peer [redacted] endpoint [redacted]
set interfaces wireguard wg0 private-key /config/auth/wg.key
commit

Error:

[ interfaces wireguard wg0 ]
Error: Allowed IP default on interface wg0 peer [redacted] conflicts with an existing route. route-allowed-ips cannot be enabled.

This seems to be because of a static route my WAN interface is auto-creating. The only way to avoid that is to disable the interface, which leaves me with no WAN so that's a no-go.

When trying to configure with route-allowed-ips=false, I can commit the changes, but I can't figure out how to route traffic to the interface. A configuration like this seems like it should work, but it does not.

set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface wg0
set service nat rule 5001 source address 192.168.0.0/16
set service nat rule 5001 type masquerade
commit
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface wg0
set firewall modify SOURCE_ROUTE rule 10 source address 192.168.0.0/16
set firewall modify SOURCE_ROUTE rule 10 modify table 1
set interfaces ethernet eth1 firewall in modify SOURCE_ROUTE
commit

Configuration and log output

No response

@lennykean lennykean added the bug/possible A possible bug that has not yet been confirmed label Nov 20, 2022
@lennykean lennykean changed the title Documentation for configurating up as a client Documentation for configurating as a client Nov 21, 2022
@chriscoveyduck

Here is a set of config instructions I used recently to get an ERX working as a client, routing all traffic via my Docker-based WireGuard server. I found all the steps online tend to refer to EdgeRouter as a server, not the client, so I hope this config is useful.

The main issue I came across was a discrepancy in how VyOS and EdgeOS implement the routing steps. On EdgeOS, defining 0.0.0.0/0 in the peer's allowed-ips and setting route-allowed-ips to true (default) causes a conflict with the default route on eth0.

To get around this, I set route-allowed-ips to false and used Policy Based Routing to select traffic from INSIDE and route it across the WireGuard tunnel.

Topology: EdgeRouterX (ERX) as a Wireguard client connecting to central Wireguard server.

ERX:
- eth0 (Outside, DHCP)
- eth1 (Inside, 192.168.1.1/24)
- wg01 (WireGuard, 10.13.13.5/24)

WireGuard server:
- [fqdn/IP]:51820
- wg01 (10.13.13.1/24)

Prerequisites

  1. ERX defaulted and configured for WAN access using GUI.
  2. Latest firmware applied
  3. Peer config generated on Wireguard server and shared

Install Wireguard on ERX

curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/${RELEASE}/${BOARD}-${RELEASE}.deb
sudo dpkg -i ${BOARD}-${RELEASE}.deb

Configure a Wireguard interface (wg01)

set interfaces wireguard wg01 address 10.13.13.5/24
set interfaces wireguard wg01 private-key [peer private key]
set interfaces wireguard wg01 port 51820
set interfaces wireguard wg01 description wg-interface
set interfaces wireguard wg01 route-allowed-ips false

Add the Wireguard server peer

set interfaces wireguard wg01 peer '[server public key]' allowed-ips 0.0.0.0/0
set interfaces wireguard wg01 peer '[server public key]' preshared-key '[preshared-key]'
set interfaces wireguard wg01 peer '[server public key]' endpoint [server fqdn/IP]:51820

Add a static route for the new wg01 interface

set protocols static route 0.0.0.0/0 interface wg01

Add the firewall rule for WAN_LOCAL to allow wireguard connections (might not be needed for one-way, check you don't already have a rule 40)

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description WireGuard_IN
set firewall name WAN_LOCAL rule 40 destination port 51820
set firewall name WAN_LOCAL rule 40 log enable
set firewall name WAN_LOCAL rule 40 protocol udp
set firewall name WAN_LOCAL rule 40 source

Configure NAT on the tunnel, required in this example as Wireguard server only defines 10.13.13.5/32 in allowed-ips for the peer

set service nat rule 5001 description 'source NAT for wireguard'
set service nat rule 5001 outbound-interface wg01
set service nat rule 5001 type masquerade
set service nat rule 5001 protocol all
set service nat rule 5001 source address 192.168.1.0/24

Configure Policy Based Routing (PBR) to route all traffic for ERX 'INSIDE' across Wireguard

set protocols static table 100 route 0.0.0.0/0 next-hop 10.13.13.1
set firewall modify PBR rule 100 description route-wireguard
set firewall modify PBR rule 100 source address 192.168.1.0/24
set firewall modify PBR rule 100 modify table 100
set interfaces switch switch0 firewall in modify PBR

Please note that on the ERX ports 1-4 are configured on a switch; if you were doing this on an ER4 or above, you would need to modify that last command to apply the modify PBR to one of the interfaces, not the switch.

Commit and test the config, save when sure it's working

commit
save

@lennykean
Author

Thanks @chriscoveyduck! That helped get me working. Some of my settings were a little different, which I think comes down to differences between ERX and ERL. But it was a good guide to steer me in the right direction. Thanks!

It would be great to see some official documentation for this use case.

@iolate

iolate commented Nov 27, 2023

I succeeded with route-allowed-ips true
(but routed only specific subnets; I didn't test with all traffic).

configure

set interfaces wireguard wg1 address 10.13.13.5/24
set interfaces wireguard wg1 route-allowed-ips true
set interfaces wireguard wg1 private-key [omit]

set interfaces wireguard wg1 peer [omit] endpoint server-address:51820
set interfaces wireguard wg1 peer [omit] allowed-ips 10.13.13.0/24
set interfaces wireguard wg1 peer [omit] allowed-ips 192.168.0.0/24

set service nat rule 5001 description 'source NAT for wireguard'
set service nat rule 5001 outbound-interface wg1
set service nat rule 5001 type masquerade
set service nat rule 5001 protocol all
set service nat rule 5001 source address 192.168.1.0/24

commit
save

Without the NAT config, the ER itself can communicate over WireGuard but devices behind the ER cannot.
I just added the NAT rule, and now it works!
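The three comments above describe one mechanism from three angles: why route-allowed-ips true clashes with the WAN default route at commit time, how the PBR table plus a static route sends INSIDE traffic into the tunnel instead, and why source NAT on the tunnel is needed when the server only lists the client's /32 in its allowed-ips. The following is a constructed model of that forwarding path written for this thread; it is not code from wireguard-vyatta-ubnt or EdgeOS, the topology is the ERX example above, and the ISP gateway address is made up.

```python
"""
Model of the EdgeOS client setup discussed in this issue: the commit-time
clash that 'route-allowed-ips true' produces against the WAN default route,
policy-based routing (firewall modify -> table 100), source NAT on the
tunnel, and the WireGuard server's cryptokey-routing check of the inner
source address against the peer's allowed-ips.
Constructed illustration, not project code; addresses are from the ERX
example in this thread, the ISP gateway is made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

WG_IF = "wg01"
WG_LOCAL = ip_address("10.13.13.5")        # ERX tunnel address
WG_SERVER = ip_address("10.13.13.1")       # server tunnel address
LAN = ip_network("192.168.1.0/24")

# Route entries: (prefix, outgoing interface or None, next hop or None)
Route = Tuple[IPv4Network, Optional[str], Optional[IPv4Address]]
MAIN_TABLE: List[Route] = [
    (ip_network("0.0.0.0/0"), "eth0", ip_address("203.0.113.1")),  # WAN default from DHCP (constructed gateway)
    (LAN, "switch0", None),                                         # connected LAN
    (ip_network("10.13.13.0/24"), WG_IF, None),                     # connected tunnel subnet
]
# set protocols static table 100 route 0.0.0.0/0 next-hop 10.13.13.1
TABLE_100: List[Route] = [(ip_network("0.0.0.0/0"), None, WG_SERVER)]
# set firewall modify PBR rule 100 source address 192.168.1.0/24 -> modify table 100, applied 'in' on switch0
PBR = {"switch0": [(LAN, TABLE_100)]}
# set service nat rule 5001 outbound-interface wg01 type masquerade source address 192.168.1.0/24
SNAT = [(WG_IF, LAN)]
# The server side only lists 10.13.13.5/32 for this peer
SERVER_ALLOWED_IPS = [ip_network("10.13.13.5/32")]


def route_allowed_ips_conflicts(allowed_ips, wg_iface=WG_IF, table=MAIN_TABLE):
    """With route-allowed-ips true every allowed-ips prefix becomes a main-table
    route. Return the prefixes another interface already routes: the situation
    behind the 'conflicts with an existing route' commit error."""
    owned = {prefix for prefix, iface, _ in table if iface != wg_iface}
    return [p for p in allowed_ips if ip_network(p) in owned]


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    ingress: Optional[str]   # None = generated by the router itself


@dataclass
class Result:
    egress: Optional[str]
    src_after_nat: IPv4Address
    accepted_by_server: Optional[bool]   # None when the packet never enters the tunnel


def packet(src, dst, ingress=None):
    return Packet(ip_address(src), ip_address(dst), ingress)


def lookup(table, dst):
    """Longest-prefix match; returns (iface, next_hop) or None."""
    best = None
    for prefix, iface, nh in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface, nh)
    return None if best is None else (best[1], best[2])


def resolve(table, dst):
    """Egress interface for dst, resolving a next-hop-only entry via the main table."""
    hit = lookup(table, dst)
    if hit is None:
        return None
    iface, nh = hit
    if iface is None:
        via = lookup(MAIN_TABLE, nh)
        iface = None if via is None else via[0]
    return iface


def forward(pkt, masquerade=True):
    """PBR table selection -> route lookup -> SNAT -> server-side allowed-ips check."""
    table = MAIN_TABLE
    for src_net, alt in PBR.get(pkt.ingress, []):
        if pkt.src in src_net:
            table = alt
            break
    egress = resolve(table, pkt.dst)
    if egress is None:
        return Result(None, pkt.src, None)
    src = pkt.src
    if masquerade and any(egress == o and pkt.src in n for o, n in SNAT):
        src = WG_LOCAL
    accepted = any(src in n for n in SERVER_ALLOWED_IPS) if egress == WG_IF else None
    return Result(egress, src, accepted)


if __name__ == "__main__":
    print(route_allowed_ips_conflicts(["0.0.0.0/0"]))           # ['0.0.0.0/0']
    print(forward(packet("192.168.1.10", "203.0.113.10", "switch0")))
    print(forward(packet("192.168.1.10", "203.0.113.10", "switch0"), masquerade=False))
```

Running it shows the chain the comments describe: a LAN host's packet is steered into table 100 by the PBR rule, leaves via wg01 with its source rewritten to 10.13.13.5, and passes the server's allowed-ips check; with masquerade switched off the same packet still enters the tunnel but arrives with a 192.168.1.x source that the server's cryptokey routing rejects, which matches the "ER itself works, devices behind it don't" symptom. The model ignores local delivery to the router's own addresses and the firewall zones, so it says nothing about the WAN_LOCAL rule.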
