
Route leaking to default VRF in Wireguard
Open, Normal, Public, BUG

Description

Hi everyone,

I'm currently working on a setup to build a redundant connection with as little failover impact as possible, based on 2 ISPs (one DHCP, one PPPoE) and Wireguard.

The setup consists of 2 uplink interfaces in 2 different VRFs:

interfaces {
    ethernet eth1 {
        vif 10 {
            address dhcp
            vrf red
        }
    }
    pppoe pppoe1 {
        authentication {
            password $PASSWD
            user $USER
        }
        vrf blue
        default-route auto
        source-interface eth0
    }
}

Through each of these interfaces there shall be a wireguard tunnel to another vyos instance in the cloud; each tunnel has a different endpoint:

wireguard wg0 {
    address 198.51.100.1/32
    peer A {
        address 192.0.2.1
        allowed-ips 0.0.0.0/0
        port 51820
        pubkey ****************
    }
    private-key ****************
}
wireguard wg1 {
    address 198.51.100.3/32
    peer A {
        address 192.0.2.3
        allowed-ips 0.0.0.0/0
        port 51820
        pubkey ****************
    }
    private-key ****************
}

Because you cannot define a VRF for a wireguard peer or define a source interface, there is a route leak to the default vrf configured for each endpoint:

protocols {
    static {
        interface-route 192.0.2.1/32 {
            next-hop-interface eth1.10 {
                next-hop-vrf red
            }
        }
        interface-route 192.0.2.3/32 {
            next-hop-interface pppoe1 {
                next-hop-vrf blue
            }
        }
    }
}

Now to the issues with this setup:

  • Ping to 192.0.2.1 within vrf red is working
  • Ping to 192.0.2.3 within vrf blue is working
  • Ping to 192.0.2.1 (connected through eth1.10) within default vrf is not working
  • Ping to 192.0.2.3 (connected through pppoe1) within default vrf is working
  • Neither of the wireguard tunnels is working.

The routing table is looking fine to me:

vyos@home:~$ show ip route

S>* 192.0.2.1/32 [1/0] is directly connected, eth1.10 (vrf red), weight 1, 01:33:36
S>* 192.0.2.3/32 [1/0] is directly connected, pppoe1 (vrf blue), weight 1, 01:33:36

I'm not sure if I made a config mistake here or if this is a VRF-related bug.
Regarding the wireguard tunnel, I based my config on this forum entry: https://forum.vyos.io/t/vpn-tunnel-underlay-vrf-support/5611
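The workaround in this report depends on one leaked /32 route per WireGuard endpoint pointing into the right underlay VRF. The following added check (not VyOS code, and not part of the report) parses the quoted "show ip route" lines and verifies that every peer endpoint is leaked from the VRF its uplink lives in; the peer table and the expected-VRF mapping are constructed from the values in the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two static routes quoted in the report.
ROUTE_OUTPUT = """\
S>* 192.0.2.1/32 [1/0] is directly connected, eth1.10 (vrf red), weight 1, 01:33:36
S>* 192.0.2.3/32 [1/0] is directly connected, pppoe1 (vrf blue), weight 1, 01:33:36
"""

# Constructed from the report: tunnel -> (peer endpoint, VRF of the underlay uplink).
PEERS: Dict[str, Tuple[str, str]] = {
    "wg0": ("192.0.2.1", "red"),
    "wg1": ("192.0.2.3", "blue"),
}

# Matches FRR's "directly connected" static route line, with an optional "(vrf X)" suffix.
ROUTE_RE = re.compile(
    r"^S>\*\s+(?P<prefix>\S+)\s+\[\d+/\d+\]\s+is directly connected,\s+"
    r"(?P<iface>[^\s,]+)(?:\s+\(vrf (?P<vrf>[^)]+)\))?"
)


@dataclass(frozen=True)
class LeakedRoute:
    prefix: str
    iface: str
    vrf: Optional[str]  # None: next-hop interface is in the default VRF, so nothing is leaked


def parse_leaked_routes(text: str) -> Dict[str, LeakedRoute]:
    """Parse static interface-routes from 'show ip route' output, keyed by destination prefix."""
    routes: Dict[str, LeakedRoute] = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes[m["prefix"]] = LeakedRoute(m["prefix"], m["iface"], m["vrf"])
    return routes


def check_endpoint_leaks(peers: Dict[str, Tuple[str, str]],
                         routes: Dict[str, LeakedRoute]) -> List[str]:
    """Return one finding per peer whose endpoint is not leaked from the expected VRF."""
    findings: List[str] = []
    for tunnel, (endpoint, expected_vrf) in peers.items():
        route = routes.get(f"{endpoint}/32")
        if route is None:
            findings.append(f"{tunnel}: no /32 route to {endpoint} in the default VRF")
        elif route.vrf is None:
            findings.append(f"{tunnel}: route to {endpoint} via {route.iface} is not leaked from any VRF")
        elif route.vrf != expected_vrf:
            findings.append(f"{tunnel}: {endpoint} is leaked from vrf {route.vrf}, expected {expected_vrf}")
    return findings
```

Run on the report's own routing table the check returns no findings, so the missing ping via eth1.10 is not explained by a missing or misdirected leak route.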

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.3-rolling-202012250217
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

erkin renamed this task from "Route Leaking to Default VRF not working properly" to "Route leaking to default VRF in Wireguard". Aug 29 2021, 11:51 AM
erkin set Issue type to Bug (incorrect behavior).
erkin removed a subscriber: Active contributors.