If you are looking for traffic engineering your traffic into Torguard’s WireGuard server, I hope this post will be some kind of help or at least help point you to what you are looking for. What we have done from the previous post, we have enabled WireGuard and configured VyOS WireGuard to establish a secure tunnel from our VyOS router/firewall to Torguard WireGuard.
The firewall rules examples shown in this post are the zone-based firewall instead of the typical interface firewalling. I use zone-based because it is easier to manage and I use zone base firewalls at my day-to-day job.
I am going to use my test Emby server as a guinea pig. The scenario is route normally locally, but for Internet access, route via Torguard. The traceroute below shows the paths.
# Local routing [email protected]:~# traceroute 10.0.20.10 traceroute to 10.0.20.10 (10.0.20.10), 30 hops max, 60 byte packets 1 10.0.7.1 (10.0.7.1) 0.236 ms 0.599 ms 0.585 ms 2 10.0.20.10 (10.0.20.10) 1.167 ms 0.993 ms * [email protected]:~# # Internet access [email protected]:~# traceroute -n 1.1.1.1 traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets 1 10.0.7.1 0.220 ms 0.266 ms 0.284 ms 2 96.120.104.209 13.351 ms 13.339 ms 13.344 ms 3 68.87.139.9 13.088 ms 13.297 ms 13.709 ms 4 68.86.205.173 22.035 ms 22.025 ms 22.003 ms 5 96.110.40.29 18.495 ms 23.169 ms 96.110.40.25 23.737 ms 6 96.110.37.134 17.027 ms 96.110.37.142 17.624 ms 96.110.37.134 17.558 ms 7 173.167.57.102 17.534 ms 15.219 ms 14.944 ms 8 1.1.1.1 14.674 ms 14.451 ms 14.652 ms [email protected]:~#
To complete to our objectives in our scenario, we need to implement are the following:
- Source NAT
- Firewall policy
- Policy-based routing
Let’s create a source NAT. Since Torguard only provided a single 10.29.0.x IP address for our WireGuard interface, we need to masquerade our internal IP address(es) to tunnel through the WireGuard tunnel.
set nat source rule 1500 description 'torguard source nat' set nat source rule 1500 outbound-interface 'wg1000' set nat source rule 1500 source address '10.0.0.0/14' set nat source rule 1500 translation address 'masquerade'
Since the zone-based statefull firewall is enabled, we need to create firewall rules to allow traffic from one zone to torguard zone. We need to create firewall rules then create a zone for Torguard and add the WireGuard interface wg1000 that was created previously to the Torguard zone.
# Create a firewall rules set firewall name all_to_torguard default-action 'drop' set firewall name all_to_torguard rule 100 action 'accept' # Create zone and add the firewall rules and wg1000 interface to the zone set zone-policy zone torguard default-action 'drop' set zone-policy zone torguard from server firewall name 'all_to_torguard' set zone-policy zone torguard from trust firewall name 'all_to_torguard' set zone-policy zone torguard interface 'wg1000'
Now that we have source NAT and firewall rules that will allow the traffic. We need to traffic engineer the Emby traffic. The objectives are local routes should be routed normally and Internet routes should be routed to the Torguard. To accomplish this, we need to create two rules – one for the local routes and the other for the Internet routes.
set policy route torguard rule 2000 description 'route normally' set policy route torguard rule 2000 destination address '10.0.0.0/14' set policy route torguard rule 2000 set table 'main' set policy route torguard rule 2000 source address '10.0.7.106/32' set policy route torguard rule 2001 description 'destination torguard' set policy route torguard rule 2001 destination address '0.0.0.0/0' set policy route torguard rule 2001 set table '1' set policy route torguard rule 2001 source address '10.0.7.106/32' set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface wg1000
Once the policy and static route have been created, we need to apply the policy to the inbound interface.
set interfaces bonding bond0 vif 7 policy route 'torguard'
Once completed, verify the traffic path with traceroute. As you can see, the local routing is being routed normally. However, the traceroute to 1.1.1.1 took a different path compare to the example previously.
# Local routing [email protected]:~# traceroute -n 10.0.20.10 traceroute to 10.0.20.10 (10.0.20.10), 30 hops max, 60 byte packets 1 10.0.7.1 0.400 ms 0.780 ms 0.740 ms 2 10.0.20.10 0.524 ms * * [email protected]:~# # Internet access [email protected]:~# traceroute -n 1.1.1.1 traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets 1 10.0.7.1 0.428 ms 0.720 ms 0.697 ms 2 10.29.0.1 89.258 ms 94.975 ms 94.817 ms 3 128.199.32.253 95.464 ms 95.368 ms 95.261 ms 4 138.197.250.120 95.701 ms 138.197.250.114 96.016 ms 138.197.250.98 95.632 ms 5 138.197.250.80 95.293 ms 138.197.250.92 95.357 ms 138.197.250.94 95.402 ms 6 80.249.211.140 106.648 ms 111.388 ms 116.864 ms 7 1.1.1.1 95.392 ms 91.034 ms 91.958 ms [email protected]:~#
We can also use the show policy route statistics
command to verify that it is working.
$ show policy route statistics ------------------------ Firewall Global Settings ------------------------ Firewall state-policy for all IPv4 and Ipv6 traffic state action log ----- ------ --- invalid drop enabled established accept disabled related accept disabled ----------------------------- Rulesets Information ----------------------------- -------------------------------------------------------------------------------- IPv4 Policy Route "torguard": Active on (bond0.7,ROUTE) rule packets bytes action source destination ---- ------- ----- ------ ------ ----------- 2000 474 36.75K 10.0.7.106/32 10.0.0.0/14 2001 891 216.17K 10.0.7.106/32 0.0.0.0/0 10000 9.10M 10.39G DROP 0.0.0.0/0 0.0.0.0/0
That should complete this post. Hope you’ll find this helpful.
Cheers!
Hello, what is the “vif 7” here? If my vyos is acting as a router and receiving packets on eth1 from local network, how can I bond the policy to eth1?
The VyOS router I was using was a router-on-a-stick. Meaning, there are multiple VLANs between the router and a switch. In the example, I was using the interface that was tagged as VLAN 7. In your case, you will implement your policy under “set interfaces ethernet eth1 policy route “