Hi everyone,
I'm currently working on a setup to build a redundant connection with as little failover impact as possible, based on 2 ISPs (one DHCP, one PPPoE) and WireGuard.
The setup consists of 2 uplink interfaces in 2 different VRFs:
interfaces {
    ethernet eth1 {
        vif 10 {
            address dhcp
            vrf red
        }
    }
    pppoe pppoe1 {
        authentication {
            password $PASSWD
            user $USER
        }
        vrf blue
        default-route auto
        source-interface eth0
    }
}

Through each of these interfaces there shall be a WireGuard tunnel to another VyOS instance in the cloud; each tunnel has a different endpoint:
wireguard wg0 {
    address 198.51.100.1/32
    peer A {
        address 192.0.2.1
        allowed-ips 0.0.0.0/0
        port 51820
        pubkey ****************
    }
    private-key ****************
}
wireguard wg1 {
    address 198.51.100.3/32
    peer A {
        address 192.0.2.3
        allowed-ips 0.0.0.0/0
        port 51820
        pubkey ****************
    }
    private-key ****************
}

Because you cannot define a VRF for a WireGuard peer or define a source interface, there is a route leak to the default VRF configured for each endpoint:
protocols {
    static {
        interface-route 192.0.2.1/32 {
            next-hop-interface eth1.10 {
                next-hop-vrf red
            }
        }
        interface-route 192.0.2.3/32 {
            next-hop-interface pppoe1 {
                next-hop-vrf blue
            }
        }
    }
}

Now to the issues with this setup:
- Ping to 192.0.2.1 within vrf red is working
- Ping to 192.0.2.3 within vrf blue is working
- Ping to 192.0.2.1 (connected through eth1.10) within default vrf is not working
- Ping to 192.0.2.3 (connected through pppoe1) within default vrf is working
- Neither of the WireGuard tunnels is working.
The routing table looks fine to me:
vyos@home:~$ show ip route
S>* 192.0.2.1/32 [1/0] is directly connected, eth1.10 (vrf red), weight 1, 01:33:36
S>* 192.0.2.3/32 [1/0] is directly connected, pppoe1 (vrf blue), weight 1, 01:33:36
I'm not sure if I made a config mistake here or if this is a VRF-related bug.
Regarding the WireGuard tunnel, I based my config on this forum entry: https://forum.vyos.io/t/vpn-tunnel-underlay-vrf-support/5611
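An added example, not part of the post above and not VyOS project code: a small checker that takes FRR-style `show ip route` output (the format the post's routing table is in) plus the WireGuard peer endpoints, finds the route the default VRF would pick for each endpoint, and flags two things worth verifying by hand on a leaked-route setup. First, a "directly connected" host route on a broadcast interface such as eth1.10 means the kernel resolves the endpoint itself with ARP on that link instead of sending to the uplink's gateway, which `ip neigh show dev eth1.10` would show as an INCOMPLETE or FAILED entry; a point-to-point interface such as pppoe1 needs no neighbour resolution. Second, a next hop in another VRF means replies come back on that VRF's interface, so whether the unbound WireGuard UDP socket in the default VRF receives them depends on the `net.ipv4.udp_l3mdev_accept` sysctl. The route lines, the endpoint list and the set of point-to-point interface names (standing in for the POINTOPOINT flag `ip link` reports) are all constructed inline; none of them are a capture from the poster's router.

```python
"""Check leaked default-VRF routes for WireGuard endpoints (added example, not from the post)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# FRR/zebra route line, e.g.
#   S>* 192.0.2.1/32 [1/0] is directly connected, eth1.10 (vrf red), weight 1, 01:33:36
#   K>* 0.0.0.0/0 [0/0] via 203.0.113.1, eth0, 00:10:00
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])(?P<fib>[> ])(?P<sel>[* ]) "
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?: \[(?P<ad>\d+)/(?P<metric>\d+)\])? "
    r"(?:via (?P<gateway>\S+), (?P<gw_iface>[^,( ]+)"
    r"|is directly connected, (?P<conn_iface>[^,( ]+))"
    r"(?: \(vrf (?P<vrf>[^)]+)\))?"
)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str]   # None for a connected (on-link) route
    vrf: Optional[str]       # next-hop VRF when the route is leaked from another VRF
    installed: bool          # FRR '>' and '*': selected and present in the FIB


def parse_routes(text: str) -> List[Route]:
    """Parse 'show ip route' output; the prompt, legend and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append(Route(
            prefix=ipaddress.ip_network(m["prefix"], strict=False),
            iface=m["gw_iface"] or m["conn_iface"],
            gateway=m["gateway"],
            vrf=m["vrf"],
            installed=(m["fib"] == ">" and m["sel"] == "*"),
        ))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over installed routes: what the default VRF's FIB would use."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if r.installed and addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


@dataclass
class Verdict:
    endpoint: str
    iface: Optional[str] = None
    vrf: Optional[str] = None
    on_link_broadcast: bool = False   # connected host route over a non-point-to-point link
    cross_vrf: bool = False           # next hop lives in another VRF
    notes: List[str] = field(default_factory=list)


def check_endpoint(routes: List[Route], endpoint: str, p2p_ifaces: set) -> Verdict:
    v = Verdict(endpoint=endpoint)
    r = lookup(routes, endpoint)
    if r is None:
        v.notes.append("no route in the default VRF; the WireGuard socket is not bound "
                       "to a VRF, so handshake packets have no way out")
        return v
    v.iface, v.vrf = r.iface, r.vrf
    if r.gateway is None and r.iface not in p2p_ifaces:
        v.on_link_broadcast = True
        v.notes.append(f"connected host route on broadcast interface {r.iface}: the kernel "
                       f"ARPs for {endpoint} on that link instead of using the uplink gateway "
                       f"(check 'ip neigh show dev {r.iface}')")
    if r.vrf is not None:
        v.cross_vrf = True
        v.notes.append(f"next hop is in vrf {r.vrf}: replies arrive on that VRF's interface; "
                       f"check net.ipv4.udp_l3mdev_accept for the unbound UDP socket")
    return v


def check_endpoints(route_text: str, endpoints, p2p_ifaces) -> Dict[str, Verdict]:
    routes = parse_routes(route_text)
    return {ep: check_endpoint(routes, ep, set(p2p_ifaces)) for ep in endpoints}


# Constructed sample in the shape of the post's routing table (not a real capture).
SAMPLE_ROUTES = """\
vyos@home:~$ show ip route
C>* 192.168.10.0/24 [0/0] is directly connected, eth0, 01:40:12
S>* 192.0.2.1/32 [1/0] is directly connected, eth1.10 (vrf red), weight 1, 01:33:36
S>* 192.0.2.3/32 [1/0] is directly connected, pppoe1 (vrf blue), weight 1, 01:33:36
"""
# Constructed: interfaces 'ip link' would report as POINTOPOINT (no ARP on the link).
P2P_IFACES = {"pppoe1", "wg0", "wg1"}
# The post's two endpoints plus a hypothetical third one with no route at all.
ENDPOINTS = ["192.0.2.1", "192.0.2.3", "192.0.2.5"]

if __name__ == "__main__":
    for ep, v in check_endpoints(SAMPLE_ROUTES, ENDPOINTS, P2P_IFACES).items():
        print(f"{ep}: iface={v.iface} vrf={v.vrf}")
        for n in v.notes:
            print(f"  - {n}")
```

On the constructed input the checker reports 192.0.2.1 as both on-link over a broadcast interface and cross-VRF, 192.0.2.3 as cross-VRF only, and 192.0.2.5 as unroutable from the default VRF. Whether either finding is the cause of a given failure still has to be confirmed on the box with `ip neigh`, `ip route get` from the default VRF and the sysctl named in the note; the script only tells you where to look.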