When moving from rc6 to epa2 I have a vrf that breaks. The scenario is a vrf with wireguard and a local 802.1q ethernet interface. All traffic going upstream through WG is NATed. ICMP still works properly, so NAT should be semi-working at least. However DNS, SSH and HTTP all fail.
Relevant VyOS config:
set interfaces wireguard wg2 address '10.33.33.11/32'
set interfaces wireguard wg2 peer vpn address '1.2.3.4'
set interfaces wireguard wg2 peer vpn allowed-ips '0.0.0.0/0'
set interfaces wireguard wg2 peer vpn port '1234'
set interfaces wireguard wg2 peer vpn pubkey '1234'
set interfaces wireguard wg2 private-key 'vpnprivkey'
set interfaces wireguard wg2 vrf 'vpn'

(rule 50 is for the non-vrf traffic, rule 100 is for the VRF traffic)

set nat source rule 50 outbound-interface 'eth0'
set nat source rule 50 protocol 'all'
set nat source rule 50 source address '10.0.0.0/8'
set nat source rule 50 translation address 'masquerade'
set nat source rule 100 outbound-interface 'wg2'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '10.100.100.0/24'
set nat source rule 100 translation address 'masquerade'

set interfaces ethernet eth1 vif 50 address '10.100.100.1/24'
set interfaces ethernet eth1 vif 50 vrf 'vpn'

set protocols vrf vpn static interface-route 0.0.0.0/0 next-hop-interface wg2
5.5.5.5 is a linux host out on the internet, WG2 has to be traversed to reach it
10.100.100.10 is a local linux host running a ssh client, eth1 vif 50 as default gw
RC6
In this test 10.100.100.10 SSHs to 5.5.5.5.
SSH works, so does ICMP.
[NEW] tcp 6 120 SYN_SENT src=10.100.100.10 dst=5.5.5.5 sport=46436 dport=22 [UNREPLIED] src=5.5.5.5 dst=10.33.33.11 sport=22 dport=46436
[UPDATE] tcp 6 60 SYN_RECV src=10.100.100.10 dst=5.5.5.5 sport=46436 dport=22 src=5.5.5.5 dst=10.33.33.11 sport=22 dport=46436
[UPDATE] tcp 6 432000 ESTABLISHED src=10.100.100.10 dst=5.5.5.5 sport=46436 dport=22 src=5.5.5.5 dst=10.33.33.11 sport=22 dport=46436 [ASSURED]
EPA2
In this test 10.100.100.10 SSHs to 5.5.5.5.
SSH fails, ICMP works
[NEW] tcp 6 120 SYN_SENT src=10.100.100.10 dst=5.5.5.5 sport=46478 dport=22 [UNREPLIED] src=5.5.5.5 dst=10.33.33.11 sport=22 dport=46478
[UPDATE] tcp 6 432000 ESTABLISHED src=10.100.100.10 dst=5.5.5.5 sport=46478 dport=22 src=5.5.5.5 dst=10.33.33.11 sport=22 dport=46478 [ASSURED]
[NEW] tcp 6 300 ESTABLISHED src=5.5.5.5 dst=10.100.100.10 sport=22 dport=46478 [UNREPLIED] src=10.100.100.10 dst=5.5.5.5 sport=46478 dport=42
[DESTROY] tcp 6 src=5.5.5.5 dst=10.100.100.10 sport=22 dport=46478 [UNREPLIED] src=10.100.100.10 dst=5.5.5.5 sport=46478 dport=42
[UPDATE] tcp 6 10 CLOSE src=10.100.100.10 dst=5.5.5.5 sport=46478 dport=22 src=5.5.5.5 dst=10.33.33.11 sport=22 dport=46478 [ASSURED]
[NEW] tcp 6 300 ESTABLISHED src=5.5.5.5 dst=10.100.100.10 sport=22 dport=46478 [UNREPLIED] src=10.100.100.10 dst=5.5.5.5 sport=46478 dport=19
[DESTROY] tcp 6 src=5.5.5.5 dst=10.100.100.10 sport=22 dport=46478 [UNREPLIED] src=10.100.100.10 dst=5.5.5.5 sport=46478 dport=19
I can boot between rc6 and epa2 to get more details if required.
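Added example, not code from the post or from VyOS: a small Python parser for `conntrack -E` event lines that flags the symptom visible in the EPA2 trace, namely a [NEW] entry born directly in ESTABLISHED whose tuple is the mirror image of a flow conntrack is already tracking, which is what return traffic from the WireGuard side looks like when it is not matched back to the masqueraded flow. The sample inputs are the post's own RC6 and EPA2 events, one per line; the check names and thresholds are my own.

```python
import re

# Sample inputs taken from the post's conntrack -E output, one event per
# line. RC6 is the working case, EPA2 the failing one.
RC6_EVENTS = """\
[NEW] tcp 6 120 SYN_SENT src=10.100.100.10 dst=5.5.5.5 sport=46436 dport=22 [UNREPLIED] src=5.5.5.5 dst=10.33.33.11 sport=22 dport=46436
[UPDATE] tcp 6 60 SYN_RECV src=10.100.100.10 dst=5.5.5.5 sport=46436 dport=22 src=5.5.5.5 dst=10.33.33.11 sport=22 dport=46436
[UPDATE] tcp 6 432000 ESTABLISHED src=10.100.100.10 dst=5.5.5.5 sport=46436 dport=22 src=5.5.5.5 dst=10.33.33.11 sport=22 dport=46436 [ASSURED]
""".splitlines()
EPA2_EVENTS = """\
[NEW] tcp 6 120 SYN_SENT src=10.100.100.10 dst=5.5.5.5 sport=46478 dport=22 [UNREPLIED] src=5.5.5.5 dst=10.33.33.11 sport=22 dport=46478
[UPDATE] tcp 6 432000 ESTABLISHED src=10.100.100.10 dst=5.5.5.5 sport=46478 dport=22 src=5.5.5.5 dst=10.33.33.11 sport=22 dport=46478 [ASSURED]
[NEW] tcp 6 300 ESTABLISHED src=5.5.5.5 dst=10.100.100.10 sport=22 dport=46478 [UNREPLIED] src=10.100.100.10 dst=5.5.5.5 sport=46478 dport=42
[DESTROY] tcp 6 src=5.5.5.5 dst=10.100.100.10 sport=22 dport=46478 [UNREPLIED] src=10.100.100.10 dst=5.5.5.5 sport=46478 dport=42
""".splitlines()

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
STATE_RE = re.compile(r"\b(SYN_SENT|SYN_RECV|ESTABLISHED|FIN_WAIT|CLOSE_WAIT|LAST_ACK|TIME_WAIT|CLOSE)\b")

def parse_event(line):
    """Return (kind, state, orig, reply): kind is NEW/UPDATE/DESTROY, state the TCP
    state ('' if absent); orig/reply are (src, dst, sport, dport) string tuples,
    reply being what conntrack expects return packets to carry after NAT."""
    kind = line[1:line.index("]")]
    state = STATE_RE.search(line)
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError(f"expected an original and a reply tuple: {line!r}")
    return kind, state.group(1) if state else "", tuples[0], tuples[1]

def find_unmatched_replies(lines):
    """Return [(line_no, reasons)] for NEW entries that look like return traffic
    conntrack failed to match to a flow it already tracks."""
    active, findings = set(), []   # active: original tuples of live flows
    for no, line in enumerate(lines, 1):
        kind, state, orig, _reply = parse_event(line)
        if kind == "DESTROY":
            active.discard(orig)
        elif kind == "NEW":
            reasons = []
            src, dst, sport, dport = orig
            if (dst, src, dport, sport) in active:
                reasons.append("mirror image of an active flow's original tuple")
            if state == "ESTABLISHED":   # a TCP entry created without a SYN
                reasons.append("created mid-stream, no SYN seen")
            if reasons:
                findings.append((no, reasons))
            else:
                active.add(orig)
    return findings
```

Running it over a live `conntrack -E` capture on the router (one event per line) reports the line numbers of the stray entries, which is quicker than reading the trace by hand when the SSH handshake is retried several times.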