I have Rocky Linux 8.4 (Green Obsidian) aarch64 installed on my Raspberry Pi 3 model B, using an image supplied by a community member here. I enabled EPEL, but because of the Pi’s ARM arch I couldn’t use elrepo. As such, I added the jdoss/wireguard
COPR repo to install wireguard-dkms
.
Everything is working perfectly on the WireGuard side. I have the Pi set up as ‘server’ (in as much as WireGuard is actually P2P), and firewalld is enabled to provide masquerade for clients. Since the Public zone is default, both interfaces (eth0
and wg0
) had been added to it, and clients are able to connect and use the Internet via WG/the Pi as you’d expect.
When I move the eth0
interface to another zone, such as Trusted or Home, the remote WireGuard clients stop having Internet access, and receive no data back from the Pi/server. They can ping the VPN server address (172.16.37.1) but not the wider non-VPN LAN or Internet. Moving back the eth0
interface to Public alongside wg0
restores connectivity.
I am more used to running WireGuard on Debian and Arch, and as such don’t normally use firewalld. Can anyone help me out with some pointers please? I’m wondering if it’s because masquerade is only enabled on Public, but the traffic needs to hit Home (for example) to see my main network and the router out to the wider Internet? That doesn’t really make sense to me, however, as the whole point of masquerade on Public is to allow it to route out clients to other zones/interfaces.
Or perhaps there’s a setting related to inter-zone communication I haven’t read about yet, similar to how policies work in Shorewall? I did do a test run using Fedora 34 in a VM, before setting up the ‘real’ WG server on Rocky in production. On my Fedora VM, the traffic passes just fine even with the two interfaces in separate zones. On Rocky this isn’t the case.
Ideally, I want the two interfaces on separate zones. Since the WG server only needs to listen on its own port (51820/udp) and nothing else, that’s all the zone needs to allow (plus masquerade). My main eth0
interface on the other hand is connected to my physical LAN and needs to listen on other ports (including SSH, MDNS, DHCP etc). I’d rather not leave all those ports exposed on the WireGuard zone, but for now I’ve had to.
Thanks in advance for any pointers, help or support.
My /etc/wireguard/wg0.conf
-
[Interface]
Address = 172.16.37.1/24
ListenPort = 51820
PrivateKey = (redacted)
#PublicKey = (redacted)
MTU = 1420
[Peer]
PublicKey = (redacted)
AllowedIPs = 172.16.37.2/32
[Peer]
PublicKey = (redacted)
AllowedIPs = 172.16.37.3/32
Output for firewall-cmd
:
root@raspi > firewall-cmd --zone=public --list-ports
51820/udp
root@raspi > firewall-cmd --zone=public --list-services
cockpit ssh
root@raspi > firewall-cmd --get-active-zones
public
interfaces: wg0 eth0