Vrouter wireguard


Versions of the related components and OS (frontend, hypervisors, VMs): version 7.0.1, KVM hypervisor

Steps to reproduce: create a WireGuard VPN between two sites with vrouter using vr_wg (OpenNebula/one-apps Wiki on GitHub)

Current results: if I make changes to the /etc/wireguard/wg0.conf file, they don't survive a reboot

Expected results:

I have onegate working and can see the proper results if I do

onegate vm show --json | grep '"ONEGATE_VNF_WG_PEER0"' | cut -d'"' -f4 | base64 -d

but it won't show in the conf file. Can someone help me troubleshoot what I might be doing wrong? Let me know if more info is needed.
TIA

-vizo-

Hello,

First of all, sorry about the late reply. Could you instead execute on the frontend a

onevm show -j ${VROUTER_VM_ID} | jq -r '.VM.USER_TEMPLATE.ONEGATE_VNF_WG_PEER0|@base64d'

That should be the peer information that you can use to connect to the private network. If you save it in your client's /etc/wireguard/oneconn you should be able to connect with a wg-quick up oneconn.

About the problem with onegate, that may have to do with permissions. Please let me check it.

Thank you
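
The decode step in the reply above, done in Python instead of jq so it runs offline without extra tooling, as an added example for this thread (not one-apps code). It assumes the JSON shape implied by the jq path (.VM.USER_TEMPLATE.ONEGATE_VNF_WG_PEER0 holding a base64 string); the sample JSON, addresses and keys are constructed stand-ins, and the checks at the end are the ones worth running before you copy the file to /etc/wireguard/oneconn: a 32-byte PrivateKey and PublicKey, an Address, and a Peer with Endpoint and AllowedIPs.

```python
"""Decode and sanity-check the WireGuard client config that the VNF publishes
as ONEGATE_VNF_WG_PEER0, the same data the jq one-liner above extracts.

Added example for this thread, not one-apps code. Assumes the JSON shape
implied by the jq path (.VM.USER_TEMPLATE.ONEGATE_VNF_WG_PEER0 holding a
base64 string); the sample JSON, addresses and keys below are constructed.
"""
import base64
import json
import re


def extract_peer_conf(onevm_json: str, index: int = 0) -> str:
    """Return the decoded wg-quick config for peer `index` from `onevm show -j` output."""
    doc = json.loads(onevm_json)
    key = f"ONEGATE_VNF_WG_PEER{index}"
    try:
        b64 = doc["VM"]["USER_TEMPLATE"][key]
    except KeyError as exc:
        raise KeyError(f"{key} not present in USER_TEMPLATE") from exc
    return base64.b64decode(b64).decode()


def parse_wg_conf(text: str) -> dict:
    """Parse wg-quick INI text into {"Interface": {...}, "Peer": [{...}, ...]}."""
    conf = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            name = header.group(1)
            if name == "Peer":
                current = {}
                conf["Peer"].append(current)
            elif name == "Interface":
                current = conf["Interface"]
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip()] = value.strip()
    return conf


def is_wg_key(s: str) -> bool:
    """WireGuard keys are 32 raw bytes; anything else is a paste or decoding error."""
    try:
        return len(base64.b64decode(s, validate=True)) == 32
    except ValueError:                          # binascii.Error is a ValueError subclass
        return False


def check_client_conf(conf: dict) -> list:
    """Return the problems found; an empty list means the config looks usable."""
    problems = []
    iface = conf["Interface"]
    if not is_wg_key(iface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey missing or not a 32-byte key")
    if "Address" not in iface:
        problems.append("Interface.Address missing")
    if not conf["Peer"]:
        problems.append("no [Peer] section")
    for i, peer in enumerate(conf["Peer"]):
        if not is_wg_key(peer.get("PublicKey", "")):
            problems.append(f"Peer{i}.PublicKey missing or not a 32-byte key")
        if not re.fullmatch(r"\S+:\d{1,5}", peer.get("Endpoint", "")):
            problems.append(f"Peer{i}.Endpoint missing or not host:port")
        if "AllowedIPs" not in peer:
            problems.append(f"Peer{i}.AllowedIPs missing")
    return problems


def sample_onevm_json() -> str:
    """Constructed stand-in for `onevm show -j <id>` output (not real data)."""
    dummy_priv = base64.b64encode(bytes([1]) * 32).decode()   # not a real key
    dummy_pub = base64.b64encode(bytes([2]) * 32).decode()    # not a real key
    peer_conf = (
        "[Interface]\n"
        f"PrivateKey = {dummy_priv}\n"
        "Address = 169.254.33.2/32\n"          # APIPA tunnel address, as described in the thread
        "\n[Peer]\n"
        f"PublicKey = {dummy_pub}\n"
        "Endpoint = 203.0.113.10:51820\n"
        "AllowedIPs = 192.168.100.0/24\n"
    )
    b64 = base64.b64encode(peer_conf.encode()).decode()
    return json.dumps({"VM": {"ID": "42", "USER_TEMPLATE": {"ONEGATE_VNF_WG_PEER0": b64}}})


if __name__ == "__main__":
    text = extract_peer_conf(sample_onevm_json())
    issues = check_client_conf(parse_wg_conf(text))
    print(text)
    print("problems: " + "; ".join(issues) if issues
          else "looks usable: save as /etc/wireguard/oneconn, then `wg-quick up oneconn`")
```

To use it against a real deployment, pipe the frontend's `onevm show -j <id>` output into `extract_peer_conf` instead of the constructed sample; the key-length check catches the most common failure when the base64 is copied by hand (a truncated or re-wrapped key that wg-quick rejects).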

OK, it will take a day because I started from scratch. Will post when I have vrouter back up this evening.

OK, I see peer information with the command you supplied. Is that supposed to be different from what has been generated in the wg0.conf file that shows up in vrouter? My goal is to have two vrouters at different sites talk to each other over WireGuard. How would I make the next vrouter take that peer info? It seems to generate something new. If I edit wg0.conf directly it doesn't survive a reboot, or maybe I am going about it completely wrong.

I think I see what I might be doing wrong. The vrouter WireGuard setup seems to be geared toward clients like a laptop or phone connecting to vrouter and the networks. I guess I am looking for vrouter to vrouter with different subnets; should I be looking at a different approach?

Hello,

That is right, the tunnel interface is created over an APIPA range that is not routed. The VNF WireGuard idea is to allow clients access to a private network.

Currently, if you want to link different network segments, I think the best you could do is set up your own WireGuard server on the same network segment as the private network and open access to it on the virtual router by setting a static DNAT as indicated in vr_nat4 (OpenNebula/one-apps Wiki on GitHub). So if you have your WG server running on 10.11.12.13:43210, your public interface is on eth0 and you want to have the WG server accessible on port 43210, you could add the following line to the context:

ONEAPP_VNF_NAT4_PORT_FWD4 = "<ETH0_EP0>:43210:10.11.12.13:43210",

Both protocols, TCP and UDP, are forwarded in this case.

Cheers
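
What the context line above amounts to in netfilter terms, as an added example for this thread (not the VNF's own code). The field order EXT_ADDR:EXT_PORT:INT_ADDR:INT_PORT is read off the value quoted in the reply; that `<ETH0_EP0>` stands for the first address on eth0 is an assumption based on the reply's wording ("your public interface is on eth0"), and the interface address used for it is constructed. The generated iptables lines are what a hand-written DNAT would look like, not a dump of what the VNF programs internally. One caveat the reply hints at: the VNF forwards TCP and UDP, but WireGuard only speaks UDP, so if you write the rules yourself you can leave the TCP half out.

```python
"""Turn a one-apps NAT4 port-forward spec into the equivalent netfilter rules.

Added example for this thread, not the VNF's own code. The field order
EXT_ADDR:EXT_PORT:INT_ADDR:INT_PORT is read off the value quoted in the reply;
that <ETH0_EP0> stands for the first address on eth0 is an assumption based
on the reply's wording ("your public interface is on eth0"). The iptables
lines are what a hand-written DNAT would look like, not a dump of what the
VNF programs internally.
"""
import ipaddress
import re

# Constructed stand-in for the router's own interface addressing (not from the page).
IFACE_ENDPOINTS = {"ETH0_EP0": ("eth0", "198.51.100.7")}


def resolve_address(token: str):
    """Return (in_iface, ipv4) for a literal address or a <NAME> placeholder."""
    m = re.fullmatch(r"<([A-Z0-9_]+)>", token)
    if not m:
        ipaddress.IPv4Address(token)           # raises ValueError on junk
        return None, token
    if m.group(1) not in IFACE_ENDPOINTS:
        raise ValueError(f"unknown placeholder {token}")
    return IFACE_ENDPOINTS[m.group(1)]


def parse_port(s: str) -> int:
    port = int(s)                              # ValueError on non-numeric input
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {s}")
    return port


def parse_port_fwd(spec: str) -> dict:
    """Parse '<ETH0_EP0>:43210:10.11.12.13:43210' (surrounding quotes optional)."""
    parts = spec.strip().strip('"').split(":")
    if len(parts) != 4:
        raise ValueError(f"expected EXT_ADDR:EXT_PORT:INT_ADDR:INT_PORT, got {spec!r}")
    in_iface, ext_addr = resolve_address(parts[0])
    ipaddress.IPv4Address(parts[2])            # internal target must be a literal IPv4
    return {"in_iface": in_iface, "ext_addr": ext_addr, "ext_port": parse_port(parts[1]),
            "int_addr": parts[2], "int_port": parse_port(parts[3])}


def nat_rules(fwd: dict, protos=("tcp", "udp")) -> list:
    """DNAT in nat/PREROUTING plus a matching filter/FORWARD accept, per protocol."""
    rules = []
    iface = f" -i {fwd['in_iface']}" if fwd["in_iface"] else ""
    for proto in protos:
        rules.append(f"iptables -t nat -A PREROUTING{iface} -d {fwd['ext_addr']} -p {proto} "
                     f"--dport {fwd['ext_port']} -j DNAT --to-destination "
                     f"{fwd['int_addr']}:{fwd['int_port']}")
        rules.append(f"iptables -A FORWARD{iface} -d {fwd['int_addr']} -p {proto} "
                     f"--dport {fwd['int_port']} -j ACCEPT")
    return rules


SPEC_FROM_THREAD = "<ETH0_EP0>:43210:10.11.12.13:43210"

if __name__ == "__main__":
    fwd = parse_port_fwd(SPEC_FROM_THREAD)
    print("# what the VNF setting forwards (TCP and UDP):")
    for rule in nat_rules(fwd):
        print(rule)
    print("# WireGuard is UDP-only, so a hand-written rule set can drop the TCP half:")
    for rule in nat_rules(fwd, protos=("udp",)):
        print(rule)
```

The parser rejects the mistakes that silently break a forward (a missing field, a port outside 1-65535, a non-IPv4 target), which is worth having when the value is edited by hand in a VM template.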

Oh, I get it now. I am basically using vrouter outside of what it was meant for; I was using it in lieu of OPNsense, which I use to handle my WireGuard site-to-site connections. This is the wrong tool for this job, but your suggestion might work for my needs.
Thanks

-vizo-


Just an update for future readers: I did get OPNsense installed as a firewall and it works pretty well. Actually, ChatGPT helped a lot in getting the settings just right for a working firewall, but I am going to try Bruno's suggestion as a test on another network. Will post the results.
