I have a site-to-site VPN between my Ubiquiti USG Pro-4 and an OpenWRT device over wireguard . It’s worked great until I got a secondary WAN connection as a failover connection since my primary cable connection has been flaky lately.
When you introduce dual-WAN on Ubiquiti devices you have to manually configure everything since the GUI assumes only one WAN connection. I configured my manual DNAT (port forwards) for each interface successfully but struggled to figure out why suddenly my Wireguard VPN between my two sites only went one way (remote side could ping all hosts on local side, but not visa-versa.)
After some troubleshooting I realized the firewall itself could ping the remote subnet just fine, it just wasn’t allowing local hosts to do so. I couldn’t find anything in firewall logs. Eventually I came across this very helpful page from hackad.nu that helped me to solve my problem.
The solution was to add a Firewall Modify rule specifically for the eth0 interface (where all my LAN traffic is routed through) to allow the source address of the subnets I want to traverse the VPN, then apply that modifier to the LAN_IN firewall rule for that interface. I had to do it for any VLANs I wanted to be able to use the Wireguard tunnel as well (vifs of eth0, VLAN 50 in my case)
Here is the relevant config.gateway.json sections, namely “firewall” and “interfaces”:
{
"firewall": {
"modify": {
"Wireguard": {
"rule": {
"10": {
"action": "modify",
"description": "Allow Wireguard traffic",
"modify": {
"table": "10"
},
"source": {
"address": "10.1.0.0/16"
}
}
}
}
},
"interfaces": {
"ethernet": {
"eth0": {
"firewall": {
"in": {
"ipv6-name": "LANv6_IN",
"modify": "Wireguard",
"name": "LAN_IN"
}
},
"vif": {
"50": {
"firewall": {
"in": {
"ipv6-name": "LANv6_IN",
"modify": "Wireguard",
"name": "LAN_IN"
}
}
}
}
}
}
}
}
}
This did the trick! Wireguard is working both directions again, this time with my dual WAN connections.