Development discussion of WireGuard
* FreeBSD wireguard wg-quick remote IP address assignment is incorrect
@ 2020-02-23  8:00 Peter Libassi
  2020-02-23 11:37 ` Jason A. Donenfeld
  0 siblings, 1 reply; 6+ messages in thread
From: Peter Libassi @ 2020-02-23  8:00 UTC (permalink / raw)
  To: wireguard



The local wg interface does not respond because the wg-quick script sets up the interface by reusing the local address as the remote address in the ifconfig command:

root@bsd2:~ # wg-quick up wg0
[#] wireguard-go wg0
INFO: (wg0) 2020/02/20 09:45:16 Starting wireguard-go version 0.0.20200121
[#] wg setconf wg0 /tmp/tmp.87viEAsK/sh-np.YdRfI6
[#] ifconfig wg0 inet 192.168.2.2 192.168.2.2 alias

On Linux, setting up an IP address on a tun interface does not require a remote address:
[root@vpn2 wireguard]# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.2.2/24 dev wg0

In the wg-quick script function add_addr() is where the assignment is made:
 
 cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias

I verified this by replacing the remote address with localhost:

 cmd ifconfig "$INTERFACE" inet "$1" "127.0.0.1" alias

Now local ping works. You can give any address, I suppose, since the "remote address" of the ifconfig of a tun interface is not really used by WireGuard.

I also filed this as FreeBSD bug 244330.

/Peter


_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: FreeBSD wireguard wg-quick remote IP address assignment is incorrect
  2020-02-23  8:00 FreeBSD wireguard wg-quick remote IP address assignment is incorrect Peter Libassi
@ 2020-02-23 11:37 ` Jason A. Donenfeld
  2020-02-23 13:25   ` Peter Libassi
  0 siblings, 1 reply; 6+ messages in thread
From: Jason A. Donenfeld @ 2020-02-23 11:37 UTC (permalink / raw)
  To: Peter Libassi; +Cc: WireGuard mailing list

We tried this already and it didn't work. See the below commit.
Perhaps you can update that bug report you filed?

commit 2c6cabd73dfb23990c245250ef2e502bdb33d189
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Thu Feb 28 19:03:11 2019 +0100

   wg-quick: freebsd: rebreak interface loopback, while fixing localhost

   The commit 7c833642 ("wg-quick: freebsd: allow loopback to work") was
   supposed to make things better, but actually it just started sending
   legitimate localhost traffic over the WireGuard interface, which is
   really quite bad.

   This reverts commit 7c833642dfa342218602ab18e7091e86408d2982.

   Reported-by: Matt Smith <matt.xtaz@gmail.com>
   Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

diff --git a/src/wg-quick/freebsd.bash b/src/wg-quick/freebsd.bash
index 93f1a3b7..e83dbef0 100755
--- a/src/wg-quick/freebsd.bash
+++ b/src/wg-quick/freebsd.bash
@@ -158,7 +158,7 @@ add_addr() {
       if [[ $1 == *:* ]]; then
               cmd ifconfig "$INTERFACE" inet6 "$1" alias
       else
-               cmd ifconfig "$INTERFACE" inet "$1" 127.0.0.1 alias
+               cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
       fi
}
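
Review bot: The restored `"${1%%/*}"` destination in the else branch of add_addr() carries no comment explaining why the destination is deliberately the interface's own address. The commit message records that 127.0.0.1 sent legitimate localhost traffic over the WireGuard interface, and that rationale belongs next to the line so the same change is not proposed again. A one-line comment above the `cmd ifconfig "$INTERFACE" inet` call would do, and it should also say that the inet6 branch passing no destination at all is intentional.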

* Re: FreeBSD wireguard wg-quick remote IP address assignment is incorrect
  2020-02-23 11:37 ` Jason A. Donenfeld
@ 2020-02-23 13:25   ` Peter Libassi
  2020-02-23 15:32     ` Jason A. Donenfeld
  0 siblings, 1 reply; 6+ messages in thread
From: Peter Libassi @ 2020-02-23 13:25 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list



Ok, Well even if using another local IP in range 127.0.0.0/8 we can’t be certain we will clash with something else.

How about adding a directive for the remote interface address in wg.conf? Like this:

# cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = <->
ListenPort = 7777
Address = 192.168.2.1/32
RemoteAddress = 192.168.2.2

[Peer]
PublicKey = <->
AllowedIPs = 192.168.2.0/24
Endpoint = 172.16.0.23:7777

# diff /usr/local/bin/wg-quick.org ./wg-quick
17a18
> REMOTE_ADDRESS=""
86a88
> 			RemoteAddress) REMOTEADDRESS="$value"; continue ;;
175c177,181
< 		cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
---
> 	    if [[ -n $REMOTEADDRESS ]]; then
> 		cmd ifconfig "$INTERFACE" inet "$1" "$REMOTEADDRESS" alias
> 	    else
>                 cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
> 	    fi
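
Review bot: The variable initialised at 17a18 is `REMOTE_ADDRESS`, but the parser line at 86a88 assigns `REMOTEADDRESS` and the test at 175c177 reads `REMOTEADDRESS`, so the initialiser never applies and a `REMOTEADDRESS` inherited from the environment would be used whenever the config omits the key. Use one spelling in all three places. The single value is also applied to every IPv4 address that reaches this branch, so a config with more than one `Address` entry would give them all the same destination.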

/Peter


> On 23 Feb 2020, at 12:37, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 
> We tried this already and it didn't work. See the below commit.
> Perhaps you can update that bug report you filed?
> 
> commit 2c6cabd73dfb23990c245250ef2e502bdb33d189
> Author: Jason A. Donenfeld <Jason@zx2c4.com>
> Date:   Thu Feb 28 19:03:11 2019 +0100
> 
>   wg-quick: freebsd: rebreak interface loopback, while fixing localhost
> 
>   The commit 7c833642 ("wg-quick: freebsd: allow loopback to work") was
>   supposed to make things better, but actually it just started sending
>   legitimate localhost traffic over the WireGuard interface, which is
>   really quite bad.
> 
>   This reverts commit 7c833642dfa342218602ab18e7091e86408d2982.
> 
>   Reported-by: Matt Smith <matt.xtaz@gmail.com>
>   Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> 
> diff --git a/src/wg-quick/freebsd.bash b/src/wg-quick/freebsd.bash
> index 93f1a3b7..e83dbef0 100755
> --- a/src/wg-quick/freebsd.bash
> +++ b/src/wg-quick/freebsd.bash
> @@ -158,7 +158,7 @@ add_addr() {
>       if [[ $1 == *:* ]]; then
>               cmd ifconfig "$INTERFACE" inet6 "$1" alias
>       else
> -               cmd ifconfig "$INTERFACE" inet "$1" 127.0.0.1 alias
> +               cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
>       fi
> }



* Re: FreeBSD wireguard wg-quick remote IP address assignment is incorrect
  2020-02-23 13:25   ` Peter Libassi
@ 2020-02-23 15:32     ` Jason A. Donenfeld
  2020-02-25  6:07       ` Peter Libassi
  0 siblings, 1 reply; 6+ messages in thread
From: Jason A. Donenfeld @ 2020-02-23 15:32 UTC (permalink / raw)
  To: Peter Libassi; +Cc: WireGuard mailing list

On Sun, Feb 23, 2020 at 2:25 PM Peter Libassi <peter@libassi.se> wrote:
>
> Ok, Well even if using another local IP in range 127.0.0.0/8 we can’t be certain we will clash with something else.
>
> How about adding a directive for the remote interface address in wg.conf? Like this:
>
> # cat /usr/local/etc/wireguard/wg0.conf
> [Interface]
> PrivateKey = <->
> ListenPort = 7777
> Address = 192.168.2.1/32
> RemoteAddress = 192.168.2.2
>
> [Peer]
> PublicKey = <->
> AllowedIPs = 192.168.2.0/24
> Endpoint = 172.16.0.23:7777
>
> # diff /usr/local/bin/wg-quick.org ./wg-quick
> 17a18
> > REMOTE_ADDRESS=""
> 86a88
> > RemoteAddress) REMOTEADDRESS="$value"; continue ;;
> 175c177,181
> < cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
> ---
> >     if [[ -n $REMOTEADDRESS ]]; then
> > cmd ifconfig "$INTERFACE" inet "$1" "$REMOTEADDRESS" alias
> >     else
> >                 cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
> >     fi

This is not a correct fix; we're not going to add a configuration knob
to work around FreeBSD network stack gotchas.

Rather, I'd prefer to see all the FreeBSD wg-quick semantics redone
around multiple routing tables and marks, much like on Linux, though I
don't know if that's possible. Barring that, a proper solution
probably involves re-reading the ifconfig man page a few dozen times
to find out how to have interface addresses as we need them.

* Re: FreeBSD wireguard wg-quick remote IP address assignment is incorrect
  2020-02-23 15:32     ` Jason A. Donenfeld
@ 2020-02-25  6:07       ` Peter Libassi
  0 siblings, 0 replies; 6+ messages in thread
From: Peter Libassi @ 2020-02-25  6:07 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list



> On 23 Feb 2020, at 16:32, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> 
> On Sun, Feb 23, 2020 at 2:25 PM Peter Libassi <peter@libassi.se> wrote:
>> 
>> Ok, Well even if using another local IP in range 127.0.0.0/8 we can’t be certain we will clash with something else.
>> 
>> How about adding a directive for the remote interface address in wg.conf? Like this:
>> 
>> # cat /usr/local/etc/wireguard/wg0.conf
>> [Interface]
>> PrivateKey = <->
>> ListenPort = 7777
>> Address = 192.168.2.1/32
>> RemoteAddress = 192.168.2.2
>> 
>> [Peer]
>> PublicKey = <->
>> AllowedIPs = 192.168.2.0/24
>> Endpoint = 172.16.0.23:7777
>> 
>> # diff /usr/local/bin/wg-quick.org ./wg-quick
>> 17a18
>>> REMOTE_ADDRESS=""
>> 86a88
>>> RemoteAddress) REMOTEADDRESS="$value"; continue ;;
>> 175c177,181
>> < cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
>> ---
>>>    if [[ -n $REMOTEADDRESS ]]; then
>>> cmd ifconfig "$INTERFACE" inet "$1" "$REMOTEADDRESS" alias
>>>    else
>>>                cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
>>>    fi
> 
> This is not a correct fix; we're not going to add a configuration knob
> to work around FreeBSD network stack gotchas.
> 
> Rather, I'd prefer to see all the FreeBSD wg-quick semantics redone
> around multiple routing tables and marks, much like on Linux, though I
> don't know if that's possible. Barring that, a proper solution
> probably involves re-reading the ifconfig man page a few dozen times
> to find out how to have interface addresses as we need them.

It works perfectly for my single site-2-site use case. You have two options as I see it. Either convince the FreeBSD team to drop the dest_address requirement or implement local/remote address awareness per [Peer] in the wg-quick script.

/Peter


* Re: FreeBSD wireguard wg-quick remote IP address assignment is incorrect
       [not found] <4c6af2b0-62bc-84bd-f1ec-ce11a152d348@gmail.com>
@ 2020-02-25 13:08 ` Peter Libassi
  0 siblings, 0 replies; 6+ messages in thread
From: Peter Libassi @ 2020-02-25 13:08 UTC (permalink / raw)
  To: Jan Novak, WireGuard mailing list




>> On 25 Feb 2020, at 07:24, Jan Novak <repcom@gmail.com> wrote:
> On 25.02.20 at 07:07, Peter Libassi wrote:
>>>> On 23 Feb 2020, at 16:32, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>>> On Sun, Feb 23, 2020 at 2:25 PM Peter Libassi <peter@libassi.se> wrote:
>>>> Ok, Well even if using another local IP in range 127.0.0.0/8 we can’t be certain we will clash with something else.
>>>> How about adding a directive for the remote interface address in wg.conf? Like this:
>>>> # cat /usr/local/etc/wireguard/wg0.conf
>>>> [Interface]
>>>> PrivateKey = <->
>>>> ListenPort = 7777
>>>> Address = 192.168.2.1/32
>>>> RemoteAddress = 192.168.2.2
>>>> [Peer]
>>>> PublicKey = <->
>>>> AllowedIPs = 192.168.2.0/24
>>>> Endpoint = 172.16.0.23:7777
>>>> # diff /usr/local/bin/wg-quick.org ./wg-quick
>>>> 17a18
>>>>> REMOTE_ADDRESS=""
>>>> 86a88
>>>>> RemoteAddress) REMOTEADDRESS="$value"; continue ;;
>>>> 175c177,181
>>>> < cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
>>>> ---
>>>>>    if [[ -n $REMOTEADDRESS ]]; then
>>>>> cmd ifconfig "$INTERFACE" inet "$1" "$REMOTEADDRESS" alias
>>>>>    else
>>>>>                cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
>>>>>    fi
>>> This is not a correct fix; we're not going to add a configuration knob
>>> to work around FreeBSD network stack gotchas.
>>> Rather, I'd prefer to see all the FreeBSD wg-quick semantics redone
>>> around multiple routing tables and marks, much like on Linux, though I
>>> don't know if that's possible. Barring that, a proper solution
>>> probably involves re-reading the ifconfig man page a few dozen times
>>> to find out how to have interface addresses as we need them.
>> It works perfectly for my single site-2-site use case. You have two options as I see it. Either convince the FreeBSD team to drop the dest_address requirement or implement local/remote address awareness per [Peer] in the wg-quick script.
> 
> Hi Peter,
> 
> Can you show me an example for "... implement local/remote address awareness per [Peer] in the wg-quick script... "
> 
> 
> Bfo
> 
> 
> 
Here is one way to do it:

root@vpn1:~ # cat /usr/local/etc/wireguard/wg0.conf
[Interface]
  PrivateKey = <->
  ListenPort = 7777
 
[Peer]
  PublicKey = <->
  LinkAddress = 10.0.0.1/10.0.0.2
  Endpoint = 192.168.59.155:7777
  AllowedIPs = 10.0.0.2/32
 
[Peer]
  PublicKey = <->
  LinkAddress = 10.1.1.1/10.1.1.2
  Endpoint = 192.168.58.155:7777
  AllowedIPs = 10.1.1.2/32
 
$ diff /usr/local/bin/wg-quick wg-quick
16a17
> LADDRESSES=( )
63c64
<       local interface_section=0 line key value stripped path
---
>       local interface_section=0 peer_section=0 line key value stripped path
95a97,102
>               [[ $key == "[Peer]" ]] && peer_section=1
>               if [[ $peer_section -eq 1 ]]; then
>                       case "$key" in
>                       LinkAddress) LADDRESSES+=( ${value//,/ } ); continue ;;
>                       esac
>               fi
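
Review bot: `peer_section` is set to 1 at the first `[Peer]` line and nothing in this hunk resets it, so a `LinkAddress` key in any later section, including an `[Interface]` that follows a peer, is accepted as a peer link address. Reset the flag when another section header is seen. `LADDRESSES+=( ${value//,/ } )` also appends the value unquoted, which exposes it to word splitting and glob expansion, and the entries are stored with no tie to the peer they were read under, so the per-peer association exists only by position.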
175c182
<               cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
---
>               cmd ifconfig "$INTERFACE" inet "${1%/*}/32" "${1#*/}" alias
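
Review bot: In `"${1%/*}/32" "${1#*/}"` the slash is reinterpreted as a local/remote separator with no check that both halves are IPv4 addresses. A value written with a prefix length in the usual `Address` style, such as 10.0.0.1/24, would pass `24` as the destination, and a value with no slash yields the same address on both sides. Validate the two halves before calling ifconfig, or pick a separator that cannot be confused with CIDR notation.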
419c426
<       for i in "${ADDRESSES[@]}"; do
---
>       for i in "${LADDRESSES[@]}"; do
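
Review bot: Replacing `ADDRESSES` with `LADDRESSES` in this loop, rather than iterating both, means `Address` values are no longer processed here; the example config in this message has no `Address` line, which hides that. Existing configs that rely on `Address` would get nothing from this loop. Iterate over both arrays, or fall back to `ADDRESSES` when `LADDRESSES` is empty.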
 
root@vpn1:~ # /home/peter/wg-quick up wg0
[#] wireguard-go wg0
INFO: (wg0) 2020/02/25 13:49:54 Starting wireguard-go version 0.0.20200121
[#] wg setconf wg0 /tmp/tmp.vXURfmKj/sh-np.pCIWwG
[#] ifconfig wg0 inet 10.0.0.1/32 10.0.0.2 alias
[#] ifconfig wg0 inet 10.1.1.1/32 10.1.1.2 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.1.1.2/32 -interface wg0
[#] route -q -n add -inet 10.0.0.2/32 -interface wg0
[+] Backgrounding route monitor
 
root@vpn1:~ # ifconfig wg0
wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
        inet 10.1.1.1 --> 10.1.1.2 netmask 0xffffffff
        groups: tun
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 2033
 
root@VPN1:~ # netstat -rn4
Routing tables
 
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.59.2       UGS         em0
10.0.0.1           link#4             UHS         lo0
10.0.0.2           link#4             UH          wg0
10.0.0.2/32        wg0                US          wg0
10.1.1.1           link#4             UHS         lo0
10.1.1.2           link#4             UH          wg0
10.1.1.2/32        wg0                US          wg0
127.0.0.1          link#3             UH          lo0
192.168.59.0/24    link#1             U           em0
192.168.59.154     link#1             UHS         lo0
192.168.153.0/24   link#2             U           em1
192.168.153.130    link#2             UHS         lo0
 
root@vpn1:~ # ping -c1 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=0.373 ms
 
--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.373/0.373/0.373/0.000 ms
 
root@vpn1:~ # ping -c1 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.277 ms
 
--- 10.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.277/0.277/0.277/0.000 ms
 
/Peter
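
A check for the two states this thread argues over, written as an added example (not part of any message or of wg-quick): it flags a 127.0.0.0/8 route bound to a non-loopback interface, the condition the 2019 commit message describes, and a point-to-point address whose destination equals its own address, which is what the stock add_addr() configures. The function names and the samples marked as constructed are assumptions; the column layouts follow the netstat and ifconfig output above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; samples marked
# "constructed" were written for this example, not captured from a host.

# Reads `netstat -rn4` output on stdin. Prints "destination netif" for every
# 127.0.0.0/8 route whose interface is not a loopback (lo*) device.
# Exit status is 1 if any such route exists, 0 otherwise.
loopback_routes_off_host() {
    awk 'NF >= 4 && $1 ~ /^127\./ && $4 !~ /^lo[0-9]+$/ { print $1, $4; bad = 1 }
         END { exit bad + 0 }'
}

# Reads `ifconfig <interface>` output on stdin. Prints each point-to-point
# address whose destination equals the local address ("inet A --> A").
# Exit status is 1 if any is found, 0 otherwise.
self_destination_addrs() {
    awk '$1 == "inet" && $3 == "-->" && $2 == $4 { print $2; bad = 1 }
         END { exit bad + 0 }'
}

# Constructed: a routing table as it might look with 127.0.0.1 used as the
# tunnel destination address.
ROUTES_LOCALHOST_DEST='Destination        Gateway            Flags     Netif Expire
default            192.168.59.2       UGS         em0
127.0.0.1          link#4             UH          wg0
192.168.2.2        link#4             UHS         lo0'

# Rows taken from the netstat output of the LinkAddress run above (abridged).
ROUTES_LINKADDRESS='Destination        Gateway            Flags     Netif Expire
10.0.0.1           link#4             UHS         lo0
10.0.0.2           link#4             UH          wg0
127.0.0.1          link#3             UH          lo0'

# Constructed: ifconfig output for an address added with destination == local.
IFCONFIG_STOCK='wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
        inet 192.168.2.2 --> 192.168.2.2 netmask 0xffffff00'

# Demo run over the constructed samples.
if ! printf '%s\n' "$ROUTES_LOCALHOST_DEST" | loopback_routes_off_host; then
    echo "WARN: loopback destination routed through a non-loopback interface" >&2
fi
if ! printf '%s\n' "$IFCONFIG_STOCK" | self_destination_addrs; then
    echo "NOTE: tunnel address has itself as destination; local ping will fail" >&2
fi
```

On a live FreeBSD host the same functions take `netstat -rn4` and `ifconfig wg0` on stdin in place of the sample variables.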
