* FreeBSD wireguard wg-quick remote IP address assignment is incorrect
From: Peter Libassi @ 2020-02-23 8:00 UTC
To: wireguard

The local wg interface does not respond because the wg-quick script sets up the interface by reusing the local address as the remote address in the ifconfig command:

root@bsd2:~ # wg-quick up wg0
[#] wireguard-go wg0
INFO: (wg0) 2020/02/20 09:45:16 Starting wireguard-go version 0.0.20200121
[#] wg setconf wg0 /tmp/tmp.87viEAsK/sh-np.YdRfI6
[#] ifconfig wg0 inet 192.168.2.2 192.168.2.2 alias

On Linux, setting up an IP address on a tun interface does not require a remote address:

[root@vpn2 wireguard]# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.2.2/24 dev wg0

In the wg-quick script, function add_addr() is where the assignment is made:

cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias

I verified this by replacing the remote address with localhost:

cmd ifconfig "$INTERFACE" inet "$1" "127.0.0.1" alias

Now local ping works. You can give any address, I suppose, since the "remote address" of the ifconfig of a tun interface is not really used by wireguard.

I also filed this as FreeBSD bug 244330.

/Peter
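Added example, not part of the original post: the reverted commit quoted in the reply below reports that a 127.0.0.1 destination sent legitimate localhost traffic over the WireGuard interface, and this check flags that state in `netstat -rn4` output. The function names and the first sample table are constructed (an assumed shape of the routing table after the workaround); the second sample reuses rows from the routing table posted later in this thread.

```shell
#!/bin/sh
# Added example (not from the thread). Flags IPv4 routes whose destination is
# in 127.0.0.0/8 but whose Netif is not a loopback interface.

# Constructed sample: assumed shape of `netstat -rn4` after
# `ifconfig wg0 inet 192.168.2.2 127.0.0.1 alias` (not captured from a host).
sample_with_workaround() {
cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.59.2       UGS         em0
127.0.0.1          link#4             UH          wg0
192.168.2.2        link#4             UHS         lo0
EOF
}

# Rows copied from the routing table posted later in this thread.
sample_from_thread() {
cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
10.0.0.1           link#4             UHS         lo0
10.0.0.2           link#4             UH          wg0
127.0.0.1          link#3             UH          lo0
EOF
}

# Reads netstat output on stdin; prints "destination netif" per offending row.
leaked_loopback_routes() {
    awk '
        $1 == "Destination" { in_table = 1; next }  # column header opens a table
        NF == 0             { in_table = 0; next }  # blank line closes it
        in_table && $1 ~ /^127\./ && $4 !~ /^lo[0-9]+$/ { print $1, $4 }
    '
}

# Exit status 1 when any loopback destination is bound to a non-lo interface.
check_loopback_routes() {
    leaks=$(leaked_loopback_routes)
    [ -z "$leaks" ] && return 0
    printf 'loopback destination off lo*: %s\n' "$leaks" >&2
    return 1
}

sample_with_workaround | check_loopback_routes || echo "workaround sample: flagged"
sample_from_thread | check_loopback_routes && echo "thread sample: clean"
```

On a FreeBSD host the same check runs as `netstat -rn4 | check_loopback_routes` after `wg-quick up`.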
* Re: FreeBSD wireguard wg-quick remote IP address assignment is incorrect
From: Jason A. Donenfeld @ 2020-02-23 11:37 UTC
To: Peter Libassi; +Cc: WireGuard mailing list

We tried this already and it didn't work. See the below commit.
Perhaps you can update that bug report you filed?

commit 2c6cabd73dfb23990c245250ef2e502bdb33d189
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Thu Feb 28 19:03:11 2019 +0100

    wg-quick: freebsd: rebreak interface loopback, while fixing localhost

    The commit 7c833642 ("wg-quick: freebsd: allow loopback to work") was
    supposed to make things better, but actually it just started sending
    legitimate localhost traffic over the WireGuard interface, which is
    really quite bad.

    This reverts commit 7c833642dfa342218602ab18e7091e86408d2982.

    Reported-by: Matt Smith <matt.xtaz@gmail.com>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

diff --git a/src/wg-quick/freebsd.bash b/src/wg-quick/freebsd.bash index 93f1a3b7..e83dbef0 100755 --- a/src/wg-quick/freebsd.bash +++ b/src/wg-quick/freebsd.bash @@ -158,7 +158,7 @@ add_addr() { if [[ $1 == *:* ]]; then cmd ifconfig "$INTERFACE" inet6 "$1" alias else - cmd ifconfig "$INTERFACE" inet "$1" 127.0.0.1 alias + cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias fi }
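Review bot: the added line in add_addr() sets the IPv4 destination to the interface's own address ("${1%%/*}") with nothing in the code saying why, even though the commit subject says this re-breaks interface loopback. A comment above that line recording that 127.0.0.1 as the destination sent localhost traffic over the WireGuard interface (the reason 7c833642 is reverted) would document that the non-responding local address is the accepted trade-off and keep the same change from being proposed again. The inet6 branch in the context lines passes no destination at all, so the comment could also say whether that asymmetry is intended.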
* Re: FreeBSD wireguard wg-quick remote IP address assignment is incorrect
From: Peter Libassi @ 2020-02-23 13:25 UTC
To: Jason A. Donenfeld; +Cc: WireGuard mailing list

Ok, Well even if using another local IP in range 127.0.0.0/8 we can’t be certain we will clash with something else.

How about adding a directive for the remote interface address in wg.conf? Like this:

# cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = <->
ListenPort = 7777
Address = 192.168.2.1/32
RemoteAddress = 192.168.2.2

[Peer]
PublicKey = <->
AllowedIPs = 192.168.2.0/24
Endpoint = 172.16.0.23:7777

# diff /usr/local/bin/wg-quick.org ./wg-quick 17a18 > REMOTE_ADDRESS="" 86a88 > RemoteAddress) REMOTEADDRESS="$value"; continue ;; 175c177,181 < cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias --- > if [[ -n $REMOTEADDRESS ]]; then > cmd ifconfig "$INTERFACE" inet "$1" "$REMOTEADDRESS" alias > else > cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias > fi

/Peter

> On 23 Feb 2020 at 12:37, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> We tried this already and it didn't work. See the below commit.
> Perhaps you can update that bug report you filed?
>
> commit 2c6cabd73dfb23990c245250ef2e502bdb33d189
> Author: Jason A. Donenfeld <Jason@zx2c4.com>
> Date:   Thu Feb 28 19:03:11 2019 +0100
>
>     wg-quick: freebsd: rebreak interface loopback, while fixing localhost
>
>     The commit 7c833642 ("wg-quick: freebsd: allow loopback to work") was
>     supposed to make things better, but actually it just started sending
>     legitimate localhost traffic over the WireGuard interface, which is
>     really quite bad.
>
>     This reverts commit 7c833642dfa342218602ab18e7091e86408d2982.
>
>     Reported-by: Matt Smith <matt.xtaz@gmail.com>
>     Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
>
> diff --git a/src/wg-quick/freebsd.bash b/src/wg-quick/freebsd.bash > index 93f1a3b7..e83dbef0 100755 > --- a/src/wg-quick/freebsd.bash > +++ b/src/wg-quick/freebsd.bash > @@ -158,7 +158,7 @@ add_addr() { > if [[ $1 == *:* ]]; then > cmd ifconfig "$INTERFACE" inet6 "$1" alias > else > - cmd ifconfig "$INTERFACE" inet "$1" 127.0.0.1 alias > + cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias > fi > }
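Review bot: in the RemoteAddress diff at the top of this message, hunk 17a18 initialises REMOTE_ADDRESS while the 86a88 case arm and the 175c177,181 test use REMOTEADDRESS, so the initialisation has no effect and a REMOTEADDRESS inherited from the caller's environment would be picked up when the config has no RemoteAddress line. Use one spelling in all three places. The value also reaches ifconfig without any check that it is an IPv4 address, and the single RemoteAddress is applied to every address add_addr() is called with, so a config with several Address entries would get the same destination on each alias.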
* Re: FreeBSD wireguard wg-quick remote IP address assignment is incorrect
From: Jason A. Donenfeld @ 2020-02-23 15:32 UTC
To: Peter Libassi; +Cc: WireGuard mailing list

On Sun, Feb 23, 2020 at 2:25 PM Peter Libassi <peter@libassi.se> wrote:
>
> Ok, Well even if using another local IP in range 127.0.0.0/8 we can’t be certain we will clash with something else.
>
> How about adding a directive for the remote interface address in wg.conf? Like this:
>
> # cat /usr/local/etc/wireguard/wg0.conf
> [Interface]
> PrivateKey = <->
> ListenPort = 7777
> Address = 192.168.2.1/32
> RemoteAddress = 192.168.2.2
>
> [Peer]
> PublicKey = <->
> AllowedIPs = 192.168.2.0/24
> Endpoint = 172.16.0.23:7777
>
> # diff /usr/local/bin/wg-quick.org ./wg-quick > 17a18 > > REMOTE_ADDRESS="" > 86a88 > > RemoteAddress) REMOTEADDRESS="$value"; continue ;; > 175c177,181 > < cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias > --- > > if [[ -n $REMOTEADDRESS ]]; then > > cmd ifconfig "$INTERFACE" inet "$1" "$REMOTEADDRESS" alias > > else > > cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias > > fi

This is not a correct fix; we're not going to add a configuration knob
to work around FreeBSD network stack gotchas.

Rather, I'd prefer to see all the FreeBSD wg-quick semantics redone
around multiple routing tables and marks, much like on Linux, though I
don't know if that's possible. Barring that, a proper solution
probably involves re-reading the ifconfig man page a few dozen times
to find out how to have interface addresses as we need them.
* Re: FreeBSD wireguard wg-quick remote IP address assignment is incorrect
From: Peter Libassi @ 2020-02-25 6:07 UTC
To: Jason A. Donenfeld; +Cc: WireGuard mailing list

> On 23 Feb 2020 at 16:32, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On Sun, Feb 23, 2020 at 2:25 PM Peter Libassi <peter@libassi.se> wrote:
>>
>> Ok, Well even if using another local IP in range 127.0.0.0/8 we can’t be certain we will clash with something else.
>>
>> How about adding a directive for the remote interface address in wg.conf? Like this:
>>
>> # cat /usr/local/etc/wireguard/wg0.conf
>> [Interface]
>> PrivateKey = <->
>> ListenPort = 7777
>> Address = 192.168.2.1/32
>> RemoteAddress = 192.168.2.2
>>
>> [Peer]
>> PublicKey = <->
>> AllowedIPs = 192.168.2.0/24
>> Endpoint = 172.16.0.23:7777
>>
>> # diff /usr/local/bin/wg-quick.org ./wg-quick >> 17a18 >>> REMOTE_ADDRESS="" >> 86a88 >>> RemoteAddress) REMOTEADDRESS="$value"; continue ;; >> 175c177,181 >> < cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias >> --- >>> if [[ -n $REMOTEADDRESS ]]; then >>> cmd ifconfig "$INTERFACE" inet "$1" "$REMOTEADDRESS" alias >>> else >>> cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias >>> fi
>
> This is not a correct fix; we're not going to add a configuration knob
> to work around FreeBSD network stack gotchas.
>
> Rather, I'd prefer to see all the FreeBSD wg-quick semantics redone
> around multiple routing tables and marks, much like on Linux, though I
> don't know if that's possible. Barring that, a proper solution
> probably involves re-reading the ifconfig man page a few dozen times
> to find out how to have interface addresses as we need them.

It works perfectly for my single site-2-site use case. You have two options as I see it. Either convince the FreeBSD team to drop the dest_address requirement or implement local/remote address awareness per [Peer] in the wg-quick script.

/Peter
[parent not found: <4c6af2b0-62bc-84bd-f1ec-ce11a152d348@gmail.com>]
* Re: FreeBSD wireguard wg-quick remote IP address assignment is incorrect
From: Peter Libassi @ 2020-02-25 13:08 UTC
To: Jan Novak, WireGuard mailing list

>> On 25 Feb 2020 at 07:24, Jan Novak <repcom@gmail.com> wrote:
> On 25.02.20 at 07:07, Peter Libassi wrote:
>>>> On 23 Feb 2020 at 16:32, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>>> On Sun, Feb 23, 2020 at 2:25 PM Peter Libassi <peter@libassi.se> wrote:
>>>> Ok, Well even if using another local IP in range 127.0.0.0/8 we can’t be certain we will clash with something else.
>>>> How about adding a directive for the remote interface address in wg.conf? Like this:
>>>> # cat /usr/local/etc/wireguard/wg0.conf
>>>> [Interface]
>>>> PrivateKey = <->
>>>> ListenPort = 7777
>>>> Address = 192.168.2.1/32
>>>> RemoteAddress = 192.168.2.2
>>>> [Peer]
>>>> PublicKey = <->
>>>> AllowedIPs = 192.168.2.0/24
>>>> Endpoint = 172.16.0.23:7777
>>>> # diff /usr/local/bin/wg-quick.org ./wg-quick >>>> 17a18 >>>>> REMOTE_ADDRESS="" >>>> 86a88 >>>>> RemoteAddress) REMOTEADDRESS="$value"; continue ;; >>>> 175c177,181 >>>> < cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias >>>> --- >>>>> if [[ -n $REMOTEADDRESS ]]; then >>>>> cmd ifconfig "$INTERFACE" inet "$1" "$REMOTEADDRESS" alias >>>>> else >>>>> cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias >>>>> fi
>>> This is not a correct fix; we're not going to add a configuration knob
>>> to work around FreeBSD network stack gotchas.
>>> Rather, I'd prefer to see all the FreeBSD wg-quick semantics redone
>>> around multiple routing tables and marks, much like on Linux, though I
>>> don't know if that's possible. Barring that, a proper solution
>>> probably involves re-reading the ifconfig man page a few dozen times
>>> to find out how to have interface addresses as we need them.
>> It works perfectly for my single site-2-site use case. You have two options as I see it. Either convince the FreeBSD team to drop the dest_address requirement or implement local/remote address awareness per [Peer] in the wg-quick script.
>
> Hi Peter,
>
> Can you show me an example for "... implement local/remote address awareness per [Peer] in the wg-quick script... "
>
> Bfo
>

Here is one way to do it:

root@vpn1:~ # cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = <->
ListenPort = 7777

[Peer]
PublicKey = <->
LinkAddress = 10.0.0.1/10.0.0.2
Endpoint = 192.168.59.155:7777
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = <->
LinkAddress = 10.1.1.1/10.1.1.2
Endpoint = 192.168.58.155:7777
AllowedIPs = 10.1.1.2/32

$ diff /usr/local/bin/wg-quick wg-quick 16a17 > LADDRESSES=( ) 63c64 < local interface_section=0 line key value stripped path --- > local interface_section=0 peer_section=0 line key value stripped path 95a97,102 > [[ $key == "[Peer]" ]] && peer_section=1 > if [[ $peer_section -eq 1 ]]; then > case "$key" in > LinkAddress) LADDRESSES+=( ${value//,/ } ); continue ;; > esac > fi 175c182 < cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias --- > cmd ifconfig "$INTERFACE" inet "${1%/*}/32" "${1#*/}" alias 419c426 < for i in "${ADDRESSES[@]}"; do --- > for i in "${LADDRESSES[@]}"; do

root@vpn1:~ # /home/peter/wg-quick up wg0
[#] wireguard-go wg0
INFO: (wg0) 2020/02/25 13:49:54 Starting wireguard-go version 0.0.20200121
[#] wg setconf wg0 /tmp/tmp.vXURfmKj/sh-np.pCIWwG
[#] ifconfig wg0 inet 10.0.0.1/32 10.0.0.2 alias
[#] ifconfig wg0 inet 10.1.1.1/32 10.1.1.2 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.1.1.2/32 -interface wg0
[#] route -q -n add -inet 10.0.0.2/32 -interface wg0
[+] Backgrounding route monitor

root@vpn1:~ # ifconfig wg0
wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
        inet 10.1.1.1 --> 10.1.1.2 netmask 0xffffffff
        groups: tun
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 2033

root@VPN1:~ # netstat -rn4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.59.2       UGS         em0
10.0.0.1           link#4             UHS         lo0
10.0.0.2           link#4             UH          wg0
10.0.0.2/32        wg0                US          wg0
10.1.1.1           link#4             UHS         lo0
10.1.1.2           link#4             UH          wg0
10.1.1.2/32        wg0                US          wg0
127.0.0.1          link#3             UH          lo0
192.168.59.0/24    link#1             U           em0
192.168.59.154     link#1             UHS         lo0
192.168.153.0/24   link#2             U           em1
192.168.153.130    link#2             UHS         lo0

root@vpn1:~ # ping -c1 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=0.373 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.373/0.373/0.373/0.000 ms

root@vpn1:~ # ping -c1 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.277 ms

--- 10.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.277/0.277/0.277/0.000 ms

/Peter
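Review bot: hunk 419c426 of the LinkAddress diff switches the loop at line 419 from ADDRESSES to LADDRESSES outright, so that loop no longer sees anything collected from an Address line in [Interface]; iterating both arrays, or rejecting a config that mixes the two keys, would keep existing configs working. In 95a97,102 peer_section is set on [Peer] and never cleared, and LinkAddress reuses "/" as the local/remote separator, which is why 175c182 has to hard-code /32: a real prefix length cannot be expressed, and a value containing ":" would still reach the unchanged inet6 branch as local/remote. A separate key for the remote side or a different separator would avoid both.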