On 25 Feb 2020 at 07:24, Jan Novak <repcom@gmail.com> wrote:

On 25.02.20 at 07:07, Peter Libassi wrote:
On 23 Feb 2020 at 16:32, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

On Sun, Feb 23, 2020 at 2:25 PM Peter Libassi <peter@libassi.se> wrote:
Ok, well even if using another local IP in the range 127.0.0.0/8 we can't be certain we will clash with something else.

How about adding a directive for the remote interface address in wg.conf? Like this:

# cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = <->
ListenPort = 7777
Address = 192.168.2.1/32
RemoteAddress = 192.168.2.2

[Peer]
PublicKey = <->
AllowedIPs = 192.168.2.0/24
Endpoint = 172.16.0.23:7777

# diff /usr/local/bin/wg-quick.org ./wg-quick
17a18
REMOTE_ADDRESS=""
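Review bot: the variable declared here is `REMOTE_ADDRESS=""`, but the parser hunk (86a88) assigns `REMOTEADDRESS="$value"` and the ifconfig hunk (175c177,181) tests `[[ -n $REMOTEADDRESS ]]`; with the underscore this declaration is dead and the later test relies on a variable that is never initialised. Rename one side so the three hunks agree.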
86a88
RemoteAddress) REMOTEADDRESS="$value"; continue ;;
175c177,181
< cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
---
   if [[ -n $REMOTEADDRESS ]]; then
cmd ifconfig "$INTERFACE" inet "$1" "$REMOTEADDRESS" alias
   else
               cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
   fi
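Review bot: the same `$REMOTEADDRESS` is applied to every address this function receives as `$1`, so with more than one `Address` entry each alias gets an identical point-to-point destination; the value also reaches ifconfig unchecked, so a mistyped value is only reported by ifconfig with no reference to the config key. Check it against an address pattern at parse time and `die` with the offending value, and keep the indentation consistent with the tab-indented script around it (the `if`/`else`/`fi` lines mix spaces and tabs).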
This is not a correct fix; we're not going to add a configuration knob
to work around FreeBSD network stack gotchas.

Rather, I'd prefer to see all the FreeBSD wg-quick semantics redone
around multiple routing tables and marks, much like on Linux, though I
don't know if that's possible. Barring that, a proper solution
probably involves re-reading the ifconfig man page a few dozen times
to find out how to have interface addresses as we need them.
It works perfectly for my single site-2-site use case. You have two options as I see it. Either convince the FreeBSD team to drop the dest_address requirement or implement local/remote address awareness per [Peer] in the wg-quick script.


Hi Peter,

Can you show me an example for "... implement local/remote address awareness per [Peer] in the wg-quick script... "


Bfo



Here is one way to do it:

root@vpn1:~ # cat /usr/local/etc/wireguard/wg0.conf
[Interface]
  PrivateKey = <->
  ListenPort = 7777

[Peer]
  PublicKey = <->
  LinkAddress = 10.0.0.1/10.0.0.2
  Endpoint = 192.168.59.155:7777
  AllowedIPs = 10.0.0.2/32

[Peer]
  PublicKey = <->
  LinkAddress = 10.1.1.1/10.1.1.2
  Endpoint = 192.168.58.155:7777
  AllowedIPs = 10.1.1.2/32

$ diff /usr/local/bin/wg-quick wg-quick

16a17

> LADDRESSES=( )

63c64

<       local interface_section=0 line key value stripped path

---

>       local interface_section=0 peer_section=0 line key value stripped path

95a97,102

>               [[ $key == "[Peer]" ]] && peer_section=1

>               if [[ $peer_section -eq 1 ]]; then

>                       case "$key" in

>                       LinkAddress) LADDRESSES+=( ${value//,/ } ); continue ;;

>                       esac

>               fi
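Review bot: `peer_section` is set to 1 on `[Peer]` but never cleared when a later section header is seen, unlike the existing `interface_section` handling two lines above; add `[[ $key == "["* ]] && peer_section=0` so a `[Interface]` block that follows a `[Peer]` block is not parsed as peer keys. The `continue` correctly keeps the wg-quick-only `LinkAddress` key out of the config handed to wg, but the value is appended to `LADDRESSES` without any check that it has the `local/remote` shape the later split relies on.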

175c182

<               cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias

---

>               cmd ifconfig "$INTERFACE" inet "${1%/*}/32" "${1#*/}" alias
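Review bot: the slash is overloaded here: `${1%/*}` and `${1#*/}` split `10.0.0.1/10.0.0.2` into local and remote and `/32` is hard-coded, so an ordinary `LinkAddress = 10.0.0.1/24` is accepted and becomes `ifconfig wg0 inet 10.0.0.1/32 24 alias`, which fails with an ifconfig error that does not point at the config line. Validate that the part after the slash is an address and `die` with the offending value otherwise, or pick a separator that cannot be mistaken for a prefix length.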

419c426

<       for i in "${ADDRESSES[@]}"; do

---

>       for i in "${LADDRESSES[@]}"; do
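Review bot: swapping `ADDRESSES` for `LADDRESSES` in this loop means any `Address =` line in `[Interface]` is still parsed but never configured, with no warning. Either iterate both arrays, or fall back to `ADDRESSES` when `LADDRESSES` is empty, and state in the config documentation that the two are alternatives.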

 

root@vpn1:~ # /home/peter/wg-quick up wg0
[#] wireguard-go wg0
INFO: (wg0) 2020/02/25 13:49:54 Starting wireguard-go version 0.0.20200121
[#] wg setconf wg0 /tmp/tmp.vXURfmKj/sh-np.pCIWwG
[#] ifconfig wg0 inet 10.0.0.1/32 10.0.0.2 alias
[#] ifconfig wg0 inet 10.1.1.1/32 10.1.1.2 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.1.1.2/32 -interface wg0
[#] route -q -n add -inet 10.0.0.2/32 -interface wg0
[+] Backgrounding route monitor

 

root@vpn1:~ # ifconfig wg0
wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
        inet 10.1.1.1 --> 10.1.1.2 netmask 0xffffffff
        groups: tun
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 2033

 

root@VPN1:~ # netstat -rn4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.59.2       UGS         em0
10.0.0.1           link#4             UHS         lo0
10.0.0.2           link#4             UH          wg0
10.0.0.2/32        wg0                US          wg0
10.1.1.1           link#4             UHS         lo0
10.1.1.2           link#4             UH          wg0
10.1.1.2/32        wg0                US          wg0
127.0.0.1          link#3             UH          lo0
192.168.59.0/24    link#1             U           em0
192.168.59.154     link#1             UHS         lo0
192.168.153.0/24   link#2             U           em1
192.168.153.130    link#2             UHS         lo0

 

root@vpn1:~ # ping -c1 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=0.373 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.373/0.373/0.373/0.000 ms

root@vpn1:~ # ping -c1 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.277 ms

--- 10.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.277/0.277/0.277/0.000 ms

 

/Peter
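The `local/remote` split that the 175c182 hunk performs with `${1%/*}` and `${1#*/}`, written as a stand-alone bash function that also rejects a right-hand side that is a prefix length rather than an address. This is an added example, not code from Peter's patch or from wg-quick; `link_address_args` and `ifconfig_cmd` are hypothetical names.

```bash
#!/usr/bin/env bash
# Added example (not part of the wg-quick patch in this thread): parse a
# "local/remote" LinkAddress value and produce the arguments the patch
# passes to ifconfig, but fail early on malformed input so a stray
# "10.0.0.1/24" never reaches ifconfig.
set -u

# Dotted-quad IPv4 address, each octet 0-255.
ipv4_re='^((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])$'

# Prints "local/32 remote" on success; on failure prints a message naming
# the config value to stderr and returns 1.
link_address_args() {
	local value="$1" laddr raddr
	[[ $value == */* ]] || { echo "LinkAddress '$value': expected local/remote" >&2; return 1; }
	laddr="${value%/*}"          # everything before the last slash
	raddr="${value#*/}"          # everything after the first slash
	[[ $laddr =~ $ipv4_re ]] || { echo "LinkAddress '$value': bad local address" >&2; return 1; }
	[[ $raddr =~ $ipv4_re ]] || { echo "LinkAddress '$value': '$raddr' is not an address (prefix length?)" >&2; return 1; }
	[[ $laddr != "$raddr" ]] || { echo "LinkAddress '$value': local and remote are identical" >&2; return 1; }
	printf '%s/32 %s\n' "$laddr" "$raddr"
}

# Builds the full ifconfig command line for one peer as a string, so it can
# be inspected (or logged) before it is executed.
ifconfig_cmd() {
	local iface="$1" value="$2" args
	args=$(link_address_args "$value") || return 1
	printf 'ifconfig %s inet %s alias\n' "$iface" "$args"
}
```

For the first peer in the config above this yields exactly the `ifconfig wg0 inet 10.0.0.1/32 10.0.0.2 alias` line seen in the `wg-quick up` output.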