Development discussion of WireGuard
* FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
@ 2021-04-14 18:43 Stefan Haller
  2021-04-14 20:24 ` Jason A. Donenfeld
  0 siblings, 1 reply; 21+ messages in thread
From: Stefan Haller @ 2021-04-14 18:43 UTC (permalink / raw)
  To: wireguard

Hello everyone!

Today I tried switching to the if_wg kernel module. I observed that the
behaviour of the tunnel interface was changed to drop the POINTTOPOINT
and MULTICAST flags (8801509656e9).

For some reason the bird2 routing daemon is not picking up my interface
if there is only a /32 address configured and I manually add host routes
over the wg interface. This broke my wireguard mesh setup and I wanted
to find out ways to get it back into a working state.

Luckily, a look into the git history showed up change 0adab0e961c6e that
I find really useful (and also quite smart). I can simply say `ifconfig
wg0 link1` to get the POINTTOPOINT behaviour back.

Unfortunately, most routing protocols seem to rely on multicast traffic
(e.g. OSPF, Babel, at least with default settings). bird2 will not pick
up my interface, because the MULTICAST flag is missing.

I tested a simple change that you can also find at the end of this email. The
link1 flag will not only toggle the POINTTOPOINT flag, but additionally also
toggles the MULTICAST flag. I am not really experienced with kernel and network
stack code, but to me it makes sense to mark the interface as multicast capable
in a peer-to-peer setting (if you use this, you will most likely set AllowedIPs
to 0.0.0.0/0, ::/0 anyway). Is such a change sensible?

I tested the change for my specific use case and everything seems to be working
again (without broader changes to the configuration otherwise necessary).

I do not want to imply that the current behaviour is wrong, because I
simply don't know much about the topic. If someone else is using dynamic
routing protocols over p2p wireguard tunnels successfully, I appreciate
pointers in the right direction :)

Kind regards,
Stefan


diff --git a/src/if_wg.c b/src/if_wg.c
index ca54476..414a641 100644
--- a/src/if_wg.c
+++ b/src/if_wg.c
@@ -2910,9 +2910,9 @@ wg_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
        case SIOCSIFFLAGS:

                if ((ifp->if_flags & IFF_LINK0) || !(ifp->if_flags & IFF_LINK1))
-                       ifp->if_flags &= ~IFF_POINTOPOINT;
+                       ifp->if_flags &= ~IFF_POINTOPOINT & ~IFF_MULTICAST;
                else if (ifp->if_flags & IFF_LINK1)
-                       ifp->if_flags |= IFF_POINTOPOINT;
+                       ifp->if_flags |= IFF_POINTOPOINT | IFF_MULTICAST;
                ifp->if_flags &= ~(IFF_LINK0 | IFF_LINK1 | IFF_LINK2);

                if (ifp->if_flags & IFF_UP)
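
Review bot: The clearing branch (taken when IFF_LINK0 is set or IFF_LINK1 is not set) now also drops IFF_MULTICAST, and IFF_LINK1 is itself cleared at the end of this case, so it is worth checking that a later SIOCSIFFLAGS issued without link1 does not silently remove the multicast flag again; a comment stating the intended lifetime of the flag would help. The mask `~IFF_POINTOPOINT & ~IFF_MULTICAST` is correct but reads more clearly as `~(IFF_POINTOPOINT | IFF_MULTICAST)`, matching the `~(IFF_LINK0 | IFF_LINK1 | IFF_LINK2)` form used just below. The `else if (ifp->if_flags & IFF_LINK1)` test is always true once the first condition has failed, so a plain `else` would do.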

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-14 18:43 FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour Stefan Haller
@ 2021-04-14 20:24 ` Jason A. Donenfeld
  2021-04-14 21:50   ` Stefan Haller
  0 siblings, 1 reply; 21+ messages in thread
From: Jason A. Donenfeld @ 2021-04-14 20:24 UTC (permalink / raw)
  To: Stefan Haller; +Cc: WireGuard mailing list

Hi Stefan,

WireGuard does not do multicast, so we probably won't set that flag.
You'll want to use babel over unicast anyway.

As far as the `ifconfig wg0 link1` trick I added yesterday goes... I'm
not totally convinced I'll keep that yet for the next snapshot. Does
bird completely ignore interfaces without it? Is there no setting to
change that? Ptp isn't quite a correct match for WireGuard, so having
that flag to satisfy a misbehaving userspace seems like a bummer. Have
you looked everywhere within bird first to see if there's another way?

Jason

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-14 20:24 ` Jason A. Donenfeld
@ 2021-04-14 21:50   ` Stefan Haller
  2021-04-14 22:14     ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 21+ messages in thread
From: Stefan Haller @ 2021-04-14 21:50 UTC (permalink / raw)
  To: WireGuard mailing list

Hi Jason,

Thanks for your clarification. I understand that setting this flag would
be a false promise to userspace, because generally Wireguard is
point-to-multipoint and doesn't copy messages to multiple peers (which
is not exactly necessary in my case, where only a single peer is
configured on both sides).

I just wanted to ensure that the introduced change was intentional
before looking into other directions, hence my question.

On Wed, Apr 14, 2021 at 02:24:20PM -0600, Jason A. Donenfeld wrote:
> Does bird completely ignore interfaces without it? Is there no setting
> to change that?

At least a brief look at the code suggests this: [1]

The Babel protocol seems to rely on well-known *link-local* IPv6
multicast addresses. I did not find anything related to unicast "hello"
messages in the RFC or in the implementations. (OSPF is similar, but
as far as I remember unicast hellos are explicitly allowed.)

One odd thing I noticed: On Linux (5.11.13-arch1-1, so quite recent),
the interface does not list the MULTICAST flag and the interface is
still used by bird:

# ip l show dev wg1
4: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000

I will have a closer look why it doesn't work on FreeBSD but the same thing
works on Linux. I am probably missing something important.


Kind regards,
Stefan


[1]: https://gitlab.nic.cz/labs/bird/-/blob/9c41e1ca3e93d4498eaa085139caf1545e08c1d8/proto/babel/babel.c#L1662

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-14 21:50   ` Stefan Haller
@ 2021-04-14 22:14     ` Toke Høiland-Jørgensen
  2021-04-15  4:30       ` Jason A. Donenfeld
  2021-04-15 11:36       ` Stefan Haller
  0 siblings, 2 replies; 21+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-04-14 22:14 UTC (permalink / raw)
  To: Stefan Haller, WireGuard mailing list

Stefan Haller <stefan.haller@stha.de> writes:

> Hi Jason,
>
> Thanks for your clarification. I understand that setting this flag would
> be a false promise to userspace, because generally Wireguard is
> point-to-multipoint and doesn't copy messages to multiple peers (which
> is not exactly necessary in my case, where only a single peer is
> configured on both sides).
>
> I just wanted to ensure that the introduced change was intentional
> before looking into other directions, hence my question.
>
> On Wed, Apr 14, 2021 at 02:24:20PM -0600, Jason A. Donenfeld wrote:
>> Does bird completely ignore interfaces without it? Is there no setting
>> to change that?
>
> At least a brief look at the code suggests this: [1]
>
> The Babel protocol seems to rely on well-known *link-local* IPv6
> multicast addresses. I did not find anything related to unicast "hello"
> messages in the RFC or in the implementations. (OSPF is similar, but
> as far as I remember unicast hellos are explicitly allowed.)
>
> One odd thing I noticed: On Linux (5.11.13-arch1-1, so quite recent),
> the interface does not list the MULTICAST flag and the interface is
> still used by bird:
>
> # ip l show dev wg1
> 4: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
>
> I will have a closer look why it doesn't work on FreeBSD but the same thing
> works on Linux. I am probably missing something important.

That's because the babel protocol code is checking for Bird's internal
MULTICAST flag, which is set like:

  else if (fl & IFF_POINTOPOINT)    /* PtP */
    f.flags |= IF_MULTICAST;
  else if (fl & IFF_BROADCAST)      /* Broadcast */
    f.flags |= IF_MULTIACCESS | IF_BROADCAST | IF_MULTICAST;

so it needs either the OS-level POINTOPOINT or the BROADCAST flag set.
Wireguard interfaces on Linux have POINTOPOINT which is enough for Bird.

And yeah, for now Babel only speaks multicast; the spec does allow for
unicast communication, but the code in Bird doesn't implement that yet
(I'm the author of the Babel implementation in Bird). Even for unicast,
Babel still needs multicast for discovery, but in the case of Wireguard
that could be replaced by reading the peers directly from the Wireguard
kernel module. Add in updating of Wireguard AllowedIPs, and presto,
there's your completely dynamic mesh requiring only a single wg interface
on each peer :)

Quite happy to review Bird patches if someone wants to hack on this,
BTW, but otherwise it's on my "eventually" list :P

-Toke

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-14 22:14     ` Toke Høiland-Jørgensen
@ 2021-04-15  4:30       ` Jason A. Donenfeld
  2021-04-15  9:42         ` Toke Høiland-Jørgensen
  2021-04-15 11:36       ` Stefan Haller
  1 sibling, 1 reply; 21+ messages in thread
From: Jason A. Donenfeld @ 2021-04-15  4:30 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen; +Cc: Stefan Haller, WireGuard mailing list

Hey Toke,

Regarding POINTTOPOINT flag in Linux vs FreeBSD -- apparently FreeBSD
routes everything differently simply by virtue of the interface having
that flag, whereas on Linux, PTP routing mode is only switched on if
you actually add an address with a dest peer. So for FreeBSD, the
different routing seemed somewhat disruptive, so I stopped setting
that flag in a recent snapshot release.

Hey Stefan,

Looking at bird's source code (iface.c), it looks like bird will only
look at IFF flags if you fail to specify the interface type in the
config file. Can you try *not changing to link1/ptp mode* and then
setting the type flag in your bird config? Specifically:

                interface <interface pattern> [instance <num>] {
                        ...
                        type [broadcast|bcast|pointopoint|ptp|
                                nonbroadcast|nbma|pointomultipoint|ptmp];

If you set `type ptmp` or `type nbma` or something, and see if that
will do the trick for you? I'd like to _not_ release this link1
hack/trick if possible.

Thanks,
Jason

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-15  4:30       ` Jason A. Donenfeld
@ 2021-04-15  9:42         ` Toke Høiland-Jørgensen
  0 siblings, 0 replies; 21+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-04-15  9:42 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: Stefan Haller, WireGuard mailing list

"Jason A. Donenfeld" <Jason@zx2c4.com> writes:

> Hey Toke,
>
> Regarding POINTTOPOINT flag in Linux vs FreeBSD -- apparently FreeBSD
> routes everything differently simply by virtue of the interface having
> that flag, whereas on Linux, PTP routing mode is only switched on if
> you actually add an address with a dest peer. So for FreeBSD, the
> different routing seemed somewhat disruptive, so I stopped setting
> that flag in a recent snapshot release.

Ah, of course that would be different...

> Hey Stefan,
>
> Looking at bird's source code (iface.c), it looks like bird will only
> look at IFF flags if you fail to specify the interface type in the
> config file. Can you try *not changing to link1/ptp mode* and then
> setting the type flag in your bird config? Specifically:
>
>                 interface <interface pattern> [instance <num>] {
>                         ...
>                         type [broadcast|bcast|pointopoint|ptp|
>                                 nonbroadcast|nbma|pointomultipoint|ptmp];

This is from the OSPF protocol code, though, so it won't work for
Babel.

-Toke

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-14 22:14     ` Toke Høiland-Jørgensen
  2021-04-15  4:30       ` Jason A. Donenfeld
@ 2021-04-15 11:36       ` Stefan Haller
  2021-04-15 12:22         ` Toke Høiland-Jørgensen
  2021-04-15 17:22         ` Jason A. Donenfeld
  1 sibling, 2 replies; 21+ messages in thread
From: Stefan Haller @ 2021-04-15 11:36 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen; +Cc: WireGuard mailing list

Hi Toke,

On Thu, Apr 15, 2021 at 12:14:04AM +0200, Toke Høiland-Jørgensen wrote:
> That's because the babel protocol code is checking for Bird's internal
> MULTICAST flag, which is set like:
> 
>   else if (fl & IFF_POINTOPOINT)    /* PtP */
>     f.flags |= IF_MULTICAST;
>   else if (fl & IFF_BROADCAST)      /* Broadcast */
>     f.flags |= IF_MULTIACCESS | IF_BROADCAST | IF_MULTICAST;
> 
> so it needs either the OS-level POINTOPOINT or the BROADCAST flag set.
> Wireguard interfaces on Linux have POINTOPOINT which is enough for Bird.

That explains a lot. I expected something like this, but did not have
time yet to look more closely.

> And yeah, for now Babel only speaks multicast; the spec does allow for
> unicast communication, but the code in Bird doesn't implement that yet
> (I'm the author of the Babel implementation in Bird). Even for unicast,
> Babel still needs multicast for discovery, but in the case of Wireguard
> that could be replaced by reading the peers directly from the Wireguard
> kernel module. Add in updating of Wireguard AllowedIPs, and presto,
> there's your completely dynamic mesh requiring only a single wg interface
> on each peer :)

Overall, this sounds like a great idea. Having to create so many
wireguard p2p tunnels to form a mesh is quite cumbersome. Using
Wireguard's AllowedIPs as an alternative to the kernel routing table
sounds useful. The peer discovery could also be useful outside of the
babel protocol implementation (even though it will always be quite
non-standard). One could probably assume that the first configured
v6/128 and v4/32 IPs belong to the directly connected peer.

> Quite happy to review Bird patches if someone wants to hack on this,
> BTW, but otherwise it's on my "eventually" list :P

While I am interested and it sounds like a great opportunity to learn
cool new things I don't know a lot about yet, I have to see if I am
actually up to the task. :)

Anyway, I think there is an agreement that it is better to add specific
support for Wireguard interfaces in bird instead of changing the
interface flags.


Kind regards,
Stefan

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-15 11:36       ` Stefan Haller
@ 2021-04-15 12:22         ` Toke Høiland-Jørgensen
  2021-04-15 17:22         ` Jason A. Donenfeld
  1 sibling, 0 replies; 21+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-04-15 12:22 UTC (permalink / raw)
  To: Stefan Haller; +Cc: WireGuard mailing list

Stefan Haller <stefan.haller@stha.de> writes:

> Hi Toke,
>
> On Thu, Apr 15, 2021 at 12:14:04AM +0200, Toke Høiland-Jørgensen wrote:
>> That's because the babel protocol code is checking for Bird's internal
>> MULTICAST flag, which is set like:
>> 
>>   else if (fl & IFF_POINTOPOINT)    /* PtP */
>>     f.flags |= IF_MULTICAST;
>>   else if (fl & IFF_BROADCAST)      /* Broadcast */
>>     f.flags |= IF_MULTIACCESS | IF_BROADCAST | IF_MULTICAST;
>> 
>> so it needs either the OS-level POINTOPOINT or the BROADCAST flag set.
>> Wireguard interfaces on Linux have POINTOPOINT which is enough for Bird.
>
> That explains a lot. I expected something like this, but did not have
> time yet to look more closely.
>
>> And yeah, for now Babel only speaks multicast; the spec does allow for
>> unicast communication, but the code in Bird doesn't implement that yet
>> (I'm the author of the Babel implementation in Bird). Even for unicast,
>> Babel still needs multicast for discovery, but in the case of Wireguard
>> that could be replaced by reading the peers directly from the Wireguard
>> kernel module. Add in updating of Wireguard AllowedIPs, and presto,
>> there's your completely dynamic mesh requiring only a single wg interface
>> on each peer :)
>
> Overall, this sounds like a great idea. Having to create so many
> wireguard p2p tunnels to form a mesh is quite cumbersome. Using
> Wireguard's AllowedIPs as an alternative to the kernel routing table
> sounds useful. The peer discovery could also be useful outside of the
> babel protocol implementation (even though it will always be quite
> non-standard). One could probably assume that the first configured
> v6/128 and v4/32 IPs belong to the directly connected peer.
>
>> Quite happy to review Bird patches if someone wants to hack on this,
>> BTW, but otherwise it's on my "eventually" list :P
>
> While I am interested and it sounds like a great opportunity to learn
> cool new things I don't know a lot about yet, I have to see if I am
> actually up to the task. :)
>
> Anyway, I think there is an agreement that it is better to add specific
> support for Wireguard interfaces in bird instead of changing the
> interface flags.

Yeah; in the meantime, you can just patch Bird; just get rid of this
check in proto/babel/babel.c (there are two of them):

    if (!(iface->flags & IF_MULTICAST))
      continue;

should have no ill effects. Actually I think we could just get rid of
that check entirely, it's not strictly needed for anything other than
maybe filtering a very wide glob of interfaces. I'll send a patch...

-Toke

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-15 11:36       ` Stefan Haller
  2021-04-15 12:22         ` Toke Høiland-Jørgensen
@ 2021-04-15 17:22         ` Jason A. Donenfeld
  2021-04-15 17:53           ` Toke Høiland-Jørgensen
  1 sibling, 1 reply; 21+ messages in thread
From: Jason A. Donenfeld @ 2021-04-15 17:22 UTC (permalink / raw)
  To: Stefan Haller; +Cc: Toke Høiland-Jørgensen, WireGuard mailing list

Hi Stefan,

Sounds like Toke has come up with the optimal solution, so I think
I'll drop the "link1" patch/hack.

One thing I was wondering though, mostly for my own curiosity, is what
config you're using that shows the problem, and how does the problem
manifest?

I just put this in bird.conf:

router id 192.168.88.2;
protocol babel {
       interface "wg0" {
               type wired;
               port 1234;
       };
};

And then I ran:

# pkg install bird2
# bird -d -c bird.conf

And I didn't see any troubling error messages. But maybe it's more
subtle than that?

Jason

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-15 17:22         ` Jason A. Donenfeld
@ 2021-04-15 17:53           ` Toke Høiland-Jørgensen
  2021-04-16  0:05             ` Jason A. Donenfeld
  0 siblings, 1 reply; 21+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-04-15 17:53 UTC (permalink / raw)
  To: Jason A. Donenfeld, Stefan Haller; +Cc: WireGuard mailing list

"Jason A. Donenfeld" <Jason@zx2c4.com> writes:

> Hi Stefan,
>
> Sounds like Toke has come up with the optimal solution, so I think
> I'll drop the "link1" patch/hack.
>
> One thing I was wondering though, mostly for my own curiosity, is what
> config you're using that shows the problem, and how does the problem
> manifest?
>
> I just put this in bird.conf:
>
> router id 192.168.88.2;
> protocol babel {
>        interface "wg0" {
>                type wired;
>                port 1234;
>        };
> };
>
> And then I ran:
>
> # pkg install bird2
> # bird -d -c bird.conf
>
> And I didn't see any troubling error messages. But maybe it's more
> subtle than that?

I think it would just silently ignore the interface; does it say
anything about running on it? You could also see if there's any traffic,
there should be UDP packets with dest port 6696 appearing if it does
run...

-Toke

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-15 17:53           ` Toke Høiland-Jørgensen
@ 2021-04-16  0:05             ` Jason A. Donenfeld
  2021-04-16  8:57               ` Stefan Haller
  0 siblings, 1 reply; 21+ messages in thread
From: Jason A. Donenfeld @ 2021-04-16  0:05 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen, Stefan Haller
  Cc: WireGuard mailing list, Bernhard Froehlich

Hey Stefan, Toke,

I spent the day playing around with bird and babel and sorted out
FreeBSD's v6 situation. Basically, ff00::/8 addresses are treated
differently, and they're blocked unless the interface sets
IFF_MULTICAST. So I've committed
https://git.zx2c4.com/wireguard-freebsd/commit/?id=a7a84a17faf784857f076e37aa4818f6b6c12a95
to do this. We _could_ also set IFF_BROADCAST, which would translate
to babel enabling IF_MULTICAST, but so far I can't see how this would
help anything real, and combined with Toke's patch --
https://bird.network.cz/pipermail/bird-users/2021-April/015415.html --
I think we're actually in a good situation. Seeing that this now
works, I've also dropped the link1 hack and put that in a branch in
case it becomes useful later.

Bernhard (decke@) is CC'd here in case he'd like to get some of this
into ports early for your use case. Specifically, this involves:

1) https://bird.network.cz/pipermail/bird-users/2021-April/015415.html
for the bird2 package.
2) https://git.zx2c4.com/wireguard-freebsd/patch/?id=a7a84a17faf784857f076e37aa4818f6b6c12a95
for the wireguard-kmod package.

Stefan - please let me know if those work for you. In my testing thus
far, things seem to work for me.

Long term, we'll certainly want to have Toke's planned support for
direct WireGuard peering inside of bird.

Regards,
Jason

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-16  0:05             ` Jason A. Donenfeld
@ 2021-04-16  8:57               ` Stefan Haller
  2021-04-16  9:35                 ` Toke Høiland-Jørgensen
  2021-04-16 12:14                 ` Muenz, Michael
  0 siblings, 2 replies; 21+ messages in thread
From: Stefan Haller @ 2021-04-16  8:57 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

Hi Jason,

On Thu, Apr 15, 2021 at 06:05:03PM -0600, Jason A. Donenfeld wrote:
> I spent the day playing around with bird and babel and sorted out
> FreeBSD's v6 situation. Basically, ff00::/8 addresses are treated
> differently, and they're blocked unless the interface sets
> IFF_MULTICAST. So I've committed
> https://git.zx2c4.com/wireguard-freebsd/commit/?id=a7a84a17faf784857f076e37aa4818f6b6c12a95
> to do this.

That is also what I observed. Without IFF_MULTICAST I see the following
error in bird's log:

bird[8045]: babel1: Socket error: IPV6_MULTICAST_IF: Can't assign requested address
bird[8045]: babel1: Cannot open socket for wg1

> Stefan - please let me know if those work for you. In my testing thus
> far, things seem to work for me.

After applying Toke's patch for bird and your Wireguard patch in
a7a84a17faf784 everything is working as before (with minor config
changes).

Just for the record, my previous configuration looked like this (using
POINTTOPOINT interfaces, I use ifconfig to set the peer address):

> [Interface]
> ...
> Address = fe80::5/64
> PostUp = ifconfig %i inet 169.254.42.5/32 169.254.42.2

My new configuration without POINTTOPOINT, but only a single peer
directly attached to other side of the wg tunnel:

> [Interface]
> ...
> Address = 169.254.42.5/32, fe80::5/64
> PostUp = route add 169.254.42.2 -iface %i

So for me everything works as expected again. A big thanks to all of you for
figuring out what was going wrong and getting it fixed so quickly.


Kind regards,
Stefan

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-16  8:57               ` Stefan Haller
@ 2021-04-16  9:35                 ` Toke Høiland-Jørgensen
  2021-04-19 18:25                   ` Toke Høiland-Jørgensen
  2021-04-16 12:14                 ` Muenz, Michael
  1 sibling, 1 reply; 21+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-04-16  9:35 UTC (permalink / raw)
  To: Stefan Haller, Jason A. Donenfeld; +Cc: WireGuard mailing list

Stefan Haller <stefan.haller@stha.de> writes:

> Hi Jason,
>
> On Thu, Apr 15, 2021 at 06:05:03PM -0600, Jason A. Donenfeld wrote:
>> I spent the day playing around with bird and babel and sorted out
>> FreeBSD's v6 situation. Basically, ff00::/8 addresses are treated
>> differently, and they're blocked unless the interface sets
>> IFF_MULTICAST. So I've committed
>> https://git.zx2c4.com/wireguard-freebsd/commit/?id=a7a84a17faf784857f076e37aa4818f6b6c12a95
>> to do this.
>
> That is also what I observed. Without IFF_MULTICAST I see the following
> error in bird's log:
>
> bird[8045]: babel1: Socket error: IPV6_MULTICAST_IF: Can't assign requested address
> bird[8045]: babel1: Cannot open socket for wg1
>
>> Stefan - please let me know if those work for you. In my testing thus
>> far, things seem to work for me.
>
> After applying Toke's patch for bird and your Wireguard patch in
> a7a84a17faf784 everything is working as before (with minor config
> changes).
>
> Just for the record, my previous configuration looked like this (using
> POINTTOPOINT interfaces, I use ifconfig to set the peer address):
>
>> [Interface]
>> ...
>> Address = fe80::5/64
>> PostUp = ifconfig %i inet 169.254.42.5/32 169.254.42.2
>
> My new configuration without POINTTOPOINT, but only a single peer
> directly attached to other side of the wg tunnel:
>
>> [Interface]
>> ...
>> Address = 169.254.42.5/32, fe80::5/64
>> PostUp = route add 169.254.42.2 -iface %i
>
> So for me everything works as expected again. A big thanks to all of you for
> figuring out what was going wrong and getting it fixed so quickly.

Great! You're welcome :)

-Toke

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-16  8:57               ` Stefan Haller
  2021-04-16  9:35                 ` Toke Høiland-Jørgensen
@ 2021-04-16 12:14                 ` Muenz, Michael
  2021-04-16 15:17                   ` Jason A. Donenfeld
  1 sibling, 1 reply; 21+ messages in thread
From: Muenz, Michael @ 2021-04-16 12:14 UTC (permalink / raw)
  To: wireguard

On 16.04.2021 at 10:57, Stefan Haller wrote:
> After applying Toke's patch for bird and your Wireguard patch in
> a7a84a17faf784 everything is working as before (with minor config
> changes).
>
> Just for the record, my previous configuration looked like this (using
> POINTTOPOINT interfaces, I use ifconfig to set the peer address):


Hi,

Just following the conversation and also had a quick chat with Jason via 
IRC (mimugmail).
We had a couple of reports that the latest change of removing PTP
breaks OSPF.
In our case (OPNsense) we rely on FRR so it would be nice to have a
generic solution without touching routing software itself.


> So for me everything works as expected again. A big thanks to all of you for
> figuring out what was going wrong and getting it fixed so quickly.
>
>

I set up a lab and will do some testing with version before and after 
the change, maybe for FRR it's enough to set NBMA or similar.


Best,

Michael


* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-16 12:14                 ` Muenz, Michael
@ 2021-04-16 15:17                   ` Jason A. Donenfeld
  2021-04-16 17:45                     ` Jason A. Donenfeld
  0 siblings, 1 reply; 21+ messages in thread
From: Jason A. Donenfeld @ 2021-04-16 15:17 UTC (permalink / raw)
  To: Muenz, Michael; +Cc: wireguard

Hi Michael,

On 4/16/21, Muenz, Michael <m.muenz@spam-fetish.org> wrote:
> On 16.04.2021 at 10:57, Stefan Haller wrote:
>> After applying Toke's patch for bird and your Wireguard patch in
>> a7a84a17faf784 everything is working as before (with minor config
>> changes).
>>
>> Just for the record, my previous configuration looked like this (using
>> POINTTOPOINT interfaces, I use ifconfig to set the peer address):
>
>
> Hi,
>
> Just following the conversation and also had a quick chat with Jason via
> IRC (mimugmail).
> We had a couple of reports that the latest change of removing PTP
> breaks OSPF.
> In our case (OPNsense) we rely on FRR so it would be nice to have a
> generic solution without touching routing software itself.
>
>
>> So for me everything works as expected again. A big thanks to all of you
>> for
>> figuring out what was going wrong and getting it fixed so quickly.
>>
>>
>
> I set up a lab and will do some testing with version before and after
> the change, maybe for FRR it's enough to set NBMA or similar.

Could you send a minimal bird config that's broken so that I can
reproduce the problem and debug?

Jason

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-16 15:17                   ` Jason A. Donenfeld
@ 2021-04-16 17:45                     ` Jason A. Donenfeld
  0 siblings, 0 replies; 21+ messages in thread
From: Jason A. Donenfeld @ 2021-04-16 17:45 UTC (permalink / raw)
  To: Muenz, Michael; +Cc: WireGuard mailing list

On Fri, Apr 16, 2021 at 9:17 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> > I set up a lab and will do some testing with version before and after
> > the change, maybe for FRR it's enough to set NBMA or similar.
>
> Could you send a minimal bird config that's broken so that I can
> reproduce the problem and debug?

With the latest version --
https://lists.zx2c4.com/pipermail/wireguard/2021-April/006634.html --
wireguard seems to be working out of the box with frr.

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-16  9:35                 ` Toke Høiland-Jørgensen
@ 2021-04-19 18:25                   ` Toke Høiland-Jørgensen
  2021-04-19 19:41                     ` Stefan Haller
  0 siblings, 1 reply; 21+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-04-19 18:25 UTC (permalink / raw)
  To: Stefan Haller, Jason A. Donenfeld; +Cc: WireGuard mailing list

Toke Høiland-Jørgensen <toke@toke.dk> writes:

> Stefan Haller <stefan.haller@stha.de> writes:
>
>> Hi Jason,
>>
>> On Thu, Apr 15, 2021 at 06:05:03PM -0600, Jason A. Donenfeld wrote:
>>> I spent the day playing around with bird and babel and sorted out
>>> FreeBSD's v6 situation. Basically, ff00::/8 addresses are treated
>>> differently, and they're blocked unless the interface sets
>>> IFF_MULTICAST. So I've committed
>>> https://git.zx2c4.com/wireguard-freebsd/commit/?id=a7a84a17faf784857f076e37aa4818f6b6c12a95
>>> to do this.
>>
>> That is also what I observed. Without IFF_MULTICAST I see the following
>> error in bird's log:
>>
>> bird[8045]: babel1: Socket error: IPV6_MULTICAST_IF: Can't assign requested address
>> bird[8045]: babel1: Cannot open socket for wg1
>>
>>> Stefan - please let me know if those work for you. In my testing thus
>>> far, things seem to work for me.
>>
>> After applying Toke's patch for bird and your Wireguard patch in
>> a7a84a17faf784 everything is working as before (with minor config
>> changes).
>>
>> Just for the record, my previous configuration looked like this (using
>> POINTTOPOINT interfaces, I use ifconfig to set the peer address):
>>
>>> [Interface]
>>> ...
>>> Address = fe80::5/64
>>> PostUp = ifconfig %i inet 169.254.42.5/32 169.254.42.2
>>
>> My new configuration without POINTTOPOINT, but only a single peer
>> directly attached to other side of the wg tunnel:
>>
>>> [Interface]
>>> ...
>>> Address = 169.254.42.5/32, fe80::5/64
>>> PostUp = route add 169.254.42.2 -iface %i
>>
>> So for me everything works as expected again. A big thanks to all of you for
>> figuring out what was going wrong and getting it fixed so quickly.
>
> Great! You're welcome :)

Stefan, any chance you could test this patch to Bird (*instead of* the
previous one that removes the check from the Babel code)?

-Toke

diff --git a/sysdep/bsd/krt-sock.c b/sysdep/bsd/krt-sock.c
index c2faa23dd44f..cd89544063c7 100644
--- a/sysdep/bsd/krt-sock.c
+++ b/sysdep/bsd/krt-sock.c
@@ -665,6 +665,9 @@ krt_read_ifinfo(struct ks_msg *msg, int scan)
   else
     f.flags |= IF_MULTIACCESS;      /* NBMA */
 
+  if (fl & IFF_MULTICAST)
+    f.flags |= IF_MULTICAST;
+
   iface = if_update(&f);
 
   if (!scan)
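Review bot: the added `if (fl & IFF_MULTICAST)` test in krt_read_ifinfo() sits after the link-type if/else chain, so it applies to every branch, including the final else that tags the interface IF_MULTIACCESS as NBMA; a short comment above it saying that multicast capability is copied from the kernel flag independently of that classification would make the intent clear to the next reader. It is also worth checking whether the earlier branches, which are outside this hunk, already set IF_MULTICAST; if they do, those assignments become redundant with this single check. The patch is posted without a commit message; since the accompanying mail says it is meant to be applied instead of the earlier change that removed the check from the Babel code, the message should say so, so that packagers drop that change when picking this one up.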

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-19 18:25                   ` Toke Høiland-Jørgensen
@ 2021-04-19 19:41                     ` Stefan Haller
  2021-04-19 19:42                       ` Jason A. Donenfeld
  0 siblings, 1 reply; 21+ messages in thread
From: Stefan Haller @ 2021-04-19 19:41 UTC (permalink / raw)
  To: Toke Høiland-Jørgensen
  Cc: Jason A. Donenfeld, WireGuard mailing list

On Mon, Apr 19, 2021 at 08:25:46PM +0200, Toke Høiland-Jørgensen wrote:
> Stefan, any chance you could test this patch to Bird (*instead of* the
> previous one that removes the check from the Babel code)?

The patch is working on FreeBSD 13.0.

Kind regards,
Stefan

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-19 19:41                     ` Stefan Haller
@ 2021-04-19 19:42                       ` Jason A. Donenfeld
  2021-04-19 19:49                         ` Stefan Haller
  0 siblings, 1 reply; 21+ messages in thread
From: Jason A. Donenfeld @ 2021-04-19 19:42 UTC (permalink / raw)
  To: Stefan Haller; +Cc: Toke Høiland-Jørgensen, WireGuard mailing list

On Mon, Apr 19, 2021 at 1:42 PM Stefan Haller <stefan.haller@stha.de> wrote:
>
> On Mon, Apr 19, 2021 at 08:25:46PM +0200, Toke Høiland-Jørgensen wrote:
> > Stefan, any chance you could test this patch to Bird (*instead of* the
> > previous one that removes the check from the Babel code)?
>
> The patch is working on FreeBSD 13.0.

Just FYI, the previous patch was added to ports, so I wanted to double
check that you removed that previous patch before adding this one...

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-19 19:42                       ` Jason A. Donenfeld
@ 2021-04-19 19:49                         ` Stefan Haller
  2021-04-19 21:46                           ` Toke Høiland-Jørgensen
  0 siblings, 1 reply; 21+ messages in thread
From: Stefan Haller @ 2021-04-19 19:49 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Toke Høiland-Jørgensen, WireGuard mailing list

On Mon, Apr 19, 2021 at 01:42:58PM -0600, Jason A. Donenfeld wrote:
> On Mon, Apr 19, 2021 at 1:42 PM Stefan Haller <stefan.haller@stha.de> wrote:
> >
> > On Mon, Apr 19, 2021 at 08:25:46PM +0200, Toke Høiland-Jørgensen wrote:
> > > Stefan, any chance you could test this patch to Bird (*instead of* the
> > > previous one that removes the check from the Babel code)?
> >
> > The patch is working on FreeBSD 13.0.
> 
> Just FYI, the previous patch was added to ports, so I wanted to double
> check that you removed that previous patch before adding this one...

Yes, I did remove the old patch (in proto/babel/babel.c):

> root@fbsd:/usr/ports/net/bird2 # git status .
> On branch main
> Changes not staged for commit:
>   (use "git add/rm <file>..." to update what will be committed)
>   (use "git restore <file>..." to discard changes in working directory)
>         deleted:    files/patch-proto_babel_babel.c
> 
> Untracked files:
>   (use "git add <file>..." to include in what will be committed)
>         files/patch-sysdep_bsd_krt-sock.c

Kind regards,
Stefan

* Re: FreeBSD if_wg POINTTOPOINT and MULTICAST behaviour
  2021-04-19 19:49                         ` Stefan Haller
@ 2021-04-19 21:46                           ` Toke Høiland-Jørgensen
  0 siblings, 0 replies; 21+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-04-19 21:46 UTC (permalink / raw)
  To: Stefan Haller, Jason A. Donenfeld; +Cc: WireGuard mailing list

Stefan Haller <stefan.haller@stha.de> writes:

> On Mon, Apr 19, 2021 at 01:42:58PM -0600, Jason A. Donenfeld wrote:
>> On Mon, Apr 19, 2021 at 1:42 PM Stefan Haller <stefan.haller@stha.de> wrote:
>> >
>> > On Mon, Apr 19, 2021 at 08:25:46PM +0200, Toke Høiland-Jørgensen wrote:
>> > > Stefan, any chance you could test this patch to Bird (*instead of* the
>> > > previous one that removes the check from the Babel code)?
>> >
>> > The patch is working on FreeBSD 13.0.
>> 
>> Just FYI, the previous patch was added to ports, so I wanted to double
>> check that you removed that previous patch before adding this one...
>
> Yes, I did remove the old patch (in proto/babel/babel.c):
>
>> root@fbsd:/usr/ports/net/bird2 # git status .
>> On branch main
>> Changes not staged for commit:
>>   (use "git add/rm <file>..." to update what will be committed)
>>   (use "git restore <file>..." to discard changes in working directory)
>>         deleted:    files/patch-proto_babel_babel.c
>> 
>> Untracked files:
>>   (use "git add <file>..." to include in what will be committed)
>>         files/patch-sysdep_bsd_krt-sock.c

Awesome! Thank you for testing! :)

-Toke
