Hello, I would like to report a strange behavior of the Wireguard Linux kernel implementation — when you try to create a peer whose public key matches the public key of the interface, the call returns success, but nothing is done. I don't have an opinion (or the relevant deep understanding of the crypto involved) on whether such a call should succeed or not, especially since it's 99% not what you want; I came across this issue by mistake anyway. However, I think an error should be returned when such a peer is rejected.

Steps to reproduce:
`wg genkey > priv`
`wg pubkey > pub < priv`
`ip link add wg type wireguard`
`wg set wg private-key priv`
`wg set wg peer $(cat pub) allowed-ips 1.1.1.1/32`

Observe: the return code is 0, and `wg show wg` does not print any peer. The same happens when using the wgctrl golang library.

Regards,
Vojtěch Káně
This is by design across all implementations, so that multiple peers can share the same stanzas after the [Interface] section. We don't allow peers talking to themselves simply because it made the formal analysis of the crypto slightly more complicated.
> This is by design across all implementations, so that multiple peers can share the same stanzas after the [Interface] section.
Does that mean it's unfixable, in the sense that you cannot detect it and return an appropriate error?

While it was clearly my mistake, it took me multiple hours to understand the problem instead of simply getting `cannot set peer foo as it already is a public key of interface bar`.
On Sun, Sep 5, 2021 at 10:27 PM Vojtěch Káně <vojtech.kane@gmail.com> wrote:
>
> > This is by design across all implementations, so that multiple peers can share the same stanzas after the [Interface] section.
> Does that mean it's unfixable, in the sense that you cannot detect it and return an appropriate error?
>
> While it was clearly my mistake, it took me multiple hours to understand the problem instead of simply getting `cannot set peer foo as it already is a public key of interface bar`.
>
It sounds like we really need to document that in more obvious places,
like wg(8), as that kind of confusion indeed must have been really
frustrating.
Jason
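An added example, not from this thread or the WireGuard project: a Go program using only the standard library that performs the check the reporter asks for before a peer is configured, deriving the interface's public key the way `wg pubkey` does and refusing a peer whose key equals it. The function names, the error text and the interface name wg0 are assumptions; the 32-byte Curve25519 keys in standard base64 are WireGuard's format.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

var b64 = base64.StdEncoding // WireGuard prints keys as standard base64

// PublicKeyOf does what `wg pubkey` does: X25519 of the 32-byte private
// scalar with the base point. NewPrivateKey rejects wrong-length input.
func PublicKeyOf(privB64 string) (string, error) {
	raw, err := b64.DecodeString(privB64)
	if err != nil {
		return "", fmt.Errorf("private key: %w", err)
	}
	priv, err := ecdh.X25519().NewPrivateKey(raw)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(priv.PublicKey().Bytes()), nil
}

// ValidatePeerKey is the check the reporter asks for (name and message are
// assumptions): reject a peer whose key is the interface's own public key.
func ValidatePeerKey(iface, ifacePrivB64, peerPubB64 string) error {
	ifacePub, err := PublicKeyOf(ifacePrivB64)
	if err != nil {
		return fmt.Errorf("interface %s: %w", iface, err)
	}
	raw, err := b64.DecodeString(peerPubB64)
	if err != nil || len(raw) != 32 {
		return fmt.Errorf("peer key %q: not a base64-encoded 32-byte key", peerPubB64)
	}
	// Compare re-encoded bytes so non-canonical base64 cannot slip past.
	if b64.EncodeToString(raw) == ifacePub {
		return fmt.Errorf("cannot set peer %s as it already is the public key of interface %s", peerPubB64, iface)
	}
	return nil
}

func main() { // constructed demo: a fresh key offered as its own peer
	k, _ := ecdh.X25519().GenerateKey(rand.Reader)
	priv := b64.EncodeToString(k.Bytes())
	pub, _ := PublicKeyOf(priv)
	fmt.Println(ValidatePeerKey("wg0", priv, pub))
}
```

A tool such as a wgctrl-based configurator could run ValidatePeerKey on each peer before calling into the kernel, since the kernel itself returns success for this case.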