[Question or Feature Request] Any wg1.conf option to limit peer IP as 1-to-1?

Jason A. Donenfeld Jason at zx2c4.com
Mon Dec 17 09:50:28 CET 2018


On Mon, Dec 17, 2018 at 9:10 AM KeXianbin(http://diyism.com)
<kexianbin at diyism.com> wrote:
>
> It seems that "AllowedIPs" have nothing to do with refusing unwanted peer's IP.
> It only specifies the outgoing target IPs,

It should also refuse unwanted, as you wrote. From src/tests/netns.sh,
we have this section:

n1 wg set wg0 peer "$pub2" allowed-ips 192.168.241.0/24
exec 4< <(n1 ncat -l -u -p 1111)
ncat_pid=$!
waitncatudp $netns1
n2 ncat -u 192.168.241.1 1111 <<<"X"
read -r -N 1 -t 1 out <&4 && [[ $out == "X" ]]
kill $ncat_pid
more_specific_key="$(pp wg genkey | pp wg pubkey)"
n1 wg set wg0 peer "$more_specific_key" allowed-ips 192.168.241.2/32
n2 wg set wg0 listen-port 9997
exec 4< <(n1 ncat -l -u -p 1111)
ncat_pid=$!
waitncatudp $netns1
n2 ncat -u 192.168.241.1 1111 <<<"X"
! read -r -N 1 -t 1 out <&4 || false
kill $ncat_pid
n1 wg set wg0 peer "$more_specific_key" remove
[[ $(n1 wg show wg0 endpoints) == "$pub2        [::1]:9997" ]]

Would you propose a more specific test to reach the case you're experiencing?

I also tried to reproduce your situation manually between two real
computers without success:

cannonball ~ # ip link add wg0 type wireguard
cannonball ~ # wg set wg0 private-key <(wg genkey)

thinkpad ~ # ip link add wg0 type wireguard
thinkpad ~ # wg set wg0 private-key <(wg genkey) listen-port 51820 peer fFLm5F2YxzkH0IB1p+r6NUwNqKw3sp09NtVdoWO1lHA= allowed-ips 10.1.0.3/32

cannonball ~ # wg set wg0 peer YKuR7SRtK4YsF//lqFNp4dSOYdAa6VTNvKFulgC0Vy4= allowed-ips 0.0.0.0/0 endpoint 10.10.13.100:51820

thinkpad ~ # ip address add 10.1.0.1/24 dev wg0
thinkpad ~ # ip link set up dev wg0

cannonball ~ # ip address add 10.1.0.3/24 dev wg0
cannonball ~ # ip link set up dev wg0

cannonball ~ # ping -q -c 1 10.1.0.1
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.492/3.492/3.492/0.000 ms

cannonball ~ # ip address flush dev wg0
cannonball ~ # ip address add 10.1.0.4/24 dev wg0
cannonball ~ # ping -q -c 1 10.1.0.1
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.

--- 10.1.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

thinkpad ~ # dmesg | grep unallowed
[17084.651723] wireguard: wg0: Packet has unallowed src IP (10.1.0.4) from peer 1 (10.10.13.108:47686)

Therefore, I'm seeing the expected behavior. Can you show a similar
sequence that demonstrates the bug you're reporting?

Thanks,
Jason
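A small model of the cryptokey routing behaviour the netns test and the two-host session above rely on, added here as an illustration and not WireGuard's own code: one AllowedIPs table, longest-prefix match, consulted for both the outbound peer choice and the inbound source-IP check. Peer names are placeholders, and n2's tunnel address in the netns scenario is assumed to be 192.168.241.2.

```python
import ipaddress

class CryptokeyRoutingTable:
    """Model of the AllowedIPs table (constructed for illustration, not
    WireGuard's own code): one table, longest-prefix match, both directions."""
    def __init__(self):
        self.routes = []  # (network, peer_key) pairs

    def set_allowed_ips(self, peer_key, cidr):
        # A prefix belongs to one peer at a time: assigning it moves it away from its previous owner.
        net = ipaddress.ip_network(cidr, strict=False)
        self.routes = [(n, k) for n, k in self.routes if n != net]
        self.routes.append((net, peer_key))

    def remove_peer(self, peer_key):
        self.routes = [(n, k) for n, k in self.routes if k != peer_key]

    def lookup(self, ip):
        # Longest-prefix match: the most specific entry decides the peer.
        addr = ipaddress.ip_address(ip)
        best = None
        for net, key in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, key)
        return best[1] if best else None

    def ingress_allowed(self, peer_key, src_ip):
        # Inbound: keep a decrypted packet only if its source IP routes back to
        # the peer it came from; otherwise it is the "unallowed src IP" case.
        return self.lookup(src_ip) == peer_key

def netns_scenario():
    # The netns.sh steps above; n2's tunnel address is assumed to be 192.168.241.2.
    t = CryptokeyRoutingTable()
    t.set_allowed_ips("pub2", "192.168.241.0/24")
    before = t.ingress_allowed("pub2", "192.168.241.2")
    t.set_allowed_ips("more_specific_key", "192.168.241.2/32")
    stolen = t.ingress_allowed("pub2", "192.168.241.2")
    t.remove_peer("more_specific_key")
    restored = t.ingress_allowed("pub2", "192.168.241.2")
    return before, stolen, restored

def two_hosts_scenario():
    # thinkpad allows only 10.1.0.3/32 for cannonball; cannonball routes 0.0.0.0/0 to thinkpad.
    thinkpad, cannonball = CryptokeyRoutingTable(), CryptokeyRoutingTable()
    thinkpad.set_allowed_ips("cannonball_pub", "10.1.0.3/32")
    cannonball.set_allowed_ips("thinkpad_pub", "0.0.0.0/0")
    ok, bad = (thinkpad.ingress_allowed("cannonball_pub", ip) for ip in ("10.1.0.3", "10.1.0.4"))
    return cannonball.lookup("10.1.0.1"), ok, bad  # outbound peer, then the two inbound checks
```

The netns scenario returns (True, False, True): the /32 handed to the other key steals 192.168.241.2 until it is removed, which is why the second ncat read must fail; the two-host scenario returns ("thinkpad_pub", True, False), matching the successful ping from 10.1.0.3 and the drop logged for 10.1.0.4.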