FreeBSD wireguard wg-quick remote IP address assignment is incorrect

Peter Libassi peter at libassi.se
Tue Feb 25 14:08:30 CET 2020


On 25 Feb 2020 at 07:24, Jan Novak <repcom at gmail.com> wrote:
> On 25.02.20 at 07:07, Peter Libassi wrote:
>> On 23 Feb 2020 at 16:32, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>>> On Sun, Feb 23, 2020 at 2:25 PM Peter Libassi <peter at libassi.se> wrote:
>>>> OK, well, even if using another local IP in the range 127.0.0.0/8 we can’t be certain we will clash with something else.
>>>> How about adding a directive for the remote interface address in wg.conf? Like this:
>>>> # cat /usr/local/etc/wireguard/wg0.conf
>>>> [Interface]
>>>> PrivateKey = <->
>>>> ListenPort = 7777
>>>> Address = 192.168.2.1/32
>>>> RemoteAddress = 192.168.2.2
>>>> [Peer]
>>>> PublicKey = <->
>>>> AllowedIPs = 192.168.2.0/24
>>>> Endpoint = 172.16.0.23:7777
>>>> # diff /usr/local/bin/wg-quick.org ./wg-quick
>>>> 17a18
>>>>> REMOTE_ADDRESS=""
>>>> 86a88
>>>>> RemoteAddress) REMOTEADDRESS="$value"; continue ;;
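Review bot: the variable declared in the hunk above is `REMOTE_ADDRESS`, but this hunk assigns `REMOTEADDRESS` and the ifconfig hunk tests `REMOTEADDRESS`, so the declaration is dead and the parsed value lands in a variable that was never initialised; make the three names agree (e.g. declare `REMOTEADDRESS=""`).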
>>>> 175c177,181
>>>> < cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
>>>> ---
>>>>>    if [[ -n $REMOTEADDRESS ]]; then
>>>>> cmd ifconfig "$INTERFACE" inet "$1" "$REMOTEADDRESS" alias
>>>>>    else
>>>>>                cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
>>>>>    fi
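Review bot: one RemoteAddress is applied to every `Address =` entry in the loop, so with two or more Address lines each local address gets the same destination, and nothing checks that the value is a bare address rather than a prefix before it is handed to ifconfig; since the destination belongs to a link rather than to the interface as a whole, tie it to the address it pairs with, or refuse a config that sets RemoteAddress together with more than one Address.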
>>> This is not a correct fix; we're not going to add a configuration knob
>>> to work around FreeBSD network stack gotchas.
>>> Rather, I'd prefer to see all the FreeBSD wg-quick semantics redone
>>> around multiple routing tables and marks, much like on Linux, though I
>>> don't know if that's possible. Barring that, a proper solution
>>> probably involves re-reading the ifconfig man page a few dozen times
>>> to find out how to have interface addresses as we need them.
>> It works perfectly for my single site-to-site use case. You have two options as I see it. Either convince the FreeBSD team to drop the dest_address requirement or implement local/remote address awareness per [Peer] in the wg-quick script.
> 
> Hi Peter,
> 
> Can you show me an example for "... implement local/remote address awareness per [Peer] in the wg-quick script... "
> 
> 
> Bfo
> 
> 
> 
Here is one way to do it:

root at vpn1:~ # cat /usr/local/etc/wireguard/wg0.conf
[Interface]
  PrivateKey = <->
  ListenPort = 7777
 
[Peer]
  PublicKey = <->
  LinkAddress = 10.0.0.1/10.0.0.2
  Endpoint = 192.168.59.155:7777
  AllowedIPs = 10.0.0.2/32
 
[Peer]
  PublicKey = <->
  LinkAddress = 10.1.1.1/10.1.1.2
  Endpoint = 192.168.58.155:7777
  AllowedIPs = 10.1.1.2/32
 
$ diff /usr/local/bin/wg-quick wg-quick
16a17
> LADDRESSES=( )
63c64
<       local interface_section=0 line key value stripped path
---
>       local interface_section=0 peer_section=0 line key value stripped path
95a97,102
>               [[ $key == "[Peer]" ]] && peer_section=1
>               if [[ $peer_section -eq 1 ]]; then
>                       case "$key" in
>                       LinkAddress) LADDRESSES+=( ${value//,/ } ); continue ;;
>                       esac
>               fi
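Review bot: `peer_section` is set on `[Peer]` but never cleared, so a LinkAddress under an `[Interface]` header that comes after a `[Peer]` block is still collected; reset it whenever a section header is seen (`[[ $key == "["* ]] && peer_section=0` ahead of the `[Peer]` test). The `continue` is doing real work here: it is what keeps the non-standard LinkAddress line out of the config handed to `wg setconf`, which does not know the key, so it has to stay if the case statement grows.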
175c182
<               cmd ifconfig "$INTERFACE" inet "$1" "${1%%/*}" alias
---
>               cmd ifconfig "$INTERFACE" inet "${1%/*}/32" "${1#*/}" alias
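Review bot: the new ifconfig line assumes every LinkAddress carries a slash; for a value such as `10.0.0.1` both `${1%/*}` and `${1#*/}` expand to the whole string and the command becomes `ifconfig wg0 inet 10.0.0.1/32 10.0.0.1 alias`, the address being its own destination, which is the condition this thread set out to fix. Check the shape first (`[[ $1 == */* ]] || die "LinkAddress must be local/remote"`), and document that the netmask is now always /32, so a prefix length in the value is not honoured; only the inet form is changed here, so an IPv6 link address would need the same split on that path.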
419c426
<       for i in "${ADDRESSES[@]}"; do
---
>       for i in "${LADDRESSES[@]}"; do
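Review bot: with the loop switched from ADDRESSES to LADDRESSES, an `Address =` line in `[Interface]` is still parsed but never configured, and nothing tells the user; either refuse a config that sets both (`[[ ${#ADDRESSES[@]} -eq 0 ]] || die "Address and LinkAddress are mutually exclusive"`) or keep applying ADDRESSES as before, and document that on FreeBSD the link addresses are taken from the peers.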
 
root at vpn1:~ # /home/peter/wg-quick up wg0
[#] wireguard-go wg0
INFO: (wg0) 2020/02/25 13:49:54 Starting wireguard-go version 0.0.20200121
[#] wg setconf wg0 /tmp/tmp.vXURfmKj/sh-np.pCIWwG
[#] ifconfig wg0 inet 10.0.0.1/32 10.0.0.2 alias
[#] ifconfig wg0 inet 10.1.1.1/32 10.1.1.2 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.1.1.2/32 -interface wg0
[#] route -q -n add -inet 10.0.0.2/32 -interface wg0
[+] Backgrounding route monitor
 
root at vpn1:~ # ifconfig wg0
wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
        inet 10.1.1.1 --> 10.1.1.2 netmask 0xffffffff
        groups: tun
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 2033
 
root at VPN1:~ # netstat -rn4
Routing tables
 
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.59.2       UGS         em0
10.0.0.1           link#4             UHS         lo0
10.0.0.2           link#4             UH          wg0
10.0.0.2/32        wg0                US          wg0
10.1.1.1           link#4             UHS         lo0
10.1.1.2           link#4             UH          wg0
10.1.1.2/32        wg0                US          wg0
127.0.0.1          link#3             UH          lo0
192.168.59.0/24    link#1             U           em0
192.168.59.154     link#1             UHS         lo0
192.168.153.0/24   link#2             U           em1
192.168.153.130    link#2             UHS         lo0
 
root at vpn1:~ # ping -c1 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=0.373 ms
 
--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.373/0.373/0.373/0.000 ms
 
root at vpn1:~ # ping -c1 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.277 ms
 
--- 10.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.277/0.277/0.277/0.000 ms
 
/Peter
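One way to turn the per-[Peer] LinkAddress idea above into code that checks its input, as an added example that is not part of wg-quick or of any message in this thread. It parses a wg-quick style config from stdin, accepts `LinkAddress = local/remote` only inside a `[Peer]` section, requires both halves to be distinct IPv4 addresses, filters the key out of what would go to `wg setconf`, and prints the ifconfig(8) commands as a dry run rather than running them. The function names (`link_addresses`, `ifconfig_commands`, `strip_link_address`, `trim`, `is_ipv4`) and the sample config `SAMPLE_CONF` are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not code from wg-quick or from the thread: parse per-[Peer]
# "LinkAddress = local/remote" entries from a wg-quick style config, validate
# them, keep the non-standard key away from `wg setconf`, and print the
# ifconfig(8) commands as a dry run. Function names and the sample config are
# this example's own.
set -e -o pipefail

# Constructed sample config, laid out like the one in the mail above.
SAMPLE_CONF='[Interface]
  PrivateKey = <->
  ListenPort = 7777

[Peer]
  PublicKey = <->
  LinkAddress = 10.0.0.1/10.0.0.2
  Endpoint = 192.168.59.155:7777
  AllowedIPs = 10.0.0.2/32

[Peer]
  PublicKey = <->
  LinkAddress = 10.1.1.1/10.1.1.2
  Endpoint = 192.168.58.155:7777
  AllowedIPs = 10.1.1.2/32
'

# Strip leading and trailing whitespace from $1.
trim() {
    local s=$1
    s=${s#"${s%%[![:space:]]*}"}
    s=${s%"${s##*[![:space:]]}"}
    printf '%s' "$s"
}

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$' o
    [[ $1 =~ $re ]] || return 1
    for o in "${BASH_REMATCH[@]:1}"; do
        (( 10#$o <= 255 )) || return 1
    done
    return 0
}

# Read a config on stdin and print "local remote" for every LinkAddress found
# in a [Peer] section. Fails on a value that is not two distinct IPv4
# addresses separated by a slash, the shape the ifconfig line depends on.
link_addresses() {
    local line stripped key value section='' local_ip remote_ip
    while IFS= read -r line || [[ -n $line ]]; do
        stripped=${line%%\#*}
        key=$(trim "${stripped%%=*}")
        value=$(trim "${stripped#*=}")
        case $key in
            '['*) section=$key; continue ;;
        esac
        [[ $section == '[Peer]' && $key == LinkAddress ]] || continue
        if [[ $value != */* ]]; then
            echo "LinkAddress '$value' must be local/remote" >&2
            return 1
        fi
        local_ip=${value%%/*}
        remote_ip=${value#*/}
        if ! is_ipv4 "$local_ip" || ! is_ipv4 "$remote_ip"; then
            echo "LinkAddress '$value': both sides must be IPv4 addresses" >&2
            return 1
        fi
        if [[ $local_ip == "$remote_ip" ]]; then
            echo "LinkAddress '$value': local and remote must differ" >&2
            return 1
        fi
        printf '%s %s\n' "$local_ip" "$remote_ip"
    done
    return 0
}

# Turn "local remote" pairs (stdin) into the ifconfig(8) commands wg-quick
# would run for interface $1. Dry run: printed, not executed. Each local
# address is a /32 whose point-to-point destination is the peer's address.
ifconfig_commands() {
    local iface=$1 local_ip remote_ip
    while read -r local_ip remote_ip; do
        printf 'ifconfig %s inet %s/32 %s alias\n' "$iface" "$local_ip" "$remote_ip"
    done
}

# Copy a config from stdin to stdout without the LinkAddress lines, so that
# what reaches `wg setconf` contains only keys wg(8) understands.
strip_link_address() {
    local line key
    while IFS= read -r line || [[ -n $line ]]; do
        key=$(trim "${line%%=*}")
        [[ $key == LinkAddress ]] || printf '%s\n' "$line"
    done
}

# Stand-alone demo on the constructed config.
printf '%s' "$SAMPLE_CONF" | link_addresses | ifconfig_commands wg0
```

Piping `SAMPLE_CONF` through `link_addresses | ifconfig_commands wg0` prints the two `ifconfig wg0 inet .../32 ... alias` lines seen in the `wg-quick up` output above; a value without a slash, or with equal halves, is rejected before anything of the form `ifconfig wg0 inet 10.0.0.1/32 10.0.0.1 alias` could be produced.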