Duplicate IP address, and permissions problems on Windows

David Woodhouse dwmw2 at infradead.org
Thu Apr 8 08:46:43 UTC 2021



On 8 April 2021 00:00:46 BST, Daniel Lenski <dlenski at gmail.com> wrote:
>On Tue, Apr 6, 2021 at 5:17 PM Jason A. Donenfeld <Jason at zx2c4.com>
>wrote:
>> It's pretty typical behavior on Windows for IP addresses to be
>> exclusive per interface. WireGuard for Windows does something
>similar:
>>
>https://git.zx2c4.com/wireguard-windows/tree/tunnel/addressconfig.go#n22
>
>Thank you! That's very interesting.
>
>Following David's initial implementation, I wrote something for
>OpenConnect that's pretty much the same as yours:
>https://gitlab.com/openconnect/openconnect/-/compare/5e6e9b850756157164f83cd4fedafb747fbbd50f...0bca5b32ac478b5d03b6e88f96bf29c6556610a5
>
>1. Uses GetAdaptersAddresses to list all the addresses
>2. If/when it finds a clashing address, it uses
>GetUnicastIpAddressTable to determine the up/down state of the other
>interface
>3. Only delete the address from the other interface if it's non-UP.
>
>I was also annoyed that the GetAdaptersAddresses return structure
>doesn't provide the adapter state, and that I had to go for this
>convoluted O(n^2) design.
>
>I guess this reassures me that there isn't an obviously-better way to
>do it.

Unless netsh will do it for us when we ask *it* to set the IP address? OpenConnect doesn't normally bother itself with administrivia like setting IP addresses; its job is to pass packets.

When I first wrote it, I just usurped the vpnc-script from vpnc which does all the routing/DNS/etc configuration for every platform under the sun, so all we do generally in OpenConnect is set the environment variables up and spawn the script.

The only reason we ever set a Legacy IP directly in C for Tap-Windows was to make it do all the fake ARP nonsense correctly. (And ISTR we didn't need to do anything for IPv6 as it just needs to use a known lladdr as the route gw). We don't need that with Wintun.

I preserved it in the first cut of Wintun support because the existing vpnc-script for Windows actually depends on it... but purely for waiting for the interface to come up. Can we ditch that, let the script set the address for us, and forget we ever saw that O(n²) code because netsh handles the conflicting interfaces for us?



-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
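The three-step clash check Daniel describes above (enumerate addresses, look up the other interface's state, remove the address only if that interface is not UP), written as an added PowerShell example. This is not code from OpenConnect or WireGuard; it uses the NetTCPIP cmdlets in place of the IP Helper calls, and the adapter name, address and prefix length are assumed values.

```powershell
# Added example, not OpenConnect/WireGuard code. Run from an elevated
# PowerShell on Windows 10 / Server 2016 or later.
# Assumed inputs: the Wintun adapter name and the address the VPN hands us.
param(
    [string]$AdapterName  = "OpenConnect Wintun",   # assumed adapter name
    [string]$Address      = "10.8.0.2",             # assumed address
    [int]   $PrefixLength = 24
)

function Resolve-AddressClash {
    param([string]$Address, [int]$TargetIfIndex)

    # Step 1: list every interface holding this unicast address
    # (the cmdlet equivalent of walking GetAdaptersAddresses).
    $clashes = Get-NetIPAddress -IPAddress $Address -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceIndex -ne $TargetIfIndex }

    foreach ($entry in $clashes) {
        # Step 2: fetch the other interface's operational state
        # (what the thread used GetUnicastIpAddressTable for).
        $adapter = Get-NetAdapter -InterfaceIndex $entry.InterfaceIndex

        if ($adapter.Status -ne 'Up') {
            # Step 3: only take the address away from a non-UP interface.
            Write-Host "Removing stale $Address from '$($adapter.Name)' (status: $($adapter.Status))"
            Remove-NetIPAddress -InterfaceIndex $entry.InterfaceIndex `
                -IPAddress $Address -Confirm:$false
        } else {
            # An UP interface legitimately owns the address: do not touch it.
            throw "Address $Address is in use on UP interface '$($adapter.Name)'; refusing to remove it"
        }
    }
}

$target = Get-NetAdapter -Name $AdapterName
Resolve-AddressClash -Address $Address -TargetIfIndex $target.ifIndex

# Assign the address. New-NetIPAddress fails if another interface still
# holds it, which is why the clash check runs first. The netsh form of the
# same assignment, for comparison with David's question above, would be:
#   netsh interface ipv4 set address name="$AdapterName" static $Address 255.255.255.0
New-NetIPAddress -InterfaceIndex $target.ifIndex -IPAddress $Address -PrefixLength $PrefixLength
```

The `throw` on an UP interface is the security-relevant choice: silently stealing an address from a live adapter would redirect that adapter's traffic into the tunnel (or the tunnel's traffic out of it), so the script refuses rather than guesses.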