Possible regression between 5.18.2 and 6.2.1

Dan Crawford dnlcrwfrd at gmail.com
Sun Apr 2 01:14:45 UTC 2023

Thanks for the suggestions. I've done some bisecting and I've found
that the issue appears due to wg-quick, which means I can easily work
around it. First, apologies, but there's a typo in my original
email: I upgraded from 5.12.8, not 5.18.2.

On versions prior to 5.14.0, wg-quick correctly adds routes for the
appropriate addresses (line 341 and then line 177). However, on versions
after 5.14.0, the condition doesn't work quite right and the ip route
add command does not run (line 177).

To investigate this, I print ip -4 route show dev wg1 match,
on both 5.13.0 and 5.14.0, at line 177.

On 5.13.0 I get no output, and the ip route add command runs.
However, on 5.14.0 the output is proto kernel scope link src 

and so the ip route add command does not run.

Obviously I can easily work around the issue by patching the conditional
out of wg-quick. But I don't have any clue why the output of ip varies
between 5.13 and 5.14. I'm also surprised no-one has encountered
this issue either (unless I missed something while searching).

Possibly one way to resolve the issue is to replace the conditional with

[[ -n $(ip $proto route show dev "$INTERFACE" match "$1" proto boot 2>/dev/null) ]]


On Fri Mar 31, 2023 at 1:39 AM AEDT, Jason A. Donenfeld wrote:
> Hi Dan,
> Hard to imagine that this is a WireGuard bug, but more likely
> something having to do with SNAT or something.
> What is the unallowed src IP when you get that error? Can you debug
> further? Maybe bisect a bit? Otherwise, not much I can do.
> The diff between those versions you listed is pretty minimal, so I
> suspect your bug is elsewhere.
> Jason

