Wireguard address binding - how to fix?
Sebastian Hyrvall
sh at keff.org
Tue May 21 14:11:31 UTC 2024
The reason WireGuard does it like this, I think, is because when designing
it there was no thought given to any client/server scenario.
Both sides are behaving like clients that can jump between IPs at any
time. This is a flawed concept given that in 90% of scenarios there
is at least one side acting as a server on a static IP, unless the
server side is a home user on a dynamic IP and rebinding could be difficult.
I've also given a bit of thought to the security aspect of this for VPN
providers, since a remote party can override the configured "Endpoint".
If there were a scenario where VPN provider privkeys are
compromised, the attacker can then, by knowing the connecting client's
IP, get him to shift the tunnel over to their server and perform a long-term,
most likely undetected, MITM attack.
Anyway. I've waited for this binding option for years. It's insane to me
that it gets ignored.
One product, for example, is MikroTik hardware. They don't want to
implement third-party patches, so they are waiting for this bind patch to
be included in the kernel. Until then we're forced to use OpenVPN in our
setups.
On 2024-05-21 19:58, Nico Schottelius wrote:
> Hello Janne,
>
> Janne Johansson <icepic.dz at gmail.com> writes:
>
>> Den tis 21 maj 2024 kl 09:50 skrev Nico Schottelius
>> <nico.schottelius at ungleich.ch>:
>>> Hello Jason,
>>> do you mind applying the patch from Daniel? Or is there anything wrong with it?
>>>
>>> Daniel: amazing work, I was not aware that you have already put in the
>>> hard work, thank you so very much!
>>>
>>> The world (*) is suffering because of the lack of IP address binding in wireguard.
>>>
>>> (*) With world I refer to every engineer that needs to run wireguard in
>>> non-trivial situations with multiple IP addresses on one host, which is
>>> extremely common for anything that routes.
>> Well, the main reason for wg to NOT do anything special is because
>> routing generally is done by looking at the destination ip and then
> No. Generally speaking that is incorrect.
> It is not special to reply with the same IP address.
>
> Generally speaking, when you have systems with multiple IP addresses you
> want to be able to steer the binding to an IP address. And even if you
> don't do that, you reply with the same IP address you have been
> contacted with. WireGuard does neither of them at the moment. I have
> written this already many times on this list, but the reason is very
> easy:
>
> - A connection is initiated from device A, connecting to router B on IP address a.b.c.d
> - The packet is correctly received by router B
> - The router replies incorrectly with address f.d.g.h
> - The reply packet is correctly blocked at the firewall of device A, because it comes
> from a random, unknown IP address
>
> The basic 101 of networking is to reply with the same address
> you have been contacted with; there is no discussion necessary. The
> whole world does it, even A-patch-y httpd (*) supports it. Since 1980 or
> so.
>
> Routing choices are independent of that, replying with the same IP
> address is a standard behaviour.
>
> Nico
>
> (*) As does ssh, nginx, ipsec protocols, openvpn, any rails application,
> any python application - I am not sure which software that binds to a
> socket does not support it, with the exception of wireguard.
>
>
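The "reply with the address you were contacted on" behaviour that Nico's bullet list describes for a multi-homed router, shown with the standard Linux socket API (added example, not code from this thread or from WireGuard itself): a wildcard-bound UDP server reads the datagram's destination from IP_PKTINFO ancillary data and pins the reply's source address to it, instead of leaving the choice to the routing table. It assumes Linux and a loopback interface; the exchange in `demo_loopback` is constructed.

```python
import socket
import struct

# Linux value of IP_PKTINFO (see ip(7)); older CPython builds do not expose it.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
PKTINFO_FMT = "I4s4s"  # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def make_pktinfo(ifindex, spec_dst, addr):
    """Pack a struct in_pktinfo as one cmsg tuple for sendmsg()/recvmsg()."""
    payload = struct.pack(PKTINFO_FMT, ifindex,
                          socket.inet_aton(spec_dst), socket.inet_aton(addr))
    return (socket.IPPROTO_IP, IP_PKTINFO, payload)


def pktinfo_dst_addr(ancdata):
    """Return the local address a received datagram was addressed to (ipi_addr)."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, addr = struct.unpack(PKTINFO_FMT, data[:PKTINFO_LEN])
            return socket.inet_ntoa(addr)
    return None


def reply_from_same_addr(sock):
    """Echo one datagram, pinning the reply's source (ipi_spec_dst) to the
    address the peer contacted, not whatever the routing table would pick."""
    data, ancdata, _flags, peer = sock.recvmsg(2048, socket.CMSG_SPACE(PKTINFO_LEN))
    dst = pktinfo_dst_addr(ancdata)
    # A zero ipi_spec_dst would hand the choice back to the kernel.
    sock.sendmsg([data], [make_pktinfo(0, dst or "0.0.0.0", "0.0.0.0")], 0, peer)
    return dst


def demo_loopback():
    """Constructed exchange: a wildcard-bound server (the multi-homed case)
    answers a client on 127.0.0.1. Returns (destination the server saw,
    source address of the reply as the client sees it)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # deliver ipi_addr
    server.bind(("0.0.0.0", 0))
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.settimeout(2)
    client.settimeout(2)
    try:
        client.sendto(b"handshake", ("127.0.0.1", server.getsockname()[1]))
        seen_dst = reply_from_same_addr(server)
        _data, (reply_src, _port) = client.recvfrom(2048)
        return seen_dst, reply_src
    finally:
        server.close()
        client.close()
```

Without the IP_PKTINFO cmsg on send, the wildcard-bound socket's reply source is whatever the route to the peer selects, which is exactly the f.d.g.h case in the bullet list.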