pfSense bugtracker
pfSense - Bug #11338: WireGuard cannot connect to an IPv6 endpoint | https://redmine.pfsense.org/issues/11338?journal_id=50657 | 2021-01-29T13:03:14Z | Jim Pingle
<ul><li><strong>Subject</strong> changed from <i>WireGuard doesn't parse an IPv6 endpoint address</i> to <i>WireGuard cannot connect to an IPv6 endpoint</i></li></ul><p>Sample config, after my config file fix:</p>
<pre>
: cat /etc/wg/wg0.conf
# This WireGuard config file has been created automatically. Do not edit!
# Description: Tunnel to B
[Interface]
PrivateKey = <key>
ListenPort = 51820
# Peer: B
[Peer]
PublicKey = SKZza23ibQOb6iiUMQeXFKkzvzRnyftAKKru08BO2wM=
EndPoint = [2001:db8::21]:51820
AllowedIPs = 2001:db8:1:df25::2/128, 2001:db8:1:df10::/64
</pre>
<p><code>wg</code> output which is lacking a peer endpoint:</p>
<pre>
: wg
interface: wg0
public key: +jKgI1Y8DAWMEobY0n7PtBx9lm9oOv00FHAS5v7cRmQ=
private key: (hidden)
listening port: 51820
peer: SKZza23ibQOb6iiUMQeXFKkzvzRnyftAKKru08BO2wM=
allowed ips: 2001:db8:1:df10::/64, 2001:db8:1:df25::2/128
</pre>
<p>If I switch it to an IPv4 endpoint it works OK. So either the <code>wg</code> utility is failing to parse it or it's getting lost somewhere deeper.</p>
pfSense - Bug #11338: WireGuard cannot connect to an IPv6 endpoint | https://redmine.pfsense.org/issues/11338?journal_id=50661 | 2021-01-29T15:30:22Z | Scott Long
<ul><li><strong>Assignee</strong> set to <i>Anonymous</i></li></ul>
pfSense - Bug #11338: WireGuard cannot connect to an IPv6 endpoint | https://redmine.pfsense.org/issues/11338?journal_id=50662 | 2021-01-29T15:39:00Z | Scott Long
<ul><li><strong>Assignee</strong> changed from <i>Anonymous</i> to <i>Peter Grehan</i></li></ul>
pfSense - Bug #11338: WireGuard cannot connect to an IPv6 endpoint | https://redmine.pfsense.org/issues/11338?journal_id=50671 | 2021-01-29T23:17:19Z | Viktor Gurov
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li></ul>
pfSense - Bug #11338: WireGuard cannot connect to an IPv6 endpoint | https://redmine.pfsense.org/issues/11338?journal_id=50678 | 2021-01-30T01:08:47Z | Viktor Gurov
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>New</i></li></ul>
pfSense - Bug #11338: WireGuard cannot connect to an IPv6 endpoint | https://redmine.pfsense.org/issues/11338?journal_id=50681 | 2021-01-30T02:48:59Z | Peter Grehan
<p>Took a while to set this up, but I can get a repro with an OpenBSD client.</p>
<p>Tunnel traffic is being delivered to wg, but it is failing with "wg0: Invalid handshake initiation" which indicates an error returned from the noise_consume_initiation() routine.</p>
<p>(As an aside, I tested IPv6 over an IPv4 tunnel, which worked fine other than a minor error in tcpdump rx which I'll check in.)</p>
pfSense - Bug #11338: WireGuard cannot connect to an IPv6 endpoint | https://redmine.pfsense.org/issues/11338?journal_id=50701 | 2021-01-31T00:43:10Z | Peter Grehan
<p>The above wasn't correct: just another misconfiguration :(</p>
<p>There are a number of issues, all boiling down to "struct sockaddr" being smaller than "struct sockaddr_in6", resulting in addresses being truncated or size checks failing.</p>
<p>The first issue was in kernel code in wg_input(), where the UDP source address was being copied to a struct sockaddr. In the v6 case, this was resulting in the address being truncated, and an incorrect address being used to reply to the sender. This would result in the initial handshake never succeeding, and no data being sent over the tunnel.</p>
<p>Once this was fixed, a wildcard endpoint (OpenBSD) was able to communicate with v4 traffic over a v6 tunnel.</p>
<p>The next issue was a combination of sockaddr vs sockaddr_in6 issues in both the kernel's handling of the WG_SET/GET ioctls, and also code in the wg utility. Once these were fixed, v6 endpoints could be configured and also displayed correctly.</p>
<pre>
[21.02-DEVELOPMENT][admin@pfSense.home.arpa]/root: wg
interface: wg0
public key: 0XsS9biScR0S6/DLVYRv0yON3R53TplDQzgW9Y8ZNE4=
private key: (hidden)
listening port: 51820
peer: p4zVA9wYwWorvuYoQ96xqSK1/V4FtqxaH+InRaG8/0A=
endpoint: [2001:f00:f00b::129]:51821
allowed ips: 2001:f00:f00b::/64
peer: XJmG0uaQAs7DUVFxJDQhB36VdsH/zqJapPu3v4y9zig=
endpoint: [fd87:afd:a3fd:181b::40]:51820
allowed ips: 10.0.0.0/24
peer: pnYy/12d2WZGtPF/+usF8DgOl8DVvwHPk5kRra+MGhA=
endpoint: 192.168.1.113:51820
allowed ips: ::/0
</pre>
pfSense - Bug #11338: WireGuard cannot connect to an IPv6 endpoint | https://redmine.pfsense.org/issues/11338?journal_id=50702 | 2021-01-31T01:00:45Z | Peter Grehan
<ul><li><strong>File</strong> <a href="/attachments/3356">PR11338_if_wg.diff</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/3356/PR11338_if_wg.diff">PR11338_if_wg.diff</a> added</li><li><strong>File</strong> <a href="/attachments/3355">PR11338_wg_tools.diff</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/3355/PR11338_wg_tools.diff">PR11338_wg_tools.diff</a> added</li></ul><p>if_wg.diff - kernel diff<br />wg_tools - wireguard_tools diff</p>
pfSense - Bug #11338: WireGuard cannot connect to an IPv6 endpoint | https://redmine.pfsense.org/issues/11338?journal_id=50706 | 2021-02-01T06:39:51Z | Renato Botelho (renato@netgate.com)
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li></ul><p>Peter Grehan wrote:</p>
<blockquote>
<p>if_wg.diff - kernel diff<br />wg_tools - wireguard_tools diff</p>
</blockquote>
<p>I've imported both patches and they will be available on the next round of snapshots.</p>
pfSense - Bug #11338: WireGuard cannot connect to an IPv6 endpoint | https://redmine.pfsense.org/issues/11338?journal_id=50773 | 2021-02-02T08:05:36Z | Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>Latest snapshot looks good!</p>
<pre>
: cat /etc/wg/wg0.conf
# This WireGuard config file has been created automatically. Do not edit!
# Description: Tunnel to B
[Interface]
PrivateKey = <key>
ListenPort = 51820
# Peer: B
[Peer]
PublicKey = SKZza23ibQOb6iiUMQeXFKkzvzRnyftAKKru08BO2wM=
EndPoint = [2001:db8::21]:51820
AllowedIPs = 10.8.210.2/32, 10.21.0.0/24, 2001:db8:1:df25::2/128, 2001:db8:1:df10::/64
</pre>
<pre>
: wg
interface: wg0
public key: +jKgI1Y8DAWMEobY0n7PtBx9lm9oOv00FHAS5v7cRmQ=
private key: (hidden)
listening port: 51820
peer: SKZza23ibQOb6iiUMQeXFKkzvzRnyftAKKru08BO2wM=
endpoint: [2001:db8::21]:51820
allowed ips: 2001:db8:1:df10::/64, 2001:db8:1:df25::2/128, 10.21.0.0/24, 10.8.210.2/32
</pre>
<pre>
: ping -S 10.8.210.1 10.8.210.2
PING 10.8.210.2 (10.8.210.2) from 10.8.210.1: 56 data bytes
64 bytes from 10.8.210.2: icmp_seq=0 ttl=64 time=0.854 ms
64 bytes from 10.8.210.2: icmp_seq=1 ttl=64 time=0.532 ms
</pre>
<pre>
: pfctl -ss | grep 51820
mvneta2 udp 2001:db8::8[51820] -> 2001:db8::21[51820] MULTIPLE:MULTIPLE
</pre>
<p>Thanks!</p>
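<p>The sockaddr truncation that Peter Grehan diagnoses above, shown as an added example in C. This is not code from this thread, from pfSense, from the FreeBSD if_wg driver, or from the attached diffs; the helpers <code>copy_into_sockaddr</code> and <code>copy_into_storage</code> are hypothetical stand-ins for the buggy and fixed copy patterns, the real wg_input() and ioctl code are not reproduced, and the peer address [2001:db8::21]:51820 is constructed here from the report. It shows that a v6 address copied through a 16-byte <code>struct sockaddr</code> comes back as 2001:db8:: with the low 64 bits gone, that an IPv4 address survives the same copy (which is why only v6 endpoints failed), and that a family-aware length check rejects the short copy outright.</p>

```c
/* Added example, not code from pfSense, FreeBSD if_wg, or the attached diffs.
 * struct sockaddr is 16 bytes, struct sockaddr_in6 is 28, so copying a v6
 * source address into a bare struct sockaddr keeps the port, flow info and
 * the first 8 address bytes and silently drops the rest. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Bytes a sockaddr of this family must have to be complete; 0 if unknown. */
static size_t sockaddr_required_len(sa_family_t family)
{
    switch (family) {
    case AF_INET:  return sizeof(struct sockaddr_in);
    case AF_INET6: return sizeof(struct sockaddr_in6);
    default:       return 0;
    }
}

/* Buggy pattern (hypothetical helper): destination is a bare struct sockaddr.
 * Harmless for AF_INET, since sockaddr_in is also 16 bytes; lossy for AF_INET6. */
static void copy_into_sockaddr(const struct sockaddr *src, struct sockaddr *dst)
{
    memcpy(dst, src, sizeof(*dst));
}

/* Fixed pattern (hypothetical helper): destination is a struct sockaddr_storage
 * and the source length is checked against what its family requires. Returns
 * false and leaves dst untouched for a short or unknown-family source. */
static bool copy_into_storage(const struct sockaddr *src, size_t srclen,
                              struct sockaddr_storage *dst)
{
    if (srclen < sizeof(struct sockaddr))
        return false;                      /* cannot even trust sa_family */
    size_t need = sockaddr_required_len(src->sa_family);
    if (need == 0 || srclen < need || need > sizeof(*dst))
        return false;
    memset(dst, 0, sizeof(*dst));
    memcpy(dst, src, need);
    return true;
}

/* Constructed sample input: the v6 peer endpoint from the bug report. */
static struct sockaddr_in6 sample_v6_peer(void)
{
    struct sockaddr_in6 sin6;
    memset(&sin6, 0, sizeof(sin6));
    sin6.sin6_family = AF_INET6;
    sin6.sin6_port = htons(51820);
    inet_pton(AF_INET6, "2001:db8::21", &sin6.sin6_addr);
    return sin6;
}

/* Round-trip the v6 peer through a bare struct sockaddr and format what
 * survives into buf. A reply path would reinterpret those 16 bytes as a
 * sockaddr_in6; the tail (last 8 address bytes, scope id) reads as zero. */
static bool v6_after_sockaddr_copy(char *buf, size_t buflen)
{
    struct sockaddr_in6 peer = sample_v6_peer(), back;
    struct sockaddr sa;
    memset(&sa, 0, sizeof(sa));
    copy_into_sockaddr((const struct sockaddr *)&peer, &sa);
    memset(&back, 0, sizeof(back));
    memcpy(&back, &sa, sizeof(sa));
    return inet_ntop(AF_INET6, &back.sin6_addr, buf, buflen) != NULL;
}

/* Same round trip through sockaddr_storage with the length check. */
static bool v6_after_storage_copy(char *buf, size_t buflen)
{
    struct sockaddr_in6 peer = sample_v6_peer();
    struct sockaddr_storage ss;
    if (!copy_into_storage((const struct sockaddr *)&peer, sizeof(peer), &ss))
        return false;
    const struct sockaddr_in6 *back = (const struct sockaddr_in6 *)&ss;
    return inet_ntop(AF_INET6, &back->sin6_addr, buf, buflen) != NULL;
}

/* Convenience: does the formatted address from fn equal expect? */
static bool addr_equals(bool (*fn)(char *, size_t), const char *expect)
{
    char buf[INET6_ADDRSTRLEN];
    return fn(buf, sizeof(buf)) && strcmp(buf, expect) == 0;
}

/* A v6 source presented with only sizeof(struct sockaddr) bytes, which is
 * exactly the truncated case, must be rejected by the checked copy. */
static bool storage_copy_rejects_short_v6(void)
{
    struct sockaddr_in6 peer = sample_v6_peer();
    struct sockaddr_storage ss;
    return !copy_into_storage((const struct sockaddr *)&peer,
                              sizeof(struct sockaddr), &ss);
}

/* AF_INET survives the lossy copy because sockaddr_in is also 16 bytes. */
static bool v4_survives_sockaddr_copy(void)
{
    struct sockaddr_in sin, back;
    struct sockaddr sa;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(51820);
    inet_pton(AF_INET, "192.168.1.113", &sin.sin_addr);  /* constructed */
    copy_into_sockaddr((const struct sockaddr *)&sin, &sa);
    memcpy(&back, &sa, sizeof(back));
    return back.sin_addr.s_addr == sin.sin_addr.s_addr;
}

int main(void)
{
    char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
    printf("sizeof(struct sockaddr)=%zu sizeof(struct sockaddr_in6)=%zu\n",
           sizeof(struct sockaddr), sizeof(struct sockaddr_in6));
    if (v6_after_sockaddr_copy(a, sizeof(a)))
        printf("via struct sockaddr:         %s (truncated)\n", a);
    if (v6_after_storage_copy(b, sizeof(b)))
        printf("via struct sockaddr_storage: %s\n", b);
    printf("short v6 source rejected: %s\n",
           storage_copy_rejects_short_v6() ? "yes" : "no");
    printf("v4 survives sockaddr copy: %s\n",
           v4_survives_sockaddr_copy() ? "yes" : "no");
    return 0;
}
```

<p>The length check is the part worth carrying over to any ioctl or socket-buffer code that accepts a caller-supplied sockaddr: validate the claimed family against the bytes actually provided before copying, and size the destination as <code>struct sockaddr_storage</code> rather than <code>struct sockaddr</code>.</p>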