Bug #11338

closed

WireGuard cannot connect to an IPv6 endpoint

Added by Jim Pingle about 3 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: WireGuard
Target version:
Start date: 01/29/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.5.x
Affected Architecture:
Description

WireGuard won't connect if using an IPv6 endpoint address on either end.

The IPv6 address in the config file doesn't have brackets around it when it should.

Even with a properly formatted Endpoint line in the configuration file, however, the wg command doesn't show the endpoint as being configured.

I have a commit ready to fix the formatting issue, but the parsing issue still needs attention.


Files

PR11338_wg_tools.diff (1.61 KB), Peter Grehan, 01/31/2021 01:00 AM
PR11338_if_wg.diff (2.17 KB), Peter Grehan, 01/31/2021 01:00 AM
#1 - Updated by Jim Pingle about 3 years ago

  • Subject changed from WireGuard doesn't parse an IPv6 endpoint address to WireGuard cannot connect to an IPv6 endpoint

Sample config, after my config file fix:

: cat /etc/wg/wg0.conf
# This WireGuard config file has been created automatically. Do not edit!
# Description: Tunnel to B

[Interface]
PrivateKey = <key>
ListenPort = 51820

# Peer: B
[Peer]
PublicKey = SKZza23ibQOb6iiUMQeXFKkzvzRnyftAKKru08BO2wM=
EndPoint = [2001:db8::21]:51820
AllowedIPs = 2001:db8:1:df25::2/128, 2001:db8:1:df10::/64

wg output which is lacking a peer endpoint:

: wg
interface: wg0
  public key: +jKgI1Y8DAWMEobY0n7PtBx9lm9oOv00FHAS5v7cRmQ=
  private key: (hidden)
  listening port: 51820

peer: SKZza23ibQOb6iiUMQeXFKkzvzRnyftAKKru08BO2wM=
  allowed ips: 2001:db8:1:df10::/64, 2001:db8:1:df25::2/128

If I switch it to an IPv4 endpoint it works OK. So either the wg utility is failing to parse it or it's getting lost somewhere deeper.

#2 - Updated by Scott Long about 3 years ago

  • Assignee set to Anonymous
#3 - Updated by Scott Long about 3 years ago

  • Assignee changed from Anonymous to Peter Grehan
#4 - Updated by Viktor Gurov about 3 years ago

  • Status changed from New to Feedback
#5 - Updated by Viktor Gurov about 3 years ago

  • Status changed from Feedback to New
#6 - Updated by Peter Grehan about 3 years ago

Took a while to set this up, but I can get a repro with an OpenBSD client.

Tunnel traffic is being delivered to wg, but it is failing with "wg0: Invalid handshake initiation" which indicates an error returned from the noise_consume_initiation() routine.

(as an aside, I tested IPv6 over an IPv4 tunnel, which worked fine other than a minor error in tcpdump rx which I'll checkin).

#7 - Updated by Peter Grehan about 3 years ago

The above wasn't correct: just another misconfiguration :(

There are a number of issues, all boiling down to "struct sockaddr" being smaller than "struct sockaddr_in6", resulting in addresses being truncated or size checks failing.

The first issue was in kernel code in wg_input(), where the UDP source address was being copied to a struct sockaddr. In the v6 case, this was resulting in the address being truncated, and an incorrect address being used to reply to the sender. This would result in the initial handshake never succeeding, and no data being sent over the tunnel.

Once this was fixed, a wildcard endpoint (OpenBSD) was able to communicate with v4 traffic over a v6 tunnel.

The next issue was a combination of sockaddr vs sockaddr_in6 issues in both the kernel's handling of the WG_SET/GET ioctls, and also code in the wg utility. Once these were fixed, v6 endpoints could be configured and also displayed correctly.

[21.02-DEVELOPMENT][admin@pfSense.home.arpa]/root: wg
interface: wg0
  public key: 0XsS9biScR0S6/DLVYRv0yON3R53TplDQzgW9Y8ZNE4=
  private key: (hidden)
  listening port: 51820

peer: p4zVA9wYwWorvuYoQ96xqSK1/V4FtqxaH+InRaG8/0A=
  endpoint: [2001:f00:f00b::129]:51821
  allowed ips: 2001:f00:f00b::/64

peer: XJmG0uaQAs7DUVFxJDQhB36VdsH/zqJapPu3v4y9zig=
  endpoint: [fd87:afd:a3fd:181b::40]:51820
  allowed ips: 10.0.0.0/24

peer: pnYy/12d2WZGtPF/+usF8DgOl8DVvwHPk5kRra+MGhA=
  endpoint: 192.168.1.113:51820
  allowed ips: ::/0
#8 - Updated by Peter Grehan about 3 years ago

if_wg.diff - kernel diff
wg_tools - wireguard_tools diff

#9 - Updated by Renato Botelho about 3 years ago

  • Status changed from New to Feedback

Peter Grehan wrote:

if_wg.diff - kernel diff
wg_tools - wireguard_tools diff

I've imported both patches and they will be available on next round of snapshots

#10 - Updated by Jim Pingle about 3 years ago

  • Status changed from Feedback to Resolved

Latest snapshot looks good!

: cat /etc/wg/wg0.conf
# This WireGuard config file has been created automatically. Do not edit!
# Description: Tunnel to B

[Interface]
PrivateKey = <key>
ListenPort = 51820

# Peer: B
[Peer]
PublicKey = SKZza23ibQOb6iiUMQeXFKkzvzRnyftAKKru08BO2wM=
EndPoint = [2001:db8::21]:51820
AllowedIPs = 10.8.210.2/32, 10.21.0.0/24, 2001:db8:1:df25::2/128, 2001:db8:1:df10::/64
: wg
interface: wg0
  public key: +jKgI1Y8DAWMEobY0n7PtBx9lm9oOv00FHAS5v7cRmQ=
  private key: (hidden)
  listening port: 51820

peer: SKZza23ibQOb6iiUMQeXFKkzvzRnyftAKKru08BO2wM=
  endpoint: [2001:db8::21]:51820
  allowed ips: 2001:db8:1:df10::/64, 2001:db8:1:df25::2/128, 10.21.0.0/24, 10.8.210.2/32
: ping -S 10.8.210.1 10.8.210.2
PING 10.8.210.2 (10.8.210.2) from 10.8.210.1: 56 data bytes
64 bytes from 10.8.210.2: icmp_seq=0 ttl=64 time=0.854 ms
64 bytes from 10.8.210.2: icmp_seq=1 ttl=64 time=0.532 ms
: pfctl -ss | grep 51820
mvneta2 udp 2001:db8::8[51820] -> 2001:db8::21[51820]       MULTIPLE:MULTIPLE

Thanks!
