Bug #11450

closed

Problem with IPv6 netmask /128 in WireGuard

Added by Marcelo Gondim about 3 years ago. Updated about 2 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: WireGuard
Target version: -
Start date: 02/18/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Force Exclusion
Affected Version: 2.5.0
Affected Architecture:

Description

Hi All,

While creating a WireGuard VPN, I realized that when registering a Peer, "Allowed IPs" accepts an IPv6 address with a /128 mask, but if we go to the console and run netstat -rn we see the error "illegal prefixlen" and a totally wrong prefix inserted in the routes: 7400:1000::/0.

Example:

Allowed IPs: fc00:1111::1/128

# netstat -6 -rn

Routing tables

Internet6:
Destination Gateway Flags Netif Expire
::1 link#6 UH lo0
fc00:1111:: link#12 UHS lo0
fc00:1111::/64 link#12 U wg0
illegal prefixlen
7400:1000::/0 wg0 US wg0
fe80::%em0/64 link#1 U em0
fe80::215:17ff:fe7b:76a6%em0 link#1 UHS lo0
fe80::%em1/64 link#2 U em1
fe80::215:17ff:fe7b:76a7%em1 link#2 UHS lo0
fe80::%em2/64 link#4 U em2
fe80::21b:21ff:fe9d:4ac9%em2 link#4 UHS lo0
fe80::%lo0/64 link#6 U lo0
fe80::1%lo0 link#6 UHS lo0
fe80::%pppoe0/64 link#9 U pppoe0
fe80::215:17ff:fe7b:76a6%pppoe0 link#9 UHS lo0
fe80::%ovpns2/64 link#10 U ovpns2
fe80::215:17ff:fe7b:76a6%ovpns2 link#10 UHS lo0
fe80::%ovpns3/64 link#11 U ovpns3
fe80::215:17ff:fe7b:76a6%ovpns3 link#11 UHS lo0
fe80::%wg0/64 link#12 U wg0
fe80::215:17ff:fe7b:76a6%wg0 link#12 UHS lo0

If I have fc00:1111::0 on one side of the VPN and fc00:1111::1 on the other side, I cannot get an ICMP response from both sides, and I believe it is due to this error in the route table.

Actions #1

Updated by Marcelo Gondim about 3 years ago

If I run: route -6 delete fc00:1111::1/128

It removes 7400:1000::/0 from the route table.
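
A way to check a routing table for the symptom reported above, as an added example (not part of the ticket or of pfSense code): it parses `netstat -6 -rn` text, records `illegal prefixlen` lines, and compares static routes on the tunnel interface with the configured Allowed IPs. The function names and the rule that Allowed IPs appear as static (`S`) routes on `wg0` are assumptions of this example; the sample is a trimmed copy of the output quoted in the description.

```python
import ipaddress

# Constructed sample: trimmed copy of the netstat output quoted in the ticket.
SAMPLE = """\
Internet6:
Destination Gateway Flags Netif Expire
::1 link#6 UH lo0
fc00:1111:: link#12 UHS lo0
fc00:1111::/64 link#12 U wg0
illegal prefixlen
7400:1000::/0 wg0 US wg0
fe80::%wg0/64 link#12 U wg0
fe80::215:17ff:fe7b:76a6%wg0 link#12 UHS lo0
"""

def parse_routes(text):
    """Return (routes, errors); each route is (dest_text, network, flags, netif)."""
    routes, errors = [], []
    for line in text.splitlines():
        fields = line.split()
        if "illegal prefixlen" in line:
            errors.append(line.strip())  # netstat could not render a prefix length
            continue
        if len(fields) < 4:
            continue
        addr, _, plen = fields[0].partition("/")
        addr = addr.split("%")[0]  # drop the zone id (%wg0)
        try:  # no "/len" means a host route, i.e. /128
            net = ipaddress.IPv6Network(f"{addr}/{plen or 128}", strict=False)
        except ValueError:
            continue  # header row, not an address
        routes.append((fields[0], net, fields[2], fields[3]))
    return routes, errors

def audit(text, netif, allowed_ips):
    """Compare static routes on netif with the peer's configured Allowed IPs."""
    expected = {ipaddress.IPv6Network(a, strict=False) for a in allowed_ips}
    routes, errors = parse_routes(text)
    # Assumption: Allowed IPs show up as static (S) routes bound to the tunnel.
    static = {net: dest for dest, net, flags, nif in routes
              if nif == netif and "S" in flags}
    return {
        "errors": errors,
        "unexpected": sorted(d for n, d in static.items() if n not in expected),
        "missing": sorted(str(n) for n in expected - set(static)),
    }

if __name__ == "__main__":
    print(audit(SAMPLE, "wg0", ["fc00:1111::1/128"]))
```
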

Actions #2

Updated by Jim Pingle about 3 years ago

Can you test this with the patch from #11433 applied?

087d28fa3f5cfebfd4af7f4a4479b0fac053e062

Actions #3

Updated by Marcelo Gondim about 3 years ago

Hi Jim,

Patch applied and the problem persists.

Actions #4

Updated by Jim Pingle almost 3 years ago

  • Target version set to Future

Actions #5

Updated by Christian McDonald about 2 years ago

  • Status changed from New to Rejected
  • Target version deleted (Future)
  • Release Notes changed from Default to Force Exclusion

Unable to reproduce with current WireGuard implementation.
