Bug #11450
Closed
Problem with IPv6 netmask /128 in WireGuard
Description
Hi All,
While creating a WireGuard VPN, I realized that when registering a Peer, "Allowed IPs" accepts an IPv6 address with a /128 mask, but if we go to the console and run netstat -rn we see the error "illegal prefixlen" and a totally wrong prefix, 7400:1000::/0, inserted in the routes.
Example:
Allowed IPs: fc00:1111::1/128
- netstat -6 -rn
Routing tables
Internet6:
Destination Gateway Flags Netif Expire
::1 link#6 UH lo0
fc00:1111:: link#12 UHS lo0
fc00:1111::/64 link#12 U wg0
illegal prefixlen
7400:1000::/0 wg0 US wg0
fe80::%em0/64 link#1 U em0
fe80::215:17ff:fe7b:76a6%em0 link#1 UHS lo0
fe80::%em1/64 link#2 U em1
fe80::215:17ff:fe7b:76a7%em1 link#2 UHS lo0
fe80::%em2/64 link#4 U em2
fe80::21b:21ff:fe9d:4ac9%em2 link#4 UHS lo0
fe80::%lo0/64 link#6 U lo0
fe80::1%lo0 link#6 UHS lo0
fe80::%pppoe0/64 link#9 U pppoe0
fe80::215:17ff:fe7b:76a6%pppoe0 link#9 UHS lo0
fe80::%ovpns2/64 link#10 U ovpns2
fe80::215:17ff:fe7b:76a6%ovpns2 link#10 UHS lo0
fe80::%ovpns3/64 link#11 U ovpns3
fe80::215:17ff:fe7b:76a6%ovpns3 link#11 UHS lo0
fe80::%wg0/64 link#12 U wg0
fe80::215:17ff:fe7b:76a6%wg0 link#12 UHS lo0
If I have fc00:1111::0 on one side of the VPN and fc00:1111::1 on the other side, I cannot get an ICMP response from both sides, and I believe it is due to this error in the route table.
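A way to check for this symptom automatically, as an added example that is not part of the original report or of pfSense: it compares the configured Allowed IPs with the static routes that `netstat -6 -rn` shows on the tunnel interface. It assumes each Allowed IPs entry should appear as a static route on that interface; the function names are hypothetical and the sample is constructed from the output above.

```python
import ipaddress

# Constructed sample: lines trimmed from the netstat -6 -rn output in the report.
SAMPLE = """\
Destination Gateway Flags Netif Expire
::1 link#6 UH lo0
fc00:1111:: link#12 UHS lo0
fc00:1111::/64 link#12 U wg0
illegal prefixlen
7400:1000::/0 wg0 US wg0
fe80::%wg0/64 link#12 U wg0
fe80::215:17ff:fe7b:76a6%wg0 link#12 UHS lo0
"""

def static_routes(netstat_text, netif):
    """Return (routes, errors): static IPv6 routes on netif and netstat error lines."""
    routes, errors = [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        if line.strip() == "illegal prefixlen":
            errors.append(line.strip())  # netstat could not render a netmask
        elif len(fields) >= 4 and fields[3] == netif and "S" in fields[2]:
            addr, _, plen = fields[0].partition("/")
            if addr == "default":
                addr, plen = "::", "0"
            addr = addr.split("%")[0]  # drop a zone id such as %wg0
            try:
                # A destination without a prefix length is a host route (/128).
                net = ipaddress.ip_network(f"{addr}/{plen or 128}", strict=False)
            except ValueError:
                errors.append(f"unparseable destination {fields[0]}")
                continue
            routes.append((fields[0], net))
    return routes, errors

def audit(allowed_ips, netstat_text, netif):
    """Compare Allowed IPs (assumed to map 1:1 to static routes) with netif's routes."""
    expected = {ipaddress.ip_network(a, strict=False) for a in allowed_ips}
    routes, errors = static_routes(netstat_text, netif)
    installed = {net for _, net in routes}
    findings = [f"netstat error: {e}" for e in errors]
    findings += [f"unexpected route {raw} on {netif}"
                 for raw, net in routes if net not in expected]
    findings += [f"no route for allowed IP {net} on {netif}"
                 for net in sorted(expected - installed, key=str)]
    return findings

if __name__ == "__main__":
    for finding in audit(["fc00:1111::1/128"], SAMPLE, "wg0"):
        print(finding)
```

An empty result means every Allowed IPs entry has a matching static route and nothing else is routed into the tunnel.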
Updated by Marcelo Gondim almost 4 years ago
If I run: route -6 delete fc00:1111::1/128
It removes 7400:1000::/0 from the route table.
Updated by Jim Pingle almost 4 years ago
Can you test this with the patch from #11433 applied?
Updated by Marcelo Gondim almost 4 years ago
Hi Jim,
Patch applied and the problem persists.
Updated by Christian McDonald almost 3 years ago
- Status changed from New to Rejected
- Target version deleted (Future)
- Release Notes changed from Default to Force Exclusion
Unable to reproduce with current WireGuard implementation.