Project

General

Profile

Bug #11465

Input validation does not prevent multiple conflicting WireGuard peers on a single tunnel from attempting to act as default route

Added by Jim Pingle about 2 months ago. Updated 25 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
WireGuard
Target version:
Start date:
02/19/2021
Due date:
% Done:

0%

Estimated time:
Affected Version:
Affected Architecture:
Release Notes:
Default

Description

WireGuard uses Allowed IPs for internal routing to decide where to send traffic to a peer. When a peer has Allowed IPs set to 0.0.0.0/0 and/or ::/0 that means all traffic gets associated with that peer, and no other peers can be added.

We need input validation to check and prevent this from being configured, both when adding a new peer and when editing existing peers.

Similarly, if there are multiple peers, neither of them can have a blank Allowed IPs list as the result is ambiguous. With a single peer, WireGuard assumes 0.0.0.0/0,::/0, but once another peer is present that becomes invalid.

Associated revisions

Revision 29b2cdb4 (diff)
Added by Viktor Gurov about 1 month ago

WireGuard default route Allowed IPs validation. Issue #11465

Revision 4e2d1ee8 (diff)
Added by Viktor Gurov about 1 month ago

WireGuard default route Allowed IPs validation. Issue #11465

(cherry picked from commit 29b2cdb4e1d0cd9c2be98819d0e07dbf5b696308)

History

#2 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review

#3 Updated by Jim Pingle about 1 month ago

  • Target version changed from CE-Next to 2.5.1

#4 Updated by Jim Pingle about 1 month ago

When testing, attempt these configurations in order without removing anything unless noted otherwise:

  • Create a tunnel with one peer that has Allowed IPs empty -- should succeed
  • Create a tunnel with the first peer Allowed IPs set to "10.0.0.0/24" or equivalent non-default network
  • Add a peer to this tunnel with Allowed IPs set to "0.0.0.0/0" -- should succeed (first IPv4 default for this tunnel)
  • Add a peer to this tunnel with Allowed IPs set to "::/0" -- should succeed (first IPv6 default for this tunnel)
  • Add a peer to this tunnel with Allowed IPs empty -- should fail (additional attempt at IPv4 and IPv6 default)
  • Add a peer to this tunnel with Allowed IPs set to "0.0.0.0/0" -- should fail
  • Add a peer to this tunnel with Allowed IPs set to "::/0" -- should fail
  • Create a tunnel with the first peer Allowed IPs set to "10.0.0.0/24" or equivalent non-default network -- should succeed
  • Add a peer to this tunnel with Allowed IPs empty -- should succeed (IPv4 and IPv6 default for this tunnel)
  • Add a peer to this tunnel with Allowed IPs empty -- should fail
  • Add a peer to this tunnel with Allowed IPs set to "::/0" -- should fail
  • Add a peer to this tunnel with Allowed IPs set to "0.0.0.0/0" -- should fail
  • Create a tunnel with the first peer Allowed IPs empty -- should succeed
  • Add a peer to this tunnel with Allowed IPs set to "::/0" -- should fail
  • Add a peer to this tunnel with Allowed IPs set to "0.0.0.0/0" -- should fail
  • Add a peer to this tunnel with Allowed IPs set to "10.0.1.0/24" -- should succeed
  • Add a peer to this tunnel with Allowed IPs set to "fc07:1::0/64" -- should succeed
  • Create a tunnel with the first peer Allowed IPs set to "10.5.0.0/24" or equivalent non-default network -- should succeed
  • Add a peer to this tunnel with Allowed IPs set to "10.5.1.0/24" -- should succeed
  • Add a peer to this tunnel with Allowed IPs set to "10.5.2.0/24" -- should succeed

#5 Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

#6 Updated by Renato Botelho about 1 month ago

Cherry-picked to RELENG_2_5_1

#7 Updated by Jim Pingle about 1 month ago

  • Tracker changed from Todo to Bug
  • Subject changed from Add validation to prevent multiple WireGuard peers when Allowed IPs is 0.0.0.0/0, ::/0, or blank. to Input validation does not prevent multiple conflicting WireGuard peers on a single tunnel from attempting to act as default route

Updating subject for release notes.

#8 Updated by Jim Pingle 25 days ago

  • Target version changed from 2.5.1 to Future

Also available in: Atom PDF