Bug #11465
closed
Input validation does not prevent multiple conflicting WireGuard peers on a single tunnel from attempting to act as default route
Added by Jim Pingle almost 4 years ago.
Updated about 3 years ago.
Description
WireGuard uses Allowed IPs for internal routing to decide where to send traffic to a peer. When a peer has Allowed IPs set to 0.0.0.0/0 and/or ::/0 that means all traffic gets associated with that peer, and no other peers can be added.
We need input validation to check and prevent this from being configured, both when adding a new peer and when editing existing peers.
Similarly, if there are multiple peers, neither of them can have a blank Allowed IPs list as the result is ambiguous. With a single peer, WireGuard assumes 0.0.0.0/0,::/0, but once another peer is present that becomes invalid.
- Status changed from New to Pull Request Review
- Target version changed from CE-Next to 2.5.1
When testing, attempt these configurations in order without removing anything unless noted otherwise:
- Create a tunnel with one peer that has Allowed IPs empty -- should succeed
- Create a tunnel with the first peer Allowed IPs set to "10.0.0.0/24" or equivalent non-default network
- Add a peer to this tunnel with Allowed IPs set to "0.0.0.0/0" -- should succeed (first IPv4 default for this tunnel)
- Add a peer to this tunnel with Allowed IPs set to "::/0" -- should succeed (first IPv6 default for this tunnel)
- Add a peer to this tunnel with Allowed IPs empty -- should fail (additional attempt at IPv4 and IPv6 default)
- Add a peer to this tunnel with Allowed IPs set to "0.0.0.0/0" -- should fail
- Add a peer to this tunnel with Allowed IPs set to "::/0" -- should fail
- Create a tunnel with the first peer Allowed IPs set to "10.0.0.0/24" or equivalent non-default network -- should succeed
- Add a peer to this tunnel with Allowed IPs empty -- should succeed (IPv4 and IPv6 default for this tunnel)
- Add a peer to this tunnel with Allowed IPs empty -- should fail
- Add a peer to this tunnel with Allowed IPs set to "::/0" -- should fail
- Add a peer to this tunnel with Allowed IPs set to "0.0.0.0/0" -- should fail
- Create a tunnel with the first peer Allowed IPs empty -- should succeed
- Add a peer to this tunnel with Allowed IPs set to "::/0" -- should fail
- Add a peer to this tunnel with Allowed IPs set to "0.0.0.0/0" -- should fail
- Add a peer to this tunnel with Allowed IPs set to "10.0.1.0/24" -- should succeed
- Add a peer to this tunnel with Allowed IPs set to "fc07:1::0/64" -- should succeed
- Create a tunnel with the first peer Allowed IPs set to "10.5.0.0/24" or equivalent non-default network -- should succeed
- Add a peer to this tunnel with Allowed IPs set to "10.5.1.0/24" -- should succeed
- Add a peer to this tunnel with Allowed IPs set to "10.5.2.0/24" -- should succeed
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
PR has been merged. Thanks!
Cherry-picked to RELENG_2_5_1
- Tracker changed from Todo to Bug
- Subject changed from Add validation to prevent multiple WireGuard peers when Allowed IPs is 0.0.0.0/0, ::/0, or blank. to Input validation does not prevent multiple conflicting WireGuard peers on a single tunnel from attempting to act as default route
Updating subject for release notes.
- Target version changed from 2.5.1 to Future
This ticket can now be closed as the PR has been merged
- Status changed from Feedback to Closed
- Project changed from pfSense to pfSense Packages
- Category changed from WireGuard to WireGuard
- Target version deleted (
Future)
- Release Notes deleted (
Default)
Also available in: Atom
PDF
Updated by Viktor Gurov 
Updated by 
Updated by 
Updated by