Feature #11498

open

WireGuard does not pass multicast traffic to peer

Added by Jim Pingle 5 months ago. Updated 4 months ago.

Status: New
Priority: Normal
Assignee:
Category: WireGuard
Target version:
Start date: 02/22/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

Moving this over from the internal Redmine (NG 5521)

From reports I've seen on other platforms, WireGuard should be passing multicast traffic, but it does not.

The interface reports MULTICAST in its capabilities:

: ifconfig wg0
wg0: flags=8080c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
        options=880000<LINKSTATE>
        inet 10.15.210.2 netmask 0xffffff00
        inet6 fe80::290:bff:fe37:a324%wg0 prefixlen 64 scopeid 0xa
        groups: wg
        listen-port: 51820
        private-key: yEGEI23vEu1OWYoCC9SJujvP53twqTxgtx0+nPoTmWM=
        public-key:  VBzLM57GLcW0guY2MQF8OZgI2HQKhAWqTE5qeMIANHo=
        media: Ethernet autoselect (25GBase-ACC <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

When attempting to use OSPF, it appears to have joined the appropriate groups:

: ifmcstat -i wg0
wg0:
        inet 10.15.210.2
        igmpv3 rv 2 qi 125 qri 10 uri 3
                group 224.0.0.6 mode exclude
                group 224.0.0.5 mode exclude
        inet6 fe80::290:bff:fe37:a324%wg0 scopeid 0xa
        mldv2 flags=2<USEALLOW> rv 2 qi 125 qri 10 uri 3
                group ff01::1%wg0 scopeid 0xa mode exclude
                group ff02::2:c735:9c5f%wg0 scopeid 0xa mode exclude
                group ff02::2:ffc7:359c%wg0 scopeid 0xa mode exclude
                group ff02::1%wg0 scopeid 0xa mode exclude
                group ff02::1:ff37:a324%wg0 scopeid 0xa mode exclude
        inet 10.15.210.2
        igmpv3 rv 2 qi 125 qri 10 uri 3
                group 224.0.0.1 mode exclude

tcpdump shows the multicast traffic egress via wg0, and I see the outer WireGuard packets on the external interfaces, but nothing arrives at the wg0 interface on the peer, so it appears to be getting dropped by the kernel.

Additional notes from Peter:

[This is only viable for tunnels with a single peer]
OpenBSD advertises multicast capability, but also has no replication for multicast/broadcast traffic.
I'll have a look at the Linux wireguard implementation and see what it does.
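The two local checks shown in the report (the MULTICAST flag in `ifconfig` and the OSPF groups in `ifmcstat`) can be scripted, so that a passing result points at the tunnel data path rather than at interface configuration. This is an added example, not part of the original report or the project's code; the function names are hypothetical and the sample input is excerpted from the command output quoted above.

```python
import re

# 224.0.0.5 = AllSPFRouters, 224.0.0.6 = AllDRouters (OSPFv2, RFC 2328)
OSPF_GROUPS = {"224.0.0.5", "224.0.0.6"}

def interface_flags(ifconfig_out):
    """Return the set of flag names from the 'flags=...<A,B,C>' line."""
    m = re.search(r"flags=[0-9a-fA-F]+<([^>]*)>", ifconfig_out)
    return set(m.group(1).split(",")) if m else set()

def joined_groups(ifmcstat_out):
    """Return every multicast group listed, with any %scope suffix removed."""
    groups = set()
    for line in ifmcstat_out.splitlines():
        m = re.match(r"\s*group\s+(\S+)", line)
        if m:
            groups.add(m.group(1).split("%", 1)[0])
    return groups

def ospf_multicast_precheck(ifconfig_out, ifmcstat_out):
    """Summarise the local preconditions for OSPF multicast on one interface."""
    flags = interface_flags(ifconfig_out)
    missing = OSPF_GROUPS - joined_groups(ifmcstat_out)
    return {
        "multicast_flag": "MULTICAST" in flags,
        "missing_ospf_groups": sorted(missing),
        "local_side_ok": "MULTICAST" in flags and not missing,
    }

# Sample input: excerpts of the command output quoted in the report
IFCONFIG_SAMPLE = """\
wg0: flags=8080c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
        options=880000<LINKSTATE>
        inet 10.15.210.2 netmask 0xffffff00
"""
IFMCSTAT_SAMPLE = """\
wg0:
        inet 10.15.210.2
        igmpv3 rv 2 qi 125 qri 10 uri 3
                group 224.0.0.6 mode exclude
                group 224.0.0.5 mode exclude
        inet6 fe80::290:bff:fe37:a324%wg0 scopeid 0xa
                group ff02::1%wg0 scopeid 0xa mode exclude
"""

if __name__ == "__main__":
    print(ospf_multicast_precheck(IFCONFIG_SAMPLE, IFMCSTAT_SAMPLE))
```

If `local_side_ok` is true on both peers and tcpdump still shows nothing arriving on the remote wg0, the loss is inside the tunnel path, which matches what the report describes.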


Related issues

Has duplicate Bug #11480: mDNS repeater (Avahi) over WireGuard not working at all | Duplicate | 02/20/2021

#1

Updated by Jim Pingle 5 months ago

  • Has duplicate Bug #11480: mDNS repeater (Avahi) over WireGuard not working at all added
#2

Updated by Jim Pingle 4 months ago

  • Target version changed from 2.6.0 to Future