WireGuard does not pass multicast traffic to peer
Moving this over from the internal Redmine (NG 5521).
From reports I've seen on other platforms, WireGuard should be passing multicast traffic, but it does not.
The interface reports MULTICAST in its capabilities:
: ifconfig wg0
wg0: flags=8080c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
    options=880000<LINKSTATE>
    inet 10.15.210.2 netmask 0xffffff00
    inet6 fe80::290:bff:fe37:a324%wg0 prefixlen 64 scopeid 0xa
    groups: wg
    listen-port: 51820
    private-key: yEGEI23vEu1OWYoCC9SJujvP53twqTxgtx0+nPoTmWM=
    public-key: VBzLM57GLcW0guY2MQF8OZgI2HQKhAWqTE5qeMIANHo=
    media: Ethernet autoselect (25GBase-ACC <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
When attempting to use OSPF, it appears to have joined the appropriate groups:
: ifmcstat -i wg0
wg0:
    inet 10.15.210.2
    igmpv3 rv 2 qi 125 qri 10 uri 3
        group 188.8.131.52 mode exclude
        group 184.108.40.206 mode exclude
    inet6 fe80::290:bff:fe37:a324%wg0 scopeid 0xa
    mldv2 flags=2<USEALLOW> rv 2 qi 125 qri 10 uri 3
        group ff01::1%wg0 scopeid 0xa mode exclude
        group ff02::2:c735:9c5f%wg0 scopeid 0xa mode exclude
        group ff02::2:ffc7:359c%wg0 scopeid 0xa mode exclude
        group ff02::1%wg0 scopeid 0xa mode exclude
        group ff02::1:ff37:a324%wg0 scopeid 0xa mode exclude
    inet 10.15.210.2
    igmpv3 rv 2 qi 125 qri 10 uri 3
        group 220.127.116.11 mode exclude
tcpdump shows the multicast traffic egress via wg0, and I see the outer WireGuard packets on the external interfaces, but nothing arrives at the wg0 interface on the peer, so it appears to be getting dropped by the kernel.
Additional notes from Peter:
[This is only viable for tunnels with a single peer]
OpenBSD advertises multicast capability, but also has no replication for multicast/broadcast traffic.
I'll have a look at the Linux wireguard implementation and see what it does.