Feature #11498
open
WireGuard does not pass multicast traffic to peer
0%
Description
Moving this over from the internal Redmine (NG 5521)
From reports I've seen on other platforms, WireGuard should be passing multicast traffic, but it does not.
The interface reports MULTICAST in its capabilities:
: ifconfig wg0
wg0: flags=8080c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
options=880000<LINKSTATE>
inet 10.15.210.2 netmask 0xffffff00
inet6 fe80::290:bff:fe37:a324%wg0 prefixlen 64 scopeid 0xa
groups: wg
listen-port: 51820
private-key: yEGEI23vEu1OWYoCC9SJujvP53twqTxgtx0+nPoTmWM=
public-key: VBzLM57GLcW0guY2MQF8OZgI2HQKhAWqTE5qeMIANHo=
media: Ethernet autoselect (25GBase-ACC <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
When attempting to use OSPF, it appears to have joined the appropriate groups:
: ifmcstat -i wg0
wg0:
inet 10.15.210.2
igmpv3 rv 2 qi 125 qri 10 uri 3
group 224.0.0.6 mode exclude
group 224.0.0.5 mode exclude
inet6 fe80::290:bff:fe37:a324%wg0 scopeid 0xa
mldv2 flags=2<USEALLOW> rv 2 qi 125 qri 10 uri 3
group ff01::1%wg0 scopeid 0xa mode exclude
group ff02::2:c735:9c5f%wg0 scopeid 0xa mode exclude
group ff02::2:ffc7:359c%wg0 scopeid 0xa mode exclude
group ff02::1%wg0 scopeid 0xa mode exclude
group ff02::1:ff37:a324%wg0 scopeid 0xa mode exclude
inet 10.15.210.2
igmpv3 rv 2 qi 125 qri 10 uri 3
group 224.0.0.1 mode exclude
tcpdump shows the multicast traffic egress via wg0, and I see the outer WireGuard packets on the external interfaces, but nothing arrives at the wg0 interface on the peer, so it appears to be getting dropped by the kernel.
Additional notes from Peter:
[This is only viable for tunnels with a single peer]
OpenBSD advertises multicast capability, but also has no replication for multicast/broadcast traffic.
I'll have a look at the Linux wireguard implementation and see what it does.
Related issues
Updated by