Bug #11606
Wireguard AllowedIPs filtering issue (closed)
Description
There is a potential problem with filtering AllowedIPs in the Wireguard server.
To demonstrate it, it is enough to set up a basic server-client network:
pfSense Server settings:
VPN/WireGuard/Tunnel:
Interface wg0:
Enabled: V
Description: WG1
Address: 192.168.2.1/24
Listen Port: 51820
Interface keys: x/x
Peer 0:
Description: Peer1
Public Key: x
Allowed IPs: 192.168.2.2/32
Peer should be able to use only 192.168.2.2 IP address.
Wireguard client configuration (Raspberry Pi):
[Interface]
Address = 192.168.2.2
PrivateKey = x
[Peer]
PublicKey = x
Endpoint = endpoint.ip:51820
AllowedIPs = 192.168.2.1/32
- ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=8.96 ms
When I set the client address to 192.168.2.5:
- ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
^C
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 30ms
This is what I expected.
But when I set the client address to 192.168.2.6, I can ping my server again.
After some short tests I realized that even IPs are passing, while odd ones aren't.
I think something is wrong with AllowedIPs filtering.
Regards
Sylwester
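The expectation in the report rests on how WireGuard's cryptokey routing treats AllowedIPs: on the server, a peer's AllowedIPs entry is both an inbound source-address filter (a decrypted packet is dropped unless its source falls inside the entry) and the outbound routing table (a destination is sent to the peer with the longest matching prefix). The following is an added Python model of those two rules, written for this page; it is not pfSense's or WireGuard's code and not part of the report. The class and function names are invented for the illustration, the addresses are the ones from the report, and the second peer ("SiteRouter" with a /24) is a constructed addition to show longest-prefix selection.

```python
"""Model of WireGuard's cryptokey routing (AllowedIPs) semantics.

Constructed example, not pfSense or WireGuard code. Two rules are modelled:
  * inbound: a decrypted packet from a peer is dropped unless its source
    address falls inside that peer's AllowedIPs;
  * outbound: a plaintext packet is sent to the peer whose AllowedIPs entry
    is the longest prefix match for the destination (None = no route).
"""
import ipaddress
from typing import Dict, List, Optional


class Peer:
    """One [Peer] entry: a name and its AllowedIPs prefixes."""

    def __init__(self, name: str, allowed_ips: List[str]) -> None:
        self.name = name
        # strict=False lets host entries such as "192.168.2.2/32" parse
        self.allowed_ips = [ipaddress.ip_network(n, strict=False) for n in allowed_ips]


class CryptokeyRouter:
    """Minimal cryptokey routing table over a list of peers."""

    def __init__(self, peers: List[Peer]) -> None:
        self.peers = peers

    def accept_inbound(self, peer: Peer, src_ip: str) -> bool:
        """Source-address filter applied after a packet is decrypted for `peer`."""
        src = ipaddress.ip_address(src_ip)
        return any(src in net for net in peer.allowed_ips)

    def select_outbound_peer(self, dst_ip: str) -> Optional[Peer]:
        """Longest-prefix match of the destination across all peers' AllowedIPs."""
        dst = ipaddress.ip_address(dst_ip)
        best: Optional[Peer] = None
        best_len = -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if dst in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best


def inbound_results(allowed_ips: List[str], candidate_sources: List[str]) -> Dict[str, bool]:
    """Which source addresses a single-peer server would accept from that peer."""
    peer = Peer("Peer1", allowed_ips)
    router = CryptokeyRouter([peer])
    return {ip: router.accept_inbound(peer, ip) for ip in candidate_sources}


# Constructed inputs mirroring the report: the client tries .2, .5 and .6
REPORT_SOURCES = ["192.168.2.2", "192.168.2.5", "192.168.2.6"]

# With the /32 entry from the report, only .2 is accepted, odd or even.
EXPECTED_WITH_HOST_ENTRY = inbound_results(["192.168.2.2/32"], REPORT_SOURCES)

# With a /24 entry every address in the subnet passes, which is the first
# thing to rule out when a peer seems to bypass the filter.
EXPECTED_WITH_SUBNET_ENTRY = inbound_results(["192.168.2.0/24"], REPORT_SOURCES)


def outbound_choice() -> Dict[str, Optional[str]]:
    """Longest prefix wins: a /32 peer beats a /24 peer for its own address."""
    router = CryptokeyRouter([
        Peer("Peer1", ["192.168.2.2/32"]),
        Peer("SiteRouter", ["192.168.2.0/24"]),  # constructed second peer
    ])
    out: Dict[str, Optional[str]] = {}
    for dst in ["192.168.2.2", "192.168.2.6", "10.0.0.1"]:
        peer = router.select_outbound_peer(dst)
        out[dst] = peer.name if peer is not None else None
    return out


if __name__ == "__main__":
    print("/32 entry:", EXPECTED_WITH_HOST_ENTRY)
    print("/24 entry:", EXPECTED_WITH_SUBNET_ENTRY)
    print("outbound :", outbound_choice())
```

Run as a script it prints the accept/drop decision for each of the three client addresses under a /32 and under a /24 entry, followed by which peer each destination would be routed to. A real deployment check is the same idea in reverse: if an address outside a peer's AllowedIPs gets a reply, the first things to verify are the prefix length actually saved on the peer entry and whether another peer's entry covers that address.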
Updated by Jim Pingle about 3 years ago
- Status changed from New to Rejected
I can't replicate this as stated. I have a tunnel with multiple peers and the peers can only communicate with the addresses listed on their entries. If I edit the client and try to have it use other addresses, I get nothing but failures with both odd and even IP addresses.
Please post on the Netgate Forum to discuss and diagnose the issue further. If we can figure out how to replicate it and what might be at play here, this can be reopened with more complete information.