Bug #11606

Wireguard AllowedIPs filtering issue

Added by Sylwester Baranski about 1 month ago. Updated about 1 month ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
WireGuard
Target version:
-
Start date:
03/02/2021
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.5.0
Affected Architecture:
Release Notes:
Default

Description

There is a potential problem with AllowedIPs filtering in the WireGuard server.
To demonstrate it, it is enough to set up a basic server-client network:

pfSense Server settings:

VPN/WireGuard/Tunnel:

Interface wg0:
Enabled: V
Description: WG1
Address: 192.168.2.1/24
Listen Port: 51820
Interface keys: x/x

Peer 0:
Description: Peer1
Public Key: x
Allowed IPs: 192.168.2.2/32

Peer should be able to use only 192.168.2.2 IP address.

Wireguard client configuration (RaspberryPI):

[Interface]
Address = 192.168.2.2
PrivateKey = x

[Peer]
PublicKey = x
Endpoint = endpoint.ip:51820
AllowedIPs = 192.168.2.1/32

I can ping my server from my client. It's OK.

# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=8.96 ms

When I set the client address to 192.168.2.5:

# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
^C
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 30ms

This is what I expected.

But when I set client address to 192.168.2.6 I can ping my server again.

After short tests I realized that even IPs are passing, while odd ones aren't.
I think something is wrong with the AllowedIPs filtering.

Regards
Sylwester
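As an added illustration (not part of this report, and not pfSense or WireGuard code), the following Python script models WireGuard's "cryptokey routing", which is what the AllowedIPs setting implements: a decrypted packet from a peer is delivered only if its source address lies inside that peer's AllowedIPs, and outbound packets are sent to the peer holding the longest matching prefix. The peer table mirrors the report's Peer1 entry (192.168.2.2/32); the second peer, its prefixes and the overlap audit are constructed for the example and are assumptions, not something the report or pfSense defines. Under this model 192.168.2.5 and 192.168.2.6 are dropped alike, which is the behaviour the reporter expected and the one Jim Pingle describes in the reply below.

```python
"""Model of WireGuard's AllowedIPs ("cryptokey routing") check.

Added illustration, not pfSense or WireGuard code. The peer table, the second
peer and every packet address below are constructed for the example.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Server-side peer table. Peer1 mirrors the report (only 192.168.2.2 allowed);
# Peer2 is a constructed extra peer so that routing has more than one choice.
PEERS: Dict[str, List[str]] = {
    "Peer1": ["192.168.2.2/32"],
    "Peer2": ["192.168.2.3/32", "10.20.0.0/24"],
}


def _table(peers: Dict[str, List[str]]):
    """Parse the textual prefixes once into ip_network objects."""
    return {name: [ip_network(n) for n in nets] for name, nets in peers.items()}


def accept_inbound(peer: str, src_ip: str, peers=PEERS) -> bool:
    """Inbound rule: a packet that decrypted under `peer`'s key is delivered
    only if its inner source address is inside that peer's AllowedIPs.
    Anything else is silently dropped; address parity plays no role."""
    src = ip_address(src_ip)
    return any(src in net for net in _table(peers)[peer])


def route_outbound(dst_ip: str, peers=PEERS) -> Optional[str]:
    """Outbound rule: pick the peer whose AllowedIPs entry is the most specific
    (longest-prefix) match for the destination. None means no peer matches,
    so the kernel drops the packet rather than sending it anywhere."""
    dst = ip_address(dst_ip)
    best, best_len = None, -1
    for name, nets in _table(peers).items():
        for net in nets:
            if dst in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def audit(peers=PEERS) -> List[Tuple[str, str, str, str]]:
    """Defender's configuration check: report AllowedIPs entries that overlap
    between peers. Overlaps are legal but mean replies go to whichever peer
    holds the longer prefix, which is easy to get wrong in a larger table."""
    table = _table(peers)
    names = list(table)
    findings = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in table[a]:
                for nb in table[b]:
                    if na.overlaps(nb):
                        findings.append((a, str(na), b, str(nb)))
    return findings


if __name__ == "__main__":
    # Reproduce the report's three client addresses against Peer1's entry.
    for src in ("192.168.2.2", "192.168.2.5", "192.168.2.6"):
        verdict = "accepted" if accept_inbound("Peer1", src) else "dropped"
        print(f"Peer1 sending from {src}: {verdict}")
    print("Reply to 192.168.2.2 is routed to:", route_outbound("192.168.2.2"))
    print("Overlapping AllowedIPs:", audit() or "none")
```

The `audit` helper is the check worth running on a real pfSense peer list: a client that can reach the server from an address outside its `/32` is far more often explained by a second peer entry (or a `0.0.0.0/0` route) that also covers that address than by the filter itself misbehaving.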

History

#1 Updated by Jim Pingle about 1 month ago

  • Status changed from New to Rejected

I can't replicate this as stated. I have a tunnel with multiple peers and the peers can only communicate with the addresses listed on their entries. If I edit the client and try to have it use other addresses, I get nothing but failures with both odd and even IP addresses.

Please post on the Netgate Forum to discuss and diagnose the issue further. If we can figure out how to replicate it and what might be at play here, this can be reopened with more complete information.