
Bug #11606

closed

Wireguard AllowedIPs filtering issue

Added by Sylwester Baranski about 3 years ago. Updated about 3 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
WireGuard
Target version:
-
Start date:
03/02/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.5.0
Affected Architecture:

Description

There is a potential problem with filtering AllowedIPs on the WireGuard server.
To demonstrate it, it is enough to set up a basic server-client network:

pfSense Server settings:

VPN/WireGuard/Tunnel:

Interface wg0:
Enabled: V
Description: WG1
Address: 192.168.2.1/24
Listen Port: 51820
Interface keys: x/x

Peer 0:
Description: Peer1
Public Key: x
Allowed IPs: 192.168.2.2/32

Peer should be able to use only 192.168.2.2 IP address.

WireGuard client configuration (Raspberry Pi):

[Interface]
Address = 192.168.2.2
PrivateKey = x

[Peer]
PublicKey = x
Endpoint = endpoint.ip:51820
AllowedIPs = 192.168.2.1/32

I can ping my server from my client. It's ok.
  # ping 192.168.2.1
  PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
  64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=8.96 ms

When I set the client address to 192.168.2.5:

  # ping 192.168.2.1
  PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
  ^C
  --- 192.168.2.1 ping statistics ---
  2 packets transmitted, 0 received, 100% packet loss, time 30ms

This is what I expected.

But when I set the client address to 192.168.2.6, I can ping my server again.

After short tests I realized that even IPs are passing, while odd ones aren't.
I think something is wrong with AllowedIPs filtering.

Regards
Sylwester
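To make the expected behaviour of the report's configuration concrete, here is an added Python model of WireGuard's cryptokey routing check (example code, not pfSense or WireGuard code): each AllowedIP prefix belongs to exactly one peer, and a decrypted packet from a peer is accepted only if its inner source address maps back to that same peer by longest-prefix match. "Peer1" with 192.168.2.2/32 is taken from the report; the second peer is a hypothetical addition to show that the lookup is per prefix across all peers.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed table modelled on the report's server config. The /24 peer is
# hypothetical and only illustrates longest-prefix matching across peers.
PEERS = {
    "Peer1": ["192.168.2.2/32"],
    "Peer2-hypothetical": ["192.168.2.0/24"],
}

def build_table(peers: Dict[str, List[str]]) -> Dict[ipaddress.IPv4Network, str]:
    """Map every AllowedIP prefix to a single peer. A peer listed later that
    claims the same prefix takes it over, as in WireGuard's cryptokey routing."""
    table: Dict[ipaddress.IPv4Network, str] = {}
    for peer, prefixes in peers.items():
        for prefix in prefixes:
            table[ipaddress.ip_network(prefix, strict=True)] = peer
    return table

def owner_of(table: Dict[ipaddress.IPv4Network, str], ip: str) -> Optional[str]:
    """Return the peer whose most specific AllowedIP contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, peer in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, peer)
    return best[1] if best else None

def source_allowed(table: Dict[ipaddress.IPv4Network, str], peer: str, src_ip: str) -> bool:
    """Inbound rule: a packet decrypted from `peer` is accepted only if its
    inner source IP routes to that same peer; otherwise it is dropped."""
    return owner_of(table, src_ip) == peer

def check_client_sources(table, peer: str, src_ips: List[str]) -> Dict[str, bool]:
    """Replay the report's experiment: which client source addresses pass?"""
    return {ip: source_allowed(table, peer, ip) for ip in src_ips}

if __name__ == "__main__":
    server_only = build_table({"Peer1": ["192.168.2.2/32"]})
    # With a /32 AllowedIP, only 192.168.2.2 should pass; .5 and .6 both drop.
    for ip, ok in check_client_sources(server_only, "Peer1",
                                       ["192.168.2.2", "192.168.2.5", "192.168.2.6"]).items():
        print(f"{ip}: {'accepted' if ok else 'dropped'}")
```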
