Bug #11606
Wireguard AllowedIPs filtering issue
Status: closed
Description
There is a potential problem with filtering AllowedIPs in the Wireguard server.
To demonstrate it, it is enough to set up a basic server-client network:
pfSense Server settings:
VPN/WireGuard/Tunnel:
Interface wg0:
Enabled: V
Description: WG1
Address: 192.168.2.1/24
Listen Port: 51820
Interface keys: x/x
Peer 0:
Description: Peer1
Public Key: x
Allowed IPs: 192.168.2.2/32
Peer should be able to use only 192.168.2.2 IP address.
Wireguard client configuration (RaspberryPI):
[Interface]
Address = 192.168.2.2
PrivateKey = x
[Peer]
PublicKey = x
Endpoint = endpoint.ip:51820
AllowedIPs = 192.168.2.1/32
- ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=8.96 ms
When I set the client address to 192.168.2.5:
- ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
^C
--- 192.168.2.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 30ms
This is what I expected.
But when I set client address to 192.168.2.6 I can ping my server again.
After short tests I realized that even IPs are passing, while odd ones aren't.
I think something is wrong with AllowedIPs filtering.
Regards
Sylwester
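The expected AllowedIPs behaviour from the report, as an added reference check (not pfSense's or WireGuard's code): WireGuard's cryptokey routing accepts a decrypted packet from a peer only if its inner source address lies inside one of that peer's AllowedIPs prefixes, so with 192.168.2.2/32 exactly one source address should pass. The `audit` helper compares the report's observed ping results (constructed from the text above) against that policy and names the addresses that did not behave as configured; the function names and the observation table are assumptions of this example.

```python
import ipaddress

# Peer 0 configuration from the report
PEER1_ALLOWED_IPS = ["192.168.2.2/32"]

# Constructed from the reporter's ping tests: client source -> server reached?
OBSERVED = {"192.168.2.2": True, "192.168.2.5": False, "192.168.2.6": True}


def prefix_mask(prefix_len, bits=32):
    """Netmask as an integer: /32 -> 0xFFFFFFFF, /24 -> 0xFFFFFF00, /0 -> 0."""
    if not 0 <= prefix_len <= bits:
        raise ValueError("prefix length out of range")
    return ((1 << bits) - 1) ^ ((1 << (bits - prefix_len)) - 1)


def source_allowed(allowed_ips, src):
    """Cryptokey-routing check for an inbound packet: True if src falls inside
    any AllowedIPs prefix (explicit mask-and-compare, IPv4 only here)."""
    s = int(ipaddress.ip_address(src))
    for entry in allowed_ips:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 4:
            continue  # assumption: example limited to IPv4 for brevity
        mask = prefix_mask(net.prefixlen)
        if (s & mask) == (int(net.network_address) & mask):
            return True
    return False


def covered_addresses(allowed_ips, subnet):
    """Every address in subnet that the policy admits; for a single /32 entry
    this must be exactly that one host."""
    return [str(a) for a in ipaddress.ip_network(subnet)
            if source_allowed(allowed_ips, str(a))]


def audit(allowed_ips, observations):
    """Return the observed source addresses whose reachability disagrees with
    what AllowedIPs says it should be (the report's 192.168.2.6 case)."""
    return sorted(src for src, reached in observations.items()
                  if reached != source_allowed(allowed_ips, src))


if __name__ == "__main__":
    print("policy admits:", covered_addresses(PEER1_ALLOWED_IPS, "192.168.2.0/24"))
    print("deviating sources:", audit(PEER1_ALLOWED_IPS, OBSERVED))
```

Run against a live tunnel, `audit` would take the reachability results from a sweep of client addresses instead of the constructed table.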