Project

General

Profile

Actions
Copy link

Bug #11618

closed

WireGuard using incorrect IPv6 tunnel address prefix length

Added by Reza Arbab over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
WireGuard
Target version:
-
Start date:
03/03/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
2.5.0
Affected Plus Version:
Affected Architecture:

Description

Example; if I specify a tunnel with address fc00:bbbb:bbbb:bb01::9:xxxx/128, this is how it gets configured:

/sbin/ifconfig 'wg0' inet6 'fc00:bbbb:bbbb:bb01::9:xxxx' netmask '255.255.255.255'

This command ends up assigning the interface a /64 subnet instead of the desired /128. When I then try to add a second tunnel, with address fc00:bbbb:bbbb:bb01::8:xxxx/128, it fails because that's in the same /64:

The following input errors were detected:
fc00:bbbb:bbbb:bb01::8:xxxx/128 is already configured on this firewall: OPT10 (fc00:bbbb:bbbb:bb01::9:xxxx/64)

The attached patch fixes things for me so that the first interface is created properly and I can add the second:

/sbin/ifconfig 'wg0' inet6 'fc00:bbbb:bbbb:bb01::9:xxxx' prefixlen '128'

Files

wg.inc.patch (589 Bytes) wg.inc.patch Reza Arbab, 03/03/2021 04:15 PM
Actions
Copy link
 #1

Updated by Jim Pingle over 4 years ago

  • Subject changed from vpn_wg_edit.php: Interface created with incorrect inet6 prefixlen to WireGuard using incorrect IPv6 tunnel address prefix length
  • Target version set to CE-Next
Actions
Copy link
 #2

Updated by Jim Pingle over 4 years ago

  • Assignee set to Jim Pingle
  • Target version changed from CE-Next to 2.5.1
Actions
Copy link
 #3

Updated by Jim Pingle over 4 years ago

That's easy enough to reproduce and check:

  • Set WG instance tunnel address to include 2001:db8:1:ee71::1/64 and confirm ifconfig wg0 shows 2001:db8:1:ee71::1/64
  • Change tunnel address to 2001:db8:1:ee71::1/128 and ifconfig wg0 incorrectly shows 2001:db8:1:ee71::1/64
  • Apply fix
  • Save the tunnel again with the tunnel address set to 2001:db8:1:ee71::1/128, ifconfig wg0 correctly shows 2001:db8:1:ee71::1/128
  • Set WG instance tunnel address back to 2001:db8:1:ee71::1/64 and confirm ifconfig wg0 correctly shows 2001:db8:1:ee71::1/64

Fix committed, will show up shortly.

Actions
Copy link
 #4

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Applied in changeset commit:8579d26bfb0dea0386c61008ade222c0ea29aa98.

Actions
Copy link
 #5

Updated by Jim Pingle over 4 years ago

  • Status changed from Feedback to Waiting on Merge
Actions
Copy link
 #6

Updated by Renato Botelho over 4 years ago

  • Status changed from Waiting on Merge to Feedback

Cherry-picked to RELENG_2_5_1

Actions
Copy link
 #7

Updated by Jim Pingle over 4 years ago

  • Target version changed from 2.5.1 to Future
Actions
Copy link
 #8

Updated by Kris Phillips over 4 years ago

If still relevant, should be moved to the package support for the WG package in 2.6.0. This is no longer relevant for core pfSense and pfSense Plus with WG removal.

Actions
Copy link
 #9

Updated by Jim Pingle over 4 years ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from WireGuard to WireGuard
  • Status changed from Feedback to Closed
  • Assignee deleted (Jim Pingle)
  • Target version deleted (Future)
  • Release Notes deleted (Default)

Can be reopened if it still applies to the package.

Actions
Copy link

Also available in: Atom PDF