Bug #11618

closed

WireGuard using incorrect IPv6 tunnel address prefix length

Added by Reza Arbab about 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: WireGuard
Target version: -
Start date: 03/03/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version: 2.5.0
Affected Plus Version:
Affected Architecture:

Description

Example: if I specify a tunnel with address fc00:bbbb:bbbb:bb01::9:xxxx/128, this is how it gets configured:

/sbin/ifconfig 'wg0' inet6 'fc00:bbbb:bbbb:bb01::9:xxxx' netmask '255.255.255.255'

This command ends up assigning the interface a /64 subnet instead of the desired /128. When I then try to add a second tunnel, with address fc00:bbbb:bbbb:bb01::8:xxxx/128, it fails because that's in the same /64:

The following input errors were detected:
fc00:bbbb:bbbb:bb01::8:xxxx/128 is already configured on this firewall: OPT10 (fc00:bbbb:bbbb:bb01::9:xxxx/64)

The attached patch fixes things for me so that the first interface is created properly and I can add the second:

/sbin/ifconfig 'wg0' inet6 'fc00:bbbb:bbbb:bb01::9:xxxx' prefixlen '128'

Files

wg.inc.patch (589 Bytes) Reza Arbab, 03/03/2021 04:15 PM
Actions #1

Updated by Jim Pingle about 3 years ago

  • Subject changed from vpn_wg_edit.php: Interface created with incorrect inet6 prefixlen to WireGuard using incorrect IPv6 tunnel address prefix length
  • Target version set to CE-Next
Actions #2

Updated by Jim Pingle about 3 years ago

  • Assignee set to Jim Pingle
  • Target version changed from CE-Next to 2.5.1
Actions #3

Updated by Jim Pingle about 3 years ago

That's easy enough to reproduce and check:

  • Set WG instance tunnel address to include 2001:db8:1:ee71::1/64 and confirm ifconfig wg0 shows 2001:db8:1:ee71::1/64
  • Change tunnel address to 2001:db8:1:ee71::1/128 and ifconfig wg0 incorrectly shows 2001:db8:1:ee71::1/64
  • Apply fix
  • Save the tunnel again with the tunnel address set to 2001:db8:1:ee71::1/128, ifconfig wg0 correctly shows 2001:db8:1:ee71::1/128
  • Set WG instance tunnel address back to 2001:db8:1:ee71::1/64 and confirm ifconfig wg0 correctly shows 2001:db8:1:ee71::1/64

Fix committed, will show up shortly.

Actions #4

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Applied in changeset commit:8579d26bfb0dea0386c61008ade222c0ea29aa98.

Actions #5

Updated by Jim Pingle about 3 years ago

  • Status changed from Feedback to Waiting on Merge
Actions #6

Updated by Renato Botelho about 3 years ago

  • Status changed from Waiting on Merge to Feedback

Cherry-picked to RELENG_2_5_1

Actions #7

Updated by Jim Pingle about 3 years ago

  • Target version changed from 2.5.1 to Future
Actions #8

Updated by Kris Phillips almost 3 years ago

If still relevant, should be moved to the package support for the WG package in 2.6.0. This is no longer relevant for core pfSense and pfSense Plus with WG removal.

Actions #9

Updated by Jim Pingle almost 3 years ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from WireGuard to WireGuard
  • Status changed from Feedback to Closed
  • Assignee deleted (Jim Pingle)
  • Target version deleted (Future)
  • Release Notes deleted (Default)

Can be reopened if it still applies to the package.
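The two ifconfig invocations in the description differ only in how the prefix length is passed: a dotted-quad netmask versus prefixlen. The sketch below is an added example, not pfSense code or the attached patch; it builds the address arguments per address family from a CIDR string. The function names tunnel_addr_args and v4_netmask are hypothetical, and the IPv4 address used in testing is constructed.

```shell
#!/bin/sh
# Added example, not pfSense code. Function names are hypothetical.

# v4_netmask BITS -> dotted-quad netmask, e.g. 24 -> 255.255.255.0
v4_netmask() {
    bits=$1
    mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            octet=255
            bits=$((bits - 8))
        else
            octet=$((256 - (1 << (8 - $bits))))
            bits=0
        fi
        mask="${mask:+$mask.}$octet"
    done
    echo "$mask"
}

# tunnel_addr_args CIDR -> prints the ifconfig address arguments:
#   IPv4: inet ADDR netmask MASK
#   IPv6: inet6 ADDR prefixlen LEN
# Returns 1 if the prefix length is missing, non-numeric or out of range.
tunnel_addr_args() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    len=${1##*/}
    case $len in ''|*[!0-9]*|0?*) return 1 ;; esac
    case $addr in
        *:*)
            # IPv6 prefix lengths run to 128 bits; a dotted quad covers only 32.
            [ "$len" -le 128 ] || return 1
            echo "inet6 $addr prefixlen $len"
            ;;
        *)
            [ "$len" -le 32 ] || return 1
            echo "inet $addr netmask $(v4_netmask "$len")"
            ;;
    esac
}

# Demo with the address from the reproduction steps in this issue.
tunnel_addr_args '2001:db8:1:ee71::1/128'
```

The printed arguments would follow the interface name in the ifconfig command line; after applying them, the check is the one from the reproduction steps, namely that ifconfig wg0 shows the prefix length that was configured.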
