Bug #11618
closed
WireGuard using incorrect IPv6 tunnel address prefix length
Added by Reza Arbab about 4 years ago.
Updated almost 4 years ago.
Description
Example: if I specify a tunnel with address fc00:bbbb:bbbb:bb01::9:xxxx/128, this is how it gets configured:
/sbin/ifconfig 'wg0' inet6 'fc00:bbbb:bbbb:bb01::9:xxxx' netmask '255.255.255.255'
This command ends up assigning the interface a /64 subnet instead of the desired /128. When I then try to add a second tunnel, with address fc00:bbbb:bbbb:bb01::8:xxxx/128, it fails because that's in the same /64:
The following input errors were detected:
fc00:bbbb:bbbb:bb01::8:xxxx/128 is already configured on this firewall: OPT10 (fc00:bbbb:bbbb:bb01::9:xxxx/64)
The attached patch fixes things for me so that the first interface is created properly and I can add the second:
/sbin/ifconfig 'wg0' inet6 'fc00:bbbb:bbbb:bb01::9:xxxx' prefixlen '128'
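The behaviour described in the report above, as an added example that is not part of the original report and is not pfSense's own code: a Python sketch that builds the ifconfig arguments per address family and models the overlap error as "the new address falls inside an already configured subnet" (an assumption about the validation). The function names and the 2001:db8 sample addresses are constructed for illustration.

```python
import ipaddress

def ifconfig_args(ifname, cidr):
    """Build ifconfig arguments for a tunnel address given as addr/prefix."""
    iface = ipaddress.ip_interface(cidr)
    if iface.version == 6:
        # inet6 form used by the report's fix: prefixlen, not a dotted netmask.
        return ["/sbin/ifconfig", ifname, "inet6", str(iface.ip),
                "prefixlen", str(iface.network.prefixlen)]
    # inet keeps the dotted-quad netmask form.
    return ["/sbin/ifconfig", ifname, "inet", str(iface.ip),
            "netmask", str(iface.netmask)]

def conflicts(new_cidr, configured):
    """Simplified model of the overlap check: list the configured
    interfaces whose subnet already contains the new tunnel address."""
    new = ipaddress.ip_interface(new_cidr)
    hits = []
    for name, cidr in configured.items():
        cur = ipaddress.ip_interface(cidr)
        if cur.version == new.version and new.ip in cur.network:
            hits.append(f"{name} ({cur})")
    return hits

if __name__ == "__main__":
    # Constructed sample addresses (documentation prefix 2001:db8::/32).
    second = "2001:db8:1:ee71::8:1/128"

    # First tunnel ended up as a /64: the second /128 is rejected.
    print(conflicts(second, {"OPT10": "2001:db8:1:ee71::9:1/64"}))

    # First tunnel configured as the requested /128: no conflict.
    print(conflicts(second, {"OPT10": "2001:db8:1:ee71::9:1/128"}))

    print(" ".join(ifconfig_args("wg0", "2001:db8:1:ee71::1/128")))
```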
- Subject changed from vpn_wg_edit.php: Interface created with incorrect inet6 prefixlen to WireGuard using incorrect IPv6 tunnel address prefix length
- Target version set to CE-Next
- Assignee set to Jim Pingle
- Target version changed from CE-Next to 2.5.1
That's easy enough to reproduce and check:
- Set WG instance tunnel address to include 2001:db8:1:ee71::1/64 and confirm ifconfig wg0 shows 2001:db8:1:ee71::1/64
- Change tunnel address to 2001:db8:1:ee71::1/128 and ifconfig wg0 incorrectly shows 2001:db8:1:ee71::1/64
- Apply fix
- Save the tunnel again with the tunnel address set to 2001:db8:1:ee71::1/128, ifconfig wg0 correctly shows 2001:db8:1:ee71::1/128
- Set WG instance tunnel address back to 2001:db8:1:ee71::1/64 and confirm ifconfig wg0 correctly shows 2001:db8:1:ee71::1/64
Fix committed, will show up shortly.
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset commit:8579d26bfb0dea0386c61008ade222c0ea29aa98.
- Status changed from Feedback to Waiting on Merge
- Status changed from Waiting on Merge to Feedback
Cherry-picked to RELENG_2_5_1
- Target version changed from 2.5.1 to Future
If still relevant, should be moved to the package support for the WG package in 2.6.0. This is no longer relevant for core pfSense and pfSense Plus with WG removal.
- Project changed from pfSense to pfSense Packages
- Category changed from WireGuard to WireGuard
- Status changed from Feedback to Closed
- Assignee deleted (Jim Pingle)
- Target version deleted (Future)
- Release Notes deleted (Default)
Can be reopened if it still applies to the package.