Thursday, March 31, 2022

Multiple wgpeers on single wg(4) interface with same wgaip list

Hello misc@,
I am trying to set up several tunnels into a single wg(4) endpoint.
The first tunnel worked fine however when I add the second one the wgaip
statement moves to the last wgpeer configured. Is this expected behavior?

/etc/hostname.wg0 with a single tunnel:
----
descr "Wireguard Site Tunnels"
inet 172.17.33.17 255.255.255.240
wgkey [REDACTED]
wgport 13231
wgpeer [ENDPOINT_1_PUBKEY] \
wgendpoint a.b.c.d 51806 \
wgpsk [ENDPOINT_1_PSK] \
wgaip 0.0.0.0/0
up

`doas ifconfig wg0` output:
----
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
description: Wireguard Site Tunnels
index 13 priority 0 llprio 3
wgport 13231
wgpubkey [SERVER_PUBLIC_KEY]
wgpeer [ENDPOINT_1_PUBKEY]
wgpsk (present)
wgendpoint a.b.c.d 51806
tx: 124, rx: 180
last handshake: 5 seconds ago
groups: wg
inet 172.17.33.17 netmask 0xfffffff0 broadcast 172.17.33.31


The above works as expected, however adding the second peer causes the first
peer to fail.

/etc/hostname.wg0
----
descr "Wireguard Site Tunnels"
inet 172.17.33.17 255.255.255.240
wgkey [REDACTED]
wgport 13231
wgpeer [ENDPOINT_1_PUBKEY] \
wgendpoint a.b.c.d 51806 \
wgpsk [ENDPOINT_1_PSK] \
wgaip 0.0.0.0/0
wgpeer [ENDPOINT_2_PUBKEY] \
wgpsk [ENDPOINT_2_PSK] \
wgaip 0.0.0.0/0
up

`doas ifconfig wg0` output:
----
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
description: Wireguard Site Tunnels
index 13 priority 0 llprio 3
wgport 13231
wgpubkey [SERVER_PUBLIC_KEY]
wgpeer [ENDPOINT_1_PUBKEY]
wgpsk (present)
wgendpoint a.b.c.d 51806
tx: 17784, rx: 54632
last handshake: 5 seconds ago
wgpeer [ENDPOINT_2_PUBKEY]
wgpsk (present)
wgendpoint f.g.h.i 51807
tx: 116328, rx: 98008
last handshake: 42 seconds ago
wgaip 0.0.0.0/0
groups: wg
inet 172.17.33.17 netmask 0xfffffff0 broadcast 172.17.33.31

This seems to happen regardless of whether I destroy the interface
between adding peers or not. It seems to also happen if I try
to specify the wg0 interface's network as the wgaip, e.g.
wgaip 172.17.33.16/28 on both peers, only the last one seems to
retain it. Once the wgaip stanza switches the other peer still
seems to authenticate fine but all traffic is dropped and
`doas ifconfig wg0 debug` causes the following to be printed
into the kernel ringbuffer:
wg0: Packet has unallowed src IP from peer 7
which makes sense, given the default is to have no ip allowed.

Is it expected that one cannot assign the same wgaip blocks to more
than one peer simultaneously?

Thanks,
Matt

--
Matthew Ernisse
matt@going-flying.com
https://www.going-flying.com/
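The ifconfig output above, where the wgaip line attaches only to the last peer, matches WireGuard's cryptokey routing rule: every allowed-IP prefix is owned by exactly one peer, so assigning it to a second peer removes it from the first, and the first peer's decrypted packets then fail the source-address check. The following Python model is an added example and not OpenBSD's wg(4) code; the peer names are the placeholders from the post, and the per-peer /32 addresses in the disjoint configuration are constructed.

```python
from ipaddress import ip_address, ip_network

class CryptokeyRouting:
    """Model of WireGuard cryptokey routing: a prefix is owned by at most
    one peer, so adding it to another peer silently moves it."""

    def __init__(self):
        self.peers = {}   # pubkey -> set of allowed-IP networks
        self.owner = {}   # network -> pubkey that currently owns it

    def add_peer(self, pubkey, allowed_ips):
        self.peers.setdefault(pubkey, set())
        for cidr in allowed_ips:
            net = ip_network(cidr)
            prev = self.owner.get(net)
            if prev is not None and prev != pubkey:
                self.peers[prev].discard(net)   # the earlier peer loses it
            self.owner[net] = pubkey
            self.peers[pubkey].add(net)

    def allowed(self, pubkey):
        return sorted(str(n) for n in self.peers.get(pubkey, ()))

    def route(self, dst):
        """Outbound: longest-prefix match picks the peer to encrypt to."""
        dst = ip_address(dst)
        hits = [(n.prefixlen, p) for n, p in self.owner.items() if dst in n]
        return max(hits)[1] if hits else None

    def accept_inbound(self, pubkey, src):
        """Inbound: after decryption the source must fall inside one of the
        sending peer's allowed IPs, otherwise the packet is dropped (the
        'unallowed src IP' debug message quoted in the post)."""
        src = ip_address(src)
        return any(src in n for n in self.peers.get(pubkey, ()))

def overlapping_config():
    """Both peers configured with wgaip 0.0.0.0/0, as in the post."""
    t = CryptokeyRouting()
    t.add_peer("ENDPOINT_1_PUBKEY", ["0.0.0.0/0"])
    t.add_peer("ENDPOINT_2_PUBKEY", ["0.0.0.0/0"])
    return t

def disjoint_config():
    """One /32 per peer inside wg0's subnet (addresses are constructed)."""
    t = CryptokeyRouting()
    t.add_peer("ENDPOINT_1_PUBKEY", ["172.17.33.18/32"])
    t.add_peer("ENDPOINT_2_PUBKEY", ["172.17.33.19/32"])
    return t
```

With the overlapping configuration peer 1 ends up with no allowed IPs at all, which is why it still handshakes but every packet it sends is dropped; giving each peer a disjoint prefix keeps both reachable.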
