Hi,
It's to prevent possible spoofing by each peer.
From man wg(4):
The interface will accept tunneled traffic only from the peer configured with the most specific matching allowed IP address range for the incoming traffic, or drop it if no such match exists. That is, tunneled traffic routed to a given peer cannot return through another peer of the same wg interface. This ensures that peers cannot spoof another's traffic.
In addition, reading the 2nd article of the document at https://www.wireguard.com/papers/wireguard.pdf explains that which public key to encrypt with is determined according to the Allowed IP address.
So for security reasons, it was designed that way in principle.
Whether this can be assigned to an option is a kernel question entirely specific to the WireGuard implementation.
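The cryptokey routing rule quoted from wg(4) above can be modelled in a few lines. The following Python is an added example, not code from the thread or from the OpenBSD or WireGuard projects: it is a toy allowed-IPs table that masks host bits (so 10.45.0.2/24 and 10.45.0.3/24 collapse to the same entry, 10.45.0.0/24), lets each prefix belong to exactly one peer (an assumption of the model that matches what the reporter observed: peer1 lost its wgaip when peer2 was given the same /24), and resolves both inbound and outbound traffic by most-specific match. It also goes one step beyond the thread by showing that a /24 on one peer and a /32 on another is a legitimate, non-conflicting configuration, and why a /32 per peer is the usual fix for the reported setup. Peer names and addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class CryptokeyRoutingTable:
    """Toy model of WireGuard's cryptokey routing (allowed-IPs) table.

    Model assumption (not taken from wg(4) itself): a prefix maps to exactly
    one peer, so assigning an already-owned prefix to a second peer moves it,
    which is consistent with the behaviour reported in the thread.
    """

    def __init__(self) -> None:
        self._routes: Dict[Network, str] = {}

    def add_allowed_ip(self, peer: str, prefix: str) -> Network:
        # strict=False masks host bits: "10.45.0.2/24" -> 10.45.0.0/24.
        net = ipaddress.ip_network(prefix, strict=False)
        self._routes[net] = peer
        return net

    def allowed_ips(self, peer: str) -> List[str]:
        """Prefixes currently owned by a peer, as they would be displayed."""
        return sorted(str(n) for n, p in self._routes.items() if p == peer)

    def lookup(self, address: str) -> Optional[str]:
        """Most-specific (longest-prefix) match, or None if nothing matches."""
        addr = ipaddress.ip_address(address)
        best: Optional[Tuple[Network, str]] = None
        for net, peer in self._routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accept_inbound(self, from_peer: str, src: str) -> bool:
        """wg(4) rule: decrypted traffic from a peer is accepted only if that
        peer holds the most specific allowed IP for the source address;
        otherwise it is dropped, so one peer cannot spoof another's range."""
        return self.lookup(src) == from_peer

    def route_outbound(self, dst: str) -> Optional[str]:
        """Outbound: which peer's public key a packet to dst is encrypted for."""
        return self.lookup(dst)


def reproduce_thread() -> Dict[str, List[str]]:
    """The reporter's configuration: two peers, each given a host in the
    same /24. Both collapse to 10.45.0.0/24, so the second assignment takes
    the prefix away from peer1."""
    table = CryptokeyRoutingTable()
    table.add_allowed_ip("peer1", "10.45.0.2/24")
    table.add_allowed_ip("peer2", "10.45.0.3/24")
    return {"peer1": table.allowed_ips("peer1"), "peer2": table.allowed_ips("peer2")}


def corrected_setup() -> CryptokeyRoutingTable:
    """One /32 per peer: each host address resolves to exactly one peer,
    and addresses nobody owns (e.g. 10.45.0.9) are dropped."""
    table = CryptokeyRoutingTable()
    table.add_allowed_ip("peer1", "10.45.0.2/32")
    table.add_allowed_ip("peer2", "10.45.0.3/32")
    return table


def overlap_setup() -> CryptokeyRoutingTable:
    """Overlapping but not identical prefixes are fine: peer1 carries the
    whole /24, peer2 a single /32 inside it. Most-specific match sends
    10.45.0.3 to peer2 and every other host in the /24 to peer1."""
    table = CryptokeyRoutingTable()
    table.add_allowed_ip("peer1", "10.45.0.0/24")
    table.add_allowed_ip("peer2", "10.45.0.3/32")
    return table


if __name__ == "__main__":
    print("thread reproduction:", reproduce_thread())
    t = corrected_setup()
    print("10.45.0.3 from peer1 accepted?", t.accept_inbound("peer1", "10.45.0.3"))
    print("10.45.0.7 routed to:", overlap_setup().route_outbound("10.45.0.7"))
```

Running the script shows peer1 with an empty allowed-IP list and peer2 owning 10.45.0.0/24, which is the state the ifconfig output in the original post describes; the corrected table rejects a packet from peer1 that claims the source 10.45.0.3, since that address is owned by peer2.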
________________________________
From: owner-misc@openbsd.org <owner-misc@openbsd.org> on behalf of Consus <consus@ftml.net>
Sent: Thursday, June 1, 2023 15:47
To: misc@openbsd.org <misc@openbsd.org>
Subject: Cannot setup more than one WireGuard peer
Hi,
I'm using OpenBSD 7.3 and I have the following issue with WireGuard:
adding more than one peer via ifconfig breaks wgaip assignments.
Initial configuration:
$ doas ifconfig wg0
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
index 8 priority 0 llprio 3
wgport <port>
wgpubkey <pubkey>
groups: wg
inet 10.45.0.1 netmask 0xffffff00 broadcast 10.45.0.255
Adding a new peer:
$ doas ifconfig wg0 wgpeer <peer1> wgaip 10.45.0.2/24
$ doas ifconfig wg0
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
index 8 priority 0 llprio 3
wgport <port>
wgpubkey <pubkey>
wgpeer <peer1>
tx: 0, rx: 0
wgaip 10.45.0.2/24
groups: wg
inet 10.45.0.1 netmask 0xffffff00 broadcast 10.45.0.255
So far so good, adding another peer:
$ doas ifconfig wg0 wgpeer <peer2> wgaip 10.45.0.3/24
$ doas ifconfig wg0
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
index 8 priority 0 llprio 3
wgport <port>
wgpubkey <pubkey>
wgpeer <peer1>
tx: 0, rx: 0
wgpeer <peer2>
tx: 0, rx: 0
wgaip 10.45.0.2/24
groups: wg
inet 10.45.0.1 netmask 0xffffff00 broadcast 10.45.0.255
Bam. The first peer has lost its wgaip, the second one gets an invalid
wgaip, hence nothing works.
Merging it all in a single ifconfig line does not help either.
Please halp.