Thursday, June 01, 2023

Re: Cannot setup more than one WireGuard peer

Goddamit, 32 instead of 24. Sorry for the noise.

On Thu, Jun 01, 2023 at 01:02:36PM +0000, Valdrin MUJA wrote:
> Hi,
>
> It's because of preventing possible spoofs by each peer.
> from man wg(4) :
> The interface will accept tunneled traffic only from the peer configured with the most specific matching allowed IP address range for the incoming traffic, or drop it if no such match exists. That is, tunneled traffic routed to a given peer cannot return through another peer of the same wg interface. This ensures that peers cannot spoof another's traffic.
>
> In addition, it is explained that by reading the 2nd article of the document at the https://www.wireguard.com/papers/wireguard.pdf url address, it is determined which public key to encrypt according to the Allowed IP address.
>
> So for security reasons, it was designed that way in principle.
> If this can be assigned to an option, it's a kernel question entirely specific to wireguard implementation.
>
>
> ________________________________
> From: owner-misc@openbsd.org <owner-misc@openbsd.org> on behalf of Consus <consus@ftml.net>
> Sent: Thursday, June 1, 2023 15:47
> To: misc@openbsd.org <misc@openbsd.org>
> Subject: Cannot setup more than one WireGuard peer
>
> Hi,
>
> I'm using OpenBSD 7.3 and I have the following issue with WireGuard:
> adding more than one peer via ifconfig breaks wgaip assignments.
>
> Initial configuration:
>
> $ doas ifconfig wg0
> wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
> index 8 priority 0 llprio 3
> wgport <port>
> wgpubkey <pubkey>
> groups: wg
> inet 10.45.0.1 netmask 0xffffff00 broadcast 10.45.0.255
>
> Adding a new peer:
>
> $ doas ifconfig wg0 wgpeer <peer1> wgaip 10.45.0.2/24
> $ doas ifconfig wg0
> wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
> index 8 priority 0 llprio 3
> wgport <port>
> wgpubkey <pubkey>
> wgpeer <peer1>
> tx: 0, rx: 0
> wgaip 10.45.0.2/24
> groups: wg
> inet 10.45.0.1 netmask 0xffffff00 broadcast 10.45.0.255
>
> So far so good, adding another peer:
>
> $ doas ifconfig wg0 wgpeer <peer2> wgaip 10.45.0.3/24
> $ doas ifconfig wg0
> wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
> index 8 priority 0 llprio 3
> wgport <port>
> wgpubkey <pubkey>
> wgpeer <peer1>
> tx: 0, rx: 0
> wgpeer <peer2>
> tx: 0, rx: 0
> wgaip 10.45.0.2/24
> groups: wg
> inet 10.45.0.1 netmask 0xffffff00 broadcast 10.45.0.255
>
> Bam. The first peer has lost its wgaip, the second one gets invalid
> wgaip, hence nothing works.
>
> Merging it all in a single ifconfig line does not help either.
>
> Please halp.
>
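A small Python model of the allowed-IPs table (cryptokey routing) that both messages are talking about, added here as an example and not code from the thread or from OpenBSD's wg(4): it shows why two peers given a /24 collide on the same prefix, how a /32 per peer keeps them apart, and how the most-specific match decides which peer an incoming source address is accepted from. The class and function names are invented; the model normalizes each entry to its network prefix, so it stores 10.45.0.0/24 where ifconfig shows 10.45.0.2/24.

```python
import ipaddress


class AllowedIpTable:
    """Minimal model of WireGuard's allowed-IPs (cryptokey routing) table.

    Each prefix belongs to exactly one peer, so assigning a prefix that
    another peer already holds moves it to the new peer. Traffic is
    accepted from (and sent to) the peer owning the most specific match.
    """

    def __init__(self):
        self._routes = {}  # ip_network -> peer name

    def add_peer_aip(self, peer, cidr):
        # strict=False masks the host bits: 10.45.0.2/24 becomes 10.45.0.0/24,
        # which is exactly why two /24 entries in the thread are the same key.
        net = ipaddress.ip_network(cidr, strict=False)
        self._routes[net] = peer

    def allowed_ips(self, peer):
        return sorted(str(n) for n, p in self._routes.items() if p == peer)

    def lookup(self, addr):
        """Peer allowed to carry this address, or None (packet dropped)."""
        ip = ipaddress.ip_address(addr)
        matches = [n for n in self._routes if ip in n]
        if not matches:
            return None
        return self._routes[max(matches, key=lambda n: n.prefixlen)]


def replay(prefixlen):
    """Replay the thread's two ifconfig wgpeer calls with a given prefix length."""
    table = AllowedIpTable()
    table.add_peer_aip("peer1", f"10.45.0.2/{prefixlen}")
    table.add_peer_aip("peer2", f"10.45.0.3/{prefixlen}")
    return {
        "peer1": table.allowed_ips("peer1"),
        "peer2": table.allowed_ips("peer2"),
        "10.45.0.2 from": table.lookup("10.45.0.2"),
        "10.45.0.3 from": table.lookup("10.45.0.3"),
    }


if __name__ == "__main__":
    print("with /24:", replay(24))  # peer1 ends up with no allowed IPs
    print("with /32:", replay(32))  # each peer keeps its own host route
```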
