
WireGuard can not configure multiple peers - allowed-ips is overwritten
Closed, Invalid | Public | BUG

Description

vyos@vyos# show interfaces wireguard
 wireguard wg0 {
     address 128.0.0.1/30
     peer LR1 {
         allowed-ips 0.0.0.0/0
         endpoint 172.18.201.10:10000
         pubkey DnYrUOVWGhGr5IjD94Y68JOVI91AUb5W2pcZvTNxxS0=
     }
     peer LR3 {
         allowed-ips 0.0.0.0/0
         endpoint 172.28.254.203:10000
         pubkey gskeJI2X5CnMSD273NyBvGCxzPeFNQP/ZHUTBkjqXVg=
     }
     port 10000
 }
set interfaces wireguard wg0 address '128.0.0.1/30'
set interfaces wireguard wg0 peer LR1 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer LR1 endpoint '172.18.201.10:10000'
set interfaces wireguard wg0 peer LR1 pubkey 'DnYrUOVWGhGr5IjD94Y68JOVI91AUb5W2pcZvTNxxS0='
set interfaces wireguard wg0 peer LR3 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg0 peer LR3 endpoint '172.28.254.203:10000'
set interfaces wireguard wg0 peer LR3 pubkey 'gskeJI2X5CnMSD273NyBvGCxzPeFNQP/ZHUTBkjqXVg='
set interfaces wireguard wg0 port '10000'

If only one peer is given, all is fine. As soon as a second peer is added the allowed-ips statement is dropped from the first peer.

vyos@vyos# sudo wg show
interface: wg0
  public key: ZuOCE0oVgixTJxo7oXuwGUrZlitSOkskP2iO8f7+Z00=
  private key: (hidden)
  listening port: 10000

peer: DnYrUOVWGhGr5IjD94Y68JOVI91AUb5W2pcZvTNxxS0=
  endpoint: 172.18.201.10:10000
  allowed ips: (none)
  latest handshake: 1 minute, 16 seconds ago
  transfer: 67.18 KiB received, 365.13 KiB sent

peer: gskeJI2X5CnMSD273NyBvGCxzPeFNQP/ZHUTBkjqXVg=
  endpoint: 172.28.254.203:10000
  allowed ips: 0.0.0.0/0

Details

Difficulty level
Hard (possibly days)
Version
1.2.5 + 1.3-rolling
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Stricter validation

Event Timeline

c-po created this task.Jul 26 2020, 2:33 PM
c-po changed Version from 1.2.5 to 1.2.5 + 1.3-rolling.
runar added a subscriber: runar.Jul 26 2020, 7:10 PM

This is expected WireGuard behavior.

In WireGuard, routing is done based on the allowed-ips statements and the destination IP, not on the nexthop IP defined on the neighbor.

So, defining the same/overlapping allowed-ips on two peers in the same tunnel results in only one peer getting the statement, as WireGuard removes it from the previously defined peer.

It might be that we should disallow configuration of the same allowed-ips statement on different peers, as this makes an inconsistency between the config and the running state.

c-po added a comment.EditedJul 26 2020, 7:27 PM

Thanks for the clarification! That exclusion could indeed be added to the config scripts, which would require some ipaddress mangling to determine overlapping subnets.
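As an added illustration of both comments above (this is example code written for this page, not part of VyOS or its config scripts), the block below does two things with Python's standard `ipaddress` module: it replays the per-peer allowed-ips assignments the way the WireGuard cryptokey routing table stores them, reproducing the `wg show` output on this page where LR1 is left with no allowed IPs, and it implements the pre-commit check c-po describes, reporting an identical prefix on two peers and, optionally, prefixes that merely overlap. The peer names and the 0.0.0.0/0 prefixes are taken from the config on this page; the `(name, [prefixes])` input shape and the `flag_overlaps` policy knob are assumptions of this example.

```python
"""Added example, not VyOS project code: a model of WireGuard's cryptokey
routing table and a pre-commit check for allowed-ips clashes across peers."""
import ipaddress

# Constructed from the wg0 config on this page: two peers, both with 0.0.0.0/0.
PAGE_PEERS = [
    ("LR1", ["0.0.0.0/0"]),
    ("LR3", ["0.0.0.0/0"]),
]


def simulate_cryptokey_table(peers):
    """Replay the per-peer allowed-ips assignments in configuration order.

    WireGuard keys its cryptokey routing table by prefix, and each exact prefix
    belongs to exactly one peer. Assigning a prefix that an earlier peer already
    owns moves it to the later peer, which is what `wg show` reports on this page
    (LR1 ends up with "allowed ips: (none)").
    Returns {peer_name: [prefix, ...]} as the kernel would hold it.
    """
    owner = {}  # ip_network -> peer name, last writer wins
    for name, prefixes in peers:
        for prefix in prefixes:
            owner[ipaddress.ip_network(prefix, strict=False)] = name
    table = {name: [] for name, _ in peers}
    for net, name in owner.items():
        table[name].append(str(net))
    return table


def lookup_peer(table, dst):
    """Pick the peer for a destination by longest-prefix match over the
    simulated table, i.e. the peer whose key will encrypt the packet.
    Returns None when no peer's allowed-ips cover the destination."""
    dst_addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, prefixes in table.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if dst_addr.version != net.version:
                continue
            if dst_addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def find_allowed_ips_conflicts(peers, flag_overlaps=True):
    """Validator a config script could run before commit (hypothetical check).

    Always reports an identical prefix configured on two different peers (the
    case on this page). With flag_overlaps=True it also reports prefixes that
    merely overlap (e.g. 10.0.0.0/8 on one peer and 10.1.0.0/24 on another),
    the stricter policy discussed in the thread; overlapping-but-distinct
    prefixes are accepted by WireGuard itself, so that part is a policy choice.
    Returns [(earlier_peer, earlier_prefix, later_peer, later_prefix), ...].
    """
    seen = []  # (peer name, ip_network) in configuration order
    conflicts = []
    for name, prefixes in peers:
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            for other_name, other_net in seen:
                if other_name == name or other_net.version != net.version:
                    continue
                if net == other_net or (flag_overlaps and net.overlaps(other_net)):
                    conflicts.append((other_name, str(other_net), name, str(net)))
            seen.append((name, net))
    return conflicts


if __name__ == "__main__":
    kernel_view = simulate_cryptokey_table(PAGE_PEERS)
    print("kernel view:", kernel_view)
    print("8.8.8.8 is sent to peer:", lookup_peer(kernel_view, "8.8.8.8"))
    for c in find_allowed_ips_conflicts(PAGE_PEERS):
        print("conflict: peer %s allowed-ips %s vs peer %s allowed-ips %s" % c)
```

Running the validator on the page's config reports LR1 and LR3 clashing on 0.0.0.0/0, and the simulation shows why `wg show` listed the prefix only under LR3: the kernel has a single owner per prefix, so the configuration tree and the running state can only agree if the check rejects the duplicate before commit.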

c-po closed this task as Invalid.Jul 26 2020, 7:28 PM
c-po added a comment.Jul 26 2020, 7:58 PM

Thanks - added a note to the docs.

pasik added a subscriber: pasik.Jul 27 2020, 12:00 PM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Aug 3 2020, 2:12 PM

I think stricter validation should only be added to 1.3 so that 1.2 LTS behaviour remains stable.

dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Stricter validation.