Page MenuHomeVyOS Platform

IPv6 link-local address not accepted as wireguard peer
Closed, ResolvedPublicFEATURE REQUEST


When I try to set up a wireguard tunnel with an endpoint using its IPv6 link-local address, I am greeted with the following error message, even though the address is valid. I suspect this is probably due to the '%' sign and the letters of the interface. Using a regular Linux distribution and wg-quick, IPv6 link-local addresses are accepted and function as expected.


Difficulty level
Easy (less than an hour)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav changed the subtype of this task from "Bug" to "Feature Request".Thu, Jan 13, 11:19 PM

Link-local addresses with %ethX are not accepted in any protocols/peers/etc. A few services are allowed to set them as listen like ssh/dns at the moment.
Is there a real use case why you need it on wireguard interfaces?

It requires to change or extend validator for address/host

Getting link-local addresses to work would probably be very low-priority, but I did run into an extremely niche case where I wanted to do that. It's not the type of situation that would happen in a production environment, but I was running VyOS on a computer tethered via ethernet to an Android-based phone, and I wanted to connect to a wireguard peer running on the phone. Modern version of Android randomize the IPv4 address of their tethered interface on each reboot, but their link-local IPv6 address remains the same, making it more convenient to use it.

(What I was doing was using socat on the Android phone to relay an external wireguard peer to a locally running listener, and then connecting to that from the VyOS router. When doing this, since the UDP connection to the wireguard peer originates on the phone, the relayed wireguard connection between the router and the external wireguard peer isn't subject to tethering data limits on an otherwise unlimited plan. The VyOS router would then use the unlimited wireguard connection as a failover connection.)

I can't really think of any normal circumstances where one would need a link-local IPv6 address as a wireguard peer though.

@odhnera Try to comment or delete the validation string and restart vyos-configd service

sudo nano -c +5 /opt/vyatta/share/vyatta-cfg/templates/interfaces/wireguard/node.tag/peer/node.tag/address/node.def
sudo systemctl restart vyos-configd

After this, you should allowed to set link_local_v6

Can you test it?

Thanks; I just tested commenting out line 5 of that file, and it successfully works around the issue, allowing me to set a link-local IPv6 address as my endpoint. The wireguard connection itself also works, and I can pass traffic.

Viacheslav changed the task status from Open to In progress.Fri, Jan 14, 9:01 PM
Viacheslav claimed this task.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.