Hello misc@,
I am trying to set up several tunnels into a single wg(4) endpoint.
The first tunnel worked fine however when I add the second one the wgaip
statement moves to the last wgpeer configured.  Is this expected behavior?

/etc/hostname.wg0 with a single tunnel:
----
descr "Wireguard Site Tunnels"
inet 172.17.33.17 255.255.255.240
wgkey [REDACTED]
wgport 13231
wgpeer [ENDPOINT_1_PUBKEY] \
        wgendpoint a.b.c.d 51806 \
        wgpsk [ENDPOINT_1_PSK] \
        wgaip 0.0.0.0/0 
up

`doas ifconfig wg0` output:
----
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
        description: Wireguard Site Tunnels
        index 13 priority 0 llprio 3
        wgport 13231
        wgpubkey [SERVER_PUBLIC_KEY]
        wgpeer [ENDPOINT_1_PUBKEY]
                wgpsk (present)
                wgendpoint a.b.c.d 51806
                tx: 124, rx: 180
                last handshake: 5 seconds ago
        groups: wg
        inet 172.17.33.17 netmask 0xfffffff0 broadcast 172.17.33.31


The above works as expected, however adding the second peer causes the first
peer to fail.

/etc/hostname.wg0
----
descr "Wireguard Site Tunnels"
inet 172.17.33.17 255.255.255.240
wgkey [REDACTED]
wgport 13231
wgpeer [ENDPOINT_1_PUBKEY] \
        wgendpoint a.b.c.d 51806 \
        wgpsk [ENDPOINT_1_PSK] \
        wgaip 0.0.0.0/0 
wgpeer [ENDPOINT_2_PUBKEY] \
        wgpsk [ENDPOINT_2_PSK] \
        wgaip 0.0.0.0/0 
up

`doas ifconfig wg0` output:
----
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
        description: Wireguard Site Tunnels
        index 13 priority 0 llprio 3
        wgport 13231
        wgpubkey [SERVER_PUBLIC_KEY]
        wgpeer [ENDPOINT_1_PUBKEY]
                wgpsk (present)
                wgendpoint a.b.c.d 51806
                tx: 17784, rx: 54632
                last handshake: 5 seconds ago
        wgpeer [ENDPOINT_2_PUBKEY]
                wgpsk (present)
                wgendpoint f.g.h.i 51807
                tx: 116328, rx: 98008
                last handshake: 42 seconds ago
                wgaip 0.0.0.0/0
        groups: wg
        inet 172.17.33.17 netmask 0xfffffff0 broadcast 172.17.33.31

This seems to happen regardless of whether I destroy the interface
between adding peers or not.  It seems to also happen if I try
to specify the wg0 interface's network as the wgaip, eg
wgaip 172.17.33.16/28 on both peers, only the last one seems to
retain it.  Once the wgaip stanza switches the other peer still
seems to authenticate fine but all traffic is dropped and
`doas ifconfig wg0 debug` causes the following to be printed
into the kernel ringbuffer:
wg0: Packet has unallowed src IP from peer 7
which makes sense, given the default is to have no ip allowed.

Is it expected that one cannot assign the same wgaip blocks to more
than one peer simultaneously? 

Thanks,
Matt

-- 
Matthew Ernisse
m...@going-flying.com
https://www.going-flying.com/
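The behaviour in the post is WireGuard's cryptokey routing: every allowed-IP prefix belongs to exactly one peer, so configuring the same wgaip on a second peer moves it there, and decrypted packets whose source is not inside the remaining peer's allowed IPs are dropped with the "unallowed src IP" message. The following model is an added example, not code from the post or from OpenBSD's wg(4); the peer names and the 10.1/10.2 site prefixes are constructed to show a non-overlapping configuration beside the one from the post.

```python
import ipaddress


class CryptokeyRouting:
    """Model of WireGuard's cryptokey routing table (allowed IPs -> peer).

    Each prefix maps to exactly one peer; adding the same prefix for another
    peer moves it instead of sharing it.  Not the kernel's data structure,
    just the rule it enforces.
    """

    def __init__(self):
        self.table = {}  # ip_network -> peer name

    def add_peer_aip(self, peer, prefix):
        net = ipaddress.ip_network(prefix)
        previous = self.table.get(net)
        self.table[net] = peer  # the last peer configured wins
        return previous

    def allowed_ips(self, peer):
        return sorted(str(n) for n, p in self.table.items() if p == peer)

    def lookup(self, addr):
        """Longest-prefix match: which peer owns this address, if any."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, peer in self.table.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def inbound_ok(self, peer, src):
        """Mirror of the 'Packet has unallowed src IP' check on decrypted traffic."""
        return self.lookup(src) == peer


def reproduce_post():
    """Both peers configured with wgaip 0.0.0.0/0, as in the hostname.wg0 above."""
    ckr = CryptokeyRouting()
    ckr.add_peer_aip("peer1", "0.0.0.0/0")
    ckr.add_peer_aip("peer2", "0.0.0.0/0")  # prefix moves to peer2
    # peer1 now has no allowed IPs, so its decrypted packets are dropped
    return ckr.allowed_ips("peer1"), ckr.allowed_ips("peer2"), ckr.inbound_ok("peer1", "172.17.33.18")


def disjoint_sites():
    """Constructed alternative: one distinct prefix per peer, so both keep traffic."""
    ckr = CryptokeyRouting()
    ckr.add_peer_aip("peer1", "10.1.0.0/16")
    ckr.add_peer_aip("peer2", "10.2.0.0/16")
    return ckr.lookup("10.1.5.5"), ckr.lookup("10.2.5.5"), ckr.inbound_ok("peer1", "10.2.5.5")
```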
