Hello misc@,

I am trying to set up several tunnels into a single wg(4) endpoint. The first tunnel worked fine; however, when I add the second one the wgaip statement moves to the last wgpeer configured. Is this expected behavior?
/etc/hostname.wg0 with a single tunnel:
----
descr "Wireguard Site Tunnels"
inet 172.17.33.17 255.255.255.240
wgkey [REDACTED]
wgport 13231
wgpeer [ENDPOINT_1_PUBKEY] \
    wgendpoint a.b.c.d 51806 \
    wgpsk [ENDPOINT_1_PSK] \
    wgaip 0.0.0.0/0
up

`doas ifconfig wg0` output:
----
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
        description: Wireguard Site Tunnels
        index 13 priority 0 llprio 3
        wgport 13231
        wgpubkey [SERVER_PUBLIC_KEY]
        wgpeer [ENDPOINT_1_PUBKEY]
                wgpsk (present)
                wgendpoint a.b.c.d 51806
                tx: 124, rx: 180
                last handshake: 5 seconds ago
        groups: wg
        inet 172.17.33.17 netmask 0xfffffff0 broadcast 172.17.33.31

The above works as expected; however, adding the second peer causes the first peer to fail.

/etc/hostname.wg0
----
descr "Wireguard Site Tunnels"
inet 172.17.33.17 255.255.255.240
wgkey [REDACTED]
wgport 13231
wgpeer [ENDPOINT_1_PUBKEY] \
    wgendpoint a.b.c.d 51806 \
    wgpsk [ENDPOINT_1_PSK] \
    wgaip 0.0.0.0/0
wgpeer [ENDPOINT_2_PUBKEY] \
    wgpsk [ENDPOINT_2_PSK] \
    wgaip 0.0.0.0/0
up

`doas ifconfig wg0` output:
----
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
        description: Wireguard Site Tunnels
        index 13 priority 0 llprio 3
        wgport 13231
        wgpubkey [SERVER_PUBLIC_KEY]
        wgpeer [ENDPOINT_1_PUBKEY]
                wgpsk (present)
                wgendpoint a.b.c.d 51806
                tx: 17784, rx: 54632
                last handshake: 5 seconds ago
        wgpeer [ENDPOINT_2_PUBKEY]
                wgpsk (present)
                wgendpoint f.g.h.i 51807
                tx: 116328, rx: 98008
                last handshake: 42 seconds ago
                wgaip 0.0.0.0/0
        groups: wg
        inet 172.17.33.17 netmask 0xfffffff0 broadcast 172.17.33.31

This seems to happen regardless of whether I destroy the interface between adding peers or not. It also seems to happen if I try to specify the wg0 interface's network as the wgaip, e.g. wgaip 172.17.33.16/28 on both peers; only the last one seems to retain it.
Once the wgaip stanza switches, the other peer still seems to authenticate fine, but all traffic is dropped, and `doas ifconfig wg0 debug` causes the following to be printed into the kernel ring buffer:

wg0: Packet has unallowed src IP from peer 7

which makes sense, given the default is to have no IP allowed. Is it expected that one cannot assign the same wgaip blocks to more than one peer simultaneously?

Thanks,
Matt

--
Matthew Ernisse
m...@going-flying.com
https://www.going-flying.com/
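The behaviour in the post follows from how WireGuard's allowed-IPs table (its "cryptokey routing" table, which wg(4)'s wgaip entries populate) works: every prefix maps to exactly one peer, so assigning a prefix that another peer already owns moves it rather than sharing it, and a decrypted packet is dropped unless its source address routes back to the peer it arrived from. The model below is an added example written for this page, not code from the original post or from OpenBSD; peer names, addresses and the "site LAN" prefixes in it are made up. It reproduces the collision with two peers on 0.0.0.0/0, then shows the two layouts that do work: disjoint prefixes per peer, or a default route on one peer with more specific prefixes on the other (longest prefix wins).

```python
"""Model of a WireGuard cryptokey routing (allowed-IPs) table.

Added example for the misc@ thread above; not code from the post or
from OpenBSD.  Peer names and all addresses below are made up.
"""
import ipaddress


class CryptokeyRoutingTable:
    """Maps IP prefixes to peers.  A prefix belongs to exactly one peer."""

    def __init__(self):
        self._table = {}  # ip_network -> peer name

    def set_allowed_ip(self, peer, prefix):
        """Equivalent of `wgpeer <peer> wgaip <prefix>`.

        If another peer already owns the prefix it is reassigned to
        `peer`; the previous owner (or None) is returned so the caller
        can see the displacement.
        """
        net = ipaddress.ip_network(prefix, strict=False)
        previous = self._table.get(net)
        self._table[net] = peer
        return previous

    def allowed_ips(self, peer):
        """What `ifconfig` would list under this peer's wgaip lines."""
        return sorted(str(n) for n, p in self._table.items() if p == peer)

    def lookup(self, addr):
        """Longest-prefix match: which peer owns this address, if any."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, peer in self._table.items():
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def accept_inbound(self, peer, src):
        """Source check on a packet decrypted from `peer`.

        False corresponds to the kernel's "unallowed src IP" drop.
        """
        return self.lookup(src) == peer

    def select_peer_for_outbound(self, dst):
        """Outbound: the peer whose prefix matches the destination."""
        return self.lookup(dst)


def reproduce_collision():
    """Both peers configured with wgaip 0.0.0.0/0, as in the second hostname.wg0."""
    t = CryptokeyRoutingTable()
    t.set_allowed_ip("peer1", "0.0.0.0/0")
    displaced = t.set_allowed_ip("peer2", "0.0.0.0/0")  # takes it from peer1
    return {
        "displaced_from": displaced,
        "peer1_aips": t.allowed_ips("peer1"),
        "peer2_aips": t.allowed_ips("peer2"),
        "inbound_from_peer1_ok": t.accept_inbound("peer1", "172.17.33.18"),
        "inbound_from_peer2_ok": t.accept_inbound("peer2", "172.17.33.19"),
    }


def disjoint_fix():
    """Each peer gets its own tunnel address and the prefixes behind it (made up)."""
    t = CryptokeyRoutingTable()
    t.set_allowed_ip("peer1", "172.17.33.18/32")
    t.set_allowed_ip("peer1", "10.1.0.0/16")
    t.set_allowed_ip("peer2", "172.17.33.19/32")
    t.set_allowed_ip("peer2", "10.2.0.0/16")
    return {
        "inbound_from_peer1_ok": t.accept_inbound("peer1", "10.1.4.7"),
        "inbound_from_peer2_ok": t.accept_inbound("peer2", "10.2.9.1"),
        "spoofed_site1_src_via_peer2": t.accept_inbound("peer2", "10.1.4.7"),
        "route_to_site1": t.select_peer_for_outbound("10.1.0.1"),
        "route_to_site2": t.select_peer_for_outbound("10.2.0.1"),
    }


def default_plus_specific():
    """One default-route peer plus a peer with a specific prefix: both work."""
    t = CryptokeyRoutingTable()
    t.set_allowed_ip("peer1", "0.0.0.0/0")
    t.set_allowed_ip("peer2", "10.2.0.0/16")
    return {
        "route_to_site2": t.select_peer_for_outbound("10.2.0.1"),   # longest prefix
        "route_elsewhere": t.select_peer_for_outbound("192.0.2.10"),
        "inbound_from_peer1_ok": t.accept_inbound("peer1", "192.0.2.10"),
        "inbound_from_peer2_ok": t.accept_inbound("peer2", "10.2.0.1"),
    }


if __name__ == "__main__":
    for fn in (reproduce_collision, disjoint_fix, default_plus_specific):
        print(fn.__name__, fn())
```

The practical consequence on a wg(4) hub is to give each peer wgaip prefixes that do not overlap with another peer's, typically the peer's own tunnel address as a /32 plus the networks reachable behind it; if one peer is meant to be a default route, only that peer can carry 0.0.0.0/0, and the others must be restricted to more specific prefixes.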