Hi,

It's to prevent possible spoofing by each peer.
From wg(4):
The interface will accept tunneled traffic only from the peer configured with 
the most specific matching allowed IP address range for the incoming traffic, 
or drop it if no such match exists. That is, tunneled traffic routed to a given 
peer cannot return through another peer of the same wg interface. This ensures 
that peers cannot spoof another's traffic.

In addition, as explained in the 2nd section of the document at 
https://www.wireguard.com/papers/wireguard.pdf, the Allowed IP address 
determines which public key to encrypt to.

So for security reasons, it was designed that way in principle.
Whether this can be made an option is a kernel question entirely specific 
to the WireGuard implementation.
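To make the behaviour quoted above concrete, here is a small model of the allowed-IP table of a wg interface. It is an added example, not OpenBSD's or WireGuard's code: each prefix is owned by exactly one peer, incoming tunneled traffic is matched against the most specific prefix and dropped otherwise, and the same lookup answers which peer (public key) outgoing traffic is encrypted to. The peer names and the 10.45.0.0/24 addresses are the ones from the thread; the model normalises "10.45.0.2/24" to its network key "10.45.0.0/24", which is why two peers given a /24 from the same subnet end up fighting over one entry.

```python
import ipaddress

# Constructed model of the per-interface allowed-IP table (added example,
# not the kernel's implementation). Peer names are placeholders.
class AllowedIPTable:
    def __init__(self):
        self._entries = {}  # ip_network -> owning peer

    def add(self, peer, cidr):
        """Assign cidr to peer.  Host bits are masked off, so 10.45.0.2/24 and
        10.45.0.3/24 are the same key (10.45.0.0/24): the later assignment
        takes the prefix away from the earlier peer instead of adding a second
        entry."""
        net = ipaddress.ip_network(cidr, strict=False)
        self._entries[net] = peer
        return str(net)

    def allowed_ips(self, peer):
        """Prefixes currently owned by peer (what ifconfig shows as wgaip)."""
        return sorted(str(n) for n, p in self._entries.items() if p == peer)

    def lookup(self, ip):
        """Most-specific match: the longest matching prefix decides which peer
        owns the address; None means no match (incoming packet is dropped,
        outgoing packet has no peer to encrypt to)."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, peer in self._entries.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accepts(self, from_peer, src_ip):
        """Anti-spoofing check on decrypted traffic: the packet is accepted only
        if the peer it arrived from is the owner of the source address."""
        return self.lookup(src_ip) == from_peer


def overlapping_scenario():
    """The thread's configuration: both peers get a /24 from the same subnet."""
    t = AllowedIPTable()
    t.add("peer1", "10.45.0.2/24")
    t.add("peer2", "10.45.0.3/24")
    # peer1 has lost its prefix; peer2 owns the whole /24, including 10.45.0.2
    return t.allowed_ips("peer1"), t.allowed_ips("peer2"), t.lookup("10.45.0.2")


def host_prefix_scenario():
    """One host prefix per peer: each address resolves to exactly one peer."""
    t = AllowedIPTable()
    t.add("peer1", "10.45.0.2/32")
    t.add("peer2", "10.45.0.3/32")
    return t.lookup("10.45.0.2"), t.lookup("10.45.0.3"), t.lookup("10.45.0.9")


def most_specific_scenario():
    """Overlapping prefixes of different length: the more specific one wins."""
    t = AllowedIPTable()
    t.add("peer1", "10.45.0.0/24")
    t.add("peer2", "10.45.0.3/32")
    return t.lookup("10.45.0.3"), t.lookup("10.45.0.2")


if __name__ == "__main__":
    print("overlapping /24s :", overlapping_scenario())
    print("per-host /32s    :", host_prefix_scenario())
    print("most specific    :", most_specific_scenario())
```

Running it reproduces the ifconfig output from the thread in miniature: after the second assignment peer1 has no allowed IP left and peer2 holds the /24, so any traffic for 10.45.0.2 is routed to peer2 and anything peer1 sends from 10.45.0.2 fails the ownership check and is dropped.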


________________________________
From: [email protected] <[email protected]> on behalf of Consus 
<[email protected]>
Sent: Thursday, June 1, 2023 15:47
To: [email protected] <[email protected]>
Subject: Cannot setup more than one WireGuard peer

Hi,

I'm using OpenBSD 7.3 and I have the following issue with WireGuard:
adding more than one peer via ifconfig breaks wgaip assignments.

Initial configuration:

  $ doas ifconfig wg0
  wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
        index 8 priority 0 llprio 3
        wgport <port>
        wgpubkey <pubkey>
        groups: wg
        inet 10.45.0.1 netmask 0xffffff00 broadcast 10.45.0.255

Adding a new peer:

  $ doas ifconfig wg0 wgpeer <peer1> wgaip 10.45.0.2/24
  $ doas ifconfig wg0
  wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
          index 8 priority 0 llprio 3
          wgport <port>
          wgpubkey <pubkey>
          wgpeer <peer1>
                  tx: 0, rx: 0
                  wgaip 10.45.0.2/24
          groups: wg
          inet 10.45.0.1 netmask 0xffffff00 broadcast 10.45.0.255

So far so good, adding another peer:

  $ doas ifconfig wg0 wgpeer <peer2> wgaip 10.45.0.3/24
  $ doas ifconfig wg0
  wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
          index 8 priority 0 llprio 3
          wgport <port>
          wgpubkey <pubkey>
          wgpeer <peer1>
                  tx: 0, rx: 0
          wgpeer <peer2>
                  tx: 0, rx: 0
                  wgaip 10.45.0.2/24
          groups: wg
          inet 10.45.0.1 netmask 0xffffff00 broadcast 10.45.0.255

Bam. The first peer has lost its wgaip, the second one gets an invalid
wgaip, hence nothing works.

Merging it all in a single ifconfig line does not help either.

Please halp.
