Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Matt Dunwoodie
On Tue, 27 Oct 2020 22:36:38 +0100
Pierre Emeriaud  wrote:

> Howdy misc@,
> 
> I have a fairly complicated setup with lots of interfaces, a couple of
> rdomains etc.
> 
> I'd like wireguard to listen only on an IP address, not all. But if my
> understanding of ifconfig(8) is correct, this doesn't seem possible
> currently:
> 
> wgport port
>  Set the UDP port that the tunnel operates on.  _The
> interface will bind to INADDR_ANY and IN6ADDR_ANY_INIT._
> 
> I guess this is the reason for the following behaviour?
> 
> $ doas ifconfig wg0 wgport 53
> ifconfig: SIOCSWG: Address already in use
> (the error message is generic I guess - but confusing imho)
> 
> $ netstat -natfinet | grep 53
> tcp  0  0  127.0.0.1.53   *.*   LISTEN
> udp  0  0  127.0.0.1.53   *.*
> 
> $  netstat -T1 -natfinet | grep 53
> udp  0  0  127.0.0.1.53   *.*
> 
> Is there a way to circumvent this restriction? (is there a reason
> behind it maybe?)

A lot has been said already; however, I should clarify things.

wg(4)'s primary goal is to provide a secure network tunnel. We have no
desire to obfuscate or manipulate traffic to bypass restrictive
firewalls, which appears to be what you want to use port 53 for.

Why INADDR_ANY (and IN6ADDR_ANY_INIT)? We listen on all interfaces to
discard any notion of trusting IP addresses and rely entirely on the
crypto to authenticate packets. This ties directly to the "roaming" feature
of WireGuard [1]. As Theo mentioned we don't want to monitor for
addressing changes, so INADDR_ANY is correct.

Why no configuration knob for bind address? Well, this is a "simple"
VPN and prides itself on minimising unnecessary configuration while
still achieving its primary goals. Allowing configuration of the bind
address opens a whole can of complexity worms, including configuration
failure modes and security issues that we don't have consensus on. The
behaviour exhibited on wg(4) is also consistent with implementations of
WireGuard on other platforms. This has been discussed before: [2][3].

Finally, if you want to continue using port 53, bind wg first, then
unwind. Alternatively rdr-to rules will work and I'm guessing you
didn't do any debugging to figure out why your rules weren't working as
expected. If your goal is to bypass restrictive firewalls, you may also
want to add ports 123, 4500, 5060 to your redirect rules, but keep in
mind you're abusing software in ways it wasn't designed for so support
is minimal. I imagine it would look something like the following (with
wg(4) listening on port 53535 on the same rdomain):

pass in on $wan proto udp to (self) \
  port { 53, 123, 4500, 5060 } rdr-to 127.0.0.1 port 53535

Cheers,
Matt

[1] https://www.wireguard.com/#built-in-roaming
[2] https://lists.zx2c4.com/pipermail/wireguard/2017-May/001280.html
[3] https://lists.zx2c4.com/pipermail/wireguard/2018-June/003013.html



Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Brian Brombacher



> On Oct 29, 2020, at 6:09 PM, Pierre Emeriaud  
> wrote:
> 
> On Thu, 29 Oct 2020 at 21:03, Stuart Henderson wrote:
>> Which DNS server do you have bound on 53?
> 
> unwind
> 
> 
>>> Is there a reason why wg needs such a large bind?
>> Unless/until it gets an option to bind to a specific IP that's all it
>> can sanely do. It would definitely be useful IMO.
> 
> This is maybe where it starts to make sense. By binding INADDR_ANY,
> this allows wg to accept incoming packets whichever interface they
> came from. Maybe to mimic what is done with other tunnels/protocols
> operating at L3, while still operating at L4.

You can achieve success using pf + routing domains.  It’ll work, it just takes
extra effort.  I agree a bind IP parameter would be nice, but not a necessity
to function.

Where one function in the kernel isn’t a jack of all trades (wg) or perfect, 
another feature can help to achieve the goal (pf + rdomains, the network stack 
design used by OpenBSD for virtualizing the address and port space).




Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Theo de Raadt
Pierre Emeriaud  wrote:

> Totally agreed. This is because of my stupid idea to share port 53 for
> this use. Maybe my understanding of sockets was wrong, but I thought
> that applications could use the bind port _if and only_ they weren't
> trying to bind the same IP+port, hence my question about this
> conflict, which could happen with other ports as well.

Such a weird perspective.  I guess you've never set up a multihomed
machine.  INADDR_ANY means all interfaces, so a daemon doesn't need
to open a new socket on each interface, and listen to the route socket
for new interfaces to arrive, or old ones to be disconnected.

> Thanks everyone who answered, and if anyone has the definitive answer
> about why wg binds INADDR_ANY, I'd be interested to know.

Why does sshd bind to INADDR_ANY?  Why does httpd bind to INADDR_ANY?
The same reason for wg.  It wants to respond to requests on all interfaces.
And the loopback is not exempt.




Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Stuart Henderson
On 2020/10/29 23:08, Pierre Emeriaud wrote:
> On Thu, 29 Oct 2020 at 21:03, Stuart Henderson wrote:
> >
> > Which DNS server do you have bound on 53?
> 
> unwind
> 
> 
> > > Is there a reason why wg needs such a large bind?
> >
> > Unless/until it gets an option to bind to a specific IP that's all it
> > can sanely do. It would definitely be useful IMO.
> 
> This is maybe where it starts to make sense. By binding INADDR_ANY,
> this allows wg to accept incoming packets whichever interface they
> came from. Maybe to mimic what is done with other tunnels/protocols
> operating at L3, while still operating at L4.

Incoming is one side of it. The other side is the address used for
outgoing packets - on a multihomed system it's quite common to bind
to a specific port to get the correct source address (which can
easily vary between different services running on a machine).



Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Pierre Emeriaud
On Thu, 29 Oct 2020 at 21:17, Theo de Raadt wrote:
>
> Or, don't try to overlay stuff onto a single port.  Look, we can tell
> what is going on here, you want to tunnel over the least-filtered port
> on the internet, but if you do that trying to use that port for another
> thing is quite a problem of your own making.

On Thu, 29 Oct 2020 at 23:10, Theo de Raadt wrote:
>
> port 53 has a well known use.  It is the firstcomer, for a critical service.
>
> You are abusing that port.

Totally agreed. This is because of my stupid idea to share port 53 for
this use. Maybe my understanding of sockets was wrong, but I thought
that applications could use the bind port _if and only_ they weren't
trying to bind the same IP+port, hence my question about this
conflict, which could happen with other ports as well.

> I could easily argue there is nothing to fix in our kernel.

I think I agree, anyhow, this behavior might be intentional, so I'll
avoid doing that in the future.

Thanks everyone who answered, and if anyone has the definitive answer
about why wg binds INADDR_ANY, I'd be interested to know.



Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Theo de Raadt
Pierre Emeriaud  wrote:

> On Thu, 29 Oct 2020 at 18:00, Brian Brombacher wrote:
> >
> >
> > Then there’s a misconfiguration, wg driver bug, or the driver documentation 
> > is wrong in ifconfig about wgrtable.
> >
> > Routing domains are where you can specify multiple conflicting port binds 
> > and be fine, INADDR_ANY included.
> 
> On that matter there are no issues, only me/my setup. wg has no issues
> with binding INADDR_ANY if it is the only software binding on port 53
> _in that rdomain_. The issue I have is when I already have another
> software, like a dns resolver here already listening on 127.0.0.1 in
> that same rdomain.

port 53 has a well known use.  It is the firstcomer, for a critical service.

You are abusing that port.

I could easily argue there is nothing to fix in our kernel.



Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Pierre Emeriaud
On Thu, 29 Oct 2020 at 21:03, Stuart Henderson wrote:
>
> Which DNS server do you have bound on 53?

unwind


> > Is there a reason why wg needs such a large bind?
>
> Unless/until it gets an option to bind to a specific IP that's all it
> can sanely do. It would definitely be useful IMO.

This is maybe where it starts to make sense. By binding INADDR_ANY,
this allows wg to accept incoming packets whichever interface they
came from. Maybe to mimic what is done with other tunnels/protocols
operating at L3, while still operating at L4.



Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Pierre Emeriaud
On Thu, 29 Oct 2020 at 18:00, Brian Brombacher wrote:
>
>
> Then there’s a misconfiguration, wg driver bug, or the driver documentation 
> is wrong in ifconfig about wgrtable.
>
> Routing domains are where you can specify multiple conflicting port binds and 
> be fine, INADDR_ANY included.

On that matter there are no issues, only me/my setup. wg has no issues
with binding INADDR_ANY if it is the only software binding on port 53
_in that rdomain_. The issue I have is when I already have another
software, like a dns resolver here already listening on 127.0.0.1 in
that same rdomain.



Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Theo de Raadt
Stuart Henderson  wrote:

> On 2020-10-29, Pierre Emeriaud  wrote:
> > On Thu, 29 Oct 2020 at 01:20, Theo de Raadt wrote:
> >>
> >> I believe you are running into the restriction that we don't allow an
> >> INADDR_ANY:port binding to be done after an ipaddr:port binding has been
> >> done.  It must be done beforehand.
> >
> > Sorry Theo, maybe things got lost in translation, but if my
> > understanding is correct this is not exactly the case here. wg is
> > trying to bind to INADDR_ANY, which fails because a dns daemon (in my
> > case) is already bound to 127.0.0.1:53 (in wg_socket_open() -L700 of
> > if_wg.c-, sin->sin_addr.s_addr = INADDR_ANY?).
> 
> There are extra restrictions, to prevent some software "stealing" packets
> intended for some other software. In userland software that wants to coexist
> with other software on the same port but a different bound IP needs to use
> SO_REUSEADDR (I forgot exactly how the restriction works though). The problem
> you are seeing might be related to this.
> 
> Which DNS server do you have bound on 53?
> 
> > Is there a reason why wg needs such a large bind?
> 
> Unless/until it gets an option to bind to a specific IP that's all it
> can sanely do. It would definitely be useful IMO.

Or, configure it before the application software.

Or, don't try to overlay stuff onto a single port.  Look, we can tell
what is going on here, you want to tunnel over the least-filtered port
on the internet, but if you do that trying to use that port for another
thing is quite a problem of your own making.



Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Stuart Henderson
On 2020-10-29, Pierre Emeriaud  wrote:
> On Thu, 29 Oct 2020 at 01:20, Theo de Raadt wrote:
>>
>> I believe you are running into the restriction that we don't allow an
>> INADDR_ANY:port binding to be done after an ipaddr:port binding has been
>> done.  It must be done beforehand.
>
> Sorry Theo, maybe things got lost in translation, but if my
> understanding is correct this is not exactly the case here. wg is
> trying to bind to INADDR_ANY, which fails because a dns daemon (in my
> case) is already bound to 127.0.0.1:53 (in wg_socket_open() -L700 of
> if_wg.c-, sin->sin_addr.s_addr = INADDR_ANY?).

There are extra restrictions, to prevent some software "stealing" packets
intended for some other software. In userland software that wants to coexist
with other software on the same port but a different bound IP needs to use
SO_REUSEADDR (I forgot exactly how the restriction works though). The problem
you are seeing might be related to this.

Which DNS server do you have bound on 53?

> Is there a reason why wg needs such a large bind?

Unless/until it gets an option to bind to a specific IP that's all it
can sanely do. It would definitely be useful IMO.
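The bind-ordering rule discussed in this thread (a wildcard INADDR_ANY:port bind refused once a specific ipaddr:port bind exists, and SO_REUSEADDR as the way userland daemons coexist), reproduced with two plain UDP sockets. This is an added example, not code from the thread or from if_wg.c; it uses a kernel-chosen port instead of 53 so it needs no privilege, and the outcome of the second scenario is kernel-dependent as noted in its comment.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a UDP socket and bind it to addr:port (host byte order; port 0
 * lets the kernel pick).  Returns the fd, or -errno if anything failed. */
static int bind_udp(in_addr_t addr, uint16_t port, int reuseaddr)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    if (reuseaddr)
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuseaddr, sizeof(reuseaddr));
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(addr);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

/* Port the kernel actually assigned to a bound socket (0 on error). */
static uint16_t bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
        return 0;
    return ntohs(sin.sin_port);
}

/* Bind `first` on a kernel-chosen port, then try `second` on that same
 * port.  Returns the errno of the second bind (0 = it succeeded); both
 * sockets are closed again before returning. */
static int bind_pair(in_addr_t first, int first_reuse,
                     in_addr_t second, int second_reuse)
{
    int a = bind_udp(first, 0, first_reuse);
    if (a < 0)
        return -a;
    int b = bind_udp(second, bound_port(a), second_reuse);
    int err = b < 0 ? -b : 0;
    if (b >= 0)
        close(b);
    close(a);
    return err;
}

/* The thread's failure: a resolver (SO_REUSEADDR, as most daemons set)
 * already holds 127.0.0.1:port, then a plain socket like wg(4)'s asks
 * for INADDR_ANY on the same port.  Expected result: EADDRINUSE. */
int wildcard_after_specific(void)
{
    return bind_pair(INADDR_LOOPBACK, 1, INADDR_ANY, 0);
}

/* The order recommended in the thread: wildcard first, then the specific
 * address.  The result depends on SO_REUSEADDR and on the kernel; with
 * the option on both sockets it succeeds on OpenBSD and Linux alike. */
int specific_after_wildcard(int first_reuse, int second_reuse)
{
    return bind_pair(INADDR_ANY, first_reuse, INADDR_LOOPBACK, second_reuse);
}
```

Run `specific_after_wildcard(0, 1)` as well to see the OpenBSD-specific case where only the later, specific bind carries SO_REUSEADDR.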




Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Brian Brombacher



> On Oct 29, 2020, at 11:21 AM, Pierre Emeriaud  
> wrote:
> 
> On Thu, 29 Oct 2020 at 00:09, Brian Brombacher wrote:
>> 
>> Scratch that, use the ifconfig wgrtable option to specify separate routing 
>> domains for the port 53.  This lets you initiate many.  You still need to 
>> deal with getting the IP pointing at the right routing domain now.
> 
> I'm already using wgrtable and rdomains, and I can't change the
> outside interface to use another rtable. This won't solve the fact
> that wg is still trying to bind to INADDR_ANY.
> 

Then there’s a misconfiguration, wg driver bug, or the driver documentation is 
wrong in ifconfig about wgrtable.

Routing domains are where you can specify multiple conflicting port binds and 
be fine, INADDR_ANY included.





Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Kevin Chadwick
On 10/29/20 5:20 PM, Kevin Chadwick wrote:
> I believe it actually operates at layer 2/3 below IP and uses the default gw 
> IP
> to decide where to operate for a peer to peer link.

I'm not actually sure how that makes any sense as it uses UDP which is layer 4.

But this says layer 3

https://www.wireguard.com/papers/wireguard.pdf



Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Kevin Chadwick
On 10/29/20 4:00 PM, Pierre Emeriaud wrote:
>>> Is there a reason why wg needs such a large bind?
>> I don't know why wg does that, because I haven't looked at the code.
>> Your configuration is definitely pushing the limits.
> Alright many thanks Theo. Maybe Jason can chime in on this topic.

I believe it actually operates at layer 2/3 below IP and uses the default gw IP
to decide where to operate for a peer to peer link.

I could be totally wrong and I just hit some Windows bugs but I had issues
getting the Windows clients to work for more than a few seconds on a LAN around
6 months ago and that was my conclusion (designed for easy internet use). I just
used OpenSSH tunnels instead?



Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Pierre Emeriaud
On Thu, 29 Oct 2020 at 16:40, Theo de Raadt wrote:
>
> > Is there a reason why wg needs such a large bind?
>
> I don't know why wg does that, because I haven't looked at the code.
> Your configuration is definitely pushing the limits.

Alright many thanks Theo. Maybe Jason can chime in on this topic.

regards
pierre



Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Theo de Raadt
Pierre Emeriaud  wrote:

> On Thu, 29 Oct 2020 at 01:20, Theo de Raadt wrote:
> >
> > I believe you are running into the restriction that we don't allow an
> > INADDR_ANY:port binding to be done after an ipaddr:port binding has been
> > done.  It must be done beforehand.
> 
> Sorry Theo, maybe things got lost in translation, but if my
> understanding is correct this is not exactly the case here. wg is
> trying to bind to INADDR_ANY, which fails because a dns daemon (in my
> case) is already bound to 127.0.0.1:53 (in wg_socket_open() -L700 of
> if_wg.c-, sin->sin_addr.s_addr = INADDR_ANY?).
> 
> Is there a reason why wg needs such a large bind?

I don't know why wg does that, because I haven't looked at the code.
Your configuration is definitely pushing the limits.



Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Pierre Emeriaud
On Thu, 29 Oct 2020 at 01:20, Theo de Raadt wrote:
>
> I believe you are running into the restriction that we don't allow an
> INADDR_ANY:port binding to be done after an ipaddr:port binding has been
> done.  It must be done beforehand.

Sorry Theo, maybe things got lost in translation, but if my
understanding is correct this is not exactly the case here. wg is
trying to bind to INADDR_ANY, which fails because a dns daemon (in my
case) is already bound to 127.0.0.1:53 (in wg_socket_open() -L700 of
if_wg.c-, sin->sin_addr.s_addr = INADDR_ANY?).

Is there a reason why wg needs such a large bind?



Re: wg(4) listen on a specific interface / address

2020-10-29 Thread Pierre Emeriaud
On Thu, 29 Oct 2020 at 00:09, Brian Brombacher wrote:
>
> Scratch that, use the ifconfig wgrtable option to specify separate routing 
> domains for the port 53.  This lets you initiate many.  You still need to 
> deal with getting the IP pointing at the right routing domain now.

I'm already using wgrtable and rdomains, and I can't change the
outside interface to use another rtable. This won't solve the fact
that wg is still trying to bind to INADDR_ANY.



Re: wg(4) listen on a specific interface / address

2020-10-28 Thread Theo de Raadt
Pierre Emeriaud  wrote:

> On Tue, 27 Oct 2020 at 23:46, j...@snoopy.net.nz wrote:
> >
> >
> >
> > Hi Pierre,
> >
> > The error may indicate that port 53 on 127.0.0.1 is already used by another 
> > service. This appears to be confirmed by your netstat example. This is 
> > probably a dns service.
> 
> Thanks Joe. This is indeed a dns daemon, several in fact. But nothing
> should prevent wireguard from using port 53 on any other IP address
> than 127.0.0.1 here. (well, nothing but the code that has been
> implemented)

I believe you are running into the restriction that we don't allow an
INADDR_ANY:port binding to be done after an ipaddr:port binding has been
done.  It must be done beforehand.



Re: wg(4) listen on a specific interface / address

2020-10-28 Thread Brian Brombacher



> On Oct 28, 2020, at 6:21 PM, Brian Brombacher  wrote:
> 
> 
> 
>> On Oct 28, 2020, at 5:07 PM, Pierre Emeriaud  
>> wrote:
>> 
>> On Tue, 27 Oct 2020 at 23:46, j...@snoopy.net.nz wrote:
>>> 
>>> 
>>> 
>>> Hi Pierre,
>>> 
>>> The error may indicate that port 53 on 127.0.0.1 is already used by another 
>>> service. This appears to be confirmed by your netstat example. This is 
>>> probably a dns service.
>> 
>> Thanks Joe. This is indeed a dns daemon, several in fact. But nothing
>> should prevent wireguard from using port 53 on any other IP address
>> than 127.0.0.1 here. (well, nothing but the code that has been
>> implemented)
>> 
> 
> Can you specify separate rdomains for the wg interfaces and still use port 53 
> on all plus a dns daemon?
> 
> I have not experimented with any of this guidance.
> 

Scratch that, use the ifconfig wgrtable option to specify separate routing 
domains for the port 53.  This lets you initiate many.  You still need to deal 
with getting the IP pointing at the right routing domain now.

https://man.openbsd.org/ifconfig#wgrtable



Re: wg(4) listen on a specific interface / address

2020-10-28 Thread Brian Brombacher



> On Oct 28, 2020, at 5:07 PM, Pierre Emeriaud  
> wrote:
> 
> On Tue, 27 Oct 2020 at 23:46, j...@snoopy.net.nz wrote:
>> 
>> 
>> 
>> Hi Pierre,
>> 
>> The error may indicate that port 53 on 127.0.0.1 is already used by another 
>> service. This appears to be confirmed by your netstat example. This is 
>> probably a dns service.
> 
> Thanks Joe. This is indeed a dns daemon, several in fact. But nothing
> should prevent wireguard from using port 53 on any other IP address
> than 127.0.0.1 here. (well, nothing but the code that has been
> implemented)
> 

Can you specify separate rdomains for the wg interfaces and still use port 53 
on all plus a dns daemon?

I have not experimented with any of this guidance.



Re: wg(4) listen on a specific interface / address

2020-10-28 Thread Pierre Emeriaud
On Tue, 27 Oct 2020 at 23:46, j...@snoopy.net.nz wrote:
>
>
>
> Hi Pierre,
>
> The error may indicate that port 53 on 127.0.0.1 is already used by another 
> service. This appears to be confirmed by your netstat example. This is 
> probably a dns service.

Thanks Joe. This is indeed a dns daemon, several in fact. But nothing
should prevent wireguard from using port 53 on any other IP address
than 127.0.0.1 here. (well, nothing but the code that has been
implemented)



Re: wg(4) listen on a specific interface / address

2020-10-28 Thread Pierre Emeriaud
Hi Brian

On Tue, 27 Oct 2020 at 23:07, Brian Brombacher wrote:
>
> I wonder if multiple ports, 5053, 5153 (and so on) redirected using pf rdr-to 
> rules may work?  That way you can setup rules like first IP + port 53 
> redirect to 5053, second IP + 53 redirect to 5153?
>
> May be worth a shot trying.  Not an answer to your question, but as a 
> workaround for others.

I just tried that, with rdr-to for inbound and nat-to for outbound. It
could work indeed, but I did not manage to make it work properly.

match in quick on $wan proto udp from any to $vpnip port 53 \
    rdr-to self port 24854 rtable 1
match out quick on $wan proto udp from $vpnip to any port 24854 \
    nat-to $vpnip port 53 rtable 1

Anyhow this is unfortunately painful. This means that any port shown
on 'ifconfig wg' has to be mentally merged with pf rules, and while
this could technically work, this is difficult to troubleshoot :(



Re: wg(4) listen on a specific interface / address

2020-10-27 Thread j...@snoopy.net.nz
Hi Pierre,
The error may indicate that port 53 on 127.0.0.1 is already used by
another service. This appears to be confirmed by your netstat example.
This is probably a dns service.
Hope this helps explain the error.
Joe

 Original message 
From: Pierre Emeriaud 
Date: Wed, 28 Oct 2020, 10:36 am
To: misc 
Subject: wg(4) listen on a specific interface / address

  Howdy misc@,

  I have a fairly complicated setup with lots of interfaces, a couple of
  rdomains etc.

  I'd like wireguard to listen only on an IP address, not all. But if my
  understanding of ifconfig(8) is correct, this doesn't seem possible
  currently:

  wgport port
  Set the UDP port that the tunnel operates on.  _The interface will
  bind to INADDR_ANY and IN6ADDR_ANY_INIT._

  I guess this is the reason for the following behaviour?

  $ doas ifconfig wg0 wgport 53
  ifconfig: SIOCSWG: Address already in use
  (the error message is generic I guess - but confusing imho)

  $ netstat -natfinet | grep 53
  tcp  0  0  127.0.0.1.53   *.*   LISTEN
  udp  0  0  127.0.0.1.53   *.*

  $  netstat -T1 -natfinet | grep 53
  udp  0  0  127.0.0.1.53   *.*

  Is there a way to circumvent this restriction? (is there a reason
  behind it maybe?)

  thanks
  --
  pierre


Re: wg(4) listen on a specific interface / address

2020-10-27 Thread Brian Brombacher



> On Oct 27, 2020, at 5:33 PM, Pierre Emeriaud  
> wrote:
> 
> Howdy misc@,
> 
> I have a fairly complicated setup with lots of interfaces, a couple of
> rdomains etc.
> 
> I'd like wireguard to listen only on an IP address, not all. But if my
> understanding of ifconfig(8) is correct, this doesn't seem possible
> currently:
> 
> wgport port
> Set the UDP port that the tunnel operates on.  _The interface will
> bind to INADDR_ANY and IN6ADDR_ANY_INIT._
> 
> I guess this is the reason for the following behaviour?
> 
> $ doas ifconfig wg0 wgport 53
> ifconfig: SIOCSWG: Address already in use
> (the error message is generic I guess - but confusing imho)
> 
> $ netstat -natfinet | grep 53
> tcp  0  0  127.0.0.1.53   *.*   LISTEN
> udp  0  0  127.0.0.1.53   *.*
> 
> $  netstat -T1 -natfinet | grep 53
> udp  0  0  127.0.0.1.53   *.*
> 
> Is there a way to circumvent this restriction? (is there a reason
> behind it maybe?)
> 
> thanks
> --
> pierre
> 

I wonder if multiple ports, 5053, 5153 (and so on) redirected using pf rdr-to 
rules may work?  That way you can setup rules like first IP + port 53 redirect 
to 5053, second IP + 53 redirect to 5153?

May be worth a shot trying.  Not an answer to your question, but as a 
workaround for others.




wg(4) listen on a specific interface / address

2020-10-27 Thread Pierre Emeriaud
Howdy misc@,

I have a fairly complicated setup with lots of interfaces, a couple of
rdomains etc.

I'd like wireguard to listen only on an IP address, not all. But if my
understanding of ifconfig(8) is correct, this doesn't seem possible
currently:

wgport port
 Set the UDP port that the tunnel operates on.  _The interface will
 bind to INADDR_ANY and IN6ADDR_ANY_INIT._

I guess this is the reason for the following behaviour?

$ doas ifconfig wg0 wgport 53
ifconfig: SIOCSWG: Address already in use
(the error message is generic I guess - but confusing imho)

$ netstat -natfinet | grep 53
tcp  0  0  127.0.0.1.53   *.*   LISTEN
udp  0  0  127.0.0.1.53   *.*

$  netstat -T1 -natfinet | grep 53
udp  0  0  127.0.0.1.53   *.*

Is there a way to circumvent this restriction? (is there a reason
behind it maybe?)

thanks
--
pierre