On IPv4-only hosts it can happen that the v6 default route pointed at a
wireguard interface blackholes wireguard peer traffic intended for the v4
network when the Endpoint hostname resolves to both v6 and v4 records as
most hosts will prefer the v6 address by default. This makes using
dual-stack dy
When using wireguard tunnels for providing IPv6 connectivity to machines it
can be important to pin which IP address family should be used.
Consider a peer using a DNS name with both A/AAAA records; wg will
currently blindly follow system policy and use the first address returned
by getaddrinfo().
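As an added example of the selection problem described above (not code from wireguard-tools or from the reresolve-dns patch), the following resolves an Endpoint hostname and chooses the address family explicitly instead of taking the first getaddrinfo() result. The policy names ("any", "inet", "inet6", "prefer-inet", "prefer-inet6"), the injectable resolver parameter and the documentation-range addresses used in the constructed lookup answers are all assumptions made here so the logic can be exercised offline; only the `wg set <if> peer <key> endpoint <addr>` command form is taken from the page.

```python
import socket
from typing import Callable, Iterable, List, Tuple

# Added example (not from wireguard-tools or the reresolve-dns patch).
# getaddrinfo() on a dual-stack host usually lists the AAAA record first; if
# the v6 default route points into the tunnel, handing that address to
# `wg set ... endpoint` blackholes the peer. Pinning the family avoids that.

AddrInfo = Tuple[int, int, int, str, tuple]
_FAMILY = {"inet": socket.AF_INET, "inet6": socket.AF_INET6}


def format_endpoint(family: int, sockaddr: tuple) -> str:
    """Render an address the way `wg set <if> peer <key> endpoint` expects;
    IPv6 literals must be bracketed so the port separator is unambiguous."""
    ip, port = sockaddr[0], sockaddr[1]
    return f"[{ip}]:{port}" if family == socket.AF_INET6 else f"{ip}:{port}"


def resolve_endpoints(host: str, port: int, policy: str = "any",
                      resolver: Callable[..., Iterable[AddrInfo]] = socket.getaddrinfo,
                      ) -> List[str]:
    """Candidate endpoint strings for host:port, ordered by policy (assumed names):
      "any"                         system order, i.e. what blindly following
                                    getaddrinfo() gives you
      "inet" / "inet6"              pin that family; other records are dropped
      "prefer-inet" / "prefer-inet6" that family first, the other kept as fallback
    An empty list means no usable record; callers should keep the old
    endpoint rather than clearing it."""
    if policy == "any":
        pinned = preferred = None
    elif policy in _FAMILY:
        pinned, preferred = _FAMILY[policy], None
    elif policy.startswith("prefer-") and policy[7:] in _FAMILY:
        pinned, preferred = None, _FAMILY[policy[7:]]
    else:
        raise ValueError(f"unknown policy {policy!r}")
    # Ask the resolver for only the pinned family (AF_UNSPEC == 0 otherwise).
    try:
        results = list(resolver(host, port, pinned or 0, socket.SOCK_DGRAM))
    except socket.gaierror:
        return []
    # Filter again: not every resolver honours the family hint.
    if pinned is not None:
        results = [r for r in results if r[0] == pinned]
    if preferred is not None:
        # Stable sort: preferred family first, original order kept within a family.
        results.sort(key=lambda r: r[0] != preferred)
    seen, out = set(), []
    for fam, _socktype, _proto, _canon, sockaddr in results:
        ep = format_endpoint(fam, sockaddr)
        if ep not in seen:          # getaddrinfo repeats entries per socktype/proto
            seen.add(ep)
            out.append(ep)
    return out


def wg_set_endpoint_argv(ifname: str, peer_pubkey: str, endpoint: str) -> List[str]:
    """argv for the wg(8) call a re-resolve script would run with the chosen address."""
    return ["wg", "set", ifname, "peer", peer_pubkey, "endpoint", endpoint]


def make_constructed_resolver(answers):
    """Stand-in for getaddrinfo() built from constructed (family, ip) pairs, so the
    selection logic can be run offline. Addresses are documentation ranges."""
    def resolver(host, port, family=0, socktype=0, proto=0, flags=0):
        out = []
        for fam, ip in answers:
            if family not in (0, fam):
                continue
            sa = (ip, port, 0, 0) if fam == socket.AF_INET6 else (ip, port)
            out.append((fam, socket.SOCK_DGRAM, socket.IPPROTO_UDP, "", sa))
        return out
    return resolver


# Constructed answers: a dual-stack name with AAAA listed first, and a v4-only name.
DUAL_STACK = make_constructed_resolver([(socket.AF_INET6, "2001:db8::1"),
                                        (socket.AF_INET, "192.0.2.1")])
V4_ONLY = make_constructed_resolver([(socket.AF_INET, "192.0.2.1")])

if __name__ == "__main__":
    for policy in ("any", "inet", "inet6", "prefer-inet"):
        print(policy, resolve_endpoints("vpn.example", 51820, policy, DUAL_STACK))
    print("inet6 on v4-only name:", resolve_endpoints("vpn.example", 51820, "inet6", V4_ONLY))
```

With a pinned family the function returns nothing rather than silently using the other family, which is the behaviour you want in a periodic re-resolve job: an empty answer should leave the current endpoint alone instead of swapping it for an address the host cannot reach.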
option into account.
We would like to note that the not_oif patch[1] would also alleviate this
problem but since this never got merged it's not a workable solution.
[1]: http://marc.info/?t=145452167200014&r=1&w=2
Signed-off-by: Daniel Gröber
---
contrib/reresolve-dns/reresolve-dns.sh
This adds a new config key PrivateKeyFile= that simply hooks up the
existing code for the `wg set ... private-key /file` codepath.
Using this new option the interface configs can be much easier to deploy in
an automated fashion as they don't contain secrets anymore. The private key
can easily be p
42.42/24
$ ip addr add dev wg-test fe80::/64
$ ip -br addr show wg-test
wg-test DOWN 192.168.42.42/24 fe80::/64
$ ip link set dev wg-test master vrf-test
$ ip -br addr show wg-test
wg-test DOWN 192.168.42.42/32
Signed-off-by: Daniel G
wg set %i private-key /some/file`.
However this breaks when we try to use setconf or syncconf as they
will (rightly) unset the private key when it's missing in the underlying
config file, breaking connectivity.
Reviewed-By: Michael Tokarev
Signed-off-by: Daniel Gröber
---
src/config.c | 8 +++
Hi,
I thought it might be useful to do some quick and dirty code review instead
of speculating wildly to figure out where these source IP selection
problems could be coming from ;)
From previous code deep dives I know the udp_tunnel_xmit_skb function is
where tunnel packets get handed off to the
Hi wire-guard, :)
tl;dr: I want to implement multiple peer endpoints to fix the only two
problems haunting me with wireguard.
I have a multihomed router with two public IPv4 addresses plus default
routes in a failover configuration. The setup includes the two default
routes with different metrics
Hi John,
On Fri, Jul 21, 2023 at 09:47:11AM -0400, John Lauro wrote:
> I have a lots of multihomed routers setup for vpn site to site and
> running bgp over the vpn mesh.
>
> First, make sure these are all 0 as are multihomed.
> cat $( find /proc/sys/net/ipv4 -name rp_filter )
My routers are beh
Hi Daniel,
On Mon, Jul 31, 2023 at 11:39:35PM +0200, Daniel wrote:
> I create a hostname with few IPs v4 & v6 for my wireguard server. I faced
> today a problem that after a failure with the ip a customer wg was
> registered, it continues to try to register with this ip instead of falling back
> to ano
On Tue, Aug 01, 2023 at 10:33:03AM +0200, Daniel wrote:
> > On Mon, Jul 31, 2023 at 11:39:35PM +0200, Daniel wrote:
> > > I create a hostname with few IPs v4 & v6 for my wireguard server. I faced
> > > today a problem that after a failure with the ip a customer wg was
> > > registered, it continue
---
drivers/net/wireguard/socket.c | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireguard/socket.c b/drivers/net/wireguard/socket.c
index 0414d7a6ce74..c35163f503e7 100644
--- a/drivers/net/wireguard/socket.c
+++ b/drivers/net/wireguard/socket.c
@@ -387,
Multihomed hosts may want to run distinct wg tunnels across all their
uplinks for redundant connectivity. Currently this entails picking
different ports for each wg tunnel since we allow only binding to the
wildcard address. Sharing a single port-number for all uplink
connections (but bound to a pa
Signed-off-by: Daniel Gröber
---
src/uapi/linux/linux/wireguard.h | 6 ++
1 file changed, 6 insertions(+)
diff --git a/src/uapi/linux/linux/wireguard.h b/src/uapi/linux/linux/wireguard.h
index 0efd52c..36afb66 100644
--- a/src/uapi/linux/linux/wireguard.h
+++ b/src/uapi/linux/linux
Signed-off-by: Daniel Gröber
---
src/config.c | 116 +++---
src/containers.h | 33 +++--
src/ipc-freebsd.h | 4 ++
src/ipc-linux.h | 38 ++-
src/ipc-openbsd.h | 4 ++
src/ipc-uapi.h| 2 +
src/ipc-windows.h | 4
ot; prefix. Instead print the
error to stderr and just don't print anything on stdout in this case. Empty
string is easier to detect than an arbitrary set of (possibly localised!)
error messages.
Signed-off-by: Daniel Gröber
---
src/show.c | 29 +++--
1 file changed,
This will allow more codesharing with code dealing with the peer endpoints.
Signed-off-by: Daniel Gröber
---
src/config.c | 2 --
src/ipc-freebsd.h | 2 +-
src/ipc-linux.h | 6 +++---
src/ipc-openbsd.h | 4 ++--
src/ipc-uapi.h| 2 +-
src/ipc-windows.h | 4 ++--
src/show.c
Hi Nathaniel,
On Mon, May 22, 2023 at 07:48:04AM +0100, Nathaniel Filardo wrote:
> This means that v4-mapped v6 addresses (:::a.b.c.d) can be
> registered as peer endpoints, but the kernel very silently won't try
> to reach out. Is that deliberate for some reason that eludes me? If
> it is,
Hi wireguard, birds, and babelers,
tl;dr I want to add a new Linux route attribute (think "via $wgpeer") to
supplement wireguard's internal AllowedIPs logic for both routing and
source address filtering.
I've been pondering how to better integrate wireguard into dynamic routing
daemons, particula
Hi Bernd,
On Sat, Aug 19, 2023 at 07:50:38PM +0200, Bernd Naumann wrote:
> Chances are high I do miss something, but I've just set AllowedIPs to
> 0.0.0.0/0 and ::/0 and just used the routing protocol of my choice and
> filters to select which routes got exported and imported... :shrug:
Right, le
Hi Nathaniel,
On Sat, Aug 19, 2023 at 05:34:00PM +0100, Nathaniel Filardo wrote:
> DNS absolutely can and does
I mean I can (and used to) enter fe80::/64 link local addresses into DNS
but it turns out this is actually forbidden by the RFCs but nothing will
stop you. I'm not convinced putting ::f
Hi Steffen,
from the questions you ask I fear you've misunderstood my intention to
"replace" AllowedIPs. I'm strictly talking of the _implementation_
(allowedips.c) in Linux in particular. The netlink interface would naturally
stay unchanged.
On Sat, Aug 19, 2023 at 10:00:17PM +0200, Steffen Vogel w
Some systems may have the sockaddr fields in a different arrangement and
need #ifdef'ing; this makes this obvious to any future porters.
Signed-off-by: Daniel Gröber
---
src/containers.h | 21 +
1 file changed, 21 insertions(+)
diff --git a/src/containers.h
Hi Luiz,
On Tue, Aug 22, 2023 at 05:39:23PM -0300, Luiz Angelo Daros de Luca wrote:
> We noticed an issue with clients that use PPPoE and connect to WG
> using IPv6. Both sides start to fragment the encrypted packet leading
> to a severe degradation in performance. We reduced the wireguard MTU
> f
Hi,
On Wed, Aug 23, 2023 at 04:58:40PM +0200, Marek Küthe wrote:
> PPPoE adds 8 bytes of overhead so that an MTU of 1432 can be used. I
> also have to do this at home with my DSL line for example.
> The MTU should be set on each side (on both peers) for this to work.
Oh, I just realized I used th
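The PPPoE/MTU exchange above is easy to get wrong by a few bytes, and the difference between a v4 and a v6 endpoint is exactly what decides whether the encrypted packets fragment. The following is an added example (not code from the thread or from the WireGuard project) that does the size arithmetic: the IP, UDP, PPPoE and WireGuard transport-message sizes are protocol constants; that the transport padding is clamped to the interface MTU is my reading of the Linux implementation and is an assumption to verify against your kernel.

```python
import math

# Added example, not from the thread or the WireGuard project: size arithmetic
# for a WireGuard tunnel whose underlay is a PPPoE link, so the inner MTU can
# be chosen such that the encrypted UDP datagram never exceeds the path MTU.

IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
WG_HEADER = 16       # transport data message: type/reserved (4) + receiver index (4) + counter (8)
WG_TAG = 16          # Poly1305 authentication tag appended to the ciphertext
WG_PADDING = 16      # plaintext is padded up to a multiple of 16 bytes before encryption
PPPOE_OVERHEAD = 8   # 6-byte PPPoE header + 2-byte PPP protocol field


def path_mtu(link_mtu: int, pppoe: bool) -> int:
    """Bytes available to the outer IP packet on the underlay."""
    return link_mtu - (PPPOE_OVERHEAD if pppoe else 0)


def outer_headers(endpoint_family: str) -> int:
    """Everything WireGuard wraps around the inner packet for a v4 or v6 endpoint."""
    ip = IPV6_HEADER if endpoint_family == "inet6" else IPV4_HEADER
    return ip + UDP_HEADER + WG_HEADER + WG_TAG


def wg_mtu(link_mtu: int, endpoint_family: str, pppoe: bool = False) -> int:
    """Largest inner MTU whose encrypted form still fits the underlay path MTU.
    1500 with a v6 endpoint gives 1420 (wg-quick's default); over PPPoE the
    figure drops to 1432 for a v4 endpoint but 1412 for a v6 endpoint."""
    return path_mtu(link_mtu, pppoe) - outer_headers(endpoint_family)


def padded_len(inner_len: int, wg_if_mtu: int) -> int:
    """Plaintext length after padding. Assumption (Linux calculate_skb_padding()):
    padding is clamped to the interface MTU so a full-size inner packet is not
    pushed past the path MTU. Callers pass inner_len <= wg_if_mtu."""
    return min(wg_if_mtu, math.ceil(inner_len / WG_PADDING) * WG_PADDING)


def outer_size(inner_len: int, wg_if_mtu: int, endpoint_family: str) -> int:
    """Size of the outer IP packet carrying one inner packet."""
    return padded_len(inner_len, wg_if_mtu) + outer_headers(endpoint_family)


def will_fragment(inner_len: int, wg_if_mtu: int, endpoint_family: str,
                  link_mtu: int, pppoe: bool = False) -> bool:
    """True if the encrypted packet exceeds the underlay path MTU, i.e. the
    symptom the thread describes (both sides fragmenting every full packet)."""
    return outer_size(inner_len, wg_if_mtu, endpoint_family) > path_mtu(link_mtu, pppoe)


if __name__ == "__main__":
    for fam in ("inet", "inet6"):
        for pppoe in (False, True):
            print(f"link 1500, {fam} endpoint, pppoe={pppoe}: wg MTU {wg_mtu(1500, fam, pppoe)}")
    # A v6 endpoint behind PPPoE configured with the v4 figure of 1432 fragments:
    print("1432 over v6+PPPoE fragments:", will_fragment(1432, 1432, "inet6", 1500, pppoe=True))
```

Running it shows why "1432" is only right for a v4 endpoint: with a v6 endpoint over PPPoE a full 1432-byte inner packet becomes 1512 bytes on the wire against a 1492-byte path, so both peers fragment every large packet until the interface MTU is lowered to 1412.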
Hi Kyle,
On Mon, Aug 28, 2023 at 11:40:48AM -0400, Kyle Rose wrote:
> On Sat, Aug 19, 2023 at 5:25 PM Daniel Gröber wrote:
> > Having read Kyle's use-case I'm thinking my original plan to extend the wg
> > internal source-address filtering to use a rt lookup with our ne
Hi Juliusz,
On Mon, Aug 28, 2023 at 07:40:51PM +0200, Juliusz Chroboczek wrote:
> I've read the whole discussion, and I'm still not clear what advantages
> the proposed route attribute has over having one interface per peer. Is
> it because interfaces are expensive in the Linux kernel? Or is the
Hi Ivan,
> IMO, a good tunnel solution may be if what is now called AllowedIPs,
> were functionally split into:
> - AcceptIPS (to be different from AllowedIPs)
> - RouteIPs
> Perhaps with a default shorthand of, say, IPs, setting both, as
> AllowedIPs historically caused confusion wrt. it's mean
This doesn't seem to be reachable normally, but while working on a patch
for the address binding code I ended up triggering this leak and had to
reboot to get rid of the leaking wg sockets.
---
drivers/net/wireguard/socket.c | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --gi
or wg tunnel traffic by configuring
fwmark ip-rules and setting sysctl udp_l3mdev_accept=1 (with or without
additional nft filtering), this is at best a kludge. When VRF membership
changes it becomes a major hassle to keep ip-rules up to date.
Signed-off-by: Daniel Gröber
---
drivers/net/wire
2023 at 03:06:09PM +0200, Daniel Gröber wrote:
> > This doesn't seem to be reachable normally, but while working on a patch
>
> "Normally" as in what? At all? Or?
I committed this while working on my address/ifindex binding patch[1]
(which I will also resend shortly), at t
Signed-off-by: Daniel Gröber
---
src/showconf.c | 17 ++---
1 file changed, 2 insertions(+), 15 deletions(-)
diff --git a/src/showconf.c b/src/showconf.c
index c99a6a0..f2c6a68 100644
--- a/src/showconf.c
+++ b/src/showconf.c
@@ -23,8 +23,6 @@ int showconf_main(int argc, const char
ot; prefix. Instead print the
error to stderr and just don't print anything on stdout in this case. Empty
string is easier to detect than an arbitrary set of (possibly localised!)
error messages.
Signed-off-by: Daniel Gröber
---
Changes in v2:
- Remove now redundant print_endpoi
42 matches