Hi, I’m struggling to set up a WireGuard tunnel between two VPP instances and would appreciate some guidance.
Setup
-----

I have two VPP (v25.10) instances running WireGuard, each with a single wg0 interface, and obviously an ingress interface, listening on UDP port 51820.

VPP #1

vpp# sh wireguard interface
[0] wg0 src:10.111.2.32 port:51820
    private-key:8FfU4ObJvqEvjURgEMdHoPbTs9UgF8NDR6B+ZSxdZFY= \
    f057d4e0e6c9bea12f8d446010c747a0f6d3b3d52017c34347a07e652c5d6456 \
    public-key:aeQRjKX/8Rt5if2RhEjxqaPs+PYcPozy+JvO3gUikQA= \
    69e4118ca5fff11b7989fd918448f1a9a3ecf8f61c3e8cf2f89bcede05229100 \
    mac-key: ea7b418811281a565295e6fac624c6dbc7ec2f145548377e462a91ec34d8b060

vpp# sh wireguard peer
[0] endpoint:[10.111.2.32:51820->10.111.2.33:51820] wg0 keep-alive:25 flags: 0, api-clients count: 0 adj:
    key:pEMNX4tA3P3JkYp0LNNFpbVn7cgq1J7dutWXSrY2JFk= \
    a4430d5f8b40dcfdc9918a742cd345a5b567edc82ad49eddbad5974ab6362459
    allowed-ips: 172.0.0.0/16

VPP #2

vpp# sh wireguard interface
[0] wg0 src:10.111.2.33 port:51820
    private-key:wOCFz4Jz2X0QL1+/nkjCDUtbzs+y07LrQz91hhepzGY= \
    c0e085cf8273d97d102f5fbf9e48c20d4b5bcecfb2d3b2eb433f758617a9cc66 \
    public-key:pEMNX4tA3P3JkYp0LNNFpbVn7cgq1J7dutWXSrY2JFk= \
    a4430d5f8b40dcfdc9918a742cd345a5b567edc82ad49eddbad5974ab6362459 \
    mac-key: e4f26a86439c71fd926b588a494cfa86a1e9a972dfc30546e53dffdfc6e659ce

vpp# sh wireguard peer
[0] endpoint:[10.111.2.33:51820->10.111.2.32:51820] wg0 keep-alive:25 flags: 0, api-clients count: 0 adj:
    key:aeQRjKX/8Rt5if2RhEjxqaPs+PYcPozy+JvO3gUikQA= \
    69e4118ca5fff11b7989fd918448f1a9a3ecf8f61c3e8cf2f89bcede05229100
    allowed-ips: 172.0.0.0/16

Issue
-----

When attempting the WireGuard handshake, packets are received correctly on UDP port 51820, but the handshake fails and is dropped by WireGuard. The packet trace ends with:

wg4-input
  Wireguard input: Type: Handshake initiation Peer: -1 Length: 148 Keepalive: false
error-drop
  drop wg4-input: Peer error

From what I can tell, the packet reaches wg4-input, but the peer lookup fails (Peer: -1), resulting in a "wg4-input: Peer error".
Question
--------

Is there something obvious I'm missing in the peer or interface configuration that could cause the peer not to be recognized during handshake? Are there known pitfalls regarding:

* endpoint configuration
* allowed-ips matching
* source address handling
* or key usage/order in VPP WireGuard?

Any pointers or debugging suggestions would be greatly appreciated.

Thanks in advance for your help.

Best regards,
Mathis
View/Reply Online (#26677): https://lists.fd.io/g/vpp-dev/message/26677
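One offline check worth running before digging into VPP internals is whether the keys the two boxes print actually form a consistent pair: each private key must derive the public key shown on the same box, and each peer entry must hold the other box's public key. The following script is an added example, not part of the post above or of the VPP project; it implements X25519 per RFC 7748 in pure Python (no third-party packages) and the two per-peer key derivations from the WireGuard whitepaper, HASH("mac1----" || Spub) for mac1 and HASH("cookie--" || Spub) for cookies, with HASH = BLAKE2s-256. It also verifies the mac1 field of a 148-byte handshake initiation (mac1 occupies bytes 116..132) against a responder public key, which is the first thing a receiver checks before it can identify the initiator. Which of the two derived keys VPP labels "mac-key" in "show wireguard interface" is not stated on this page; the script prints both so they can be compared against the hex VPP shows. The dictionaries VPP1 and VPP2 under __main__ are copied from the post; the RFC 7748 vectors used for self-checking are constructed test data.

```python
import base64
import hashlib
import hmac

# Curve25519 parameters (RFC 7748).
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _cswap(swap, a, b):
    # Conditional swap as written in RFC 7748 (swap is 0 or 1).
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy


def x25519(scalar: bytes, u: bytes) -> bytes:
    """X25519 scalar multiplication (Montgomery ladder, RFC 7748 section 5)."""
    k = bytearray(scalar)
    k[0] &= 248          # clamp the scalar
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # mask the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def b64_from_hex(hexstr: str) -> str:
    return base64.b64encode(bytes.fromhex(hexstr)).decode()


def wg_public_key(private_key_b64: str) -> str:
    """Public key (base64) for a base64 WireGuard private key: X25519(priv, 9)."""
    priv = base64.b64decode(private_key_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are 32 bytes")
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()


def keypair_matches(private_key_b64: str, public_key_b64: str) -> bool:
    return wg_public_key(private_key_b64) == public_key_b64


def mac1_key(public_key_b64: str) -> bytes:
    """HASH(LABEL_MAC1 || Spub): key the responder uses to check mac1."""
    return hashlib.blake2s(b"mac1----" + base64.b64decode(public_key_b64)).digest()


def cookie_key(public_key_b64: str) -> bytes:
    """HASH(LABEL_COOKIE || Spub): key used to encrypt cookie replies."""
    return hashlib.blake2s(b"cookie--" + base64.b64decode(public_key_b64)).digest()


def mac1(msg_prefix: bytes, responder_public_key_b64: str) -> bytes:
    """mac1 = MAC(mac1_key, msg up to the mac1 field); MAC is keyed BLAKE2s-128."""
    return hashlib.blake2s(msg_prefix, digest_size=16,
                           key=mac1_key(responder_public_key_b64)).digest()


def mac1_valid(initiation: bytes, responder_public_key_b64: str) -> bool:
    """Check mac1 of a handshake initiation (148 bytes, mac1 at offset 116)."""
    if len(initiation) != 148:
        return False
    return hmac.compare_digest(mac1(initiation[:116], responder_public_key_b64),
                               initiation[116:132])


def crosscheck(side1: dict, side2: dict) -> dict:
    """Consistency of the keys two WireGuard endpoints print for each other."""
    return {
        "side1_keypair_consistent": keypair_matches(side1["private"], side1["public"]),
        "side2_keypair_consistent": keypair_matches(side2["private"], side2["public"]),
        "side1_peer_is_side2_public": side1["peer"] == side2["public"],
        "side2_peer_is_side1_public": side2["peer"] == side1["public"],
    }


if __name__ == "__main__":
    # Keys exactly as printed by "show wireguard interface/peer" in the post.
    VPP1 = {"private": "8FfU4ObJvqEvjURgEMdHoPbTs9UgF8NDR6B+ZSxdZFY=",
            "public": "aeQRjKX/8Rt5if2RhEjxqaPs+PYcPozy+JvO3gUikQA=",
            "peer": "pEMNX4tA3P3JkYp0LNNFpbVn7cgq1J7dutWXSrY2JFk="}
    VPP2 = {"private": "wOCFz4Jz2X0QL1+/nkjCDUtbzs+y07LrQz91hhepzGY=",
            "public": "pEMNX4tA3P3JkYp0LNNFpbVn7cgq1J7dutWXSrY2JFk=",
            "peer": "aeQRjKX/8Rt5if2RhEjxqaPs+PYcPozy+JvO3gUikQA="}
    for name, ok in crosscheck(VPP1, VPP2).items():
        print(f"{name}: {ok}")
    for name, side in (("VPP1", VPP1), ("VPP2", VPP2)):
        print(f"{name} mac1 key:   {mac1_key(side['public']).hex()}")
        print(f"{name} cookie key: {cookie_key(side['public']).hex()}")
```

If either keypair check prints False, the private key VPP holds does not belong to the public key the other side has been given, and no initiation will ever map to a peer. If both print True and the mac1 key matches what VPP prints, the key material is fine and the lookup failure has to be explained by something else in the configuration.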
