Date:      Thu, 4 Feb 2021 08:44:49 +0100
From:      Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To:        Vasily Postnicov <shamaz.mazum@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: new in-kernel wireguard and IPv6 endpoint
Message-ID:  <0706606b-d14e-14ee-cb02-5aeef0492798@plan-b.pwste.edu.pl>
In-Reply-To: <CADnZ6B=A2fGrZ-gi2robwq8ONNcE250oXpdAR6Limnj4HsuncQ@mail.gmail.com>
References:  <6d9afa54-d0be-df3e-9377-e19243279a70@plan-b.pwste.edu.pl> <c9267bd0-7504-0448-fee3-7c12abc8076b@plan-b.pwste.edu.pl> <CADnZ6B=A2fGrZ-gi2robwq8ONNcE250oXpdAR6Limnj4HsuncQ@mail.gmail.com>

On 04.02.2021 at 05:25, Vasily Postnicov wrote:
> If the endpoint does not use the same WireGuard implementation from
> FreeBSD, try to cherry-pick this commit first and then rebuild and
> reinstall the kernel.
>
> https://cgit.freebsd.org/src/commit/?id=5aaea4b99e5cc724e97e24a68876e8768d3d8012


Thank you for the reply, Vasily. Indeed, the second endpoint uses the Go
implementation from ports (net/wireguard-go), and this version has been
capable of utilizing IPv6 endpoints for the tunnels for a while (almost from
the early beginning of the existence of the port). Thank you for the clue
with cherry-picking the commit above, but my latest tests were done
yesterday on 14-CURRENT, already after this fix was committed.

The only thing I modified was touching the code in line 590 of file
sys/dev/if_wg/module/module.c b/sys/dev/if_wg/module/module.c which is
validating the endpoint length size. It always appeared to be 28 for
IPv6 endpoints and 16 for legacy IP endpoints. Without this ugly hack,
IPv6 endpoints were not accepted at all, but the code itself suggested
that such an endpoint should be parsed if supplied in the correct form,
i.e.: [IPv6_address]:port.

Perhaps the endpoint length is not correctly calculated for IPv6 sockets
or there is an overflow which happens there?


>
> Wed, 3 Feb 2021, 23:13 Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>:
>
>     On 21.01.2021 at 20:03, Marek Zarychta wrote:
>     > Dear subscribers,
>     >
>     > please let me know if it is possible to use IPv6 addressed endpoint
>     > for the tunnel? I have tried to specify the address enclosed in []
>     > followed by the port number, for example: [2001:db8:0:1::1]:54333,
>     > have tried without it: 2001:db8:0:1::1:54333. I have also tried to
>     > specify it with prefix length, like this one:
>     > [2001:db8:0:1::1]/128:54333, but neither works.
>     >
>     > I got only some errors:
>     >
>     > matchaddr failed
>     > peer not found - dropping 0xfffff802099b6700
>     > wg0: wg_peer_add bad length for endpoint 28
>     >
>     > Is it possible to utilize IPv6 address as an endpoint for the tunnel
>     > with this implementation?
>     >
>     >
>     There was not much feedback on the mailing list, so I changed the code a
>     bit to not validate endpoint length so strictly and check if IPv6
>     address as endpoint is supported. This resulted in a partial success.
>     The handshake over IPv6 looks like established from the endpoint (as
>     it's reported by "wg show" command), but the tunnel is neither capable
>     to carry any data nor keepalives are sent.
>
>     Here is the handshake as sniffed on the endpoint:
>
>     00:00:00.000000 IP6 (hlim 57, next-header UDP (17) payload length: 156)
>     2001:db8:d47::c:100d.12345 > 2001:db8::b.55667: [udp sum ok] UDP, length 148
>     00:00:00.002860 IP6 (hlim 64, next-header UDP (17) payload length: 100)
>     2001:db8::b.55667 > 2001:db8:d47::c:100d.12345: [bad udp cksum 0x6f50 -> 0x62b4!] UDP, length 92
>     00:00:00.000892 IP6 (hlim 57, next-header UDP (17) payload length: 120)
>     2001:db8:d47::c:100d.12345 > 2001:db8::b.55667: [udp sum ok] UDP, length 112
>
>     Perhaps the incompatibility with IPv6 should be mentioned at least in
>     just added wg(4) manual page[1]?
>
>     [1] https://cgit.freebsd.org/src/commit/?id=e59d9cb41284
>
-- 

Marek Zarychta
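
The lengths 28 and 16 quoted in the message above are sizeof(struct sockaddr_in6) and sizeof(struct sockaddr_in). The following is an added example, not part of the original message and not the if_wg code: a length check that derives the expected size from the blob's own address family before copying it into fixed storage. The names endpoint_copy and sample_v6 are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper (not the if_wg code): accept an endpoint blob only if
 * its length matches the size implied by its own address family, then copy
 * it into fixed-size storage. Returns 0 on success, -1 on rejection. */
int endpoint_copy(struct sockaddr_storage *dst, const void *src, size_t len)
{
    struct sockaddr hdr;
    size_t want;

    if (dst == NULL || src == NULL || len < sizeof(hdr) || len > sizeof(*dst))
        return -1;
    memcpy(&hdr, src, sizeof(hdr));      /* read the family without aliasing */
    switch (hdr.sa_family) {
    case AF_INET:  want = sizeof(struct sockaddr_in);  break;  /* 16 */
    case AF_INET6: want = sizeof(struct sockaddr_in6); break;  /* 28 */
    default:       return -1;            /* unknown family: reject */
    }
    if (len != want)
        return -1;                       /* family and length disagree */
    memset(dst, 0, sizeof(*dst));
    memcpy(dst, src, len);               /* len is now bounded and exact */
    return 0;
}

/* Constructed sample endpoint: [2001:db8:0:1::1]:54333, as in the thread. */
int sample_v6(struct sockaddr_in6 *out)
{
    memset(out, 0, sizeof(*out));
    out->sin6_family = AF_INET6;
    out->sin6_port = htons(54333);
    return inet_pton(AF_INET6, "2001:db8:0:1::1", &out->sin6_addr) == 1 ? 0 : -1;
}

int main(void)
{
    struct sockaddr_in6 s6;
    struct sockaddr_storage ep;

    if (sample_v6(&s6) != 0)
        return 1;
    printf("IPv6 endpoint, len %zu: %s\n", sizeof(s6),
        endpoint_copy(&ep, &s6, sizeof(s6)) == 0 ? "accepted" : "rejected");
    printf("same blob, len %zu: %s\n", sizeof(struct sockaddr_in),
        endpoint_copy(&ep, &s6, sizeof(struct sockaddr_in)) == 0 ? "accepted" : "rejected");
    return 0;
}
```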