From owner-freebsd-net@freebsd.org Thu Feb 4 07:44:57 2021
From: Marek Zarychta
To: Vasily Postnicov
Cc: freebsd-net@freebsd.org
Subject: Re: new in-kernel wireguard and IPv6 endpoint
Date: Thu, 4 Feb 2021 08:44:49 +0100
Message-ID: <0706606b-d14e-14ee-cb02-5aeef0492798@plan-b.pwste.edu.pl>
References: <6d9afa54-d0be-df3e-9377-e19243279a70@plan-b.pwste.edu.pl>
List-Id: Networking and TCP/IP with FreeBSD

On 04.02.2021 at 05:25, Vasily Postnicov wrote:
> If the endpoint does not use the same WireGuard implementation from
> FreeBSD, try to cherry-pick this commit first and then rebuild and
> reinstall the kernel.
>
> https://cgit.freebsd.org/src/commit/?id=5aaea4b99e5cc724e97e24a68876e8768d3d8012
>

Thank you for the reply, Vasily. Indeed, the second endpoint uses the Go
implementation from ports (net/wireguard-go), and that version has been
capable of using IPv6 endpoints for the tunnels for a while (almost from
the very beginning of the port's existence). Thank you for the clue about
cherry-picking the commit above, but my latest tests were done yesterday
on 14-CURRENT, already after this fix was committed.

The only thing I modified was the code in line 590 of the file
sys/dev/if_wg/module/module.c, which validates the endpoint length. It
always appeared to be 28 for IPv6 endpoints and 16 for legacy IP
endpoints. Without this ugly hack, IPv6 endpoints were not accepted at
all, but the code itself suggested that such an endpoint should be parsed
if supplied in the correct form, i.e. [IPv6_address]:port.

Perhaps the endpoint length is not correctly calculated for IPv6 sockets,
or there is an overflow which happens there?

> Wed, 3 Feb 2021, 23:13 Marek Zarychta:
>
> > On 21.01.2021 at 20:03, Marek Zarychta wrote:
> > > Dear subscribers,
> > >
> > > please let me know if it is possible to use an IPv6-addressed endpoint
> > > for the tunnel? I have tried to specify the address enclosed in []
> > > followed by the port number, for example: [2001:db8:0:1::1]:54333,
> > > have tried without it: 2001:db8:0:1::1:54333. I have also tried to
> > > specify it with a prefix length, like this one:
> > > [2001:db8:0:1::1]/128:54333, but neither works.
> > >
> > > I got only some errors:
> > >
> > > matchaddr failed
> > > peer not found - dropping 0xfffff802099b6700
> > > wg0: wg_peer_add bad length for endpoint 28
> > >
> > > Is it possible to utilize an IPv6 address as an endpoint for the
> > > tunnel with this implementation?
> > >
> >
> > There was not much feedback on the mailing list, so I changed the code
> > a bit to not validate endpoint length so strictly and check if an IPv6
> > address as endpoint is supported. This resulted in a partial success.
> > The handshake over IPv6 looks established from the endpoint (as it's
> > reported by the "wg show" command), but the tunnel is neither capable
> > of carrying any data nor are keepalives sent.
> >
> > Here is the handshake as sniffed on the endpoint:
> >
> > 00:00:00.000000 IP6 (hlim 57, next-header UDP (17) payload length: 156)
> > 2001:db8:d47::c:100d.12345 > 2001:db8::b.55667: [udp sum ok] UDP, length 148
> > 00:00:00.002860 IP6 (hlim 64, next-header UDP (17) payload length: 100)
> > 2001:db8::b.55667 > 2001:db8:d47::c:100d.12345: [bad udp cksum 0x6f50 -> 0x62b4!] UDP, length 92
> > 00:00:00.000892 IP6 (hlim 57, next-header UDP (17) payload length: 120)
> > 2001:db8:d47::c:100d.12345 > 2001:db8::b.55667: [udp sum ok] UDP, length 112
> >
> > Perhaps the incompatibility with IPv6 should be mentioned at least in
> > the just added wg(4) manual page[1]?
> >
> > [1] https://cgit.freebsd.org/src/commit/?id=e59d9cb41284
> >

--
Marek Zarychta
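The thread turns on two things: how an endpoint string such as [2001:db8:0:1::1]:54333 is parsed into a socket address, and why a length check that only expects 16 bytes rejects the 28-byte sockaddr_in6 ("bad length for endpoint 28"). The following is an added, self-contained user-space example written for this page; it is not the FreeBSD if_wg code, and the shape of legacy_length_ok() is an assumption about what a 16-byte-only check looks like, not a quote of module.c line 590. It parses the bracketed IPv6 form and the plain IPv4 form, rejects the ambiguous bare "v6addr:port" and the "[addr]/128:port" variants from the thread, and contrasts the IPv4-only length check with a family-aware one. All inputs are constructed from the addresses quoted in the thread.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Parse a decimal port; returns 0 on any error (port 0 itself is rejected). */
static unsigned short parse_port(const char *s)
{
    char *end;
    long port;

    if (*s < '0' || *s > '9')               /* reject "", "+5", " 5", ... */
        return 0;
    port = strtol(s, &end, 10);
    if (*end != '\0' || port < 1 || port > 65535)
        return 0;
    return (unsigned short)port;
}

/*
 * Parse "[v6addr]:port" or "v4addr:port" into *ss.  Returns the sockaddr
 * length the family implies (sizeof(struct sockaddr_in), 16, for IPv4 and
 * sizeof(struct sockaddr_in6), 28, for IPv6) or 0 on failure.  A bare IPv6
 * address followed by ":port" is ambiguous and is rejected: brackets are
 * required, which is the "correct form" the thread refers to.
 */
size_t parse_endpoint(const char *s, struct sockaddr_storage *ss)
{
    char host[INET6_ADDRSTRLEN];
    size_t hostlen;
    unsigned short port;

    memset(ss, 0, sizeof(*ss));

    if (s[0] == '[') {                      /* bracketed IPv6 form */
        const char *rb = strchr(s, ']');
        struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ss;

        if (rb == NULL || rb[1] != ':')     /* also rejects "[addr]/128:port" */
            return 0;
        hostlen = (size_t)(rb - s - 1);
        if (hostlen == 0 || hostlen >= sizeof(host))
            return 0;
        memcpy(host, s + 1, hostlen);
        host[hostlen] = '\0';
        if (inet_pton(AF_INET6, host, &sin6->sin6_addr) != 1)
            return 0;
        if ((port = parse_port(rb + 2)) == 0)
            return 0;
        sin6->sin6_family = AF_INET6;
        sin6->sin6_port = htons(port);
        return sizeof(*sin6);
    } else {                                /* plain IPv4 form */
        const char *sep = strrchr(s, ':');
        struct sockaddr_in *sin = (struct sockaddr_in *)ss;

        if (sep == NULL)
            return 0;
        hostlen = (size_t)(sep - s);
        if (hostlen == 0 || hostlen >= sizeof(host))
            return 0;
        memcpy(host, s, hostlen);
        host[hostlen] = '\0';
        if (inet_pton(AF_INET, host, &sin->sin_addr) != 1)  /* bare IPv6 fails here */
            return 0;
        if ((port = parse_port(sep + 1)) == 0)
            return 0;
        sin->sin_family = AF_INET;
        sin->sin_port = htons(port);
        return sizeof(*sin);
    }
}

/* Address family of a parsed endpoint, or -1 if the string is rejected. */
int endpoint_family(const char *s)
{
    struct sockaddr_storage ss;

    return parse_endpoint(s, &ss) == 0 ? -1 : (int)ss.ss_family;
}

/* Assumed shape of an IPv4-only length check: anything but 16 bytes is
 * refused, which is exactly why a 28-byte sockaddr_in6 is reported as bad. */
int legacy_length_ok(size_t len)
{
    return len == sizeof(struct sockaddr_in);
}

/* Family-aware check: the supplied length must match the family being
 * claimed, so neither a truncated nor an oversized endpoint gets copied. */
int endpoint_length_ok(int family, size_t len)
{
    switch (family) {
    case AF_INET:  return len == sizeof(struct sockaddr_in);
    case AF_INET6: return len == sizeof(struct sockaddr_in6);
    default:       return 0;
    }
}

int main(void)
{
    /* constructed inputs, taken from the forms tried in the thread */
    const char *samples[] = { "[2001:db8:0:1::1]:54333", "2001:db8:0:1::1:54333",
                              "[2001:db8:0:1::1]/128:54333", "192.0.2.1:51820" };
    struct sockaddr_storage ss;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t len = parse_endpoint(samples[i], &ss);
        printf("%-28s -> len %2zu  legacy_ok=%d  family_ok=%d\n", samples[i], len,
               legacy_length_ok(len), len ? endpoint_length_ok(ss.ss_family, len) : 0);
    }
    return 0;
}
```

The practical point for anyone reviewing an endpoint-parsing path is that the check must be keyed on the address family rather than on a single magic length: a 16-only check silently turns every IPv6 peer into "bad length for endpoint 28", while a check that is loosened to accept any length (the "ugly hack" in the thread) risks copying more bytes than the family's sockaddr actually holds.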