Date:      Thu, 4 Feb 2021 10:47:18 +0300
From:      Vasily Postnicov <shamaz.mazum@gmail.com>
To:        Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Cc:        freebsd-net@freebsd.org
Subject:   Re: new in-kernel wireguard and IPv6 endpoint
Message-ID:  <CADnZ6Bm=de2-y=TR_FsCD6QpC9xj8LpfmWyFfVx1__7fMrhFBQ@mail.gmail.com>
In-Reply-To: <0706606b-d14e-14ee-cb02-5aeef0492798@plan-b.pwste.edu.pl>
References:  <6d9afa54-d0be-df3e-9377-e19243279a70@plan-b.pwste.edu.pl> <c9267bd0-7504-0448-fee3-7c12abc8076b@plan-b.pwste.edu.pl> <CADnZ6B=A2fGrZ-gi2robwq8ONNcE250oXpdAR6Limnj4HsuncQ@mail.gmail.com> <0706606b-d14e-14ee-cb02-5aeef0492798@plan-b.pwste.edu.pl>

Maybe. I have nothing to suggest, sorry. I never used IPv6 in real life.

On Thu, 4 Feb 2021 at 10:44, Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:

> On 04.02.2021 at 05:25, Vasily Postnicov wrote:
>
> If the endpoint does not use the same WireGuard implementation from
> FreeBSD, try to cherry-pick this commit first and then rebuild and
> reinstall the kernel.
>
>
> https://cgit.freebsd.org/src/commit/?id=5aaea4b99e5cc724e97e24a68876e8768d3d8012
>
>
> Thank you for the reply, Vasily. Indeed, the second endpoint uses the Go
> implementation from ports (net/wireguard-go) and this version has been
> capable of utilizing IPv6 endpoints for the tunnels for a while (almost
> from the early beginning of the existence of the port). Thank you for the
> clue with cherry-picking the commit above, but my latest tests were done
> yesterday on 14-CURRENT already after this fix was committed.
>
> The only thing I modified was touching the code in line 590 of file
> sys/dev/if_wg/module/module.c b/sys/dev/if_wg/module/module.c which is
> validating the endpoint length size. It always appeared to be 28 for IPv6
> endpoints and 16 for legacy IP endpoints. Without this ugly hack, IPv6
> endpoints were not accepted at all, but the code itself suggested that such
> an endpoint should be parsed if supplied in the correct form, i.e.:
> [IPv6_address]:port.
>
> Perhaps the endpoint length is not correctly calculated for IPv6 sockets
> or there is an overflow which happens there?
>
>
>
> On Wed, 3 Feb 2021 at 23:13, Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:
>
>> On 21.01.2021 at 20:03, Marek Zarychta wrote:
>> > Dear subscribers,
>> >
>> > please let me know if it is possible to use IPv6 addressed endpoint
>> > for the tunnel? I have tried to specify the address enclosed in []
>> > followed by the port number, for example: [2001:db8:0:1::1]:54333,
>> > have tried without it: 2001:db8:0:1::1:54333. I have also tried to
>> > specify it with prefix length, like this one:
>> > [2001:db8:0:1::1]/128:54333, but neither works.
>> >
>> > I got only some errors:
>> >
>> > matchaddr failed
>> > peer not found - dropping 0xfffff802099b6700
>> > wg0: wg_peer_add bad length for endpoint 28
>> >
>> > Is it possible to utilize IPv6 address as an endpoint for the tunnel
>> > with this implementation?
>> >
>> >
>> There was not much feedback on the mailing list, so I changed the code a
>> bit to not validate endpoint length so strictly and check if IPv6
>> address as endpoint is supported. This resulted in a partial success.
>> The handshake over IPv6 looks like established from the endpoint (as
>> it's reported by "wg show" command), but the tunnel is neither capable
>> to carry any data nor are keepalives sent.
>>
>> Here is the handshake as sniffed on the endpoint:
>>
>> 00:00:00.000000 IP6 (hlim 57, next-header UDP (17) payload length: 156)
>> 2001:db8:d47::c:100d.12345 > 2001:db8::b.55667: [udp sum ok] UDP, length
>> 148
>> 00:00:00.002860 IP6 (hlim 64, next-header UDP (17) payload length: 100)
>> 2001:db8::b.55667 > 2001:db8:d47::c:100d.12345: [bad udp cksum 0x6f50 ->
>> 0x62b4!] UDP, length 92
>> 00:00:00.000892 IP6 (hlim 57, next-header UDP (17) payload length: 120)
>> 2001:db8:d47::c:100d.12345 > 2001:db8::b.55667: [udp sum ok] UDP, length
>> 112
>>
>> Perhaps the incompatibility with IPv6 should be mentioned at least in
>> just added wg(4) manual page[1]?
>>
>> [1] https://cgit.freebsd.org/src/commit/?id=e59d9cb41284
>>
>> --
>
> Marek Zarychta
>
>
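
The endpoint lengths reported in this thread, 28 for IPv6 and 16 for IPv4, equal sizeof(struct sockaddr_in6) and sizeof(struct sockaddr_in). As an added example (not code from if_wg or from any message in the thread), this userland C sketch parses the endpoint forms tried above and accepts a sockaddr blob only when its length matches its address family; endpoint_parse and endpoint_valid are hypothetical names.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: parse "[v6addr]:port" or "v4addr:port"; returns sockaddr length, 0 on error. */
socklen_t endpoint_parse(const char *s, struct sockaddr_storage *out)
{
    char host[INET6_ADDRSTRLEN], *rest;
    int v6 = (s[0] == '[');
    const char *h = v6 ? s + 1 : s;
    const char *end = v6 ? strchr(h, ']') : strrchr(s, ':');
    /* Brackets must be followed by ':'; an unbracketed form may hold one ':' only. */
    if (end == NULL || (v6 ? end[1] != ':' : strchr(s, ':') != end))
        return 0;
    const char *p = v6 ? end + 2 : end + 1;     /* first character of the port */
    size_t n = (size_t)(end - h);
    if (n == 0 || n >= sizeof(host) || *p < '0' || *p > '9')
        return 0;
    memcpy(host, h, n);
    host[n] = '\0';
    unsigned long port = strtoul(p, &rest, 10);
    if (*rest != '\0' || port == 0 || port > 65535)
        return 0;
    memset(out, 0, sizeof(*out));   /* BSD sin_len/sin6_len are not set in this sketch */
    if (v6) {
        struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)out;
        a6->sin6_family = AF_INET6;
        a6->sin6_port = htons((in_port_t)port);
        return inet_pton(AF_INET6, host, &a6->sin6_addr) == 1 ? sizeof(*a6) : 0;
    }
    struct sockaddr_in *a4 = (struct sockaddr_in *)out;
    a4->sin_family = AF_INET;
    a4->sin_port = htons((in_port_t)port);
    return inet_pton(AF_INET, host, &a4->sin_addr) == 1 ? sizeof(*a4) : 0;
}

/* Hypothetical check: accept an endpoint blob only when its length matches its family. */
int endpoint_valid(const void *buf, size_t len)
{
    struct sockaddr sa;
    if (len < sizeof(sa))
        return 0;
    memcpy(&sa, buf, sizeof(sa));
    size_t want = sa.sa_family == AF_INET ? sizeof(struct sockaddr_in) :       /* 16 */
                  sa.sa_family == AF_INET6 ? sizeof(struct sockaddr_in6) : 0;  /* 28 */
    return want != 0 && len == want;
}
```
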


