From: Vasily Postnicov
Date: Thu, 21 Jan 2021 19:20:12 +0300
Subject: Re: New WireGuard kernel module does not work with mullvad VPN
To: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

Aha! My public key derived from the private key does not match the key
mullvad VPN derives (they give me my generated private key):

root@vonbraun:~ # ifconfig wg0 create private-key 94krUfNiNdUwZoPwek2PlCDB92h1nbvmavggQbgrfM0= listen-port 5423
root@vonbraun:~ # ifconfig wg0
wg0: flags=8080a0 metric 0 mtu 1420
        options=880000
        groups: wg
        listen-port: 5423
        private-key: 8IkrUfNiNdUwZoPwek2PlCDB92h1nbvmavggQbgrfE0=
        public-key: FpuxfigYTk73RE4VwFV/2zbAc6sWxQkQWnShccOvvSc=
        media: Ethernet autoselect (25GBase-ACC )
        status: active
        nd6 options=29

Mullvad thinks the public key is izjBq6I7GRVaNOvO… (I delete this key
from my account now)

wireguard-go always displays the correct public key (corresponding
with what mullvad thinks)

On Thu, 21 Jan 2021 at 18:38, Vasily Postnicov wrote:
>
> Hello. I try the new module and it does not seem to work for me. I use
> mullvad VPN and wireguard-go but want to replace wireguard-go with
> kernelspace implementation.
>
> I have the following configuration:
> [Interface]
> PrivateKey =
> Address = 10.66.116.246/32,fc00:bbbb:bbbb:bb01::3:74f5/128
> DNS = 193.138.218.74
>
> [Peer]
> PublicKey = jJVG/lv7RikDG0FMsV3WJgfot5XecPm9aHDrYvU+NAM=
> AllowedIPs = 0.0.0.0/0,::0/0
> Endpoint = 86.107.21.34:51820
>
> So I try this (12345 is just a random port, I do not have it in the
> configuration):
> ifconfig wg0 create private-key listen-port 12345
> ifconfig wg0 peer public-key allowed-ips 0.0.0.0/0
> allowed-ips ::0/0 endpoint 86.107.21.34:51820
> ifconfig wg0 inet 10.66.116.246/32
> ifconfig wg0 inet6 fc00:bbbb:bbbb:bb01::3:74f5/128
>
> The interface goes up after "ifconfig wg0 inet" command.
> Then I add new routes just like wireguard-go does:
> route -q -n add -inet6 ::/1 -interface wg0
> route -q -n add -inet6 8000::/1 -interface wg0
> route -q -n add -inet 0.0.0.0/1 -interface wg0
> route -q -n add -inet 128.0.0.0/1 -interface wg0
> route -q -n add -inet 86.107.21.34 -gateway 192.168.20.1
>
> 192.168.20.1 is just my default gateway.
>
> I also set sysctl net.inet.ip.forwarding = 1 (some manual told so).
> Nothing works in the result, I can ping my gateway and the endpoint,
> but nothing else. Wireshark says there are "WireGuard Handshake
> Initiation" packages from re0 (my interface connected to the internet)
> to the endpoint, but no responses.
>
> What can be wrong?