Package: wireguard
Version: 0.0.20190123-1
Severity: normal

Hi Daniel,

I have multiple peers defined in /etc/wireguard/wg0.conf
but setting AllowedIPs doesn't fully work for some of them
if I use `wg setconf`… and works perfectly fine if I do this
"manually" via `wg set wg0 peer my_public_key allowed-ips …`.

example peer setup in /etc/wireguard/wg0.conf:

 [Peer]
 PublicKey = my_public_key
 AllowedIPs = 10.8.1.2/32,10.1.0.0/20,10.0.0.0/20,192.168.6.0/24

and `wg setconf wg0 /etc/wireguard/wg0.conf && wg show wg0 allowed-ips | grep my_public_key`
outputs:

 my_public_key 192.168.6.0/24 10.8.1.2/32

(note missing 10.1.0.0/20,10.0.0.0/20)


Same thing happens if I use systemd-networkd to handle the interface
(/etc/systemd/network/wg0.netdev with "AllowedIPs = 10.8.1.2/32,10.1.0.0/20,192.168.6.0/24,10.0.0.0/20")


It works for most peers (with multiple IPs/ranges) and
doesn't for two. I have to add missing ranges "manually" via
`wg set wg0 peer my_public_key allowed-ips 192.168.6.0/24,10.8.1.2/24,10.1.0.0/20,10.0.0.0/20`
The other one that fails has one IP and one range in AllowedIPs so it's
not about more than 2 IPs/ranges.


FTR: I do not use wg-quick, I use either systemd-networkd or my own
startup script that basically does this:

 ip link add wg0 type wireguard
 ip addr add 10.8.1.1/24 dev wg0
 wg setconf wg0 /etc/wireguard/wg0.conf
 ip link set up dev wg0


PS thanks for maintaining WireGuard! I already replaced OpenVPN with it on all
   my machines :-)


-- System Information:
Debian Release: 9.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wireguard depends on:
ii  wireguard-dkms   0.0.20190123-1
ii  wireguard-tools  0.0.20190123-1

wireguard recommends no packages.

wireguard suggests no packages.

-- no debconf information
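
The comparison done by hand in the report above (AllowedIPs as configured versus what `wg show wg0 allowed-ips` prints after `wg setconf`) can be automated; the following is an added example, not code from the reporter or from the WireGuard project. The function names are hypothetical, and the sample input is constructed from the values quoted in the report (the ListenPort value is made up).

```python
import ipaddress

# Constructed sample input built from the values in the report above:
# the peer section as configured, and the `wg show wg0 allowed-ips` output.
SAMPLE_CONF = """\
[Interface]
ListenPort = 51820

[Peer]
PublicKey = my_public_key
AllowedIPs = 10.8.1.2/32,10.1.0.0/20,10.0.0.0/20,192.168.6.0/24
"""
SAMPLE_RUNTIME = "my_public_key\t192.168.6.0/24 10.8.1.2/32\n"

def net(text):
    # strict=False normalises host bits, so 10.8.1.2/24 compares equal to 10.8.1.0/24
    return ipaddress.ip_network(text.strip(), strict=False)

def parse_conf(text):
    """Map each [Peer] PublicKey to the set of networks in its AllowedIPs lines."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("["):
            sections.append({"peer": line.lower() == "[peer]", "key": None, "ips": set()})
        elif "=" in line and sections:
            name, value = (part.strip() for part in line.split("=", 1))
            if name.lower() == "publickey":
                sections[-1]["key"] = value
            elif name.lower() == "allowedips":
                sections[-1]["ips"] |= {net(v) for v in value.split(",") if v.strip()}
    return {s["key"]: s["ips"] for s in sections if s["peer"] and s["key"]}

def parse_runtime(text):
    """Parse `wg show <if> allowed-ips`: one peer per line, key then prefixes."""
    state = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            state[fields[0]] = {net(f) for f in fields[1:] if f != "(none)"}
    return state

def missing_allowed_ips(conf_text, runtime_text):
    """Return (peer, prefix, current_holder) for every configured prefix not live on its peer."""
    wanted, live = parse_conf(conf_text), parse_runtime(runtime_text)
    holder = {n: key for key, nets in live.items() for n in nets}
    return [(key, str(n), holder.get(n))
            for key, nets in wanted.items()
            for n in sorted(nets - live.get(key, set()), key=str)]

if __name__ == "__main__":
    for peer, prefix, held_by in missing_allowed_ips(SAMPLE_CONF, SAMPLE_RUNTIME):
        print(f"{peer}: {prefix} configured but not active (held by: {held_by or 'no peer'})")
```

The third field names the peer that currently holds a missing prefix in the runtime output, if any, which is useful when checking whether a range that should be routable to one peer has ended up on another.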
