Dear maintainer,

I tried to set up a WireGuard connection on the wg0 interface using
NetworkManager for testing purposes and then forgot about it. Let's say
I used the 192.168.16.233/32 IP and several routes (e.g. 10.0.3.0/24 10.0.5.0/24).

Then, using wg-quick, I set up a connection on wg0 with different
settings, let's say the 192.168.26.3/32 IP and the same routes (10.0.3.0/24
10.0.5.0/24), and I ran into similar issues.

wg0 appeared with both the 192.168.16.233/32 and 192.168.26.3/32 addresses,
and routes were being applied randomly (most of the time it wouldn't work).

I fixed my issue by removing the NetworkManager config; maybe NetworkManager
also does not handle WireGuard connections correctly yet.

Anyway, it was clearly a mess, but this may help someone else.

Thanks for maintaining this package,

Fabrice


On Mon, 09 Sep 2019 18:56:33 -0400 Daniel Kahn Gillmor
<d...@fifthhorseman.net> wrote:
> Control: retitle 921017 wireguard: wg setconf doesn't always set all allowed-ips
> Control: reassign 921017 wireguard-tools
>
> Hi Piotr--
>
> On Mon 2019-09-09 12:40:30 +0200, Piotr Ożarowski wrote:
> > yes, I can still replicate it with 0.0.20190905-1 but I do it on stable
> > (first Stretch now Buster) with packages from unstable (without
> > rebuilding them). Every time a different peer (I have 11 of them) gets an
> > incomplete AllowedIPs, so I admit it's hard to reproduce…
>
> Thanks for testing again so promptly, and sorry for the delay on my
> side.
>
> This is a delicate situation because i want to try to reproduce the
> problem you're seeing but i don't want to leak any secret information
> from your system (or any of your peers' public metadata either, unless
> you're ok with that).
>
> If i can try to restate the problem, it sounds like "wg setconf" is not
> reliably setting all the allowed-ips from a complex configuration file.
>
> But "wg set" itself always works fine to adjust it, right? That makes
> it sound like a problem with the "wg setconf" subcommand itself.
>
> So can you help me figure out how i can replicate the problem without
> leaking your secret information? For example, can you supply a
> templated configuration file that fails sometimes (but with relevant
> secrets and sensitive public metadata redacted)? For example, is this
> something you can replicate intermittently by running the configuration
> steps in a tight loop, and testing for the failure after each time?
>
> I've tried to do that briefly with some simple tests, but i still can't
> seem to get it to happen, even from a debian buster installation (with
> wireguard-dkms and wireguard-tools installed from unstable directly).
>
> > PS I have another problem that I didn't report yet on one (and only one)
> > of my peers which I don't think is related, but in case it is:
> > from time to time (sometimes a few days apart, sometimes weeks)
> > wireguard freezes (as in it doesn't accept any in/out connections).
> > Restarting (ip l set dev wg0 down and up again) doesn't help. What
> > helps is to change listening port to something else. This peer has a
> > non-public and dynamic IP (but I have another client using the same
> > provider on my OpenWRT router and it seems to work fine there)
>
> hm, this is likely to be a different thing, so if you want to discuss
> it, please open it as a separate ticket.
>
> --dkg
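
The tight-loop reproduction suggested in the quoted message needs a way to test for the failure after each `wg setconf` run. The following is an added example, not code from this thread or from wireguard-tools: it compares the AllowedIPs a configuration file declares per peer with the text printed by `wg show <interface> allowed-ips`. The function names, placeholder keys and the 10.0.7.0/24 network are constructed for illustration.

```python
import ipaddress

# Constructed sample config; keys are placeholders, not real public keys.
SAMPLE_CONF = """\
[Interface]
ListenPort = 51820

[Peer]
PublicKey = PEER_A_PLACEHOLDER_KEY=
AllowedIPs = 10.0.3.0/24, 10.0.5.0/24

[Peer]
PublicKey = PEER_B_PLACEHOLDER_KEY=
AllowedIPs = 192.168.26.3/32
AllowedIPs = 10.0.7.0/24
"""
# Constructed `wg show wg0 allowed-ips` output in which peer A lost 10.0.5.0/24.
SAMPLE_SHOW = ("PEER_A_PLACEHOLDER_KEY=\t10.0.3.0/24\n"
               "PEER_B_PLACEHOLDER_KEY=\t192.168.26.3/32 10.0.7.0/24\n")

def _nets(text):
    # Normalise a comma- or space-separated list into a set of network objects.
    items = text.replace(",", " ").split()
    return {ipaddress.ip_network(i, strict=False) for i in items if i != "(none)"}

def expected_from_conf(conf_text):
    """Map each [Peer] PublicKey to the union of its AllowedIPs lines."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("["):
            current = None
            if line.lower() == "[peer]":
                current = {"key": None, "nets": set()}
                peers.append(current)
        elif current is not None and "=" in line:
            # maxsplit=1 keeps the trailing '=' padding of base64 keys intact
            name, value = (p.strip() for p in line.split("=", 1))
            if name.lower() == "publickey":
                current["key"] = value
            elif name.lower() == "allowedips":
                current["nets"] |= _nets(value)
    return {p["key"]: p["nets"] for p in peers if p["key"]}

def missing_allowed_ips(conf_text, show_text):
    """Return {public_key: [networks in the config but absent from the interface]}."""
    rows = (line.split() for line in show_text.splitlines())
    actual = {r[0]: _nets(" ".join(r[1:])) for r in rows if r}
    want = expected_from_conf(conf_text)
    lost = {k: sorted(map(str, n - actual.get(k, set()))) for k, n in want.items()}
    return {k: v for k, v in lost.items() if v}
```

In a reproduction loop, pass the configuration file's text and the captured `wg show wg0 allowed-ips` output after each `wg setconf`; a non-empty result names the peer that came up incomplete without exposing private keys.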