Stuart Henderson <[email protected]> wrote:
> On 2020-10-29, Pierre Emeriaud <[email protected]> wrote:
> > On Thu, 29 Oct 2020 at 01:20, Theo de Raadt <[email protected]> wrote:
> >>
> >> I believe you are running into the restriction that we don't allow an
> >> INADDR_ANY:port binding to be done after an ipaddr:port binding has been
> >> done. It must be done beforehand.
> >
> > Sorry Theo, maybe things got lost in translation, but if my
> > understanding is correct this is not exactly the case here. wg is
> > trying to bind to INADDR_ANY, which fails because a dns daemon (in my
> > case) is already bound to 127.0.0.1:53 (in wg_socket_open() -L700 of
> > if_wg.c-, sin->sin_addr.s_addr = INADDR_ANY?).
>
> There are extra restrictions, to prevent some software "stealing" packets
> intended for some other software. In userland software that wants to coexist
> with other software on the same port but a different bound IP needs to use
> SO_REUSEADDR (I forgot exactly how the restrictions work though). The problem
> you are seeing might be related to this.
>
> Which DNS server do you have bound on 53?
>
> > Is there a reason why wg needs such a large bind?
>
> Unless/until it gets an option to bind to a specific IP that's all it
> can sanely do. It would definitely be useful IMO.
Or, configure it before the application software. Or, don't try to overlay stuff onto a single port. Look, we can tell what is going on here, you want to tunnel over the least-filtered port on the internet, but if you do that trying to use that port for another thing is quite a problem of your own making.
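The bind ordering the thread is about, reproduced as an added example (not code from the thread or from if_wg.c): one UDP socket plays the DNS daemon on 127.0.0.1, a second one then asks for INADDR_ANY on the same port, the way wg_socket_open() does. It assumes an unprivileged run, so it uses a kernel-chosen ephemeral port instead of 53; the no-SO_REUSEADDR case fails with EADDRINUSE everywhere, while the outcome with SO_REUSEADDR on both sockets depends on the platform's rules (which is exactly the detail Stuart says he no longer remembers).

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to addr:port (both in network byte order), optionally
 * setting SO_REUSEADDR first. Returns the fd, or -errno on failure. */
static int bind_udp(in_addr_t addr, in_port_t port, int reuse)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    if (reuse && setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse)) < 0) {
        int e = errno; close(fd); return -e;
    }
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = port;        /* 0 lets the kernel pick an ephemeral port */
    sin.sin_addr.s_addr = addr;
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        int e = errno; close(fd); return -e;
    }
    return fd;
}

/* "DNS daemon" holds 127.0.0.1:P, then a wg-like caller wants INADDR_ANY:P.
 * Returns the errno of the second bind (0 if it succeeded), -1 on setup error.
 * reuse_both applies SO_REUSEADDR to both sockets, as coexisting software would. */
int wildcard_after_specific(int reuse_both)
{
    int daemon_fd = bind_udp(htonl(INADDR_LOOPBACK), 0, reuse_both);
    if (daemon_fd < 0)
        return -1;
    struct sockaddr_in bound; socklen_t len = sizeof(bound);
    if (getsockname(daemon_fd, (struct sockaddr *)&bound, &len) < 0) {
        close(daemon_fd); return -1;
    }
    int wg_fd = bind_udp(htonl(INADDR_ANY), bound.sin_port, reuse_both);
    int result = (wg_fd < 0) ? -wg_fd : 0;
    if (wg_fd >= 0) close(wg_fd);
    close(daemon_fd);
    return result;
}

int main(void)
{
    int e = wildcard_after_specific(0);
    printf("INADDR_ANY after 127.0.0.1, no SO_REUSEADDR: %s\n", e ? strerror(e) : "bound");
    e = wildcard_after_specific(1);
    printf("same, SO_REUSEADDR on both: %s\n", e ? strerror(e) : "bound");
    return 0;
}
```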

