On 04.02.2021 at 05:25, Vasily Postnicov wrote:
If the endpoint does not use the same WireGuard implementation from
FreeBSD, try to cherry-pick this commit first and then rebuild and
reinstall the kernel.
https://cgit.freebsd.org/src/commit/?id=5aaea4b99e5cc724e97e24a68876e8768d3d8012

Thank you for the reply, Vasily. Indeed, the second endpoint uses the Go
implementation from ports (net/wireguard-go), and this version has been
able to use IPv6 endpoints for the tunnels for a while (almost from the
very beginning of the existence of the port). Thank you for the clue
about cherry-picking the commit above, but my latest tests were done
yesterday on 14-CURRENT, already after this fix was committed.

The only thing I modified was touching the code in line 590 of file
sys/dev/if_wg/module/module.c b/sys/dev/if_wg/module/module.c which is
validating the endpoint length size. It always appeared to be 28 for
IPv6 endpoints and 16 for legacy IP endpoints. Without this ugly hack,
IPv6 endpoints were not accepted at all, but the code itself suggested
that such an endpoint should be parsed if supplied in the correct form,
i.e.: [IPv6_address]:port.

Perhaps the endpoint length is not correctly calculated for IPv6 sockets
or there is an overflow which happens there?

Wed, 3 Feb 2021, 23:13 Marek Zarychta <zarych...@plan-b.pwste.edu.pl>:

On 21.01.2021 at 20:03, Marek Zarychta wrote:
> Dear subscribers,
>
> please let me know if it is possible to use an IPv6-addressed endpoint
> for the tunnel? I have tried to specify the address enclosed in []
> followed by the port number, for example: [2001:db8:0:1::1]:54333,
> have tried without it: 2001:db8:0:1::1:54333. I have also tried to
> specify it with prefix length, like this one:
> [2001:db8:0:1::1]/128:54333, but neither works.
>
> I got only some errors:
>
> matchaddr failed
> peer not found - dropping 0xfffff802099b6700
> wg0: wg_peer_add bad length for endpoint 28
>
> Is it possible to utilize IPv6 address as an endpoint for the tunnel
> with this implementation?
>
>
There was not much feedback on the mailing list, so I changed the code a
bit to not validate endpoint length so strictly and check if an IPv6
address as endpoint is supported. This resulted in a partial success.
The handshake over IPv6 looks established from the endpoint (as
it's reported by the "wg show" command), but the tunnel is not capable
of carrying any data, nor are keepalives sent.
Here is the handshake as sniffed on the endpoint:

00:00:00.000000 IP6 (hlim 57, next-header UDP (17) payload length: 156) 2001:db8:d47::c:100d.12345 > 2001:db8::b.55667: [udp sum ok] UDP, length 148
00:00:00.002860 IP6 (hlim 64, next-header UDP (17) payload length: 100) 2001:db8::b.55667 > 2001:db8:d47::c:100d.12345: [bad udp cksum 0x6f50 -> 0x62b4!] UDP, length 92
00:00:00.000892 IP6 (hlim 57, next-header UDP (17) payload length: 120) 2001:db8:d47::c:100d.12345 > 2001:db8::b.55667: [udp sum ok] UDP, length 112

Perhaps the incompatibility with IPv6 should be mentioned at least in
the just-added wg(4) manual page[1]?

[1] https://cgit.freebsd.org/src/commit/?id=e59d9cb41284

--
Marek Zarychta
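
The lengths reported in the thread, 28 and 16, are the sizes of struct sockaddr_in6 and struct sockaddr_in. The following is an added example, not the if_wg code and not code from any poster in this thread: a userland C check that keys the accepted endpoint length on the address family and parses only the a.b.c.d:port and [IPv6_address]:port forms. The function names endpoint_len_ok and parse_endpoint are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
/* Accept an endpoint only if its length matches its family: 16 (v4) or 28 (v6). */
static int endpoint_len_ok(const void *buf, size_t len)
{
    struct sockaddr sa;
    if (len < sizeof(sa)) return 0;          /* too short to hold a family */
    memcpy(&sa, buf, sizeof(sa));
    if (sa.sa_family == AF_INET6) return len == sizeof(struct sockaddr_in6);
    return sa.sa_family == AF_INET && len == sizeof(struct sockaddr_in);
}

/* Parse "a.b.c.d:port" or "[v6]:port"; return the sockaddr length, 0 on error. */
static size_t parse_endpoint(const char *s, struct sockaddr_storage *ss)
{
    char host[INET6_ADDRSTRLEN], *end;
    const char *colon = strrchr(s, ':');
    int v6 = (s[0] == '[');
    if (!colon || colon[1] < '0' || colon[1] > '9') return 0;
    const char *hb = v6 ? s + 1 : s;
    const char *he = v6 ? colon - 1 : colon;  /* v6: must point at ']' */
    if (he <= hb || (v6 && *he != ']')) return 0;
    if ((size_t)(he - hb) >= sizeof(host)) return 0;
    memcpy(host, hb, (size_t)(he - hb));
    host[he - hb] = '\0';
    unsigned long port = strtoul(colon + 1, &end, 10);
    if (*end != '\0' || port == 0 || port > 65535) return 0;
    memset(ss, 0, sizeof(*ss));
    if (v6) {
        struct sockaddr_in6 *a = (struct sockaddr_in6 *)ss;
        if (inet_pton(AF_INET6, host, &a->sin6_addr) != 1) return 0;
        a->sin6_family = AF_INET6;
        a->sin6_port = htons((unsigned short)port);
        return sizeof(*a);
    }
    struct sockaddr_in *a = (struct sockaddr_in *)ss;
    if (inet_pton(AF_INET, host, &a->sin_addr) != 1) return 0;
    a->sin_family = AF_INET;
    a->sin_port = htons((unsigned short)port);
    return sizeof(*a);
}
int main(void)
{
    struct sockaddr_storage ss;               /* endpoint string taken from the thread */
    size_t n = parse_endpoint("[2001:db8:0:1::1]:54333", &ss);
    return (n == sizeof(struct sockaddr_in6) && endpoint_len_ok(&ss, n)) ? 0 : 1;
}
```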