Hey All, I'm having some trouble passing a wireguard connection into the kernel. I'm new to VPP, but my goal is to set up a series of FRR / VPP routers running OSPF, BGP, and wireguard to connect several datacenters and do internet peering for an anycast project.
I am using VPP 22.06 on Ubuntu 20.04, with Intel X550T NICs. I'm using Pim van Pelt's lcpng_nl and lcpng_if plugins to connect the Linux control plane, and that seems to be working fine for my physical interfaces. I tried the built-in linux_cp and linux_nl plugins, but the netlink plugin specifically seemed to get the startup process stuck in a loop of adding the interface pairs over and over again, and I wasn't able to contact the host over the network.

I've run into a problem when adding the wireguard interface though. It connects to the remote side just fine (an Ubuntu 20.04 server, not running VPP). From the non-VPP server I can ping the VPP interface, and from within VPP I can ping the remote side. However, when adding the LCP pair I _cannot_ ping the remote side from Linux. If I disable the VPP ping plugin then the remote side stops being able to ping the VPP server, since VPP is no longer responding.

VPP config:

wireguard create listen-port 51820 private-key <private_key> src <vpp-public-ip>
lcp create wg0 host-if wg1-0-0
set interface state wg0 up
set interface mtu packet 1420 wg0
# set interface ip address wg0 192.168.42.6/31
wireguard peer add wg0 public-key <public_key> endpoint <remote-public-ip> allowed-ip 0.0.0.0/0 dst-port 51822 persistent-keepalive 25

I ran tcpdump on the VPP server side while pinging from the remote host and noticed something odd. Instead of receiving decapsulated packets on the kernel interface, I seem to be seeing the encrypted packets, and it's complaining about 16 bytes missing from the packet. I did notice that the source IP <remote-router-ip> is NOT the <remote-public-ip>, but instead a private IP that's used on that router's /31 link with the upstream router. I'm not sure if that makes a difference to the packet processing or not.

root@vpp-host:~# tcpdump -i wg1-0-0 -v
tcpdump: listening on wg1-0-0, link-type EN10MB (Ethernet), capture size 262144 bytes
03:50:30.355637 IP truncated-ip - 16 bytes missing! (tos 0x0, ttl 60, id 16433, offset 0, flags [none], proto UDP (17), length 156)
    <remote-router-ip>.51822 > <vpp-public-ip>.51820: UDP, length 128
03:50:31.379675 IP truncated-ip - 16 bytes missing! (tos 0x0, ttl 60, id 16549, offset 0, flags [none], proto UDP (17), length 156)
    <remote-router-ip>.51822 > <vpp-public-ip>.51820: UDP, length 128
03:50:32.403509 IP truncated-ip - 16 bytes missing! (tos 0x0, ttl 60, id 16776, offset 0, flags [none], proto UDP (17), length 156)
    <remote-router-ip>.51822 > <vpp-public-ip>.51820: UDP, length 128
03:50:33.427508 IP truncated-ip - 16 bytes missing! (tos 0x0, ttl 60, id 17027, offset 0, flags [none], proto UDP (17), length 156)
    <remote-router-ip>.51822 > <vpp-public-ip>.51820: UDP, length 128
03:50:34.451562 IP truncated-ip - 16 bytes missing! (tos 0x0, ttl 60, id 17165, offset 0, flags [none], proto UDP (17), length 156)
    <remote-router-ip>.51822 > <vpp-public-ip>.51820: UDP, length 128

Does anybody have any ideas? I can't imagine that I'm the first person to want to create an LCP interface for a wireguard tunnel.

Thanks,
Landy
View/Reply Online (#22053): https://lists.fd.io/g/vpp-dev/message/22053