WireGuard / wgctrl-go

Package wgctrl enables control of WireGuard interfaces on multiple platforms.
https://godoc.org/golang.zx2c4.com/wireguard/wgctrl
MIT License
727 stars 85 forks

AllowedIPs not applied properly #90

Closed jbauers closed 4 years ago

jbauers commented 4 years ago

Hi, thanks for this package! I've been playing around with it, and it seems like AllowedIPs as part of wgtypes.PeerConfig when passed to wgctrl.ConfigureDevice() isn't applied properly:

# PeerConfig A 
backend_1   | 2020/05/21 17:01:37 {ihFgmvJFsG8gLpyWHAp/y9W0mtnWqXtZnEdVXptnQzY= false false qs91slZ5udbFNOdp6WZnxlw89ZtwZLiCjZZ2qkn7Peo= <nil> <nil> false [{10.100.0.80 ffffff00}]}
# PeerConfig B
backend_1   | 2020/05/21 17:01:37 {NEfzWNvt/KleuQPYm3S1kKjs2tbiuvTYrcNYpVPrk38= false false bwzBUg3nDYr2TzAaBYWUYAnLvUGw5+/XDqx1fhLybIs= <nil> <nil> false [{10.100.0.116 ffffff00}]}
# Peers []PeerConfig
backend_1   | 2020/05/21 17:01:37 [{ihFgmvJFsG8gLpyWHAp/y9W0mtnWqXtZnEdVXptnQzY= false false qs91slZ5udbFNOdp6WZnxlw89ZtwZLiCjZZ2qkn7Peo= <nil> <nil> false [{10.100.0.80 ffffff00}]} {NEfzWNvt/KleuQPYm3S1kKjs2tbiuvTYrcNYpVPrk38= false false bwzBUg3nDYr2TzAaBYWUYAnLvUGw5+/XDqx1fhLybIs= <nil> <nil> false [{10.100.0.116 ffffff00}]}]
# Output of wgctrl.Devices()
backend_1   | 2020/05/21 17:01:37 [0xc0002a8380]
backend_1   | 2020/05/21 17:01:37 wg0
backend_1   | 2020/05/21 17:01:37 Linux kernel
backend_1   | 2020/05/21 17:01:37 IPOxbEgVcT0UDdT57XgCqap4KaxcbnJN5ov+zE8vWXM=
backend_1   | 2020/05/21 17:01:37 G4KXIoG4zm/I119wu1F6C7XLOmSEWAk2hNZ6hzmSp38=
backend_1   | 2020/05/21 17:01:37 51820
backend_1   | 2020/05/21 17:01:37 0
backend_1   | 2020/05/21 17:01:37 [{NEfzWNvt/KleuQPYm3S1kKjs2tbiuvTYrcNYpVPrk38= bwzBUg3nDYr2TzAaBYWUYAnLvUGw5+/XDqx1fhLybIs= <nil> 0s 0001-01-01 00:00:00 +0000 UTC 0 0 [{10.100.0.0 ffffff00}] 1} {ihFgmvJFsG8gLpyWHAp/y9W0mtnWqXtZnEdVXptnQzY= qs91slZ5udbFNOdp6WZnxlw89ZtwZLiCjZZ2qkn7Peo= <nil> 0s 0001-01-01 00:00:00 +0000 UTC 0 0 [] 1}]

AllowedIPs for Peer A end up as [], and Peer B gets [{10.100.0.0 ffffff00}]. I'd expect [{10.100.0.80 ffffff00}] and [{10.100.0.116 ffffff00}] respectively. Inspecting with wg:

interface: wg0
  public key: G4KXIoG4zm/I119wu1F6C7XLOmSEWAk2hNZ6hzmSp38=
  private key: (hidden)
  listening port: 51820

peer: NEfzWNvt/KleuQPYm3S1kKjs2tbiuvTYrcNYpVPrk38=
  preshared key: (hidden)
  allowed ips: 10.100.0.0/24

peer: ihFgmvJFsG8gLpyWHAp/y9W0mtnWqXtZnEdVXptnQzY=
  preshared key: (hidden)
  allowed ips: (none)

Not sure if I'm holding it wrong or if there's a bug somewhere. Any help would be appreciated. Thanks :)

mdlayher commented 4 years ago

Can you share your code? I would be surprised if this library was broken in that way since the integration tests continue to pass.

https://github.com/WireGuard/wgctrl-go/blob/master/client_integration_test.go#L202

Check out the test here to see what I'm using. Perhaps you're not passing the appropriate "replace allowed IPs" or "replace peers" flags to the kernel?

jbauers commented 4 years ago

Thanks for the quick reply. Sure, below are the relevant parts.

Here's the function to generate a peer configuration: https://github.com/jbauers/saml-wireguard/blob/lua/backend/src/wireguard.go#L25

Stitching them together: https://github.com/jbauers/saml-wireguard/blob/lua/backend/src/redis.go#L88

And finally updating the interface: https://github.com/jbauers/saml-wireguard/blob/lua/backend/src/wireguard.go#L44

Let me know if I can help with anything else.

jbauers commented 4 years ago

Hi, just a quick update, it works as expected when my IPs are a /32. If they're part of the same subnet, I see the described behaviour. This happens for both IPv6 and IPv4 as far as I can tell (just briefly tried IPv6).

Expected behaviour with IPv4 and /32:

backend_1   | 2020/05/21 19:44:15 {Fr/KrjXdvl85DA49f2Ip9bo8M+oPTZoGiclZ5ySA1i0= false false /8a5jaKVU2EElUcpaP4PUpg1KCpQaFpwDQTc2fdZU9E= <nil> <nil> true [{10.100.0.118 ffffffff}]}
backend_1   | 2020/05/21 19:44:15 {X4HzTvvUY8KOsJtwjZk53fg1OklBDP4XK0Jflo88lmA= false false H4t3uMrGbpM9AGEZ7YzoM0bMW9QuUBbgFCzWJoAl2+E= <nil> <nil> true [{10.100.0.113 ffffffff}]}
backend_1   | 2020/05/21 19:44:15 [{Fr/KrjXdvl85DA49f2Ip9bo8M+oPTZoGiclZ5ySA1i0= false false /8a5jaKVU2EElUcpaP4PUpg1KCpQaFpwDQTc2fdZU9E= <nil> <nil> true [{10.100.0.118 ffffffff}]} {X4HzTvvUY8KOsJtwjZk53fg1OklBDP4XK0Jflo88lmA= false false H4t3uMrGbpM9AGEZ7YzoM0bMW9QuUBbgFCzWJoAl2+E= <nil> <nil> true [{10.100.0.113 ffffffff}]}]
backend_1   | 2020/05/21 19:44:15 [0xc000012e80]
backend_1   | 2020/05/21 19:44:15 wg0
backend_1   | 2020/05/21 19:44:15 Linux kernel
backend_1   | 2020/05/21 19:44:15 kPEgo1AYt8PW4GPa7I8i3U5d2yB5HLTcDnFPP9gTe0U=
backend_1   | 2020/05/21 19:44:15 fcizOLK6Yx1zc7WO5uaTaDtWNG6/xY41UqxvSEpp7kU=
backend_1   | 2020/05/21 19:44:15 51820
backend_1   | 2020/05/21 19:44:15 0
backend_1   | 2020/05/21 19:44:15 [{Fr/KrjXdvl85DA49f2Ip9bo8M+oPTZoGiclZ5ySA1i0= /8a5jaKVU2EElUcpaP4PUpg1KCpQaFpwDQTc2fdZU9E= <nil> 0s 0001-01-01 00:00:00 +0000 UTC 0 0 [{10.100.0.118 ffffffff}] 1} {X4HzTvvUY8KOsJtwjZk53fg1OklBDP4XK0Jflo88lmA= H4t3uMrGbpM9AGEZ7YzoM0bMW9QuUBbgFCzWJoAl2+E= <nil> 0s 0001-01-01 00:00:00 +0000 UTC 0 0 [{10.100.0.113 ffffffff}] 1}]

IPv6 example, 3 peers on the same network:

backend_1   | 2020/05/21 19:40:53 {fP2j74q/q/XpvjqRc9uNDPPaIF0tJEFs1ln+UHt7/2M= false false ErqY0SbOFrMbhKMA5B0xMyh9Gz0GOK/CdRMG0fFFDoM= <nil> <nil> true [{fc00:: fe000000000000000000000000000000}]}
backend_1   | 2020/05/21 19:40:53 {N1CHua5VguZvKSdvsn745BOknmHSseKLg8InNneKBQE= false false q9CSdz+nobXrMmwG0OYGHV7d85yUH4NiY7rX0fn40r8= <nil> <nil> true [{fc00:: fe000000000000000000000000000000}]}
backend_1   | 2020/05/21 19:40:53 {P08VPorvEbOY7SOqKsYfkRBWqawIro6rcVZAEjPr8SY= false false ytljwFLuxzjO/1YlPSfaVmwpJc/jJjFoMGGR9yLzqSk= <nil> <nil> true [{fc00:: fe000000000000000000000000000000}]}
backend_1   | 2020/05/21 19:40:53 [{fP2j74q/q/XpvjqRc9uNDPPaIF0tJEFs1ln+UHt7/2M= false false ErqY0SbOFrMbhKMA5B0xMyh9Gz0GOK/CdRMG0fFFDoM= <nil> <nil> true [{fc00:: fe000000000000000000000000000000}]} {N1CHua5VguZvKSdvsn745BOknmHSseKLg8InNneKBQE= false false q9CSdz+nobXrMmwG0OYGHV7d85yUH4NiY7rX0fn40r8= <nil> <nil> true [{fc00:: fe000000000000000000000000000000}]} {P08VPorvEbOY7SOqKsYfkRBWqawIro6rcVZAEjPr8SY= false false ytljwFLuxzjO/1YlPSfaVmwpJc/jJjFoMGGR9yLzqSk= <nil> <nil> true [{fc00:: fe000000000000000000000000000000}]}]
backend_1   | 2020/05/21 19:40:53 [0xc000013e80]
backend_1   | 2020/05/21 19:40:53 wg0
backend_1   | 2020/05/21 19:40:53 Linux kernel
backend_1   | 2020/05/21 19:40:53 oIeu6HtyvOpnfKP48jhJ1DfAC2d7GTjVl59lfW4dZUU=
backend_1   | 2020/05/21 19:40:53 i6kOuDTh3dCictmGbc6LKVVbpSVVW5pSBNzdr4+Ucyw=
backend_1   | 2020/05/21 19:40:53 51820
backend_1   | 2020/05/21 19:40:53 0
backend_1   | 2020/05/21 19:40:53 [{fP2j74q/q/XpvjqRc9uNDPPaIF0tJEFs1ln+UHt7/2M= ErqY0SbOFrMbhKMA5B0xMyh9Gz0GOK/CdRMG0fFFDoM= <nil> 0s 0001-01-01 00:00:00 +0000 UTC 0 0 [] 1} {N1CHua5VguZvKSdvsn745BOknmHSseKLg8InNneKBQE= q9CSdz+nobXrMmwG0OYGHV7d85yUH4NiY7rX0fn40r8= <nil> 0s 0001-01-01 00:00:00 +0000 UTC 0 0 [] 1} {P08VPorvEbOY7SOqKsYfkRBWqawIro6rcVZAEjPr8SY= ytljwFLuxzjO/1YlPSfaVmwpJc/jJjFoMGGR9yLzqSk= <nil> 0s 0001-01-01 00:00:00 +0000 UTC 0 0 [{fc00:: fe000000000000000000000000000000}] 1}]

I had a quick look at the code, and this struck me as odd: https://github.com/WireGuard/wgctrl-go/blob/master/internal/wglinux/configure_linux.go#L109

Could there be an issue here? Sorry, I'm not super experienced with Go, just trying to figure things out.

jbauers commented 4 years ago

Just realised, it should only work when they're a /32 on the server side. Sorry for the noise :sweat_smile: Just wondering if there should be an error, but oh well - will close.