Closed 3891sinneD closed 1 year ago
Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.
Please elaborate further.
The peer confs are not necessarily used for the server so they shouldn't cause startup issues. Are you making manual changes to the wg0.conf?
I see, I was a bit too quick. For IPv6 I've edited the wg0.conf too.
I made a test environment and this is my wg0.conf with 1 peer:
```ini
[Interface]
Address = 10.13.13.1
Address = 2a02:a44b:xxxx:3::1/64
ListenPort = 51820
PrivateKey = <private key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer_Test1
PublicKey = <public key>
PresharedKey = <pre shared key>
AllowedIPs = 10.13.13.2/32,2a02:a44b:xxxx:3::2/128
```
And the conf for Test1:
```ini
[Interface]
Address = 10.13.13.2
Address = 2a02:a44b:xxxx:3::2/128
PrivateKey = <private key>
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = <public key>
PresharedKey = <pre shared key>
Endpoint = <endpoint url>:51820
AllowedIPs = 0.0.0.0/0, ::/0
```
But now, when I add an extra peer while recreating the WireGuard container with `-e PEERS=Test1,Test2 \`, the wg0.conf is not valid anymore, so WireGuard will fail to start. But also the peer.conf for peer1 is not valid anymore.
```
linux/arm64, go1.20.7,
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Line unrecognized: `2a02:a44b:xxxx:3::2/128/32'
Configuration parsing error
[#] ip link delete dev wg0
s6-rc: warning: unable to start service svc-wireguard: command exited 1
```
The wg0.conf now looks like this: the IPv6 address is missing for the interface, the ip6tables settings are gone and the IPv6 allowed IP for Test1 is just a string in the config:
```ini
[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = <private key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer_Test1
PublicKey = <public key>
PresharedKey = <pre shared key>
AllowedIPs = 10.13.13.2
2a02:a44b:xxxx:3::2/128/32

[Peer]
# peer_Test2
PublicKey = <public key>
PresharedKey = <pre shared key>
AllowedIPs = 10.13.13.3/32
```
And the config for Test1 is also not valid anymore, in case peer Test1 needs to recreate the tunnel locally on that peer.
```ini
[Interface]
Address = 10.13.13.2
2a02:a44b:xxxx:3::2/128
PrivateKey = <private key>
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = <public key>
PresharedKey = <pre shared key>
Endpoint = <endpoint url>:51820
AllowedIPs = 0.0.0.0/0, ::/0
```
I hope this made things clear. I would love to have an option so that when a peer is added, the new peer is added to the wg0.conf (only with an IPv4 address; I'll add an IPv6 address manually) and the other peers in the wg0.conf and the peer configs are left alone.
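A pre-flight check for the failure described above, added here as an example and not part of this issue or of the linuxserver image: it parses a wg-quick style conf the way `wg setconf` / wg-quick would and reports the exact defects shown in the regenerated file (a bare address line with no key, and a doubled prefix such as `/128/32`) before the container is restarted. The sample config is constructed from the broken wg0.conf quoted in the comment, with the redacted prefix replaced by the documentation prefix `2001:db8::/32`.

```python
import ipaddress
import re

# Constructed sample: the regenerated wg0.conf quoted in the issue, with the
# redacted IPv6 prefix replaced by the documentation prefix 2001:db8::/32.
BROKEN_WG0_CONF = """\
[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = <private key>
[Peer]
# peer_Test1
PublicKey = <public key>
AllowedIPs = 10.13.13.2
2001:db8:0:3::2/128/32
[Peer]
# peer_Test2
PublicKey = <public key>
AllowedIPs = 10.13.13.3/32
"""

KEY_VALUE = re.compile(r"^([A-Za-z]+)\s*=\s*(.*)$")
ADDRESS_KEYS = {"address", "allowedips"}   # values must be IPs or CIDRs


def check_wg_conf(text):
    """Return [(line_no, message)] for every line wg/wg-quick would reject."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # wg-quick drops '#' comments
        if not line or (line.startswith("[") and line.endswith("]")):
            continue                          # blank line or section header
        m = KEY_VALUE.match(line)
        if m is None:                         # e.g. the bare IPv6 line above
            problems.append((n, f"line unrecognized: {line!r}"))
            continue
        key, value = m.group(1), m.group(2)
        if key.lower() in ADDRESS_KEYS:
            for item in value.split(","):
                try:                          # rejects '.../128/32' too
                    ipaddress.ip_network(item.strip(), strict=False)
                except ValueError:
                    problems.append((n, f"{key}: bad address {item.strip()!r}"))
    return problems


if __name__ == "__main__":
    for line_no, msg in check_wg_conf(BROKEN_WG0_CONF):
        print(f"wg0.conf:{line_no}: {msg}")
```

Run it against the generated config before `docker start`; an empty result means the file is at least structurally parseable, it does not validate keys or their placement in sections.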
We don't support manual edits to the wg0.conf in server mode with PEERS set. wg0.conf has to be auto generated when there are changes to the vars, like adding a new peer. Any user changes need to be made through the env vars and/or the server conf template.
This is a bit off topic, but I have to just toss this out... why in the world are you NATing IPv6? The whole point of IPv6 is that with the, on average, 18 quintillion IP addresses you get, you do not ever need to NAT. Either way, the issue was caused by an unsupported direct change, as mentioned above, closing as non-reproducible.
Is this a new feature request?
Wanted change
Maybe you can add a parameter, like REGENERATE_ALL true|false, so when you add one new peer on recreate the container it will only add the new peer or add the new peer and regenerate all the configs.
Reason for change
I made some IPv6 adjustments, and now when I add a new peer all the configs are regenerated and the start-up of the container will fail, because some of the IPv6 addresses will remain in the config but not in a proper way. Like `Address: 2a02:a44b:xxxx:1:1` remains as `2a02:a44b:xxxx:1:1`.
Proposed code change
No response