NetBSD-Bugs archive


kern/58156: wg(4) roaming endpoint gets stuck on private addresses



>Number:         58156
>Category:       kern
>Synopsis:       wg(4) roaming endpoint gets stuck on private addresses
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 16 02:40:01 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current, 10
>Organization:
The NotWG Foundation
>Environment:
>Description:
wg(4) maintains an endpoint address for each peer to which it will send outgoing packets.

For wg(4) to initiate a session with a peer, the endpoint address must be configured with `wgconfig wgN add peer ... --endpoint=<address> ...'.

Whenever wg(4) receives an authenticated packet from a peer, it generally updates the endpoint address to be the source address of that packet, in order to support seamless roaming.

wg(4) does this even if the endpoint has been explicitly configured, rather than inferred from the first packet sent by a peer initiating a session.

Suppose you want to configure a roaming laptop as a VPN client to use a VPN server at a fixed publicly routable IP address, say 192.0.2.42:

wgconfig wg0 add peer vpnserver <publickey> --endpoint=192.0.2.42:51820 --allowed-ips=10.0.0.0/24

Suppose the VPN server also acts as a router at 192.168.1.1 for a private NATted network 192.168.1.0/24, such as a home network, and you then connect the laptop to that private NATted network, where it gets the IP address 192.168.1.123.

The VPN server, which is also the router, will then send wg(4)-encapsulated packets to the VPN client, i.e., the roaming laptop, with a source address of 192.168.1.1 on this network, rather than its publicly routable address 192.0.2.42.  At that point, wg(4) on the laptop will dutifully update the endpoint address to 192.168.1.1, even though the user had explicitly configured 192.0.2.42.

Suppose you then move the roaming laptop to another network, where the VPN server is _not_ at 192.168.1.1.  The wg(4) session will fail until you delete the peer for the VPN server and re-add it with the endpoint address 192.0.2.42.
>How-To-Repeat:
see above
>Fix:
Yes, please!

- Maybe never override an explicitly configured endpoint address.
- Maybe avoid changing a publicly routable endpoint address to a private endpoint address.
- Maybe check for prior art, which I haven't done yet.
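To make the failure mode in the Description and the first two suggestions under >Fix: concrete, here is a small userland model of endpoint roaming, added as an example for this archive page and not taken from the NetBSD kernel or from wg(4) itself. The struct, function names, and the choice of "private" ranges (RFC 1918 plus loopback and link-local, used to approximate "not publicly routable", which the report does not define) are assumptions of the model; the addresses are the ones from the report plus documentation ranges.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of a wg(4) peer's endpoint state.  This is NOT the
 * kernel's data structure; it exists only to show the roaming decision.
 * Addresses are IPv4 in host byte order.
 */
struct model_peer {
	uint32_t endpoint;          /* where outgoing packets go; 0 = none */
	uint16_t port;
	bool     endpoint_explicit; /* set via `wgconfig ... --endpoint=' */
};

uint32_t ip4(const char *dotted)
{
	struct in_addr a;
	if (inet_pton(AF_INET, dotted, &a) != 1)
		return 0;
	return ntohl(a.s_addr);
}

/*
 * Assumed definition of "private": RFC 1918 plus loopback and link-local.
 * Everything else is treated as publicly routable for this model.
 */
bool is_private_ipv4(uint32_t h)
{
	return (h & 0xff000000u) == 0x0a000000u  /* 10.0.0.0/8 */
	    || (h & 0xfff00000u) == 0xac100000u  /* 172.16.0.0/12 */
	    || (h & 0xffff0000u) == 0xc0a80000u  /* 192.168.0.0/16 */
	    || (h & 0xffff0000u) == 0xa9fe0000u  /* 169.254.0.0/16 */
	    || (h & 0xff000000u) == 0x7f000000u; /* 127.0.0.0/8 */
}

/* Behaviour the report describes: the source of every authenticated packet wins. */
bool roam_current(struct model_peer *p, uint32_t src, uint16_t sport)
{
	p->endpoint = src;
	p->port = sport;
	return true;
}

/* The two policies suggested under >Fix:, applied in order; returns whether the endpoint changed. */
bool roam_proposed(struct model_peer *p, uint32_t src, uint16_t sport)
{
	if (p->endpoint_explicit)
		return false;   /* never override an explicitly configured endpoint */
	if (p->endpoint != 0 && !is_private_ipv4(p->endpoint) && is_private_ipv4(src))
		return false;   /* never trade a publicly routable endpoint for a private one */
	p->endpoint = src;
	p->port = sport;
	return true;
}

/*
 * The laptop scenario: explicit endpoint 192.0.2.42, then an authenticated
 * packet arrives from the router's private side, 192.168.1.1.  Returns the
 * endpoint the laptop would still use after it moves to another network.
 */
uint32_t laptop_endpoint_after_roaming(bool use_proposed)
{
	struct model_peer vpnserver = { ip4("192.0.2.42"), 51820, true };
	if (use_proposed)
		roam_proposed(&vpnserver, ip4("192.168.1.1"), 51820);
	else
		roam_current(&vpnserver, ip4("192.168.1.1"), 51820);
	return vpnserver.endpoint;
}

/*
 * A peer with no explicit endpoint (learned from its first packet) must keep
 * roaming between public addresses under the proposed rules; only a move from
 * a public to a private address is refused.
 */
uint32_t learned_peer_endpoint_after(const char *first, const char *second)
{
	struct model_peer roamer = { 0, 0, false };
	roam_proposed(&roamer, ip4(first), 51820);
	roam_proposed(&roamer, ip4(second), 51820);
	return roamer.endpoint;
}

int main(void)
{
	char buf[INET_ADDRSTRLEN];
	struct in_addr a;

	a.s_addr = htonl(laptop_endpoint_after_roaming(false));
	printf("current behaviour, endpoint after roaming:  %s\n",
	    inet_ntop(AF_INET, &a, buf, sizeof buf));
	a.s_addr = htonl(laptop_endpoint_after_roaming(true));
	printf("proposed behaviour, endpoint after roaming: %s\n",
	    inet_ntop(AF_INET, &a, buf, sizeof buf));
	return 0;
}
```

Under the current rule the laptop is left pointing at 192.168.1.1 once it leaves the home network; under the proposed rules it keeps 192.0.2.42. The second function shows the cost of the "public never becomes private" rule on its own: a peer that was learned at a public address and is then reached only via a private one will not follow it, which is the trade-off a real implementation would have to weigh against the stuck-endpoint case.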


