Page MenuHomeVyOS Platform
Create Task
Maniphest T1483

Can not redistribute routes via OSPFv3 on a WireGuard link
Closed, InvalidPublicBUG
Actions

Description

Tested with:

  • VyOS 1.2.0-rolling+201906240337
  • VyOS 1.2.1

I have two routers (BR1 and BR2) which are connected through a WireGuard tunnel, but I can not see any ip6 MULTICAST messages for OSPFv3 in tcpdump.

OSPFv2 on the other hand works fine on the interface.

Pinging the individual IPv6 addresses assigned to the WireGuard interfaces works like a charm (they also show up in the tcpdump). Also SSH via this link is fine.

BR1

vyos@BR1# show interfaces wireguard  | strip-private
 wireguard wg01 {
     address xxx.xxx.151.213/30
     address xxxx:xxxx:200:ff::105:1/112
     ip {
         ospf {
             authentication {
                 md5 {
                     key-id 10 {
                         md5-key foo
                     }
                 }
             }
             dead-interval 40
             hello-interval 10
             network broadcast
             priority 1
             retransmit-interval 5
             transmit-delay 5
         }
     }
     mtu 1380
     peer to-ffmI {
         allowed-ips xxx.xxx.0.0/0
         allowed-ips ::/0
         endpoint xxx.xxx.145.16:8000
         pubkey jONYO99jYjBxXX3mNWKRDN8ETgIHxyTk+wODfco2d04=
     }
     port 8000
}

vyos@BR1# show protocols ospfv3 | strip-private
 area xxx.xxx.0.0 {
     interface eth1
     interface eth0.5
     interface wg01
     interface lo
 }
 parameters {
     router-id xxx.xxx.150.253
 }
 redistribute {
     connected {
         route-map MAP-OSPF-CONNECTED
     }
}

vyos@BR1# show policy
 route-map MAP-OSPF-CONNECTED {
     rule 1 {
         action deny
         match {
             interface eth2
         }
     }
     rule 10 {
         action permit
         match {
             interface lo
         }
     }
}

BR2

vyos@BR2# show interfaces wireguard | strip-private
 wireguard wg01 {
     address xxx.xxx.151.214/30
     address xxxx:xxxx:200:ff::105:2/112
     ip {
         ospf {
             authentication {
                 md5 {
                     key-id 10 {
                         md5-key foo
                     }
                 }
             }
             dead-interval 40
             hello-interval 10
             network broadcast
             priority 1
             retransmit-interval 5
             transmit-delay 5
         }
     }
     mtu 1380
     peer to-BR1 {
         allowed-ips xxx.xxx.0.0/0
         allowed-ips ::/0
         endpoint xxx.xxx.8.67:8000
         pubkey jzKVNw6MPepw1FYmniY4O/5exYui2DWW3SVPkDokUxQ=
     }
     port 8000
}

vyos@BR2# show protocols ospfv3 | strip-private
 area xxx.xxx.0.0 {
     interface wg01
     interface lo
 }
 parameters {
     router-id xxx.xxx.150.250
 }
 redistribute {
     connected {
         route-map MAP-OSPF-CONNECTED
     }
 }

vyos@BR2# show policy
 route-map MAP-OSPF-CONNECTED {
     rule 1 {
         action deny
         match {
             interface eth0
         }
     }
     rule 10 {
         action permit
         match {
             interface lo
         }
     }
 }

Details

Version
1.2.1

Related Objects

Event Timeline

c-po created this task.Jun 24 2019, 6:26 PM
c-po triaged this task as High priority.Jun 24 2019, 6:28 PM
c-po updated the task description. (Show Details)
c-po updated the task description. (Show Details)
c-po added a project: VyOS 1.3 Equuleus.
c-po added subscribers: dmbaturin, syncer, zsdc and 4 others.
syncer added a subscriber: zx2c4.Jun 25 2019, 9:27 AM

@zx2c4 any known limitations around multicast in WG?

zx2c4 added a comment.Jun 25 2019, 10:15 AM

Yes. It explicitly doesn't do it.

c-po added a comment.Jun 25 2019, 5:02 PM

@zx2c4 thanks for clarification. But why does OSPFv2 work as it uses multicast too if I remember correctly.

pasik subscribed.Jun 26 2019, 8:46 PM
master subscribed.Jul 5 2019, 2:12 PM
hagbard added a comment.Jul 8 2019, 10:36 PM

I tested the following so far successful:

ospf01

set interfaces wireguard wg01 address 'fe80::216:3eff:fe51:fd8c/64'
set interfaces wireguard wg01 address '192.168.0.1/24'
set interfaces wireguard wg01 ipv6 ospfv3 instance-id '100'
set interfaces wireguard wg01 peer ospf02 allowed-ips '::/0'
set interfaces wireguard wg01 peer ospf02 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg01 peer ospf02 endpoint '10.1.1.101:12345'
set interfaces wireguard wg01 peer ospf02 pubkey 'ie3t3DyKO8qz55WCVIxikvuVTpGeYQuyjNGEf2N82nY='
set interfaces wireguard wg01 port '12345'
set protocols ospfv3 area 0.0.0.0 interface 'wg01'
set protocols ospfv3 area 0.0.0.0 interface 'eth2'
set protocols ospfv3 area 0.0.0.0 interface 'eth3'
set protocols ospfv3 area 0.0.0.0 interface 'lo'

ospf02

set interfaces wireguard wg01 address 'fe80::216:3eff:fe0a:7ada/64'
set interfaces wireguard wg01 address '192.168.0.2/24'
set interfaces wireguard wg01 ipv6 ospfv3 instance-id '200'
set interfaces wireguard wg01 peer ospf01 allowed-ips '::/0'
set interfaces wireguard wg01 peer ospf01 allowed-ips '0.0.0.0/0'
set interfaces wireguard wg01 peer ospf01 endpoint '10.1.1.100:12345'
set interfaces wireguard wg01 peer ospf01 pubkey 'NHI4rmCsTuvmf4Xk6Z4GQ5yAYLZr+PeCwB+vmS7qPCk='
set interfaces wireguard wg01 port '12345'
set protocols ospfv3 area 0.0.0.0 interface 'wg01'
set protocols ospfv3 area 0.0.0.0 interface 'lo'
set protocols ospfv3 area 0.0.0.0 interface 'eth3'
set protocols ospfv3 area 0.0.0.0 interface 'eth2'
vyos@ospf01:~$ sh ipv6 ospfv3 neighbor 
Neighbor ID     Pri    DeadTime    State/IfState         Duration I/F[State]
192.168.0.2       1    00:00:32  Loading/BDR             00:00:00 eth2[DR]
192.168.0.2       1    00:00:32     Full/BDR             00:00:05 eth3[DR]

vyos@ospf02# run sh ipv6 ospfv3 neighbor 
Neighbor ID     Pri    DeadTime    State/IfState         Duration I/F[State]
192.168.0.1       1    00:00:32  ExStart/DR              00:08:47 eth3[BDR]
192.168.0.1       1    00:00:32     Full/DR              00:00:02 eth2[BDR]
c-po added a comment.Jul 9 2019, 4:33 PM

Thanks, the trick was adding some link-local adresses.

I also updated the docs

c-po closed this task as Invalid.Jul 9 2019, 4:33 PM
c-po assigned this task to hagbard.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Aug 5 2019, 12:22 PM
syncer edited projects, added Rejected; removed VyOS 1.3 Equuleus, VyOS 1.2 Crux.Aug 31 2019, 2:33 AM
owensresearch mentioned this in T2863: Wireguard IPv6 Link-Local Addresses Are Not Unique.Sep 12 2020, 6:07 AM