
wireguard - changing the pubkey on an existing peer seems to destroy the running config.
Closed, Resolved | Public | BUG

Description

I changed the public key on a peer so I could do some testing. This was the only change:

# compare 0 1
[edit interfaces wireguard wg0 peer ERX-Test]
>pubkey g61nxZ0dCkiPlFgshe2Hx67esYJJdGvxcIn+X/SFQEM=

After committing, the whole active config disappeared:

sudo wg show
interface: wg0
interface: wg1
interface: wg2
interface: wg3

A reboot brought everything back up:

$ sudo wg show
interface: wg0
  public key: XXXX
  private key: (hidden)
  listening port: 2224

peer: XXXXXXXXX 
  endpoint: 10.0.10.234:41005
  allowed ips: 10.172.24.60/32, 2001:dead:beef::60/128
  latest handshake: 56 seconds ago
  transfer: 692 B received, 732 B sent
  persistent keepalive: every 15 seconds

peer: YYYYYYYYYY
  allowed ips: 10.172.24.30/32, 2001:dead:beef::30/128
  persistent keepalive: every 15 seconds

peer: ZZZZZZZZZZ
  allowed ips: 10.172.24.40/32, 2001:dead:beef::40/128
  persistent keepalive: every 15 seconds

peer: AAAAAAAAAAAA
  allowed ips: 10.172.24.20/32, 2001:dead:beef::20/

Details

Difficulty level
Unknown (require assessment)
Version
1.2 rolling
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

When the config was gone, the processes still seemed to be running

5897 ?        I<     0:00 [wg-crypt-wg0]
5946 ?        I<     0:00 [wg-crypt-wg1]
5982 ?        I<     0:00 [wg-crypt-wg2]
6017 ?        I<     0:00 [wg-crypt-wg3]

What were the steps you used when you updated the pubkey?

host1:
set interfaces wireguard wg0 disable
commit
run generate wireguard default-keypair 
You already have a wireguard key-pair, do you want to re-generate? [y/n] y

host2:
set interfaces wireguard wg0 peer wg02 disable
set interfaces wireguard wg0 peer wg02 pubkey G1aA2KkyFyC8xsCUeENvuIW8HC5yDxwi902nR20592Y=
del interfaces wireguard wg0 peer wg02 disable


vyos@wg01# sudo wg show
interface: wg0
  public key: pcCYd7iNt9KM/0E8b4DgFVgLvw4PLJHNpXYtYoNYgz4=
  private key: (hidden)
  listening port: 12345

peer: UM7a4Cw0yUOr8MO1AO+z8Y+vyBtsOLffVIPHJyj4pAE=
  endpoint: 10.1.1.201:12345
  allowed ips: (none)
  latest handshake: 4 minutes, 54 seconds ago
  transfer: 15.95 KiB received, 30.21 KiB sent

peer: G1aA2KkyFyC8xsCUeENvuIW8HC5yDxwi902nR20592Y=
  endpoint: 10.1.1.201:12345
  allowed ips: 0.0.0.0/0, ::/0

When you change keys you need to disable the peer, then change the key and enable the peer. If you re-generate your private key, you need to disable the interface, generate/change the priv. key then enable it again.
If that was the issue, it's not really a bug, but I think it could be implemented based on these 2 events to integrate the logic into the wireguard.py script. Did you do the steps above or did you do it without disable/enable?

@kroy I can't really reproduce it if I disable the peer first when multiple peers are defined on the same wg interface.
Can you please do a touch /tmp/vyos.ifconfig.debug and then run your commands and post it here?
It will show you the commands executed for each step, like:

vyos@wg01# set  interfaces wireguard wg0 peer wg02 disable 
[edit]
vyos@wg01# commit
[ interfaces wireguard wg0 ]
DEBUG/wg0    write '1420' > '/sys/class/net/wg0/mtu'
DEBUG/wg0    write 'wg0' > '/sys/class/net/wg0/ifalias'
DEBUG/wg0    cmd 'wg set wg0 peer G1aA2KkyFyC8xsCUeENvuIW8HC5yDxwi902nR20592Y= remove'
DEBUG/wg0    cmd 'wg set wg0 listen-port 12345 fwmark 0 private-key /config/auth/wireguard/default/private.key peer hbwJSCu6SGUKIReNhWxlDIFRNCl5L7PaUSYOo2BF+Rg=  preshared-key /dev/null  allowed-ips 10.100.100.3/32 endpoint 10.1.1.203:12345 persistent-keepalive 0'
DEBUG/wg0    cmd 'ip link set dev wg0 up'


vyos@wg01# set  interfaces wireguard wg0 peer wg02 pubkey JqT4EsaHlxjg++Fy8MqWsjZJcUY5YvFQNm6lQaO4uGs=
[edit]
vyos@wg01# commit
[ interfaces wireguard wg0 ]
DEBUG/wg0    write '1420' > '/sys/class/net/wg0/mtu'
DEBUG/wg0    write 'wg0' > '/sys/class/net/wg0/ifalias'
DEBUG/wg0    cmd 'wg set wg0 peer JqT4EsaHlxjg++Fy8MqWsjZJcUY5YvFQNm6lQaO4uGs= remove'
DEBUG/wg0    cmd 'wg set wg0 listen-port 12345 fwmark 0 private-key /config/auth/wireguard/default/private.key peer hbwJSCu6SGUKIReNhWxlDIFRNCl5L7PaUSYOo2BF+Rg=  preshared-key /dev/null  allowed-ips 10.100.100.3/32 endpoint 10.1.1.203:12345 persistent-keepalive 0'
DEBUG/wg0    cmd 'ip link set dev wg0 up'


vyos@wg01# del interfaces wireguard wg0 peer wg02 disable 
[edit]
vyos@wg01# commit
[ interfaces wireguard wg0 ]
DEBUG/wg0    write '1420' > '/sys/class/net/wg0/mtu'
DEBUG/wg0    write 'wg0' > '/sys/class/net/wg0/ifalias'
DEBUG/wg0    cmd 'wg set wg0 listen-port 12345 fwmark 0 private-key /config/auth/wireguard/default/private.key peer hbwJSCu6SGUKIReNhWxlDIFRNCl5L7PaUSYOo2BF+Rg=  preshared-key /dev/null  allowed-ips 10.100.100.3/32 endpoint 10.1.1.203:12345 persistent-keepalive 0'
DEBUG/wg0    cmd 'wg set wg0 listen-port 12345 fwmark 0 private-key /config/auth/wireguard/default/private.key peer JqT4EsaHlxjg++Fy8MqWsjZJcUY5YvFQNm6lQaO4uGs=  preshared-key /dev/null  allowed-ips 10.100.100.2/32 endpoint 10.1.1.202:12345 persistent-keepalive 0'
DEBUG/wg0    cmd 'ip link set dev wg0 up'

As soon as you rename/remove the debug file in /tmp, you see the normal cli output again.
I also tested it with a change on the fly, it removes the old peer key and sets up the new one then, so that should work too.
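
Added example (not code from this ticket or from VyOS's wireguard.py): a small Python model of the per-peer handling described above, i.e. remove the old public key, then add the new one, leaving the other peers on the interface alone, matching the "wg set ... remove" / "wg set ..." pairs in the DEBUG trace. It parses the wg show layout shown in this ticket and also flags interfaces that come back as a bare "interface: wgN" line with no public key, which is what the reporter's post-commit wg show looked like. All key strings and addresses in it are constructed placeholders, and the planner is illustrative rather than VyOS's own logic.

```python
"""Added example: per-peer reconciliation for a WireGuard interface.

Parses `wg show` output (constructed sample below) and computes the minimal
wg(8) command sequence that swaps one peer's public key while leaving the
other peers on the interface alone. Illustrative, not VyOS's wireguard.py
logic; key strings and addresses are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Peer:
    pubkey: str
    allowed_ips: List[str] = field(default_factory=list)
    endpoint: Optional[str] = None
    keepalive: int = 0  # seconds; 0 means off


@dataclass
class Interface:
    name: str
    public_key: Optional[str] = None
    listen_port: Optional[int] = None
    peers: Dict[str, Peer] = field(default_factory=dict)  # pubkey -> Peer


def parse_wg_show(text: str) -> Dict[str, Interface]:
    """Parse the `wg show` layout used in this ticket into Interface objects."""
    ifaces: Dict[str, Interface] = {}
    cur_if: Optional[Interface] = None
    cur_peer: Optional[Peer] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")  # first colon only: endpoint keeps host:port
        key, value = key.strip(), value.strip()
        if key == "interface":
            cur_if = ifaces.setdefault(value, Interface(value))
            cur_peer = None
        elif key == "peer" and cur_if is not None:
            cur_peer = Peer(value)
            cur_if.peers[value] = cur_peer
        elif cur_peer is not None:  # peer attributes; handshake/transfer lines are ignored
            if key == "allowed ips":
                cur_peer.allowed_ips = [] if value == "(none)" else [v.strip() for v in value.split(",")]
            elif key == "endpoint":
                cur_peer.endpoint = value
            elif key == "persistent keepalive":  # printed as "every N seconds" or "off"
                cur_peer.keepalive = int(value.split()[1]) if value.startswith("every") else 0
        elif cur_if is not None:  # interface attributes; "private key: (hidden)" is ignored
            if key == "public key":
                cur_if.public_key = value
            elif key == "listening port":
                cur_if.listen_port = int(value)
    return ifaces


def plan_peer_update(iface: Interface, desired: Dict[str, Peer]) -> List[str]:
    """wg(8) commands moving `iface` to the `desired` peer set.

    A replaced public key becomes remove-old + add-new (the pair the DEBUG
    trace in this ticket shows); peers that already match produce no command.
    """
    cmds = [f"wg set {iface.name} peer {pk} remove" for pk in iface.peers if pk not in desired]
    for pubkey, peer in desired.items():
        if iface.peers.get(pubkey) == peer:
            continue
        args = ["wg", "set", iface.name, "peer", pubkey]
        if peer.allowed_ips:
            args += ["allowed-ips", ",".join(peer.allowed_ips)]
        if peer.endpoint:
            args += ["endpoint", peer.endpoint]
        args += ["persistent-keepalive", str(peer.keepalive)]
        cmds.append(" ".join(args))
    return cmds


def interfaces_without_keys(ifaces: Dict[str, Interface]) -> List[str]:
    """Interfaces listed as a bare 'interface: wgN' with no public key loaded."""
    return sorted(n for n, i in ifaces.items() if i.public_key is None)


# Constructed sample in the same layout as the ticket's `wg show` output; wg1
# is deliberately bare to show the detector. All values are placeholders.
SAMPLE_WG_SHOW = """\
interface: wg0
  public key: IFACE0_PUBKEY_PLACEHOLDER=
  private key: (hidden)
  listening port: 12345

peer: OLD_PEER_PUBKEY_PLACEHOLDER=
  endpoint: 10.1.1.202:12345
  allowed ips: 10.100.100.2/32
  persistent keepalive: every 15 seconds

peer: OTHER_PEER_PUBKEY_PLACEHOLDER=
  endpoint: 10.1.1.203:12345
  allowed ips: 10.100.100.3/32, 2001:db8::3/128
  latest handshake: 56 seconds ago
  transfer: 692 B received, 732 B sent
  persistent keepalive: every 15 seconds

interface: wg1
"""


def example_key_swap() -> List[str]:
    """Replace OLD_PEER's key with NEW_PEER's on wg0, keeping OTHER_PEER untouched."""
    wg0 = parse_wg_show(SAMPLE_WG_SHOW)["wg0"]
    desired = {k: p for k, p in wg0.peers.items() if k != "OLD_PEER_PUBKEY_PLACEHOLDER="}
    desired["NEW_PEER_PUBKEY_PLACEHOLDER="] = Peer(
        "NEW_PEER_PUBKEY_PLACEHOLDER=", ["10.100.100.2/32"], "10.1.1.202:12345", 15)
    return plan_peer_update(wg0, desired)
```

Running example_key_swap() yields exactly two commands, the remove for the old key and the add for the new one; OTHER_PEER produces nothing because its parsed state already equals the desired state. interfaces_without_keys() over the same sample returns ["wg1"], which is the check a post-commit script could run to catch the "all interfaces listed bare" state from the description before a reboot is needed.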

Okay, so this problem just got a LOT more bizarre.

This works as expected:

set interfaces wireguard wg0 peer ERX-Test pubkey g61nxZ0dCkiPlFgshe2Hx67esYJJdGvxcIn+X/SFQEM=

This breaks as I was stating, taking down all of wireguard:

edit interfaces wireguard wg0
set peer ERX-Test pubkey g61nxZ0dCkiPlFgshe2Hx67esYJJdGvxcIn+X/SFQEM=

Related to T1844, which should correct the original problem in this ticket.

hagbard changed the task status from Open to Needs testing. Dec 10 2019, 5:38 PM
hagbard moved this task from Need Triage to In Progress on the VyOS 1.2 Crux board.

@kroy please test with the latest rolling if https://phabricator.vyos.net/T1846 solves your issue.

hagbard changed the status of subtask T1853: wireguard - disable peer doesn't work from Needs testing to Backport candidate. Dec 10 2019, 5:57 PM
hagbard changed the task status from Needs testing to Backport pending. Dec 11 2019, 3:55 PM
hagbard closed this task as Resolved.
syncer reopened this task as Backport candidate. Jan 1 2020, 2:03 PM
syncer triaged this task as Low priority.
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.5) board.
hagbard moved this task from Backlog to Finished on the VyOS 1.2 Crux (VyOS 1.2.5) board.
syncer changed the status of subtask T1853: wireguard - disable peer doesn't work from Backport candidate to Backport pending. Mar 15 2020, 10:12 PM