Page MenuHomeVyOS Platform
Create Task
Maniphest T1851

wireguard - changing the pubkey on an existing peer seems to destroy the running config.
Closed, ResolvedPublicBUG
Actions

Description

I changed the public key on a peer so I could do some testing. This was the only change:

# compare 0 1
[edit interfaces wireguard wg0 peer ERX-Test]
>pubkey g61nxZ0dCkiPlFgshe2Hx67esYJJdGvxcIn+X/SFQEM=

After committing, the whole active config disappeared:

sudo wg show
interface: wg0
interface: wg1
interface: wg2
interface: wg3

A reboot brought everything back up:

$ sudo wg show
interface: wg0
  public key: XXXX
  private key: (hidden)
  listening port: 2224

peer: XXXXXXXXX 
  endpoint: 10.0.10.234:41005
  allowed ips: 10.172.24.60/32, 2001:dead:beef::60/128
  latest handshake: 56 seconds ago
  transfer: 692 B received, 732 B sent
  persistent keepalive: every 15 seconds

peer: YYYYYYYYYY
  allowed ips: 10.172.24.30/32, 2001:dead:beef::30/128
  persistent keepalive: every 15 seconds

peer: ZZZZZZZZZZ
  allowed ips: 10.172.24.40/32, 2001:dead:beef::40/128
  persistent keepalive: every 15 seconds

peer: AAAAAAAAAAAA
  allowed ips: 10.172.24.20/32, 2001:dead:beef::20/

Details

Version
1.2 rolling
Is it a breaking change?
Unspecified (possibly destroys the router)

Related Objects
Search...

Event Timeline

kroy created this task.Dec 5 2019, 4:39 PM
hagbard claimed this task.Dec 5 2019, 4:40 PM
kroy added a comment.Dec 5 2019, 4:42 PM

When the config was gone, the processes still seemed to be running

5897 ?        I<     0:00 [wg-crypt-wg0]
5946 ?        I<     0:00 [wg-crypt-wg1]
5982 ?        I<     0:00 [wg-crypt-wg2]
6017 ?        I<     0:00 [wg-crypt-wg3]
hagbard added a comment.Dec 5 2019, 5:31 PM

What were the steps you used when you upated the pubkey?

host1:
set interfaces wireguard wg0 disable
commit
run generate wireguard default-keypair 
You already have a wireguard key-pair, do you want to re-generate? [y/n] y

host2:
set interfaces wireguard wg0 peer wg02 disable
set interfaces wireguard wg0 peer wg02 pubkey G1aA2KkyFyC8xsCUeENvuIW8HC5yDxwi902nR20592Y=
del interfaces wireguard wg0 peer wg02 disable


vyos@wg01# sudo wg show
interface: wg0
  public key: pcCYd7iNt9KM/0E8b4DgFVgLvw4PLJHNpXYtYoNYgz4=
  private key: (hidden)
  listening port: 12345

peer: UM7a4Cw0yUOr8MO1AO+z8Y+vyBtsOLffVIPHJyj4pAE=
  endpoint: 10.1.1.201:12345
  allowed ips: (none)
  latest handshake: 4 minutes, 54 seconds ago
  transfer: 15.95 KiB received, 30.21 KiB sent

peer: G1aA2KkyFyC8xsCUeENvuIW8HC5yDxwi902nR20592Y=
  endpoint: 10.1.1.201:12345
  allowed ips: 0.0.0.0/0, ::/0

When you change keys you need to disable the peer, then change the key and enable the peer. If you re-generate your private key, you need to disable the interface, generate/change the priv. key then enable it again.
If that was the issue, it's not really a bug but I think it could be implemented based on these 2 events to integrate the logic into the wireguard.py script. Did you do the steps above or did you do it without
disable/enable?

hagbard changed the status of subtask T1853: wireguard - disable peer doesn't work from Open to In progress.Dec 5 2019, 7:05 PM
hagbard changed the status of subtask T1853: wireguard - disable peer doesn't work from In progress to Needs testing.Dec 5 2019, 9:59 PM
hagbard added a comment.EditedDec 5 2019, 10:21 PM

@kroy I can't really reproduce it if I disable the peer first when multiple peers are defined on the same wg interface.
Can you please do a touch /tmp/vyos.ifconfig.debug and then run your commands and post it here?
It will show you the commands execute for each step like:

vyos@wg01# set  interfaces wireguard wg0 peer wg02 disable 
[edit]
vyos@wg01# commit
[ interfaces wireguard wg0 ]
DEBUG/wg0    write '1420' > '/sys/class/net/wg0/mtu'
DEBUG/wg0    write 'wg0' > '/sys/class/net/wg0/ifalias'
DEBUG/wg0    cmd 'wg set wg0 peer G1aA2KkyFyC8xsCUeENvuIW8HC5yDxwi902nR20592Y= remove'
DEBUG/wg0    cmd 'wg set wg0 listen-port 12345 fwmark 0 private-key /config/auth/wireguard/default/private.key peer hbwJSCu6SGUKIReNhWxlDIFRNCl5L7PaUSYOo2BF+Rg=  preshared-key /dev/null  allowed-ips 10.100.100.3/32 endpoint 10.1.1.203:12345 persistent-keepalive 0'
DEBUG/wg0    cmd 'ip link set dev wg0 up'


vyos@wg01# set  interfaces wireguard wg0 peer wg02 pubkey JqT4EsaHlxjg++Fy8MqWsjZJcUY5YvFQNm6lQaO4uGs=
[edit]
vyos@wg01# commit
[ interfaces wireguard wg0 ]
DEBUG/wg0    write '1420' > '/sys/class/net/wg0/mtu'
DEBUG/wg0    write 'wg0' > '/sys/class/net/wg0/ifalias'
DEBUG/wg0    cmd 'wg set wg0 peer JqT4EsaHlxjg++Fy8MqWsjZJcUY5YvFQNm6lQaO4uGs= remove'
DEBUG/wg0    cmd 'wg set wg0 listen-port 12345 fwmark 0 private-key /config/auth/wireguard/default/private.key peer hbwJSCu6SGUKIReNhWxlDIFRNCl5L7PaUSYOo2BF+Rg=  preshared-key /dev/null  allowed-ips 10.100.100.3/32 endpoint 10.1.1.203:12345 persistent-keepalive 0'
DEBUG/wg0    cmd 'ip link set dev wg0 up'


vyos@wg01# del interfaces wireguard wg0 peer wg02 disable 
[edit]
vyos@wg01# commit
[ interfaces wireguard wg0 ]
DEBUG/wg0    write '1420' > '/sys/class/net/wg0/mtu'
DEBUG/wg0    write 'wg0' > '/sys/class/net/wg0/ifalias'
DEBUG/wg0    cmd 'wg set wg0 listen-port 12345 fwmark 0 private-key /config/auth/wireguard/default/private.key peer hbwJSCu6SGUKIReNhWxlDIFRNCl5L7PaUSYOo2BF+Rg=  preshared-key /dev/null  allowed-ips 10.100.100.3/32 endpoint 10.1.1.203:12345 persistent-keepalive 0'
DEBUG/wg0    cmd 'wg set wg0 listen-port 12345 fwmark 0 private-key /config/auth/wireguard/default/private.key peer JqT4EsaHlxjg++Fy8MqWsjZJcUY5YvFQNm6lQaO4uGs=  preshared-key /dev/null  allowed-ips 10.100.100.2/32 endpoint 10.1.1.202:12345 persistent-keepalive 0'
DEBUG/wg0    cmd 'ip link set dev wg0 up'

As soon as you rename/remove the debug file in /tmp, you see the normal cli output again.
I also tested it with a change on the fly, it removes the old peer key and sets up the new one then, so that should work too.

kroy added a comment.Dec 6 2019, 1:31 AM

Okay, so this problem just got a LOT more bizarre.

This works as expected:

set interfaces wireguard wg0 peer ERX-Test pubkey g61nxZ0dCkiPlFgshe2Hx67esYJJdGvxcIn+X/SFQEM=

This breaks as I was stating, taking down all of wireguard:

edit interfaces wireguard wg0
set peer ERX-Test pubkey g61nxZ0dCkiPlFgshe2Hx67esYJJdGvxcIn+X/SFQEM=
pasik subscribed.Dec 8 2019, 7:00 PM
kroy added a comment.Dec 9 2019, 7:17 PM

Related to T1844, which should correct the original problem in this ticket

jestabro added a parent task: T1846: Make session_config not depend on the current edit level.Dec 9 2019, 7:55 PM
hagbard changed the task status from Open to Needs testing.Dec 10 2019, 5:38 PM
hagbard moved this task from Need Triage to In Progress on the VyOS 1.2 Crux board.

@kroy please test with the latest rolling if https://phabricator.vyos.net/T1846 solves your issue.

hagbard closed subtask T1853: wireguard - disable peer doesn't work as Unknown Status.Dec 10 2019, 5:57 PM
kroy added a subscriber: jestabro.Dec 11 2019, 5:30 AM

@hagbard
@jestabro

Confirmed.

T1846 fixes this

hagbard closed this task as Unknown Status.Dec 11 2019, 3:55 PM
hagbard changed the task status from Unknown Status to Resolved.
syncer changed the task status from Resolved to Unknown Status.Jan 1 2020, 2:03 PM
syncer triaged this task as Low priority.
syncer edited projects, added VyOS 1.3 Equuleus, VyOS 1.2 Crux (VyOS 1.2.4); removed VyOS 1.2 Crux.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.5); removed VyOS 1.2 Crux (VyOS 1.2.4).
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.5) board.
hagbard changed the task status from Unknown Status to Resolved.Feb 8 2020, 4:15 PM
hagbard moved this task from Backlog to Finished on the VyOS 1.2 Crux (VyOS 1.2.5) board.
syncer changed the status of subtask T1853: wireguard - disable peer doesn't work from Unknown Status to Unknown Status.Mar 15 2020, 10:12 PM
jestabro changed the status of subtask T1853: wireguard - disable peer doesn't work from Unknown Status to Resolved.Jul 26 2020, 6:59 PM
dmbaturin removed a project: VyOS 1.3 Equuleus.Sep 10 2021, 2:36 PM