Page MenuHomeVyOS Platform
Create Task
Maniphest T2863

Wireguard IPv6 Link-Local Addresses Are Not Unique
Closed, ResolvedPublic
Actions

Description

Wireguard interfaces have IPv6 link-local addresses that are all fe80::fdfe.
Here's the A side of a tunnel:

trae@cr01a-vyos# show interfaces wireguard wg2
 address 192.168.254.25/30
 description "VL: L::cr01a-vyos.int wg2 | R::cr01-vyos.bhs wg0"
 ipv6 {
     ospfv3 {
         cost 1
         dead-interval 40
         hello-interval 10
         ifmtu 1420
         instance-id 0
         mtu-ignore
         priority 1
         retransmit-interval 5
         transmit-delay 1
     }
 }
 peer CR01-VYOS.BHS {
     address <ADDRESS>
     allowed-ips 0.0.0.0/0
     allowed-ips ::/0
     persistent-keepalive 5
     port 51820
     pubkey <pubkey>
 }
 port 51822
 private-key CR01A.INT_CR01.BHS
trae@cr01a-vyos# ip -6 a show dev wg2
16: wg2: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fe80::fdfe/64 scope link 
       valid_lft forever preferred_lft forever
[edit]

Here's the B side:

vyos@cr01-vyos# show interfaces wireguard wg0
 address 192.168.254.26/30
 description "VL: L::cr01-vyos.bhs wg0 | R::cr01a-vyos.int wg2"
 ipv6 {
     ospfv3 {
         cost 1
         dead-interval 40
         hello-interval 10
         ifmtu 1420
         instance-id 0
         mtu-ignore
         priority 1
         retransmit-interval 5
         transmit-delay 1
     }
 }
 peer CR01A-VYOS.INT {
     address <ADDRESS>
     allowed-ips 0.0.0.0/0
     allowed-ips ::/0
     persistent-keepalive 5
     port 51822
     pubkey <PUBKEY>
 }
 port 51820
 private-key CR01.BHS_CR01A.INT
vyos@cr01-vyos# ip -6 a show dev wg0
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN qlen 1000
    inet6 fe80::fdfe/64 scope link 
       valid_lft forever preferred_lft forever

I believe this is due to the fact that you're attempting to add an EUI64 address here:
https://github.com/vyos/vyos-1x/blob/current/python/vyos/ifconfig/interface.py#L1017

EUI64 requires a MAC address, and Wireguard interfaces have no MAC:

trae@cr01a-vyos# ip link show wg2
16: wg2: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none 
    alias VL: L::cr01a-vyos.int wg2 | R::cr01-vyos.bhs wg0

I'm guessing you'll need to figure out another way of generating the IPv6 LL address, or alternatively, leave it to the user to configure.

Details

Version
1.3-rolling-202009050118
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

trae32566 created this task.Sep 7 2020, 8:50 PM
trae32566 created this object in space S1 VyOS Public.
pasik subscribed.Sep 8 2020, 5:30 PM
owensresearch subscribed.Sep 12 2020, 5:48 AM
This comment was removed by owensresearch.
owensresearch added a comment.EditedSep 12 2020, 5:49 AM
show ipv6 ospfv3 route
---------------------------------------------------------------------------
*N E1 x:470:xx3c::/64             fe80::fdfe                  wg20 00:09:00
*N E1 x:19f0:6c01:acd::/64        fe80::fdfe                  wg20 00:09:00
*N E1 fdx:xx:1234:179::50/128     fe80::fdfe                  wg20 00:09:00
*N E1 fdx:xx:1234:179::69/128     fe80::fdfe                  wg20 00:09:00
*N E1 fdx:xx:1234:179::b2/128     fe80::fdfe                  wg20 00:09:00
*N E1 fdx:xx:1234:179::2464:0/126 fe80::fdfe                  wg20 00:09:00
*N E1 fdx:xx:1234:179::2464:2/128 fe80::fdfe                  wg20 00:09:00
*N E1 fdx:xx:1234:2b5::/64        fe80::fdfe                  wg20 00:09:00
*N IA fdx:xx:1234:face::/64       ::                          wg20 00:20:15
 N IA fdx:xx:1234:face::/64       fe80::fdfe                  wg20 00:09:00
 N E1 fdx:xx:1234:face::/64       fe80::fdfe                  wg20 00:09:00
*N E1 fdx:xx:2601:31::1/128       fe80::fdfe                  wg20 00:09:00
*N E1 fd86:x:x:116::1/128         fe80::fdfe                  wg20 00:09:00
*N E1 fdef:x:ee12:0:8:2:x11:0/127 fe80::fdfe                  wg20 00:09:00
*N E1 fdef:x:ee12:0:8:2:x11:0/128 fe80::fdfe                  wg20 00:09:00
*N E1 fdfc:x:fb45:x34::1/128      fe80::fdfe                  wg20 00:09:00
show int wireguard wg20
---------------------------------------------------------------------------
 address fd42:xxxx:xxxx:face::1/64
 address x.x.x.x/31
 address fe80::face:1/127
 description "Core"
 peer rtr01 {
     address x.x.x.x
     allowed-ips 0.0.0.0/0
     allowed-ips ::/0
     persistent-keepalive 15
     port 1234
     pubkey ***********
 }
 port 4321

1.3-rolling-202009100118

owensresearch added a comment.Sep 12 2020, 6:07 AM

https://phabricator.vyos.net/T1483

trae32566 added a comment.Sep 12 2020, 7:52 AM

Try a show ipv6 route ospfand look at the routes; they're probably being rejected:

trae@cr01b-vyos# run show ipv ro ospf
Codes: K - kernel route, C - connected, S - static, R - RIPng,
       O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
       v - VNC, V - VNC-Direct, A - Babel, D - SHARP, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

O>* fd52:d62e:8011:64::/64 [110/26] via fe80::192:168:15:1, bond0, 00:27:27
O   fd52:d62e:8011:6e::/64 [110/1] is directly connected, bond0, 00:27:27
O>r fd52:d62e:8011:1397::/64 [110/1] via fe80::fdfe, wg0, 00:27:27
O>r fd52:d62e:8011:13d0::/64 [110/101] via fe80::fdfe, wg1, 00:27:27
  r                                    via fe80::fdfe, wg0, 00:27:27
O>* fd52:d62e:8011:f000::/64 [110/2] via fe80::192:168:15:3, bond0, 00:27:27
O   fd52:d62e:8011:f001::/64 [110/1] is directly connected, wg0, 00:27:39
O>* fd52:d62e:8011:f002::/64 [110/2] via fe80::192:168:15:3, bond0, 00:27:27
O   fd52:d62e:8011:f003::/64 [110/1] is directly connected, wg1, 00:27:39
O>r fd52:d62e:8011:f004::/64 [110/201] via fe80::fdfe, wg0, 00:27:27
O>r fd52:d62e:8011:f005::/64 [110/201] via fe80::fdfe, wg1, 00:27:27
O>* fd52:d62e:8011:fffe:192:168:253:1/128 [110/1] via fe80::192:168:15:1, bond0, 00:27:27
O>* fd52:d62e:8011:fffe:192:168:253:2/128 [110/1] via fe80::192:168:15:3, bond0, 00:27:27
O>* fd52:d62e:8011:fffe:192:168:253:4/128 [110/26] via fe80::192:168:15:1, bond0, 00:27:27
O>* fd52:d62e:8011:fffe:192:168:253:5/128 [110/26] via fe80::192:168:15:1, bond0, 00:27:27
O>r fd52:d62e:8011:fffe:192:168:253:6/128 [110/1] via fe80::fdfe, wg0, 00:27:27
O>r fd52:d62e:8011:fffe:192:168:253:7/128 [110/1] via fe80::fdfe, wg1, 00:27:27
O>r fd52:d62e:8011:fffe:192:168:253:8/128 [110/101] via fe80::fdfe, wg1, 00:27:27
  r                                                 via fe80::fdfe, wg0, 00:27:27
O>r fd52:d62e:8011:fffe:192:168:253:9/128 [110/101] via fe80::fdfe, wg1, 00:27:27
  r                                                 via fe80::fdfe, wg0, 00:27:27
O>* fd52:d62e:8011:fffe:192:168:253:10/128 [110/26] via fe80::192:168:15:1, bond0, 00:27:27

Also, check your logs.; I'm willing to bet you'll see spam about duplicate OSPFv3 neighbors. It is _impossible_ for OSPF to work correctly when the neighbor addresses are the same.

c-po added a comment.Sep 12 2020, 8:10 AM

Fix will be in one of the next rolling releases, stay tuned!

c-po added a comment.Sep 12 2020, 10:21 PM

With VyOS 1.2 the default WireGuard behavior is used. This means that when a
WireGuard interface is added to the system, there is no "MAC" address - also
there is no IPv6 link-local address assigned by the Kernel to this particular
interface.

With implementation of T2653 all interfaces now receive an IPv6 address - which
is also valid for WireGuard interfaces - unfortunately this logic relies on the
interface MAC address - and as there is none, the link-local address will be
always the same. The logic behind is coded here [1].

We generate an IPv6 link-local address even when there is no "MAC" address. The
behavior/functionality (as with VyOS 1.2) must be restored to not have a
link-local IPv6 address at all. Any user can add any IPv6 link-local address
manually by issuing: set interfaces wireguard wg01 address fe80::ff:1/64.

Change vyos.ifconfig.add_ipv6_eui64_address to only add the EUI64-based
link-local address if a MAC address is available.

[1] https://github.com/vyos/vyos-1x/blob/3077158391ceee4ce04c27dec33f629529727c36/python/vyos/ifconfig/interface.py#L468

c-po mentioned this in rVYOSONEXd49845421dbd: ifconfig: T2863: only use IPv6 link-local address if interface has MAC address.Sep 12 2020, 10:21 PM
c-po closed this task as Resolved.Sep 12 2020, 10:21 PM
c-po mentioned this in T2864: Wireguard IPv6 Link-Local Addresses Cannot Be Disabled.Sep 14 2020, 3:41 AM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Nov 23 2020, 4:03 PM
erkin set Issue type to Bug (incorrect behavior).Aug 29 2021, 1:11 PM
erkin removed a subscriber: Global Notifications.
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 29 2022, 12:26 PM
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.