When I try to set up a wireguard tunnel with an endpoint using its IPv6 link-local address, I am greeted with the following error message, even though the address is valid. I suspect this is probably due to the '%' sign and the letters of the interface. Using a regular Linux distribution and wg-quick, IPv6 link-local addresses are accepted and function as expected.
Description
Details
- Version
- vyos-1.4-rolling-202201130317-amd64
- Is it a breaking change?
- Perfectly compatible
- Issue type
- Bug (incorrect behavior)
Related Objects
- Mentioned In
- 1.3.3
- 1.3.1
rVYOSONEXcb69b6e875c9: wireguard: T4183: Allow setting ipv6 link local address for peer
rVYOSONEX31a27136a499: Merge pull request #1170 from sever-sever/T4183-equ
rVYOSONEXdbdb736c8512: wireguard: T4183: Allow to set peer IPv6 link-local address
rVYOSONEX3b4ece7dde02: Merge pull request #1169 from sever-sever/T4183
Event Timeline
Link-local addresses with %ethX are not accepted in any protocols/peers/etc. A few services are allowed to set them as listen like ssh/dns at the moment.
Is there a real use case why you need it on wireguard interfaces?
It requires changing or extending the validator for address/host.
Getting link-local addresses to work would probably be very low-priority, but I did run into an extremely niche case where I wanted to do that. It's not the type of situation that would happen in a production environment, but I was running VyOS on a computer tethered via ethernet to an Android-based phone, and I wanted to connect to a wireguard peer running on the phone. Modern version of Android randomize the IPv4 address of their tethered interface on each reboot, but their link-local IPv6 address remains the same, making it more convenient to use it.
(What I was doing was using socat on the Android phone to relay an external wireguard peer to a locally running listener, and then connecting to that from the VyOS router. When doing this, since the UDP connection to the wireguard peer originates on the phone, the relayed wireguard connection between the router and the external wireguard peer isn't subject to tethering data limits on an otherwise unlimited plan. The VyOS router would then use the unlimited wireguard connection as a failover connection.)
I can't really think of any normal circumstances where one would need a link-local IPv6 address as a wireguard peer though.
@odhnera Try to comment or delete the validation string and restart vyos-configd service
sudo nano -c +5 /opt/vyatta/share/vyatta-cfg/templates/interfaces/wireguard/node.tag/peer/node.tag/address/node.def
sudo systemctl restart vyos-configd
After this, you should be allowed to set link_local_v6.
Can you test it?
Thanks; I just tested commenting out line 5 of that file, and it successfully works around the issue, allowing me to set a link-local IPv6 address as my endpoint. The wireguard connection itself also works, and I can pass traffic.
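The thread above shows that the workaround is to comment out the address validation entirely, which is fine for a test but not what the fixed validator should do. The following is an added example, not VyOS code and not from any participant in this thread, of what an extended address/host validator can look like: it accepts an IPv6 link-local address carrying a %zone suffix, but still rejects a zone on a non-link-local or IPv4 address and rejects a zone that is not a plausible Linux interface name (the name pattern and the `validate_peer_address` function are this example's own assumptions). Keeping the zone part strict matters because the value is later handed to tooling such as `wg set ... endpoint`, so the validator is the place where stray characters should be stopped.

```python
import ipaddress
import re

# Conservative pattern for a Linux interface name used as an IPv6 zone identifier:
# at most 15 characters (IFNAMSIZ - 1), letters, digits, '_', '.' and '-' only.
# This pattern is an assumption made for the example, not the VyOS rule.
_IFNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")


def validate_peer_address(value: str) -> dict:
    """Validate a peer address, allowing 'fe80::x%ifname' style link-local IPv6.

    Returns a dict with 'valid' plus either a 'reason' (on failure) or the
    parsed 'address', 'zone' and 'link_local' flag (on success).
    """
    # Split off an optional zone identifier before parsing the address part,
    # so the result does not depend on which Python versions parse '%' natively.
    addr_part, sep, zone = value.partition("%")
    try:
        addr = ipaddress.ip_address(addr_part)
    except ValueError:
        return {"valid": False, "reason": "not an IPv4 or IPv6 address"}

    if not sep:
        # Plain address without a zone: accepted as before.
        return {"valid": True, "address": str(addr), "zone": None,
                "link_local": addr.is_link_local}

    if addr.version != 6:
        return {"valid": False, "reason": "zone identifier is only meaningful for IPv6"}
    if not addr.is_link_local:
        # A zone only makes sense for fe80::/10; anything else is a likely typo
        # or an attempt to smuggle extra characters past the validator.
        return {"valid": False,
                "reason": "zone identifier is only allowed on link-local (fe80::/10) addresses"}
    if not _IFNAME_RE.fullmatch(zone):
        return {"valid": False, "reason": "zone identifier is not a plausible interface name"}

    return {"valid": True, "address": str(addr), "zone": zone, "link_local": True}


if __name__ == "__main__":
    # Constructed sample inputs covering the cases discussed in the thread.
    for sample in ("fe80::1%eth0", "fe80::1", "2001:db8::1%eth0",
                   "192.0.2.1%eth0", "fe80::1%eth0 extra", "not-an-ip"):
        print(f"{sample!r:24} -> {validate_peer_address(sample)}")
```

Run it directly to see each sample classified; the two link-local forms are the only ones that pass with a zone attached, and `fe80::1%eth0 extra` is rejected by the interface-name check rather than by the address parser.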