Wireguard: Traceback error received if the public-key starts with //
In progress, Normal, Public, BUG

Description

A traceback error is received if the configured public key starts with //

set int wireguard wg01 peer to-wg02 public-key '//3/sDdozmikDxtYPw0MMYeuM2WPX7cgLnSH6L5+BQU='

vyos@vyos# commit
[ interfaces wireguard wg01 ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Contact us using the online help desk if you have a subscription:
  https://support.vyos.io/
- Make sure you are running the latest version of VyOS available at:
  https://vyos.net/get/
- Consult the community forum to see how to handle this issue:
  https://forum.vyos.io
- Join us on Slack where our users exchange help and advice:
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
  business policy requires it)
- and include all the information presented below

Report time:      2025-03-14 18:08:07
Image version:    VyOS 1.4.1
Release train:    sagitta

Built by:         VyOS Networks Iberia S.L.U.
Built on:         Thu 19 Dec 2024 16:39 UTC
Build UUID:       857ab426-c3d8-4254-b23a-0ad62a45ecc7
Build commit ID:  98c72c5c45a7a1-dirty

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    898574b0-c264-4c85-8693-da1c745bfbf9

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/interfaces_wireguard.py", line 129, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/interfaces_wireguard.py", line 120, in apply
    wg.update(wireguard)
  File "/usr/lib/python3/dist-packages/vyos/ifconfig/wireguard.py", line 220, in update
    self._cmd(cmd.format(**peer_config))
  File "/usr/lib/python3/dist-packages/vyos/ifconfig/control.py", line 52, in _cmd
    return cmd(command, self.debug)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 155, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: wg set wg01 listen-port 51820 fwmark 0 private-key /tmp/tmp6aba_vo8 peer {} preshared-key /dev/null allowed-ips 192.168.200.0/24 endpoint 10.0.1.2:51820
returned:
exit code: 1

noteworthy:
cmd 'nft --check delete element inet vrf_zones ct_iface_map { "wg01" }'
returned (out):

returned (err):
Error: Could not process rule: No such file or directory
delete element inet vrf_zones ct_iface_map { wg01 }
                                             ^^^^
cmd 'wg set wg01 listen-port 51820 fwmark 0 private-key /tmp/tmp6aba_vo8 peer {} preshared-key /dev/null allowed-ips 192.168.200.0/24 endpoint 10.0.1.2:51820'
returned (out):

returned (err):
Key is not the correct length or format: `{}'

[[interfaces wireguard wg01]] failed
Commit failed
[edit]
vyos@vyos# compare commands

set interfaces wireguard wg01 address '10.100.1.1/30'
set interfaces wireguard wg01 peer to-wg02 address '10.0.1.2'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.200.0/24'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 public-key
set interfaces wireguard wg01 port '51820'
set interfaces wireguard wg01 private-key 'iJJyEARGK52Ls1GYRCcFvPuTj7WyWYDo//BknoDU0XY='

Whereas in the rolling release, it does not give any error and commits successfully with an empty public key:

vyos@vyos# comp
[interfaces]
+ wireguard wg01 {
+     address "10.100.1.1/30"
+     peer to-wg02 {
+         address "10.0.1.2"
+         allowed-ips "192.168.200.0/24"
+         port "51820"
+         public-key
+     }
+     port "51820"
+     private-key "iJJyEARGK52Ls1GYRCcFvPuTj7WyWYDo//BknoDU0XY="
+ }

[edit]
vyos@vyos# commit
[edit]
vyos@vyos# run sh conf comm | grep wireguard
set interfaces wireguard wg01 address '10.100.1.1/30'
set interfaces wireguard wg01 peer to-wg02 address '10.0.1.2'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.200.0/24'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 public-key
set interfaces wireguard wg01 port '51820'
set interfaces wireguard wg01 private-key 'iJJyEARGK52Ls1GYRCcFvPuTj7WyWYDo//BknoDU0XY='
[edit]

Version:
vyos@vyos# run sh ver
Version: VyOS 2025.03.14-0017-rolling
Release train: current
Release flavor: generic

Built by: autobuild@vyos.net
Built on: Fri 14 Mar 2025 00:17 UTC
Build UUID: 0969a76f-625b-47fd-aebf-d86026842580

Details

Version
1.4.1, 2025.03.14-0017-rolling
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
SrividyaA renamed this task from Wireguard: Need a valid error if the public-key is invalid base64 to Wireguard: Traceback error received if the public-key starts with //. Mar 17 2025, 4:33 PM
SrividyaA updated the task description.
SrividyaA changed Version from 1.4.1 to 1.4.1, 2025.03.14-0017-rolling.
Viacheslav triaged this task as Normal priority. Mar 17 2025, 5:04 PM

https://github.com/vyos/vyos-1x/pull/4402

Change is perfectly compatible as it was not working in the first place.

c-po changed Is it a breaking change? from Perfectly compatible to Stricter validation. Mar 17 2025, 8:06 PM
c-po changed Is it a breaking change? from Stricter validation to Perfectly compatible.
jestabro changed the task status from Open to In progress. Edited Mar 18 2025, 2:00 PM

The lexer is unnecessarily aggressive in disallowing strings following '//', originally added to ignore version string information. This has the side effect of ignoring legitimate values. Since the version string is extracted before parsing, this restriction can be dropped. Fix in preparation.
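
An added illustration, not VyOS code: a toy tokenizer models how a value that begins with `//` can be discarded as a comment while a key with `//` in the middle survives, and a commit-time check rejects the resulting empty or malformed public-key before any `wg set` command is built. The names `tokenize`, `value_of`, `is_valid_wg_key`, `verify_peer_key` and the local `ConfigError` are assumptions made for this example.

```python
import base64
import binascii
import shlex

WG_KEY_BYTES = 32  # a WireGuard key is 32 bytes, i.e. 44 base64 characters

class ConfigError(Exception):
    """Local stand-in for a commit-time validation error (hypothetical)."""

def tokenize(line, slash_starts_comment):
    """Split a 'set' line into tokens. In the toy 'aggressive' mode a token
    that begins with '//' ends the line as if it were a comment."""
    tokens = []
    for tok in shlex.split(line):
        if slash_starts_comment and tok.startswith('//'):
            break
        tokens.append(tok)
    return tokens

def value_of(tokens, node):
    """Value following `node`, '' if the node is valueless, None if absent."""
    if node not in tokens:
        return None
    idx = tokens.index(node)
    return tokens[idx + 1] if idx + 1 < len(tokens) else ''

def is_valid_wg_key(value):
    """True only for strict base64 that decodes to exactly 32 bytes."""
    if not isinstance(value, str) or len(value) != 44:
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == WG_KEY_BYTES
    except (binascii.Error, ValueError):
        return False

def verify_peer_key(peer, value):
    """Fail the commit with a readable error before `wg set` is assembled."""
    if not is_valid_wg_key(value):
        raise ConfigError(f'peer {peer}: public-key is missing or not a valid key')
    return value

# Command taken from the ticket description
PUB_LINE = ("set int wireguard wg01 peer to-wg02 public-key "
            "'//3/sDdozmikDxtYPw0MMYeuM2WPX7cgLnSH6L5+BQU='")
```

Applied to the valueless `public-key` node shown in the rolling-release output, `verify_peer_key` raises instead of letting the peer commit without a key.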