Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	SrividyaA
	Mar 14 2025, 6:20 PM

Description

A traceback error is received if configured public key is starting with //

set int wireguard wg01 peer to-wg02 public-key '//3/sDdozmikDxtYPw0MMYeuM2WPX7cgLnSH6L5+BQU='

vyos@vyos# commit
[ interfaces wireguard wg01 ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Contact us using the online help desk if you have a subscription:
  https://support.vyos.io/
- Make sure you are running the latest version of VyOS available at:
  https://vyos.net/get/
- Consult the community forum to see how to handle this issue:
  https://forum.vyos.io
- Join us on Slack where our users exchange help and advice:
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
  business policy requires it)
- and include all the information presented below

Report time:      2025-03-14 18:08:07
Image version:    VyOS 1.4.1
Release train:    sagitta

Built by:         VyOS Networks Iberia S.L.U.
Built on:         Thu 19 Dec 2024 16:39 UTC
Build UUID:       857ab426-c3d8-4254-b23a-0ad62a45ecc7
Build commit ID:  98c72c5c45a7a1-dirty

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    898574b0-c264-4c85-8693-da1c745bfbf9

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/interfaces_wireguard.py", line 129, in <module>
    apply(c)
  File "/usr/libexec/vyos/conf_mode/interfaces_wireguard.py", line 120, in apply
    wg.update(wireguard)
  File "/usr/lib/python3/dist-packages/vyos/ifconfig/wireguard.py", line 220, in update
    self._cmd(cmd.format(**peer_config))
  File "/usr/lib/python3/dist-packages/vyos/ifconfig/control.py", line 52, in _cmd
    return cmd(command, self.debug)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/process.py", line 155, in cmd
    raise OSError(code, feedback)
PermissionError: [Errno 1] failed to run command: wg set wg01 listen-port 51820 fwmark 0 private-key /tmp/tmp6aba_vo8 peer {} preshared-key /dev/null allowed-ips 192.168.200.0/24 endpoint 10.0.1.2:51820
returned:
exit code: 1

noteworthy:
cmd 'nft --check delete element inet vrf_zones ct_iface_map { "wg01" }'
returned (out):

returned (err):
Error: Could not process rule: No such file or directory
delete element inet vrf_zones ct_iface_map { wg01 }
                                             ^^^^
cmd 'wg set wg01 listen-port 51820 fwmark 0 private-key /tmp/tmp6aba_vo8 peer {} preshared-key /dev/null allowed-ips 192.168.200.0/24 endpoint 10.0.1.2:51820'
returned (out):

returned (err):
Key is not the correct length or format: `{}'

[[interfaces wireguard wg01]] failed
Commit failed
[edit]
vyos@vyos# compare commands

set interfaces wireguard wg01 address '10.100.1.1/30'
set interfaces wireguard wg01 peer to-wg02 address '10.0.1.2'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.200.0/24'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 public-key
set interfaces wireguard wg01 port '51820'
set interfaces wireguard wg01 private-key 'iJJyEARGK52Ls1GYRCcFvPuTj7WyWYDo//BknoDU0XY='

Whereas in rolling release, it does not give any error and commits successfully with empty public key:

vyos@vyos# comp
[interfaces]
+ wireguard wg01 {
+     address "10.100.1.1/30"
+     peer to-wg02 {
+         address "10.0.1.2"
+         allowed-ips "192.168.200.0/24"
+         port "51820"
+         public-key
+     }
+     port "51820"
+     private-key "iJJyEARGK52Ls1GYRCcFvPuTj7WyWYDo//BknoDU0XY="
+ }

[edit]
vyos@vyos# commit
[edit]
vyos@vyos# run sh conf comm | grep wireguard
set interfaces wireguard wg01 address '10.100.1.1/30'
set interfaces wireguard wg01 peer to-wg02 address '10.0.1.2'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.200.0/24'
set interfaces wireguard wg01 peer to-wg02 port '51820'
set interfaces wireguard wg01 peer to-wg02 public-key
set interfaces wireguard wg01 port '51820'
set interfaces wireguard wg01 private-key 'iJJyEARGK52Ls1GYRCcFvPuTj7WyWYDo//BknoDU0XY='
[edit]

Version:
vyos@vyos# run sh ver
Version: VyOS 2025.03.14-0017-rolling
Release train: current
Release flavor: generic

Built by: autobuild@vyos.net
Built on: Fri 14 Mar 2025 00:17 UTC
Build UUID: 0969a76f-625b-47fd-aebf-d86026842580

Details

Version: 1.4.1, 2025.03.14-0017-rolling
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Related Objects

Mentioned In: rVYOSONEX27e4b0a5eaf7: Merge pull request #29 from jestabro/strip-version
rVYOSONEXc0c11e011f1a: T7246: update hash for strip version on config load
rVYOSONEX55b2d352333e: Merge pull request #28 from jestabro/relax-lexer
rVYOSONEXb92033fd1ae9: T7246: update vyos1x-config hash
1.4.3
rVYOSONEX4871e5bb5b8c: Merge pull request #4415 from jestabro/strip-version
rVYOSONEX42bc671b1875: T7246: update hash for strip version on config load
rVYOSONEXf2d427bd6b2a: Merge pull request #4402 from c-po/wireguard-key-T7246
rVYOSONEX8021bdd62e41: wireguard: T7246: verify Base64 encoded 32byte boundary on keys
rVYOSONEX7eec4583bf7f: Merge pull request #4407 from jestabro/relax-lexer-test
rVYOSONEXfbf871b3cdbb: T7246: update libvyosconfig hash and add nosetest
rVYOSONEX39364b6a9f8c: Merge pull request #4406 from jestabro/relax-lexer
rVYOSONEX6dd7dbc2500d: T7246: do not pass unneeded version string to parser

Event Timeline

SrividyaA created this task.Mar 14 2025, 6:20 PM

pasik subscribed.Mar 14 2025, 11:00 PM

FYI: https://lists.zx2c4.com/pipermail/wireguard/2020-December/006222.html by Jason A. Donenfeld

dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.3), VyOS Rolling, VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta (1.4.1).Mar 17 2025, 2:17 PM

dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.

SrividyaA renamed this task from Wireguard: Need a valid error if the public-key is invalid base64 to Wireguard: Traceback error received if the public-key starts with //.Mar 17 2025, 4:33 PM

SrividyaA updated the task description. (Show Details)

SrividyaA changed Version from 1.4.1 to 1.4.1, 2025.03.14-0017-rolling.

Viacheslav triaged this task as Normal priority.Mar 17 2025, 5:04 PM

c-po claimed this task.Mar 17 2025, 7:56 PM

https://github.com/vyos/vyos-1x/pull/4402

Change is perfectly compatible as it was not working in the first place.

c-po changed Is it a breaking change? from Perfectly compatible to Stricter validation.Mar 17 2025, 8:06 PM

c-po changed Is it a breaking change? from Stricter validation to Perfectly compatible.

jestabro claimed this task.Mar 18 2025, 12:57 PM

jestabro added a subscriber: c-po.

The lexer is unnecessarily aggressive in disallowing strings following '//', originally added to ignore version string information. This has the side effect of ignoring legitimate values. Since the version string is extracted before parsing, this restriction can be dropped. Fix in preparation.

PR's:
https://github.com/vyos/vyos-1x/pull/4406

jestabro mentioned this in rVYOSONEX6dd7dbc2500d: T7246: do not pass unneeded version string to parser.Mar 20 2025, 2:20 PM

Restricted Repository Identity mentioned this in rVYOSONEX39364b6a9f8c: Merge pull request #4406 from jestabro/relax-lexer.Mar 20 2025, 2:20 PM

jestabro mentioned this in rVYOSONEXfbf871b3cdbb: T7246: update libvyosconfig hash and add nosetest.Mar 20 2025, 4:59 PM

Restricted Repository Identity mentioned this in rVYOSONEX7eec4583bf7f: Merge pull request #4407 from jestabro/relax-lexer-test.Mar 20 2025, 4:59 PM

c-po mentioned this in rVYOSONEX8021bdd62e41: wireguard: T7246: verify Base64 encoded 32byte boundary on keys.Mar 20 2025, 9:05 PM

Restricted Repository Identity mentioned this in rVYOSONEXf2d427bd6b2a: Merge pull request #4402 from c-po/wireguard-key-T7246.Mar 20 2025, 9:05 PM

jestabro mentioned this in rVYOSONEX42bc671b1875: T7246: update hash for strip version on config load.Mar 25 2025, 7:38 PM

Restricted Repository Identity mentioned this in rVYOSONEX4871e5bb5b8c: Merge pull request #4415 from jestabro/strip-version.Mar 25 2025, 7:38 PM

jestabro closed this task as Resolved.May 4 2025, 8:47 PM

jestabro moved this task from Open to Finished on the VyOS 1.5 Circinus board.

jestabro moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.3) board.