fwmark not applying when using AllowedIPs = 0.0.0.0/0 #132
Comments
I have the exact same problem running with the same options in an alpine based docker container. Any help would be appreciated.
+1
Expected: (wireguard-go)
Actual: (boringtun)
The wg tool can't display the fwmark since fwmark is written as part of each peer, when fwmark should be written before the peers. This is a bug in boringtun. Line 143 in 0fb1891
But this particular bug shouldn't change how fwmark is used on WireGuard packets in boringtun.
The fwmark key must be included before any peers.
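As an added illustration (not boringtun's or wireguard-tools' code), a small Python model of how a userspace `get=1` response is consumed: interface keys are honoured only before the first `public_key=` line, so a `fwmark=` emitted inside a peer block is dropped, which is why `wg show` prints no fwmark. The parsing rule and the two sample responses are assumptions modelled on the ordering requirement quoted above; the key values are constructed placeholders.

```python
# Constructed sample "get=1" responses in the wg userspace IPC format
# (key=value lines, terminated by a blank line). Key values are placeholders.
IFACE = "private_key=<hex_private_key>\nlisten_port=56761\n"
PEER = ("public_key=<hex_peer_key>\nendpoint=203.0.113.1:51820\n"
        "allowed_ip=0.0.0.0/0\npersistent_keepalive_interval=21\n")
BUGGY_RESPONSE = IFACE + PEER + "fwmark=51820\nerrno=0\n\n"   # fwmark inside the peer block
FIXED_RESPONSE = IFACE + "fwmark=51820\n" + PEER + "errno=0\n\n"  # fwmark before any peer

INTERFACE_KEYS = {"private_key", "listen_port", "fwmark"}


def parse_get_response(text):
    """Parse a get=1 response the way the wg tool is assumed to: interface
    keys count only before the first public_key= line; once a peer has
    started, the parser is in peer scope and ignores them."""
    iface, peers, peer = {}, [], None
    for line in text.splitlines():
        if not line:
            break  # blank line ends the response
        key, _, value = line.partition("=")
        if key == "public_key":
            peer = {"public_key": value, "allowed_ips": []}
            peers.append(peer)
        elif key in INTERFACE_KEYS:
            if peer is None:
                iface[key] = value
            # else: a misplaced interface key is silently dropped
        elif key == "errno":
            iface["errno"] = int(value)
        elif peer is not None:
            if key == "allowed_ip":
                peer["allowed_ips"].append(value)
            else:
                peer[key] = value
    return iface, peers


def misplaced_interface_keys(text):
    """Lint a response: return interface keys that appear after a peer has
    started (the ordering error this issue reports)."""
    seen_peer, bad = False, []
    for line in text.splitlines():
        key = line.partition("=")[0]
        if key == "public_key":
            seen_peer = True
        elif seen_peer and key in INTERFACE_KEYS:
            bad.append(key)
    return bad
```

Running `misplaced_interface_keys` over an implementation's raw `get=1` output is a quick way to tell a display bug in the emitter apart from a fwmark that really was never applied to the socket.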
So when I run wg-quick, everything looks normal:
$ sudo WG_QUICK_USERSPACE_IMPLEMENTATION=boringtun WG_SUDO=1 wg-quick up ./wg0.conf
[#] boringtun wg0
BoringTun started successfully
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.3/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
But, using wg show, the fwmark option isn't there.
$ sudo wg show
interface: wg0
public key: <PUBLIC_KEY>
private key: (hidden)
listening port: 56761
The fwmark setting is usually listed here
peer: <PEER_PUBLIC_KEY>
endpoint: <ENDPOINT_IP>:<ENDPOINT_PORT>
allowed ips: 0.0.0.0/0
latest handshake: 14 seconds ago
transfer: 456 B received, 9.21 KiB sent
persistent keepalive: every 21 seconds
As a result, I am not able to use this to emerge via my endpoint. Nor am I able to access SSH on that endpoint server via its VPN IP address.
I have also set the caps:
boringtun = cap_net_admin+eip
However, if I use wireguard-go, this does work:
$ sudo wg show
interface: wg0
public key: <PUBLIC_KEY>
private key: (hidden)
listening port: 43448
fwmark: 0xca6c
peer: <PEER_PUBLIC_KEY>
endpoint: <ENDPOINT_IP>:<ENDPOINT_PORT>
allowed ips: 0.0.0.0/0
transfer: 0 B received, 296 B sent
persistent keepalive: every 21 seconds
And I am able to route via my endpoint.
I am using Gentoo:
Linux gentoo 5.4.28-gentoo-x86_64 #1 SMP Mon Apr 27 14:39:46 -00 2020 x86_64 Intel(R) Core(TM) i5-3317U CPU @ 1.70GHz GenuineIntel GNU/Linux