Control: retitle 921017 wireguard: wg setconf doesn't always set all allowed-ips
Control: reassign 921017 wireguard-tools

Hi Piotr--

On Mon 2019-09-09 12:40:30 +0200, Piotr Ożarowski wrote:
> yes, I can still replicate it with 0.0.20190905-1 but I do it on stable
> (first Stretch now Buster) with packages from unstable (without
> rebuilding them). Every time different peer (I have 11 of them) gets a
> non complete AllowedIPs so I admit it's hard to reproduce…

Thanks for testing again so promptly, and sorry for the delay on my side.

This is a delicate situation because i want to try to reproduce the problem you're seeing but i don't want to leak any secret information from your system (or any of your peers' public metadata either, unless you're ok with that).

If i can try to restate the problem, it sounds like "wg setconf" is not reliably setting all the allowed-ips from a complex configuration file. But "wg set" itself always works fine to adjust it, right?

That makes it sound like a problem with the "wg setconf" subcommand itself.

So can you help me figure out how i can replicate the problem without leaking your secret information? For example, can you supply a templated configuration file that fails sometimes (but with relevant secrets and sensitive public metadata redacted)?

For example, is this something you can replicate intermittently by running the configuration steps in a tight loop, and testing for the failure after each time? I've tried to do that briefly with some simple tests, but i still can't seem to get it to happen, even from a debian buster installation (with wireguard-dkms and wireguard-tools installed from unstable directly).

> PS I have another problem that I didn't report yet on one (and only one)
> of my peers which I don't think is related, but in case it is:
> from time to time (sometimes few days apart sometimes weeks)
> wireguard freezes (as in it doesn't accept any in/out connections).
> Restarting (ip l set dev wg0 down and up again) doesn't help. What
> helps is to change listening port to something else. This peer has a
> non-public and dynamic IP (but I have another client using the same
> provider on my OpenWRT router and it seems to work fine there)

hm, this is likely to be a different thing, so if you want to discuss it, please open it as a separate ticket.

        --dkg
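
One way to run the tight-loop check asked about in the message above, as an added example that is not part of the original message or of wireguard-tools: it applies a config with `wg setconf`, reads back `wg show IFACE allowed-ips`, and reports any peer/prefix pair that went missing. The function names are hypothetical, and the script assumes prefixes in the config are written in the canonical form `wg` prints and that each prefix is listed for only one peer.

```shell
#!/bin/sh
# Added example. Keys and addresses used with it are constructed, not real.
# Assumes each PublicKey line precedes that peer's AllowedIPs lines and that
# prefixes are written in the canonical form wg prints (e.g. 10.0.1.0/24).

# stdin: wg setconf-style config. stdout: sorted "pubkey prefix" pairs.
expected_pairs() {
    awk -F= '
        /^[[:space:]]*\[/ { key = ""; next }      # new section: forget the peer
        {
            name = tolower($1); gsub(/[[:space:]]/, "", name)
            val = substr($0, index($0, "=") + 1)  # keeps "=" padding in keys
            sub(/#.*/, "", val)
        }
        name == "publickey" { gsub(/[[:space:]]/, "", val); key = val }
        name == "allowedips" && key != "" {
            n = split(val, ips, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", ips[i])
                if (ips[i] != "") print key, ips[i]
            }
        }' | LC_ALL=C sort -u
}

# stdin: output of `wg show IFACE allowed-ips`. stdout: sorted pairs.
actual_pairs() {
    awk '{ for (i = 2; i <= NF; i++) if ($i != "(none)") print $1, $i }' |
        LC_ALL=C sort -u
}

# $1 = config file, $2 = file with wg show output. Prints pairs that were lost.
missing_pairs() {
    want=$(mktemp); have=$(mktemp)
    expected_pairs < "$1" > "$want"; actual_pairs < "$2" > "$have"
    LC_ALL=C comm -23 "$want" "$have"
    rm -f "$want" "$have"
}

# $1 = scratch interface, $2 = config, $3 = iterations. Needs root.
repro_loop() {
    n=0; out=$(mktemp)
    while [ "$n" -lt "$3" ]; do
        wg setconf "$1" "$2" && wg show "$1" allowed-ips > "$out" || return 2
        lost=$(missing_pairs "$2" "$out")
        [ -z "$lost" ] || { echo "iteration $n lost: $lost"; return 1; }
        n=$((n + 1))
    done
    rm -f "$out"
}
```

The output of `missing_pairs` contains only public keys and prefixes, so it can be redacted line by line before being attached to a bug report.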