Hoi folks, On a reasonably recent VPP, I'm trying to create a Wireguard tunnel, it's not working for me and I have a few questions (and found a few small bugs along the way) - I'm hoping you can help me further :) This is on two instances of VPP running on a hypervisor (KVM so interfaces are virtio) and the version is *vpp v22.02-rc0~347-gb28df767d built by pim on hippo at 2021-11-30T15:22:48*
After bringing up basic connectivity, machine vpp1 has a loopback 192.168.10.0 and vpp2 has a loopback 192.168.10.3 -- they can reach each other fine, and there is no additional configuration (like ACLs and such) -- vpp1# ping 192.168.10.3 116 bytes from 192.168.10.3: icmp_seq=1 ttl=62 time=5.7011 ms 116 bytes from 192.168.10.3: icmp_seq=2 ttl=62 time=4.4814 ms 116 bytes from 192.168.10.3: icmp_seq=3 ttl=62 time=4.4962 ms 116 bytes from 192.168.10.3: icmp_seq=4 ttl=62 time=23.2758 ms 116 bytes from 192.168.10.3: icmp_seq=5 ttl=62 time=5.6050 ms Statistics: 5 sent, 5 received, 0% packet loss vpp1# wireguard create listen-port 50869 src 192.168.10.0 generate-key vpp1# set int state wg0 up vpp1# set int mtu packet 1420 wg0 vpp1# set interface ip address wg0 10.0.123.1/24 vpp1# set interface ip address wg0 2001:db8::1/64 vpp1# show wireguard interface [0] wg0 src:192.168.10.0 port:50869 private-key:CJ5whwpgaWQRFGfU6PzJXYs06ix8IOfrE63iKDSl9lU= 089e70870a606964111467d4e8fcc95d8b34ea2c7c20e7eb13ade22834a5f655 public-key:x3ULwpplNvNRq5vl0ejj9ixlA5vEMLjip5M89Jvv3F0= c7750bc29a6536f351ab9be5d1e8e3f62c65039bc430b8e2a7933cf49befdc5d mac-key: ce323661f94c40e14e6efcfd5ca4827e5d4ea53cdc3cd4c3b0413462de99b539 vpp1# wireguard peer add wg0 public-key qZz6XPwtrrEJw2rnzFHXYCm5KGm7+Cc9clpoP+B6kQc= allowed-ip 10.0.123.2/32 vpp1# show wireguard peer [0] endpoint:[192.168.10.0:50869->202c:8103:ab7f:0:ff00:::0] wg0 keep-alive:0 flags: 0, api-clients count: 0 adj: key:qZz6XPwtrrEJw2rnzFHXYCm5KGm7+Cc9clpoP+B6kQc= a99cfa5cfc2daeb109c36ae7cc51d76029b92869bbf8273d725a683fe07a9107 allowed-ips: 10.0.123.2/32 I noticed right off the bat that the endpoint seems weird: 192.168.10.0:50869->202c:8103:ab7f:0:ff00:::0 is off considering nothing has been configured on machine vpp2 yet. That sounds like a formatting bug to me, so I continued with the other machine: vpp2# wireguard create listen-port 50869 src 192.168.10.3 generate-key vpp2# set int state wg0 up vpp2# set int mtu packet 1420 wg0 vpp2# set interface ip address wg0 10.0.123.2/24 vpp2# set interface ip address wg0 2001:db8::2/64 vpp2# wireguard peer add wg0 public-key x3ULwpplNvNRq5vl0ejj9ixlA5vEMLjip5M89Jvv3F0= allowed-ip 10.0.123.0/24 port 50869 endpoint 192.168.10.0 vpp2# show wireguard peer [0] endpoint:[192.168.10.3:50869->192.168.10.0:50869] wg0 keep-alive:0 flags: 0, api-clients count: 0 adj: key:x3ULwpplNvNRq5vl0ejj9ixlA5vEMLjip5M89Jvv3F0= c7750bc29a6536f351ab9be5d1e8e3f62c65039bc430b8e2a7933cf49befdc5d allowed-ips: 10.0.123.0/24 Observations: * On vpp2, the relationship seems correct to me 192.168.10.3:50869-> 192.168.10.0:50869 but on vpp1, the relationship is still 192.168.10.0:50869 ->202c:8103:ab7f:0:ff00:::0 * If I don't specify an "allowed-ip" argument, VPP crashes. It seems we can catch that and return an error instead. * The usage of 'wireguard peer add' claims the argument is 'dst-port', but it's "port" instead. There's also a formatting error there (between <pub_key_other> and endpoint, missing space: wireguard peer add <wg_int> public-key <pub_key_other>endpoint <ip4_dst> allowed-ip <prefix>dst-port [port_dst] persistent-keepalive [keepalive_interval] The tunnel is not functional, If I look at the connection between vpp1 and vpp2, I do see that vpp2 is sending handshake packets: pim@hvn0:/srv/kvm$ sudo tcpdump -evni vpp1-vpp2 udp and port 50869 tcpdump: listening on vpp1-vpp2, link-type EN10MB (Ethernet), snapshot length 262144 bytes 12:51:28.929809 52:54:00:02:10:01 > 52:54:00:01:10:02, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 62, id 0, offset 0, flags [none], proto UDP (17), length 176) 192.168.10.3.50869 > 192.168.10.0.50869: UDP, length 148 12:51:33.945859 52:54:00:02:10:01 > 52:54:00:01:10:02, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 62, id 0, offset 0, flags [none], proto UDP (17), length 176) 192.168.10.3.50869 > 192.168.10.0.50869: UDP, length 148 12:51:39.216163 52:54:00:02:10:01 > 52:54:00:01:10:02, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 62, id 0, offset 0, flags [none], proto UDP (17), length 176) 192.168.10.3.50869 > 192.168.10.0.50869: UDP, length 148 12:51:44.357225 52:54:00:02:10:01 > 52:54:00:01:10:02, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 62, id 0, offset 0, flags [none], proto UDP (17), length 176) 192.168.10.3.50869 > 192.168.10.0.50869: UDP, length 148 But vpp1 is not receiving them. Show errors and show logging gives me no reasonable leads. Can somebody help me figure this out ? groet, Pim -- Pim van Pelt <p...@ipng.nl> PBVP1-RIPE - http://www.ipng.nl/
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#20690): https://lists.fd.io/g/vpp-dev/message/20690 Mute This Topic: https://lists.fd.io/mt/88321357/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-