[FEAT] Do not regenerate all peers when adding a new peer #297

Closed
1 task done
3891sinneD opened this issue Aug 27, 2023 · 5 comments
Labels
enhancement New feature or request

Comments

@3891sinneD

Is this a new feature request?

  • I have searched the existing issues

Wanted change

Maybe you can add a parameter, like REGENERATE_ALL true|false, so when you add one new peer on recreating the container it will only add the new peer, or add the new peer and regenerate all the configs.

Reason for change

I made some IPv6 adjustments, and now when I add a new peer all the configs are regenerated and the start-up of the container will fail.
Because some of the IPv6 addresses will remain in the config, but not in a proper way.
Like:
Address: 2a02:a44b:xxxx:1:1 remains as
2a02:a44b:xxxx:1:1

Proposed code change

No response

3891sinneD added the enhancement label Aug 27, 2023
@github-actions

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

@aptalca (Member)

aptalca commented Aug 27, 2023

Please elaborate further.

The peer confs are not necessarily used for the server so they shouldn't cause startup issues. Are you making manual changes to the wg0.conf?

@3891sinneD (Author)

I see, I was a bit too quick.
For IPv6 I've edited the wg0.conf too.

I made a test environment and this is my wg0.conf with 1 peer:

[Interface]
Address = 10.13.13.1
Address = 2a02:a44b:xxxx:3::1/64
ListenPort = 51820
PrivateKey = <private key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer_Test1
PublicKey = <public key>
PresharedKey = <pre shared key>
AllowedIPs = 10.13.13.2/32,2a02:a44b:xxxx:3::2/128

And the conf for Test1:

[Interface]
Address = 10.13.13.2
Address = 2a02:a44b:xxxx:3::2/128
PrivateKey = <private key>
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = <public key>
PresharedKey = <pre shared key>
Endpoint = <endpoint url>:51820
AllowedIPs = 0.0.0.0/0, ::/0

But now, when I add an extra peer when recreating the WireGuard container (-e PEERS=Test1,Test2 \), the wg0.conf is not valid anymore, so WireGuard will fail to start. But also the peer.conf for peer1 is not valid anymore.

linux/arm64, go1.20.7,
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Line unrecognized: `2a02:a44b:xxxx:3::2/128/32'
Configuration parsing error
[#] ip link delete dev wg0
s6-rc: warning: unable to start service svc-wireguard: command exited 1

The wg0.conf now looks like this: the IPv6 address is missing for the interface, the ip6tables settings are gone, and the IPv6 allowed IP for Test1 is just a bare string in the config:

[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = <private key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer_Test1
PublicKey = <public key>
PresharedKey = <pre shared key>
AllowedIPs = 10.13.13.2
2a02:a44b:xxxx:3::2/128/32

[Peer]
# peer_Test2
PublicKey = <public key>
PresharedKey = <pre shared key>
AllowedIPs = 10.13.13.3/32

And the config for Test1 is also not valid anymore, in case peer Test1 needs to recreate the tunnel locally on that peer.

[Interface]
Address = 10.13.13.2
2a02:a44b:xxxx:3::2/128
PrivateKey = <private key>
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = <public key>
PresharedKey = <pre shared key>
Endpoint = <endpoint url>:51820
AllowedIPs = 0.0.0.0/0, ::/0

I hope this made things clear.
I would love to have an option so that, when a peer is added, the new peer is added to the wg0.conf (only with an IPv4 address; I'll add an IPv6 address manually)
and the other peers in the wg0.conf and the peer configs are left alone.
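The two defects visible in the regenerated files above are a bare address line that is not a `Key = Value` pair (the line `wg setconf` reports as unrecognized) and a prefix length appended twice (`/128/32`). The following pre-flight check is an added example, not code from this thread or from the linuxserver/wireguard project. It parses a WireGuard-style config with only the standard library, flags any non-comment line that is not a section header or a `Key = Value` pair, and validates every entry of `Address` and `AllowedIPs` with `ipaddress.ip_network`. The embedded sample is a constructed copy of the broken wg0.conf with the redacted `2a02:a44b:xxxx::/48` prefix replaced by the `2001:db8::/32` documentation range; the file path in the usage block is a placeholder.

```python
import ipaddress
import re
import sys

# Constructed sample: the regenerated wg0.conf from the report, with the
# orphaned IPv6 line and the doubled prefix length (documentation prefix).
BROKEN_WG0_CONF = """\
[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = <private key>

[Peer]
# peer_Test1
PublicKey = <public key>
PresharedKey = <pre shared key>
AllowedIPs = 10.13.13.2
2001:db8:0:3::2/128/32

[Peer]
# peer_Test2
PublicKey = <public key>
PresharedKey = <pre shared key>
AllowedIPs = 10.13.13.3/32
"""

# Constructed sample: the same server config as it looked before regeneration.
GOOD_WG0_CONF = """\
[Interface]
Address = 10.13.13.1
Address = 2001:db8:0:3::1/64
ListenPort = 51820
PrivateKey = <private key>

[Peer]
# peer_Test1
PublicKey = <public key>
PresharedKey = <pre shared key>
AllowedIPs = 10.13.13.2/32,2001:db8:0:3::2/128
"""

# Keys whose values are comma-separated IP addresses or prefixes.
ADDRESS_KEYS = {"Address", "AllowedIPs"}

# wg(8) only accepts "Key = Value" lines inside a section; anything else
# yields the "Line unrecognized" parse error seen in the container log.
KV_RE = re.compile(r"^([A-Za-z]+)\s*=\s*(.*?)$")


def validate_wg_conf(text):
    """Return a list of (line_no, message); an empty list means the file parses."""
    problems = []
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section not in ("Interface", "Peer"):
                problems.append((line_no, f"unknown section [{section}]"))
            continue
        if section is None:
            problems.append((line_no, "key outside of any section"))
            continue
        m = KV_RE.match(line)
        if not m:
            # Bare address lines left behind by a partial rewrite land here.
            problems.append((line_no, f"line unrecognized: {line!r}"))
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in ADDRESS_KEYS:
            for item in (v.strip() for v in value.split(",")):
                if not item:
                    continue
                try:
                    # strict=False accepts host addresses with or without a prefix;
                    # a second "/" (as in /128/32) raises ValueError.
                    ipaddress.ip_network(item, strict=False)
                except ValueError:
                    problems.append((line_no, f"{key}: invalid address/prefix {item!r}"))
    return problems


def conf_is_valid(text):
    """Convenience wrapper for scripts that only need a go/no-go answer."""
    return not validate_wg_conf(text)


if __name__ == "__main__":
    # Usage: python3 check_wg_conf.py path/to/wg0.conf   (path is a placeholder)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    conf_text = open(path).read() if path else BROKEN_WG0_CONF
    for line_no, message in validate_wg_conf(conf_text):
        print(f"{path or '<sample>'}:{line_no}: {message}")
    sys.exit(0 if conf_is_valid(conf_text) else 1)
```

Run against the sample it reports line 11 as unrecognized, which is the same line `wg setconf` rejects; wiring the script into the container's start-up (or a host-side check before `docker compose up`) turns a failed tunnel into a refused restart with a readable reason. The check is deliberately stricter than `wg` on addresses: `wg` would also accept the bare-string line if it were a valid `Key = Value` pair, so the `ipaddress` validation catches the `/128/32` case even where it is attached to a key.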

@aptalca (Member)

aptalca commented Aug 27, 2023

We don't support manual edits to the wg0.conf in server mode with PEERS set. wg0.conf has to be auto-generated when there are changes to the vars, like adding a new peer. Any user changes need to be made through the env vars and/or the server conf template.

@drizuid (Member)

drizuid commented Sep 11, 2023

This is a bit off topic, but I have to just toss this out... why in the world are you NATing IPv6? The whole point of IPv6 is that with the, on average, 18 quintillion IP addresses you get, you do not ever need to NAT.
Either way, the issue was caused by an unsupported direct change, as mentioned above; closing as non-reproducible.

drizuid closed this as not planned Sep 11, 2023