
wireguard tunnel alias support #134

Open
robertek opened this issue Feb 11, 2021 · 4 comments

@robertek

This is partly a bug, partly a new feature.

It is not possible to add a wireguard interface alias to the pot jail.
Currently, for a wireguard interface the option is to assign its own address manually (ifconfig) and define the jail address without the interface name. This way the address is then correctly assigned to the wireguard interface (if it already has the address).

This corresponds to the base FreeBSD bug I have submitted:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253435

From the POT point of view this cannot be used, because pot always adds an interface name to addresses that do not have one.

There are possible solutions:

  1. a configuration option to say whether the interface name should be added or not (to ipaddr strings without a name)
  2. better, but much more specific: support wireguard directly. When a wgnetX name is defined in the ipaddr string, remove it and create the address manually using "ifconfig wgnetX inet addr addr alias".

I will probably hack the second solution myself locally to be able to use jails comfortably without the need to have all the wireguard addresses allocated.

It is not clear how long it would take to have the fix in the base. Probably the first solution would be enough to have in POT; it is generic enough to support a fixed or not fixed jail command.

@pizzamig
Collaborator

Hi. I'm not sure I've got it right; I have no experience with wireguard yet, so I'm not an expert.

The alias network type already allows you to specify which network interface to use:

pot create -p casserole -t single -b 12.2 -N alias -i "wgnet0|192.168.178.200"

More details here: https://pot.pizzamig.dev/Network/#network-configuration-ipv4-or-ipv6-alias
pot is not based on jail.conf; alias addresses are added at start and removed at stop.

However, from what I read, the ifconfig commands that the wireguard network interface wants are a bit different, hence not supported.
I would need to build a setup on my own to understand how to properly build a workaround. Probably hooks are the best thing here, but they are not yet documented...

@robertek
Author

robertek commented Feb 12, 2021

Wireguard is pretty easy to set up, and will be in 13.0 as a kernel module.
You may see: wireguard quick start

The only difference is that the address is created using
add:
"ifconfig inet alias addr addr"
remove:
"ifconfig inet -alias addr addr"

This is the notation for tunnel interfaces.

I have already tried multiple pot options but without luck. The issue is that pot assigns the default interface name to an address field that has no interface name, which collides with the jail command issue that for a wireguard tunnel only an address without the interface name field works. It sounds crippled, but it is that way (this is also why I also created a bug for the jail command).

On a different host I use iocage, which does not force the interface name string, and I'm able to use wireguard (having the addresses preset directly from the wireguard conf, which is not very convenient but works).

So I need to have ip4.addr="x.x.x.x" not ip4.addr="wgnet0|x.x.x.x".

As a quick and dirty fix that works for me now, I did this:

diff --git a/share/pot/network.sh b/share/pot/network.sh
index 8377fca..4005264 100644
--- a/share/pot/network.sh
+++ b/share/pot/network.sh
@@ -224,17 +224,17 @@ _get_alias_ipv4()
        if [ "$( _get_pot_network_stack "$1" )" != "ipv6" ]; then
                for _i in $2 ; do
                        if echo "$_i" | grep -qF '|' ; then
-                               _nic="$( echo "$_i" | cut -f 1 -d '|' )"
+                               _nic="$( echo "$_i" | cut -f 1 -d '|' )|"
                                _ip="$( echo "$_i" | cut -f 2 -d '|' )"
                        else
-                               _nic="$POT_EXTIF"
+                               _nic=""
                                _ip="$_i"
                        fi
                        if potnet ip4check -H "$_ip" 2> /dev/null ; then
                                if [ -z "$_output" ]; then
-                                       _output="$_nic|$_ip"
+                                       _output="$_nic$_ip"
                                else
-                                       _output="$_output,$_nic|$_ip"
+                                       _output="$_output,$_nic$_ip"
                                fi
                        fi
                done
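Review bot: the `else` branch now sets `_nic=""` unconditionally, so every address given without an interface loses the `$POT_EXTIF` default that the unchanged code around it relies on; that is exactly the normal alias use case this hunk breaks. Moving the separator into the variable (`_nic="$( echo "$_i" | cut -f 1 -d '|' )|"`) keeps the `nic|ip` form for explicit entries, but together the two changes make the output format depend on whether the user typed a `|`, and nothing in the hunk documents that. Suggest keeping `_nic="$POT_EXTIF"` as the default and dropping the prefix only when a configuration flag asks for it, as solution 1 in the issue proposes.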

I need to specify the interface name for the normal interface, but it works for now.

I will try to come up with a much cleaner solution.

@pizzamig
Collaborator

I cannot accept this patch, because it breaks the normal use case.
However, I updated the FreeBSD PR with what I think is the solution to your problem, a proper jail configuration (ip4.addr="wgnet0|192.168.0.10 192.168.0.10").

Unfortunately, for pot I would need some additional work, because there is some input sanitization that is currently needed.
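To make the two approaches from this thread concrete, here is an added example (not pot's own code, and not the patch above) of a POSIX sh function that builds the jail `ip4.addr` value from pot-style `nic|ip` entries. It keeps pot's default of prefixing bare addresses with the external interface, adds the configuration switch from solution 1 to leave bare addresses bare, and emits the `wgnet0|addr addr` point-to-point form from the FreeBSD PR comment for wgnet interfaces. The variable names `ALIAS_NO_DEFAULT_NIC` and the `wgnet*` prefix match are assumptions for this example, not pot configuration keys; `potnet ip4check -H` is replaced by a small dotted-quad check so the script runs offline.

```shell
#!/bin/sh
# Added example, not pot's code. Builds a jail ip4.addr string from
# space-separated "nic|ip" or bare "ip" entries.
#
# Assumed (hypothetical) settings:
#   POT_EXTIF            interface prefixed to bare addresses (pot's default behaviour)
#   ALIAS_NO_DEFAULT_NIC "yes" leaves bare addresses bare (solution 1 from the issue)
# Entries whose nic starts with "wgnet" get the "nic|addr addr" form that the
# FreeBSD PR comment describes for tunnel interfaces (solution 2 from the issue).

# Minimal IPv4 dotted-quad check, standing in for "potnet ip4check -H"
_is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, leading/trailing/double dot
    esac
    _old_ifs="$IFS"; IFS=.
    set -- $1                               # split into octets
    IFS="$_old_ifs"
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# $1: space-separated list of "nic|ip" or "ip" entries
# prints the comma-separated ip4.addr value; invalid addresses are skipped
_build_ip4_addr() {
    _output=""
    for _i in $1 ; do
        case "$_i" in
            *\|*)
                _nic="${_i%%|*}"            # text before the first '|'
                _ip="${_i#*|}"              # text after it
                ;;
            *)
                _ip="$_i"
                if [ "${ALIAS_NO_DEFAULT_NIC:-no}" = "yes" ]; then
                    _nic=""                 # solution 1: no interface prefix
                else
                    _nic="$POT_EXTIF"       # pot's default
                fi
                ;;
        esac
        _is_ipv4 "$_ip" || continue
        case "$_nic" in
            wgnet*) _entry="$_nic|$_ip $_ip" ;;  # tunnel: destination address repeated
            "")     _entry="$_ip" ;;
            *)      _entry="$_nic|$_ip" ;;
        esac
        if [ -z "$_output" ]; then
            _output="$_entry"
        else
            _output="$_output,$_entry"
        fi
    done
    printf '%s\n' "$_output"
}

# Usage (constructed input):
#   POT_EXTIF=em0 _build_ip4_addr "192.168.178.200 wgnet0|10.0.0.2"
#   -> em0|192.168.178.200,wgnet0|10.0.0.2 10.0.0.2
```

Note that the wgnet entry contains a space inside one comma-separated element, which is why pot's existing input sanitization would need to be relaxed before such a value could be passed through as-is.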

@robertek
Author

Of course this patch was never intended to be accepted :). It is something I use now as a workaround. But thanks for the jail configuration settings; I never knew about this.
