Wireguard adding a peer results in duplicate "list allowed ips"

Latest Nethsecurity 8.7.1 with all updates

(trying to migrate 500+ VPNs from previous solution to Nethsecurity …)

If you add a Wireguard server tunnel peer via the WebUI the resulting config looks like:

config wireguard_wg1 'wg1_ns_9c80b847_peer'
        option disabled '0'
        option ns_name 'chadima-ntb'
        option preshared_key 'xxx'
        option ns_route_all_traffic '1'
        list allowed_ips ''
        list allowed_ips '10.189.165.8/32'
        option ns_ip '10.189.165.8'
        option public_key 'xxx'
        option private_key 'xxx'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option ns_link 'network/wg1'

where the "list allowed_ips ''" line is unnecessary and a duplicate.

Please repair this bug.
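To make the report checkable on a larger batch of peers (the post mentions migrating 500+ VPNs), here is an added Python example that parses the plain UCI text shown above, reports every empty "list" entry, and re-emits the section without them. This is not NethSecurity or OpenWrt code; it assumes the simple config/option/list layout with single-quoted values that the post shows, and the sample section is the one from the post with the keys already redacted as 'xxx'.

```python
"""Detect and drop empty ``list`` entries in a UCI config text.

Added example for this thread; not NethSecurity or OpenWrt code. It assumes
the plain UCI text format from the post (config/option/list lines) and
handles only single-quoted values without escaped quotes.
"""
import re
from typing import List, Tuple

# Constructed sample: the peer section from the post, keys redacted as 'xxx'.
SAMPLE = """\
config wireguard_wg1 'wg1_ns_9c80b847_peer'
        option disabled '0'
        option ns_name 'chadima-ntb'
        option preshared_key 'xxx'
        option ns_route_all_traffic '1'
        list allowed_ips ''
        list allowed_ips '10.189.165.8/32'
        option ns_ip '10.189.165.8'
        option public_key 'xxx'
        option private_key 'xxx'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option ns_link 'network/wg1'
"""

# config <type> ['<name>']  |  option <key> '<value>'  |  list <key> '<value>'
LINE_RE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

# (section type, section name, [(kind, key, value), ...]) in file order
Section = Tuple[str, str, List[Tuple[str, str, str]]]


def parse_uci(text: str) -> List[Section]:
    """Parse UCI text into sections, keeping option/list order and kind."""
    sections: List[Section] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparsed UCI line: {raw!r}")
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, value or "", []))
        elif not sections:
            raise ValueError("option/list before any config section")
        else:
            sections[-1][2].append((kind, key, value or ""))
    return sections


def empty_list_entries(text: str) -> List[Tuple[str, str]]:
    """Return (section name, key) for every 'list' entry whose value is ''."""
    return [
        (name, key)
        for _, name, entries in parse_uci(text)
        for kind, key, value in entries
        if kind == "list" and value == ""
    ]


def strip_empty_list_entries(text: str) -> str:
    """Re-emit the config without empty list entries; options are kept as-is."""
    out = []
    for stype, name, entries in parse_uci(text):
        out.append(f"config {stype}" + (f" '{name}'" if name else ""))
        for kind, key, value in entries:
            if kind == "list" and value == "":
                continue  # the duplicate 'list allowed_ips' line from the post
            out.append(f"\t{kind} {key} '{value}'")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, key in empty_list_entries(SAMPLE):
        print(f"empty list entry: section {name}, key {key}")
    print(strip_empty_list_entries(SAMPLE))
```

Run it against the output of `uci export network` (or the file in /etc/config) to count affected peers before and after applying a fix; the parser deliberately refuses lines it does not understand rather than silently skipping them, so an unexpected layout shows up as an error instead of a missed entry.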


Thanks for pointing it out.
I could reproduce it when "Route all traffic" is enabled in the peer. Can you confirm?

Exactly


Thanks, I filed a bug.


What about the Wireguard and MTU error? (The other topic)
That is more of an opinion on how to properly create a VPN tunnel on a server for multiple peers,
but at this point Nethsecurity is going against the recommendations and best practices.
And the MTU configured this way will not work for peers connecting over “bad” network providers.
For example some bus and railway carriers, hotels etc.

It's caused by a network configuration error at the provider.
The provider has a smaller MTU on the route to the internet than the standard one (probably because they have the connection wrapped in another VPN layer), but the provider's WiFi won't tell your computer and the network stack of your OS.
Anything TCP (including OpenVPN over TCP) will work, but not UDP (Wireguard).
VPNs that set the normal MTU on TUN connections in UDP mode fail epically, because longer datagrams are silently discarded instead of being rejected with an error.
So you need to reduce the MTU on the VPN network interface of the peer using the UDP protocol so that it can pass through those providers.

That is the reason you need to change the MTU for the peers and their config files, not the server MTU. The need to change the server's MTU is very unlikely and rare, because most servers are not on networks with these problems.
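The peer-side reasoning above (the encrypted UDP datagram must fit the smallest path MTU the peer will cross, or it is silently dropped) can be written down as a small calculation. The following is an added Python example, not NethSecurity's code: the overhead figures are WireGuard's own framing (outer IP header, 8-byte UDP header, and 32 bytes of WireGuard transport header plus Poly1305 tag), which is why the usual default of 1420 equals 1500 minus the 80-byte IPv6 overhead. The path MTU, addresses, keys and endpoint in the rendered peer config are constructed placeholders.

```python
"""Derive a peer-side WireGuard MTU from the smallest path MTU the peer will
see, and render a peer [Interface] block that uses it.

Added example for this thread, not NethSecurity code. Overhead per encrypted
datagram: outer IP header (20 bytes IPv4 / 40 bytes IPv6) + UDP header (8)
+ WireGuard transport header and tag (4 type + 4 receiver index + 8 counter
+ 16 Poly1305 tag = 32). Packets shorter than the MTU may get up to 15 bytes
of padding, which does not change the full-size case considered here.
"""

WG_TRANSPORT_OVERHEAD = 4 + 4 + 8 + 16      # 32 bytes
WG_OVERHEAD_IPV4 = 20 + 8 + WG_TRANSPORT_OVERHEAD   # 60 bytes
WG_OVERHEAD_IPV6 = 40 + 8 + WG_TRANSPORT_OVERHEAD   # 80 bytes
DEFAULT_WG_MTU = 1420                               # wg-quick default, 1500 - 80


def overhead(outer_ipv6: bool = False) -> int:
    """Bytes added around one inner packet by WireGuard-over-UDP."""
    return WG_OVERHEAD_IPV6 if outer_ipv6 else WG_OVERHEAD_IPV4


def encapsulated_size(inner_len: int, outer_ipv6: bool = False) -> int:
    """Size on the wire of the UDP datagram carrying an inner packet."""
    return inner_len + overhead(outer_ipv6)


def would_be_dropped(inner_len: int, path_mtu: int, outer_ipv6: bool = False) -> bool:
    """True when the encrypted datagram exceeds the path MTU (a UDP blackhole
    drops it silently, which is the failure mode described in the thread)."""
    return encapsulated_size(inner_len, outer_ipv6) > path_mtu


def wireguard_mtu(path_mtu: int, outer_ipv6: bool = False) -> int:
    """Largest interface MTU whose full-size packets still fit path_mtu."""
    mtu = path_mtu - overhead(outer_ipv6)
    if mtu <= 0:
        raise ValueError(f"path MTU {path_mtu} too small for WireGuard")
    return mtu


def render_peer_config(private_key: str, address: str, mtu: int,
                       server_public_key: str, endpoint: str,
                       allowed_ips: str = "0.0.0.0/0",
                       keepalive: int = 25) -> str:
    """Render a wg-quick style peer config with an explicit MTU line."""
    return (
        "[Interface]\n"
        f"PrivateKey = {private_key}\n"
        f"Address = {address}\n"
        f"MTU = {mtu}\n"
        "\n"
        "[Peer]\n"
        f"PublicKey = {server_public_key}\n"
        f"Endpoint = {endpoint}\n"
        f"AllowedIPs = {allowed_ips}\n"
        f"PersistentKeepalive = {keepalive}\n"
    )


if __name__ == "__main__":
    # Constructed scenario: a hotspot whose path MTU is only 1400 bytes.
    hotspot_path_mtu = 1400
    print("default 1420 MTU dropped at 1400 path:",
          would_be_dropped(DEFAULT_WG_MTU, hotspot_path_mtu))
    safe = wireguard_mtu(hotspot_path_mtu)
    print("peer MTU for that path:", safe)
    print(render_peer_config("PEER_PRIVATE_KEY_PLACEHOLDER",
                             "10.189.165.8/32", safe,
                             "SERVER_PUBLIC_KEY_PLACEHOLDER",
                             "vpn.example.invalid:51820"))
```

The useful operational check is `would_be_dropped`: with the default 1420 interface MTU the datagram is 1480 bytes over IPv4, so any hop with a 1400-byte path MTU silently discards full-size packets while short ones (and every TCP handshake) go through, which is exactly the "connects but hangs" symptom roaming peers report. Setting the peer's MTU from `wireguard_mtu()` for the worst path it is expected to cross leaves the server's interface untouched.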