mjr
just joined
Topic Author
Posts: 3
Joined: Tue Jun 01, 2021 2:31 am

Defect: Cannot add Wireguard Peers with same key to different WireGuard Interfaces

Fri Nov 05, 2021 11:10 am

*Updated topic name, now that I understand the problem is with the public key collision*

I know this is not a common use-case, but I still think it is a defect:

Use-case:
I have a VPN provider with WireGuard peers which can either
  • Exit the network at the same location as the peer
  • Route through their internal network, and exit at a different location
The provider operates these peers on the same IP, but different ports.
I want to use both of these peers at the same time (on different interfaces), but ROS validates only on the IP and will not let me add the second peer:
failure: entry already exists

RouterOS version: 7.1rc4
Router: RB4011iGS+
Interface: Terminal and WinBox

Steps to reproduce:
interface/wireguard/add listen-port=13233 mtu=1420 name=Wireguard_UK
interface/wireguard/add listen-port=13234 mtu=1420 name=Wireguard_Spain_via_UK
interface/wireguard/peer/add allowed-address=0.0.0.0/0 endpoint-address=141.98.252.222 endpoint-port=51820 interface=Wireguard_UK public-key="========"
interface/wireguard/peer/add allowed-address=0.0.0.0/0 endpoint-address=141.98.252.222 endpoint-port=3169 interface=Wireguard_Spain_via_UK public-key="========"
I get output
failure: entry already exists
Expected: To be able to add different address:port combinations as different peers
To be totally honest, I would expect to be able to add multiple peers with the same IP and port so long as they are attached to different interfaces
Last edited by mjr on Sat Nov 06, 2021 7:38 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Defect: Cannot add multiple WireGuard Peers on same IP

Fri Nov 05, 2021 6:50 pm

Just for giggles ... took your config and entered it in a mAP Lite I have lying here without WG configured.

Here is the export.
# nov/05/2021 17:47:03 by RouterOS 7.1rc5
# software id = IFN6-V3SY
#
# model = RBmAPL-2nD
/interface wireguard
add listen-port=13234 mtu=1420 name=Wireguard_Spain_via_UK
add listen-port=13233 mtu=1420 name=Wireguard_UK
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=141.98.252.222 endpoint-port=51820 interface=Wireguard_UK public-key=\
    "/yZWgiYAgNNSy7AIcxuEewYwOVPqJJRKG90s9ypwfiM="
add allowed-address=0.0.0.0/0 endpoint-address=141.98.252.222 endpoint-port=3169 interface=Wireguard_Spain_via_UK public-key=\
    "4psuVGV/S/EEhvCUfCsVKJhZ+uRn2BaBwC79xbP+DAQ="
Initially I used copy-paste from your post and obviously got an error on the public key (seems there is some validation mechanism on that key).
So (lazy me) I took the public key from the other interface which was created already as entry.
As you can see, I can set it up as you described.

Are you sure your issue is not with the public keys?

Proof:
If I delete one of the peers and use the SAME public key as the other one, I get this
[xyz@mAPLite92] /interface/wireguard> peer add allowed-address=0.0.0.0/0 endpoint-address=141.98.252.222 endpoint-port=3169 interface=Wireguard_Spain_via_UK public-key="/yZWgiYAgNNSy7AIcxuEewYwOVPqJJRKG90s9ypwfiM="
failure: entry already exists
[xyz@mAPLite92] /interface/wireguard>
And that makes perfect sense. A peer IS already existing with THAT Public key.
When you create an interface with a different endpoint port, there will also be a different public key.

On your last comment, there I dare to disagree. But that's me.
Last edited by holvoetn on Sat Nov 06, 2021 1:47 pm, edited 1 time in total.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Defect: Cannot add multiple WireGuard Peers on same IP

Fri Nov 05, 2021 7:04 pm

The key is indeed a limitation. For example, NordVPN has the same key for all servers in the Netherlands. Germany has two keys, Berlin and Frankfurt.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Defect: Cannot add multiple WireGuard Peers on same IP

Sat Nov 06, 2021 1:44 pm

one key = one peer.
It's not a defect.
Do you have this issue with different keys?
 
mjr
just joined
Topic Author
Posts: 3
Joined: Tue Jun 01, 2021 2:31 am

Re: Defect: Cannot add multiple WireGuard Peers on same IP

Sat Nov 06, 2021 7:36 pm

Cool, so the issue is with the key (thanks @holvoetn! I really appreciate you digging into this for me).

@Znevna, you are completely correct that, on an interface level, a peer is uniquely identified by its key. However, if we have 2 entirely separate WireGuard interfaces, listening on different ports, why can't we have each connecting to the same peer? There is no such limitation in the WireGuard technical docs [AFAICT - open to being wrong], and I can do this right now on a Linux machine (each interface is defined in a separate config file). I can easily foresee a requirement to have 2 separate interfaces, with different key identifiers, connecting to the same peer address, allowing for specific routing and permissions on each end of the connection.

I still think this is a defect, and that the validation should include the 'Interface' field in the test for uniqueness.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Defect: Cannot add Wireguard Peers with same key to different WireGuard Interfaces

Sat Nov 06, 2021 10:10 pm

Nonono...
Each combination ip/port generates a unique public key for the interface.
You can on the other side not have multiple peers with the same public key on the same device.
That would mean you have multiple peers going to the SAME interface.
It does not make sense!

2 interfaces with same IP but different port = different public key = no conflict.
 
rplant
Member Candidate
Posts: 287
Joined: Fri Sep 29, 2017 11:42 am

Re: Defect: Cannot add Wireguard Peers with same key to different WireGuard Interfaces

Sun Nov 07, 2021 11:52 am

Perhaps they could add a name to the peer, which could be unique.

And then either:
- Ensure public key/wireguard-if (ip address/port??) are unique.
- Or ignore this entirely (easier, might cause occasional operator grief)
 
mjr
just joined
Topic Author
Posts: 3
Joined: Tue Jun 01, 2021 2:31 am

Re: Defect: Cannot add Wireguard Peers with same key to different WireGuard Interfaces

Mon Nov 08, 2021 10:08 am

Hi Holvoetn,

Thanks for your reply. As I said in my last post, I've read through the WireGuard specs, and there is nothing about requiring a unique key per listener; in fact, you specify the key, it is not auto generated for you (although you may use one of many utilities to generate one).
There are at least 2 VPN providers running with the same keys over multiple IPs and in my case, over multiple ports.

On each WireGuard interface, we specify our port to listen on, along with our key, so a unique port and local key combo.
On each peer, we specify the local WireGuard interface, and the peer's IP and port and key. So here we have specified a unique peer IP, port, key, local port, local key.

So far as I understand the wireguard spec (and I don't claim to know it well), this should be enough to differentiate each connection - if you know better, I'd really appreciate a quick explainer (you don't owe me anything, I'd just appreciate it).
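The following is an added example, not code from the thread or from MikroTik. It is a small Python model of the peer-uniqueness check mjr argues about: it parses the `interface/wireguard/peer/add` commands from the first post (with the redacted `========` key replaced by a key from holvoetn's export, so that both peers share one key), validates the key the way the forum observed (a base64 value must decode to 32 bytes), and replays the commands under two assumed policies: uniqueness on `public-key` alone, which reproduces the observed "entry already exists", and uniqueness on `(interface, public-key)`, which mjr proposes. The `PeerStore` class, the policy tuples and the `"ok"` result string are assumptions of this model, not RouterOS behaviour or output.

```python
import base64
import binascii
import shlex
from typing import Dict, List, Tuple

# Public key taken from holvoetn's export in this thread; used for BOTH peers
# below to reproduce the key collision mjr hit. The two commands are
# constructed from the first post's "Steps to reproduce".
KEY_UK = "/yZWgiYAgNNSy7AIcxuEewYwOVPqJJRKG90s9ypwfiM="
KEY_SPAIN = "4psuVGV/S/EEhvCUfCsVKJhZ+uRn2BaBwC79xbP+DAQ="

SAME_KEY_COMMANDS = [
    'interface/wireguard/peer/add allowed-address=0.0.0.0/0 endpoint-address=141.98.252.222 '
    f'endpoint-port=51820 interface=Wireguard_UK public-key="{KEY_UK}"',
    'interface/wireguard/peer/add allowed-address=0.0.0.0/0 endpoint-address=141.98.252.222 '
    f'endpoint-port=3169 interface=Wireguard_Spain_via_UK public-key="{KEY_UK}"',
]

# Same two peers, but with distinct keys as in holvoetn's working export.
DIFFERENT_KEY_COMMANDS = [SAME_KEY_COMMANDS[0], SAME_KEY_COMMANDS[1].replace(KEY_UK, KEY_SPAIN)]

# Assumed uniqueness policies (this model's names, not RouterOS settings).
OBSERVED_POLICY: Tuple[str, ...] = ("public-key",)
PROPOSED_POLICY: Tuple[str, ...] = ("interface", "public-key")


def parse_ros_add(line: str) -> Dict[str, str]:
    """Parse a RouterOS 'path/add key=value ...' line into an attribute dict.

    shlex handles the quoted public-key value; the path itself is discarded.
    """
    path, *tokens = shlex.split(line)
    if not path.endswith("/add"):
        raise ValueError(f"not an add command: {path}")
    attrs: Dict[str, str] = {}
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {tok}")
        attrs[key] = value
    return attrs


def valid_public_key(key: str) -> bool:
    """A WireGuard public key is a 32-byte Curve25519 point, base64-encoded."""
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


class PeerStore:
    """Model of a peer table whose identity is defined by a tuple of attributes."""

    def __init__(self, uniqueness: Tuple[str, ...]) -> None:
        self.uniqueness = uniqueness
        self.peers: List[Dict[str, str]] = []

    def _identity(self, attrs: Dict[str, str]) -> Tuple[str, ...]:
        return tuple(attrs.get(field, "") for field in self.uniqueness)

    def add(self, attrs: Dict[str, str]) -> str:
        if not valid_public_key(attrs.get("public-key", "")):
            return "failure: invalid public key"      # assumed message
        if any(self._identity(p) == self._identity(attrs) for p in self.peers):
            return "failure: entry already exists"    # message quoted in the thread
        self.peers.append(attrs)
        return "ok"                                   # assumed; RouterOS prints nothing


def replay(commands: List[str], uniqueness: Tuple[str, ...]) -> List[str]:
    """Apply each add command in order and collect the result of each."""
    store = PeerStore(uniqueness)
    return [store.add(parse_ros_add(cmd)) for cmd in commands]


if __name__ == "__main__":
    for name, policy in (("observed", OBSERVED_POLICY), ("proposed", PROPOSED_POLICY)):
        print(f"{name:8} same key:      {replay(SAME_KEY_COMMANDS, policy)}")
        print(f"{name:8} different key: {replay(DIFFERENT_KEY_COMMANDS, policy)}")
```

Under the `public-key`-only policy the second command fails exactly as in the first post, while holvoetn's two-key variant succeeds under either policy, which is the distinction the thread settles on. The `(interface, public-key)` policy still rejects a genuine duplicate (the same key added twice to the same interface, which is holvoetn's "proof" case) but accepts the same remote key on a second interface.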
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Defect: Cannot add Wireguard Peers with same key to different WireGuard Interfaces

Mon Nov 08, 2021 1:08 pm

I read the spec yesterday evening again, specifically paying attention to listening port and public key.
And it seems you are correct. There is nothing mentioned.

Nevertheless, personally I still think it is illogical to have multiple peers using the same key and going to the SAME IP (and same allowed address?).

So either what you see is effectively a bug in RouterOS, or there is something implicit yet unclear which may cause confusion depending on who is looking at it.

I suggest you send a mail to support@mikrotik.com and point them to this thread.
They should answer then what the reasoning is for the current implementation or confirm it is a bug which then hopefully will be corrected in one of the next releases.
