[Bug 290768] if_wg(4): handshake response has src and dst reversed
Date: Mon, 03 Nov 2025 12:32:23 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290768
Bug ID: 290768
Summary: if_wg(4): handshake response has src and dst reversed
Product: Base System
Version: 14.3-STABLE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: it@vineyard-sha.de
I am on OPNsense 25.7.6, which uses FreeBSD 14.3-STABLE.
I got WireGuard working. Then I added CARP interfaces on the LAN and WAN sides. After that, the
handshake does not complete.
I see this in the pflog0 traffic on VPN initiation:
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), snapshot length 256 bytes
00:00:00.000000 rule 191/0(match): pass in on igc0: (tos 0x0, ttl 56, id 50850, offset 0, flags [DF], proto UDP (17), length 176)
    a.b.c.d.29106 > 192.168.178.2.51820: UDP, length 148
00:00:00.000028 rule 137/0(match): pass out on igc0: (tos 0x0, ttl 55, id 50850, offset 0, flags [DF], proto UDP (17), length 176)
    a.b.c.d.29106 > 192.168.178.2.51820: UDP, length 148
a.b.c.d is the public IP address of my peer. 192.168.178.2 is my CARP interface
on the WAN side.
The pass in is the handshake initiation from the peer.
The pass out is the response to it. Notice that the src and dst are reversed.
That's why the handshake does not complete (if it started at all).
I need help in diving deep and undoing src and dst reversal.
Snippet from netstat -rnfinet:
10.251.0.0/16 link#23 U wg1
10.251.0.1 link#7 UHS lo0
10.251.0.2 link#23 UHS wg1
10.251.0.3 link#23 UHS wg1
Enabling debugging on wg1 gives me:
wg1: Handshake for peer 1 did not complete after 5 seconds, retrying (retry 15)
wg1: Sending handshake initiation to peer 1
wg1: Unable to send packet: 47
I looked into the FreeBSD wg(4) driver source code:
https://cgit.freebsd.org/src/tree/sys/dev/wg/if_wg.c?h=stable/14&id=684dd4e8c0085f4e64016a44d4cd699b2fc29681
line 1014 prints "Unable to send packet: "
In https://cgit.freebsd.org/src/tree/sys/sys/errno.h?h=stable/14, line 110, I
found this:
#define EAFNOSUPPORT 47 /* Address family not supported by protocol family */
47 means it cannot handle the address family.
This is weird to me because I use IPv4 only. IPv6 is disabled.
From looking into the code, I suppose the stack trace looks like this:
wg_send_initiation() line 1290
wg_peer_send_buf() line 1278
wg_send_buf() line 987
wg_send() line 935
return EAFNOSUPPORT; line 960
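As an added illustration of the two observations in the report (an errno of EAFNOSUPPORT on an IPv4-only host, and a response whose outer src/dst are swapped), the following userspace C program is example code written for this page; it is not code from if_wg.c and does not claim to reproduce the driver's logic. The `struct endpoint`, `model_send()`, `reply_endpoint_from_rx()` and `classify_tx()` names are hypothetical, and 203.0.113.10 is a constructed stand-in for the peer's a.b.c.d. What it shows is that a transmit path which dispatches on the stored remote address family returns EAFNOSUPPORT for any family it does not handle, including AF_UNSPEC (0) from an endpoint that was never filled in, so the error says nothing about IPv6 being enabled; and how to check an outgoing datagram seen on pflog against the reply endpoint that the received initiation implies (remote = the initiation's source, local = the address it was sent to, here the CARP VIP).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Hypothetical endpoint record (an assumption, modelled on what any UDP
 * tunnel needs): the remote peer's address/port and the local address the
 * datagram must be sourced from. A zeroed record has sa_family == AF_UNSPEC. */
struct endpoint {
	union {
		struct sockaddr     sa;
		struct sockaddr_in  in4;
		struct sockaddr_in6 in6;
	} remote;
	struct in_addr  local4;   /* INADDR_ANY: let the stack choose */
	struct in6_addr local6;   /* in6addr_any: let the stack choose */
};

/* Model of an address-family dispatch in a transmit path. Writes the outer
 * src/dst that would appear on the wire and returns 0, or an errno. Anything
 * other than AF_INET/AF_INET6 (including AF_UNSPEC from an endpoint that was
 * never populated) yields EAFNOSUPPORT, even on an IPv4-only host. */
int model_send(const struct endpoint *e, char *src, size_t srclen,
    char *dst, size_t dstlen)
{
	switch (e->remote.sa.sa_family) {
	case AF_INET:
		inet_ntop(AF_INET, &e->local4, src, srclen);
		inet_ntop(AF_INET, &e->remote.in4.sin_addr, dst, dstlen);
		return 0;
	case AF_INET6:
		inet_ntop(AF_INET6, &e->local6, src, srclen);
		inet_ntop(AF_INET6, &e->remote.in6.sin6_addr, dst, dstlen);
		return 0;
	default:
		return EAFNOSUPPORT;
	}
}

/* Derive the endpoint a handshake response must use from the outer header
 * of the received initiation: remote = where it came from, local = the
 * address it was addressed to (the CARP VIP in the report). */
int reply_endpoint_from_rx(const char *rx_src, uint16_t rx_sport,
    const char *rx_dst, struct endpoint *e)
{
	memset(e, 0, sizeof(*e));
	e->remote.in4.sin_family = AF_INET;
	e->remote.in4.sin_port = htons(rx_sport);
	if (inet_pton(AF_INET, rx_src, &e->remote.in4.sin_addr) != 1 ||
	    inet_pton(AF_INET, rx_dst, &e->local4) != 1)
		return EINVAL;
	return 0;
}

/* Compare an outgoing datagram seen on pflog with the expected reply.
 * Returns 0 if it matches, 1 if src and dst are exactly swapped, -1 otherwise. */
int classify_tx(const struct endpoint *e, const char *tx_src, const char *tx_dst)
{
	char want_src[INET6_ADDRSTRLEN], want_dst[INET6_ADDRSTRLEN];

	if (model_send(e, want_src, sizeof(want_src), want_dst, sizeof(want_dst)) != 0)
		return -1;
	if (strcmp(tx_src, want_src) == 0 && strcmp(tx_dst, want_dst) == 0)
		return 0;
	if (strcmp(tx_src, want_dst) == 0 && strcmp(tx_dst, want_src) == 0)
		return 1;
	return -1;
}

int main(void)
{
	/* Constructed input: 203.0.113.10 stands in for the peer's a.b.c.d;
	 * 192.168.178.2:51820 is the CARP VIP and port from the report. */
	struct endpoint e, zeroed;
	char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];

	reply_endpoint_from_rx("203.0.113.10", 29106, "192.168.178.2", &e);
	model_send(&e, src, sizeof(src), dst, sizeof(dst));
	printf("expected reply on the wire: %s > %s\n", src, dst);
	/* The pass-out line from the report, src/dst exactly as logged: */
	printf("observed pass-out classified: %d (1 = reversed)\n",
	    classify_tx(&e, "203.0.113.10", "192.168.178.2"));

	memset(&zeroed, 0, sizeof(zeroed));
	printf("unpopulated endpoint: errno %d (%s)\n",
	    model_send(&zeroed, src, sizeof(src), dst, sizeof(dst)),
	    strerror(EAFNOSUPPORT));
	return 0;
}
```

The numeric value printed for the unpopulated endpoint is platform-specific: EAFNOSUPPORT is 47 on FreeBSD, as the report's errno.h excerpt shows, but 97 on Linux, so compare against the symbol rather than the number. The classifier is deliberately strict: it only reports "reversed" when the observed pair is the exact mirror of the expected one, which is the pattern in the report's pflog output.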