Bug 253435 - Jail does not create tunnel (wireguard) interface alias.
Summary: Jail does not create tunnel (wireguard) interface alias.
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 12.2-RELEASE
Hardware: amd64 Any
: --- Affects Some People
Assignee: freebsd-jail (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-11 13:13 UTC by Robert David
Modified: 2021-04-19 11:21 UTC (History)
4 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert David 2021-02-11 13:13:02 UTC
When adding wireguard tunnel interface alias address to the jail I need to specify it without the interface name and create the address staticly before jail startup.

Examples that does not work:

1)
no wgnet0 address created
jail.conf:
ip4.addr = "wgnet0|192.168.0.10"; 

2)
wgnet0 address created using
ifconfig wgnet0 inet 192.168.0.10 192.168.0.10 alias
jail.conf:
ip4.addr = "wgnet0|192.168.0.10";


Example that works:
when I create the alias and remove the interface name from ip4.addr

wgnet0 address created using
ifconfig wgnet0 inet 192.168.0.10 192.168.0.10 alias
jail.conf:
ip4.addr = "192.168.0.10";

Seems like the last one works by accident, because it assigns to the correct interface if the address is defined.

I don't know if this affects only wireguard or generic tunnel interface. But the solution would be make the first example working by using different ifconfig arguments in the jail starting procedure.

Eg:
ifconfig wgnet0 inet 192.168.0.10 192.168.0.10 alias
Comment 1 Jamie Gritton freebsd_committer 2021-02-11 18:16:03 UTC
jail(8) will automatically run "ifconfig alias <ifname> <ipaddr>" on startup (and "-alias" on shutdown).  But it's interface-agnostic, and doesn't know things like the tunnel interface needing the address twice (which I didn't know either).

So anything more complicated than a single address added to an existing interface is going to take you running the commands yourself.  For your setup, I think this should work:

{
 ip4.addr = 192.168.0.10;
 exec.prestart = "ifconfig wgnet0 alias inet ${ip4.addr} ${ip4.addr}";
 exec.poststop = "ifconfig wgnet0 -alias inet ${ip4.addr} ${ip4.addr}";
}

Keeping track of what requirements different interfaces might need is a potential can of worms beyond the scope of jail(8).
Comment 2 Robert David 2021-02-11 19:03:48 UTC
If the example #2 would work it would be fine. Because sometimes one needs/wants to assign the device name.

Because there is a difference in 

ip4.addr = "wgnet0|192.168.0.10"
and
ip4.addr = "192.168.0.10"

the first try to assign the address to the wgnet0 interface (and fail), the second one just use the interface which got the address.
Comment 3 Luca Pizzamiglio freebsd_committer 2021-02-12 20:19:33 UTC
(In reply to Robert David from comment #2)

I created a wireguard setup and those are my findings.

The command to configure an alias on a wireguard interface via ifconfig is:
ifconfig wgnet0 inet 192.168.0.10/24 192.168.0.10 alias

With the jail command line, I successfully created an alias with:

jail -c path=/path/to/jail ip4.addr="wgnet0|192.168.0.10/24 192.168.0.10" command=/bin/sh

Or, using jail.conf: 

wg-jail {
  path = /home/pizzamig/empty-jail;
  ip4.addr = "wgnet0|192.168.0.10/24 192.168.0.10";
  command = "/bin/sh";
}

Have you tried this latest configuration?
Comment 4 Bernhard Froehlich freebsd_committer 2021-03-23 20:36:19 UTC
This should be a lot more flexible now with the new wireguard kernel module. Could you please repeat the tests with net/wireguard-kmod?
Comment 5 Robert David 2021-03-23 21:40:56 UTC
(In reply to Bernhard Froehlich from comment #4)
I'm in process of testing NanoPI NEO3 with FreeBSD13, so I plan to test this as soon as the the wireguard package 1.0.20210315 is available (not sure why only the aarch64 does not have this package updated).
Comment 6 Jason A. Donenfeld 2021-04-17 23:47:18 UTC
Is this working now with the latest wireguard-kmod package? If so, can this bug be closed?
Comment 7 Robert David 2021-04-19 11:21:02 UTC
I have tested this now and can confirm that it works ok, so the bug may be closed.

Tested simple jail configuration, with testing wireguard kmod 
interface enabled and it is working correctly.

$ cat /etc/jail.conf
test {
    host.hostname = test;           # Hostnae
    ip4.addr = dwc0|192.168.10.60,wg0|192.168.200.60;                   # IP address of the jail
    path = "/nanopool/testjail";                    # Path to the jail
    exec.start = "/bin/sh /etc/rc";            # Start command
    exec.stop = "/bin/sh /etc/rc.shutdown";    # Stop command
}

With this configuration, there is no need to set the ip address on wg0 interface before jail start. It is set ok with jail start and assigned correctly. I have tested ssh to the jail through wireguard and it works.