Wireguard Security Risk - Disabling a peer does NOT work and do nothing

a.katib91 · September 16, 2022, 11:45am

Hi,

I noticed that after creating a wireguard config, and connecting a peer to my vyos, then disabling the peer from the configuration. does not disconnect that peer.

in fact, I tried to disable the whole wg interface and re-enabling it (I was thinking it will resync the configuration to disable the peer, and it did cause disconnection of the peer while the interface is disabled) however, once it is enabled back, the disabled peer also connected back no issue.

this means that the disable parameter in peers of wireguard interface basically doesn’t do anything. which I think is very high security risk.

FYI I’m running a nightly build:

VyOS 1.4-rolling-202208270217

Any feedback on the issue is appreciated

zsdc · September 16, 2022, 1:03pm

Hello, @a.katib91! Thanks for the report!
This must be fixed. Please, track the progress in the Phabricator: ⚓ T4702 Wireguard peers configuration is not synchronized with CLI

c-po · September 17, 2022, 6:43pm

Fixed via wireguard: T4702: actively revoke peer if it gets disabled · vyos/vyos-1x@a4feb96 · GitHub

Will be available in the next rolling ISO and backport is currently beeing done for VyOS 1.3.3

a.katib91 · September 17, 2022, 11:05pm

Awesome. Thank you <3

system · September 21, 2022, 12:25pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.