WireGuard connection issues since v1.30.3221.67

Hi Team,

When I try to connect using Wireguard to our VPN servers the connection fails since upgrade to v1.30.3221.67. After some investigation, the issue appears to be in the pritunl/handlers/key.py > key_wg_post method (POST /key/wg/<org_id>/<user_id>/<server_id> handler) here.

The if condition checks if the remote_addr is IPv6 by relying on the presence of ‘:’ character, however in our case the remote_addr variable contains the port as well, e.g. Because the code checks for ‘:’ it gets interpreted as IPv6, failing the connection with WireGuard. The stacktrace is the following:

File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/handlers/key.py", line 1059, in key_wg_post
remote_addr = str(ipaddress.IPv6Address(remote_addr))
File "/usr/lib/pritunl/usr/lib/python3.9/ipaddress.py", line 1915, in __init__
self._ip = self._ip_int_from_string(addr_str)
File "/usr/lib/pritunl/usr/lib/python3.9/ipaddress.py", line 1628, in _ip_int_from_string
raise AddressValueError(msg)
ipaddress.AddressValueError: At least 3 parts expected in ''

Could you please advise if this is something incorrectly configured on our side or might be a bug in the IPv6 condition check?


This will be fixed in the next release. The change can be applied to /usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/utils/network.py by adding the strip_port function and modifying the get_remote_addr function.

def strip_port(hostport):
    colon = hostport.find(':')
    if colon == -1:
        return hostport

    if ']' in hostport:
        i = hostport.find(']')
        if i != -1:
            return hostport[:i].lstrip('[')

    return hostport[:colon]

def get_remote_addr():
    if settings.app.reverse_proxy:
        forward_ip = flask.request.headers.get('PR-Forwarded-Header')
        if forward_ip:
            return strip_port(forward_ip.split(',')[-1].strip())

    forward_ip = flask.request.headers.get('PR-Forwarded-For')
    if forward_ip:
        return strip_port(forward_ip)

    return strip_port(flask.request.remote_addr)

Hi zach,

Thank you for your reply and taking this up in the next release.

Something perhaps to consider with this change is that currently all the journal logs contain the IP:PORT in the User’s Audit log visible from Pritunl UI and in the Journal as well:

By stripping the port it will not be logged anymore along with the IP address, not sure if this might be a problem?

I also find it quite useful having the port along with the IP address in the Users Audit logs.

Thank you

The port is a NAT port that is isn’t intended to be included in those records.