WireGuard connection issues since v1.30.3221.67

Hi Team,

When I try to connect using WireGuard to our VPN servers, the connection fails since the upgrade to v1.30.3221.67. After some investigation, the issue appears to be in the pritunl/handlers/key.py > key_wg_post method (POST /key/wg/<org_id>/<user_id>/<server_id> handler) here.

The if condition checks if the remote_addr is IPv6 by relying on the presence of the ‘:’ character; however, in our case the remote_addr variable contains the port as well, e.g. 11.22.33.44:12345. Because the code checks for ‘:’, it gets interpreted as IPv6, failing the connection with WireGuard. The stack trace is the following:

  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/handlers/key.py", line 1059, in key_wg_post
    remote_addr = str(ipaddress.IPv6Address(remote_addr))
  File "/usr/lib/pritunl/usr/lib/python3.9/ipaddress.py", line 1915, in __init__
    self._ip = self._ip_int_from_string(addr_str)
  File "/usr/lib/pritunl/usr/lib/python3.9/ipaddress.py", line 1628, in _ip_int_from_string
    raise AddressValueError(msg)
ipaddress.AddressValueError: At least 3 parts expected in '11.22.33.44:12345'

Could you please advise if this is something incorrectly configured on our side or might be a bug in the IPv6 condition check?

Thanks

This will be fixed in the next release. The change can be applied to /usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/utils/network.py by adding the strip_port function and modifying the get_remote_addr function.

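def strip_port(hostport):
    # No colon at all: nothing to strip
    colon = hostport.find(':')
    if colon == -1:
        return hostport

    # Bracketed form such as [addr]:port: return the text inside the brackets
    if ']' in hostport:
        i = hostport.find(']')
        if i != -1:
            return hostport[:i].lstrip('[')

    # host:port form: keep everything before the first colon
    return hostport[:colon]

def get_remote_addr():
    # Behind a reverse proxy, use the last entry of the forwarded header list
    if settings.app.reverse_proxy:
        forward_ip = flask.request.headers.get('PR-Forwarded-Header')
        if forward_ip:
            return strip_port(forward_ip.split(',')[-1].strip())

    forward_ip = flask.request.headers.get('PR-Forwarded-For')
    if forward_ip:
        return strip_port(forward_ip)

    # Fall back to the address of the direct connection
    return strip_port(flask.request.remote_addr)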

Hi zach,

Thank you for your reply and taking this up in the next release.

Something perhaps to consider with this change is that currently all the journal logs contain the IP:PORT in the User’s Audit log visible from Pritunl UI and in the Journal as well:

By stripping the port it will not be logged anymore along with the IP address, not sure if this might be a problem?

I also find it quite useful having the port along with the IP address in the Users Audit logs.

Thank you

The port is a NAT port that isn’t intended to be included in those records.
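
For the address parsing and the port question discussed in this thread, here is an added example (not Pritunl's code and not from any poster) that separates the port first and then decides IPv4 versus IPv6 from the parsed address rather than from the presence of ':'. It goes beyond the thread's case by also accepting unbracketed IPv6 and rejecting non-IP hosts; `split_remote_addr`, `normalize_remote_addr` and `SAMPLES` are hypothetical names, and the sample values are constructed.

```python
import ipaddress

def _parse_port(text):
    # Accept only a decimal port in 1..65535
    if not (text.isascii() and text.isdigit()) or not 0 < int(text) <= 65535:
        raise ValueError('invalid port: %r' % text)
    return int(text)

def split_remote_addr(value):
    """Split 'ip', 'ip:port', '[v6]' or '[v6]:port' into (ip object, port or None).

    Hypothetical helper; raises ValueError if the host part is not an IP address.
    """
    value = value.strip()
    port = None
    if value.startswith('['):
        # Bracketed IPv6 literal, optionally followed by ':port'
        host, closing, rest = value[1:].partition(']')
        if not closing or (rest and not rest.startswith(':')):
            raise ValueError('malformed bracketed address: %r' % value)
        if rest:
            port = _parse_port(rest[1:])
    elif value.count(':') == 1:
        # A single colon can only separate an IPv4 address from its port
        host, _, port_text = value.partition(':')
        port = _parse_port(port_text)
    else:
        # No colon (plain IPv4) or several colons (unbracketed IPv6, no port)
        host = value
    return ipaddress.ip_address(host), port

def normalize_remote_addr(value):
    """Return (address string, IP version, port) using the parsed version
    instead of a "':' in remote_addr" test."""
    ip, port = split_remote_addr(value)
    return str(ip), ip.version, port

# Constructed sample inputs covering the forms a remote address value can take
SAMPLES = ['11.22.33.44:12345', '11.22.33.44', '[2001:db8::1]:51820',
           '2001:0db8:0:0:0:0:0:1', '[2001:db8::1]']

if __name__ == '__main__':
    for sample in SAMPLES:
        print('%-26s -> %r' % (sample, normalize_remote_addr(sample)))
```

Because the port comes back as its own value, a caller can pass only the address to the WireGuard logic and decide separately whether the port belongs in a log record.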