Use peer's wireguard port, not our own

euank · euank · commit 468e91f46a6c · 2025-03-10T23:58:20.000+09:00
Before this change, the wireguard code constructed a peer endpoint via
"PeerIP + n.dev.listenPort", i.e. we used the peer's IP, but our port.

This works fine if every k8s node has the same ListenPort, which is
admittedly the common setup...

However, some people may desire to use different ports for some cases,
and in that case, we should respect that different port.

I've manually tested that this works in my cluster, where 1 node has
different ports for wireguard from all the others.

After deploying this diff to each node, I get a working pod network.
diff --git a/pkg/backend/wireguard/wireguard.go b/pkg/backend/wireguard/wireguard.go
@@ -57,9 +57,17 @@ func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backend.Backen
 	return be, nil
 }
 
-func newSubnetAttrs(publicIP net.IP, publicIPv6 net.IP, enableIPv4, enableIPv6 bool, publicKey string) (*lease.LeaseAttrs, error) {
-	data, err := json.Marshal(&wireguardLeaseAttrs{
+func newSubnetAttrs(publicIP net.IP, publicIPv6 net.IP, enableIPv4, enableIPv6 bool, publicKey string, v4Port, v6Port uint16) (*lease.LeaseAttrs, error) {
+	v4Data, err := json.Marshal(&wireguardLeaseAttrs{
 		PublicKey: publicKey,
+		Port:      v4Port,
+	})
+	if err != nil {
+		return nil, err
+	}
+	v6Data, err := json.Marshal(&wireguardLeaseAttrs{
+		PublicKey: publicKey,
+		Port:      v6Port,
 	})
 	if err != nil {
 		return nil, err
@@ -74,15 +82,15 @@ func newSubnetAttrs(publicIP net.IP, publicIPv6 net.IP, enableIPv4, enableIPv6 b
 	}
 
 	if enableIPv4 {
-		leaseAttrs.BackendData = json.RawMessage(data)
+		leaseAttrs.BackendData = json.RawMessage(v4Data)
 	}
 
 	if publicIPv6 != nil {
 		leaseAttrs.PublicIPv6 = ip.FromIP6(publicIPv6)
 	}
 
 	if enableIPv6 {
-		leaseAttrs.BackendV6Data = json.RawMessage(data)
+		leaseAttrs.BackendV6Data = json.RawMessage(v6Data)
 	}
 
 	return leaseAttrs, nil
@@ -155,7 +163,7 @@ func (be *WireguardBackend) RegisterNetwork(ctx context.Context, wg *sync.WaitGr
 		return nil, fmt.Errorf("no valid Mode configured")
 	}
 
-	subnetAttrs, err := newSubnetAttrs(be.extIface.ExtAddr, be.extIface.ExtV6Addr, config.EnableIPv4, config.EnableIPv6, publicKey)
+	subnetAttrs, err := newSubnetAttrs(be.extIface.ExtAddr, be.extIface.ExtV6Addr, config.EnableIPv4, config.EnableIPv6, publicKey, uint16(cfg.ListenPort), uint16(cfg.ListenPortV6))
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/backend/wireguard/wireguard_network.go b/pkg/backend/wireguard/wireguard_network.go
@@ -17,6 +17,7 @@
 package wireguard
 
 import (
+	"cmp"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -101,6 +102,7 @@ func (n *network) Run(ctx context.Context) {
 
 type wireguardLeaseAttrs struct {
 	PublicKey string
+	Port      uint16
 }
 
 // Select the endpoint address that is most likely to allow for a successful
@@ -115,24 +117,20 @@ type wireguardLeaseAttrs struct {
 //     address will only have a small chance of succeeding (ipv6 masquarading is
 //     very rare)
 //   - If neither is true default to ipv4 and cross fingers.
-func (n *network) selectPublicEndpoint(ip4 *ip.IP4, ip6 *ip.IP6) string {
+func (n *network) autoMode(ip4 *ip.IP4, ip6 *ip.IP6) Mode {
 	if ip4 != nil && ip6 == nil {
-		return ip4.String()
+		return Ipv4
 	}
-
 	if ip4 == nil && ip6 != nil {
-		return fmt.Sprintf("[%s]", ip6.String())
+		return Ipv6
 	}
-
 	if !ip4.IsPrivate() && n.extIface.ExtAddr != nil {
-		return ip4.String()
+		return Ipv4
 	}
-
 	if !ip6.IsPrivate() && n.extIface.ExtV6Addr != nil && !ip.FromIP6(n.extIface.ExtV6Addr).IsPrivate() {
-		return fmt.Sprintf("[%s]", ip6.String())
+		return Ipv6
 	}
-
-	return ip4.String()
+	return Ipv4
 }
 
 func (n *network) handleSubnetEvents(ctx context.Context, batch []lease.Event) {
@@ -169,12 +167,18 @@ func (n *network) handleSubnetEvents(ctx context.Context, batch []lease.Event) {
 				subnets = append(subnets, event.Lease.IPv6Subnet.ToIPNet()) //only used if n.mode != Separate
 			}
 
+			// default to the port in the attr, but use the device's listen port
+			// if it's not set for backwards compatibility with older flannel
+			// versions.
+			v4Port := cmp.Or(v4wireguardAttrs.Port, uint16(n.dev.attrs.listenPort))
+			v6Port := cmp.Or(v6wireguardAttrs.Port, uint16(n.v6Dev.attrs.listenPort))
+			v4PeerEndpoint := fmt.Sprintf("%s:%d", event.Lease.Attrs.PublicIP.String(), v4Port)
+			v6PeerEndpoint := fmt.Sprintf("%s:%d", event.Lease.Attrs.PublicIPv6.String(), v6Port)
 			if n.mode == Separate {
 				if event.Lease.EnableIPv4 {
-					publicEndpoint := fmt.Sprintf("%s:%d", event.Lease.Attrs.PublicIP.String(), n.dev.attrs.listenPort)
-					log.Infof("Subnet added: %v via %v", event.Lease.Subnet, publicEndpoint)
+					log.Infof("Subnet added: %v via %v", event.Lease.Subnet, v4PeerEndpoint)
 					if err := n.dev.addPeer(
-						publicEndpoint,
+						v4PeerEndpoint,
 						v4wireguardAttrs.PublicKey,
 						[]net.IPNet{*event.Lease.Subnet.ToIPNet()}); err != nil {
 						log.Errorf("failed to setup ipv4 peer (%s): %v", v4wireguardAttrs.PublicKey, err)
@@ -190,10 +194,9 @@ func (n *network) handleSubnetEvents(ctx context.Context, batch []lease.Event) {
 				}
 
 				if event.Lease.EnableIPv6 {
-					publicEndpoint := fmt.Sprintf("[%s]:%d", event.Lease.Attrs.PublicIPv6.String(), n.v6Dev.attrs.listenPort)
-					log.Infof("Subnet added: %v via %v", event.Lease.IPv6Subnet, publicEndpoint)
+					log.Infof("Subnet added: %v via %v", event.Lease.IPv6Subnet, v6PeerEndpoint)
 					if err := n.v6Dev.addPeer(
-						publicEndpoint,
+						v6PeerEndpoint,
 						v6wireguardAttrs.PublicKey,
 						[]net.IPNet{*event.Lease.IPv6Subnet.ToIPNet()}); err != nil {
 						log.Errorf("failed to setup ipv6 peer (%s): %v", v6wireguardAttrs.PublicKey, err)
@@ -209,14 +212,17 @@ func (n *network) handleSubnetEvents(ctx context.Context, batch []lease.Event) {
 				}
 			} else {
 				var publicEndpoint string
-				if n.mode == Ipv4 {
-					publicEndpoint = fmt.Sprintf("%s:%d", event.Lease.Attrs.PublicIP.String(), n.dev.attrs.listenPort)
-				} else if n.mode == Ipv6 {
-					publicEndpoint = fmt.Sprintf("[%s]:%d", event.Lease.Attrs.PublicIPv6.String(), n.dev.attrs.listenPort)
-				} else { // Auto mode
-					publicEndpoint = fmt.Sprintf("%s:%d",
-						n.selectPublicEndpoint(&event.Lease.Attrs.PublicIP, event.Lease.Attrs.PublicIPv6),
-						n.dev.attrs.listenPort)
+				mode := n.mode
+				if mode == Auto {
+					mode = n.autoMode(&event.Lease.Attrs.PublicIP, event.Lease.Attrs.PublicIPv6)
+				}
+				switch mode {
+				case Ipv4:
+					publicEndpoint = v4PeerEndpoint
+				case Ipv6:
+					publicEndpoint = v6PeerEndpoint
+				default:
+					panic(fmt.Sprintf("inexhaustive match: %v", mode))
 				}
 
 				log.Infof("Subnet(s) added: %v via %v", subnets, publicEndpoint)

Original file line number	Diff line number	Diff line change
`@@ -57,9 +57,17 @@ func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backend.Backen`
`57`	`57`	`return be, nil`
`58`	`58`	`}`
`59`	`59`
`60`		`-func newSubnetAttrs(publicIP net.IP, publicIPv6 net.IP, enableIPv4, enableIPv6 bool, publicKey string) (*lease.LeaseAttrs, error) {`
`61`		`- data, err := json.Marshal(&wireguardLeaseAttrs{`
	`60`	`+func newSubnetAttrs(publicIP net.IP, publicIPv6 net.IP, enableIPv4, enableIPv6 bool, publicKey string, v4Port, v6Port uint16) (*lease.LeaseAttrs, error) {`
	`61`	`+ v4Data, err := json.Marshal(&wireguardLeaseAttrs{`
`62`	`62`	`PublicKey: publicKey,`
	`63`	`+ Port: v4Port,`
	`64`	`+ })`
	`65`	`+ if err != nil {`
	`66`	`+ return nil, err`
	`67`	`+ }`
	`68`	`+ v6Data, err := json.Marshal(&wireguardLeaseAttrs{`
	`69`	`+ PublicKey: publicKey,`
	`70`	`+ Port: v6Port,`
`63`	`71`	`})`
`64`	`72`	`if err != nil {`
`65`	`73`	`return nil, err`
`@@ -74,15 +82,15 @@ func newSubnetAttrs(publicIP net.IP, publicIPv6 net.IP, enableIPv4, enableIPv6 b`
`74`	`82`	`}`
`75`	`83`
`76`	`84`	`if enableIPv4 {`
`77`		`- leaseAttrs.BackendData = json.RawMessage(data)`
	`85`	`+ leaseAttrs.BackendData = json.RawMessage(v4Data)`
`78`	`86`	`}`
`79`	`87`
`80`	`88`	`if publicIPv6 != nil {`
`81`	`89`	`leaseAttrs.PublicIPv6 = ip.FromIP6(publicIPv6)`
`82`	`90`	`}`
`83`	`91`
`84`	`92`	`if enableIPv6 {`
`85`		`- leaseAttrs.BackendV6Data = json.RawMessage(data)`
	`93`	`+ leaseAttrs.BackendV6Data = json.RawMessage(v6Data)`
`86`	`94`	`}`
`87`	`95`
`88`	`96`	`return leaseAttrs, nil`
`@@ -155,7 +163,7 @@ func (be WireguardBackend) RegisterNetwork(ctx context.Context, wg sync.WaitGr`
`155`	`163`	`return nil, fmt.Errorf("no valid Mode configured")`
`156`	`164`	`}`
`157`	`165`
`158`		`- subnetAttrs, err := newSubnetAttrs(be.extIface.ExtAddr, be.extIface.ExtV6Addr, config.EnableIPv4, config.EnableIPv6, publicKey)`
	`166`	`+ subnetAttrs, err := newSubnetAttrs(be.extIface.ExtAddr, be.extIface.ExtV6Addr, config.EnableIPv4, config.EnableIPv6, publicKey, uint16(cfg.ListenPort), uint16(cfg.ListenPortV6))`
`159`	`167`	`if err != nil {`
`160`	`168`	`return nil, err`
`161`	`169`	`}`