Netgate Discussion Forum

Invalid interface listen port

WireGuard
  • B
    bjc
    last edited by Jan 21, 2021, 1:31 AM

    Getting that error when attempting to set up a tunnel. The listen port is automatically populated with 51820, so I'm not sure why it's resulting in an error.

    • T
      tirsojrp @bjc
      last edited by Jan 21, 2021, 3:44 AM

      @bjc are you leaving the field empty?

      • S
        stephenw10 Netgate Administrator
        last edited by Jan 21, 2021, 4:42 AM

        Just fill it as 51820 for now. That confused me at first too.
        I think we have a patch incoming for that.

        Steve

        • B
          bjc @stephenw10
          last edited by Jan 21, 2021, 4:34 PM

          @stephenw10 Ahhh, now I see it. I just assumed it was populated for me the whole time...didn't realize I needed to type over the pre-populated suggestion.

          @tirsojrp Thanks for the hint!

          • S
            stephenw10 Netgate Administrator
            last edited by Jan 21, 2021, 8:50 PM

            Yeah, it should use the default there. It will in the next snapshot.

            Steve

            • T
              tobira
              last edited by Jan 23, 2021, 7:51 AM

              Is there any way to listen with WireGuard on a non-standard port at all? With this error, I am unable to have it listen on anything but the normal ports.

              • S
                stephenw10 Netgate Administrator
                last edited by Jan 24, 2021, 1:02 AM

                It can listen on any port you choose, just set it in the WireGuard interface config.

                If you do that you obviously have to set any peers to use that new port.

                What issue are you seeing?

                Steve

                • T
                  tobira @stephenw10
                  last edited by Jan 24, 2021, 1:06 AM

                  @stephenw10 When I attempt to set my WireGuard tunnel to listen on port 443, for example, I get this message:

                  "The following input errors were detected:
                  Invalid interface listen port."

                  I have also confirmed that 443 is not in use on the pfSense server:
                  : netstat -an | grep 443
                  tcp6 0 0 *.8443 . LISTEN
                  tcp4 0 0 *.8443 . LISTEN
                  [2.5.0-DEVELOPMENT]

                  • S
                    stephenw10 Netgate Administrator
                    last edited by Jan 24, 2021, 3:13 PM

                    Hmm, could be restricted to high numbered ports only (>1023). Not sure I've tested that...

                    • S
                      stephenw10 Netgate Administrator
                      last edited by stephenw10 Jan 24, 2021, 3:25 PM Jan 24, 2021, 3:21 PM

                      Nope has to be >511 currently:
                      https://github.com/pfsense/pfsense/blob/master/src/etc/inc/web/wg.inc#L103

                      That looks like input validation only though, so you could probably edit the config if you really wanted a port <512. Or edit the validation in that file.

                      Steve

                      • T
                        tobira @stephenw10
                        last edited by Jan 25, 2021, 2:34 AM

                        @stephenw10 Since there isn’t a technical reason to not allow it, can the port restriction be removed? There is no such restriction on the OpenVPN server ports.

                        Having to make manual config changes or changing the code to allow lower ports seems like issues in the future when the system is upgraded.

                        • S
                          stephenw10 Netgate Administrator
                          last edited by Jan 25, 2021, 12:32 PM

                          It was clearly coded that way for a reason. I'm digging internally.....

                          • T
                            tobira @stephenw10
                            last edited by Jan 25, 2021, 8:43 PM

                            @stephenw10 Thanks! I appreciate it.

                            • S
                              stephenw10 Netgate Administrator
                              last edited by Jan 25, 2021, 9:36 PM

                              https://github.com/pfsense/pfsense/commit/94230d38349cfc3e76be3239833168f8835df07f

                              • S
                                serbus
                                last edited by Jan 26, 2021, 12:45 AM

                                Hmmm...

                                login-to-view

                                Lex parsimoniae

                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by Jan 26, 2021, 3:55 AM

                                  Well that doesn't look right! 😉

                                  What did you do to see that?

                                  • S
                                    serbus
                                    last edited by Jan 26, 2021, 4:14 AM

                                    Hello!

                                    I am testing on:

                                    2.5.0-DEVELOPMENT (amd64)
                                    built on Mon Jan 25 09:13:15 EST 2021
                                    FreeBSD 12.2-STABLE

                                    Using Firefox 84.0.1 (64-bit)

                                    I don't see any form field validation happening and the code in wg_validate_post and wg_validate_peer will let you enter just about anything you want.

                                    I made a redmine issue with some stopgap code that might help. https://redmine.pfsense.org/issues/11311

                                    John

                                    Lex parsimoniae
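
An added example, not part of the thread and not pfSense's own code: one way server-side validation of the listen port could handle the cases raised above (an empty field falling back to the default 51820, input that is not a plain integer, and a configurable minimum such as the 512 the thread reports). The function and constant names are hypothetical.

```php
<?php
// Added example; names are hypothetical and this is not pfSense's wg.inc code.
const EXAMPLE_WG_DEFAULT_PORT = 51820;

/**
 * Validate a listen port exactly as it arrives from a form POST.
 * Returns [port, null] on success or [null, error message] on failure.
 */
function example_validate_listen_port($raw, int $min_port = 1): array
{
    $raw = trim((string) $raw);

    // A placeholder shown in the form field is not submitted: an untouched
    // field arrives as '' and falls back to the default instead of failing.
    if ($raw === '') {
        return [EXAMPLE_WG_DEFAULT_PORT, null];
    }

    // ctype_digit() accepts only the characters 0-9, so signs, decimals,
    // exponents, hex prefixes and trailing junk are all rejected here.
    // The length cap keeps the integer cast below well inside int range.
    if (!ctype_digit($raw) || strlen($raw) > 5) {
        return [null, 'Invalid interface listen port.'];
    }

    $port = (int) $raw;
    if ($port < $min_port || $port > 65535) {
        return [null, 'Invalid interface listen port.'];
    }
    return [$port, null];
}

// Constructed inputs: each is checked with no minimum (1) and with the
// 512 minimum described in the thread, to show where the results differ.
$samples = ['', '51820', '443', ' 8443 ', '0', '65536', '51820abc', '-1', '4.43e2', '0x1BB'];
foreach ($samples as $s) {
    foreach ([1, 512] as $min) {
        [$port, $err] = example_validate_listen_port($s, $min);
        printf("%-12s min=%-3d -> %s\n", var_export($s, true), $min, $err ?? "port $port");
    }
}
```

Validation of the value says nothing about whether the port is free: WireGuard binds a UDP socket, so a conflict check has to look at UDP listeners rather than TCP ones.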

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.