ICMP leaves with TTL=1

[SkyperTHC]

I'm using the "simple" configuration. WireTap worked for me for years (I'm not new to it)

Recently noticed that ICMP ECHO requests are leaving the EXIT with TTL=1 even when the origin sends them with TTL=64

Origin:

17:19:44.332934 IP (tos 0x0, ttl 64, id 17710, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.0.2 > 1.1.1.1: ICMP echo request, id 3271, seq 1, length 64

Exit:

18:19:44.335955 IP (tos 0x0, ttl 1, id 26639, offset 0, flags [DF], proto ICMP (1), length 84)
    37.120.167.65 > 1.1.1.1: ICMP echo request, id 44904, seq 1, length 64

• Expected behaviour here is to see ttl=64.
• wiretap is running as root.

First HOP router correctly returns with TE:

18:19:44.338129 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto ICMP (1), length 56)
    37.120.164.2 > 37.120.167.65: ICMP time exceeded in-transit, length 36
        IP (tos 0x0, ttl 1, id 26639, offset 0, flags [DF], proto ICMP (1), length 84)
    37.120.167.65 > 1.1.1.1: ICMP echo request, id 44904, seq 1, length 64

[Aptimex]

I'm not able to reproduce this issue. Whether using --simple mode or not, I'm seeing the expected ttl 64 on both the origin and the exit nodes.

If you can provide the following I can look into this further:

• The exact wiretap commands you are using (including the configure and serve commands), as well as the wg-quick (or equivalent) commands you are running to get the Wiretap network up and running.
• Which release version of Wiretap you're using
• What OS is running on the origin and exit nodes
• Any other relevant networking info (such as custom Docker environment, cloud provider, etc)

[SkyperTHC]

Origin (WireGuard Linux 5.15.0-131, kali linux, WG is running in it's own network namespace. No container, x86_64)

interface: wgExit
  public key: vHdQMDpbh3+n6FrxPgSlVGefdLaJOkbFUmlMaOmwhVU=
  private key: (hidden)
  listening port: 35600

peer: G2RfDtF8GPo6kYaKGVM/mpfPZnZ5E20zgXNWBtFckyc=
  endpoint: 37.120.167.65:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 50 seconds ago
  transfer: 43.32 KiB received, 25.77 KiB sent

EXIT (wiretap 0.6.0, Debian GNU/Linux 11 (bullseye), no container, x86_64)

WIRETAP_INTERFACE_PRIVATEKEY='yIteZHzH/k7eovA6/7zP66sWVkElNkZBuE7058Bks1Q=' \
WIRETAP_PEER_PUBLICKEY='vHdQMDpbh3+n6FrxPgSlVGefdLaJOkbFUmlMaOmwhVU=' \
WIRETAP_PEER_ENDPOINT='144.76.220.20:35600' \
WIRETAP_RELAY_INTERFACE_PRIVATEKEY='yIteZHzH/k7eovA6/7zP66sWVkElNkZBuE7058Bks1Q=' \
WIRETAP_RELAY_PEER_PUBLICKEY='vHdQMDpbh3+n6FrxPgSlVGefdLaJOkbFUmlMaOmwhVU=' \
WIRETAP_RELAY_PEER_ENDPOINT='144.76.220.20:35600' \
WIRETAP_SIMPLE='true' \
WIRETAP_RELAY_INTERFACE_MTU='1340' \
wiretap serve -q -a "172.16.0.0/16,fd:16::0/104"

Additional info:

• The 2nd and further ICMP is not visible on eth0 EXIT (e.g. wiretap only sends the first ICMP with ttl=1 and then seems to drop all further ICMP).

Did some research. found this (strace):

• Oddly, even when root, wiretap tries to fall-back to using /usr/bin/ping but then uses the wrong parameters (note the -t 1 will force TTL=1):

[pid 2900347] execve("/usr/bin/ping", ["/usr/bin/ping", "-c", "1", "-t", "1", "1.1.1.1"], 0xc000270000 /* 38 vars
 */ <unfinished ...>

ping -h 2>&1| grep -- -t
  -t <ttl>           define time to live

[Aptimex]

Thanks for the extra info, very odd that it's setting a silly TTL value like that. I'll look into it.

[SkyperTHC]

Thanks for your quick reply and looking into it.

...and why would it use ping anyhow? Wiretap is running as root. It should be able to send ICMP packets directly without having to fall back to /usr/bin/ping ....

[Aptimex]

Wiretap has been specifically designed to provide full functionality without needing to run the binary as root, so possibly alternative root-specific code for doing pings without using that binary were deemed unnecessary when that functionality was written. Or maybe it is in there and there's a bug preventing that from working properly, I'll find out!

[Aptimex]

Looks like the -t 1 is hardcoded into the command because it was tested on MacOS, which uses -t to specify the timeout, whereas on Linux it's supposed to be -w. I'll get that fixed shortly.