Commit graph

482 commits

Author SHA1 Message Date
Jason A. Donenfeld
0b7d9821f2 wg-quick: use addconf instead of setconf
The example in the man page at some point changed:

-    \fBPostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP
+    \fBPreUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP

This is actually wrong because PreUp is followed by set_config(), which
calls `wg setconf`, which in turn deletes the private key from the
interface because it is missing from the configuration. Replacing this
with `wg addconf` is safe to do because the interface is newly created.

Suggested-by: Matthias Dressel <code@deadcode.eu>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2025-06-19 17:08:50 +02:00
Jason A. Donenfeld
d3b40aff96 wg-quick: linux: deal with resolvconf migration more gracefully
When Ubuntu systems upgrade from Debian's atrocious resolvconf to the
systemd-resolve symlink, they sometimes leave around
/etc/resolvconf/interface-order, which then winds up breaking the
detection and passing the bogus 'tun.' prefix to systemd's resolvconf,
resulting in failure. Work around this by only doing the 'tun.' prefix
hack if resolvconf isn't a symlink. This is ugly but so it goes.

Reported-by: Andrei Borzenkov <arvidjaar@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2025-05-23 21:01:53 +02:00
Robyn Kosching
90deacd33d wg-quick: pass on # comments to {Pre,Post}{Up,Down}
Currently commands in {Pre,Post}{Up,Down} are stripped of everything
starting with the first #, even if the # is escaped or in a string. This
patch leaves comment interpretation to the shell, as it can presumably
already handle the difference between comments and escaped #.

Signed-off-by: Robyn Kosching <robyn@kosching.me>
[Jason: massage commit message, port to other platforms]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2025-05-23 20:43:30 +02:00
Jason A. Donenfeld
780182e37d syncconf: account for psks removed from config file
Otherwise removing a psk from a config file wouldn't reflect on the
runtime state.

Note that this could have been implemented more simply, by just setting
WGPEER_HAS_PRESHARED_KEY on all of the file's peers, since the psk slot
is zeroed by calloc in config.c, and this way ones with no set key will
be cleared. The downside is that this means every peer update will take
the handshake lock in the kernel, creating more work and possibly
contention:

        if (preshared_key) {
                down_write(&peer->handshake.lock);
                memcpy(&peer->handshake.preshared_key, preshared_key,
                       NOISE_SYMMETRIC_KEY_LEN);
                up_write(&peer->handshake.lock);
        }

Avoid this by only setting it if there's a mismatch between the runtime
and the file. Computationally this shouldn't make much of a difference
because we can do it in the same iteration as the peer removal
detection.

Reported-by: Patrick Havelange <patrick.havelange_ext@softathome.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2025-05-23 20:26:12 +02:00
Jason A. Donenfeld
5150cd6470 wg-quick: linux: use smallest mtu, not largest
By accident, this function was looking at the endpoint with the largest
MTU rather than the smallest one.

Reported-by: Ismael Bouya <ismael@bouya.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2025-05-21 23:07:59 +02:00
Jason A. Donenfeld
e2ecaaa739 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2025-05-21 01:05:38 +02:00
Ilia Shipitsin
2d6e041fef config: handle strdup failure
Signed-off-by: Ilia Shipitsin <chipitsine@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2025-05-21 00:58:11 +02:00
TriangleSnake
a2dbc3377e wg-quick: linux: add 'dev' to 'ip link add' to avoid keyword conflicts
Signed-off-by: TriangleSnake <trianglesnake2002@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2025-05-21 00:16:18 +02:00
Jason A. Donenfeld
dce8ac6e2f ipc: add stub for allowedips flags on other platforms
On UAPI, just pass along the -. On other platforms, return an error and
add a TODO comment.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2025-05-20 22:12:39 +02:00
Jordan Rife
0788f90810 ipc: linux: support incremental allowed ips updates
Extend the interface of `wg set` to leverage the WGALLOWEDIP_F_REMOVE_ME
flag, a direct way of removing a single allowed ip from a peer,
allowing for incremental updates to a peer's configuration. By default,
allowed-ips fully replaces a peer's allowed ips using
WGPEER_REPLACE_ALLOWEDIPS under the hood. When '+' or '-' is prepended
to any ip in the list, wg clears WGPEER_F_REPLACE_ALLOWEDIPS and sets
the WGALLOWEDIP_F_REMOVE_ME flag on any ip prefixed with '-'.

$ wg set wg0 peer <PUBKEY> allowed-ips +192.168.88.0/24,-192.168.0.1/32

This command means "add 192.168.88.0/24 to this peer's allowed ips if
not present, and remove 192.168.0.1/32 if present".

Use -isystem so that headers in uapi/ take precedence over system
headers; otherwise, the build will fail on systems running kernels
without the WGALLOWEDIP_F_REMOVE_ME flag.

Note that this patch is meant to be merged alongside the kernel patch
that introduces the flag.

Signed-off-by: Jordan Rife <jordan@jrife.io>
[Jason: removed linux ifdefs; this will eventually come to other platforms too. minor style nits.]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2025-05-20 22:03:58 +02:00
Kyle Evans
13d190bc72 ipc: freebsd: use AF_LOCAL for the control socket
AF_INET assumes that IPv4 is built into the kernel, but it's completely
valid to build a kernel without it.  unix(4) sockets, on the other hand,
are not optional in the kernel build.  Given that interface ioctls can
be invoked on any kind of socket, switch to the safer one to avoid
breaking on IPv6-only kernels.

Signed-off-by: Kyle Evans <kevans@FreeBSD.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2025-05-20 21:59:23 +02:00
Jason A. Donenfeld
13f4ac4cb7 ipc: linux: enforce IFNAMSIZ limit
libmnl doesn't check lengths, so do our own checking before copying the
interface name to the netlink buffer.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2023-08-04 16:04:36 +02:00
Jason A. Donenfeld
729242a114 man: set private key in PreUp rather than PostUp
This is probably more sensible, since there's no point in letting
traffic flow before the interface is configured.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2023-05-18 16:39:49 +02:00
Daniel Gröber
e6888dd74e wg-quick: run PreUp hook after creating interface
Currently PreUp hooks run before the interface is created. This is
problematic for moving the device into a Linux VRF as this will
currently clear all assigned IPv6 addresses (possibly a bug), so if we
did this in PostUp (i.e. before add_addr) we'll have to manually re-add
all assigned addresses. This is obviously less than ideal.

Instead create the wg device just before running PreUp hooks. We apply
this to all platforms for consistency.

Test case:

    $ ip link add vrf-test type vrf table 1234
    $ ip link add wg-test type wireguard
    $ ip addr add dev wg-test 192.168.42.42/24
    $ ip addr add dev wg-test fe80::/64

    $ ip -br addr show wg-test
    wg-test          DOWN           192.168.42.42/24 fe80::/64

    $ ip link set dev wg-test master vrf-test

    $ ip -br addr show wg-test
    wg-test          DOWN           192.168.42.42/32

Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2023-05-18 16:38:34 +02:00
Dmitry Selivanov
b4f6b4f229 show: fix show all endpoints output
Currently "wg show all endpoints" prints interface name only once
while other "show all" commands print it on each line as man says.

Signed-off-by: Dmitry Selivanov <dseliv@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2023-02-08 13:47:47 -03:00
Kyle Evans
139aac59a5 ipc: freebsd: NULL out some freed memory in kernel_set_device()
The `err` path in kernel_set_device() will attempt to free() allocated
nvl_peers, but these two cases meant we could end up attempting a use
after free or a double free, as we rely on nvlist_destroy(NULL) being
a NOP as well as free(NULL).

FreeBSD-Coverity:	1500421
Signed-off-by: Kyle Evans <kevans@FreeBSD.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2022-11-03 19:57:26 +01:00
Kyle Evans
dbf49a7d17 ipc: freebsd: avoid leaking memory in kernel_get_device()
Primarily, front-load validation of an allowed-ip entry to before we
allocate `aip`, so that we don't need to free() it if we end up skipping
this entry.  Assert that `aip` is NULL after we exit the loop, as we
should have transferred ownership to the `peer` or freed it in all paths
through the allowed-ip loop.

FreeBSD-Coverity:	1500405
Signed-off-by: Kyle Evans <kevans@FreeBSD.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2022-11-03 19:57:21 +01:00
Jason A. Donenfeld
ca2e89ff21 show: apply const to right part of pointer
Without this -Wcast-qual complains:

show.c:30:43: warning: cast from 'const void *' to 'const void **' drops const qualifier [-Wcast-qual]
        const struct wgpeer *a = *(const void **)first, *b = *(const void **)second;
                                                 ^
show.c:30:71: warning: cast from 'const void *' to 'const void **' drops const qualifier [-Wcast-qual]
        const struct wgpeer *a = *(const void **)first, *b = *(const void **)second;

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2022-10-31 15:39:30 +01:00
Kyle Evans
7b2ae7aa2f ipc: freebsd: move if_wg path to reflect new in-tree location
When we re-added if_wg to the tree, we changed directories in dev to
strip the if_ (we don't use this prefix for other interfaces'
directories). Adjust it here as a convenience, so that when we import
wireguard-tools to FreeBSD the path will just work as-is with our usual
build.

Signed-off-by: Kyle Evans <kevans@FreeBSD.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2022-10-29 03:51:47 +02:00
Tom Yan
71799a8f6d wg-quick: linux: prevent traffic from momentarily leaking into tunnel
The wireguard route table ip rule should stay as a no-op until the
`suppress_prefixlength 0 table main` rule is in effect. Therefore, add
the wireguard default route to its route table after the latter rule is
added.

Signed-off-by: Tom Yan <tom.ty89@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2022-06-17 13:53:43 +02:00
Jason A. Donenfeld
5b9c1d6d74 global: dual license core files as MIT for FreeBSD
To make it easier for FreeBSD to import wg(8), dual license the core
files as MIT, so that they don't have any trouble.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2022-06-10 19:35:38 +02:00
Jason A. Donenfeld
c0b68d2eaf wg-quick: android: use right regex for host-vs-IP
Looks like the "is valid ifname" regex was copy and pasted from
wg-quick.bash instead of the "is valid IP" regex.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2022-05-10 12:40:49 +02:00
Jason A. Donenfeld
1fd9570839 reresolve-dns: use $EPOCHSECONDS instead of $(date +%s)
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2022-01-04 13:07:49 +01:00
Mikael Magnusson
b906ecb614 embeddable-wg-library: add named wg_endpoint union
Define wg_endpoint as a named union to allow users of the embeddable
library to use the type in function arguments, variables etc.

Signed-off-by: Mikael Magnusson <mikma@users.sourceforge.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-10-22 13:26:04 -06:00
Jason A. Donenfeld
1ee37b8e48 ipc: use more clever PnP enumerator
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-10-06 17:18:40 -06:00
Jason A. Donenfeld
3ba6527130 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-09-14 00:43:31 +02:00
Matt Dunwoodie
84ac6add7e wg-quick: openbsd: set DNS with resolvd(8)
OpenBSD has introduced a new daemon named resolvd(8) to manage
resolv.conf. This creates problems with the old "horrible way" of
completely replacing resolv.conf. Resolvd will attempt to merge manual
changes with DNS servers discovered through dhcpleased(8) and slaacd(8).
Unfortunately, resolvd puts any manual modifications at the end of
resolv.conf, meaning that the wg-quick name servers will be queried
last.

The process for handling multiple name servers (at least with libc) is
to try a name server, and if the query times out, try the next, until
out of name servers, then repeat trying all name servers until a maximum
number of retries are performed. The name servers are queried in the
order listed in resolv.conf and the timeout is 5 seconds.

With this patch, we ensure the wg-quick name server is first in
resolv.conf (as route creates the name server with "static" priority),
but cannot ensure it is exclusive. Therefore, it may be possible that
queries are leaked to other name servers if the wg-quick name server
doesn't respond within 5 seconds.

We have another problem however, and that is if resolvd detects unwind
is running, it will set 127.0.0.1 as the only name server in
resolv.conf. unwind does not have deterministic name server selection in
the default configuration.  This means, all a user would need to do to
inadvertently cause persistent query leaks would be to run `rcctl enable
unwind`.

There are warnings added when these situations may occur.

The next step is to add an exclusive flag and search to route and
resolvd.

Reported-by: Matthieu Herrb <matthieu@herrb.eu>
Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-09-14 00:40:51 +02:00
Jason A. Donenfeld
af260d529e wg-quick: android: adjust for android 12
https://android-review.googlesource.com/c/platform/system/netd/+/1671532

Reported-by: engstk <eng.stk@sapo.pt>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-09-09 23:36:29 +02:00
Laura Hausmann
b3aafa6103 wg-quick: darwin: account for "link#XX" gateways
On macOS, under specific configurations, the `netstat -nr -f inet` and
`netstat -nr -f inet6` outputs break gateway collection.

Signed-off-by: Laura Hausmann <laura@hausmann.dev>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-08-12 22:03:04 +02:00
Jason A. Donenfeld
52597c3515 ipc: windows: use devpkey instead of nci for name
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-31 01:01:53 +02:00
Jason A. Donenfeld
fabe24df3a ipc: windows: don't display disabled adapters
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-20 13:24:18 +02:00
Jason A. Donenfeld
c70bea7a31 ipc: remove windows elevation
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-20 13:24:18 +02:00
Jason A. Donenfeld
d58df7ed10 ipc: cache windows lookups to avoid O(n^2) with nested lookups
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-20 13:24:18 +02:00
Jason A. Donenfeld
f65c82456d ipc: add wireguard-nt support
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-07-20 13:24:18 +02:00
Hangbin Liu
9a7e4364b1 contrib/launchd: fix xml syntax error
The current plist xml gets the error "DOCTYPE improperly terminated" with an xml
syntax checker[1]. The example in apple doc[2] also doesn't have a semicolon
at the end of the DOCTYPE line.

[1] https://www.w3schools.com/xml/xml_validator.asp
[2] https://opensource.apple.com/source/launchd/launchd-257/launchd/doc/HOWTO.html

Fixes: b30e74b595 ("wg-quick: darwin: support being called from launchd")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-17 11:43:06 +02:00
Jason A. Donenfeld
197689a3cd man: mention BSD debugging
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-05-06 12:54:29 +02:00
Jason A. Donenfeld
ecb1ea29d7 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-04-24 16:43:19 -04:00
Jason A. Donenfeld
96e42feb3f wg-quick: kill route monitor when loop terminates
If the route monitor doesn't attempt to write more to stdout, then this
leaves a process hanging around. Kill it explicitly. We also switch to
using exec in the process substitution, to reduce a bash process.

Closes: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255286
Reported-by: Christos Chatzaras <chris@cretaforce.gr>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-04-20 21:36:19 -06:00
Jason A. Donenfeld
3124afbea3 wg-quick: freebsd: use ifconfig for determining if interface is up
We no longer need the arp hack, as these bugs have been fixed in the
FreeBSD kernel.

This partially reverts 090639ae90.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-04-18 20:40:02 -06:00
Jason A. Donenfeld
163cef8b90 wg-quick: freebsd: do not assume point-to-point interface flag
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-03-23 12:29:33 -06:00
Jason A. Donenfeld
a43f0b634e wg-quick: freebsd: check for socket using -S, not -f
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-03-21 10:15:53 -06:00
Jason A. Donenfeld
622408872f version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-03-15 08:04:02 -06:00
Jason A. Donenfeld
9c811e0f2d wg-quick: freebsd: avoid writing private keys to /tmp
FreeBSD's bash doesn't handle <(...) safely, creating a temporary file
instead of using /proc/self/fd/N like on Linux. Work around this by
using a simple pipeline with /dev/stdin.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-03-13 21:20:19 -07:00
Jason A. Donenfeld
4e4867dc95 ipc: uniformly ignore preshared keys that are zero
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-03-11 15:35:15 -07:00
Jason A. Donenfeld
f51349c52b ipc: freebsd: add initial FreeBSD support
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-03-11 15:02:07 -07:00
Jason A. Donenfeld
576e40056d wg-quick: freebsd: add kernel support
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-03-11 09:05:14 -07:00
Kyle Evans
396b85280a wireguard-tools: drag in headers for prototypes
ipc.c and terminal.c provide definitions for prototypes in their
respective headers, drag those in.

Signed-off-by: Kyle Evans <kevans@FreeBSD.org>
2021-03-10 17:35:20 -07:00
Kyle Evans
88bc64366e wireguard-tools: const correctness
Fixes much of the noise from a FreeBSD WARNS=6 build of wg(8).

Signed-off-by: Kyle Evans <kevans@FreeBSD.org>
2021-03-10 17:35:18 -07:00
Florian Eckert
957702af94 Makefile: fix version indicator
If we execute `wg --version` we get a different version string that does
not match with the version string in the openwrt makefile.

Current version string:
`wireguard-tools vreboot-13159-gac5caa2718 -https://git.zx2c4.com/wireguard-tools/`

Corrected version string:
`wireguard-tools v1.0.20200319 -https://git.zx2c4.com/wireguard-tools/`

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-03-05 14:37:11 -07:00
Jason A. Donenfeld
6d3b876492 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2021-02-23 19:32:18 +01:00