The example in the man page at some point changed:
- \fBPostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP
+ \fBPreUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP
This is actually wrong because PreUp is followed by set_config(), which
calls `wg setconf`, which in turn deletes the private key from the
interface because it is missing from the configuration. Replacing this
with `wg addconf` is safe to do because the interface is newly created.
Suggested-by: Matthias Dressel <code@deadcode.eu>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
When Ubuntu systems upgrade from Debian's atrocious resolvconf to the
systemd-resolve symlink, they sometimes leave around
/etc/resolvconf/interface-order, which then winds up breaking the
detection and passing the bogus 'tun.' prefix to systemd's resolvconf,
resulting in failure. Work around this by only doing the 'tun.' prefix
hack if resolvconf isn't a symlink. This is ugly but so it goes.
Reported-by: Andrei Borzenkov <arvidjaar@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Currently commands in {Pre,Post}{Up,Down} are stripped of everything
starting with the first #, even if the # is escaped or in a string. This
patch leaves comment interpretation to the shell, as it can presumably
already handle the difference between comments and escaped #.
Signed-off-by: Robyn Kosching <robyn@kosching.me>
[Jason: massage commit message, port to other platforms]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
By accident, this function was looking at the endpoint with the largest
MTU rather than the smallest one.
Reported-by: Ismael Bouya <ismael@bouya.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Currently PreUp hooks run before the interface is created. This is
problematic for moving the device into a Linux VRFs as this will
currently clear all assigned IPv6 addressess (possibly a bug), so if we
did this in PostUp (i.e. before add_addr) we'll have to manually re-add
all assigned addresses. This is obviously less than ideal.
Instead create the wg device just before running PreUp hooks. We apply
this to all platforms for consistency.
Test case:
$ ip link add vrf-test type vrf table 1234
$ ip link add wg-test type wireguard
$ ip addr add dev wg-test 192.168.42.42/24
$ ip addr add dev wg-test fe80::/64
$ ip -br addr show wg-test
wg-test DOWN 192.168.42.42/24 fe80::/64
$ ip link set dev wg-test master vrf-test
$ ip -br addr show wg-test
wg-test DOWN 192.168.42.42/32
Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
The wireguard route table ip rule should stay as a no-op until the
`suppress_prefixlength 0 table main` rule is in effect. Therefore, add
the wireguard default route to its route table after the latter rule is
added.
Signed-off-by: Tom Yan <tom.ty89@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This reverts commit 26683f6c9a, which
means the old problem comes back. That's an issue. But waiting on
process substitutions is not available with commonly used bash versions:
# wg-quick up demo
[#] ip link add demo type wireguard
[#] wg setconf demo /dev/fd/63
/usr/bin/wg-quick: line 251: wait: pid 2955 is not a child of this shell
[#] ip link delete dev demo
This means we have to wait a few years before fixing this issue. IOW,
bash limitation; can't fix.
Reported-by: Theodore Mozzo <theodore.mozzo@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Bash does not propagate error values, which is a bummer, but process
substitutions are a useful feature. Introduce a new idiom to deal with
this: either "; wait $!" after the line to propagate the error, or "||
true" to indicate explicitly that we don't care about the error.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
If DNS= has an IP in it, treat it as a DNS server. If DNS= has a non-IP
in it, treat it as a DNS search domain.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Otherwise nft(8) has strange ideas of what a string is.
Suggested-by: RistiCore <RistiCore@mail.ee>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
The ADDRESSES array might not have addresses added during PreUp. But
moreover, nft(8) and iptables(8) don't like ip addresses in the form
somev6prefix::someipv4suffix, such as fd00::1.2.3.4, while ip(8) can
handle it. So by adding these first and then asking for them back, we
always get normalized addresses suitable for nft(8) and iptables(8).
Reported-by: Silvan Nagl <mail@53c70r.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Daniel argues that technically a package manager could install nft(8)
after previously having started wg-quick(8) using iptables(8).
Suggested-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Older nft(8), such as that on Ubuntu, does not accept the - parameter to
the -f argument and doesn't accept symbolic priority names. So instead
use the canonical numeric priority forms and use <(echo) instead of -.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
If nft(8) is installed, use it. These rules should be identical to the
iptables-restore(8) ones, with the advantage that cleanup is easy
because we use custom table names.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
systemd-resolved has a compatibility interface for use with resolvconf
scripts when resolvectl is called from a symlink from resolvconf.
However, when tearing down the interface, cmd_down calls del_if and then
unset_dns. In the case of systemd-resolved, deleting the interface also
removes the systemd-resolved entry and causes resolvconf -d to fail when
resolvconf really is a symlink to resolvectl. This causes `wg-quick
down` and 'wg-quick@.service' to exit with failure.
Instead we use the resolvconf '-f' flag to ignore non-existent
interfaces, supported by both openresolv and sd-resolved resolvconf.
Signed-off-by: Ronan Pigott <rpigott@berkeley.edu>
[zx2c4: moved -f argument to end to remain compatible with Debian's resolvconf]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
`wg-quick strip` prints the config file to stdout after stripping it of
all wg-quick-specific options.
This enables tricks such as `wg addconf $DEV <(wg-quick strip $DEV)`.
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This avoids another ip(8) invocation for little benefit.
Confirmed to work with iproute2 and busybox.
Signed-off-by: Aaron Jones <aaronmdjones@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This knob might disappear at some point, and we don't want to encourage
its use, so it's not being documented, but this should help with
development of new implementations.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
For properly configured Homebrew installations /usr/local/bin should be
before /bin, so this should still work. This allows the script to be
used in more than one setting.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
