Re: (Unofficial) wireguard packages for Debian Stretch (testing)
On Thu, Feb 16, 2017 at 09:46:15PM -0500, Daniel Kahn Gillmor wrote:
> On Wed 2017-02-15 16:31:54 -0500, Baptiste Jonglez wrote:
> > On jessie, it worked exactly the same with the 4.9 kernel from
> > jessie-backports:
> >
> > # cat /etc/apt/sources.list
> > deb http://httpredir.debian.org/debian jessie main
> > deb http://httpredir.debian.org/debian jessie-backports main
> > deb http://httpredir.debian.org/debian unstable main
> > # cat /etc/apt/preferences.d/limit-unstable
> > Package: *
> > Pin: release a=unstable
> > Pin-Priority: 200
> > # apt update
> > # apt install -t jessie-backports linux-image-amd64 linux-base
> > # reboot
> > # apt install wireguard-dkms wireguard-tools
> > # ./client.sh
> > # ping 192.168.4.1
> > PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
> > 64 bytes from 192.168.4.1: icmp_seq=1 ttl=64 time=15.1 ms
>
> interesting, thanks for testing and reporting back!
>
> are you sure that with this installation on jessie, the wireguard
> packages are the only things that got pulled in from unstable?

Yes, it pulled only dkms and menu (from jessie). Though I probably had the
other dependencies already installed (from jessie or jessie-backports).

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
[wireguard-devel] : wg output format
Hello,
wg show, showconf output format is not easy to parse.
Can you add a JSON output, with all information about peers, conf
(endpoint, pubkey, handshake ...) in a single line?

Regards,
Nicolas Prochazka
Re: [wireguard-devel] : wg output format
Hello Nicolas,

been there, asked that. The answer was negative. I know, it is no fun to
parse. See here how I worked around it:

-> https://github.com/danrl/lede-luci/blob/58833aa2df97ba93a9512f3b0c428cf558fa2235/applications/luci-app-wireguard/luasrc/view/wireguard.htm

JSON output would have saved me about 100+ lines of Lua code. Still
considering patching the wg util. Hopefully, this Lua code helps you to get
started. Feel free to share your solution, I am still interested in getting
JSON out of wg for some other project.

Cheers,
Dan

> On 17 Feb 2017, at 11:25, nicolas prochazka wrote:
>
> hello,
> wg show, showconf output format is not easy to parse.
> Can you add a json output , with all information about peers , conf (
> endpoint, pubkey,handshake ... ) in a single line
>
> Regards,
> Nicolas Prochazka
Re: [wireguard-devel] : wg output format
Hey guys,

Seems like this isn't the first request for such a thing. I'll investigate
better means of generating bulk output, and might eventually converge on
JSON for that. Will keep you posted.

Jason
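
The conversion requested in this thread, as an added example that is not part of the original messages and is not WireGuard project code: a small Python parser that turns the INI-like text printed by `wg showconf` into one line of JSON. The sample input is constructed with placeholder keys; redacting `PrivateKey` and `PresharedKey` is a choice made here, and handshake times are not covered because showconf carries configuration only.

```python
import json

# Constructed sample in the layout `wg showconf <interface>` prints; keys are placeholders.
SAMPLE_SHOWCONF = """\
[Interface]
ListenPort = 51820
PrivateKey = PRIVATE_KEY_PLACEHOLDER=

[Peer]
PublicKey = PEER_A_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.4.2/32, fd00::2/128
Endpoint = 203.0.113.10:41414

[Peer]
PublicKey = PEER_B_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.4.3/32
"""

REDACT = {"PrivateKey", "PresharedKey"}  # secrets stay out of the JSON

def parse_showconf(text):
    """Return {"interface": {...}, "peers": [{...}, ...]} from showconf text."""
    result = {"interface": {}, "peers": []}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = result["interface"]
        elif line == "[Peer]":
            # [Peer] repeats, which is why configparser cannot read this.
            current = {}
            result["peers"].append(current)
        else:
            # Split on the first '=' only: base64 keys end in '=' padding.
            key, sep, value = line.partition("=")
            if not sep or current is None:
                raise ValueError(f"line {lineno}: unexpected {raw!r}")
            key, value = key.strip(), value.strip()
            if key in REDACT:
                value = "(hidden)"
            elif key == "AllowedIPs":
                value = [ip.strip() for ip in value.split(",")]
            current[key] = value
    return result

def to_json_line(text):
    return json.dumps(parse_showconf(text), sort_keys=True, separators=(",", ":"))
```
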
Re: (Unofficial) wireguard packages for Debian Stretch (testing)
Hey guys,

Very nice investigation. I think adding some simple instructions on this to
the WireGuard website makes sense. If you've got a one or two or three or
four line command to magically add these files and sync the repos, could
you send it along? Then I'll include it on the page.

Jason
version mismatch
Hi All,

I'm just starting out playing with connecting systems and I'm wondering
what issues there are around mismatched wireguard and kernel versions at
peers? I assume it's best to be identical in terms of wireguard and "as
modern as possible" in terms of kernel?

Thanks,
David
Re: Instability during large transfers
Hey Samuel,

Thanks very much for the excellent debugging output. I'll try to reproduce
this as well on my systems.

The stack trace does indicate that the OOPS is happening in padata, not in
wireguard, so I wonder if this is some bug caused either by grsecurity or
by something else that was then fixed, but since your kernel is a bit old
(4.7.10) maybe the fix didn't make it. In either case, I'll try to
reproduce on that kernel and on newer kernels and will get back to you.

I presume you have most PaX options turned on?

Thanks,
Jason
Re: version mismatch
Hi David,

Since WireGuard is still in active development, it's probably best to run
the latest versions if you can, since every version is better than the
previous.

Jason
Re: Rust Version
Hey Sascha,

I would be very happy to work with you on the Rust implementation. Find me
on IRC (I'm zx2c4) and we can chat about it.

Regards,
Jason
Re: Wanted: Novice Guides
Hi Daniel,

On Wed, Feb 15, 2017 at 3:53 PM, Daniel Kahn Gillmor wrote:
> A good "novice guide" usually has the following pattern:

This is a nice list of suggestions on how to structure guides. Thanks for
that.

> Those of us who are not novices understand that tools like WireGuard can
> be used on a lot of different platforms (c) to perform a lot of
> different tasks (a), but how those tasks are carried out might have more
> to do with policy details (where do you get the peer's public keys from?
> how do you verify that they're the right public keys? How do peers find
> each other if there are no stable public IP addresses? How do you
> allocate IP addresses for the wg interfaces? Which traffic should each
> peer route over which wg interfaces?) than with WireGuard itself.

Right. The concepts are simple, and simplify a lot of the things WireGuard
is supposed to replace, but they're still somewhat new concepts. That means
there's going to need to be explanations and diagrams and good solid
descriptions for people who don't even know the prior concepts.

> The fact that the WireGuard-specific instructions for any such guide are
> likely to be minimal is one of the strengths of WireGuard, i think. But
> that also means that any novice guide is going to be at least as much
> about non-WireGuard details as it is about WireGuard itself.

Right. This also raises the question of the role of WireGuard in general.
It's being designed as sort of a fundamental basic build block, on which
other tools and simple bash scripts should be built. How much should I
build those larger things? (Such as wg-quick.) How much should I wait for
others to integrate this into existing utilities (such as NetworkManager or
systemd-networkd)? How much should other people simply build new tools on
top of the WireGuard core? I suspect the answer is: all of those things all
at once, and then we'll have a flourishing ecosystem. This, though, makes
the focus of beginner guides non-obvious.

>
> Jason, what kinds of novice guides are people asking for?

"How do I set up my laptop with my server?"
"How do I set up my laptop with my home router?"
"How do I put it on a RasPi at home and connect to it from the Internet
with my laptop?"
"How do I hook all my servers together with it?"
"What's the difference between a tunnel IP address and an endpoint?"
"What do I put in AllowedIPs and what do I put as the interface IP and
what's the difference?"
"What's the difference between AllowedIPs and the normal routing table?"

etc etc
Re: Wanted: Novice Guides
On Wed, Feb 15, 2017 at 5:39 PM, jugs wrote:
> Should we put them on a blog or the wireguard site?

Either? Both? I'd very much welcome external blogs, since these tend to be
good forums for guides that focus on particular platforms and setups.
However, if there is some good general-purpose writing that might apply
well to everybody, then it seems like the wireguard site could be an okay
place for that.
Re: Some questions about wireguard
On Wed, Feb 15, 2017 at 11:12 AM, Nicolas Prochazka wrote:
> - how many tunnels a peer can manage ?
> In our environment, ~ 10 000 clients --> "server"|peer

Each interface can have 65536 peers. Each linux system can have multiple
interfaces.

(If that peer limit becomes a problem for somebody, it wouldn't be
difficult to remove it and expand it to 4294967296.)

> how wireguard manage this ( udp tunnel from kernel ? )

Not sure I understand your question. Could you rephrase?

>
> - about peer key management ?
> with 10 000 peer keys, how can we manage it

You can load the keys into the interface using wg(8). At some later date
there may be support for dynamic database stuff.
Re: [PATCH] Handle (a) changes in Screech and (b) borrow issue
Hey,

Thanks for the patch. This changes the screech repository to your own. Has
Trevor agreed for you to officially take over that project? If so, please
link me to the moderncrypto mailing list post about this. If not, why
should things switch to yours rather than moving your patches upstream to
Trevor?

Regards,
Jason
Re: Some questions about wireguard
Hello,

sorry for my English. This question (udp tunnel ...) is not relevant; I
learn a lot from reading the mailing list.

Regards,
Nicolas

2017-02-17 14:48 GMT+01:00 Jason A. Donenfeld:
> On Wed, Feb 15, 2017 at 11:12 AM, Nicolas Prochazka wrote:
> > - how many tunnels a peer can manage ?
> > In our environment, ~ 10 000 clients --> "server"|peer
>
> Each interface can have 65536 peers. Each linux system can have
> multiple interfaces.
>
> (If that peer limit becomes a problem for somebody, it wouldn't be
> difficult to remove it and expand it to 4294967296.)
>
> > how wireguard manage this ( udp tunnel from kernel ? )
>
> Not sure I understand your question. Could you rephrase?
>
> >
> > - about peer key management ?
> > with 10 000 peer keys, how can we manage it
>
> You can load the keys into the interface using wg(8). At some later
> date there may be support for dynamic database stuff.
[wireguard-devel] About ip management
Hello,

I hope not to have misunderstood IP management with WireGuard: in a "server
mode operation", as many peers -> one peer (server), private IP
configuration must be coherent.

In fact, as in the server / client example in contrib, the server must
deliver IPs to clients; there's no way for a client to know a good
private_ip. We cannot use dhcp, layer 3, so ... we need to implement a pool
IP manager, is it correct?

Regards,
Nicolas Prochazka.
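
A sketch of the kind of pool manager asked about here, which also covers the earlier question about loading many peer keys with wg(8). It is an added example, not part of the original messages and not WireGuard project code: a static lease table keyed by peer public key that renders the server-side `[Peer]` stanzas, which could then be loaded with `wg addconf`. The class and method names are hypothetical, and the subnet and keys are constructed placeholders.

```python
import ipaddress


class TunnelPool:
    """Static lease table: one tunnel address per peer public key."""

    def __init__(self, cidr, server_ip):
        self.net = ipaddress.ip_network(cidr)
        self.server = ipaddress.ip_address(server_ip)
        if self.server not in self.net:
            raise ValueError("server address is outside the pool")
        self.leases = {}      # public key -> address
        self.released = []    # addresses returned by revoke(), reused first
        self._fresh = (h for h in self.net.hosts() if h != self.server)

    def allocate(self, pubkey):
        # Idempotent: a key that already holds a lease keeps its address.
        if pubkey in self.leases:
            return self.leases[pubkey]
        ip = self.released.pop(0) if self.released else next(self._fresh, None)
        if ip is None:
            raise RuntimeError("pool exhausted")
        self.leases[pubkey] = ip
        return ip

    def revoke(self, pubkey):
        self.released.append(self.leases.pop(pubkey))

    def server_peers(self):
        # One host route per key in AllowedIPs, so the server only accepts
        # a given source address from the peer holding the matching key.
        return "\n".join(
            f"[Peer]\nPublicKey = {key}\nAllowedIPs = {ip}/{ip.max_prefixlen}\n"
            for key, ip in self.leases.items())

    def client_address(self, pubkey):
        # Value the client puts on its own wg interface (e.g. ip address add).
        return f"{self.leases[pubkey]}/{self.net.prefixlen}"


def demo():
    # Constructed values: 192.168.4.0/24 with the server on .1; keys are placeholders.
    pool = TunnelPool("192.168.4.0/24", "192.168.4.1")
    for n in range(3):
        pool.allocate(f"CLIENT_{n}_PUBLIC_KEY_PLACEHOLDER=")
    pool.revoke("CLIENT_1_PUBLIC_KEY_PLACEHOLDER=")
    pool.allocate("CLIENT_3_PUBLIC_KEY_PLACEHOLDER=")   # reuses 192.168.4.3
    return pool
```
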
Re: Instability during large transfers
Hello,

On 02/17/17 07:36, Jason A. Donenfeld wrote:
> The stack trace does indicate that the OOPS is happening in padata, not
> in wireguard, so I wonder if this is some bug caused either by
> grsecurity or by something else that was then fixed, but since your
> kernel is a bit old (4.7.10) maybe the fix didn't make it. In either
> case, I'll try to reproduce on that kernel and on newer kernels and will
> get back to you.

There do not appear to be any relevant changes to padata in the past few
years, and grsecurity doesn't look like it affects padata much, but that
doesn't rule it out:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/?qt=grep&q=padata
https://grsecurity.net/changelog-test.txt

> I presume you have most PaX options turned on?

Attached is my config.gz (it's the same on all machines).

> Thanks,
> Jason

Thanks,
Samuel

config-4.7.10-hardened.gz
Description: application/gzip
Re: [PATCH] Handle (a) changes in Screech and (b) borrow issue
Hi Jason,

It was necessary to "vendor" Screech. A separate Git repo makes for a
cleaner patch than downloading and including all of Screech.

The patch makes some stuff public again that was once public and then went
private:

https://github.com/solidsnack/screech/commit/6d91d075ad2f98f03c807a471953495c720a5696

I assume Trevor made them private for a reason; but also that the original
developer of the client used them for a reason. I would like to better
understand the application before making a suggestion as regards the
Screech API; but I would also really like the Rust client to build (as I
think we all would).

Kind Regards,
Jason

Jason A. Donenfeld wrote on Fri, 17 Feb 2017 at 05:50:
> Hey,
>
> Thanks for the patch. This changes the screech repository to your own.
> Has Trevor agreed for you to officially take over that project? If so,
> please link me to the moderncrypto mailing list post about this. If
> not, why should things switch to yours rather than moving your patches
> upstream to Trevor?
>
> Regards,
> Jason
Re: (Unofficial) wireguard packages for Debian Stretch (testing)
On Thu 2017-02-16 22:14:11 -0500, David Anderson wrote:
> The transcript below still shows one additional package being pulled from
> sid/main, the dkms package. I find this strange: wireguard-dkms depends on
> dkms >=2.1.0.0, stretch has dkms 2.3-2, and sid has dkms 2.3-3. Despite the
> negative priority for unstable, apt picks 2.3-3 from sid, even though the
> dependency could be satisfied out of stretch. What am I missing?

That is indeed weird.

what does "apt-cache policy dkms" show you?

what if you "apt install dkms" on its own first, which version do you get?

--dkg