Re: WireGuard-p2p: A tool for NAT traversal

2017-09-21 Thread Jason A. Donenfeld
Hey Manuel,

Looks like you rewrote this project from python into rust. Cool!

I'd be interested to learn what's new, what's changed, and what's up
in general. I always thought this was a pretty neat idea.

Jason
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


Re: 2-factor auth options

2017-09-21 Thread Jason A. Donenfeld
Hi Konstantin,

The easiest way would be to add OTP to the part of your infra that
does the key exchange. That is, if you have some kind of HTTPS
REST-based API or an SSH-based API, you can have the server not accept
a new public key until the OTP challenge is satisfied.

Alternatively, you could do OTP in-band, in order to authorize that
public key for a certain window of time before inactivity. In this
scheme, you'd disallow access to the network segment based on firewall
rules until a certain in-band challenge is made -- perhaps by
contacting a certain sandboxed server and answering an OTP challenge
there.

(At some point it is planned for WireGuard to have an API for sending
control messages directly to a public key, not via an IP address,
which will provide another option for in-band challenges (in addition
to dynamic configuration of IPs), but it's not immediately obvious
that this actually simplifies things, which is why I haven't yet
implemented the plan.)

What kind of infrastructure are you imagining? Is this for kernel.org?

Jason


Re: Failure building on CentOS-7.4

2017-09-21 Thread Jason A. Donenfeld
Hey Konstantin,

You are using an old snapshot. Try upgrading to 20170918, which brings
CentOS 7.4 support.

Jason


Re: 2-factor auth options

2017-09-21 Thread David Woodhouse
On Thu, 2017-09-21 at 15:21 -0400, Konstantin Ryabitsev wrote:
> Hello, all:
> 
> Is there any mechanism to add some kind of 2-factor authentication
> mechanism either via:
> 
> a. additional prompting for a HOTP/TOTP key sequence similar to how
> openvpn allows doing auth-user-pass in addition to certificate-based
> authentication

Remember things like Yubikeys can do [HT]OTP in hardware. Not as HID
but actually generating the OTP on demand via PCSC.

> b. some way to use PGP Auth keys with wireguard so that keys stored on
> GnuPG-capable smartcards can be used for establishing a VPN connection.

PKCS#11 might be a better choice than PGP.

> c. (some other means)



Failure building on CentOS-7.4

2017-09-21 Thread Konstantin Ryabitsev
Hi, all:

I am getting the following error trying to build using the latest
CentOS-7.4 kernel using the 20170907 snapshot:

[root@ossna17 ~]# uname -r
3.10.0-693.2.2.el7.x86_64
[root@ossna17 ~]# cat /var/lib/dkms/wireguard/0.0.20170907/build/make.log
DKMS make.log for wireguard-0.0.20170907 for kernel 3.10.0-693.2.2.el7.x86_64 
(x86_64)
Thu Sep 21 19:37:51 UTC 2017
make: Entering directory `/usr/src/kernels/3.10.0-693.2.2.el7.x86_64'
  LD  /var/lib/dkms/wireguard/0.0.20170907/build/built-in.o
  CC [M]  /var/lib/dkms/wireguard/0.0.20170907/build/main.o
  CC [M]  /var/lib/dkms/wireguard/0.0.20170907/build/noise.o
  CC [M]  /var/lib/dkms/wireguard/0.0.20170907/build/device.o
  CC [M]  /var/lib/dkms/wireguard/0.0.20170907/build/peer.o
In file included from :0:0:
/var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:98:20: error: static 
declaration of ‘ipv6_mod_enabled’ follows non-static declaration
 static inline bool ipv6_mod_enabled(void)
^
In file included from :0:0:
/var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:98:20: error: static 
declaration of ‘ipv6_mod_enabled’ follows non-static declaration
 static inline bool ipv6_mod_enabled(void)
^
In file included from include/net/dsfield.h:11:0,
 from include/net/ip_tunnels.h:10,
 from 
/var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:71,
 from :0:
include/linux/ipv6.h:260:6: note: previous declaration of ‘ipv6_mod_enabled’ 
was here
 bool ipv6_mod_enabled(void);
  ^
In file included from include/net/dsfield.h:11:0,
 from include/net/ip_tunnels.h:10,
 from 
/var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:71,
 from :0:
include/linux/ipv6.h:260:6: note: previous declaration of ‘ipv6_mod_enabled’ 
was here
 bool ipv6_mod_enabled(void);
  ^
In file included from :0:0:
/var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:98:20: error: static 
declaration of ‘ipv6_mod_enabled’ follows non-static declaration
 static inline bool ipv6_mod_enabled(void)
^
In file included from include/net/dsfield.h:11:0,
 from include/net/ip_tunnels.h:10,
 from 
/var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:71,
 from :0:
include/linux/ipv6.h:260:6: note: previous declaration of ‘ipv6_mod_enabled’ 
was here
 bool ipv6_mod_enabled(void);
  ^
In file included from :0:0:
/var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:98:20: error: static 
declaration of ‘ipv6_mod_enabled’ follows non-static declaration
 static inline bool ipv6_mod_enabled(void)
^
In file included from include/net/dsfield.h:11:0,
 from include/net/ip_tunnels.h:10,
 from 
/var/lib/dkms/wireguard/0.0.20170907/build/compat/compat.h:71,
 from :0:
include/linux/ipv6.h:260:6: note: previous declaration of ‘ipv6_mod_enabled’ 
was here
 bool ipv6_mod_enabled(void);
  ^
make[1]: *** [/var/lib/dkms/wireguard/0.0.20170907/build/peer.o] Error 1
make[1]: *** Waiting for unfinished jobs
make[1]: *** [/var/lib/dkms/wireguard/0.0.20170907/build/main.o] Error 1
make[1]: *** [/var/lib/dkms/wireguard/0.0.20170907/build/device.o] Error 1
make[1]: *** [/var/lib/dkms/wireguard/0.0.20170907/build/noise.o] Error 1
make: *** [_module_/var/lib/dkms/wireguard/0.0.20170907/build] Error 2
make: Leaving directory `/usr/src/kernels/3.10.0-693.2.2.el7.x86_64'

Best,
Konstantin


2-factor auth options

2017-09-21 Thread Konstantin Ryabitsev
Hello, all:

Is there any mechanism to add some kind of 2-factor authentication
mechanism either via:

a. additional prompting for a HOTP/TOTP key sequence similar to how
openvpn allows doing auth-user-pass in addition to certificate-based
authentication

b. some way to use PGP Auth keys with wireguard so that keys stored on
GnuPG-capable smartcards can be used for establishing a VPN connection.

c. (some other means)


Best,
-K




Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces

2017-09-21 Thread Jason A. Donenfeld
There shouldn't be any massive issue with sharing your public key
between customers. Just keep your private keys private.


Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces

2017-09-21 Thread Jason A. Donenfeld
On Thu, Sep 21, 2017 at 3:14 PM, nicolas prochazka wrote:
> "historical" private software, and it's difficult to deal with.
> It is not a wireguard issue.

In that case, I'd recommend you bind your services to 0.0.0.0 and just
use iptables to do net-based ACLs with the standard filter table.


Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces

2017-09-21 Thread Jason A. Donenfeld
Perhaps I'm not understanding your last message, but it's most
certainly possible to bind to a particular IP address with a service.
It's also possible to bind to _all_ IP addresses, and then use
iptables to control which source networks have access to a particular
port. Finally, within a service, if you only allow input from wg0
since allowed-ips gives strong cryptographic binding, you can
explicitly filter on the IP addresses you get from recvfrom.

I don't understand your meaning of "internal dev".


Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces

2017-09-21 Thread nicolas prochazka
Ok,
To be more precise, the use cases are:
services (as daemons) are listening on a specific interface/IPv6
address to secure and activate the service per client; with only one
interface, it is not possible, and aliasing does not seem to be relevant.
However, I can understand that this is not the problem of WireGuard;
perhaps you can tell us if an internal dev is possible, or if the
nature of WireGuard forbids this?

Regards,
Nicolas
PS: sorry for the prefix

2017-09-21 13:55 GMT+02:00 Jason A. Donenfeld:
> Please do not prefix your email subjects with [wireguard-dev].


Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces

2017-09-21 Thread Jason A. Donenfeld
Please do not prefix your email subjects with [wireguard-dev].


Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces

2017-09-21 Thread Jason A. Donenfeld
On Thu, Sep 21, 2017 at 1:46 PM, nicolas prochazka wrote:
> at this moment, only one interface wg0 manages all peers and all
> customers; it's very complicated for the administrative tasks, QoS,
> client separation.

It should be possible to accomplish these administrative tasks and qos
via subnet range rather than interface. Each interface will handle up
to 2^20 peers, which should certainly be enough.

In any case, if you would like to use different interfaces, you'll
need to use different ports.
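As an added example (not code from the thread or from WireGuard), this is the in-service variant of the per-customer ACL from Jason's two messages above: because allowed-ips binds each decrypted inner source address to exactly one peer's key, a service listening on the wg0 address can treat the address returned by recvfrom() as authenticated and map it to a customer subnet range instead of a per-customer interface. The customer names, ranges and UDP service are constructed sample data; the one wg0 interface and its allowed-ips assignments are assumed to exist.

```python
"""Per-customer source-address ACL inside a UDP service on wg0 (added example).
Assumes one WireGuard interface whose allowed-ips assign each customer a
distinct subnet, so the recvfrom() source address identifies the customer."""
import ipaddress
import socket

# Constructed sample: each customer owns disjoint ranges within wg0's allowed-ips.
CUSTOMER_RANGES = {
    "customer-a": [ipaddress.ip_network("10.7.1.0/24")],
    "customer-b": [ipaddress.ip_network("10.7.2.0/24"),
                   ipaddress.ip_network("fd42:2::/64")],
}


def customer_for(src_ip: str):
    """Return the customer whose allowed-ips range contains `src_ip`,
    or None when no customer owns the address (unexpected on wg0)."""
    addr = ipaddress.ip_address(src_ip)
    for name, nets in CUSTOMER_RANGES.items():
        if any(addr in net for net in nets):
            return name
    return None


def handle_datagram(payload: bytes, src: tuple, service_customer: str) -> bool:
    """Service-side ACL: accept only datagrams whose source belongs to the
    customer this instance serves. Returns True when the datagram is accepted."""
    owner = customer_for(src[0])
    if owner != service_customer:
        # Drop silently; a deployment would count/log these, since an inner
        # address outside the expected range means a misconfigured allowed-ips.
        return False
    # ... process `payload` on behalf of `service_customer` ...
    return True


def serve(wg0_addr: str, port: int, service_customer: str):
    """Bind to the wg0 address (not 0.0.0.0) so only tunnel traffic reaches the
    socket, then apply the per-customer ACL to every datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((wg0_addr, port))
        while True:
            payload, src = sock.recvfrom(65535)
            if handle_datagram(payload, src, service_customer):
                sock.sendto(b"ok", src)
```

The same range table is what the iptables filter rules in the thread would key on (`-i wg0 -s <range>`), so the kernel-side and in-service ACLs stay consistent.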


Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces

2017-09-21 Thread nicolas prochazka
Hello,
I know, but we are using one interface per customer, each interface
manages multiple peers (> 500)
as
wg_interface0 = client 0 = 500 peers
wg_interface_n = client n = 500 peers

at this moment, only one interface wg0 manages all peers and all
customers; it's very complicated for the administrative tasks, QoS,
client separation.

Regards,
Nicolas

2017-09-21 13:25 GMT+02:00 Jason A. Donenfeld:
> I'd recommend you use multiple peers per interface. The strong binding
> with allowed-ips enables you to use qos, network analysis, security,
> and iptables rules in a very straightforward way.


Re: [wireguard-dev] Ability to use one udp port for multiple wg interfaces

2017-09-21 Thread Jason A. Donenfeld
I'd recommend you use multiple peers per interface. The strong binding
with allowed-ips enables you to use qos, network analysis, security,
and iptables rules in a very straightforward way.


[wireguard-dev] Ability to use one udp port for multiple wg interfaces

2017-09-21 Thread nicolas prochazka
Hello,
this question has already been posted in the past, but I need some help.
We want to create one WireGuard interface per client, because at the
moment we are using one interface for all our clients, and it
becomes very difficult to manage in terms of QoS, network analysis,
security, iptables...
With multiple interfaces, all is good in terms of performance with the
last release, but each interface must have its own port, which is
not possible to manage (a different port per client).
Is there a solution?
Regards,
Nicolas Prochazka