Re: Wireguard on android w/o kernel module
Hi Jason,

I'm looking into that specific aspect as we speak. Google at times has "peculiar ways" to conceive of how users would interact with Android, maybe this is one of them. However, I've seen developers abuse APIs in self interest for a number of reasons. On iOS, once a VPN app is disconnected, it automatically ceases the right to "always on." I'll dig around and get back to you on this.

Thanks,
Jose

On Saturday, June 2, 2018, 5:49 PM, Jason A. Donenfeld wrote:

On Sat, Jun 2, 2018 at 11:47 PM Jose Marinez wrote:
> Pardon me, as I just sent a related message without reading this one first.
> The fact remains, there should be a better way to handle and prevent this.

Care to poke around in the APIs and see if you can come up with something automatic and useful?

Jason

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
Re: Wireguard on android w/o kernel module
Pardon me, as I just sent a related message without reading this one first. The fact remains, there should be a better way to handle and prevent this. Perhaps, at a minimum and in the interim, to suggest investigating the installation of another VPN client settings right in the error message.

Thanks,
Jose

On Friday, June 1, 2018, 12:54 PM, Maximilian Eschenbacher wrote:

Hey Jason,

thanks for the quick response.

On 01/06/2018 18:42:41, Jason A. Donenfeld wrote:
>You can investigate (b) by fishing around in the system VPN settings
>and seeing what's there, possibly removing authorization for those.
>Afterwards, close the application, reopen it, and it should prompt you
>to accept permissions.

This was exactly what had happened.

Best regards
Max
Android error, fix and next steps
Hello guys,

I encountered this error while testing on an LG V30 running Oreo.

"Error bringing up tunnel: VPN service not authorized by user"

It turned out that due to an existing StrongSwan installation, the Wireguard client could not work. The fix involved deleting the StrongSwan client from the phone.

Next steps:
I can't imagine the Wireguard client to expect exclusivity as the sole VPN client to run on any device. In the case of StrongSwan, it had an "Always On" setting which I believe prevented Wireguard from making network changes.

What's the best way to approach this? I don't want to assume this is a Wireguard Android client bug. Perhaps on Android only one client can have the "always on" setting at once. Any clarity on this would help, to at a minimum figure out which party to approach: Google vs. StrongSwan vs. Wireguard

Thanks,
Jose
peer key in file
Hi All,

I know the private key can be specified via file, but what about the peer key?

wg set tun0 peer ./peerfile allowed-ips 0.0.0.0/0 endpoint 192.168.0.1:7394

Thanks!
Re: Openbsd update recommendation
Hey Jason,

On Sat 02 Jun 2018 4:39 PM, Jason A. Donenfeld wrote:
> Hey Jungle,
>
> On Sat, Jun 2, 2018 at 9:08 AM, Jungle Boogie wrote:
> > Interesting behavior. I don't know the reason behind it, though.
>
> I figured the whole thing out, and wrote up a really detailed commit here:
> https://git.zx2c4.com/wireguard-go/commit/?id=a050431f2660d73e191ab8100d2f0934c8aedbf9
>
> Might be of general interest.
>

Good info! Thanks for taking the time to keep things running smoothly across many different platforms.

> >
> > Once I'm more confident with the steps, I'll write something up.
>
> Great, thanks. Any status on actually getting these made into proper
> packages, so people aren't as inclined to rely on the script, which is
> only intended as a stopgap solution?
>

I haven't seen any updates on the thread you wrote about. Maybe I'll drop a line. However, your script is probably the best option until you make a 1.0, or non-snapshot release. The reason is the package may not be updated weekly, and each week, you seem to bring in useful improvements and changes.

The -release build of openBSD doesn't receive new package updates. If your snapshot was made into a port/package a few weeks before the 6.4 -release, it would be the only available option until the next release. Fortunately, -release builds happen very often, every six months.

> Jason

Best,
j.b.
Re: Openbsd update recommendation
Hey Jungle,

On Sat, Jun 2, 2018 at 9:08 AM, Jungle Boogie wrote:
> Interesting behavior. I don't know the reason behind it, though.

I figured the whole thing out, and wrote up a really detailed commit here:
https://git.zx2c4.com/wireguard-go/commit/?id=a050431f2660d73e191ab8100d2f0934c8aedbf9

Might be of general interest.

> I do still see this in the install file:
> curl -sLO "$URI_KMODTOOLS"
> curl -sLO "$URI_GO"

Nice catch -- I changed these to ftp(1) as well.

> The process for getting the tunnel working on openBSD is similar to linux, but
> the interface is tun and starts with tun0.

Yea, OpenBSD annoyingly does not support arbitrary network interface names, so I have to do a fake mapping in wg-quick.

>
> Once I'm more confident with the steps, I'll write something up.

Great, thanks. Any status on actually getting these made into proper packages, so people aren't as inclined to rely on the script, which is only intended as a stopgap solution?

Jason
Re: Openbsd update recommendation
On 02.06.2018 05:15, Jason A. Donenfeld wrote:
> # ksh -c pwd
> /root/a
>
> That's pretty weird behavior, but maybe there's an interesting reason
> for it

Yes.

# mv ../a ../xx
# /bin/pwd

Basically you have three choices, (a) check whether $PWD points to the current directory, (b) reconstruct the current path by walking up and "readdir()" on each level, (c) ask the kernel.

In order to make some interesting attacks via symlinks more difficult, (b) is somewhat safer. However, it's also significantly more expensive.

(c) works on Linux, just readlink("/proc/self/cwd"); it's equivalent to (b). I don't know whether OpenBSD can do that, though.

-- 
-- Matthias Urlichs
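Option (a) from the message above, with a fallback to the physical path, as an added example that is not part of the original thread or of any shell's source. The function names `pwd_from_env` and `current_dir` are hypothetical; `$PWD` is trusted only when it names the same device and inode as ".", so a stale or forged value is ignored.

```c
#define _XOPEN_SOURCE 700   /* expose setenv, mkdtemp, symlink, PATH_MAX */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Option (a): accept $PWD only if it is absolute and refers to the same
 * directory (device + inode) as ".". Returns 1 and fills out on success. */
static int pwd_from_env(char *out, size_t len)
{
    const char *env = getenv("PWD");
    struct stat e, dot;

    if (!env || env[0] != '/' || strlen(env) >= len)
        return 0;
    if (stat(env, &e) != 0 || stat(".", &dot) != 0)
        return 0;
    if (e.st_dev != dot.st_dev || e.st_ino != dot.st_ino)
        return 0;               /* stale or forged $PWD: do not trust it */
    strcpy(out, env);           /* length was checked above */
    return 1;
}

/* Logical path (symlinks kept) when $PWD checks out; otherwise the
 * physical path from getcwd(), however the C library obtains it. */
int current_dir(char *out, size_t len, int *used_env)
{
    *used_env = pwd_from_env(out, len);
    if (*used_env)
        return 0;
    return getcwd(out, len) ? 0 : -1;
}

int main(void)
{
    char buf[PATH_MAX];
    int used_env;

    if (current_dir(buf, sizeof buf, &used_env) != 0) {
        perror("getcwd");
        return 1;
    }
    printf("%s (%s)\n", buf, used_env ? "from $PWD" : "from getcwd");
    return 0;
}
```

Run from a directory entered through a symlink, it reports the symlinked path while `$PWD` is intact and the resolved path once `$PWD` is unset or points elsewhere.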
Re: Openbsd update recommendation
Hi Jason,

On Sat 02 Jun 2018 5:15 AM, Jason A. Donenfeld wrote:
> Hey Jungle,
>
> On Sat, Jun 2, 2018 at 1:26 AM, jungle Boogie wrote:
> > Hi All,
> >
> > For openBSD instructions here:
> > https://www.wireguard.com/install/#packages
> >
> > Curl is not a part of base, so you can either assume the users have
> > curl installed, or use ftp(1) in the example. If you're doing the
> > latter, you'll need a pkg_add to also include curl.
> >
> > https://man.openbsd.org/ftp.1
>
> I love how OpenBSD commands keep evolving over time. Thanks for the
> suggestion. I've updated the page.
>

Yeah, the ftp command from way back is different on Linux than on openBSD. It can still do the plain ol' ftp connections, though. ;)

> > Also, I already have a go path setup. How do I get around this?
> >
> > cd .gopath/src/git.zx2c4.com/wireguard-go && dep ensure -vendor-only -v
> > /usr/src/wireguard/wireguard-go-0.0.20180531 is not within a known
> > GOPATH/src
> > gmake: *** [Makefile:33: vendor/.created] Error 1
> > gmake: Leaving directory '/usr/src/wireguard/wireguard-go-0.0.20180531'
>
> Somebody mentioned this on IRC the other day (maybe you?), but I
> didn't figure out what was going on then. I just now triaged the
> issue: in ksh(1), before exec'ing a new process, it resolves all
> symlinks of pwd. Try for yourself:
>
> # ksh
> # mkdir a
> # ln -s a b
> # cd b
> # ksh -c pwd
> /root/a
>
> That's pretty weird behavior, but maybe there's an interesting reason
> for it; I'll poke around tomorrow and see if I can figure it out.
>

Interesting behavior. I don't know the reason behind it, though.

> In any case, I've worked around it now in the install script and
> tested on a fresh OpenBSD 6.3 install, so you should now be able to
> run:
>
> # ftp -o - https://xn--4db.cc/IKuBc62Z | sh
>
> Let me know how it goes, and thanks for the report.
>

It went great! I was able to install wireguard on two amd64 arch platform machines.

I do still see this in the install file:
curl -sLO "$URI_KMODTOOLS"
curl -sLO "$URI_GO"

I'd still recommend adding curl to the pkg_add section for fewer errors during install.

The process for getting the tunnel working on openBSD is similar to linux, but the interface is tun and starts with tun0.

Once I'm more confident with the steps, I'll write something up.

> Regards,
> Jason

Thanks,
j.b.