Re: Wireguard on android w/o kernel module

2018-06-02 Thread Jose Marinez
Hi Jason,
I'm looking into that specific aspect as we speak. Google at times has 
"peculiar ways" to conceive of how users would interact with Android, maybe 
this is one of them. However, I've seen developers abuse APIs in self interest 
for a number of reasons.
On iOS, once a VPN app is disconnected, it automatically ceases the right to 
"always on."
I'll dig around and get back to you on this.  


Thanks, Jose

On Saturday, June 2, 2018, 5:49 PM, Jason A. Donenfeld  wrote:

On Sat, Jun 2, 2018 at 11:47 PM Jose Marinez  wrote:
> Pardon me, as I just sent a related message without reading this one first. 
> The fact remains, there should be a better way to handle and prevent this.

Care to poke around in the APIs and see if you can come up with
something automatic and useful?

Jason



___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


Re: Wireguard on android w/o kernel module

2018-06-02 Thread Jose Marinez
Pardon me, as I just sent a related message without reading this one first. The 
fact remains, there should be a better way to handle and prevent this. Perhaps, 
at a minimum and in the interim, to suggest investigating the installation of 
another VPN client settings right in the error message.


Thanks, Jose

On Friday, June 1, 2018, 12:54 PM, Maximilian Eschenbacher wrote:

Hey Jason,

thanks for the quick response.

On 01/06/2018 18:42:41, Jason A. Donenfeld wrote:
>You can investigate (b) by fishing around in the system VPN settings
>and seeing what's there, possibly removing authorization for those.
>Afterwards, close the application, reopen it, and it should prompt you
>to accept permissions.

This was exactly what had happened.

Best regards

Max


Android error, fix and next steps

2018-06-02 Thread Jose Marinez
Hello guys,
I encountered this error while testing on an LG V30 running Oreo.
"Error bringing up tunnel: VPN service not authorized by user"
It turned out that due to an existing StrongSwan installation, the Wireguard 
client could not work. The fix involved deleting the StrongSwan client from the 
phone.
Next steps:
I can't imagine the Wireguard client to expect exclusivity as the sole VPN 
client to run on any device. In the case of StrongSwan, it had an "Always On" 
setting which I believe prevented Wireguard from making network changes.
What's the best way to approach this? I don't want to assume this is a 
Wireguard Android client bug. Perhaps on Android only one client can have the 
"always on" setting at once.
Any clarity on this would help, to at a minimum figure out which party to 
approach: Google vs. StrongSwan vs. Wireguard

Thanks, Jose


peer key in file

2018-06-02 Thread Jungle Boogie
Hi All,

I know the private key can be specified via file, but what about the peer key?

wg set tun0 peer ./peerfile allowed-ips 0.0.0.0/0 endpoint 192.168.0.1:7394

Thanks!


Re: Openbsd update recommendation

2018-06-02 Thread Jungle Boogie
Hey Jason,
On Sat 02 Jun 2018  4:39 PM, Jason A. Donenfeld wrote:
> Hey Jungle,
> 
> On Sat, Jun 2, 2018 at 9:08 AM, Jungle Boogie  wrote:
> > Interesting behavior. I don't know the reason behind it, though.
> 
> I figured the whole thing out, and wrote up a really detailed commit here:
> https://git.zx2c4.com/wireguard-go/commit/?id=a050431f2660d73e191ab8100d2f0934c8aedbf9
> 
> Might be of general interest.
> 

Good info! Thanks for taking the time to keep things running smoothly across many
different platforms.

> >
> > Once I'm more confident with the steps, I'll write something up.
> 
> Great, thanks. Any status on actually getting these made into proper
> packages, so people aren't as inclined to rely on the script, which is
> only intended as a stopgap solution?
> 

I haven't seen any updates on the thread you wrote about. Maybe I'll drop a
line.
However, your script is probably the best option until you make a 1.0, or
non-snapshot release. The reason is the package may not be updated weekly, and
each week, you seem to bring in useful improvements and changes. The -release
build of openBSD doesn't receive new package updates. If your snapshot was
made into a port/package a few weeks before the 6.4 -release, it would be the
only available option until the next release. Fortunately, -release builds
happen very often, every six months.

> Jason

Best,
j.b.


Re: Openbsd update recommendation

2018-06-02 Thread Jason A. Donenfeld
Hey Jungle,

On Sat, Jun 2, 2018 at 9:08 AM, Jungle Boogie  wrote:
> Interesting behavior. I don't know the reason behind it, though.

I figured the whole thing out, and wrote up a really detailed commit here:
https://git.zx2c4.com/wireguard-go/commit/?id=a050431f2660d73e191ab8100d2f0934c8aedbf9

Might be of general interest.

> I do still see this in the install file:
> curl -sLO "$URI_KMODTOOLS"
> curl -sLO "$URI_GO"

Nice catch -- I changed these to ftp(1) as well.

> The process for getting the tunnel working on openBSD is similar to linux, but
> the interface is tun and starts with tun0.

Yea, OpenBSD annoyingly does not support arbitrary network interface
names, so I have to do a fake mapping in wg-quick.

>
> Once I'm more confident with the steps, I'll write something up.

Great, thanks. Any status on actually getting these made into proper
packages, so people aren't as inclined to rely on the script, which is
only intended as a stopgap solution?

Jason


Re: Openbsd update recommendation

2018-06-02 Thread Matthias Urlichs
On 02.06.2018 05:15, Jason A. Donenfeld wrote:
> # ksh -c pwd
> /root/a
>
> That's pretty weird behavior, but maybe there's an interesting reason
> for it

Yes.

# mv ../a ../xx
# /bin/pwd

Basically you have three choices, (a) check whether $PWD points to the
current directory, (b) reconstruct the current path by walking up and
"readdir()" on each level, (c) ask the kernel.

In order to make some interesting attacks via symlinks more difficult,
(b) is somewhat safer. However, it's also significantly more expensive.
(c) works on Linux, just readlink("/proc/self/cwd"); it's equivalent to
(b). I don't know whether OpenBSD can do that, though.

-- 
-- Matthias Urlichs
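
The three strategies listed above, run against the `mkdir a; ln -s a b; cd b` case and the `mv ../a ../xx` rename from this thread, as an added Python example that is not part of any message here. The function names are hypothetical, the directory tree is constructed in a temporary directory, and (c) uses getcwd(3) through `os.getcwd()` instead of `/proc/self/cwd` so it does not depend on Linux.

```python
import os
import tempfile

def cwd_from_env(pwd=None):
    """(a) Accept $PWD only if it is absolute and is the same dev/inode as '.'."""
    pwd = os.environ.get("PWD", "") if pwd is None else pwd
    try:
        ok = pwd.startswith("/") and os.path.samestat(os.stat(pwd), os.stat("."))
    except OSError:          # stale or dangling $PWD
        ok = False
    return pwd if ok else None

def cwd_by_walking():
    """(b) Rebuild the physical path by finding our inode in each parent."""
    parts, here = [], "."
    while True:
        parent, cur = os.path.join(here, ".."), os.stat(here)
        if os.path.samestat(cur, os.stat(parent)):      # '.' == '..': at the root
            return "/" + "/".join(reversed(parts))
        for entry in os.scandir(parent):
            # lstat semantics: a symlink that points at us must not match
            st = entry.stat(follow_symlinks=False)
            if os.path.samestat(st, cur):
                parts.append(entry.name)
                break
        else:
            raise OSError("current directory not found in its parent")
        here = parent

def cwd_from_kernel():
    """(c) Ask the kernel via getcwd(3)."""
    return os.getcwd()

def demo():
    """Constructed run of the thread's scenario: mkdir a; ln -s a b; cd b; mv a xx."""
    saved = os.getcwd()
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)
        logical = os.path.join(base, "b")               # what the shell exports as $PWD
        os.mkdir(os.path.join(base, "a"))
        os.symlink("a", logical)
        os.chdir(logical)
        before = (cwd_from_env(logical), cwd_by_walking(), cwd_from_kernel())
        os.rename(os.path.join(base, "a"), os.path.join(base, "xx"))
        after = (cwd_from_env(logical), cwd_by_walking(), cwd_from_kernel())
        os.chdir(saved)
    return base, before, after

if __name__ == "__main__":
    print(demo())
```

On the constructed tree, (a) returns the symlinked path ending in `b` before the rename and nothing after it, while (b) and (c) agree on the physical path both times.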



Re: Openbsd update recommendation

2018-06-02 Thread Jungle Boogie
Hi Jason,
On Sat 02 Jun 2018  5:15 AM, Jason A. Donenfeld wrote:
> Hey Jungle,
> 
> On Sat, Jun 2, 2018 at 1:26 AM, jungle Boogie  wrote:
> > Hi All,
> >
> > For openBSD instructions here:
> > https://www.wireguard.com/install/#packages
> >
> > Curl is not a part of base, so you can either assume the users have
> > curl installed, or use ftp(1) in the example. If you're doing the
> > latter, you'll need a pkg_add to also include curl.
> >
> > https://man.openbsd.org/ftp.1
> 
> I love how OpenBSD commands keep evolving over time. Thanks for the
> suggestion. I've updated the page.
> 

Yeah, the ftp command from way back is different on Linux than on openBSD. It
can still do the plain ol' ftp connections, though. ;)

> > Also, I already have a go path setup. How do I get around this?
> >
> > cd .gopath/src/git.zx2c4.com/wireguard-go && dep ensure -vendor-only -v
> > /usr/src/wireguard/wireguard-go-0.0.20180531 is not within a known 
> > GOPATH/src
> > gmake: *** [Makefile:33: vendor/.created] Error 1
> > gmake: Leaving directory '/usr/src/wireguard/wireguard-go-0.0.20180531'
> 
> Somebody mentioned this on IRC the other day (maybe you?), but I
> didn't figure out what was going on then. I just now triaged the
> issue: in ksh(1), before exec'ing a new process, it resolves all
> symlinks of pwd. Try for yourself:
> 
> # ksh
> # mkdir a
> # ln -s a b
> # cd b
> # ksh -c pwd
> /root/a
> 
> That's pretty weird behavior, but maybe there's an interesting reason
> for it; I'll poke around tomorrow and see if I can figure it out.
> 

Interesting behavior. I don't know the reason behind it, though.

> In any case, I've worked around it now in the install script and
> tested on a fresh OpenBSD 6.3 install, so you should now be able to
> run:
> 
> # ftp -o - https://xn--4db.cc/IKuBc62Z | sh
> 
> Let me know how it goes, and thanks for the report.
> 

It went great! I was able to install wireguard on two amd64 arch platform
machines.

I do still see this in the install file:
curl -sLO "$URI_KMODTOOLS"
curl -sLO "$URI_GO"

I'd still recommend adding curl to the pkg_add section for fewer errors during
install.

The process for getting the tunnel working on openBSD is similar to linux, but
the interface is tun and starts with tun0.

Once I'm more confident with the steps, I'll write something up.

> Regards,
> Jason

Thanks,
j.b.