Re: Private and public keys generation

2018-10-06 Thread Aaron Jones
On 06/10/18 11:27, Evgeniy Ivanov wrote:
> Hi everybody,
> 
> I’m able to generate the private keys pretty straightforward with
> any tool I like (eg: dd if=/dev/urandom bs=32 count=1 2>/dev/null |
> base64)

This is not sufficient, as documented on https://cr.yp.to/ecdh.html
("Computing secret keys"). Please use wg(8) or any other library or
application that supports Curve25519.

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


Re: Private and public keys generation

2018-10-06 Thread StarBrilliant
On Sun, Oct 7, 2018 at 9:13 AM Evgeniy Ivanov wrote:
>
> Hi everybody,
>
> I’m able to generate the private keys pretty straightforward with any tool I 
> like (eg: dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64)
>
> But now, I’m more curious about generating the public keys without using wg 
> pubkey directly. Any thoughts?
>
> Thanks!
>
> --
> Best Regards,
> Evgeniy Ivanov


Hi Evgeniy,

Try this Python code:
https://github.com/m13253/VxWireguard-Generator/blob/1859e1ed199b067764bb29b7b5cd332037f5a665/vwgen/common.py#L236

See the function "genkey" and "pubkey".

Best regards,
StarBrilliant


Re: Fail to compile - redefinition of may_use_simd

2018-10-06 Thread Jason A. Donenfeld
Thanks for pointing this out. I'm working on a fix now and it should
be rolled out to Android kernels shortly.


Re: [ANNOUNCE] WireGuard Snapshot `0.0.20181006` Available

2018-10-06 Thread Jason A. Donenfeld
Thanks for the report. I'll have this fixed shortly.


Fail to compile - redefinition of may_use_simd

2018-10-06 Thread Nico
Hi,

may_use_simd is defined in include/asm-generic/simd.h

From commit
https://github.com/hritikutekar/kernel_motorola_msm8916/commit/adcea6f1a489cb7048f799c3b2bca86d97448324

Please avoid this.

Thanks,
nico


Private and public keys generation

2018-10-06 Thread Evgeniy Ivanov
Hi everybody,

I’m able to generate the private keys pretty straightforward with any tool I 
like (eg: dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64)

But now, I’m more curious about generating the public keys without using wg 
pubkey directly. Any thoughts?

Thanks!

-- 
Best Regards,
Evgeniy Ivanov



Re: [ANNOUNCE] WireGuard Snapshot `0.0.20181006` Available

2018-10-06 Thread Jason Edson
I started getting build errors today with the latest release. I'm
building Wireguard in a 3.18.123 kernel using Clang 8.0. Here is the
error, any help would be appreciated.

net/built-in.o: In function `selftest_run':
/media/otherhd/android/out/target/product/marlin/obj/KERNEL_OBJ/../../../../../../kernel/google/marlin/net/wireguard/crypto/zinc/chacha20/../selftest/run.h:20: 
undefined reference to `__compiletime_assert_21'
/media/otherhd/android/out/target/product/marlin/obj/KERNEL_OBJ/../../../../../../kernel/google/marlin/net/wireguard/crypto/zinc/chacha20/../selftest/run.h:20:(.init.text+0x4874): 
relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol 
`__compiletime_assert_21'

net/built-in.o: In function `selftest_run':
/media/otherhd/android/out/target/product/marlin/obj/KERNEL_OBJ/../../../../../../kernel/google/marlin/net/wireguard/crypto/zinc/poly1305/../selftest/run.h:20: 
undefined reference to `__compiletime_assert_21'
/media/otherhd/android/out/target/product/marlin/obj/KERNEL_OBJ/../../../../../../kernel/google/marlin/net/wireguard/crypto/zinc/poly1305/../selftest/run.h:20:(.init.text+0x48a0): 
relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol 
`__compiletime_assert_21'

net/built-in.o: In function `selftest_run':
/media/otherhd/android/out/target/product/marlin/obj/KERNEL_OBJ/../../../../../../kernel/google/marlin/net/wireguard/crypto/zinc/selftest/run.h:20: 
undefined reference to `__compiletime_assert_21'
/media/otherhd/android/out/target/product/marlin/obj/KERNEL_OBJ/../../../../../../kernel/google/marlin/net/wireguard/crypto/zinc/selftest/run.h:20:(.init.text+0x48b8): 
relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol 
`__compiletime_assert_21'

net/built-in.o: In function `selftest_run':
/media/otherhd/android/out/target/product/marlin/obj/KERNEL_OBJ/../../../../../../kernel/google/marlin/net/wireguard/crypto/zinc/blake2s/../selftest/run.h:20: 
undefined reference to `__compiletime_assert_21'
/media/otherhd/android/out/target/product/marlin/obj/KERNEL_OBJ/../../../../../../kernel/google/marlin/net/wireguard/crypto/zinc/blake2s/../selftest/run.h:20:(.init.text+0x48d0): 
relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol 
`__compiletime_assert_21'

net/built-in.o: In function `selftest_run':
/media/otherhd/android/out/target/product/marlin/obj/KERNEL_OBJ/../../../../../../kernel/google/marlin/net/wireguard/crypto/zinc/curve25519/../selftest/run.h:20: 
undefined reference to `__compiletime_assert_21'
/media/otherhd/android/out/target/product/marlin/obj/KERNEL_OBJ/../../../../../../kernel/google/marlin/net/wireguard/crypto/zinc/curve25519/../selftest/run.h:20:(.init.text+0x48e8): 
relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol 
`__compiletime_assert_21'




Re: Sending just ssh traffic via wg

2018-10-06 Thread Konstantin Ryabitsev
On Sat, Oct 06, 2018 at 11:21:01AM +0100, Brian Candler wrote:
> My even more stupid question is "why use wireguard if the only thing it's
> carrying is ssh?" - but I guess it's a convenient way to tunnel to a network
> which doesn't have public-routed addresses.

Right -- and I also don't want to expose ssh ports to the world when not
necessary. It's still a root-perms daemon with a (remote) possibility of
unknown vulnerabilities in it.

> (Aside: I wish ssh had a feature like SNI, so that you could build an ssh
> proxy that forwards incoming connections to the right host.  I have done
> this before using an inbound SOCKS proxy, but it's messy to use)

It also has important downsides that are similar to those in ssh bastion
hosts. When you use a proper VPN, every user gets their own internal IP
address, so their traffic can be still easily distinguished from traffic
belonging to another admin. This is useful for auditing reasons and for
identifying unusual activity (e.g. Alex normally accesses hosts
belonging to project X, but suddenly starts accessing a lot of hosts
that belong to project Y). With bastion hosts or with DNAT-ing proxies
this auditing becomes impossible, since all traffic comes from the same
IP.

-K


Re: Sending just ssh traffic via wg

2018-10-06 Thread Brian Candler

On 06/10/2018 11:27, Roman Mamedov wrote:

>> (Aside: I wish ssh had a feature like SNI, so that you could build an
>> ssh proxy that forwards incoming connections to the right host.  I have
>> done this before using an inbound SOCKS proxy, but it's messy to use)
>
> What insane things people invent only not to use IPv6:)

Quite the opposite: I want it so that I can reach my IPv6-addressable
devices when I'm on an IPv4-only network.  Which means, almost
everywhere :-)




Re: Sending just ssh traffic via wg

2018-10-06 Thread Roman Mamedov
On Sat, 6 Oct 2018 11:21:01 +0100
Brian Candler wrote:

> (Aside: I wish ssh had a feature like SNI, so that you could build an 
> ssh proxy that forwards incoming connections to the right host.  I have 
> done this before using an inbound SOCKS proxy, but it's messy to use)

What insane things people invent only not to use IPv6 :)

-- 
With respect,
Roman


Re: Sending just ssh traffic via wg

2018-10-06 Thread Brian Candler

On 06/10/2018 11:00, wireguard-requ...@lists.zx2c4.com wrote:

>> This may be a stupid question, but why do you need OpenVPN any more, if
>> you have Wireguard?
>
> Because it's already there?:)
>
> Furthermore, some members of our IT team use macs (gasp!) and for them
> it would be much easier to continue to use OpenVPN than to set up
> wireguard-go.

I use wireguard on a Mac and it was as simple as "brew install
wireguard-tools"; create config; "sudo wg-quick up wg0".

My even more stupid question is "why use wireguard if the only thing
it's carrying is ssh?" - but I guess it's a convenient way to tunnel to
a network which doesn't have public-routed addresses.

(Aside: I wish ssh had a feature like SNI, so that you could build an
ssh proxy that forwards incoming connections to the right host.  I have
done this before using an inbound SOCKS proxy, but it's messy to use)

