Re: Endpoints are not in sync (latest handshake)

2022-08-23 Thread Mats Loman

> I have two wireguard endpoints that have different opinions about when the 
> last handshake was made:
> 
> interface: wg0
>   public key: PauftxCvmti7CDDZ9yj6EKZ+r9zQj6gjb9hvP1whzwQ=
>   private key: (hidden)
>   listening port: 17395
>
> peer: s5dnr91F06+AQ/3o5urOM5Dc1f0gzHOsGjwD+AEmwDA=
>   endpoint: 192.168.201.24:17395
>   allowed ips: 192.168.26.197/32, 192.168.201.38/32
>   latest handshake: 8 hours, 42 minutes, 30 seconds ago
>   transfer: 260.73 GiB received, 313.35 GiB sent
>
> And:
>
> interface: wg0
>   public key: s5dnr91F06+AQ/3o5urOM5Dc1f0gzHOsGjwD+AEmwDA=
>   private key: (hidden)
>   listening port: 17395
>
> peer: PauftxCvmti7CDDZ9yj6EKZ+r9zQj6gjb9hvP1whzwQ=
>   endpoint: 192.168.201.23:17395
>   allowed ips: 192.168.26.200/32, 192.168.201.249/32
>   latest handshake: 2 minutes, 15 seconds ago
>   transfer: 282.13 GiB received, 276.13 GiB sent
> 
> It is not possible to send data through the tunnel in both directions, only 
> in one direction.
> 
> It is pretty easy to repeat this situation:
> Send UDP packets through the tunnel at a speed that wireguard cannot keep up 
> with. I expect packet loss in this case but not that the tunnel is "partially 
> closed".
>
> Any ideas?
> 
> Best regards,
> Mats Loman

Adding more information:

One side:

.
.
.
[71254.512872] wireguard: wg0: Receiving handshake initiation from peer 2 
(192.168.201.48:17395)
[71254.512939] wireguard: wg0: Sending handshake response to peer 2 
(192.168.201.48:17395)
[71254.527580] wireguard: wg0: Keypair 1399 destroyed for peer 2
[71254.527642] wireguard: wg0: Keypair 1400 created for peer 2
[71284.585205] wireguard: wg0: Receiving handshake initiation from peer 2 
(192.168.201.48:17395)
[71284.585267] wireguard: wg0: Sending handshake response to peer 2 
(192.168.201.48:17395)
[71284.592697] wireguard: wg0: Keypair 1400 destroyed for peer 2
[71284.592715] wireguard: wg0: Keypair 1401 created for peer 2
[71314.024610] wireguard: wg0: Receiving handshake initiation from peer 2 
(192.168.201.48:17395)
[71314.024671] wireguard: wg0: Sending handshake response to peer 2 
(192.168.201.48:17395)
[71314.032095] wireguard: wg0: Keypair 1401 destroyed for peer 2
[71314.032113] wireguard: wg0: Keypair 1402 created for peer 2
[71344.744295] wireguard: wg0: Receiving handshake initiation from peer 2 
(192.168.201.48:17395)
[71344.744356] wireguard: wg0: Sending handshake response to peer 2 
(192.168.201.48:17395)
[71344.751780] wireguard: wg0: Keypair 1402 destroyed for peer 2
[71344.751799] wireguard: wg0: Keypair 1403 created for peer 2
[71362.663988] wireguard: wg0: Receiving handshake initiation from peer 2 
(192.168.201.48:17395)
[71362.664048] wireguard: wg0: Sending handshake response to peer 2 
(192.168.201.48:17395)
[71362.671474] wireguard: wg0: Keypair 1403 destroyed for peer 2
[71362.671493] wireguard: wg0: Keypair 1404 created for peer 2

The other side:

.
.
.
[71974.055151] wireguard: wg0: Sending handshake initiation to peer 12 
(192.168.201.47:17395)
[71974.076684] wireguard: wg0: Receiving handshake response from peer 12 
(192.168.201.47:17395)
[71974.076775] wireguard: wg0: Keypair 1427 destroyed for peer 12
[71974.076789] wireguard: wg0: Keypair 1429 created for peer 12
[71974.076815] wireguard: wg0: Sending keepalive packet to peer 12 
(192.168.201.47:17395)
[72004.134540] wireguard: wg0: Retrying handshake with peer 12 
(192.168.201.47:17395) because we stopped hearing back after 15 seconds
[72004.134650] wireguard: wg0: Sending handshake initiation to peer 12 
(192.168.201.47:17395)
[72004.155991] wireguard: wg0: Receiving handshake response from peer 12 
(192.168.201.47:17395)
[72004.156080] wireguard: wg0: Keypair 1428 destroyed for peer 12
[72004.156094] wireguard: wg0: Keypair 1430 created for peer 12
[72004.156121] wireguard: wg0: Sending keepalive packet to peer 12 
(192.168.201.47:17395)
[72025.894170] wireguard: wg0: Retrying handshake with peer 12 
(192.168.201.47:17395) because we stopped hearing back after 15 seconds
[72025.894294] wireguard: wg0: Sending handshake initiation to peer 12 
(192.168.201.47:17395)
[72025.915688] wireguard: wg0: Receiving handshake response from peer 12 
(192.168.201.47:17395)
[72025.915779] wireguard: wg0: Keypair 1429 destroyed for peer 12
[72025.915794] wireguard: wg0: Keypair 1431 created for peer 12
[72025.915820] wireguard: wg0: Sending keepalive packet to peer 12 
(192.168.201.47:17395)
[72041.893912] wireguard: wg0: Retrying handshake with peer 12 
(192.168.201.47:17395) because we stopped hearing back after 15 seconds
[72041.894025] wireguard: wg0: Sending handshake initiation to peer 12 
(192.168.201.47:17395)
[72041.915460] wireguard: wg0: Receiving handshake response from peer 12 
(192.168.201.47:17395)
[72041.915551] wireguard: wg0: Keypair 1430 destroyed for peer 12
[72041.915566] wireguard: wg0: Keypair 1432 created for peer 12
[72041.915591] wireguard: wg0: Sending keepalive packet to peer 12 
(192.168.201.47:17395)


/Mats Loman
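An added example, not part of Mats's post: a Python classifier over the two dmesg excerpts above (copied into the script as constructed sample data) that counts handshake initiations, retries and keypair creations per peer, measures the re-key interval against WireGuard's 120 s REKEY_AFTER_TIME, and labels each side as the responder-only or initiator-retrying end of a one-way tunnel. The constant name and the role labels are this example's own.

```python
"""Classify the two ends of a WireGuard tunnel from kernel log excerpts."""
import re
from collections import defaultdict

# A healthy session is re-keyed about every REKEY_AFTER_TIME (120 s). Keypairs
# churning far faster means handshakes complete but transport data never comes
# back, so the initiator keeps re-handshaking: the one-way tunnel in the post.
REKEY_AFTER_TIME = 120.0

# Constructed sample: the dmesg lines quoted in the post, re-joined onto single
# lines and cut down to two re-keys per side.
SIDE_A = """\
[71254.512872] wireguard: wg0: Receiving handshake initiation from peer 2 (192.168.201.48:17395)
[71254.512939] wireguard: wg0: Sending handshake response to peer 2 (192.168.201.48:17395)
[71254.527580] wireguard: wg0: Keypair 1399 destroyed for peer 2
[71254.527642] wireguard: wg0: Keypair 1400 created for peer 2
[71284.585205] wireguard: wg0: Receiving handshake initiation from peer 2 (192.168.201.48:17395)
[71284.585267] wireguard: wg0: Sending handshake response to peer 2 (192.168.201.48:17395)
[71284.592697] wireguard: wg0: Keypair 1400 destroyed for peer 2
[71284.592715] wireguard: wg0: Keypair 1401 created for peer 2
"""
SIDE_B = """\
[71974.055151] wireguard: wg0: Sending handshake initiation to peer 12 (192.168.201.47:17395)
[71974.076684] wireguard: wg0: Receiving handshake response from peer 12 (192.168.201.47:17395)
[71974.076775] wireguard: wg0: Keypair 1427 destroyed for peer 12
[71974.076789] wireguard: wg0: Keypair 1429 created for peer 12
[72004.134540] wireguard: wg0: Retrying handshake with peer 12 (192.168.201.47:17395) because we stopped hearing back after 15 seconds
[72004.134650] wireguard: wg0: Sending handshake initiation to peer 12 (192.168.201.47:17395)
[72004.155991] wireguard: wg0: Receiving handshake response from peer 12 (192.168.201.47:17395)
[72004.156080] wireguard: wg0: Keypair 1428 destroyed for peer 12
[72004.156094] wireguard: wg0: Keypair 1430 created for peer 12
"""

LINE_RE = re.compile(r"^\[\s*(\d+\.\d+)\] wireguard: (\S+): (.*)$")
EVENTS = [  # (event name, pattern); group 1 is always the peer index
    ("init_rx", re.compile(r"Receiving handshake initiation from peer (\d+)")),
    ("init_tx", re.compile(r"Sending handshake initiation to peer (\d+)")),
    ("resp_rx", re.compile(r"Receiving handshake response from peer (\d+)")),
    ("resp_tx", re.compile(r"Sending handshake response to peer (\d+)")),
    ("retry", re.compile(r"Retrying handshake with peer (\d+)")),
    ("keypair_new", re.compile(r"Keypair \d+ created for peer (\d+)")),
]


def parse_log(text):
    """Yield (timestamp, peer_id, event) for every recognised wireguard line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(3)
        for name, rx in EVENTS:
            e = rx.search(msg)
            if e:
                yield ts, int(e.group(1)), name
                break


def summarize(text):
    """Per-peer event counts, mean re-key interval and a role classification."""
    counts = defaultdict(lambda: defaultdict(int))
    rekey_ts = defaultdict(list)
    for ts, peer, ev in parse_log(text):
        counts[peer][ev] += 1
        if ev == "keypair_new":
            rekey_ts[peer].append(ts)
    out = {}
    for peer, c in counts.items():
        gaps = [b - a for a, b in zip(rekey_ts[peer], rekey_ts[peer][1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else None
        if c["init_tx"] and c["retry"]:
            role = "initiator-retrying"  # handshakes succeed, data never returns
        elif c["init_rx"] and not c["init_tx"]:
            role = "responder-only"  # only ever answers, never initiates
        else:
            role = "normal"
        out[peer] = {
            "rekeys": c["keypair_new"],
            "retries": c["retry"],
            "mean_rekey_s": None if mean_gap is None else round(mean_gap, 1),
            "role": role,
            # re-keying well below REKEY_AFTER_TIME is the one-way-tunnel signature
            "suspect": mean_gap is not None and mean_gap < REKEY_AFTER_TIME / 2,
        }
    return out
```

Run `summarize()` over each side's `dmesg` output (or journal lines containing `wireguard:`) to get the same per-peer verdict the two excerpts above show by eye.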

Re: [Question or feature request] Support multiple peer config file using something like /etc/wireguard/conf.d

2022-08-23 Thread Roman Mamedov
Hello,

On Tue, 19 Jul 2022 21:36:57 +
Quentin Vallin  wrote:

> I'm trying to separate my peer configuration and automate it. 
> 
> I know that I can use the post hook PostUp = wg addconf /path/to/my/file
> 
> It would be easier to have a special path where wireguard can merge the config 
> files together, like /etc/wireguard/conf.d//.conf. 

Personally I use my own shell script that concatenates pieces of the config
into a single file and runs wg on that. The same script also then handles
addresses, routes and such.

If you're doing any sort of non-trivial setup, you'd likely have a similar
wrapper on top of WG, and then it is easy to also make your own "conf.d".

-- 
With respect,
Roman


FreeBSD current socket-src changed. Wireguard not compiling.

2022-08-23 Thread Michael Pro
Tonight, after updating the FreeBSD current kernel, I got a core dump with the
wireguard kernel module enabled.

As in
https://reviews.freebsd.org/D36232
 D36232 protosw: refactor protosw and domain static declaration and
load (freebsd.org)
in wireguard-freebsd/src/support.h
...
error = (*so->so_proto->pr_usrreqs->pru_sockaddr)(so, nam);
...
replace with
...
error = solisten_proto_check(so);
...
Recompile: no more core dumps. All works now, perhaps...

Is this the right way to fix the problem? Is this enough or should we
wait for a full-scale refactoring of the code?

Thanks in advance for your reply.


[PATCH v3] wg: Support restricting address family of DNS resolved Endpoint

2022-08-23 Thread Daniel Gröber
When using wireguard tunnels for providing IPv6 connectivity to machines it
can be important to pin which IP address family should be used.

Consider a peer using a DNS name with both A/ records: wg will
currently blindly follow system policy and use the first address returned
by getaddrinfo(). In typical deployments this will cause the IPv6 address
of the peer to be used, however when the whole IPv6 internet is being
routed over our wireguard all this accomplishes is a traffic black hole.

Naturally this can be worked around by having different DNS names for
v4-only / dual-stack addresses, however this may not be possible in some
situations where, say, a dynamic-DNS service is also in use.

To fix this we allow users to control which address family they want using
the new AddressFamily= config option, see wg.8 for details. We also update
reresolve-dns to take the AddressFamily option into account.

We would like to note that the not_oif patch[1] would also alleviate this
problem but since this never got merged it's not a workable solution.

[1]: http://marc.info/?t=145452167200014=1=2

Signed-off-by: Daniel Gröber 
---
 contrib/reresolve-dns/reresolve-dns.sh |  4 ++-
 src/config.c   | 41 --
 src/config.h   |  2 +-
 src/containers.h   |  5 
 src/man/wg.8   |  8 -
 src/set.c  |  9 +-
 src/setconf.c  |  2 +-
 7 files changed, 57 insertions(+), 14 deletions(-)

--
Changes since v1: reword commit message and add missing sign-off.

diff --git a/contrib/reresolve-dns/reresolve-dns.sh 
b/contrib/reresolve-dns/reresolve-dns.sh
index 711c332..bdb47ac 100755
--- a/contrib/reresolve-dns/reresolve-dns.sh
+++ b/contrib/reresolve-dns/reresolve-dns.sh
@@ -17,7 +17,7 @@ process_peer() {
[[ $PEER_SECTION -ne 1 || -z $PUBLIC_KEY || -z $ENDPOINT ]] && return 0
[[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\   
([0-9]+) ]] || return 0
(( ($EPOCHSECONDS - ${BASH_REMATCH[1]}) > 135 )) || return 0
-   wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"
+   wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT" 
address-family "$FAMILY"
reset_peer_section
 }
 
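Review bot: the `+   wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT" address-family "$FAMILY"` line passes the new argument unconditionally, so if this script is run against a `wg` binary that does not yet understand `address-family`, re-resolution fails for every peer instead of merely losing the family pin. Building the argument list conditionally, e.g. `extra=(); [[ $FAMILY != unspec ]] && extra=(address-family "$FAMILY")` followed by `wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT" "${extra[@]}"`, keeps the script working with older tools and with configs that never set AddressFamily.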
@@ -25,6 +25,7 @@ reset_peer_section() {
PEER_SECTION=0
PUBLIC_KEY=""
ENDPOINT=""
+   FAMILY=unspec
 }
 
 reset_peer_section
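Review bot: the literal in `+   FAMILY=unspec` must stay identical to the `unspec` string that `parse_address_family()` in src/config.c accepts; a one-line comment saying so would stop the two drifting apart. Because `reset_peer_section` is also called once before the read loop (the context line above), every peer section starts from `unspec` rather than inheriting the previous peer's value, which is the right per-peer semantics.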
@@ -38,6 +39,7 @@ while read -r line || [[ -n $line ]]; do
case "$key" in
PublicKey) PUBLIC_KEY="$value"; continue ;;
Endpoint) ENDPOINT="$value"; continue ;;
+   AddressFamily) FAMILY="$value"; continue ;;
esac
fi
 done < "$CONFIG_FILE"
diff --git a/src/config.c b/src/config.c
index 81ccb47..e8db900 100644
--- a/src/config.c
+++ b/src/config.c
@@ -192,14 +192,14 @@ static inline int parse_dns_retries(void)
return (int)ret;
 }
 
-static inline bool parse_endpoint(struct sockaddr *endpoint, const char *value)
+static inline bool parse_endpoint(struct sockaddr *endpoint, const char 
*value, int family)
 {
char *mutable = strdup(value);
char *begin, *end;
int ret, retries = parse_dns_retries();
struct addrinfo *resolved;
struct addrinfo hints = {
-   .ai_family = AF_UNSPEC,
+   .ai_family = family,
.ai_socktype = SOCK_DGRAM,
.ai_protocol = IPPROTO_UDP
};
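Review bot: `parse_endpoint()` now copies its new `family` parameter straight into `hints.ai_family` with no validation, so the old resolve-anything behaviour is preserved only if every peer starts with `addr_fam == AF_UNSPEC`. `AF_UNSPEC` is 0 on Linux and the BSDs, so a zero-initialised peer happens to work, but that is an implicit dependency; an explicit `AF_UNSPEC` assignment where peers are allocated (or a comment on the field in src/containers.h, which this excerpt does not show) makes it deliberate.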
@@ -279,6 +279,20 @@ static inline bool parse_endpoint(struct sockaddr 
*endpoint, const char *value)
return true;
 }
 
+static inline bool parse_address_family(int *family, const char *value)
+{
+   if (strcmp(value, "inet") == 0)
+   *family = AF_INET;
+   else if (strcmp(value, "inet6") == 0)
+   *family = AF_INET6;
+   else if (strcmp(value, "unspec") == 0)
+   *family = AF_UNSPEC;
+   else
+   return false;
+
+   return true;
+}
+
 static inline bool parse_persistent_keepalive(uint16_t *interval, uint32_t 
*flags, const char *value)
 {
unsigned long ret;
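Review bot: `parse_address_family()` returns `false` for anything other than `inet`, `inet6` or `unspec` without saying what it rejected, so the user only gets whatever generic error `process_line()` prints for a failed `ret`; an `fprintf(stderr, "AddressFamily must be inet, inet6 or unspec, not '%s'\n", value);` before the `return false;` would make typos obvious. Note also that `strcmp()` makes the match case-sensitive (`Inet6` is rejected); if that is intended, the wg.8 text in this series should say so.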
@@ -454,8 +468,10 @@ static bool process_line(struct config_ctx *ctx, const 
char *line)
goto error;
} else if (ctx->is_peer_section) {
if (key_match("Endpoint"))
-   ret = parse_endpoint(>last_peer->endpoint.addr, 
value);
-   else if (key_match("PublicKey")) {
+   ctx->last_peer->endpoint_value = strdup(value);
+   else if (key_match("AddressFamily")) {
+   ret = parse_address_family(>last_peer->addr_fam, 
value);
+   } else if (key_match("PublicKey")) {
ret = parse_key(ctx->last_peer->public_key, value);
if (ret)
ctx->last_peer->flags |= WGPEER_HAS_PUBLIC_KEY;
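Review bot: in the `Endpoint` branch, `ctx->last_peer->endpoint_value = strdup(value);` is neither checked for `NULL` nor preceded by a `free()` of any earlier value, so a repeated `Endpoint` key in one peer section leaks the first string, and `ret` is no longer assigned on that path at all, so whether the line counts as parsed now depends on whatever `ret` held before this `if` chain (its initialisation is above the hunk). Suggest `free(ctx->last_peer->endpoint_value); ctx->last_peer->endpoint_value = strdup(value); ret = ctx->last_peer->endpoint_value != NULL;` so the branch reports failure the same way the other branches do.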
@@ 
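The failure mode the commit message describes, as an added example that is not part of the patch or of the wg tool: a Python endpoint selector applying the same inet/inet6/unspec values as the new parse_address_family(), run over a constructed getaddrinfo()-style answer list, which additionally refuses any candidate that the peer's own AllowedIPs would route back into the tunnel. The addresses and AllowedIPs are made up for the demonstration.

```python
"""Endpoint selection with an AddressFamily pin and an AllowedIPs sanity check.

The candidate list stands in for getaddrinfo() output (constructed here so the
example runs without DNS); the AllowedIPs and addresses are made up."""
import ipaddress
import socket

# The same three values the patch's parse_address_family() accepts.
ADDRESS_FAMILIES = {
    "inet": socket.AF_INET,
    "inet6": socket.AF_INET6,
    "unspec": socket.AF_UNSPEC,
}


def parse_address_family(value):
    """Map an AddressFamily= config value to a socket family, or raise."""
    try:
        return ADDRESS_FAMILIES[value]
    except KeyError:
        raise ValueError(
            f"AddressFamily={value!r}: expected one of {', '.join(ADDRESS_FAMILIES)}"
        ) from None


def select_endpoint(candidates, allowed_ips, family="unspec"):
    """Return (chosen_ip, skipped) for the first usable candidate.

    candidates: IP strings in the order a resolver returned them (typically the
    IPv6 answer first, which is the default the patch lets users override).
    allowed_ips: the peer's AllowedIPs. An endpoint inside one of them would be
    routed through the very tunnel it terminates unless the host has a
    policy-routing exception; that is the black hole the patch describes.
    """
    want = parse_address_family(family)
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_ips]
    skipped = []
    for cand in candidates:
        ip = ipaddress.ip_address(cand)
        have = socket.AF_INET if ip.version == 4 else socket.AF_INET6
        if want != socket.AF_UNSPEC and have != want:
            skipped.append((cand, "wrong address family"))
            continue
        # ip_network.__contains__ returns False across versions, so a v4
        # address is never reported as covered by ::/0.
        if any(ip in net for net in nets):
            skipped.append((cand, "inside AllowedIPs, would black-hole"))
            continue
        return cand, skipped
    return None, skipped


# Constructed scenario from the patch description: the peer carries the whole
# IPv6 internet (::/0) plus a v4 LAN, and its name resolves to both families.
RESOLVED = ["2001:db8::1", "192.0.2.10"]  # made-up documentation addresses
ALLOWED_IPS = ["::/0", "10.8.0.0/24"]
```

With `family="unspec"` the v6 answer is rejected as a black hole and the v4 one is used; with `family="inet6"` nothing usable remains, which is the configuration error the check is meant to surface before `wg set` is run.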

[PATCH wireguard-go] tun/netstack: bump to latest gvisor

2022-08-23 Thread Shengjing Zhu
To build with go1.19, gvisor needs
99325baf ("Bump gVisor build tags to go1.19").

However gvisor.dev/gvisor/pkg/tcpip/buffer is no longer available,
so refactor to use gvisor.dev/gvisor/pkg/tcpip/link/channel directly.

Signed-off-by: Shengjing Zhu 
---
 tun/netstack/go.mod |   3 +-
 tun/netstack/go.sum | 963 +---
 tun/netstack/tun.go | 105 ++---
 3 files changed, 37 insertions(+), 1034 deletions(-)

diff --git a/tun/netstack/go.mod b/tun/netstack/go.mod
index 18aa993..231584b 100644
--- a/tun/netstack/go.mod
+++ b/tun/netstack/go.mod
@@ -5,12 +5,11 @@ go 1.18
 require (
golang.org/x/net v0.0.0-20220225172249-27dd8689420f
golang.zx2c4.com/wireguard v0.0.0-20220316235147-5aff28b14c24
-   gvisor.dev/gvisor v0.0.0-20211020211948-f76a604701b6
+   gvisor.dev/gvisor v0.0.0-20220817001344-846276b3dbc5
 )
 
 require (
github.com/google/btree v1.0.1 // indirect
-   golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86 // indirect
golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
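Review bot: the `go 1.18` directive in the hunk context is unchanged while the commit message says the new gvisor revision exists to build with go1.19; if that revision's own go.mod declares go 1.19 or it uses 1.19-only APIs, a 1.18 toolchain will no longer build this module, so either confirm a 1.18 build still passes or bump the directive in the same commit. Removing the `golang.org/x/crypto` indirect requirement should come from `go mod tidy` rather than by hand, so the go.sum rewrite stays consistent with it.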
diff --git a/tun/netstack/go.sum b/tun/netstack/go.sum
index 845c7e0..c02671a 100644
--- a/tun/netstack/go.sum
+++ b/tun/netstack/go.sum
@@ -1,973 +1,14 @@

Endpoints are not in sync (latest handshake)

2022-08-23 Thread Mats Loman
I have two wireguard endpoints that have different opinions about when the last 
handshake was made:

interface: wg0
  public key: PauftxCvmti7CDDZ9yj6EKZ+r9zQj6gjb9hvP1whzwQ=
  private key: (hidden)
  listening port: 17395

peer: s5dnr91F06+AQ/3o5urOM5Dc1f0gzHOsGjwD+AEmwDA=
  endpoint: 192.168.201.24:17395
  allowed ips: 192.168.26.197/32, 192.168.201.38/32
  latest handshake: 8 hours, 42 minutes, 30 seconds ago
  transfer: 260.73 GiB received, 313.35 GiB sent

And:

interface: wg0
  public key: s5dnr91F06+AQ/3o5urOM5Dc1f0gzHOsGjwD+AEmwDA=
  private key: (hidden)
  listening port: 17395

peer: PauftxCvmti7CDDZ9yj6EKZ+r9zQj6gjb9hvP1whzwQ=
  endpoint: 192.168.201.23:17395
  allowed ips: 192.168.26.200/32, 192.168.201.249/32
  latest handshake: 2 minutes, 15 seconds ago
  transfer: 282.13 GiB received, 276.13 GiB sent

It is not possible to send data through the tunnel in both directions, only in 
one direction.

It is pretty easy to repeat this situation:
Send UDP packets through the tunnel at a speed that wireguard cannot keep up 
with. I expect packet loss in this case but not that the tunnel is "partially 
closed".

Any ideas?

Best regards,
Mats Loman

[PATCH v2] wg: Support restricting address family of DNS resolved Endpoint

2022-08-23 Thread Daniel Gröber
When using wireguard tunnels for providing IPv6 connectivity to machines it
can be important to pin which IP address family should be used.

Consider a peer using a DNS name with both A/ records: wg will
currently blindly follow system policy and use the first address returned
by getaddrinfo(). In typical deployments this will cause the IPv6 address
of the peer to be used, however when the whole IPv6 internet is being
routed over our wireguard all this accomplishes is a traffic black hole.

Naturally this can be worked around by having different DNS names for
v4-only / dual-stack addresses, however this may not be possible in some
situations where, say, a dynamic-DNS service is also in use.

To fix this we allow users to control which address family they want using
the new AddressFamily= config option, see wg.8 for details. We also update
reresolve-dns to take the AddressFamily option into account.

We would like to note that the not_oif patch[1] would also alleviate this
problem but since this never got merged it's not a workable solution.

[1]: http://marc.info/?t=145452167200014=1=2
---
 contrib/reresolve-dns/reresolve-dns.sh |  4 ++-
 src/config.c   | 41 --
 src/config.h   |  2 +-
 src/containers.h   |  5 
 src/man/wg.8   |  8 -
 src/set.c  |  9 +-
 src/setconf.c  |  2 +-
 7 files changed, 57 insertions(+), 14 deletions(-)

--
Changes in v2: Reword commit message

diff --git a/contrib/reresolve-dns/reresolve-dns.sh 
b/contrib/reresolve-dns/reresolve-dns.sh
index 711c332..bdb47ac 100755
--- a/contrib/reresolve-dns/reresolve-dns.sh
+++ b/contrib/reresolve-dns/reresolve-dns.sh
@@ -17,7 +17,7 @@ process_peer() {
[[ $PEER_SECTION -ne 1 || -z $PUBLIC_KEY || -z $ENDPOINT ]] && return 0
[[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\   
([0-9]+) ]] || return 0
(( ($EPOCHSECONDS - ${BASH_REMATCH[1]}) > 135 )) || return 0
-   wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"
+   wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT" 
address-family "$FAMILY"
reset_peer_section
 }
 
@@ -25,6 +25,7 @@ reset_peer_section() {
PEER_SECTION=0
PUBLIC_KEY=""
ENDPOINT=""
+   FAMILY=unspec
 }
 
 reset_peer_section
@@ -38,6 +39,7 @@ while read -r line || [[ -n $line ]]; do
case "$key" in
PublicKey) PUBLIC_KEY="$value"; continue ;;
Endpoint) ENDPOINT="$value"; continue ;;
+   AddressFamily) FAMILY="$value"; continue ;;
esac
fi
 done < "$CONFIG_FILE"
diff --git a/src/config.c b/src/config.c
index 81ccb47..e8db900 100644
--- a/src/config.c
+++ b/src/config.c
@@ -192,14 +192,14 @@ static inline int parse_dns_retries(void)
return (int)ret;
 }
 
-static inline bool parse_endpoint(struct sockaddr *endpoint, const char *value)
+static inline bool parse_endpoint(struct sockaddr *endpoint, const char 
*value, int family)
 {
char *mutable = strdup(value);
char *begin, *end;
int ret, retries = parse_dns_retries();
struct addrinfo *resolved;
struct addrinfo hints = {
-   .ai_family = AF_UNSPEC,
+   .ai_family = family,
.ai_socktype = SOCK_DGRAM,
.ai_protocol = IPPROTO_UDP
};
@@ -279,6 +279,20 @@ static inline bool parse_endpoint(struct sockaddr 
*endpoint, const char *value)
return true;
 }
 
+static inline bool parse_address_family(int *family, const char *value)
+{
+   if (strcmp(value, "inet") == 0)
+   *family = AF_INET;
+   else if (strcmp(value, "inet6") == 0)
+   *family = AF_INET6;
+   else if (strcmp(value, "unspec") == 0)
+   *family = AF_UNSPEC;
+   else
+   return false;
+
+   return true;
+}
+
 static inline bool parse_persistent_keepalive(uint16_t *interval, uint32_t 
*flags, const char *value)
 {
unsigned long ret;
@@ -454,8 +468,10 @@ static bool process_line(struct config_ctx *ctx, const 
char *line)
goto error;
} else if (ctx->is_peer_section) {
if (key_match("Endpoint"))
-   ret = parse_endpoint(>last_peer->endpoint.addr, 
value);
-   else if (key_match("PublicKey")) {
+   ctx->last_peer->endpoint_value = strdup(value);
+   else if (key_match("AddressFamily")) {
+   ret = parse_address_family(>last_peer->addr_fam, 
value);
+   } else if (key_match("PublicKey")) {
ret = parse_key(ctx->last_peer->public_key, value);
if (ret)
ctx->last_peer->flags |= WGPEER_HAS_PUBLIC_KEY;
@@ -527,19 +543,22 @@ bool config_read_init(struct config_ctx *ctx, 

[PATCH] wireguard: send/receive: update function names in comments

2022-08-23 Thread Yuntao Wang
The functions packet_send_queued_handshakes() and
packet_process_queued_handshake_packets() were renamed to
wg_packet_handshake_send_worker() and wg_packet_handshake_receive_worker()
respectively, but the comments referring to them were not updated
accordingly, let's fix it.

Signed-off-by: Yuntao Wang 
---
 drivers/net/wireguard/receive.c | 2 +-
 drivers/net/wireguard/send.c| 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireguard/receive.c b/drivers/net/wireguard/receive.c
index 7135d51d2d87..5b9cd1841390 100644
--- a/drivers/net/wireguard/receive.c
+++ b/drivers/net/wireguard/receive.c
@@ -566,7 +566,7 @@ void wg_packet_receive(struct wg_device *wg, struct sk_buff 
*skb)
}
atomic_inc(>handshake_queue_len);
cpu = wg_cpumask_next_online(>handshake_queue.last_cpu);
-   /* Queues up a call to 
packet_process_queued_handshake_packets(skb): */
+   /* Queues up a call to wg_packet_handshake_receive_worker(skb): 
*/
queue_work_on(cpu, wg->handshake_receive_wq,
  _cpu_ptr(wg->handshake_queue.worker, 
cpu)->work);
break;
diff --git a/drivers/net/wireguard/send.c b/drivers/net/wireguard/send.c
index 5368f7c35b4b..15202c2e91a8 100644
--- a/drivers/net/wireguard/send.c
+++ b/drivers/net/wireguard/send.c
@@ -69,8 +69,8 @@ void wg_packet_send_queued_handshake_initiation(struct 
wg_peer *peer,
goto out;
 
wg_peer_get(peer);
-   /* Queues up calling packet_send_queued_handshakes(peer), where we do a
-* peer_put(peer) after:
+   /* Queues up calling wg_packet_handshake_send_worker(peer), where we do
+* a wg_peer_put(peer) after:
 */
if (!queue_work(peer->device->handshake_send_wq,
>transmit_handshake_work))
-- 
2.37.1



Android app icon isn't displayed in F-Droid clients

2022-08-23 Thread Thomas Butz
https://github.com/NeoApplications/Neo-Store/issues/273#issuecomment-1214153179


Android App: dynamic configuration

2022-08-23 Thread Schaffner, Joerg
Hi guys,

Is there a way planned to pass a dynamically created configuration set to the 
wireguard android app? I have the following use case:

Some devices receive information about a new, dynamically established VPN and 
want to connect to it. The information about the IP address, public key and so 
on is received from another Android app. This app creates the appropriate 
configuration set and causes the VPN to start based on this set.

I have seen that triggering the VPN connection is possible. But taking over the 
configuration set is not possible, is it?

best regards

Jörg Schaffner


[Question or feature request] Support multiple peer config file using something like /etc/wireguard/conf.d

2022-08-23 Thread Quentin Vallin
Hi, 

I'm trying to separate my peer configuration and automate it. 

I know that I can use the post hook PostUp = wg addconf /path/to/my/file

It would be easier to have a special path where wireguard can merge the config 
files together, like /etc/wireguard/conf.d//.conf. 

I don't find anything in the doc. Do you have a clue if that feature exists? Or 
if that feature is on the backlog?

Thank you for your amazing tool!

Quentin.

[PATCH] wg: Support restricting resolved Endpoint address family

2022-08-23 Thread Daniel Gröber
On IPv4-only hosts it can happen that the v6 default route pointed at a
wireguard interface blackholes wireguard peer traffic intended for the v4
network when the Endpoint hostname resolves to both v6 and v4 records as
most hosts will prefer the v6 address by default. This makes using
dual-stack dynamic-dns services for peer endpoints cumbersome.

We allow users to control which address family they want with the new
AddressFamily= config option, see wg.8 for details. We also update
reresolve-dns to take the AddressFamily option into account.
---
 contrib/reresolve-dns/reresolve-dns.sh |  4 ++-
 src/config.c   | 41 --
 src/config.h   |  2 +-
 src/containers.h   |  5 
 src/man/wg.8   |  8 -
 src/set.c  |  9 +-
 src/setconf.c  |  2 +-
 7 files changed, 57 insertions(+), 14 deletions(-)

diff --git a/contrib/reresolve-dns/reresolve-dns.sh 
b/contrib/reresolve-dns/reresolve-dns.sh
index 711c332..bdb47ac 100755
--- a/contrib/reresolve-dns/reresolve-dns.sh
+++ b/contrib/reresolve-dns/reresolve-dns.sh
@@ -17,7 +17,7 @@ process_peer() {
[[ $PEER_SECTION -ne 1 || -z $PUBLIC_KEY || -z $ENDPOINT ]] && return 0
[[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\   
([0-9]+) ]] || return 0
(( ($EPOCHSECONDS - ${BASH_REMATCH[1]}) > 135 )) || return 0
-   wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"
+   wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT" 
address-family "$FAMILY"
reset_peer_section
 }
 
@@ -25,6 +25,7 @@ reset_peer_section() {
PEER_SECTION=0
PUBLIC_KEY=""
ENDPOINT=""
+   FAMILY=unspec
 }
 
 reset_peer_section
@@ -38,6 +39,7 @@ while read -r line || [[ -n $line ]]; do
case "$key" in
PublicKey) PUBLIC_KEY="$value"; continue ;;
Endpoint) ENDPOINT="$value"; continue ;;
+   AddressFamily) FAMILY="$value"; continue ;;
esac
fi
 done < "$CONFIG_FILE"
diff --git a/src/config.c b/src/config.c
index 81ccb47..e8db900 100644
--- a/src/config.c
+++ b/src/config.c
@@ -192,14 +192,14 @@ static inline int parse_dns_retries(void)
return (int)ret;
 }
 
-static inline bool parse_endpoint(struct sockaddr *endpoint, const char *value)
+static inline bool parse_endpoint(struct sockaddr *endpoint, const char 
*value, int family)
 {
char *mutable = strdup(value);
char *begin, *end;
int ret, retries = parse_dns_retries();
struct addrinfo *resolved;
struct addrinfo hints = {
-   .ai_family = AF_UNSPEC,
+   .ai_family = family,
.ai_socktype = SOCK_DGRAM,
.ai_protocol = IPPROTO_UDP
};
@@ -279,6 +279,20 @@ static inline bool parse_endpoint(struct sockaddr 
*endpoint, const char *value)
return true;
 }
 
+static inline bool parse_address_family(int *family, const char *value)
+{
+   if (strcmp(value, "inet") == 0)
+   *family = AF_INET;
+   else if (strcmp(value, "inet6") == 0)
+   *family = AF_INET6;
+   else if (strcmp(value, "unspec") == 0)
+   *family = AF_UNSPEC;
+   else
+   return false;
+
+   return true;
+}
+
 static inline bool parse_persistent_keepalive(uint16_t *interval, uint32_t 
*flags, const char *value)
 {
unsigned long ret;
@@ -454,8 +468,10 @@ static bool process_line(struct config_ctx *ctx, const 
char *line)
goto error;
} else if (ctx->is_peer_section) {
if (key_match("Endpoint"))
-   ret = parse_endpoint(>last_peer->endpoint.addr, 
value);
-   else if (key_match("PublicKey")) {
+   ctx->last_peer->endpoint_value = strdup(value);
+   else if (key_match("AddressFamily")) {
+   ret = parse_address_family(>last_peer->addr_fam, 
value);
+   } else if (key_match("PublicKey")) {
ret = parse_key(ctx->last_peer->public_key, value);
if (ret)
ctx->last_peer->flags |= WGPEER_HAS_PUBLIC_KEY;
@@ -527,19 +543,22 @@ bool config_read_init(struct config_ctx *ctx, bool append)
return true;
 }
 
-struct wgdevice *config_read_finish(struct config_ctx *ctx)
+struct wgdevice *config_read_finish(struct wgdevice *device)
 {
struct wgpeer *peer;
 
-   for_each_wgpeer(ctx->device, peer) {
+   for_each_wgpeer(device, peer) {
if (!(peer->flags & WGPEER_HAS_PUBLIC_KEY)) {
fprintf(stderr, "A peer is missing a public key\n");
goto err;
}
+
+   if (!parse_endpoint(>endpoint.addr, peer->endpoint_value, 
peer->addr_fam))
+   goto err;
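Review bot: the new loop calls `parse_endpoint()` with `peer->endpoint_value` and `peer->addr_fam` for every peer, but nothing in the visible lines skips peers that never had an `Endpoint` key (normal for the server side of a tunnel), and `parse_endpoint()` begins with `strdup(value)`, which on a `NULL` pointer is undefined behaviour and crashes in practice. Unless the cut-off remainder of the hunk adds it, guard the call with `if (peer->endpoint_value && !parse_endpoint(...)) goto err;` and `free()` `endpoint_value` once it has been resolved. Changing the signature from `struct config_ctx *ctx` to `struct wgdevice *device` also touches every caller (src/set.c and src/setconf.c per the diffstat), which this excerpt does not show.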