Is this a concern
Or could it be handled by pre-routing in wg-quick (if it isn't already): https://lwn.net/Articles/806546/ ___ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard
Re: upgrading raspberry pi required me to re install wireguard
If you want to build/install wg from source, you can do what I do (automation is easy): Download the source xz file and unpack it using xzcat and tar. Navigate to the src directory and build the module and tools using the "make" command. Then use "sudo make install" to get the wg .ko file replaced with the latest one and install any updates to the tools and wg executable. If you do this after a kernel upgrade, you'll need to reboot the pi before you install the wg kernel module, otherwise it won't find the right kernel headers. A simple shell script can be made to do all this stuff for you.

On Thu, Feb 21, 2019, at 6:30 PM, Derrick Lyndon Pallas wrote:
> I just use DKMS to do it. Check out WireGuard to /usr/src, ln -s
> WireGuard/src WireGuard-0, dkms add WireGuard/0. If it's not auto building,
> have you tried dkms install WireGuard/0?
> ~D
>
> On 2/21/19 2:57 PM, Arpit Gupta wrote:
>> Ya reboot did not solve this for me. I will read up on how I can execute
>> package pre/post install scripts.
>>
>> Curious to know if the rebuild the module is the responsibility of the os or
>> the package after a kernel upgrade?
>>
>> I will try to remember this next time there is a kernel upgrade 😁.
>>
>> --
>> Arpit
>>
>> On Thu, Feb 21, 2019, 4:30 AM wrote:
>>> Yes, the kernel did get updated, causing the wg module dependencies to get
>>> out of sync. A reboot after the update should solve this, otherwise you may
>>> need to run the package's preinst script to get the modules back in sync.
>>> Should be no need to reinstall the wg packages.
>>>
>>> On Thu, Feb 21, 2019, at 2:14 AM, Arpit Gupta wrote:
>>>> Hi All
>>>>
>>>> I am running raspberry pi v3 and ran apt-get update and upgrade commands to
>>>> get up to date. It also ended up updating the kernel I think. I should have
>>>> paid more attention to what all was getting updated.
>>>>
>>>> After the update wireguard was not running and upon debugging I found that
>>>> the wireguard kernel module was no longer present. So I uninstalled all
>>>> wireguard packages and installed them again and the module showed up and on
>>>> reboot system was back to normal. What I was curious was how should one go
>>>> about doing os/kernel updates in future in order to avoid this issue?
>>>>
>>>> I am running
>>>> Linux raspberrypi 4.14.98-v7+ #1200 SMP Tue Feb 12 20:27:48 GMT 2019 armv7l GNU/Linux
>>>> No LSB modules are available.
>>>> Distributor ID: Raspbian
>>>> Description: Raspbian GNU/Linux 9.8 (stretch)
>>>> Release: 9.8
>>>> Codename: stretch
>>>>
>>>> ii wireguard 0.0.20190123-1 all fast, modern, secure kernel VPN tunnel (metapackage)
>>>> ii wireguard-dkms 0.0.20190123-1 all fast, modern, secure kernel VPN tunnel (DKMS version)
>>>> ii wireguard-tools 0.0.20190123-1 armhf fast, modern, secure kernel VPN tunnel (userland utilities)
>>>>
>>>> --
>>>> Arpit
Re: upgrading raspberry pi required me to re install wireguard
Yes, the kernel did get updated, causing the wg module dependencies to get out of sync. A reboot after the update should solve this, otherwise you may need to run the package's preinst script to get the modules back in sync. Should be no need to reinstall the wg packages.

On Thu, Feb 21, 2019, at 2:14 AM, Arpit Gupta wrote:
> Hi All
>
> I am running raspberry pi v3 and ran apt-get update and upgrade commands to
> get up to date. It also ended up updating the kernel I think. I should have
> paid more attention to what all was getting updated.
>
> After the update wireguard was not running and upon debugging I found that
> the wireguard kernel module was no longer present. So I uninstalled all
> wireguard packages and installed them again and the module showed up and on
> reboot system was back to normal. What I was curious was how should one go
> about doing os/kernel updates in future in order to avoid this issue?
>
> I am running
> Linux raspberrypi 4.14.98-v7+ #1200 SMP Tue Feb 12 20:27:48 GMT 2019 armv7l GNU/Linux
> No LSB modules are available.
> Distributor ID: Raspbian
> Description: Raspbian GNU/Linux 9.8 (stretch)
> Release: 9.8
> Codename: stretch
>
> ii wireguard 0.0.20190123-1 all fast, modern, secure kernel VPN tunnel (metapackage)
> ii wireguard-dkms 0.0.20190123-1 all fast, modern, secure kernel VPN tunnel (DKMS version)
> ii wireguard-tools 0.0.20190123-1 armhf fast, modern, secure kernel VPN tunnel (userland utilities)
>
> --
> Arpit
Re: [ANNOUNCE] WireGuard Snapshot `0.0.20181007` Available
I get this when building on armv7, but it doesn't seem to affect the build:

echo ' Building modules, stage 2.'; make -f ./scripts/Makefile.modpost
grep: ./arch/arm/Kbuild: No such file or directory

On Sun, Oct 7, 2018, at 6:37 PM, Jason A. Donenfeld wrote:
> On Sun, Oct 7, 2018 at 10:49 PM Jordan Glover wrote:
> > I got an error when doing in-tree build using
> > WireGuard/contrib/kernel-tree/create-patch.sh
> >
> > net/wireguard/receive.c:338:10: fatal error: selftest/counter.c: No such file or directory
> > #include "selftest/counter.c"
> > ^~~~
> > compilation terminated.
>
> Youch. I'm rewriting those scripts so that it picks up file name
> changes like this automatically, so it's not such a whack-a-mole
> situation.
>
> Let me know if this fixes it:
> https://git.zx2c4.com/WireGuard/commit/?id=28366408148d0f230daebd9a61c5f7bf0c3e0390
>
> Jason
Re: [PATCH ARM] Compile on Raspberry Pi
I've been building wg on an rpi b3 for quite some time and have never seen this error. This is with Raspbian Stretch. Maybe compiler related?

On Wed, Aug 29, 2018, at 3:07 AM, Emeka wrote:
> I was able to build on rpi b3 (board 2710) some months ago... and I
> didn't encounter this. Can I see the steps you followed?
>
> Regards, Janus
>
> On Wed, Aug 29, 2018, 5:05 AM Francis Booth wrote:
>> Attempting to build Wireguard on a Raspberry Pi will result in an
>> assembly error
>> Error: immediate expression requires a # prefix -- `moveq r5,1'
>> (the full build error log can be found here: https://pastebin.com/CKTXwGyG)
>> Appending # to the values and telling ARM to treat them as literals
>> solves the issue.
>> I was able to test this patch out on my own Raspberry Pi 3B+ and can
>> confirm the resulting build is successfully able to build, create the
>> wg0 interface, generate a private key, connect to a peer, and send
>> encrypted messages back and forth.
>> justw and revel assisted in providing the fix via the Wireguard irc
>> channel.
>>
>> curve25519: arm: Compile on Raspi diff --git a/src/crypto/curve25519- >> arm.S b/src/crypto/curve25519-arm.S index cb40c24..f9d50e9 100644 --- >> a/src/crypto/curve25519-arm.S 
+++ b/src/crypto/curve25519-arm.S @@ >> -1554,35 +1554,35 @@ ENTRY(curve25519_neon) movw r4, 0 movw r5, 2 >> cmp r1, #1 - moveq r5, 1 + moveq r5, #1 addeq r2, r3, #336 >> addeq r4, r3, #48 cmp r1, #2 - moveq r5, 1 + moveq r5, #1 addeq >> r2, r3, #48 cmp r1, #3 - moveq r5, 5 + moveq r5, #5 addeq r4, >> r3, #336 cmp r1, #4 - moveq r5, 10 + moveq r5, #10 cmp r1, #5 - >> moveq r5, 20 + moveq r5, #20 cmp r1, #6 - moveq r5, 10 + moveq >> r5, #10 addeq r2, r3, #336 addeq r4, r3, #336 cmp r1, #7 - >> moveq r5, 50 + moveq r5, #50 cmp r1, #8 - moveq r5, 100 + moveq >> r5, #100 cmp r1, #9 - moveq r5, 50 + moveq r5, #50 addeq r2, >> r3, #336 cmp r1, #10 - moveq r5, 5 + moveq r5, #5 addeq r2, r3, >> #48 cmp r1, #11 - moveq r5, 0 + moveq r5, #0 addeq r2, r3, #96 >> add r6, r3, #144 add r7, r3, #288>> >> ___ >> WireGuard mailing list >> WireGuard@lists.zx2c4.com >> https://lists.zx2c4.com/mailman/listinfo/wireguard > _ > WireGuard mailing list > WireGuard@lists.zx2c4.com > https://lists.zx2c4.com/mailman/listinfo/wireguard ___ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard
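Review bot: The two context lines at the top of the hunk, `movw r4, 0` and `movw r5, 2`, still pass bare immediates while every `moveq r5, N` below them gains a `#`; an assembler strict enough to reject `moveq r5,1` may reject those next, so consider changing them to `movw r4, #0` and `movw r5, #2` in the same patch, or say in the commit message why they assemble as written. The commit message would also be more useful if it named the assembler and version that produced "immediate expression requires a # prefix", since replies in this thread report building on the same board without the error.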
Re: WireGuard on Docker
I'm wondering if the kernel module is loaded:

# modinfo wireguard

On Tue, Jul 10, 2018, at 4:16 AM, Mohammad Amir Heshmatkhah wrote:
> Hi,
> I want to run WireGuard on a docker container as server,
> I try different base Images but I get this error message every time:
>
> [#] ip link add wg0 type wireguard
> RTNETLINK answers: Operation not supported
> Unable to access interface: Protocol not supported
> [#] ip link delete dev wg0
> Cannot find device "wg0"
>
> Here are 3 Dockerfiles I tried:
>
> FROM alpine:3.7
> RUN apk upgrade --update \
> && echo http://dl-cdn.alpinelinux.org/alpine/edge/testing >> /etc/apk/repositories \
> && apk add --no-cache bash wireguard-tools
>
> ENTRYPOINT [ "wg-quick", "up", "wg0" ]
>
> -
>
> FROM ubuntu:16.04
> RUN apt-get update && apt-get install -y software-properties-common apt-utils \
> && add-apt-repository ppa:wireguard/wireguard \
> && apt-get update \
> && apt-get install -y iproute linux-headers-$(uname -r) wireguard-dkms wireguard-tools wireguard
>
> ENTRYPOINT [ "wg-quick", "up", "wg0" ]
>
> -
>
> FROM debian:9
> RUN echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list \
> && printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable \
> && apt-get update && apt-get install -y wireguard
>
> ENTRYPOINT [ "wg-quick", "up", "wg0" ]
>
> -
>
> I run these containers with:
>
> sudo docker run -it -v $(pwd)/config:/etc/wireguard/ -v /dev:/dev
> -v /lib/modules:/lib/modules --cap-add=ALL --privileged name here
>
> where wg0.conf is located in " $(pwd)/config/wg0.conf" on host machine
>
> -
>
> and here is my wg0.conf file:
>
> [Interface]
> Address = 172.26.10.1/24
> SaveConfig = true
> PrivateKey =
> ListenPort = 40540
>
> [Peer]
> PublicKey =
> AllowedIPs = 172.26.10.2/32
>
> -
>
> So, How can I fix this "*Unable to access interface: Protocol not
> supported*" error?
Re: Poor performance under high load
I'm getting 95 Mbps download speed with 0.0.20180708, and this with ARM v7l.

On Mon, Jul 9, 2018, at 3:23 PM, Jason A. Donenfeld wrote:
> Hey Max,
>
> Try out 0.0.20180708. I suspect it might show a bit better curve.
>
> Jason
Re: PostUp/PreUp/PostDown/PreDown Dangerous?
I'm in favor of keeping the features. A competent sysadmin or netadmin should know not to put questionable material on their systems, or at the very least, try it on a test bed where it can't do any damage.

On Thu, Jun 21, 2018, at 9:41 PM, Jason A. Donenfeld wrote:
> Hey list,
>
> wg(8) is the main WireGuard configuration tool. It takes a fairly
> strict set of inputs, and is supposed to perform acceptable input
> validation on them.
>
> https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8
>
> wg-quick(8), on the other hand, is a dinky bash script, that is useful
> for making some common limited use cases a bit easier.
>
> https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8
>
> wg-quick(8) has the very handy feature of allowing
> PostUp/PostDown/PreUp/PreDown directives, to execute some helpers,
> such as iptables or whatever else you want in a custom setup. These
> have proven very useful to folks. And because these allow arbitrary
> execution anyway, wg-quick(8) doesn't try very hard to do proper input
> validation either.
>
> I just saw this nice post pointing out a problem in OpenVPN:
> https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da
>
> The same thing applies to wg-quick(8) with
> PostUp/PostDown/PreUp/PreDown. The question is how seriously we should
> take the problem presented by this blog post. Namely, you can't trust
> configuration files given to you by outside parties. Maybe you
> shouldn't reconfigure your network without inspecting what those
> reconfigurations are first. However, one could argue that code
> execution is a bit beyond networking config.
>
> So, the question we need to ask is whether this problem is important
> enough that these useful features should be _removed_? Or if there's a
> way to make them safer? Or if it just doesn't matter that much and we
> shouldn't do anything.
>
> Thoughts?
>
> Jason
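The inspection step raised in the quoted message ("you can't trust configuration files given to you by outside parties"), as an added example that is not part of the thread or of wg-quick itself: a POSIX shell helper that lists every PreUp/PostUp/PreDown/PostDown command in a config file so it can be read before `wg-quick up` is run. The function names and the sample config are constructed for illustration; stripping comments at `#` and matching keys case-insensitively are assumptions about how wg-quick reads these lines, chosen to err toward flagging.

```shell
# Added example: list the command hooks in a wg-quick config before use.
# list_wg_hooks FILE: print "line<TAB>key<TAB>command" for every hook directive.
# Assumptions: "key = value" lines, text after "#" is a comment, keys match
# case-insensitively. Hooks are reported in any section, to err toward flagging.
list_wg_hooks() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)
        eq = index(line, "=")
        if (eq == 0) next
        key = substr(line, 1, eq - 1)
        val = substr(line, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (tolower(key) ~ /^(pre|post)(up|down)$/)
            printf "%d\t%s\t%s\n", NR, key, val
    }' "$1"
}

# check_wg_config FILE: return 0 if the file has no hooks, 1 if it has
# (printing them to stderr for review), 2 if the file could not be read.
check_wg_config() {
    hooks=$(list_wg_hooks "$1") || return 2
    [ -z "$hooks" ] && return 0
    printf 'commands %s would execute (line, key, command):\n%s\n' "$1" "$hooks" >&2
    return 1
}

# Constructed sample config; keys are placeholders, not real values.
write_sample_config() {
    cat > "$1" <<'EOF'
[Interface]
Address = 172.26.10.1/24
ListenPort = 40540
PrivateKey = PLACEHOLDER_PRIVATE_KEY
# PostUp = /bin/true
PostUp = iptables -A FORWARD -i %i -j ACCEPT
postdown=iptables -D FORWARD -i %i -j ACCEPT
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 172.26.10.2/32
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
check_wg_config "$sample" || echo "review the listed commands before wg-quick up"
rm -f "$sample"
```

A received file can be gated with `check_wg_config FILE && wg-quick up FILE`, so the interface only comes up unattended when the file contains no commands.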
Re: WG interface to ipv4
On Tue, May 8, 2018, at 11:44 AM, Riccardo Berto wrote:
> I don't really get why the iface bindings should be accomplished at the
> WireGuard level. If I get it correctly, it won't be safer than it
> already is.
> WireGuard just has to provide a secure and standard network interface.
> There are other full-featured, clogged VPNs out there that can even make
> you the coffee, I'd like WireGuard to stand out and stick to the
> original "UNIX tools philosophy": do one thing and do it well.

Agree completely. I'd be happy to see WG remain as a fast, simple packet-encryption-transmission engine.
Re: Troubleshooting WireGuard connections
Strange. I've been running WG on an RPI 3 with Raspbian (Stretch) with no problems. The Pi is reached via a squid proxy which tunnels out to a server in the US.

On Wed, Apr 25, 2018, at 7:51 AM, Jason A. Donenfeld wrote:
> Hi Riccardo,
>
> We really should debug this in real time. Perhaps pop into #wireguard
> on Freenode?
>
> Jason
Re: On redhat 7.4 wireguard not working
FWIW, tried this on Debian Stretch, no errors:

0: from all lookup local
32763: from all lookup main suppress_prefixlength 0
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
32766: from all lookup main
32767: from all lookup default

On Wed, Apr 18, 2018, at 3:16 PM, Vikas wrote:
> The error I get is:
>
> Error: argument "suppress_prefixlength" is wrong: Failed to parse rule type
>
> Here is the detailed output:
>
> root@freepbx ~# wg-quick up wg0
> [#] ip link add wg0 type wireguard
> [#] wg setconf wg0 /dev/fd/63
> [#] ip address add 10.1.9.4/16 dev wg0
> [#] ip link set mtu 1420 dev wg0
> [#] ip link set wg0 up
> [#] wg set wg0 fwmark 51820
> [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
> [#] ip -4 rule add not fwmark 51820 table 51820
> [#] ip -4 rule add table main suppress_prefixlength 0
> Error: argument "suppress_prefixlength" is wrong: Failed to parse rule type
> [#] ip -4 rule delete table 51820
> [#] ip link delete dev wg0
>
> --
> VK