[PATCH] wireguard-tools: embeddable-wg-library: add named wg_endpoint union

2021-10-10 Thread mikma . wg 

Hello,

It would be useful to have a named wg_endpoint type in the embeddable wg 
library. It's added by the attached patch.


/Mikael

>From 62b35cb221af7208399fced86660585080c688f5 Mon Sep 17 00:00:00 2001
From: Mikael Magnusson 
Date: Sat, 7 Nov 2020 13:32:56 +0100
Subject: [PATCH] embeddable-wg-library: add named wg_endpoint union

Define wg_endpoint as a named union to allow users of the emeddable
library to use the type in function arguments, variables etc.

Signed-off-by: Mikael Magnusson 
---
 contrib/embeddable-wg-library/wireguard.h | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/contrib/embeddable-wg-library/wireguard.h b/contrib/embeddable-wg-library/wireguard.h
index fbd8765..328fcb4 100644
--- a/contrib/embeddable-wg-library/wireguard.h
+++ b/contrib/embeddable-wg-library/wireguard.h
@@ -40,17 +40,19 @@ enum wg_peer_flags {
 	WGPEER_HAS_PERSISTENT_KEEPALIVE_INTERVAL = 1U << 4
 };
 
+typedef union wg_endpoint {
+	struct sockaddr addr;
+	struct sockaddr_in addr4;
+	struct sockaddr_in6 addr6;
+} wg_endpoint;
+
 typedef struct wg_peer {
 	enum wg_peer_flags flags;
 
 	wg_key public_key;
 	wg_key preshared_key;
 
-	union {
-		struct sockaddr addr;
-		struct sockaddr_in addr4;
-		struct sockaddr_in6 addr6;
-	} endpoint;
+	wg_endpoint endpoint;
 
 	struct timespec64 last_handshake_time;
 	uint64_t rx_bytes, tx_bytes;
-- 
2.25.1

Re: Nested Wireguard tunnels not working on Android and Windows

2021-03-02 Thread mikma . wg 

On 2021-03-01 21:09, i iordanov wrote:


Hi Frank,

On Mon, Mar 1, 2021 at 9:42 AM Frank Carmickle  wrote:

Maybe it's a bug and not a feature? It seems to me that you would have no way 
of setting the MTU on the inner tunnel.

That's true - other than inefficient packet fragmentation, is there
anything else that would be an issue?
It's possible to configure the MTU for each route on Linux. (Obviously 
you can't use the extremely simple wg-quick script for this.)



Is there a reason why you can't try multiple interfaces?

I cannot bring up more than a single interface on Android. I am not
sure about interface management on Windows with wg.exe, but
wireguard.exe certainly does not permit multiple interfaces to be
brought up.


The WireGuard app on Android also can't use a VPN address as the source 
of WireGuard packets. Only non-VPN addresses are supported.


Which means currently the WireGuard app on Android can't be used for 
nested tunnels.

Re: Openwrt wg0 behaves not alike that on Fedora: why?

2020-06-15 Thread mikma . wg 

On 2020-06-14 20:19, Sergey Ivanov wrote:

Hi,
I have a question about wg0 on OpenWRT not forwarding packets from one
client to another. I have a laptop at home in my home LAN, and a
computer at work in a very restricted LAN. They can not see one
another. I spent a lot of time trying to get them connected by adding
their wg0's IP addresses to the AllowedIPs on my home router running
OpenWRT. I saw pings from each of them successfully decrypted (I've
used ping with patterns) on the OpenWRT wg0, but they never got routed
further.

When I decided to try to move the same AllowedIPs from OpenWRT's wg0
to my desktop Fedora, it immediately worked. It looks like some sort
of setting like isolation of the clients, or hairpin mode which is
different on OpenWRT than on Fedora.

Can someone help and suggest what I should look at? I'd like to have
it working on the router which is all time on.


You should look at the firewall in OpenWrt. It's probably dropping or 
rejecting the packets. In particular look at the forward option of the 
firewall zone assigned to wg0. From the OpenWrt Firewall - Zone Settings 
GUI:


the forward option describes the policy for forwarded traffic 
between different networks within the zone.


Since WireGuard is a routed (and not bridged) VPN the above setting can 
also control forwarding between hosts on the same network.

wireguard-go: IpcGetOperation: return peers in sorted order

2020-02-15 Thread mikma . wg 

Hello,

I have an improvement to IpcGetOperation in wireguard-go.

uapi: IpcGetOperation: return peers in sorted order

Sort peers based on the public key.
The pros of using a sorted peer list is that the order doesn't change in
each ipc operation, or execution of the "wg showconf" command. Which 
could be the case previously with an unsorted peer list.


The output from git format-patch is attached. The patch is also 
available at 
https://cgit.m7n.se/pub/wireguard-go/commit/?id=027bf58651f1a7b2be1bedfde187e5277a13f48e


/Mikael
>From 027bf58651f1a7b2be1bedfde187e5277a13f48e Mon Sep 17 00:00:00 2001
From: Mikael Magnusson 
Date: Sun, 22 Sep 2019 23:13:30 +0200
Subject: [PATCH] uapi: IpcGetOperation: return peers in sorted order

Sort peers based on the public key.
The pros of using a sorted peer list is that the order doesn't change in
each ipc operation, or execution of the "wg showconf" command. Which could
be the case previously with an unsorted peer list.

Signed-off-by: Mikael Magnusson 
---
 device/uapi.go | 41 -
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/device/uapi.go b/device/uapi.go
index 72611ab..bd66451 100644
--- a/device/uapi.go
+++ b/device/uapi.go
@@ -7,9 +7,11 @@ package device
 
 import (
 	"bufio"
+	"bytes"
 	"fmt"
 	"io"
 	"net"
+	"sort"
 	"strconv"
 	"strings"
 	"sync/atomic"
@@ -30,6 +32,42 @@ func (s IPCError) ErrorCode() int64 {
 	return s.int64
 }
 
+type PeerInfo struct {
+	pubkey NoisePublicKey
+	pubkeySlice []byte
+	peer *Peer
+}
+
+type PeerInfoList []PeerInfo
+
+func (list PeerInfoList) Len() int {
+	return len(list)
+}
+
+func (list PeerInfoList) Less(i, j int) bool {
+	k1 := list[i].pubkeySlice
+	k2 := list[j].pubkeySlice
+
+	return bytes.Compare(k1, k2) == -1;
+}
+
+func (list PeerInfoList) Swap(i, j int) {
+	list[i], list[j] = list[j], list[i]
+}
+
+func (device *Device) GetSortedPeers() PeerInfoList {
+	peers := make(PeerInfoList, 0, len(device.peers.keyMap))
+	for pubkey, peer := range device.peers.keyMap {
+		info := PeerInfo{}
+		info.pubkey = pubkey
+		info.pubkeySlice = info.pubkey[:]
+		info.peer = peer
+		peers = append(peers, info)
+	}
+	sort.Sort(peers)
+	return peers
+}
+
 func (device *Device) IpcGetOperation(socket *bufio.Writer) *IPCError {
 	lines := make([]string, 0, 100)
 	send := func(line string) {
@@ -65,7 +103,8 @@ func (device *Device) IpcGetOperation(socket *bufio.Writer) *IPCError {
 
 		// serialize each peer state
 
-		for _, peer := range device.peers.keyMap {
+		for _, peerInfo := range device.GetSortedPeers() {
+			peer := peerInfo.peer
 			peer.RLock()
 			defer peer.RUnlock()
 
-- 
2.17.1

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: IPv6 endpoint AND IPv4 fallback endpoint in roadwarrior scenario?

2019-11-27 Thread mikma . wg 

On 2019-09-30 09:52, Nico Schottelius wrote:


At lookup time this works already. The problem is, if the underlying
network topology changes and you need to reconnect via IPv4, when you
had IPv6 underlying before.


It doesn't work for me at least not with the Android app. I have a DNS 
name with both  and A records that I use but the app seems to prefer 
IPv4 instead of IPv6. And I also can't detect any fallback to IPv6 if 
ICMP unreachable are sent for the IPv4 handshake attempts.


/Mikma



This is the feature that is - afaik- not currently implemented in
wireguard.


Henning Reich  writes:


Should a DNS entry Wirth one
 record and one A record solve thus problem? So the OS decide the best
way to connect?


___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Crashes in wg_allowedips_insert_X

2019-04-05 Thread mikma . wg 

Hello list,

I'm experiencing crashes in wg_allowedips_insert_v4 and 
wg_allowedips_insert_v6 in the wireguard kernel module. It happens both 
with the current snapshot (0.0.20190227-wg1~bionic) and the current git 
master (65e1f283). It seems to be caused by commit 20a230b3 (allowedips: 
maintain per-peer list of allowedips), since I can't trigger the bug(s) 
after reverting that commit.


I have attached a dmesg dump of one general protection fault, and 
included two scripts below which triggers the bug(s). I am running 
Ubuntu 18.04 x86_64 with mainline linux 5.0.5 from 
https://kernel.ubuntu.com/~kernel-ppa/mainline.


/Mikma

#!/bin/sh

name=wgtest
key="pUZ1gXtFRRNeJFcBx2cGLELdeJTA00nTdQMuHjMYI2E="

ips="
0.0.0.0/0
10.0.0.0/8
100.64.0.0/10
172.16.0.0/12
192.168.0.0/16
"

allowed_ips=$(echo $ips | tr ' ' ',')

ip l add $name type wireguard
wg set $name peer $key allowed-ips $allowed_ips
wg set $name peer $key allowed-ips '0.0.0.0/0'


#!/bin/sh

name=wgtest
key="pUZ1gXtFRRNeJFcBx2cGLELdeJTA00nTdQMuHjMYI2E="

ips="
::/0
17e5:9cdb:34ce:1800::/111
5000::/4
eb3f:fbec:5000::/37
9730:9636:d403:e000::/75
"

allowed_ips=$(echo $ips | tr ' ' ',')

ip l add $name type wireguard
wg set $name peer $key allowed-ips $allowed_ips
wg set $name peer $key allowed-ips '::/0'

[   47.508485] wireguard: loading out-of-tree module taints kernel.
[   47.508591] wireguard: module verification failed: signature and/or required 
key missing - tainting kernel
[   47.511058] wireguard: WireGuard 0.0.20190227 loaded. See www.wireguard.com 
for information.
[   47.511059] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld 
. All Rights Reserved.
[   47.517456] general protection fault:  [#1] SMP PTI
[   47.517545] CPU: 0 PID: 1278 Comm: wg Tainted: G   OE 
5.0.5-050005-generic #201903271212
[   47.517639] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
1.10.2-1ubuntu1 04/01/2014
[   47.517750] RIP: 0010:wg_allowedips_insert_v4+0x298/0x3c0 [wireguard]
[   47.517845] Code: 00 00 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 89 
d9 48 8b 41 38 48 8b 71 30 48 8d 51 30 4c 89 31 49 81 c6 20 06 00 00 <48> 89 46 
08 48 89 30 49 8b 46 08 49 89 56 08 4c 89 71 30 48 89 41
[   47.518043] RSP: 0018:a9acc08579f0 EFLAGS: 00010282
[   47.518131] RAX: dead0200 RBX: 8d949378a340 RCX: 8d949378a340
[   47.518190] RDX: 8d949378a370 RSI: dead0100 RDI: 
[   47.518283] RBP: a9acc0857a30 R08: 8d9494f9ad08 R09: 0003
[   47.518376] R10: 3a2caa423744a024 R11: cea45abfb35c5be3 R12: 
[   47.518472] R13:  R14: 8d9493eb7e20 R15: 8d9494f9acf0
[   47.518580] FS:  7f44a28c7740() GS:8d949f20() 
knlGS:
[   47.518690] CS:  0010 DS:  ES:  CR0: 80050033
[   47.518780] CR2: 7ffed57ee0a0 CR3: 137ba004 CR4: 003606f0
[   47.518907] Call Trace:
[   47.519055]  set_peer+0x3b7/0x4c0 [wireguard]
[   47.519148]  wg_set_device+0x2e9/0x4c0 [wireguard]
[   47.519243]  genl_family_rcv_msg+0x1d8/0x410
[   47.519334]  genl_rcv_msg+0x4c/0x93
[   47.519424]  ? _cond_resched+0x19/0x30
[   47.519511]  ? genl_family_rcv_msg+0x410/0x410
[   47.519598]  netlink_rcv_skb+0x4f/0x120
[   47.519699]  genl_rcv+0x28/0x40
[   47.519794]  netlink_unicast+0x1a1/0x260
[   47.519864]  netlink_sendmsg+0x20d/0x3c0
[   47.519881]  sock_sendmsg+0x3e/0x50
[   47.519931]  __sys_sendto+0x114/0x1a0
[   47.520019]  ? __sys_recvmsg+0x59/0xa0
[   47.520103]  __x64_sys_sendto+0x28/0x30
[   47.520193]  do_syscall_64+0x5a/0x110
[   47.520280]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   47.520371] RIP: 0033:0x7f44a21d7da7
[   47.520457] Code: 64 89 02 48 c7 c0 ff ff ff ff eb b6 0f 1f 80 00 00 00 00 
48 8d 05 61 db 2c 00 41 89 ca 8b 00 85 c0 75 18 b8 2c 00 00 00 0f 05 <48> 3d 00 
f0 ff ff 77 79 f3 c3 0f 1f 80 00 00 00 00 41 57 41 56 4d
[   47.520654] RSP: 002b:7ffed5728f18 EFLAGS: 0246 ORIG_RAX: 
002c
[   47.520787] RAX: ffda RBX:  RCX: 7f44a21d7da7
[   47.520892] RDX: 0074 RSI: 55c70f110450 RDI: 0003
[   47.520985] RBP: 55c70f110450 R08: 7f44a24a99e0 R09: 000c
[   47.521077] R10:  R11: 0246 R12: 55c70f1104a8
[   47.521170] R13:  R14:  R15: 55c70f110260
[   47.521285] Modules linked in: wireguard(OE) ip6_udp_tunnel udp_tunnel 
binfmt_misc veth btrfs zstd_compress xor raid6_pq ebtable_filter ebtables 
ip6table_nat nf_nat_ipv6 ip6table_filter ip6_tables xt_CHECKSUM xt_comment 
xt_tcpudp iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 
nf_defrag_ipv4 libcrc32c iptable_mangle iptable_filter bpfilter bridge stp llc 
snd_hda_codec_generic ledtrig_audio crct10dif_pclmul crc32_pclmul 
ghash_clmulni_intel aesni_intel aes_x86_64 crypto_simd cryptd snd_hda_intel 
glue_helper snd_hda_codec snd_hda_core snd_hwdep joydev input_leds serio_raw

Re: Multiple VPN connections on Android

2019-04-05 Thread mikma . wg 



On 2019-03-26 15:17, Julian Orth wrote:

Hello list,

I'm currently using WireGuard on Android for two purposes:

1. Routing all traffic via a commercial VPN provider to protect myself on
open wireless networks.
2. Connecting to my home network.

Unfortunately WireGuard on Android does not allow me to do both of these
things at the same time. I assume this is because VpnService [1] only allows 1
VPN connection at a time.


Can't you add the peer for your home network to the same configuration 
(tun device) as the peer for the commercial VPN provider? It seems a 
straight forward solution to me if you are okay with the IP addresses 
assigned by the VPN provider.




Has any thought been put into emulating multiple tun devices in user space?


I don't see why you would need multiple tun devices. It is possible to 
add multiple IPv4 and IPv6 addresses to the tun device, but there may be 
a problem with the source address selection. Linux allows specifying a 
preferred address for each route, but it isn't possible in the Android 
API AFAIK. If you have a rooted device then you can potentially update 
the routing tables with the preferred source address for each VPN route.


/Mikma



Julian

[1] https://developer.android.com/reference/android/net/VpnService.html
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Why does 'allowed-ips' affect route selection behavior?

2018-04-15 Thread mikma . wg 

On 04/15/2018 08:49 PM, Patrick O'Sullivan wrote:


$ sudo ip route show
default via 10.199.199.1 dev wlan0
10.111.111.0/24 dev wg0 proto kernel scope link src 10.111.111.100
10.199.199.0/24 dev wlan0 proto kernel scope link src 10.199.199.131

By this route table, traffic to e.g. 4.2.2.1 should use 10.199.199.1.
Packet captures were showing traffic trying to instead use wg0. Then I
found this:

$ sudo ip route get 4.2.2.1
4.2.2.1 dev wg0 table 51820 src 10.111.111.100
 cache

Can someone please explain this behavior?


Table 51820 is the default table used by wg-quick.

From wg-quick's man page:


It infers all routes from the list of peers' allowed IPs, and automatically  
adds them to the system routing table. If one of those routes is the default 
route (0.0.0.0/0 or ::/0), then it uses ip-rule(8) to  handle overriding of the 
default gateway.


/Mikma
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: wg-ip, a tool to assign automatic ip addresses to wireguard interfaces

2018-04-12 Thread mikma . wg 



On 04/12/2018 01:42 PM, Christophe-Marie Duquesne wrote:


Long story short, you need a proper central server that will find the
next ip address, or you need to stick to ipv6 (and in that case the
address space makes it pointless to do that check).


I think one option is to use the DHCPv4-over-DHCPv6 (DHCP 4o6) Transport 
defined in RFC 7341. In that case you would need a link-local IPv6 
address which is used with DHCPv6. Via DHCPv6 you will be able to 
receive the DHCP 4o6 server address option. And then request an IPv4 
address using the DHCP 4o6 server.


https://datatracker.ietf.org/doc/rfc7341/

/Mikma
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard