Re: WireGuard patchset for OpenBSD, rev. 3

2020-06-21 Thread Matt Dunwoodie
On Sun, 21 Jun 2020 15:54:00 +0200 Matthieu Herrb wrote: > Hi, > > I was wondering if there is a way to specify a routing domain/table > for wgendpoint in ifconfig(8). > > In a VPN client setup (roadwarrior style) I'd like to keep wg0 in > rdomain 0 and put the actual physical interface in rdoma

Re: WireGuard patchset for OpenBSD, rev. 3

2020-06-21 Thread Patrick Wildt
On Sun, Jun 21, 2020 at 10:06:52AM -0400, Sonic wrote: > Along that line, does wireguard have any problems using alias > addresses? It's not a problem with IKEv1 but it is with IKEv2. > > Thanks! > > Chris I still don't see how this is a problem with IKEv2, so don't spread any rumours and instea

Re: WireGuard patchset for OpenBSD, rev. 3

2020-06-21 Thread Sonic
Along that line, does wireguard have any problems using alias addresses? It's not a problem with IKEv1 but it is with IKEv2. Thanks! Chris

Re: WireGuard patchset for OpenBSD, rev. 3

2020-06-21 Thread Matthieu Herrb
On Fri, Jun 19, 2020 at 06:46:00PM +1000, Matt Dunwoodie wrote: > Hi all, > > After the previous submission of WireGuard, we've again been through a > number of improvements. Thank you everyone for your feedback. Hi, I was wondering if there is a way to specify a routing domain/table for wgendpo

Re: WireGuard patchset for OpenBSD, rev. 3

2020-06-21 Thread David Gwynne
On Sun, Jun 21, 2020 at 12:52:53PM +0200, Matthieu Herrb wrote: > On Fri, Jun 19, 2020 at 06:46:00PM +1000, Matt Dunwoodie wrote: > > Hi all, > > > > After the previous submission of WireGuard, we've again been through a > > number of improvements. Thank you everyone for your feedback. > > Hi, >

Re: WireGuard patchset for OpenBSD, rev. 3

2020-06-21 Thread Matthieu Herrb
On Fri, Jun 19, 2020 at 06:46:00PM +1000, Matt Dunwoodie wrote: > Hi all, > > After the previous submission of WireGuard, we've again been through a > number of improvements. Thank you everyone for your feedback. Hi, While giving wireguard a try, I found that this patch is needed to fix ifconfig

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-28 Thread Claudio Jeker
On Thu, May 28, 2020 at 01:07:40PM +0200, Martin Pieuchot wrote: > On 27/05/20(Wed) 20:18, Matt Dunwoodie wrote: > > On Wed, 27 May 2020 09:34:53 +0200 > > Martin Pieuchot wrote: > > > Regarding the kernel, I'd suggest you use "#if NWG > 0" like it is > > > done for other pseudo-drives with 'needs

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-28 Thread Martin Pieuchot
On 27/05/20(Wed) 20:18, Matt Dunwoodie wrote: > On Wed, 27 May 2020 09:34:53 +0200 > Martin Pieuchot wrote: > > Regarding the kernel, I'd suggest you use "#if NWG > 0" like it is > > done for other pseudo-drives with 'needs-flag'. > > For the most part there is no significant changes to other p

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-28 Thread Otto Moerbeek
On Thu, May 28, 2020 at 01:21:21AM -0600, Jason A. Donenfeld wrote: > On Thu, May 28, 2020 at 1:19 AM Otto Moerbeek wrote: > > Of course.., I was running it from a !wxallowed mount. BTW, qemu is in > > packages, no need to build it yourself. > > Sure, but now I've been somewhat nerd sniped and a

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-28 Thread Jason A. Donenfeld
On Thu, May 28, 2020 at 1:19 AM Otto Moerbeek wrote: > Of course.., I was running it from a !wxallowed mount. BTW, qemu is in > packages, no need to build it yourself. Sure, but now I've been somewhat nerd sniped and am playing with this fcode forth implementation in qemu :-P. I wonder if there's

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-28 Thread Otto Moerbeek
On Thu, May 28, 2020 at 01:05:59AM -0600, Jason A. Donenfeld wrote: > On Thu, May 28, 2020 at 12:15 AM Otto Moerbeek wrote: > > > > On Wed, May 27, 2020 at 11:28:09PM -0600, Jason A. Donenfeld wrote: > > > > > Hi Otto, > > > > > > On Wed, May 27, 2020 at 4:07 AM Otto Moerbeek wrote: > > > > Alth

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-28 Thread Jason A. Donenfeld
On Thu, May 28, 2020 at 12:15 AM Otto Moerbeek wrote: > > On Wed, May 27, 2020 at 11:28:09PM -0600, Jason A. Donenfeld wrote: > > > Hi Otto, > > > > On Wed, May 27, 2020 at 4:07 AM Otto Moerbeek wrote: > > > Although I'm not terribly interested in bugs that are only seen (so > > > far) using emul

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-27 Thread Otto Moerbeek
On Wed, May 27, 2020 at 11:28:09PM -0600, Jason A. Donenfeld wrote: > Hi Otto, > > On Wed, May 27, 2020 at 4:07 AM Otto Moerbeek wrote: > > Although I'm not terribly interested in bugs that are only seen (so > > far) using emulation, please send me the details on how you set up > > qemu. > > Ri

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-27 Thread Jason A. Donenfeld
Hi Otto, On Wed, May 27, 2020 at 4:07 AM Otto Moerbeek wrote: > Although I'm not terribly interested in bugs that are only seen (so > far) using emulation, please send me the details on how you set up > qemu. Right, it could very well be a TCG bug. But maybe not. Here's how to get things [not-]w

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-27 Thread Matt Dunwoodie
On Wed, 27 May 2020 01:43:34 -0600 "Jason A. Donenfeld" wrote: > On Wed, May 27, 2020 at 1:34 AM Martin Pieuchot > wrote: > > First question is, is it possible to use the wg(4) interface > > without a port? > > No, that is not how WireGuard works. For details on the actual > protocol particul

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-27 Thread Matt Dunwoodie
On Wed, 27 May 2020 09:34:53 +0200 Martin Pieuchot wrote: > Hello Matt, > > Thank you for your submission. Hi Martin, No worries, thank you for your feedback. This is something I want to help make happen and if I recall correctly, someone once said that if I wanted a new feature on OpenBSD t

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-27 Thread Otto Moerbeek
On Wed, May 27, 2020 at 03:14:29AM -0600, Jason A. Donenfeld wrote: > One interesting quirk in doing this on qemu is that the 6.7 and > -current kernel both crash: > > Loading FCode image... > Loaded 6882 bytes > entry point is 0x4000 > Evaluating FCode... > OpenBSD IEEE 1275 Bootblock 2.0 > Unha

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-27 Thread Jason A. Donenfeld
On Wed, May 27, 2020 at 2:12 AM Jason A. Donenfeld wrote: > > Hi again Klemens, > > On Tue, May 26, 2020 at 5:42 PM Jason A. Donenfeld wrote: > > > > On Tue, May 26, 2020 at 4:52 PM Jason A. Donenfeld wrote: > > > With regards to your crash, though, that's a bit more puzzling, and > > > I'd be i

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-27 Thread Jason A. Donenfeld
Hey David, On Wed, May 27, 2020 at 2:26 AM David Gwynne wrote: > > On Tue, May 26, 2020 at 05:42:13PM -0600, Jason A. Donenfeld wrote: > > On Tue, May 26, 2020 at 4:52 PM Jason A. Donenfeld wrote: > > > With regards to your crash, though, that's a bit more puzzling, and > > > I'd be interested t

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-27 Thread David Gwynne
On Tue, May 26, 2020 at 05:42:13PM -0600, Jason A. Donenfeld wrote: > On Tue, May 26, 2020 at 4:52 PM Jason A. Donenfeld wrote: > > With regards to your crash, though, that's a bit more puzzling, and > > I'd be interested to learn more details. Because these structs are > > already naturally align

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-27 Thread Jason A. Donenfeld
Hi again Klemens, On Tue, May 26, 2020 at 5:42 PM Jason A. Donenfeld wrote: > > On Tue, May 26, 2020 at 4:52 PM Jason A. Donenfeld wrote: > > With regards to your crash, though, that's a bit more puzzling, and > > I'd be interested to learn more details. Because these structs are > > already nat

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-27 Thread Matt Dunwoodie
On Tue, 26 May 2020 13:28:22 +0200 Tobias Heider wrote: > Hi Matt, > > just repeating what I commented yesterday for the new diff to make > sure it isn't overlooked. Thank you for repeating it, I didn't get around to addressing it before the new diff. > > +int > > +wg_ioctl_get(struct wg_softc

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-27 Thread Jason A. Donenfeld
Hi Martin, To answer a few but not all of your questions: On Wed, May 27, 2020 at 1:34 AM Martin Pieuchot wrote: > First question is, is it possible to use the wg(4) interface without a > port? No, that is not how WireGuard works. For details on the actual protocol particulars, please see https

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-27 Thread Martin Pieuchot
Hello Matt, Thank you for your submission. On 26/05/20(Tue) 19:39, Matt Dunwoodie wrote: > After some feedback and comments, we've addressed the concerns, and > fixed a few things from our side too. Overall the structure is familiar > with no major changes, so any prior readings mostly carry over

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-26 Thread Jason A. Donenfeld
On Tue, May 26, 2020 at 4:52 PM Jason A. Donenfeld wrote: > With regards to your crash, though, that's a bit more puzzling, and > I'd be interested to learn more details. Because these structs are > already naturally aligned, the __packed attribute, even with the odd > nesting Matt had prior, shou

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-26 Thread Jason A. Donenfeld
Hey Klemens, Theo, On Tue, May 26, 2020 at 2:38 PM Klemens Nanni wrote: > > On Tue, May 26, 2020 at 02:23:06PM -0600, Jason A. Donenfeld wrote: > > That's good news that it's working for you now, but I didn't change > > anything within the last 24 hours (you mentioned "yesterday") that > > would

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-26 Thread Jason A. Donenfeld
On Tue, May 26, 2020 at 2:33 PM Theo de Raadt wrote: > > Jason A. Donenfeld wrote: > > > Hey Klemens, > > > > On Tue, May 26, 2020 at 9:13 AM Klemens Nanni wrote: > > > I worked with the patches from the wireguard-openbsd repository after > > > version one of this diff on tech@ became a bit old.

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-26 Thread Theo de Raadt
Jason A. Donenfeld wrote: > Hey Klemens, > > On Tue, May 26, 2020 at 9:13 AM Klemens Nanni wrote: > > I worked with the patches from the wireguard-openbsd repository after > > version one of this diff on tech@ became a bit old. > > > > That was until yesterday; the kernel would panic due to me

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-26 Thread Jason A. Donenfeld
Hey Klemens, On Tue, May 26, 2020 at 9:13 AM Klemens Nanni wrote: > I worked with the patches from the wireguard-openbsd repository after > version one of this diff on tech@ became a bit old. > > That was until yesterday; the kernel would panic due to memory > alignment issues in various spots,

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-26 Thread Jason A. Donenfeld
Hey Tobias, On Tue, May 26, 2020 at 5:28 AM Tobias Heider wrote: > > + if (((SIZE_MAX - size) / sizeof(struct wg_aip_io)) < sc->sc_aip_num) > > + goto error; > > I still think those two should return an error. 'goto error' is misleading as > it doesn't actually set ret != 0. 'er
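Review bot: the `goto error` taken when the `SIZE_MAX` check against `sc->sc_aip_num` fails needs an error value assigned before the jump. As the quoted review points out, that path does not set `ret` to a non-zero value, so a size calculation that would overflow can leave the ioctl without telling the caller anything went wrong. Assign the errno to `ret` immediately before `goto error`, or return the error directly from the check, and do the same for the second check the review refers to.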

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-26 Thread Klemens Nanni
On Tue, May 26, 2020 at 08:09:48AM -0600, Theo de Raadt wrote: > I'll let you know who has sparc64 machines to help out: > > kn was the developer who saw the problem. jca is also adept > enough to look at this with you. I worked with the patches from the wireguard-openbsd repository after version

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-26 Thread Theo de Raadt
I'll let you know who has sparc64 machines to help out: kn was the developer who saw the problem. jca is also adept enough to look at this with you.

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-26 Thread Tobias Heider
On Tue, May 26, 2020 at 07:39:01PM +1000, Matt Dunwoodie wrote: > Hi tech, > > After some feedback and comments, we've addressed the concerns, and > fixed a few things from our side too. Overall the structure is familiar > with no major changes, so any prior readings mostly carry over. > > This i

Re: WireGuard patchset for OpenBSD, rev. 2

2020-05-26 Thread Jason A. Donenfeld
Hey tech@, A few things I thought I should add to our v2 revision: First, the improvements we've made in the last few weeks have been pretty substantial, and we've now got a much more faithful protocol implementation. I've been running this on a few high traffic servers, and I'll probably move de

Re: WireGuard patchset for OpenBSD

2020-05-25 Thread Jason A. Donenfeld
On Mon, May 25, 2020 at 2:16 PM Theo de Raadt wrote: > > I'll make a comment that I am quite unhappy about this ioctl > methodology. I don't like void *'s and varying sizes. > > I would be much happier if this was a fixed structure, filled with > known objects. > > It looks fragile. Indeed the f

Re: WireGuard patchset for OpenBSD

2020-05-25 Thread Theo de Raadt
I'll make a comment that I am quite unhappy about this ioctl methodology. I don't like void *'s and varying sizes. I would be much happier if this was a fixed structure, filled with known objects. It looks fragile. Tobias Heider wrote: > Hi Matt, > > i finally found some time to look at yo

Re: WireGuard patchset for OpenBSD

2020-05-25 Thread Tobias Heider
Hi Matt, i finally found some time to look at your diff and it looks pretty good to me so far. I have a few question about the SIOCGWG ioctl. > +void > +wg_status(void) > +{ > + size_t i, j, size = 0; > + struct timespec now; > + char hb

Re: WireGuard patchset for OpenBSD

2020-05-12 Thread Ingo Schwarze
Hi Matt, Matt Dunwoodie wrote on Wed, May 13, 2020 at 01:56:51AM +1000: > On Tue, 12 May 2020 17:36:15 +0200 > Ingo Schwarze wrote: >> I feel somewhat concerned that you recommend the openssl(1) command >> for production use. As far as i understand, the LibreSSL developers >> consider openssl(1

Re: WireGuard patchset for OpenBSD

2020-05-12 Thread Ingo Schwarze
Hi Matt, again, documentation is not critical for the initial commit, but why not provide feedback right away. As we already have an ifconfig(8) manual page, i decided to simply send an updated version of the ifconfig.8 part of the diff because sending around diffs of diffs feels awkward, and you

Re: WireGuard patchset for OpenBSD

2020-05-12 Thread Matt Dunwoodie
On Tue, 12 May 2020 17:36:15 +0200 Ingo Schwarze wrote: > Hi Matt, > > thanks for doing all this work. Note that i cannot provide feedback > on the code or concepts, and also note that when the code is ready, > a developer can commit it even if there are still issues to sort out > with the docu

Re: WireGuard patchset for OpenBSD

2020-05-12 Thread Ingo Schwarze
Hi Matt, thanks for doing all this work. Note that i cannot provide feedback on the code or concepts, and also note that when the code is ready, a developer can commit it even if there are still issues to sort out with the documentation. We do value good documentation, but the exact point in tim

Re: WireGuard patchset for OpenBSD

2020-05-12 Thread Theo de Raadt
Matt Dunwoodie wrote: > +.Ek > +.nr nS 0 > +.Pp Ask schwarze@ about that. > +Unlike the other commands, the following command receives input from > +stdin. This allows very fast configuration with a large number of > +peers. > + > +.Bl -tag -width Ds New sentence, new line. And no blank lines.

Re: WireGuard patchset for OpenBSD

2020-05-12 Thread Matt Dunwoodie
On Tue, 12 May 2020 14:44:45 +0200 Tobias Heider wrote: > Hi, > > thanks for the diff! > > > SipHash and ChaCha20Poly1305 are already available in the kernel. > > The only modification here is add the short and simple chapoly AEAD > > construction alongside the existing AE one. > > At first

Re: WireGuard patchset for OpenBSD

2020-05-12 Thread Tobias Heider
Hi, thanks for the diff! > SipHash and ChaCha20Poly1305 are already available in the kernel. The > only modification here is add the short and simple chapoly AEAD > construction alongside the existing AE one. At first glance, I think you could use the crypto framework implementation for the chac

Re: WireGuard patchset for OpenBSD

2020-05-12 Thread Kevin Chadwick
On 2020-05-12 10:00, Jason A. Donenfeld wrote: > Djb has a nice post on chacha performance in > this context: . I shall leave this to the wireguard folks to explore but I'm not totally convinced. It is not just about speed. Perhaps Int

Re: WireGuard patchset for OpenBSD

2020-05-12 Thread Jason A. Donenfeld
On Tue, May 12, 2020 at 3:48 AM Kevin Chadwick wrote: > > On 2020-05-12 06:05, Matt Dunwoodie wrote: > > I don't want to put misleading numbers out there and every use case > >is different, therefore you should perform your own tests. In my > >environment (tcbbench between two Lenovo x230

Re: WireGuard patchset for OpenBSD

2020-05-12 Thread Kevin Chadwick
On 2020-05-12 06:05, Matt Dunwoodie wrote: > I don't want to put misleading numbers out there and every use case >is different, therefore you should perform your own tests. In my >environment (tcbbench between two Lenovo x230 (i5-3320m), em(4) >ethernet) I was seeing 750mbit/s. This wa

Re: WireGuard patchset for OpenBSD

2020-05-11 Thread Jason A. Donenfeld
On Tue, May 12, 2020 at 12:37 AM Theo de Raadt wrote: > > Jason A. Donenfeld wrote: > > > On Mon, May 11, 2020 at 11:03:45PM -0600, Jason A. Donenfeld wrote: > > > I plan to publish some easy one-click > > > scripts for users to mess around with the kernel support while we're > > > working throug

Re: WireGuard patchset for OpenBSD

2020-05-11 Thread Theo de Raadt
Jason A. Donenfeld wrote: > On Mon, May 11, 2020 at 11:03:45PM -0600, Jason A. Donenfeld wrote: > > I plan to publish some easy one-click > > scripts for users to mess around with the kernel support while we're > > working through it here on the list. > > While tailing my opensmtpd log waiting f

Re: WireGuard patchset for OpenBSD

2020-05-11 Thread Jason A. Donenfeld
On Mon, May 11, 2020 at 11:03:45PM -0600, Jason A. Donenfeld wrote: > I plan to publish some easy one-click > scripts for users to mess around with the kernel support while we're > working through it here on the list. While tailing my opensmtpd log waiting for the mailing list server to release it

Re: WireGuard patchset for OpenBSD

2020-05-11 Thread Jason A. Donenfeld
Hey folks, [resending, as my original reply was to Matt's message that got killed by the graylist, so he resent with a new msgid.] Just wanted to chime in here to mention how thrilled I am about this. Matt has been at this for a long time, came to visit Paris last summer to work with me on this,

Re: WireGuard patchset for OpenBSD

2020-05-11 Thread Jason A. Donenfeld
Hey folks, Just wanted to chime in here to mention how thrilled I am about this. Matt has been at this for a long time, came to visit Paris last summer to work with me on this, and I think the end result is a very high quality implementation. I expect all sorts of useful feedback on network driver