Commit graph

342 commits

Author SHA1 Message Date
Jason A. Donenfeld 83caaa7a96 wg-quick: check permissions of parent directory
Also prefix octal 0, in case these files are actually of modes that
don't start with 0 by accident (such as SUID or sticky bit).

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 02:45:53 +02:00
Jason A. Donenfeld cbd2b0531f wg-quick: verify wireguard interface in more clever way
This helps with old Debian which has ancient iproute2, as well as paving
the path toward this script supporting userspace implementations.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 02:45:53 +02:00
Jason A. Donenfeld a566bde126 wg-quick: anchor sysctl regex to start and end
This doesn't actually fix a real problem, but it is more correct than
not having it.

Suggested-by: Aaron Sigel <aaron@vtty.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 02:45:53 +02:00
Jason A. Donenfeld 5b65f87e9f netlink: switch from ioctl to netlink for configuration
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 02:45:53 +02:00
Jason A. Donenfeld 9a0790b50a wg: uapi: only make sure socket file is socket
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-26 15:04:07 +02:00
Jason A. Donenfeld 9ef84af8c0 wg: use key_is_zero for comparing to zeros
Maybe an attacker on the system could use the infoleak in /proc to gauge
how long a wg(8) process takes to complete and determine the number of
leading zeros. This is somewhat ridiculous, but it's possible somebody
somewhere might at some point care in the future, so alright.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-24 23:10:15 +02:00
Jason A. Donenfeld 6c7d67acfe contrib: add sticky sockets example code
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-24 23:10:15 +02:00
Jason A. Donenfeld 92feabdd17 wg-quick: only bash complete existing interfaces for down
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-06 20:51:41 +02:00
Jason A. Donenfeld 34337b0906 wg: fix removal of psk
This is an attribute of the peer, not the device.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-23 12:51:52 -06:00
Jason A. Donenfeld bc9494f8b6 wg: stricter userspace ipc parsing
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-02 21:09:22 +02:00
Jason A. Donenfeld 1019175179 contrib: move Android tools to wireguard-android repo
https://git.zx2c4.com/wireguard-android/
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-01 23:22:41 +02:00
Jason A. Donenfeld a9d19159a9 android: fix readme
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-26 04:10:33 +02:00
Jason A. Donenfeld 6b27d0d0f0 wg-quick: add explicit support for common DNS usage
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-26 03:38:09 +02:00
Jason A. Donenfeld 41e50edbe5 wg-quick: do not use grep
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-24 23:22:10 +02:00
Jason A. Donenfeld 11204afd6f wg-quick: do not set explicit src route for v6 default route
This was only required because clueless network operators were trying to
route fec0::/10 globally, when that range doesn't actually have global
scope. Now that we understand the cause was operator error, we revert
the change here, so that the routing table is kept consistent.

This reverts commit 64e47de870a2f0575b5564a70e5680b48ab83ff9.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-24 23:19:38 +02:00
Jason A. Donenfeld 91fb17a014 android: add port of wg-quick
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-24 23:19:38 +02:00
Jason A. Donenfeld 077dac0514 wg-quick: usage typos
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-20 06:48:57 +02:00
Jason A. Donenfeld aad91ae679 global: wireguard.io --> wireguard.com
Due to concerns with the .io TLD, we are switching to using
wireguard.com instead.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-20 03:37:39 +02:00
Samuel Holland 28f373e9cd gitignore: ignore split DWARF debug info
Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-03 23:06:27 +02:00
Jason A. Donenfeld e22155a3b7 wg: remove double include in ipc
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-29 14:34:27 +02:00
Jason A. Donenfeld d3ebbaccab wg-quick: use printf -v instead of namerefs for bash 4.2
I'm not happy about this.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-28 05:28:54 +02:00
Jason A. Donenfeld cf4b3ebd08 wg-quick: properly match IPv6 endpoint
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-24 02:06:26 +02:00
Jason A. Donenfeld e7fd4cfd3f haskell: re-add updated haskell example
Code-from: John Galt <jgalt@centromere.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-24 02:06:26 +02:00
Jason A. Donenfeld f90f8f33a7 wg: use proper __linux__ ifdef
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-12 17:02:12 +02:00
Jason A. Donenfeld eaa64b198b wg-quick: match ipv6 default route more broadly
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-12 00:20:31 +02:00
Jason A. Donenfeld 1b5234f3d5 wg-quick: make sure we have empty table for both v6 and v4
Otherwise, we wind up not doing the right thing in the v6-only case, or
doing something totally borked when v4 and v6 are filled unevenly.

Reported-by: Roelf Wichertjes <contact@roelf.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-11 23:39:17 +02:00
Jason A. Donenfeld fbf715ea45 external-tests: trim the fat
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-09 02:56:08 +02:00
Jason A. Donenfeld bdbb6298a0 go test: use x/crypto for blake2s now that we have 128-bit mac
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-08 04:24:13 +02:00
Jason A. Donenfeld 9fbd187288 go test: correct tai64n and formatting
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-01 22:58:38 +02:00
Jason A. Donenfeld 19c89f3c3a external-tests: add keepalive packet
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-01 18:45:20 +02:00
Jason A. Donenfeld a1e931f9dc go test: properly pad message
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-01 06:31:26 +02:00
Jason A. Donenfeld 32afe0e220 wg: allow creating device with no peers
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-31 05:35:34 +02:00
Jason A. Donenfeld 8d8ea7a4fb rust test: add icmp ping
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-30 18:07:28 +02:00
Jake McGinty 2d8abfd5a0 rust test: convert screech test to snow
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-30 18:07:28 +02:00
Jason A. Donenfeld f65fba7dd8 man: update wg-quick(8) to show Debian resolvconf braindamage
While OpenResolv supports explicit ordering directives such as `-m` and
exclusivity directives such as `-x`, Debian's own resolvconf supports
none of this, instead using a hard coded list of interface name
templates for determining ordering. While trying to emulate `-x` is
difficult [*], we can at least try to mostly emulate `-m 0` by
masquerading as a `tun*` interface to resolvconf. Ugly, but it works.

[*] One heavy handed way of emulating `-x` would be something like:

   # echo nameserver 8.8.8.8 > /etc/resolv.conf.wg0-exclusive
   # mount --bind -o ro /etc/resolv.conf.wg0-exclusive /etc/resolv.conf
   # rm -f /etc/resolv.conf.wg0-exclusive

This in practice works quite well, but is a bit heavy to put in a man
page. It also doesn't "stack" well. For example, if we simply run
`umount /etc/resolv.conf`, how do we know which resolv.conf entry we're
unmounting?

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-30 18:07:28 +02:00
Jason A. Donenfeld 682b15cb5e wg-quick: use src routing for default routes in v6
Otherwise, traffic is sent with the IP address of a different interface,
and then packets don't actually get delivered.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-18 14:41:34 +02:00
Jason A. Donenfeld 641b479b44 man: fix psk mention in wg-quick man page
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-18 14:41:24 +02:00
Jason A. Donenfeld 3a7be3fac5 wg: opt-in globally to GNU-isms to keep the BSDs happy
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 18:34:23 +02:00
Jason A. Donenfeld 945fae0c7c wg: support text-based ipc
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 18:13:14 +02:00
Jason A. Donenfeld c3b2dbcdb0 wg: check for proto error on set too
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 18:07:42 +02:00
Jason A. Donenfeld 067ebe2cb9 wg: stricter key file reading
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 18:07:42 +02:00
Jason A. Donenfeld fabb6eca2b noise: redesign preshared key mode
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 18:07:42 +02:00
Jason A. Donenfeld 13db708a0f wg-quick: auto MTU discovery
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 18:07:42 +02:00
Jason A. Donenfeld 83223f8e4c wg: retry name resolution on temporary failure
This should solve many problems at init time.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 18:07:42 +02:00
Jason A. Donenfeld c98c415bd1 wg: no hyphen in preshared, to keep uniformity
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-04-20 22:53:00 +02:00
Jason A. Donenfeld 5fab6f18d5 wg: argc is always 1
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-04-19 18:26:32 +02:00
Jason A. Donenfeld 6a967c63a7 wg: check for malloc failure
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-04-19 18:26:32 +02:00
Jason A. Donenfeld 755217bd85 wg: side channel resistant base64
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-04-19 18:26:32 +02:00
Jason A. Donenfeld d42dd68add wg: do not use addrconfig with port in gai
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-03-28 10:46:31 +02:00
Jason A. Donenfeld 6d20c647d0 uapi: add version magic
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-03-24 04:44:27 +01:00