Commit graph

355 commits

Author SHA1 Message Date
Jason A. Donenfeld 7fe7f81088 wg: encoding: be more paranoid
Needless, but overkill can be fun.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-17 19:26:07 +02:00
Jason A. Donenfeld eb68ad0722 Makefile: even prettier output
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-17 19:26:07 +02:00
Jason A. Donenfeld d7b3f0fcaf wg: man: include kill-switch documentation using fwmark
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-11 15:50:29 +02:00
Jason A. Donenfeld 4e0e99c74d wg: store tail pointer to make coalescing peers fast
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-10 17:19:01 +02:00
Jason A. Donenfeld e13b1e719b wg: warn once on unrecognized items
DaveM suggests we do in fact do this. Others on the same thread weren't
happy about the length of the proposed message, so we also give a bit of
a less dramatic warning.

This reverts commit a2cc976a3b572cf308cc2d97c080eacac60416fe.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-09 13:31:18 +02:00
Jason A. Donenfeld 8774fccff3 wg: try again if dump is interrupted
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-08 16:24:37 +02:00
Jason A. Donenfeld 38ac0ff08e Makefile: clang now builds the kernel, so use scan-build
Also add little stub for coccinelle and clean up semicolon issue it
found.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-05 22:21:53 +02:00
Jason A. Donenfeld e95fcccb4d Makefile: add non-verbose mode to tools
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-03 22:52:06 +02:00
Jason A. Donenfeld a99b64e5a4 global: satisfy bitshift pedantry
Suggested-by: Sultan Alsawaf <sultanxda@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-03 06:20:48 +02:00
Jason A. Donenfeld 0b795ca5d5 contrib: remove worthless build artifact
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 16:32:20 +02:00
Jason A. Donenfeld 91416b0caf wg: compile on non-Linux
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 13:05:35 +02:00
Jason A. Donenfeld 573bd7f303 wg: simmer down silly compilers
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 03:44:06 +02:00
Jason A. Donenfeld 53e5b4fa89 wg: do not warn on unrecognized items
Upstream advice is to simply be silent.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 02:51:57 +02:00
Jason A. Donenfeld 83caaa7a96 wg-quick: check permissions of parent directory
Also prefix octal 0, in case these files are actually of modes that
don't start with 0 by accident (such as SUID or sticky bit).

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 02:45:53 +02:00
Jason A. Donenfeld cbd2b0531f wg-quick: verify wireguard interface in more clever way
This helps with old Debian which has ancient iproute2, as well as paving
the path toward this script supporting userspace implementations.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 02:45:53 +02:00
Jason A. Donenfeld a566bde126 wg-quick: anchor sysctl regex to start and end
This doesn't actually fix a real problem, but it is more correct than
not having it.

Suggested-by: Aaron Sigel <aaron@vtty.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 02:45:53 +02:00
Jason A. Donenfeld 5b65f87e9f netlink: switch from ioctl to netlink for configuration
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 02:45:53 +02:00
Jason A. Donenfeld 9a0790b50a wg: uapi: only make sure socket file is socket
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-26 15:04:07 +02:00
Jason A. Donenfeld 9ef84af8c0 wg: use key_is_zero for comparing to zeros
Maybe an attacker on the system could use the infoleak in /proc to gauge
how long a wg(8) process takes to complete and determine the number of
leading zeros. This is somewhat ridiculous, but it's possible somebody
somewhere might at somepoint care in the future, so alright.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-24 23:10:15 +02:00
Jason A. Donenfeld 6c7d67acfe contrib: add sticky sockets example code
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-24 23:10:15 +02:00
Jason A. Donenfeld 92feabdd17 wg-quick: only bash complete existing interfaces for down
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-06 20:51:41 +02:00
Jason A. Donenfeld 34337b0906 wg: fix removal of psk
This is an attribute of the peer, not the device.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-23 12:51:52 -06:00
Jason A. Donenfeld bc9494f8b6 wg: stricter userspace ipc parsing
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-02 21:09:22 +02:00
Jason A. Donenfeld 1019175179 contrib: move Android tools to wireguard-android repo
https: //git.zx2c4.com/wireguard-android/
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-01 23:22:41 +02:00
Jason A. Donenfeld a9d19159a9 android: fix readme
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-26 04:10:33 +02:00
Jason A. Donenfeld 6b27d0d0f0 wg-quick: add explicit support for common DNS usage
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-26 03:38:09 +02:00
Jason A. Donenfeld 41e50edbe5 wg-quick: do not use grep
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-24 23:22:10 +02:00
Jason A. Donenfeld 11204afd6f wg-quick: do not set explicit src route for v6 default route
This was only required because clueless network operators were trying to
route fec0::/10 globally, when that range doesn't actually have global
scope. Now that we understand the cause was operator error, we revert
the change here, so that the routing table is kept consistent.

This reverts commit 64e47de870a2f0575b5564a70e5680b48ab83ff9.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-24 23:19:38 +02:00
Jason A. Donenfeld 91fb17a014 android: add port of wg-quick
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-24 23:19:38 +02:00
Jason A. Donenfeld 077dac0514 wg-quick: usage typos
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-20 06:48:57 +02:00
Jason A. Donenfeld aad91ae679 global: wireguard.io --> wireguard.com
Due to concerns with the .io TLD, we are switching to using
wireguard.com instead.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-20 03:37:39 +02:00
Samuel Holland 28f373e9cd gitignore: ignore split DWARF debug info
Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-03 23:06:27 +02:00
Jason A. Donenfeld e22155a3b7 wg: remove double include in ipc
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-29 14:34:27 +02:00
Jason A. Donenfeld d3ebbaccab wg-quick: use printf -v instead of namerefs for bash 4.2
I'm not happy about this.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-28 05:28:54 +02:00
Jason A. Donenfeld cf4b3ebd08 wg-quick: properly match IPv6 endpoint
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-24 02:06:26 +02:00
Jason A. Donenfeld e7fd4cfd3f haskell: re-add updated haskell example
Code-from: John Galt <jgalt@centromere.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-24 02:06:26 +02:00
Jason A. Donenfeld f90f8f33a7 wg: use proper __linux__ ifdef
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-12 17:02:12 +02:00
Jason A. Donenfeld eaa64b198b wg-quick: match ipv6 default route more broadly
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-12 00:20:31 +02:00
Jason A. Donenfeld 1b5234f3d5 wg-quick: make sure we have empty table for both v6 and v4
Otherwise, we wind up not doing the right thing in the v6-only case, or
doing something totally borked when v4 and v6 are filled unevenly.

Reported-by: Roelf Wichertjes <contact@roelf.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-11 23:39:17 +02:00
Jason A. Donenfeld fbf715ea45 external-tests: trim the fat
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-09 02:56:08 +02:00
Jason A. Donenfeld bdbb6298a0 go test: use x/crypto for blake2s now that we have 128-bit mac
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-08 04:24:13 +02:00
Jason A. Donenfeld 9fbd187288 go test: correct tai64n and formatting
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-01 22:58:38 +02:00
Jason A. Donenfeld 19c89f3c3a external-tests: add keepalive packet
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-01 18:45:20 +02:00
Jason A. Donenfeld a1e931f9dc go test: properly pad message
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-01 06:31:26 +02:00
Jason A. Donenfeld 32afe0e220 wg: allow creating device with no peers
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-31 05:35:34 +02:00
Jason A. Donenfeld 8d8ea7a4fb rust test: add icmp ping
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-30 18:07:28 +02:00
Jake McGinty 2d8abfd5a0 rust test: convert screech test to snow
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-30 18:07:28 +02:00
Jason A. Donenfeld f65fba7dd8 man: update wg-quick(8) to show Debian resolvconf braindamage
While OpenResolv supports explicit ordering directives such as `-m` and
exclusivity directives such as `-x`, Debian's own resolvconf supports
none of this, instead using a hard coded list of interface name
templates for determining ordering. While trying to emulate `-x` is
difficult [*], we can at least try to mostly emulate `-m 0` by
masquerading as a `tun*` interface to resolvconf. Ugly, but it works.

[*] One heavy handed way of emulating `-x` would be something like:

   # echo nameserver 8.8.8.8 > /etc/resolv.conf.wg0-exclusive
   # mount --bind -o ro /etc/resolv.conf.wg0-exclusive /etc/resolv.conf
   # rm -f /etc/resolv.conf.wg0-exclusive

This in practice works quite well, but is a bit heavy to put in a man
page. It also doesn't "stack" well. For example, if we simply run
`umount /etc/resolv.conf`, how do we know which resolv.conf entry we're
unmounting?

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-30 18:07:28 +02:00
Jason A. Donenfeld 682b15cb5e wg-quick: use src routing for default routes in v6
Otherwise, traffic is sent with the IP address of a different interface,
and then packets don't actually get delivered.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-18 14:41:34 +02:00
Jason A. Donenfeld 641b479b44 man: fix psk mention in wg-quick man page
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-18 14:41:24 +02:00