Commit graph

308 commits

Author SHA1 Message Date
Jonathan Neuschäfer
ef54cbf568 manpages: eliminate whitespace at the end of the line
This eliminates a few style warnings from "mandoc -T lint src/tools/wg*.8".

Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-22 04:09:39 +02:00
Jason A. Donenfeld
02733c681b wg-quick: android: don't forget to free compiled regexes
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-17 19:36:37 +02:00
Jason A. Donenfeld
3bbacaaf14 wg-quick: android: disable roaming to v6 networks when v4 is specified
This works around an unfortunate bug in 464XLAT transitions.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-17 19:36:37 +02:00
Jason A. Donenfeld
6f85449d79 wg: getentropy requires 10.12
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-14 05:25:23 +02:00
Jason A. Donenfeld
0632c8af68 wg: support getentropy(3)
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-08 03:24:46 +02:00
Jason A. Donenfeld
d90e49599b wg: encoding: add missing static array constraints
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-06 00:05:58 +02:00
Jason A. Donenfeld
8c4cf156d5 wg-quick: android: change name of intent
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-04 07:05:58 +02:00
Jason A. Donenfeld
2044bb026d wg-quick: android: delay setting users until end
`ndc users add` eventually invokes SOCK_DESTROY on user sockets, causing
them to reconnect. By delaying this until after routes are set, we
ensure that the sockets reconnect using the tunnel, rather than the old
route.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-31 16:38:08 +02:00
Jason A. Donenfeld
2bca99893f wg: constanter time encoding
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-31 01:24:51 +02:00
Jason A. Donenfeld
206e8f08e2 wg-quick: darwin: set DNS servers after delay on route change
This works around a race condition in macOS's network daemons, while
also adding one in the form of possibly calling kill -ALRM on a stale
PID; unfortunately bash can't wait from a trap.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-31 01:24:51 +02:00
Jason A. Donenfeld
d532074ef5 wg-quick: freebsd: configure as p2p link
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-27 05:24:07 +02:00
Jason A. Donenfeld
df6c69e98c wg-quick: darwin: add multiple IP addresses
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-27 05:22:55 +02:00
Jason A. Donenfeld
19ce650fb6 wg-quick: determine IPs when saving interface
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-27 02:42:31 +02:00
Jason A. Donenfeld
c99e6beecb wg-quick: freebsd: work around security vulnerabilities in bash
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-24 02:24:02 +02:00
Jason A. Donenfeld
86dd5587a9 wg-quick: allow enumeration of socket files
These OSes have an unpriv'd ifconfig, so this isn't an even larger info
leak.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-23 15:31:47 +02:00
Jason A. Donenfeld
3d089e07e2 wg-quick: better bash completion for non-renaming OSes
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-23 15:24:07 +02:00
Jason A. Donenfeld
d40231c766 wg-quick: support FreeBSD/Darwin search path
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-23 15:24:07 +02:00
Jason A. Donenfeld
b818e71ba5 wg: always pass -v as first argument to install
This lets crippled OSes sed out our -v more easily.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-23 05:23:59 +02:00
Jason A. Donenfeld
6b7f88aa7d wg-quick: openbsd: add new implementation
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-22 16:41:59 +02:00
Jason A. Donenfeld
333363f77c wg-quick: freebsd: add new implementation
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-22 16:41:59 +02:00
Jason A. Donenfeld
52eb6a187c wg-quick: darwin: do not remove routes when no real interface
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-22 16:41:59 +02:00
Jason A. Donenfeld
59dae33e9a wg-quick: darwin: rename namefile environment variable
This paves the way for an openbsd implementation.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-22 16:41:59 +02:00
Filippo Valsorda
9d52a812c8 wg: fix OpenBSD build
License: MIT
Signed-off-by: Filippo Valsorda <valsorda@google.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-22 16:41:59 +02:00
Jason A. Donenfeld
a8654606c2 wg: fix errno propagation and messages
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-18 19:51:51 +02:00
Jason A. Donenfeld
434bc616b2 wg-quick: darwin: simpler inclusion check
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-17 19:30:34 +02:00
Jason A. Donenfeld
986feba2ee wg-quick: darwin: reorder functions
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-17 05:01:50 +02:00
Jason A. Donenfeld
80ff1f8ded wg-quick: darwin: networksetup does not like missing stdio
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-17 05:01:50 +02:00
Jason A. Donenfeld
884f7c50ce wg-quick: darwin: avoid routing loop if no default
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-17 04:08:53 +02:00
Jason A. Donenfeld
0d9f30246d wg-quick: darwin: sometimes there are no network services
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-17 03:26:51 +02:00
Jason A. Donenfeld
fe9bc71e40 wg-quick: use invoking shell in auto rooting
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-16 19:19:48 +02:00
Jason A. Donenfeld
6c407ae27b wg-quick: add intentionally undocumented userspace implementation knob
This knob might disappear at some point, and we don't want to encourage
its use, so it's not being documented, but this should help with
development of new implementations.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-16 04:25:42 +02:00
Jason A. Donenfeld
4502350512 wg-quick: darwin: use bash from environment and require bash 4+
For properly configured Homebrew installations /usr/local/bin should be
before /bin, so this should still work. This allows the script to be
used in more than one setting.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-16 04:25:42 +02:00
Jason A. Donenfeld
699777da8c wg-quick: darwin: restore DNS on down
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-16 04:05:04 +02:00
Jason A. Donenfeld
9c18c70da6 wg-quick: darwin: bash correctness
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-16 04:05:04 +02:00
Jason A. Donenfeld
f64f0cc740 wg-quick: darwin: remove v6 routes after shutdown
This works around a Darwin kernel bug regarding interface removal.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-16 04:05:04 +02:00
Jason A. Donenfeld
cfa4203be7 wg-quick: darwin: ensure socket directory exists
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-16 04:05:04 +02:00
Jason A. Donenfeld
a5412d1056 wg-quick: add darwin implementation
It's pretty rough and leaves much to be desired, but it works.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-15 02:12:13 +02:00
Jason A. Donenfeld
5d9433d73f wg-quick: add wg symlink
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-14 19:23:17 +02:00
Jason A. Donenfeld
a563ba2cf9 wg-quick: add android implementation
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-14 18:23:52 +02:00
Jason A. Donenfeld
08c78a65af wg: reorganize for multiplatform wg-quick
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-14 18:18:40 +02:00
Jason A. Donenfeld
0b64881c7a wg-quick: preliminary support for go implementation
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-10 19:23:02 +02:00
Jason A. Donenfeld
81879fe346 wg-quick: account for specified fwmark in auto routing mode
If we're doing automatic routing with default routes, but the config has
also specified an explicit fwmark, then use that explicit fwmark, even
if it's conflicting, since the administrator has explicitly opted into
using it. Also, when shutting down the interface, we only now remove the
fancy rules if we're in automatic routing mode with default routes.

Suggested-by: Luis Ressel <aranea@aixah.de>
Reported-by: Saeid Akbari <saeidscorp@yahoo.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-04-15 15:41:57 +02:00
Jason A. Donenfeld
cd19f54970 wg-quick.8: fix typo
Reported-by: Mike Pechkin <mike.pechkin@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-04-04 10:53:20 -04:00
Jason A. Donenfeld
81b7e4863c wg-quick: hide errors on save
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-04 19:03:54 +01:00
Jason A. Donenfeld
e6ce5fd386 wg-quick: if resolvconf/run/iface exists, use it
Some older broken resolvconfs don't support resolvconf -l, but do have a
file in a standard location, so use it.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-04 18:50:25 +01:00
Jason A. Donenfeld
99264cb88f wg-quick: if resolvconf/interface-order exists, use it
Some older broken resolvconf implementations ignore -m, but do have an
interface-order list. It's better to use this list dynamically, in case
it changes, or in case it's not used by the OS's resolvconf
implementation, such as in the case of systemd or openresolv.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-04 18:50:25 +01:00
Jason A. Donenfeld
4574967465 global: in gnu code, use un-underscored asm
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-03-02 16:42:29 +01:00
Jason A. Donenfeld
d29e0bad7d wg: fixup errno handling
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-17 20:15:49 +01:00
Jason A. Donenfeld
ca5d2708e0 wg: FreeBSD doesn't have EAI_NODATA
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-17 19:30:05 +01:00
Jason A. Donenfeld
5ecc49a62f wg: do not collide types with libc clashes
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-17 18:58:31 +01:00
Jason A. Donenfeld
186df55998 wg(8): clarify phrasing
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-17 05:55:03 +01:00
Jason A. Donenfeld
437116f238 wg: allow in-line comments
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-17 05:55:03 +01:00
Jason A. Donenfeld
186272048d wg: normalize strncpy/snprintf usage
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-14 23:21:11 +01:00
Jason A. Donenfeld
725258b9e3 wg-quick: match from beginning rather than shift right
Before, this meant that it simply took the last 15 characters, instead
of erroring out when there's more than 15 chars.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-06 12:52:09 +01:00
Jason A. Donenfeld
5be1ce2aab wg: endian.h is not portable
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-05 12:26:28 +01:00
Jason A. Donenfeld
bee5bbb6f3 curve25519: replace fiat64 with faster hacl64
This reverts commit da4ff396cc5d5e0ff21f9ecbc2f951c048c63fff and adds
some optimizations to hacl64.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-01 19:51:50 +01:00
Jason A. Donenfeld
40ae0e0bba curve25519: replace hacl64 with fiat64
For now, it's faster:

hacl64: 109782 cycles per call
fiat64: 108984 cycles per call

It's quite possible this commit will be reverted with nice changes from
INRIA, though.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-02-01 19:51:50 +01:00
Jason A. Donenfeld
bc3f283148 wg: dedup secret normalization
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-01-31 15:58:17 +01:00
Jason A. Donenfeld
1e5d6b9a66 wg: fread doesn't change errno
Thus we might be responding to an old errno, which could cause this to
unnecessarily fail.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-01-30 14:46:34 +01:00
Jason A. Donenfeld
b0d41e8b10 wg: share curve25519 implementations with kernel
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-01-23 11:55:44 +01:00
Jason A. Donenfeld
5306604aa5 curve25519-fiat32: uninline certain functions
While this has a negative performance impact on x86_64, it has a
positive performance impact on smaller machines, which is where we're
actually using this code. For example, an A53:

Before: fiat32: 228605 cycles per call
After: fiat32: 188307 cycles per call
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-01-18 20:14:27 +01:00
Jason A. Donenfeld
feea1e6f30 wg: import new curve25519 implementations
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-01-18 13:28:16 +01:00
Jason A. Donenfeld
723abc5098 wg: plug memleak in config error path
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-01-18 11:26:09 +01:00
Jason A. Donenfeld
7fc4c0af45 wg-quick: ifnames have max len of 15
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-01-10 02:51:01 +01:00
Jason A. Donenfeld
9207dec08f global: year bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-01-03 21:58:00 +01:00
Jason A. Donenfeld
5536e6de46 wg-quick: dumber matching for default routes
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-12-13 16:28:39 +01:00
Luis Ressel
31d8ebcd2a wg-quick: add the "Table" config option
* Table=auto (default) selects the current behaviour
* Table=off disables creation of routes altogether
* All other values are passed through to "ip route add"'s table option

Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-12-13 16:28:39 +01:00
Greg Kroah-Hartman
01d00bc035 global: add SPDX tags to all files
It's good to have SPDX identifiers in all files as the Linux kernel
developers are working to add these identifiers to all files.

Update all files with the correct SPDX license identifier based on the license
text of the project or based on the license in the file itself.  The SPDX
identifier is a legally binding shorthand, which can be used instead of the
full boiler plate text.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Modified-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-12-09 22:29:28 +01:00
Jason A. Donenfeld
f583209935 wg: no need to put this on the stack
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-12-03 15:07:52 +01:00
Jason A. Donenfeld
8bf100a25b wg: remove undocumented unused syntax
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-12-03 15:07:52 +01:00
Jason A. Donenfeld
30cf5eb883 wg: fix removing preshared keys
Also clean up related logic quite a bit and add unit tests.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-11-23 11:09:12 +01:00
Jason A. Donenfeld
bc1f6be5db global: switch from timeval to timespec
This gets us nanoseconds instead of microseconds, which is better, and
we can do this pretty much without freaking out existing userspace,
which doesn't actually make use of the nano/micro seconds field:

zx2c4@thinkpad ~ $ cat a.c
void main()
{
        puts(sizeof(struct timeval) == sizeof(struct timespec) ? "success" : "failure");
}
zx2c4@thinkpad ~ $ gcc a.c -m64 && ./a.out
success
zx2c4@thinkpad ~ $ gcc a.c -m32 && ./a.out
success

This doesn't solve y2038 problem, but timespec64 isn't yet a thing in
userspace.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-11-22 18:32:48 +01:00
Jason A. Donenfeld
08ce3b2426 wg: tighten up strtoul parsing
Reported-by: Cedric Buxin <cedric.buxin@izri.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-11-17 14:06:18 +01:00
Jason A. Donenfeld
be4597e10f wg-quick: document localhost exception and v6 rule
Reported-by: Hermann Lienstromberg <nurtic-vibe@grmml.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-11-12 00:57:44 +09:00
Jason A. Donenfeld
e77a77a805 wg: allow for NULL keys everywhere
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-11-11 12:30:49 +09:00
Jason A. Donenfeld
e7923ba775 wg: remove ioctl cruft
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-11-11 12:19:55 +09:00
Jason A. Donenfeld
e0775354bd wg-quick: allow for tabs in keys
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-11-10 16:20:09 +09:00
Jason A. Donenfeld
d8ad40da25 wg-quick: stat the correct enclosing folder of config file
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-11-10 16:20:09 +09:00
Jason A. Donenfeld
753dc179b6 wg-quick: save all hooks on save
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-11-01 00:55:19 +01:00
Jason A. Donenfeld
6e313371cc wg-quick: fsync the temporary file before renaming
This ensures that on an unclean shutdown, we either see the old content
or the new content, but not empty content.

Suggested-by: Ka Ho Ng <ngkaho1234@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-31 18:13:31 +01:00
Jason A. Donenfeld
eb181e811c wg-quick: allow for saving existing interface
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-31 17:51:38 +01:00
Jason A. Donenfeld
2207025c2f wg: correct type for CTRL_ATTR_FAMILY_ID
Suggested-by: Jörg Thalheim <joerg@thalheim.io>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-31 17:25:23 +01:00
Jason A. Donenfeld
d30d9630b6 wg-quick: allow for the hatchet, but not by default
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-31 17:25:23 +01:00
Jason A. Donenfeld
9bcb48eacd wg-quick: remember to rewind DNS settings on failure
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-31 17:25:23 +01:00
Jason A. Donenfeld
17f9548182 wg-quick: allow specifiying multiple hooks
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-31 17:25:23 +01:00
Jason A. Donenfeld
b1dd8d711e global: style nits
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-31 17:25:23 +01:00
Jason A. Donenfeld
d9d0a2cbed global: infuriating kernel iterator style
One types:

   for (i = 0 ...

So one should also type:

  for_each_obj (obj ...

But the upstream kernel style guidelines are insane, and so we must
instead do:

  for_each_obj(obj ...

Ugly, but one must choose his battles wisely.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-31 17:25:23 +01:00
Jason A. Donenfeld
fe703c0cf5 wg: account for padding being in zero attribute
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-17 19:26:07 +02:00
Jason A. Donenfeld
88b1d35ec0 wg: newline after warning
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-17 19:26:07 +02:00
Jason A. Donenfeld
06e7bdf2a5 wg: style
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-17 19:26:07 +02:00
Jason A. Donenfeld
6f9b135966 wg: add pass example to wg-quick man page
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-17 19:26:07 +02:00
Jason A. Donenfeld
65db14706b wg: don't insist on having a private key
This lets us do flexible things from wg-quick such as:

PostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)

It also was never a very sensible policy to enforce.

Suggested-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-17 19:26:07 +02:00
Jason A. Donenfeld
085796b210 wg: retry resolution except when fatal
The reference to this is <https://sourceware.org/glibc/wiki/NameResolver>,
which mentions:

"From the perspective of the application that calls getaddrinfo() it
perhaps doesn't matter that much since EAI_FAIL, EAI_NONAME and
EAI_NODATA are all permanent failure codes and the causes are all
permanent failures in the sense that there is no point in retrying
later."

This should cover more early-boot situations.

While we're at it, we clean up the logic a bit so that we don't have a
retry message on the final non-retrying attempt. We also peer into errno
when receiving EAI_SYSTEM, to report to the user what actually happened.

Also, fix the quoting back tick front tick mess.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-17 19:26:07 +02:00
Jason A. Donenfeld
7fe7f81088 wg: encoding: be more paranoid
Needless, but overkill can be fun.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-17 19:26:07 +02:00
Jason A. Donenfeld
eb68ad0722 Makefile: even prettier output
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-17 19:26:07 +02:00
Jason A. Donenfeld
d7b3f0fcaf wg: man: include kill-switch documentation using fwmark
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-11 15:50:29 +02:00
Jason A. Donenfeld
4e0e99c74d wg: store tail pointer to make coalescing peers fast
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-10 17:19:01 +02:00
Jason A. Donenfeld
e13b1e719b wg: warn once on unrecognized items
DaveM suggests we do in fact do this. Others on the same thread weren't
happy about the length of the proposed message, so we also give a bit of
a less dramatic warning.

This reverts commit a2cc976a3b572cf308cc2d97c080eacac60416fe.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-09 13:31:18 +02:00
Jason A. Donenfeld
8774fccff3 wg: try again if dump is interrupted
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-08 16:24:37 +02:00
Jason A. Donenfeld
38ac0ff08e Makefile: clang now builds the kernel, so use scan-build
Also add little stub for coccinelle and clean up semicolon issue it
found.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-05 22:21:53 +02:00
Jason A. Donenfeld
e95fcccb4d Makefile: add non-verbose mode to tools
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-03 22:52:06 +02:00
Jason A. Donenfeld
a99b64e5a4 global: satisfy bitshift pedantry
Suggested-by: Sultan Alsawaf <sultanxda@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-03 06:20:48 +02:00
Jason A. Donenfeld
91416b0caf wg: compile on non-Linux
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 13:05:35 +02:00
Jason A. Donenfeld
573bd7f303 wg: simmer down silly compilers
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 03:44:06 +02:00
Jason A. Donenfeld
53e5b4fa89 wg: do not warn on unrecognized items
Upstream advice is to simply be silent.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 02:51:57 +02:00
Jason A. Donenfeld
83caaa7a96 wg-quick: check permissions of parent directory
Also prefix octal 0, in case these files are actually of modes that
don't start with 0 by accident (such as SUID or sticky bit).

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 02:45:53 +02:00
Jason A. Donenfeld
cbd2b0531f wg-quick: verify wireguard interface in more clever way
This helps with old Debian which has ancient iproute2, as well as paving
the path toward this script supporting userspace implementations.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 02:45:53 +02:00
Jason A. Donenfeld
a566bde126 wg-quick: anchor sysctl regex to start and end
This doesn't actually fix a real problem, but it is more correct than
not having it.

Suggested-by: Aaron Sigel <aaron@vtty.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 02:45:53 +02:00
Jason A. Donenfeld
5b65f87e9f netlink: switch from ioctl to netlink for configuration
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-10-02 02:45:53 +02:00
Jason A. Donenfeld
9a0790b50a wg: uapi: only make sure socket file is socket
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-26 15:04:07 +02:00
Jason A. Donenfeld
9ef84af8c0 wg: use key_is_zero for comparing to zeros
Maybe an attacker on the system could use the infoleak in /proc to gauge
how long a wg(8) process takes to complete and determine the number of
leading zeros. This is somewhat ridiculous, but it's possible somebody
somewhere might at somepoint care in the future, so alright.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-24 23:10:15 +02:00
Jason A. Donenfeld
92feabdd17 wg-quick: only bash complete existing interfaces for down
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-09-06 20:51:41 +02:00
Jason A. Donenfeld
34337b0906 wg: fix removal of psk
This is an attribute of the peer, not the device.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-23 12:51:52 -06:00
Jason A. Donenfeld
bc9494f8b6 wg: stricter userspace ipc parsing
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-08-02 21:09:22 +02:00
Jason A. Donenfeld
6b27d0d0f0 wg-quick: add explicit support for common DNS usage
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-26 03:38:09 +02:00
Jason A. Donenfeld
41e50edbe5 wg-quick: do not use grep
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-24 23:22:10 +02:00
Jason A. Donenfeld
11204afd6f wg-quick: do not set explicit src route for v6 default route
This was only required because clueless network operators were trying to
route fec0::/10 globally, when that range doesn't actually have global
scope. Now that we understand the cause was operator error, we revert
the change here, so that the routing table is kept consistent.

This reverts commit 64e47de870a2f0575b5564a70e5680b48ab83ff9.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-24 23:19:38 +02:00
Jason A. Donenfeld
077dac0514 wg-quick: usage typos
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-20 06:48:57 +02:00
Jason A. Donenfeld
aad91ae679 global: wireguard.io --> wireguard.com
Due to concerns with the .io TLD, we are switching to using
wireguard.com instead.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-07-20 03:37:39 +02:00
Jason A. Donenfeld
e22155a3b7 wg: remove double include in ipc
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-29 14:34:27 +02:00
Jason A. Donenfeld
d3ebbaccab wg-quick: use printf -v instead of namerefs for bash 4.2
I'm not happy about this.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-28 05:28:54 +02:00
Jason A. Donenfeld
cf4b3ebd08 wg-quick: properly match IPv6 endpoint
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-24 02:06:26 +02:00
Jason A. Donenfeld
f90f8f33a7 wg: use proper __linux__ ifdef
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-12 17:02:12 +02:00
Jason A. Donenfeld
eaa64b198b wg-quick: match ipv6 default route more broadly
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-12 00:20:31 +02:00
Jason A. Donenfeld
1b5234f3d5 wg-quick: make sure we have empty table for both v6 and v4
Otherwise, we wind up not doing the right thing in the v6-only case, or
doing something totally borked when v4 and v6 are filled unevenly.

Reported-by: Roelf Wichertjes <contact@roelf.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-06-11 23:39:17 +02:00
Jason A. Donenfeld
32afe0e220 wg: allow creating device with no peers
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-31 05:35:34 +02:00
Jason A. Donenfeld
f65fba7dd8 man: update wg-quick(8) to show Debian resolvconf braindamage
While OpenResolv supports explicit ordering directives such as `-m` and
exclusivity directives such as `-x`, Debian's own resolvconf supports
none of this, instead using a hard coded list of interface name
templates for determining ordering. While trying to emulate `-x` is
difficult [*], we can at least try to mostly emulate `-m 0` by
masquerading as a `tun*` interface to resolvconf. Ugly, but it works.

[*] One heavy handed way of emulating `-x` would be something like:

   # echo nameserver 8.8.8.8 > /etc/resolv.conf.wg0-exclusive
   # mount --bind -o ro /etc/resolv.conf.wg0-exclusive /etc/resolv.conf
   # rm -f /etc/resolv.conf.wg0-exclusive

This in practice works quite well, but is a bit heavy to put in a man
page. It also doesn't "stack" well. For example, if we simply run
`umount /etc/resolv.conf`, how do we know which resolv.conf entry we're
unmounting?

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-30 18:07:28 +02:00
Jason A. Donenfeld
682b15cb5e wg-quick: use src routing for default routes in v6
Otherwise, traffic is sent with the IP address of a different interface,
and then packets don't actually get delivered.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-18 14:41:34 +02:00
Jason A. Donenfeld
641b479b44 man: fix psk mention in wg-quick man page
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-18 14:41:24 +02:00
Jason A. Donenfeld
3a7be3fac5 wg: opt-in globally to GNU-isms to keep the BSDs happy
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 18:34:23 +02:00
Jason A. Donenfeld
945fae0c7c wg: support text-based ipc
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 18:13:14 +02:00
Jason A. Donenfeld
c3b2dbcdb0 wg: check for proto error on set too
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 18:07:42 +02:00
Jason A. Donenfeld
067ebe2cb9 wg: stricter key file reading
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 18:07:42 +02:00
Jason A. Donenfeld
fabb6eca2b noise: redesign preshared key mode
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 18:07:42 +02:00
Jason A. Donenfeld
13db708a0f wg-quick: auto MTU discovery
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 18:07:42 +02:00
Jason A. Donenfeld
83223f8e4c wg: retry name resolution on temporary failure
This should solve many problems at init time.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-05-17 18:07:42 +02:00
Jason A. Donenfeld
c98c415bd1 wg: no hyphen in preshared, to keep uniformity
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-04-20 22:53:00 +02:00
Jason A. Donenfeld
5fab6f18d5 wg: argc is always 1
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-04-19 18:26:32 +02:00
Jason A. Donenfeld
6a967c63a7 wg: check for malloc failure
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-04-19 18:26:32 +02:00
Jason A. Donenfeld
755217bd85 wg: side channel resistant base64
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-04-19 18:26:32 +02:00
Jason A. Donenfeld
d42dd68add wg: do not use addrconfig with port in gai
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-03-28 10:46:31 +02:00
Jason A. Donenfeld
6d20c647d0 uapi: add version magic
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-03-24 04:44:27 +01:00
Jason A. Donenfeld
a8803c17a7 wg-quick: various cleanups
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-03-24 04:44:27 +01:00
Jason A. Donenfeld
3067b59798 wg: document # comments in wg(8) man page
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-03-24 04:44:27 +01:00
Pim van Pelt
ef66ea99e4 wg-quick: support old ip(8)
Old versions of ip(8) do not accept arguments to `ip rule show.` This
patch works around that limitation.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-03-19 15:34:46 +01:00
Jason A. Donenfeld
aefa5e8edc wg: fix bash completion spaces
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-02-23 07:09:49 +01:00
Jason A. Donenfeld
bda4b8c60b wg: add wg show [interface] dump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-02-23 07:09:49 +01:00
Jason A. Donenfeld
d4edc7baa8 wg: give "off" value for fwmark
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-02-23 07:09:49 +01:00
Jason A. Donenfeld
a9bcd0d401 wg-quick: allow config files without trailing newline
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-02-23 07:09:49 +01:00
Jason A. Donenfeld
6448d5557c wg-quick: unquote fwmark for bash 4.3
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2017-02-14 11:41:56 +01:00