
wireguard: add a very simple rc.d script
Abandoned, Public

Authored by dch on Jan 28 2021, 4:24 PM.

Details

Reviewers
mmacy
grehan
decke
Summary

There are some *very* sketchy notes at https://hackmd.io/CIR3ALlmS1SEJa9fgXBFRw as I work my
way through using wireguard for the first time. I expect the config format below to be insufficient
for moderate use cases, but it should be good enough for a base 13.0R to have a simple config
/etc/rc.conf.d/wireguard like below, and for it to be functional enough to get started.

wireguard_enable=YES
# you can share the entire config file across servers and just rely on
# wireguard_local_hostname to avoid adding this node as a peer
# wireguard_local_hostname=wintermute
wireguard_local_route="-net 10.0.0.0/24"

# the private key will be created on first use
# the public key will be derived from the private key on first load

# peers go here
wireguard_peers="wintermute straylight continuity flatline"

# each peer has mandatory, and optional parameters
# mandatory: public_key
# optional: allowed_ips, endpoint, ... pre / post scripts

wireguard_peer_continuity_allowed_ips="10.0.0.8/32"
wireguard_peer_continuity_endpoint="172.16.1.8:54321"
wireguard_peer_continuity_public_key="T9mxK11y7Vbaqv4lA3Af6G7KE0qT2B322btrfmQwC3w="

wireguard_peer_flatline_allowed_ips="10.0.0.1/32"
wireguard_peer_flatline_endpoint="172.16.1.1:54321"
wireguard_peer_flatline_public_key="Vjp1YrfPRie2tTeN8Ik4CdyHnc9eL/zlXTKquhsTKDU="

wireguard_peer_straylight_allowed_ips="10.0.0.5/32"
wireguard_peer_straylight_endpoint="172.16.1.5:54321"
wireguard_peer_straylight_public_key="UNxuh/5EQVE42DoaC5G14WkycL8oi3H114Bg+Q9qPxY="

wireguard_peer_wintermute_allowed_ips="10.0.0.4/32"
wireguard_peer_wintermute_endpoint="172.16.1.4:54321"
wireguard_peer_wintermute_public_key="MN/o29krOyJBgnhi3Vgt4weGceCU4dROR4wRIyOr7C8="
Test Plan

Feedback

Matt, Bernhard - comments welcomed & many thanks

Fixes

  1. public keys don't match other WG implementations

Peter - are you able to commit your patch or should I find somebody else?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252894
  2. private key is displayed by ifconfig

The private key is only shown in ifconfig wg0 output when UID=root,
but this still means that it will show up in logs unless we deliberately
obscure it each time. I can understand that we want an easy way to display
the private key, but I don't think it should come out by default if you do
sudo ifconfig; this is risky.

Diff Detail

Repository: rS FreeBSD src repository - subversion
Lint: Lint OK
Unit: No Unit Test Coverage
Build Status: Buildable 36581
Build 33470: arc lint + arc unit

Event Timeline

dch requested review of this revision. Jan 28 2021, 4:24 PM
dch edited the test plan for this revision.
dch added reviewers: mmacy, grehan, decke.

The good thing is that it does not need any new tools but it also does not support:

  • multiple wireguard interfaces
  • allow empty endpoints (which is valid for wireguard)
  • add peers at runtime without destroying the interface

and the local interface config in peers looks a bit strange - why can't this have its own variables for address, private-key, listen-port outside of peers?

Should we also update rc.conf(5) ?
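An added example (not dch's rc.d script and not part of the review) of how the peer variables from the summary can be read in plain sh, skipping the node named by wireguard_local_hostname and allowing a peer with no endpoint as the comment above asks for; the "peer public-key ... endpoint ... allowed-ips ..." argument layout is an assumed rendering, the sample values are constructed from the summary's config.

```shell
#!/bin/sh
# Added example, not the script under review. Builds one argument string per
# configured peer from rc.conf-style variables. The keyword layout
# "peer public-key K endpoint E allowed-ips A" is an assumption; adapt it to
# whatever the wg driver's ifconfig/wg syntax actually is.

# Constructed sample config (subset of the summary; straylight has no endpoint
# on purpose, i.e. a listen-only peer that we never initiate to).
wireguard_local_hostname=wintermute
wireguard_peers="wintermute straylight continuity"
wireguard_peer_continuity_allowed_ips="10.0.0.8/32"
wireguard_peer_continuity_endpoint="172.16.1.8:54321"
wireguard_peer_continuity_public_key="T9mxK11y7Vbaqv4lA3Af6G7KE0qT2B322btrfmQwC3w="
wireguard_peer_straylight_allowed_ips="10.0.0.5/32"
wireguard_peer_straylight_public_key="UNxuh/5EQVE42DoaC5G14WkycL8oi3H114Bg+Q9qPxY="
wireguard_peer_wintermute_allowed_ips="10.0.0.4/32"
wireguard_peer_wintermute_endpoint="172.16.1.4:54321"
wireguard_peer_wintermute_public_key="MN/o29krOyJBgnhi3Vgt4weGceCU4dROR4wRIyOr7C8="

# peer_var NAME FIELD -> value of wireguard_peer_NAME_FIELD, empty if unset.
# Peer names must be valid sh identifier fragments (no '-'), as in rc.conf.
peer_var() {
    eval "printf '%s' \"\${wireguard_peer_${1}_${2}}\""
}

# peer_args NAME -> argument string for one peer. public_key is mandatory
# (rc 1 if missing); endpoint and allowed_ips are optional. A missing endpoint
# just omits the keyword, which is valid WireGuard (peer dials in to us).
peer_args() {
    _pk=$(peer_var "$1" public_key)
    [ -n "$_pk" ] || { echo "peer $1: public_key is mandatory" >&2; return 1; }
    _args="peer public-key $_pk"
    _ep=$(peer_var "$1" endpoint)
    [ -n "$_ep" ] && _args="$_args endpoint $_ep"
    _ips=$(peer_var "$1" allowed_ips)
    [ -n "$_ips" ] && _args="$_args allowed-ips $_ips"
    printf '%s\n' "$_args"
}

# all_peer_args -> one line per peer, skipping this host's own entry so one
# config file can be shared across every node (wireguard_local_hostname).
all_peer_args() {
    for _p in $wireguard_peers; do
        [ "$_p" = "$wireguard_local_hostname" ] && continue
        peer_args "$_p" || return 1
    done
}

all_peer_args
```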