Paths

Table of Contentst

wireguard: add a very simple rc.d script
AbandonedPublic
Actions

Authored by dch on Jan 28 2021, 4:24 PM.

Details

Reviewers

mmacy
grehan
decke

Summary

There's some *very* sketchy notes at https://hackmd.io/CIR3ALlmS1SEJa9fgXBFRw as I work my
way through first time using wireguard. I expect the config format below to be insufficient
for moderate use cases, but should be good enough for a base 13.0R to have a simple config
/etc/rc.conf.d/wireguard like below, and for it to be functional enough to get started.

wireguard_enable=YES
# you can share the entire config file across servers and just rely on
# wireguard_local_hostname to avoid adding this node as a peer
# wireguard_local_hostname=wintermute
wireguard_local_route="-net 10.0.0.0/24"

# the private key will be created on first use
# the public key will be derived from the private key on first load

# peers go here
wireguard_peers="wintermute straylight continuity flatline"

# each peer has mandatory, and optional parameters
# mandatory: public_key
# optional: allowed_ips, endpoint, ... pre / post scripts

wireguard_peer_continuity_allowed_ips="10.0.0.8/32"
wireguard_peer_continuity_endpoint="172.16.1.8:54321"
wireguard_peer_continuity_public_key="T9mxK11y7Vbaqv4lA3Af6G7KE0qT2B322btrfmQwC3w="

wireguard_peer_flatline_allowed_ips="10.0.0.1/32"
wireguard_peer_flatline_endpoint="172.16.1.1:54321"
wireguard_peer_flatline_public_key="Vjp1YrfPRie2tTeN8Ik4CdyHnc9eL/zlXTKquhsTKDU="

wireguard_peer_straylight_allowed_ips="10.0.0.5/32"
wireguard_peer_straylight_endpoint="172.16.1.5:54321"
wireguard_peer_straylight_public_key="UNxuh/5EQVE42DoaC5G14WkycL8oi3H114Bg+Q9qPxY="

wireguard_peer_wintermute_allowed_ips="10.0.0.4/32"
wireguard_peer_wintermute_endpoint="172.16.1.4:54321"
wireguard_peer_wintermute_public_key="MN/o29krOyJBgnhi3Vgt4weGceCU4dROR4wRIyOr7C8="

Test Plan

Feedback

Matt, Bernhard - comments welcomed & many thanks

Fixes

public keys don't match other WG implementations

Peter - are you able to commit your patch or should I find somebody else?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252894

private key is displayed by ifconfig

The private key is only shown in ifconfig wg0 output when UID=root,
but this still means that it will show up in logs unless we deliberately
obscure it each time. I can understand that we want an easy way to display
the private key, but I don't think it should come out by default if you do
sudo ifconfig this is risky.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 36581
Build 33470: arc lint + arc unit

Event Timeline

dch created this revision.Jan 28 2021, 4:24 PM

Herald added a subscriber: imp. · View Herald TranscriptJan 28 2021, 4:24 PM

dch requested review of this revision.Jan 28 2021, 4:24 PM

Harbormaster completed remote builds in B36581: Diff 83054.Jan 28 2021, 4:24 PM

dch edited the summary of this revision. (Show Details)Jan 28 2021, 4:33 PM

dch edited the test plan for this revision. (Show Details)

dch added reviewers: mmacy, grehan, decke.

The good thing is that it does not need any new tools but it also does not support:

multiple wireguard interfaces
allow empty endpoints (which is valid for wireguard)
add peers at runtime without destroying the interface

and the local interface config in peers looks a bit strange - why can't this have his own variables for address, private-key, listen-port outside of peers?

dch edited the test plan for this revision. (Show Details)Jan 28 2021, 4:40 PM

Should we also update rc.conf(5) ?

overcome by events

Revision Contents
Changeset List

Path

Size

libexec/

rc/

rc.d/

wireguard

114 lines

Diff 83054

View Options

wireguard: add a very simple rc.d scriptAbandonedPublicActions