go test: correct tai64n and formatting

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

external-tests: add keepalive packet

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

go test: properly pad message

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: allow creating device with no peers

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

rust test: add icmp ping

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

rust test: convert screech test to snow

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: update wg-quick(8) to show Debian resolvconf braindamage

While OpenResolv supports explicit ordering directives such as `-m` and
exclusivity directives such as `-x`, Debian's own resolvconf supports
none of this, instead using a hard coded list of interface name
templates for determining ordering. While trying to emulate `-x` is
difficult [*], we can at least try to mostly emulate `-m 0` by
masquerading as a `tun*` interface to resolvconf. Ugly, but it works.

[*] One heavy handed way of emulating `-x` would be something like:

   # echo nameserver 8.8.8.8 > /etc/resolv.conf.wg0-exclusive
   # mount --bind -o ro /etc/resolv.conf.wg0-exclusive /etc/resolv.conf
   # rm -f /etc/resolv.conf.wg0-exclusive

This in practice works quite well, but is a bit heavy to put in a man
page. It also doesn't "stack" well. For example, if we simply run
`umount /etc/resolv.conf`, how do we know which resolv.conf entry we're
unmounting?

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: use src routing for default routes in v6

Otherwise, traffic is sent with the IP address of a different interface,
and then packets don't actually get delivered.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

man: fix psk mention in wg-quick man page

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: opt-in globally to GNU-isms to keep the BSDs happy

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: support text-based ipc

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: check for proto error on set too

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: stricter key file reading

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

noise: redesign preshared key mode

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: auto MTU discovery

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: retry name resolution on temporary failure

This should solve many problems at init time.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: no hyphen in preshared, to keep uniformity

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: argc is always 1

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: check for malloc failure

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: side channel resistant base64

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: do not use addrconfig with port in gai

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

uapi: add version magic

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: various cleanups

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: document # comments in wg(8) man page

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: support old ip(8)

Old versions of ip(8) do not accept arguments to `ip rule show.` This
patch works around that limitation.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

contrib: add wg-json utility

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: fix bash completion spaces

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: add wg show [interface] dump

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: give "off" value for fwmark

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: allow config files without trailing newline

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

extract-keys: respect compat directives

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: unquote fwmark for bash 4.3

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: set LC_ALL for consistent regex

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

socket: enable setting of fwmark

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

socket: general ephemeral ports instead of name-based ports

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: support v6 dual stack

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: remove key for any empty file

Rather than just using /dev/null to mean key removal, match on any empty
file, so that this interface is cross platform.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: setconf should remove existing psk

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: recommend using resolvconf in exclusive mode

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: man: recommend correct port

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: parse IPv6 endpoints correctly

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: better removal of suppress_prefix rule

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Update copyright

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

uapi: use sockaddr union instead of sockaddr_storage

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

uapi: use flag instead of C bitfield for portability

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: ipc: read from socket incrementally

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: error on short ret reads

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-quick: enforce good permissions

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: add installation note for distros

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: remove DESTDIR for autodetection

DESTDIR is always empty, no need to check anything there. Check the main
system instead.

Signed-off-by: Christian Hesse <mail@eworm.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: add systemd unit and auto-detection

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: add makefile instructions

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: add wg-quick

This is based on wg-config, but is even easier to use, and now makes
our full tools suite.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: add bash completion for wg(8)

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

contrib: slight ncat tweak

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: syscall.h should actually be sys/syscall.h

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-config: use ip rules instead of tungate

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

external-tests: update to latest

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: rename 'bandwidth' to 'transfer' in output

'bandwidth' is a measure of speed, but wg's output shows only the
number of bytes transferred. Thus 'transfer' is a better label.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-config: cleanups

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: do not use AI_ADDRCONFIG

Some people run wg(8) using hard coded v6 addresses before interfaces
have v6 addresses, causing getaddrinfo to fail. Since AI_ADDRCONFIG
doesn't actualy change the sorting, but just the queries made, we don't
really need AI_ADDRCONFIG anyway, since we're always only taking the
first result.

Reported-by: Benedikt Morbach <benedikt.morbach@googlemail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: allowed-ips is easier to parse with spaces instead of ", "

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg-config: cleanup ip parsing

This also sorts routes by cidr.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: fix latest-handshake typo in documentation

Reported-by: Dan Lüdtke <mail@danrl.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

contrib: add wg-config

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: warn about clock going backward

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

headers: cleanup notices

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: chill modern gcc out

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

qemu: move build outside of kernel dir to avoid kernel's make clean

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: abstract pkg-config to PKG_CONFIG

Distros like Exherbo have multitarget setups with toolnames prefixed by
the arch.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: everybody hates automatic stripping

I happen to like it, but package managers don't. The GNU standard [1]
says there should be a separate install-strip target. I don't like
duplicating code like that. So, instead, I'll just remove stripping all
together.

[1] https://www.gnu.org/prep/standards/html_node/Standard-Targets.html

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

git: organize ignore files

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Rework headers and includes

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: allow multiple AllowedIPs invocations

It turns out this is a somewhat natural thing to do in config files.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

examples: add key extractor

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

examples: add nat-hole-punching

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

tests: use makefile and expand greatly

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

persistent-keepalive: change range to [1,65535]

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: use correct headers in ipc

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: do not show private keys in pretty output

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

c: specify static array size in function params

The C standard states:

  A declaration of a parameter as ``array of type'' shall be adjusted to ``qualified pointer to
  type'', where the type qualifiers (if any) are those specified within the [ and ] of the
  array type derivation. If the keyword static also appears within the [ and ] of the
  array type derivation, then for each call to the function, the value of the corresponding
  actual argument shall provide access to the first element of an array with at least as many
  elements as specified by the size expression.

By changing void func(int array[4]) to void func(int array[static 4]),
we automatically get the compiler checking argument sizes for us, which
is quite nice.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: use stream instead of seqpacket

To support OS X and Windows, we have to. Ugh.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: Use seqpacket instead of dgram

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: add -MP to makefile

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: add default cflag

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: propagate set errno

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: abstract sockets are dangerous

They have no permissions, so we're probably better off just creating a
socket file with the umask set, as we do in BSD.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: rename kernel to ipc

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: support horrible freebsd/osx/unix semantics

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: first additions of userspace integration

This is designed to work with a server that follows this:

  struct sockaddr_un addr = {
      .sun_family = AF_UNIX,
      .sun_path = "/var/run/wireguard/wguserspace0.sock"
  };
  int fd, ret;
  ssize_t len;
  socklen_t socklen;
  struct wgdevice *device;

  fd = socket(AF_UNIX, SOCK_DGRAM, 0);
  if (fd < 0)
      exit(1);
  if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
      exit(1);

  for (;;) {
      /* First we look at how big the next message is, so we know how much to
       * allocate. Note on BSD you can instead use ioctl(fd, FIONREAD, &len). */
      len = recv(fd, NULL, 0, MSG_PEEK | MSG_TRUNC);
      if (len < 0) {
          handle_error();
          continue;
      }
      /* Next we allocate a buffer for the received data. */
      device = NULL;
      if (len) {
          device = malloc(len);
          if (!device) {
              handle_error();
              continue;
          }
      }
      /* Finally we receive the data, storing too the return address. */
      socklen = sizeof(addr);
      len = recvfrom(fd, device, len, 0, (struct sockaddr *)&addr, (socklen_t *)&socklen);
      if (len < 0) {
          handle_error();
          free(device);
          continue;
      }
      if (!len) { /* If len is zero, it's a "get" request, so we send our device back. */
          device = get_current_wireguard_device(&len);
          sendto(fd, device, len, 0, (struct sockaddr *)&addr, socklen);
      } else { /* Otherwise, we just received a wgdevice, so we should "set" and send back the return status. */
          ret = set_current_wireguard_device(device);
          sendto(fd, &ret, sizeof(ret), 0, (struct sockaddr *)&addr, socklen);
          free(device);
      }
  }

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

wg: fix numbering in man page

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

persistent keepalive: use authenticated keepalives

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

examples: update ncat-client-server readme

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

persistent keepalive: enable in an example

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

persistent keepalive: documentation

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

persistent keepalive: add userspace support

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

go test: don't rely on undefined append behavior

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

rust test: actually use tai64n

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

go test: actually use TAI64N

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

go test: don't use 1 as icmp ids

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>