The example in the man page at some point changed:
- \fBPostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP
+ \fBPreUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP
This is actually wrong because PreUp is followed by set_config(), which
calls `wg setconf`, which in turn deletes the private key from the
interface because it is missing from the configuration. Replacing this
with `wg addconf` is safe to do because the interface is newly created.
Suggested-by: Matthias Dressel <code@deadcode.eu> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
wg-quick: linux: deal with resolvconf migration more gracefully
When Ubuntu systems upgrade from Debian's atrocious resolvconf to the
systemd-resolve symlink, they sometimes leave around
/etc/resolvconf/interface-order, which then winds up breaking the
detection and passing the bogus 'tun.' prefix to systemd's resolvconf,
resulting in failure. Work around this by only doing the 'tun.' prefix
hack if resolvconf isn't a symlink. This is ugly but so it goes.
Reported-by: Andrei Borzenkov <arvidjaar@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Robyn Kosching [Wed, 15 Jan 2025 11:33:50 +0000 (12:33 +0100)]
wg-quick: pass on # comments to {Pre,Post}{Up,Down}
Currently commands in {Pre,Post}{Up,Down} are stripped of everything
starting with the first #, even if the # is escaped or in a string. This
patch leaves comment interpretation to the shell, as it can presumably
already handle the difference between comments and escaped #.
Signed-off-by: Robyn Kosching <robyn@kosching.me>
[Jason: massage commit message, port to other platforms] Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
syncconf: account for psks removed from config file
Otherwise removing a psk from a config file wouldn't reflect on the
runtime state.
Note that this could have been implemented more simply, by just setting
WGPEER_HAS_PRESHARED_KEY on all of the file's peers, since the psk slot
is zeroed by calloc in config.c, and this way ones with no set key will
be cleared. The downside is that this means every peer update will take
the handshake lock in the kernel, creating more work and possibly
contention:
if (preshared_key) {
down_write(&peer->handshake.lock);
memcpy(&peer->handshake.preshared_key, preshared_key,
NOISE_SYMMETRIC_KEY_LEN);
up_write(&peer->handshake.lock);
}
Avoid this by only setting it if there's a mismatch between the runtime
and the file. Computationally this shouldn't make much of a difference
because we can do it in the same iteration as the peer removal
detection.
Reported-by: Patrick Havelange <patrick.havelange_ext@softathome.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Jordan Rife [Sat, 17 May 2025 19:29:51 +0000 (12:29 -0700)]
ipc: linux: support incremental allowed ips updates
Extend the interface of `wg set` to leverage the WGALLOWEDIP_F_REMOVE_ME
flag, a direct way of removing a single allowed ip from a peer,
allowing for incremental updates to a peer's configuration. By default,
allowed-ips fully replaces a peer's allowed ips using
WGPEER_REPLACE_ALLOWEDIPS under the hood. When '+' or '-' is prepended
to any ip in the list, wg clears WGPEER_F_REPLACE_ALLOWEDIPS and sets
the WGALLOWEDIP_F_REMOVE_ME flag on any ip prefixed with '-'.
$ wg set wg0 peer <PUBKEY> allowed-ips +192.168.88.0/24,-192.168.0.1/32
This command means "add 192.168.88.0/24 to this peer's allowed ips if
not present, and remove 192.168.0.1/32 if present".
Use -isystem so that headers in uapi/ take precedence over system
headers; otherwise, the build will fail on systems running kernels
without the WGALLOWEDIP_F_REMOVE_ME flag.
Note that this patch is meant to be merged alongside the kernel patch
that introduces the flag.
Signed-off-by: Jordan Rife <jordan@jrife.io>
[Jason: removed linux ifdefs; this will eventually come to other platforms too. minor style nits.] Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
AF_INET assumes that IPv4 is built into the kernel, but it's completely
valid to build a kernel without it. unix(4) sockets, on the other hand,
are not-optional in the kernel build. Given that interface ioctls can
be invoked on any kind of socket, switch to the safer one to avoid
breaking on IPv6-only kernels.
Signed-off-by: Kyle Evans <kevans@FreeBSD.org> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Daniel Gröber [Wed, 7 Dec 2022 18:00:31 +0000 (19:00 +0100)]
wg-quick: run PreUp hook after creating interface
Currently PreUp hooks run before the interface is created. This is
problematic for moving the device into a Linux VRFs as this will
currently clear all assigned IPv6 addressess (possibly a bug), so if we
did this in PostUp (i.e. before add_addr) we'll have to manually re-add
all assigned addresses. This is obviously less than ideal.
Instead create the wg device just before running PreUp hooks. We apply
this to all platforms for consistency.
Test case:
$ ip link add vrf-test type vrf table 1234
$ ip link add wg-test type wireguard
$ ip addr add dev wg-test 192.168.42.42/24
$ ip addr add dev wg-test fe80::/64
$ ip -br addr show wg-test
wg-test DOWN 192.168.42.42/24 fe80::/64
$ ip link set dev wg-test master vrf-test
$ ip -br addr show wg-test
wg-test DOWN 192.168.42.42/32
Signed-off-by: Daniel Gröber <dxld@darkboxed.org> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Kyle Evans [Thu, 3 Nov 2022 18:20:29 +0000 (13:20 -0500)]
ipc: freebsd: NULL out some freed memory in kernel_set_device()
The `err` path in kernel_set_device() will attempt to free() allocated
nvl_peers, but these two cases meant we could end up attempting a use
after free or a double free, as we rely on nvlist_destroy(NULL) being
a NOP as well as free(NULL).
FreeBSD-Coverity: 1500421 Signed-off-by: Kyle Evans <kevans@FreeBSD.org> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Kyle Evans [Thu, 3 Nov 2022 17:59:01 +0000 (12:59 -0500)]
ipc: freebsd: avoid leaking memory in kernel_get_device()
Primarily, front-load validation of an allowed-ip entry to before we
allocate `aip`, so that we don't need to free() it if we end up skipping
this entry. Assert that `aip` is NULL after we exit the loop, as we
should have transfered ownership to the `peer` or freed it in all paths
through the allowed-ip loop.
FreeBSD-Coverity: 1500405 Signed-off-by: Kyle Evans <kevans@FreeBSD.org> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Kyle Evans [Sat, 29 Oct 2022 01:45:05 +0000 (20:45 -0500)]
ipc: freebsd: move if_wg path to reflect new in-tree location
When we re-added if_wg to the tree, we changed directories in dev to
strip the if_ (we don't use this prefix for other interfaces'
directories). Adjust it here as a convenience, so that when we import
wireguard-tools to FreeBSD the path will just work as-is with our usual
build.
Signed-off-by: Kyle Evans <kevans@FreeBSD.org> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Tom Yan [Fri, 17 Jun 2022 11:34:19 +0000 (19:34 +0800)]
wg-quick: linux: prevent traffic from momentarily leaking into tunnel
The wireguard route table ip rule should stay as a no-op until the
`suppress_prefixlength 0 table main` rule is in effect. Therefore, add
the wireguard default route to its route table after the latter rule is
added.
Signed-off-by: Tom Yan <tom.ty89@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Matt Dunwoodie [Tue, 7 Sep 2021 11:48:53 +0000 (21:48 +1000)]
wg-quick: openbsd: set DNS with resolvd(8)
OpenBSD has introduced a new daemon named resolvd(8) to manage
resolv.conf. This creates problems with the old "horrible way" of
completely replacing resolv.conf. Resolvd will attempt to merge manual
changes with DNS servers discovered through dhcpleased(8) and slaacd(8).
Unfortunately, resolvd puts any manual modifications at the end of
resolv.conf, meaning that the wg-quick name servers will be queried
last.
The process for handling multiple name servers (at least with libc) is
to try a name server, and if the query times out, try the next, until
out of name servers, then repeat trying all name servers until a maximum
number of retries are performed. The name servers are queried in the
order listed in resolv.conf and the timeout is 5 seconds.
With this patch, we ensure the wg-quick name server is first in
resolv.conf (as route creates the name server with "static" priority),
but cannot ensure it is exclusive. Therfore, it may be possible that
queries are leaked to other name servers if the wg-quick name server
doesn't respond within 5 seconds.
We have another problem however, and that is if resolvd detects unwind
is running, it will set 127.0.0.1 as the only name server in
resolv.conf. unwind does not have deterministic name server selection in
the default configuration. This means, all a user would need to do to
inadvertently cause persistent query leaks would be to run `rcctl enable
unwind`.
There are warnings added when these situations may occur.
The next step is to add an exclusive flag and search to route and
resolvd.
Reported-by: Matthieu Herrb <matthieu@herrb.eu> Signed-off-by: Matt Dunwoodie <ncon@noconroy.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Hangbin Liu [Mon, 17 May 2021 08:17:30 +0000 (16:17 +0800)]
contrib/launchd: fix xml syntax error
The current plist xml gets error "DOCTYPE improperly terminated" with xml
syntax checker[1]. The example in apple doc[2] also doesn't have semicolon
at the end of DOCTYPE line.
Fixes: b30e74b5956a ("wg-quick: darwin: support being called from launchd") Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
If the route monitor doesn't attempt to write more to stdout, then this
leaves a process hanging around. Kill it explicitly. We also switch to
using exec in the process substitution, to reduce a bash process.
Closes: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255286 Reported-by: Christos Chatzaras <chris@cretaforce.gr> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
wg-quick: freebsd: avoid writing private keys to /tmp
FreeBSD's bash doesn't handle <(...) safely, creating a temporary file
instead of using /proc/self/fd/N like on Linux. Work around this by
using a simple pipeline with /dev/stdin.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This reverts commit 26683f6c9ad18d9914b23312c221f27fd5ecab51, which
means the old problem comes back. That's an issue. But waiting on
process substitutions is not available with commonly used bash versions:
# wg-quick up demo
[#] ip link add demo type wireguard
[#] wg setconf demo /dev/fd/63
/usr/bin/wg-quick: line 251: wait: pid 2955 is not a child of this shell
[#] ip link delete dev demo
This means we have to wait a few years before fixing this issue. IOW,
bash limitation; can't fix.
Reported-by: Theodore Mozzo <theodore.mozzo@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
wg-quick: android: use iproute2 to bring up interface instead of ndc
Android 11's ndc regresses even more, but it turns out that netd doesn't
need to track up/down state via direct invocation, so just set the
interface up by way of normal iproute2.
Reported-by: Harsh Shandilya <me@msfjarvis.dev> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Bash does not propagate error values, which is a bummer, but process
substitutions are a useful feature. Introduce a new idiom to deal with
this: either "; wait $!" after the line to propagate the error, or "||
true" to indicate explicitly that we don't care about the error.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
We also make these constant time, even though we're never distinguishing
between bits of a secret using them. From that perspective, though, this
is markedly better than the locale-specific table lookups in glibc, even
though base64 characters span two cache lines and valid private keys
must hit both.
Co-authored-by: Samuel Neves <sneves@dei.uc.pt> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Samuel Neves <sneves@dei.uc.pt>
Users can now run `systemctl reload wg-quick@wgnet0`, as described in
the wg-quick(8) man page. Note that this won't adjust Address=, DNS=, or
the various other non-wg(8) fields.
Signed-off-by: Domonkos P. Tomcsanyi <domi@tomcsanyi.net>
[zx2c4: use exec for bash commands to reduce excess forks, and rewrite
commit message] Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Prior we only supported a blacklist, but actually a whitelist is an
easier algorithm because that's internally how netd considers it, so we
don't need to find range spans. This commit adds an IncludedApplications
key.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
It turns out that the binary actually gets smaller if we simply inline
the very small parts of libmnl that we need. Since we wind up needing
the mnlg bits anyway, there's little benefit in linking to libmnl.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
projects / thirdparty / wireguard-tools.git / log
