Using WG for transport security in a p2p network
tim at sedlmeyer.org
Thu Apr 5 18:06:51 CEST 2018
On Thu, Apr 5, 2018 at 3:13 AM, Matthias Urlichs <matthias at urlichs.de> wrote:
>> Another option would be to run insecure QUIC or SCTP on top of WireGuard,
> You cannot run SCTP on the Internet anyway. Too many routers block anything
> that's not TCP/UDP/ICMP.
>> I'm also wondering how easy this would be to program. It would clearly be
>> more heavyweight than simply opening a socket, but I guess it can be done
>> invocations of the `wg` or `wg-quick` tools.
> Don't use the tools. There's a library around that you can use to do all of
> the heavy lifting via netlink sockets. You'll also need the privilege to
> assign addresses and routes to the WG interfaces.
>> Ideally we wouldn't need root
> If you go the netlink route, you do need one process that has the
> appropriate privilege, which means root at install time (but not runtime).
The process doesn't need full root permissions even at install time.
Whatever process is going to create and manage the interfaces needs the
CAP_NET_ADMIN capability.
>> Once the network is live, we'd need the transport protocol to be relatively
>> stable, or at least be easily upgradeable
> Well, the WG wire protocol is supposed to be stable by now. Switching away
> from it would require new code on your side anyway, so you can implement the
> exact method of switching at that time.
> -- Matthias Urlichs
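Tim's point is that the interface-management process needs only CAP_NET_ADMIN, not a full root identity. The script below is an added example, not code from this thread or from the WireGuard project: it decodes the CapEff mask that Linux exposes in /proc/<pid>/status and reports whether CAP_NET_ADMIN (bit 12 in the kernel's capability numbering) is present, so an operator can confirm a deployment really did drop everything else. The three masks it checks are constructed for the demonstration, and the binary path in the trailing setcap note is a placeholder.

```shell
#!/bin/sh
# Added example: decide from a CapEff bitmask whether CAP_NET_ADMIN is held.
# CapEff in /proc/<pid>/status is a 64-bit hex mask; CAP_NET_ADMIN is bit 12
# (from the kernel's capability.h), i.e. the value 0x1000.

CAP_NET_ADMIN_BIT=12

# has_cap_net_admin HEXMASK -> exit 0 if CAP_NET_ADMIN is set, 1 otherwise
has_cap_net_admin() {
    mask="$1"
    bit=$(( (0x$mask >> CAP_NET_ADMIN_BIT) & 1 ))
    [ "$bit" -eq 1 ]
}

# current_cap_eff -> prints the CapEff mask of the calling process (Linux only)
current_cap_eff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Demonstration against constructed masks, not read from a live system:
#   000001ffffffffff  every capability (what an unrestricted root process holds)
#   0000000000001000  CAP_NET_ADMIN alone (the least privilege Tim describes)
#   0000000000000000  no capabilities at all
for m in 000001ffffffffff 0000000000001000 0000000000000000; do
    if has_cap_net_admin "$m"; then
        echo "$m: CAP_NET_ADMIN present"
    else
        echo "$m: CAP_NET_ADMIN absent"
    fi
done

# On a real host, grant only this capability to the management binary
# (placeholder path) and verify it, instead of running the binary as root:
#   setcap cap_net_admin+ep /path/to/wg-manager
#   getcap /path/to/wg-manager
# From inside the running process, `current_cap_eff` should then show a mask
# with bit 12 set and nothing else required.
```

The check runs under plain POSIX sh (hex constants inside `$(( ))` are standard); only `current_cap_eff` depends on Linux's /proc layout.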