Using WG for transport security in a p2p network

Ximin Luo ximin at
Thu Apr 5 21:00:31 CEST 2018

On Thu, Apr 5, 2018 at 9:06 AM, Tim Sedlmeyer <tim at> wrote:

> On Thu, Apr 5, 2018 at 3:13 AM, Matthias Urlichs <matthias at>
> wrote:
> >
> > Ideally we wouldn't need root
> >
> > If you go the netlink route, you do need one process that has the
> > appropriate privilege, which means root at install time (but not
> > runtime).
> The process doesn't need full root permissions even at install time.
> Whatever process is going to create and manage
> the interfaces needs the CAP_NET_ADMIN capability.

Thanks, that's good to know. Though CAP_NET_ADMIN is "almost root" (e.g.
see [1]) so it would be more comfortable to not even require that. But I
guess a "next best thing" would be to put minimal logic inside a small
program and give only this program CAP_NET_ADMIN. Possibly wireguard-rs's
`wgrs` has both sufficient and not-too-much functionality that we could
directly `setcap` that, I'll have to look into it in more detail.
Unfortunately `wg-quick` is a shell script which is more annoying to try to
`setcap` on.

Another approach I was thinking of was to extend wireguard to expose a
SOCKS5-UDP interface, or even simpler just a socket-wrapper API like
Python's `ssl.wrap_socket()`, and not use tunnel interfaces at all. Of
course this would run in userspace, but wireguard-rs already does that so I
hope there would be no "extra" performance penalty. Then one could run QUIC
through this, and I know that some SCTP implementations can run on top of
UDP too. Any further comments on this idea would be much appreciated.
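The "small program with only CAP_NET_ADMIN" idea above can be verified rather than assumed. With libcap's `setcap cap_net_admin+ep /path/to/helper` the binary gains that one capability at exec, and the process's effective set is visible in `/proc/<pid>/status` as the `CapEff` bitmask (bit 12 is CAP_NET_ADMIN in `<linux/capability.h>`). One caveat worth knowing for the `wg-quick` case: the kernel ignores file capabilities on a `#!` script, because what actually gets exec'd is the interpreter, so a shell script cannot be `setcap`'d at all. The checker below is an added example, not code from WireGuard or wireguard-rs; the helper name `wg-helper` and the two status dumps are constructed, and the "allowed" set is an assumption about what an interface-management helper needs.

```python
"""Inspect Linux capability sets as shown in /proc/<pid>/status and report
whether a process holds CAP_NET_ADMIN, and whether it holds more than it
should. Added example, not WireGuard project code; `wg-helper` and the
sample status text are constructed for illustration.
"""
import re

# Capability numbers from <linux/capability.h>; only a subset is named here,
# anything else is reported as CAP_<number>.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 10: "CAP_NET_BIND_SERVICE",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN", 23: "CAP_SYS_NICE",
    25: "CAP_SYS_TIME", 27: "CAP_MKNOD", 38: "CAP_PERFMON", 39: "CAP_BPF",
}
CAP_NET_ADMIN = 12

# Assumption: a helper that only creates/configures WireGuard interfaces over
# netlink (link add, keys/peers, addresses, routes) needs CAP_NET_ADMIN alone.
WG_HELPER_ALLOWED = {CAP_NET_ADMIN}

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)


def parse_status_caps(status_text):
    """Return {set_name: int_mask} for the Cap* lines of a /proc/<pid>/status dump."""
    return {name: int(hexmask, 16) for name, hexmask in _CAP_LINE.findall(status_text)}


def cap_name(n):
    return CAP_NAMES.get(n, "CAP_%d" % n)


def caps_in(mask):
    """Decode a capability bitmask into a list of capability names (ascending)."""
    return [cap_name(n) for n in range(64) if mask >> n & 1]


def has_cap(mask, capnum):
    return bool(mask >> capnum & 1)


def excess_caps(mask, allowed=WG_HELPER_ALLOWED):
    """Capabilities present in `mask` beyond the set the helper is meant to hold."""
    return [cap_name(n) for n in range(64) if mask >> n & 1 and n not in allowed]


def check_helper(status_text):
    """Verdict for one process: (holds CAP_NET_ADMIN, list of unnecessary caps)."""
    eff = parse_status_caps(status_text).get("CapEff", 0)
    return has_cap(eff, CAP_NET_ADMIN), excess_caps(eff)


# Constructed sample: what /proc/self/status shows for a binary that was given
# `setcap cap_net_admin+ep` and is run by an unprivileged user. CapBnd being
# the full set is normal; the bounding set only limits what can be gained.
SAMPLE_HELPER_STATUS = """\
Name:\twg-helper
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

# Constructed sample: a process running as full root (all 41 capabilities),
# i.e. the situation the helper is supposed to avoid.
SAMPLE_ROOT_STATUS = """\
Name:\twg-quick
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""


def check_self():
    """Check the running process on Linux; returns None where /proc is absent."""
    try:
        with open("/proc/self/status") as f:
            return check_helper(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    for label, text in (("helper", SAMPLE_HELPER_STATUS), ("root", SAMPLE_ROOT_STATUS)):
        ok, extra = check_helper(text)
        print("%s: CAP_NET_ADMIN=%s, excess=%s" % (label, ok, extra))
    print("self:", check_self())
```

Run it inside the helper itself (or point it at another process's `/proc/<pid>/status`) right after exec: the helper sample yields `(True, [])`, the root sample yields `True` with forty surplus capabilities, CAP_SYS_ADMIN among them. Running the check from a shell that is still root will, of course, report the root case.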


