Using WG for transport security in a p2p network
Jason A. Donenfeld
Jason at zx2c4.com
Fri Apr 6 19:59:54 CEST 2018
Hi Ximin,
On Thu, Apr 5, 2018 at 5:22 AM, Ximin Luo <ximin at dfinity.org> wrote:
> Our usage would indeed involve setting up and tearing down interfaces ~30 times
> a week in an automated fashion, which might be "strange" going by the above.
No, certainly not strange. Actually, there's no amount of setting up
and tearing down that should be considered a bad thing. I have a
script I run during development that sets up thousands of interfaces,
each with hundreds of thousands of peers, connects them to each other,
and then toggles everything up and down over and over. I have another
script that just adds and removes interfaces really fast. The purpose
is to stress test WireGuard to ensure it's resilient in these types of
configurations. So... I think you should be good with a mere 30 a week ;-).
>
> I'm also wondering how easy this would be to program. It would clearly be much
> more heavyweight than simply opening a socket, but I guess it can be done via
> invocations of the `wg` or `wg-quick` tools. Has anyone had any experience with
> this level of WG automation, could you share your thoughts? Would the program
> need any extra system-level privileges? Ideally we wouldn't need root, of
> course - does that mean we're forced to wait for a userspace WG library such as
> wireguard-rs? I understand there is a performance penalty here, but I'd have to
> run benchmarks to know if this affects our use-case significantly.
The overhead and performance penalty is minimal, and you should easily
be able to get away with doing this. You can script it pretty easily
using wg (it needs only CAP_NET_ADMIN), or if you want closer
integration and more sophisticated priv separation, you could open the
netlink socket, then drop privs, and use something like the
embeddable-wg-library to automate everything:
https://git.zx2c4.com/WireGuard/tree/contrib/examples/embeddable-wg-library
Let me know if you have any more questions or ways in which I can help
you guys out with the p2p protocol.
Regards,
Jason
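As an added illustration of the `wg`-based automation Jason describes (this is example code, not anything from the WireGuard project or from either poster), the script below drives `ip` and `wg` from a program to bring a peer-to-peer interface up and tear it down again, and includes a check that the process actually holds CAP_NET_ADMIN before it tries. The interface name, key file path, addresses and the peer's public key are constructed placeholders; the command runner is injectable so the sequence can be exercised without a kernel that has WireGuard loaded.

```python
"""Automate WireGuard interface setup/teardown for a p2p node.

Added example, not code from the WireGuard project or this thread.
Assumes `ip` and `wg` are on PATH and that the process holds
CAP_NET_ADMIN (full root is not required for `wg`).
"""
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List, Sequence

CAP_NET_ADMIN = 12  # capability bit number from include/uapi/linux/capability.h


def has_cap_net_admin(status_text: str) -> bool:
    """True if the CapEff line of a /proc/<pid>/status dump includes CAP_NET_ADMIN.

    Takes the text (e.g. open('/proc/self/status').read()) rather than reading
    the file itself so the check can be tested offline.
    """
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            effective = int(line.split(":", 1)[1].strip(), 16)
            return bool(effective & (1 << CAP_NET_ADMIN))
    return False


@dataclass
class Peer:
    public_key: str            # base64 public key as printed by `wg pubkey`
    endpoint: str              # host:port of the remote peer
    allowed_ips: Sequence[str]  # tunnel prefixes routed to (and accepted from) this peer
    keepalive: int = 25        # seconds; keeps NAT mappings alive for p2p peers


@dataclass
class Tunnel:
    ifname: str
    private_key_file: str      # 0600 file holding the base64 private key
    listen_port: int
    address: str               # tunnel address with prefix, e.g. 10.99.0.1/24
    peers: List[Peer] = field(default_factory=list)

    def up_commands(self) -> List[List[str]]:
        """The ordered command sequence that creates and configures the interface."""
        cmds = [
            ["ip", "link", "add", self.ifname, "type", "wireguard"],
            # private-key takes a file path, so the key never appears in argv.
            ["wg", "set", self.ifname,
             "private-key", self.private_key_file,
             "listen-port", str(self.listen_port)],
        ]
        for p in self.peers:
            cmds.append(["wg", "set", self.ifname, "peer", p.public_key,
                         "endpoint", p.endpoint,
                         "allowed-ips", ",".join(p.allowed_ips),
                         "persistent-keepalive", str(p.keepalive)])
        cmds += [
            ["ip", "address", "add", self.address, "dev", self.ifname],
            ["ip", "link", "set", "up", "dev", self.ifname],
        ]
        return cmds

    def down_commands(self) -> List[List[str]]:
        # Deleting the link discards keys, peers and addresses in one step.
        return [["ip", "link", "del", self.ifname]]


Runner = Callable[[List[str]], None]


def _run(cmd: List[str]) -> None:
    subprocess.run(cmd, check=True)


def bring_up(t: Tunnel, run: Runner = _run) -> None:
    """Run the setup sequence; on any failure, remove the half-configured link."""
    try:
        for cmd in t.up_commands():
            run(cmd)
    except Exception:
        for cmd in t.down_commands():
            try:
                run(cmd)
            except Exception:
                pass  # link may not exist yet; the original error is re-raised below
        raise


def tear_down(t: Tunnel, run: Runner = _run) -> None:
    for cmd in t.down_commands():
        run(cmd)


if __name__ == "__main__":
    # Constructed sample configuration; the peer key is a placeholder.
    t = Tunnel("wg-p2p0", "/run/wg/p2p0.key", 51820, "10.99.0.1/24",
               [Peer("PEER_PUBLIC_KEY_PLACEHOLDER", "198.51.100.7:51820",
                     ["10.99.0.2/32"])])
    with open("/proc/self/status") as f:
        if not has_cap_net_admin(f.read()):
            raise SystemExit("need CAP_NET_ADMIN (e.g. via setpriv/capsh or a capability-aware service)")
    bring_up(t)
    tear_down(t)
```

The rollback in `bring_up` matters for the "30 times a week, automated" case: a failed `wg set` otherwise leaves a named interface behind that makes every later `ip link add` fail until someone cleans it up by hand.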