[PATCH] Improvements to wg-quick output for linux.bash.

Peter Hyman pete at peterhyman.com
Fri Nov 19 15:33:34 UTC 2021


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160


From c675c173a8b008bd2853fde8688f4da34271ae18 Mon Sep 17 00:00:00 2001
From: Peter Hyman <pete at peterhyman.com>
Date: Fri, 19 Nov 2021 08:30:29 -0600
Subject: [PATCH] Improvements to wg-quick output for linux.bash.

Replaced use of '<(echo $var)' for 'wg setconf -f' and 'nft -f' commands.
Use of '<(echo $var)' obscured the actual input to the 'wg' and 'nft' commands
and replaced it with /dev/fd/63, which just indicates piped input.
After this commit, output will reflect actual commands for 'nft'
and will echo the config parameters being read by 'wg setconf'.
Config parameters will also hide Private and Preshared keys like
the 'wg' command.

Before
======
[#] wg setconf wg0 /dev/fd/63
[#] nft -f /dev/fd/63

After
=====
[#] wg setconf wg0 /dev/fd/63
wg configuration
[Interface]
PrivateKey = (hidden)
ListenPort = 51820

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
PresharedKey = (hidden)
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.xxx.xxx.xxx:51820
PersistentKeepalive = 25

[#] nft delete table ip wg-quick-wg0

Signed-off-by: Peter Hyman <pete at peterhyman.com>
- ---
 src/wg-quick/linux.bash | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash
index e4d4c4f..f4f7298 100755
- --- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -192,7 +192,7 @@ remove_firewall() {
 		while read -r table; do
 			[[ $table == *" wg-quick-$INTERFACE" ]] && printf -v nftcmd '%sdelete %s\n' "$nftcmd" "$table"
 		done < <(nft list tables 2>/dev/null)
- -		[[ -z $nftcmd ]] || cmd nft -f <(echo -n "$nftcmd")
+		[[ -z $nftcmd ]] || cmd nft "$nftcmd"
 	fi
 	if type -p iptables >/dev/null; then
 		local line iptables found restore
@@ -239,7 +239,7 @@ add_default() {
 	printf -v nftcmd '%sadd rule %s %s premangle meta l4proto udp meta mark set ct mark \n' "$nftcmd" "$pf" "$nftable"
 	[[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
 	if type -p nft >/dev/null; then
- -		cmd nft -f <(echo -n "$nftcmd")
+		cmd nft "$nftcmd"
 	else
 		echo -n "$restore" | cmd $iptables-restore -n
 	fi
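Review bot: the same parsing concern applies to `cmd nft "$nftcmd"` here and matters more, because `nftcmd` as built by the `printf -v` lines above is a newline-separated script of `add` statements (the visible line ends in `ct mark \n`); if nft does not accept that buffer as one argv word the way `nft -f` accepted it as a file, the default-route marking rules are silently not installed while the `iptables-restore` branch below keeps working, and nothing in this hunk would report the difference. Suggest either documenting a manual check of the installed ruleset (`nft list table ...`) in the commit message or leaving the `-f <(echo -n "$nftcmd")` form in place and printing `$nftcmd` separately for readability.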
@@ -248,7 +248,10 @@ add_default() {
 }
 
 set_config() {
+	local WG_CONFIGTMP
+	WG_CONFIGTMP=$(echo "wg configuration\n$WG_CONFIG" | sed -e 's/\(PrivateKey = \|PresharedKey = \).*$/\1(hidden)/')
 	cmd wg setconf "$INTERFACE" <(echo "$WG_CONFIG")
+	echo -e "$WG_CONFIGTMP"
 }
 
 save_config() {
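Review bot: the masking regex `\(PrivateKey = \|PresharedKey = \)` on the `WG_CONFIGTMP=` line only matches a single space on each side of `=`, so a config written as `PrivateKey=...` (which wg accepts, since it trims whitespace around `=` the same way this script's own parser does) is not matched and the private or preshared key is printed in clear to the terminal or the service log; anchor on the key name and optional whitespace instead, e.g. `s/^\([[:space:]]*\(PrivateKey\|PresharedKey\)[[:space:]]*=\).*$/\1 (hidden)/`. Two smaller points in the same lines: `echo "wg configuration\n$WG_CONFIG"` does not expand `\n` in bash's builtin echo, so sed receives a literal `\n` that is only expanded by the later `echo -e`, and that `-e` also expands any backslash sequence in the config body; `printf '%s\n%s' 'wg configuration' "$WG_CONFIG"` plus a plain `printf '%s\n' "$WG_CONFIGTMP"` avoids both. The trace is also written to stdout after the command has run, while the `[#]` lines come from `cmd` (stderr in this script), so print it to the same stream and before `cmd wg setconf` if it is meant to show what setconf is about to read. Style: the script uses lowercase names for locals (`local line iptables found restore` in `remove_firewall`), so `WG_CONFIGTMP` should follow that; and since `cmd wg setconf "$INTERFACE" <(echo "$WG_CONFIG")` is unchanged here, the commit message's claim that the process substitution for `wg setconf` was replaced should say the config is echoed in addition to it.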
- -- 
2.34.0


-- 
Peter Hyman
GPG: 0x467FBF7D
-----BEGIN PGP SIGNATURE-----

iEYEAREDAAYFAmGXw84ACgkQTTfGLUZ/v3079gCgvx2ZCbBfmFH2FQbSXAl2lhPy
svMAmwav2EfkYwJ2jLgBm0ws5j6IQURc
=Ls+S
-----END PGP SIGNATURE-----

