From houmie at gmail.com Wed Jun 1 07:42:44 2022
From: houmie at gmail.com (Houman)
Date: Wed, 1 Jun 2022 08:42:44 +0100
Subject: How to improve Wireguard speed?
Message-ID:

Hello,

I'm compiling the latest stable Wireguard on Debian 11.

git clone https://git.zx2c4.com/wireguard-tools
make -C wireguard-tools/src -j$(nproc)
sudo make -C wireguard-tools/src install

However the speed is not that impressive. I have a VPS with 4 vCores and 8 GB RAM on a 1 Gbps network. The VPS is located in London and so am I.

With wireguard enabled I get 117 Mbps
Without wireguard I get 506 Mbps

That's a drop of 75%. What are the factors to improve the download rate?

Thank you,

From icepic.dz at gmail.com Wed Jun 1 08:50:48 2022
From: icepic.dz at gmail.com (Janne Johansson)
Date: Wed, 1 Jun 2022 10:50:48 +0200
Subject: How to improve Wireguard speed?
In-Reply-To:
References:
Message-ID:

On Wed, 1 June 2022 at 09:49, Houman wrote:
> Hello,
> I'm compiling the latest stable Wireguard on Debian 11.
> git clone https://git.zx2c4.com/wireguard-tools
> make -C wireguard-tools/src -j$(nproc)
> sudo make -C wireguard-tools/src install
>
> However the speed is not that impressive. I have a VPS with 4 vCores
> and 8 GB RAM on a 1 Gbps network. The VPS is located in London and so
> am I.
>
> With wireguard enabled I get 117 Mbps
> Without wireguard I get 506 Mbps
>
> That's a drop of 75%. What are the factors to improve the download rate?

Those seem like very poor values. I would make two tests, one local to the VPS and one local to the other end (which you left out of the description), and see which one is the limiting box. People (including me) have easily gotten speeds of 1-2 gigabit on 10GE networked computers and VPSes and several gigabits on loopbacks, so the fault is not simply using wireguard.

If you check the results of the nightly builds for x86_64 at https://www.wireguard.com/build-status/ you find several iperf3 runs that end up over 2-3 Gbit/s when a box is talking "to itself", so it's not the crypto or the tunnel that prevents you from filling up the gigabit link. Perhaps the VPS isn't giving you a lot of cpu? Perhaps the test reacts poorly to the lowered MTU from using (any) tunnel in between?

-- 
May the most significant bit of your life be positive.

From houmie at gmail.com Wed Jun 1 09:07:31 2022
From: houmie at gmail.com (Houman)
Date: Wed, 1 Jun 2022 10:07:31 +0100
Subject: How to improve Wireguard speed?
In-Reply-To:
References:
Message-ID:

Thanks for your reply.

I have run htop to observe the CPU consumption during this test, and the CPU(s) go up only to 10-20%. So the CPU doesn't seem to be the bottleneck.

I didn't change the MTU settings, but I have a suspicion about MTU. I found this article that makes some interesting suggestions to set MTU to 1280: https://keremerkan.net/posts/wireguard-mtu-fixes/

And beyond that:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

On Wed, 1 Jun 2022 at 09:51, Janne Johansson wrote:
>
> On Wed, 1 June 2022 at 09:49, Houman wrote:
> > Hello,
> > I'm compiling the latest stable Wireguard on Debian 11.
> > git clone https://git.zx2c4.com/wireguard-tools
> > make -C wireguard-tools/src -j$(nproc)
> > sudo make -C wireguard-tools/src install
> >
> > However the speed is not that impressive. I have a VPS with 4 vCores
> > and 8 GB RAM on a 1 Gbps network. The VPS is located in London and so
> > am I.
> >
> > With wireguard enabled I get 117 Mbps
> > Without wireguard I get 506 Mbps
> >
> > That's a drop of 75%. What are the factors to improve the download rate?
>
> Those seem like very poor values. I would make two tests, one local to
> the VPS and one local to the other end (which you left out of the
> description), and see which one is the limiting box. People (including
> me) have easily gotten speeds of 1-2 gigabit on 10GE networked
> computers and VPSes and several gigabits on loopbacks, so the fault is
> not simply using wireguard.
>
> If you check the results of the nightly builds for x86_64 at
> https://www.wireguard.com/build-status/ you find several iperf3 runs
> that end up over 2-3 Gbit/s when a box is talking "to itself", so it's
> not the crypto or the tunnel that prevents you from filling up the
> gigabit link. Perhaps the VPS isn't giving you a lot of cpu?
Perhaps > the test reacts poorly to the lowered MTU for using (any) tunnel in > between? > > -- > May the most significant bit of your life be positive. From tklauser at distanz.ch Wed Jun 1 09:33:54 2022 From: tklauser at distanz.ch (Tobias Klauser) Date: Wed, 1 Jun 2022 11:33:54 +0200 Subject: [PATCH wireguard-go] tun: use ByteSliceToString from golang.org/x/sys/unix Message-ID: <20220601093354.30833-1-tklauser@distanz.ch> Use unix.ByteSliceToString in (*NativeTun).nameSloce to convert the TUNGETIFF ioctl result []byte to a string. Signed-off-by: Tobias Klauser --- tun/tun_linux.go | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/tun/tun_linux.go b/tun/tun_linux.go index 89b716d9c70b..fbb8585ff449 100644 --- a/tun/tun_linux.go +++ b/tun/tun_linux.go @@ -9,7 +9,6 @@ package tun */ import ( - "bytes" "errors" "fmt" "os" @@ -321,11 +320,7 @@ func (tun *NativeTun) nameSlow() (string, error) { if errno != 0 { return "", fmt.Errorf("failed to get name of TUN device: %w", errno) } - name := ifr[:] - if i := bytes.IndexByte(name, 0); i != -1 { - name = name[:i] - } - return string(name), nil + return unix.ByteSliceToString(ifr[:]), nil } func (tun *NativeTun) Write(buf []byte, offset int) (int, error) { -- 2.36.1 From tklauser at distanz.ch Wed Jun 1 09:36:23 2022 From: tklauser at distanz.ch (Tobias Klauser) Date: Wed, 1 Jun 2022 11:36:23 +0200 Subject: [PATCH wireguard-go] tun: use ByteSliceToString from golang.org/x/sys/unix In-Reply-To: <20220601093354.30833-1-tklauser@distanz.ch> References: <20220601093354.30833-1-tklauser@distanz.ch> Message-ID: <20220601093622.dacco7owtrm6u2y7@distanz.ch> On 2022-06-01 at 11:33:54 +0200, Tobias Klauser wrote: > Use unix.ByteSliceToString in (*NativeTun).nameSloce to convert the ^- this should say `nameSlow` I can fix it up in a v2 patch if needed. From rm at romanrm.net Wed Jun 1 09:51:43 2022 
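Review bot: the hunk that drops the "bytes" import makes tun/tun_linux.go depend on golang.org/x/sys/unix for ByteSliceToString, yet the diff shows neither an existing `unix` import nor a go.mod change; confirm the file already imports golang.org/x/sys/unix (the `errno` returned by the ioctl just above the change suggests it does) and that the pinned x/sys revision exports ByteSliceToString, because if either is missing this fails at build time rather than at runtime.

Review bot: the nameSlow hunk is a behaviour-preserving replacement and the commit message should say so, since the removed code truncated ifr[:] at the first NUL and otherwise returned the whole slice, and unix.ByteSliceToString does exactly the same, so a TUNGETIFF result that fills all of ifr still yields the same string; while editing the message, "nameSloce" should read "nameSlow", as the author notes in the follow-up.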
From: rm at romanrm.net (Roman Mamedov)
Date: Wed, 1 Jun 2022 14:51:43 +0500
Subject: How to improve Wireguard speed?
In-Reply-To:
References:
Message-ID: <20220601145143.75234bd8@nvm>

On Wed, 1 Jun 2022 10:07:31 +0100
Houman wrote:

> I didn't change the MTU settings, but I have a suspicion about MTU. I
> found this article that makes some interesting suggestions to set
> MTU to 1280: https://keremerkan.net/posts/wireguard-mtu-fixes/
>
> And beyond that iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j
> TCPMSS --clamp-mss-to-pmtu

So did you apply both of those, and what was the effect?

What is the other point that you test against: is it another VPS (better if you could try with that), or your home connection?

It could be your home provider has different speed limits (shaping) in place for UDP. Should be possible to test this with:

iperf3 -s # on VPS

iperf3 -u -b 500M -c -R # on the other side

And then see how many "Lost/Total Datagrams" (xx %) you get. A high percentage would indicate that the actual top speed for UDP is less than 500Mbit by this value.

-- 
With respect,
Roman

From houmie at gmail.com Wed Jun 1 11:40:46 2022
From: houmie at gmail.com (Houman)
Date: Wed, 1 Jun 2022 12:40:46 +0100
Subject: How to improve Wireguard speed?
In-Reply-To: <20220601145143.75234bd8@nvm>
References: <20220601145143.75234bd8@nvm>
Message-ID:

Thanks Roman.

> So did you apply both of those, and what was the effect?

I will create a new environment this afternoon and test the MTU changes mentioned earlier and investigate the outcome.

> What is the other point that you test against: is it another VPS (better if
> you could try with that), or your home connection?

The iPhone is connected via Wifi to the home network, which is 500 Mbps / fibre.
I have a code snippet on the iPhone that downloads a 1 GB test file from my AWS bucket (London) for 10 seconds. Then it measures totalBytesWritten / time elapsed / (1024.0 * 1024.0) * 8.0, which is the formula for Mbps as far as I am aware.

Client (iPhone) --> server (VPS) --> S3 (AWS) = 117 Mbps
Client (iPhone) --> S3 (AWS) = 506 Mbps

I run this once the Wireguard connection is established and I get 117 Mbps. Then I disconnect the VPN and run the same code again to fetch the test file without VPN, which comes down to 506 Mbps. Client (iPhone), server (VPS) and S3 (AWS) are all located in London, UK.

I have run your iperf test. On the VPS the Lost/Total Datagrams is 0%. On the client (Mac) the Lost/Total Datagrams is 0.13%. This test proves that the ISP isn't messing around with UDP.

[  5] local 192.168.1.101 port 62103 connected to xxxxx port 5201
[ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[  5]   0.00-1.00   sec  59.5 MBytes   499 Mbits/sec  0.034 ms  0/44538 (0%)
[  5]   1.00-2.00   sec  59.7 MBytes   500 Mbits/sec  0.012 ms  0/44677 (0%)
[  5]   2.00-3.00   sec  59.3 MBytes   497 Mbits/sec  0.021 ms  15/44400 (0.034%)
[  5]   3.00-4.00   sec  60.0 MBytes   503 Mbits/sec  0.015 ms  0/44913 (0%)
[  5]   4.00-5.00   sec  59.5 MBytes   499 Mbits/sec  0.020 ms  0/44588 (0%)
[  5]   5.00-6.00   sec  59.3 MBytes   498 Mbits/sec  0.018 ms  219/44662 (0.49%)
[  5]   6.00-7.00   sec  59.6 MBytes   500 Mbits/sec  0.065 ms  0/44633 (0%)
[  5]   7.00-8.00   sec  59.6 MBytes   500 Mbits/sec  0.037 ms  0/44614 (0%)
[  5]   8.00-9.00   sec  59.6 MBytes   500 Mbits/sec  0.024 ms  0/44633 (0%)
[  5]   9.00-10.00  sec  59.2 MBytes   497 Mbits/sec  0.024 ms  339/44686 (0.76%)
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[  5]   0.00-10.01  sec   596 MBytes   500 Mbits/sec  0.000 ms  0/446756 (0%)  sender
[SUM]   0.0-10.0 sec  657 datagrams received out-of-order
[  5]   0.00-10.00  sec   595 MBytes   499 Mbits/sec  0.024 ms  573/446344 (0.13%)  receiver

For now I'm out of ideas. I will try to play around with MTUs this afternoon and see what happens.
Thanks,

> It could be your home provider has different speed limits (shaping) in place
> for UDP. Should be possible to test this with:
>
> iperf3 -s # on VPS
>
> iperf3 -u -b 500M -c -R # on the other side
>
> And then see how many "Lost/Total Datagrams" (xx %) you get. A high percentage
> would indicate that the actual top speed for UDP is less than 500Mbit by this
> value.
>
> --
> With respect,
> Roman
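The two checks the thread converges on, Roman's UDP loss test and the MTU/MSS question, can be scripted. The following is an added example written for this page, not code from any of the posters: it parses iperf3 UDP interval lines (SAMPLE is an abbreviated copy of the output posted above, embedded so the script runs offline), flags any interval whose loss exceeds a threshold, and computes the tunnel MTU and TCP MSS that keep WireGuard packets from fragmenting for a given outer path MTU. The overhead constants are WireGuard's per-packet overhead (60 bytes over IPv4, 80 over IPv6); the 1 % loss threshold, the interface name wg0 and the helper names are my own choices.

```python
"""Parse iperf3 UDP results and size the tunnel so WireGuard traffic does
not fragment. Added example; SAMPLE is an abbreviated copy of the iperf3
output posted in the thread, kept here so the script runs offline."""
import re

# Per-packet overhead WireGuard adds on the wire: IP header + UDP (8) +
# data header (16: type, receiver index, counter) + Poly1305 tag (16).
WG_OVERHEAD = {4: 20 + 8 + 16 + 16, 6: 40 + 8 + 16 + 16}   # 60 / 80
INNER_HEADERS = {4: 40, 6: 60}   # IP + TCP headers inside the tunnel

INTERVAL_RE = re.compile(
    r"^\[\s*\d+\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"[\d.]+\s+\w+\s+(?P<rate>[\d.]+)\s+(?P<unit>[KMG]?)bits/sec\s+"
    r"(?P<jitter>[\d.]+)\s+ms\s+(?P<lost>\d+)/(?P<total>\d+)"
)
RATE_TO_MBPS = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}

SAMPLE = """\
[ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[  5]   0.00-1.00   sec  59.5 MBytes   499 Mbits/sec  0.034 ms  0/44538 (0%)
[  5]   1.00-2.00   sec  59.7 MBytes   500 Mbits/sec  0.012 ms  0/44677 (0%)
[  5]   2.00-3.00   sec  59.3 MBytes   497 Mbits/sec  0.021 ms  15/44400 (0.034%)
[  5]   5.00-6.00   sec  59.3 MBytes   498 Mbits/sec  0.018 ms  219/44662 (0.49%)
[  5]   9.00-10.00  sec  59.2 MBytes   497 Mbits/sec  0.024 ms  339/44686 (0.76%)
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
[  5]   0.00-10.01  sec   596 MBytes   500 Mbits/sec  0.000 ms  0/446756 (0%)  sender
[SUM]  0.0-10.0 sec  657 datagrams received out-of-order
[  5]   0.00-10.00  sec   595 MBytes   499 Mbits/sec  0.024 ms  573/446344 (0.13%)  receiver
"""


def parse_iperf3_udp(text):
    """Split iperf3 -u output into per-second intervals and the receiver summary."""
    intervals, receiver = [], None
    for line in text.splitlines():
        m = INTERVAL_RE.match(line)
        if not m:
            continue
        lost, total = int(m["lost"]), int(m["total"])
        rec = {"start": float(m["start"]), "end": float(m["end"]),
               "mbps": float(m["rate"]) * RATE_TO_MBPS[m["unit"]],
               "jitter_ms": float(m["jitter"]), "lost": lost, "total": total,
               "loss_pct": 100.0 * lost / total if total else 0.0}
        tail = line.rstrip()
        if tail.endswith("receiver"):
            receiver = rec
        elif not tail.endswith("sender"):
            intervals.append(rec)
    return intervals, receiver


def udp_verdict(intervals, receiver, max_loss_pct=1.0):
    """True when the path sustains the offered rate: neither any interval nor
    the whole run loses more than max_loss_pct. Also returns the worst
    interval loss and the goodput the receiver actually saw."""
    worst = max((r["loss_pct"] for r in intervals), default=0.0)
    if receiver is None:
        return False, worst, None
    goodput = receiver["mbps"] * (1 - receiver["loss_pct"] / 100)
    ok = worst <= max_loss_pct and receiver["loss_pct"] <= max_loss_pct
    return ok, worst, goodput


def wg_mtu(outer_path_mtu, outer_ip_version=4):
    """Largest tunnel MTU whose encrypted packets still fit the outer path."""
    return outer_path_mtu - WG_OVERHEAD[outer_ip_version]


def tcp_mss(tunnel_mtu, inner_ip_version=4):
    """MSS a SYN should carry inside the tunnel (what --clamp-mss-to-pmtu derives)."""
    return tunnel_mtu - INNER_HEADERS[inner_ip_version]


def mss_clamp_rule(iface, tunnel_mtu, inner_ip_version=4):
    """Explicit-MSS form of the clamp rule; iface is an assumed interface name."""
    tool = "iptables" if inner_ip_version == 4 else "ip6tables"
    return (f"{tool} -t mangle -A FORWARD -o {iface} -p tcp --tcp-flags SYN,RST SYN "
            f"-j TCPMSS --set-mss {tcp_mss(tunnel_mtu, inner_ip_version)}")


if __name__ == "__main__":
    intervals, receiver = parse_iperf3_udp(SAMPLE)
    ok, worst, goodput = udp_verdict(intervals, receiver)
    print(f"UDP path ok: {ok}; worst interval loss {worst:.2f}%; goodput {goodput:.0f} Mbit/s")
    mtu = wg_mtu(1500, 4)          # 1440 when the outer path is plain IPv4 at 1500
    print(f"tunnel MTU {mtu}, MSS {tcp_mss(mtu)}")
    print(mss_clamp_rule("wg0", mtu))
```

The per-interval check matters because a run-level 0.13 % hides the 0.76 % burst in the last second; shaping usually shows up as bursts, not as uniform loss. On the MTU side, 1440 is the largest value for an IPv4-only outer path and 1420 (WireGuard's default) is the safe choice when the outer path might be IPv6 or carry another tunnel.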
From: frank at carmickle.com (Frank Carmickle)
Date: Wed, 1 Jun 2022 08:41:05 -0400
Subject: How to improve Wireguard speed?
In-Reply-To:
References: <20220601145143.75234bd8@nvm>
Message-ID:

It's almost certainly the iPhone that's the slow part. The wireguard implementation on iOS is running in userspace.

--FC

> On Jun 1, 2022, at 7:40 AM, Houman wrote:
>
> Thanks Roman.
>
>> So did you apply both of those, and what was the effect?
>
> I will create a new environment this afternoon and test the MTU
> changes mentioned earlier and investigate the outcome.
>
>> What is the other point that you test against: is it another VPS (better if
>> you could try with that), or your home connection?
>
> The iPhone is connected via Wifi to the home network, which is 500 Mbps / fibre.
> I have a code snippet on the iPhone that downloads a 1 GB test file
> from my AWS bucket (London) for 10 seconds. Then it measures
> totalBytesWritten / time elapsed / (1024.0 * 1024.0) * 8.0,
> which is the formula for Mbps as far as I am aware.
>
> Client (iPhone) --> server (VPS) --> S3 (AWS) = 117 Mbps
> Client (iPhone) --> S3 (AWS) = 506 Mbps
>
> I run this once the Wireguard connection is established and I get 117
> Mbps. Then I disconnect the VPN and run the same code again to fetch
> the test file without VPN, which comes down to 506 Mbps. Client
> (iPhone), server (VPS) and S3 (AWS) are all located in London, UK.
>
> I have run your iperf test. On the VPS the Lost/Total Datagrams is
> 0%. On the client (Mac) the Lost/Total Datagrams is 0.13%. This test
> proves that the ISP isn't messing around with UDP.
>
> [  5] local 192.168.1.101 port 62103 connected to xxxxx port 5201
> [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
> [  5]   0.00-1.00   sec  59.5 MBytes   499 Mbits/sec  0.034 ms  0/44538 (0%)
> [  5]   1.00-2.00   sec  59.7 MBytes   500 Mbits/sec  0.012 ms  0/44677 (0%)
> [  5]   2.00-3.00   sec  59.3 MBytes   497 Mbits/sec  0.021 ms  15/44400 (0.034%)
> [  5]   3.00-4.00   sec  60.0 MBytes   503 Mbits/sec  0.015 ms  0/44913 (0%)
> [  5]   4.00-5.00   sec  59.5 MBytes   499 Mbits/sec  0.020 ms  0/44588 (0%)
> [  5]   5.00-6.00   sec  59.3 MBytes   498 Mbits/sec  0.018 ms  219/44662 (0.49%)
> [  5]   6.00-7.00   sec  59.6 MBytes   500 Mbits/sec  0.065 ms  0/44633 (0%)
> [  5]   7.00-8.00   sec  59.6 MBytes   500 Mbits/sec  0.037 ms  0/44614 (0%)
> [  5]   8.00-9.00   sec  59.6 MBytes   500 Mbits/sec  0.024 ms  0/44633 (0%)
> [  5]   9.00-10.00  sec  59.2 MBytes   497 Mbits/sec  0.024 ms  339/44686 (0.76%)
> - - - - - - - - - - - - - - - - - - - - - - - - -
> [ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
> [  5]   0.00-10.01  sec   596 MBytes   500 Mbits/sec  0.000 ms  0/446756 (0%)  sender
> [SUM]   0.0-10.0 sec  657 datagrams received out-of-order
> [  5]   0.00-10.00  sec   595 MBytes   499 Mbits/sec  0.024 ms  573/446344 (0.13%)  receiver
>
>
> For now I'm out of ideas. I will try to play around with MTUs this
> afternoon and see what happens.
> Thanks,
>
>
>> It could be your home provider has different speed limits (shaping) in place
>> for UDP. Should be possible to test this with:
>>
>> iperf3 -s # on VPS
>>
>> iperf3 -u -b 500M -c -R # on the other side
>>
>> And then see how many "Lost/Total Datagrams" (xx %) you get. A high percentage
>> would indicate that the actual top speed for UDP is less than 500Mbit by this
>> value.
>>
>> --
>> With respect,
>> Roman

From Jason at zx2c4.com Wed Jun 1 13:01:37 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Wed, 1 Jun 2022 15:01:37 +0200
Subject: [PATCH wireguard-go] tun: use ByteSliceToString from golang.org/x/sys/unix
In-Reply-To: <20220601093354.30833-1-tklauser@distanz.ch>
References: <20220601093354.30833-1-tklauser@distanz.ch>
Message-ID:

Applied, thanks.

From simon.karberg at agillic.com Wed Jun 1 18:45:58 2022
From: simon.karberg at agillic.com (Simon Karberg)
Date: Wed, 1 Jun 2022 20:45:58 +0200
Subject: Multiple search domains settings in MacOS based on config file
Message-ID:

Hi,

I can see in my config file under DNS that I have our primary DNS server IP address and then the search domains added as a comma-separated list after it. On Linux & Windows it seems to be set correctly, but it's not being set through the MacOS client from the App Store. I have tried to look through the source code to identify if the settings are there for the app, but I'm not sure.

I am on MacOS 12.4 (Monterey) on an M1 Max (arm64).
App version: 1.0.15 (26)
Go backend version: 2ef39d47

From max.schulze at online.de Sun Jun 5 20:21:24 2022
From: max.schulze at online.de (Max Schulze)
Date: Sun, 5 Jun 2022 22:21:24 +0200
Subject: wireguard-windows: possibly wrong selection of outgoing IP Address?
Message-ID: <4bb8fade-487e-2301-65d0-dea41624682f@online.de>

I am running out of ideas to debug this specific issue.

I am trying to circumvent a double-NAT scenario. I have

wg_serv (10.253.2.9) <-> wg-relais (10.253.2.2) <-> wg_peer (10.253.2.3)

wg_serv has an endpoint set for wg-relais, and creates the connection ok (handshake completes, ping works).
wg_peer has an endpoint that points to wg-relais, which should tunnel the connection as-is to wg_serv on the established connection (iptables SNAT/DNAT).

If wg_serv is a Linux box, with the exact same config file, everything works. If wg_serv is a Windows box, it seems that there are no outgoing packets, but incoming is ok.

First, see that the handshake packet is received (via 10.253.2.2:60026):

2022-06-05 20:30:17.140946: [TUN] [wireguard] Keypair 536 created for peer 1
2022-06-05 20:30:22.085949: [TUN] [wireguard] Handshake for peer 1 (10.253.2.2:60026) did not complete after 5 seconds, retrying (try 2)
2022-06-05 20:30:22.265787: [TUN] [wireguard] Receiving handshake initiation from peer 1 (10.253.2.2:60026)
2022-06-05 20:30:22.265787: [TUN] [wireguard] Sending handshake response to peer 1 (10.253.2.2:60026)
2022-06-05 20:30:22.267019: [TUN] [wireguard] Keypair 536 destroyed for peer 1
2022-06-05 20:30:22.267019: [TUN] [wireguard] Keypair 537 created for peer 1
2022-06-05 20:30:27.147962: [TUN] [wireguard] Sending keepalive packet to peer 2 (185.230.xxx.yyy:51849)
2022-06-05 20:30:27.626543: [TUN] [wireguard] Receiving handshake initiation from peer 1 (10.253.2.2:60026)
2022-06-05 20:30:27.626543: [TUN] [wireguard] Sending handshake response to peer 1 (10.253.2.2:60026)

However, it seems that wireguard sends the outgoing packet with the wrong IP (192.168.99.101) instead of 10.253.2.9 to 10.253.2.2:60026?

Protocol Local Port Local Address Remote Port Remote Address Received Bytes Sent Bytes Rec Pkt Sent Packets
wireguard.exe UDP IPv4 51850 192.168.99.101 51849 185.230.xxx.yyy 81.976 8.584 417 216
wireguard.exe UDP IPv4 51850 10.253.2.9 60026 10.253.2.2 55.648 376
wireguard.exe UDP IPv4 51850 192.168.99.101 60026 10.253.2.2 37.848 398

What can I do?
Can I make the wireguard log more verbose to show IP packet src/destination?

Is it possible to also log the src IP of the "handshake response packet"?

Best,
Max

wg_serv config:

[Interface]
PrivateKey = SFhFHVb__2c=
ListenPort = 51850
Address = 10.253.2.9/24

[Peer]
# wg-vpn-relais
PublicKey = 3A5__wo=
AllowedIPs = 10.253.2.2/30
Endpoint = 185.230.xxx.yyy:51849
PersistentKeepalive = 20

[Peer]
# peer via vpn relais
PublicKey = FTBC__cqghg=
AllowedIPs = 10.253.2.3/32
PersistentKeepalive = 20

wg output:

peer: 3A5__o=
  endpoint: 185.230.xxx.yyy:51849
  allowed ips: 10.253.2.0/30
  latest handshake: 1 minute, 55 seconds ago
  transfer: 145.71 KiB received, 29.74 KiB sent
  persistent keepalive: every 20 seconds

peer: FTB__hg=
  endpoint: 10.253.2.2:60026
  allowed ips: 10.253.2.3/32
  transfer: 89.46 KiB received, 60.67 KiB sent
  persistent keepalive: every 20 seconds

PS C:\Windows\system32> Get-NetIPInterface | select ifIndex,InterfaceAlias,AddressFamily,ConnectionState,Forwarding,weakhostreceive,weakhostsend | Sort-Object -Property IfIndex | Format-Table
>>

ifIndex InterfaceAlias              AddressFamily ConnectionState Forwarding WeakHostReceive WeakHostSend
------- --------------              ------------- --------------- ---------- --------------- ------------
      1 Loopback Pseudo-Interface 1 IPv4          Connected       Disabled   Disabled        Disabled
      1 Loopback Pseudo-Interface 1 IPv6          Connected       Disabled   Disabled        Disabled
      4 LAN-Verbindung* 11          IPv6          Connected       Disabled   Disabled        Disabled
      4 LAN-Verbindung* 11          IPv4          Connected       Disabled   Disabled        Disabled
      8 WLAN                        IPv4          Disconnected    Disabled   Disabled        Disabled
      8 WLAN                        IPv6          Disconnected    Disabled   Disabled        Disabled
     12 Ethernet                    IPv6          Connected       Disabled   Disabled        Disabled
     12 Ethernet                    IPv4          Connected       Disabled   Disabled        Disabled
     16 LAN-Verbindung* 2           IPv6          Disconnected    Disabled   Disabled        Disabled
     16 LAN-Verbindung* 2           IPv4          Disconnected    Disabled   Disabled        Disabled
     17 LAN-Verbindung* 1           IPv6          Disconnected    Disabled   Disabled        Disabled
     17 LAN-Verbindung* 1           IPv4          Disconnected    Disabled   Disabled        Disabled
     53 wireguard                   IPv6          Connected       Disabled   Disabled        Disabled
     53 wireguard                   IPv4          Connected       Disabled   Disabled        Disabled

wg_relais debug state:

wg-vpn-relais # conntrack -L | grep 10.253
udp 17 28 src=178.101.114.260 dst=185.230.xxx.yyy sport=60026 dport=51850 [UNREPLIED] src=10.253.2.9 dst=10.253.2.2 sport=51850 dport=60026 mark=0 use=1

From szymonn841 at gmail.com Tue Jun 7 07:08:13 2022
From: szymonn841 at gmail.com (Szymon Nowak)
Date: Tue, 7 Jun 2022 09:08:13 +0200
Subject: wireguard-windows: possibly wrong selection of outgoing IP Address?
In-Reply-To: <4bb8fade-487e-2301-65d0-dea41624682f@online.de>
References: <4bb8fade-487e-2301-65d0-dea41624682f@online.de>
Message-ID:

Hi

To do this on the Windows server, you need to run NAT on the WG interface:
https://openvpn.net/cloud-docs/enabling-routing-nat-on-windows-server-2016/

On Sun, Jun 5, 2022 at 10:23 PM Max Schulze wrote:
>
> I am running out of ideas to debug this specific issue.
>
> I am trying to circumvent a double-NAT scenario. I have
>
> wg_serv (10.253.2.9) <-> wg-relais (10.253.2.2) <-> wg_peer (10.253.2.3)
>
> wg_serv has an endpoint set for wg-relais, and creates the connection ok (handshake completes, ping works).
> wg_peer has an endpoint that points to wg-relais, which should tunnel the connection as-is to wg_serv on the established connection (iptables SNAT/DNAT).
>
> If wg_serv is a Linux box, with the exact same config file, everything works. If wg_serv is a Windows box, it seems that there are no outgoing packets, but incoming is ok.
>
> First, see that the handshake packet is received (via 10.253.2.2:60026):
>
> 2022-06-05 20:30:17.140946: [TUN] [wireguard] Keypair 536 created for peer 1
> 2022-06-05 20:30:22.085949: [TUN] [wireguard] Handshake for peer 1 (10.253.2.2:60026) did not complete after 5 seconds, retrying (try 2)
> 2022-06-05 20:30:22.265787: [TUN] [wireguard] Receiving handshake initiation from peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:22.265787: [TUN] [wireguard] Sending handshake response to peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:22.267019: [TUN] [wireguard] Keypair 536 destroyed for peer 1
> 2022-06-05 20:30:22.267019: [TUN] [wireguard] Keypair 537 created for peer 1
> 2022-06-05 20:30:27.147962: [TUN] [wireguard] Sending keepalive packet to peer 2 (185.230.xxx.yyy:51849)
> 2022-06-05 20:30:27.626543: [TUN] [wireguard] Receiving handshake initiation from peer 1 (10.253.2.2:60026)
> 2022-06-05 20:30:27.626543: [TUN] [wireguard] Sending handshake response to peer 1 (10.253.2.2:60026)
>
> However, it seems that wireguard sends the outgoing packet with the wrong IP (192.168.99.101) instead of 10.253.2.9 to 10.253.2.2:60026?
>
> Protocol Local Port Local Address Remote Port Remote Address Received Bytes Sent Bytes Rec Pkt Sent Packets
> wireguard.exe UDP IPv4 51850 192.168.99.101 51849 185.230.xxx.yyy 81.976 8.584 417 216
> wireguard.exe UDP IPv4 51850 10.253.2.9 60026 10.253.2.2 55.648 376
> wireguard.exe UDP IPv4 51850 192.168.99.101 60026 10.253.2.2 37.848 398
>
> What can I do?
> Can I make the wireguard log more verbose to show IP packet src/destination?
>
> Is it possible to also log the src IP of the "handshake response packet"?
>
> Best,
> Max
>
> wg_serv config:
>
> [Interface]
> PrivateKey = SFhFHVb__2c=
> ListenPort = 51850
> Address = 10.253.2.9/24
>
> [Peer]
> # wg-vpn-relais
> PublicKey = 3A5__wo=
> AllowedIPs = 10.253.2.2/30
> Endpoint = 185.230.xxx.yyy:51849
> PersistentKeepalive = 20
>
> [Peer]
> # peer via vpn relais
> PublicKey = FTBC__cqghg=
> AllowedIPs = 10.253.2.3/32
> PersistentKeepalive = 20
>
> wg output:
>
> peer: 3A5__o=
>   endpoint: 185.230.xxx.yyy:51849
>   allowed ips: 10.253.2.0/30
>   latest handshake: 1 minute, 55 seconds ago
>   transfer: 145.71 KiB received, 29.74 KiB sent
>   persistent keepalive: every 20 seconds
>
> peer: FTB__hg=
>   endpoint: 10.253.2.2:60026
>   allowed ips: 10.253.2.3/32
>   transfer: 89.46 KiB received, 60.67 KiB sent
>   persistent keepalive: every 20 seconds
>
> PS C:\Windows\system32> Get-NetIPInterface | select ifIndex,InterfaceAlias,AddressFamily,ConnectionState,Forwarding,weakhostreceive,weakhostsend | Sort-Object -Property IfIndex | Format-Table
> >>
>
> ifIndex InterfaceAlias              AddressFamily ConnectionState Forwarding WeakHostReceive WeakHostSend
> ------- --------------              ------------- --------------- ---------- --------------- ------------
>       1 Loopback Pseudo-Interface 1 IPv4          Connected       Disabled   Disabled        Disabled
>       1 Loopback Pseudo-Interface 1 IPv6          Connected       Disabled   Disabled        Disabled
>       4 LAN-Verbindung* 11          IPv6          Connected       Disabled   Disabled        Disabled
>       4 LAN-Verbindung* 11          IPv4          Connected       Disabled   Disabled        Disabled
>       8 WLAN                        IPv4          Disconnected    Disabled   Disabled        Disabled
>       8 WLAN                        IPv6          Disconnected    Disabled   Disabled        Disabled
>      12 Ethernet                    IPv6          Connected       Disabled   Disabled        Disabled
>      12 Ethernet                    IPv4          Connected       Disabled   Disabled        Disabled
>      16 LAN-Verbindung* 2           IPv6          Disconnected    Disabled   Disabled        Disabled
>      16 LAN-Verbindung* 2           IPv4          Disconnected    Disabled   Disabled        Disabled
>      17 LAN-Verbindung* 1           IPv6          Disconnected    Disabled   Disabled        Disabled
>      17 LAN-Verbindung* 1           IPv4          Disconnected    Disabled   Disabled        Disabled
>      53 wireguard                   IPv6          Connected       Disabled   Disabled        Disabled
>      53 wireguard                   IPv4          Connected       Disabled   Disabled        Disabled
>
> wg_relais debug state:
>
> wg-vpn-relais # conntrack -L | grep 10.253
> udp 17 28 src=178.101.114.260 dst=185.230.xxx.yyy sport=60026 dport=51850 [UNREPLIED] src=10.253.2.9 dst=10.253.2.2 sport=51850 dport=60026 mark=0 use=1
>

From max.schulze at online.de Tue Jun 7 08:43:29 2022
From: max.schulze at online.de (Max Schulze)
Date: Tue, 7 Jun 2022 10:43:29 +0200
Subject: wireguard-windows: possibly wrong selection of outgoing IP Address?
In-Reply-To:
References: <4bb8fade-487e-2301-65d0-dea41624682f@online.de>
Message-ID: <26d9f096-e8a0-2405-b28c-1b25a319e8d6@online.de>

Hello Szymon,

On 07.06.22 09:08, Szymon Nowak wrote:
> Hi To do this on the windows server, you need to run NAT on the WG interface
> https://openvpn.net/cloud-docs/enabling-routing-nat-on-windows-server-2016/

Why should I? Which interfaces should I bridge? The WG interface is "stand-alone" and does not do any routing to/from the public internet for any clients.

Why are you suggesting NAT, when the log shows that the IP addresses for the *destination* are correct?

Besides, I do not need to do any of this on the Linux box, where the connection is successful with the same config.

From Jason at zx2c4.com Fri Jun 10 17:23:55 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Fri, 10 Jun 2022 19:23:55 +0200
Subject: [ANNOUNCE] wireguard-freebsd snapshot v0.0.20220610 is available
Message-ID: <20220610172402.C3DE7C34114@smtp.kernel.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

An experimental snapshot, v0.0.20220610, of WireGuard for FreeBSD has been tagged in the git repository.

At this time this code is new, unvetted, possibly buggy, and should be considered "experimental". It might contain security issues. We gladly welcome your testing and bug reports, but do keep in mind that this code is new, so some caution should be exercised at the moment for using it in mission critical environments.

== Changes ==

  * if_wg: wg_queue_len: remove locking
  * if_wg: wg_queue_delist_staged: use more standard STAILQ_CONCAT
  * if_wg: wgc_get/set: use M_WAITOK with malloc()
  * if_wg: wg_clone_create: Use M_WAITOK with malloc
  * wg_cookie: ratelimit_init: use callout_init_mtx
  * if_wg: wg_mbuf_reset: don't free send tags
  * if_wg: wg_module_init: clean up more if the self tests fail

  Numerous cleanups.

  * if_wg: avoid scheduling excessive tasks for encryption/decryption

  A nice performance improvement - John reports double on iperf3 TCP throughput.

  * crypto: return an error code from mbuf crypt routines

  Preparation for the OCF work John's been working on.

  * if_wg: account for input function returning a boolean
  * if_wg: account for added argument to sbcreatecontrol

  These allow building on recent FreeBSD 14 main.

  * if_wg: do not use continue statement on !VIMAGE
  * build: only include compat.h for if_wg.c and fix build with an obj directory

  These allow building in different configurations.

This snapshot contains commits from: John Baldwin and Jason A. Donenfeld.

The source repository is available at the usual location:
  git clone https://git.zx2c4.com/wireguard-freebsd

This snapshot is available in compressed tarball form:
  https://git.zx2c4.com/wireguard-freebsd/snapshot/wireguard-freebsd-0.0.20220610.tar.xz
  SHA2-256: 518779c383e8087a60a7ec7b0969158a48b2f19a34a13b62683c982960295f17

Thank you,
Jason Donenfeld

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEEq5lC5tSkz8NBJiCnSfxwEqXeA64FAmKjfhcQHGphc29uQHp4
MmM0LmNvbQAKCRBJ/HASpd4DrszsD/9rSo3Cqx8AqilVII4dpbxGzHXnkSCetUc8
e0nBLtvSZ0C/MiHSJtOD1iwdz8ndPX57P2VUdBVV/xmSeWzblfWDyB2nOoiLUq4P
EoJaAkMD1isErVdJizlq0QQEq6UFegBcb9ttna33IZJm67uRXICzWq55yl/pJMSV
zhsv2cQOKK8S9dUKgBtY31YKnDMZLvbtJbPP5hiDyCmrSVYrQKFd6owhCubRzGKE
thNP/+rDgitz7vFB8Uu84Ib/dY8dVPjFbK/k3DqTdSKhefI4uc0y1buM8mV96zGi
pXXYqi1qrgnMVpO2plhR04thACbAqT1Gbsx402q48LeJ7cD+oL0WxTJ2H9gEv/tA
lJ4e7YnWt3zyu4SW8CvDPbVfWLVTTHR9jvV+/qJp4SVbFsDkmdHT7mWURRUtwawD
C0p+wPlBcqdENXVtFmvaKeqclxCXFUkIC1SorIStKhYDPsFdRexOsiXAqAVdXmvJ
ZdeX8BJWHXz7cxGNdE96ep6qBMAPJ2+9f3nLIoG/1ca0hWvDpWTGbepoekv0Ab0/
gwXqlxUfOmCjjLBRA4vrp0JJpWJJaWWdQSVKmeDwn/z7h/kASjeL1Z7gDlkEq3yI
hKg47SUqupG2/iSoL8EUglAPi1o498BhZANtf3LgYH3z+fd7GU4k/ugfp2KKjsOq
+dNT9WYX9Q==
=yY95
-----END PGP SIGNATURE-----

From Jason at zx2c4.com Tue Jun 14 09:21:19 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 14 Jun 2022 11:21:19 +0200
Subject: [ANNOUNCE] wireguard-freebsd snapshot v0.0.20220614 is available
Message-ID: <20220614092123.14834C341C4@smtp.kernel.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

An experimental snapshot, v0.0.20220614, of WireGuard for FreeBSD has been tagged in the git repository.

At this time this code is new, unvetted, possibly buggy, and should be considered "experimental". It might contain security issues. We gladly welcome your testing and bug reports, but do keep in mind that this code is new, so some caution should be exercised at the moment for using it in mission critical environments.

== Changes ==

  * build: include compat.h for all files
  * compat: fix version stamp

  Two lingering compat issues.

  * if_wg: wg_peer_alloc and wg_aip_add: Use M_WAITOK with malloc

  A small cleanup to memory allocation and error path logic.

  * crypto: use OCF to encrypt/decrypt packets when supported
  * crypto: use when present
  * crypto: use curve25519 API from the kernel when available
  * crypto: harmonize with compat and clean up

  Crypto from OCF and FreeBSD's library code will now be used when available.

This snapshot contains commits from: John Baldwin and Jason A. Donenfeld.

The source repository is available at the usual location:
  git clone https://git.zx2c4.com/wireguard-freebsd

This snapshot is available in compressed tarball form:
  https://git.zx2c4.com/wireguard-freebsd/snapshot/wireguard-freebsd-0.0.20220614.tar.xz
  SHA2-256: b048049561f18fd48ab3fa6455f9e0ecca25c6314880f48e68c56ceacf7f6719

Thank you,
Jason Donenfeld

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEEq5lC5tSkz8NBJiCnSfxwEqXeA64FAmKoUwMQHGphc29uQHp4
MmM0LmNvbQAKCRBJ/HASpd4DrtWQD/9SrtU+zAXlB50zLYO1LhNexPLlgWMcAZsM
qwJaIzxMdsXPCCfqLOfqxUXOAjPf7EWxFE8cj1iV6hLduzl0wnu84OZIxr7yvSFT
qhk6aZxcgiUTpxIHa4WdJkxiqMNRafv6le33F233VWNBbJCn8f9JjxON8Fph0W/N
DZ0X+fGwPJ25bnCWc//Cl7WhQulT7BxNi2jrsgpuJNmCGOeSRyfTh9ygDRX5WLD6
mZiIfqTs4+l9gVjeUcC7b49qbZeRtpsmePfaXp5fN2U6s5cyk76SbarCHD62aFlP
OM4xdl07J+YhsXdfj98whE1RVTS8jFvz3iADKW0MuwDEeEcDCh4vpspiNerYDIvQ
J+aFT8+zexmv9IdNQxYK3u9W1G6COz0wspBWixZGfeqfNZyPpXVOqgdKarsdFLnz
wYFFz8FPdMlB8A8J+aehNqqsrH6rXbE4J2poz3upxrntKMxG+u0YB5pDoxY0JkAQ
uvT3Ij/7CdsXYHnbKwFtiv9dmSzgSpFNOzSbffBWYb24i1UCCAbJqe5Eae9b7MIh
6PuaBp3YzlR3NHsXcliss2SbEMf1nf2WStTtKHDKW5hAyRdg4dqDMZxvPc8OU6vC
BF1gVIEYC9wRLaNfxU/mW5ugdiN0b3u6uT9ELrN/mV56z45xPKmedpDNXKHqz3b2
JF9KsyRjDg==
=xgbb
-----END PGP SIGNATURE-----

From venefax at gmail.com Fri Jun 3 18:40:47 2022
From: venefax at gmail.com (Saint Michael)
Date: Fri, 3 Jun 2022 14:40:47 -0400
Subject: How to generate the QR Code
In-Reply-To:
References:
Message-ID:

Dear friends

I have a Mikrotik router and configured all that is necessary for the VPN. I also configured a Windows client for testing. Once it worked, I downloaded the Wireguard app from the Google Play Store. The question is, how can I generate the QR Code so all my employees can use it on their phones?
I could not find the answer.

Philip

From david at bamsoftware.com Thu Jun 9 22:05:22 2022
From: david at bamsoftware.com (David Fifield)
Date: Thu, 9 Jun 2022 16:05:22 -0600
Subject: WireGuard protocol blocking in China, swgp-go (userspace obfuscation proxy)
Message-ID: <20220609220522.kwqa4uvuc3sijlka@bamsoftware.com>

I am forwarding some information about WireGuard blocking and anti-blocking that was posted to a censorship circumvention forum.

swgp-go is a userspace obfuscation proxy that aims to hide WireGuard's distinctive protocol fingerprint (message_type and reserved_zero fields, fixed packet lengths). It super-encrypts part or all of WireGuard packets using a preshared symmetric key, and optionally adds padding. The security of the channel relies on the encryption and authentication of the underlying WireGuard tunnel, which requires less overhead than a general-purpose circumvention proxy would.

https://github.com/database64128/swgp-go
https://github.com/net4people/bbs/issues/117

There is a past discussion on this mailing list of something similar. That one was in the kernel; this one is in userspace.

https://lists.zx2c4.com/pipermail/wireguard/2021-September/007142.html
https://github.com/net4people/bbs/issues/88

Separately, the swgp-go announcement post comments on the dynamics of WireGuard blocking in China:

> The GFW will block the remote peer's UDP port for a few days after
> about a week's continuous usage.
> ...
> ... the GFW only started blocking WireGuard on IPv4 this February.

GFW = Great Firewall, the collective name for various censorship systems used by the government of China. The pattern of "detect, then block for a limited time, then unblock" is typical for the GFW, though the time intervals are usually rather shorter. For example, when the GFW began to block the use of the ESNI extension in TLS 1.3, it would block the server endpoint for 120 or 180 seconds:

https://gfw.report/blog/gfw_esni_blocking/en/#residual-censorship

I have not confirmed the reported blocking behavior in China. It's worth keeping in mind also that blocking in China can differ across networks and geographic regions. I did find a Reddit post from 3 months ago, from the Fuzhou region, saying that WireGuard is detected and blocked within 24 hours:

https://www.reddit.com/r/WireGuard/comments/t0bpy3/wireguard_detected_and_blocked_by_gfw/

A past message on this mailing list about temporary problems with the WireGuard protocol in Russia last year:

https://lists.zx2c4.com/pipermail/wireguard/2021-September/007050.html

From snowstorm3842 at mailbox.org Tue Jun 14 07:20:12 2022
From: snowstorm3842 at mailbox.org (snowstorm3842 at mailbox.org)
Date: Tue, 14 Jun 2022 15:20:12 +0800
Subject: doas support for wg-quick linux
Message-ID: <20220614072012.jsvrl7buu67c6byy@erhnbox>

This isn't that much of a problem because I and probably many others start the wg-quick script as a system service. But when you run the script as non-root, it asks for sudo with the option "-p". I have my doas symlinked to sudo, so the script actually runs "doas -p prompt", an option which does not exist in doas. I found the script for OpenBSD in your repositories, looked at it, and it uses doas. It's not that important, but it would be nice if you could add doas to the Linux script.

From endre.szabo at wg-ml-rkaofgr.redir.email Tue Jun 14 09:51:07 2022
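David's post names the fingerprint (message_type and reserved_zero fields, fixed packet lengths) that swgp-go hides. As an added example, not code from the post or from swgp-go, the classifier below applies exactly those invariants the way a network monitor would to recognise WireGuard datagrams on a link it is responsible for; its sample flow is constructed and includes datagrams that fail each invariant, which is also what an obfuscation layer's output looks like to such a check.

```python
"""Classify UDP payloads by WireGuard's static message fingerprint.

Added example (not from the mailing list post or swgp-go). Every
WireGuard message starts with a 4-byte little-endian field: one type
byte (1..4) followed by three reserved bytes that are always zero. The
three handshake message kinds have fixed total lengths; transport data
messages wrap a payload padded to a multiple of 16 bytes in a 32-byte
envelope. A monitor can key on these invariants to detect tunnels on
its own network; an obfuscation proxy removes exactly these invariants.
"""
import struct

# message_type -> (name, fixed total length, or None for variable length)
WG_MESSAGE_TYPES = {
    1: ("handshake_initiation", 148),
    2: ("handshake_response", 92),
    3: ("cookie_reply", 64),
    4: ("transport_data", None),
}
# transport header + receiver index + 64-bit counter + Poly1305 tag
TRANSPORT_ENVELOPE = 4 + 4 + 8 + 16


def classify_wireguard(payload: bytes):
    """Return the WireGuard message name, or None when the datagram does
    not match the protocol's static structure."""
    if len(payload) < 4:
        return None
    (header,) = struct.unpack_from("<I", payload, 0)
    msg_type = header & 0xFF     # low byte: message_type
    reserved = header >> 8       # upper three bytes: reserved_zero
    if reserved != 0 or msg_type not in WG_MESSAGE_TYPES:
        return None
    name, fixed_len = WG_MESSAGE_TYPES[msg_type]
    if fixed_len is not None:
        return name if len(payload) == fixed_len else None
    # transport data: envelope plus a payload padded to a 16-byte multiple
    body = len(payload) - TRANSPORT_ENVELOPE
    if body < 0 or body % 16 != 0:
        return None
    return name


def summarize_flow(datagrams):
    """Count per message kind how many datagrams of a flow look like
    WireGuard. A 148-byte initiation, a 92-byte response and a run of
    16-byte-aligned transport messages is a strong tunnel indicator."""
    counts = {}
    for d in datagrams:
        kind = classify_wireguard(d) or "other"
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def make_sample(msg_type: int, total_len: int) -> bytes:
    """Constructed datagram: real header, zero filler for everything else.
    Only type, reserved bytes and length matter to the classifier."""
    return bytes([msg_type, 0, 0, 0]) + bytes(total_len - 4)


# Constructed sample flow: a clean handshake and two transport messages,
# then three datagrams that each break one invariant (unaligned length,
# wrong handshake length, non-zero reserved bytes).
SAMPLE_FLOW = [
    make_sample(1, 148),                 # handshake initiation
    make_sample(2, 92),                  # handshake response
    make_sample(4, 32),                  # keepalive (empty payload)
    make_sample(4, 32 + 96),             # transport data, 96-byte payload
    make_sample(4, 50),                  # payload not padded to 16 bytes
    make_sample(1, 144),                 # initiation with the wrong length
    bytes([1, 7, 0, 0]) + bytes(144),    # reserved bytes not zero
]

if __name__ == "__main__":
    for kind, n in sorted(summarize_flow(SAMPLE_FLOW).items()):
        print(f"{kind:22s} {n}")
```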
From: endre.szabo at wg-ml-rkaofgr.redir.email (Endre Szabo)
Date: Tue, 14 Jun 2022 09:51:07 +0000
Subject: How to generate the QR Code
In-Reply-To:
References:
Message-ID:

Hi Philip,

While it is not complicated, it is not that simple to generate the QR codes just based on the Mikrotik configs. QR codes are basically encoded config files for the clients. And the added complexity is that they have the private key in them as well, which I'm sure you have on file somewhere, as you had to give Mikrotik the public counterpart of that keypair.

What I really miss in the QR code config file is a 'metadata' field that should function as a 'connection name suggestion' the user can accept (or edit as a prefilled connection name field) upon QR code reading. This would be really handy in case of a lot of connections to add to a phone.

--Endre

On Fri, Jun 03, 2022 at 14:40:47-0400, Saint Michael wrote:
> Dear friends
> I have a Mikrotik router and configured all that is necessary for
> the VPN. I also configured a windows client for testing. Once it
> worked, I downloaded the Wireguard app from the Google Play Store. The
> question is, how can I generate the QR Code so all my employees can
> use it on their phones?
> I could not find the answer.
>
> Philip

From nico.schottelius at ungleich.ch Tue Jun 14 13:13:11 2022
From: nico.schottelius at ungleich.ch (Nico Schottelius)
Date: Tue, 14 Jun 2022 15:13:11 +0200
Subject: WireGuard protocol blocking in China, swgp-go (userspace obfuscation proxy)
In-Reply-To: <20220609220522.kwqa4uvuc3sijlka@bamsoftware.com>
References: <20220609220522.kwqa4uvuc3sijlka@bamsoftware.com>
Message-ID: <87pmjbpele.fsf@ungleich.ch>

David Fifield writes:

> I am forwarding some information about WireGuard blocking and
> anti-blocking that was posted to a censorship circumvention forum.

In regards to this topic I was wondering if it makes sense to have a more generic obfuscation proxy that can carry tcp/udp payload? Maybe this already exists, but I would think that something that hops protocols (IPv6, IPv4 endpoints, tcp/udp encapsulation), changes ports and uses envelope based tunneling (http, https, smtp, imap - worst case DNS) would make it easier to sustain communication even in more serious filtering scenarios.

Given such a "generic obfuscator", it could be combined with "protocol" modes, i.e. enhancing protocols such as wireguard with the presented algorithm, making it even harder to predict the content.

I'd assume some performance regressions using such an obfuscator, but maybe it could even "learn" the proper obfuscation by detecting blocks on easier to detect obfuscation and then switching to a stronger, but less efficient obfuscation.

Wondering what your thoughts are on this.

Best regards,

Nico

--
Sustainable and modern Infrastructures by ungleich.ch

From simon at rozman.si Tue Jun 14 17:02:41 2022
From: simon at rozman.si (Simon Rozman)
Date: Tue, 14 Jun 2022 17:02:41 +0000
Subject: Incompatibility between wintun.dll and go module
In-Reply-To:
References:
Message-ID: <6F224D6F-E5DA-44C9-93AF-83A0B33EFE45@rozman.si>

Hi!

The 0.14+ is not binary compatible with 0.13. The API changed considerably: https://git.zx2c4.com/wintun/diff/api/wintun.h?id=544fdaaf8fb970d9657a59c1fc4c4569de4f2d3e

The wireguard-go repo was adjusted for this API change in https://git.zx2c4.com/wireguard-go/commit/?id=82d2aa87aa623cb5143a41c3345da4fb875ad85d. Wintun adapter pools were completely discontinued; however, your stack trace indicates you are still using an outdated version of wireguard-go calling wintun.(*Pool).OpenAdapter. Please update wireguard-go and try again.

Regards,
Simon

-----Original Message-----
From: WireGuard on behalf of Thomas Hallgren
Date: Tuesday, 14 June 2022 at 11.32
To: "wireguard at lists.zx2c4.com"
Subject: Incompatibility between wintun.dll and go module

Hi,

We're using the wintun.dll and the go module golang.zx2c4.com/wireguard/windows v0.5.3 in our product. The dll initialization fails when upgrading the wintun.dll to version 0.14.1 (or 0.14, it doesn't matter). 0.13 works fine. Relevant stack trace below.

Thanks for an excellent library. Without it, it would be much harder to port our product to Windows.

unexpected fault address 0xffffffffffffffff
fatal error: fault
[signal 0xc0000005 code=0x0 addr=0xffffffffffffffff pc=0xe8b29d]

goroutine 65 [running, locked to thread]:
runtime.throw({0x27b93d9?, 0x0?})
	runtime/panic.go:992 +0x76 fp=0xc000a393d8 sp=0xc000a393a8 pc=0xce8996
runtime.sigpanic()
	runtime/signal_windows.go:261 +0x125 fp=0xc000a39420 sp=0xc000a393d8 pc=0xcfbb05
golang.org/x/sys/windows.UTF16PtrToString(0x240e6a0?)
	golang.org/x/sys at v0.0.0-20220209214540-3681064d5158/windows/syscall_windows.go:132 +0x1d fp=0xc000a39468 sp=0xc000a39420 pc=0xe8b29d
golang.zx2c4.com/wireguard/tun/wintun.setupLogger.func1(0xc000057590?, 0x0?)
	golang.zx2c4.com/wireguard at v0.0.0-20210427022245-097af6e1351b/tun/wintun/wintun_windows.go:53 +0x1c fp=0xc000a394b0 sp=0xc000a39468 pc=0x1f321bc
runtime.call16(0x0, 0x28df468, 0xc000a39538, 0x0, 0x0, 0x10, 0xc000a39790)
	runtime/asm_amd64.s:701 +0x50 fp=0xc000a394d0 sp=0xc000a394b0 pc=0xd14530
runtime.callbackWrap(0x7c95ffebc0)
	runtime/syscall_windows.go:378 +0x134 fp=0xc000a398b0 sp=0xc000a394d0 pc=0xd04074
runtime.cgocallbackg1(0xd03f40, 0x0?, 0x0)
	runtime/cgocall.go:314 +0x2ca fp=0xc000a39980 sp=0xc000a398b0 pc=0xcb4b8a
runtime.cgocallbackg(0xc000583380?, 0x300000002?, 0xc000583380?)
	runtime/cgocall.go:233 +0x106 fp=0xc000a39a18 sp=0xc000a39980 pc=0xcb47c6
runtime.cgocallbackg(0xd03f40, 0x7c95ffebc0, 0x0)
	:1 +0x36 fp=0xc000a39a40 sp=0xc000a39a18 pc=0xd18356
runtime.cgocallback(0xcb464b, 0xd17be0, 0xc0001002c0)
	runtime/asm_amd64.s:971 +0xd7 fp=0xc000a39a68 sp=0xc000a39a40 pc=0xd160f7
runtime.systemstack_switch()
	runtime/asm_amd64.s:436 fp=0xc000a39a70 sp=0xc000a39a68 pc=0xd13fe0
runtime.cgocall(0xd17be0, 0xc0001002c0)
	runtime/cgocall.go:167 +0xab fp=0xc000a39aa8 sp=0xc000a39a70 pc=0xcb464b
syscall.SyscallN(0x7ffc169c3a90?, {0xc000a39b40?, 0x3?, 0x0?})
	runtime/syscall_windows.go:538 +0x109 fp=0xc000a39b20 sp=0xc000a39aa8 pc=0xd12de9
syscall.Syscall(0xc000479590?, 0x1a428c8510a?, 0x1a428c8510a?, 0x0?, 0x0?)
	runtime/syscall_windows.go:476 +0x3b fp=0xc000a39b68 sp=0xc000a39b20 pc=0xd129fb
golang.zx2c4.com/wireguard/tun/wintun.(*Pool).OpenAdapter(0xc000187800, {0x27b825c?, 0x1a403910598?})
	golang.zx2c4.com/wireguard at v0.0.0-20210427022245-097af6e1351b/tun/wintun/wintun_windows.go:89 +0xad fp=0xc000a39bd8 sp=0xc000a39b68 pc=0x1f3256d
golang.zx2c4.com/wireguard/tun.CreateTUNWithRequestedGUID({0x27b825c, 0x4}, 0x0?, 0x0)
	golang.zx2c4.com/wireguard at v0.0.0-20210427022245-097af6e1351b/tun/tun_windows.go:75 +0x4d fp=0xc000a39c50 sp=0xc000a39bd8 pc=0x1f3384d
golang.zx2c4.com/wireguard/tun.CreateTUN(...)
	golang.zx2c4.com/wireguard at v0.0.0-20210427022245-097af6e1351b/tun/tun_windows.go:63

From jrm at FreeBSD.org Tue Jun 14 19:15:26 2022
From: jrm at FreeBSD.org (Joseph Mingrone) Date: Tue, 14 Jun 2022 16:15:26 -0300 Subject: [PATCH] compat: Update version to handle sbcreatecontrol() changes Message-ID: <20220614191526.70200-1-jrm@FreeBSD.org> The sockbuf changes to merge two versions of sbcreatecontrol() into one occurred in b46667c63eb7 in the FreeBSD src repository. The value of __FreeBSD_version at the time of that commit was 1400059, so check for systems with a version stamp less than 1400059. Ideally __FreeBSD_version would have been bumped in b46667c63eb7, however it was set to 1400059 53 commits prior in 3a9a9c0ca44e and not bumped to 1400060 until 374 commits later in 85d7875d4291. Thus, this is not a perfect solution because CURRENT systems built from 53 possible commits that require the adjustment will still fail to build the wireguard kernel module. This is better than checking for systems with __FreeBSD_version < 1400057. In that case, there are 767 different commits a CURRENT system may be built from where the module will fail to build. Sponsored by: The FreeBSD Foundation --- src/compat.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/compat.h b/src/compat.h index 8567524..d55c628 100644 --- a/src/compat.h +++ b/src/compat.h @@ -24,7 +24,7 @@ #define COMPAT_NEED_BLAKE2S #endif -#if __FreeBSD_version < 1400057 +#if __FreeBSD_version < 1400059 #include #define sbcreatecontrol(a, b, c, d, e) sbcreatecontrol(a, b, c, d) #endif -- 2.36.1 From Jason at zx2c4.com Tue Jun 14 19:59:26 2022 
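Review bot: the `#if __FreeBSD_version < 1400059` guard in src/compat.h carries none of the reasoning the commit message gives (the sbcreatecontrol() merge in b46667c63eb7 landed while the stamp was still 1400059, so CURRENT systems built from the 53 commits in that window will still fail to build the module); a one-line comment above the `#if` citing b46667c63eb7 and the 1400059/1400060 window would let the next person who hits that build failure recognise it without going through git history. A version check can never be exact when the bump trails the API change, so it is also worth asking for a __FreeBSD_version bump alongside any future change of this kind.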
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 14 Jun 2022 21:59:26 +0200
Subject: [PATCH] compat: Update version to handle sbcreatecontrol() changes
In-Reply-To: <20220614191526.70200-1-jrm@FreeBSD.org>
References: <20220614191526.70200-1-jrm@FreeBSD.org>
Message-ID:

Hi Joseph,

On Tue, Jun 14, 2022 at 04:15:26PM -0300, Joseph Mingrone wrote:
> The sockbuf changes to merge two versions of sbcreatecontrol() into one
> occurred in b46667c63eb7 in the FreeBSD src repository. The value of
> __FreeBSD_version at the time of that commit was 1400059, so check
> for systems with a version stamp less than 1400059.
>
> Ideally __FreeBSD_version would have been bumped in b46667c63eb7,
> however it was set to 1400059 53 commits prior in 3a9a9c0ca44e and not
> bumped to 1400060 until 374 commits later in 85d7875d4291. Thus, this
> is not a perfect solution because CURRENT systems built from 53 possible
> commits that require the adjustment will still fail to build the
> wireguard kernel module. This is better than checking for systems with
> __FreeBSD_version < 1400057. In that case, there are 767 different
> commits a CURRENT system may be built from where the module will fail to
> build.

Seems reasonable. Applied, thanks.

Jason

From Jason at zx2c4.com Wed Jun 15 14:11:35 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Wed, 15 Jun 2022 16:11:35 +0200
Subject: [ANNOUNCE] wireguard-freebsd snapshot v0.0.20220615 is available
Message-ID: <20220615141140.96557C3411C@smtp.kernel.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

An experimental snapshot, v0.0.20220615, of WireGuard for FreeBSD has been tagged in the git repository.

At this time this code is new, unvetted, possibly buggy, and should be considered "experimental". It might contain security issues. We gladly welcome your testing and bug reports, but do keep in mind that this code is new, so some caution should be exercised at the moment for using it in mission critical environments.

== Changes ==

  * ci: add FreeBSD 12.3 and 13.1
  * compat: update version to handle sbcreatecontrol() changes

  More fixes to the compat layer.

  * wg_noise: import hmac from crypto
  * crypto: inline blake2s convenience function

  A few crypto cleanups.

This snapshot contains commits from: Jason A. Donenfeld, Joseph Mingrone, and Ed Maste.
The source repository is available at the usual location:

git clone https://git.zx2c4.com/wireguard-freebsd

This snapshot is available in compressed tarball form:

https://git.zx2c4.com/wireguard-freebsd/snapshot/wireguard-freebsd-0.0.20220615.tar.xz
SHA2-256: ad6c42d20a7c0ad2989e729dd41ea5a6a019426b762dfd0c6417e340935cca82

Thank you,
Jason Donenfeld

From enlight at riseup.net Thu Jun 9 21:56:12 2022
From: enlight at riseup.net (enlight)
Date: Thu, 09 Jun 2022 21:56:12 +0000
Subject: [question] wireguard-windows issue
Message-ID:

Hello,

When enabling the WireGuard kill-switch, it creates an aggressive WireGuard firewall rule on Windows; it creates the rule on the Windows Filtering Platform (WFP). The rule is to block all inbound/outbound traffic not for or from the WireGuard interface. I want to modify the current WireGuard WFP rule to permit inbound/outbound traffic to additional interfaces, like the VMware interface. There are several network interfaces active in my system, like "Yggdrasil" -> adapter name in Network and Sharing Center (it uses the wintun driver to create it).

I tried to modify "wireguard-windows/tunnel/firewall/blocker.go" inside EnableFirewall() to add:

```go
// Open a second wintun adapter by name and permit its traffic as well.
var adapter *driver.Adapter
var luid2 winipcfg.LUID
adapter, err = driver.OpenAdapter("Yggdrasil") // gives error here
if err != nil {
	return err // adapter is nil on failure; do not dereference it
}
luid2 = adapter.LUID()
err = permitTunInterface(session, baseObjects, 12, uint64(luid2))
```

The error is:

```
Failed to find matching adapter name: Element not found. (Code 0x00000490)
Unable to enable firewall rules: Firewall error at golang.zx2c4.com/wireguard/windows/tunnel/firewall/blocker.go:148: Element not found.
```

How can I solve the issue?

From enlight at riseup.net Sun Jun 12 21:34:08 2022
From: enlight at riseup.net (enlight)
Date: Sun, 12 Jun 2022 21:34:08 +0000
Subject: [question] wireguard-windows wfp issue
Message-ID:

Hello,

When enabling the WireGuard kill-switch, it creates an aggressive WireGuard firewall rule on Windows; it creates the rule on the Windows Filtering Platform (WFP). The rule is to block all inbound/outbound traffic not for or from the WireGuard interface. I want to modify the current WireGuard WFP rule to permit inbound/outbound traffic to additional interfaces, like the VMware interface. There are several network interfaces active in my system, like "Yggdrasil" -> adapter name in Network and Sharing Center (it uses the wintun driver to create it).

I tried to modify "wireguard-windows/tunnel/firewall/blocker.go" inside EnableFirewall() to add:

```go
// Open a second wintun adapter by name and permit its traffic as well.
var adapter *driver.Adapter
var luid2 winipcfg.LUID
adapter, err = driver.OpenAdapter("Yggdrasil") // gives error here
if err != nil {
	return err // adapter is nil on failure; do not dereference it
}
luid2 = adapter.LUID()
err = permitTunInterface(session, baseObjects, 12, uint64(luid2))
```

The error is:

```
Failed to find matching adapter name: Element not found. (Code 0x00000490)
Unable to enable firewall rules: Firewall error at golang.zx2c4.com/wireguard/windows/tunnel/firewall/blocker.go:148: Element not found.
```

How can I solve the issue?

From epicstyt at gmail.com Tue Jun 14 13:52:39 2022 From: epicstyt at gmail.com (Stepan Rabotkin) Date: Tue, 14 Jun 2022 16:52:39 +0300 Subject: [PATCH] feat: add search to app list Message-ID: <20220614135239.1034-1-epicstyt@gmail.com> --- .../android/fragment/AppListDialogFragment.kt | 39 +++++++++++++------ .../res/layout/app_list_dialog_fragment.xml | 15 +++++++ ui/src/main/res/values/strings.xml | 1 + 3 files changed, 44 insertions(+), 11 deletions(-) diff --git a/ui/src/main/java/com/wireguard/android/fragment/AppListDialogFragment.kt b/ui/src/main/java/com/wireguard/android/fragment/AppListDialogFragment.kt index 1a40a1c..e9b4cf6 100644 --- a/ui/src/main/java/com/wireguard/android/fragment/AppListDialogFragment.kt
+++ b/ui/src/main/java/com/wireguard/android/fragment/AppListDialogFragment.kt @@ -11,6 +11,7 @@ import android.widget.Button import android.widget.Toast import androidx.appcompat.app.AlertDialog import androidx.core.os.bundleOf +import androidx.core.widget.doAfterTextChanged import androidx.databinding.Observable import androidx.fragment.app.DialogFragment import androidx.fragment.app.setFragmentResult @@ -28,7 +29,8 @@ import kotlinx.coroutines.launch import kotlinx.coroutines.withContext class AppListDialogFragment : DialogFragment() { - private val appData = ObservableKeyedArrayList() + private val appList: MutableList = ArrayList() + private val appListFiltered = ObservableKeyedArrayList() private var currentlySelectedApps = emptyList() private var initiallyExcluded = false private var button: Button? = null @@ -39,14 +41,13 @@ class AppListDialogFragment : DialogFragment() { val pm = activity.packageManager lifecycleScope.launch(Dispatchers.Default) { try { - val applicationData: MutableList = ArrayList() withContext(Dispatchers.IO) { val packageInfos = pm.getPackagesHoldingPermissions(arrayOf(Manifest.permission.INTERNET), 0) packageInfos.forEach { val packageName = it.packageName val appInfo = it.applicationInfo val appData = ApplicationData(appInfo.loadIcon(pm), appInfo.loadLabel(pm).toString(), packageName, currentlySelectedApps.contains(packageName)) - applicationData.add(appData) + appList.add(appData) appData.addOnPropertyChangedCallback(object : Observable.OnPropertyChangedCallback() { override fun onPropertyChanged(sender: Observable?, propertyId: Int) { if (propertyId == BR.selected) 
@@ -55,10 +56,10 @@ class AppListDialogFragment : DialogFragment() { }) } } - applicationData.sortWith(compareBy(String.CASE_INSENSITIVE_ORDER) { it.name }) + appList.sortWith(compareBy(String.CASE_INSENSITIVE_ORDER) { it.name }) withContext(Dispatchers.Main.immediate) { - appData.clear() - appData.addAll(applicationData) + appListFiltered.clear() + appListFiltered.addAll(appList) } } catch (e: Throwable) { withContext(Dispatchers.Main.immediate) { @@ -78,7 +79,7 @@ class AppListDialogFragment : DialogFragment() { } private fun setButtonText() { - val numSelected = appData.count { it.isSelected } + val numSelected = appList.count { it.isSelected } button?.text = if (numSelected == 0) getString(R.string.use_all_applications) else when (tabs?.selectedTabPosition) { @@ -106,15 +107,19 @@ class AppListDialogFragment : DialogFragment() { alertDialogBuilder.setNegativeButton(R.string.cancel) { dialog, _ -> dialog.dismiss() } alertDialogBuilder.setNeutralButton(R.string.toggle_all) { _, _ -> } binding.fragment = this - binding.appData = appData + binding.appData = appListFiltered loadData() + binding.appSearchText.doAfterTextChanged { + appListFiltered.clear() + appListFiltered.addAll(filter(it.toString())) + } val dialog = alertDialogBuilder.create() dialog.setOnShowListener { button = dialog.getButton(AlertDialog.BUTTON_POSITIVE) setButtonText() dialog.getButton(AlertDialog.BUTTON_NEUTRAL).setOnClickListener { _ -> - val selectAll = appData.none { it.isSelected } - appData.forEach { + val selectAll = appList.none { it.isSelected } + appList.forEach { it.isSelected = selectAll } } 
@@ -122,9 +127,21 @@ class AppListDialogFragment : DialogFragment() { return dialog } + private fun filter(s: String): MutableList { + val resultData: MutableList = ArrayList() + + for (app in appList) { + if (app.name.lowercase().contains(s)) { + resultData.add(app) + } + } + + return resultData + } + private fun setSelectionAndDismiss() { val selectedApps: MutableList = ArrayList() - for (data in appData) { + for (data in appList) { if (data.isSelected) { selectedApps.add(data.packageName) } diff --git a/ui/src/main/res/layout/app_list_dialog_fragment.xml b/ui/src/main/res/layout/app_list_dialog_fragment.xml index 4503de1..572996d 100644 --- a/ui/src/main/res/layout/app_list_dialog_fragment.xml +++ b/ui/src/main/res/layout/app_list_dialog_fragment.xml @@ -40,6 +40,21 @@ android:text="@string/include_in_tunnel" /> + + + + + + Authenticate to view private key Authentication failure Authentication failure: %s + Search -- 2.32.0.windows.2 From wireguard at centromere.net Tue Jun 14 14:15:58 2022 From: wireguard at centromere.net (Alex) Date: Tue, 14 Jun 2022 10:15:58 -0400 Subject: WireGuard protocol blocking in China, swgp-go (userspace obfuscation proxy) In-Reply-To: <20220609220522.kwqa4uvuc3sijlka@bamsoftware.com> References: <20220609220522.kwqa4uvuc3sijlka@bamsoftware.com> Message-ID: <20220614101558.31c1dc0b@centromere.net> On Thu, 9 Jun 2022 16:05:22 -0600 David Fifield wrote: > I am forwarding some information about WireGuard blocking and > anti-blocking that was posted to a censorship circumvention forum. > You may find this information[0] relevant and helpful. Regards, Alex [0] https://realworldcrypto.files.wordpress.com/2013/06/shrimpton.pdf -------------- next part -------------- A non-text attachment was scrubbed... Name: shrimpton.pdf Type: application/pdf Size: 2486747 bytes Desc: not available URL: From epicstyt at gmail.com Wed Jun 15 16:07:05 2022 
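Review bot: the new filter() in the `@@ -122,9 +127,21 @@` hunk lowercases the app name but not the query, so `app.name.lowercase().contains(s)` never matches a search typed with a capital letter; compare against `s.lowercase()` or use `contains(s, ignoreCase = true)`. The caller in the `@@ -106,15 +107,19 @@` hunk has a related edge: `doAfterTextChanged` hands over a nullable Editable, and `it.toString()` on null produces the literal string "null" as the search term, so `it?.toString().orEmpty()` is the safer form.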
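Review bot: replacing the per-load local `applicationData` with the member `appList` in the `@@ -39,14 +41,13 @@` hunk means loadData() now appends to a list that is never cleared, so a second load (for instance after the catch block) duplicates every entry, and the list is filled on Dispatchers.IO while filter() reads it from the main thread with no synchronisation. Build into a local as before and swap it into `appList` inside the `withContext(Dispatchers.Main.immediate)` block of the `@@ -55,10 +56,10 @@` hunk; reapplying the current search text there instead of `appListFiltered.addAll(appList)` also keeps a query typed while loading from being silently discarded.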
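Review bot: in the `@@ -106,15 +107,19 @@` hunk the toggle-all handler now iterates `appList`, so with a search active it flips the selection of apps the user cannot see, which the "toggle all" label does not suggest; iterating `appListFiltered`, or documenting that the button always acts on every app, would match what the dialog shows. The patch also arrives with an empty commit message and no Signed-off-by line; a short description of the feature and of the filtered/unfiltered list split belongs above the `---`.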
From: epicstyt at gmail.com (Stepan Rabotkin) Date: Wed, 15 Jun 2022 19:07:05 +0300 Subject: [PATCH] feat: add search to app list Message-ID: <20220615160705.898-1-epicstyt@gmail.com> --- .../android/fragment/AppListDialogFragment.kt | 39 +++++++++++++------ .../res/layout/app_list_dialog_fragment.xml | 15 +++++++ ui/src/main/res/values/strings.xml | 1 + 3 files changed, 44 insertions(+), 11 deletions(-) diff --git a/ui/src/main/java/com/wireguard/android/fragment/AppListDialogFragment.kt b/ui/src/main/java/com/wireguard/android/fragment/AppListDialogFragment.kt index 1a40a1c..e9b4cf6 100644 --- a/ui/src/main/java/com/wireguard/android/fragment/AppListDialogFragment.kt +++ b/ui/src/main/java/com/wireguard/android/fragment/AppListDialogFragment.kt @@ -11,6 +11,7 @@ import android.widget.Button import android.widget.Toast import androidx.appcompat.app.AlertDialog import androidx.core.os.bundleOf +import androidx.core.widget.doAfterTextChanged import androidx.databinding.Observable import androidx.fragment.app.DialogFragment import androidx.fragment.app.setFragmentResult @@ -28,7 +29,8 @@ import kotlinx.coroutines.launch import kotlinx.coroutines.withContext class AppListDialogFragment : DialogFragment() { - private val appData = ObservableKeyedArrayList() + private val appList: MutableList = ArrayList() + private val appListFiltered = ObservableKeyedArrayList() private var currentlySelectedApps = emptyList() private var initiallyExcluded = false private var button: Button? = null 
@@ -39,14 +41,13 @@ class AppListDialogFragment : DialogFragment() { val pm = activity.packageManager lifecycleScope.launch(Dispatchers.Default) { try { - val applicationData: MutableList = ArrayList() withContext(Dispatchers.IO) { val packageInfos = pm.getPackagesHoldingPermissions(arrayOf(Manifest.permission.INTERNET), 0) packageInfos.forEach { val packageName = it.packageName val appInfo = it.applicationInfo val appData = ApplicationData(appInfo.loadIcon(pm), appInfo.loadLabel(pm).toString(), packageName, currentlySelectedApps.contains(packageName)) - applicationData.add(appData) + appList.add(appData) appData.addOnPropertyChangedCallback(object : Observable.OnPropertyChangedCallback() { override fun onPropertyChanged(sender: Observable?, propertyId: Int) { if (propertyId == BR.selected) @@ -55,10 +56,10 @@ class AppListDialogFragment : DialogFragment() { }) } } - applicationData.sortWith(compareBy(String.CASE_INSENSITIVE_ORDER) { it.name }) + appList.sortWith(compareBy(String.CASE_INSENSITIVE_ORDER) { it.name }) withContext(Dispatchers.Main.immediate) { - appData.clear() - appData.addAll(applicationData) + appListFiltered.clear() + appListFiltered.addAll(appList) } } catch (e: Throwable) { withContext(Dispatchers.Main.immediate) { @@ -78,7 +79,7 @@ class AppListDialogFragment : DialogFragment() { } private fun setButtonText() { - val numSelected = appData.count { it.isSelected } + val numSelected = appList.count { it.isSelected } button?.text = if (numSelected == 0) getString(R.string.use_all_applications) else when (tabs?.selectedTabPosition) { 
@@ -106,15 +107,19 @@ class AppListDialogFragment : DialogFragment() { alertDialogBuilder.setNegativeButton(R.string.cancel) { dialog, _ -> dialog.dismiss() } alertDialogBuilder.setNeutralButton(R.string.toggle_all) { _, _ -> } binding.fragment = this - binding.appData = appData + binding.appData = appListFiltered loadData() + binding.appSearchText.doAfterTextChanged { + appListFiltered.clear() + appListFiltered.addAll(filter(it.toString())) + } val dialog = alertDialogBuilder.create() dialog.setOnShowListener { button = dialog.getButton(AlertDialog.BUTTON_POSITIVE) setButtonText() dialog.getButton(AlertDialog.BUTTON_NEUTRAL).setOnClickListener { _ -> - val selectAll = appData.none { it.isSelected } - appData.forEach { + val selectAll = appList.none { it.isSelected } + appList.forEach { it.isSelected = selectAll } } @@ -122,9 +127,21 @@ class AppListDialogFragment : DialogFragment() { return dialog } + private fun filter(s: String): MutableList { + val resultData: MutableList = ArrayList() + + for (app in appList) { + if (app.name.lowercase().contains(s)) { + resultData.add(app) + } + } + + return resultData + } + private fun setSelectionAndDismiss() { val selectedApps: MutableList = ArrayList() - for (data in appData) { + for (data in appList) { if (data.isSelected) { selectedApps.add(data.packageName) } diff --git a/ui/src/main/res/layout/app_list_dialog_fragment.xml b/ui/src/main/res/layout/app_list_dialog_fragment.xml index 4503de1..572996d 100644 --- a/ui/src/main/res/layout/app_list_dialog_fragment.xml +++ b/ui/src/main/res/layout/app_list_dialog_fragment.xml @@ -40,6 +40,21 @@ android:text="@string/include_in_tunnel" /> + + + + + + Authenticate to view private key Authentication failure Authentication failure: %s + Search -- 2.32.0.windows.2 From programmerjake at gmail.com Thu Jun 16 01:48:08 2022 
From: programmerjake at gmail.com (Jacob Lifshay) Date: Wed, 15 Jun 2022 18:48:08 -0700 Subject: why not use ktime_get_clocktai_ts64 Message-ID: I was reading in noise.c and noticed you use ktime_get_real_ts64 and do manual adjustments (the current code is broken if/when there's another leap second) rather than using ktime_get_clocktai_ts64 which already handles compensation for leap seconds. https://git.zx2c4.com/wireguard-linux/tree/drivers/net/wireguard/noise.c?id=7fae4596a269d2f9a6a7d1a8695c3a68ab34f7be#n501 Is there a reason for that? Jacob From tom.ty89 at gmail.com Fri Jun 17 11:34:19 2022 From: tom.ty89 at gmail.com (Tom Yan) Date: Fri, 17 Jun 2022 19:34:19 +0800 Subject: [PATCH] wg-quick: avoid traffics from momentarily leaking into the tunnel Message-ID: <20220617113419.17329-1-tom.ty89@gmail.com> The wireguard route table ip rule should stay as a NOP until the `suppress_prefixlength 0 table main` rule is in effect. Therefore, add the wireguard default route to its route table after the latter rule is added. Signed-off-by: Tom Yan --- src/wg-quick/linux.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash index e4d4c4f..69e5bef 100755 --- a/src/wg-quick/linux.bash +++ b/src/wg-quick/linux.bash @@ -220,9 +220,9 @@ add_default() { fi local proto=-4 iptables=iptables pf=ip [[ $1 == *:* ]] && proto=-6 iptables=ip6tables pf=ip6 - cmd ip $proto route add "$1" dev "$INTERFACE" table $table cmd ip $proto rule add not fwmark $table table $table cmd ip $proto rule add table main suppress_prefixlength 0 + cmd ip $proto route add "$1" dev "$INTERFACE" table $table local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore=$'*raw\n' nftable="wg-quick-$INTERFACE" nftcmd printf -v nftcmd '%sadd table %s %s\n' "$nftcmd" "$pf" "$nftable" -- 2.36.1 From Jason at zx2c4.com Fri Jun 17 11:53:09 2022 
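Review bot: the reorder in the `@@ -220,9 +220,9 @@` hunk closes the window in which `ip rule add not fwmark $table table $table` was live while table $table already held the default route but the `suppress_prefixlength 0` rule did not yet exist, so for a moment every unmarked packet, local-network traffic included, was steered into the tunnel; with the table still empty, the first rule is a harmless fall-through to main until the second rule is in place. Nothing in add_default() records that the three `cmd ip $proto ...` lines are order-dependent, so a one-line comment above them would keep a later cleanup from reordering them back, and the teardown path deserves the mirror check: remove the rules before the route.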
From: Jason at zx2c4.com (Jason A. Donenfeld) Date: Fri, 17 Jun 2022 13:53:09 +0200 Subject: [PATCH] wg-quick: avoid traffics from momentarily leaking into the tunnel In-Reply-To: <20220617113419.17329-1-tom.ty89@gmail.com> References: <20220617113419.17329-1-tom.ty89@gmail.com> Message-ID: On Fri, Jun 17, 2022 at 07:34:19PM +0800, Tom Yan wrote: > The wireguard route table ip rule should stay as a NOP until the > `suppress_prefixlength 0 table main` rule is in effect. Therefore, > add the wireguard default route to its route table after the latter > rule is added. > > Signed-off-by: Tom Yan Applied, thanks. > --- > src/wg-quick/linux.bash | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash > index e4d4c4f..69e5bef 100755 > --- a/src/wg-quick/linux.bash > +++ b/src/wg-quick/linux.bash > @@ -220,9 +220,9 @@ add_default() { > fi > local proto=-4 iptables=iptables pf=ip > [[ $1 == *:* ]] && proto=-6 iptables=ip6tables pf=ip6 > - cmd ip $proto route add "$1" dev "$INTERFACE" table $table > cmd ip $proto rule add not fwmark $table table $table > cmd ip $proto rule add table main suppress_prefixlength 0 > + cmd ip $proto route add "$1" dev "$INTERFACE" table $table > > local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore=$'*raw\n' nftable="wg-quick-$INTERFACE" nftcmd > printf -v nftcmd '%sadd table %s %s\n' "$nftcmd" "$pf" "$nftable" > -- > 2.36.1 > From Jason at zx2c4.com Fri Jun 17 11:56:23 2022 
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Fri, 17 Jun 2022 13:56:23 +0200
Subject: why not use ktime_get_clocktai_ts64
In-Reply-To:
References:
Message-ID:

Hi Jacob,

On Wed, Jun 15, 2022 at 06:48:08PM -0700, Jacob Lifshay wrote:
> I was reading in noise.c and noticed you use ktime_get_real_ts64 and
> do manual adjustments (the current code is broken if/when there's
> another leap second) rather than using ktime_get_clocktai_ts64 which
> already handles compensation for leap seconds.
>
> https://git.zx2c4.com/wireguard-linux/tree/drivers/net/wireguard/noise.c?id=7fae4596a269d2f9a6a7d1a8695c3a68ab34f7be#n501
>
> Is there a reason for that?

Not really I guess. The only requirement, though, is that the timestamps are monotonic with respect to the particular localprivate-remotepublic pairing of peers. So I'm not sure it matters?

Jason

From Jason at zx2c4.com Fri Jun 17 13:52:21 2022
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Fri, 17 Jun 2022 15:52:21 +0200
Subject: [PATCH] feat: add search to app list
In-Reply-To: <20220615160705.898-1-epicstyt@gmail.com>
References: <20220615160705.898-1-epicstyt@gmail.com>
Message-ID:

Please resubmit this with a proper commit subject, commit message, and signed-off-by line.

From tom.ty89 at gmail.com Fri Jun 17 16:13:25 2022
From: tom.ty89 at gmail.com (Tom Yan)
Date: Sat, 18 Jun 2022 00:13:25 +0800
Subject: Regarding the firewall rules added by wg-quick (on Linux)
Message-ID:

Hi all,

I have a few doubts on the firewall rules added by wg-quick.

First of all, is there a reason that the fwmark-restoring rule is unconditional? Shouldn't it consist of a connmark match (like the fwmark-saving rule does on the fwmark)?

The next one is, what is the remaining rule intended to prevent exactly? From the commit message the purpose seems to be "bogus injected packets". I mean, was that referring to the fact that Linux does not have a strong address/interface binding concept, that normally / by default you can reach a host using an IP assigned on any of its interfaces, regardless of whether the interface is the one connecting it to the source host? And if so, is there a wireguard-specific security implication in it that has led to the introduction of the rule?

Although I'm not entirely clear on its purpose yet, allow me to also suggest in this email that perhaps we can use something like this instead for nft:

ip daddr $WG_ADDRESS iifname != { "lo", "$WG_INTERFACE" } drop

Alternatively, if it is desired that the rules used for nft and iptables should be more "coherent" to each other, allow me to also suggest something like this:

-d $WG_ADDRESS ! -i lo -m addrtype ! --dst-type LOCAL --limit-iface-in -j DROP

which should be equivalent, AFAICT, to this in nft:

ip daddr $WG_ADDRESS iifname != "lo" fib daddr . iif type != local drop

Although it's very unlikely that it can be an issue in reality, it at least seems to me that --src-type LOCAL does not necessarily imply -i lo. I mean, while the replies could hardly go back to the "original" / initiating host, some host could actually send packets with a source address that is a LOCAL address of this host, and I don't suppose ! --src-type LOCAL will help filter those.

Sorry if this is all a bit too much of a "niche".
Regards,
Tom

From programmerjake at gmail.com Sun Jun 19 06:16:46 2022
From: programmerjake at gmail.com (Jacob Lifshay)
Date: Sat, 18 Jun 2022 23:16:46 -0700
Subject: why not use ktime_get_clocktai_ts64
In-Reply-To:
References:
Message-ID:

On Fri, Jun 17, 2022, 04:56 Jason A. Donenfeld wrote:
>
> Hi Jacob,
>
> On Wed, Jun 15, 2022 at 06:48:08PM -0700, Jacob Lifshay wrote:
> > I was reading in noise.c and noticed you use ktime_get_real_ts64 and
> > do manual adjustments (the current code is broken if/when there's
> > another leap second) rather than using ktime_get_clocktai_ts64 which
> > already handles compensation for leap seconds.
> >
> > https://git.zx2c4.com/wireguard-linux/tree/drivers/net/wireguard/noise.c?id=7fae4596a269d2f9a6a7d1a8695c3a68ab34f7be#n501
> >
> > Is there a reason for that?
>
> Not really I guess. The only requirement, though, is that the timestamps
> are monotonic with respect to the particular localprivate-remotepublic
> pairing of peers. So I'm not sure it matters?

ok. Apparently linux's TAI clock offset is often not set on linux systems,
so that's a good reason not to use it.

Do note that 10s is the wrong offset, the correct value is 37s iirc.

see also (related issue on tai64 crate -- also uses the wrong offset):
https://github.com/RustCrypto/formats/issues/675

Jacob

From alessio.nossa+list at gmail.com Mon Jun 20 20:51:54 2022
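To make the ktime_get_clocktai_ts64 thread above concrete, here is an added example (my own code, not the WireGuard driver's) of the TAI64N handshake timestamp: a Unix/UTC time is shifted by a TAI-UTC offset and written big-endian, so a byte-wise compare orders timestamps and a responder can reject an initiation whose timestamp is not strictly newer than the last one it accepted from that peer. It shows why the 10 s constant is wrong as a TAI value (37 s is the current difference, as Jacob notes) yet harmless for the monotonicity the handshake relies on, as long as the initiator keeps using one offset; switching offsets would move its timestamps by 27 s. The INITIATIONS_PER_SECOND value and the nanosecond rounding mirror what I recall of the driver and are assumptions here, as is the constructed time used in the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAI64N_LEN 12
/* TAI64 label of 1970-01-01 00:00:00 TAI is 2^62 (https://cr.yp.to/libtai/tai64.html). */
#define TAI64_EPOCH_LABEL 0x4000000000000000ULL
/* TAI-UTC difference: 10 s is the value the thread says the driver bakes in;
 * 37 s has been the real difference since the leap second of 2017-01-01. */
#define TAI_UTC_OFFSET_BAKED_IN 10
#define TAI_UTC_OFFSET_CURRENT 37
/* Assumed value of the driver's per-peer initiation rate limit; the nanoseconds
 * field is rounded down to a power-of-two quantum derived from it so that the
 * timestamp does not leak fine-grained clock information. */
#define INITIATIONS_PER_SECOND 50
#define NSEC_PER_SEC 1000000000UL

/* Largest power of two that is <= x (x > 0). */
static uint32_t rounddown_pow_of_two(uint32_t x) {
    uint32_t p = 1;
    while (p <= x / 2) p <<= 1;
    return p;
}

/* Truncate the nanoseconds field to a multiple of the rounding quantum (2^24 ns here). */
uint32_t tai64n_round_nsec(uint32_t nsec) {
    uint32_t quantum = rounddown_pow_of_two(NSEC_PER_SEC / INITIATIONS_PER_SECOND);
    return nsec - (nsec % quantum);
}

/* Encode a UTC (Unix) time as TAI64N: big-endian 64-bit TAI label, then big-endian 32-bit ns. */
void tai64n_encode(int64_t unix_sec, uint32_t nsec, int tai_utc_offset, uint8_t out[TAI64N_LEN]) {
    uint64_t label = TAI64_EPOCH_LABEL + (uint64_t)(unix_sec + tai_utc_offset);
    uint32_t ns = tai64n_round_nsec(nsec);
    for (int i = 0; i < 8; i++) out[i] = (uint8_t)(label >> (56 - 8 * i));
    for (int i = 0; i < 4; i++) out[8 + i] = (uint8_t)(ns >> (24 - 8 * i));
}

/* Read back the 64-bit TAI label from an encoded timestamp. */
uint64_t tai64n_label(const uint8_t in[TAI64N_LEN]) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | in[i];
    return v;
}

/* Both fields are big-endian, so plain memcmp orders timestamps chronologically. */
int tai64n_cmp(const uint8_t a[TAI64N_LEN], const uint8_t b[TAI64N_LEN]) {
    return memcmp(a, b, TAI64N_LEN);
}

/* Replay check: accept (and remember) ts only if it is strictly newer than the latest seen. */
int tai64n_accept(uint8_t latest[TAI64N_LEN], const uint8_t ts[TAI64N_LEN]) {
    if (tai64n_cmp(ts, latest) <= 0) return 0;
    memcpy(latest, ts, TAI64N_LEN);
    return 1;
}

/* Convenience: label of the encoded timestamp for a given instant and offset. */
uint64_t tai64n_label_of(int64_t unix_sec, uint32_t nsec, int tai_utc_offset) {
    uint8_t buf[TAI64N_LEN];
    tai64n_encode(unix_sec, nsec, tai_utc_offset, buf);
    return tai64n_label(buf);
}

/* Sign of comparing the same instant encoded with two different offsets. */
int tai64n_offset_cmp(int64_t unix_sec, int off_a, int off_b) {
    uint8_t a[TAI64N_LEN], b[TAI64N_LEN];
    tai64n_encode(unix_sec, 0, off_a, a);
    tai64n_encode(unix_sec, 0, off_b, b);
    return tai64n_cmp(a, b);
}

/* Constructed sequence: fresh, exact replay, one quantum later, stale. Returns how many pass (2). */
int tai64n_demo_accepted(void) {
    uint8_t latest[TAI64N_LEN] = {0}, ts[TAI64N_LEN];
    const int64_t t = 1655425000; /* constructed: a 2022-06-17 UTC instant */
    int accepted = 0;
    tai64n_encode(t, 0, TAI_UTC_OFFSET_BAKED_IN, ts);        accepted += tai64n_accept(latest, ts);
    tai64n_encode(t, 0, TAI_UTC_OFFSET_BAKED_IN, ts);        accepted += tai64n_accept(latest, ts); /* replay */
    tai64n_encode(t, 16777216, TAI_UTC_OFFSET_BAKED_IN, ts); accepted += tai64n_accept(latest, ts);
    tai64n_encode(t, 5000, TAI_UTC_OFFSET_BAKED_IN, ts);     accepted += tai64n_accept(latest, ts); /* rounds to t.0: stale */
    return accepted;
}

int main(void) {
    int64_t t = 1655425000;
    printf("label(37s) - label(10s) = %llu s\n",
           (unsigned long long)(tai64n_label_of(t, 0, TAI_UTC_OFFSET_CURRENT) - tai64n_label_of(t, 0, TAI_UTC_OFFSET_BAKED_IN)));
    printf("accepted in demo sequence: %d of 4\n", tai64n_demo_accepted());
    return 0;
}
```

The last two calls in the demo sequence are the security-relevant part: the timestamp only has to be strictly increasing per initiator, and rounding the nanoseconds means two initiations inside one 2^24 ns quantum look identical to the responder, which is the intended trade-off against leaking precise clock readings.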
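Returning to Tom Yan's question about the wg-quick firewall rule earlier in this digest: here is an added example (mine, not wg-quick's code) that models the three rule forms from that message against a constructed host and shows on which packets they differ. The "current" rule is written from my memory of wg-quick's `! --src-type LOCAL` form, so treat it as an assumption; the interface names and addresses are constructed. `addrtype --dst-type LOCAL --limit-iface-in` and `fib daddr . iif type local` are modelled as "is the destination address configured on the interface the packet arrived on"; plain `--src-type LOCAL` / `fib saddr type local` as "is the source address configured anywhere on this host".

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS 2
struct iface { const char *name; const char *addrs[MAX_ADDRS]; };
struct host { const struct iface *ifaces; int n; };
struct pkt { const char *iif; const char *saddr; const char *daddr; };

static const char *WG_IF = "wg0";
static const char *WG_ADDR = "10.0.0.2";

/* Constructed host: loopback, one public interface, and the WireGuard interface. */
static const struct iface DEMO_IFACES[] = {
    { "lo",   { "127.0.0.1", NULL } },
    { "eth0", { "203.0.113.10", NULL } },
    { "wg0",  { "10.0.0.2", NULL } },
};
static const struct host DEMO_HOST = { DEMO_IFACES, 3 };

static bool addr_on_iface(const struct iface *ifc, const char *addr) {
    for (int j = 0; j < MAX_ADDRS; j++)
        if (ifc->addrs[j] && strcmp(ifc->addrs[j], addr) == 0) return true;
    return false;
}

/* addrtype LOCAL --limit-iface-in / fib <addr> . iif type local: local on the ingress interface. */
static bool addr_local_on(const struct host *h, const char *addr, const char *iif) {
    for (int i = 0; i < h->n; i++)
        if (strcmp(h->ifaces[i].name, iif) == 0 && addr_on_iface(&h->ifaces[i], addr)) return true;
    return false;
}

/* addrtype LOCAL / fib <addr> type local: configured on any interface of this host. */
static bool addr_local(const struct host *h, const char *addr) {
    for (int i = 0; i < h->n; i++)
        if (addr_on_iface(&h->ifaces[i], addr)) return true;
    return false;
}

/* Rule A (assumed current wg-quick form):
 *   ! -i $WG_IF -d $WG_ADDR -m addrtype ! --src-type LOCAL -j DROP */
bool rule_current_drops(const struct host *h, const struct pkt *p) {
    return strcmp(p->iif, WG_IF) != 0 && strcmp(p->daddr, WG_ADDR) == 0 && !addr_local(h, p->saddr);
}

/* Rule B (Tom's nft suggestion):
 *   ip daddr $WG_ADDRESS iifname != { "lo", "$WG_INTERFACE" } drop */
bool rule_iifname_drops(const struct pkt *p) {
    return strcmp(p->daddr, WG_ADDR) == 0 && strcmp(p->iif, "lo") != 0 && strcmp(p->iif, WG_IF) != 0;
}

/* Rule C (Tom's iptables/nft pair):
 *   -d $WG_ADDRESS ! -i lo -m addrtype ! --dst-type LOCAL --limit-iface-in -j DROP
 *   ip daddr $WG_ADDRESS iifname != "lo" fib daddr . iif type != local drop */
bool rule_limit_iface_drops(const struct host *h, const struct pkt *p) {
    return strcmp(p->daddr, WG_ADDR) == 0 && strcmp(p->iif, "lo") != 0 && !addr_local_on(h, p->daddr, p->iif);
}

/* Bitmask of which rules drop the packet: bit 0 = A, bit 1 = B, bit 2 = C. */
int verdicts(const char *iif, const char *saddr, const char *daddr) {
    struct pkt p = { iif, saddr, daddr };
    return (rule_current_drops(&DEMO_HOST, &p) ? 1 : 0)
         | (rule_iifname_drops(&p) ? 2 : 0)
         | (rule_limit_iface_drops(&DEMO_HOST, &p) ? 4 : 0);
}

int main(void) {
    const struct pkt cases[] = {
        { "eth0", "198.51.100.7", "10.0.0.2" },   /* outside host aiming at the wg address via eth0 */
        { "wg0",  "10.0.0.1",     "10.0.0.2" },   /* legitimate traffic through the tunnel */
        { "eth0", "203.0.113.10", "10.0.0.2" },   /* Tom's case: source forged as one of our own addresses */
        { "lo",   "10.0.0.2",     "10.0.0.2" },   /* locally generated */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int v = verdicts(cases[i].iif, cases[i].saddr, cases[i].daddr);
        printf("iif=%-5s saddr=%-14s daddr=%-12s A:%s B:%s C:%s\n", cases[i].iif, cases[i].saddr, cases[i].daddr,
               v & 1 ? "drop" : "pass", v & 2 ? "drop" : "pass", v & 4 ? "drop" : "pass");
    }
    return 0;
}
```

The third case is the gap Tom describes: a packet that reaches the host's WireGuard address over the public interface with a forged local source address is not matched by `! --src-type LOCAL`, while both of his proposed forms drop it because they key on the ingress interface rather than on the source address.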
From: alessio.nossa+list at gmail.com (Alessio Nossa)
Date: Mon, 20 Jun 2022 22:51:54 +0200
Subject: Bug restarting WireGuard using launchd on macOS
Message-ID:

Hello,

I am running WireGuard (installed with wireguard-tools, using HomeBrew) on
macOS 12.4, launched using launchd. All works fine until I try to restart
it, always with launchd.

When the WireGuard interface is restarted, it looks like it crashes/gets
deactivated immediately: if I run 'wg show' nothing is displayed, but on
the "server" peer I can see that the "Latest handshake" reports the time
elapsed since the last "com.example.wg.restartWg.plist" execution.

The launchd configurations, which I saved at "/Library/LaunchDaemons/", are
available at https://gist.github.com/alessionossa/78f69b9451a130240e2057acbd4eb7f8

The log at "/tmp/com.example.wg.restartWg.err" is

06/20/22 21:51:18
[+] Interface for wg1 is utun0
[#] rm -f /var/run/wireguard/utun0.sock
[#] rm -f /var/run/wireguard/wg1.name
--- Restarting... ---
[#] wireguard-go utun
[+] Interface for wg1 is utun0
[#] wg setconf utun0 /dev/fd/63
[#] ifconfig utun0 inet 10.181.0.5/32 10.181.0.5 alias
[#] ifconfig utun0 up
[#] route -q -n add -inet 10.181.0.3/32 -interface utun0
[#] route -q -n add -inet 10.181.0.254/32 -interface utun0
[#] route -q -n add -inet 10.181.0.11/32 -interface utun0
[+] Backgrounding route monitor
--- Restarted! ---
06/20/22 21:56:20
wg-quick: `wg1' is not a WireGuard interface
--- Restarting... ---
[#] wireguard-go utun
[+] Interface for wg1 is utun0
[#] wg setconf utun0 /dev/fd/63
[#] ifconfig utun0 inet 10.181.0.5/32 10.181.0.5 alias
[#] ifconfig utun0 up
[#] route -q -n add -inet 10.181.0.3/32 -interface utun0
[#] route -q -n add -inet 10.181.0.254/32 -interface utun0
[#] route -q -n add -inet 10.181.0.11/32 -interface utun0
[+] Backgrounding route monitor

If some more information is needed to debug the issue, I am available.

Best regards,
Alessio Nossa

From frank at deze.org Sun Jun 26 17:51:44 2022
From: frank at deze.org (Frank Volf)
Date: Sun, 26 Jun 2022 19:51:44 +0200
Subject: [ANNOUNCE] wireguard-freebsd snapshot v0.0.20220615 is available
In-Reply-To: <20220615141140.96557C3411C@smtp.kernel.org>
References: <20220615141140.96557C3411C@smtp.kernel.org>
Message-ID: <672909d9-560f-3e83-3c9b-e3d69e8e70fa@deze.org>

Hi,

I have tested this snapshot on my setup for 10 days now and it works
perfectly without any problems. My setup is fairly simple: a central VPN
server (FreeBSD 13.1), two servers on branch sites (each behind NAT) and a
mobile Android client. The VPNs are used for management-type activities,
so there are no high bandwidth or low latency requirements. So I'm not
sure if this setup is representative enough, but I'm happy with how it
behaves.

There is one small feature that I would like to see: my central server has
multiple public IP addresses and sometimes WireGuard needs to initiate a
connection to one of the branch servers. Unfortunately, there is no way to
specify which source address to use for that. Currently it appears to use
a random IP address from the outgoing interface (mostly the first IP
address configured on the external interface). I would like to see the
option to specify the IP address to be used for outgoing connections; that
would be much more convenient when you have to deal with upstream
firewalls. Not sure if this is a difficult thing to implement, but I would
love to have it.

Anyway, thanks for all the work you guys did on this great product!!!

Kind regards,

Frank

On 15-6-2022 at 16:11, Jason A. Donenfeld wrote:
> Hi,
>
> An experimental snapshot, v0.0.20220615, of WireGuard for FreeBSD has
> been tagged in the git repository.
>
> At this time this code is new, unvetted, possibly buggy, and should be
> considered "experimental". It might contain security issues.
> We gladly welcome your testing and bug reports, but do keep in mind that
> this code is new, so some caution should be exercised at the moment for
> using it in mission critical environments.
>
> == Changes ==
>
>   * ci: add FreeBSD 12.3 and 13.1
>   * compat: update version to handle sbcreatecontrol() changes
>
>   More fixes to the compat layer.
>
>   * wg_noise: import hmac from crypto
>   * crypto: inline blake2s convenience function
>
>   A few crypto cleanups.
>
> This snapshot contains commits from: Jason A. Donenfeld, Joseph Mingrone,
> and Ed Maste.
>
> The source repository is available at the usual location:
>   git clone https://git.zx2c4.com/wireguard-freebsd
>
> This snapshot is available in compressed tarball form:
>   https://git.zx2c4.com/wireguard-freebsd/snapshot/wireguard-freebsd-0.0.20220615.tar.xz
>   SHA2-256: ad6c42d20a7c0ad2989e729dd41ea5a6a019426b762dfd0c6417e340935cca82
>
> Thank you,
> Jason Donenfeld