[PATCH] wg: Allow config to read private key from file

dxld at darkboxed.org
Mon Nov 21 13:28:55 UTC 2022


Hi Michael,

On Mon, Nov 21, 2022 at 09:31:41AM +0300, Michael Tokarev wrote:
> 21.11.2022 01:46, Daniel Gröber wrote:
> > Using this new option the interface configs can be much easier to deploy in
> > an automated fashion as they don't contain secrets anymore. The private key
> > can easily be provisioned out of band or using a one-time provisioning step
> > instead.
> 
> This is definitely a very welcome option in my PoV.
> 
> Add my
> Signed-off-by: Michael Tokarev <mjt at tls.msk.ru>

I think you mean Reviewed-By? Speaking of which I actually forgot the
signoff myself. Doh.

Is Reviewed-By something we do here? I can't find a single such tag with
`git log --grep Reviewed-By`. I appreciate the positive response nonetheless
though :)

> > Before this patch we were using a neat hack: it's possible to simply omit
> > PrivateKey= and set it using PostUp= wg set %i private-key /some/file.
> 
> Well, this isn't really neat, it is a hackish workaround for the missing
> functionality ;)

It does work surprisingly well though :D. I just re-set the private-key
after syncconf now, which definitely ought to lose some traffic but it
works at least ;)

> On a side note, almost a year ago I sent a patch for wg utility to recognize
> and discard some keywords which are processed by wg-quick script - like,
> Address=. This way, there's no need to pre-process the config file anymore,
> and in order to recognize more peers, one doesn't have to restart the
> tunnel interface, instead, a regular wg syncconf wgif.conf is sufficient,
> and many things can be simplified too (removing the preprocessing).

Ok I think I found your patch[1]. So we did actually independently come up
with the idea of PrivateKeyFile, interesting. Also you support PresharedKey
too. I realised I forgot that one right after sending the patch obv. ;)
I'll send a v2 for that soon.

[1]: https://lists.zx2c4.com/pipermail/wireguard/2021-January/006346.html

As for ignoring the wg-quick options, I'm not sure what's the right way to
go there. I don't find the wg-quick strip approach toooo taxing but it sure
would be more convenient to just call one tool.

> I've never got any reply for these patches.

I have another patch pending for a longish while as well "wg: Support
restricting address family of DNS resolved Endpoint". IMO you should have
just resent your series every couple of months :)

--Daniel
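The workaround discussed in this thread (a wg-quick config with no PrivateKey= line, the key applied with `wg set` after `wg syncconf`), written up as an added deploy script; this is not the patch under review nor code from the WireGuard project. It assumes bash on Linux with GNU coreutils `stat`, and that `wg` and `wg-quick` are installed for the final apply step; the key-file contents below are a constructed placeholder that only exercises the format check.

```shell
#!/bin/bash
# Deploy a secret-free wg-quick config: the private key lives in its own
# 0600 file and is pushed with `wg set` after `wg syncconf`, so the config
# itself can be shipped by automation without containing the secret.
set -eu

# Return 0 if the config still embeds the secret inline (PrivateKey = ...).
config_has_inline_key() {
  grep -Eq '^[[:space:]]*PrivateKey[[:space:]]*=' "$1"
}

# Return 0 only for a regular file, mode 0600 or 0400, holding one
# base64 WireGuard key (32 bytes -> 43 chars plus a trailing '=').
keyfile_ok() {
  f=$1
  [ -f "$f" ] || return 1
  mode=$(stat -c %a "$f")          # GNU stat: numeric mode, e.g. 600
  case "$mode" in 600|400) ;; *) return 1 ;; esac
  key=$(head -n1 "$f")
  printf '%s' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# apply_config <iface> <wg-quick conf> <private key file>
# Refuses inline secrets and loose key-file permissions, then does the
# syncconf + set private-key sequence the thread describes.
apply_config() {
  ifc=$1 conf=$2 key=$3
  if config_has_inline_key "$conf"; then
    echo "refusing: $conf embeds PrivateKey= inline" >&2
    return 1
  fi
  if ! keyfile_ok "$key"; then
    echo "refusing: $key missing, too permissive or not a key" >&2
    return 1
  fi
  # wg-quick strip drops the wg-quick-only keys (Address=, PostUp=, ...)
  # so wg(8) accepts the file; the key is re-set right after syncconf.
  wg syncconf "$ifc" <(wg-quick strip "$conf")
  wg set "$ifc" private-key "$key"
}
```

Run as `apply_config wg0 /etc/wireguard/wg0.conf /etc/wireguard/wg0.key` from a root shell once the key file has been provisioned out of band.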