Wireguard setup with SIP
Rick van Rein
rick at openfortress.nl
Wed Oct 19 09:29:54 UTC 2022
Hello all,
I would like to tell you about some work I'm doing to allow
Wireguard sites to negotiate their setup over SIP. This can
even be used to spontaneously setup VPNs with new parties, to
the level that their SIP server is open to such requests.
The standard session setup and teardown is used, INVITE and BYE.
Given the right SDP formulation, these can exchange the params
for the tunnel; this is what I am sending in the current version,
v=0
o=- 4124031101 285260646 IN IP6 2001:db8:666::666
s=-
c=IN IP6 2001:db8:666::666
t=0 0
m=application 57660 udp vnd.wireguard
a=fmtp:vnd.wireguard pubkey=YWl42m1t56sMAYKwGZUQZNuYG+AbdW9eE7KLj3KBT1M=;prefix=2001:db8:456:1::/64;pskmth=none
a=sendrecv
The traffic should be authenticated; for that I want to validate
the From: and To: SIP headers using SASL, possibly with mutual
authentication and possibly with key derivation (then set pskmth
to a suitable value).
I'm curious how you feel about this!
In the SDP fragment above, I mentioned application/vnd.wireguard
as a Media Type; these are best registered with IANA. In this
application (and probably any other) this could represent the
message flow as it is encapsulated into UDP.
Would you agree on registering such a Media Type with IANA?
I don't care who does it, but it would be the proper course of
action.
Code, SIP achieves Wireguard setup within localhost:
https://gitlab.com/0cpm/subliminal/-/blob/master/src/wgsip.c
Man page:
https://gitlab.com/0cpm/subliminal/-/blob/master/doc/man/wgsip.1
SASL for SIP and HTTP:
https://www.ietf.org/archive/id/draft-vanrein-sipauth-sasl-01.html
https://www.ietf.org/archive/id/draft-vanrein-httpauth-sasl-07.html
Context:
The code arose as part of a project "Subliminal Messaging" that injects
digital data into a POTS/VoIP call mixture. The idea is that phone
calls would be *one* possible method for Wireguard setup, but the same
idea would also work over
Thanks,
-Rick
RFC 6838 says:
The "application" top-level type is to be used for discrete data that
do not fit under any of the other type names, and particularly for
data to be processed by some type of application program. This is
information that must be processed by an application before it is
viewable or usable by a user.
...
The vendor tree is used for media types associated with publicly
available products. "Vendor" and "producer" are construed very
broadly in this context and are considered equivalent. Note that
industry consortia as well as non-commercial entities that do not
qualify as recognized standards-related organizations can quite
appropriately register media types in the vendor tree.
...
Vendor-tree registrations will be distinguished by the leading facet
"vnd.". That may be followed, at the discretion of the registrant,
by either a media subtype name from a well-known producer (e.g.,
"vnd.mudpie") or by an IANA-approved designation of the producer's
name that is followed by a media type or product designation (e.g.,
vnd.bigcompany.funnypictures).
While public exposure and review of media types to be registered in
the vendor tree are not required, using the media-types at iana.org
mailing list for review is encouraged, to improve the quality of
those specifications. Registrations in the vendor tree may be
submitted directly to the IANA, where they will undergo Expert Review
[RFC5226] prior to approval.
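The SDP formulation in the post, as an added example that is not part of the original message or of the wgsip code: a small Python parser and builder for the m=application ... udp vnd.wireguard media description. It turns the posted fragment into the [Peer] section a wg-quick configuration would need and rejects a public key that is not 32 bytes, a malformed prefix, or a c= line whose address type does not match its address. The parameter names pubkey, prefix and pskmth are taken from the posted a=fmtp line; the strictness rules, the [Peer] rendering and the refusal of any pskmth other than none are this example's own assumptions.

```python
"""Parse and build the SDP media description that carries WireGuard tunnel
parameters in a SIP INVITE.  Example code written for this page, not the
wgsip project's code.  Assumed: pubkey/prefix/pskmth as in the posted SDP;
the [Peer] rendering and all validation rules are this example's choices."""
import base64
import ipaddress
from dataclasses import dataclass

# The SDP fragment from the post, embedded here as constructed test input.
POSTED_OFFER = (
    "v=0\r\n"
    "o=- 4124031101 285260646 IN IP6 2001:db8:666::666\r\n"
    "s=-\r\n"
    "c=IN IP6 2001:db8:666::666\r\n"
    "t=0 0\r\n"
    "m=application 57660 udp vnd.wireguard\r\n"
    "a=fmtp:vnd.wireguard pubkey=YWl42m1t56sMAYKwGZUQZNuYG+AbdW9eE7KLj3KBT1M="
    ";prefix=2001:db8:456:1::/64;pskmth=none\r\n"
    "a=sendrecv\r\n"
)


@dataclass
class WgSdpPeer:
    addr: str    # c= address: the peer's WireGuard endpoint host
    port: int    # m= port: the peer's WireGuard UDP port
    pubkey: str  # base64 Curve25519 public key from a=fmtp
    prefix: str  # prefix the peer will source traffic from (-> AllowedIPs)
    pskmth: str  # preshared-key method; only "none" is handled here


def _parse_conn(value):
    """Validate 'IN IP4|IP6 <addr>' and return the normalised address."""
    nettype, addrtype, addr = value.split()
    if nettype != "IN" or addrtype not in ("IP4", "IP6"):
        raise ValueError("unsupported c= line: " + value)
    ip = ipaddress.ip_address(addr)
    if (ip.version == 6) != (addrtype == "IP6"):
        raise ValueError("c= addrtype does not match address " + addr)
    return str(ip)


def parse_wg_sdp(sdp):
    """Return the WireGuard peer parameters from an SDP offer or answer.

    Only the first m=application ... udp vnd.wireguard section is used; a
    session-level c= applies unless that media section carries its own."""
    conn, port, fmtp, in_wg = None, None, None, False
    for raw in sdp.splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        if len(line) < 2 or line[1] != "=":
            raise ValueError("malformed SDP line: " + line)
        key, value = line[0], line[2:]
        if key == "m":
            f = value.split()
            in_wg = (port is None and len(f) == 4 and f[0] == "application"
                     and f[2] == "udp" and f[3] == "vnd.wireguard")
            if in_wg:
                port = int(f[1])
        elif key == "c" and (conn is None or in_wg):
            conn = _parse_conn(value)
        elif key == "a" and in_wg and value.startswith("fmtp:vnd.wireguard "):
            fmtp = {}
            for param in value[len("fmtp:vnd.wireguard "):].split(";"):
                if "=" not in param:
                    raise ValueError("fmtp parameter without value: " + param)
                name, val = param.split("=", 1)
                fmtp[name] = val
    if conn is None or port is None or fmtp is None:
        raise ValueError("no complete vnd.wireguard media description")
    for required in ("pubkey", "prefix", "pskmth"):
        if required not in fmtp:
            raise ValueError("fmtp is missing " + required)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    # binascii.Error (a ValueError subclass) on bad base64; then check length.
    if len(base64.b64decode(fmtp["pubkey"], validate=True)) != 32:
        raise ValueError("pubkey is not a 32-byte Curve25519 key")
    prefix = str(ipaddress.ip_network(fmtp["prefix"], strict=True))
    return WgSdpPeer(conn, port, fmtp["pubkey"], prefix, fmtp["pskmth"])


def to_wg_peer_section(peer):
    """Render a parsed offer as the [Peer] block for a wg-quick config.
    AllowedIPs is exactly the offered prefix: the peer gets no wider route."""
    if peer.pskmth != "none":
        raise NotImplementedError("pskmth %r not handled here" % peer.pskmth)
    host = "[%s]" % peer.addr if ":" in peer.addr else peer.addr
    return ("[Peer]\nPublicKey = %s\nAllowedIPs = %s\nEndpoint = %s:%d\n"
            % (peer.pubkey, peer.prefix, host, peer.port))


def build_wg_sdp(addr, port, pubkey, prefix, pskmth="none", sess_id=1, ver=1):
    """Build the local side's SDP (offer in INVITE, or answer in 200 OK)."""
    ip = ipaddress.ip_address(addr)
    addrtype = "IP6" if ip.version == 6 else "IP4"
    return "\r\n".join([
        "v=0",
        "o=- %d %d IN %s %s" % (sess_id, ver, addrtype, ip),
        "s=-",
        "c=IN %s %s" % (addrtype, ip),
        "t=0 0",
        "m=application %d udp vnd.wireguard" % port,
        "a=fmtp:vnd.wireguard pubkey=%s;prefix=%s;pskmth=%s" % (pubkey, prefix, pskmth),
        "a=sendrecv",
    ]) + "\r\n"


if __name__ == "__main__":
    print(to_wg_peer_section(parse_wg_sdp(POSTED_OFFER)))
```

The prefix from the offer goes into AllowedIPs unchanged, so a peer can only claim what it put in its own SDP; whether the local side should accept that prefix from that peer is a policy decision tied to the authenticated From: and To: identities the post wants SASL to establish, and it sits outside this parser.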