* add/remove a peer
From: ST @ 2018-03-24 19:32 UTC (permalink / raw)
  To: WireGuard mailing list

Hello,

I'm learning WireGuard and have a question regarding adding/removing a
peer.

Is there something like:

1) wg add peer ABCDEF... allowed-ips 192.168.88.0/24 endpoint
209.202.254.14:8172

and by default, if some (or all) values are not provided, WG will generate
them on its own. E.g. if an IP is not provided, it will scan all known IPs
and choose a new one (with /32) from the range that was mentioned with the
`ip address add dev wg0` command. This way the system administrator doesn't
have to choose IPs manually for new clients (doing so manually is
boring, time-consuming and error-prone). The same for the keys: the
server will generate the pair of keys; the public key (together with the
new IP) it keeps for itself to set up the new peer/client, and the private
key together with 0.0.0.0/0 (or the range mentioned with the `ip address add
dev wg0` command) it prints as output to be used for setting up a new client.

So adding a new client on the server could look like this:

wg add peer persistent-keepalive 25 endpoint vpn0.example.org:22000 > wg0.conf

Where wg0.conf will look like:

[Interface]
PrivateKey = ui4AN....AbhwcvHWo=
ListenPort = 22000

[Peer]
PublicKey = ViCKc...gQp43rp7BHM=
AllowedIPs = 10.0.0.0/8
Endpoint = vpn0.example.org:22000
PersistentKeepalive = 25

wg0.conf can now be encrypted, let's say with PGP, and sent to the new
client to be placed under /etc/wireguard/wg0.conf. Super easy even for
not-so-tech-savvy folks...

2) similar for removing clients:

wg rm peer ABCDEF...
or
wg rm peer allowed-ips 192.168.88.4/32

Is this implemented already or should I file it as a feature request
somewhere? (if so - where?)

Thank you!


* Re: add/remove a peer
From: Wang Jian @ 2018-03-25 16:43 UTC (permalink / raw)
  To: ST; +Cc: WireGuard mailing list

2018-03-25 3:32 GMT+08:00 ST <smntov@gmail.com>:
> Hello,
>
> I'm learning WireGuard and have a question regarding adding/removing a
> peer.
>
> Is there something like:
>
> 1) wg add peer ABCDEF... allowed-ips 192.168.88.0/24 endpoint
> 209.202.254.14:8172


>
> 2) similar for removing clients:
>
> wg rm peer ABCDEF...
> or
> wg rm peer allowed-ips 192.168.88.4/32
>
> Is this implemented already or should I file it as a feature request
> somewhere? (if so - where?)
>

You should already have read the man pages (man wg).

for adding a peer
# wg set wg0 peer peer_pubkey allowed-ips 192.168.88.4/32 endpoint 209.202.254.14:8172

for removing a peer
# wg set wg0 peer peer_pubkey remove


* Re: add/remove a peer
From: ST @ 2018-03-25 17:57 UTC (permalink / raw)
  To: Wang Jian; +Cc: WireGuard mailing list

On Mon, 2018-03-26 at 00:43 +0800, Wang Jian wrote:
> 2018-03-25 3:32 GMT+08:00 ST <smntov@gmail.com>:
> > Hello,
> >
> > I'm learning WireGuard and have a question regarding adding/removing a
> > peer.
> >
> > Is there something like:
> >
> > 1) wg add peer ABCDEF... allowed-ips 192.168.88.0/24 endpoint
> > 209.202.254.14:8172
> 
> 
> >
> > 2) similar for removing clients:
> >
> > wg rm peer ABCDEF...
> > or
> > wg rm peer allowed-ips 192.168.88.4/32
> >
> > Is this implemented already or should I file it as a feature request
> > somewhere? (if so - where?)
> >
> 
> You should already have read the man pages (man wg).
> 
> for adding a peer
> # wg set wg0 peer peer_pubkey allowed-ips 192.168.88.4/32 endpoint 209.202.254.14:8172

I want WG (the server) to assign an IP to a peer *automatically* if
allowed-ips is not provided when running `wg set wg0 peer`, and then
output it to STDOUT so it can be passed to the peer (client). The same
can be done if the peer's public key is not provided.
This would make the addition of new peers (clients) much easier, both for
sysadmins and for non-tech-savvy clients (the latter will get a ready-made
wg0.conf file that they need to save to /etc/wireguard/, and all
they need to do is `wg-quick up wg0`. That's it.)

I don't think it is implemented...

Mr. Donenfeld - would this qualify as a feature request?

Thank you!


* Re: add/remove a peer
From: ST @ 2018-03-25 18:10 UTC (permalink / raw)
  To: Wang Jian; +Cc: WireGuard mailing list


On Mon, 2018-03-26 at 00:43 +0800, Wang Jian wrote:
> 2018-03-25 3:32 GMT+08:00 ST <smntov@gmail.com>:
> > Hello,
> >
> > I'm learning WireGuard and have a question regarding adding/removing a
> > peer.
> >
> > Is there something like:
> >
> > 1) wg add peer ABCDEF... allowed-ips 192.168.88.0/24 endpoint
> > 209.202.254.14:8172
> 
> 
> >
> > 2) similar for removing clients:
> >
> > wg rm peer ABCDEF...
> > or
> > wg rm peer allowed-ips 192.168.88.4/32
> >
> > Is this implemented already or should I file it as a feature request
> > somewhere? (if so - where?)
> >
> 
> You should already have read the man pages (man wg).
> 
> for adding a peer
> # wg set wg0 peer peer_pubkey allowed-ips 192.168.88.4/32 endpoint 209.202.254.14:8172

I want WG (the server) to assign an IP to a peer *automatically* if
allowed-ips is not provided when running `wg set wg0 peer`, and then
output it to STDOUT so it can be passed to the peer (client). The same
can be done if the peer's public key is not provided.
This would make the addition of new peers (clients) much easier, both for
sysadmins and for non-tech-savvy clients (the latter will get a ready-made
wg0.conf file that they need to save to /etc/wireguard/, and all
they need to do is `wg-quick up wg0`. That's it.)

I don't think it is implemented...

Mr. Donenfeld - would this qualify as a feature request?

Thank you!

PS: if you have over 100 peers it is a bit of a headache to find a free IP
when adding a new peer. There is no reason WG could not scan through the IPs
it already knows, choose a free one, assign it in its own config file
and print it out for passing to the remote peer...


* Re: add/remove a peer
From: Kalin KOZHUHAROV @ 2018-03-25 19:17 UTC (permalink / raw)
  To: ST; +Cc: WireGuard mailing list

On Sun, Mar 25, 2018 at 8:10 PM, ST <smntov@gmail.com> wrote:
> PS: if you have over 100 peers it is a bit of a headache to find a free IP
> when adding a new peer. There is no reason WG could not scan through the IPs
> it already knows, choose a free one, assign it in its own config file
> and print it out for passing to the remote peer...
>
There is a reason, at least one good one: it is called simplicity.
It is also hard to work when you are running out of disk space or
memory; do you expect WG to solve that for you?
Simply put, IP addressing schemes are not a part of WG, nor a requirement.
There are many ways to use WG and "assign a random, free IP address and
send it to a new peer" is too specific of a use case.

Maybe you can cobble up something with a DHCP server that cares about a
certain address range?
Or a simple flat-file DB and a script that does it for you?

What happens when you run out of addresses?
How do you re-assign an IP address to a new peer?
...
Those are questions widely outside WG, IMHO.

Cheers,
Kalin.


* Re: add/remove a peer
From: Roman Mamedov @ 2018-03-25 19:42 UTC (permalink / raw)
  To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list

On Sun, 25 Mar 2018 21:17:35 +0200
Kalin KOZHUHAROV <me.kalin@gmail.com> wrote:

> There is a reason, at least one good one: it is called simplicity.
> It is also hard to work when you are running out of disk space or
> memory; do you expect WG to solve that for you?
> Simply put, IP addressing schemes are not a part of WG, nor a requirement.
> There are many ways to use WG and "assign a random, free IP address and
> send it to a new peer" is too specific of a use case.
> 
> Maybe you can cobble up something with a DHCP server that cares about a
> certain address range?
> Or a simple flat-file DB and a script that does it for you?
> 
> What happens when you run out of addresses?
> How do you re-assign an IP address to a new peer?
> ...
> Those are questions widely outside WG, IMHO.

Agreed.

One more idea that comes to mind is to use IPv6 and assign IPs based on peer
public keys. Assuming a fixed /64 subnet, using a 64-bit half of the public
key for the host part still makes collisions nearly impossible.

-- 
With respect,
Roman

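Roman's key-derived IPv6 scheme above, as an added example that is not part of the thread: the host part of a fixed /64 is taken from the first 8 bytes of the peer's public key, so no free-IP bookkeeping is needed. The ULA prefix and the sample key (base64 of the bytes 0x00..0x1f, not a real WireGuard key) are constructed placeholders.

```python
import base64
import ipaddress

# Constructed sample: base64 of the bytes 0x00..0x1f, shaped like a WireGuard
# public key (32 bytes) but not a real one.
SAMPLE_PUBKEY = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="
# Constructed ULA prefix; any fixed /64 works for this scheme.
SAMPLE_PREFIX = "fd00:1234:5678:9abc::/64"


def ipv6_from_pubkey(pubkey_b64, prefix_cidr):
    """Derive a peer's tunnel address: fixed /64 prefix + first 8 key bytes.

    The host part is a function of the key alone, so the same peer always
    gets the same address. An accidental collision needs two keys sharing
    their first 64 bits, but a peer chooses its own key, so still check that
    the derived address is not already assigned before adding the peer.
    """
    prefix = ipaddress.IPv6Network(prefix_cidr, strict=True)
    if prefix.prefixlen != 64:
        raise ValueError("scheme needs exactly a /64 prefix")
    raw = base64.b64decode(pubkey_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard public keys are 32 bytes")
    host_bits = int.from_bytes(raw[:8], "big")
    return ipaddress.IPv6Address(int(prefix.network_address) | host_bits)


def peer_allowed_ips(pubkey_b64, prefix_cidr):
    """The AllowedIPs entry that pins this peer to its derived /128."""
    return f"{ipv6_from_pubkey(pubkey_b64, prefix_cidr)}/128"


if __name__ == "__main__":
    print(peer_allowed_ips(SAMPLE_PUBKEY, SAMPLE_PREFIX))
```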

* Re: add/remove a peer
From: ST @ 2018-03-26 15:13 UTC (permalink / raw)
  To: Kalin KOZHUHAROV; +Cc: WireGuard mailing list

On Sun, 2018-03-25 at 21:17 +0200, Kalin KOZHUHAROV wrote:
> On Sun, Mar 25, 2018 at 8:10 PM, ST <smntov@gmail.com> wrote:
> > PS: if you have over 100 peers it is a bit of a headache to find a free IP
> > when adding a new peer. There is no reason WG could not scan through the IPs
> > it already knows, choose a free one, assign it in its own config file
> > and print it out for passing to the remote peer...
> >
> There is a reason, at least one good one: it is called simplicity.
> It is also hard to work when you are running out of disk space or
> memory; do you expect WG to solve that for you?

They are not related to WG at all.

> Simply put, IP addressing schemes are not a part of WG, nor a requirement.
> There are many ways to use WG and "assign a random, free IP address and
> send it to a new peer" is too specific of a use case.

No, sending to a peer is not what I asked, only assigning a random free IP
if none is provided to `wg set peer ...`. That's it. Only locally and
only internally. No key distribution schemes or anything. How to send
it to the new peer is the problem of the sysadmin. Could be via
encrypted email/https or whatever.

> What happens when you run out of addresses?

You just give an error message "no more IPs are available, make one free
or choose another IP range!"

> How do you re-assign an IP address to a new peer?

You delete the [Peer] with that IP from the .conf file (or `wg set wg0
peer peer_pubkey remove`) and then `wg set peer allowed-ips
old.ip.to.reassign/32 ...`

Thank you!


* Re: add/remove a peer
From: Luis Ressel @ 2018-03-26 18:46 UTC (permalink / raw)
  To: ST; +Cc: WireGuard mailing list

Hello,

Low-level tools such as wg aren't the right place for the "automagic"
features you're suggesting. wg should have simple, bugproof code and
behave reliably and predictably so that it can serve as a solid
foundation for all sorts of high-level scripts.

Of course, this doesn't mean your suggested features would be useless
-- they just don't belong in the same binary as the low-level stuff.
Build a script to handle the boring IP assignments for you, and if you
believe it might be useful to others, by all means publish it!

Cheers,
Luis

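The script Kalin and Luis suggest (a flat-file style helper outside wg that does the IP bookkeeping), as an added example that is not part of the thread: it parses the output of `wg show wg0 allowed-ips` (assumed here to be one peer per line: public key, a tab, then space-separated AllowedIPs, or "(none)"), picks the lowest unused host in a pool, and builds the `wg set` command. The sample output, keys and pool are constructed.

```python
import ipaddress

# Constructed sample of `wg show wg0 allowed-ips` output: one peer per line,
# public key, a tab, then the space-separated AllowedIPs ("(none)" if empty).
# The keys are placeholders, not real WireGuard keys.
SAMPLE_ALLOWED_IPS = (
    "PEER1_PUBKEY_PLACEHOLDER=\t10.0.0.2/32\n"
    "PEER2_PUBKEY_PLACEHOLDER=\t10.0.0.3/32 192.168.88.0/24\n"
    "PEER3_PUBKEY_PLACEHOLDER=\t(none)\n"
)


def allowed_networks(allowed_ips_output):
    """Parse `wg show <iface> allowed-ips` output into a list of networks."""
    nets = []
    for line in allowed_ips_output.splitlines():
        _pubkey, _tab, cidrs = line.partition("\t")
        for cidr in cidrs.split():
            if cidr != "(none)":
                nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def next_free_ip(allowed_ips_output, pool_cidr, reserved=()):
    """Lowest host in the pool not covered by any peer's AllowedIPs or reserved.

    Returns None when the pool is exhausted; the caller should report that
    ("no more IPs are available") rather than reuse an address that is still
    routed to an existing peer.
    """
    pool = ipaddress.ip_network(pool_cidr)
    nets = [n for n in allowed_networks(allowed_ips_output) if n.overlaps(pool)]
    taken = {ipaddress.ip_address(r) for r in reserved}
    for host in pool.hosts():
        if host in taken or any(host in n for n in nets):
            continue
        return host
    return None


def wg_set_peer_command(iface, pubkey, ip):
    """Build the argv for `wg set` that pins the new peer to its /32."""
    return ["wg", "set", iface, "peer", pubkey, "allowed-ips", f"{ip}/32"]


if __name__ == "__main__":
    ip = next_free_ip(SAMPLE_ALLOWED_IPS, "10.0.0.0/24", reserved=["10.0.0.1"])
    if ip is None:
        raise SystemExit("no more IPs are available, free one or choose another range")
    print(" ".join(wg_set_peer_command("wg0", "NEW_PEER_PUBKEY_PLACEHOLDER=", ip)))
```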

* Re: add/remove a peer
From: ST @ 2018-03-26 19:48 UTC (permalink / raw)
  To: Luis Ressel; +Cc: WireGuard mailing list

On Mon, 2018-03-26 at 20:46 +0200, Luis Ressel wrote:
> Hello,
> 
> Low-level tools such as wg aren't the right place for the "automagic"
> features you're suggesting. wg should have simple, bugproof code and
> behave reliably and predictably so that it can serve as a solid
> foundation for all sorts of high-level scripts.
> 
> Of course, this doesn't mean your suggested features would be useless
> -- they just don't belong in the same binary as the low-level stuff.
> Build a script to handle the boring IP assignments for you, and if you
> believe it might be useful to others, by all means publish it!

Agreed. I remember that I read in the docs that some of WG's tools
are higher-level. So I thought that automatic IP assignment could
belong to them. Probably it was wg-quick, but `wg set ...` is seemingly
low-level stuff. Now I see. Thank you!

