WireGuard in systemd-networkd

WireGuard in systemd-networkd

[Jason A. Donenfeld]

Hi folks,

Thanks to the wonderful work of J=C3=B6rg Thalheim, WireGuard is now
supported inside systemd-netword's .netdev files. The syntax should be
pretty similar to wg(8). Expect for this to be released as part of the
next release of systemd, where you'll then be able to read the man
pages for using it.

Next up - anybody interested in providing support for NetworkManager?

Jason

Re: WireGuard in systemd-networkd

[Matthias Urlichs]

On 09.01.2018 14:49, Jason A. Donenfeld wrote:
> Thanks to the wonderful work of Jörg Thalheim, WireGuard is now
> supported inside systemd-netword's .netdev files.

That's great. Thaks for doing the work.

Speaking of systemd, and almost completely offtopic: would somebody be
willing to add support for ppp/pppoe to systemd-networkd? that's still
missing …

-- 
-- Matthias Urlichs

Re: WireGuard in systemd-networkd

[Daniel Kahn Gillmor]

[-- Attachment #1: Type: text/plain, Size: 946 bytes --]

On Tue 2018-01-09 14:49:13 +0100, Jason A. Donenfeld wrote:

> Thanks to the wonderful work of Jörg Thalheim, WireGuard is now
> supported inside systemd-netword's .netdev files. The syntax should be
> pretty similar to wg(8). Expect for this to be released as part of the
> next release of systemd, where you'll then be able to read the man
> pages for using it.

very cool!  systemd-networkd end up invoking wg(8)?  or does it interact
with the kernel directly?

if doesn't need wg(8), then once the new release of systemd is made, we
may want to change the dependency recommendations for the wireguard
kernel module packages.

> Next up - anybody interested in providing support for NetworkManager?

iirc, NetworkManager imports a big chunk of systemd in each release
(yuck embedded code copies).  maybe it'll import the relevant wireguard
bits as well?  that would probably make the NM work an easier lift.

     --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: WireGuard in systemd-networkd

[Germano Massullo]

As systemd-networkd user I am very happy about that!
Jason it has been a pleasure to meet you at 34C3 :-)

Re: WireGuard in systemd-networkd

[Jason A. Donenfeld]

Hey Dan,

On Tue, Jan 9, 2018 at 4:20 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> very cool!  systemd-networkd end up invoking wg(8)?  or does it interact
> with the kernel directly?

We taught systemd to talk the generic netlink protocol --useful for
all sorts of new things cropping up in the kernel -- and then after
that we taught it to talk wireguard, which builds on top of generic
netlink. And, it doesn't introduce any build-time dependencies into
systemd-networkd. So it's there for people who want it and not there
for those who don't. I think this is the right approach for
Linux-centric approaches like systemd.

>
> if doesn't need wg(8), then once the new release of systemd is made, we
> may want to change the dependency recommendations for the wireguard
> kernel module packages.

Maybe? I'm not quite sure what the Debian semantics for
recommendations are. If additional recommendations crowd out existing
recommendations, or introduce some kind of automatic selection logic
where only one has to be satisfied in an install-recommendations mode,
then I'd be hesitant. The reason is that wg(8) allows users to see
what's going on with the wireguard interface, whereas networkd only
enables setting up the interface but after doesn't give much
visibility into what's going on. So all users who run wireguard
probably want wg(8), and only some users who run wireguard
additionally will want systemd-networkd. But as I said, I don't know
what the Debian recommendations are supposed to be precisely, so you
can decide this better than me.


>
>> Next up - anybody interested in providing support for NetworkManager?
>
> iirc, NetworkManager imports a big chunk of systemd in each release
> (yuck embedded code copies).  maybe it'll import the relevant wireguard
> bits as well?  that would probably make the NM work an easier lift.

Oh, cool, I didn't realize that. Thanks for the pointer. I'll poke
around to see what they import.

Jason

Re: WireGuard in systemd-networkd

[Daniel Kahn Gillmor]

[-- Attachment #1: Type: text/plain, Size: 3441 bytes --]

On Tue 2018-01-09 18:38:59 +0100, Jason A. Donenfeld wrote:
> On Tue, Jan 9, 2018 at 4:20 PM, Daniel Kahn Gillmor
> <dkg@fifthhorseman.net> wrote:
>> very cool!  systemd-networkd end up invoking wg(8)?  or does it interact
>> with the kernel directly?
>
> We taught systemd to talk the generic netlink protocol --useful for
> all sorts of new things cropping up in the kernel -- and then after
> that we taught it to talk wireguard, which builds on top of generic
> netlink. And, it doesn't introduce any build-time dependencies into
> systemd-networkd. So it's there for people who want it and not there
> for those who don't. I think this is the right approach for
> Linux-centric approaches like systemd.

cool.  this sounds very much like you've decided that the netlink
interface is now stable, which is good to hear :)  It becomes much
trickier to update the interface when you've got external tools (whose
release cycle you don't control) talking to them!

>> if doesn't need wg(8), then once the new release of systemd is made, we
>> may want to change the dependency recommendations for the wireguard
>> kernel module packages.
>
> Maybe? I'm not quite sure what the Debian semantics for
> recommendations are. If additional recommendations crowd out existing
> recommendations, or introduce some kind of automatic selection logic
> where only one has to be satisfied in an install-recommendations mode,
> then I'd be hesitant. The reason is that wg(8) allows users to see
> what's going on with the wireguard interface, whereas networkd only
> enables setting up the interface but after doesn't give much
> visibility into what's going on. So all users who run wireguard
> probably want wg(8), and only some users who run wireguard
> additionally will want systemd-networkd. But as I said, I don't know
> what the Debian recommendations are supposed to be precisely, so you
> can decide this better than me.

thanks for the explanation.  debian's semantics are:

   https://www.debian.org/doc/debian-policy/#binary-dependencies-depends-recommends-suggests-enhances-pre-depends

Basically, Recommends: isn't the same as a hard Depends: -- it's
possible to ignore a Recommends: on systems you want to consciously keep
minimal.

The disjunction (A | B) means "if one of A or B is installed, don't bother
trying to satisfy the other; but if neither is installed, install A".


systemd-networkd is shipped (but by default disabled) in the systemd
package itself.

At the moment, wireguard-dkms (the kernel module package) Recommends:
wireguard-tools (which supplies wg(8)), which i'd write as:

  0)  Recommends: wireguard-tools

So i think we have several other choices:

  1)  Recommends: systemd | wireguard-tools

  2)  Recommends: wireguard-tools | systemd

  3)  Recommends: wireguard-tools, systemd

  4)  Recommends: wireguard-tools
      Suggests: systemd


Of the above, i think i'll probably either stick with 0 or move to 4.
given what you said above, i don't really like the idea of using the
disjunction; people already running systemd will have systemd-networkd
available; and i don't want the wireguard-dkms package to encourage
people to install systemd if they've already made a decision to avoid
the default and not use it.

oh, also, any reference to systemd here would probably be versioned to
be at least the first version that supports it.

let me know if you have any other preferences or suggestions.

   --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: WireGuard in systemd-networkd

[Matthias Urlichs]

On 10.01.2018 08:09, Daniel Kahn Gillmor wrote:
> The disjunction (A | B) means "if one of A or B is installed, don't bother
> trying to satisfy the other; but if neither is installed, install A".

… unless installing A causes a conflict – then the solver is free to use
B instead.

Given that systemd is installed by default in Debian, a "Suggests:
systemd" is unlikely to be useful for anybody, and an A|B recommendation
also is a no-op for the majority of users.

Instead, I would simply Recommend wg-tools, as they're very useful for
querying or modifying its state even when systemd-networkd manages the
interface.

I would also create a virtual "wireguard" package that directly depends
on wireguard-dkms and wireguard-tools (and Recommends:
networkmanager-wireguard, as soon as that exists). Then, simply instruct
the user to install that.

-- 
-- Matthias Urlichs

Re: WireGuard in systemd-networkd

[Jonathon Fernyhough]

[-- Attachment #1.1: Type: text/plain, Size: 1208 bytes --]

On 10/01/18 07:09, Daniel Kahn Gillmor wrote:
> systemd-networkd is shipped (but by default disabled) in the systemd
> package itself.
> 
> At the moment, wireguard-dkms (the kernel module package) Recommends:
> wireguard-tools (which supplies wg(8)), which i'd write as:
> 
>   0)  Recommends: wireguard-tools
> 
> So i think we have several other choices:
> 
>   1)  Recommends: systemd | wireguard-tools
> 
>   2)  Recommends: wireguard-tools | systemd
> 
>   3)  Recommends: wireguard-tools, systemd
> 
>   4)  Recommends: wireguard-tools
>       Suggests: systemd
> 
> 
> Of the above, i think i'll probably either stick with 0 or move to 4.

Sticking with 0) makes most sense to me. Just because systemd (>=
23something) supports wireguard, if wireguard-dkms can't rely on the
support being there then recommending its "own" tools is more reliable,
and more portable.

Alternatively, perhaps an "Enhances: systemd" ? e.g. wireguard-dkms
doesn't _need_ systemd, doesn't work any _better_ with systemd, but
definitely adds something _to_ systemd.

J

[1]
https://www.debian.org/doc/debian-policy/#binary-dependencies-depends-recommends-suggests-enhances-pre-depends


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: WireGuard in systemd-networkd

[Daniel Kahn Gillmor]

[-- Attachment #1: Type: text/plain, Size: 707 bytes --]

On Wed 2018-01-10 09:50:39 +0100, Matthias Urlichs wrote:
> I would also create a virtual "wireguard" package that directly depends
> on wireguard-dkms and wireguard-tools (and Recommends:
> networkmanager-wireguard, as soon as that exists). Then, simply instruct
> the user to install that.

This is a good idea, thanks!  As an aside, if anyone wants to suggest
packaging improvements like this, a bug report to the debian BTS is
probably the easiest way to go.

As for the dependencies related to systemd-networkd, the discussion here
makes me think we're better off just sticking with the status quo
(option 0), so i'll do that unless i hear a really compelling argument
to do anything else.

     --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: WireGuard in systemd-networkd

[Stefan Tatschner]

Hi!

Thanks all for the amazing work here, I am really impressed.

On Wed, Jan 10, 2018 at 11:30 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> On Wed 2018-01-10 09:50:39 +0100, Matthias Urlichs wrote:
>> I would also create a virtual "wireguard" package that directly depends
>> on wireguard-dkms and wireguard-tools (and Recommends:
>> networkmanager-wireguard, as soon as that exists). Then, simply instruct
>> the user to install that.

Is it really neccessary to recommend an additional tool in the
package? Wireguard can already be integrated in debian's native
network configuration via /etc/network/interfaces:
https://wiki.debian.org/Wireguard

I just do

  # ifup wg0
  # ifdown wg0

and it's fine.

Stefan

>
> This is a good idea, thanks!  As an aside, if anyone wants to suggest
> packaging improvements like this, a bug report to the debian BTS is
> probably the easiest way to go.
>
> As for the dependencies related to systemd-networkd, the discussion here
> makes me think we're better off just sticking with the status quo
> (option 0), so i'll do that unless i hear a really compelling argument
> to do anything else.
>
>      --dkg
>

Re: WireGuard in systemd-networkd

[Daniel Kahn Gillmor]

[-- Attachment #1: Type: text/plain, Size: 981 bytes --]

Hi Stefan--

On Thu 2018-01-11 07:37:49 +0100, Stefan Tatschner wrote:
> Is it really neccessary to recommend an additional tool in the
> package? Wireguard can already be integrated in debian's native
> network configuration via /etc/network/interfaces:
> https://wiki.debian.org/Wireguard

these instructions already assume that you have both wireguard-dkms and
wireguard-tools installed.  wireguard-tools supplies both wg(8) and
wg-quick(8), which are used in the different /etc/network/interfaces
stanzas there.

Matthias was suggesting a simply-named meta-package: just "wireguard",
which would ensure that both wireguard-dkms and wireguard-tools are
installed.  The advantage there is that you can tell people to do:

   apt install wireguard

and apt make sure the system has the common setup by default :)

> I just do
>
>   # ifup wg0
>   # ifdown wg0
>
> and it's fine.

i'm glad it works for you, it's always nice to have positive feedback :)

happy hacking,

    --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: WireGuard in systemd-networkd

[Jason A. Donenfeld]

Hey Daniel,

On Wed, Jan 10, 2018 at 8:09 AM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> cool.  this sounds very much like you've decided that the netlink
> interface is now stable, which is good to hear

Yep!

>   0)  Recommends: wireguard-tools
>   4)  Recommends: wireguard-tools
>       Suggests: systemd
>
>
> Of the above, i think i'll probably either stick with 0 or move to 4.
> given what you said above, i don't really like the idea of using the
> disjunction; people already running systemd will have systemd-networkd
> available; and i don't want the wireguard-dkms package to encourage
> people to install systemd if they've already made a decision to avoid
> the default and not use it.

I think it probably makes most sense to stick with 0.


Jason

Re: WireGuard in systemd-networkd

[Jason A. Donenfeld]

On Thu, Jan 11, 2018 at 2:43 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> Matthias was suggesting a simply-named meta-package: just "wireguard",
> which would ensure that both wireguard-dkms and wireguard-tools are
> installed.  The advantage there is that you can tell people to do:
>
>    apt install wireguard
>
> and apt make sure the system has the common setup by default :)

This is a great idea. Let me know if you wind up making this. I've
added Egbert to the CC so that he can make an identical change in the
Ubuntu PPA.

Jason

Re: WireGuard in systemd-networkd

[Daniel Kahn Gillmor]

[-- Attachment #1: Type: text/plain, Size: 1188 bytes --]

On Thu 2018-01-11 16:02:30 +0100, Jason A. Donenfeld wrote:
> On Thu, Jan 11, 2018 at 2:43 PM, Daniel Kahn Gillmor
> <dkg@fifthhorseman.net> wrote:
>> Matthias was suggesting a simply-named meta-package: just "wireguard",
>> which would ensure that both wireguard-dkms and wireguard-tools are
>> installed.  The advantage there is that you can tell people to do:
>>
>>    apt install wireguard
>>
>> and apt make sure the system has the common setup by default :)
>
> This is a great idea. Let me know if you wind up making this. I've
> added Egbert to the CC so that he can make an identical change in the
> Ubuntu PPA.

I've just uploaded this arrangement to debian, but it needs to clear the
NEW queue, which can take a little while.

You should be able to follow the NEW queue here:

   https://ftp-master.debian.org/new.html

Egbert (or any other packager for a debian derivative) can see my
packaging here, if they're interested:

   https://salsa.debian.org/debian/wireguard

in particular:

   https://salsa.debian.org/debian/wireguard/commit/cc3cab4b799a64e9c74985da627fc85ba0ee2cc8

as always, I welcome feedback and suggestions for other improvements.

Regards,

        --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: WireGuard in systemd-networkd

[Stefan Tatschner]

On Thu, Jan 11, 2018 at 2:43 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> Hi Stefan--
>
> Matthias was suggesting a simply-named meta-package: just "wireguard",
> which would ensure that both wireguard-dkms and wireguard-tools are
> installed.  The advantage there is that you can tell people to do:
>
>    apt install wireguard
>
> and apt make sure the system has the common setup by default :)

Awesome! Thanks for clarifying this.

>
>> I just do
>>
>>   # ifup wg0
>>   # ifdown wg0
>>
>> and it's fine.
>
> i'm glad it works for you, it's always nice to have positive feedback :)

:)

Stefan

>
> happy hacking,
>
>     --dkg

Re: WireGuard in systemd-networkd

[Egbert Verhage]

Hey dkg,

I wanted to do the same thing with the meta package, so I have included
your patch in the ubuntu ppa repo.

I have pushed the packages to the PPA, so will be up in 10min.

Here the commit with the meta package patch:
https://github.com/EggieCode/wireguard-ppa/commit/1c502977301cfc1695996
ba68fa260576f0f0cad

Thanks dkg for the patch!

Greetz,
Egbert

On Thu, 2018-01-11 at 18:38 -0500, Daniel Kahn Gillmor wrote:
> On Thu 2018-01-11 16:02:30 +0100, Jason A. Donenfeld wrote:
> > On Thu, Jan 11, 2018 at 2:43 PM, Daniel Kahn Gillmor
> > <dkg@fifthhorseman.net> wrote:
> > > Matthias was suggesting a simply-named meta-package: just
> > > "wireguard",
> > > which would ensure that both wireguard-dkms and wireguard-tools
> > > are
> > > installed.  The advantage there is that you can tell people to
> > > do:
> > > 
> > >    apt install wireguard
> > > 
> > > and apt make sure the system has the common setup by default :)
> > 
> > This is a great idea. Let me know if you wind up making this. I've
> > added Egbert to the CC so that he can make an identical change in
> > the
> > Ubuntu PPA.
> 
> I've just uploaded this arrangement to debian, but it needs to clear
> the
> NEW queue, which can take a little while.
> 
> You should be able to follow the NEW queue here:
> 
>    https://ftp-master.debian.org/new.html
> 
> Egbert (or any other packager for a debian derivative) can see my
> packaging here, if they're interested:
> 
>    https://salsa.debian.org/debian/wireguard
> 
> in particular:
> 
>    https://salsa.debian.org/debian/wireguard/commit/cc3cab4b799a64e9c
> 74985da627fc85ba0ee2cc8
> 
> as always, I welcome feedback and suggestions for other improvements.
> 
> Regards,
> 
>         --dkg

Re: WireGuard in systemd-networkd

[Jason A. Donenfeld]

[-- Attachment #1: Type: text/plain, Size: 1965 bytes --]

Wonderful! Thanks guys. I'll update the documentation shortly.

Jason

On Jan 12, 2018 16:51, "Egbert Verhage" <egbert@eggiecode.org> wrote:

> Hey dkg,
>
> I wanted to do the same thing with the meta package, so I have included
> your patch in the ubuntu ppa repo.
>
> I have pushed the packages to the PPA, so will be up in 10min.
>
> Here the commit with the meta package patch:
> https://github.com/EggieCode/wireguard-ppa/commit/1c502977301cfc1695996
> ba68fa260576f0f0cad
>
> Thanks dkg for the patch!
>
> Greetz,
> Egbert
>
> On Thu, 2018-01-11 at 18:38 -0500, Daniel Kahn Gillmor wrote:
> > On Thu 2018-01-11 16:02:30 +0100, Jason A. Donenfeld wrote:
> > > On Thu, Jan 11, 2018 at 2:43 PM, Daniel Kahn Gillmor
> > > <dkg@fifthhorseman.net> wrote:
> > > > Matthias was suggesting a simply-named meta-package: just
> > > > "wireguard",
> > > > which would ensure that both wireguard-dkms and wireguard-tools
> > > > are
> > > > installed.  The advantage there is that you can tell people to
> > > > do:
> > > >
> > > >    apt install wireguard
> > > >
> > > > and apt make sure the system has the common setup by default :)
> > >
> > > This is a great idea. Let me know if you wind up making this. I've
> > > added Egbert to the CC so that he can make an identical change in
> > > the
> > > Ubuntu PPA.
> >
> > I've just uploaded this arrangement to debian, but it needs to clear
> > the
> > NEW queue, which can take a little while.
> >
> > You should be able to follow the NEW queue here:
> >
> >    https://ftp-master.debian.org/new.html
> >
> > Egbert (or any other packager for a debian derivative) can see my
> > packaging here, if they're interested:
> >
> >    https://salsa.debian.org/debian/wireguard
> >
> > in particular:
> >
> >    https://salsa.debian.org/debian/wireguard/commit/cc3cab4b799a64e9c
> > 74985da627fc85ba0ee2cc8
> >
> > as always, I welcome feedback and suggestions for other improvements.
> >
> > Regards,
> >
> >         --dkg
>

[-- Attachment #2: Type: text/html, Size: 3339 bytes --]

Some gossip

[M. Dietrich]

[-- Attachment #1: Type: text/plain, Size: 1037 bytes --]

Hi All,

i looked for a connection-less VPN since long. i am not an
expert in VPNs and do not want to dive into it too deep but i
had the impression that all solutions today have a connection
and once lost it has to be renogotiated.

since using mosh i think this would be an incredible solution
for a VPN.

Quotation from Germano Massullo at Januar 9, 2018 18:19:
> Jason it has been a pleasure to meet you at 34C3 :-)

at the 34C3 i was concentrated with some coding at my notebook
when a guy throw me a sticker directly onto my keyboard. i was
upset and flicked it off but when i needed a break i grabed
it and took a look. it was weird, some names, a logo, no url.

the name was good enough to point to the project behind (same
logo) after a search. and i found out: this seems to be the
VPN i was looking for so long!

so thank you for this incredible project! i could not attend
at the workshop because it was too crowded (btw: today
wireguard is the 6th hit when looking for vpn and mosh).

M. Dietrich

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]

Re: Some gossip

[Jason A. Donenfeld]

On Sat, Jan 13, 2018 at 5:30 PM, M. Dietrich <mdt@emdete.de> wrote:
> at the 34C3 i was concentrated with some coding at my notebook
> when a guy throw me a sticker directly onto my keyboard. i was
> upset and flicked it off but when i needed a break i grabed
> it and took a look. it was weird, some names, a logo, no url.

Pretty much the real life version of a pop-up window. :)

Re: WireGuard in systemd-networkd

[Jörg Thalheim]

Wireguard support in networkd is now set in stone.
systemd v237 was released three days ago.

On 2018-01-09 13:49, Jason A. Donenfeld wrote:
> Hi folks,
>
> Thanks to the wonderful work of Jörg Thalheim, WireGuard is now
> supported inside systemd-netword's .netdev files. The syntax should be
> pretty similar to wg(8). Expect for this to be released as part of the
> next release of systemd, where you'll then be able to read the man
> pages for using it.
>
> Next up - anybody interested in providing support for NetworkManager?
>
> Jason
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard