[WireGuard] What is a good way to ingrate (as of now) wireguard into openrc in Gentoo?

[WireGuard] What is a good way to ingrate (as of now) wireguard into openrc in Gentoo?

[Kalin KOZHUHAROV]

[-- Attachment #1: Type: text/plain, Size: 777 bytes --]

Hello,

I have been testing a few things between Gentoo and few OpenWRT boxen, so
far so good. Just saw that Luci config landed, recompiling now.

This brings me to "What is a good way to ingrate (as of now) wireguard into
openrc in Gentoo?" question.

I have my scripts, I just found out about /lib64/netifrc/net/wireguard.sh
but I couldn't find a way to edit /etc/conf.d/net so that I can integrate
it.

Since Jason is a Gentoo user/dev I thought that is already solved :-D

An example static config for the simple case of

host_A:wg0<----->wg0:host_B

and

              /-->wg0:host_B
host_A:wg0<--||
              \-->wg0:host_C

(say where A,B,C share some private subnet) will be appreciated.

Any good "default" way to store config files? Private keys?

Cheers,
Kalin.

[-- Attachment #2: Type: text/html, Size: 1507 bytes --]

Re: [WireGuard] What is a good way to ingrate (as of now) wireguard into openrc in Gentoo?

[Jason A. Donenfeld]

Hey Kalin,

Funny enough, I can't remember the exact interworkings of that script,
because I didn't write it. A guy named zhasha in #wireguard did. I'll
ask him to document it; that could be useful. I know another gentoo
dev was working on a WireGuard gentoo page for the wiki.

I think, in short, the way it works is you add this to your /etc/conf.d/net:

wireguard_wg0="/path/to/file.conf"

or,

wireguard_wg0="private-key /path/to/whatever listen-port 1234 peer
ABCDEF= endpoint 1.2.3.4:2468"

In other words, if the argument is a file path, it is passed to
setconf, and otherwise they're passed to set. You can then use the
other ordinary netifrc values for setting the IP addresses.

A somewhat reasonable place to store config files would be in
/etc/wireguard, and make sure that directory is chmod'd to 700, since
it contains private keys.

Jason

Re: [WireGuard] What is a good way to ingrate (as of now) wireguard into openrc in Gentoo?

[Kalin KOZHUHAROV]

Hello Jason,

Thanks for the answer!

On Sat, Nov 19, 2016 at 10:14 AM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> Funny enough, I can't remember the exact interworkings of that script,
> because I didn't write it. A guy named zhasha in #wireguard did. I'll
> ask him to document it; that could be useful. I know another gentoo
> dev was working on a WireGuard gentoo page for the wiki.
>
I tested a few things, it is almost working.

So, I needed to save a running config (`wg showconf wg0
>/etc/wireguard/wg0.conf`), then put this in `/etc/conf.d/net`:

config_wg0="192.168.13.12/24"
wireguard_wg0="/etc/wireguard/wg0.conf"

Finally, symlink to net.lo:

  ln -nfs net.lo /etc/init.d/net.wg0

Then `/etc/init.d/net.wg0 start` and `/etc/init.d/net.wg0 stop` work
as expected.

EDIT: Add this to /etc/rc.conf to make things run smoothly:
rc_hotplug="!net.wg?"


However `/etc/init.d/net.wg0 restart` sometimes fails silently...
I am trying to reproduce it, but cannot get the pattern of failures.
It outputs all fine to the console, but there is no actual interface created...

$ /etc/init.d/net.wg0 restart
 * /etc/init.d/net.wg0 uses runscript, please convert to openrc-run.
 * Bringing down interface wg0
 *   Removing WireGuard interface wg0 ...


              [ ok ]
 * Bringing up interface wg0
 *   Creating WireGuard interface wg0 ...


              [ ok ]
 *   Configuring WireGuard interface wg0 ...


              [ ok ]
 *   192.168.13.12/24 ...


              [ ok ]

$ ip l show dev wg0
Device "wg0" does not exist.

# NOT WORKING!


$ /etc/init.d/net.wg0 start
 * /etc/init.d/net.wg0 uses runscript, please convert to openrc-run.
 * WARNING: net.wg0 has already started, but is inactive

$ /etc/init.d/net.wg0 zap
 * /etc/init.d/net.wg0 uses runscript, please convert to openrc-run.
 * Manually resetting net.wg0 to stopped state

$ /etc/init.d/net.wg0 start
 * /etc/init.d/net.wg0 uses runscript, please convert to openrc-run.
 * Bringing up interface wg0
 *   Creating WireGuard interface wg0 ...


              [ ok ]
 *   Configuring WireGuard interface wg0 ...


              [ ok ]
 *   192.168.13.12/24 ...


              [ ok ]

$ ip l show dev wg0
34: wg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1423 qdisc
noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/void

# WORKING

 $ /etc/init.d/net.wg0 restart
 * /etc/init.d/net.wg0 uses runscript, please convert to openrc-run.
 * Bringing down interface wg0
 *   Removing WireGuard interface wg0 ...
 * Bringing up interface wg0
 *   Creating WireGuard interface wg0 ...


              [ ok ]
 *   Configuring WireGuard interface wg0 ...


              [ ok ]
 *   192.168.13.12/24 ...


              [ ok ]

$ ip l show dev wg0
36: wg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1423 qdisc
noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/void


I tried to debug a few things and my observation is that "sometimes",
interface is reappearing after `ip link delete dev wg0`...
Any ideas? I thought am not running any automagic daemons (systemd,
networkmanager, etc.).
But... there is some systemd code lurking may be.
Anyway, I added it to be NOT hotplugged:
$ grep wg /etc/rc.conf
rc_hotplug="pcscd !net.wg?"

And it seems to work! Otherwise the interface gets marked as
hotpluggable and is being recreated/killed (see the first number  on
`ip link show dev wg0` constantly growing)

> In other words, if the argument is a file path, it is passed to
> setconf, and otherwise they're passed to set. You can then use the
> other ordinary netifrc values for setting the IP addresses.
>
yep, apparently!

> A somewhat reasonable place to store config files would be in
> /etc/wireguard, and make sure that directory is chmod'd to 700, since
> it contains private keys.
>
Yes, I am glad I guessed this settings, before your mail!

Cheers,
Kalin.

Re: [WireGuard] What is a good way to ingrate (as of now) wireguard into openrc in Gentoo?

[Joakim Sindholt]

On Fri, Nov 18, 2016 at 12:42 PM, Kalin KOZHUHAROV <me.kalin@gmail.com> 
wrote:
> Hello,
> 
> I have been testing a few things between Gentoo and few OpenWRT 
> boxen, so far so good. Just saw that Luci config landed, recompiling 
> now.
> 
> This brings me to "What is a good way to ingrate (as of now) 
> wireguard into openrc in Gentoo?" question.
> 
> I have my scripts, I just found out about 
> /lib64/netifrc/net/wireguard.sh but I couldn't find a way to edit 
> /etc/conf.d/net so that I can integrate it.
> 
> Since Jason is a Gentoo user/dev I thought that is already solved :-D

I'm the idiot who wrote it, not Jason - direct your frustration towards 
me :)

The idea is that the wireguard_$if variable is passed to 'wg set' or 
'wg setconf',
depending on whether or not it's a single argument and a file.
You join this with config_$if which is passed to 'ip address', and 
optionally
routes_$if to create custom routes and 'rules_$if' which is passed to 
'ip rule'.

There are a couple of problems with this - the number I've experienced 
being that
dhcpcd has no respect for network config it didn't create and so it 
will happily
nuke the ip rules every time it renews the dhcp lease.

> An example static config for the simple case of
> 
> host_A:wg0<----->wg0:host_B
> 
> and
> 
>               /-->wg0:host_B
> host_A:wg0<--||
>               \-->wg0:host_C
> 
> (say where A,B,C share some private subnet) will be appreciated.

You can directly follow the terminal examples from eg. the quickstart 
page.
Interface creation is automatic so you just need a 
config_wg0=ip-addr-line and
wireguard_wg0=wg-set-line and you're golden.

> Any good "default" way to store config files? Private keys?

Re: [WireGuard] What is a good way to ingrate (as of now) wireguard into openrc in Gentoo?

[Joakim Sindholt]

On Mon, Nov 21, 2016 at 6:15 AM, Kalin KOZHUHAROV <me.kalin@gmail.com> 
wrote:
> config_wg0="192.168.13.12/24"
> wireguard_wg0="/etc/wireguard/wg0.conf"
> 
> Finally, symlink to net.lo:
> 
>   ln -nfs net.lo /etc/init.d/net.wg0
> 
> Then `/etc/init.d/net.wg0 start` and `/etc/init.d/net.wg0 stop` work
> as expected.

Yep, that's how it's supposed to be used

> EDIT: Add this to /etc/rc.conf to make things run smoothly:
> rc_hotplug="!net.wg?"

I have not experienced any issues like this.

> However `/etc/init.d/net.wg0 restart` sometimes fails silently...
> I am trying to reproduce it, but cannot get the pattern of failures.
> It outputs all fine to the console, but there is no actual interface 
> created...
> 
> [...]
> 
> I tried to debug a few things and my observation is that "sometimes",
> interface is reappearing after `ip link delete dev wg0`...
> Any ideas? I thought am not running any automagic daemons (systemd,
> networkmanager, etc.).
> But... there is some systemd code lurking may be.
> Anyway, I added it to be NOT hotplugged:
> $ grep wg /etc/rc.conf
> rc_hotplug="pcscd !net.wg?"
> 
> And it seems to work! Otherwise the interface gets marked as
> hotpluggable and is being recreated/killed (see the first number  on
> `ip link show dev wg0` constantly growing)

Interesting. I've had problems with other programs interfering in the 
past,
most notably dhcpcd which would nuke my routing rules, but never this.
The script is basically just a whittled down version of the pppd.sh 
script
and should work in much the same way. I just hacked it up rather quickly
so it's very possible that I missed something really important.
I'm running an otherwise bog-standard clean gentoo install with pretty 
much
nothing installed and this issue hasn't presented itself so far.
It's being updated today so I'll get on it if I can reproduce it.
Pretty weird though...

Re: [WireGuard] What is a good way to ingrate (as of now) wireguard into openrc in Gentoo?

[Jason A. Donenfeld]

On Mon, Nov 21, 2016 at 2:55 PM, Joakim Sindholt <opensource@zhasha.com> wrote:
> There are a couple of problems with this - the number I've experienced being
> that
> dhcpcd has no respect for network config it didn't create and so it will
> happily
> nuke the ip rules every time it renews the dhcp lease.

Add 'wg*' to denyinterfaces in dhcpcd.conf.