wireguard.lists.zx2c4.com archive mirror
* remove peer endpoint
@ 2019-12-27 15:51 Devin Smith
  2019-12-27 16:51 ` Lonnie Abelbeck
  0 siblings, 1 reply; 11+ messages in thread
From: Devin Smith @ 2019-12-27 15:51 UTC (permalink / raw)
  To: WireGuard



Is it possible to remove the endpoint of a peer via the `wg set` command? All of the other peer attributes (preshared-key, persistent-keepalive, allowed-ips) are removable in this fashion (and documented in the man page). I've tried `wg set <interface> peer <base64-public-key> endpoint 0`, `endpoint off`, `endpoint ""`, and `remove endpoint`.

My workaround for now is to just remove the whole peer, and then re-set the other attributes.

If it is not possible to currently do this with `wg set`, the syntax `remove <attribute-name>` might be a good way to generalize the notion of unsetting any peer attribute.

Thanks,
-Devin


_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: remove peer endpoint
  2019-12-27 15:51 remove peer endpoint Devin Smith
@ 2019-12-27 16:51 ` Lonnie Abelbeck
  2019-12-27 18:28   ` Devin Smith
  0 siblings, 1 reply; 11+ messages in thread
From: Lonnie Abelbeck @ 2019-12-27 16:51 UTC (permalink / raw)
  To: Devin Smith; +Cc: WireGuard


> On Dec 27, 2019, at 9:51 AM, Devin Smith <devinrsmith@protonmail.com> wrote:
> 
> Is it possible to remove the endpoint of a peer via the `wg set` command? All of the other peer attributes (preshared-key, persistent-keepalive, allowed-ips) are removable in this fashion (and documented in the man page). I've tried `wg set <interface> peer <base64-public-key> endpoint 0` ...

Yes, this works:
--
wg set <interface> peer <base64-public-key> remove
--

If you forget, "wg set --help" will remind you.

Lonnie


* Re: remove peer endpoint
  2019-12-27 16:51 ` Lonnie Abelbeck
@ 2019-12-27 18:28   ` Devin Smith
  2019-12-28 20:53     ` em12345
  2019-12-28 21:36     ` Jason A. Donenfeld
  0 siblings, 2 replies; 11+ messages in thread
From: Devin Smith @ 2019-12-27 18:28 UTC (permalink / raw)
  To: Lonnie Abelbeck; +Cc: WireGuard

If I'm not mistaken, `wg set <interface> peer <base64> remove` removes the whole peer - I'm looking to remove just the peer's endpoint attribute [endpoint <ip>:<port>].

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, December 27, 2019 10:51 AM, Lonnie Abelbeck <lists@lonnie.abelbeck.com> wrote:

> > On Dec 27, 2019, at 9:51 AM, Devin Smith devinrsmith@protonmail.com wrote:
> > Is it possible to remove the endpoint of a peer via the `wg set` command? All of the other peer attributes (preshared-key, persistent-keepalive, allowed-ips) are removable in this fashion (and documented in the man page). I've tried `wg set <interface> peer <base64-public-key> endpoint 0` ...
>
> Yes, this works:
>
> -------------------
>
> wg set <interface> peer <base64-public-key> remove
> --
>
> If you forget, "wg set --help" will remind you.
>
> Lonnie



* Re: remove peer endpoint
  2019-12-27 18:28   ` Devin Smith
@ 2019-12-28 20:53     ` em12345
  2019-12-28 21:36     ` Jason A. Donenfeld
  1 sibling, 0 replies; 11+ messages in thread
From: em12345 @ 2019-12-28 20:53 UTC (permalink / raw)
  To: wireguard

Hi,

How about setting the peer's endpoint to any local IP (127.0.99.1)?
I'm setting the peer's endpoint initially to 127.0.1.1, and only later I
resolve the hostname of the endpoint and update to that IP,
because in my case I need more control of the resolving process than
standard "wg" supplies.


--
Emmanuel



On 2019-12-27 19:28, Devin Smith wrote:
> If I'm not mistaken, `wg set <interface> peer <base64> remove` removes the whole peer - I'm looking to remove just the peer's endpoint attribute [endpoint <ip>:<port>].
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, December 27, 2019 10:51 AM, Lonnie Abelbeck <lists@lonnie.abelbeck.com> wrote:
>
>>> On Dec 27, 2019, at 9:51 AM, Devin Smith devinrsmith@protonmail.com wrote:
>>> Is it possible to remove the endpoint of a peer via the `wg set` command? All of the other peer attributes (preshared-key, persistent-keepalive, allowed-ips) are removable in this fashion (and documented in the man page). I've tried `wg set <interface> peer <base64-public-key> endpoint 0` ...
>>
>> Yes, this works:
>>
>> -------------------
>>
>> wg set <interface> peer <base64-public-key> remove
>> --
>>
>> If you forget, "wg set --help" will remind you.
>>
>> Lonnie

* Re: remove peer endpoint
  2019-12-27 18:28   ` Devin Smith
  2019-12-28 20:53     ` em12345
@ 2019-12-28 21:36     ` Jason A. Donenfeld
  2019-12-30  9:37       ` Jason A. Donenfeld
  1 sibling, 1 reply; 11+ messages in thread
From: Jason A. Donenfeld @ 2019-12-28 21:36 UTC (permalink / raw)
  To: Devin Smith; +Cc: WireGuard mailing list



I'm interested to learn, why would you want such a thing? The endpoint
field is only ever a "hint" anyway, due to the roaming.

On Sat, Dec 28, 2019, 13:12 Devin Smith <devinrsmith@protonmail.com> wrote:

> If I'm not mistaken, `wg set <interface> peer <base64> remove` removes the
> whole peer - I'm looking to remove just the peer's endpoint attribute
> [endpoint <ip>:<port>].
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, December 27, 2019 10:51 AM, Lonnie Abelbeck <
> lists@lonnie.abelbeck.com> wrote:
>
> > > On Dec 27, 2019, at 9:51 AM, Devin Smith devinrsmith@protonmail.com
> wrote:
> > > Is it possible to remove the endpoint of a peer via the `wg set`
> command? All of the other peer attributes (preshared-key,
> persistent-keepalive, allowed-ips) are removable in this fashion (and
> documented in the man page). I've tried `wg set <interface> peer
> <base64-public-key> endpoint 0` ...
> >
> > Yes, this works:
> >
> > -------------------
> >
> > wg set <interface> peer <base64-public-key> remove
> > --
> >
> > If you forget, "wg set --help" will remind you.
> >
> > Lonnie

* Re: remove peer endpoint
  2019-12-28 21:36     ` Jason A. Donenfeld
@ 2019-12-30  9:37       ` Jason A. Donenfeld
  2019-12-30 10:13         ` em12345
  2020-01-08  0:48         ` Devin Smith
  0 siblings, 2 replies; 11+ messages in thread
From: Jason A. Donenfeld @ 2019-12-30  9:37 UTC (permalink / raw)
  To: Devin Smith; +Cc: WireGuard mailing list

Hi Devin,

Could you let me know your reason for wanting this? If there's a good
justification, we could consider adding it. But I'd like some
reasoning as it relates to the entire system you're trying to build,
first.

Thanks,
Jason

On Sat, Dec 28, 2019 at 10:36 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> I'm interested to learn, why would you want such a thing? The endpoint field is only ever a "hint" anyway, due to the roaming.
>
> On Sat, Dec 28, 2019, 13:12 Devin Smith <devinrsmith@protonmail.com> wrote:
>>
>> If I'm not mistaken, `wg set <interface> peer <base64> remove` removes the whole peer - I'm looking to remove just the peer's endpoint attribute [endpoint <ip>:<port>].
>>
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On Friday, December 27, 2019 10:51 AM, Lonnie Abelbeck <lists@lonnie.abelbeck.com> wrote:
>>
>> > > On Dec 27, 2019, at 9:51 AM, Devin Smith devinrsmith@protonmail.com wrote:
>> > > Is it possible to remove the endpoint of a peer via the `wg set` command? All of the other peer attributes (preshared-key, persistent-keepalive, allowed-ips) are removable in this fashion (and documented in the man page). I've tried `wg set <interface> peer <base64-public-key> endpoint 0` ...
>> >
>> > Yes, this works:
>> >
>> > -------------------
>> >
>> > wg set <interface> peer <base64-public-key> remove
>> > --
>> >
>> > If you forget, "wg set --help" will remind you.
>> >
>> > Lonnie

* Re: remove peer endpoint
  2019-12-30  9:37       ` Jason A. Donenfeld
@ 2019-12-30 10:13         ` em12345
  2019-12-30 10:58           ` Jason A. Donenfeld
  2020-01-08  0:48         ` Devin Smith
  1 sibling, 1 reply; 11+ messages in thread
From: em12345 @ 2019-12-30 10:13 UTC (permalink / raw)
  To: wireguard

Hi,

in my case the reason is not exactly being able to remove the endpoint,
but rather being able to set up a peer without endpoint, so that only the
endpoint needs to be set up later.

Scenario:
All keys for interface and peer are configured via "wg" standard config
file, so that the interface can be brought up at boot time.

But when having to use a to-be-resolved host name as endpoint, then the
boot process blocks for around a minute in case no network (incl. DNS)
is available. At least when running systemd reading
/etc/network/interfaces. I'm not using systemd builtin wg support.

There is of course the possibility to bring up the wg-* interfaces later
altogether. But the easiest way for me was to use a local endpoint IP
(127.0.1.1) address, and then use up/down scripts triggered on LAN/WLAN
up/down, which then only resolve the endpoint host name and set via wg
the resolved IP of that.

This way I'm also able to use several hostnames from different DynDNS
providers, in case one service provider is down, which wg as far as I
know doesn't currently support.
I.e.:
	1.) resolve first host name
	2.) set endpoint IP on peer
	3.) ping into tunnel to see if it is working
	4.) if not working, then try next host name


Thanks,

Emmanuel


On 2019-12-30 10:37, Jason A. Donenfeld wrote:
> Hi Devin,
>
> Could you let me know your reason for wanting this? If there's a good
> justification, we could consider adding it. But I'd like some
> reasoning as it relates to the entire system you're trying to build,
> first.
>
> Thanks,
> Jason
>
> On Sat, Dec 28, 2019 at 10:36 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>>
>> I'm interested to learn, why would you want such a thing? The endpoint field is only ever a "hint" anyway, due to the roaming.
>>
>> On Sat, Dec 28, 2019, 13:12 Devin Smith <devinrsmith@protonmail.com> wrote:
>>>
>>> If I'm not mistaken, `wg set <interface> peer <base64> remove` removes the whole peer - I'm looking to remove just the peer's endpoint attribute [endpoint <ip>:<port>].
>>>
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>> On Friday, December 27, 2019 10:51 AM, Lonnie Abelbeck <lists@lonnie.abelbeck.com> wrote:
>>>
>>>>> On Dec 27, 2019, at 9:51 AM, Devin Smith devinrsmith@protonmail.com wrote:
>>>>> Is it possible to remove the endpoint of a peer via the `wg set` command? All of the other peer attributes (preshared-key, persistent-keepalive, allowed-ips) are removable in this fashion (and documented in the man page). I've tried `wg set <interface> peer <base64-public-key> endpoint 0` ...
>>>>
>>>> Yes, this works:
>>>>
>>>> -------------------
>>>>
>>>> wg set <interface> peer <base64-public-key> remove
>>>> --
>>>>
>>>> If you forget, "wg set --help" will remind you.
>>>>
>>>> Lonnie

^ permalink raw reply	[flat|nested] 11+ messages in thread
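
Added example (not part of the original message and not code from the WireGuard tools): one way to script the four failover steps em12345 lists above, in POSIX sh. The interface, key, port, host names and probe address are placeholders, and falling back to the 127.0.1.1 placeholder when every name fails is an assumption of this example.

```shell
#!/bin/sh
# Endpoint failover for a peer that was configured at boot with a loopback
# placeholder endpoint. All names and addresses used here are placeholders.

PLACEHOLDER_IP=127.0.1.1   # stand-in endpoint while no real one is known

# Thin wrappers around the external tools so they can be swapped for a dry run.
resolve_host() { getent ahostsv4 "$1" | awk 'NR==1 {print $1}'; }
set_endpoint() { wg set "$1" peer "$2" endpoint "$3"; }
probe_tunnel() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# Accept only a dotted-quad IPv4 literal; anything else the resolver returns
# is dropped instead of being handed to wg.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# update_endpoint IFACE PEER_KEY PORT PROBE_IP HOST...
# Tries each host name in order. Prints the endpoint that answered and
# returns 0, or puts the placeholder back and returns 1.
update_endpoint() {
    iface=$1 peer=$2 port=$3 probe=$4
    shift 4
    for host in "$@"; do
        ip=$(resolve_host "$host") || continue                 # 1.) resolve host name
        is_ipv4 "$ip" || continue                              #     reject non-IP answers
        set_endpoint "$iface" "$peer" "$ip:$port" || continue  # 2.) set endpoint on peer
        if probe_tunnel "$probe"; then                         # 3.) ping into the tunnel
            echo "$ip:$port"
            return 0
        fi                                                     # 4.) otherwise try next name
    done
    # No name worked: do not leave the last failed address configured.
    set_endpoint "$iface" "$peer" "$PLACEHOLDER_IP:$port"
    return 1
}

# Typical call from a LAN/WLAN "up" hook (placeholder values):
#   update_endpoint wg0 "<base64-public-key>" 51820 10.0.0.1 \
#       vpn.dyndns-one.example vpn.dyndns-two.example
```

PROBE_IP must be an address that is only reachable through the tunnel, otherwise step 3 reports success for a dead endpoint.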

* Re: remove peer endpoint
  2019-12-30 10:13         ` em12345
@ 2019-12-30 10:58           ` Jason A. Donenfeld
  2019-12-30 11:50             ` em12345
  0 siblings, 1 reply; 11+ messages in thread
From: Jason A. Donenfeld @ 2019-12-30 10:58 UTC (permalink / raw)
  To: em12345; +Cc: WireGuard mailing list

On Mon, Dec 30, 2019 at 11:13 AM em12345 <em12345@web.de> wrote:
>
> Hi,
>
> in my case the reason is not exactly being able to remove the endpoint,
> but rather being able to setup a peer without endpoint, so that only the
> endpoint needs to be setup later.
>
> Scenario:
> All keys for interface and peer are configured via "wg" standard config
> file, so that the interface can be brought up at boot time.
>
> But when having to use a to be resolved host name as endpoint, then the
> boot process blocks for around a minute in case no network (incl. DNS)
> is available. At least when running systemd reading
> /etc/network/interfaces. I'm not using systemd builtin wg support.
>
> There is of course the possibility to bring up the wg-* interfaces later
> altogether. But the easiest way for me was to use a local endpoint IP
> (127.0.1.1) address, and then use up/down scripts triggered on LAN/WLAN
> up/down, which then only resolve the endpoint host name and set via wg
> the resolved IP of that.
>
> This way I'm also able to use several hostnames from different DynDNS
> providers, in case one service provider is down, which wg as far as I
> know doesn't currently support.
> I.e:
>         1.) resolve first host name
>         2.) set endpoint IP on peer
>         3.) ping into tunnel to see if it is working
>         4.) if not working, then try next host name
>
>
> Thanks,
>
> Emmanuel

You've misunderstood the discussion. Nobody is discussing removing the
ability to set an endpoint after the interface has been configured.
This exists and works today and isn't going anywhere. Rather, this is
a discussion about being able to unset an endpoint.

* Re: remove peer endpoint
  2019-12-30 10:58           ` Jason A. Donenfeld
@ 2019-12-30 11:50             ` em12345
  2019-12-30 11:53               ` Jason A. Donenfeld
  0 siblings, 1 reply; 11+ messages in thread
From: em12345 @ 2019-12-30 11:50 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

Sorry, maybe I was not clear enough. I didn't intend to ask for the
removal of the ability to set an endpoint, but for the ability to
configure a peer without knowing the endpoint at configuration time,
because the endpoint is only known at a later point.




On 2019-12-30 11:58, Jason A. Donenfeld wrote:
> On Mon, Dec 30, 2019 at 11:13 AM em12345 <em12345@web.de> wrote:
>>
>> Hi,
>>
>> in my case the reason is not exactly being able to remove the endpoint,
>> but rather being able to setup a peer without endpoint, so that only the
>> endpoint needs to be setup later.
>>
>> Scenario:
>> All keys for interface and peer are configured via "wg" standard config
>> file, so that the interface can be brought up at boot time.
>>
>> But when having to use a to be resolved host name as endpoint, then the
>> boot process blocks for around a minute in case no network (incl. DNS)
>> is available. At least when running systemd reading
>> /etc/network/interfaces. I'm not using systemd builtin wg support.
>>
>> There is of course the possibility to bring up the wg-* interfaces later
>> altogether. But the easiest way for me was to use a local endpoint IP
>> (127.0.1.1) address, and then use up/down scripts triggered on LAN/WLAN
>> up/down, which then only resolve the endpoint host name and set via wg
>> the resolved IP of that.
>>
>> This way I'm also able to use several hostnames from different DynDNS
>> providers, in case one service provider is down, which wg as far as I
>> know doesn't currently support.
>> I.e:
>>         1.) resolve first host name
>>         2.) set endpoint IP on peer
>>         3.) ping into tunnel to see if it is working
>>         4.) if not working, then try next host name
>>
>>
>> Thanks,
>>
>> Emmanuel
>
> You've misunderstood the discussion. Nobody is discussing removing the
> ability to set an endpoint after the interface has been configured.
> This exists and works today and isn't going anywhere. Rather, this is
> a discussion about being able to unset an endpoint.
>

* Re: remove peer endpoint
  2019-12-30 11:50             ` em12345
@ 2019-12-30 11:53               ` Jason A. Donenfeld
  0 siblings, 0 replies; 11+ messages in thread
From: Jason A. Donenfeld @ 2019-12-30 11:53 UTC (permalink / raw)
  To: em12345; +Cc: WireGuard mailing list

On Mon, Dec 30, 2019 at 12:50 PM em12345 <em12345@web.de> wrote:
>
> Sorry, may be I was not clear enough. I didn't intend to ask for the
> removal of the ability to set an endpoint, but for the ability to
> configure a peer without knowing the endpoint at configuration time.
> Because the endpoint is only known at a later point.

This is already possible and not relevant to the discussion at hand.

* Re: remove peer endpoint
  2019-12-30  9:37       ` Jason A. Donenfeld
  2019-12-30 10:13         ` em12345
@ 2020-01-08  0:48         ` Devin Smith
  1 sibling, 0 replies; 11+ messages in thread
From: Devin Smith @ 2020-01-08  0:48 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

It's more of a theoretical question wrt configuration (an attempt of mine to define a more declarative configuration model on top of wg) - but I can see how it's probably not very useful in most cases. There may be some edge cases where it may make sense - for example, you create a new peer with an (incorrect) endpoint, but realize that endpoint should actually be unset. It's easy enough to tear down the peer, and rebuild it without the endpoint set; or just leave the endpoint since it's a hint; but the first is "inefficient", and the second leaves the runtime at odds with the desired (declarative) configuration.

It's probably a fringe issue, so not sure if it makes sense to add it.


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, December 30, 2019 3:37 AM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

> Hi Devin,
>
> Could you let me know your reason for wanting this? If there's a good
> justification, we could consider adding it. But I'd like some
> reasoning as it relates to the entire system you're trying to build,
> first.
>
> Thanks,
> Jason
>
> On Sat, Dec 28, 2019 at 10:36 PM Jason A. Donenfeld Jason@zx2c4.com wrote:
>
> > I'm interested to learn, why would you want such a thing? The endpoint field is only ever a "hint" anyway, due to the roaming.
> > On Sat, Dec 28, 2019, 13:12 Devin Smith devinrsmith@protonmail.com wrote:
> >
> > > If I'm not mistaken, `wg set <interface> peer <base64> remove` removes the whole peer - I'm looking to remove just the peer's endpoint attribute [endpoint <ip>:<port>].
> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > On Friday, December 27, 2019 10:51 AM, Lonnie Abelbeck lists@lonnie.abelbeck.com wrote:
> > >
> > > > > On Dec 27, 2019, at 9:51 AM, Devin Smith devinrsmith@protonmail.com wrote:
> > > > > Is it possible to remove the endpoint of a peer via the `wg set` command? All of the other peer attributes (preshared-key, persistent-keepalive, allowed-ips) are removable in this fashion (and documented in the man page). I've tried `wg set <interface> peer <base64-public-key> endpoint 0` ...
> > > >
> > > > Yes, this works:
> > > >
> > > > wg set <interface> peer <base64-public-key> remove
> > > >
> > > > ---------------------------------------------------
> > > >
> > > > If you forget, "wg set --help" will remind you.
> > > > Lonnie