Development discussion of WireGuard
From: dxld@darkboxed.org
To: Michael Tokarev <mjt@tls.msk.ru>
Cc: wireguard@lists.zx2c4.com, "Jason A . Donenfeld" <Jason@zx2c4.com>
Subject: Re: [PATCH] wg: Allow config to read private key from file
Date: Mon, 21 Nov 2022 14:28:55 +0100
Message-ID: <20221121132855.vkwsez6kjm3ughrr@House.clients.dxld.at>
In-Reply-To: <bd851ce5-c45b-b6ed-986e-4d9f3cf54494@msgid.tls.msk.ru>

Hi Michael,

On Mon, Nov 21, 2022 at 09:31:41AM +0300, Michael Tokarev wrote:
> 21.11.2022 01:46, Daniel Gröber wrote:
> > Using this new option the interface configs can be much easier to deploy in
> > an automated fashion as they don't contain secrets anymore. The private key
> > can easily be provisioned out of band or using a one-time provisioning step
> > instead.
> 
> This is definitely a very welcome option in my PoV.
> 
> Add my
> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

I think you mean Reviewed-By? Speaking of which I actually forgot the
signoff myself. Doh.

Is Reviewed-By something we do here? I can't find a single such tag with
`git log --grep Reviewed-By`. I appreciate the positive response nonetheless
though :)

> > Before this patch we were using a neat hack: it's possible to simply omit
> > PrivateKey= and set it using PostUp= wg set %i private-key /some/file.
> 
> Well, this isn't really neat, it is a hackish workaround for the missing
> functionality ;)

It does work surprisingly well though :D. I just re-set the private-key
after syncconf now, which definitely ought to lose some traffic but it
works at least ;)

> On a side, note, almost a year ago I sent a patch for wg utility to recognize
> and discard some keywords which are processed by wg-quick script - like,
> Address=. This way, there's no need to pre-process the config file anymore,
> and in order to recognize more peers, one doesn't have to restart the
> tunnel interface, instead, a regular wg syncconf wgif.conf is sufficient,
> and many things can be simplified too (removing the preprocessing).

Ok I think I found your patch[1]. So we did actually independently come up
with the idea of PrivateKeyFile, interesting. Also you support PresharedKey
too. I realised I forgot that one right after sending the patch obv. ;)
I'll send a v2 for that soon.

[1]: https://lists.zx2c4.com/pipermail/wireguard/2021-January/006346.html

As for ignoring the wg-quick options, I'm not sure what's the right way to
go there. I don't find the wg-quick strip approach toooo taxing but it sure
would be more convenient to just call one tool.

> I've never got any reply for these patches.

I have another patch pending for a longish while as well, "wg: Support
restricting address family of DNS resolved Endpoint". IMO you should have
just resent your series every couple of months :)

--Daniel
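The PostUp workaround discussed above, written out as a complete wg-quick interface config. This is an added example, not part of the patch or of either list message; the interface name, addresses, port and key-file path are assumptions. The point is that the file contains no secret: PrivateKey= is omitted and the key is loaded from a separately provisioned file once the interface is up.

```ini
# /etc/wireguard/wg0.conf (added example; names and paths are assumptions)
#
# Secret-free interface config. PrivateKey= is deliberately left out, so this
# file can be shipped by configuration management without leaking the key.
# The key itself lives in /etc/wireguard/wg0.key, provisioned out of band and
# created with `umask 077` so that only root can read it (mode 0600).
[Interface]
# wg-quick-only field; `wg setconf`/`wg syncconf` would reject it unless the
# config is first passed through `wg-quick strip`.
Address = 10.0.0.1/24
ListenPort = 51820
# %i is expanded by wg-quick to the interface name. wg(8) reads the key from
# the file and never echoes it, so it does not end up in shell history or ps.
PostUp = wg set %i private-key /etc/wireguard/wg0.key

[Peer]
# Placeholder: substitute the peer's base64 public key.
PublicKey = <peer public key>
AllowedIPs = 10.0.0.2/32
Endpoint = 203.0.113.10:51820
```

Two caveats follow from the mail above. If the interface is still lacking a private key (for example the key file was missing), `wg show wg0` reports `private key: (none)` and no handshake will complete, so a deployment check should verify that the key is actually set. And `wg syncconf wg0 <(wg-quick strip wg0)`, the usual way to pick up new peers without restarting the tunnel, does not run PostUp hooks, so the key has to be re-set afterwards, which is the extra step Daniel describes; the `PrivateKeyFile=` option in the patch under discussion is what removes it.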


Thread overview: 3+ messages
2022-11-20 22:46 Daniel Gröber
2022-11-21  6:31 ` Michael Tokarev
2022-11-21 13:28   ` dxld [this message]
