Development discussion of WireGuard
From: "Michael B. Williams" <Michael.Williams@glexia.com>
To: Adrian Larsen <alarsen@maidenheadbridge.com>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Continued use of `wg-quick save` and SaveConfig=true?
Date: Mon, 4 Jan 2021 21:00:39 -0500
Message-ID: <CAGj=18GrESw2rg3hj5K=T3rpEAEu8c8TQ1MX-jv1soeM6GTHfA@mail.gmail.com>
In-Reply-To: <edc99d2b-74f6-f165-993c-4901ddd9fd99@maidenheadbridge.com>


I agree with this commentary and would second keeping the functionality.

________________________________

Michael B. Williams
Glexia, Inc. - An IT Company
USA Direct: +1 978 477 6797
USA Toll Free: +1 800 675 0297 x101
AUS Direct: +61 3 8594 2265
AUS Toll Free: +61 1800 931 724 x101
Fax: +1.815-301-5570
Michael.Williams@glexia.com
https://www.glexia.com/
https://www.glexia.com.au/

Legal Notice:
The information in this electronic mail message is the sender's
confidential business and may be legally privileged. It is intended
solely for the addressee(s). Access to this internet electronic mail
message by anyone else is unauthorized. If you are not the intended
recipient, any disclosure, copying, distribution or any action taken
or omitted to be taken in reliance on it is prohibited and may be
unlawful.



On Mon, Jan 4, 2021 at 1:49 PM Adrian Larsen
<alarsen@maidenheadbridge.com> wrote:
>
> Hi Jason,
>
> 1) From a manual operation point of view, I feel more comfortable if an
> Operator uses:
>
> # wg set wg0 peer ... allowed-ips ...
> # wg-quick save wg0
>
> rather than manually editing the config file.
>
> In case WireGuard is running multiple peers with production
> traffic, I think an Operator can do less damage using the commands if
> something goes wrong.
>
> 2) From an automation point of view, I still think that it is easy to use the
> commands (in a script):
>
> # wg set wg0 peer ... allowed-ips ...
> # wg-quick save wg0
>
> rather than using "sed" or "awk" to modify the config file.
>
> My 2 cents.
>
> Adrian
>
> On 04/01/2021 16:16, Maarten de Vries wrote:
> > On 03-01-2021 20:59, Chris Osicki wrote:
> >> On Sat, Jan 02, 2021 at 03:37:09PM +0100, Jason A. Donenfeld wrote:
> >>> Hi,
> >>>
> >>> I was thinking recently that most people have switched from a model of
> >>> updating the runtime configuration and then reading that back into a
> >>> config file, to editing the config file and then syncing that with the
> >>> runtime config. In other words, people have moved from doing:
> >>>
> >>> # wg set wg0 peer ... allowed-ips ...
> >>> # wg-quick save wg0
> >>>
> >>> To doing:
> >>>
> >>> # vim /etc/wireguard/wg0.conf
> >>> # wg syncconf wg0 <(wg-quick strip wg0)
> >>>
> >>> I think this is mostly a positive change too in terms of reliability.
> >>> Reading back the runtime configuration was always a bit hit or miss,
> >>> and I suspect that more times than not people have been confused by
> >>> SaveConfig=true.
> >>>
> >>> That raises the question: are there good uses left for SaveConfig=true
> >>> and `wg-quick save` that warrant keeping the feature around?
> >>> Temporarily caching a roamed endpoint IP, perhaps, but how helpful is
> >>> that?
> >>>
> >>> I haven't thought too deeply about this in order to be wedded to one
> >>> outcome over the other yet, but seeing some confusion today, again, in
> >>> #wireguard over the feature made me wonder.
> >>>
> >>> Any opinions on this? Anyone on this list actively use this feature
> >>> and see replacements for it (e.g. syncconf) as clearly inferior?
> >>>
> >>> Jason
> >> Hi Jason
> >>
> >> Being an old-fashioned Unix admin, ~30 years spent in this job, I
> >> vote for the traditional way of doing it:
> >> change the config file and let the application reread it.
> >> I think the KISS principle is still valid ;-)
> >
> > I totally agree. Reloading the config file is much nicer :)
> >
> > I also don't need to save roaming endpoints. All WireGuard tunnels I
> > use have at least one side with a fixed endpoint. And if that's not
> > the case I imagine you probably need a more complicated solution than
> > wg-quick.
> >
> >
> >> Thanks for the excellent software, Jason!
> >
> > I also totally agree with this. WireGuard has made my life a lot
> > easier :)
> >
> >
> > Regards,
> >
> > Maarten
> >
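
For scripted use of the edit-then-sync workflow discussed in this thread, the following is an added example, not code from any poster or from the WireGuard project. `add_peer` and `sync_runtime` are hypothetical helper names; the sketch validates its inputs and appends a `[Peer]` block through a temp file and atomic rename instead of in-place `sed`/`awk`, then syncs the runtime.

```shell
#!/bin/sh
# Added example. add_peer and sync_runtime are hypothetical helper names.

# add_peer CONF PUBKEY ALLOWED_IPS
# Returns 0 on success, 1 on bad input or I/O error, 2 if the peer exists.
add_peer() {
    conf=$1; pubkey=$2; allowed=$3
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 1; }

    # A WireGuard public key is 32 bytes in base64: 44 characters.
    case $pubkey in
        *[!A-Za-z0-9+/=]*) echo "bad character in key" >&2; return 1 ;;
    esac
    [ "${#pubkey}" -eq 44 ] || { echo "bad key length" >&2; return 1; }

    # Only address characters: a value containing a newline or space
    # cannot smuggle extra configuration lines into the file.
    case $allowed in
        ''|*[!0-9a-fA-F.:/,]*) echo "bad allowed-ips" >&2; return 1 ;;
    esac

    # Refuse a duplicate peer; spacing around '=' is ignored.
    if sed 's/[[:space:]]//g' "$conf" | grep -qxF "PublicKey=$pubkey"; then
        echo "peer already present" >&2; return 2
    fi

    # mktemp creates the file 0600, and mv keeps that mode, so the
    # PrivateKey in the result is never group- or world-readable.
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    {
        cat "$conf"
        printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pubkey" "$allowed"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$conf"   # atomic rename: readers see old or new, never half
}

# sync_runtime IFACE
# POSIX-sh spelling of: wg syncconf wg0 <(wg-quick strip wg0)
sync_runtime() {
    wg-quick strip "$1" | wg syncconf "$1" /dev/stdin
}
```

With `SaveConfig=true` set, `wg-quick` rewrites the file from runtime state on shutdown, so a file-first workflow like this one assumes that option is off.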

Thread overview: 8+ messages
2021-01-02 14:37 Jason A. Donenfeld
2021-01-03 19:59 ` Chris Osicki
2021-01-04 16:16   ` Maarten de Vries
2021-01-04 18:41     ` Adrian Larsen
2021-01-04 21:05       ` Maarten de Vries
2021-01-05  0:16         ` Adrian Larsen
2021-01-08 10:42         ` Eicke Herbertz
2021-01-05  2:00       ` Michael B. Williams [this message]
