Development discussion of WireGuard
* Hooks in clients?
@ 2020-11-13 15:46 Sune Mølgaard
  2020-11-13 15:50 ` Jason A. Donenfeld
  2020-11-13 16:58 ` Nicholas Capo
  0 siblings, 2 replies; 5+ messages in thread
From: Sune Mølgaard @ 2020-11-13 15:46 UTC (permalink / raw)
  To: wireguard

Hiya,

I am looking towards deploying WireGuard as my primary VPN connection,
and wonder a bit if the various clients (Android, wg-quick, whatever
there is for macOS, iOS and Windows), could be made to include the
possibility of calling external programs upon (re-)connections, in my
case specifically for port knocking, but possibly useful for other
purposes as well?

In the cases of Android and iOS, I am a bit unsure about interaction
with other apps, so maybe, to begin with, just built-in port knocking
capabilities could be considered.

Any thoughts?

-- 
A video dry
trample here madam ere help
martyr doe diva
-- http://doulogos.blogspot.com


* Re: Hooks in clients?
  2020-11-13 15:46 Hooks in clients? Sune Mølgaard
@ 2020-11-13 15:50 ` Jason A. Donenfeld
  2020-11-13 16:58 ` Nicholas Capo
  1 sibling, 0 replies; 5+ messages in thread
From: Jason A. Donenfeld @ 2020-11-13 15:50 UTC (permalink / raw)
  To: Sune Mølgaard; +Cc: WireGuard mailing list

wg-quick-based clients have this, but the UI clients do not.

However, for your use case, port knocking, I'd recommend getting rid
of the port knocking. WireGuard is silent to unauthenticated packets,
which means you don't need to port knock it. It was specifically made
as a port knocking replacement.

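The claim above (no response to anything that is not a valid, authenticated handshake) is something a practitioner can verify before deciding to drop port knocking. The script below is an added example, not code from this thread or from the WireGuard project. It sends two probes to a UDP endpoint: arbitrary junk, and a handshake initiation that has the correct 148-byte type-1 layout but a mac1 that cannot be valid, since mac1 is keyed by a hash of the responder's public key and an outsider does not have it. The payloads are constructed inline; the function names and the 0xDEADBEEF sender index are illustrative choices. A local never-answering UDP listener is included so the probe logic can be exercised offline.

```python
"""Probe a UDP endpoint the way an unauthenticated scanner sees a WireGuard
listener: send junk and a forged handshake initiation, report what came back.
Added example; not part of the original thread or of WireGuard itself."""
import os
import socket
import struct
import sys

# Wire format of a WireGuard handshake initiation (message type 1), 148 bytes:
#   type(1) reserved(3) sender_index(4) unencrypted_ephemeral(32)
#   encrypted_static(32+16) encrypted_timestamp(12+16) mac1(16) mac2(16)
HANDSHAKE_INITIATION = 1
INITIATION_LEN = 148


def build_bogus_initiation() -> bytes:
    """A correctly sized type-1 message whose mac1 cannot be right.

    mac1 is keyed by a hash of the responder's static public key; without that
    key the best an outsider can do is random bytes, and the responder drops
    the message before doing any cryptography or sending anything back.
    """
    msg = struct.pack("<B3xI", HANDSHAKE_INITIATION, 0xDEADBEEF)  # type, pad, sender index
    msg += os.urandom(32)        # ephemeral public key (random, never used by us)
    msg += os.urandom(32 + 16)   # "encrypted static" + AEAD tag (garbage)
    msg += os.urandom(12 + 16)   # "encrypted timestamp" + AEAD tag (garbage)
    msg += os.urandom(16)        # mac1: cannot be valid without responder pubkey
    msg += bytes(16)             # mac2: zero, as when no cookie is held
    assert len(msg) == INITIATION_LEN
    return msg


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'silent', 'replied' or 'unreachable' for host:port.

    A WireGuard listener (or a firewall DROP rule) yields 'silent' for both
    payloads. A port with nothing bound usually yields 'unreachable', because
    the kernel answers with ICMP port unreachable, so an unfiltered host can
    still reveal that *something* is listening, just not what, nor to whom
    it would ever talk.
    """
    payloads = [b"knock knock", build_bogus_initiation()]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket so ICMP errors surface
        for payload in payloads:
            try:
                s.send(payload)
                data = s.recv(2048)
            except socket.timeout:
                continue
            except ConnectionRefusedError:
                return "unreachable"
            if data:
                return "replied"
    return "silent"


def open_silent_listener() -> tuple:
    """Bind a UDP socket on loopback that never answers; returns (sock, port).

    Used to exercise probe() offline; the caller closes the socket.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe_wg.py <host> <udp-port>
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(probe(target_host, target_port))
```

Against a real WireGuard endpoint the expected verdict is `silent` for both probes, which is the property that makes knocking in front of it redundant. If you still want a hook for other purposes, wg-quick(8) provides the `PreUp`, `PostUp`, `PreDown` and `PostDown` keys in the `[Interface]` section for running external commands; the GUI clients discussed in this thread do not expose an equivalent.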

* Re: Hooks in clients?
  2020-11-13 15:46 Hooks in clients? Sune Mølgaard
  2020-11-13 15:50 ` Jason A. Donenfeld
@ 2020-11-13 16:58 ` Nicholas Capo
  2020-11-14  9:55   ` Sune Mølgaard
  1 sibling, 1 reply; 5+ messages in thread
From: Nicholas Capo @ 2020-11-13 16:58 UTC (permalink / raw)
  To: Sune Mølgaard, wireguard

On Fri, 2020-11-13 at 16:46 +0100, Sune Mølgaard wrote:
> Hiya,
> 
> I am looking towards deploying WireGuard as my primary VPN
> connection,
> and wonder a bit if the various clients (Android, wg-quick, whatever
> there is for macOS, iOS and Windows), could be made to include the
> possibility of calling external programs upon (re-)connections, in my
> case specifically for port knocking, but possibly useful for other
> purposes as well?
> 
> In the cases of Android and iOS, I am a bit unsure about interaction
> with other apps, so maybe, to begin with, just built-in port knocking
> capabilities could be considered.
> 
> Any thoughts?
> 

In my experience there isn't really a case where the client gets
disconnected (like a crash) and then needs to reconnect.
For me the client always stays enabled, but if there is a problem at
the remote end then packets don't go anywhere.

In other words the traffic might get dropped by the remote (feels like
no traffic *at all*), but I've never seen a situation where I was
accidentally sending unencrypted traffic.

Nicholas





* Re: Hooks in clients?
  2020-11-13 16:58 ` Nicholas Capo
@ 2020-11-14  9:55   ` Sune Mølgaard
  2020-11-14 10:02     ` Jason A. Donenfeld
  0 siblings, 1 reply; 5+ messages in thread
From: Sune Mølgaard @ 2020-11-14  9:55 UTC (permalink / raw)
  To: Nicholas Capo, wireguard

On 13/11/2020 17.58, Nicholas Capo wrote:
> On Fri, 2020-11-13 at 16:46 +0100, Sune Mølgaard wrote:
>> Hiya,
>>
>> I am looking towards deploying WireGuard as my primary VPN
>> connection,
>> and wonder a bit if the various clients (Android, wg-quick, whatever
>> there is for macOS, iOS and Windows), could be made to include the
>> possibility of calling external programs upon (re-)connections, in my
>> case specifically for port knocking, but possibly useful for other
>> purposes as well?
>>
>> In the cases of Android and iOS, I am a bit unsure about interaction
>> with other apps, so maybe, to begin with, just built-in port knocking
>> capabilities could be considered.
>>
>> Any thoughts?
>>
> 
> In my experience there isn't really a case where the client gets
> disconnected (like a crash) and then needs to reconnect.
> For me the client always stays enabled, but if there is a problem at
> the remote end then packets don't go anywhere.
> 
> In other words the traffic might get dropped by the remote (feels like
> no traffic *at all*), but I've never seen a situation where I was
> accidentally sending unencrypted traffic.
> 
> Nicholas
> 
> 
> 

Hi Nicholas,

Well, my worry was that if I used port knocking, then, since I also use
fail2ban on the server, the client (phone specifically), would change
IP-addresses, need to knock, or else get banned.

But if I understand Jason correctly (thank you, Jason), even if we
employ port knocking for a few other things, if we keep the WG port
open, it will actually look closed, unless one actually has a legitimate
client and client config.

Is that understanding correct?

-- 
Real programmers don't comment...
What was hard to write should be hard to read.


* Re: Hooks in clients?
  2020-11-14  9:55   ` Sune Mølgaard
@ 2020-11-14 10:02     ` Jason A. Donenfeld
  0 siblings, 0 replies; 5+ messages in thread
From: Jason A. Donenfeld @ 2020-11-14 10:02 UTC (permalink / raw)
  To: Sune Mølgaard; +Cc: Nicholas Capo, wireguard

On 11/14/20, Sune Mølgaard <sune@molgaard.org> wrote:

> But if I understand Jason correctly (thank you, Jason), even if we
> employ port knocking for a few other things, if we keep the WG port
> open, it will actually look closed, unless one actually has a legitimate
> client and client config.
>
> Is that understanding correct?

That is correct.


