Development discussion of WireGuard
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Ximin Luo <ximin@dfinity.org>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Using WG for transport security in a p2p network
Date: Fri, 6 Apr 2018 19:59:54 +0200
Message-ID: <CAHmME9racrutSPmM_Oy6eHAx3B=ah1=xzchzb_msZ5F9Zf-rGA@mail.gmail.com>
In-Reply-To: <CADX+UFjEBcWRsL3SRv5_b0ezU0adcURqOJf=MvDbQkSXg3JRHg@mail.gmail.com>

Hi Ximin,

On Thu, Apr 5, 2018 at 5:22 AM, Ximin Luo <ximin@dfinity.org> wrote:
> Our usage would indeed involve setting up and tearing down interfaces ~30
> times a week in an automated fashion, which might be "strange" going by the
> above.

No, certainly not strange. Actually, there's no amount of setting up
and tearing down that should be considered a bad thing. I have a
script I run during development that sets up thousands of interfaces,
each with hundreds of thousands of peers, connects them to each other,
and then toggles everything up and down over and over. I have another
script that just adds and removes interfaces really fast. The purpose
is to stress test WireGuard to ensure it's resilient in these types of
configurations. So... I think you should be good with a mere 30 a week
;-).

>
> I'm also wondering how easy this would be to program. It would clearly be
> much more heavyweight than simply opening a socket, but I guess it can be
> done via invocations of the `wg` or `wg-quick` tools. Has anyone had any
> experience with this level of WG automation, could you share your thoughts?
> Would the program need any extra system-level privileges? Ideally we
> wouldn't need root, of course - does that mean we're forced to wait for a
> userspace WG library such as wireguard-rs? I understand there is a
> performance penalty here, but I'd have to run benchmarks to know if this
> affects our use-case significantly.

The overhead and performance penalty are minimal, and you should easily
be able to get away with doing this. You can script it pretty easily
using wg (it needs only CAP_NET_ADMIN), or if you want closer
integration and more sophisticated priv separation, you could open the
netlink socket, then drop privs, and use something like the
embeddable-wg-library to automate everything:
https://git.zx2c4.com/WireGuard/tree/contrib/examples/embeddable-wg-library


Let me know if you have any more questions or ways in which I can help
you guys out with the p2p protocol.

Regards,
Jason
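
The first route Jason describes above, scripting `wg` and `ip` from a process that holds only CAP_NET_ADMIN, as an added example that is not part of this thread or of the WireGuard project. It assumes `wg` from wireguard-tools and iproute2's `ip` are installed; the interface name, key files, addresses and the `wg show ... dump` sample are all constructed for illustration. Setup and teardown are returned as argv lists so they can be reviewed before being executed, and the parser handles the `(none)`/`off` placeholders that `wg show <iface> dump` emits for unset fields.

```python
"""Automate WireGuard interface setup/teardown via the `wg` and `ip` CLIs.

Added example (not from the mailing-list thread or the WireGuard tree).
Assumes wireguard-tools and iproute2 are installed and that the caller
holds CAP_NET_ADMIN when `run_plan` is actually invoked.
"""
from __future__ import annotations

import base64
import shlex
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample keys: base64 of 32 bytes, the format `wg` accepts.
KEY_A = base64.b64encode(b"\x01" * 32).decode()   # interface public key
KEY_B = base64.b64encode(b"\x02" * 32).decode()   # peer with an endpoint
KEY_C = base64.b64encode(b"\x03" * 32).decode()   # peer that never connected


def validate_key(key: str) -> str:
    """Reject anything that is not a base64-encoded 32-byte key before it reaches argv."""
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError as e:
        raise ValueError(f"malformed key {key!r}") from e
    if len(raw) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return key


@dataclass
class Peer:
    public_key: str
    allowed_ips: list            # CIDRs, joined with commas for `allowed-ips`
    endpoint: Optional[str] = None
    keepalive: Optional[int] = None
    preshared_key_file: Optional[str] = None   # a file path, never the key itself


def setup_plan(iface: str, private_key_file: str, listen_port: int,
               address: str, peers: list) -> list:
    """argv lists that create and configure one interface (each needs CAP_NET_ADMIN)."""
    plan = [
        ["ip", "link", "add", "dev", iface, "type", "wireguard"],
        ["wg", "set", iface, "listen-port", str(listen_port), "private-key", private_key_file],
    ]
    for p in peers:
        cmd = ["wg", "set", iface, "peer", validate_key(p.public_key),
               "allowed-ips", ",".join(p.allowed_ips)]
        if p.preshared_key_file:
            cmd += ["preshared-key", p.preshared_key_file]
        if p.endpoint:
            cmd += ["endpoint", p.endpoint]
        if p.keepalive is not None:
            cmd += ["persistent-keepalive", str(p.keepalive)]
        plan.append(cmd)
    plan += [
        ["ip", "address", "add", address, "dev", iface],
        ["ip", "link", "set", "up", "dev", iface],
    ]
    return plan


def teardown_plan(iface: str) -> list:
    """Deleting the link removes the device, its peers and its addresses in one step."""
    return [["ip", "link", "del", "dev", iface]]


def run_plan(plan: list) -> None:
    for argv in plan:
        subprocess.run(argv, check=True)


@dataclass
class PeerStatus:
    public_key: str
    endpoint: Optional[str]
    allowed_ips: list
    latest_handshake: int   # Unix seconds, 0 if there has never been one
    rx_bytes: int
    tx_bytes: int


def parse_dump(text: str) -> dict:
    """Parse `wg show <iface> dump`: tab-separated, first line is the interface."""
    lines = [l for l in text.splitlines() if l.strip()]
    _priv, pub, port, fwmark = lines[0].split("\t")
    peers = []
    for line in lines[1:]:
        pk, _psk, ep, ips, hs, rx, tx, _ka = line.split("\t")
        peers.append(PeerStatus(
            public_key=pk,
            endpoint=None if ep == "(none)" else ep,
            allowed_ips=[] if ips == "(none)" else ips.split(","),
            latest_handshake=int(hs), rx_bytes=int(rx), tx_bytes=int(tx)))
    return {"public_key": pub, "listen_port": int(port),
            "fwmark": None if fwmark == "off" else int(fwmark, 16), "peers": peers}


def stale_peers(status: dict, now: int, max_age: int = 180) -> list:
    """Public keys of peers with no handshake in the last max_age seconds."""
    return [p.public_key for p in status["peers"]
            if p.latest_handshake == 0 or now - p.latest_handshake > max_age]


# Constructed sample output of `wg show wg0 dump`.
SAMPLE_DUMP = (
    "(none)\t" + KEY_A + "\t51820\toff\n"
    + KEY_B + "\t(none)\t192.0.2.10:51820\t10.0.0.2/32\t1700000000\t1024\t2048\t25\n"
    + KEY_C + "\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff\n"
)

if __name__ == "__main__":
    peer = Peer(KEY_B, ["10.0.0.2/32"], endpoint="192.0.2.10:51820", keepalive=25)
    for argv in setup_plan("wg0", "/etc/wireguard/wg0.key", 51820, "10.0.0.1/24", [peer]):
        print(shlex.join(argv))
    print(stale_peers(parse_dump(SAMPLE_DUMP), now=1700000100))
```

Keys and preshared keys are passed to `wg` as file paths rather than on the command line, so they do not appear in the process list. Because file capabilities attach to an executable rather than to an interpreted script, the practical way to give a process like this CAP_NET_ADMIN without root is through the service manager (for example `AmbientCapabilities=CAP_NET_ADMIN` in a systemd unit) or a small setcap'd wrapper binary.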

Thread overview: 14+ messages
2018-04-05  3:22 Ximin Luo
2018-04-05  7:13 ` Matthias Urlichs
2018-04-05 16:06   ` Tim Sedlmeyer
2018-04-05 19:00     ` Ximin Luo
2018-04-05 18:07   ` Ximin Luo
2018-04-05 19:49     ` Matthias Urlichs
2018-04-14 16:01   ` Bruno Wolff III
2018-04-14 18:33     ` Matthias Urlichs
2018-04-05 15:32 ` Kalin KOZHUHAROV
2018-04-05 18:17   ` Ximin Luo
2018-04-06 17:59 ` Jason A. Donenfeld [this message]
2018-04-20 15:20   ` Ximin Luo
2018-04-20 15:44     ` Ximin Luo
2018-04-20 19:27       ` Jason A. Donenfeld
