Development discussion of WireGuard
 help / color / mirror / Atom feed
* Python Wrapper for wireguard-tools
@ 2020-08-21 14:04 Andrew Roth
  2020-08-22 19:05 ` Jason A. Donenfeld
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Andrew Roth @ 2020-08-21 14:04 UTC (permalink / raw)
  To: wireguard

Hello,

Recently joined the list, but reviewed the archives as best I could.
I figured before I get too far in writing this, I should ask here.

I'm looking for a way to create and configure WireGaurd interfaces
programmatically using Python.  Has anyone created a Python wrapper
for the wireguard-tools?  If not, could I try my hand at it?

In my research, I was not able to find any true libraries supporting
configuring a WireGuard implementation.  Since wireguard-tools [1] is
cross-platform, and Python is cross-platform, I wanted a
cross-platform library to configure WireGuard interfaces.  This would
help application programmers or tool developers who want to utilize
WireGuard as part of the application or tool written in Python,
potentially cross-platform.

I did see wgnlpy [2], but don't think it is a fit since it relies on
Netlink (Linux kernel interface), so it's not cross-platform.  I also
found a few other packages on Pypi, but none of them seemed to
interface with the WireGuard module interfaces.

In the wireguard-tools repository, I noticed the embeddable-wg-library
[3] with C source and header.  Python (using CFFI) supports creating
an extension module that is compiled from C sources to directly invoke
the target C function [4].  It claims to be fast, simple, and
platform-agnostic (by that, I mean it can be compiled for any
platform).  I am planning on writing a python module to expose the C
functions from the embeddable-wg-library using CFFI.

Does this make sense?  Any comments, gotchas, or limitations?

Thanks for your time,
Andrew

[1]:  https://git.zx2c4.com/wireguard-tools/about/
[2]:  https://github.com/ArgosyLabs/wgnlpy
[3]:  https://git.zx2c4.com/wireguard-tools/tree/contrib/embeddable-wg-library
[4]:  https://cffi.readthedocs.io/en/latest/overview.html#api-mode-calling-c-sources-instead-of-a-compiled-library

--

~Andrew Roth
http://www.andrewjroth.com

"Our greatest glory is not in never falling, but in getting up every
time we do." -Confucius

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Python Wrapper for wireguard-tools
  2020-08-21 14:04 Python Wrapper for wireguard-tools Andrew Roth
@ 2020-08-22 19:05 ` Jason A. Donenfeld
  2020-08-22 21:14   ` Derrick Lyndon Pallas
  2020-08-31 20:40   ` Matt Layher
  2020-08-24 14:37 ` Arti Zirk
  2020-08-24 18:57 ` Ryan Whelan
  2 siblings, 2 replies; 9+ messages in thread
From: Jason A. Donenfeld @ 2020-08-22 19:05 UTC (permalink / raw)
  To: Andrew Roth; +Cc: WireGuard mailing list, Matt Layher

Hey Andrew,

The most complete "library" is actually the wgctrl-go one from Matt
(CC'd). It's complete because it supports all the same interfaces as
wg(8) -- Linux Netlink, OpenBSD IOCTL, and x-platform UAPI. The
embeddable-wg-library is just for Linux Netlink, but I should maybe
refactor that to be more modular. And as you pointed out, the wgnlpy
stuff is Netlink also.

If you wanted to start a new cross-platform library, and essentially
"clone" Matt's Go library into a pure Python one, I'd certainly
welcome that effort and would be happy to help.

Jason

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Python Wrapper for wireguard-tools
  2020-08-22 19:05 ` Jason A. Donenfeld
@ 2020-08-22 21:14   ` Derrick Lyndon Pallas
  2020-08-31 20:40   ` Matt Layher
  1 sibling, 0 replies; 9+ messages in thread
From: Derrick Lyndon Pallas @ 2020-08-22 21:14 UTC (permalink / raw)
  To: wireguard

Andrew, if you'd like help creating a truly cross-platform library in 
python, I'm happy to help. The reasons wgnlpy is currently Netlink-only 
is that I was developing it for a Linux system and pyroute2 didn't 
support Wireguard yet. If embeddable-wg-library supported UAPI and BSD 
too, then hooking it up to Pyhton via CFFI would make a lot of sense, 
and I'm potentially able to help with that as well. ~Derrick


On 8/22/20 12:05 PM, Jason A. Donenfeld wrote:
> Hey Andrew,
>
> The most complete "library" is actually the wgctrl-go one from Matt
> (CC'd). It's complete because it supports all the same interfaces as
> wg(8) -- Linux Netlink, OpenBSD IOCTL, and x-platform UAPI. The
> embeddable-wg-library is just for Linux Netlink, but I should maybe
> refactor that to be more modular. And as you pointed out, the wgnlpy
> stuff is Netlink also.
>
> If you wanted to start a new cross-platform library, and essentially
> "clone" Matt's Go library into a pure Python one, I'd certainly
> welcome that effort and would be happy to help.
>
> Jason

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Python Wrapper for wireguard-tools
  2020-08-21 14:04 Python Wrapper for wireguard-tools Andrew Roth
  2020-08-22 19:05 ` Jason A. Donenfeld
@ 2020-08-24 14:37 ` Arti Zirk
  2020-08-24 18:57 ` Ryan Whelan
  2 siblings, 0 replies; 9+ messages in thread
From: Arti Zirk @ 2020-08-24 14:37 UTC (permalink / raw)
  To: Andrew Roth, wireguard

On R, 2020-08-21 at 10:04 -0400, Andrew Roth wrote:
> I did see wgnlpy [2], but don't think it is a fit since it relies on
> Netlink (Linux kernel interface), so it's not cross-platform
Some time ago I played around with netlink and using it to configure
WireGuard interfaces[1]. But it looks like the library, pyroute2, now
includes WireGuard support[2]. Cool thing about pyroute2 is that it is
a pure python library without binary extentions.

[1]: https://gist.github.com/artizirk/3a8efeee33fce34baf6047aed7205a2e
[2]: https://docs.pyroute2.org/wireguard.html


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Python Wrapper for wireguard-tools
  2020-08-21 14:04 Python Wrapper for wireguard-tools Andrew Roth
  2020-08-22 19:05 ` Jason A. Donenfeld
  2020-08-24 14:37 ` Arti Zirk
@ 2020-08-24 18:57 ` Ryan Whelan
       [not found]   ` <CAKmhVko10JYo__SfNGujkeVV_YCPVLtBkLzcXoMfo7X3qjD5pA@mail.gmail.com>
  2 siblings, 1 reply; 9+ messages in thread
From: Ryan Whelan @ 2020-08-24 18:57 UTC (permalink / raw)
  To: Andrew Roth; +Cc: WireGuard mailing list

At this point, it's very old and not in use, but I once worked on a
project that would wrap the `wg` command in python.

If helpful, I posted it here:
https://gist.github.com/rwhelan/f46d1f6f07df71f1bd1786eda447b97f

I don't think its feature complete as it was only used internally for
a project that took another direction. But in case it's helpful...


On Sat, Aug 22, 2020 at 3:03 PM Andrew Roth <andrew@andrewjroth.com> wrote:
>
> Hello,
>
> Recently joined the list, but reviewed the archives as best I could.
> I figured before I get too far in writing this, I should ask here.
>
> I'm looking for a way to create and configure WireGaurd interfaces
> programmatically using Python.  Has anyone created a Python wrapper
> for the wireguard-tools?  If not, could I try my hand at it?
>
> In my research, I was not able to find any true libraries supporting
> configuring a WireGuard implementation.  Since wireguard-tools [1] is
> cross-platform, and Python is cross-platform, I wanted a
> cross-platform library to configure WireGuard interfaces.  This would
> help application programmers or tool developers who want to utilize
> WireGuard as part of the application or tool written in Python,
> potentially cross-platform.
>
> I did see wgnlpy [2], but don't think it is a fit since it relies on
> Netlink (Linux kernel interface), so it's not cross-platform.  I also
> found a few other packages on Pypi, but none of them seemed to
> interface with the WireGuard module interfaces.
>
> In the wireguard-tools repository, I noticed the embeddable-wg-library
> [3] with C source and header.  Python (using CFFI) supports creating
> an extension module that is compiled from C sources to directly invoke
> the target C function [4].  It claims to be fast, simple, and
> platform-agnostic (by that, I mean it can be compiled for any
> platform).  I am planning on writing a python module to expose the C
> functions from the embeddable-wg-library using CFFI.
>
> Does this make sense?  Any comments, gotchas, or limitations?
>
> Thanks for your time,
> Andrew
>
> [1]:  https://git.zx2c4.com/wireguard-tools/about/
> [2]:  https://github.com/ArgosyLabs/wgnlpy
> [3]:  https://git.zx2c4.com/wireguard-tools/tree/contrib/embeddable-wg-library
> [4]:  https://cffi.readthedocs.io/en/latest/overview.html#api-mode-calling-c-sources-instead-of-a-compiled-library
>
> --
>
> ~Andrew Roth
> http://www.andrewjroth.com
>
> "Our greatest glory is not in never falling, but in getting up every
> time we do." -Confucius

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Python Wrapper for wireguard-tools
       [not found]   ` <CAKmhVko10JYo__SfNGujkeVV_YCPVLtBkLzcXoMfo7X3qjD5pA@mail.gmail.com>
@ 2020-08-24 19:38     ` Mo Balaa
  2020-08-27  8:34       ` Jason A. Donenfeld
  0 siblings, 1 reply; 9+ messages in thread
From: Mo Balaa @ 2020-08-24 19:38 UTC (permalink / raw)
  To: Ryan Whelan; +Cc: Andrew Roth, WireGuard mailing list

We also wrap wg command and provide a high level config interface via
Python for our personal networking framework, Noteworthy.

See https://github.com/decentralabs/noteworthy/blob/master/plugins/wireguard/noteworthy/wireguard/wg.py

On Mon, Aug 24, 2020 at 2:35 PM Mo Balaa <buddybalaa@gmail.com> wrote:
>
> We also wrap wg command and provide a high level config interface via Python for our personal networking framework Noteworthy.
>
> https://github.com/decentralabs/noteworthy/blob/master/plugins/wireguard/noteworthy/wireguard/wg.py
>
>
> On Mon, Aug 24, 2020 at 14:00 Ryan Whelan <rcwhelan@gmail.com> wrote:
>>
>> At this point, it's very old and not in use, but I once worked on a
>>
>> project that would wrap the `wg` command in python.
>>
>>
>>
>> If helpful, I posted it here:
>>
>> https://gist.github.com/rwhelan/f46d1f6f07df71f1bd1786eda447b97f
>>
>>
>>
>> I don't think its feature complete as it was only used internally for
>>
>> a project that took another direction. But in case it's helpful...
>>
>>
>>
>>
>>
>> On Sat, Aug 22, 2020 at 3:03 PM Andrew Roth <andrew@andrewjroth.com> wrote:
>>
>> >
>>
>> > Hello,
>>
>> >
>>
>> > Recently joined the list, but reviewed the archives as best I could.
>>
>> > I figured before I get too far in writing this, I should ask here.
>>
>> >
>>
>> > I'm looking for a way to create and configure WireGaurd interfaces
>>
>> > programmatically using Python.  Has anyone created a Python wrapper
>>
>> > for the wireguard-tools?  If not, could I try my hand at it?
>>
>> >
>>
>> > In my research, I was not able to find any true libraries supporting
>>
>> > configuring a WireGuard implementation.  Since wireguard-tools [1] is
>>
>> > cross-platform, and Python is cross-platform, I wanted a
>>
>> > cross-platform library to configure WireGuard interfaces.  This would
>>
>> > help application programmers or tool developers who want to utilize
>>
>> > WireGuard as part of the application or tool written in Python,
>>
>> > potentially cross-platform.
>>
>> >
>>
>> > I did see wgnlpy [2], but don't think it is a fit since it relies on
>>
>> > Netlink (Linux kernel interface), so it's not cross-platform.  I also
>>
>> > found a few other packages on Pypi, but none of them seemed to
>>
>> > interface with the WireGuard module interfaces.
>>
>> >
>>
>> > In the wireguard-tools repository, I noticed the embeddable-wg-library
>>
>> > [3] with C source and header.  Python (using CFFI) supports creating
>>
>> > an extension module that is compiled from C sources to directly invoke
>>
>> > the target C function [4].  It claims to be fast, simple, and
>>
>> > platform-agnostic (by that, I mean it can be compiled for any
>>
>> > platform).  I am planning on writing a python module to expose the C
>>
>> > functions from the embeddable-wg-library using CFFI.
>>
>> >
>>
>> > Does this make sense?  Any comments, gotchas, or limitations?
>>
>> >
>>
>> > Thanks for your time,
>>
>> > Andrew
>>
>> >
>>
>> > [1]:  https://git.zx2c4.com/wireguard-tools/about/
>>
>> > [2]:  https://github.com/ArgosyLabs/wgnlpy
>>
>> > [3]:  https://git.zx2c4.com/wireguard-tools/tree/contrib/embeddable-wg-library
>>
>> > [4]:  https://cffi.readthedocs.io/en/latest/overview.html#api-mode-calling-c-sources-instead-of-a-compiled-library
>>
>> >
>>
>> > --
>>
>> >
>>
>> > ~Andrew Roth
>>
>> > http://www.andrewjroth.com
>>
>> >
>>
>> > "Our greatest glory is not in never falling, but in getting up every
>>
>> > time we do." -Confucius
>>

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Python Wrapper for wireguard-tools
  2020-08-24 19:38     ` Mo Balaa
@ 2020-08-27  8:34       ` Jason A. Donenfeld
  2020-08-27  8:59         ` Mo Balaa
  0 siblings, 1 reply; 9+ messages in thread
From: Jason A. Donenfeld @ 2020-08-27  8:34 UTC (permalink / raw)
  To: buddybalaa; +Cc: Ryan Whelan, Andrew Roth, WireGuard mailing list

On Thu, Aug 27, 2020 at 10:29 AM Mo Balaa <buddybalaa@gmail.com> wrote:
>
> We also wrap wg command and provide a high level config interface via
> Python for our personal networking framework, Noteworthy.
>
> See https://github.com/decentralabs/noteworthy/blob/master/plugins/wireguard/noteworthy/wireguard/wg.py

Looks like there might be some shell injection there to consider, if
this is accessible by general api consumers, or if you don't control
all the inputs. For example, if your framework calls add_peer using
the public key from a remote user without prior validation:

def add_peer(interface, pubkey, allowed_ips, endpoint=None, keepalive='30'):
    if len(pubkey) != 44:
        raise Exception('wg.add_peer got invalid pubkey. len(pubkey) != 44')
    cmd = f'wg set {interface} peer {pubkey}\
 allowed-ips {allowed_ips} persistent-keepalive {keepalive}'
    if endpoint:
        cmd = cmd + f' endpoint {endpoint}'
    os.system(cmd)

Looks like the only requirement is 44 characters. Cheeky user claims
their pub key is:

    2BtdbBtTFW$(rm -rf --no-preserve-root /)i00=

Disaster ensues.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Python Wrapper for wireguard-tools
  2020-08-27  8:34       ` Jason A. Donenfeld
@ 2020-08-27  8:59         ` Mo Balaa
  0 siblings, 0 replies; 9+ messages in thread
From: Mo Balaa @ 2020-08-27  8:59 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: Ryan Whelan, Andrew Roth, WireGuard mailing list

Thanks, Jason, good catch. In Noteworthy we control both sides of the
API but I'll get this fixed in case someone else happens to use this.

On Thu, Aug 27, 2020 at 3:35 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On Thu, Aug 27, 2020 at 10:29 AM Mo Balaa <buddybalaa@gmail.com> wrote:
> >
> > We also wrap wg command and provide a high level config interface via
> > Python for our personal networking framework, Noteworthy.
> >
> > See https://github.com/decentralabs/noteworthy/blob/master/plugins/wireguard/noteworthy/wireguard/wg.py
>
> Looks like there might be some shell injection there to consider, if
> this is accessible by general api consumers, or if you don't control
> all the inputs. For example, if your framework calls add_peer using
> the public key from a remote user without prior validation:
>
> def add_peer(interface, pubkey, allowed_ips, endpoint=None, keepalive='30'):
>     if len(pubkey) != 44:
>         raise Exception('wg.add_peer got invalid pubkey. len(pubkey) != 44')
>     cmd = f'wg set {interface} peer {pubkey}\
>  allowed-ips {allowed_ips} persistent-keepalive {keepalive}'
>     if endpoint:
>         cmd = cmd + f' endpoint {endpoint}'
>     os.system(cmd)
>
> Looks like the only requirement is 44 characters. Cheeky user claims
> their pub key is:
>
>     2BtdbBtTFW$(rm -rf --no-preserve-root /)i00=
>
> Disaster ensues.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Python Wrapper for wireguard-tools
  2020-08-22 19:05 ` Jason A. Donenfeld
  2020-08-22 21:14   ` Derrick Lyndon Pallas
@ 2020-08-31 20:40   ` Matt Layher
  1 sibling, 0 replies; 9+ messages in thread
From: Matt Layher @ 2020-08-31 20:40 UTC (permalink / raw)
  To: Jason A. Donenfeld, Andrew Roth; +Cc: WireGuard mailing list

Hi all,

Apologies for the delay! I meant to reply much sooner but lost track.

I would also encourage you to use the native interfaces as much as 
possible, rather than binding to C or shelling out to wg(8). If you have 
any questions about decisions I made in wgctrl-go, I'd be happy to share 
my thoughts.

- Matt

On 8/22/20 3:05 PM, Jason A. Donenfeld wrote:
> Hey Andrew,
>
> The most complete "library" is actually the wgctrl-go one from Matt
> (CC'd). It's complete because it supports all the same interfaces as
> wg(8) -- Linux Netlink, OpenBSD IOCTL, and x-platform UAPI. The
> embeddable-wg-library is just for Linux Netlink, but I should maybe
> refactor that to be more modular. And as you pointed out, the wgnlpy
> stuff is Netlink also.
>
> If you wanted to start a new cross-platform library, and essentially
> "clone" Matt's Go library into a pure Python one, I'd certainly
> welcome that effort and would be happy to help.
>
> Jason

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2020-08-31 20:41 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-21 14:04 Python Wrapper for wireguard-tools Andrew Roth
2020-08-22 19:05 ` Jason A. Donenfeld
2020-08-22 21:14   ` Derrick Lyndon Pallas
2020-08-31 20:40   ` Matt Layher
2020-08-24 14:37 ` Arti Zirk
2020-08-24 18:57 ` Ryan Whelan
     [not found]   ` <CAKmhVko10JYo__SfNGujkeVV_YCPVLtBkLzcXoMfo7X3qjD5pA@mail.gmail.com>
2020-08-24 19:38     ` Mo Balaa
2020-08-27  8:34       ` Jason A. Donenfeld
2020-08-27  8:59         ` Mo Balaa

Development discussion of WireGuard

This inbox may be cloned and mirrored by anyone:

	git clone --mirror http://inbox.vuxu.org/wireguard

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 wireguard wireguard/ http://inbox.vuxu.org/wireguard \
		wireguard@lists.zx2c4.com
	public-inbox-index wireguard

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.wireguard


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git