Development discussion of WireGuard
* Debian-based configuration for wireguard
@ 2017-07-10 20:14 raul
  0 siblings, 0 replies; 13+ messages in thread
From: raul @ 2017-07-10 20:14 UTC (permalink / raw)
  To: wireguard


> On Sun, Jul 09, 2017 at 11:30:20PM +0200, Baptiste Jonglez wrote:
> > Hi,
> >
> > I wrote up some configuration I use for Wireguard on Debian:
> >
> >     https://wiki.debian.org/Wireguard#Configuration_on_Debian
> >
> > The goal is to reuse functionalities from /etc/network/interfaces, which
> > is quite natural on Debian.  Simple use-cases like the point-to-point
> > tunnel don't need wg-quick at all.
>
> Terrific, thanks! Indeed, having nice integration into OSs' native
> configuration interfaces is preferred.
>
> Jason

Just to offer another POV, a utility like wg-quick is very useful when
orchestrating across Linux distributions by offering a standardized
interface to manage Wireguard networks.

It's user friendly and sets up routes automatically depending on the
/etc/wireguard/configuration. In a dynamically changing environment that's
useful to have or you will have to manage the routes manually.


Raul


^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: Debian-based configuration for wireguard
  2017-07-11 22:48             ` Jason A. Donenfeld
@ 2017-07-11 23:12               ` Daniel Kahn Gillmor
  0 siblings, 0 replies; 13+ messages in thread
From: Daniel Kahn Gillmor @ 2017-07-11 23:12 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

On Wed 2017-07-12 00:48:59 +0200, Jason A. Donenfeld wrote:
> It is for this reason that wg(8)'s private-key and preshared-key
> arguments take a file to the key, not the actual key itself.

Right.  but the ifupdown configuration that Egbert has proposed tries to
pull some info from the /etc/network/interfaces stanza and then some
other info from a wireguard configuration file.  To a novice user it
looks pretty confusing because the split seems arbitrary.

So the extension to ifupdown should really take just the path to the key
file as an extra argument, not a path to a full wg(8) conf file.  I
agree with Egbert that this patch isn't ready for integration with
ifupdown, unfortunately.

          --dkg

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: Debian-based configuration for wireguard
  2017-07-11 22:19           ` Daniel Kahn Gillmor
@ 2017-07-11 22:48             ` Jason A. Donenfeld
  2017-07-11 23:12               ` Daniel Kahn Gillmor
  0 siblings, 1 reply; 13+ messages in thread
From: Jason A. Donenfeld @ 2017-07-11 22:48 UTC (permalink / raw)
  To: Daniel Kahn Gillmor; +Cc: WireGuard mailing list

On Wed, Jul 12, 2017 at 12:19 AM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> Good point!  it'd be great to be able to separate the private key
> information from the standard network information for that reason; it's
> not like people can't inspect the rest of the network config once the
> device is configured, so it would be nice to be able to just have the
> private key in an isolated file.


It is for this reason that wg(8)'s private-key and preshared-key
arguments take a file to the key, not the actual key itself.

^ permalink raw reply	[flat|nested] 13+ messages in thread
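
The point made in the messages above (wg(8) takes the private key and preshared key as file paths, so the secret can sit in an isolated file while /etc/network/interfaces stays world-readable) can be checked mechanically. This is an added example, not code from any message in the thread; it assumes keys are passed as `private-key <file>` or `preshared-key <file>` on `wg` command lines, or appear as `PrivateKey =` / `PresharedKey =` lines in a wg(8) config file.

```shell
#!/bin/sh
# Added example, not from the thread: audit where WireGuard secrets live.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# True when neither group nor others have any access to the file.
is_owner_only() {
    mode=$(file_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Paths handed to wg(8) as "private-key <file>" or "preshared-key <file>".
key_paths() {
    grep -Eo '(private|preshared)-key[[:space:]]+[^[:space:]]+' "$1" |
        awk '{ print $2 }'
}

# True when the file carries inline secrets in wg(8) config-file syntax.
has_inline_secret() {
    grep -Eq '^[[:space:]]*(PrivateKey|PresharedKey)[[:space:]]*=' "$1"
}

# Audit one file: print findings, return the number of failures.
audit() {
    failures=0
    if has_inline_secret "$1" && ! is_owner_only "$1"; then
        echo "FAIL: $1 contains key material and is not owner-only"
        failures=$((failures + 1))
    fi
    for path in $(key_paths "$1"); do
        if [ ! -e "$path" ]; then
            echo "WARN: $1 references missing key file $path"
        elif ! is_owner_only "$path"; then
            echo "FAIL: key file $path is accessible to group or others"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage: sh audit-wg.sh /etc/network/interfaces /etc/wireguard/*.conf
for file in "$@"; do
    audit "$file" || true
done
```

Key-file paths containing whitespace are not handled; the script name in the usage comment is a placeholder.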

* Re: Debian-based configuration for wireguard
  2017-07-11 13:04         ` jomat+wireguard.io
@ 2017-07-11 22:19           ` Daniel Kahn Gillmor
  2017-07-11 22:48             ` Jason A. Donenfeld
  0 siblings, 1 reply; 13+ messages in thread
From: Daniel Kahn Gillmor @ 2017-07-11 22:19 UTC (permalink / raw)
  To: jomat+wireguard.io; +Cc: wireguard

On Tue 2017-07-11 13:04:40 +0000, jomat+wireguard.io@jmt.gr wrote:
> [ dkg wrote: ]
>>  * it looks to me like configuring a wireguard link this way will
>>    require an entry in /etc/network/interfaces (or interfaces.d) *and* a
>>    config file in /etc/wireguard/*.conf.  It seems like it would be
>>    cleaner to have all the configuration in one place, no?
>
> /etc/network/interfaces is usually world readable, /etc/wireguard/ not
> as your private keys are stored there.

Good point!  it'd be great to be able to separate the private key
information from the standard network information for that reason; it's
not like people can't inspect the rest of the network config once the
device is configured, so it would be nice to be able to just have the
private key in an isolated file.

        --dkg

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: Debian-based configuration for wireguard
  2017-07-10 21:20       ` Daniel Kahn Gillmor
  2017-07-11  1:59         ` Jason A. Donenfeld
  2017-07-11 10:22         ` Egbert Verhage
@ 2017-07-11 13:04         ` jomat+wireguard.io
  2017-07-11 22:19           ` Daniel Kahn Gillmor
  2 siblings, 1 reply; 13+ messages in thread
From: jomat+wireguard.io @ 2017-07-11 13:04 UTC (permalink / raw)
  To: Daniel Kahn Gillmor; +Cc: wireguard

Hi,

>  * it looks to me like configuring a wireguard link this way will
>    require an entry in /etc/network/interfaces (or interfaces.d) *and* a
>    config file in /etc/wireguard/*.conf.  It seems like it would be
>    cleaner to have all the configuration in one place, no?

/etc/network/interfaces is usually world readable, /etc/wireguard/ not
as your private keys are stored there.

Bye,
jomat

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: Debian-based configuration for wireguard
  2017-07-10 21:20       ` Daniel Kahn Gillmor
  2017-07-11  1:59         ` Jason A. Donenfeld
@ 2017-07-11 10:22         ` Egbert Verhage
  2017-07-11 13:04         ` jomat+wireguard.io
  2 siblings, 0 replies; 13+ messages in thread
From: Egbert Verhage @ 2017-07-11 10:22 UTC (permalink / raw)
  To: Daniel Kahn Gillmor, Jason A. Donenfeld, jomat+wireguard.io; +Cc: wireguard

Hey dkg,
 

On Mon, 2017-07-10 at 17:20 -0400, Daniel Kahn Gillmor wrote:
> 
> thanks for these pointers, Egbert!
> 
> i have a few questions about the proposed modification for ifupdown:
> 
>  * do we really want this to be a new interface type instead of
>    extending the capabilities of some other configuration type?
Was easy for me to recognize the wireguard interface as a config type
in a network/interface config.
And wanted to learn how the package of ifupdown works.
> 
>  * if we can't just extend an existing type, wireguard seems more
>    analogous to the "tunnel" type than to the "static" type, which is
>    what this seems to have evolved from.
Indeed it is just a copy of the static type and I have not seen the
tunnel type.
> 
>  * it looks to me like configuring a wireguard link this way will
>    require an entry in /etc/network/interfaces (or interfaces.d) *and* a
>    config file in /etc/wireguard/*.conf.  It seems like it would be
>    cleaner to have all the configuration in one place, no?
Yes, it would be cleaner, but the config of wg can change so I have keep
it separate.
> 
>  * would you consider submitting these changes to ifupdown in the debian
>    BTS?  Is there a reason that they should remain in your PPA?
Nope, just a proof of concept (My case used with ansible to roll out ~10
machines).
> 
> fwiw, some of us do also run debian systems without ifupdown these days.
> I'm looking forward to systemd-networkd integration personally :)
Me too, I hope in the next ubuntu lts ifupdown has been replaced with
systemd-networkd. Then _network-online.target_ works properly in a
systemd service. (And ofc the wg is in the mainstream kernel).

I made the update to ifupdown when wg-quick was not around.
Besides that, the only thing I don't like about wg-quick is that if you put
0.0.0.0 in the AllowedIPs it automatically makes a default route to the wg
endpoint.

Greetz,
Egbert

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: Debian-based configuration for wireguard
  2017-07-10 21:20       ` Daniel Kahn Gillmor
@ 2017-07-11  1:59         ` Jason A. Donenfeld
  2017-07-11 10:22         ` Egbert Verhage
  2017-07-11 13:04         ` jomat+wireguard.io
  2 siblings, 0 replies; 13+ messages in thread
From: Jason A. Donenfeld @ 2017-07-11  1:59 UTC (permalink / raw)
  To: Daniel Kahn Gillmor; +Cc: WireGuard mailing list

>
> fwiw, some of us do also run debian systems without ifupdown these days.
> I'm looking forward to systemd-networkd integration personally :)
>
>         --dkg

I really need to leap into action and start on the Netlink stuff,
which is the only thing currently blocking the systemd-networkd
integration. It's been hard to get motivated for this kind of thing,
but it seems like everything everyone wants to do with WireGuard is
waiting for it, so I should probably get to it soon...

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: Debian-based configuration for wireguard
  2017-07-10 19:53     ` Egbert Verhage
@ 2017-07-10 21:20       ` Daniel Kahn Gillmor
  2017-07-11  1:59         ` Jason A. Donenfeld
                           ` (2 more replies)
  0 siblings, 3 replies; 13+ messages in thread
From: Daniel Kahn Gillmor @ 2017-07-10 21:20 UTC (permalink / raw)
  To: Egbert Verhage, Jason A. Donenfeld, jomat+wireguard.io; +Cc: wireguard


On Mon 2017-07-10 21:53:57 +0200, Egbert Verhage wrote:
> Hey Baptiste,
>
> Jep, I did that.
> See the ifupdown package of my own wireguard ppa:
>
> https://launchpad.net/~eggiecode/+archive/ubuntu/wireguard
>
> And here is the diff:
> http://test.egbert.online/diff_ifupdown_ppa.txt

thanks for these pointers, Egbert!

i have a few questions about the proposed modification for ifupdown:

 * do we really want this to be a new interface type instead of
   extending the capabilities of some other configuration type?

 * if we can't just extend an existing type, wireguard seems more
   analogous to the "tunnel" type than to the "static" type, which is
   what this seems to have evolved from.

 * it looks to me like configuring a wireguard link this way will
   require an entry in /etc/network/interfaces (or interfaces.d) *and* a
   config file in /etc/wireguard/*.conf.  It seems like it would be
   cleaner to have all the configuration in one place, no?

 * would you consider submitting these changes to ifupdown in the debian
   BTS?  Is there a reason that they should remain in your PPA?

fwiw, some of us do also run debian systems without ifupdown these days.
I'm looking forward to systemd-networkd integration personally :)

        --dkg


^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: Debian-based configuration for wireguard
  2017-07-10  2:53   ` Jason A. Donenfeld
@ 2017-07-10 19:53     ` Egbert Verhage
  2017-07-10 21:20       ` Daniel Kahn Gillmor
  0 siblings, 1 reply; 13+ messages in thread
From: Egbert Verhage @ 2017-07-10 19:53 UTC (permalink / raw)
  To: Jason A. Donenfeld, jomat+wireguard.io; +Cc: wireguard

Hey Baptiste,

Jep, I did that.
See the ifupdown package of my own wireguard ppa:

https://launchpad.net/~eggiecode/+archive/ubuntu/wireguard

And here is the diff:
http://test.egbert.online/diff_ifupdown_ppa.txt


Greetz,
Egbert


On Mon, 2017-07-10 at 04:53 +0200, Jason A. Donenfeld wrote:
> On Sun, Jul 09, 2017 at 11:17:04PM +0000, jomat+wireguard.io@jmt.gr wrote:
> > Nice! I also don't like wg-quick too much, but also dislike the
> > pre-/post-/-up/-down directives in my /etc/network/interfaces, so
> > I put this script to /etc/network/if-pre-up.d/ and if-post-down.d
> > which could work for Debian, too:
> > 
> > https://github.com/jomat/aports/blob/master/testing/wireguard/wireguard.ifupdown
> 
> I think Egbert might have also written an ifupdown thing? Adding him to
> the CC in case you guys want to standardize on one Debian way of doing
> things?
> 
> Jason

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: Debian-based configuration for wireguard
  2017-07-09 23:17 ` jomat+wireguard.io
@ 2017-07-10  2:53   ` Jason A. Donenfeld
  2017-07-10 19:53     ` Egbert Verhage
  0 siblings, 1 reply; 13+ messages in thread
From: Jason A. Donenfeld @ 2017-07-10  2:53 UTC (permalink / raw)
  To: jomat+wireguard.io; +Cc: Egbert Verhage, wireguard

On Sun, Jul 09, 2017 at 11:17:04PM +0000, jomat+wireguard.io@jmt.gr wrote:
> Nice! I also don't like wg-quick too much, but also dislike the
> pre-/post-/-up/-down directives in my /etc/network/interfaces, so
> I put this script to /etc/network/if-pre-up.d/ and if-post-down.d
> which could work for Debian, too:
> 
> https://github.com/jomat/aports/blob/master/testing/wireguard/wireguard.ifupdown

I think Egbert might have also written an ifupdown thing? Adding him to
the CC in case you guys want to standardize on one Debian way of doing
things?

Jason

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: Debian-based configuration for wireguard
  2017-07-09 21:30 Baptiste Jonglez
  2017-07-09 23:17 ` jomat+wireguard.io
@ 2017-07-10  2:51 ` Jason A. Donenfeld
  1 sibling, 0 replies; 13+ messages in thread
From: Jason A. Donenfeld @ 2017-07-10  2:51 UTC (permalink / raw)
  To: Baptiste Jonglez; +Cc: wireguard

Hey Baptiste,

On Sun, Jul 09, 2017 at 11:30:20PM +0200, Baptiste Jonglez wrote:
> Hi,
> 
> I wrote up some configuration I use for Wireguard on Debian:
> 
>     https://wiki.debian.org/Wireguard#Configuration_on_Debian
> 
> The goal is to reuse functionalities from /etc/network/interfaces, which
> is quite natural on Debian.  Simple use-cases like the point-to-point
> tunnel don't need wg-quick at all.

Terrific, thanks! Indeed, having nice integration into OSs' native
configuration interfaces is preferred.

Jason

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: Debian-based configuration for wireguard
  2017-07-09 21:30 Baptiste Jonglez
@ 2017-07-09 23:17 ` jomat+wireguard.io
  2017-07-10  2:53   ` Jason A. Donenfeld
  2017-07-10  2:51 ` Jason A. Donenfeld
  1 sibling, 1 reply; 13+ messages in thread
From: jomat+wireguard.io @ 2017-07-09 23:17 UTC (permalink / raw)
  To: Baptiste Jonglez; +Cc: wireguard

Hi,

On 2017-07-09 21:30, Baptiste Jonglez wrote:
> The goal is to reuse functionalities from /etc/network/interfaces, which
> is quite natural on Debian.  Simple use-cases like the point-to-point
> tunnel don't need wg-quick at all.

Nice! I also don't like wg-quick too much, but also dislike the
pre-/post-/-up/-down directives in my /etc/network/interfaces, so
I put this script to /etc/network/if-pre-up.d/ and if-post-down.d
which could work for Debian, too:

https://github.com/jomat/aports/blob/master/testing/wireguard/wireguard.ifupdown

Bye,
jomat

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Debian-based configuration for wireguard
@ 2017-07-09 21:30 Baptiste Jonglez
  2017-07-09 23:17 ` jomat+wireguard.io
  2017-07-10  2:51 ` Jason A. Donenfeld
  0 siblings, 2 replies; 13+ messages in thread
From: Baptiste Jonglez @ 2017-07-09 21:30 UTC (permalink / raw)
  To: wireguard


Hi,

I wrote up some configuration I use for Wireguard on Debian:

    https://wiki.debian.org/Wireguard#Configuration_on_Debian

The goal is to reuse functionalities from /etc/network/interfaces, which
is quite natural on Debian.  Simple use-cases like the point-to-point
tunnel don't need wg-quick at all.

Baptiste


^ permalink raw reply	[flat|nested] 13+ messages in thread
