Development discussion of WireGuard
From: Michael Tokarev <mjt@tls.msk.ru>
To: "Daniel Gröber" <dxld@darkboxed.org>, wireguard@lists.zx2c4.com
Cc: "Jason A . Donenfeld" <Jason@zx2c4.com>
Subject: Re: [PATCH] wg: Allow config to read private key from file
Date: Mon, 21 Nov 2022 09:31:41 +0300
Message-ID: <bd851ce5-c45b-b6ed-986e-4d9f3cf54494@msgid.tls.msk.ru>
In-Reply-To: <20221120224601.77300-1-dxld@darkboxed.org>

21.11.2022 01:46, Daniel Gröber wrote:
> This adds a new config key PrivateKeyFile= that simply hooks up the
> existing code for the `wg set ... private-key /file` codepath.
> 
> Using this new option the interface configs can be much easier to deploy in
> an automated fashion as they don't contain secrets anymore. The private key
> can easily be provisioned out of band or using a one-time provisioning step
> instead.

This is definitely a very welcome option in my PoV.

Add my
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

for this.

> Before this patch we were using a neat hack: it's possible to simply omit
> PrivateKey= and set it using PostUp= wg set %i private-key /some/file.

Well, this isn't really neat, it is a hackish workaround for the missing
functionality ;)

On a side note, almost a year ago I sent a patch for the wg utility to recognize
and discard some keywords which are processed by the wg-quick script, like
Address=. This way, there's no need to pre-process the config file anymore,
and in order to recognize more peers one doesn't have to restart the
tunnel interface; instead, a regular wg syncconf wgif.conf is sufficient,
and many things can be simplified too (removing the preprocessing).
I never got any reply to these patches.

/mjt
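The three ways of supplying the interface key that the thread mentions (inline PrivateKey=, the proposed PrivateKeyFile=, and the PostUp= "wg set ... private-key" workaround) are easy to tell apart mechanically. The following POSIX shell lint is an added example, not code from the patch or the list; it assumes the PrivateKeyFile= syntax as described in the patch and uses constructed file names and a constructed (non-)key.

```shell
#!/bin/sh
# Added example: classify how a wg-quick style config obtains its private key
# and check that a PrivateKeyFile= target is not world/group readable.
# Assumption: PrivateKeyFile= takes a path, as the patch description says.

# wg_key_source CONFIG -> prints one of: inline, file, postup, none
wg_key_source() {
    conf="$1"
    if grep -Eq '^[[:space:]]*PrivateKey[[:space:]]*=' "$conf"; then
        echo inline          # secret lives in the config itself
    elif grep -Eq '^[[:space:]]*PrivateKeyFile[[:space:]]*=' "$conf"; then
        echo file            # the option proposed by the patch
    elif grep -Eq '^[[:space:]]*PostUp[[:space:]]*=.*wg set .* private-key ' "$conf"; then
        echo postup          # the workaround described in the thread
    else
        echo none
    fi
}

# wg_keyfile_ok CONFIG -> 0 if the PrivateKeyFile= target exists and is
# readable by its owner only (mode 0600 or 0400), 1 otherwise
wg_keyfile_ok() {
    conf="$1"
    keyfile=$(sed -n 's/^[[:space:]]*PrivateKeyFile[[:space:]]*=[[:space:]]*//p' "$conf" \
              | head -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$keyfile" ] && [ -f "$keyfile" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Demo on a constructed config (the key material is a placeholder, not a key).
demo_dir=$(mktemp -d)
printf 'CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_KEY\n' > "$demo_dir/wg0.key"
chmod 600 "$demo_dir/wg0.key"
printf '[Interface]\nAddress = 10.0.0.1/24\nPrivateKeyFile = %s\n' \
    "$demo_dir/wg0.key" > "$demo_dir/wg0.conf"
echo "key source: $(wg_key_source "$demo_dir/wg0.conf")"
if wg_keyfile_ok "$demo_dir/wg0.conf"; then echo "key file mode ok"; else echo "key file mode too open"; fi
rm -rf "$demo_dir"
```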
