From: Max Moser
To: wireguard@lists.zx2c4.com
Date: Wed, 14 Feb 2018 16:05:00 +0100
Subject: NetworkManager Plugin

Good day, ladies and gentlemen!



I have been working on a NM plugin for wireguard as part of my thesis for quite a while, but somehow I've never really found the time to work on that (sorry about that!).

Until recently.

Since we have semester break in February, I have finally found the time (and motivation) to put some effort into this thing.


So, I forked the OpenVPN plugin at some point and built my current solution on that foundation. This means that my plugin is actually pretty much pure C, so almost no dependencies (obviously, NM, WG and GLib stuff).

After briefly talking to my supervisor about making the thing public (which he considered to be a pretty positive step), I uploaded it from our internal GitLab to GitHub:
https://github.com/max-moser/network-manager-wireguard/


The basic workflow of creating a NMConnection (either from scratch through the Connection-Editor UI, or by importing a wg-quick formatted conf file [export works too]) and connecting to it works.

However, there are still a ton of issues open, of which I'll list just a few:

* the plugin sets up the connection by spawning wg-quick on a temporary conf file instead of implementing that logic directly
* the Editor UI isn't quite top notch and there are two tabs (IPv4 and IPv6) that I did not use, but also can't seem to get rid of
* internally, everything in the plugin is stored as data-item and not as secret
* etc.


However, I think that most of those problems are not actually that huge and could be fixed without tremendous effort -- they are just many in number.

So, if anybody would be interested in checking it out and maybe even contributing, I'd be very glad about that! :)



Best regards,

Max

From: "Jason A. Donenfeld"
To: Max Moser
Cc: WireGuard mailing list
Date: Wed, 14 Feb 2018 16:28:59 +0100
Subject: Re: NetworkManager Plugin

Hey Max,

This is wonderful news. I'm happy to work with you to make sure this comes out perfectly, and maybe when it's finished we can submit it upstream to NetworkManager, similar to how systemd-networkd now has WireGuard support built-in.

The biggest hurdle I currently see is entirely removing the dependency on wg-quick and wg, and talking Netlink yourself to the kernel, just like systemd-networkd does. It shouldn't be too hard to adopt the libmnl-based code in wg(8) to be suitable for your usage; I can assist with this. In general, the fwmark/routing logic of wg-quick should probably be done in a NetworkManager-centric way, which means not using wg-quick.

Looks like things are off to a great start!

Jason

From: Daniel Kahn Gillmor
To: "Jason A. Donenfeld", Max Moser
Cc: WireGuard mailing list
Date: Wed, 14 Feb 2018 14:47:20 -0500
Subject: Re: NetworkManager Plugin

On Wed 2018-02-14 16:28:59 +0100, Jason A. Donenfeld wrote:
> This is wonderful news. I'm happy to work with you to make sure this
> comes out perfectly, and maybe when it's finished we can submit it
> upstream to NetworkManager, similar to how systemd-networkd now has
> WireGuard support built-in.

last time i looked, network-manager included a local copy of a big chunk of systemd code. so it's possible that a newer version of network-manager will already have the systemd-networkd code available to it, and you just need to hook into it correctly from the nm internals.

--dkg

From: Maximilian Moser
To: Jordan DeBeer, "Jason A. Donenfeld"
Cc: WireGuard mailing list
Date: Thu, 15 Feb 2018 01:34:08 +0100
Subject: Re: NetworkManager Plugin

Whoa, I actually kind of expected some response like "yeah nice, but we've already done that plugin, so you can go home again"
I actually just wanted to get this thesis over with and thought, why not post the result to the mailing list and see if anybody is still interested?

So I'm somewhat excited about the acceptance and the possible prospect of this thing getting packaged for distros :D


Regarding the issues... About some of them, I did know in one way or the other.
E.g. the Endpoint section only accepting IPs -- this one goes even further: you also can't have an IP6 in square brackets as is usually required for specification of ports; only hex digits, colons and maybe a subnet postfix.
Also, the conf parsing part splits the input primarily by whitespaces, so it'll give you an error if you have something like "AllowedIPs=0.0.0.0/0" instead of "AllowedIPs = 0.0.0.0/0" in any line.

Most of the others were however issues that I hadn't thought of; maybe it would be smart to put up some issue tracking and post them there? I'm sure to forget half of them in about a week.


> The DNS field under Identity does not currently function. I am not sure how you want to handle this field as NetworkManager has their own DNS field under the IPv4 tab in the GUI.
Yeah, that might be one conceptual challenge which I didn't really want to face: Deciding which parts would be more appropriate in the IPv4 / IPv6 tabs of the UI (which are not so easy to get rid of, if this is possible at all).
Alongside the DNS, it might (or might not) make sense to put the [Interface] Address into those tabs, and if possible, the [Peer] Endpoint too... But I think it might also cause more confusion among users if those settings are split up than it would help.

> and the last thing I noticed: the Private Key section is required. This breaks functionality if you were to have your private key stored in a password manager. This is solvable by just pasting a properly formatted key (I just used my public key) into the field and adding a Post Up script to grab the private key string.
I think the private key falls into the category of "secrets" instead of "data items", so that might require an overhaul generally.
In the current version, secrets aren't used at all - which makes the auth-dialog currently superfluous.
Making the private key into a secret might also legitimate the actual use of the auth-dialog, since its job is primarily searching through whereever (e.g. keyring or just plain asking the user via a dialog, hence the name) and look if it can find the required secrets.

In the near future, I'll probably focus more on the written part of the thesis, so fixing the issues will probably have to wait a while on my part.


> This adds quite a bit of value to Wireguard imo so glad to see you worked on this. Thank you!
Thank you for your interest and actually testing it on another system ;)


Best regards,
Max


On 14.02.2018 17:58, Jordan DeBeer wrote:
> Hello Max,
>
> I went ahead and tested this on Fedora 27 w/ NetworkManager 1.8.6-1.fc27 and was able to get it working. A few things I noticed:
>
> Starting the VPN with SELinux enabled results in a number of alerts. Mostly for the sysctl source process. This is to be expected as you mentioned you were testing on Arch. If this ever ends up getting packaged for Fedora the policies can probably be added to the RPM.
>
> The DNS field under Identity does not currently function. I am not sure how you want to handle this field as NetworkManager has their own DNS field under the IPv4 tab in the GUI.
>
> The Endpoint section of the GUI only accepts IP addresses and not FQDNs.
>
> and the last thing I noticed: the Private Key section is required. This breaks functionality if you were to have your private key stored in a password manager. This is solvable by just pasting a properly formatted key (I just used my public key) into the field and adding a Post Up script to grab the private key string.
>
> I am going to keep playing around with this and possibly work on packaging it into an RPM.
>
> This adds quite a bit of value to Wireguard imo so glad to see you worked on this. Thank you!
>
> Cheers,
> Jordan DeBeer
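The two parsing problems discussed in this message (a conf parser that splits on whitespace, so "AllowedIPs=0.0.0.0/0" without spaces fails, and an Endpoint field that accepts only bare IP literals) come down to how the line and the endpoint are tokenized. The C below is an added example, not code from the plugin or from the WireGuard project: it splits a line on the first "=" and trims both halves, and parses an Endpoint whose host is an FQDN, an IPv4 literal or a bracketed IPv6 literal. All sample lines are constructed; the key value is padding only, not a real key.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 256

/* Split one "Key = Value" line on the FIRST '=' and trim whitespace on both
 * sides, so "AllowedIPs=0.0.0.0/0" and "AllowedIPs = 0.0.0.0/0" yield the
 * same pair, and a value that itself contains '=' (base64 key padding)
 * survives intact. key and value must each hold FIELD_MAX bytes.
 * Returns false for blank lines, comments, [Section] headers and lines
 * without any '='. */
static bool parse_kv_line(const char *line, char *key, char *value)
{
    while (isspace((unsigned char)*line))
        line++;
    if (*line == '\0' || *line == '#' || *line == '[')
        return false;
    const char *eq = strchr(line, '=');
    if (!eq)
        return false;
    const char *kend = eq;            /* trim trailing space of the key */
    while (kend > line && isspace((unsigned char)kend[-1]))
        kend--;
    const char *v = eq + 1;           /* trim leading space of the value */
    while (isspace((unsigned char)*v))
        v++;
    const char *vend = v + strlen(v); /* trim trailing space of the value */
    while (vend > v && isspace((unsigned char)vend[-1]))
        vend--;
    size_t klen = (size_t)(kend - line), vlen = (size_t)(vend - v);
    if (klen == 0 || klen >= FIELD_MAX || vlen >= FIELD_MAX)
        return false;
    memcpy(key, line, klen);
    key[klen] = '\0';
    memcpy(value, v, vlen);
    value[vlen] = '\0';
    return true;
}

/* Split an Endpoint value into host and port. The host may be an IPv4
 * literal, a hostname/FQDN, or an IPv6 literal in square brackets
 * ("[2001:db8::1]:51820"). An unbracketed IPv6 literal is ambiguous
 * (which colon starts the port?) and is rejected. host must hold
 * FIELD_MAX bytes. Returns the port (1..65535) or -1 on any error. */
static int parse_endpoint(const char *ep, char *host)
{
    const char *hstart, *hend, *pstr;
    if (ep[0] == '[') {
        hstart = ep + 1;
        hend = strchr(hstart, ']');
        if (!hend || hend[1] != ':')
            return -1;
        pstr = hend + 2;
    } else {
        hstart = ep;
        hend = strchr(ep, ':');
        if (!hend || hend == ep || strchr(hend + 1, ':'))
            return -1;
        pstr = hend + 1;
    }
    size_t hlen = (size_t)(hend - hstart);
    if (hlen == 0 || hlen >= FIELD_MAX || *pstr == '\0')
        return -1;
    for (const char *p = pstr; *p; p++)  /* digits only: no sign, no space */
        if (!isdigit((unsigned char)*p))
            return -1;
    long port = strtol(pstr, NULL, 10);
    if (port < 1 || port > 65535)
        return -1;
    memcpy(host, hstart, hlen);
    host[hlen] = '\0';
    return (int)port;
}

/* Convenience checks used by main() and by tests. */
static bool kv_matches(const char *line, const char *key, const char *value)
{
    char k[FIELD_MAX], v[FIELD_MAX];
    return parse_kv_line(line, k, v) && strcmp(k, key) == 0 && strcmp(v, value) == 0;
}

static bool endpoint_matches(const char *ep, const char *host, int port)
{
    char h[FIELD_MAX];
    return parse_endpoint(ep, h) == port && strcmp(h, host) == 0;
}

int main(void)
{
    char h[FIELD_MAX];   /* constructed sample inputs, not from a real config */
    printf("no-space form ok: %d\n", kv_matches("AllowedIPs=0.0.0.0/0", "AllowedIPs", "0.0.0.0/0"));
    printf("bracketed IPv6 ok: %d\n", endpoint_matches("[2001:db8::1]:51820", "2001:db8::1", 51820));
    printf("unbracketed IPv6 rejected: %d\n", parse_endpoint("2001:db8::1:51820", h) == -1);
    return 0;
}
```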
From: "Jason A. Donenfeld"
To: Maximilian Moser
Cc: Jordan DeBeer, WireGuard mailing list
Date: Thu, 15 Feb 2018 15:07:54 +0100
Subject: Re: NetworkManager Plugin

Hi Max,

On Thu, Feb 15, 2018 at 1:34 AM, Maximilian Moser wrote:
> I actually just wanted to get this thesis over with and thought, why not
> post the result to the mailing list
> I'll probably focus more on the written part of the
> thesis, so fixing the issues will probably have to wait a while on my part.

I'm certainly not interested in "throw it over the fence" coding. I'm happy to work with you on "the acceptance and the possible prospect of this thing getting packaged for distros," as you wrote, but only if you're actually committed to maintaining it. It sounds to me like this is something in your mind that is "over with"? That's disappointing.

> Regarding the issues... About some of them, I did know in one way or the
> other.
> So I'm somewhat excited about the acceptance and the possible prospect of
> this thing getting packaged for distros :D

As I wrote earlier, this is going to require a lot of work to actually bring to fruition. The first priority should be entirely dispensing with the use of wg-quick. In order to aid these efforts, I spent some time writing a mini single-file-c library that you can drop into your project as a means for talking to the kernel and configuring devices directly:

https://git.zx2c4.com/WireGuard/tree/contrib/examples/embeddable-wg-library/README

Should be pretty straight-forward to integrate. You'll basically only need to use the "wg_set_device" function, and perhaps the "wg_key_from_base64" function too.

Jason

From: Maximilian Moser
To: "Jason A. Donenfeld"
Cc: Jordan DeBeer, WireGuard mailing list
Date: Thu, 15 Feb 2018 15:35:53 +0100
Subject: Re: NetworkManager Plugin

Hey Jason,

>> I actually just wanted to get this thesis over with and thought, why not
>> post the result to the mailing list
>> I'll probably focus more on the written part of the
>> thesis, so fixing the issues will probably have to wait a while on my part.
> I'm certainly not interested in "throw it over the fence" coding. I'm
> happy to work with you on "the acceptance and the possible prospect of
> this thing getting packaged for distros," as you wrote, but only if
> you're actually committed to maintaining it. It sounds to me like this
> is something in your mind that is "over with"? That's disappointing.

Oh sorry, that wasn't my intention to say. What I meant is that I wanted to get a working prototype ASAP, and if nobody is interested in it anymore, that's that. However, this does not seem to be the case and I'll be glad to continue development on it. :)

Max

From: "Jason A. Donenfeld"
To: Maximilian Moser
Cc: Jordan DeBeer, WireGuard mailing list
Date: Thu, 15 Feb 2018 15:46:44 +0100
Subject: Re: NetworkManager Plugin

On Thu, Feb 15, 2018 at 3:35 PM, Maximilian Moser wrote:
> However, this does not seem to be the case and I'll be glad to continue
> development on it. :)

Wonderful!

From: Maximilian Moser
To: "Jason A. Donenfeld"
Cc: Jordan DeBeer, WireGuard mailing list
Date: Thu, 15 Feb 2018 15:57:49 +0100
Subject: Re: NetworkManager Plugin

Since we're already listed on the NetworkManager page [1], it'd be a shame to just drop it.
Also, it would be kind of a waste having gone through all the pain of getting a basic grasp on the workings of it all for nothing.
Still, I'll gladly accept contributions ;)

Oh right, maybe it'd be worth noting that Thomas Haller, one of the NetworkManager guys, has spoken in favour of native NM wireguard integration on the NM mailing list:

> Hi Maximilian,
>
> cool, thanks for letting us know.
>
> I added a link to https://wiki.gnome.org/Projects/NetworkManager/VPN
>
> I still think, it would be great to have wireguard support in
> NetworkManager not via a VPN plugin. But that is for another day.
>
> best,
> Thomas

--
Max

[1] https://wiki.gnome.org/Projects/NetworkManager/VPN#VPN_Plugins_maintained_by_third_parties

From: Maykel Moya
To: wireguard@lists.zx2c4.com
Date: Thu, 15 Feb 2018 21:15:43 +0100
Subject: Re: NetworkManager Plugin

On 15/02/18 15:57, Maximilian Moser wrote:
> Since we're already listed on the NetworkManager page [1], it'd be a
> shame to just drop it.
> Also, it would be kind of a waste having gone through all the pain of
> getting a basic grasp on the workings of it all for nothing.
> Still, I'll gladly accept contributions ;)

Wondering about the pic in slide 8 of
https://fosdem.org/2018/schedule/event/bulletinboard_dht/attachments/slides/2204/export/events/attachments/bulletinboard_dht/slides/2204/presentation.pdf

Regards,
maykel

[1] https://fosdem.org/2018/schedule/event/bulletinboard_dht/

From: "Jason A. Donenfeld"
To: Maykel Moya
Cc: WireGuard mailing list
Date: Fri, 16 Feb 2018 06:33:50 +0100
Subject: Re: NetworkManager Plugin

On Thu, Feb 15, 2018 at 9:15 PM, Maykel Moya wrote:
> Wondering about the pic in slide 8 of
> https://fosdem.org/2018/schedule/event/bulletinboard_dht/attachments/slides/2204/export/events/attachments/bulletinboard_dht/slides/2204/presentation.pdf

I think he's working on some wilder plugin that incorporates his DHT stuff, which is a separate effort from Max's. My personal preference is getting a lightweight but functional NetworkManager plugin out there for users, that doesn't come with the baggage or bells&whistles of the DHT. But for people using the DHT work, having the plugin for that is undoubtedly useful.

From: Max Moser
To: wireguard@lists.zx2c4.com
Date: Fri, 16 Feb 2018 11:43:14 +0100
Subject: Re: NetworkManager Plugin

I just read that he's on to something in Rust, don't know any specifics though. I've written him an e-mail a couple of days ago, since some sort of comparison or joining forces may be beneficial for everybody.

From: Manuel Schölling
Subject: Re: NetworkManager Plugin
Donenfeld" , Maykel Moya Date: Fri, 16 Feb 2018 16:07:14 +0100 In-Reply-To: References: <7d5325a3-fa07-f67f-a31e-aadd44458d41@student.tuwien.ac.at> <5b85fcc4-4091-ce5d-7f4f-6dcee645f81d@student.tuwien.ac.at> <2a30ad28-1e5a-0fac-7db6-15b609e3b245@mmoya.org> Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Cc: WireGuard mailing list List-Id: Development discussion of WireGuard List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Hi, On Fri, 2018-02-16 at 06:33 +0100, Jason A. Donenfeld wrote: > I think he's working on some wilder plugin that incorporates his DHT > stuff, which is a separate effort from Max's. My personal preference > is getting a lightweight but functional NetworkManager plugin out > there for users, that doesn't come with the baggage or bells&whistles > of the DHT. But for people using the DHT work, having the plugin for > that is undoubtedly useful. Yeah, I gave that presentation. The plugin I wrote is suppose to work for both: raw wireguard and my wireguard-p2p solution, that lets you circumvent the NAT and dyndns problems. I wrote it in Rust because I really did not go through all the pain with GTK that Max went through ;) My plugin comes independent of the DHT client (it just communicates with it via dbus if the DHT client is installed). However, it's written in Rust, so I don't think that it would be easy to get it accepted upstream. 
From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: debee1jp@gmail.com Received: from krantz.zx2c4.com (localhost [127.0.0.1]) by krantz.zx2c4.com (ZX2C4 Mail Server) with ESMTP id b2891ec0 for ; Wed, 14 Feb 2018 16:51:48 +0000 (UTC) Received: from mail-it0-f47.google.com (mail-it0-f47.google.com [209.85.214.47]) by krantz.zx2c4.com (ZX2C4 Mail Server) with ESMTP id f2acc4eb for ; Wed, 14 Feb 2018 16:51:48 +0000 (UTC) Received: by mail-it0-f47.google.com with SMTP id j21so13419937ita.1 for ; Wed, 14 Feb 2018 08:58:41 -0800 (PST) MIME-Version: 1.0 In-Reply-To: References: <7d5325a3-fa07-f67f-a31e-aadd44458d41@student.tuwien.ac.at> From: Jordan DeBeer Date: Wed, 14 Feb 2018 11:58:39 -0500 Message-ID: Subject: Re: NetworkManager Plugin To: "Jason A. Donenfeld" Content-Type: multipart/alternative; boundary="94eb2c05ad76e95e6505652f0580" Cc: WireGuard mailing list List-Id: Development discussion of WireGuard List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , --94eb2c05ad76e95e6505652f0580 Content-Type: text/plain; charset="UTF-8" Hello Max, I went ahead and tested this on Fedora 27 w/ NetworkManager 1.8.6-1.fc27 and was able to get it working. A few things I noticed: Starting the VPN with SELinux enabled results in a number of alerts. Mostly for the sysctl source process. This is to be expected as you mentioned you were testing on Arch. If this ever ends up getting packaged for Fedora the policies can probably be added to the RPM. The DNS field under Identity does not currently function. I am not sure how you want to handle this field as NetworkManager has their own DNS field under the IPv4 tab in the GUI. The Endpoint section of the GUI only accepts IP addresses and not FQDNs. and the last thing I noticed: the Private Key section is required. This breaks functionality if you were to have your private key stored in a password manager. 
This is solvable by just pasting a properly formatted key (I just used my public key) into the field and adding a Post Up script to grab the private key string. I am going to keep playing around with this and possibly work on packaging it into an RPM. This adds quite a bit of value to Wireguard imo so glad to see you worked on this. Thank you! Cheers, Jordan DeBeer On Wed, Feb 14, 2018 at 10:28 AM, Jason A. Donenfeld wrote: > Hey Max, > > This is wonderful news. I'm happy to work with you to make sure this > comes out perfectly, and maybe when it's finished we can submit it > upstream to NetworkManager, similar to how systemd-networkd now has > WireGuard support built-in. > > The biggest hurdle I currently see is entirely removing the dependency > on wg-quick and wg, and talking Netlink yourself to the kernel, just > like systemd-networkd does. It shouldn't be too hard to adopt the > libmnl-based code in wg(8) to be suitable for your usage; I can assist > with this. In general, the fwmark/routing logic of wg-quick should > probably be done in a NetworkManager-centric way, which means not > using wg-quick. > > Looks like things are off to a great start! > > Jason > _______________________________________________ > WireGuard mailing list > WireGuard@lists.zx2c4.com > https://lists.zx2c4.com/mailman/listinfo/wireguard > --94eb2c05ad76e95e6505652f0580 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

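Jordan's report that the Endpoint field accepts only IP addresses is an input-validation gap: a WireGuard endpoint is host:port where the host may be an IPv4 address, a bracketed IPv6 address or an FQDN. The following syntax check is an added example, not code from the network-manager-wireguard plugin or from anyone in this thread; it assumes a plain host:port string, checks syntax only (no DNS resolution), and rejects an unbracketed IPv6 address because its port would be ambiguous.

```c
/* Added example (not the plugin's code): syntax check for a WireGuard
 * "Endpoint" value of the form host:port, FQDN-aware. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#define MAX_HOST 253
/* RFC 1123 host name: dot-separated labels of 1..63 letters, digits or
 * hyphens, no leading/trailing hyphen, no empty label, <= 253 chars. */
static int valid_hostname(const char *h, size_t n)
{
    size_t label = 0;
    if (n == 0 || n > MAX_HOST) return 0;
    for (size_t i = 0; i < n; i++) {
        char c = h[i];
        if (c == '.') {
            if (label == 0 || h[i - 1] == '-') return 0;
            label = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (label == 0 && c == '-') return 0;
            if (++label > 63) return 0;
        } else {
            return 0;
        }
    }
    return label > 0 && h[n - 1] != '-';
}
/* Returns 1 if ep is "host:port" with a port in 1..65535 and a host that
 * is an IPv4 literal, a bracketed IPv6 literal "[...]" or a valid FQDN. */
int valid_endpoint(const char *ep)
{
    char host[MAX_HOST + 1], *end;
    unsigned char buf[16];
    const char *colon = strrchr(ep, ':');   /* last colon separates the port */
    size_t n;
    long port;
    if (!colon || colon == ep || !isdigit((unsigned char)colon[1])) return 0;
    port = strtol(colon + 1, &end, 10);
    if (*end != '\0' || port < 1 || port > 65535) return 0;
    n = (size_t)(colon - ep);
    if (n > MAX_HOST) return 0;
    if (ep[0] == '[') {                     /* "[IPv6]:port" form */
        if (n < 3 || ep[n - 1] != ']') return 0;
        memcpy(host, ep + 1, n - 2); host[n - 2] = '\0';
        return inet_pton(AF_INET6, host, buf) == 1;
    }
    memcpy(host, ep, n); host[n] = '\0';
    return inet_pton(AF_INET, host, buf) == 1 || valid_hostname(host, n);
}
```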
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Javier Arteaga
To: Max Moser
Cc: WireGuard mailing list
Subject: Re: NetworkManager Plugin
Date: Fri, 16 Feb 2018 21:00:31 +0000
In-Reply-To: <1518793634.23818.33.camel@gmx.de>
References: <7d5325a3-fa07-f67f-a31e-aadd44458d41@student.tuwien.ac.at> <5b85fcc4-4091-ce5d-7f4f-6dcee645f81d@student.tuwien.ac.at> <2a30ad28-1e5a-0fac-7db6-15b609e3b245@mmoya.org> <1518793634.23818.33.camel@gmx.de>

Hi all,

First off, thanks for WireGuard and this effort! I've tested the NM
plugin on my Arch/GNOME3 setup and it works for me too - congrats!

I'm looking to get a bit more involved with the community, so it would
be my pleasure to contribute something back.

On Thu, Feb 15, 2018 at 2:07 PM, Jason A. Donenfeld wrote:
> As I wrote earlier, this is going to require a lot of work to actually
> bring to fruition. The first priority should be entirely dispensing
> with the use of wg-quick. In order to aid these efforts, I spent some
> time writing a mini single-file-c library that you can drop into your
> project as a means for talking to the kernel and configuring devices
> directly:

If nobody else is on this already then I'd like to take a stab at it.
Otherwise, I'll figure out other ways to help get this upstreamed :)

Cheers!
-- 
Javier Arteaga