Development discussion of WireGuard
* Dynamic Addresses
@ 2017-11-29 13:05 Mytril
  2017-11-29 13:12 ` Jason A. Donenfeld
  0 siblings, 1 reply; 13+ messages in thread
From: Mytril @ 2017-11-29 13:05 UTC (permalink / raw)
  To: wireguard

Hello,

I have tried WireGuard for several days. But if a client gets a new IP
address, the other client doesn't look up this address by the given domain.
Only a reset with "ifdown wg0 && ifup wg0" changes the IP address to the
new one.
So is it a bug, or is it intended that I need to use a cron job to
update the IP?


* Re: Dynamic Addresses
  2017-11-29 13:05 Dynamic Addresses Mytril
@ 2017-11-29 13:12 ` Jason A. Donenfeld
  2017-11-29 13:35   ` Mytril
  0 siblings, 1 reply; 13+ messages in thread
From: Jason A. Donenfeld @ 2017-11-29 13:12 UTC (permalink / raw)
  To: Mytril; +Cc: WireGuard mailing list

Hello Mytril,

This isn't a bug. DNS is resolved at configuration time. If you'd like
to continually reresolve the DNS, you can do this with a script in any
way you wish. WireGuard is a building block, meant to be used with a
variety of other things like this.

The contrib/examples directory has one such script that can be used:
https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns

I'm sure you can come up with one well suited for your uses.

Regards,
Jason


* Re: Dynamic Addresses
  2017-11-29 13:12 ` Jason A. Donenfeld
@ 2017-11-29 13:35   ` Mytril
  2017-11-29 13:40     ` Jason A. Donenfeld
  0 siblings, 1 reply; 13+ messages in thread
From: Mytril @ 2017-11-29 13:35 UTC (permalink / raw)
  To: wireguard

> Hello Mytril,
> 
> This isn't a bug. DNS is resolved at configuration time. If you'd like
> to continually reresolve the DNS, you can do this with a script in any
> way you wish. WireGuard is a building block, meant to be used with a
> variety of other things like this.
> 
> The contrib/examples directory has one such script that can be used:
> https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns
> 
> I'm sure you can come up with one well suited for your uses.
> 
> Regards,
> Jason
> 

Yes, I have written a similar script for the German ubuntuusers.de wiki.
And this works fine. But I think (I'm not a professional) it could
maybe be a security issue. Let me try to explain:

If Bob and Alice are two clients which have a WireGuard VPN to each
other, Eve could steal the private key of Bob and the public key of
Alice and wait till Bob has a disconnect and gets a new IP. Then Eve
could register this IP and have 30 seconds or so access to the private
network of Alice.

Is this not possible? It could be a problem for people who want to
communicate with the network of the company. So if this case works, it
could be a problem.


* Re: Dynamic Addresses
  2017-11-29 13:35   ` Mytril
@ 2017-11-29 13:40     ` Jason A. Donenfeld
  2017-11-29 13:44       ` Georg Faerber
  2017-11-29 13:47       ` Mytril
  0 siblings, 2 replies; 13+ messages in thread
From: Jason A. Donenfeld @ 2017-11-29 13:40 UTC (permalink / raw)
  To: Mytril; +Cc: WireGuard mailing list

On Wed, Nov 29, 2017 at 2:35 PM, Mytril <mytril42@posteo.de> wrote:
> Yes, I have written a similar script for the German ubuntuusers.de wiki.

Care to share?

> If Bob and Alice are two clients which have a WireGuard VPN to each
> other, Eve could steal the private key of Bob and the public key of
> Alice and wait till Bob has a disconnect and gets a new IP. Then Eve
> could register this IP and have 30 seconds or so access to the private
> network of Alice.

If Eve has Bob's private key, he will always be able to impersonate
Bob to anybody. This is by design and not a security vulnerability.
Your private key is your identity. Just like SSH and a variety of
other well known protocols.


* Re: Dynamic Addresses
  2017-11-29 13:40     ` Jason A. Donenfeld
@ 2017-11-29 13:44       ` Georg Faerber
  2017-11-29 13:46         ` Jason A. Donenfeld
  2017-11-29 14:25         ` Lonnie Abelbeck
  2017-11-29 13:47       ` Mytril
  1 sibling, 2 replies; 13+ messages in thread
From: Georg Faerber @ 2017-11-29 13:44 UTC (permalink / raw)
  To: wireguard


On 17-11-29 14:40:25, Jason A. Donenfeld wrote:
> On Wed, Nov 29, 2017 at 2:35 PM, Mytril <mytril42@posteo.de> wrote:
> > Yes, I have written a similar script for the German ubuntuusers.de wiki.
> 
> Care to share?

https://wiki.ubuntuusers.de/Baustelle/WireGuard/#Probleme-mit-der-dynamischen-IP



* Re: Dynamic Addresses
  2017-11-29 13:44       ` Georg Faerber
@ 2017-11-29 13:46         ` Jason A. Donenfeld
  2017-11-29 13:49           ` Georg Faerber
  2017-11-29 14:25         ` Lonnie Abelbeck
  1 sibling, 1 reply; 13+ messages in thread
From: Jason A. Donenfeld @ 2017-11-29 13:46 UTC (permalink / raw)
  To: Georg Faerber; +Cc: WireGuard mailing list

On Wed, Nov 29, 2017 at 2:44 PM, Georg Faerber <georg@riseup.net> wrote:
> On 17-11-29 14:40:25, Jason A. Donenfeld wrote:
>> On Wed, Nov 29, 2017 at 2:35 PM, Mytril <mytril42@posteo.de> wrote:
>> > Yes, I have written a similar script for the German ubuntuusers.de wiki.
>>
>> Care to share?
>
> https://wiki.ubuntuusers.de/Baustelle/WireGuard/#Probleme-mit-der-dynamischen-IP

It looks like you're calling ifup/ifdown. This is not a very nice
solution at all. I'd suggest you instead link to the script I shared
earlier in this thread, which does things correctly.


* Re: Dynamic Addresses
  2017-11-29 13:40     ` Jason A. Donenfeld
  2017-11-29 13:44       ` Georg Faerber
@ 2017-11-29 13:47       ` Mytril
  2017-11-29 13:54         ` Jason A. Donenfeld
  1 sibling, 1 reply; 13+ messages in thread
From: Mytril @ 2017-11-29 13:47 UTC (permalink / raw)
  To: WireGuard mailing list

> On Wed, Nov 29, 2017 at 2:35 PM, Mytril <mytril42@posteo.de> wrote:
>> Yes, I have written a similar script for the German ubuntuusers.de wiki.
> 
> Care to share?
> 

Yes, if you want:
https://wiki.ubuntuusers.de/Baustelle/WireGuard/#Probleme-mit-der-dynamischen-IP

This article is work in progress; later it will be accessible under:
https://wiki.ubuntuusers.de/WireGuard/#Probleme-mit-der-dynamischen-IP

>> If Bob and Alice are two clients which have a WireGuard VPN to each
>> other, Eve could steal the private key of Bob and the public key of
>> Alice and wait till Bob has a disconnect and gets a new IP. Then Eve
>> could register this IP and have 30 seconds or so access to the private
>> network of Alice.
> 
> If Eve has Bob's private key, he will always be able to impersonate
> Bob to anybody. This is by design and not a security vulnerability.
> Your private key is your identity. Just like SSH and a variety of
> other well known protocols.


* Re: Dynamic Addresses
  2017-11-29 13:46         ` Jason A. Donenfeld
@ 2017-11-29 13:49           ` Georg Faerber
  0 siblings, 0 replies; 13+ messages in thread
From: Georg Faerber @ 2017-11-29 13:49 UTC (permalink / raw)
  To: wireguard


On 17-11-29 14:46:31, Jason A. Donenfeld wrote:
> On Wed, Nov 29, 2017 at 2:44 PM, Georg Faerber <georg@riseup.net> wrote:
> > On 17-11-29 14:40:25, Jason A. Donenfeld wrote:
> >> On Wed, Nov 29, 2017 at 2:35 PM, Mytril <mytril42@posteo.de> wrote:
> >> > Yes, I have written a similar script for the German ubuntuusers.de wiki.
> >>
> >> Care to share?
> >
> > https://wiki.ubuntuusers.de/Baustelle/WireGuard/#Probleme-mit-der-dynamischen-IP
> 
> It looks like you're calling ifup/ifdown. This is not a very nice
> solution at all. I'd suggest you instead link to the script I shared
> earlier in this thread, which does things correctly.

I'm neither the author, nor a user of this script, I've just shared the
link.. :)

Cheers,
Georg



* Re: Dynamic Addresses
  2017-11-29 13:47       ` Mytril
@ 2017-11-29 13:54         ` Jason A. Donenfeld
  2017-11-29 14:09           ` Mytril
  0 siblings, 1 reply; 13+ messages in thread
From: Jason A. Donenfeld @ 2017-11-29 13:54 UTC (permalink / raw)
  To: Mytril; +Cc: WireGuard mailing list

On Wed, Nov 29, 2017 at 2:47 PM, Mytril <mytril42@posteo.de> wrote:
> Yes if you want:
> https://wiki.ubuntuusers.de/Baustelle/WireGuard/#Probleme-mit-der-dynamischen-IP
>
> This article is work in progress; later it will be accessible under:
> https://wiki.ubuntuusers.de/WireGuard/#Probleme-mit-der-dynamischen-IP

As I mentioned to Georg, this really should link to
https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns
instead of using ifup&&ifdown, which is a pretty ugly solution. I'd
edit it myself, except I don't [yet?] read German.

Jason


* Re: Dynamic Addresses
  2017-11-29 13:54         ` Jason A. Donenfeld
@ 2017-11-29 14:09           ` Mytril
  2017-11-30  8:22             ` Mytril
  0 siblings, 1 reply; 13+ messages in thread
From: Mytril @ 2017-11-29 14:09 UTC (permalink / raw)
  To: WireGuard mailing list

On 29.11.2017 at 14:54, Jason A. Donenfeld wrote:
> On Wed, Nov 29, 2017 at 2:47 PM, Mytril <mytril42@posteo.de> wrote:
>> Yes if you want:
>> https://wiki.ubuntuusers.de/Baustelle/WireGuard/#Probleme-mit-der-dynamischen-IP
>>
>> This article is work in progress; later it will be accessible under:
>> https://wiki.ubuntuusers.de/WireGuard/#Probleme-mit-der-dynamischen-IP
> 
> As I mentioned to Georg, this really should link to
> https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns
> instead of using ifup&&ifdown, which is a pretty ugly solution. I'd
> edit it myself, except I don't [yet?] read German.
> 
> Jason
> 

OK, I have edited the article so that it links to the script you
mentioned. And I will give it a try.

PS: German is not so difficult :D


* Re: Dynamic Addresses
  2017-11-29 13:44       ` Georg Faerber
  2017-11-29 13:46         ` Jason A. Donenfeld
@ 2017-11-29 14:25         ` Lonnie Abelbeck
  1 sibling, 0 replies; 13+ messages in thread
From: Lonnie Abelbeck @ 2017-11-29 14:25 UTC (permalink / raw)
  To: WireGuard mailing list


On Nov 29, 2017, at 7:44 AM, Georg Faerber <georg@riseup.net> wrote:

> On 17-11-29 14:40:25, Jason A. Donenfeld wrote:
>> On Wed, Nov 29, 2017 at 2:35 PM, Mytril <mytril42@posteo.de> wrote:
>>> Yes, I have written a similar script for the German ubuntuusers.de wiki.
>>
>> Care to share?
>

In this season of sharing :-) last week I took Jason's reresolve-dns
script as a reference and created a persistent background script
"wireguard-monitor" that is started/stopped alongside wireguard in our
AstLinux project.

wireguard-monitor
https://github.com/astlinux-project/astlinux/blob/master/package/wireguard/wireguard-monitor

Currently wireguard-monitor only updates DNS endpoints when
WIREGUARD_DNS_UPDATE="yes" in the sourced /etc/rc.conf file.
wireguard-monitor can be stopped by deleting the PIDFILE.

One minor improvement over Jason's example is that only DNS endpoints are
updated; I test for manual IPv4/IPv6 addresses.  I also wrote it hoping
someday [Peer-peername] will be a valid config syntax.

Note, there are several things specific to our project, such as we
create /var/lock/wireguard.lock when wireguard is active, and we include
/usr/lib/bash/sleep as a bash builtin, but there might be a few ideas to
take away.

Lonnie

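Jason's point earlier in the thread (the Endpoint hostname is resolved
once, at configuration time, so re-resolution has to be done by an
outside script) and Lonnie's refinement (only hostname endpoints need
it; IPv4/IPv6 literals are skipped) fit into one small POSIX sh script.
The script below is an added example written for this page; it is not
the contrib/examples/reresolve-dns script and not AstLinux's
wireguard-monitor. It assumes a wg-quick style config at
/etc/wireguard/<iface>.conf, that `wg` is on PATH (overridable with the
WG variable), and it treats a peer with no handshake in the last 135
seconds (an assumed threshold) as one whose endpoint may have moved.
Nothing is torn down: `wg set <iface> peer <pubkey> endpoint host:port`
resolves the name at that moment and updates the live peer, which is
what makes it preferable to `ifdown wg0 && ifup wg0`.

```sh
#!/bin/sh
# Added example for this thread, not the reresolve-dns script from
# contrib/examples and not AstLinux's wireguard-monitor.
# Re-resolves hostname Endpoint= entries of a wg-quick style config and
# pushes them with `wg set`, so a peer that moved to a new address is
# reached again without `ifdown wg0 && ifup wg0`.
# Assumptions: config at /etc/wireguard/<iface>.conf, `wg` on PATH
# (override with WG=...), and STALE_SECONDS (assumed 135) without a
# handshake means the endpoint may have moved.
WG="${WG:-wg}"
STALE_SECONDS="${STALE_SECONDS:-135}"

# Print "<pubkey> <endpoint>" for every [Peer] section that has both.
peer_endpoints() {  # $1 = config file
    awk '
        /^[ \t]*\[/ { if (pk != "" && ep != "") print pk, ep; pk = ""; ep = "" }
        /^[ \t]*[Pp]ublic[Kk]ey[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); pk = $0 }
        /^[ \t]*[Ee]ndpoint[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); ep = $0 }
        END { if (pk != "" && ep != "") print pk, ep }
    ' "$1"
}

# Host part of "host:port" or "[v6-literal]:port".
endpoint_host() {
    case "$1" in
        \[*\]:*) h=${1#\[}; printf '%s\n' "${h%%]*}" ;;
        *)       printf '%s\n' "${1%:*}" ;;
    esac
}

# Succeeds when the host is an IPv4/IPv6 literal: nothing to re-resolve.
is_ip_literal() {
    case "$1" in
        *:*)        return 0 ;;  # IPv6 literal; hostnames never contain ':'
        *[!0-9.]*)  return 1 ;;  # letters or '-' present: a hostname
        *)          return 0 ;;  # digits and dots only: IPv4 literal
    esac
}

# Print the public keys whose latest handshake is older than STALE_SECONDS.
# `wg show <iface> latest-handshakes` prints "<pubkey>\t<unix-time>",
# with 0 for a peer that never completed a handshake.
stale_peers() {  # $1 = interface
    now=$(date +%s)
    "$WG" show "$1" latest-handshakes | while read -r pk ts; do
        if [ "$((now - ts))" -gt "$STALE_SECONDS" ]; then
            printf '%s\n' "$pk"
        fi
    done
}

# Re-set the endpoint of each stale peer whose Endpoint= is a hostname.
# `wg set` resolves the name now, which wg-quick does only once at start.
reresolve_endpoints() {  # $1 = interface, $2 = config (optional)
    iface=$1
    conf=${2:-/etc/wireguard/$1.conf}
    stale=" $(stale_peers "$iface" | tr '\n' ' ')"
    peer_endpoints "$conf" | while read -r pk ep; do
        host=$(endpoint_host "$ep")
        if is_ip_literal "$host"; then
            continue
        fi
        case "$stale" in
            *" $pk "*) "$WG" set "$iface" peer "$pk" endpoint "$ep" ;;
        esac
    done
}

# Usage from cron or a systemd timer, as root: reresolve-endpoints.sh wg0
if [ -n "${1:-}" ]; then
    reresolve_endpoints "$1"
fi
```

Run it every 30 seconds or so from cron or a systemd timer. Because only
peers without a recent handshake are touched, a healthy tunnel is never
disturbed, and because the update is keyed on the peer's public key, a
host that merely acquires Bob's old or new IP gets nothing: the
handshake still requires Bob's private key, which is the point Jason
makes above.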

* Re: Dynamic Addresses
  2017-11-29 14:09           ` Mytril
@ 2017-11-30  8:22             ` Mytril
  2017-11-30  8:33               ` Mytril
  0 siblings, 1 reply; 13+ messages in thread
From: Mytril @ 2017-11-30  8:22 UTC (permalink / raw)
  To: wireguard

> On 29.11.2017 at 14:54, Jason A. Donenfeld wrote:
>> On Wed, Nov 29, 2017 at 2:47 PM, Mytril <mytril42@posteo.de> wrote:
>>> Yes if you want:
>>> https://wiki.ubuntuusers.de/Baustelle/WireGuard/#Probleme-mit-der-dynamischen-IP
>>>
>>> This article is work in progress; later it will be accessible under:
>>> https://wiki.ubuntuusers.de/WireGuard/#Probleme-mit-der-dynamischen-IP
>>
>> As I mentioned to Georg, this really should link to
>> https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns
>> instead of using ifup&&ifdown, which is a pretty ugly solution. I'd
>> edit it myself, except I don't [yet?] read German.
>>
>> Jason
>>
> 
> OK, I have edited the article so that it links to the script you
> mentioned. And I will give it a try.
> 
> PS: German is not so difficult :D

The script doesn't update the dynamic IP... It looks like it does
nothing. Are there any requirements? I see that it looks for .conf
files in /etc/wireguard/ and I have wg0.conf there. But nothing happens.

Btw: any documentation and echo messages in the file would be nice :D


* Re: Dynamic Addresses
  2017-11-30  8:22             ` Mytril
@ 2017-11-30  8:33               ` Mytril
  0 siblings, 0 replies; 13+ messages in thread
From: Mytril @ 2017-11-30  8:33 UTC (permalink / raw)
  To: wireguard

>> On 29.11.2017 at 14:54, Jason A. Donenfeld wrote:
>>> On Wed, Nov 29, 2017 at 2:47 PM, Mytril <mytril42@posteo.de> wrote:
>>>> Yes if you want:
>>>> https://wiki.ubuntuusers.de/Baustelle/WireGuard/#Probleme-mit-der-dynamischen-IP
>>>>
>>>> This article is work in progress; later it will be accessible under:
>>>> https://wiki.ubuntuusers.de/WireGuard/#Probleme-mit-der-dynamischen-IP
>>>
>>> As I mentioned to Georg, this really should link to
>>> https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns
>>> instead of using ifup&&ifdown, which is a pretty ugly solution. I'd
>>> edit it myself, except I don't [yet?] read German.
>>>
>>> Jason
>>>
>>
>> OK, I have edited the article so that it links to the script you
>> mentioned. And I will give it a try.
>>
>> PS: German is not so difficult :D
> 
> The script doesn't update the dynamic IP... It looks like it does
> nothing. Are there any requirements? I see that it looks for .conf
> files in /etc/wireguard/ and I have wg0.conf there. But nothing happens.
> 
> Btw: any documentation and echo messages in the file would be nice :D

Hello,

To specify it a little bit: on Ubuntu 16.04 and Debian Stretch it does
what it has to do, but on Raspbian Stretch it doesn't do anything.

