* [WireGuard] Pull-based peer configuration
@ 2016-11-22 13:08 Baptiste Jonglez
2016-11-22 16:31 ` Jason A. Donenfeld
0 siblings, 1 reply; 7+ messages in thread
From: Baptiste Jonglez @ 2016-11-22 13:08 UTC (permalink / raw)
To: wireguard
[-- Attachment #1: Type: text/plain, Size: 942 bytes --]
Hi,
Right now, the only method for configuring peers is "push-based",
i.e. using `wg` to push the public key and AllowedIPs for each peer to the
running wireguard instance.
I'm toying with the idea of a pull-based model, for instance storing peer
configuration in a Radius or SQL database. But it seems like an
incredibly bad idea to integrate a Radius or SQL library inside the
kernel.
What about having a userspace daemon that wireguard can query from
kernelspace when a new peer connects? Wireguard would basically ask "Is
this public key allowed to connect, and what are its AllowedIPs?". The
daemon would then use whatever method it wants (flat file, SQL/Radius
database, LDAP…) to determine whether the peer is allowed and its
configuration.
I guess it looks a bit like the IKE daemon in IPsec (though not exactly,
since wireguard handles rekeying itself), which I'm not sure is a good
sign :)
Baptiste
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [WireGuard] Pull-based peer configuration
2016-11-22 13:08 [WireGuard] Pull-based peer configuration Baptiste Jonglez
@ 2016-11-22 16:31 ` Jason A. Donenfeld
2017-02-08 23:23 ` mint (ubuntu) kernel Signing john huttley
2017-02-11 12:18 ` [WireGuard] Pull-based peer configuration jens
0 siblings, 2 replies; 7+ messages in thread
From: Jason A. Donenfeld @ 2016-11-22 16:31 UTC (permalink / raw)
To: Baptiste Jonglez; +Cc: WireGuard mailing list
Hey,
I've thought about the same sort of thing, too. Indeed this would be
different from an IKE daemon, because it would just be a datastructure
provider, rather than a crypto protocol situation.
I envision two uses of a pull model: "please compute this ECDH
multiplication using some daemon-controlled private key" and "do you
recognize this public key? if so, please tell me the allowed-ips for
it." The former would allow easy integration into userspace smartcard
daemons. The latter would allow easy integration into database
systems.
All and all, this isn't that hard to do. All things that have to do
with public key crypto are already strictly ratelimited and running in
a relatively friendly and safe kthread, which can do things like sleep
and yield to userspace processes. It's just a matter of adding the
machinery and exposing the APIs. I can do this.
But it does add _just a tiny little bit_ of extra complexity, which
can quickly snowball into something dreadful. My general plan for
these more enterprise-centric features is to wait until after the
initial codebase is merged into mainline. I'd like to do the best job
we can do on the core principles and components, and once we have a
solid foundation, consider the best ways of building up. (IPsec did
the opposite -- a massive set of committees designed the whole thing,
and oy gevalt...)
What do you think of this approach to that?
Jason
^ permalink raw reply [flat|nested] 7+ messages in thread
* mint (ubuntu) kernel Signing
2016-11-22 16:31 ` Jason A. Donenfeld
@ 2017-02-08 23:23 ` john huttley
2017-02-11 9:14 ` Jason A. Donenfeld
2017-02-11 12:18 ` [WireGuard] Pull-based peer configuration jens
1 sibling, 1 reply; 7+ messages in thread
From: john huttley @ 2017-02-08 23:23 UTC (permalink / raw)
To: wireguard
Hi Team,
I had been using the git version on my Mint 18.1 laptop
4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:09:55 UTC 2017 i686 i686
i686 GNU/Linux
After upgrading the kernel to the above, it won't install the module.
I understand that this is because the module must be signed.
Does anyone have any experience with this?
Regards,
John
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: mint (ubuntu) kernel Signing
2017-02-08 23:23 ` mint (ubuntu) kernel Signing john huttley
@ 2017-02-11 9:14 ` Jason A. Donenfeld
0 siblings, 0 replies; 7+ messages in thread
From: Jason A. Donenfeld @ 2017-02-11 9:14 UTC (permalink / raw)
To: john huttley; +Cc: WireGuard mailing list
Hey John,
Indeed if you have a secure-boot enabled kernel, you need to sign your
kernel modules before they can be inserted. One option is just to
disable secureboot and then restart:
sudo apt install mokutil
sudo mokutil --disable-validation
But if you'd like to retain the security of secureboot, then you can
add your own signing key to UEFI and sign the kernel module with it.
You can follow basically the same process as described in this
article: http://www.pellegrino.link/2015/11/29/signing-nvidia-proprietary-driver-on-fedora.html
Except you sign wireguard.ko in the end.
Let me know if you have trouble or require more explanation. If this
becomes a real sore point, I'll write some WireGuard-specific
documentation or even write some automated scripts. But I'd be
interested in your feedback first on the above.
Thanks,
Jason
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [WireGuard] Pull-based peer configuration
2016-11-22 16:31 ` Jason A. Donenfeld
2017-02-08 23:23 ` mint (ubuntu) kernel Signing john huttley
@ 2017-02-11 12:18 ` jens
2017-02-11 14:49 ` Jason A. Donenfeld
2019-12-26 1:36 ` F. Hölzlwimmer
1 sibling, 2 replies; 7+ messages in thread
From: jens @ 2017-02-11 12:18 UTC (permalink / raw)
To: WireGuard mailing list
On 22.11.2016 17:31, Jason A. Donenfeld wrote:
> But it does add _just a tiny little bit_ of extra complexity, which
> can quickly snowball into something dreadful. My general plan for
> these more enterprise-centric features is to wait until after the
> initial codebase is merged into mainline.
just a small comment, freifunk a like we would love to see something
like this, but are also happy to wait a while - because we are used to
prefilled lists/configs with valid keys.
this would make things a lot easier. ;)
thx
--
make the world nicer, please use PGP encryption
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2020-01-30 1:53 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-11-22 13:08 [WireGuard] Pull-based peer configuration Baptiste Jonglez
2016-11-22 16:31 ` Jason A. Donenfeld
2017-02-08 23:23 ` mint (ubuntu) kernel Signing john huttley
2017-02-11 9:14 ` Jason A. Donenfeld
2017-02-11 12:18 ` [WireGuard] Pull-based peer configuration jens
2017-02-11 14:49 ` Jason A. Donenfeld
2019-12-26 1:36 ` F. Hölzlwimmer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).