Re: [PATCH] Handle (a) changes in Screech and (b) borrow issue

2017-02-17 Thread Jason Dusek
Hi Jason,

It was necessary to "vendor" Screech. A separate Git repo makes for a
cleaner patch than downloading and including all of Screech. The patch
makes some stuff public again that was once public and then went private:

https://github.com/solidsnack/screech/commit/6d91d075ad2f98f03c807a471953495c720a5696

I assume Trevor made them private for a reason; but also that the original
developer of the client used them for a reason. I would like to better
understand the application before making a suggestion as regards the
Screech API; but I would also really like the Rust client to build (as I
think we all would).

Kind Regards,
Jason

Jason A. Donenfeld wrote on Fri, 17 Feb 2017 at 05:50:

> Hey,
>
> Thanks for the patch. This changes the screech repository to your own.
> Has Trevor agreed for you to officially take over that project? If so,
> please link me to the moderncrypto mailing list post about this. If
> not, why should things switch to yours rather than moving your patches
> upstream to Trevor?
>
> Regards,
> Jason
>
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


Re: Instability during large transfers

2017-02-17 Thread Samuel Holland

Hello,

On 02/17/17 07:36, Jason A. Donenfeld wrote:
> The stack trace does indicate that the OOPS is happening in padata,
> not in wireguard, so I wonder if this is some bug caused either by
> grsecurity or by something else that was then fixed, but since your
> kernel is a bit old (4.7.10) maybe the fix didn't make it. In either
> case, I'll try to reproduce on that kernel and on newer kernels and
> will get back to you.

There do not appear to be any relevant changes to padata in the past few
years, and grsecurity doesn't look like it affects padata much, but that
doesn't rule it out:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/?qt=grep=padata
https://grsecurity.net/changelog-test.txt

> I presume you have most PaX options turned on?

Attached is my config.gz (it's the same on all machines).

> Thanks,
> Jason

Thanks,
Samuel

[Attachment: config-4.7.10-hardened.gz (application/gzip)]


[wireguard-devel] About ip management

2017-02-17 Thread nicolas prochazka
Hello,
I hope I have not misunderstood IP management with WireGuard.
In a "server mode operation", as many peers -> one peer (server),
the private IP configuration must be coherent. In fact, as in the server/client
example in contrib, the server must deliver IPs to clients; there is no way for
a client to know the right private_ip.
We cannot use DHCP (layer 3), so ...
we need to implement a pool IP manager, is that correct?

Regards,
Nicolas Prochazka.


Re: Some questions about wireguard

2017-02-17 Thread Nicolas Prochazka
Hello,
sorry for my English.
This question (udp tunnel ..) is not relevant; I am learning a lot from reading
the mailing list.
Regards,
Nicolas

2017-02-17 14:48 GMT+01:00 Jason A. Donenfeld :

> On Wed, Feb 15, 2017 at 11:12 AM, Nicolas Prochazka
>  wrote:
> > - how many tunnels a peer can manage ?
> > In our environnement, ~ 10 000 clients --> "server"|peer
>
> Each interface can have 65536 peers. Each linux system can have
> multiple interfaces.
>
> (If that peer limit becomes a problem for somebody, it wouldn't be
> difficult to remove it and expand it to 4294967296.)
>
> > how wireguard manage this ( udp tunnel from kernel ? )
>
> Not sure I understand your question. Could you rephrase?
>
> >
> > - about peer key management ?
> > with 10 000 peer keys, how can we manage it
>
> You can load the keys into the interface using wg(8). At some later
> date there may be support for dynamic database stuff.
>
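As an added example (not code from the WireGuard project or from anyone on this list), here is a small Python "pool IP manager" of the kind Nicolas asks about in the "About ip management" message, tied to Jason's answer above that peers and their keys are loaded with wg(8): each public key is handed one address from a tunnel-IP pool, registering the same key twice is idempotent, departed peers give their address back, and the result is rendered as a setconf-style file with one [Peer] per client whose AllowedIPs is that client's /32. The pool range, the listen port, the interface name and every key value are assumptions or constructed data; the script only writes text and never touches an interface.

```python
"""Tunnel-IP pool manager for a many-peers -> one-server WireGuard setup.

Added illustration only: it produces a wg(8) setconf-style file and does not
touch any interface; the operator applies it, e.g. `wg setconf wg0 wg0.conf`.
The pool range, port and key values below are assumptions / constructed data.
"""
import base64
import ipaddress
import re

# A WireGuard public key is 32 bytes, base64-encoded: 44 characters ending in "=".
_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$")


class PoolExhausted(Exception):
    """Every host address in the pool is already handed out."""


class PeerPool:
    def __init__(self, pool: str, server_private_key: str, listen_port: int = 51820):
        self.net = ipaddress.ip_network(pool)
        hosts = list(self.net.hosts())
        self.server_ip = hosts[0]        # first host is the server itself (assumption)
        self.free = hosts[1:]            # remaining hosts are allocatable
        self.server_private_key = server_private_key
        self.listen_port = listen_port
        self.peers = {}                  # public key -> allocated address

    def allocate(self, pubkey: str) -> ipaddress.IPv4Address:
        """Hand one address to a public key; repeating a key returns the same address."""
        if not _KEY_RE.match(pubkey):
            raise ValueError(f"not a WireGuard public key: {pubkey!r}")
        if pubkey in self.peers:
            return self.peers[pubkey]
        if not self.free:
            raise PoolExhausted(f"no addresses left in {self.net}")
        addr = self.free.pop(0)
        self.peers[pubkey] = addr
        return addr

    def release(self, pubkey: str) -> None:
        """Give a departed peer's address back; the lowest free address is reused first."""
        self.free.append(self.peers.pop(pubkey))
        self.free.sort()

    def render(self) -> str:
        """Render a setconf-style file with one [Peer] per client.

        AllowedIPs is the client's /32: the server will only send that address to,
        and only accept that source address from, the holder of that key.
        There is no Address= line because wg(8) setconf does not manage interface
        addresses; ip(8) (or wg-quick) does that.
        """
        lines = ["[Interface]",
                 f"PrivateKey = {self.server_private_key}",
                 f"ListenPort = {self.listen_port}",
                 ""]
        for key, addr in sorted(self.peers.items(), key=lambda kv: kv[1]):
            lines += ["[Peer]", f"PublicKey = {key}", f"AllowedIPs = {addr}/32", ""]
        return "\n".join(lines)


def fake_key(seed: int) -> str:
    """Constructed, non-random 32-byte 'key' for the demo; never use as a real key."""
    return base64.b64encode(bytes([seed & 0xFF]) * 32).decode()


if __name__ == "__main__":
    pool = PeerPool("10.10.0.0/24", fake_key(0))
    for n in range(1, 4):
        print(fake_key(n), "->", pool.allocate(fake_key(n)))
    print(pool.render())
```

The /32 per peer is the important security detail: with a wider AllowedIPs a client could source traffic as another client's tunnel address and the server would accept it, so the pool manager, not the client, decides what each key may speak for.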


Re: Wanted: Novice Guides

2017-02-17 Thread Jason A. Donenfeld
Hi Daniel,

On Wed, Feb 15, 2017 at 3:53 PM, Daniel Kahn Gillmor
 wrote:
> A good "novice guide" usually has the following pattern:

This is a nice list of suggestions on how to structure guides. Thanks for that.

> Those of us who are not novices understand that tools like WireGuard can
> be used on a lot of different platforms (c) to perform a lot of
> different tasks (a), but how those tasks are carried out might have more
> to do with policy details (where do you get the peer's public keys from?
> how do you verify that they're the right public keys?  How do peers find
> each other if there are no stable public IP addresses?  How do you
> allocate IP addresses for the wg interfaces?  Which traffic should each
> peer route over which wg interfaces?) than with WireGuard itself.

Right. The concepts are simple, and simplify a lot of the things
WireGuard is supposed to replace, but they're still somewhat new
concepts. That means there's going to need to be explanations and
diagrams and good solid descriptions for people who don't even know
the prior concepts.

> The fact that the WireGuard-specific instructions for any such guide are
> likely to be minimal is one of the strengths of WireGuard, i think.  But
> that also means that any novice guide is going to be at least as much
> about non-WireGuard details as it is about WireGuard itself.

Right. This also raises the question of the role of WireGuard in
general. It's being designed as sort of a fundamental basic building
block, on which other tools and simple bash scripts should be built.
How much should I build those larger things? (Such as wg-quick.) How
much should I wait for others to integrate this into existing
utilities (such as NetworkManager or systemd-networkd)? How much
should other people simply build new tools on top of the WireGuard
core? I suspect the answer is: all of those things all at once, and
then we'll have a flourishing ecosystem. This, though, makes the focus
of beginner guides non-obvious.

>
> Jason, what kinds of novice guides are people asking for?

"How do I set up my laptop with my server?" "How do I set up my laptop
with my home router?" "How do I put it on a RasPi at home and connect
to it from the Internet with my laptop?" "How do I hook all my servers
together with it?" "What's the difference between a tunnel IP address
and an endpoint?" "What do I put in AllowedIPs and what do I put as
the interface IP and what's the difference?" "What's the difference
between AllowedIPs and the normal routing table?" etc etc
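Two of the novice questions Jason lists ("What do I put in AllowedIPs and what do I put as the interface IP?" and "What's the difference between AllowedIPs and the normal routing table?") come down to the fact that an outbound packet goes through two lookups. The following is an added example, not code from the WireGuard project or from anyone on this list: a Python model of a server with wg0 at 10.0.0.1/24, a laptop peer, and a home-router peer that also carries its LAN behind the tunnel. The ordinary routing table picks the device; if that device is wg0, AllowedIPs (cryptokey routing, longest-prefix match as the in-kernel lookup does) picks the peer, and a destination no peer claims is dropped inside the interface even though the kernel routed it there. Inbound, the same table is an access list: a decrypted packet whose source is outside the sending peer's AllowedIPs is dropped. Peer names, routes and addresses are constructed sample data.

```python
"""AllowedIPs versus the normal routing table (added illustration).

An outbound packet goes through two lookups:
  1. the kernel routing table picks a *device* for the destination;
  2. if that device is a WireGuard interface, the peers' AllowedIPs pick the
     *peer* (hence key and endpoint) the packet is encrypted to, by longest
     prefix match; no match means the packet is dropped inside the interface.
Inbound, AllowedIPs acts as an access list: after decryption, a packet whose
source address is not inside the sending peer's AllowedIPs is dropped.
All routes, peers and addresses below are constructed sample data.
"""
import ipaddress


def _net(s):
    return ipaddress.ip_network(s)


def longest_prefix(addr, table):
    """Most specific (network, value) entry of table containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for network, value in table:
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, value)
    return best


def kernel_route(dst, routes):
    """Stage 1: ordinary routing table, destination -> device name."""
    hit = longest_prefix(dst, routes)
    return hit[1] if hit else None


def select_peer(dst, peers):
    """Stage 2: cryptokey routing, destination -> peer public key (None = drop)."""
    table = [(network, key) for key, nets in peers.items() for network in nets]
    hit = longest_prefix(dst, table)
    return hit[1] if hit else None


def route(dst, routes, peers, wg_dev="wg0"):
    """Full outbound decision as (device, peer); peer is None unless the device
    is the WireGuard interface and some peer's AllowedIPs cover dst."""
    dev = kernel_route(dst, routes)
    if dev != wg_dev:
        return dev, None
    return dev, select_peer(dst, peers)


def accept_inbound(src, from_key, peers):
    """Inbound check: the decrypted source must lie within the sender's AllowedIPs."""
    ip = ipaddress.ip_address(src)
    return any(ip in network for network in peers[from_key])


# Constructed example: server with wg0 = 10.0.0.1/24 and two peers.
# The home router also carries its LAN (192.168.50.0/24) behind the tunnel.
PEERS = {
    "LAPTOP_PUBKEY": [_net("10.0.0.2/32")],
    "ROUTER_PUBKEY": [_net("10.0.0.3/32"), _net("192.168.50.0/24")],
}
# What `ip route` would show on the server (longest prefix wins).
ROUTES = [
    (_net("10.0.0.0/24"), "wg0"),        # subnet of the interface's own address
    (_net("192.168.50.0/24"), "wg0"),    # needed so the LAN behind the router is reachable
    (_net("192.168.1.0/24"), "eth0"),
    (_net("0.0.0.0/0"), "eth0"),
]

if __name__ == "__main__":
    for dst in ("10.0.0.2", "192.168.50.7", "10.0.0.9", "8.8.8.8"):
        print(dst, "->", route(dst, ROUTES, PEERS))
    print("router sends 192.168.50.7:", accept_inbound("192.168.50.7", "ROUTER_PUBKEY", PEERS))
    print("laptop spoofs 10.0.0.3:", accept_inbound("10.0.0.3", "LAPTOP_PUBKEY", PEERS))
```

The interface address (10.0.0.1/24 here) is what ip(8) assigns and what the kernel routing table is derived from; AllowedIPs is per peer and lives inside the interface. With plain wg(8) the operator must add the stage-1 routes by hand, which is where the 192.168.50.0/24 entry above comes from; wg-quick installs a route to the interface for every AllowedIPs entry so that the two stages agree.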


Re: version mismatch

2017-02-17 Thread Jason A. Donenfeld
Hi David,

Since WireGuard is still in active development, it's probably best to
run the latest versions if you can, since every version is better than
the previous.

Jason