Re: WireGuard root-less support for android
Hello,

On 11/06/17 22:38, Aurélien Chabot wrote:
> I worked on a set of changes to add root-less support of WireGuard for
> Android. The solution I chose is to use the wireguard-go library inside the
> Android application. Golang has a mechanism to export some native bindings
> quite easily to Java. The set of patches needs some feedback but it's
> actually working well. I'd like to know if you think this is a good
> direction to take for the Android application.

Thanks for your contribution! This is definitely the direction we want to work toward; the Go implementation is much more accessible to non-rooted devices. I had assumed we would have to run wireguard-go as a separate process (my only experience with Go-on-Android is syncthing[1], which pretends its Go binary is a native library[2]). If we can run wireguard-go in process, that would be much better!

[1]: https://github.com/syncthing/syncthing-android
[2]: https://github.com/syncthing/syncthing-android/blob/master/make-syncthing.bash

> The patches are in the thread but I used a submodule to integrate the
> wireguard-go library inside wireguard-android, so at least this needs to
> be changed to the official URL if it gets merged.

Also, your patch 2 won't work as-is with the upstream version since it won't have the same commit hash.

> You can also find the set of changes on my GitHub:
> https://github.com/trishika/wireguard-android
> https://github.com/trishika/wireguard-go

I've started looking through your Java changes, and they're generally looking good. The actual wireguard-go glue can't be merged until after the changes to the other repository (hooray submodules!), but I'll go ahead and try to integrate your service abstraction layer. That way I can reuse it for switching the kernel-space interface from wg-quick to wg proper (an existing to-do item).

> Aurélien

Thanks,
Samuel

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
Windows Subsystem for Linux & wireguard
Hi

Is it possible to create an interface for wireguard in Windows Subsystem for Linux (e.g. Ubuntu)?

Regards,
Michal
Re: Production usage of Wireguard
On Tue, Nov 7, 2017 at 10:38 AM, Greg KH wrote:
> On Mon, Nov 06, 2017 at 09:41:18PM +, Ferris Ellis wrote:
>> Hello Wireguard mailing list!
>>
>> I have been very interested in the WireGuard project for a little while now
>> and am in the process of evaluating it. While benchmarks and code reviews
>> are useful, they don’t uncover many of the issues that can potentially wake
>> one up at 3am. I’d hunted around on the web for a while but wasn’t able to
>> find any articles on running WireGuard in a production environment. I know
>> the project is still young but was wondering if anyone on the mailing list
>> had started using WireGuard in production? And, if so, if they’d be willing
>> to share some details about their use case and experience?
>
> There are at least two companies offering Wireguard as a VPN service
> "commercially" right now, so it is being used in that manner already.
>

Hi everyone,

We (Mullvad) use it in production on a bunch of our servers. Here's a blog post I wrote about it that might be of interest to you Ferris: https://mullvad.net/blog/2017/9/27/wireguard-future/

> But as "production environment" always means different things for
> different people, perhaps only you can answer this question? What would
> it take for _you_ to be comfortable with it in your network environment?

I second Greg's question. What are your criteria?

Cheers,
Fredrik Strömberg
WireGuard-Go Android support
Hi,

This is a set of patches for the wireguard-go project adding some needed stuff to have Android support. The idea is to use the wireguard-go project as a library that is exposed with a "gomobile" binding to an Android application.

I posted a set of patches on the wireguard-android project too and it is worth it for anyone looking at those changes to have a look there too, at least at the couple of Go files that live there.

The changes look a bit intrusive here (I had to move most of the code to a folder...) but I did not find any other clean solution to be able to use this code as an outside library (although I am not a Go expert). I am open to any better idea.

Regarding the changes themselves, there is one item that I'd like to highlight: it's the change that adds a "tun device close". I am not sure why I had to add this code, maybe I'm missing something else more general, but it was actually never called in my case.

Aurélien
[PATCH 2/2] Add android support
Signed-off-by: Aurélien Chabot--- src/wireguard/conn.go | 16 ++ src/wireguard/device.go| 1 + src/wireguard/send.go | 77 +- src/wireguard/tun_linux.go | 2 ++ src/wireguard/uapi.go | 36 +- 5 files changed, 83 insertions(+), 49 deletions(-) diff --git a/src/wireguard/conn.go b/src/wireguard/conn.go index 89b79ba..2706273 100644 --- a/src/wireguard/conn.go +++ b/src/wireguard/conn.go @@ -87,3 +87,19 @@ func closeUDPConn(device *Device) { netc.mutex.Unlock() signalSend(device.signal.newUDPConn) } + +func GetUDPConn(device *Device) (uintptr, error) { + netc := + netc.mutex.Lock() + defer netc.mutex.Unlock() + + if netc.conn == nil { +return 0, nil +} + +file, err := netc.conn.File() +if err != nil { +return 0, err +} +return file.Fd(), nil +} diff --git a/src/wireguard/device.go b/src/wireguard/device.go index 2928ab5..5400d0e 100644 --- a/src/wireguard/device.go +++ b/src/wireguard/device.go @@ -205,6 +205,7 @@ func (device *Device) Close() { device.RemoveAllPeers() close(device.signal.stop) closeUDPConn(device) + device.tun.device.Close() } func (device *Device) WaitChannel() chan struct{} { diff --git a/src/wireguard/send.go b/src/wireguard/send.go index d781c40..d081b90 100644 --- a/src/wireguard/send.go +++ b/src/wireguard/send.go 
@@ -141,53 +141,60 @@ func (device *Device) RoutineReadFromTUN() { for { - // read packet - - elem.packet = elem.buffer[MessageTransportHeaderSize:] - size, err := device.tun.device.Read(elem.packet) - if err != nil { - logError.Println("Failed to read packet from TUN device:", err) - device.Close() + select { + case <-device.signal.stop: + logDebug.Println("Routine, TUN Reader worker, stopped") return - } - - if size == 0 || size > MaxContentSize { - continue - } - elem.packet = elem.packet[:size] + default: + // read packet - // lookup peer + elem.packet = elem.buffer[MessageTransportHeaderSize:] + size, err := device.tun.device.Read(elem.packet) + if err != nil { + logError.Println("Failed to read packet from TUN device:", err) + device.Close() + return + } - var peer *Peer - switch elem.packet[0] >> 4 { - case ipv4.Version: - if len(elem.packet) < ipv4.HeaderLen { + if size == 0 || size > MaxContentSize { continue } - dst := elem.packet[IPv4offsetDst : IPv4offsetDst+net.IPv4len] - peer = device.routingTable.LookupIPv4(dst) - case ipv6.Version: - if len(elem.packet) < ipv6.HeaderLen { + elem.packet = elem.packet[:size] + + // lookup peer + + var peer *Peer + switch elem.packet[0] >> 4 { + case ipv4.Version: + if len(elem.packet) < ipv4.HeaderLen { + continue + } + dst := elem.packet[IPv4offsetDst : IPv4offsetDst+net.IPv4len] + peer = device.routingTable.LookupIPv4(dst) + + case ipv6.Version: + if len(elem.packet) < ipv6.HeaderLen { + continue + } + dst := elem.packet[IPv6offsetDst : IPv6offsetDst+net.IPv6len] + peer = device.routingTable.LookupIPv6(dst) + + default: + logDebug.Println("Receieved packet with unknown IP version") + } + + if peer == nil { continue } - dst := elem.packet[IPv6offsetDst : IPv6offsetDst+net.IPv6len] - peer = device.routingTable.LookupIPv6(dst) - default: - logDebug.Println("Receieved packet with unknown IP version") - } + // insert into nonce/pre-handshake queue - if peer == nil { - continue + signalSend(peer.signal.handshakeReset) +
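Review bot: In the conn.go hunk, GetUDPConn returns `file.Fd()` but lets the `*os.File` returned by `netc.conn.File()` go out of scope; that File has a finalizer that closes the descriptor, so the caller may end up holding a number that is already closed (or reused by another socket). Keep the File reachable (store it next to `netc.conn`, or hand the File itself back and let the caller close it). Two smaller points: `netc.conn.File()` dups the socket and, in the Go runtime of this period, switches it to blocking mode, which stops the deadline-based reads the receive routines rely on; and the `return 0, nil` for a nil conn is indistinguishable from a valid fd 0, so that branch should return an error. As posted here, the first statement of the function reads `netc :=` with nothing on the right-hand side.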
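Review bot: In the device.go hunk, the error returned by `device.tun.device.Close()` is discarded, and Device.Close() is now not safe to call twice: the send.go hunk shows RoutineReadFromTUN calling `device.Close()` on a read error, while whoever owns the Device will call it on shutdown too, so the second call closes an already-closed TUN and `close(device.signal.stop)` panics on a closed channel. Guard Close() with a `sync.Once` (or an "already closed" flag) and log the TUN close error instead of dropping it.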
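Review bot: In the send.go hunk, the `select` has a `default` branch and therefore never blocks, so `device.signal.stop` is only observed between two `Read` calls; a goroutine sitting inside `device.tun.device.Read` is still woken only by the TUN close added in device.go, after which Read returns an error, the routine logs "Failed to read packet from TUN device" and calls `device.Close()` again on every orderly shutdown. Treat a read error after the stop channel is closed as normal termination (check the channel once more before logging and before calling Close). Re-indenting the whole loop body also turns a few-line logic change into a fifty-line hunk; moving the body into a helper called from `for { select { ... } }`, or splitting the whitespace change into its own commit, would make the real change reviewable. The re-added log line still reads "Receieved packet with unknown IP version".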
[PATCH 1/2] Put the code in a 'wireguard' go package
Signed-off-by: Aurélien Chabot--- src/Makefile| 2 +- src/main.go | 23 --- src/{ => wireguard}/conn.go | 2 +- src/{ => wireguard}/conn_default.go | 2 +- src/{ => wireguard}/conn_linux.go | 2 +- src/{ => wireguard}/constants.go| 2 +- src/{ => wireguard}/cookie.go | 2 +- src/{ => wireguard}/cookie_test.go | 2 +- src/{ => wireguard}/daemon_darwin.go| 2 +- src/{ => wireguard}/daemon_linux.go | 2 +- src/{ => wireguard}/daemon_windows.go | 2 +- src/{ => wireguard}/device.go | 6 +++--- src/{ => wireguard}/helper_test.go | 2 +- src/{ => wireguard}/index.go| 2 +- src/{ => wireguard}/ip.go | 2 +- src/{ => wireguard}/kdf_test.go | 2 +- src/{ => wireguard}/keypair.go | 2 +- src/{ => wireguard}/logger.go | 2 +- src/{ => wireguard}/misc.go | 2 +- src/{ => wireguard}/noise_helpers.go| 2 +- src/{ => wireguard}/noise_protocol.go | 4 ++-- src/{ => wireguard}/noise_test.go | 2 +- src/{ => wireguard}/noise_types.go | 2 +- src/{ => wireguard}/peer.go | 2 +- src/{ => wireguard}/ratelimiter.go | 2 +- src/{ => wireguard}/ratelimiter_test.go | 2 +- src/{ => wireguard}/receive.go | 18 +- src/{ => wireguard}/replay.go | 2 +- src/{ => wireguard}/replay_test.go | 2 +- src/{ => wireguard}/routing.go | 2 +- src/{ => wireguard}/send.go | 12 ++-- src/{ => wireguard}/tai64.go| 2 +- src/{ => wireguard}/timers.go | 12 ++-- src/{ => wireguard}/trie.go | 2 +- src/{ => wireguard}/trie_rand_test.go | 2 +- src/{ => wireguard}/trie_test.go| 2 +- src/{ => wireguard}/tun.go | 6 +++--- src/{ => wireguard}/tun_darwin.go | 2 +- src/{ => wireguard}/tun_linux.go| 2 +- src/{ => wireguard}/tun_windows.go | 2 +- src/{ => wireguard}/uapi.go | 18 +- src/{ => wireguard}/uapi_darwin.go | 2 +- src/{ => wireguard}/uapi_linux.go | 2 +- src/{ => wireguard}/uapi_windows.go | 2 +- src/{ => wireguard}/xchacha20.go| 2 +- src/{ => wireguard}/xchacha20_test.go | 2 +- 46 files changed, 88 insertions(+), 87 deletions(-) rename src/{ => wireguard}/conn.go (98%) rename src/{ => wireguard}/conn_default.go (85%) rename src/{ => 
wireguard}/conn_linux.go (99%) rename src/{ => wireguard}/constants.go (98%) rename src/{ => wireguard}/cookie.go (99%) rename src/{ => wireguard}/cookie_test.go (99%) rename src/{ => wireguard}/daemon_darwin.go (84%) rename src/{ => wireguard}/daemon_linux.go (96%) rename src/{ => wireguard}/daemon_windows.go (90%) rename src/{ => wireguard}/device.go (97%) rename src/{ => wireguard}/helper_test.go (98%) rename src/{ => wireguard}/index.go (98%) rename src/{ => wireguard}/ip.go (93%) rename src/{ => wireguard}/kdf_test.go (99%) rename src/{ => wireguard}/keypair.go (97%) rename src/{ => wireguard}/logger.go (97%) rename src/{ => wireguard}/misc.go (98%) rename src/{ => wireguard}/noise_helpers.go (99%) rename src/{ => wireguard}/noise_protocol.go (99%) rename src/{ => wireguard}/noise_test.go (99%) rename src/{ => wireguard}/noise_types.go (98%) rename src/{ => wireguard}/peer.go (99%) rename src/{ => wireguard}/ratelimiter.go (99%) rename src/{ => wireguard}/ratelimiter_test.go (99%) rename src/{ => wireguard}/receive.go (97%) rename src/{ => wireguard}/replay.go (98%) rename src/{ => wireguard}/replay_test.go (99%) rename src/{ => wireguard}/routing.go (98%) rename src/{ => wireguard}/send.go (97%) rename src/{ => wireguard}/tai64.go (96%) rename src/{ => wireguard}/timers.go (93%) rename src/{ => wireguard}/trie.go (99%) rename src/{ => wireguard}/trie_rand_test.go (99%) rename src/{ => wireguard}/trie_test.go (99%) rename src/{ => wireguard}/tun.go (95%) rename src/{ => wireguard}/tun_darwin.go (99%) rename src/{ => wireguard}/tun_linux.go (99%) rename src/{ => wireguard}/tun_windows.go (99%) rename src/{ => wireguard}/uapi.go (95%) rename src/{ => wireguard}/uapi_darwin.go (98%) rename src/{ => wireguard}/uapi_linux.go (99%) rename src/{ => wireguard}/uapi_windows.go (98%) rename src/{ => wireguard}/xchacha20.go (99%) rename src/{ => wireguard}/xchacha20_test.go (99%) diff --git a/src/Makefile b/src/Makefile index 5b23ecc..5f47aa7 100644 --- a/src/Makefile 
+++ b/src/Makefile @@ -1,6 +1,6 @@ all: wireguard-go -wireguard-go: $(wildcard *.go) +wireguard-go: main.go $(wildcard wireguard/*.go) go build -o $@ clean: diff --git a/src/main.go b/src/main.go index 196a4c6..9800c46 100644 --- a/src/main.go +++ b/src/main.go @@ -6,6 +6,7 @@ import ( "os" "os/signal" "runtime" + "wireguard" ) func printUsage() { @@
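Review bot: In the Makefile hunk, `wireguard-go: main.go $(wildcard wireguard/*.go)` lists the right prerequisites, but the unchanged `go build -o $@` recipe can only resolve the new package if `src/` is on GOPATH, and nothing in the patch sets or documents that; either export GOPATH in the Makefile or note the requirement in a comment next to the rule.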
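Review bot: In the main.go hunk, `"wireguard"` is a bare, unqualified import path: it collides with any other package of that name on GOPATH and cannot be fetched with `go get`. Since the reply in this thread already notes that the submodule URL has to change to the official one before merging, using the repository's full import path now would avoid renaming the package a second time.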
Re: Production usage of Wireguard
On Tue, Nov 7, 2017 at 10:38 AM, Greg KH wrote:
> On Mon, Nov 06, 2017 at 09:41:18PM +, Ferris Ellis wrote:
>> Hello Wireguard mailing list!
>>
>> I have been very interested in the WireGuard project for a little while now
>> and am in the process of evaluating it. While benchmarks and code reviews
>> are useful, they don’t uncover many of the issues that can potentially wake
>> one up at 3am. I’d hunted around on the web for a while but wasn’t able to
>> find any articles on running WireGuard in a production environment. I know
>> the project is still young but was wondering if anyone on the mailing list
>> had started using WireGuard in production? And, if so, if they’d be willing
>> to share some details about their use case and experience?
>
> There are at least two companies offering Wireguard as a VPN service
> "commercially" right now, so it is being used in that manner already.
>
> But as "production environment" always means different things for
> different people, perhaps only you can answer this question? What would
> it take for _you_ to be comfortable with it in your network environment?

FreeBSD kernel module :) and I'm all in

>
> thanks,
>
> greg k-h
Re: WireGuard root-less support for android
Hi Aurélien,

Thanks for this patchset. I'll review it ASAP.

As an administrative situation, your set of Go changes will likely need to be merged back up with the official Go repository; putting your fork in the Android one isn't really tenable. So please submit your changes to the wireguard-go project to this list too.

I intend to give a pass at this patchset as soon as I'm back from netdevconf. Mathias, CCd, will also review the Go code, and Samuel, CCd, will review the Java code.

Thanks for this contribution!

By the way, please poke me on IRC; it'd be nice to coordinate this terrific development you're doing; this was a pleasant surprise out of the blue.

Jason
parallel crypto leads to performance degradation
I posted about this problem a month ago but nobody replied.

This summer the WIREGUARD_PARALLEL option was removed and parallel crypto became unconditional. This seems to slow performance 1.5 times on slow 1-core systems such as routers. Task switching eats CPU time. Do you have plans to mitigate this slowdown or to return the option to skip pcrypto?

wireguard: WireGuard 0.0.20170517 loaded. See www.wireguard.io for information.
[ 3] 0.0- 1.0 sec 3.75 MBytes 31.5 Mbits/sec
[ 3] 1.0- 2.0 sec 3.62 MBytes 30.4 Mbits/sec
[ 3] 2.0- 3.0 sec 3.75 MBytes 31.5 Mbits/sec
[ 3] 3.0- 4.0 sec 3.38 MBytes 28.3 Mbits/sec
[ 3] 4.0- 5.0 sec 3.75 MBytes 31.5 Mbits/sec
[ 3] 5.0- 6.0 sec 3.75 MBytes 31.5 Mbits/sec
[ 3] 6.0- 7.0 sec 3.75 MBytes 31.5 Mbits/sec
[ 3] 7.0- 8.0 sec 3.88 MBytes 32.5 Mbits/sec
[ 3] 8.0- 9.0 sec 4.00 MBytes 33.6 Mbits/sec
[ 3] 9.0-10.0 sec 4.25 MBytes 35.7 Mbits/sec
CPU: 1% usr 0% sys 0% nic 6% idle 0% io 0% irq 90% sirq
16.03% [wireguard] [k] chacha20_generic_block
7.66% [wireguard] [k] poly1305_generic_blocks
3.61% [ip_tables] [k] ipt_do_table
3.05% [kernel] [k] crypto_xor
3.03% [kernel] [k] csum_partial
2.66% [kernel] [k] __copy_user_common
1.23% [kernel] [k] nf_iterate
1.07% [nf_conntrack] [k] __nf_conntrack_find_get
0.91% [kernel] [k] fib_table_lookup
0.89% [kernel] [k] __bzero
0.88% [kernel] [k] r4k_blast_dcache_page_dc32
0.85% [kernel] [k] __netif_receive_skb_core
0.85% [kernel] [k] ag71xx_poll
0.85% [kernel] [k] do_ade
0.82% [kernel] [k] get_page_from_freelist
0.71% [kernel] [k] ip_rcv

wireguard: WireGuard 0.0.20170918 loaded. See www.wireguard.com for information.
[ 3] 0.0- 1.0 sec 2.62 MBytes 22.0 Mbits/sec
[ 3] 1.0- 2.0 sec 2.75 MBytes 23.1 Mbits/sec
[ 3] 2.0- 3.0 sec 2.25 MBytes 18.9 Mbits/sec
[ 3] 3.0- 4.0 sec 2.12 MBytes 17.8 Mbits/sec
[ 3] 4.0- 5.0 sec 2.25 MBytes 18.9 Mbits/sec
[ 3] 5.0- 6.0 sec 2.50 MBytes 21.0 Mbits/sec
[ 3] 6.0- 7.0 sec 2.75 MBytes 23.1 Mbits/sec
[ 3] 7.0- 8.0 sec 2.75 MBytes 23.1 Mbits/sec
[ 3] 8.0- 9.0 sec 2.75 MBytes 23.1 Mbits/sec
[ 3] 9.0-10.0 sec 2.75 MBytes 23.1 Mbits/sec
[ 3] 0.0-10.0 sec 25.6 MBytes 21.4 Mbits/sec
CPU: 1% usr 54% sys 0% nic 0% idle 0% io 0% irq 44% sirq
6.84% [wireguard] [k] chacha20_generic_block
3.46% [wireguard] [k] poly1305_generic_blocks
3.12% [kernel] [k] finish_task_switch
2.80% [ip_tables] [k] ipt_do_table
2.30% [kernel] [k] __copy_user_common
2.23% [kernel] [k] queue_work_on
1.73% [kernel] [k] ag71xx_poll
1.46% [kernel] [k] __dev_queue_xmit
1.35% [kernel] [k] crypto_xor
1.31% [kernel] [k] csum_partial
1.25% [kernel] [k] __do_softirq
1.14% [kernel] [k] ag71xx_hard_start_xmit
1.10% [nf_conntrack] [k] __nf_conntrack_find_get
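The "1.5 times" figure in the message above can be checked against the two iperf runs it quotes. The following Go program is an added example, not code from the poster or from the WireGuard project: it parses iperf's per-interval lines, drops the end-of-run summary line (the one interval that spans the whole run, present only in the second capture) so it is not counted twice, and reports the mean throughput of each run and their ratio. The two quoted captures are embedded as constants; the parser is general enough to handle any iperf2 client output with the same line format.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Interval is one per-second iperf report line.
type Interval struct {
	Start, End float64 // seconds since the run began
	Mbits      float64 // reported Mbits/sec for this interval
}

// iperfLine matches "[ 3] 0.0- 1.0 sec 3.75 MBytes 31.5 Mbits/sec"; the space after
// the dash is optional because iperf prints "9.0-10.0 sec" without one.
var iperfLine = regexp.MustCompile(`^\[\s*\d+\]\s+([\d.]+)-\s*([\d.]+)\s+sec\s+[\d.]+\s+MBytes\s+([\d.]+)\s+Mbits/sec`)

// ParseIperf extracts the per-interval throughput from iperf client output and
// discards summary lines, i.e. any interval longer than the shortest one seen.
func ParseIperf(output string) []Interval {
	var got []Interval
	for _, line := range strings.Split(output, "\n") {
		m := iperfLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // banner lines, CPU lines, perf output
		}
		s, _ := strconv.ParseFloat(m[1], 64)
		e, _ := strconv.ParseFloat(m[2], 64)
		b, _ := strconv.ParseFloat(m[3], 64)
		got = append(got, Interval{s, e, b})
	}
	shortest := 0.0
	for i, iv := range got {
		if d := iv.End - iv.Start; i == 0 || d < shortest {
			shortest = d
		}
	}
	var kept []Interval
	for _, iv := range got {
		if iv.End-iv.Start <= shortest+1e-9 {
			kept = append(kept, iv)
		}
	}
	return kept
}

// MeanMbits returns the average throughput over the given intervals.
func MeanMbits(ivs []Interval) float64 {
	if len(ivs) == 0 {
		return 0
	}
	sum := 0.0
	for _, iv := range ivs {
		sum += iv.Mbits
	}
	return sum / float64(len(ivs))
}

// Slowdown returns the mean of each run and how many times slower the second is.
func Slowdown(before, after string) (meanBefore, meanAfter, ratio float64) {
	meanBefore = MeanMbits(ParseIperf(before))
	meanAfter = MeanMbits(ParseIperf(after))
	if meanAfter > 0 {
		ratio = meanBefore / meanAfter
	}
	return
}

// The two captures quoted in the message above (0.0.20170517 and 0.0.20170918).
const Run20170517 = `[ 3] 0.0- 1.0 sec 3.75 MBytes 31.5 Mbits/sec
[ 3] 1.0- 2.0 sec 3.62 MBytes 30.4 Mbits/sec
[ 3] 2.0- 3.0 sec 3.75 MBytes 31.5 Mbits/sec
[ 3] 3.0- 4.0 sec 3.38 MBytes 28.3 Mbits/sec
[ 3] 4.0- 5.0 sec 3.75 MBytes 31.5 Mbits/sec
[ 3] 5.0- 6.0 sec 3.75 MBytes 31.5 Mbits/sec
[ 3] 6.0- 7.0 sec 3.75 MBytes 31.5 Mbits/sec
[ 3] 7.0- 8.0 sec 3.88 MBytes 32.5 Mbits/sec
[ 3] 8.0- 9.0 sec 4.00 MBytes 33.6 Mbits/sec
[ 3] 9.0-10.0 sec 4.25 MBytes 35.7 Mbits/sec`

const Run20170918 = `[ 3] 0.0- 1.0 sec 2.62 MBytes 22.0 Mbits/sec
[ 3] 1.0- 2.0 sec 2.75 MBytes 23.1 Mbits/sec
[ 3] 2.0- 3.0 sec 2.25 MBytes 18.9 Mbits/sec
[ 3] 3.0- 4.0 sec 2.12 MBytes 17.8 Mbits/sec
[ 3] 4.0- 5.0 sec 2.25 MBytes 18.9 Mbits/sec
[ 3] 5.0- 6.0 sec 2.50 MBytes 21.0 Mbits/sec
[ 3] 6.0- 7.0 sec 2.75 MBytes 23.1 Mbits/sec
[ 3] 7.0- 8.0 sec 2.75 MBytes 23.1 Mbits/sec
[ 3] 8.0- 9.0 sec 2.75 MBytes 23.1 Mbits/sec
[ 3] 9.0-10.0 sec 2.75 MBytes 23.1 Mbits/sec
[ 3] 0.0-10.0 sec 25.6 MBytes 21.4 Mbits/sec`

func main() {
	b, a, r := Slowdown(Run20170517, Run20170918)
	fmt.Printf("0.0.20170517: %.1f Mbit/s, 0.0.20170918: %.1f Mbit/s, slowdown %.2fx\n", b, a, r)
}
```

On the quoted captures the means come out at roughly 31.8 and 21.4 Mbit/s, a ratio just under 1.5, which matches the poster's figure; the perf profile under it (finish_task_switch and queue_work_on appearing in the second run) is the qualitative side of the same comparison.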
Re: Production usage of Wireguard
On 06/11/17 21:41, Ferris Ellis wrote:
> I know the project is still young but was
> wondering if anyone on the mailing list had started using WireGuard in
> production? And, if so, if they’d be willing to share some details about
> their use case and experience?
>

I use it on several high-traffic web servers to secure backend communication to a separate Redis instance. It's configured as a mesh to remove any reliance on a single WireGuard "server" node (that is, each server knows the endpoint and single allowed IP of each of the others). It has worked without issue since deployment (March 2017). It's easily one of the most satisfying layers I've added to any stack.

J
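The mesh layout described above (every server knows the endpoint and the single allowed IP of each of the others, so no node is a "server") is easy to get subtly wrong by hand once there are more than a few peers. The Go program below is an added example, not code from the poster or from the WireGuard project: it renders the per-node wg-quick configuration for a constructed three-node mesh (web1, web2 and the Redis box; the names, addresses, endpoints and keys are invented, the keys are syntactically valid 32-byte base64 placeholders rather than real `wg genkey` output, and the private key is passed in as a placeholder string). Each peer's AllowedIPs is exactly its own /32, which is what binds a given backend address to a single public key in both directions, and the generator refuses two nodes claiming the same tunnel address, since WireGuard would otherwise move that route to whichever peer was configured last.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"net"
	"strings"
)

// Node is one member of the mesh: everything the other members need to know about it.
type Node struct {
	Name       string
	PublicKey  string // base64 public key, as printed by `wg pubkey`
	Endpoint   string // host:port the other members dial
	TunnelIP   string // the single IPv4 address this node uses inside the tunnel
	ListenPort int
}

// MeshConfig renders a wg-quick configuration for self in which every other
// member of all is a [Peer] whose AllowedIPs is exactly that member's tunnel
// address (/32). privateKey is self's private key; it is deliberately not a
// Node field, because the Node list is shared with every other member.
func MeshConfig(self Node, privateKey string, all []Node) (string, error) {
	seen := map[string]string{} // tunnel address -> node name, to catch overlaps
	var b strings.Builder
	fmt.Fprintf(&b, "[Interface]\nAddress = %s/32\nListenPort = %d\nPrivateKey = %s\n",
		self.TunnelIP, self.ListenPort, privateKey)
	for _, n := range all {
		ip := net.ParseIP(n.TunnelIP)
		if ip == nil || ip.To4() == nil {
			return "", fmt.Errorf("%s: tunnel address %q is not an IPv4 address", n.Name, n.TunnelIP)
		}
		if other, dup := seen[ip.String()]; dup {
			// Two peers with the same AllowedIPs would silently steal the route from each other.
			return "", fmt.Errorf("tunnel address %s is claimed by both %s and %s", ip, other, n.Name)
		}
		seen[ip.String()] = n.Name
		if n.Name == self.Name {
			continue // a node is not its own peer
		}
		if _, _, err := net.SplitHostPort(n.Endpoint); err != nil {
			return "", fmt.Errorf("%s: bad endpoint %q: %v", n.Name, n.Endpoint, err)
		}
		fmt.Fprintf(&b, "\n[Peer]\n# %s\nPublicKey = %s\nEndpoint = %s\nAllowedIPs = %s/32\n",
			n.Name, n.PublicKey, n.Endpoint, ip)
	}
	return b.String(), nil
}

// fakeKey builds a syntactically valid (32 bytes, base64) but obviously constructed
// key so the example runs offline; real deployments use `wg genkey` / `wg pubkey`.
func fakeKey(tag byte) string {
	return base64.StdEncoding.EncodeToString(bytes.Repeat([]byte{tag}, 32))
}

// SampleMesh is a constructed three-node mesh: two web servers and the Redis host.
func SampleMesh() []Node {
	return []Node{
		{"web1", fakeKey(1), "203.0.113.10:51820", "10.0.0.1", 51820},
		{"web2", fakeKey(2), "203.0.113.11:51820", "10.0.0.2", 51820},
		{"redis", fakeKey(3), "203.0.113.20:51820", "10.0.0.3", 51820},
	}
}

func main() {
	nodes := SampleMesh()
	for _, n := range nodes {
		cfg, err := MeshConfig(n, "<private key of "+n.Name+">", nodes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("# wg0.conf for %s\n%s\n", n.Name, cfg)
	}
}
```

Each generated file is what `wg-quick up wg0` would read on that host; because every node lists every other node with both an Endpoint and a /32, any two of them can bring the tunnel up directly and the loss of one host affects only the paths to that host.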
Re: Production usage of Wireguard
On Mon, Nov 06, 2017 at 09:41:18PM +, Ferris Ellis wrote:
> Hello Wireguard mailing list!
>
> I have been very interested in the WireGuard project for a little while now
> and am in the process of evaluating it. While benchmarks and code reviews
> are useful, they don’t uncover many of the issues that can potentially wake
> one up at 3am. I’d hunted around on the web for a while but wasn’t able to
> find any articles on running WireGuard in a production environment. I know
> the project is still young but was wondering if anyone on the mailing list
> had started using WireGuard in production? And, if so, if they’d be willing
> to share some details about their use case and experience?

There are at least two companies offering Wireguard as a VPN service "commercially" right now, so it is being used in that manner already.

But as "production environment" always means different things for different people, perhaps only you can answer this question? What would it take for _you_ to be comfortable with it in your network environment?

thanks,

greg k-h