Re: WireGuard root-less support for android

2017-11-07 Thread Samuel Holland

Hello,

On 11/06/17 22:38, Aurélien Chabot wrote:

> I worked on a set of changes to add root-less support of WireGuard for
> Android. The solution I chose is to use the wireguard-go library
> inside the Android application. Golang has a mechanism to export some
> native bindings quite easily to Java. The set of patches needs some
> feedback but it's actually working well. I'd like to know if you
> think this is a good direction to take for the Android application.


Thanks for your contribution! This is definitely the direction we want
to work toward; the Go implementation is much more accessible to
non-rooted devices. I had assumed we would have to run wireguard-go as a
separate process (my only experience with Go-on-Android is syncthing[1],
which pretends its Go binary is a native library[2]). If we can run
wireguard-go in process, that would be much better!

[1]: https://github.com/syncthing/syncthing-android
[2]: https://github.com/syncthing/syncthing-android/blob/master/make-syncthing.bash


> The patches are in the thread but I used a submodule to integrate the
> wireguard-go library inside wireguard-android, so at least this
> needs to be changed to the official URL if it gets merged.


Also, your patch 2 won't work as-is with the upstream version since it
won't have the same commit hash.

> You can also find the set of changes on my GitHub:
> https://github.com/trishika/wireguard-android
> https://github.com/trishika/wireguard-go


I've started looking through your Java changes, and they're generally
looking good. The actual wireguard-go glue can't be merged until after
the changes to the other repository (hooray submodules!), but I'll go
ahead and try to integrate your service abstraction layer. That way I
can reuse it for switching the kernel-space interface from wg-quick to
wg proper (an existing to-do item).


> Aurélien

Thanks,
Samuel
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


Windows Subsystem for Linux & wireguard

2017-11-07 Thread Michał Kowalski
Hi

Is it possible to create an interface for
WireGuard in Windows Subsystem for Linux (e.g. Ubuntu)?

Regards,
Michal


Re: Production usage of Wireguard

2017-11-07 Thread Fredrik Strömberg
On Tue, Nov 7, 2017 at 10:38 AM, Greg KH  wrote:
> On Mon, Nov 06, 2017 at 09:41:18PM +, Ferris Ellis wrote:
>> Hello Wireguard mailing list!
>>
>> I have been very interested in the WireGuard project for a little while now
>> and am in the process of evaluating it. While benchmarks and code reviews
>> are useful, they don’t uncover many of the issues that can potentially wake
>> one up at 3am. I’d hunted around on the web for a while but wasn’t able to
>> find any articles on running WireGuard in a production environment. I know
>> the project is still young but was wondering if anyone on the mailing list
>> had started using WireGuard in production? And, if so, if they’d be willing
>> to share some details about their use case and experience?
>
> There are at least two companies offering Wireguard as a VPN service
> "commercially" right now, so it is being used in that manner already.
>

Hi everyone,

We (Mullvad) use it in production on a bunch of our servers. Here's a
blog post I wrote about it that might be of interest to you Ferris:
https://mullvad.net/blog/2017/9/27/wireguard-future/

> But as "production environment" always means different things for
> different people, perhaps only you can answer this question?  What would
> it take for _you_ to be comfortable with it in your network environment?

I second Greg's question. What are your criteria?

Cheers,
Fredrik Strömberg


WireGuard-Go Android support

2017-11-07 Thread Aurélien Chabot
Hi,

This is a set of patches for the wireguard-go project adding some needed stuff
to have Android support.
The idea is to use the wireguard-go project as a library that is exposed
with a "gomobile" binding to an Android application.
I posted a set of patches on the wireguard-android project too and it is
worth, for anyone looking at those changes, having a look there too, at
least at the couple of Go files that live there.
The changes look a bit intrusive here (I had to move most of the code to
a folder...) but I did not find any other clean solution to be able to
use this code as an outside library (although I am not a Go expert). I
am open to any better idea.

Regarding the changes themselves, there is one item that I'd like to
highlight: the change that adds a "tun device close". I am not
sure why I had to add this code, maybe I missed something else more
general, but it was actually never called in my case.

Aurélien



[PATCH 2/2] Add android support

2017-11-07 Thread Aurélien Chabot
Signed-off-by: Aurélien Chabot 
---
 src/wireguard/conn.go  | 16 ++
 src/wireguard/device.go|  1 +
 src/wireguard/send.go  | 77 +-
 src/wireguard/tun_linux.go |  2 ++
 src/wireguard/uapi.go  | 36 +-
 5 files changed, 83 insertions(+), 49 deletions(-)

diff --git a/src/wireguard/conn.go b/src/wireguard/conn.go
index 89b79ba..2706273 100644
--- a/src/wireguard/conn.go
+++ b/src/wireguard/conn.go
@@ -87,3 +87,19 @@ func closeUDPConn(device *Device) {
netc.mutex.Unlock()
signalSend(device.signal.newUDPConn)
 }
+
+func GetUDPConn(device *Device) (uintptr, error) {
+   netc := 
+   netc.mutex.Lock()
+   defer netc.mutex.Unlock()
+
+   if netc.conn == nil {
+return 0, nil
+}
+
+file, err := netc.conn.File()
+if err != nil {
+return 0, err
+}
+return file.Fd(), nil
+}
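Review bot: GetUDPConn leaks the *os.File that netc.conn.File() returns and hands back a descriptor the caller does not own: File() duplicates the socket into a new os.File, which is dropped here, so the dup is never closed explicitly and its finalizer can close that fd out from under whoever received the number; on the Go releases current for this patch, File() also switches the socket to blocking mode, which defeats the runtime's netpoller for the connection. Keep the *os.File in the Device (and close it in closeUDPConn) or use the UDPConn's SyscallConn()/Control path to act on the raw fd, and return an error rather than (0, nil) when netc.conn is nil, since 0 is a valid descriptor. The `netc :=` line has also lost its right-hand side (the address-of expression) in transit, and the body mixes tab and space indentation; please run gofmt before resending.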
diff --git a/src/wireguard/device.go b/src/wireguard/device.go
index 2928ab5..5400d0e 100644
--- a/src/wireguard/device.go
+++ b/src/wireguard/device.go
@@ -205,6 +205,7 @@ func (device *Device) Close() {
device.RemoveAllPeers()
close(device.signal.stop)
closeUDPConn(device)
+   device.tun.device.Close()
 }
 
 func (device *Device) WaitChannel() chan struct{} {
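Review bot: Close() is not safe to call twice, and this added line makes a second call likely: closing the TUN device unblocks the Read in RoutineReadFromTUN, whose error path (see the send.go hunk in this patch) calls device.Close() again, so close(device.signal.stop) panics on the already-closed channel. Guard the body with a sync.Once, or have the reader's error path return without calling Close() when device.signal.stop is already closed.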
diff --git a/src/wireguard/send.go b/src/wireguard/send.go
index d781c40..d081b90 100644
--- a/src/wireguard/send.go
+++ b/src/wireguard/send.go
@@ -141,53 +141,60 @@ func (device *Device) RoutineReadFromTUN() {
 
for {
 
-   // read packet
-
-   elem.packet = elem.buffer[MessageTransportHeaderSize:]
-   size, err := device.tun.device.Read(elem.packet)
-   if err != nil {
-   logError.Println("Failed to read packet from TUN 
device:", err)
-   device.Close()
+   select {
+   case <-device.signal.stop:
+   logDebug.Println("Routine, TUN Reader worker, stopped")
return
-   }
-
-   if size == 0 || size > MaxContentSize {
-   continue
-   }
 
-   elem.packet = elem.packet[:size]
+   default:
+   // read packet
 
-   // lookup peer
+   elem.packet = elem.buffer[MessageTransportHeaderSize:]
+   size, err := device.tun.device.Read(elem.packet)
+   if err != nil {
+   logError.Println("Failed to read packet from 
TUN device:", err)
+   device.Close()
+   return
+   }
 
-   var peer *Peer
-   switch elem.packet[0] >> 4 {
-   case ipv4.Version:
-   if len(elem.packet) < ipv4.HeaderLen {
+   if size == 0 || size > MaxContentSize {
continue
}
-   dst := elem.packet[IPv4offsetDst : 
IPv4offsetDst+net.IPv4len]
-   peer = device.routingTable.LookupIPv4(dst)
 
-   case ipv6.Version:
-   if len(elem.packet) < ipv6.HeaderLen {
+   elem.packet = elem.packet[:size]
+
+   // lookup peer
+
+   var peer *Peer
+   switch elem.packet[0] >> 4 {
+   case ipv4.Version:
+   if len(elem.packet) < ipv4.HeaderLen {
+   continue
+   }
+   dst := elem.packet[IPv4offsetDst : 
IPv4offsetDst+net.IPv4len]
+   peer = device.routingTable.LookupIPv4(dst)
+
+   case ipv6.Version:
+   if len(elem.packet) < ipv6.HeaderLen {
+   continue
+   }
+   dst := elem.packet[IPv6offsetDst : 
IPv6offsetDst+net.IPv6len]
+   peer = device.routingTable.LookupIPv6(dst)
+
+   default:
+   logDebug.Println("Receieved packet with unknown 
IP version")
+   }
+
+   if peer == nil {
continue
}
-   dst := elem.packet[IPv6offsetDst : 
IPv6offsetDst+net.IPv6len]
-   peer = device.routingTable.LookupIPv6(dst)
 
-   default:
-   logDebug.Println("Receieved packet with unknown IP 
version")
-   }
+   // insert into nonce/pre-handshake queue
 
-   if peer == nil {
-   continue
+   signalSend(peer.signal.handshakeReset)
+  
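Review bot: the select with a default branch only observes device.signal.stop between reads; once device.tun.device.Read blocks, the routine still exits only because Close() now closes the TUN and Read fails, and that error path calls device.Close() a second time. A non-blocking check at the top of the loop (`select { case <-device.signal.stop: return; default: }`) gives the same behaviour without re-indenting the whole loop body, which would shrink this hunk from a rewrite of the loop to a few added lines; whichever shape is kept, the error path should not call Close() again unless Close() is made idempotent. The moved log line also carries over the pre-existing typo "Receieved".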

[PATCH 1/2] Put the code in a 'wireguard' go package

2017-11-07 Thread Aurélien Chabot
Signed-off-by: Aurélien Chabot 
---
 src/Makefile|  2 +-
 src/main.go | 23 ---
 src/{ => wireguard}/conn.go |  2 +-
 src/{ => wireguard}/conn_default.go |  2 +-
 src/{ => wireguard}/conn_linux.go   |  2 +-
 src/{ => wireguard}/constants.go|  2 +-
 src/{ => wireguard}/cookie.go   |  2 +-
 src/{ => wireguard}/cookie_test.go  |  2 +-
 src/{ => wireguard}/daemon_darwin.go|  2 +-
 src/{ => wireguard}/daemon_linux.go |  2 +-
 src/{ => wireguard}/daemon_windows.go   |  2 +-
 src/{ => wireguard}/device.go   |  6 +++---
 src/{ => wireguard}/helper_test.go  |  2 +-
 src/{ => wireguard}/index.go|  2 +-
 src/{ => wireguard}/ip.go   |  2 +-
 src/{ => wireguard}/kdf_test.go |  2 +-
 src/{ => wireguard}/keypair.go  |  2 +-
 src/{ => wireguard}/logger.go   |  2 +-
 src/{ => wireguard}/misc.go |  2 +-
 src/{ => wireguard}/noise_helpers.go|  2 +-
 src/{ => wireguard}/noise_protocol.go   |  4 ++--
 src/{ => wireguard}/noise_test.go   |  2 +-
 src/{ => wireguard}/noise_types.go  |  2 +-
 src/{ => wireguard}/peer.go |  2 +-
 src/{ => wireguard}/ratelimiter.go  |  2 +-
 src/{ => wireguard}/ratelimiter_test.go |  2 +-
 src/{ => wireguard}/receive.go  | 18 +-
 src/{ => wireguard}/replay.go   |  2 +-
 src/{ => wireguard}/replay_test.go  |  2 +-
 src/{ => wireguard}/routing.go  |  2 +-
 src/{ => wireguard}/send.go | 12 ++--
 src/{ => wireguard}/tai64.go|  2 +-
 src/{ => wireguard}/timers.go   | 12 ++--
 src/{ => wireguard}/trie.go |  2 +-
 src/{ => wireguard}/trie_rand_test.go   |  2 +-
 src/{ => wireguard}/trie_test.go|  2 +-
 src/{ => wireguard}/tun.go  |  6 +++---
 src/{ => wireguard}/tun_darwin.go   |  2 +-
 src/{ => wireguard}/tun_linux.go|  2 +-
 src/{ => wireguard}/tun_windows.go  |  2 +-
 src/{ => wireguard}/uapi.go | 18 +-
 src/{ => wireguard}/uapi_darwin.go  |  2 +-
 src/{ => wireguard}/uapi_linux.go   |  2 +-
 src/{ => wireguard}/uapi_windows.go |  2 +-
 src/{ => wireguard}/xchacha20.go|  2 +-
 src/{ => wireguard}/xchacha20_test.go   |  2 +-
 46 files changed, 88 insertions(+), 87 deletions(-)
 rename src/{ => wireguard}/conn.go (98%)
 rename src/{ => wireguard}/conn_default.go (85%)
 rename src/{ => wireguard}/conn_linux.go (99%)
 rename src/{ => wireguard}/constants.go (98%)
 rename src/{ => wireguard}/cookie.go (99%)
 rename src/{ => wireguard}/cookie_test.go (99%)
 rename src/{ => wireguard}/daemon_darwin.go (84%)
 rename src/{ => wireguard}/daemon_linux.go (96%)
 rename src/{ => wireguard}/daemon_windows.go (90%)
 rename src/{ => wireguard}/device.go (97%)
 rename src/{ => wireguard}/helper_test.go (98%)
 rename src/{ => wireguard}/index.go (98%)
 rename src/{ => wireguard}/ip.go (93%)
 rename src/{ => wireguard}/kdf_test.go (99%)
 rename src/{ => wireguard}/keypair.go (97%)
 rename src/{ => wireguard}/logger.go (97%)
 rename src/{ => wireguard}/misc.go (98%)
 rename src/{ => wireguard}/noise_helpers.go (99%)
 rename src/{ => wireguard}/noise_protocol.go (99%)
 rename src/{ => wireguard}/noise_test.go (99%)
 rename src/{ => wireguard}/noise_types.go (98%)
 rename src/{ => wireguard}/peer.go (99%)
 rename src/{ => wireguard}/ratelimiter.go (99%)
 rename src/{ => wireguard}/ratelimiter_test.go (99%)
 rename src/{ => wireguard}/receive.go (97%)
 rename src/{ => wireguard}/replay.go (98%)
 rename src/{ => wireguard}/replay_test.go (99%)
 rename src/{ => wireguard}/routing.go (98%)
 rename src/{ => wireguard}/send.go (97%)
 rename src/{ => wireguard}/tai64.go (96%)
 rename src/{ => wireguard}/timers.go (93%)
 rename src/{ => wireguard}/trie.go (99%)
 rename src/{ => wireguard}/trie_rand_test.go (99%)
 rename src/{ => wireguard}/trie_test.go (99%)
 rename src/{ => wireguard}/tun.go (95%)
 rename src/{ => wireguard}/tun_darwin.go (99%)
 rename src/{ => wireguard}/tun_linux.go (99%)
 rename src/{ => wireguard}/tun_windows.go (99%)
 rename src/{ => wireguard}/uapi.go (95%)
 rename src/{ => wireguard}/uapi_darwin.go (98%)
 rename src/{ => wireguard}/uapi_linux.go (99%)
 rename src/{ => wireguard}/uapi_windows.go (98%)
 rename src/{ => wireguard}/xchacha20.go (99%)
 rename src/{ => wireguard}/xchacha20_test.go (99%)

diff --git a/src/Makefile b/src/Makefile
index 5b23ecc..5f47aa7 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -1,6 +1,6 @@
 all: wireguard-go
 
-wireguard-go: $(wildcard *.go)
+wireguard-go: main.go $(wildcard wireguard/*.go)
go build -o $@
 
 clean:
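Review bot: the recipe is unchanged (`go build -o $@` with no package argument), so the new prerequisite list only affects make's staleness check; the subpackage is actually found through main.go's bare `import "wireguard"`, which resolves only when the parent of src/ is on GOPATH. Either document that or set `GOPATH=$(CURDIR)/..` in the recipe so the build works from a fresh checkout.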
diff --git a/src/main.go b/src/main.go
index 196a4c6..9800c46 100644
--- a/src/main.go
+++ b/src/main.go
@@ -6,6 +6,7 @@ import (
"os"
"os/signal"
"runtime"
+   "wireguard"
 )
 
 func printUsage() {
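Review bot: `"wireguard"` is a bare, GOPATH-relative import path that only resolves when the repository root is used as GOPATH, and it collides with any other package of that name on the path. A fully qualified import path under the project's repository URL, with a matching directory layout, avoids both problems and is what an external consumer such as the Android build would import.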
@@ 

Re: Production usage of Wireguard

2017-11-07 Thread Outback Dingo
On Tue, Nov 7, 2017 at 10:38 AM, Greg KH  wrote:
> On Mon, Nov 06, 2017 at 09:41:18PM +, Ferris Ellis wrote:
>> Hello Wireguard mailing list!
>>
>> I have been very interested in the WireGuard project for a little while now
>> and am in the process of evaluating it. While benchmarks and code reviews
>> are useful, they don’t uncover many of the issues that can potentially wake
>> one up at 3am. I’d hunted around on the web for a while but wasn’t able to
>> find any articles on running WireGuard in a production environment. I know
>> the project is still young but was wondering if anyone on the mailing list
>> had started using WireGuard in production? And, if so, if they’d be willing
>> to share some details about their use case and experience?
>
> There are at least two companies offering Wireguard as a VPN service
> "commercially" right now, so it is being used in that manner already.
>
> But as "production environment" always means different things for
> different people, perhaps only you can answer this question?  What would
> it take for _you_ to be comfortable with it in your network environment?

FreeBSD kernel module :) and I'm all in

>
> thanks,
>
> greg k-h


Re: WireGuard root-less support for android

2017-11-07 Thread Jason A. Donenfeld
Hi Aurélien,

Thanks for this patchset. I'll review it ASAP.

As an administrative situation, your set of Go changes will likely
need to be merged back up with the official Go repository; putting
your fork in the Android one isn't really tenable.

So please submit your changes to the wireguard-go project to this list too.

I intend to give a pass at this patchset as soon as I'm back from netdevconf.

Mathias, CC'd, will also review the Go code, and Samuel, CC'd, will review
the Java code.

Thanks for this contribution!

By the way, please poke me on IRC; it'd be nice to coordinate this
terrific development you're doing; this was a pleasant surprise out of
the blue.

Jason


parallel crypto leads to performance degradation

2017-11-07 Thread k
I posted about this problem a month ago but nobody replied.
This summer the WIREGUARD_PARALLEL option was removed and parallel crypto
became unconditional.
This seems to slow performance 1.5 times on slow 1-core systems such
as routers. Task switching eats CPU time.
Do you have plans to mitigate this slowdown or return the option to skip
pcrypto?


wireguard: WireGuard 0.0.20170517 loaded. See www.wireguard.io for information.

[  3]  0.0- 1.0 sec  3.75 MBytes  31.5 Mbits/sec
[  3]  1.0- 2.0 sec  3.62 MBytes  30.4 Mbits/sec
[  3]  2.0- 3.0 sec  3.75 MBytes  31.5 Mbits/sec
[  3]  3.0- 4.0 sec  3.38 MBytes  28.3 Mbits/sec
[  3]  4.0- 5.0 sec  3.75 MBytes  31.5 Mbits/sec
[  3]  5.0- 6.0 sec  3.75 MBytes  31.5 Mbits/sec
[  3]  6.0- 7.0 sec  3.75 MBytes  31.5 Mbits/sec
[  3]  7.0- 8.0 sec  3.88 MBytes  32.5 Mbits/sec
[  3]  8.0- 9.0 sec  4.00 MBytes  33.6 Mbits/sec
[  3]  9.0-10.0 sec  4.25 MBytes  35.7 Mbits/sec

CPU:   1% usr   0% sys   0% nic   6% idle   0% io   0% irq  90% sirq


16.03%  [wireguard]   [k] chacha20_generic_block 
 7.66%  [wireguard]   [k] poly1305_generic_blocks
 3.61%  [ip_tables]   [k] ipt_do_table   
 3.05%  [kernel]  [k] crypto_xor 
 3.03%  [kernel]  [k] csum_partial   
 2.66%  [kernel]  [k] __copy_user_common 
 1.23%  [kernel]  [k] nf_iterate 
 1.07%  [nf_conntrack][k] __nf_conntrack_find_get
 0.91%  [kernel]  [k] fib_table_lookup   
 0.89%  [kernel]  [k] __bzero
 0.88%  [kernel]  [k] r4k_blast_dcache_page_dc32 
 0.85%  [kernel]  [k] __netif_receive_skb_core   
 0.85%  [kernel]  [k] ag71xx_poll
 0.85%  [kernel]  [k] do_ade 
 0.82%  [kernel]  [k] get_page_from_freelist 
 0.71%  [kernel]  [k] ip_rcv 



wireguard: WireGuard 0.0.20170918 loaded. See www.wireguard.com for information.

[  3]  0.0- 1.0 sec  2.62 MBytes  22.0 Mbits/sec
[  3]  1.0- 2.0 sec  2.75 MBytes  23.1 Mbits/sec
[  3]  2.0- 3.0 sec  2.25 MBytes  18.9 Mbits/sec
[  3]  3.0- 4.0 sec  2.12 MBytes  17.8 Mbits/sec
[  3]  4.0- 5.0 sec  2.25 MBytes  18.9 Mbits/sec
[  3]  5.0- 6.0 sec  2.50 MBytes  21.0 Mbits/sec
[  3]  6.0- 7.0 sec  2.75 MBytes  23.1 Mbits/sec
[  3]  7.0- 8.0 sec  2.75 MBytes  23.1 Mbits/sec
[  3]  8.0- 9.0 sec  2.75 MBytes  23.1 Mbits/sec
[  3]  9.0-10.0 sec  2.75 MBytes  23.1 Mbits/sec
[  3]  0.0-10.0 sec  25.6 MBytes  21.4 Mbits/sec

CPU:   1% usr  54% sys   0% nic   0% idle   0% io   0% irq  44% sirq


 6.84%  [wireguard] [k] chacha20_generic_block 
 3.46%  [wireguard] [k] poly1305_generic_blocks
 3.12%  [kernel][k] finish_task_switch 
 2.80%  [ip_tables] [k] ipt_do_table   
 2.30%  [kernel][k] __copy_user_common 
 2.23%  [kernel][k] queue_work_on  
 1.73%  [kernel][k] ag71xx_poll
 1.46%  [kernel][k] __dev_queue_xmit   
 1.35%  [kernel][k] crypto_xor 
 1.31%  [kernel][k] csum_partial   
 1.25%  [kernel][k] __do_softirq   
 1.14%  [kernel][k] ag71xx_hard_start_xmit 
 1.10%  [nf_conntrack]  [k] __nf_conntrack_find_get 



Re: Production usage of Wireguard

2017-11-07 Thread Jonathon Fernyhough
On 06/11/17 21:41, Ferris Ellis wrote:
> I know the project is still young but was
> wondering if anyone on the mailing list had started using WireGuard in
> production? And, if so, if they’d be willing to share some details about
> their use case and experience?
> 

I use on on several high-traffic web servers to secure backend
communication to a separate Redis instance.

It's configured as a mesh to remove any reliance on a single WireGuard
"server" node (that is, each server knows the endpoint and single
allowed IP of each of the others).

It has worked without issue since deployment (March 2017). It's easily
one of the most satisfying layers I've added to any stack.


J



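The mesh layout described above (every node peers with every other, and each peer's AllowedIPs is limited to its single tunnel address) as an added example that is not from the thread or the WireGuard project: the generator and the least-privilege check assume a constructed node list with placeholder keys and addresses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    public_key: str   # constructed placeholder below, not a real Curve25519 key
    endpoint: str     # host:port reachable on the real network
    tunnel_ip: str    # the node's single address inside the mesh


def render_config(me, nodes, private_key):
    """Render the wg config for `me`: every other node is a peer whose
    AllowedIPs is pinned to its one tunnel address (/32), so the cryptokey
    routing table grants each peer only its own source address."""
    port = me.endpoint.rsplit(":", 1)[1]
    lines = ["[Interface]",
             f"PrivateKey = {private_key}",
             f"Address = {me.tunnel_ip}/32",
             f"ListenPort = {port}"]
    for peer in nodes:
        if peer.name == me.name:
            continue
        lines += ["",
                  f"# {peer.name}",
                  "[Peer]",
                  f"PublicKey = {peer.public_key}",
                  f"Endpoint = {peer.endpoint}",
                  f"AllowedIPs = {peer.tunnel_ip}/32",
                  "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"


def check_mesh_config(config, me, nodes):
    """True iff the config lists exactly one /32 per other node and no
    AllowedIPs wider than a single host (a /24 would let one compromised
    peer source traffic as any other node in the mesh)."""
    expected = {ipaddress.ip_network(f"{n.tunnel_ip}/32")
                for n in nodes if n.name != me.name}
    seen = set()
    for line in config.splitlines():
        if line.startswith("AllowedIPs"):
            for item in line.split("=", 1)[1].split(","):
                net = ipaddress.ip_network(item.strip())
                if net.prefixlen != 32 or net not in expected:
                    return False
                seen.add(net)
    return seen == expected


# Constructed sample: three web servers plus the Redis host.
SAMPLE_NODES = [
    Node("web1", "PLACEHOLDER_PUBKEY_WEB1=", "203.0.113.11:51820", "10.8.0.1"),
    Node("web2", "PLACEHOLDER_PUBKEY_WEB2=", "203.0.113.12:51820", "10.8.0.2"),
    Node("web3", "PLACEHOLDER_PUBKEY_WEB3=", "203.0.113.13:51820", "10.8.0.3"),
    Node("redis", "PLACEHOLDER_PUBKEY_REDIS=", "203.0.113.20:51820", "10.8.0.4"),
]

if __name__ == "__main__":
    for node in SAMPLE_NODES:
        cfg = render_config(node, SAMPLE_NODES, "PLACEHOLDER_PRIVKEY=")
        print(f"=== {node.name}: mesh check {check_mesh_config(cfg, node, SAMPLE_NODES)}")
        print(cfg)
```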


Re: Production usage of Wireguard

2017-11-07 Thread Greg KH
On Mon, Nov 06, 2017 at 09:41:18PM +, Ferris Ellis wrote:
> Hello Wireguard mailing list!
> 
> I have been very interested in the WireGuard project for a little while now
> and am in the process of evaluating it. While benchmarks and code reviews
> are useful, they don’t uncover many of the issues that can potentially wake
> one up at 3am. I’d hunted around on the web for a while but wasn’t able to
> find any articles on running WireGuard in a production environment. I know
> the project is still young but was wondering if anyone on the mailing list
> had started using WireGuard in production? And, if so, if they’d be willing
> to share some details about their use case and experience?

There are at least two companies offering Wireguard as a VPN service
"commercially" right now, so it is being used in that manner already.

But as "production environment" always means different things for
different people, perhaps only you can answer this question?  What would
it take for _you_ to be comfortable with it in your network environment?

thanks,

greg k-h