Re: Android app whitelist/blacklist feature

2018-07-03 Thread Jason A. Donenfeld
On Tue, Jul 3, 2018 at 8:12 PM Samuel Holland  wrote:
> Right, trying to make it a global setting requires either some sort of
> out-of-band way to pass the information to wg-quick, or rewriting the
> configuration file every time the tunnel is brought up.
>
> Since from netd's point of view, this is a per-network setting anyway, I agree
> it makes sense to configure it per-tunnel. ExemptedApplications works as a
> configuration key, though I prefer ExcludedApplications--the application isn't
> just not required to use the tunnel, it's not allowed to use the tunnel.
>
> In that case, here are my UI suggestions:
> - Add a button in the editor that switches to a fragment or pops up a Dialog
> similar to a MultiSelectListPreference.
> - For consistency, checked means excluded -- everything defaults to unchecked.
> - The package names of excluded apps are put in the
> com.wireguard.config.Interface, and wg-quick handles package name to uid
> translation.
>
> How does that sound?

All of that sounds right-on to me, and I think you're right that
ExcludedApplications is the better key.

(This also provides a good basis for later adding a
"ExcludeLocalNetwork" option.)

Eric's git access should be all set up now, so we can watch the
commits coming on in.
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


Re: Android app whitelist/blacklist feature

2018-07-03 Thread Samuel Holland
On 07/02/18 21:31, Jason A. Donenfeld wrote:
> On Tue, Jul 3, 2018 at 4:27 AM Eric Kuck  wrote:
>> 
>> I was originally thinking the new fragment would be a per-tunnel thing
>> (set when you create the tunnel or edit it), but you’re right - making it
>> a general setting likely makes a whole lot more sense. I can’t think of
>> any use-cases for different tunnels handling different apps.
> 
> It might actually make most sense to make it a per-tunnel thing. We'd then 
> have to introduce conf key called, "ExemptedApplications=" or something. 
> Samuel - any thoughts on this?

Right, trying to make it a global setting requires either some sort of
out-of-band way to pass the information to wg-quick, or rewriting the
configuration file every time the tunnel is brought up.

Since from netd's point of view, this is a per-network setting anyway, I agree
it makes sense to configure it per-tunnel. ExemptedApplications works as a
configuration key, though I prefer ExcludedApplications--the application isn't
just not required to use the tunnel, it's not allowed to use the tunnel.

In that case, here are my UI suggestions:
- Add a button in the editor that switches to a fragment or pops up a Dialog
similar to a MultiSelectListPreference.
- For consistency, checked means excluded -- everything defaults to unchecked.
- The package names of excluded apps are put in the
com.wireguard.config.Interface, and wg-quick handles package name to uid
translation.

How does that sound?

Samuel
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
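As an added illustration of the per-tunnel design agreed above (this is example code, not wireguard-android or wg-quick code): a small parser for a WireGuard-style config file that extracts an `ExcludedApplications` key from the `[Interface]` section, written as a comma-separated list of Android package names as the thread proposes. It de-duplicates the list and validates that each entry looks like an Android package name; the package-name-to-uid translation that wg-quick does on the device is not modelled. The sample config, the placeholder keys and all function names are this example's own.

```python
"""Parse and validate an ExcludedApplications key in a WireGuard config.

Added example, not code from wireguard-android or wg-quick. Assumes the key
lives in [Interface] as a comma-separated list of package names, as proposed
in the thread; package-name to uid translation is left to the device.
"""
import re

# Android package names: dot-separated identifiers, at least two segments.
_PACKAGE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)+$")


def parse_sections(text):
    """Return [(section_name, {key: [values...]})] in file order.

    Section and key names are lower-cased (matched case-insensitively);
    a key that appears more than once accumulates its values.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip().lower(), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        current[1].setdefault(key.lower(), []).append(value)
    return sections


def excluded_applications(text):
    """De-duplicated, validated package list from every [Interface] section.

    Raises ValueError on an entry that is not a plausible Android package
    name, so a typo cannot silently leave an app routed through the tunnel
    when the user expected it to be excluded (or vice versa).
    """
    packages, seen = [], set()
    for name, keys in parse_sections(text):
        if name != "interface":
            continue
        for value in keys.get("excludedapplications", []):
            for pkg in (p.strip() for p in value.split(",")):
                if not pkg:
                    continue
                if not _PACKAGE_RE.match(pkg):
                    raise ValueError("invalid package name: %r" % pkg)
                if pkg not in seen:
                    seen.add(pkg)
                    packages.append(pkg)
    return packages


def render_excluded(packages):
    """Serialise the list back into the single-line key form."""
    return "ExcludedApplications = " + ", ".join(packages)


# Constructed sample config; the key values are placeholders, not real keys.
SAMPLE = """\
[Interface]
PrivateKey = <placeholder>
Address = 10.0.0.2/32
ExcludedApplications = com.example.bank, org.example.sip
ExcludedApplications = com.example.bank   # duplicate, collapsed by the parser

[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com:51820
"""

if __name__ == "__main__":
    apps = excluded_applications(SAMPLE)
    print(apps)                     # ['com.example.bank', 'org.example.sip']
    print(render_excluded(apps))
```

Because the key is per-interface, the same file can be handed to the device unchanged whenever the tunnel is brought up, which is the point Samuel makes about avoiding an out-of-band channel or a rewrite of the config on every activation.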


Re: src/crypto/curve25519-x86_64.h:1319: Error: no such instruction while compiling in centos 6

2018-07-03 Thread Lucian Cristian

On 03.07.2018 11:59, Vbook A1 wrote:

> WARNING: if you want to use ELrepo kernel - make sure your server does
> not have the Matrox G200 series video card! CentOS 6.x with kernel 4.x
> will not boot on Matrox GPU.
>
> On Tue, Jun 26, 2018 at 1:10 PM, Lucian Cristian  wrote:
>
>> On 26.06.2018 05:57, karthik kumar wrote:
>>
>> Hi,
>>   I did see the yum repo already being there with RPMs available. But we use only
>> centos 6 and are desperately looking for alternate of strongswan :(
>> Is there any other suggestion for me, other than Centos 7 ? Is it worth
>> trying to rebuild the kernel with 8.1 gcc ? Is there an option like
>> --without-elliptic-curve that I can use ?
>>
>> Thanks
>>
>> On Tue, Jun 26, 2018 at 5:58 AM Jason A. Donenfeld  wrote:
>>
>>> Hello,
>>>
>>> Please use CentOS 7.
>>>
>>> Jason
>>
>> search the mailing list, I proposed a patch for centos 6, see if it's
>> working, but you have to use elrepo kernels
>> http://elrepo.org/linux/kernel/el6/x86_64/RPMS/
>>
>> Regards


I don't remember having trouble on a fujitsu rx300 with

10:05.0 VGA compatible controller: Matrox Electronics Systems Ltd. MGA 
G200e [Pilot] ServerEngines (SEP1) (rev 02)


but I've updated since then

Regards

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


Re: src/crypto/curve25519-x86_64.h:1319: Error: no such instruction while compiling in centos 6

2018-07-03 Thread Vbook A1
WARNING: if you want to use ELrepo kernel - make sure your server does
not have the Matrox G200 series video card! CentOS 6.x with kernel 4.x
will not boot on Matrox GPU.

On Tue, Jun 26, 2018 at 1:10 PM, Lucian Cristian  wrote:
> On 26.06.2018 05:57, karthik kumar wrote:
>
> Hi,
>   I did see the yum repo already being there with RPMs available. But we use only
> centos 6 and are desperately looking for alternate of strongswan :(
> Is there any other suggestion for me, other than Centos 7 ? Is it worth
> trying to rebuild the kernel with 8.1 gcc ? Is there an option like
> --without-elliptic-curve that I can use ?
>
> Thanks
>
> On Tue, Jun 26, 2018 at 5:58 AM Jason A. Donenfeld  wrote:
>>
>> Hello,
>>
>> Please use CentOS 7.
>>
>> Jason
>
>
>
>
> search the mailing list, I proposed a patch for centos 6, see if it's
> working, but you have to use elrepo kernels
> http://elrepo.org/linux/kernel/el6/x86_64/RPMS/
>
>
> Regards
>
>
>
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


MTU on public wifi

2018-07-03 Thread Brian Candler
I was testing wireguard via a public wifi service (Icomera on-train 
wifi) and found that the tunnel MTU wireguard had chosen was too large: 
TCP connections got stuck as soon as any large amount of data was sent 
(e.g. just running "top").


The MTU of the wifi service itself is 1440:

MacBook-Pro-2:~ $ ping -s1412 -D 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 1412 data bytes
1420 bytes from 8.8.8.8: icmp_seq=0 ttl=58 time=46.006 ms
1420 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=40.847 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 40.847/43.427/46.006/2.579 ms
MacBook-Pro-2:~ $ ping -s1414 -D 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 1414 data bytes
556 bytes from 10.101.2.1: frag needed and DF set (MTU 1440)
Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src Dst
 4  5  00 a205 33b6   0   40  01 e44d 10.101.2.227 8.8.8.8

(Payload 1412 + 20 bytes IP header + 8 bytes ICMP header = 1440)

The client is macOS wireguard-tools/wireguard-go.  Wireguard itself had 
set an MTU on utun1 of 1440.  With some experimentation, I found that 
setting MTU of 1400 was fine, but 1410 was too big.


With "MTU = 1400" in wg0.conf it now appears to work correctly, although 
I'm not sure how safe that value is - does Wireguard compress data 
before encapsulation, and therefore is there a chance that worst-case 
encapsulated packets could still be too big?


But I did try "dd if=/dev/urandom bs=1024 count=100" and it did send the 
whole random splurge without locking up the TCP connection.


I also wonder if wireguard could automatically reduce its MTU in 
response to ICMP "frag needed" packets, at least down to a configured 
minimum?


Regards,

Brian Candler.

___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
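The MTU arithmetic behind the probing above, as an added example (not code from wireguard-go or the kernel module). WireGuard does not compress, so the per-packet overhead is fixed: the transport-data message is a 16-byte header (4 bytes type/reserved, 4 bytes receiver index, 8 bytes counter) plus a 16-byte Poly1305 tag, and the inner packet is zero-padded to a multiple of 16 bytes, capped at the tunnel MTU; that message is carried in UDP inside an outer IPv4 (20-byte, no options) or IPv6 (40-byte) header. The functions below turn a measured path MTU into the largest inner packet that never needs the outer datagram fragmented, and compute the on-wire size of a given inner packet so you can check it against the path. The field sizes come from the WireGuard protocol description; the function names and the sample numbers are this example's own, and it assumes the outer UDP datagram is not to be fragmented along the path.

```python
"""WireGuard tunnel MTU arithmetic.

Added example, not code from wireguard-go or the WireGuard kernel module.
Sizes follow the protocol description (16-byte data-message header, 16-byte
Poly1305 tag, inner packet padded to a multiple of 16 bytes capped at the
tunnel MTU). Function names are this example's own.
"""

WG_HEADER = 4 + 4 + 8        # type/reserved, receiver index, nonce counter
POLY1305_TAG = 16
UDP_HEADER = 8
IPV4_HEADER = 20             # assumes no IP options on the outer packet
IPV6_HEADER = 40
ICMP_HEADER = 8
PADDING_MULTIPLE = 16


def outer_overhead(ipv6=False):
    """Bytes wrapped around the padded inner packet: IP + UDP + WG header + tag."""
    ip = IPV6_HEADER if ipv6 else IPV4_HEADER
    return ip + UDP_HEADER + WG_HEADER + POLY1305_TAG


def tunnel_mtu(path_mtu, ipv6=False):
    """Largest inner packet whose outer datagram still fits the path MTU."""
    return path_mtu - outer_overhead(ipv6)


def path_mtu_from_ping(icmp_payload):
    """Path MTU implied by the largest IPv4 'ping -s <n>' payload that passes."""
    return icmp_payload + IPV4_HEADER + ICMP_HEADER


def padded_len(inner_len, mtu):
    """Inner length after padding: next multiple of 16, but never above mtu."""
    if inner_len > mtu:
        raise ValueError("inner packet larger than tunnel MTU")
    padded = -(-inner_len // PADDING_MULTIPLE) * PADDING_MULTIPLE  # ceil to 16
    return min(padded, mtu)


def wire_size(inner_len, mtu, ipv6=False):
    """Size of the outer datagram carrying one inner packet, unfragmented."""
    return outer_overhead(ipv6) + padded_len(inner_len, mtu)


def fits_path(inner_len, mtu, path_mtu, ipv6=False):
    """True if the encapsulated packet needs no fragmentation on the path."""
    return wire_size(inner_len, mtu, ipv6) <= path_mtu


if __name__ == "__main__":
    # Sample numbers: 1412-byte ICMP payload passed, 1414 did not (see above).
    path = path_mtu_from_ping(1412)
    print("path MTU:", path, "-> safe tunnel MTU over IPv4:", tunnel_mtu(path))
    for mtu in (1440, tunnel_mtu(path)):
        print("tunnel MTU %d: full-size packet is %d bytes on the wire, fits: %s"
              % (mtu, wire_size(mtu, mtu), fits_path(mtu, mtu, path)))
```

With the 1440-byte path measured above and an IPv4 underlay the fixed overhead is 60 bytes, so 1380 is the largest tunnel MTU whose full-size packets never depend on outer fragmentation; over an IPv6 underlay the overhead is 80 bytes, which is why 1500 - 80 = 1420 is the usual default.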