Re: Shouldn't devices tethered to a device using Wireguard share the same IP?

2020-05-21 Thread Jose Marinez
Thank you. I will try it out. Fingers crossed!!!

On Thursday, May 21, 2020, 10:29:12 AM EDT, Harsh Shandilya wrote:

On May 21 2020, at 7:52 pm, Jose Marinez wrote:

> Thank you so much Harsh. What's the best way to make my kernel
> available to you? Even if you could allow me to push to the repo I
> wouldn't know where to save it.


The repo is maintained on GitHub, so you will have to fork the repository
and create a pull request with your changes. help.github.com has very
beginner-friendly documentation if this is your first time around this.

The process for adding a kernel is a bit involved and the documentation
isn't quite fleshed out. You can check the steps out here[1] and an
example of adding a new device to the repository here[2].

1: https://github.com/WireGuard/android-wireguard-module-builder#adding-your-phones-kernel
2: https://github.com/WireGuard/android-wireguard-module-builder/pull/3/files


Re: Shouldn't devices tethered to a device using Wireguard share the same IP?

2020-05-21 Thread Jose Marinez
Thank you so much Harsh. What's the best way to make my kernel available to 
you? Even if you could allow me to push to the repo I wouldn't know where to 
save it.

Thank you for this and your work on the apps.


Re: Shouldn't devices tethered to a device using Wireguard share the same IP?

2020-05-20 Thread Jose Marinez
Thanks Mehdi. I'll take a look.

@Harsh,

Thank you for the clarification. I will reach out to both. I know that on macOS 
Catalina, Apple implemented new APIs for loading kernel modules now that the 
core of the OS is read-only. Not sure if they've done the same for iOS. Perhaps 
they'll announce that next month.

> @Harsh - I do have a rooted Android device with Wireguard on I can use
> for tethering. Say I build my kernel module from the list you sent.
> How do I go about integrating it into the Wireguard Android app?

>>>The app will automatically detect the kernel module and work with it,
>>>there's no user-facing work to be done.

Let me see if I understand you correctly. Are you saying that if I take my 
rooted phone, make the /kernels folder, add the manifest.xml and corresponding 
version kernel, the regular Wireguard app in the Play Store will utilize it? 
I'm trying to make sure I follow.

Will it show this extended UI in Settings?

Thanks again,
Jose

On Wednesday, May 20, 2020, 03:00:18 PM EDT, Mehdi Sadeghi wrote:

Hi Marinez and the list,

There is a very nice open source app that can share the VPN connection of a 
rooted device with clients on Android. Here is the link:

https://github.com/Mygod/VPNHotspot/blob/master/README.md

Cheers,
Mehdi

On May 20, 2020, 20:40:31 CEST, Jose Marinez wrote:
> Thank you all for the responses.
>
> Wow. This seems like a big issue for Android and iOS. How many people like me
> that are tethering, go about convinced their devices are inheriting the VPN
> connection? Are there channels to communicate with both Google and Apple about
> this?
>
> @Harsh - I do have a rooted Android device with Wireguard on I can use for
> tethering. Say I build my kernel module from the list you sent. How do I go
> about integrating it into the Wireguard Android app?
>
> Thanks,
> Jose
>
> On Wednesday, May 20, 2020, 1:53 PM, Harsh Shandilya wrote:
>> 
>> On May 20 2020, at 10:57 pm, Jose Marinez  wrote:
>> 
>>>  Hi Guys,
>>>   
>>> Can you tell me if this is working as it should?...
>>>   
>>> I have a phone with Wireguard on. I share the connection via
>>> tethering/hotspot. When I check the IP on the tethered device I don't
>>> see the same IP as my Wireguard endpoint. What I do see is an IP from
>>> the phone's mobile network, the one running Wireguard. 
>>>   
>>> Is this right? Does this mean that traffic from that tethered device
>>> is not using the Wireguard connection? I'm confused.
>>>   
>>>   
>>> Thanks,
>>> Jose
>> 
>>>   
>> 
>> At least on Android, tethering data is *not* routed through your VPN. If
>> you want that to happen, you will have to use the WireGuard kernel
>> module which requires a rooted device and a custom kernel. On some
>> supported devices
>> (https://github.com/WireGuard/android-wireguard-module-builder/tree/master/kernels)
>> you can use root access to install the required module automatically
>> through the app, on your stock kernel.
>> 
>> Harsh
>>> 

-- 
This message was sent from my Android device with K-9 Mail.


Re: Shouldn't devices tethered to a device using Wireguard share the same IP?

2020-05-20 Thread Jose Marinez
Thank you all for the responses.

Wow. This seems like a big issue for Android and iOS. How many people like me 
that are tethering, go about convinced their devices are inheriting the VPN 
connection? Are there channels to communicate with both Google and Apple about 
this? 

@Harsh - I do have a rooted Android device with Wireguard on I can use for 
tethering. Say I build my kernel module from the list you sent. How do I go 
about integrating it into the Wireguard Android app?

Thanks,
Jose

On Wednesday, May 20, 2020, 1:53 PM, Harsh Shandilya  wrote:
> 
> 
> On May 20 2020, at 10:57 pm, Jose Marinez  wrote:
> 
>> Hi Guys,
>>  
>> Can you tell me if this is working as it should?...
>>  
>> I have a phone with Wireguard on. I share the connection via
>> tethering/hotspot. When I check the IP on the tethered device I don't
>> see the same IP as my Wireguard endpoint. What I do see is an IP from
>> the phone's mobile network, the one running Wireguard. 
>>  
>> Is this right? Does this mean that traffic from that tethered device
>> is not using the Wireguard connection? I'm confused.
>>  
>>  
>> Thanks,
>> Jose
> 
>>  
> 
> At least on Android, tethering data is *not* routed through your VPN. If
> you want that to happen, you will have to use the WireGuard kernel
> module which requires a rooted device and a custom kernel. On some
> supported devices
> (https://github.com/WireGuard/android-wireguard-module-builder/tree/master/kernels)
> you can use root access to install the required module automatically
> through the app, on your stock kernel.
> 
> Harsh
>> 


Shouldn't devices tethered to a device using Wireguard share the same IP?

2020-05-20 Thread Jose Marinez
Hi Guys,

Can you tell me if this is working as it should?...

I have a phone with Wireguard on. I share the connection via tethering/hotspot. 
When I check the IP on the tethered device I don't see the same IP as my 
Wireguard endpoint. What I do see is an IP from the phone's mobile network, the 
one running Wireguard. 

Is this right? Does this mean that traffic from that tethered device is not 
using the Wireguard connection? I'm confused.


Thanks,
Jose


Re: WireGuard deployment considerations for improved privacy

2019-01-16 Thread Jose Marinez
Hi Fredrik,

I appreciate this proposition as well as your summary for the current state of 
Wireguard for this particular case. I agree with you wholeheartedly that before 
the mass adoption of Wireguard happens these use cases should be addressed 
properly. I'd love to hear what Jason has to say about this and what he 
proposes.

I too have been thinking about all the edge cases for Wireguard. My approach 
has been to look at it from a penetration test perspective. Reality is that 
Wireguard doesn't live in isolation. As a system - hardware, OS and all its 
settings + Wireguard - connected to the Internet and a user(s) presents many 
hostile dynamics.

Ultimately, whatever solution emerges needs to supplement the goals and 
features of Wireguard, otherwise it defeats the purpose.

Would it make sense to create a small group to tackle this and other use cases 
- scaling, simplicity, etc? On my end, I'm not a cryptologist, but I can write 
software that would test the security of any system. I'm sure other members of 
this list have a ton of skills and experience to bring to this.

Here's a list of things I'd like to see and would be willing to 
participate/create if they don't exist yet:

1. A honeypot server with public logs for a small team to gather and record 
   real-time traffic as an authorized user of the server - root.
2. A test suite that goes through all the domain specific scenarios from the 
   results of #1 and provides a verification at the end once completed.
3. Provide feedback from all this back to Jason for enhancements, etc. in 
   upstream Wireguard.

Feel free to reach out off-list.

Thanks,
Jose

On Tuesday, January 15, 2019, 9:27 AM, Fredrik Strömberg wrote:

On Tue, Jan 15, 2019 at 1:05 PM Henning Reich  wrote:
>
> Thanks for your reply too,
>
> I "use" this list and conversation to get a bit more information about crypto 
> at all (it looks like I need that :-)
>
I see. When I wanted to learn more about network security protocols I
read the RFC for TLS from start to finish a few times. Every time I
didn't understand a word or concept I looked it up on Wikipedia, often
reading the entire article on that concept. In your case maybe read
the WireGuard paper a few times and reference Wikipedia. That's a good
start.

> I try to explain how I understood the problem, and anybody can tell me, where 
> I have made a mistake :-)
> From https://www.wireguard.com/protocol/#key-exchange-and-data-packets
> the initiation message and the response use
> initiator.ephemeral_private = DH_GENERATE() and
> responder.ephemeral_private = DH_GENERATE()
>
Correct. Although to be exact DH-Generate returns a keypair (private, public).

> This means (I think), that for every new connection, a new DH-Key is 
> generated. For me (not a programmer) it looks like all other private 
> information in the messages is encrypted/hashed with values derived from this 
> DH-Key.

Almost. It uses Diffie-Hellman with the ephemeral private key as one component.

In the first message, msg.static is encrypted using a key derived from
DH of the Initiator's ephemeral private key, and the Responder's
static public key (which is already known to Initiator). The first
message also includes the field msg.ephemeral which contains the
Initiator's ephemeral public key, transmitted in the clear.

When the message is received by the Responder, she is able to decrypt
msg.static and learn the Initiator's static public key. You might ask
how that is possible when she doesn't have the Initiator's ephemeral
private key. The reason is that she can derive the correct encryption
key using the Initiator's ephemeral public key, previously transmitted
in the clear, and her (the Responder's) static private key.

ECDH ( Initiator's ephemeral private key, Responder's static pubkey )
=
ECDH ( Initiator's ephemeral public key, Responder's static private key )

> Because both sites know the other static key, I would look in the "XX" Row, 
> and there is your quoted destination property not existing.
>
WireGuard uses Noise_IK, not Noise_XX.

> It's probably possible that I ignore some cryptographic basics or 
> misunderstood some facts. So I hope somebody takes the time and gives me some 
> more hints. Thanks
>
No worries. We're all learning something. If you want to learn more
about cryptographic protocols just put in the time. And when you don't
understand something, or suspect that you are wrong, read the whole
thing again. That's what I did :)

Cheers,
Fredrik
___
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard





ExcludedApplication UI for Wireguard iOS

2019-01-03 Thread Jose Marinez
Hi Jason,
I checked the iOS Todo list and noticed that there's no mention of an iOS 
excluded application list ala Android. Would you mind adding it to the list?

Thanks,
Jose


Re: WireGuard for iOS - TestFlight

2018-11-06 Thread Jose Marinez
Thank you Jason and all those involved. Question for you... not sure how 
familiar you are with iOS kernel internals, but considering Apple's "Interest 
in privacy," what would it take for iOS to have similar kernel changes to 
support Wireguard natively akin to IKEv2, etc? Keep in mind that Darwin - 
iOS/macOS underpinnings are FreeBSD based.


Thanks,
Jose

On Monday, November 5, 2018, 9:06 PM, Jose Marinez wrote:

Thank you Jason and all those involved. Question for you... not sure how 
familiar you are with iOS kernel internals, but considering Apple's "Interest 
in privacy," what would it take for iOS to have similar kernel changes to 
support Wireguard natively akin to IKEv2, etc? Keep in mind that Darwin - 
iOS/macOS underpinnings are FreeBSD based.


Thanks,
Jose

On Monday, November 5, 2018, 4:27 PM, Jason A. Donenfeld wrote:

Hey folks,

For the last few weeks, Roopesh and I have been hard at work on the
WireGuard for iOS app. Today we're happy to share a
likely-buggy-and-broken TestFlight that you can run on your phone:
<https://testflight.apple.com/join/63I19SDT>. As usual, use at your
own risk, especially since it's alpha quality.

Please let us know about any bugs as you find them -- you can send
them to me or to t...@wireguard.com. Our current TODO list lives here
[1], linked via the main project TODO list [2], and if you're an iOS
person and want to contribute code, we'd be happy to have you on
board.

The app costs $3.99 and requires an email address to sign up; we
manage all your tunnels for you in the cloud. JUST KIDDING! Like the
rest of WireGuard, the iOS app is free and open source [3]. I make
this rather tasteless joke, because of the rather surprising
quantities of people encouraging me to do the iOS stuff as proprietary
paid software, because "apple users will pay" or because "open source
is cool, but iphone folks don't care about it so you can get away with
charging" or because "none of the other vpn players are doing open
source mobile implementations" or even because "apple is more likely
to accept paid software into its app store" and so on and so forth.
But, as usual, I much prefer for this to be a community project than a
closed one, and so like everything else, it's FLOSS.

Enjoy! And do let us know about the bugs as you run into them. I'm
sure there are plenty.

Regards,
Jason

[1] https://docs.google.com/document/d/1BnzImOF8CkungFnuRlWhnEpY2OmEHSckat62aZ6LYGY
[2] https://www.wireguard.com/todo/
[3] https://git.zx2c4.com/wireguard-ios/


Is it still necessary to run edge for Alpine Linux?

2018-06-27 Thread Jose Marinez
Hi Guys,
I'd like to run Wireguard on Alpine Linux perhaps at Scaleway. From the start 
of Wireguard's support for Alpine, edge repositories and kernel were necessary. 
Is that still the case? 


Thanks,
Jose


Re: Wireguard on android w/o kernel module

2018-06-02 Thread Jose Marinez
Hi Jason,
I'm looking into that specific aspect as we speak. Google at times has 
"peculiar ways" to conceive of how users would interact with Android, maybe 
this is one of them. However, I've seen developers abuse APIs in self interest 
for a number of reasons.
On iOS, once a VPN app is disconnected, it automatically ceases the right to 
"always on."
I'll dig around and get back to you on this.  


Thanks,
Jose

On Saturday, June 2, 2018, 5:49 PM, Jason A. Donenfeld  wrote:

On Sat, Jun 2, 2018 at 11:47 PM Jose Marinez  wrote:
> Pardon me, as I just sent a related message without reading this one first. 
> The fact remains, there should be a better way to handle and prevent this.

Care to poke around in the APIs and see if you can come up with
something automatic and useful?

Jason





Re: Wireguard on android w/o kernel module

2018-06-02 Thread Jose Marinez
Pardon me, as I just sent a related message without reading this one first. The 
fact remains, there should be a better way to handle and prevent this. Perhaps, 
at a minimum and in the interim, to suggest investigating the installation of 
another VPN client settings right in the error message.


Thanks,
Jose

On Friday, June 1, 2018, 12:54 PM, Maximilian Eschenbacher wrote:

Hey Jason,

thanks for the quick response.

On 01/06/2018 18:42:41, Jason A. Donenfeld wrote:
>You can investigate (b) by fishing around in the system VPN settings
>and seeing what's there, possibly removing authorization for those.
>Afterwards, close the application, reopen it, and it should prompt you
>to accept permissions.

This was exactly what had happened.

Best regards

Max


Android error, fix and next steps

2018-06-02 Thread Jose Marinez
Hello guys,
I encountered this error while testing on a LG V30 running Oreo.
"Error binging up tunnel: VPN service not authorized by user"
It turned out that due to an existing StrongSwan installation, the Wireguard 
client could not work. The fix involved deleting the StrongSwan client from the 
phone.
Next steps:
I can't imagine the Wireguard client to expect exclusivity as the sole VPN 
client to run on any device. In the case of StrongSwan, it had an "Always On" 
setting which I believe prevented Wireguard from making network changes.
What's the best way to approach this? I don't want to assume this is a 
Wireguard Android client bug. Perhaps on Android only one client can have the 
"always on" setting at once.
Any clarity on this would help, to at a minimum figure out which party to 
approach: Google vs. StrongSwan vs. Wireguard

Thanks,
Jose


Re: Formally Verified Cryptographic Primitive Implementations

2018-01-20 Thread Jose Marinez
Great work. Impressive 


On Friday, January 19, 2018, 8:26 AM, Jason A. Donenfeld wrote:

On Fri, Jan 19, 2018 at 9:29 AM, Greg KH  wrote:
> No questions, just a general, "Wow, this is great work!"
>
> It's wonderful to see this happen, thanks so much for pushing this
> forward.

Glad you like it. The real work, of course, will be parlaying this
work into kernel crypto api 2.0...

Jason


Android wg binary

2017-07-25 Thread Jose Marinez
On the latest snapshot I noticed there’s a wg-quick port. One needs to build a 
“wg” binary for Android to be able to test. At the moment, there’s no 
instructions to do so from source on the installation section of wireguard.com. 
What’s the best way to build the binary?

Thanks,
Jose


[Question] - Would it be possible to have the ip commands in ifconfig?

2017-06-26 Thread Jose Marinez
Hi Guys,
First, great work on Wireguard!!
I have a linux server configured with wireguard running well with other linux 
computers working. I’d like to extend that to a few macOS computers we have. I 
know the project at the moment is only for Linux, but I saw the distribution 
package and decided to give it a try. For the last 4 days I’ve been jumping 
through hoops trying to get this working. At first, it took so long mainly 
because I was attempting to connect from the latest macOS 10.13 beta - bad 
idea, yes I know. However, when I attempted to do this from the stable version, 
things were much better, but still haven’t been able to connect.  Here’s why:
The package for wireguard on the mac only includes wg, you don’t get wg-quick 
or any other tools. Not a big deal, but it makes a difference especially because 
the quick start instructions use ip-link and other ip related commands. 
Unfortunately, on the mac there’s no official release of ip-link and the 
iproute2mac brew package is only a subset of iproute2 so it doesn’t work. I 
know that ip is the future replacement for ifconfig, but ifconfig is 
practically everywhere there’s a POSIX-like OS. To make matters worse, even the 
“classic” capabilities for setting up routing on linux with netns are not 
available on the mac either.
Forgive my naïveté - I’m a developer, not a network engineer - but if I had the 
ifconfig (perhaps also vconfig) versions of the following quick start commands, 
plus the official wg for the mac, wouldn’t I be able to connect?:
ip link add dev wg0 type wireguard
ip address add dev wg0 IPRANGE
ip link set up dev wg0


Last, but not least... I’m very interested in the Rust version of wireguard. I 
read the code and the readme, but I couldn’t tell what the exact capabilities 
and limitations are as a cross-platform userspace implementation. Could one 
redirect all internet traffic through it? Would it work on the mac as it is?
Thanks again,
Jose