Re: WireGuard setup in NetBSD 10 [SOLVED]
• Martin Husemann [2024-01-18 11:36]:
> > Step 3 has to be a different one: load if_wg module, to make sure wg is
> > listed as a clonable interface.
>
> Yes, indeed, and it is slightly subtle (auto-hiding by module auto-loading).
>
> I have all my router kernels running securelevel >= 1 and module
> auto-loading disabled, so I do have to make sure the if_wg module is
> present before we go multi-user. Also in this setup the failure is
> more obvious.

Thanks for your input! I had a feeling something was wrong, but couldn't
easily tell what it was. I'm neither used to loadable kernel modules nor
securelevel being -1 by default...

-- Kirill
Re: WireGuard setup in NetBSD 10
k...@krot.org (Kirill Miazine) writes:

>> Maybe he still has auto_ifconfig=NO ?

>No, he didn't... but issue was if_wg not being loaded upon boot -- but
>loaded when ifconfig wg0 create was called.

The perils of the module autoloader.
Re: WireGuard setup in NetBSD 10 [SOLVED]
On Thu, Jan 18, 2024 at 11:16:16AM +0100, Kirill Miazine wrote:
> Step 3 has to be a different one: load if_wg module, to make sure wg is
> listed as a clonable interface.

Yes, indeed, and it is slightly subtle (auto-hiding by module auto-loading).

I have all my router kernels running securelevel >= 1 and module
auto-loading disabled, so I do have to make sure the if_wg module is
present before we go multi-user. Also in this setup the failure is
more obvious.

Martin
Re: WireGuard setup in NetBSD 10
• Michael van Elst [2024-01-18 10:10]:
> mar...@duskware.de (Martin Husemann) writes:
>
> >On Thu, Jan 18, 2024 at 10:23:11AM +0100, Kirill Miazine wrote:
> >> Does your custom kernel provide some wg devices initially?
>
> >No, but "ifconfig -C" lists wg as a clonable device, so /etc/ifconfig.wg0
> >is loaded.
>
> Maybe he still has auto_ifconfig=NO ?

No, he didn't... but the issue was if_wg not being loaded upon boot -- but
loaded when ifconfig wg0 create was called.
Re: WireGuard setup in NetBSD 10 [SOLVED]
Step 3 has to be a different one: load the if_wg module, to make sure wg is
listed as a clonable interface.

• Kirill Miazine [2024-01-18 08:46]:
> Hi, NetBSD users
>
> I've been setting up a NetBSD box, which has to be connected to the wider
> WireGuard network. There's a while since I managed NetBSD, so I'd like to
> ask for feedback as to whether current setup is considered a "proper" way of
> setting up WireGuard on NetBSD:
>
> 1. Create files with WireGuard private key and pre-shared key
>
> 2. Create ifconfig.wgN with lines to configure network address, and a bunch
> of calls to wgconfig using !. Now while writing this email I discovered that
> I can use $int variable in ifconfig.wgN file, and that made wgconfig calls a
> lot cleaner.
>
> 3. Add wgN to net_interfaces in rc.conf.

3. Add if_wg to /etc/modules.conf

> Does the above seem sensible?
>
> The part which bothers me _a little_ is the last one with adding wgN to
> net_interfaces, which also made me have to disable auto_ifconfig and thus
> having to list also the normal network interface in net_interfaces. Mere
> presence of ifconfig.wgN won't create and configure wgN, will it?
>
> Thanks!
>
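The condition this thread converges on (wg must already be clonable when /etc/rc.d/network runs, or /etc/ifconfig.wgN is silently skipped) as a small preflight check. This is an added example, not code from the thread or from NetBSD; it assumes "ifconfig -C" prints the clonable types as one space-separated list and that modules.conf holds one module name per line with '#' comments.

```sh
#!/bin/sh
# Added example (not from the thread): preflight check for the boot-time
# failure discussed above. /etc/rc.d/network only configures
# /etc/ifconfig.wgN when "ifconfig -C" already lists wg as clonable, which
# needs wg(4) in the kernel or if_wg loaded before multi-user
# (e.g. via /etc/modules.conf). Formats below are assumptions, see lead-in.

# wg_clonable CLONERS: 0 if "wg" is one of the words in the given list.
wg_clonable() {
    for type in $1; do
        [ "$type" = "wg" ] && return 0
    done
    return 1
}

# wg_in_modules_conf FILE: 0 if FILE names if_wg (or if_wg.kmod), uncommented.
wg_in_modules_conf() {
    [ -r "$1" ] || return 1
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }     # skip comments and blank lines
        { name = $1; sub(/\.kmod$/, "", name) }  # accept if_wg or if_wg.kmod
        name == "if_wg" { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# wg_preflight CLONERS FILE: print a diagnosis.
# Returns 0 (ok), 1 (nothing provides wg), 2 (listed but not loaded yet).
wg_preflight() {
    if wg_clonable "$1"; then
        echo "ok: wg is clonable, /etc/ifconfig.wgN will be configured at boot"
        return 0
    fi
    if wg_in_modules_conf "$2"; then
        echo "warn: if_wg is listed in $2 but wg is not clonable yet (module not loaded?)"
        return 2
    fi
    echo "missing: add if_wg to $2 or build wg(4) into the kernel"
    return 1
}

# Run the real check on a NetBSD host with: sh wg_preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    wg_preflight "$(ifconfig -C 2>/dev/null)" /etc/modules.conf
fi
```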
Re: WireGuard setup in NetBSD 10
• Martin Husemann [2024-01-18 10:46]:
> On Thu, Jan 18, 2024 at 10:23:11AM +0100, Kirill Miazine wrote:
> > Does your custom kernel provide some wg devices initially?
>
> No, but "ifconfig -C" lists wg as a clonable device, so /etc/ifconfig.wg0
> is loaded.

Ah, of course! I overlooked that one. So the problem was that if_wg wasn't
loaded when the system booted, but it was added when ifconfig wgN create was
getting called. So I added if_wg to modules.conf, and now it works as I
thought it should.

Thanks for the pointers!

> Martin
Re: WireGuard setup in NetBSD 10
mar...@duskware.de (Martin Husemann) writes:

>On Thu, Jan 18, 2024 at 10:23:11AM +0100, Kirill Miazine wrote:
>> Does your custom kernel provide some wg devices initially?

>No, but "ifconfig -C" lists wg as a clonable device, so /etc/ifconfig.wg0
>is loaded.

Maybe he still has auto_ifconfig=NO ?
Re: WireGuard setup in NetBSD 10
On Thu, Jan 18, 2024 at 10:23:11AM +0100, Kirill Miazine wrote:
> Does your custom kernel provide some wg devices initially?

No, but "ifconfig -C" lists wg as a clonable device, so /etc/ifconfig.wg0
is loaded.

Martin
Re: WireGuard setup in NetBSD 10
• Martin Husemann [2024-01-18 09:46]:
> On Thu, Jan 18, 2024 at 09:27:59AM +0100, Kirill Miazine wrote:
> >
> > Yet for some reason mine isn't being picked up -- even if I use wg0 instead
> > of wg1.
>
> Oh, sorry - I forgot the obvious part: you need to make sure your kernel
> has wg(4) support - it is not part of GENERIC on most architectures currently.

WireGuard is working and packets are flowing -- the "problem" is that it is
not enough to have /etc/ifconfig.wgN to have the system create and configure
wgN: I was reading ifconfig.if(5) and also /etc/rc.d/network, and my
conclusion was that I had to use net_interfaces, as wgN wouldn't be among
the interfaces present on the system and would either have to be created
first or specified in net_interfaces.

> You can either add it (I have it in GENERIC.local in my config dir) or make
> sure the module is loaded (by adding if_wg.kmod to /etc/modules.conf).

Does your custom kernel provide some wg devices initially?

> You can check it is in-kernel by something like:
>
> modstat | fgrep wg

# modstat |fgrep wg
if_wg driver filesys a0 24676 sodium,blake2s

> Martin

--
-- Kirill Miazine
Re: WireGuard setup in NetBSD 10
Hi, Martin

Thanks for sharing your configuration.

• Martin Husemann [2024-01-18 09:02]:
> On Thu, Jan 18, 2024 at 08:46:11AM +0100, Kirill Miazine wrote:
> > Hi, NetBSD users
> >
> > I've been setting up a NetBSD box, which has to be connected to the wider
> > WireGuard network. There's a while since I managed NetBSD, so I'd like to
> > ask for feedback as to whether current setup is considered a "proper" way of
> > setting up WireGuard on NetBSD:
> >
> > 1. Create files with WireGuard private key and pre-shared key
>
> Yes.

Good.

> > 2. Create ifconfig.wgN with lines to configure network address, and a bunch
> > of calls to wgconfig using !. Now while writing this email I discovered that
> > I can use $int variable in ifconfig.wgN file, and that made wgconfig calls a
> > lot cleaner.
>
> I use something like this as /etc/ifconfig.wg0:
>
> -8<-
> 192.168.2.42/24
> !wgconfig ${int} set private-key /etc/wg/${int}
> !wgconfig ${int} set listen-port 62345
> !wgconfig ${int} add peer . --allowed-ips=192.168.2.32/32
> # more similar "add peer" lines...
> up
> ->8-

Almost identical to mine, except that I use wg1 (because the network is
configured on wg1 on all the other peers).

> > 3. Add wgN to net_interfaces in rc.conf.
>
> No need to do that.

Good that you say so! Yet for some reason mine isn't being picked up -- even
if I use wg0 instead of wg1. So I'll have to dig further, then.

> Martin

--
-- Kirill Miazine
Re: WireGuard setup in NetBSD 10
On Thu, Jan 18, 2024 at 09:27:59AM +0100, Kirill Miazine wrote:
>
> Yet for some reason mine isn't being picked up -- even if I use wg0 instead
> of wg1.

Oh, sorry - I forgot the obvious part: you need to make sure your kernel
has wg(4) support - it is not part of GENERIC on most architectures currently.

You can either add it (I have it in GENERIC.local in my config dir) or make
sure the module is loaded (by adding if_wg.kmod to /etc/modules.conf).

You can check it is in-kernel by something like:

modstat | fgrep wg

Martin
Re: WireGuard setup in NetBSD 10
On Thu, Jan 18, 2024 at 08:46:11AM +0100, Kirill Miazine wrote:
> Hi, NetBSD users
>
> I've been setting up a NetBSD box, which has to be connected to the wider
> WireGuard network. There's a while since I managed NetBSD, so I'd like to
> ask for feedback as to whether current setup is considered a "proper" way of
> setting up WireGuard on NetBSD:
>
> 1. Create files with WireGuard private key and pre-shared key

Yes.

> 2. Create ifconfig.wgN with lines to configure network address, and a bunch
> of calls to wgconfig using !. Now while writing this email I discovered that
> I can use $int variable in ifconfig.wgN file, and that made wgconfig calls a
> lot cleaner.

I use something like this as /etc/ifconfig.wg0:

-8<-
192.168.2.42/24
!wgconfig ${int} set private-key /etc/wg/${int}
!wgconfig ${int} set listen-port 62345
!wgconfig ${int} add peer . --allowed-ips=192.168.2.32/32
# more similar "add peer" lines...
up
->8-

> 3. Add wgN to net_interfaces in rc.conf.

No need to do that.

Martin
WireGuard setup in NetBSD 10
Hi, NetBSD users

I've been setting up a NetBSD box, which has to be connected to the wider
WireGuard network. There's a while since I managed NetBSD, so I'd like to
ask for feedback as to whether current setup is considered a "proper" way of
setting up WireGuard on NetBSD:

1. Create files with WireGuard private key and pre-shared key

2. Create ifconfig.wgN with lines to configure network address, and a bunch
of calls to wgconfig using !. Now while writing this email I discovered that
I can use $int variable in ifconfig.wgN file, and that made wgconfig calls a
lot cleaner.

3. Add wgN to net_interfaces in rc.conf.

Does the above seem sensible?

The part which bothers me _a little_ is the last one with adding wgN to
net_interfaces, which also made me have to disable auto_ifconfig and thus
having to list also the normal network interface in net_interfaces. Mere
presence of ifconfig.wgN won't create and configure wgN, will it?

Thanks!

-- Kirill