Re: Wireguard Plugin for NM

2018-02-18 Thread Thomas Haller
On Thu, 2018-02-15 at 16:07 +0100, Jason A. Donenfeld wrote:
> Hi Thomas,
> 
> Upstream WireGuard here.

Hi Jason,

thanks for reaching out.


> > I still think, it would be great to have wireguard support in
> > NetworkManager not via a VPN plugin. But that is for another day.
> 
> I fully agree, and I'd be happy to work with you on doing this, if
> you're interested. For this, you can either attempt to reuse the
> systemd-networkd stuff, or roll it yourself, likely using some
> derivative of this code:
> https://lists.zx2c4.com/pipermail/wireguard/2018-February/002387.html
> . It doesn't look like you're using any of the systemd netlink
> library
> stuff now, so it may indeed be best to roll it yourself.
> 
> I've been suggesting to Max that he makes his plugin talk to the
> kernel directly, because the current implementation of shelling out
> to
> wg-quick has numerous problems and so the current plugin shouldn't be
> used as is. But hopefully it'll get there.
>
> Are you interested in working on real non-plugin NetworkManager
> integration? If so, maybe find me on freenode (I'm zx2c4), and we can
> discuss.


Yes, we are interested in that, but currently nobody did any work on
that (AFAIK). But once somebody picks it up, it should be doable
quickly.

As wireguard support got added to networkd, I supposed the netlink API
is reasonably stable? We were still waiting until the kernel part is
merged upstream. But that is not a blocker, merely a reason for
wireguard support not having a sufficiently high priority to implement
it -- until now.


Looking forward for that,

best,
Thomas



===

PS: a few details that might help with implementation. 


I think it would be a better experience if wireguard would be directly
supported by NetworkManager. The main reason for that is that the VPN
API is not as powerful as it should be, so VPN plugins unfortunately
feel a bit alien. That should possibly be improved. But there is really
no strong reason why wireguard has to be a VPN "plugin". It certainly
is more complex to get a great experience and the only benefit seems to
be that it's maintained outside of NetworkManager's source tree.


NetworkManager knows "device plugin". These are shared libraries loaded
by NM to support certain device types. There is no stable ABI, hence
all plugins must be in-tree and match NM's version. The use of them is
mainly to reduce package dependencies of the core NetworkManager
package, and reduce the binary size if you don't need it. Device plugin
sources are sub directories in [1]. Essentially, device plugins consist
of subclass of NMDevice and a factory to create them.

Since a wireguard plugin has no external dependencies, probably it
shouldn't be a "device plugin" but just statically linked into the core
daemon. The only downside would be an increase of the binary size --
which is probably better than the burden of a separate package. All you
need is a "nm-device-wireguard.c" file in [1].

Maybe looking at "NMDeviceMacsec" would be a good start [2].

[1] 
https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/devices?id=7621fe4e1a6da7d61fe9e9398937bc5dd536c8be
[2] 
https://cgit.freedesktop.org/NetworkManager/NetworkManager/log/?h=1a24f528c8645148e9612adff34d6edf70fdbb34


What is also needed, is how clients (nmcli, nm-connection-editor)
configure a wireguard setting. That commonly works by having a
"NMSettingWireguard" in libnm-core to contain all properties relevant
for wireguard. Unfortunately, it tends to be a bit cumbersome to
implement these setting classes. See also [2] for how it was done for
Macsec. Wireguard's peers are complex objects, similar to
NMSettingIPConfig's NMIPRoute/NMIPAddress.


I think NM would not re-use systemd's netlink implementation.
We fork (copy + paste) parts of systemd's source tree [3], but we only
use the parts that we really want from there (like DHCPv4, DHCPv6,
LLDP). We don't use any netlink related systemd API directly,
and I think we shouldn't.
The main reason is that we already have our way to handle netlink
(which works quite well). Switching to systemd API would be a large
effort, only to end up with something that is less flexible to our
needs.

[3] 
https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/systemd/src?id=7621fe4e1a6da7d61fe9e9398937bc5dd536c8be



The embeddable-wg-library is very nice! and we certainly should look at
that for inspiration, same for the networkd code. But I think we should
take the relevant netlink parts and extend our existing netlink code.


We are about to drop using libnl3 [4]. I personally think that netlink
is convenient enough, hence for a large project like NetworkManager it
seems preferable to craft our own netlink code that suits our needs
best.

[4] https://github.com/NetworkManager/NetworkManager/pull/67


We need to support rtnetlink for wireguard, which all happens in
NMPlatform [5] [6].

[5] 
https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/p

Re: Wireguard Plugin for NM

2018-02-15 Thread Jason A. Donenfeld
Hi Thomas,

Upstream WireGuard here.

> I still think, it would be great to have wireguard support in
> NetworkManager not via a VPN plugin. But that is for another day.

I fully agree, and I'd be happy to work with you on doing this, if
you're interested. For this, you can either attempt to reuse the
systemd-networkd stuff, or roll it yourself, likely using some
derivative of this code:
https://lists.zx2c4.com/pipermail/wireguard/2018-February/002387.html
. It doesn't look like you're using any of the systemd netlink library
stuff now, so it may indeed be best to roll it yourself.

I've been suggesting to Max that he makes his plugin talk to the
kernel directly, because the current implementation of shelling out to
wg-quick has numerous problems and so the current plugin shouldn't be
used as is. But hopefully it'll get there.

Are you interested in working on real non-plugin NetworkManager
integration? If so, maybe find me on freenode (I'm zx2c4), and we can
discuss.

Regards,
Jason
___
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list


Re: Wireguard Plugin for NM

2018-02-15 Thread Maximilian Moser

Hey Thomas,



> I added a link to https://wiki.gnome.org/Projects/NetworkManager/VPN

Pretty damn cool, thanks!

> I still think, it would be great to have wireguard support in
> NetworkManager not via a VPN plugin. But that is for another day.

Yeah, maybe we're not so far away from that point (excerpt from the
wireguard mailing list):

> This is wonderful news. I'm happy to work with you to make sure this
> comes out perfectly, and maybe when it's finished we can submit it
> upstream to NetworkManager, similar to how systemd-networkd now has
> WireGuard support built-in.
>
> last time i looked, network-manager included a local copy of a big chunk
> of systemd code.  so it's possible that a newer version of
> network-manager will already have the systemd-networkd code available to
> it, and you just need to hook into it correctly from the nm internals.
>
>  --dkg



Best regards,

Max


On 15/02/18 12:39, Thomas Haller wrote:
> On Tue, 2018-02-13 at 13:20 +0100, Maximilian Moser wrote:
> > Good day, ladies and gentlemen!
> >
> > It has been a while, but recently I have finally found time to work
> > on
> > the VPN Plugin for Wireguard for my Bachelor's thesis.
> > The project is based on the OpenVPN plugin (which means it's more or
> > less pure C) and can now be found on github:
> > https://github.com/max-moser/network-manager-wireguard
> >
> > At this point, I'd like to thank Manuel Schölling and Thomas Haller
> > for
> > indirectly providing me with hints regarding the completion of
> > connection set-up (SetConfig(), anyone?) through their mail exchange!
>
> Hi Maximilian,
>
> cool, thanks for letting us know.
>
> I added a link to https://wiki.gnome.org/Projects/NetworkManager/VPN
>
> I still think, it would be great to have wireguard support in
> NetworkManager not via a VPN plugin. But that is for another day.
>
> best,
> Thomas




Re: Wireguard Plugin for NM

2018-02-15 Thread Thomas Haller
On Tue, 2018-02-13 at 13:20 +0100, Maximilian Moser wrote:
> Good day, ladies and gentlemen!
> 
> 
> It has been a while, but recently I have finally found time to work
> on 
> the VPN Plugin for Wireguard for my Bachelor's thesis.
> The project is based on the OpenVPN plugin (which means it's more or 
> less pure C) and can now be found on github: 
> https://github.com/max-moser/network-manager-wireguard
> 
> At this point, I'd like to thank Manuel Schölling and Thomas Haller
> for 
> indirectly providing me with hints regarding the completion of 
> connection set-up (SetConfig(), anyone?) through their mail exchange!

Hi Maximilian,


cool, thanks for letting us know.

I added a link to https://wiki.gnome.org/Projects/NetworkManager/VPN


I still think, it would be great to have wireguard support in
NetworkManager not via a VPN plugin. But that is for another day.


best,
Thomas



Wireguard Plugin for NM

2018-02-13 Thread Maximilian Moser

Good day, ladies and gentlemen!


It has been a while, but recently I have finally found time to work on 
the VPN Plugin for Wireguard for my Bachelor's thesis.
The project is based on the OpenVPN plugin (which means it's more or 
less pure C) and can now be found on github: 
https://github.com/max-moser/network-manager-wireguard


At this point, I'd like to thank Manuel Schölling and Thomas Haller for 
indirectly providing me with hints regarding the completion of 
connection set-up (SetConfig(), anyone?) through their mail exchange!



Of course, there is still a ton of issues open, of which only a few are:

* it currently uses wg-quick with temporary files to set up the
connection instead of directly implementing its logic
* the Editor UI does not make use of the IPv4 and IPv6 tabs
* configuration items are stored as details, not secrets
* after setting up the connection, one could implement a ping to a known
host and tear down the connection again if that fails?
* no translation


The basic workflow however is functional:

* creating a new Connection via nm-connection-editor (and of course 
updating connections)

* import and export of wg-quick formatted conf files
* setting up a live connection from what was stored (a basic 
wireguard-demo[1] connection was tried)



Also, I have added a bit of documentation about the rough workings of 
the plugin (see README.md on the project page).
So, I guess that's that. In case anyone is interested, feel free to 
check it out and maybe even help improve it!



Best regards,

Max Moser


[1]: https://www.wireguard.com/quickstart/#demo-server

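Max's list of open issues mentions that the plugin imports and exports wg-quick formatted conf files and that configuration items are stored as details rather than secrets. As an added example (not code from the network-manager-wireguard plugin or from NetworkManager), here is a small Python parser for the wg-quick format that routes PrivateKey and PresharedKey into a separate secrets store and can write the file back out; the sample config, its key values and its endpoint are constructed placeholders.

```python
SECRET_KEYS = {"PrivateKey", "PresharedKey"}  # must never be stored as plain details
# Constructed sample wg-quick config; the key values are placeholders, not real keys.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY_NOT_A_REAL_KEY=
Address = 10.0.0.2/32, fd00::2/128

[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY_NOT_REAL=
PresharedKey = PLACEHOLDER_PSK_NOT_A_REAL_KEY=
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = demo.example.invalid:51820  # constructed endpoint, not a real host
"""

def parse_wg_quick(text):
    """Split a wg-quick .conf into (details, peers, secrets); secrets kept apart."""
    details, peers, secrets = {}, [], {}
    target = None  # dict receiving the non-secret keys of the current section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line: continue
        if line[0] == "[" and line[-1] == "]":
            name = line[1:-1].strip().lower()
            if name not in ("interface", "peer"):
                raise ValueError(f"unknown section [{name}]")
            if name == "peer":
                peers.append({})
            target = details if name == "interface" else peers[-1]
            continue
        if target is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (p.strip() for p in line.split("=", 1))  # value may hold '='
        if key in SECRET_KEYS:  # route to the secrets store, tagged with its peer index
            secrets[(f"peer{len(peers) - 1}." if target is not details else "") + key] = value
        elif key in target:  # wg-quick allows repeating a key, e.g. AllowedIPs
            target[key] = f"{target[key]}, {value}"
        else:
            target[key] = value
    return details, peers, secrets

def export_wg_quick(details, peers, secrets):
    # Re-assemble a wg-quick .conf; the secrets are merged back in only here.
    out = ["[Interface]", f"PrivateKey = {secrets['PrivateKey']}"]
    out += [f"{k} = {v}" for k, v in details.items()]
    for i, peer in enumerate(peers):
        out += ["", "[Peer]"] + [f"{k} = {v}" for k, v in peer.items()]
        psk = secrets.get(f"peer{i}.PresharedKey")
        if psk:
            out.append(f"PresharedKey = {psk}")
    return "\n".join(out) + "\n"
```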