Policy-based routing

Hello, I'm trying to set up a policy-based routing on a wireguard instance. I didn't want to call it server, because it acts more like a proxy. Let's say I have 6 peers plus this wireguard server. Peer 2  Peer 3   Peer 4  \/   \/   \/ __ | | | W

Re: Policy-based routing

could be possible to achieve the same results with just one interface. Bruno On 04/13/2018 11:09 PM, Jason A. Donenfeld wrote: Hi Bruno, You can't set multiple peers to use 0.0.0.0/0 at the same time on the same interface. How would it be able to choose which peer to send traffic to the

Re: MacOS app update needed

Any plans for some update? Regards Bruno Le 21/09/2022 à 09:52, Houman a écrit : Hi Simon, Not only that, even the repo https://github.com/WireGuard/wireguard-apple hasn't been updated since 27 Sep 2021. There are a number of useful contributions in the form of pull requests waiting t

Re: MacOS app update needed

e, but the question remained opened. I really admire your work and simply asked if something was planned. I understand you have priorities and won't bother you any longer. Regards. Bruno Le 22/09/2022 à 14:04, Lewis Donzis a écrit : - On Sep 22, 2022, at 6:43 AM, Jason A. Donenfeld

Windows Client - Issue with Tray Icon

ibility to synchronize the status? Thank you for this great VPN, Regards. Bruno

Windows Client - issue with LimitedOperatorUI rights

appears. But I don't want to force that reboot (I use SCCM and it don't like reboots before install is complete). So I think there is a first start issue that needs administrator rights even with LimitedOperatorUI  active. Regards, Bruno ps: I send another message (06/28) fo

[Windows Client] Out of date Title scare my users

Hi, Thank you again for your great work. I have a suggestion for the Windows Client (maybe applicable for others). I install Wireguard in my university on about 500 computers in 2 phases: Phase 1 : validation Phase 2 : production So my end users have not, most of the time, the last version.

Re: [Windows Client] Out of date Title scare my users

the english one? I don't know who leads this language translation, but I suggest him (or her) to change the Windows title "Obsolète" (out of date) to something softer, or nothing in the title just the update tab. Thank for your time too, Bruno ANDRY Le 25/11/2021 à 15:23, lazer

Re: [Windows Client] Out of date Title scare my users

ter or worse (though as Bruno said, it would be great if 5) is considered somewhere down the line). Since this route was chosen, I suggest that we also reword the update prompt itself as I feel that is equally responsible for users "freaking out". After all, it is literally telling us

Re: WireGuard Upstreaming Roadmap (November 2017)

On Thu, Dec 07, 2017 at 11:22:04 +0100, Stefan Tatschner wrote: Assuming I am right according the crypto agility, what's the upgrade path if any of the involved cryptographic algorithms will be declared insecure/broken? From my point of view wireguard tries to stay as simple as possible and in

Re: 34C3 - WireGuard Workshop - Dec 29th

On Thu, Dec 21, 2017 at 02:11:31 +0100, "Jason A. Donenfeld" wrote: https://events.ccc.de/congress/2017/wiki/index.php/Session:WireGuard Is this going to get recorded? ___ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mai

Netdev 2.2 video posted

The video from the netdev 2.2 talk has been posted on youtube: https://www.youtube.com/watch?v=3rAeStfIXgM I'm downloading it now and haven't reviewed it yet. ___ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo

Re: Question about Wireguard server

On Thu, Jan 04, 2018 at 16:51:19 -0500, Stoyan Mihov wrote: Greetings dear wireguards! I am running wireguard on ubuntu 16.04 server and LEDE on router. When I have everything set up on the router - I decided to upgrade to a newer version of LEDE. So I did, and then my router would not connect

gcc 8 warning

While there were a few other warnings about sibling call from callable instruction with modified stack frame, the following looked more significant if it isn't a gcc bug. CC [M] /home/bruno/WireGuard/src/crypto/chacha20poly1305.o In file included from ./include/linux/bitma

Re: Using WG for transport security in a p2p network

On Thu, Apr 05, 2018 at 09:13:03 +0200, Matthias Urlichs wrote: Hi, Another option would be to run insecure QUIC or SCTP on top of WireGuard, You cannot run SCTP on the Internet anyway. Too many routers block anything that's not TCP

Re: WG: Need for HW-clock independent timestamps

On Mon, May 21, 2018 at 15:53:10 +0200, Matthias Urlichs wrote: On 21.05.2018 14:35, Reto Brunner wrote: If you just want a single write cycle, then you loose the ability to graceful handle unexpected shutdowns. Why? Even if you increment the counter by 10'000 when restoring it, who's to say

Re: Wireguard doesn't work with Linux 4.18-rc1

On Sat, Jun 23, 2018 at 08:23:08 -0400, Jordan Glover wrote: Hi, I can't make wireguard work with linux 4.18-rc1 and mainline from 06.22.2018. It has been working for me. I use Fedora rawhide nodebug kernels and haven't noticed any problems with WireGuard. I build WireGuard from source (HE

Wireguard not building on pre-rc1 4.19 kernels (Fedora)

[bruno@cerberus src]$ make KERNELDIR=/lib/modules/4.19.0-0.rc0.git6.1.fc30.x86_64/build clean all CLEAN /home/bruno/WireGuard/src/.tmp_versions CLEAN /home/bruno/WireGuard/src/tools/{wg,*.o,*.d} CC [M] /home/bruno/WireGuard/src/main.o In file included from : /home/bruno/WireGuard/src

Re: Wireguard not building on pre-rc1 4.19 kernels (Fedora)

On Mon, Aug 20, 2018 at 14:43:53 +, Aaron Jones wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 This will be because Jason's RNG patch landed in mainline, but the kernel version number won't get bumped (so compat.h can use it properly) until 4.19 is released. Thanks. That was enou

Re: Wireguard not building on pre-rc1 4.19 kernels (Fedora)

Jason pushed a fix for this and now I am able to use vanilla WireGuard with 4.19 kernels. ___ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: [PATCH 0/7] Allow changing the transit namespace

On Sat, Sep 08, 2018 at 14:18:34 +0200, Julian Orth wrote: wg set transit-net The distinction is made based on the format of the argument. If it is an unsigned 32 bit integer, then it is interpreted as a process id. Otherwise it is interpreted as a file path. /proc does not need to be mount

Re: WireGuard for iOS - TestFlight

On Mon, Nov 05, 2018 at 22:27:24 +0100, "Jason A. Donenfeld" wrote: Hey folks, For the last few weeks, Roopesh and I have been hard at work on the WireGuard for iOS app. Today we're happy to share a I thought you went on vacation, as it was so quite since V8 got posted. _

The Linux Plumbers Conference videos are up

The links redirect to youtube. Zinc https://linuxplumbersconf.org/event/2/contributions/254/attachments/152/225/go WireGuard https://linuxplumbersconf.org/event/2/contributions/66/attachments/158/240/go ___ WireGuard mailing list WireGuard@lists.zx2c4.

Re: The Linux Plumbers Conference videos are up

On Tue, Dec 04, 2018 at 01:47:41 +0100, "Jason A. Donenfeld" wrote: Thanks Bruno. I've updated the webpage with these: https://www.wireguard.com/presentations/ I've never been able to find a link to the presentations starting from the main wireguard page. There is p

Re: The Linux Plumbers Conference videos are up

On Tue, Dec 04, 2018 at 18:55:49 +1100, Aleksa Sarai wrote: On 2018-12-04, Bruno Wolff III wrote: > Thanks Bruno. I've updated the webpage with these: > https://www.wireguard.com/presentations/ I've never been able to find a link to the presentations starting from the mai

Re: The Linux Plumbers Conference videos are up

On Tue, Dec 04, 2018 at 02:03:47 -0600, Bruno Wolff III wrote: Thanks. That explains why I can't get there, even though there is a path. That drop down appears to only work with javascript enabled, which I don't normally have enabled. This might be a gecko bug. When I use lynx

Re: Android and Manjaro road warriors behind dynamic IP addresses/Carrier Grade NAT?

On Sat, Dec 29, 2018 at 14:49:56 +0100, "Rene 'Renne' Bartsch, B.Sc. Informatics" wrote: Is there any way for Wireguard peers with static IP addresses to push endpoint information of all connected peers to all other peers? Or at least a hook which allows to dump changing endpoints into a file

Re: [ANNOUNCE] WireGuard Snapshot `0.0.20190123` Available

On Wed, Jan 23, 2019 at 21:32:20 +0100, "Jason A. Donenfeld" wrote: On Wed, Jan 23, 2019 at 2:40 PM Jason A. Donenfeld wrote: * netlink: use __kernel_timespec for handshake time This readies us for Y2038. See https://lwn.net/Articles/776435/ for more info. Sorry, I didn't realize that

Pre 5.1-rc1 build issue

Commit https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d2c5c103b1337f590b7edf1509a6e294bdf22402 removed net/netfilter/nf_nat_core.h, which breaks wireguard builds for 5.1.0-0.rc0.git5.2.fc31.x86_64. It sounds like it isn't needed any more from the commit message. _

Re: Pre 5.1-rc1 build issue

On Wed, Mar 13, 2019 at 13:38:18 -0500, Bruno Wolff III wrote: Commit https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d2c5c103b1337f590b7edf1509a6e294bdf22402 removed net/netfilter/nf_nat_core.h, which breaks wireguard builds for 5.1.0-0.rc0.git5.2.fc31.x86_64

Re: Pre 5.1-rc1 build issue

On Wed, Mar 13, 2019 at 14:44:33 -0600, "Jason A. Donenfeld" wrote: On Wed, Mar 13, 2019 at 12:53 PM Bruno Wolff III wrote: I got something that seems to be working. So I'm good until the real fixes are ready. Perhaps your [fake?!] fixes could become the real fixes if yo

[PATCH] net/netfilter/nf_nat_core.h was removed by d2c5c103b1337f590b7edf1509a6e294bdf22402

It looks like net/netfilter/nf_nat_core.h isn't needed any more and things seemed to work without it. --- src/compat/compat.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/compat/compat.h b/src/compat/compat.h index 7a61e4c1a5cd..2dcdbaeb0ad6 100644 --- a/src/compat/compat.h +++ b/src/

[PATCH] Merge two rcu types

Paul McKenney made it harder to mess up ending rcu sections with an incorrect function call by using the same functions to end multiple types of rcu sections. I replaced synchronize_rcu_bh with synchronize_rcu, rcu_barrier_bh with rcu_barrier and call_rcu_bh with call_rcu. I'm not sure how this s

[PATCH] net/netfilter/nf_nat_core.h was removed by d2c5c103b1337f590b7edf1509a6e294bdf22402

It looks like net/netfilter/nf_nat_core.h isn't needed any more and things seemed to work without it. --- src/compat/compat.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/compat/compat.h b/src/compat/compat.h index 7a61e4c1a5cd..2dcdbaeb0ad6 100644 --- a/src/compat/compat.h +++ b/src/

[PATCH] net/netfilter/nf_nat_core.h was removed by d2c5c103b1337f590b7edf1509a6e294bdf22402

It looks like net/netfilter/nf_nat_core.h isn't needed any more and things seemed to work without it. --- src/compat/compat.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/compat/compat.h b/src/compat/compat.h index 7a61e4c1a5cd..2dcdbaeb0ad6 100644 --- a/src/compat/compat.h +++ b/src/

[PATCH] net/netfilter/nf_nat_core.h was removed by d2c5c103b1337f590b7edf1509a6e294bdf22402

It looks like net/netfilter/nf_nat_core.h isn't needed any more and things seemed to work without it. --- src/compat/compat.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/compat/compat.h b/src/compat/compat.h index 7a61e4c1a5cd..2dcdbaeb0ad6 100644 --- a/src/compat/compat.h +++ b/src/

Re: [PATCH] net/netfilter/nf_nat_core.h was removed by d2c5c103b1337f590b7edf1509a6e294bdf22402

Sorry about the duplicates. I git confused trying to use git email-send. ___ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: [PATCH] Merge two rcu types

On Thu, Mar 14, 2019 at 00:16:08 -0500, Bruno Wolff III wrote: Paul McKenney made it harder to mess up ending rcu sections with an incorrect function call by using the same functions to end multiple types of rcu sections. There are a number of commits involved in this change, but this commit

Re: [PATCH] net/netfilter/nf_nat_core.h was removed by d2c5c103b1337f590b7edf1509a6e294bdf22402

On Thu, Mar 14, 2019 at 18:10:24 +1100, Aleksa Sarai wrote: For future reference, you want to send a patch series. The way I do it is I first generate all of the patches: Thanks. That isn't what I was trying to do here, but something I might do in the future. Here the two patches were separ

Re: [PATCH] net/netfilter/nf_nat_core.h was removed by d2c5c103b1337f590b7edf1509a6e294bdf22402

On Thu, Mar 14, 2019 at 00:14:52 -0500, Bruno Wolff III wrote: It looks like net/netfilter/nf_nat_core.h isn't needed any more and things seemed to work without it. I'll redo this one with a signed off by. Probably late tonight. ___

Re: [PATCH] Merge two rcu types

On Thu, Mar 14, 2019 at 07:32:11 -0500, Bruno Wolff III wrote: In case it isn't obvious, the patch I supplied is only good for 5.1+ kernels. I'm not sure how you wanted to handle doing compatibility for older kernels and didn't even have a good idea how to start. If I

[PATCH] net/netfilter/nf_nat_core.h was removed by d2c5c103b1337f590b7edf1509a6e294bdf22402

It looks like net/netfilter/nf_nat_core.h isn't needed any more and things seemed to work without it. Signed-off-by: Bruno Wolff III --- src/compat/compat.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/compat/compat.h b/src/compat/compat.h index 7a61e4c1a5cd..2dcdbaeb0ad6 1

Re: [PATCH] Merge two rcu types

On Thu, Mar 14, 2019 at 12:58:41 -0600, "Jason A. Donenfeld" wrote: IIRC, the _bh variant of those functions has been aliased to non-_bh since a few versions. Do you know the first time it was the same? At this point I don't know. I knew of the change because I usually like to watch Paul's t

Re: [PATCH] global: the _bh variety of rcu helpers have been unified

On Thu, Mar 14, 2019 at 23:14:39 -0600, "Jason A. Donenfeld" wrote: --- Hey Bruno, Based on your research, how does the below strike you? It's certainly not pretty, but I'm struggling to come up with a better solution. I think anything that doesn't try to keep t

Working on change for: genetlink: make policy common to family

Wireguard isn't building on 5.2 right now because of commit: 3b0f31f2b8c9fb348e4530b88f6b64f9621f83d6 genetlink: make policy common to family I've got Wireguard building, but need to do basic testing, then add a kernel version test in and do some other testing. If that all goes OK I'll submit a

Re: Working on change for: genetlink: make policy common to family

On Mon, May 13, 2019 at 14:52:13 -0500, Bruno Wolff III wrote: Wireguard isn't building on 5.2 right now because of commit: 3b0f31f2b8c9fb348e4530b88f6b64f9621f83d6 genetlink: make policy common to family I've got Wireguard building, but need to do basic testing, then add a kern

Re: Working on change for: genetlink: make policy common to family

On Mon, May 13, 2019 at 15:24:53 -0500, Bruno Wolff III wrote: On Mon, May 13, 2019 at 14:52:13 -0500, Bruno Wolff III wrote: Wireguard isn't building on 5.2 right now because of commit: 3b0f31f2b8c9fb348e4530b88f6b64f9621f83d6 genetlink: make policy common to family I've got

Re: Working on change for: genetlink: make policy common to family

On Mon, May 13, 2019 at 16:21:10 -0500, Bruno Wolff III wrote: On Mon, May 13, 2019 at 15:24:53 -0500, Bruno Wolff III wrote: On Mon, May 13, 2019 at 14:52:13 -0500, Bruno Wolff III wrote: Wireguard isn't building on 5.2 right now because of commit: 3b0f31f2b8c9fb348e4530b88f6b64f9621

Re: Working on change for: genetlink: make policy common to family

I think 8cb081746c031fb164089322e2336a0bf5b3070c netlink: make validation more configurable for future strictness, might be the other commit causing problems. Some nla functions have changed. It looks like renamed, deprecated versions of the functions will exist for a while. So it should be eas

Re: Working on change for: genetlink: make policy common to family

On Wed, May 15, 2019 at 05:50:14 -0500, Bruno Wolff III wrote: I think 8cb081746c031fb164089322e2336a0bf5b3070c netlink: make validation more configurable for future strictness, might be the other commit causing problems. Some nla functions have changed. It looks like renamed, deprecated

Re: Working on change for: genetlink: make policy common to family

Now I'm looking at: f6ad55a6a184ebdf3d98a90eab0895f73ce9797e Merge branch 'nla_nest_start', which looks like it might also cause a problem. ___ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Working on change for: genetlink: make policy common to family

On Wed, May 15, 2019 at 06:18:30 -0500, Bruno Wolff III wrote: Now I'm looking at: f6ad55a6a184ebdf3d98a90eab0895f73ce9797e Merge branch 'nla_nest_start', which looks like it might also cause a problem. Changing nla_nest_start to nla_nest_start_noflag didn't seem to h

Re: Working on change for: genetlink: make policy common to family

On Fri, May 17, 2019 at 13:12:07 +0200, "Jason A. Donenfeld" wrote: Thanks for getting this started. This commit should take care of it: https://git.zx2c4.com/WireGuard/commit/?id=7a83d1e6da8aa27da8fd4d06e6b7d11198c7c049 Thanks for the fix. I'm using it with Fedora's 5.2.0-0.rc0.git8.1.fc31.

Commit 4659d637e271d7f2814c6763035553331cca3a3f seems broken

I got builds error with 4659d637e271d7f2814c6763035553331cca3a3f, but not with dcca03f27879701d7377109517176a3aae86619f. [bruno@laptop2 src]$ make KERNELDIR=/lib/modules/5.3.0-0.rc6.git2.2.fc32.x86_64/build clean all CLEAN /home/bruno/WireGuard/src CLEAN /home/bruno/WireGuard/src

Re: WireGuard to port to existing Crypto API

Are there going to be two branches, one for using the current API and one using Zinc? ___ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard

ENDPROC and ENTRY changing in 5.5

There are a few commits changing ENTRY to SYM_FUNC_START and ENDPROC to SYM_FUNC_END and a few other related changes. A few example commits authored by Jiri Slaby: 6dcc5627f6aec4cb1d1494d06a48d8061db06a04 6d685e5318e51b843ca50adeca50dc6300bf2cbb 5e63306f1629527799e34a9814dd8035df6ca854 __

Re: ENDPROC and ENTRY changing in 5.5

On Thu, Dec 05, 2019 at 16:11:50 +0100, "Jason A. Donenfeld" wrote: Thanks. Fixes for this and two other 5.5 changes are in the master branch. Thanks. I confirmed it builds now. I'll be testing that it works in a few hours when I get back. If it doesn't, I'll let you know. _

wireguard-tools and "make all"

Is "make all" intentionally not provided in wireguard-tools? While you can do "make" instead of "make all", you need to run make twice to do the equivalent of "make clean all". ___ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.co

Wireguard is now in Linus' tree

Linus pulled in net-next about a half hour ago. So WireGuard is now officially upstream. Yeah! ___ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: WireGuard connecting hosts WAN->LAN

On Sat, Mar 14, 2020 at 16:33:44 +0100, Germano Massullo wrote: A simple question to Wireguard developers, since while asking for help in OpenWRT forum[1] I have been told that I am asking a thing that Wireguard cannot do, so I want to ask upstream if it is possible or not Scenario: A = intern

Re: Wireguard not available for CentOS Stream

On Mon, Jan 04, 2021 at 13:42:22 -0600, Joe Doss wrote: On 1/4/21 1:20 PM, Jack Craig wrote: how is fedora looking? is it stable enough for a small home network? It's in the Fedora kernel and I use it daily. It works great and it is very stable. Wireguard works fine in Fedora. I have two l

[WireGuard] Using wireguard link as a proxy?

I am trying to test using a wireguard link as a proxy and I am having trouble. On the source machine I am trying to route packets through wg0 using a routing entry that has the remote end point tunnel address on a via command. The idea is to have the packets sent through the tunnel and then to d

Re: [WireGuard] Using wireguard link as a proxy?

On Fri, Jul 22, 2016 at 10:18:21 +0200, Baptiste Jonglez wrote: Yes, the notion of "immediate next destinaton" does not make sense for Wireguard. It encapsulates plain IP, not Ethernet. I thought that the next IP address might have been available for wireguard to see as the information see

Re: [WireGuard] Using wireguard link as a proxy?

On Fri, Jul 22, 2016 at 11:32:11 +0200, Baptiste Jonglez wrote: Ok, excellent! Wireguard really doesn't care or even know about the source NAT you may apply on the server (well, at least when thinking about it at a high level). I got this working now. I need to work a bit on setting up the

Re: [WireGuard] Using wireguard link as a proxy?

On Fri, Jul 22, 2016 at 14:42:52 +0200, "Jason A. Donenfeld" wrote: I usually do something like: wg set wg0 peer ABCD allowed-ips 0.0.0.0/0 ip route add 0/1 dev wg0 ip route add 128/1 dev wg0 The idea I am working on now is to use policy writing and rules, so that packets sent to the proxy

Re: [WireGuard] Using wireguard link as a proxy?

On Fri, Jul 22, 2016 at 23:35:02 +0800, Quan Zhou wrote: I happen to have a similar problem, using `AllowedIPs = 0.0.0.0/0` on both sides of a wireguard link works, but when I try to add more peers, all but one gets `(none)`. I know this is by design, but it would be sweet if I can manually set

Re: [WireGuard] Using wireguard link as a proxy?

On Fri, Jul 22, 2016 at 17:30:37 +0200, "Jason A. Donenfeld" wrote: $ ip rule add to 1.2.3.4 lookup main pref 30 $ ip rule add to all lookup 80 pref 40 $ ip route add default dev wg0 table 80 OK. That is more or less what I am doing. I was trying to name the routing table because I saw that

Re: [WireGuard] Using wireguard link as a proxy?

On Fri, Jul 22, 2016 at 17:30:37 +0200, "Jason A. Donenfeld" wrote: $ ip rule add to 1.2.3.4 lookup main pref 30 $ ip rule add to all lookup 80 pref 40 $ ip route add default dev wg0 table 80 This thread might interest you: http://marc.info/?l=linux-netdev&m=145452157719655&w=2 While this

Re: [WireGuard] Using wireguard link as a proxy?

On Fri, Jul 22, 2016 at 13:05:27 -0500, Bruno Wolff III wrote: So for a real example that appears to be working, my systemd service I had another issue and that is the proxy server was used for some other services and I didn't want to connect to those from outside the tunnel. So I w

Re: [WireGuard] Using wireguard link as a proxy?

On Sat, Jul 23, 2016 at 11:36:37 -0500, Bruno Wolff III wrote: The explanations for marking and policy routing aren't explicit about how you need to handle the source address issue and why it happens, though there are lots of mentions that there are problems related to the source ad

Re: [WireGuard] Using wireguard link as a proxy?

On Mon, Jul 25, 2016 at 14:57:56 +0200, "Jason A. Donenfeld" wrote: Hi Bruno, Jeeze louise. Seems woefully complex. Inspired by your attempts here, I thought of another method involving network namespaces that you might consider instead. Voila: https://www.wireguard.io/netns/ So

Re: [WireGuard] Fedora WireGuard RPMs

On Wed, Aug 17, 2016 at 14:39:16 -0500, Joe Doss wrote: Also, SELinux is set enforcing by default on Fedora. I am not sure if that is going to cause any issues either. Users run unconfined (technically there are confined by a policy that lets them do almost anything) so generally there won

Re: [WireGuard] wg set - unexpected change of routes

On Tue, Aug 30, 2016 at 07:44:54 +0100, Ivan Labáth wrote: I think repeating subnets in different peers is most probably an error and in such circumstances the most useful action would be to fail and report it as such. Except in some cases it is convenient to use a large network for one peer

Re: [WireGuard] auth-only wireguard

On Wed, Oct 05, 2016 at 19:12:57 -0700, Jehan Tremback wrote: Are there any plans, or would you even consider, adding an option to WireGuard to disable encryption, and only authenticate packets? I'm assuming that an authentication-only mode would be significantly faster (maybe I'm wrong though)

Re: [WireGuard] auth-only wireguard

On Thu, Oct 06, 2016 at 19:32:36 +0200, "Jason A. Donenfeld" wrote: On Thu, Oct 6, 2016 at 5:03 PM, Bruno Wolff III wrote: Without encryption you authentication won't be useful against attackers that can modify packets or insert packets with the source address of your contact

Kernel commit d35a00b8e33dab7385f724e713ae71c8be0a49f4 breaks wireguard

When building wireguard for Fedora's 4.11.0-0.rc0.git4.2.fc26.x86_64 kernel I get the following error: /home/bruno/WireGuard/src/device.c: In function ‘open’: /home/bruno/WireGuard/src/device.c:44:9: error: ‘struct inet6_dev’ has no member named ‘addr_gen_mode’ dev_v6->addr_

Re: Kernel commit d35a00b8e33dab7385f724e713ae71c8be0a49f4 breaks wireguard

On Mon, Feb 27, 2017 at 12:10:41 -0800, "Jason A. Donenfeld" wrote: Hey Bruno, This has now been fixed in the repo. Note that since rc1 hasn't been released, you'll need to adjust the kernel's make file to show 4.11 yourself. Alternatively, just wait a few days

Re: Kernel commit d35a00b8e33dab7385f724e713ae71c8be0a49f4 breaks wireguard

On Mon, Feb 27, 2017 at 14:22:05 -0600, Bruno Wolff III wrote: I think Fedora already does that. The build gets further, but it looks like another structure change is breaking things as well. I'll see if I can verify the change and get you the commit number. In the meantime here

Re: Kernel commit d35a00b8e33dab7385f724e713ae71c8be0a49f4 breaks wireguard

On Mon, Feb 27, 2017 at 14:10:18 -0800, "Jason A. Donenfeld" wrote: Thanks! I wasn't compiling with the options to hit this, so I didn't see it before. Should be fixed now. Thank you. It now builds cleanly and it at least appears to be working correctly in simple testing. _

Re: Kernel commit d35a00b8e33dab7385f724e713ae71c8be0a49f4 breaks wireguard

On Mon, Feb 27, 2017 at 16:14:44 -0600, Bruno Wolff III wrote: On Mon, Feb 27, 2017 at 14:10:18 -0800, "Jason A. Donenfeld" wrote: Thanks! I wasn't compiling with the options to hit this, so I didn't see it before. Should be fixed now. Thank you. It now builds cle

Re: Kernel commit d35a00b8e33dab7385f724e713ae71c8be0a49f4 breaks wireguard

On Mon, Feb 27, 2017 at 15:03:45 -0800, "Jason A. Donenfeld" wrote: Fixed Thanks! I rebuilt the latest version on both 4.11 and 4.10 Fedora kernels and it seems to be working as expected. ___ WireGuard mailing list WireGuard@lists.zx2c4.com https

Wireguard is not building on Fedora with 4.12 rc1 kernels

It looks like the test for memneq is broken and both the kernel and compat versions get used at the same time. [bruno@cerberus src]$ make make -C /lib/modules/4.12.0-0.rc1.git0.1.fc27.x86_64/build M=/home/bruno/WireGuard/src modules make[1]: Entering directory '/usr/src/kernels/4.12.0-

Re: Wireguard is not building on Fedora with 4.12 rc1 kernels

On Wed, May 17, 2017 at 17:16:20 +0200, "Jason A. Donenfeld" wrote: Hi again, I think I might have fixed this. git fetch && git reset --hard origin/master And then see if it builds now? It builds now. In about 15 minutes I'll have it tested. ___

Re: Wireguard is not building on Fedora with 4.12 rc1 kernels

On Wed, May 17, 2017 at 10:25:46 -0500, Bruno Wolff III wrote: On Wed, May 17, 2017 at 17:16:20 +0200, "Jason A. Donenfeld" wrote: Hi again, I think I might have fixed this. git fetch && git reset --hard origin/master And then see if it builds now? It builds now. I

Re: Compatibiliyt issues between 0.0.20170115 and 0.0.20170517

On Thu, May 18, 2017 at 15:39:48 -0400, Daniel Kahn Gillmor wrote: On Thu 2017-05-18 20:43:11 +0200, Jason A. Donenfeld wrote: Only use 0.0.20170517. i think this was the first incompatible revision that has been released. is that correct? No. There have been a few incompatible upgrades.

Re: I will mail you WireGuard stickers

On Thu, May 18, 2017 at 15:17:35 +0200, "Jason A. Donenfeld" wrote: Today an order of WireGuard stickers arrived. If you've come to any conferences where there's been a WireGuard talk, then you've undoubtedly gotten some stickers. If not, however, you might be missing out. Want me to send you

Looks like 4.13 introduces a new incompatibility

With Fedora's 4.13.0-0.rc0.git3.1.fc27 kernel, master no longer compiles. It is still a week before rc1 and I can use 4.12 on the relevant machines, but I thought I'd give a heads up. [bruno@wolff src]$ make clean all make -C /lib/modules/4.13.0-0.rc0.git3.1.fc27.i686+PAE/build M=/

Re: Looks like 4.13 introduces a new incompatibility

On Mon, Jul 10, 2017 at 04:01:04 +0200, "Jason A. Donenfeld" wrote: Hey Bruno, Thanks for the heads up. Does this fix it? https://git.zx2c4.com/WireGuard/commit/?id=dd007ad550b3def8a858e57aa718af9b00047a28 It looks like it fixed the problem. (At least device.o gets built.) But

Re: Looks like 4.13 introduces a new incompatibility

On Mon, Jul 10, 2017 at 05:03:42 +0200, "Jason A. Donenfeld" wrote: I need to annoy Ted Tso about this. It'll get merged for rc1 or rc2. OK. I'll confirm when it builds again. I might try it out early if Tso has it in a public develoment tree before it gets to Linus' tree. This might show

Re: Looks like 4.13 introduces a new incompatibility

On Mon, Jul 10, 2017 at 05:26:50 +0200, "Jason A. Donenfeld" wrote: These two commits: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/random.git/patch/?id=e297a783e41560b44e3c14f38e420cba518113b8 https://git.kernel.org/pub/scm/linux/kernel/git/tytso/random.git/patch/?id=da9ba564bd683374

Re: Looks like 4.13 introduces a new incompatibility

On Mon, Jul 10, 2017 at 05:03:42 +0200, "Jason A. Donenfeld" wrote: I need to annoy Ted Tso about this. It'll get merged for rc1 or rc2. Linus merged it a couple of hours ago, so it will make rc1. I'll be able to use Fedora kernels again early next week. I'm going to build another kernel m

Compile time assertion failure

I'm seeing the following: [bruno@wolff src]$ make clean all make -C /lib/modules/4.13.0-0.rc3.git0.1.fc27.i686+PAE/build M=/home/bruno/WireGuard/src clean make[1]: Entering directory '/usr/src/kernels/4.13.0-0.rc3.git0.1.fc27.i686+PAE' CLEAN /home/bruno/WireGuard/src/.tmp_

Re: Compile time assertion failure

The problem seems to have been triggered by a recent (in the last few commits) rather than by a change to the Fedora kernel. ___ WireGuard mailing list WireGuard@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/wireguard

Re: Compile time assertion failure

On Wed, Aug 02, 2017 at 07:24:30 -0500, Bruno Wolff III wrote: The problem seems to have been triggered by a recent (in the last few commits) rather than by a change to the Fedora kernel. It starts happening with the following commit: commit 18fe2082601b79cb27936b5910d2ef36cc94d5d3 (HEAD

Re: Compile time assertion failure

On Wed, Aug 02, 2017 at 14:38:59 +0200, "Jason A. Donenfeld" wrote: Thanks for the report. Looks like I was relying on optimization behavior of a gcc newer than yours. I'll revert. commit 107735eaea0f48c1f5bfc0a6ca82f1879a850b98 (HEAD -> master, origin/master, origin/HEAD) Author: Jason A.

Re: trouble installing on Fedora and CentOS

On Tue, Aug 08, 2017 at 12:58:58 -0700, adam souzis wrote: The bad news is I was unable to get Wireguard working on either CentOS 7, Fedora 26 or Fedora 25 (running these on AWS), it doesn't appear to be installing the kernel module properly. I run it on rawhide (Fedora 27 effectivel) by bui

crypto routing with subnets?

I want to try to route a local network over wireguard through my router while not breaking a direct connection from my server while I'm testing the new setup. And I'm wondering if I'm going to need two wg devices or if I can use one? On the destination the config would be something like: [peer

Re: crypto routing with subnets?

On Fri, Oct 20, 2017 at 20:02:43 +0200, "Jason A. Donenfeld" wrote: Hi Bruno, Fortunately the inquires of this email are things that you could figure out simply by trying, so if you want to learn-by-doing, you can stop reading here and finish reading afterward. I'm doing tha

Re: Fixing wg-quick's DNS= directive with a hatchet

On Fri, Oct 27, 2017 at 17:02:55 +0200, "Jason A. Donenfeld" wrote: I don't even... Are they serious? Who knows, but I've gotten a lot of these, some via IRC, some sent to t...@wireguard.com. Kind of disheartening to receive, but at least their complaints, however rude, are something addressab

Re: wg showconf

On Sun, Nov 05, 2017 at 01:05:18 +0100, Markus Woschank wrote: I imaging specifying an endpoint IP for a peer and than discovering that it connected from a different IP may be surprising to some. I generally prefer for things to break if I configure them the wrong way and not work "sometimes"

  1   2   >