[WireGuard] emerge failed once :-|

2016-11-07 Thread Kalin KOZHUHAROV
I was updating @world and wireguard unexpectedly failed... Unfortunately I only saved the build log, attached here. A second attempt merged it without issues, which is kind of bothering. I'll keep an eye and gather more info, if it fails again. Portage 2.3.0 (python 2.7.10-final-0,

[WireGuard] RFE: A notion of VERSION (was: Debugging AllowedIps)

2016-11-14 Thread Kalin KOZHUHAROV
Hi Jason, On Mon, Nov 14, 2016 at 11:28 AM, John Huttley wrote: > RFE: when the module loads and prints its test at startup, please print its > version and compile flags as well. > I second that! There is not (yet) a notion of VERSION in the code, better not wait till

[WireGuard] luci-proto-wireguard: missing input fields #854

2016-11-18 Thread Kalin KOZHUHAROV
Just a note to the ML, current luci integration needs a bit more polishing (or I don't understand wireguard) I filed an issue at https://github.com/openwrt/luci/issues/854 Cheers, Kalin. ___ WireGuard mailing list WireGuard@lists.zx2c4.com

Re: [WireGuard] Wireguard in OpenWRT/LEDE: FYI: Pull Request

2016-11-16 Thread Kalin KOZHUHAROV
On Wed, Nov 16, 2016 at 5:15 PM, Baptiste Jonglez wrote: > On Tue, Nov 15, 2016 at 05:01:14PM +0100, Dan Lüdtke wrote: >> thanks for the various feedback, guys! Here is the next round: >> >> https://github.com/openwrt/packages/pull/3514 > > This one is now merged,

Re: [WireGuard] What is a good way to ingrate (as of now) wireguard into openrc in Gentoo?

2016-11-20 Thread Kalin KOZHUHAROV
Hello Jason, Thanks for the answer! On Sat, Nov 19, 2016 at 10:14 AM, Jason A. Donenfeld wrote: > Funny enough, I can't remember the exact interworkings of that script, > because I didn't write it. A guy named zhasha in #wireguard did. I'll > ask him to document it; that could

Re: DMVPM appreciation

2016-12-03 Thread Kalin KOZHUHAROV
Hmm... Really good high level theory ... On Sun, Dec 4, 2016 at 3:07 AM, John Huttley wrote: > So lets consider a simplified case > A <-> B <-> C > > A is sending a lot of data to C. > > Policy triggers starting a direct A <-> C tunnel. > > We need public key and

Re: Ephemeral key lifetime & system sleep

2016-12-07 Thread Kalin KOZHUHAROV
On Thu, Dec 8, 2016 at 7:04 AM, Daniel Kahn Gillmor wrote: > I think scrubbing the ephemeral keys prior to suspend is the right thing > to do. It's simpler to reason about, sounds straightforward to > implement, the usability cost isn't that great, and it's likely to be >

Re: snapshot 0.0.20170628 broken?

2017-06-29 Thread Kalin KOZHUHAROV
On Thu, Jun 29, 2017 at 6:42 PM, Jason A. Donenfeld wrote: > He said already: 20170613 Ooops! Sorry about the noise, time for evening coffee it seems ;-/ Kalin.

Re: snapshot 0.0.20170628 broken?

2017-06-29 Thread Kalin KOZHUHAROV
Hello Reuben, And what was the last good version that was working in this same setup? Kalin.

Re: potential preshared-key changes

2017-04-28 Thread Kalin KOZHUHAROV
I finally read through all the thread :-D (and very good write-up, Mathias!) Obeying the KISS principle, while erring on security should lead to "per-client PSK", the proposed method. I see some scenarios where the current method (per-iface) works better, mainly in small private VPNs, usually

Re: Any tool to study the wireguard effect on Bandwidth, memory and processing power.

2017-08-01 Thread Kalin KOZHUHAROV
On Tue, Aug 1, 2017 at 8:42 AM, Sahil Gupta wrote: > Is there any tool which helps to study the effect on using WireGuard VPN on > different OS(including embedded)? > https://github.com/esnet/iperf/ and related. Kalin.

Re: Can't seem to split tunnel using tables the way I can in OpenVPN

2017-05-25 Thread Kalin KOZHUHAROV
On Thu, May 25, 2017 at 7:13 PM, B wrote: > And BTW, it is much more dangerous to reveal your keys on the Ternet > than your endpoint IP address… > That just made my day, LoL! I could not help posting it on twitter: https://twitter.com/thinrope/status/867801802724569088

Re: Can't seem to split tunnel using tables the way I can in OpenVPN

2017-05-25 Thread Kalin KOZHUHAROV
Hello Jean-Yves, I apologize for the misunderstanding, I completely agree with your advice! I guess the adding of "LoL" at the end didn't make that clearer, I just re-read my tweet. Thinking about it, I was re-editing it quite a few times to make it fit the length restriction and the end result

Re: List of commercial WireGuard offerings

2017-09-12 Thread Kalin KOZHUHAROV
Great! On Tue, Sep 12, 2017 at 12:14 AM, Jason A. Donenfeld wrote: > Many people have asked me which companies have commercial for-profit > WireGuard offerings. Offhand I can think of 3 at the moment: > > https://www.mullvad.net/guides/wireguard-and-mullvad-vpn/ >

Re: Roaming Mischief

2017-11-14 Thread Kalin KOZHUHAROV
On Tue, Nov 14, 2017 at 2:53 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote: > > On Nov 14, 2017, at 4:30 AM, Kalin KOZHUHAROV <me.ka...@gmail.com> wrote: >> As for the syntax, and I hate to suggest that, adding a new option >> (breaking compatibility) like "

Re: Fixing wg-quick's DNS= directive with a hatchet

2017-10-25 Thread Kalin KOZHUHAROV
On Thu, Oct 26, 2017 at 12:43 AM, Jason A. Donenfeld wrote: > The hatchet works as follows. On interface addition: > > # echo nameserver 1.2.3.4 > /etc/resolv.conf.wg-quick.wg0 > # [ -f /etc/resolv.conf ] || touch /etc/resolv.conf > # mount -o ro --bind

Re: [PATCH] wg-quick: use bind mount for DNS when no openresolv

2017-10-25 Thread Kalin KOZHUHAROV
Just nitpicking on your spellchecker... On Thu, Oct 26, 2017 at 3:32 AM, Jason A. Donenfeld wrote: > + echo "# poses problems, run \`unmount /etc/resolv.conf\`." should be + echo "# poses problems, run \`umount /etc/resolv.conf\`." Kalin.

Re: WG interface to ipv4

2018-05-07 Thread Kalin KOZHUHAROV
I've written that yesterday, but forgot to post it, it was left in the Drafts... While some of the content was touched upon already, so I tried to edit it to reflect the current state of this thread... On Sun, May 6, 2018 at 3:21 AM, Jason A. Donenfeld wrote: > On Sat, May 5,

Re: WG interface to ipv4

2018-05-05 Thread Kalin KOZHUHAROV
On Sat, May 5, 2018 at 10:18 AM, ѽ҉ᶬḳ℠ wrote: > I like to keep things neat/controlled and any necessary open socket is only > sticking out like a sore (wondering why it is opened when not wanted for). > It would certainly instill more confidence in network security/control if it >

Re: Need for HW-clock independent timestamps

2018-05-11 Thread Kalin KOZHUHAROV
On Sat, May 12, 2018 at 12:07 AM, Axel Neumann wrote: > We have the following chicken-egg problem: > We are using WG on openwrt devices which do not have a hardware clock so > that time is reset after each reboot. > Because internet access shall be routed via WG tunnels the

Re: Need for HW-clock independent timestamps

2018-05-15 Thread Kalin KOZHUHAROV
On Tue, May 15, 2018 at 10:21 PM, Devan Carpenter wrote: > Aaron Jones transcribed 3.1K bytes: >> On 12/05/18 19:29, Axel Neumann wrote: >> > You want WG to secure your network. So the suggestion can not be to open >> > your network for a pretty insecure daemon in order to get WG

Re: Need for HW-clock independent timestamps

2018-05-16 Thread Kalin KOZHUHAROV
Hello Axel, I may have not been clear in my last response, it was to be taken in the context of the whole thread... On Wed, May 16, 2018 at 9:32 PM, Axel Neumann <neum...@cgws.de> wrote: > > > On 15 May 2018 22:49:15 MESZ, Kalin KOZHUHAROV <me.ka...@gmail.com> wrote: >

Re: Cannot ping Windows machines on server network

2018-04-25 Thread Kalin KOZHUHAROV
On Thu, Apr 26, 2018 at 1:06 AM, Eddie wrote: > They are pingable from the server and all other machines on the network. > There are no routing of firewall rules anywhere that call out these 2 > machines either by IP or name. > Are you sure they are pingable? By default

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread Kalin KOZHUHAROV
On Fri, 10 Aug 2018, 19:04 Brian Candler, wrote: > On 10/08/2018 16:03, Roman Mamedov wrote: > > But I'd feel a lot happier if a second level of authentication were > required to establish a wireguard connection, if no packets had been > flowing for more than a configurable amount of time - say,

Re: Connection between two clients

2018-08-16 Thread Kalin KOZHUHAROV
Probably a routing problem, check `ip route show` on (one) client and server. Also you might need to enable IP forwarding on the server (usually enabled on firewalls and routers). No, iptables is not necessary if everything is in one subnet. Cheers, Kalin.

Re: Reflections on WireGuard Design Goals

2018-08-10 Thread Kalin KOZHUHAROV
Please excuse my brevity, phone typing here... On Fri, 10 Aug 2018, 16:36 Brian Candler, wrote: > Thanks for explaining the project background, and your very sensible > goals of simplicity and robustness. And thanks for releasing this > excellent piece of software. > > From my point of view,

Re: passtos patch

2018-01-18 Thread Kalin KOZHUHAROV
On Thu, Jan 18, 2018 at 12:30 PM, Vadim Zotov wrote: > in some circumstances it is important to set the TOS field in tunnel packet > equivalent to payload packet TOS. > for example, our provider supports three different SLAs, depending on packet > TOS field, with different

Re: Roaming between IPv4 and IPv6?

2018-03-06 Thread Kalin KOZHUHAROV
On Tue, Mar 6, 2018 at 11:14 PM, Jason A. Donenfeld wrote: > On Tue, Mar 6, 2018 at 11:08 PM, Toke Høiland-Jørgensen wrote: >> I think the idea of configuring both v4 and v6 on startup and caching >> them is a reasonable idea. Maybe even configure all available

Re: Mixed MTU hosts on a network

2018-03-16 Thread Kalin KOZHUHAROV
On Fri, Mar 16, 2018 at 10:25 AM, Roman Mamedov wrote: > Hello, > > I have a host which is on PPPoE and has 1492 as underlying MTU. > > When WireGuard starts by default, it sets MTU of its interface to 1420. All > TCP connections trying to send a stream of data over the WG

Re: Using WG for transport security in a p2p network

2018-04-05 Thread Kalin KOZHUHAROV
Hello Ximin, On Thu, Apr 5, 2018 at 5:22 AM, Ximin Luo wrote: > Our network churn is not expected to be very heavy, perhaps on the order of > ~30 new connections per node per week or so. So any extra latency in the > initial > connection caused by this separation of layers,

Re: can't ping remote side IP range from WG instance

2018-03-25 Thread Kalin KOZHUHAROV
I am really not sure, but let me have a stab: On Sun, Mar 25, 2018 at 11:19 AM, Adrián Mihálko wrote: > auto wg0 > iface wg0 inet static > pre-up ip link add dev wg0 type wireguard > post-up wg setconf wg0 /etc/wireguard/wireguard.conf > post-up ip link set dev wg0

Re: add/remove a peer

2018-03-25 Thread Kalin KOZHUHAROV
On Sun, Mar 25, 2018 at 8:10 PM, ST wrote: > PS: if you have over 100 peers it is a bit a headache to find a free IP > when adding a new peer. There is no reason WG could not scan through IPs > it already knows and choose a free one, assign it in its own config file > and print

Re: wireguard for site-to-site VPN use case

2018-03-22 Thread Kalin KOZHUHAROV
On Wed, Mar 21, 2018, 22:41 al so wrote: > How does Wireguard compare to Tinc and ZeroTier in terms of ease of use >> and security. >> >> I looked at Tinc. Seems pretty easy to setup being Decentralized Mesh >> architecture. Security doesn't seem good. No exploits reported

Re: Update: exempting two things from WireGuard tunneling

2018-03-05 Thread Kalin KOZHUHAROV
On Mon, Mar 5, 2018 at 7:59 PM, Nicholas Joll wrote: > I've tried all sorts of things to answer my own question (the question I > asked the list a little while ago; my initial e-mail is appended below) but > to no avail. However, I've found something, on the Wireguard

Re: match on wg packets and redirect

2018-11-04 Thread Kalin KOZHUHAROV
On Sun, Nov 4, 2018 at 10:10 AM Adrian Sevcenco wrote: > > Hi! Is there a way to use iptables to match wireguard packets incoming > on 443 and the redirect them to the actual port? > > In many hotels/hostels and other free wifi it seems that only 80+443 is > allowed but amazingly both tcp and

Re: F Droid build 0.0.20181031 broken

2018-11-02 Thread Kalin KOZHUHAROV
On Fri, Nov 2, 2018 at 8:26 AM Laszlo KERTESZ wrote: > The current FDroid build (version 0.0.20181031) is broken. The Gui starts but > it states "Unknown userspace Go version" and the tunnel activation action > results in an error. > Hmm... just installed (1st time) and started it, seems fine

Re: Syntax for iperf3 to use over pair wireguard interfaces on a LAN?

2018-12-18 Thread Kalin KOZHUHAROV
On Tue, 18 Dec 2018, 20:50 John On bar: > % iperf3 -c 10.0.9.15 -B 10.0.9.16 > iperf3: error - unable to connect to server: Connection timed outa iperf -c 10.0.9.15 Also for the server, omit ipaddr, it listens to all interfaces by default. Kalin.

Re: [Android] Wireguard on the Amazon FireTV stick

2019-01-08 Thread Kalin KOZHUHAROV
On Tue, Jan 8, 2019 at 11:27 AM Christophe-Marie Duquesne wrote: > > Hi there, > > I tried to run Wireguard on the FireTV stick. The only other relevant > reference I found for doing this was on reddit [1], where people recommended > to use TunSafe. TunSafe is unfortunately still closed-source

Re: DNS tunneling only

2019-01-07 Thread Kalin KOZHUHAROV
On Tue, Jan 8, 2019 at 3:25 AM Mario García wrote: > Is it possible to tunnel DNS requests only from the client to the > wireguard server? > Yes... easy, if you want the responses to those requests going through the tunnel as well. It is just a tunnel, what you put in there is up to you. So add

Re: Traffic flow stopping

2019-01-08 Thread Kalin KOZHUHAROV
Hello Mike, On Tue, Jan 8, 2019 at 3:20 AM Mike O'Connor wrote: > So I've been using Wireguard to route part of my class C to my home for > about 4 months now, but for the last few days the traffic stops for a > short while every few minutes. > Does it start on its own "after few minutes"? >

Re: Connections dropped after long in-activity

2019-01-08 Thread Kalin KOZHUHAROV
On Tue, Jan 8, 2019 at 3:20 AM Muhammad Naseer Bhatti wrote: > Facing a strange issue with single and sometimes with double NAT with client > running Wireguard with the server on Public IP address. If client remains > idle for long time (more than 15 minutes) NAT table in the route is dropped

Re: issue with certain apps + wireguard

2019-01-08 Thread Kalin KOZHUHAROV
On Tue, Jan 8, 2019 at 3:22 AM Arpit Gupta wrote: > A new user here. Recently setup wireguard to run on my pi 3 + pi hole. I am > noticing some interesting behavior with certain apps. > Apps running where? Name your hosts (fakename if you prefer) for clarity. > When using Google Duo on my

Re: iOS WG Battery Life

2019-03-01 Thread Kalin KOZHUHAROV
On Fri, Mar 1, 2019 at 11:03 AM kolargol wrote: > I am testing WG on various OSes and devices and I have noted severe battery > drain on iOS (12.2, iPhone 8). Typically battery drops 40% during night-time > (that is 7 hours of inactivity on the phone) when WireGuard is engaged. > Compared to how

Re: performance query

2019-03-01 Thread Kalin KOZHUHAROV
On Fri, Mar 1, 2019 at 11:11 AM Scott Lipcon wrote: > > I've been experimenting a bit with Wireguard on several ubuntu systems, and > am not seeing the performance I'd expect based on the numbers at > https://www.wireguard.com/performance/ > > I'm wondering if there is a configuration setting

Re: RFC: wg syncpeers wg0 wireguard.conf

2019-06-11 Thread Kalin KOZHUHAROV
On Tue, Jun 11, 2019 at 11:08 PM Lonnie Abelbeck wrote: > > On Jun 11, 2019, at 12:28 PM, Jason A. Donenfeld wrote: > > > > One of the things that always goes wrong with "sync" algorithms in > > software -- and the commit above at the moment is no exception -- is > > that they're kind of racey.

Re: need a hand with WG setup

2019-08-27 Thread Kalin KOZHUHAROV
On Tue, 27 Aug 2019, 20:21 Dimitar Vassilev, wrote: > Hello, > > I'm trying to establish site to site VPN with 2 OpenWRTs 18.6.4 - linux > 4.9.184 > > my problem is that I cannot get any ping running and cannot reach the > remote tunnel ips. > 1. Disable the FW and test. 2. Try ping from one

Re: IPv6 endpoint AND IPv4 fallback endpoint in roadwarrior scenario?

2019-09-30 Thread Kalin KOZHUHAROV
On Mon, Sep 30, 2019 at 9:53 AM Nico Schottelius wrote: > At lookup time this works already. > yup! > The problem is, if the underlying network topology changes and you need to > reconnect via IPv4, > when you had IPv6 underlying before. > Well, "if the underlying network topology changes" it

Re: [PATCH] wg show: Add json output

2020-02-25 Thread Kalin KOZHUHAROV
Hi Barry, Please read the reply below with a smile, it is just friendly sarcasm underlining my personal view. On Tue, Feb 25, 2020 at 1:50 AM Barry Scott wrote: > > On 23 Feb 2020, at 12:45, Arti Zirk wrote: > > > > On E, 2020-02-17 at 15:47 +1100, Matthew Oliver wrote: > >> Someone asked