Hey list, wg(8) is the main WireGuard configuration tool. It takes a fairly strict set of inputs, and is supposed to perform acceptable input validation on them.
https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8 wg-quick(8), on the other and, is a dinky bash script, that is useful for making some common limited use cases a bit easier. https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8 wg-quick(8) has the very handy feature of allowing PostUp/PostDown/PreUp/PreDown directives, to execute some helpers, such as iptables or whatever else you want in a custom setup. These have proven very useful to folks. And because these allow arbitrary execution anyway, wg-quick(8) doesn't try very hard to do proper input validation either. I just saw this nice post pointing out a problem in OpenVPN: https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da The same thing applies to wg-quick(8) with PostUp/PostDown/PreUp/PreDown. The question is how seriously we should take the problem presented by this blog post. Namely, you can't trust configuration files given to you by outside parties. Maybe you shouldn't reconfigure your network without inspecting what those reconfigurations are first. However, one could argue that code execution is a bit beyond networking config. So, the question we need to ask is whether this problem is important enough that these useful features should be _removed_? Or if there's a way to make them safer? Or if it just doesn't matter that much and we shouldn't do anything. Thoughts? Jason _______________________________________________ WireGuard mailing list [email protected] https://lists.zx2c4.com/mailman/listinfo/wireguard
