From c0b68d2eafaf2b44df9377ba0844bc315163247e Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Tue, 10 May 2022 12:40:49 +0200
Subject: [PATCH 01/10] wg-quick: android: use right regex for host-vs-IP
Looks like the "is valid ifname" regex was copy and pasted from wg-quick.bash instead of the "is valid IP" regex.
Signed-off-by: Jason A. Donenfeld
---
 src/wg-quick/android.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wg-quick/android.c b/src/wg-quick/android.c
index a5a789a..1263ee4 100644
--- a/src/wg-quick/android.c
+++ b/src/wg-quick/android.c
@@ -855,7 +855,7 @@ static void set_dnses(unsigned int netid, const char *dnses)
 if (!len)
 return;
- xregcomp(®ex_ipnothost, "^[a-zA-Z0-9_=+.-]{1,15}$", REG_EXTENDED | REG_NOSUB);
+ xregcomp(®ex_ipnothost, "(^[0-9.]+$)|(^.*:.*$)", REG_EXTENDED | REG_NOSUB);
 for (char *dns = strtok(mutable, ", \t\n"); dns; dns = strtok(NULL, ", \t\n")) {
 if (strchr(dns, '\'') || strchr(dns, '\\'))
 continue;
From 5b9c1d6d74376d4983a3055078225d95104194f0 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Fri, 10 Jun 2022 19:35:38 +0200
Subject: [PATCH 02/10] global: dual license core files as MIT for FreeBSD
To make it easier for FreeBSD to import wg(8), dual license the core files as MIT, so that they don't have any trouble.
Signed-off-by: Jason A. Donenfeld
---
 src/config.c | 2 +-
 src/config.h | 2 +-
 src/containers.h | 2 +-
 src/ctype.h | 2 +-
 src/curve25519.c | 2 +-
 src/curve25519.h | 2 +-
 src/encoding.c | 2 +-
 src/encoding.h | 2 +-
 src/genkey.c | 2 +-
 src/ipc.c | 2 +-
 src/ipc.h | 2 +-
 src/pubkey.c | 2 +-
 src/set.c | 2 +-
 src/setconf.c | 2 +-
 src/show.c | 2 +-
 src/showconf.c | 2 +-
 src/subcommands.h | 2 +-
 src/terminal.c | 2 +-
 src/terminal.h | 2 +-
 src/wg.c | 2 +-
 20 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/src/config.c b/src/config.c
index 211e887..81ccb47 100644
--- a/src/config.c
+++ b/src/config.c
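Review bot: The new pattern `(^[0-9.]+$)|(^.*:.*$)` is a shape heuristic rather than address validation — `1.2.3.4.5`, a lone `.` or any token containing a colon all match — and nothing on the xregcomp line says so, which invites the next reader to treat regex_ipnothost as an IP validator. A comment above it would fix that: `/* Loose classifier only: "digits and dots" or "contains a colon" is treated as an IP literal, anything else as a hostname; this is not a validity check. */`. The `'` and `\` filter on the loop's first line suggests each token is later spliced into a command string, so the non-matching (hostname) path presumably has to stay tolerant of junk; that path is outside the hunk and worth confirming. set_dnses starts before and continues past the hunk.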
@@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/config.h b/src/config.h index c52b9ea..443cf21 100644 --- a/src/config.h +++ b/src/config.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/containers.h b/src/containers.h index fb5434f..a82e8dd 100644 --- a/src/containers.h +++ b/src/containers.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/ctype.h b/src/ctype.h index 98b2283..7c9942c 100644 --- a/src/ctype.h +++ b/src/ctype.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. * diff --git a/src/curve25519.c b/src/curve25519.c index 1739a9e..7121d1e 100644 --- a/src/curve25519.c +++ b/src/curve25519.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2018-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/curve25519.h b/src/curve25519.h index 1569824..b05432f 100644 --- a/src/curve25519.h +++ b/src/curve25519.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/encoding.c b/src/encoding.c index 2540e5b..9b2cda5 100644 --- a/src/encoding.c +++ b/src/encoding.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. * diff --git a/src/encoding.h b/src/encoding.h index 2d2c1e0..3cabe9c 100644 
--- a/src/encoding.h +++ b/src/encoding.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/genkey.c b/src/genkey.c index 759a89d..0201b28 100644 --- a/src/genkey.c +++ b/src/genkey.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/ipc.c b/src/ipc.c index 08f9984..1155bd5 100644 --- a/src/ipc.c +++ b/src/ipc.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/ipc.h b/src/ipc.h index c51c8e7..bc0fd60 100644 --- a/src/ipc.h +++ b/src/ipc.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/pubkey.c b/src/pubkey.c index b55c1fe..f191592 100644 --- a/src/pubkey.c +++ b/src/pubkey.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/set.c b/src/set.c index 6f0e0cf..75560fd 100644 --- a/src/set.c +++ b/src/set.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/setconf.c b/src/setconf.c index bfd0a3a..1c5b138 100644 --- a/src/setconf.c +++ b/src/setconf.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/show.c b/src/show.c index 761858b..a61a06e 100644 --- a/src/show.c +++ b/src/show.c 
@@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/showconf.c b/src/showconf.c index 64f8b6e..62070dc 100644 --- a/src/showconf.c +++ b/src/showconf.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/subcommands.h b/src/subcommands.h index 7c4ed88..4308b5b 100644 --- a/src/subcommands.h +++ b/src/subcommands.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/terminal.c b/src/terminal.c index c10b9f1..d3e6611 100644 --- a/src/terminal.c +++ b/src/terminal.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/terminal.h b/src/terminal.h index 58697fa..50b1686 100644 --- a/src/terminal.h +++ b/src/terminal.h @@ -1,4 +1,4 @@ -/* SPDX-License-Identifier: GPL-2.0 */ +/* SPDX-License-Identifier: GPL-2.0 OR MIT */ /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ diff --git a/src/wg.c b/src/wg.c index aed70b6..6480970 100644 --- a/src/wg.c +++ b/src/wg.c @@ -1,4 +1,4 @@ -// SPDX-License-Identifier: GPL-2.0 +// SPDX-License-Identifier: GPL-2.0 OR MIT /* * Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. */ From 71799a8f6d1450b63071a21cad6ed434b348d3d5 Mon Sep 17 00:00:00 2001 
From: Tom Yan
Date: Fri, 17 Jun 2022 19:34:19 +0800
Subject: [PATCH 03/10] wg-quick: linux: prevent traffic from momentarily leaking into tunnel
The wireguard route table ip rule should stay as a no-op until the `suppress_prefixlength 0 table main` rule is in effect. Therefore, add the wireguard default route to its route table after the latter rule is added.
Signed-off-by: Tom Yan
Signed-off-by: Jason A. Donenfeld
---
 src/wg-quick/linux.bash | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash
index e4d4c4f..69e5bef 100755
--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -220,9 +220,9 @@ add_default() {
 fi
 local proto=-4 iptables=iptables pf=ip
 [[ $1 == *:* ]] && proto=-6 iptables=ip6tables pf=ip6
- cmd ip $proto route add "$1" dev "$INTERFACE" table $table
 cmd ip $proto rule add not fwmark $table table $table
 cmd ip $proto rule add table main suppress_prefixlength 0
+ cmd ip $proto route add "$1" dev "$INTERFACE" table $table
 local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore=$'*raw\n' nftable="wg-quick-$INTERFACE" nftcmd
 printf -v nftcmd '%sadd table %s %s\n' "$nftcmd" "$pf" "$nftable"
From 7b2ae7aa2f52fbac65874a641cbfbb0182d0ba46 Mon Sep 17 00:00:00 2001
From: Kyle Evans
Date: Fri, 28 Oct 2022 20:45:05 -0500
Subject: [PATCH 04/10] ipc: freebsd: move if_wg path to reflect new in-tree location
When we re-added if_wg to the tree, we changed directories in dev to strip the if_ (we don't use this prefix for other interfaces' directories). Adjust it here as a convenience, so that when we import wireguard-tools to FreeBSD the path will just work as-is with our usual build.
Signed-off-by: Kyle Evans
Signed-off-by: Jason A. Donenfeld
---
 src/ipc-freebsd.h | 2 +-
 src/uapi/freebsd/dev/{if_wg => wg}/if_wg.h | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename src/uapi/freebsd/dev/{if_wg => wg}/if_wg.h (100%)
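Review bot: The order of the three `cmd ip $proto ...` lines is now load-bearing — the route must land in table `$table` only after the `suppress_prefixlength 0` rule exists, so the fwmark rule stays a no-op until then — but only the commit message records this, and a later tidy-up could silently put the route back first. Suggest a comment directly above the moved line: `# Order matters: add the route only after the suppress_prefixlength rule is in place, otherwise traffic briefly leaks into the tunnel.` add_default starts before and continues past the hunk.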
diff --git a/src/ipc-freebsd.h b/src/ipc-freebsd.h
index 2c10c10..b5be15b 100644
--- a/src/ipc-freebsd.h
+++ b/src/ipc-freebsd.h
@@ -6,7 +6,7 @@
 #include
 #include
-#include
+#include
 #define IPC_SUPPORTS_KERNEL_INTERFACE
diff --git a/src/uapi/freebsd/dev/if_wg/if_wg.h b/src/uapi/freebsd/dev/wg/if_wg.h
similarity index 100%
rename from src/uapi/freebsd/dev/if_wg/if_wg.h
rename to src/uapi/freebsd/dev/wg/if_wg.h
From ca2e89ff21794b1853f628b8d5cb0f91eb140461 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Mon, 31 Oct 2022 15:38:58 +0100
Subject: [PATCH 05/10] show: apply const to right part of pointer
Without this -Wcast-qual complains: show.c:30:43: warning: cast from 'const void *' to 'const void **' drops const qualifier [-Wcast-qual] const struct wgpeer *a = *(const void **)first, *b = *(const void **)second; ^ show.c:30:71: warning: cast from 'const void *' to 'const void **' drops const qualifier [-Wcast-qual] const struct wgpeer *a = *(const void **)first, *b = *(const void **)second;
Signed-off-by: Jason A. Donenfeld
---
 src/show.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/show.c b/src/show.c
index a61a06e..3fd3d9e 100644
--- a/src/show.c
+++ b/src/show.c
@@ -27,7 +27,7 @@ static int peer_cmp(const void *first, const void *second)
 {
 time_t diff;
- const struct wgpeer *a = *(const void **)first, *b = *(const void **)second;
+ const struct wgpeer *a = *(void *const *)first, *b = *(void *const *)second;
 if (!a->last_handshake_time.tv_sec && !a->last_handshake_time.tv_nsec && (b->last_handshake_time.tv_sec || b->last_handshake_time.tv_nsec))
 return 1;
From dbf49a7d17d69b8af365ce2521df110a4710c819 Mon Sep 17 00:00:00 2001
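Review bot: The rewritten cast `*(void *const *)first` is the right shape for a comparator whose arguments point at elements of an array of `struct wgpeer *`, but the extra level of indirection reads like a typo without a hint, and the cast-qual fix makes it even less obvious. A one-line comment above the declaration would settle it: `/* qsort() hands us pointers to array elements, and the array holds struct wgpeer *, hence the double indirection. */`. Whether the caller really sorts a pointer array is outside the hunk, so confirm before wording it that way. peer_cmp continues past the hunk.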
From: Kyle Evans
Date: Thu, 3 Nov 2022 12:59:01 -0500
Subject: [PATCH 06/10] ipc: freebsd: avoid leaking memory in kernel_get_device()
Primarily, front-load validation of an allowed-ip entry to before we allocate `aip`, so that we don't need to free() it if we end up skipping this entry. Assert that `aip` is NULL after we exit the loop, as we should have transfered ownership to the `peer` or freed it in all paths through the allowed-ip loop.
FreeBSD-Coverity: 1500405
Signed-off-by: Kyle Evans
Signed-off-by: Jason A. Donenfeld
---
 src/ipc-freebsd.h | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/src/ipc-freebsd.h b/src/ipc-freebsd.h
index b5be15b..b78b6c8 100644
--- a/src/ipc-freebsd.h
+++ b/src/ipc-freebsd.h
@@ -4,6 +4,7 @@
 *
 */
+#include
 #include
 #include
 #include
@@ -118,7 +119,7 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 goto skip_peers;
 for (i = 0; i < peer_count; ++i) {
 struct wgpeer *peer;
- struct wgallowedip *aip;
+ struct wgallowedip *aip = NULL;
 const nvlist_t *const *nvl_aips;
 size_t aip_count, j;
@@ -169,11 +170,13 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 if (!aip_count || !nvl_aips)
 goto skip_allowed_ips;
 for (j = 0; j < aip_count; ++j) {
+ if (!nvlist_exists_number(nvl_aips[j], "cidr"))
+ continue;
+ if (!nvlist_exists_binary(nvl_aips[j], "ipv4") && !nvlist_exists_binary(nvl_aips[j], "ipv6"))
+ continue;
 aip = calloc(1, sizeof(*aip));
 if (!aip)
 goto err_allowed_ips;
- if (!nvlist_exists_number(nvl_aips[j], "cidr"))
- continue;
 number = nvlist_get_number(nvl_aips[j], "cidr");
 if (nvlist_exists_binary(nvl_aips[j], "ipv4")) {
 binary = nvlist_get_binary(nvl_aips[j], "ipv4", &size);
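Review bot: The two `continue` checks now sit above `aip = calloc(...)` for a reason — an entry skipped there has nothing to free, which is what makes the later `aip = NULL` / `assert(aip == NULL)` bookkeeping hold — but the code does not say so, and someone adding a third validation below the calloc would reintroduce the leak the commit fixes. Suggest a comment above the first check: `/* Validate the entry before allocating, so a skipped entry leaves nothing to free. */`. The `aip = NULL` initialiser in the preceding hunk exists for the same bookkeeping and could carry a short note pointing at the assert. kernel_get_device starts before and continues past the hunk.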
@@ -184,7 +187,8 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 aip->family = AF_INET;
 aip->cidr = number;
 memcpy(&aip->ip4, binary, sizeof(aip->ip4));
- } else if (nvlist_exists_binary(nvl_aips[j], "ipv6")) {
+ } else {
+ assert(nvlist_exists_binary(nvl_aips[j], "ipv6"));
 binary = nvlist_get_binary(nvl_aips[j], "ipv6", &size);
 if (!binary || number > 128) {
 ret = EINVAL;
@@ -193,14 +197,14 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 aip->family = AF_INET6;
 aip->cidr = number;
 memcpy(&aip->ip6, binary, sizeof(aip->ip6));
- } else
- continue;
+ }
 if (!peer->first_allowedip)
 peer->first_allowedip = aip;
 else
 peer->last_allowedip->next_allowedip = aip;
 peer->last_allowedip = aip;
+ aip = NULL;
 continue;
 err_allowed_ips:
@@ -209,6 +213,9 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
 free(aip);
 goto err_peer;
 }
+ /* Nothing leaked, hopefully -- ownership transferred or aip freed. */
+ assert(aip == NULL);
 skip_allowed_ips:
 if (!dev->first_peer)
 dev->first_peer = peer;
From 139aac59a5ab7da913d4b6dd62692fa90e2ccad4 Mon Sep 17 00:00:00 2001
From: Kyle Evans
Date: Thu, 3 Nov 2022 13:20:29 -0500
Subject: [PATCH 07/10] ipc: freebsd: NULL out some freed memory in kernel_set_device()
The `err` path in kernel_set_device() will attempt to free() allocated nvl_peers, but these two cases meant we could end up attempting a use after free or a double free, as we rely on nvlist_destroy(NULL) being a NOP as well as free(NULL).
FreeBSD-Coverity: 1500421
Signed-off-by: Kyle Evans
Signed-off-by: Jason A. Donenfeld
---
 src/ipc-freebsd.h | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/ipc-freebsd.h b/src/ipc-freebsd.h
index b78b6c8..fa74edd 100644
--- a/src/ipc-freebsd.h
+++ b/src/ipc-freebsd.h
@@ -329,6 +329,7 @@ static int kernel_set_device(struct wgdevice *dev)
 nvlist_destroy(nvl_aips[j]);
 free(nvl_aips);
 nvlist_destroy(nvl_peers[i]);
+ nvl_peers[i] = NULL;
 goto err;
 }
 if (i) {
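Review bot: `size` is filled by `nvlist_get_binary(nvl_aips[j], "ipv6", &size)` but the guard on the next line checks only `!binary || number > 128`, so a blob shorter than 16 bytes would be over-read by the `memcpy(&aip->ip6, binary, sizeof(aip->ip6))` in the following hunk; suggest `if (!binary || size != sizeof(aip->ip6) || number > 128) {`. The ipv4 guard is outside the hunk, but the same comparison against `sizeof(aip->ip4)` presumably belongs there too. The nvlist comes from the kernel, so this is defence in depth rather than a live bug; kernel_get_device starts before and continues past the hunk.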
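Review bot: Setting `nvl_peers[i] = NULL` after `nvlist_destroy(nvl_peers[i])` only prevents the double free because the `err` path (outside the hunk) walks `nvl_peers` and relies on `nvlist_destroy(NULL)` being a no-op; the commit message states that contract, the code does not. A comment at the `err:` label would keep it from being broken by a later edit, e.g. `/* err: every nvl_* slot is either live or NULL; nvlist_destroy(NULL) and free(NULL) are no-ops. */`. The same reasoning applies to the `nvl_peers = NULL` and `nvl_device = NULL` lines in the next hunk. `free(nvl_aips)` just above is not NULLed, which is fine if nvl_aips is loop-local; that cannot be seen from here.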
@@ -336,9 +337,11 @@ static int kernel_set_device(struct wgdevice *dev)
 for (i = 0; i < peer_count; ++i)
 nvlist_destroy(nvl_peers[i]);
 free(nvl_peers);
+ nvl_peers = NULL;
 }
 wgd.wgd_data = nvlist_pack(nvl_device, &wgd.wgd_size);
 nvlist_destroy(nvl_device);
+ nvl_device = NULL;
 if (!wgd.wgd_data)
 goto err;
 s = get_dgram_socket();
From b4f6b4f229d291daf7c35c6f1e7f4841cc6d69bc Mon Sep 17 00:00:00 2001
From: Dmitry Selivanov
Date: Wed, 8 Feb 2023 09:30:16 +0300
Subject: [PATCH 08/10] show: fix show all endpoints output
Currently "wg show all endpoints" prints interface name only once while other "show all" commands print it on each line as man says.
Signed-off-by: Dmitry Selivanov
Signed-off-by: Jason A. Donenfeld
---
 src/show.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/show.c b/src/show.c
index 3fd3d9e..13777cf 100644
--- a/src/show.c
+++ b/src/show.c
@@ -312,9 +312,9 @@ static bool ugly_print(struct wgdevice *device, const char *param, bool with_int
 else
 printf("off\n");
 } else if (!strcmp(param, "endpoints")) {
- if (with_interface)
- printf("%s\t", device->name);
 for_each_wgpeer(device, peer) {
+ if (with_interface)
+ printf("%s\t", device->name);
 printf("%s\t", key(peer->public_key));
 if (peer->endpoint.addr.sa_family == AF_INET || peer->endpoint.addr.sa_family == AF_INET6)
 printf("%s\n", endpoint(&peer->endpoint.addr));
From e6888dd74ee4215449517f43aba9c11a1633ea4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Gr=C3=B6ber?=
Date: Wed, 7 Dec 2022 19:00:31 +0100
Subject: [PATCH 09/10] wg-quick: run PreUp hook after creating interface
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently PreUp hooks run before the interface is created. This is problematic for moving the device into a Linux VRFs as this will currently clear all assigned IPv6 addressess (possibly a bug), so if we did this in PostUp (i.e. before add_addr) we'll have to manually re-add all assigned addresses. This is obviously less than ideal. Instead create the wg device just before running PreUp hooks. We apply this to all platforms for consistency. Test case: $ ip link add vrf-test type vrf table 1234 $ ip link add wg-test type wireguard $ ip addr add dev wg-test 192.168.42.42/24 $ ip addr add dev wg-test fe80::/64 $ ip -br addr show wg-test wg-test DOWN 192.168.42.42/24 fe80::/64 $ ip link set dev wg-test master vrf-test $ ip -br addr show wg-test wg-test DOWN 192.168.42.42/32
Signed-off-by: Daniel Gröber
Signed-off-by: Jason A. Donenfeld
---
 src/wg-quick/darwin.bash | 2 +-
 src/wg-quick/freebsd.bash | 2 +-
 src/wg-quick/linux.bash | 2 +-
 src/wg-quick/openbsd.bash | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/wg-quick/darwin.bash b/src/wg-quick/darwin.bash
index 8e46818..c938112 100755
--- a/src/wg-quick/darwin.bash
+++ b/src/wg-quick/darwin.bash
@@ -452,8 +452,8 @@ cmd_up() {
 local i
 get_real_interface && die "\`$INTERFACE' already exists as \`$REAL_INTERFACE'"
 trap 'del_if; del_routes; exit' INT TERM EXIT
- execute_hooks "${PRE_UP[@]}"
 add_if
+ execute_hooks "${PRE_UP[@]}"
 set_config
 for i in "${ADDRESSES[@]}"; do
 add_addr "$i"
diff --git a/src/wg-quick/freebsd.bash b/src/wg-quick/freebsd.bash
index b529ab2..f72daf6 100755
--- a/src/wg-quick/freebsd.bash
+++ b/src/wg-quick/freebsd.bash
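Review bot: After this reorder PreUp runs against an interface that already exists but has no private key, addresses or routes yet, so hooks written for the old contract (one that creates the interface itself, or asserts it does not exist) now misbehave, and nothing in the code records the new ordering. Suggest a comment on the moved line: `# PreUp runs after add_if: the interface exists but is not yet configured.` The same applies to the freebsd, linux and openbsd hunks that follow; the wg-quick(8) description of PreUp presumably needs matching wording, since the later man-page patch only changes an example. cmd_up continues past the hunk.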
@@ -420,8 +420,8 @@ cmd_up() {
 local i
 [[ -z $(ifconfig "$INTERFACE" 2>/dev/null) ]] || die "\`$INTERFACE' already exists"
 trap 'del_if; del_routes; clean_temp; exit' INT TERM EXIT
- execute_hooks "${PRE_UP[@]}"
 add_if
+ execute_hooks "${PRE_UP[@]}"
 set_config
 for i in "${ADDRESSES[@]}"; do
 add_addr "$i"
diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash
index 69e5bef..4193ce5 100755
--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -327,8 +327,8 @@ cmd_up() {
 local i
 [[ -z $(ip link show dev "$INTERFACE" 2>/dev/null) ]] || die "\`$INTERFACE' already exists"
 trap 'del_if; exit' INT TERM EXIT
- execute_hooks "${PRE_UP[@]}"
 add_if
+ execute_hooks "${PRE_UP[@]}"
 set_config
 for i in "${ADDRESSES[@]}"; do
 add_addr "$i"
diff --git a/src/wg-quick/openbsd.bash b/src/wg-quick/openbsd.bash
index 2adfe46..b58ecf5 100755
--- a/src/wg-quick/openbsd.bash
+++ b/src/wg-quick/openbsd.bash
@@ -417,8 +417,8 @@ cmd_up() {
 local i
 get_real_interface && die "\`$INTERFACE' already exists as \`$REAL_INTERFACE'"
 trap 'del_if; del_routes; exit' INT TERM EXIT
- execute_hooks "${PRE_UP[@]}"
 add_if
+ execute_hooks "${PRE_UP[@]}"
 set_config
 for i in "${ADDRESSES[@]}"; do
 add_addr "$i"
From 729242a11466934f47690ddaf9a3465983b859e5 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Thu, 18 May 2023 03:17:02 +0200
Subject: [PATCH 10/10] man: set private key in PreUp rather than PostUp
This is probably more sensible, since there's no point in letting traffic flow before the interface is configured.
Signed-off-by: Jason A. Donenfeld
---
 src/man/wg-quick.8 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/man/wg-quick.8 b/src/man/wg-quick.8
index b84eb64..bc9e145 100644
--- a/src/man/wg-quick.8
+++ b/src/man/wg-quick.8
@@ -168,7 +168,7 @@ sockets, which bypass Netfilter.) When IPv6 is in use, additional similar lines Or, perhaps it is desirable to store private keys in encrypted form, such as through use of .BR pass (1): - \fBPostUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP + \fBPreUp = wg set %i private-key <(pass WireGuard/private-keys/%i)\fP .br For use on a server, the following is a more complicated example involving multiple peers: