Commit Graph

349 Commits

Author SHA1 Message Date
Jason A. Donenfeld f59f63f462 Makefile: add standard 'all' target
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Bruno Wolff III <bruno@wolff.to>
2020-01-03 21:22:22 +01:00
Jason A. Donenfeld bfb31ac953 Makefile: remove pwd from compile output
We previously included $(pwd) in the compile output pretty printer,
because it matched our parent out-of-tree module build. Since we're no
longer coupled to the module, we can return to a prettier scheme of just
using the object name.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Fixes: eb68ad07 ("Makefile: even prettier output")
2020-01-03 12:36:10 +01:00
Jason A. Donenfeld 3bf1b64d44 version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-02 19:53:11 +01:00
Jason A. Donenfeld d8230ea0dc global: bump copyright
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-02 19:52:25 +01:00
Jason A. Donenfeld 16e20de722 wg-quick: linux: quote ifname for nft
Otherwise nft(8) has strange ideas of what a string is.

Suggested-by: RistiCore <RistiCore@mail.ee>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-28 18:35:41 +01:00
Jason A. Donenfeld 3bfe9c41ab Makefile: rework automatic version.h mangling
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reported-by: Joe Doss <joe@solidadmin.com>
2019-12-27 18:33:55 +01:00
Jason A. Donenfeld 2d000809dd fuzz: find bugs when parsing uapi input
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-27 18:33:55 +01:00
Jason A. Donenfeld cde6f312e4 fuzz: find bugs in the config syntax parser
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-27 18:33:55 +01:00
Devin Smith 318253d932 man: add documentation about removing explicit listen-port
Signed-off-by: Devin Smith <thundza@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-27 11:52:29 +01:00
Jason A. Donenfeld f9f1ba795e Makefile: port static analysis check
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 16:54:25 +01:00
Jason A. Donenfeld ff7e5dfe30 Makefile: DEBUG_TOOLS -> DEBUG and document
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 16:51:58 +01:00
Jason A. Donenfeld 7861d89b7c systemd: update documentation URL
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 13:59:27 +01:00
Jason A. Donenfeld ae659490cf version: bump
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 13:59:11 +01:00
Jason A. Donenfeld 9130fa0450 Makefile: add git versioning to dev builds
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 13:57:58 +01:00
Jason A. Donenfeld 011bf3b9f4 README: consolidate with INSTALL and rewrite
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 13:10:42 +01:00
Jason A. Donenfeld 262b5196cf wg: include tools version
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 13:10:42 +01:00
Jason A. Donenfeld 2f74ac29cf wg: add back source formerly shared with kernel module
We used to reach back into parent directories for this, but with the
repo split, we now require our own copy.

We use -idirafter in case system headers are installed for the
wireguard.h netlink definitions.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-26 12:55:41 +01:00
Jason A. Donenfeld 6262906e5c wg-quick: linux: use already configured addresses instead of in-memory
The ADDRESSES array might not have addresses added during PreUp. But
moreover, nft(8) and iptables(8) don't like ip addresses in the form
somev6prefix::someipv4suffix, such as fd00::1.2.3.4, while ip(8) can
handle it. So by adding these first and then asking for them back, we
always get normalized addresses suitable for nft(8) and iptables(8).

Reported-by: Silvan Nagl <mail@53c70r.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-17 14:18:09 +01:00
Kai Haberzettl 64f83e6161 wg: adjust wg.8 syntax for consistency in COMMANDS section
Signed-off-by: Kai Haberzettl <khaberz@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-13 16:22:19 +01:00
Jason A. Donenfeld 6fbfa0d7bb wg-quick: linux: try both iptables(8) and nft(8) on teardown
Daniel argues that technically a package manager could install nft(8)
after previously having started wg-quick(8) using iptables(8).

Suggested-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-12 17:24:04 +01:00
Jason A. Donenfeld 45417c5c0d wg-quick: linux: support older nft(8)
Older nft(8), such as that on Ubuntu, does not accept the - parameter to
the -f argument and doesn't accept symbolic priority names. So instead
use the canonical numeric priority forms and use <(echo) instead of -.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-12 12:24:05 +01:00
Josh Soref a863be0148 global: fix up spelling
Signed-off-by: Josh Soref <jsoref@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-12 12:24:05 +01:00
Jason A. Donenfeld 17c78d31c2 wg-quick: linux: add support for nft and prefer it
If nft(8) is installed, use it. These rules should be identical to the
iptables-restore(8) ones, with the advantage that cleanup is easy
because we use custom table names.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-12 12:24:05 +01:00
Jason A. Donenfeld bc8bf54185 wg-quick: linux: ignore save warnings for iptables-nft
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-06 16:51:05 +01:00
Jason A. Donenfeld 8d4e4f3a86 wg-quick: linux: suppress more warnings on weird kernels
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-06 16:22:18 +01:00
Jason A. Donenfeld 3928ebb87d wg-quick: linux: some iptables don't like empty lines
Reported-by: Kenneth R. Crudup <kenny@panix.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-05 18:33:18 +01:00
Jason A. Donenfeld 9eab3487cd wg-quick: linux: iptables-* -w is not widely supported
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-05 11:48:25 +01:00
Jason A. Donenfeld faa55d8b19 ipc: make sure userspace communication frees wgdevice
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-05 11:48:25 +01:00
Jason A. Donenfeld 207aeed010 wg-quick: linux: have remove_iptables return true
Reported-by: Thomas Sattler <sattler@med.uni-frankfurt.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-05 11:48:25 +01:00
Jason A. Donenfeld af69113e02 wg-quick: linux: ensure postdown hooks execute
Reported-by: Thomas Sattler <sattler@med.uni-frankfurt.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-05 11:48:25 +01:00
Jason A. Donenfeld a9abb21575 wg-quick: linux: suppress error when finding unused table
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-11-27 17:12:15 +01:00
Jason A. Donenfeld ae374129ab wg: add syncconf command
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-11-27 14:42:34 +01:00
Jason A. Donenfeld ebcf1ef8b1 wg-quick: linux: filter bogus injected packets and don't disable rpfilter
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-11-27 13:45:58 +01:00
Jason A. Donenfeld a59aa6c404 wg-quick: linux: only touch net.ipv4 for v4
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-11-26 11:33:33 +01:00
Jason A. Donenfeld cf7ec31d2d wg-quick: android: check for null in binder cleanup functions
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-10-16 14:23:27 +02:00
Nicolas Douma 792727cf64 wg-quick: android: use Binder for setting DNS on Android 10
Signed-off-by: Nicolas Douma <nicolas@serveur.io>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-10-12 16:49:52 +02:00
Jason A. Donenfeld 959937672a wg: windows: enforce named pipe ownership and use protected prefix
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-08-31 08:48:39 -06:00
Ronan Pigott 4154476d89 wg-quick: linux: don't fail down when using systemd-resolved
systemd-resolved has a compatibility interface for use with resolvconf
scripts when resolvectl is called from a symlink from resolvconf.
However, when tearing down the interface, cmd_down calls del_if and then
unset_dns. In the case of systemd-resolved, deleting the interface also
removes the systemd-resolved entry and causes resolvconf -d to fail when
resolvconf really is a symlink to resolvectl. This causes `wg-quick
down` and 'wg-quick@.service' to exit with failure.

Instead we use the resolvconf '-f' flag to ignore non-existent
interfaces, supported by both openresolv and sd-resolved resolvconf.

Signed-off-by: Ronan Pigott <rpigott@berkeley.edu>
[zx2c4: moved -f argument to end to remain compatible with Debian's resolvconf]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-08-27 20:29:17 -06:00
Ankur Kothari 5df58a945d wg-quick: openbsd: fix alternate routing table syntax
route(8) has always used the `-T` option to specify the
routing table; there is no `rdomain` option.

Signed-off-by: Ankur Kothari <ankur@lipidity.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-08-07 10:41:26 +02:00
Jason A. Donenfeld 6a5906608c wg-quick: android: refactor and add incoming allow rules
Suggested-by: Yağmur Oymak <yagmur.oymak@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-07-08 13:48:17 +02:00
Jason A. Donenfeld b30e74b595 wg-quick: darwin: support being called from launchd
This causes wg-quick up to wait for the monitor to exit before it exits,
so that launchd can correctly wait on it.

Reported-by: Cameron Palmer <cameron@promon.no>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-06-24 11:19:18 +02:00
Jason A. Donenfeld 15f2e2ef34 wg: pass WG_ENDPOINT_RESOLUTION_RETRIES=infinity to systemd unit
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-31 21:10:41 +02:00
Jason A. Donenfeld 838039b879 wg: add wincompat layer to wg(8)
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-31 18:30:59 +02:00
Jason A. Donenfeld 10487e7215 wg: allow setting WG_ENDPOINT_RESOLUTION_RETRIES
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-29 01:23:24 +02:00
Jason A. Donenfeld 604b5a9fa7 wg-quick: specify protocol to ip(8), because of inconsistencies
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-29 01:23:24 +02:00
Jason A. Donenfeld ce55f857ff wg-quick: look up existing routes properly
This was never really correct, and then 5.1 broke it entirely.

Reported-by: piraty1@inbox.ru
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-05-29 01:23:24 +02:00
Jason A. Donenfeld c2355e00aa wg-quick: make darwin and freebsd path search strict like linux
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-04-23 20:12:54 +09:00
Jason A. Donenfeld 090639ae90 wg-quick: freebsd: workaround SIOCGIFSTATUS race in FreeBSD kernel
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-04-23 20:12:54 +09:00
Luis Ressel 4471ee711c wg: avoid unneccessary next_peer assignments in sort_peers()
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-23 12:50:52 +01:00
Luis Ressel cdb687cc0b wg-quick: add 'strip' subcommand
`wg-quick strip` prints the config file to stdout after stripping it of
all wg-quick-specific options.

This enables tricks such as `wg addconf $DEV <(wg-quick strip $DEV)`.

Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-23 12:49:48 +01:00
Luis Ressel 84cf22da0d wg: warn if an AllowedIP has a nonzero host part
Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-23 12:49:41 +01:00
Jason A. Donenfeld 7c20ac5ce2 wg-quick: freebsd: export TMPDIR when restoring and don't make empty
Otherwise mktemp doesn't see it, and if it's empty we wind up in /.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-03-18 14:50:36 -06:00
Alexander von Gluck IV fc719b7d7e wg: add support for Haiku
Signed-off-by: Alexander von Gluck IV <kallisti5@unixzen.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-28 23:54:25 +01:00
Jason A. Donenfeld 74a6f97b7a wg: genkey: account for short reads of /dev/urandom
Apparently Haiku has a misbehaving /dev/urandom.

While we're at it, simplify the function signature to completely succeed
or completely fail and make sure the caller checks the result.

Reported-by: Alexander von Gluck IV <kallisti5@unixzen.com>
Nitpicked-by: Aaron Jones <aaronmdjones@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-28 23:53:00 +01:00
Jason A. Donenfeld 2c6cabd73d wg-quick: freebsd: rebreak interface loopback, while fixing localhost
The commit 7c833642 ("wg-quick: freebsd: allow loopback to work") was
supposed to make things better, but actually it just started sending
legitimate localhost traffic over the WireGuard interface, which is
really quite bad.

This reverts commit 7c833642dfa342218602ab18e7091e86408d2982.

Reported-by: Matt Smith <matt.xtaz@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-28 21:25:49 +01:00
Jason A. Donenfeld 86e0c306b8 wg: c_acc doesn't need to be initialized
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-08 02:32:15 +01:00
Jason A. Donenfeld 8ba5498590 wg: fight compiler slightly harder
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-05 01:00:52 +01:00
Jason A. Donenfeld 17281d9369 noise: store clamped key instead of raw key
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-03 21:51:18 +01:00
Jason A. Donenfeld 4bc6ef0089 systemd: wg-quick should depend on nss-lookup.target
Since wg-quick(8) calls wg(8) which does hostname lookups, we should
probably only run this after we're allowed to look up hostnames.

Reported-by: Anton Castelli <anton.c42@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-30 18:53:37 +01:00
Jason A. Donenfeld 643a002603 wg: remove unused check phony declaration
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-24 18:14:38 +01:00
Jason A. Donenfeld 3f7a31faea wg-quick: freebsd: allow loopback to work
FreeBSD adds a route for point-to-point destination addresses. We don't
really want to specify any destination address, but unfortunately we
have to. Before we tried to cheat by giving our own address as the
destination, but this had the unfortunate effect of preventing
loopback from working on our local ip address. We work around this with
yet another kludge: we set the destination address to 127.0.0.1. Since
127.0.0.1 is already assigned to an interface, this has the same effect
of not specifying a destination address, and therefore we accomplish the
intended behavior.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-24 03:28:54 +01:00
Jason A. Donenfeld a6e4ec487d netlink: use __kernel_timespec for handshake time
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 14:29:44 +01:00
Jason A. Donenfeld 777fe674c4 global: normalize -> clamp
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-23 14:29:44 +01:00
Jason A. Donenfeld b8e89f3a09 global: update copyright
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-01-07 19:26:10 -05:00
Jason A. Donenfeld 53f9023e7e wg: curve25519: handle unaligned loads/stores safely
Reported-by: Chris Hewitt <chris@chrishewitt.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-12-20 18:32:40 +01:00
Aaron Jones 48a31572f1 wg-quick: bring interface up while setting MTU
This avoids another ip(8) invocation for little benefit.
Confirmed to work with iproute2 and busybox.

Signed-off-by: Aaron Jones <aaronmdjones@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-12-18 14:41:27 +01:00
Jason A. Donenfeld 7e106d3a4c wg-quick: android: do not choke on empty allowed-ips
Reported-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-11-11 22:15:01 -05:00
Jason A. Donenfeld d9f06cbced wg.8: AllowedIPs isn't actually required
An empty allowed IPs is totally valid, for folks wishing to move IP
addresses between multiple peers atomically.

Suggested-by: Comex <comexk@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-10-19 03:35:25 +02:00
Jason A. Donenfeld b37a1f46ae wg.8: specify that wg(8) shows runtime info too
Suggested-by: Comex <comexk@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-10-19 03:33:53 +02:00
Jason A. Donenfeld 4410c87c39 wg-quick: wait for interface to disappear on freebsd
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-10-13 01:55:31 +02:00
Jason A. Donenfeld 599b84fbd1 wg: don't fail if a netlink interface dump is inconsistent
Netlink returns NLM_F_DUMP_INTR if the set of all tunnels changed
during the dump. That's unfortunate, but is pretty common on busy
systems that are adding and removing tunnels all the time. Rather
than retrying, potentially indefinitely, we just work with the
partial results.

Reported-by: Robert Gerus <ar@is-a.cat>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-10-13 01:55:31 +02:00
Jason A. Donenfeld 9b1394b2dc wg: compile on gnu99
We don't actually use any C11 features, so we can at least compile with
ancient gcc.

Reported-by: Aaron M. D. Jones <aaronmdjones@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-10-09 15:23:42 +02:00
Jason A. Donenfeld c1ca487f63 wg: use libc's endianness macro if no compiler macro
This lets us be compiled with ancient gcc.

Reported-by: Jeff Brandt <jeff@jeffcolo.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-10-09 15:21:27 +02:00
Jason A. Donenfeld 54569b7999 netlink: do not stuff index into nla type
It's not used for anything, and LKML doesn't like the type being used as
an index value.

Suggested-by: Eugene Syromiatnikov <esyr@redhat.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-10-08 03:14:52 +02:00
Jason A. Donenfeld 6790b07868 crypto: clean up remaining .h->.c
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-10-07 16:35:54 +02:00
Jason A. Donenfeld 09c7ab77e9 wg-quick.8: add policy routing example
Suggested-by: Toke Høiland-Jørgensen <toke@toke.dk>
Suggested-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-10-05 19:20:52 +02:00
Jason A. Donenfeld 646d7a5c78 crypto: make constant naming scheme consistent
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-09-25 03:01:21 +02:00
Jason A. Donenfeld cef7ac9ef9 global: put SPDX identifier on its own line
The kernel has very specific rules correlating file type with comment
type, and also SPDX identifiers can't be merged with other comments.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-09-20 19:41:22 +02:00
Jason A. Donenfeld 17546fcd75 global: prefer sizeof(*pointer) when possible
Suggested-by: Sultan Alsawaf <sultanxda@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-09-04 11:08:29 -06:00
Jason A. Donenfeld 4d59d1f2c5 crypto: import zinc
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-09-03 23:52:11 -06:00
Jason A. Donenfeld 407b0cb311 wg: ipc: do not warn on unrecognized netlink attributes
It makes extending things more difficult.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-09-02 23:59:44 -06:00
Jason A. Donenfeld 66054f3638 crypto: use unaligned helpers
This is not useful for WireGuard, but for the general use case we
probably want it this way, and the speed difference is mostly lost in
the noise.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-28 23:20:13 -06:00
Jason A. Donenfeld b2ec7892c8 wg-quick: check correct variable for route deduplication
Reported-by: John Sager <john@sager.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-21 15:42:17 -07:00
Jason A. Donenfeld ffcc09358e wg-quick: darwin: prefer system paths for tools
The only things wg-quick(8) needs from Homebrew are bash(1) and wg(8).
Other than that, it's explicitly coded against the native system
utilities. Since wg-quick(8) and bash(1) are invoked in auto_su by their
full absolute path (via $SELF and $BASH, respectively), we can simply
set the $PATH to be prefixed by the default system binary paths. This
way, if users install tools that conflict with system tools -- such as
GNU coreutils -- we won't accidently call those.

Reported-by: Deirdre Connolly <durumcrustulum@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-08-12 00:28:28 -07:00
Jason A. Donenfeld 544d965d5f wg-quick: android: remove compat code
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-24 18:15:17 +02:00
Jason A. Donenfeld f621f36800 wg-quick: android: allow package to be overridden
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-24 18:15:17 +02:00
Jason A. Donenfeld 4349005f4e wg-quick: allow link local default gateway
It's unclear why it was like this in the first place, but it apparently
broke certain IPv6 setups.

Reported-by: Jonas Blahut <j@die-blahuts.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-16 17:27:00 +02:00
Jason A. Donenfeld 4502f4f2b7 wg: only error on wg show if all interfaces fail
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-08 22:38:34 +02:00
Jason A. Donenfeld 4367cd0d3d wg-quick: android: support excluding applications
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-07-05 19:26:13 +02:00
Jason A. Donenfeld b3b6d97db8 wg-quick: android: prevent outgoing handshake packets from being dropped
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-25 16:15:35 +02:00
Jonathan Neuschäfer a54a133500 wg: fix misspelling of strchrnul in comment
Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-22 04:09:39 +02:00
Jonathan Neuschäfer ef54cbf568 manpages: eliminate whitespace at the end of the line
This eliminates a few style warnings from "mandoc -T lint src/tools/wg*.8".

Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-22 04:09:39 +02:00
Jason A. Donenfeld 02733c681b wg-quick: android: don't forget to free compiled regexes
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-17 19:36:37 +02:00
Jason A. Donenfeld 3bbacaaf14 wg-quick: android: disable roaming to v6 networks when v4 is specified
This works around an unfortunate bug in 464XLAT transitions.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-17 19:36:37 +02:00
Jason A. Donenfeld 6f85449d79 wg: getentropy requires 10.12
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-14 05:25:23 +02:00
Jason A. Donenfeld 0632c8af68 wg: support getentropy(3)
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-08 03:24:46 +02:00
Jason A. Donenfeld d90e49599b wg: encoding: add missing static array constraints
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-06 00:05:58 +02:00
Jason A. Donenfeld 8c4cf156d5 wg-quick: android: change name of intent
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-06-04 07:05:58 +02:00
Jason A. Donenfeld 2044bb026d wg-quick: android: delay setting users until end
`ndc users add` eventually invokes SOCK_DESTROY on user sockets, causing
them to reconnect. By delaying this until after routes are set, we
ensure that the sockets reconnect using the tunnel, rather than the old
route.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-31 16:38:08 +02:00
Jason A. Donenfeld 2bca99893f wg: constanter time encoding
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-31 01:24:51 +02:00