bateast
/
wireguard-tools
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
This repository has been archived on 2024-01-23. You can view files and clone it, but cannot push or open issues or pull requests.
456 Commits 1 Branch 0 Tags 763 KiB
C 68.5%
Shell 15.1%
Roff 4.3%
C++ 3.8%
Haskell 1.6%
Other 6.7%
Go to file
Matt Dunwoodie 84ac6add7e wg-quick: openbsd: set DNS with resolvd(8) 
OpenBSD has introduced a new daemon named resolvd(8) to manage
resolv.conf. This creates problems with the old "horrible way" of
completely replacing resolv.conf. Resolvd will attempt to merge manual
changes with DNS servers discovered through dhcpleased(8) and slaacd(8).
Unfortunately, resolvd puts any manual modifications at the end of
resolv.conf, meaning that the wg-quick name servers will be queried
last.

The process for handling multiple name servers (at least with libc) is
to try a name server, and if the query times out, try the next, until
out of name servers, then repeat trying all name servers until a maximum
number of retries are performed. The name servers are queried in the
order listed in resolv.conf and the timeout is 5 seconds.

With this patch, we ensure the wg-quick name server is first in
resolv.conf (as route creates the name server with "static" priority),
but cannot ensure it is exclusive. Therfore, it may be possible that
queries are leaked to other name servers if the wg-quick name server
doesn't respond within 5 seconds.

We have another problem however, and that is if resolvd detects unwind
is running, it will set 127.0.0.1 as the only name server in
resolv.conf. unwind does not have deterministic name server selection in
the default configuration.  This means, all a user would need to do to
inadvertently cause persistent query leaks would be to run `rcctl enable
unwind`.

There are warnings added when these situations may occur.

The next step is to add an exclusive flag and search to route and
resolvd.

Reported-by: Matthieu Herrb <matthieu@herrb.eu>
Signed-off-by: Matt Dunwoodie <ncon@noconroy.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 		2021-09-14 00:40:51 +02:00
contrib contrib/launchd: fix xml syntax error 2021-05-17 11:43:06 +02:00
src wg-quick: openbsd: set DNS with resolvd(8) 2021-09-14 00:40:51 +02:00
.gitattributes git: add gitattributes so tarball doesn't have gitignore files 2020-04-08 23:54:42 -06:00
.gitignore ipc: add wireguard-nt support 2021-07-20 13:24:18 +02:00
COPYING Initial commit 2016-06-25 16:48:39 +02:00
README.md netlink: remove libmnl requirement 2020-02-03 18:17:27 +01:00

README.md

wireguard-tools — tools for configuring WireGuard

This supplies the main userspace tooling for using and configuring WireGuard tunnels, including the wg(8) and wg-quick(8) utilities. This project supports Linux, OpenBSD, FreeBSD, macOS, Windows, and Android.

More information may be found at WireGuard.com.

Building

$ cd src
$ make

There are no dependencies other than a good C compiler and a sane libc.

Installing

# make install

This command takes into account several environment variables:

  • PREFIX default: /usr

  • DESTDIR default:

  • BINDIR default: $(PREFIX)/bin

  • LIBDIR default: $(PREFIX)/lib

  • MANDIR default: $(PREFIX)/share/man

  • BASHCOMPDIR default: $(PREFIX)/share/bash-completion/completions

  • RUNSTATEDIR default: /var/run

  • PKG_CONFIG default: pkg-config

  • WITH_BASHCOMPLETION default: [auto-detect]

  • WITH_WGQUICK default: [auto-detect]

  • WITH_SYSTEMDUNITS default: [auto-detect]

  • DEBUG default:

The first section is rather standard. The second section is not:

  • WITH_BASHCOMPLETION decides whether or not bash completion files for the tools are installed. This is just a nice thing for people who have bash. If you don't have bash, or don't want this, set the environment variable to no. If you'd like to force its use, even if bash-completion isn't detected in DESTDIR, then set it to yes.

  • WITH_WGQUICK decides whether or not the wg-quick(8) script is installed. This is a very quick and dirty bash script for reading a few extra variables from wg(8)-style configuration files, and automatically configures the interface. If you don't have bash, you probably don't want this at all. Likewise, if you already have a working network management tool or configuration, you probably want to integrate wg(8) or the direct WireGuard API into your network manager, rather than using wg-quick(8). But for folks who like simple quick and dirty scripts, this is nice. If you'd like to force its use, even if bash isn't detected in DESTDIR, then set it to yes.

  • WITH_SYSTEMDUNITS decides whether or not systemd units are installed for wg-quick(8). If you don't use systemd, you certainly don't want this, and should set it to no. If systemd isn't auto-detected, but you still would like to install it, set this to yes.

  • DEBUG decides whether to build with -g, when set to yes.

If you're a simple make && make install kind of user, you can get away with not setting these variables and relying on the auto-detection. However, if you're writing a package for a distro, you'll want to explicitly set these, depending on what you want.

contrib/

The contrib/ subdirectory contains various scripts and examples. Most of these are not immediately useful for production use, but should provide inspiration for creating fully-featured tools. See the README in each directory.

License

This project is released under the GPLv2.