wg-quick linux: Add strip-and-eval cmd to extract keys from PostUp #3
Open
ypid wants to merge 1 commit into WireGuard:master from
The manpage mentions the trick to use PostUp to read the PrivateKey (or PresharedKey) from a command (or file). However, when you actually use that you notice that this is currently not fully supported. The issue is that

```Shell
wg syncconf wgnet0 <(wg-quick strip wgnet0)
```

from the manpage now breaks the VPN because it *removes* the private key from the WireGuard interface. The reason is that `strip` removes PostUp of course.

This patch tries to add full support to read WireGuard keys from files or command outputs by evaluating PostUp using a best effort approach (using regex). It will not work for everything but when you follow the manpage closely, it will work.

I also propose to update the systemd template to make seamless use of this. This is not a must because the sysadmin can easily change the ExecReload using systemd drop-in files.

Note that the patchset is incomplete (currently only for Linux). I don’t have all the other OSes lying around. When the patch looks ok, I can apply it to the other versions also.

Example use of this patch: https://github.com/ypid/ansible-wireguard/tree/prepare-for-debops

Signed-off-by: Robin Schneider <ypid@riseup.net>
I will also submit this to the mailing list. I am just opening a PR here because I find it easier to get an overview of what has been merged and what has not.

Note that the patchset is incomplete (currently only for Linux). I don’t have all the other OSes lying around.

The manpage mentions the trick to use PostUp to read the PrivateKey (or PresharedKey) from a command (or file). However, when you actually use that you notice that this is currently not fully supported. The issue is that

```Shell
wg syncconf wgnet0 <(wg-quick strip wgnet0)
```

from the manpage now breaks the VPN because it *removes* the private key from the WireGuard interface. The reason is that `strip` removes PostUp of course.

This patch tries to add full support to read WireGuard keys from files or command outputs by evaluating PostUp using a best effort approach (using regex). It will not work for everything but when you follow the manpage closely, it will work.

I also propose to update the systemd template to make seamless use of this. This is not a must because the sysadmin can easily change the ExecReload using systemd drop-in files.

Example use of this patch: https://github.com/ypid/ansible-wireguard/tree/prepare-for-debops
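
A pre-reload check for the failure described in the PR, as an added example that is not part of the patch or of wg-quick: `strip_conf` only approximates `wg-quick strip` by dropping the wg-quick-only keys, and `key_source` is a hypothetical helper that reports whether the stripped config would still carry `PrivateKey`. The sample config, key path and placeholder peer key are constructed, and only the `private-key` form of the PostUp trick is detected.

```shell
#!/bin/sh
# Constructed sample wg-quick config (not from the PR): the private key is
# loaded by PostUp from a file instead of being stored inline.
sample_conf() {
cat <<'EOF'
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PostUp = wg set %i private-key /etc/wireguard/%i.key

[Peer]
PublicKey = <peer-public-key-placeholder>
AllowedIPs = 10.0.0.2/32
EOF
}

# Approximation of `wg-quick strip`: drop the keys only wg-quick understands,
# so that the remaining text is acceptable to `wg syncconf`.
strip_conf() {
    awk '
        { key = tolower($0); sub(/^[ \t]+/, "", key); sub(/[ \t]*=.*/, "", key) }
        /=/ && key ~ /^(address|dns|mtu|table|saveconfig|preup|postup|predown|postdown)$/ { next }
        { print }
    '
}

# Classify where the interface private key comes from (config on stdin):
#   inline - PrivateKey survives stripping, syncconf keeps the key
#   postup - key is set by a PostUp "wg set ... private-key" hook that
#            stripping removes, so syncconf would clear the key
#   none   - no private key is configured at all
key_source() {
    conf=$(cat)
    if printf '%s\n' "$conf" | strip_conf |
        grep -Eiq '^[[:space:]]*PrivateKey[[:space:]]*='; then
        echo inline
    elif printf '%s\n' "$conf" |
        grep -Eiq '^[[:space:]]*PostUp[[:space:]]*=.*wg[[:space:]]+set[[:space:]].*private-key'; then
        echo postup
    else
        echo none
    fi
}

# Stand-alone run: show the classification for the constructed sample.
sample_conf | key_source
```

A reload wrapper can refuse to call `wg syncconf` unless `key_source` prints `inline`, falling back to a full restart of the interface otherwise.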