aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/src/wg-quick (follow)
Commit message (Collapse)AuthorAgeFilesLines
* global: bump copyrightJason A. Donenfeld2020-01-025-5/+5
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: quote ifname for nftJason A. Donenfeld2019-12-281-1/+1
| | | | | | | Otherwise nft(8) has strange ideas of what a string is. Suggested-by: RistiCore <RistiCore@mail.ee> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: use already configured addresses instead of in-memoryJason A. Donenfeld2019-12-171-6/+6
| | | | | | | | | | | The ADDRESSES array might not have addresses added during PreUp. But moreover, nft(8) and iptables(8) don't like ip addresses in the form somev6prefix::someipv4suffix, such as fd00::1.2.3.4, while ip(8) can handle it. So by adding these first and then asking for them back, we always get normalized addresses suitable for nft(8) and iptables(8). Reported-by: Silvan Nagl <mail@53c70r.de> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: try both iptables(8) and nft(8) on teardownJason A. Donenfeld2019-12-121-1/+2
| | | | | | | | Daniel argues that technically a package manager could install nft(8) after previously having started wg-quick(8) using iptables(8). Suggested-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: support older nft(8)Jason A. Donenfeld2019-12-121-5/+5
| | | | | | | | Older nft(8), such as that on Ubuntu, does not accept the - parameter to the -f argument and doesn't accept symbolic priority names. So instead use the canonical numeric priority forms and use <(echo) instead of -. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: fix up spellingJosh Soref2019-12-121-2/+2
| | | | | Signed-off-by: Josh Soref <jsoref@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: add support for nft and prefer itJason A. Donenfeld2019-12-121-20/+39
| | | | | | | | If nft(8) is installed, use it. These rules should be identical to the iptables-restore(8) ones, with the advantage that cleanup is easy because we use custom table names. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: ignore save warnings for iptables-nftJason A. Donenfeld2019-12-061-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: suppress more warnings on weird kernelsJason A. Donenfeld2019-12-061-4/+4
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: some iptables don't like empty linesJason A. Donenfeld2019-12-051-6/+6
| | | | | Reported-by: Kenneth R. Crudup <kenny@panix.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: iptables-* -w is not widely supportedJason A. Donenfeld2019-12-051-2/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: have remove_iptables return trueJason A. Donenfeld2019-12-051-1/+1
| | | | | Reported-by: Thomas Sattler <sattler@med.uni-frankfurt.de> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: ensure postdown hooks executeJason A. Donenfeld2019-12-051-2/+2
| | | | | Reported-by: Thomas Sattler <sattler@med.uni-frankfurt.de> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: suppress error when finding unused tableJason A. Donenfeld2019-11-271-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: filter bogus injected packets and don't disable rpfilterJason A. Donenfeld2019-11-271-8/+29
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: only touch net.ipv4 for v4Jason A. Donenfeld2019-11-261-3/+5
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: android: check for null in binder cleanup functionsJason A. Donenfeld2019-10-161-3/+6
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: android: use Binder for setting DNS on Android 10Nicolas Douma2019-10-121-7/+429
| | | | | Signed-off-by: Nicolas Douma <nicolas@serveur.io> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: linux: don't fail down when using systemd-resolvedRonan Pigott2019-08-271-1/+1
| | | | | | | | | | | | | | | | | systemd-resolved has a compatibility interface for use with resolvconf scripts when resolvectl is called from a symlink from resolvconf. However, when tearing down the interface, cmd_down calls del_if and then unset_dns. In the case of systemd-resolved, deleting the interface also removes the systemd-resolved entry and causes resolvconf -d to fail when resolvconf really is a symlink to resolvectl. This causes `wg-quick down` and 'wg-quick@.service' to exit with failure. Instead we use the resolvconf '-f' flag to ignore non-existent interfaces, supported by both openresolv and sd-resolved resolvconf. Signed-off-by: Ronan Pigott <rpigott@berkeley.edu> [zx2c4: moved -f argument to end to remain compatible with Debian's resolvconf] Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: openbsd: fix alternate routing table syntaxAnkur Kothari2019-08-071-1/+1
| | | | | | | | route(8) has always used the `-T` option to specify the routing table; there is no `rdomain` option. Signed-off-by: Ankur Kothari <ankur@lipidity.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: android: refactor and add incoming allow rulesJason A. Donenfeld2019-07-081-65/+73
| | | | | Suggested-by: Yağmur Oymak <yagmur.oymak@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: darwin: support being called from launchdJason A. Donenfeld2019-06-241-1/+16
| | | | | | | | This causes wg-quick up to wait for the monitor to exit before it exits, so that launchd can correctly wait on it. Reported-by: Cameron Palmer <cameron@promon.no> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: specify protocol to ip(8), because of inconsistenciesJason A. Donenfeld2019-05-291-3/+7
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: look up existing routes properlyJason A. Donenfeld2019-05-291-1/+1
| | | | | | | This was never really correct, and then 5.1 broke it entirely. Reported-by: piraty1@inbox.ru Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: make darwin and freebsd path search strict like linuxJason A. Donenfeld2019-04-232-2/+4
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: freebsd: workaround SIOCGIFSTATUS race in FreeBSD kernelJason A. Donenfeld2019-04-231-9/+22
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: add 'strip' subcommandLuis Ressel2019-03-234-4/+36
| | | | | | | | | | `wg-quick strip` prints the config file to stdout after stripping it of all wg-quick-specific options. This enables tricks such as `wg addconf $DEV <(wg-quick strip $DEV)`. Signed-off-by: Luis Ressel <aranea@aixah.de> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: freebsd: export TMPDIR when restoring and don't make emptyJason A. Donenfeld2019-03-181-1/+2
| | | | | | Otherwise mktemp doesn't see it, and if it's empty we wind up in /. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: freebsd: rebreak interface loopback, while fixing localhostJason A. Donenfeld2019-02-281-1/+1
| | | | | | | | | | | | The commit 7c833642 ("wg-quick: freebsd: allow loopback to work") was supposed to make things better, but actually it just started sending legitimate localhost traffic over the WireGuard interface, which is really quite bad. This reverts commit 7c833642dfa342218602ab18e7091e86408d2982. Reported-by: Matt Smith <matt.xtaz@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: freebsd: allow loopback to workJason A. Donenfeld2019-01-241-1/+1
| | | | | | | | | | | | | | FreeBSD adds a route for point-to-point destination addresses. We don't really want to specify any destination address, but unfortunately we have to. Before we tried to cheat by giving our own address as the destination, but this had the unfortunate effect of preventing loopback from working on our local ip address. We work around this with yet another kludge: we set the destination address to 127.0.0.1. Since 127.0.0.1 is already assigned to an interface, this has the same effect of not specifying a destination address, and therefore we accomplish the intended behavior. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: update copyrightJason A. Donenfeld2019-01-075-5/+5
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: bring interface up while setting MTUAaron Jones2018-12-181-9/+4
| | | | | | | | This avoids another ip(8) invocation for little benefit. Confirmed to work with iproute2 and busybox. Signed-off-by: Aaron Jones <aaronmdjones@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: android: do not choke on empty allowed-ipsJason A. Donenfeld2018-11-111-1/+4
| | | | | Reported-by: Samuel Holland <samuel@sholland.org> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: wait for interface to disappear on freebsdJason A. Donenfeld2018-10-131-0/+9
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* global: put SPDX identifier on its own lineJason A. Donenfeld2018-09-201-2/+2
| | | | | | | The kernel has very specific rules correlating file type with comment type, and also SPDX identifiers can't be merged with other comments. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: check correct variable for route deduplicationJason A. Donenfeld2018-08-211-1/+1
| | | | | Reported-by: John Sager <john@sager.me.uk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: darwin: prefer system paths for toolsJason A. Donenfeld2018-08-121-1/+1
| | | | | | | | | | | | | The only things wg-quick(8) needs from Homebrew are bash(1) and wg(8). Other than that, it's explicitly coded against the native system utilities. Since wg-quick(8) and bash(1) are invoked in auto_su by their full absolute path (via $SELF and $BASH, respectively), we can simply set the $PATH to be prefixed by the default system binary paths. This way, if users install tools that conflict with system tools -- such as GNU coreutils -- we won't accidently call those. Reported-by: Deirdre Connolly <durumcrustulum@gmail.com> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: android: remove compat codeJason A. Donenfeld2018-07-241-10/+0
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: android: allow package to be overriddenJason A. Donenfeld2018-07-241-4/+9
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: allow link local default gatewayJason A. Donenfeld2018-07-163-3/+0
| | | | | | | | It's unclear why it was like this in the first place, but it apparently broke certain IPv6 setups. Reported-by: Jonas Blahut <j@die-blahuts.de> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: android: support excluding applicationsJason A. Donenfeld2018-07-051-9/+102
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: android: prevent outgoing handshake packets from being droppedJason A. Donenfeld2018-06-251-0/+4
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: android: don't forget to free compiled regexesJason A. Donenfeld2018-06-171-5/+6
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: android: disable roaming to v6 networks when v4 is specifiedJason A. Donenfeld2018-06-171-1/+54
| | | | | | This works around an unfortunate bug in 464XLAT transitions. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: android: change name of intentJason A. Donenfeld2018-06-041-1/+1
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: android: delay setting users until endJason A. Donenfeld2018-05-311-1/+6
| | | | | | | | | `ndc users add` eventually invokes SOCK_DESTROY on user sockets, causing them to reconnect. By delaying this until after routes are set, we ensure that the sockets reconnect using the tunnel, rather than the old route. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: darwin: set DNS servers after delay on route changeJason A. Donenfeld2018-05-311-2/+6
| | | | | | | | This works around a race condition in macOS's network daemons, while also adding one in the form of possibly calling kill -ALRM on a stale PID; unfortunately bash can't wait from a trap. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: freebsd: configure as p2p linkJason A. Donenfeld2018-05-271-3/+5
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: darwin: add multiple IP addressesJason A. Donenfeld2018-05-271-2/+2
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wg-quick: determine IPs when saving interfaceJason A. Donenfeld2018-05-273-12/+14
| | | | Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.