Re: wireguard confusion

From: Kyle Evans <kevans_at_FreeBSD.org>
Date: Wed, 09 Oct 2024 00:54:40 UTC
On 10/8/24 19:48, Polarian wrote:
> Hello,
> 
> As for the scripts not being ported, wg-quick can be omitted and you
> could use ifconfig directly within rc.conf.
> 
> However, this is not clean, nor secure in the slightest, as you would
> need to stick your private key in the rc.conf which by default can be
> read by any user.
> 
> It would be nice if WG(4) could load configs natively without needing a
> script to do so, in the same format as wg-quick does (look for
> /etc/wireguard/<interface>.conf), therefore no bash needed, and it can
> be baked into the base system easily without relying on third party
> scripts. I assume the problem with this is someone has to code it.
>

wg(8) can read that style of configuration, but wg-quick(8) adds some
niceties on top of that that it won't understand.  I think DNS is the
main one, which I wouldn't think would be too hard to parse out.

>>>>> Little nitpick at this, can't you exclude wg from the port then?
>>>
>>>> At this point we probably could- all supported versions should have
>>>> it- but I have no opinion.  CC decke@
>>>
>>> Note that the rc bit would have to be modified in that case, as it
>>> hardcodes the pathname to /usr/local/bin/wg.
>>>
>>
>> That can be fixed.
> 
> I am a little confused why you would hardcode the path to wg in the
> script and not use what's in $PATH (which, as I explained in my first
> email in this thread, defaults to /usr/bin/wg), maybe someone knows the
> reason for this? (I am curious)
> 

You can't count on /usr/local/bin being in $PATH in rc scripts, so for
things that come from ports you have to hardcode it.  For wg in
particular, the version in base comes along quite far after the version
in ports and the ports script just hasn't been adapted to use it.  The
version in base is technically safer, though, as we could theoretically
change the configuration interface for wg interfaces and the version in
base is generally guaranteed to work with the kmod that it ships with.

Thanks,

Kyle Evans
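As an added illustration of the parsing gap mentioned above (wg(8) reads the wg-quick(8) file format but not its extras such as DNS), here is a small POSIX sh filter that drops the wg-quick-only keys so the rest can go to `wg setconf`; this is not code from the thread or from FreeBSD. The list of wg-quick-only keys, the sample config and the `wg setconf wg0 /dev/stdin` invocation in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: strip the keys that only wg-quick(8)
# understands from an /etc/wireguard/<iface>.conf so the remainder is a
# plain wg(8) setconf file. The key list below is an assumption drawn from
# wg-quick(8)'s [Interface] options; DNS is the one the thread calls out.
WGQUICK_ONLY='Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig'

# Print the config on stdin with wg-quick-only "Key = value" lines removed.
# Matching is case-insensitive and tolerates leading whitespace.
strip_wgquick_keys() {
    grep -Ev -i "^[[:space:]]*(${WGQUICK_ONLY})[[:space:]]*="
}

# Count how many wg-quick-only lines a config on stdin contains.
count_wgquick_keys() {
    grep -Ec -i "^[[:space:]]*(${WGQUICK_ONLY})[[:space:]]*="
}

# Constructed sample config with placeholder keys (not real key material).
# Because it carries PrivateKey, the real file belongs root-only (mode 600),
# which is the point made above about not putting the key in rc.conf.
SAMPLE_CONF='[Interface]
Address = 10.0.0.2/24
PrivateKey = PLACEHOLDER_PRIVATE_KEY_BASE64=
DNS = 10.0.0.1
ListenPort = 51820

[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY_BASE64=
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
PersistentKeepalive = 25'

# Return the filtered sample. An rc script would instead pipe the file
# into `wg setconf wg0 /dev/stdin` (assumed invocation, not shown here).
filtered_sample() {
    printf '%s\n' "$SAMPLE_CONF" | strip_wgquick_keys
}
```

The Address line would still have to be applied with ifconfig(8) separately, since wg(8) only configures the tunnel itself.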