From: Kyle Evans <kevans@FreeBSD.org>
Date: Tue, 8 Oct 2024 19:54:40 -0500
Subject: Re: wireguard confusion
To: questions@freebsd.org
Message-ID: <9f0e1fff-daf5-4dd5-a972-1ed73618533a@FreeBSD.org>
In-Reply-To: <20241009014801.60e084f9@Hydrogen>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On 10/8/24 19:48,
Polarian wrote:
> Hello,
>
> As for the scripts not being ported, wg-quick can be omitted and you
> could use ifconfig directly within rc.conf.
>
> However, this is not clean, nor secure in the slightest, as you would
> need to stick your private key in the rc.conf which by default can be
> read by any user.
>
> It would be nice if WG(4) could load configs natively without needing a
> script to do so, in the same format as wg-quick does (look for
> /etc/wireguard/.conf), therefore no bash needed, and it can
> be baked into the base system easily without relying on third party
> scripts. I assume the problem with this is someone has to code it.
>

wg(8) can read that style of configuration, but wg-quick(8) adds some
niceties on top of that that it won't understand. I think DNS is the main
one, which I wouldn't think would be too hard to parse out.

>>>>> Little nitpick at this, can't you exclude wg from the port then?
>>>
>>>> At this point we probably could- all supported versions should have
>>>> it- but I have no opinion. CC decke@
>>>
>>> Note that the rc bit would have to be modified in that case, as it
>>> hardcodes the pathname to /usr/local/bin/wg.
>>>
>>
>> That can be fixed.
>
> I am a little confused why you would hardcode the path to wg in the
> script and not use what's in $PATH (which, as I explained in my first
> email in this thread, defaults to /usr/bin/wg), maybe someone knows the
> reason for this? (I am curious)
>

You can't count on /usr/local/bin being in $PATH in rc scripts, so for
things that come from ports you have to hardcode it. For wg in particular,
the version in base comes along quite far after the version in ports and
the ports script just hasn't been adopted to use it. The version in base is
technically safer, though, as we could theoretically change the
configuration interface for wg interfaces and the version in base is
generally guaranteed to work with the kmod that it ships with.

Thanks,

Kyle Evans
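As an added illustration of the two points in the reply above (not code from this thread or from the WireGuard project), the POSIX sh below strips the wg-quick(8)-only settings out of a wg-quick style config so that what remains is the subset wg(8) understands, and checks that the file holding the private key is readable by its owner alone, which is the property rc.conf lacks. The function names, the list of wg-quick-only keys and the sample config are my own constructions; the key values are placeholders.

```shell
# Added example; not code from this thread or from the WireGuard project.
# It shows the two points in the reply above: wg(8) can consume a wg-quick(8)
# style config once the wg-quick-only "niceties" are stripped (the job of
# "wg-quick strip"), and the file holding the private key must be readable by
# its owner alone, which rc.conf is not. Config and keys are placeholders.

# Keys that wg-quick(8) interprets itself and that wg(8) setconf rejects.
WGQUICK_ONLY='address|dns|mtu|table|preup|postup|predown|postdown|saveconfig'

# Write the constructed demo config to $1, owner-readable only (mode 0600).
wg_write_demo_conf() {
    ( umask 077; cat >"$1" <<'EOF'
[Interface]
Address = 10.0.0.2/24
PrivateKey = PLACEHOLDER_PRIVATE_KEY_NOT_REAL
DNS = 10.0.0.1
ListenPort = 51820
PostUp = sysctl net.inet.ip.forwarding=1
[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY
AllowedIPs = 10.0.0.0/24
Endpoint = vpn.example.net:51820
PersistentKeepalive = 25
EOF
    )
}

# Print the wg(8)-compatible subset of the wg-quick config in $1 to stdout.
wg_strip_conf() {
    awk -v drop="^[[:space:]]*(${WGQUICK_ONLY})[[:space:]]*=" '
        tolower($0) ~ drop { next }   # wg-quick nicety: wg(8) would reject it
        { print }                     # PrivateKey, ListenPort, [Peer] data stay
    ' "$1"
}

# Succeed only if $1 has no group/other permission bits (the rc.conf problem).
wg_conf_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Number of lines wg_strip_conf removed, i.e. the wg-quick-only settings.
wg_count_stripped() {
    total=$(wc -l <"$1")
    kept=$(wg_strip_conf "$1" | wc -l)
    echo $((total - kept))
}
```

On the demo config, `wg_strip_conf` drops Address, DNS and PostUp and keeps the PrivateKey, ListenPort and the whole [Peer] section, which is what `wg setconf` expects to read.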