[th/wireguard-pt3 (v2)] #295
LGTM
Change in binary size when building with
on x64_86, Fedora 29 commit 9a4cd1e (before) vs 489a6ab (after):
Branch LGTM
For now only add the core settings, no peers' data. To support peers and the allowed-ips of the peers is more complicated and will be done later. It's more complicated because these are nested lists (allowed-ips) inside a list (peers). That is quite unusual and to conveniently support that in D-Bus API, in keyfile format, in libnm, and nmcli, is an effort. Also, it's further complicated by the fact that each peer has a secret (the preshared-key). Thus we probably need secret flags for each peer, which is a novelty as well (until now we require a fixed set of secrets per profile that is well known).
…rd profile Use the script to test how GObject introspection with libnm's WireGuard support works. Also, since support for WireGuard peers is not yet implemented in nmcli (or other clients), this script is rather useful.
Configuring peers (and allowed-ips of the peers) is not yet supported.
That is slightly complex, because we need to (DNS) resolve the endpoints, and we also have to retry periodically. For example, initially we may be unable to resolve an endpoint, but later we may be. What is also interesting is that during assume and reapply, we may not have all information in the profile. Most notably, the private keys will be missing. We need to cope with that and not reconfigure keys. However, we still need to resolve names and update the endpoints.
Thanks @fgiudici. Addressed your comments and repushed.
LGTM
Thanks!! merged.
This resurrects the work from #281 and is based on #293.
I think this is ready to be merged. A few things are still missing. They are documented in TODO comments in src/devices/nm-device-wireguard.c. But these things should not block this branch. And I don't even think they would block a 1.16.0 release (with this branch in).
Please test and review. Thanks