nixos/wireguard: add options to punch-through non-symmetric NATs #128014
base: master
Conversation
# Query the peer announcing other peers,
# for setting the current endpoint of all configured peers.
script = ''
This is some nontrivial level of bash and quoting.
Given that Wireguard is highly security relevant, would you be up for doing the same in a safer-by-default script like Python instead?
Sorry, I am no Pythoner, I personally would not be able to produce something more secure than this Bash script, in which I see no obvious problem.
AFAIU, because the Bash script is initiating the connection, inside the WireGuard tunnel, and only to the first hop, the input validation is not needed from a security point of view (unless the announcing peer is itself compromised). If that's correct, then that validation is here only from a feature point of view (updating only the peers configured in the peers' NixOS and not all those known by the announcing peer).
But feel free to point out if I'm mistaken or forgetting something here.
I have added timeout (`-t`) and input-limiting (`-n`) flags to the `read` in order to be more resilient/sane, but this is likely useless.
I don't think I really like the idea of logic like this, which is applicable outside the context of NixOS and even nixpkgs, living within nixpkgs. IMHO this deserves its own repository and a package, for better reusability e.g. on other distributions, rather than being inlined into the NixOS wireguard module. What it does is pretty cool though :)
Again, while the functionality is cool and the implementation looks fair enough at a glance, I don't think this should be in nixpkgs. Would you be willing to move this into its own repo instead?
@lheckemann, this PR adds:
Do you know if I can "move this into its own repo", without copying/replacing the whole
Yes, this should be possible by replicating the structure and introducing your extra options:
The NixOS module system is smart and merges these as appropriate.
This PR is ready for reviewing.
Motivation for this change
Having a peer-to-peer VPN with WireGuard by having all peers connect to the same peer (usually publicly reachable), hence giving it their own public endpoint, and then initiating a periodic TCP connection to that peer (within the VPN) to receive the endpoints of the other peers, in order to punch through non-symmetric NATs.
Note that it can also work with two hosts behind the same NAT if that NAT can reflect (to its internal network) connections from its internal network to its external IP address, which may require `persistentKeepalive`s as low as 1 and/or redirecting at least one host's WireGuard port, e.g. with UPnP. This is a much simpler alternative to WireGuard Endpoint Discovery and NAT Traversal using DNS-SD or natpunch-go.
Things done
- `peersAnnouncing.{enable,port}` creating a systemd socket triggering a `wg show ${iface} dump` to send the known endpoints.
- `endpointsUpdater.{enable,addr,port,refreshSeconds}` running a `netcat` to the (announcing) peer to receive the endpoints.
- `networking.wireguard` NixOS module.
- (`BindToDevice`, `IPAddressAllow` and `MaxConnectionsPerSource`):
- `sandbox` in `nix.conf` on non-NixOS linux)
- `nix-shell -p nixpkgs-review --run "nixpkgs-review wip"`
- `./result/bin/`)
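Putting lheckemann's suggestion (re-declare the option tree out of tree and let the module system merge it) together with the design in the motivation and the list above, here is an added example. It is not the PR's code and not part of nixpkgs: an out-of-tree NixOS module that re-declares `networking.wireguard.interfaces` as an `attrsOf (submodule ...)` carrying the `peersAnnouncing` and `endpointsUpdater` options, which the module system merges with the nixpkgs declaration, and that generates the announcing socket and the updater timer from them. Option names follow the PR description; the unit names, the dependency on `wireguard-<name>.service`, the default port 51821, the hardening values and the shell script body are assumptions of this example. One deliberate difference from the description: it serves `wg show <iface> endpoints` rather than `wg show <iface> dump`, because per wg(8) the first line of `dump` is the interface itself, beginning with its private key, and the announcement leaves the host over TCP.

```nix
# Added example (not code from PR #128014 or nixpkgs). Assumed: unit names,
# default port 51821, the wireguard-<name>.service dependency, script body.
{ config, lib, pkgs, ... }:

let
  inherit (lib) types mkOption mkEnableOption mkIf mkMerge mapAttrsToList concatStringsSep;
  cfg = config.networking.wireguard.interfaces;

  # Extra per-interface options; the module system merges this submodule into
  # the one declared by the nixpkgs wireguard module when both are imported.
  extraOptions = { ... }: {
    options.peersAnnouncing = {
      enable = mkEnableOption "announcing peer endpoints over TCP inside the tunnel";
      port = mkOption { type = types.port; default = 51821; };
    };
    options.endpointsUpdater = {
      enable = mkEnableOption "refreshing peer endpoints from an announcing peer";
      addr = mkOption { type = types.str; description = "Tunnel address of the announcing peer."; };
      port = mkOption { type = types.port; default = 51821; };
      refreshSeconds = mkOption { type = types.ints.positive; default = 30; };
    };
  };

  # Client side: read "<public-key>\t<endpoint>" lines and update only peers
  # configured locally, so an announcement cannot add or touch other peers.
  # Reads are bounded in time (nc -w, read -t) and size (head -c).
  updater = name: iface: pkgs.writeShellScript "wg-${name}-endpoints-updater" ''
    set -eu
    configured="${concatStringsSep " " (map (p: p.publicKey) iface.peers)}"
    ${pkgs.netcat-openbsd}/bin/nc -w 5 ${iface.endpointsUpdater.addr} ${toString iface.endpointsUpdater.port} \
      | head -c 65536 \
      | while IFS=$'\t' read -r -t 5 pubkey endpoint _; do
          [ -n "$endpoint" ] && [ "$endpoint" != "(none)" ] || continue
          for key in $configured; do
            if [ "$key" = "$pubkey" ]; then
              ${pkgs.wireguard-tools}/bin/wg set ${name} peer "$pubkey" endpoint "$endpoint"
            fi
          done
        done
  '';
in
{
  options.networking.wireguard.interfaces = mkOption {
    type = types.attrsOf (types.submodule extraOptions);
  };

  config = mkMerge (mapAttrsToList (name: iface: mkMerge [
    (mkIf iface.peersAnnouncing.enable {
      # Server side: one short-lived process per connection, reachable only via
      # the tunnel interface and only from tunnel addresses.
      systemd.sockets."wg-${name}-peers-announcing" = {
        wantedBy = [ "sockets.target" ];
        after = [ "wireguard-${name}.service" ];
        requires = [ "wireguard-${name}.service" ];
        listenStreams = [ (toString iface.peersAnnouncing.port) ];
        socketConfig = {
          Accept = true;
          BindToDevice = name;
          IPAddressDeny = "any";
          IPAddressAllow = concatStringsSep " " iface.ips;
          MaxConnectionsPerSource = 1;
        };
      };
      systemd.services."wg-${name}-peers-announcing@" = {
        serviceConfig = {
          # `endpoints` prints one "<public-key>\t<endpoint>" line per peer;
          # `dump` would also print the interface line, which starts with the
          # private key.
          ExecStart = "${pkgs.wireguard-tools}/bin/wg show ${name} endpoints";
          StandardInput = "socket";
          StandardOutput = "socket";
        };
      };
    })
    (mkIf iface.endpointsUpdater.enable {
      systemd.timers."wg-${name}-endpoints-updater" = {
        wantedBy = [ "timers.target" ];
        timerConfig = {
          OnBootSec = "${toString iface.endpointsUpdater.refreshSeconds}s";
          OnUnitActiveSec = "${toString iface.endpointsUpdater.refreshSeconds}s";
        };
      };
      systemd.services."wg-${name}-endpoints-updater" = {
        after = [ "wireguard-${name}.service" ];
        serviceConfig = {
          Type = "oneshot";
          ExecStart = updater name iface;
        };
      };
    })
  ]) cfg);
}
```

The updater only ever issues `wg set ... peer <key> endpoint` for public keys already present in the interface's `peers` list, which is the validation the author describes: a compromised announcing peer could still hand out wrong endpoints for configured peers, but it cannot add peers or change anything other than endpoints, and since WireGuard authenticates every packet a wrong endpoint costs connectivity only until the next refresh. `BindToDevice` plus `IPAddressAllow`/`IPAddressDeny` keep the announcement socket unreachable from outside the tunnel, and `MaxConnectionsPerSource = 1` bounds what one peer can spawn.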