PiRogueToolSuite / pirogue-admin

PiRogue administration agent
GNU General Public License v3.0

Investigate WireGuard options: PersistentKeepalive, PresharedKey, MTU #13

Open CyrilBrulebois opened 2 months ago

CyrilBrulebois commented 2 months ago

Initially I left a FIXME in the code around this option for the [Peer] section of the peer config:

# FIXME: Do we want this value (picked from https://wiki.debian.org/WireGuard),
# something else, or do we want to use whatever the default is?
DEFAULT_WG_PERSISTENT_KEEP_ALIVE = 20
…
        lines.append(f'PersistentKeepAlive = {DEFAULT_WG_PERSISTENT_KEEP_ALIVE}')

but this issue is not only about this specific option.

The wg manpage mentions this about PersistentKeepalive:

PersistentKeepalive — a seconds interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently. For example, if the interface very rarely sends traffic, but it might at anytime receive traffic from a peer, and it is behind NAT, the interface might benefit from having a persistent keepalive interval of 25 seconds. If set to 0 or "off", this option is disabled. By default or when unspecified, this option is off. Most users will not need this. Optional.

It might make sense to have 20 or 25 everywhere (including on the WireGuard “server”) to be on the safe side.

Still for the [Peer] section, we have the PresharedKey option:

PresharedKey — a base64 preshared key generated by wg genpsk. Optional, and may be omitted. This option adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.

I'll leave it up to someone like @U039b to draw the line regarding post-quantum resistance, esp. for traffic traveling through the public intarwebz…

Finally, for the [Interface] section, documented in the wg-quick manpage:

MTU — if not specified, the MTU is automatically determined from the endpoint addresses or the system default route, which is usually a sane choice. However, to manually specify an MTU to override this automatic discovery, this value may be specified explicitly.

I've heard from people having forced MTU=1280 and being very happy with it, maybe we'll want to do something similar?
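To make the three options concrete, here is an added example (not pirogue-admin's code, and not a continuation of the snippet above) that renders [Interface] and [Peer] sections while applying the wg(8) rules quoted in this comment: PersistentKeepalive is omitted when off and must otherwise be 1..65535, PresharedKey is optional and must decode to 32 bytes, and MTU is only written when explicitly requested so wg-quick keeps its automatic detection. `gen_psk` reproduces the output format of `wg genpsk` (32 bytes from the OS CSPRNG, base64-encoded) rather than shelling out to the tool. All function names are this example's own, and the key material in the `__main__` block is constructed for illustration; the "public key" there is random bytes, not a key derived from the private key.

```python
"""Render WireGuard config sections with PersistentKeepalive, PresharedKey and MTU handling.

Added example; assumptions: the helper names are this example's own, and gen_psk()
mirrors the format of `wg genpsk` (32 random bytes, base64) without calling wg(8).
"""
import base64
import secrets
from typing import Optional, Sequence

WG_KEY_LEN = 32  # private, public and preshared keys are all 32 bytes (44 chars in base64)


def gen_psk() -> str:
    """Fresh preshared key in `wg genpsk` format: 32 CSPRNG bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(WG_KEY_LEN)).decode("ascii")


def check_key(key: str) -> str:
    """Reject anything that is not a base64-encoded 32-byte key (typo/truncation guard)."""
    raw = base64.b64decode(key, validate=True)
    if len(raw) != WG_KEY_LEN:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected {WG_KEY_LEN}")
    return key


def normalize_keepalive(value) -> Optional[int]:
    """wg(8) rules: None, 0 or 'off' disables (line omitted); otherwise 1..65535 inclusive."""
    if value is None or value == "off" or value == 0:
        return None
    seconds = int(value)
    if not 1 <= seconds <= 65535:
        raise ValueError(f"PersistentKeepalive must be 1..65535 or off, got {value!r}")
    return seconds


def render_interface(private_key: str, address: str,
                     listen_port: Optional[int] = None, mtu: Optional[int] = None) -> str:
    """[Interface] section; MTU is written only when the caller forces one."""
    lines = ["[Interface]", f"PrivateKey = {check_key(private_key)}", f"Address = {address}"]
    if listen_port is not None:
        lines.append(f"ListenPort = {listen_port}")
    if mtu is not None:
        if mtu <= 0:
            raise ValueError(f"MTU must be positive, got {mtu}")
        lines.append(f"MTU = {mtu}")
    return "\n".join(lines)


def render_peer(public_key: str, allowed_ips: Sequence[str], endpoint: Optional[str] = None,
                keepalive=None, preshared_key: Optional[str] = None) -> str:
    """[Peer] section; PresharedKey and PersistentKeepalive are optional per wg(8)."""
    lines = ["[Peer]", f"PublicKey = {check_key(public_key)}",
             f"AllowedIPs = {', '.join(allowed_ips)}"]
    if endpoint:
        lines.append(f"Endpoint = {endpoint}")
    if preshared_key is not None:
        lines.append(f"PresharedKey = {check_key(preshared_key)}")
    seconds = normalize_keepalive(keepalive)
    if seconds is not None:
        lines.append(f"PersistentKeepalive = {seconds}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed demo keys: random bytes in key format, not a real X25519 pair.
    client_priv, server_pub, psk = gen_psk(), gen_psk(), gen_psk()
    print(render_interface(client_priv, "10.8.0.2/24"))  # no MTU line: wg-quick auto-detects
    print()
    # Client behind NAT: keepalive on, PSK shared with the server's matching [Peer] entry.
    print(render_peer(server_pub, ["0.0.0.0/0"], endpoint="vpn.example.org:51820",
                      keepalive=25, preshared_key=psk))
```

The same PSK string must appear in both ends' [Peer] entries for the handshake to succeed; the server side is rendered with the client's public key and `keepalive="off"`, which drops the line entirely instead of writing `PersistentKeepalive = 0`.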

U039b commented 2 months ago

How much does it cost to generate the PSK? I suggest we do not set the MTU and leave it "automagic".

CyrilBrulebois commented 2 months ago

ACK on the MTU.

I'll investigate the PSK thing (cost) a little later, once I've tackled a few other issues.

CyrilBrulebois commented 1 month ago

I think I'll consider this out of scope for my initial work on ViRogue, and focus on the remaining few topics mentioned today.