r-pufky / wireguard-initramfs

Use dropbear over wireguard.
The Unlicense

add psk #10

Closed a1ad closed 8 months ago

a1ad commented 9 months ago

Is it possible to add the PSK to the config?

r-pufky commented 8 months ago

Heya, thanks for asking.

The init image basically handles the autogeneration of the WG configs using the pre-defined settings, so adding that in shouldn't be an issue.

I am currently traveling however and won't be able to look into this right away. If you have a solution for it already, please submit a pull request against this bug.

Otherwise, I'll take a look when I get access to a computer. Is it just PSK support? Anything else you specifically need?

r-pufky commented 8 months ago

I cut a pull request adding initial PSK support -- note this hasn't been tested.

If you want you can patch this and see if it works for you. I'll actually test it when I am back and have my systems to test against.

a1ad commented 8 months ago

that was quick. I am going to test it when I have some spare time.

r-pufky commented 8 months ago

Any updates on whether it worked for you? I will be able to start testing it tonight. I suspect there's an edge case where a user who's never used PSKs might fail to get the adapter set up on boot.

r-pufky commented 8 months ago

I tested on my setups and it looks like the change is good. I've committed it to head, but won't cut a release until you can independently confirm the PSK is working. There should be no build errors with existing configurations, blank, or new PSK configs aside from user error.

Be sure to reinstall wireguard-initramfs (make install) before attempting to configure as init scripts and hooks have changed.

a1ad commented 8 months ago

Tested on a new vm:

cat /etc/wireguard-initramfs/pre_shared_key
9e812pAjr3d1OXxHTWN/inGGGXH6U5HVO+7luyBxDr0=

and added this in config: PRE_SHARED_KEY=/etc/wireguard-initramfs/pre_shared_key

But when I run update-initramfs -u I get the following error:

 update-initramfs -u && update-grub
update-initramfs: Generating /boot/initrd.img-6.1.0-12-amd64
/etc/initramfs-tools/hooks/wireguard: 47: │: not found
cp: target '│': No such file or directory

I added 2 echos in the hook script like this:

echo ${PRE_SHARED_KEY}
echo ${DESTDIR} "/etc/wireguard/pre_shared_key"
if [ ! -z ${PRE_SHARED_KEY} ]; then                                                      │
  cp -p "${PRE_SHARED_KEY}" "${DESTDIR}/etc/wireguard/pre_shared_key"                    │
fi

And the echo output seems good:

 update-initramfs -u
update-initramfs: Generating /boot/initrd.img-6.1.0-12-amd64
/etc/wireguard-initramfs/pre_shared_key
/var/tmp/mkinitramfs_wYEpFg /etc/wireguard/pre_shared_key
/etc/initramfs-tools/hooks/wireguard: 50: │: not found
cp: target '│': No such file or directory

Any ideas?

r-pufky commented 8 months ago

There's pipes at the eol.


r-pufky commented 8 months ago

That issue should be fixed now; somehow when updating the change before submitting pipes were added at the eol. Very strange.

a1ad commented 8 months ago

Totally missed that. Now I get (at preboot):

[image] https://user-images.githubusercontent.com/29516835/276264903-8bc241d4-b840-48e6-afcd-16fd70de165b.png

r-pufky commented 8 months ago

please share your config / setup so I can reproduce, thanks!


a1ad commented 8 months ago

cat /etc/wireguard-initramfs/pre_shared_key
cd3imOOievtYaOdpVMrDWq7tFJHcwdfl8Z92RqDa2HI=

cat /etc/wireguard-initramfs/private_key 
MSfOTeyYI8wKrCSECbTToWh3ZfPOmX7CnCUtiaOSjyk=

cat /etc/wireguard-initramfs/config
# Wireguard initramfs configuration.
#
# NOTE: As most systems do not encrypt /boot, private key material is exposed
#       and compromised/untrusted. Boot wireguard network should be
#       **different** & untrusted; versus the network used after booting.
#       Always restrict ports and access on the wireguard server.
#
# Be sure to test wireguard config with a running system before setting
# options. See: https://manpages.debian.org/unstable/wireguard-tools/wg.8.en.html
#
# Restricting dropbear connections to **only** wireguard:
# * Confirm wireguard/dropbear work without restriction first.
# * Set dropbear listen address to only wireguard client interface address.
#
#   /etc/dropbear-initramfs/config
#     DROPBEAR_OPTIONS='... -p 172.31.255.10:22 ...'
#

# Wireguard interface name.
INTERFACE=vps_vpn

# CIDR wireguard interface address.
INTERFACE_ADDR=10.11.12.13/24

# Peer public key (server's public key).
PEER_PUBLIC_KEY=1hXM3f6ZaYM16BmbrD0qjRBx5wnKjpdPSbf7nHjcvJM=

# IP:PORT of the peer (server); any reachable IP/DNS.
PEER_ENDPOINT=100.110.120.130:123

# Client Private key. Specify location of file containing only the private key.
CLIENT_PRIVATE_KEYFILE=/etc/wireguard-initramfs/private_key

PRE_SHARED_KEY=/etc/wireguard-initramfs/pre_shared_key

# Persistent Keepalive. Required to ensure connection for non-exposed ports.
PERSISTENT_KEEPALIVES=25

# Allowed IP's (CIDR) on wireguard; for boot this should be the peer (server).
ALLOWED_IPS=0.0.0.0/0

I replaced the keys and such with dummy data ofc.

Distributor ID: Debian
Description:    Debian GNU/Linux 12 (bookworm)
Release:    12
Codename:   bookworm

Linux DBS 6.1.0-12-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.52-1 (2023-09-07) x86_64 GNU/Linux

r-pufky commented 8 months ago

Thank you, I'll spin up a few VM's tonight with this config and see what I find; appreciate the quick response!

r-pufky commented 8 months ago

I was able to reproduce this in my environment. Thank you for the details. Looking into it today.

r-pufky commented 8 months ago

This looks to be an actual bug in the wg tool provided by wireguard-tools; the error happens because the option does not exist in the device container. I suspect using it with wg-quick applies the preshared-key in some other fashion?

Either way, 'preshared-key' is a valid option that is not supported in the wg tool. I'm going to work it a little more but this may be a wg patch.

https://git.zx2c4.com/wireguard-tools/tree/src/containers.h#n84

a1ad commented 8 months ago

I only used conf files like this one:

[Interface]
PrivateKey = OHipr3HLfhnd3Q9cYnA=
Address = 10.12.1.1/24
DNS = 10.1.1.2

[Peer]
PublicKey = mEkq3q9Nr0IYnA=
PresharedKey = EzofxvCzTMEhDDcaU=
AllowedIPs = 10.10.10.10/32
Endpoint = 1.1.1.1:443

wg0.conf

wg-quick up wg0

r-pufky commented 8 months ago

Yeap, so that's the actual issue. The wg set tool (which is used here to setup the connection) uses wgdevice for the setup, whereas wgpeer actually contains the preshared-key information. This is at the wireguard tool level, and not within this tool itself. So it looks like an actual bug; or an option that should be removed from the wg set command as supported. This will have to be a discussion with the wireguard developer, I think.

https://git.zx2c4.com/wireguard-tools/tree/src/containers.h#n49

https://git.zx2c4.com/wireguard-tools/tree/src/set.c

The configuration file and tool you are using is a separate tool. I'm digging through wireguard source right now to figure out what they do for preshared-key implementation outside of wg

r-pufky commented 8 months ago

@a1ad I just pushed a fix to head. The preshared-key argument for wg set is positional. This fixed the boot issue for my reproduction case. Can you confirm?

546123ae4c8cffcb8b7f5cefc1e5c57113221ffe
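To illustrate the fix described in the comment above, here is an added example (not the project's hook script or any code from the thread): a POSIX sh helper that places preshared-key after `peer <public key>` in the `wg set` argument list, emits nothing for it when no PSK is configured (the no-PSK edge case raised earlier), and validates a key file before it is copied into the initramfs. The function names wg_key_file_ok and build_wg_set_args are assumptions; the key used in the demo is the dummy PSK posted in the thread.

```shell
#!/bin/sh
# Added example, not the wireguard-initramfs hook code. Assumed helper names:
# wg_key_file_ok and build_wg_set_args.

# A WireGuard key (private, public or preshared) is 32 bytes, i.e. a single
# 44-character base64 line ending in '='. Checking the file at build time means
# a bad key fails in update-initramfs, not silently at preboot.
wg_key_file_ok() {
  [ -f "$1" ] || return 1
  [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] || return 1
  grep -Eqx '[A-Za-z0-9+/]{43}=' "$1"
}

# Print the argument list for `wg set`, one argument per line. Options before
# `peer` are device-level; preshared-key (like endpoint and allowed-ips) is a
# peer option and is only valid after `peer <public key>`. An empty $7 means
# the user configured no PSK, so no preshared-key argument is emitted.
build_wg_set_args() {
  iface=$1
  privkey=$2
  peer_pub=$3
  endpoint=$4
  allowed=$5
  keepalive=$6
  psk=$7
  printf '%s\n' "$iface" private-key "$privkey"
  printf '%s\n' peer "$peer_pub" endpoint "$endpoint" allowed-ips "$allowed" \
    persistent-keepalive "$keepalive"
  if [ -n "$psk" ]; then
    printf '%s\n' preshared-key "$psk"
  fi
}

# Demo: the dummy PSK from the thread written to a temp file, validated, then
# the argument list that would be handed to `wg set` (e.g. via xargs wg set).
tmp=$(mktemp)
printf '%s\n' '9e812pAjr3d1OXxHTWN/inGGGXH6U5HVO+7luyBxDr0=' > "$tmp"
wg_key_file_ok "$tmp" && echo "psk file ok: $tmp"
build_wg_set_args vps_vpn /etc/wireguard-initramfs/private_key \
  PEER_PUBLIC_KEY_PLACEHOLDER 100.110.120.130:123 0.0.0.0/0 25 "$tmp"
rm -f "$tmp"
```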

a1ad commented 8 months ago

Confirmed!

r-pufky commented 8 months ago

Thank you. Cutting a new release now.