Compare commits


18 commits

Author SHA1 Message Date
Iurii Egorov
c0b400c6df Update wg-json to support AmneziaWG parameters 2024-10-01 16:02:42 +03:00
Iurii Egorov
f69cd16056 Auth notifications for unknown peers 2024-09-15 21:29:49 +03:00
Iurii Egorov
dafa38e4b0 Support for legacy clients 2024-09-03 14:48:33 +03:00
pokamest
e42813caac
Merge pull request #12 from RomikB/pipe_rebranding
unsafe rebranding: change pipe name for windows
2024-05-06 09:53:51 -07:00
RomikB
776a1b5e19 unsafe rebranding: change pipe name for windows 2024-05-05 10:31:44 +02:00
pokamest
d33c4b6936
Merge pull request #11 from amnezia-vpn/fix/android
Fix android.c
2024-03-16 13:45:39 +00:00
albexk
2fdea58d2b Fix android.c 2024-03-16 14:33:02 +03:00
tiaga
6eb1abfa4f
Merge pull request #10 from amnezia-vpn/update_actions
Improve pipeline
2024-02-13 20:18:12 +07:00
tiaga
eb9ef8a1fd Improve pipeline
- rename `wg.exe` to `awg.exe`
- set release name automatically
2024-02-13 20:16:15 +07:00
tiaga
da1e7bcea3
Merge pull request #9 from amnezia-vpn/update_linux_build
Update linux-build.yml
2024-02-13 07:07:51 +07:00
AlexanderGalkov
ff229c0c82
Update linux-build.yml
Signed-off-by: AlexanderGalkov <143902290+AlexanderGalkov@users.noreply.github.com>
2024-02-12 22:46:26 +07:00
pokamest
af245c000e
Merge pull request #8 from amnezia-vpn/fix/android
Fix missing brackets and package name
2024-02-11 09:08:09 -08:00
albexk
7b234cf29b Fix missing brackets and package name 2024-02-11 19:20:52 +03:00
tiaga
c1148485e0
Merge pull request #7 from AlexanderGalkov/test
Update linux-build.yml
2024-02-04 01:42:40 +07:00
AlexanderGalkov
5e05aab557
Update linux-build.yml
Signed-off-by: AlexanderGalkov <143902290+AlexanderGalkov@users.noreply.github.com>
2024-02-03 18:29:28 +07:00
Iurii Egorov
72776bc507
UAPI changes for Amnezia kernel module (#4)
* UAPI changes for Amnezia kernel module

* Fix indents

* Fix indents

* Fix indents

* Change protocol type

* Change protocol type

* Change protocol type

* Change protocol type

* Revert "Change protocol type"

* K

* Fix wg-quick

* Prepare packaging

* Prepare packaging

* Prepare packaging

* Prepare packaging

* naming convention fix

* Bash completions

* Naming unify

* Naming unify

* SPEC file for RPM build

* SPEC file for RPM build

* SPEC file for RPM build

* SPEC file for RPM build

---------

Co-authored-by: Mark Puha <marko10@inf.elte.hu>
2024-02-02 16:44:20 +03:00
tiaga
3ff2272d00
Merge pull request #6 from amnezia-vpn/linux-build
Improve builds
2024-02-02 18:20:05 +07:00
tiaga
422b69f410 Improve builds
- simplify pipeline for Windows and add the `retry` parameter for cURL in case of issues with downloading dependencies
- add a pipeline to make Linux builds for Ubuntu and Alpine
2024-02-02 18:14:41 +07:00
54 changed files with 2597 additions and 184 deletions

85
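--- a/.github/workflows/linux-build.yml
+++ b/.github/workflows/linux-build.yml
@@ -0,0 +1,85 @@
+name: Linux
+on: [push]
+jobs:
+Build-for-Ubuntu:
+name: Build for Ubuntu
+runs-on: ubuntu-latest
+container:
+image: ubuntu:22.04
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+- name: Build AmneziaWG tools
+run: |
+apt -y update &&
+apt -y install build-essential &&
+cd src &&
+make &&
+mkdir build &&
+cp wg ./build/awg &&
+cp wg-quick/linux.bash ./build/awg-quick
+- name: Upload artifact
+uses: actions/upload-artifact@v4
+with:
+name: ubuntu-22.04-amneziawg-tools
+path: ./src/build
+Build-for-Alpine:
+name: Build for Alpine
+runs-on: ubuntu-latest
+container:
+image: alpine:3.19
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+- name: Build AmneziaWG tools
+run: |
+apk add linux-headers build-base &&
+cd src &&
+make &&
+mkdir build &&
+cp wg ./build/awg &&
+cp wg-quick/linux.bash ./build/awg-quick
+- name: Upload artifact
+uses: actions/upload-artifact@v4
+with:
+name: alpine-3.19-amneziawg-tools
+path: ./src/build
+GitHub-Release:
+name: GitHub Release
+needs: [Build-for-Ubuntu, Build-for-Alpine]
+strategy:
+matrix:
+include:
+- os: "ubuntu"
+release: "22.04"
+- os: "alpine"
+release: "3.19"
+runs-on: ubuntu-latest
+if: startsWith(github.ref, 'refs/tags/')
+steps:
+- name: Download artifacts
+uses: actions/download-artifact@v4
+- name: Calculate checksums
+run: for file in $(find ./${{ matrix.os }}-${{ matrix.release }}-amneziawg-tools/ -type f); do openssl dgst -sha256 -r "$file" | awk '{print $1}' > "${file}.sha256"; done
+- name: Zip files
+run: zip -r ${{ matrix.os }}-${{ matrix.release }}-amneziawg-tools.zip ${{ matrix.os }}-${{ matrix.release }}-amneziawg-tools
+- name: Upload binaries to Release
+uses: svenstaro/upload-release-action@v2
+with:
+repo_token: ${{ secrets.GITHUB_TOKEN }}
+file: ./${{ matrix.os }}-${{ matrix.release }}-amneziawg-tools.zip
+tag: ${{ github.ref }}
+release_name: ${{ github.ref_name }}
+overwrite: true
+file_glob: true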
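Review bot: The release job hands `secrets.GITHUB_TOKEN` to `svenstaro/upload-release-action@v2`, a third-party action referenced by a movable tag, and the workflow declares no `permissions:` block, so the token's scope is whatever the repository default grants. Pinning the action to a full commit SHA (`uses: svenstaro/upload-release-action@<full-commit-sha>`) and granting `permissions: contents: write` on the `GitHub-Release` job only would narrow both. The same pattern appears in the Windows workflow section that follows, which also references `hendrikmuhs/ccache-action@v1.2` by tag. Separately, the `.sha256` files are produced in the same job and shipped inside the same zip as the binaries, so they detect corruption but are not an independent authenticity check.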


@ -1,69 +1,57 @@
name: windows-wg
name: Windows
on: [push]
jobs:
Build-Libs-WireGuard-Windows:
name: 'Build-Libs-WireGuard-Windows'
Build-for-Windows:
name: Build for Windows
runs-on: windows-latest
steps:
- name: 'Setup ccache'
- name: Setup ccache
uses: hendrikmuhs/ccache-action@v1.2
- name: 'Get sources'
uses: actions/checkout@v3
- name: 'Get Wireguard-Tools'
uses: actions/checkout@v3
with:
repository: amnezia-vpn/amnezia-wg-tools
ref: master
path: windows/wireguard-tools-windows
- name: Checkout
uses: actions/checkout@v4
- name: 'Build WireGuard Tools binary'
working-directory: windows/wireguard-tools-windows
- name: Build AmneziaWG tools
run: |
cmd /c build.cmd
mkdir build
move x64 build\x64
move x86 build\x86
move arm64 build\arm64
- name: Archive WG Windows
uses: actions/upload-artifact@v3
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
retention-days: 1
name: windows-wireguard-tools
path: windows/wireguard-tools-windows/build
github-release:
name: windows-amneziawg-tools
path: build
GitHub-Release:
name: GitHub Release
needs: Build-Libs-WireGuard-Windows
needs: Build-for-Windows
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Setup | Checkout
uses: actions/checkout@v2
- name: Checkout
uses: actions/checkout@v4
- name: Setup | Artifacts
uses: actions/download-artifact@v2
- name: Download artifacts
uses: actions/download-artifact@v4
- name: Setup | Checksums
- name: Calculate checksums
run: for file in $(find ./ -name '*.exe' ); do openssl dgst -sha256 -r "$file" | awk '{print $1}' > "${file}.sha256"; done
- name: Zip ALL
- name: Zip files
run: for file in *; do zip -r ${file%.*}.zip $file; done
- name: Upload binaries to release
- name: Upload binaries to Release
uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: windows-wireguard-tools.zip
file: windows-amneziawg-tools.zip
tag: ${{ github.ref }}
release_name: ${{ github.ref_name }}
overwrite: true
file_glob: true
file_glob: true


@ -2,8 +2,8 @@
This supplies the main userspace tooling for using and configuring WireGuard
tunnels, including the
[`wg(8)`](https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8) and
[`wg-quick(8)`](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8)
[`awg(8)`](https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8) and
[`awg-quick(8)`](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8)
utilities. This project supports Linux, OpenBSD, FreeBSD, macOS, Windows, and
Android.

374
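--- a/amneziawg-tools.spec
+++ b/amneziawg-tools.spec
@@ -0,0 +1,374 @@
+Name: amneziawg-tools
+Version: 1.0.20240201
+Release: 1%{?dist}
+URL: https://www.wireguard.com/
+Summary: Fast, modern, secure VPN tunnel
+License: GPLv2
+Source0: https://github.com/amnezia-vpn/amneziawg-tools/archive/refs/tags/v%{version}.tar.gz
+%{?systemd_requires}
+BuildRequires: make
+BuildRequires: systemd
+BuildRequires: gcc
+%description
+WireGuard is a novel VPN that runs inside the Linux Kernel and uses
+state-of-the-art cryptography (the "Noise" protocol). It aims to be
+faster, simpler, leaner, and more useful than IPSec, while avoiding
+the massive headache. It intends to be considerably more performant
+than OpenVPN. WireGuard is designed as a general purpose VPN for
+running on embedded interfaces and super computers alike, fit for
+many different circumstances. It runs over UDP.
+This package provides the wg binary for controlling WireGuard.
+%prep
+%autosetup -p1
+%build
+%set_build_flags
+## Start DNS Hatchet
+%if (0%{?fedora} && 0%{?fedora} < 33) || (0%{?rhel} && 0%{?rhel} < 9)
+pushd contrib/dns-hatchet
+./apply.sh
+popd
+%endif
+## End DNS Hatchet
+%make_build RUNSTATEDIR=%{_rundir} -C src
+%install
+%make_install BINDIR=%{_bindir} MANDIR=%{_mandir} RUNSTATEDIR=%{_rundir} \
+WITH_BASHCOMPLETION=yes WITH_WGQUICK=yes WITH_SYSTEMDUNITS=yes -C src
+%files
+%doc README.md contrib
+%license COPYING
+%{_bindir}/awg
+%{_bindir}/awg-quick
+%{_sysconfdir}/amnezia/amneziawg/
+%{_datadir}/bash-completion/completions/awg
+%{_datadir}/bash-completion/completions/awg-quick
+%{_unitdir}/awg-quick@.service
+%{_unitdir}/awg-quick.target
+%{_mandir}/man8/awg.8*
+%{_mandir}/man8/awg-quick.8*
+%changelog
+* Thu Feb 1 2024 Yuri Egorov <ye@amnezia.org> - 1.0.20240201-1
+- Update to 1.0.20240201
+* Tue Sep 21 2021 Joe Doss <joe@solidadmin.com> - 1.0.20210914-1
+- contrib/launchd: fix xml syntax error
+- wg-quick: darwin: account for "link#XX" gateways
+- ipc: add wireguard-nt support
+- ipc: cache windows lookups to avoid O(n^2) with nested lookups
+- ipc: remove windows elevation
+- ipc: windows: don't display disabled adapters
+- ipc: windows: use devpkey instead of nci for name
+- wg-quick: android: adjust for android 12
+- wg-quick: openbsd: set DNS with resolvd(8)
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.20210424-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+* Fri Apr 30 2021 Joe Doss <joe@solidadmin.com> - 1.0.20210424-1
+- wg-quick: freebsd: check for socket using -S, not -f
+- wg-quick: freebsd: do not assume point-to-point interface flag
+- wg-quick: freebsd: use ifconfig for determining if interface is up
+- wg-quick: kill route monitor when loop terminates
+* Mon Mar 15 2021 Joe Doss <joe@solidadmin.com> - 1.0.20210315-1
+- Makefile: fix version indicator
+- wireguard-tools: const correctness
+- wireguard-tools: drag in headers for prototypes
+- ipc: uniformly ignore preshared keys that are zero
+- wg-quick: freebsd: add kernel support
+- ipc: freebsd: add initial FreeBSD support
+- wg-quick: freebsd: avoid writing private keys to /tmp
+* Tue Feb 23 2021 Joe Doss <joe@solidadmin.com> - 1.0.20210223-1
+- wg-quick: android: do not free iterated pointer
+- wg-quick: openbsd: no use for userspace support
+- embeddable-wg-library: sync latest from netlink.h
+- wincompat: recent mingw has inet_ntop/inet_pton
+- wincompat: add resource and manifest and enable lto
+- wincompat: do not elevate by default
+- completion: add help and syncconf completions
+- sticky-sockets: do not use SO_REUSEADDR
+- man: LOG_LEVEL variables changed name
+- ipc: do not use fscanf with trailing \n
+- ipc: read trailing responses after set operation
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.20200827-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+* Fri Oct 02 2020 Joe Doss <joe@solidadmin.com> - 1.0.20200827-2
+- Disable contrib/dns-hatchet/apply.sh on Fedora 33+ and RHEL9+
+* Sat Aug 29 2020 Joe Doss <joe@solidadmin.com> - 1.0.20200827-1
+- Update to 1.0.20200827
+- wg-quick: android: use iproute2 to bring up interface instead of ndc
+- wg-quick: Revert wait on process substitutions
+* Thu Aug 20 2020 Joe Doss <joe@solidadmin.com> - 1.0.20200820-1
+- Update to 1.0.20200820
+- ipc: split into separate files per-platform
+- wincompat: fold random into genkey
+- systemd: add reload target to systemd unit
+- man: wg-quick: use syncconf instead of addconf for strip example
+- pubkey: isblank is a subset of isspace
+- ctype: use non-locale-specific ctype.h
+- wg-quick: wait on process substitutions
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.20200513-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+* Wed May 13 2020 Joe Doss <joe@solidadmin.com> - 1.0.20200513-1
+- Update to 1.0.20200513
+- Makefile: remember to install all systemd units
+- ipc: openbsd: switch to array ioctl interface
+* Mon May 11 2020 Joe Doss <joe@solidadmin.com> - 1.0.20200510-1
+- Update to 1.0.20200510
+- ipc: add support for openbsd kernel implementation
+- ipc: cleanup openbsd support
+- wg-quick: add support for openbsd kernel implementation
+- wg-quick: cleanup openbsd support
+- wg-quick: support dns search domains
+- Makefile: simplify silent cleaning
+- ipc: remove extra space
+- git: add gitattributes so tarball doesn't have gitignore files
+- terminal: specialize color_mode to stdout only
+- wg-quick: android: support application whitelist
+- systemd: add wg-quick.target
+* Wed Apr 15 2020 Leigh Scott <leigh123linux@gmail.com> - 1.0.20200319-2
+- Add missing config directory
+- Remove default buildroot BuildRequires
+- Simplify doc install
+- Remove commented lines
+- Use correct macro for bash-completion
+* Fri Mar 20 2020 Joe Doss <joe@solidadmin.com> - 1.0.20200319-1
+- Update to 1.0.20200319
+* Thu Feb 6 2020 Joe Doss <joe@solidadmin.com> - 1.0.20200206-1
+- Update to 1.0.20200206
+- Remove libmnl dependency
+* Tue Jan 21 2020 Joe Doss <joe@solidadmin.com> - 1.0.20200121-1
+- Update to 1.0.20200121
+- Spec changes to pass Fedora RPM review
+* Thu Jan 2 2020 Joe Doss <joe@solidadmin.com> - 1.0.20200102-1
+- Update to 1.0.20200102
+- Remove patch to fix dns-hatchet path
+* Thu Dec 26 2019 Joe Doss <joe@solidadmin.com> - 1.0.20191226-1
+- Update to 1.0.20191226
+- Split wireguard-tools back into it's own spec file
+- Add in patch to fix dns-hatchet path
+* Mon Oct 14 2019 Joe Doss <joe@solidadmin.com> - 0.0.20191012-1
+- Update to 0.0.20191012
+* Mon Sep 16 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190913-1
+- Update to 0.0.20190913
+* Mon Sep 9 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190905-1
+- Update to 0.0.20190905
+* Tue Jul 2 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190702-1
+- Update to 0.0.20190702
+* Sat Jun 1 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190601-1
+- Update to 0.0.20190601
+* Fri May 31 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190531-1
+- Update to 0.0.20190531
+* Sat Apr 6 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190406-1
+- Update to 0.0.20190406
+* Wed Feb 27 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190227-1
+- Update to 0.0.20190227
+* Thu Jan 24 2019 Joe Doss <joe@solidadmin.com> - 0.0.20190123-1
+- Update to 0.0.20190123
+* Wed Dec 19 2018 Joe Doss <joe@solidadmin.com> - 0.0.20181218-1
+- Update to 0.0.20181218
+* Thu Nov 15 2018 Joe Doss <joe@solidadmin.com> - 0.0.20181115-1
+- Update to 0.0.20181115
+* Sun Oct 14 2018 Joe Doss <joe@solidadmin.com> - 0.0.20181018-1
+- Update to 0.0.20181018
+* Sun Oct 14 2018 Joe Doss <joe@solidadmin.com> - 0.0.20181007-2
+- Add make as a build dependency
+* Sun Oct 7 2018 Joe Doss <joe@solidadmin.com> - 0.0.20181007-1
+- Update to 0.0.20181007
+* Tue Sep 25 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180925-1
+- Update to 0.0.20180925
+* Tue Sep 18 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180918-2
+- Add BuildRequires gcc to fix builds on F29 and Rawhide
+* Tue Sep 18 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180918-1
+- Update to 0.0.20180918
+* Mon Sep 10 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180910-1
+- Update to 0.0.20180910
+* Wed Sep 5 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180904-1
+- Update to 0.0.20180904
+* Thu Aug 9 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180809-1
+- Update to 0.0.20180809
+* Sun Aug 5 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180802-1
+- Update to 0.0.20180802
+* Wed Jul 18 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180718-1
+- Update to 0.0.20180718
+* Tue Jul 10 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180708-1
+- Update to 0.0.20180708
+* Fri Jun 29 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180625-1
+- Update to 0.0.20180625
+* Wed Jun 20 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180620-1
+- Update to 0.0.20180620
+* Wed Jun 13 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180613-1
+- Update to 0.0.20180613
+* Wed May 30 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180531-1
+- Update to 0.0.20180531
+* Wed May 23 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180524-1
+- Update to 0.0.20180524
+* Thu May 17 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180519-1
+- Update to 0.0.20180519
+* Sun May 13 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180513-1
+- Update to 0.0.20180513
+- Drop support for RHEL 7.4, moving on instead to RHEL 7.5
+* Fri Apr 20 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180420-1
+- Update to 0.0.20180420
+* Sun Apr 15 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180413-1
+- Update to 0.0.20180413
+* Mon Mar 05 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180304-1
+- Update to 0.0.20180304
+* Mon Feb 19 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180218-1
+- Update to 0.0.20180218
+* Sun Feb 04 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180202-1
+- Update to 0.0.20180202
+* Thu Jan 18 2018 Joe Doss <joe@solidadmin.com> - 0.0.20180118-1
+- Update to 0.0.20180118
+* Thu Dec 21 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171221-1
+- Update to 0.0.20171221
+* Tue Dec 12 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171211-1
+- Update to 0.0.20171211
+* Mon Nov 27 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171127-1
+- Update to 0.0.20171127
+* Thu Nov 23 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171122-1
+- Update to 0.0.20171122
+* Sat Nov 11 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171111-1
+- Update to 0.0.20171111
+* Wed Nov 01 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171101-1
+- Update to 0.0.20171101
+- Add temporary DNS hatchet to wg-quick
+* Thu Oct 26 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171017-1
+- Update to 0.0.20171017
+* Wed Oct 11 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171011-1
+- Update to 0.0.20171011
+* Fri Oct 6 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171005-1
+- Update to 0.0.20171005
+- Update RPM spec URL to www.wireguard.com
+* Mon Oct 2 2017 Joe Doss <joe@solidadmin.com> - 0.0.20171001-1
+- Update to 0.0.20171001
+* Mon Sep 18 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170918-1
+- Update to 0.0.20170918
+- Drop support for RHEL 7.3, moving on instead to RHEL 7.4.
+* Thu Sep 7 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170907-1
+- Update to 0.0.20170907
+* Wed Aug 9 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170810-1
+- Update to 0.0.20170810
+* Mon Jul 31 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170726-1
+- Update to 0.0.20170726
+* Thu Jun 29 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170629-1
+- Update to 0.0.20170629
+* Tue Jun 13 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170613-1
+- Update to 0.0.20170613
+* Mon Jun 12 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170612-1
+- Update to 0.0.20170612
+* Wed May 31 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170531-1
+- Update to 0.0.20170531
+* Wed May 17 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170517-1
+- Update to 0.0.20170517
+* Mon Apr 24 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170421-1
+- Update to 0.0.20170421
+* Mon Apr 10 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170409-1
+- Update to 0.0.20170409
+* Fri Mar 24 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170324-1
+- Update to 0.0.20170324
+* Mon Mar 20 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170320.1-1
+- Update to 0.0.20170320.1
+* Thu Mar 2 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170223-1
+- Update to 0.0.20170223
+* Thu Feb 16 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170214-1
+- Update to 0.0.20170214
+* Thu Jan 5 2017 Joe Doss <joe@solidadmin.com> - 0.0.20170105-1
+- Update to 0.0.20170105
+- Add wg-quick, bash-completion, and systemd service
+* Mon Dec 19 2016 Jason A. Donenfeld <jason@zx2c4.com> - 0.0.20161218-1
+- Spec adjustments
+* Wed Aug 17 2016 Joe Doss <joe@solidadmin.com> - 0.0.20160808-2
+- Spec adjustments
+* Mon Aug 15 2016 Joe Doss <joe@solidadmin.com> - 0.0.20160808-1
+- Initial WireGuard Tools RPM
+- Version 0.0.20160808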
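Review bot: `%files` lists `%{_sysconfdir}/amnezia/amneziawg/` without `%dir` or an explicit mode, so the permissions of the directory that will hold tunnel private keys depend entirely on what `make install` creates, which is not visible on this page. If the Makefile does not already create it as 0700, `%dir %attr(0700, root, root) %{_sysconfdir}/amnezia/amneziawg/` would state the intent in the package itself. The Debian lintian override further down names `etc/amneziawg/` rather than `etc/amnezia/amneziawg/`, so one of the two paths presumably does not match the installed layout and is worth checking. `%description` also still says the package provides the `wg` binary while `%files` installs `awg`.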


@ -29,7 +29,7 @@ if exist .deps/prepared goto :build
:download
echo [+] Downloading %1
curl -#fLo %1 %2 || exit /b 1
curl --retry 3 -#fLo %1 %2 || exit /b 1
echo [+] Verifying %1
for /f %%a in ('CertUtil -hashfile %1 SHA256 ^| findstr /r "^[0-9a-f]*$"') do if not "%%a"=="%~3" exit /b 1
echo [+] Extracting %1
@ -46,7 +46,7 @@ if exist .deps/prepared goto :build
del src\*.exe src\*.o src\wincompat\*.o src\wincompat\*.lib 2> NUL
set LDFLAGS=-s
make --no-print-directory -C src PLATFORM=windows CC=%~2-w64-mingw32-gcc WINDRES=%~2-w64-mingw32-windres V=1 RUNSTATEDIR= SYSTEMDUNITDIR= -j%NUMBER_OF_PROCESSORS% || exit /b 1
move /Y src\wg.exe "%~1\wg.exe" > NUL || exit /b 1
move /Y src\wg.exe "%~1\awg.exe" > NUL || exit /b 1
goto :eof
:error
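Review bot: The verification step that follows the retried download can pass without comparing anything: `for /f` runs its body only for lines that `findstr` lets through, so if `CertUtil` prints nothing, or prints the digest in a form the `^[0-9a-f]*$` filter rejects, the `if not ... exit /b 1` never executes and the script continues to extraction. Recording that a match was seen makes the check fail closed, for example `set "ok="` before the loop, `if "%%a"=="%~3" set "ok=1"` as the loop body, and `if not defined ok exit /b 1` after it. The `:download` routine starts and ends outside the visible hunk, so this is based on the lines shown only.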


@ -26,7 +26,7 @@
/* wireguard.h netlink uapi: */
#define WG_GENL_NAME "wireguard"
#define WG_GENL_NAME "amneziawg"
#define WG_GENL_VERSION 1
enum wg_cmd {
@ -48,12 +48,22 @@ enum wgdevice_attribute {
WGDEVICE_A_LISTEN_PORT,
WGDEVICE_A_FWMARK,
WGDEVICE_A_PEERS,
WGDEVICE_A_JC,
WGDEVICE_A_JMIN,
WGDEVICE_A_JMAX,
WGDEVICE_A_S1,
WGDEVICE_A_S2,
WGDEVICE_A_H1,
WGDEVICE_A_H2,
WGDEVICE_A_H3,
WGDEVICE_A_H4,
__WGDEVICE_A_LAST
};
enum wgpeer_flag {
WGPEER_F_REMOVE_ME = 1U << 0,
WGPEER_F_REPLACE_ALLOWEDIPS = 1U << 1
WGPEER_F_REPLACE_ALLOWEDIPS = 1U << 1,
WGPEER_F_HAS_ADVANCED_SECURITY = 1U << 3
};
enum wgpeer_attribute {
WGPEER_A_UNSPEC,
@ -67,6 +77,7 @@ enum wgpeer_attribute {
WGPEER_A_TX_BYTES,
WGPEER_A_ALLOWEDIPS,
WGPEER_A_PROTOCOL_VERSION,
WGPEER_A_ADVANCED_SECURITY,
__WGPEER_A_LAST
};
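Review bot: `WGPEER_F_HAS_ADVANCED_SECURITY` is assigned `1U << 3`, which leaves bit 2 unassigned in this enum with nothing to say whether the gap is deliberate. A one-line comment next to it, along the lines of `/* 1U << 2 is skipped on purpose: <reason> */`, would stop a later change from reusing the bit by accident. The nine new `WGDEVICE_A_*` attributes and `WGPEER_A_ADVANCED_SECURITY` also carry no note on their netlink payload types, which userspace parsers need in order to size and validate them. All three enums begin outside the hunks shown.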


@ -2,20 +2,30 @@
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
# Copyright (C) 2024 Amnezia VPN. All Rights Reserved.
exec < <(exec wg show all dump)
exec < <(exec awg show all dump)
printf '{'
while read -r -d $'\t' device; do
if [[ $device != "$last_device" ]]; then
[[ -z $last_device ]] && printf '\n' || printf '%s,\n' "$end"
last_device="$device"
read -r private_key public_key listen_port fwmark
read -r private_key public_key listen_port jc jmin jmax s1 s2 h1 h2 h3 h4 fwmark
printf '\t"%s": {' "$device"
delim=$'\n'
[[ $private_key == "(none)" ]] || { printf '%s\t\t"privateKey": "%s"' "$delim" "$private_key"; delim=$',\n'; }
[[ $public_key == "(none)" ]] || { printf '%s\t\t"publicKey": "%s"' "$delim" "$public_key"; delim=$',\n'; }
[[ $listen_port == "0" ]] || { printf '%s\t\t"listenPort": %u' "$delim" $(( $listen_port )); delim=$',\n'; }
[[ $jc == "0" ]] || { printf '%s\t\t"jc": %u' "$delim" $(( $jc )); delim=$',\n'; }
[[ $jmin == "0" ]] || { printf '%s\t\t"jmin": %u' "$delim" $(( $jmin )); delim=$',\n'; }
[[ $jmax == "0" ]] || { printf '%s\t\t"jmax": %u' "$delim" $(( $jmax )); delim=$',\n'; }
[[ $s1 == "0" ]] || { printf '%s\t\t"s1": %u' "$delim" $(( $s1 )); delim=$',\n'; }
[[ $s2 == "0" ]] || { printf '%s\t\t"s2": %u' "$delim" $(( $s2 )); delim=$',\n'; }
[[ $h1 == "1" ]] || { printf '%s\t\t"h1": %u' "$delim" $(( $h1 )); delim=$',\n'; }
[[ $h2 == "2" ]] || { printf '%s\t\t"h2": %u' "$delim" $(( $h2 )); delim=$',\n'; }
[[ $h3 == "3" ]] || { printf '%s\t\t"h3": %u' "$delim" $(( $h3 )); delim=$',\n'; }
[[ $h4 == "4" ]] || { printf '%s\t\t"h4": %u' "$delim" $(( $h4 )); delim=$',\n'; }
[[ $fwmark == "off" ]] || { printf '%s\t\t"fwmark": %u' "$delim" $(( $fwmark )); delim=$',\n'; }
printf '%s\t\t"peers": {' "$delim"; end=$'\n\t\t}\n\t}'
delim=$'\n'
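Review bot: Each of the nine new dump fields is expanded inside `$(( ))`, which makes bash evaluate the text as an arithmetic expression rather than only parse a number; the values come from `awg show all dump`, so exposure is low, but `printf '%u'` already reports non-numeric input as an error and the quoted variable can be passed directly, e.g. `printf '%s\t\t"jc": %u' "$delim" "$jc"`. The `read` on the device line also assumes the dump always carries these nine columns between `listen_port` and `fwmark`; against a tool that emits the shorter upstream layout the fields would shift silently, so a comment stating the expected column order would help. The `h1`–`h4` tests against `"1"`–`"4"` deserve a comment saying these are the default values being suppressed, if that is the intent. The `while` loop continues past the end of this hunk.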


@ -0,0 +1,24 @@
=== Dynamic peers authentication example ===
This example shows how to utilize netlink's multicast notifications
in AmneziaWG kernel module to provide dynamic peer authentication.
To compile it, you must install some pre-requisites:
```shell
apt-get install build-essential pkg-config libnl-3-dev libnl-genl-3-dev
```
After that, build example with the following command:
```shell
gcc notification-listener.c $(pkg-config --cflags --libs libnl-3.0 libnl-genl-3.0) -o notification-listener
```
Bring up AWG interface with `awg-quick` as usually, edit `accounts.csv` file accordingly to your needs and then run:
```shell
sudo ./notification-listener ./approve.sh ./accounts.csv
```
### **PLEASE NOTE: THIS EXAMPLE AS WELL AS OVERALL DYNAMIC AUTHENTICATION MECHANISM AND LEGACY CLIENTS' SUPPORT IN AMNEZIAWG IS SPONSORED BY [WINDSCRIBE LIMITED](https://windscribe.com)**


@ -0,0 +1,2 @@
Public Key,Allowed Ips,PSK
/Ca5004uiLJVBqSPaBUKg5zBszO9qbzEUCWmVkelkjY=,"10.8.1.10/32",E37VXqGtGvwftop/uFsbZcIO76Ox1kMmB6Sz/JoIw2I=
1 Public Key Allowed Ips PSK
2 /Ca5004uiLJVBqSPaBUKg5zBszO9qbzEUCWmVkelkjY= 10.8.1.10/32 E37VXqGtGvwftop/uFsbZcIO76Ox1kMmB6Sz/JoIw2I=


@ -0,0 +1,26 @@
#!/usr/bin/env bash
ACCOUNTS_FILE=$1
INTERFACE_NAME=$2
PUBLIC_KEY=$3
ENDPOINT=$4
ADVANCED_SECURITY=$5
ACCOUNT_STR=`grep "${PUBLIC_KEY}" "${ACCOUNTS_FILE}"`
if [ "${ACCOUNT_STR}" == "" ]; then
echo "Public key not found in accounts file!"
exit 255
fi
ACCOUNT=(${ACCOUNT_STR//,/ })
ALLOWED_IPS=$(echo ${ACCOUNT[1]}|tr -d '"')
PSK=$(echo ${ACCOUNT[2]}|tr -d '"')
PSK_FILE=$(tempfile)
echo "${PSK}" > "${PSK_FILE}"
awg set "${INTERFACE_NAME}" peer "${PUBLIC_KEY}" allowed-ips "${ALLOWED_IPS}" endpoint "${ENDPOINT}" allowed-ips "${ALLOWED_IPS}" preshared-key "${PSK_FILE}" advanced-security "${ADVANCED_SECURITY}"
EXIT_CODE=$?
rm -f "{$PSK_FILE}"
exit ${EXIT_CODE}
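Review bot: The cleanup line `rm -f "{$PSK_FILE}"` has the brace outside the `$`, so it targets a path wrapped in literal braces and the temporary file holding the preshared key is left on disk after every approval; it should be `rm -f -- "${PSK_FILE}"`, preferably from an `EXIT` trap. The lookup `grep "${PUBLIC_KEY}"` treats the key reported for an unknown peer as a regular expression and matches it anywhere on the line, including the PSK column, so an exact comparison against the first CSV field is safer. `tempfile` is deprecated in favour of `mktemp`, the unquoted `ACCOUNT=(${ACCOUNT_STR//,/ })` is subject to word splitting and globbing, and `allowed-ips` is passed to `awg set` twice. A sketch of the lookup, temp-file handling and call follows.

```bash
# … unchanged: positional arguments ACCOUNTS_FILE … ADVANCED_SECURITY …

# Exact match on the first CSV column only; the key is data, not a pattern.
ACCOUNT_STR=$(awk -F, -v key="${PUBLIC_KEY}" '$1 == key { print; exit }' "${ACCOUNTS_FILE}")
if [[ -z "${ACCOUNT_STR}" ]]; then
    echo "Public key not found in accounts file!" >&2
    exit 255
fi

IFS=, read -r _ ALLOWED_IPS PSK <<<"${ACCOUNT_STR}"
ALLOWED_IPS=${ALLOWED_IPS//\"/}
PSK=${PSK//\"/}

# Owner-only temp file, removed on every exit path.
umask 077
PSK_FILE=$(mktemp) || exit 1
trap 'rm -f -- "${PSK_FILE}"' EXIT
printf '%s\n' "${PSK}" > "${PSK_FILE}"

awg set "${INTERFACE_NAME}" peer "${PUBLIC_KEY}" allowed-ips "${ALLOWED_IPS}" endpoint "${ENDPOINT}" preshared-key "${PSK_FILE}" advanced-security "${ADVANCED_SECURITY}"
```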


@ -0,0 +1,263 @@
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netlink/netlink.h>
#include <netlink/socket.h>
#include <netlink/msg.h>
#include <netlink/attr.h>
#include <netlink/genl/genl.h>
#include <netlink/genl/ctrl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include "../../src/uapi/linux/linux/wireguard.h"
#define prerr(...) fprintf(stderr, "Error: " __VA_ARGS__)
#define WG_KEY_LEN 32
#define WG_KEY_LEN_BASE64 ((((WG_KEY_LEN) + 2) / 3) * 4 + 1)
static struct nl_sock *sk = NULL;
static char **cb_argv;
static int cb_argc;
static int cleanup_and_exit(int ret)
{
if (sk != NULL)
nl_socket_free(sk);
exit(ret);
}
static void signal_handler(int sig)
{
cleanup_and_exit(EXIT_SUCCESS);
}
static inline void encode_base64(char dest[static 4], const uint8_t src[static 3])
{
const uint8_t input[] = { (src[0] >> 2) & 63, ((src[0] << 4) | (src[1] >> 4)) & 63, ((src[1] << 2) | (src[2] >> 6)) & 63, src[2] & 63 };
for (unsigned int i = 0; i < 4; ++i)
dest[i] = input[i] + 'A'
+ (((25 - input[i]) >> 8) & 6)
- (((51 - input[i]) >> 8) & 75)
- (((61 - input[i]) >> 8) & 15)
+ (((62 - input[i]) >> 8) & 3);
}
void key_to_base64(char base64[static WG_KEY_LEN_BASE64], const uint8_t key[static WG_KEY_LEN])
{
unsigned int i;
for (i = 0; i < WG_KEY_LEN / 3; ++i)
encode_base64(&base64[i * 4], &key[i * 3]);
encode_base64(&base64[i * 4], (const uint8_t[]){ key[i * 3 + 0], key[i * 3 + 1], 0 });
base64[WG_KEY_LEN_BASE64 - 2] = '=';
base64[WG_KEY_LEN_BASE64 - 1] = '\0';
}
static char *key(const uint8_t key[static WG_KEY_LEN])
{
static char base64[WG_KEY_LEN_BASE64];
key_to_base64(base64, key);
return base64;
}
static char *endpoint(const struct sockaddr *addr)
{
char host[4096 + 1];
char service[512 + 1];
static char buf[sizeof(host) + sizeof(service) + 4];
int ret;
socklen_t addr_len = 0;
memset(buf, 0, sizeof(buf));
if (addr->sa_family == AF_INET)
addr_len = sizeof(struct sockaddr_in);
else if (addr->sa_family == AF_INET6)
addr_len = sizeof(struct sockaddr_in6);
ret = getnameinfo(addr, addr_len, host, sizeof(host), service, sizeof(service), NI_DGRAM | NI_NUMERICSERV | NI_NUMERICHOST);
if (ret) {
strncpy(buf, gai_strerror(ret), sizeof(buf) - 1);
buf[sizeof(buf) - 1] = '\0';
} else
snprintf(buf, sizeof(buf), (addr->sa_family == AF_INET6 && strchr(host, ':')) ? "[%s]:%s" : "%s:%s", host, service);
return buf;
}
static int get_ifname(struct nlattr *tb[], char **ifname)
{
if (tb[WGDEVICE_A_IFNAME] == NULL)
return -1;
*ifname = nla_data(tb[WGDEVICE_A_IFNAME]);
return 0;
}
static int get_pubkey(struct nlattr *peer[], char **pubkey)
{
if (peer[WGPEER_A_PUBLIC_KEY] == NULL)
return -1;
*pubkey = key(nla_data(peer[WGPEER_A_PUBLIC_KEY]));
return 0;
}
static int get_endpoint(struct nlattr *peer[], char **endpoint_ip)
{
if (peer[WGPEER_A_ENDPOINT] == NULL)
return -1;
*endpoint_ip = endpoint(nla_data(peer[WGPEER_A_ENDPOINT]));
return 0;
}
static int run_callback(char *ifname, char *pubkey, char *endpoint_ip, bool advanced_security)
{
char** new_argv = malloc((cb_argc + 2) * sizeof *new_argv);
new_argv[0] = cb_argv[1];
for (int i = 2; i < cb_argc - 3; i++) {
new_argv[i - 1] = cb_argv[i];
}
new_argv[cb_argc - 4] = ifname;
new_argv[cb_argc - 3] = pubkey;
new_argv[cb_argc - 2] = endpoint_ip;
new_argv[cb_argc - 1] = (advanced_security ? "on\0" : "off\0");
new_argv[cb_argc] = NULL;
int child_pid = fork(), ret;
if (child_pid < 0) {
prerr("failed to spawn child process: %d\n", child_pid);
return child_pid;
} else if (child_pid == 0) {
execv(cb_argv[1], new_argv);
exit(0);
} else {
waitpid(child_pid, &ret, 0);
}
free(new_argv);
return ret;
}
static int netlink_callback(struct nl_msg *msg, void *arg)
{
struct nlmsghdr *ret_hdr = nlmsg_hdr(msg);
struct genlmsghdr *gnlh = nlmsg_data(ret_hdr);
struct nlattr *tb[WGDEVICE_A_MAX + 1];
struct nlattr *peer[WGPEER_A_MAX + 1];
nla_parse(tb, WGDEVICE_A_MAX, genlmsg_attrdata(gnlh, 0), genlmsg_attrlen(gnlh, 0), NULL);
char *ifname, *pubkey, *endpoint_ip;
bool advanced_security = false;
int cb_ret;
switch (gnlh->cmd) {
case WG_CMD_UNKNOWN_PEER:
if (get_ifname(tb, &ifname) < 0) {
prerr("unknown interface name!\n");
return NL_SKIP;
}
if (nla_parse_nested(peer, WGPEER_A_MAX, tb[WGDEVICE_A_PEER], NULL)) {
prerr("failed to parse nested peer!\n");
return NL_SKIP;
}
if (get_pubkey(peer, &pubkey)) {
prerr("invalid public key!\n");
return NL_SKIP;
}
if (get_endpoint(peer, &endpoint_ip)) {
prerr("invalid endpoint!\n");
return NL_SKIP;
}
if (nla_get_flag(peer[WGPEER_A_ADVANCED_SECURITY])) {
advanced_security = true;
}
if (cb_ret = run_callback(ifname, pubkey, endpoint_ip, advanced_security)) {
prerr("failed to execute callback script: %d!\n", cb_ret);
return NL_SKIP;
}
printf("Callback executed successfully.\n");
break;
default:
return NL_SKIP;
}
return 0;
}
int main(int argc, char *argv[])
{
int ret;
int sk_fd;
fd_set rfds;
if (argc < 2) {
prerr("usage: %s <callback>\n", argv[0]);
cleanup_and_exit(EXIT_FAILURE);
}
cb_argc = argc + 3;
cb_argv = argv;
signal(SIGTERM, signal_handler);
signal(SIGINT, signal_handler);
sk = nl_socket_alloc();
if (sk == NULL) {
prerr("unable to allocate Netlink socket!\n");
exit(EXIT_FAILURE);
}
ret = genl_connect(sk);
if (ret < 0) {
prerr("no connect %d!\n", ret);
cleanup_and_exit(EXIT_FAILURE);
}
printf("Netlink socket connected.\n");
ret = genl_ctrl_resolve_grp(sk, WG_GENL_NAME, WG_MULTICAST_GROUP_AUTH);
if (ret < 0) {
prerr("auth group not found %d!\n", ret);
cleanup_and_exit(EXIT_FAILURE);
}
ret = nl_socket_add_membership(sk, ret);
if (ret < 0) {
prerr("unable to join multicast group %d!\n", ret);
cleanup_and_exit(EXIT_FAILURE);
}
nl_socket_disable_seq_check(sk);
ret = nl_socket_modify_cb(sk, NL_CB_VALID, NL_CB_CUSTOM, netlink_callback, NULL);
if (ret < 0) {
prerr("unable to register callback %d!\n", ret);
cleanup_and_exit(EXIT_FAILURE);
}
while (1) {
FD_ZERO(&rfds);
sk_fd = nl_socket_get_fd(sk);
FD_SET(sk_fd, &rfds);
ret = select(sk_fd + 1, &rfds, NULL, NULL, NULL);
if (ret < 0)
break;
ret = nl_recvmsgs_default(sk);
if (ret < 0) {
prerr("error receiving message %d!\n", ret);
cleanup_and_exit(EXIT_FAILURE);
}
}
cleanup_and_exit(EXIT_FAILURE);
}
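Review bot: `get_pubkey` and `get_endpoint` pass `nla_data()` straight to code that reads a fixed 32 bytes or a full `sockaddr_in`/`sockaddr_in6` without checking `nla_len()`, and `netlink_callback` calls `nla_parse_nested` on `tb[WGDEVICE_A_PEER]` without checking it for NULL or checking the return of `nla_parse`; in a listener started with sudo, a malformed message then becomes an out-of-bounds read or a crash. In `run_callback`, a failed `execv` falls through to `exit(0)`, so the parent prints "Callback executed successfully." although the script never ran, and the raw `waitpid` status is returned without `WIFEXITED`/`WEXITSTATUS`. `malloc`, `exit` and `getnameinfo` are also used without `<stdlib.h>` and `<netdb.h>` being included. The sketch below covers the length checks and the exec failure path.

```c
static int get_pubkey(struct nlattr *peer[], char **pubkey)
{
	/* key() reads exactly WG_KEY_LEN bytes, so require exactly that much payload. */
	if (peer[WGPEER_A_PUBLIC_KEY] == NULL ||
	    nla_len(peer[WGPEER_A_PUBLIC_KEY]) != WG_KEY_LEN)
		return -1;
	*pubkey = key(nla_data(peer[WGPEER_A_PUBLIC_KEY]));
	return 0;
}

static int get_endpoint(struct nlattr *peer[], char **endpoint_ip)
{
	const struct nlattr *attr = peer[WGPEER_A_ENDPOINT];
	const struct sockaddr *addr;
	size_t need;

	if (attr == NULL || nla_len(attr) < (int)sizeof(struct sockaddr))
		return -1;
	addr = nla_data(attr);
	if (addr->sa_family == AF_INET)
		need = sizeof(struct sockaddr_in);
	else if (addr->sa_family == AF_INET6)
		need = sizeof(struct sockaddr_in6);
	else
		return -1;
	if ((size_t)nla_len(attr) < need)
		return -1;
	*endpoint_ip = endpoint(addr);
	return 0;
}

/* … unchanged: run_callback argument vector setup and fork() … */
	} else if (child_pid == 0) {
		execv(cb_argv[1], new_argv);
		_exit(127);	/* reached only when execv failed; must not report success */
	} else {

/* … in netlink_callback, before nla_parse_nested … */
		if (tb[WGDEVICE_A_PEER] == NULL) {
			prerr("missing peer attribute!\n");
			return NL_SKIP;
		}
```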

11
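--- a/debian/NEWS
+++ b/debian/NEWS
@@ -0,0 +1,11 @@
+amneziawg (1.0.20200206-2) unstable; urgency=medium
+As of wireguard-linux-compat and wireguard-dkms version 0.0.20200215-2,
+we no longer treat installation of the wireguard metapackage as a reason
+to try to reload the kernel module upon upgrade.
+See the discussion on
+https://salsa.debian.org/debian/wireguard-linux-compat/merge_requests/2
+for more details.
+-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 24 Feb 2020 10:08:35 -0500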

15
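--- a/debian/TODO
+++ b/debian/TODO
@@ -0,0 +1,15 @@
+Debian Packaging work for WireGuard:
+* wireguard metapackage should accept a 5.6 (or later) kernel instead
+of a module
+* consider make check for wg during build: this depends on
+scan-build, which is part of clang, but also wants to clean the
+build tree first. Currently, we don't do any build-time tests.
+* autopkgtest:
+- from src/, run "make check" (depending on clang-tools and sparse)
+and make sure it looks plausible.
+- Can we add other tests?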

16
debian/amneziawg-tools.README.Debian vendored Normal file

@ -0,0 +1,16 @@
Using the WireGuard VPN and encrypted network tunnel
====================================================
To use WireGuard, you'll need an additional kernel module which will
probably be built in for Linux 5.6 and later.
On debian systems with a kernel older than 5.6, you should be able to
build and install the kernel module with only:
apt install linux-headers-$(uname -r) wireguard-dkms
Please see https://www.wireguard.com/quickstart for more details on
using WireGuard.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Wed, 15 Jan 2020 10:41:35 -0500

1
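--- a/debian/amneziawg-tools.examples
+++ b/debian/amneziawg-tools.examples
@@ -0,0 +1 @@
+contrib/*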


@ -0,0 +1,8 @@
# upstream prefers the less-user-friendly locked-down /etc/wireguard by default
# to avoid leaking local system secrets. I've adjusted the debian package to follow its lead.
# see also https://bugs.debian.org/902831
amneziawg-tools: non-standard-dir-perm etc/amneziawg/ 0700 != 0755
# wg-quick@.service is a generator, not an initscript. On systems with sysvinit,
# the admin probably wants to integrate with something like /etc/network/interfaces
# rather than seeing a new script in /etc/init.d/.
amneziawg-tools: package-supports-alternative-init-but-no-init.d-script lib/systemd/system/awg-quick@.service
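Review bot: Both explanatory comments still describe the upstream names (`/etc/wireguard`, `wg-quick@.service`) while the overrides beneath them are for `etc/amneziawg/` and `awg-quick@.service`, so the stated rationale no longer matches what is being excused. Because the first override silences lintian's check on a directory that holds tunnel private keys, its comment should name the renamed path, for example `# /etc/amneziawg is shipped 0700, as upstream does for /etc/wireguard, so key material in tunnel configs is not world-readable`. Where the directory mode is actually set is not visible in this section (presumably debian/rules or a dirs file), so it is worth confirming that the package really installs it as 0700 rather than relying on the override text.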

839
debian/changelog vendored Normal file

@ -0,0 +1,839 @@
amneziawg (1.0.20210914-1ubuntu2) jammy; urgency=medium
* Add better DEP8 tests (LP: #1952102):
- d/t/control, d/t/wireguard-wgquick: test using network namespaces
and wg-quick
- d/t/netns-mini, d/t/control: test using network namespaces
and wg, taken from the wireguard-linux-compat package
* d/rules: add simple build-time test, taken from the existing
DEP8 test to generate keys (LP: #1952767)
-- Andreas Hasenack <andreas@canonical.com> Tue, 07 Dec 2021 08:33:57 -0300
amneziawg (1.0.20210914-1ubuntu1) devel; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Switch alternative dependency order for the wireguard-modules,
wireguard-dkms alternative.
-- Unit 193 <unit193@ubuntu.com> Tue, 23 Nov 2021 11:41:45 -0500
amneziawg (1.0.20210914-1) unstable; urgency=medium
* New upstream release.
* Update Standards-Version to 4.6.0.
-- Unit 193 <unit193@debian.org> Mon, 27 Sep 2021 21:21:06 -0400
amneziawg (1.0.20210424-1ubuntu1) devel; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Switch alternative dependency order for the wireguard-modules,
wireguard-dkms alternative.
-- Unit 193 <unit193@ubuntu.com> Mon, 16 Aug 2021 14:20:40 -0400
amneziawg (1.0.20210424-1) unstable; urgency=medium
* New upstream release.
- Refresh patch.
-- Unit 193 <unit193@debian.org> Fri, 13 Aug 2021 17:36:52 -0400
amneziawg (1.0.20210223-1ubuntu1) devel; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Switch alternative dependency order for the wireguard-modules,
wireguard-dkms alternative.
-- Unit 193 <unit193@ubuntu.com> Tue, 16 Mar 2021 17:27:19 -0400
amneziawg (1.0.20210223-1) unstable; urgency=medium
* New upstream release.
* d/control:
- Bump dh compat to 13.
- Drop Build-Depend on dkms.
* Update Standards-Version to 4.5.1.
-- Unit 193 <unit193@debian.org> Thu, 25 Feb 2021 02:02:36 -0500
amneziawg (1.0.20200827-1ubuntu1) devel; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Switch alternative dependency order for the wireguard-modules,
wireguard-dkms alternative.
-- Unit 193 <unit193@ubuntu.com> Wed, 30 Sep 2020 18:52:56 -0400
amneziawg (1.0.20200827-1) unstable; urgency=medium
* New upstream release.
-- Unit 193 <unit193@debian.org> Wed, 09 Sep 2020 03:47:59 -0400
amneziawg (1.0.20200820-1ubuntu1) groovy; urgency=low
* Merge from Debian unstable. Remaining changes:
- Switch alternative dependency order for teh wireguard-modules,
wireguard-dkms alternative.
-- Andy Whitcroft <apw@ubuntu.com> Wed, 26 Aug 2020 10:42:33 +0100
amneziawg (1.0.20200820-1) unstable; urgency=medium
* New upstream release.
-- Unit 193 <unit193@debian.org> Sat, 22 Aug 2020 19:19:51 -0400
amneziawg (1.0.20200513-1ubuntu1) groovy; urgency=medium
* Switch alternative dependency order for the wireguard-modules,
wireguard-dkms alternative. Whichever is first is deemed the
preferred installation candidate when neither is present. When this is
wireguard-modules this is satisfied by installation of a random kernel
which claims support for wireguard regardless of its applicability.
Repeat after me, do not ever depend on a kernel. (LP: #1890201)
-- Andy Whitcroft <apw@ubuntu.com> Mon, 03 Aug 2020 22:24:05 +0100
amneziawg (1.0.20200513-1) unstable; urgency=medium
* New upstream release.
- Drop upstream patch.
* d/control: Lower 'openresolv | resolvconf' to suggests.
-- Unit 193 <unit193@debian.org> Fri, 15 May 2020 18:32:16 -0400
amneziawg (1.0.20200510-1) unstable; urgency=medium
[ Daniel Kahn Gillmor ]
* Add Unit193 to Uploaders
* wrap-and-sort -ast
* prefer wireguard-modules (from a kernel package) over wireguard-dkms
* keygen test only needs wireguard-tools package, not wireguard metapackage
[ Jason A. Donenfeld ]
* debian: tests: replace ncat-client with keygen
* debian: control: set Recommends order same as Depends order
[ Unit 193 ]
* New upstream release.
- Refresh patch.
- Grab an upstream commit to install wg-quick.target.
* d/control:
- Update my email address.
- Recommend openresolv | resolvconf. (Closes: #930735)
* d/copyright: Update attribution.
* d/wireguard-tools.lintian-overrides: Drop override about .gitignore.
-- Unit 193 <unit193@debian.org> Tue, 12 May 2020 01:33:42 -0400
amneziawg (1.0.20200319-1) unstable; urgency=medium
[ Unit 193 ]
* New upstream release.
* d/watch: Update to find new releases.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 21 Mar 2020 21:30:26 -0400
amneziawg (1.0.20200206-2) unstable; urgency=medium
* add NEWS file documenting that the metapackage will no longer cause a
reload.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 24 Feb 2020 10:08:35 -0500
amneziawg (1.0.20200206-1) unstable; urgency=medium
* new upstream release.
* d/copyright: note import of bits from libmnl
* refresh patches
* drop libmnl-dev from build-deps
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 06 Feb 2020 14:06:44 -0500
amneziawg (1.0.20200121-2) unstable; urgency=medium
* Transfer module reload postinst script to wireguard-dkms package
* standards-version: bump to 4.5.0 (no changes needed)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 22 Jan 2020 13:16:57 -0500
amneziawg (1.0.20200121-1) unstable; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 21 Jan 2020 10:12:22 -0500
amneziawg (1.0.20200102-1) unstable; urgency=medium
* new upstream release
* drop wireguard-dkms binary package, now supplied by the
wireguard-linux-compat source package
* refresh patches
* drop lintian override of version-substvar-for-external-package
* ship examples from new upstream path
* update debian/copyright
* avoid using git during build to override src/version.h
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 15 Jan 2020 11:25:16 -0500
amneziawg (0.0.20191219-1) unstable; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 19 Dec 2019 11:33:41 -0500
amneziawg (0.0.20191212-1) unstable; urgency=medium
* new upstream release
* encourage nftables instead of iptables
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 12 Dec 2019 10:53:37 -0500
amneziawg (0.0.20191206-1) unstable; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 06 Dec 2019 17:32:38 -0500
amneziawg (0.0.20191127-2) unstable; urgency=medium
* wireguard-tools now Recommends: iptables because of wg-quick
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 04 Dec 2019 10:46:36 -0500
amneziawg (0.0.20191127-1) unstable; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 02 Dec 2019 09:44:34 -0500
amneziawg (0.0.20191012-1) unstable; urgency=medium
* new upstream release
* d/clean: clean up generated assembler
* more notes about autopkgtest
* standards-version: bump to 4.4.1 (no changes needed)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 15 Oct 2019 17:41:38 +0200
amneziawg (0.0.20190913-1) unstable; urgency=medium
* new upstream release
* verbose build to satisfy compiler-flags-hidden complaint from bls
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 26 Sep 2019 10:29:32 +0200
amneziawg (0.0.20190905-1) unstable; urgency=medium
* new upstream release
* refresh patches
* include ${perl:Depends} in wireguard-dkms
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 08 Sep 2019 15:42:09 -0400
amneziawg (0.0.20190702-3) unstable; urgency=medium
* clean up wireguard-modules versioned dependency (Closes: #930432)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 19 Aug 2019 20:52:22 -0400
amneziawg (0.0.20190702-2) unstable; urgency=medium
* Work around faulty siphash backport (Closes: #934763)
* standards-version: bump to 4.4.0 (no changes needed)
* override package-supports-alternative-init-but-no-init.d-script for
wireguard-tools
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 19 Aug 2019 18:07:59 -0400
amneziawg (0.0.20190702-1) unstable; urgency=medium
* new upstream version
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 02 Jul 2019 09:02:32 -0400
amneziawg (0.0.20190601-1) unstable; urgency=medium
* new upstream version
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 17 Jun 2019 12:25:58 -0400
amneziawg (0.0.20190406-1) unstable; urgency=medium
* New upstream version
* refresh patches
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 08 Apr 2019 17:09:41 -0400
amneziawg (0.0.20190227-1) unstable; urgency=medium
* New upstream version
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 01 Mar 2019 13:34:53 -0500
amneziawg (0.0.20190123-1) unstable; urgency=medium
[ Fabian Grünbichler ]
* wireguard.postinst: Add module reload on upgrade (Closes: #913446)
[ Daniel Kahn Gillmor ]
* New upstream version (Closes: #919232)
* Tighten dependencies and description of wireguard metapackage
* Fine-tune module reload code on wireguard.postinst
* Standards-Version: bump to 4.3.0 (no changes needed)
* Update debian/copyright
* override lintian warning version-substvar-for-external-package
* move to debhelper-compat 12
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 28 Jan 2019 14:31:53 -0500
amneziawg (0.0.20181218-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 18 Dec 2018 13:50:07 -0500
amneziawg (0.0.20181119-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 19 Nov 2018 13:30:22 -0500
amneziawg (0.0.20181115-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 15 Nov 2018 17:47:30 -0500
amneziawg (0.0.20181018-1) unstable; urgency=medium
* new upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 18 Oct 2018 09:42:59 -0400
amneziawg (0.0.20181007-1) unstable; urgency=medium
* new upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 18 Oct 2018 09:42:44 -0400
amneziawg (0.0.20180925-1) unstable; urgency=medium
* new upstream snapshot release
* d/copyright: update for licensing tweaks
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 27 Sep 2018 17:02:13 -0400
amneziawg (0.0.20180918-1) unstable; urgency=medium
* new upstream snapshot release
* d/copyright: note zinc change to MIT license
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 19 Sep 2018 15:44:54 -0400
amneziawg (0.0.20180910-1) unstable; urgency=medium
* new upstream snapshot release
* d/copyright update for new code sources
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 12 Sep 2018 00:28:31 -0400
amneziawg (0.0.20180904-2) unstable; urgency=medium
* dkms: use upstream version instead of debian version (closes: #906019)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 06 Sep 2018 13:08:44 -0400
amneziawg (0.0.20180904-1) unstable; urgency=medium
* New upstream snapshot release
* Standards-Version: bump to 4.2.1 (no changes needed)
* debian/copyright: update move of sources to zinc
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 05 Sep 2018 16:24:17 -0400
amneziawg (0.0.20180809-1) unstable; urgency=medium
* Standards-Version: bump to 4.2.0 (no changes needed)
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 05 Sep 2018 16:24:06 -0400
amneziawg (0.0.20180802-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 03 Aug 2018 09:31:12 -0400
amneziawg (0.0.20180731-2) unstable; urgency=medium
* ship /etc/wireguard mode 0700 by default (closes: #902831)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 31 Jul 2018 18:00:49 -0400
amneziawg (0.0.20180731-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 31 Jul 2018 15:42:42 -0400
amneziawg (0.0.20180718-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 31 Jul 2018 15:42:30 -0400
amneziawg (0.0.20180708-1) unstable; urgency=medium
* New upstream snapshot release
* Standards-Version: bumped to 4.1.5 (no changes needed)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 09 Jul 2018 15:03:15 -0400
amneziawg (0.0.20180625-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 25 Jun 2018 14:02:58 -0400
amneziawg (0.0.20180620-1) unstable; urgency=medium
* new upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 21 Jun 2018 10:25:55 -0400
amneziawg (0.0.20180613-3) unstable; urgency=medium
[ Helmut Grohne ]
* Fix FTCBFS (Closes: #900891) Thanks, Helmut Grohne!
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 18 Jun 2018 14:35:37 -0400
amneziawg (0.0.20180613-2) unstable; urgency=medium
* avoid requiring glibc-2.25 for wireguard-tools (Closes: #901802)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 18 Jun 2018 14:18:31 -0400
amneziawg (0.0.20180613-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 14 Jun 2018 09:59:56 -0400
amneziawg (0.0.20180531-1) unstable; urgency=medium
* New upstream snapshot release
* update debian/copyright
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 01 Jun 2018 16:08:33 -0400
amneziawg (0.0.20180524-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 24 May 2018 10:38:53 -0400
amneziawg (0.0.20180519-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 21 May 2018 13:42:17 -0400
amneziawg (0.0.20180513-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 14 May 2018 17:28:50 -0400
amneziawg (0.0.20180420-1) unstable; urgency=medium
* New upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 14 May 2018 17:28:31 -0400
amneziawg (0.0.20180413-1) unstable; urgency=medium
* New upstream snapshot release
* Standards-Version: bump to 4.1.4 (no changes needed)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 20 Apr 2018 12:43:32 -0700
amneziawg (0.0.20180304-1) unstable; urgency=medium
* new upstream snapshot release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 16 Mar 2018 01:31:06 +0000
amneziawg (0.0.20180218-1) unstable; urgency=medium
* new upstream snapshot release
* update Jason's signing key
* d/control: set Rules-Requires-Root: no
* convert packaging VCS branchnames to DEP-14
* d/copyright: embeddable-wg-library is LGPL-2.1+
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 20 Feb 2018 14:51:20 -0800
amneziawg (0.0.20180202-1) unstable; urgency=medium
* new upstream snapshot release
* loosen versioned dependencies of wireguard metapackage
* d/copyright: update
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 02 Feb 2018 15:26:24 -0500
amneziawg (0.0.20180118-1) unstable; urgency=medium
* New upstream snapshot release
* d/copyright: update
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 19 Jan 2018 00:04:53 -0500
amneziawg (0.0.20171221-5) unstable; urgency=medium
* New debian package for source-only upload
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 13 Jan 2018 11:35:16 -0500
amneziawg (0.0.20171221-4) unstable; urgency=medium
* d/copyright: annotate a few additional files
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 12 Jan 2018 16:51:08 -0500
amneziawg (0.0.20171221-3) unstable; urgency=medium
* make inter-package recommendations tightly versioned
* add new wireguard metapackage
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 11 Jan 2018 17:48:05 -0500
amneziawg (0.0.20171221-2) unstable; urgency=medium
* wrap-and-sort -ast
* standards-version: bump to 4.1.3 (no changes needed)
* move to debhelper 11
* move Vcs to salsa.debian.org
* clean up lintian-overrides
* include upstream changelog
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 08 Jan 2018 16:30:38 -0500
amneziawg (0.0.20171221-1) unstable; urgency=medium
* New upstream release
* drop workaround curve25519_generate.js, fixed upstream
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 20 Dec 2017 22:13:31 -0500
amneziawg (0.0.20171211-1) unstable; urgency=medium
* New upstream release
* refresh patches
* Standards-Version: bump to 4.1.2 (no changes needed)
* examples: avoid shipping pre-generated javascript artifact
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 11 Dec 2017 20:56:53 -0500
amneziawg (0.0.20171127-1) unstable; urgency=medium
* New upstream release.
* d/copyright: annotate new assembler
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 28 Nov 2017 17:29:39 -0500
amneziawg (0.0.20171111-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 11 Nov 2017 18:32:19 +0800
amneziawg (0.0.20171101-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 07 Nov 2017 02:05:29 +0100
amneziawg (0.0.20171017-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 22 Oct 2017 10:11:26 -0400
amneziawg (0.0.20171011-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 11 Oct 2017 10:22:23 -0400
amneziawg (0.0.20171005-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 06 Oct 2017 15:29:08 -0700
amneziawg (0.0.20171001+dfsg1-1) unstable; urgency=medium
* New upstream release
- use dfsg-free version of upstream release, dropping accidentally
shipped contrib/examples/sticky-sockets/a.out
- subsequent releases should not need dfsg-free cleanup
* Standards-Version: bump to 4.1.1 (no changes needed)
* move wireguard-dkms to Section: kernel (thanks, Lintian!)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 02 Oct 2017 10:08:23 -0700
amneziawg (0.0.20170918-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 18 Sep 2017 13:13:43 -0400
amneziawg (0.0.20170907-1) unstable; urgency=medium
* New upstream release
* Standards-Version: bump to 4.1.0 (no changes needed)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 07 Sep 2017 10:58:53 -0400
amneziawg (0.0.20170810-1) unstable; urgency=medium
* New upstream release
* Standards-Version: bumped to 4.0.1 (Priority: extra -> optional)
* added autopkgtest to wireguard demo server
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 10 Aug 2017 20:48:34 -0400
amneziawg (0.0.20170726-1) unstable; urgency=medium
* New upstream release
* switch documentation/metadata from wireguard.io to wireguard.com,
following upstream
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 26 Jul 2017 11:52:36 -0400
amneziawg (0.0.20170706-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 06 Jul 2017 18:24:04 -0400
amneziawg (0.0.20170629-1) unstable; urgency=medium
* New upstream release
* bumped Standards-Version to 4.0.0 (no changes needed)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 05 Jul 2017 15:14:20 -0400
amneziawg (0.0.20170613-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 14 Jun 2017 13:38:22 -0400
amneziawg (0.0.20170531-2) unstable; urgency=medium
* add systemd to build-dependencies to learn systemdsystemunitdir
(thanks, Lintian!)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 31 May 2017 15:15:07 -0400
amneziawg (0.0.20170531-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 31 May 2017 11:48:41 -0400
amneziawg (0.0.20170517-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 17 May 2017 15:36:03 -0400
amneziawg (0.0.20170421-2) unstable; urgency=medium
* update/correct debian/copyright
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 25 Apr 2017 12:56:14 -0400
amneziawg (0.0.20170421-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 24 Apr 2017 10:00:55 -0400
amneziawg (0.0.20170409-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 10 Apr 2017 01:50:46 -0400
amneziawg (0.0.20170324-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 24 Mar 2017 00:46:22 -0400
amneziawg (0.0.20170320.1-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 20 Mar 2017 11:43:36 -0400
amneziawg (0.0.20170223-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 23 Feb 2017 11:29:01 -0500
amneziawg (0.0.20170214-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 14 Feb 2017 08:51:02 -0500
amneziawg (0.0.20170213-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 13 Feb 2017 19:06:05 -0500
amneziawg (0.0.20170115-1) unstable; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 06 Feb 2017 04:40:14 -0500
amneziawg (0.0.20170105-1) UNRELEASED; urgency=medium
* New upstream release
- adds wg-quick
- adds bash tab completion for wg
- adds systemd .service template for wg-quick
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 11 Jan 2017 23:19:09 -0500
amneziawg (0.0.20161230-1) unstable; urgency=medium
* New upstream release.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 03 Jan 2017 02:21:26 -0500
amneziawg (0.0.20161223-1) unstable; urgency=medium
* New upstream release.
* use uptream's install-dkms Makefile target and dkms.conf instead of
maintaining our own.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 24 Dec 2016 16:58:46 -0500
amneziawg (0.0.20161218-1) unstable; urgency=medium
* New upstream release.
* Move from experimental to unstable. Upstream isn't committed to a
long-term stable branch, so we should keep this from migrating to
stretch, but it has stabilized enough for wider distribution.
* Note: we are not using upstream's install-dkms Makefile target.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 22 Dec 2016 08:25:15 -0500
amneziawg (0.0.20161129-experimental1) experimental; urgency=medium
* new upstream release
* generate src/version.h from debian package version instead of git
repo.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 05 Dec 2016 23:01:22 -0500
amneziawg (0.0.20161116.1-experimental1) experimental; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 17 Nov 2016 08:07:52 +0900
amneziawg (0.0.20161110-experimental1) experimental; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 10 Nov 2016 12:25:50 -0800
amneziawg (0.0.20161105-experimental1) experimental; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 06 Nov 2016 01:47:35 -0400
amneziawg (0.0.20161103-experimental1) experimental; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 04 Nov 2016 10:34:52 -0400
amneziawg (0.0.20161102-experimental1) experimental; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 02 Nov 2016 12:52:58 -0400
amneziawg (0.0.20161025-experimental1) experimental; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 25 Oct 2016 10:05:12 -0400
amneziawg (0.0.20161014-experimental1) experimental; urgency=medium
* new upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 24 Oct 2016 14:04:50 -0400
amneziawg (0.0.20160808-experimental2) experimental; urgency=medium
[ Jason A. Donenfeld ]
* properly ship self-tests (Closes: #833961)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 12 Aug 2016 01:45:04 -0400
amneziawg (0.0.20160808-experimental1) experimental; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 08 Aug 2016 16:54:39 -0400
amneziawg (0.0.20160722-experimental1) experimental; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 22 Jul 2016 17:21:11 -0400
amneziawg (0.0.20160711-experimental1) experimental; urgency=medium
* New upstream release
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 12 Jul 2016 13:20:26 +0200
amneziawg (0.0.20160708.1-experimental1) experimental; urgency=medium
* New upstream release
* build-depend on pkg-config
* ship upstream examples
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 08 Jul 2016 23:13:54 +0200
amneziawg (0.0.20160630-experimental2) experimental; urgency=medium
* avoid shipping example/demo scripts at request of upstream
* limit wireguard-tools to only linux platforms, since it makes no sense
elsewhere.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 02 Jul 2016 10:32:49 -0400
amneziawg (0.0.20160630-experimental1) experimental; urgency=medium
* First package upload (Closes: #829107)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 30 Jun 2016 12:50:33 -0400

3
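--- a/debian/clean
+++ b/debian/clean
@@ -0,0 +1,3 @@
+src/*.o
+src/*.d
+src/wg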
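Review bot: The clean list still names `src/wg`, while debian/control in this same change describes the shipped tool as `awg`. If the Makefile (not visible here) now produces `src/awg`, the built binary survives `debian/rules clean` and stays in the source tree between builds. Adding a `src/awg` line next to `src/wg` would cover both names.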

1
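--- a/debian/compat
+++ b/debian/compat
@@ -0,0 +1 @@
+9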
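Review bot: Compat level `9` is older than what the imported packaging history describes: debian/changelog in this change records "move to debhelper-compat 12" and "Bump dh compat to 13", and debian/control now lists an unversioned `debhelper` build dependency. Level 9 is deprecated in current debhelper and changes which helper defaults apply, so the resulting package can differ from the one the changelog documents. Unless an old build environment requires it, consider dropping this file and declaring `debhelper-compat (= 13)` in `Build-Depends`; if 9 is deliberate, a changelog entry saying why would help.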

57
debian/control vendored Normal file

@ -0,0 +1,57 @@
Source: amneziawg
Section: net
Priority: optional
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
XSBC-Original-Maintainer: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Uploaders:
Unit 193 <unit193@debian.org>,
Build-Depends:
debhelper,
pkg-config,
systemd,
Standards-Version: 4.6.0
Homepage: https://www.wireguard.com
Vcs-Git: https://github.com/amnezia-vpn/amnezia-wg-tools.git
Vcs-Browser: https://github.com/amnezia-vpn/amnezia-wg-tools
Rules-Requires-Root: no
Package: amneziawg
Architecture: all
Depends:
amneziawg-dkms (>= 0.0.20200121-2) | amneziawg-modules (>= 0.0.20191219),
amneziawg-tools (>= ${source:Version}),
${misc:Depends},
Description: fast, modern, secure kernel VPN tunnel (metapackage)
WireGuard is a novel VPN that runs inside the Linux Kernel and uses
state-of-the-art cryptography (the "Noise" protocol). It aims to be
faster, simpler, leaner, and more useful than IPSec, while avoiding
the massive headache. It intends to be considerably more performant
than OpenVPN. WireGuard is designed as a general purpose VPN for
running on embedded interfaces and super computers alike, fit for
many different circumstances. It runs over UDP.
.
This metapackage explicitly depends on both the kernel module and the
userspace tooling.
Package: amneziawg-tools
Architecture: linux-any
Depends:
${misc:Depends},
${shlibs:Depends},
Recommends:
nftables | iptables,
amneziawg-modules (>= 0.0.20171001) | amneziawg-dkms (>= 0.0.20191219),
Suggests: openresolv | resolvconf,
Description: fast, modern, secure kernel VPN tunnel (userland utilities)
WireGuard is a novel VPN that runs inside the Linux Kernel and uses
state-of-the-art cryptography (the "Noise" protocol). It aims to be
faster, simpler, leaner, and more useful than IPSec, while avoiding
the massive headache. It intends to be considerably more performant
than OpenVPN. WireGuard is designed as a general purpose VPN for
running on embedded interfaces and super computers alike, fit for
many different circumstances. It runs over UDP.
.
This package contains command-line tools to interact with the
WireGuard kernel module. Currently, it provides only a single tool:
.
awg: set and retrieve configuration of WireGuard interfaces
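Review bot: The `Maintainer:` and `XSBC-Original-Maintainer:` fields still name Ubuntu Developers and the Debian WireGuard maintainer, and `Homepage:` still points at wireguard.com, although `Vcs-Git` and the package names identify this as the amnezia-wg-tools fork. Users and tooling rely on this metadata to establish provenance and to route bug and security reports, so it should name whoever actually builds and supports these packages, e.g. `Maintainer: FORK_MAINTAINER_NAME <FORK_MAINTAINER_EMAIL>` (placeholder values), keeping the original maintainer only in the original-maintainer field. The versioned relations such as `amneziawg-dkms (>= 0.0.20200121-2)` also look carried over from the wireguard version series and are worth checking against the versions the amneziawg module packages really publish. The two `Description:` blocks likewise describe stock WireGuard and do not say that this build carries AmneziaWG changes.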

85
debian/copyright vendored Normal file

@ -0,0 +1,85 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: WireGuard command-line tools
Source: https://www.wireguard.com/
Upstream-Contact: WireGuard mailing list <wireguard@lists.zx2c4.com>
Files: *
Copyright: 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>
License: GPL-2
Files: contrib/external-tests/python/main.py
Copyright: 2018 Piotr Lizonczyk <plizonczyk.public@gmail.com>
License: MIT
Files: src/netlink.h contrib/embeddable-wg-library/*
Copyright: 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>
2008-2012 Pablo Neira Ayuso <pablo@netfilter.org>
License: LGPL-2.1+
Files: src/curve25519-fiat32.h
Copyright: 2015-2016 The fiat-crypto Authors.
2018-2020 Jason A. Donenfeld <Jason@zx2c4.com>
License: GPL-2 or MIT
Files: src/curve25519-hacl64.h
Copyright: 2016-2017 INRIA and Microsoft Corporation.
2018-2020 Jason A. Donenfeld <Jason@zx2c4.com>
License: GPL-2 or MIT
Files: src/uapi/openbsd/net/if_wg.h
Copyright: 2020 Matt Dunwoodie <ncon@noconroy.net>
2020 Jason A. Donenfeld <Jason@zx2c4.com>
License: ISC
Files: debian/*
Copyright: 2016-2020 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
License: GPL-2
License: GPL-2
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2.
.
On Debian systems, the complete text of the GNU General Public License
version 2 can be found in file "/usr/share/common-licenses/GPL-2".
License: LGPL-2.1+
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as
published by the Free Software Foundation; version 2.1 or later.
.
On Debian systems, the complete text of the GNU Lesser General Public
License version 2.1 can be found in file
"/usr/share/common-licenses/LGPL-2.1".
License: MIT
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
.
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
License: ISC
Permission to use, copy, modify, and/or distribute this software for
any purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all copies.
.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

4
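--- a/debian/files
+++ b/debian/files
@@ -0,0 +1,4 @@
+amneziawg-tools-dbgsym_1.0.20210914-1ubuntu2_amd64.ddeb debug optional automatic=yes
+amneziawg-tools_1.0.20210914-1ubuntu2_amd64.deb net optional
+amneziawg_1.0.20210914-1ubuntu2_all.deb net optional
+amneziawg_1.0.20210914-1ubuntu2_amd64.buildinfo net optional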

6
debian/gbp.conf vendored Normal file

@ -0,0 +1,6 @@
[DEFAULT]
debian-branch = debian/master
upstream-tag = v%(version)s
[buildpackage]
compression = xz


@ -0,0 +1,21 @@
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wed, 15 Jan 2020 11:23:27 -0500
Subject: Avoid using git during build
---
src/Makefile | 4 ----
1 file changed, 4 deletions(-)
--- a/src/Makefile 2021-08-13 17:36:03.385973646 -0400
+++ b/src/Makefile 2021-08-13 17:36:03.369973776 -0400
@@ -48,10 +48,6 @@
ifeq ($(DEBUG),yes)
CFLAGS += -g
endif
-WIREGUARD_TOOLS_VERSION = $(patsubst v%,%,$(shell GIT_DIR="$(PWD)/../.git" git describe --dirty 2>/dev/null))
-ifneq ($(WIREGUARD_TOOLS_VERSION),)
-CFLAGS += -D'WIREGUARD_TOOLS_VERSION="$(WIREGUARD_TOOLS_VERSION)"'
-endif
ifeq ($(PLATFORM),freebsd)
LDLIBS += -lnv
endif


@ -0,0 +1,35 @@
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Mon, 18 Jun 2018 14:11:10 -0400
Subject: Avoid requiring glibc 2.25 for wireguard-tools
Upstream's instructions (https://www.wireguard.com/install/) suggest
enabling the debian unstable repository to run wireguard.
Without this patch, the current version of wireguard-tools will end up
with a dependency on glibc 2.25 because of the invocation of
getentropy.
We avoid this situation (and fall through to the syscall interface
for the Linux kernel) by omitting the test here.
If we move wireguard into testing (and from there to
stretch-backports) then i think we can convince upstream to change
their installation instructions to refer to stretch-backports, and we
can remove this patch.
---
src/genkey.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/genkey.c b/src/genkey.c
index d1bb643..6cdee42 100644
--- a/src/genkey.c
+++ b/src/genkey.c
@@ -40,7 +40,7 @@ static inline bool __attribute__((__warn_unused_result__)) get_random_bytes(uint
return false;
}
-#if defined(__OpenBSD__) || (defined(__APPLE__) && MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_12) || (defined(__GLIBC__) && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 25)))
+#if defined(__OpenBSD__) || (defined(__APPLE__) && MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_12)
if (!getentropy(out, len))
return true;
#endif
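Review bot: The justification in this patch header is specific to Debian stretch and glibc older than 2.25, yet the package versions listed in debian/files are `1ubuntu2` builds, so the reason for skipping `getentropy()` in `get_random_bytes` looks stale. The function feeds key generation and its fallback path lies outside this hunk, so all that can be said from here is what the description states (it falls through to the Linux syscall interface). If every targeted release ships glibc 2.25 or later, I would drop `0002-Avoid-requiring-glibc-2.25-for-wireguard-tools.patch` from debian/patches/series and keep upstream's entropy path unmodified. If it has to stay, the header should name the release that still needs it.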

2
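--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+0001-Avoid-using-git-during-build.patch
+0002-Avoid-requiring-glibc-2.25-for-wireguard-tools.patch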

38
debian/rules vendored Executable file

@ -0,0 +1,38 @@
#!/usr/bin/make -f
include /usr/share/dpkg/default.mk
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
export DEB_VERSION_UPSTREAM
AMNEZIAWG_ARGS = WITH_BASHCOMPLETION=yes WITH_WGQUICK=yes WITH_SYSTEMDUNITS=yes V=1
%:
dh $@
override_dh_auto_build-arch:
dh_auto_build --sourcedirectory=src -- $(AMNEZIAWG_ARGS)
override_dh_auto_install-arch:
$(MAKE) -C src DESTDIR=../debian/amneziawg-tools $(AMNEZIAWG_ARGS) install
override_dh_fixperms:
dh_fixperms -Xetc/amnezia
override_dh_installexamples:
dh_installexamples -Xexternal-tests
define test_wg
set -x; set -e; \
echo "Testing command $1" && \
a="$$(src/wg $1)" && b="$$(src/wg $1)" && \
echo "a=$$a b=$$b" && \
test -n "$$a" && \
test -n "$$b" && \
test "$$a" != "$$b"
endef
override_dh_auto_test:
test "$$(head -c 32 /dev/zero | base64 | src/wg pubkey)" = "L+V9o0fNYkMVKNqsX7spBzD/9oSvxM/C7ZCZX1jLO3Q="
$(call test_wg,genpsk)
$(call test_wg,genkey)

1
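--- a/debian/source/format
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)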

17
debian/tests/control vendored Normal file

@ -0,0 +1,17 @@
Tests: keygen
Restrictions: superficial
Depends:
wireguard-tools,
Tests: wg-quick
Restrictions: needs-root, isolation-machine, allow-stderr
Depends:
iproute2,
@,
Tests: netns-mini
Restrictions: needs-root, isolation-machine
Depends:
iproute2,
iputils-ping,
@,
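Review bot: The `keygen` stanza depends on `wireguard-tools` rather than the package built here, so that autopkgtest installs and exercises upstream `wg` instead of the `awg` binary that the Makefile change in this compare installs. The scripts have the same problem: debian/tests/keygen, netns-mini and wg-quick call `wg`, `wg-quick`, `type wireguard` and `/etc/wireguard`, none of which this package provides under those names. I would change the dependency to `amneziawg-tools,` (the binary package named in debian/files) and switch the scripts to `awg`, `awg-quick`, `type amneziawg` and `/etc/amnezia/amneziawg`. Until then a passing run says nothing about the packaged key generation or tunnel setup.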

5
debian/tests/keygen vendored Executable file

@ -0,0 +1,5 @@
#!/bin/bash
set -e
[[ $(head -c 32 /dev/zero | base64 | wg pubkey) == "L+V9o0fNYkMVKNqsX7spBzD/9oSvxM/C7ZCZX1jLO3Q=" ]]
[[ $(wg genpsk) != "$(wg genpsk)" ]]

55
debian/tests/netns-mini vendored Executable file

@ -0,0 +1,55 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
# Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
set -e
exec 3>&1
netns0="wg-test-$$-0"
netns1="wg-test-$$-1"
netns2="wg-test-$$-2"
pretty() { echo -e "\x1b[32m\x1b[1m[+] ${1:+NS$1: }${2}\x1b[0m" >&3; }
pp() { pretty "" "$*"; "$@"; }
n1() { pretty 1 "$*"; ip netns exec $netns1 "$@"; }
n2() { pretty 2 "$*"; ip netns exec $netns2 "$@"; }
ip0() { pretty 0 "ip $*"; ip -n $netns0 "$@"; }
ip1() { pretty 1 "ip $*"; ip -n $netns1 "$@"; }
ip2() { pretty 2 "ip $*"; ip -n $netns2 "$@"; }
cleanup() {
set +e
exec 2>/dev/null
ip0 link del dev wg0
ip1 link del dev wg0
ip2 link del dev wg0
local to_kill="$(ip netns pids $netns0) $(ip netns pids $netns1) $(ip netns pids $netns2)"
[[ -n $to_kill ]] && kill $to_kill
pp ip netns del $netns1
pp ip netns del $netns2
pp ip netns del $netns0
exit
}
trap cleanup EXIT
ip netns del $netns0 2>/dev/null || true
ip netns del $netns1 2>/dev/null || true
ip netns del $netns2 2>/dev/null || true
pp ip netns add $netns0
pp ip netns add $netns1
pp ip netns add $netns2
ip0 link set up dev lo
ip0 link add dev wg0 type wireguard
ip0 link set wg0 netns $netns1
ip0 link add dev wg0 type wireguard
ip0 link set wg0 netns $netns2
ip1 addr add 192.168.241.1/24 dev wg0
ip2 addr add 192.168.241.2/24 dev wg0
key1="$(pp wg genkey)"
key2="$(pp wg genkey)"
pub1="$(pp wg pubkey <<<"$key1")"
pub2="$(pp wg pubkey <<<"$key2")"
n1 wg set wg0 private-key <(echo "$key1") listen-port 1 peer "$pub2" allowed-ips 192.168.241.2/32
n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" allowed-ips 192.168.241.1/32
ip1 link set up dev wg0
ip2 link set up dev wg0
n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
n2 ping -c 10 -f -W 1 192.168.241.1
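Review bot: In `cleanup`, `[[ -n $to_kill ]]` is always true, because `to_kill` is assembled with two literal spaces between the three `ip netns pids` substitutions. With no PIDs the script runs a bare `kill`, and its error is hidden only by the earlier `exec 2>/dev/null`. Assigning on the `local` line also discards the exit status of the substitutions. Collecting the PIDs into an array, `local -a to_kill; to_kill=( $(ip netns pids "$netns0") $(ip netns pids "$netns1") $(ip netns pids "$netns2") )`, followed by `(( ${#to_kill[@]} )) && kill "${to_kill[@]}"`, makes the guard meaningful. Quoting `$netns0`, `$netns1` and `$netns2` throughout would match the quoting already used in debian/tests/wg-quick.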

171
debian/tests/wg-quick vendored Executable file
View file

@ -0,0 +1,171 @@
#!/bin/bash
set -e
set -o pipefail
LEFT_NS="left_ns"
LEFT_GW="10.0.5.1/24"
LEFT_PORT=3001
LEFT_INT="10.0.1.1/24"
WG_LEFT_INTERFACE="wg_left"
WG_LEFT_INTERFACE_CONF="/etc/wireguard/${WG_LEFT_INTERFACE}.conf"
RIGHT_NS="right_ns"
RIGHT_GW="10.0.5.2/24"
RIGHT_PORT=3002
RIGHT_INT="10.0.1.2/24"
WG_RIGHT_INTERFACE="wg_right"
WG_RIGHT_INTERFACE_CONF="/etc/wireguard/${WG_RIGHT_INTERFACE}.conf"
cleanup() {
if [ $? -ne 0 ]; then
echo "Some test failed, here is some debugging"
dmesg -T | grep wireguard
fi
rm -f "${WG_LEFT_INTERFACE_CONF}" "${WG_RIGHT_INTERFACE_CONF}"
ip netns delete "${LEFT_NS}" &>/dev/null
ip netns delete "${RIGHT_NS}" &>/dev/null
}
trap cleanup EXIT
setup() {
umask 0077
echo "Generating keys"
LEFT_PRIVKEY="$(wg genkey)"
RIGHT_PRIVKEY="$(wg genkey)"
LEFT_PUBKEY="$(wg pubkey <<<"${LEFT_PRIVKEY}")"
RIGHT_PUBKEY="$(wg pubkey <<<"${RIGHT_PRIVKEY}")"
echo "Generating wireguard config"
cat > "${WG_LEFT_INTERFACE_CONF}" <<-EOF
[Interface]
ListenPort = ${LEFT_PORT}
PrivateKey = ${LEFT_PRIVKEY}
Address = ${LEFT_GW}
[Peer]
PublicKey = ${RIGHT_PUBKEY}
AllowedIPs = ${RIGHT_GW%%/*}/32
Endpoint = ${RIGHT_INT%%/*}:${RIGHT_PORT}
EOF
cat > "${WG_RIGHT_INTERFACE_CONF}" <<-EOF
[Interface]
ListenPort = ${RIGHT_PORT}
PrivateKey = ${RIGHT_PRIVKEY}
Address = ${RIGHT_GW}
[Peer]
PublicKey = ${LEFT_PUBKEY}
AllowedIPs = ${LEFT_GW%%/*}/32
Endpoint = ${LEFT_INT%%/*}:${LEFT_PORT}
EOF
echo "Cleaning up old namespaces"
ip netns delete "${LEFT_NS}" &> /dev/null || true
ip netns delete "${RIGHT_NS}" &> /dev/null || true
echo "Creating new namespaces ${LEFT_NS} and ${RIGHT_NS} and adding loopback interface to them"
ip netns add "${LEFT_NS}"
ip netns exec "${LEFT_NS}" ip link set dev lo up
ip netns add "${RIGHT_NS}"
ip netns exec "${RIGHT_NS}" ip link set dev lo up
echo "Creating veth interface connecting both namespaces"
ip link add p1 netns "${LEFT_NS}" type veth peer p2 netns "${RIGHT_NS}"
ip -n "${LEFT_NS}" addr add "${LEFT_INT}" dev p1
ip -n "${LEFT_NS}" link set p1 up
ip -n "${RIGHT_NS}" addr add "${RIGHT_INT}" dev p2
ip -n "${RIGHT_NS}" link set p2 up
echo "Bringing up LEFT wireguard interface in namespace ${LEFT_NS}"
ip netns exec "${LEFT_NS}" wg-quick up "${WG_LEFT_INTERFACE}"
echo "Bringing up RIGHT wireguard interface in namespace ${RIGHT_NS}"
ip netns exec "${RIGHT_NS}" wg-quick up "${WG_RIGHT_INTERFACE}"
}
show_config() {
echo "${LEFT_NS} namespace:"
ip netns exec "${LEFT_NS}" wg showconf "${WG_LEFT_INTERFACE}"
echo
echo "${RIGHT_NS} namespace:"
ip netns exec "${RIGHT_NS}" wg showconf "${WG_RIGHT_INTERFACE}"
}
test_stats() {
local -i ret
local output=""
# to be run after the ping tests
# by now, we MUST have "transfer" and "last handshake"
for ns in "${LEFT_NS}" "${RIGHT_NS}"; do
echo "Namespace ${ns}"
output=$(ip netns exec "${ns}" wg show)
echo "${output}" | grep -E "latest handshake:" || {
ret=$?
echo "Missing \"latest handshake\" from stats in namespace ${ns}"
echo "Got this output:"
echo "${output}"
return $ret
}
echo "${output}" | grep -E "transfer:.*received.*sent" || {
ret=$?
echo "Missing \"transfer\" stats in namespace ${ns}"
echo "Got this output:"
echo "${output}"
return $ret
}
done
}
test_gw_ping() {
echo "Pinging right gateway, from ${LEFT_NS} namespace"
ip netns exec "${LEFT_NS}" ping -W 2 -c 1 "${RIGHT_GW%%/*}" || return $?
echo
echo "Pinging left gateway, from ${RIGHT_NS} namespace"
ip netns exec "${RIGHT_NS}" ping -W 2 -c 1 "${LEFT_GW%%/*}" || return $?
}
test_wireguard_ping() {
echo "Pinging right wireguard IP from ${LEFT_NS} namespace"
ip netns exec "${LEFT_NS}" ping -W 2 -c 1 "${RIGHT_INT%%/*}" || return $?
echo
echo "Pinging left wireguard IP from ${RIGHT_NS} namesapce"
ip netns exec "${RIGHT_NS}" ping -W 2 -c 1 "${LEFT_INT%%/*}" || return $?
}
echo "Setting things up"
setup || {
echo "Failed vpn test setup"
exit 1
}
echo
echo "This is the config"
show_config
echo
echo "Testing gateway ping"
test_gw_ping || {
echo "Failed gateway ping"
exit 1
}
echo
echo "Testing wireguard interface ping"
test_wireguard_ping || {
echo "Failed wireguard interface ping"
exit 1
}
echo
echo "Testing vpn stats"
test_stats || {
echo "Failed to verify vpn stats"
exit 1
}
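Review bot: `cleanup` can abort before it removes the generated configs, because the EXIT trap runs with `set -e` and `pipefail` still active. On a failed run where `dmesg -T | grep wireguard` matches nothing, the non-zero pipeline status ends the handler, and `${WG_LEFT_INTERFACE_CONF}` and `${WG_RIGHT_INTERFACE_CONF}`, which hold the private keys written in `setup`, stay on disk. The two `ip netns delete` calls have the same weakness, since a failure of the first skips the second. I would open the handler with `local rc=$?; set +e`, test `rc` instead of `$?`, and run `rm -f -- "${WG_LEFT_INTERFACE_CONF}" "${WG_RIGHT_INTERFACE_CONF}"` before the diagnostics.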

52
debian/upstream/signing-key.asc vendored Normal file

@ -0,0 +1,52 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=cPUl
-----END PGP PUBLIC KEY BLOCK-----

4
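--- a/debian/watch
+++ b/debian/watch
@@ -0,0 +1,4 @@
+version=4
+opts=mode=git,pgpmode=gittag \
+https://github.com/amnezia-vpn/amnezia-wg-tools.git \
+refs/tags/v?([\d\.]+)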
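Review bot: `pgpmode=gittag` makes uscan verify tag signatures against debian/upstream/signing-key.asc, and the key block is not readable on this page, so it is unclear whose key that is. If it is the key inherited from the wireguard-tools packaging, verification of tags from `amnezia-vpn/amnezia-wg-tools` would fail, and the likely response is to switch it off. Please confirm that the keyring holds the key that actually signs this repository's `v*` tags, and record its fingerprint in the commit message so the trust anchor can be audited.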


@ -92,18 +92,19 @@ clean:
$(RM) wg *.o *.d $(wildcard wincompat/*.o wincompat/*.lib wincompat/*.dll)
install: wg
@install -v -d "$(DESTDIR)$(BINDIR)" && install -v -m 0755 wg "$(DESTDIR)$(BINDIR)/wg"
@install -v -d "$(DESTDIR)$(MANDIR)/man8" && install -v -m 0644 man/wg.8 "$(DESTDIR)$(MANDIR)/man8/wg.8"
@install -v -d "$(DESTDIR)$(BINDIR)" && install -v -m 0755 wg "$(DESTDIR)$(BINDIR)/awg"
@install -v -d "$(DESTDIR)$(MANDIR)/man8" && install -v -m 0644 man/wg.8 "$(DESTDIR)$(MANDIR)/man8/awg.8"
@[ "$(WITH_BASHCOMPLETION)" = "yes" ] || exit 0; \
install -v -d "$(DESTDIR)$(BASHCOMPDIR)" && install -v -m 0644 completion/wg.bash-completion "$(DESTDIR)$(BASHCOMPDIR)/wg"
install -v -d "$(DESTDIR)$(BASHCOMPDIR)" && install -v -m 0644 completion/wg.bash-completion "$(DESTDIR)$(BASHCOMPDIR)/awg"
@[ "$(WITH_WGQUICK)" = "yes" ] || exit 0; \
install -v -m 0755 wg-quick/$(PLATFORM).bash "$(DESTDIR)$(BINDIR)/wg-quick" && install -v -m 0700 -d "$(DESTDIR)$(SYSCONFDIR)/wireguard"
install -v -m 0755 wg-quick/$(PLATFORM).bash "$(DESTDIR)$(BINDIR)/awg-quick" && install -v -m 0700 -d "$(DESTDIR)$(SYSCONFDIR)/amnezia/amneziawg"
@[ "$(WITH_WGQUICK)" = "yes" ] || exit 0; \
install -v -m 0644 man/wg-quick.8 "$(DESTDIR)$(MANDIR)/man8/wg-quick.8"
install -v -m 0644 man/wg-quick.8 "$(DESTDIR)$(MANDIR)/man8/awg-quick.8"
@[ "$(WITH_WGQUICK)" = "yes" -a "$(WITH_BASHCOMPLETION)" = "yes" ] || exit 0; \
install -v -m 0644 completion/wg-quick.bash-completion "$(DESTDIR)$(BASHCOMPDIR)/wg-quick"
install -v -m 0644 completion/wg-quick.bash-completion "$(DESTDIR)$(BASHCOMPDIR)/awg-quick"
@[ "$(WITH_WGQUICK)" = "yes" -a "$(WITH_SYSTEMDUNITS)" = "yes" ] || exit 0; \
install -v -d "$(DESTDIR)$(SYSTEMDUNITDIR)" && install -v -m 0644 systemd/* "$(DESTDIR)$(SYSTEMDUNITDIR)/"
install -v -d "$(DESTDIR)$(SYSTEMDUNITDIR)" && install -v -m 0644 systemd/wg-quick.target "$(DESTDIR)$(SYSTEMDUNITDIR)/awg-quick.target" && \
install -v -m 0644 systemd/wg-quick@.service "$(DESTDIR)$(SYSTEMDUNITDIR)/awg-quick@.service"
check: clean
scan-build --html-title=wireguard-tools -maxloop 100 --view --keep-going $(MAKE) wg


@ -1,7 +1,7 @@
# SPDX-License-Identifier: GPL-2.0
# Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
_wg_quick_completion() {
_awg_quick_completion() {
local p i a search_paths old_glob
search_paths=( /etc/wireguard )
@ -27,7 +27,7 @@ _wg_quick_completion() {
COMPREPLY+=( "${a[@]}" )
elif [[ ${COMP_WORDS[1]} == down ]]; then
if [[ $OSTYPE == *openbsd* || $OSTYPE == *darwin* ]]; then
for i in /var/run/wireguard/*.name; do
for i in /var/run/amneziawg/*.name; do
i="${i##*/}"; i="${i%.name}"
mapfile -t a < <(compgen -W "$i" -- "${COMP_WORDS[2]}")
COMPREPLY+=( "${a[@]}" )
@ -40,4 +40,4 @@ _wg_quick_completion() {
eval "$old_glob"
}
complete -o filenames -o nosort -F _wg_quick_completion wg-quick
complete -o filenames -o nosort -F _awg_quick_completion awg-quick
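Review bot: `search_paths=( /etc/wireguard )` is left unchanged at the top of `_awg_quick_completion`, while the `down` branch now globs `/var/run/amneziawg/*.name` and the Makefile in this compare creates `$(SYSCONFDIR)/amnezia/amneziawg` as the config directory. `awg-quick up <TAB>` would therefore offer interface names from the WireGuard directory rather than the one awg-quick is installed with. I would change the line to `search_paths=( /etc/amnezia/amneziawg )`. The lines between the hunks, which may extend `search_paths` per platform, are not visible here and need the same check.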


@ -1,7 +1,7 @@
# SPDX-License-Identifier: GPL-2.0
# Copyright (C) 2015-2020 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
_wg_completion() {
_awg_completion() {
local a
if [[ $COMP_CWORD -eq 1 ]]; then
@ -96,4 +96,4 @@ _wg_completion() {
COMPREPLY+=( $(compgen -W "${words[*]}" -- "${COMP_WORDS[COMP_CWORD]}") )
}
complete -o nosort -F _wg_completion wg
complete -o nosort -F _awg_completion awg


@ -447,6 +447,41 @@ static inline bool parse_uint32(uint32_t *device_value, const char *name, const
return true;
}
static inline bool parse_bool(bool *device_value, const char *name, const char *value) {
if (!strlen(value)) {
fprintf(stderr, "Unable to parse empty string\n");
return false;
}
if (!strcasecmp(value, "off")) {
*device_value = false;
return true;
}
if (!strcasecmp(value, "on")) {
*device_value = true;
return true;
}
if (!char_is_digit(value[0]))
goto err;
char *end;
uint32_t ret;
ret = strtoul(value, &end, 10);
if (*end) {
fprintf(stderr, "Unable to parse %s: `%s'\n", name, value);
exit(1);
}
*device_value = ret != 0;
return true;
err:
fprintf(stderr, "Boolean value is neither on/off nor 0/1: `%s'\n", value);
return false;
}
static bool process_line(struct config_ctx *ctx, const char *line)
{
const char *value;
@ -540,6 +575,10 @@ static bool process_line(struct config_ctx *ctx, const char *line)
ret = parse_key(ctx->last_peer->preshared_key, value);
if (ret)
ctx->last_peer->flags |= WGPEER_HAS_PRESHARED_KEY;
} else if (key_match("AdvancedSecurity")) {
ret = parse_bool(&ctx->last_peer->advanced_security, "AdvancedSecurity", value);
if (ret)
ctx->last_peer->flags |= WGPEER_HAS_ADVANCED_SECURITY;
} else
goto error;
} else
@ -774,6 +813,12 @@ struct wgdevice *config_read_cmd(const char *argv[], int argc)
peer->flags |= WGPEER_HAS_PRESHARED_KEY;
argv += 2;
argc -= 2;
} else if (!strcmp(argv[0], "advanced-security") && argc >= 2 && peer) {
if (!parse_bool(&peer->advanced_security, "AdvancedSecurity", argv[1]))
goto error;
peer->flags |= WGPEER_HAS_ADVANCED_SECURITY;
argv += 2;
argc -= 2;
} else {
fprintf(stderr, "Invalid argument: %s\n", argv[0]);
goto error;
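Review bot: `parse_bool` stores the result of `strtoul()` in a `uint32_t` and accepts any all-digit string, although its error text promises on/off or 0/1. `AdvancedSecurity = 2` is therefore read as on, and where `unsigned long` is 64 bits `4294967296` is truncated to 0 and read as off. The trailing-garbage branch also calls `exit(1)`, while every other failure in the function returns false. I would declare `unsigned long ret;` and replace the `if (*end) { … exit(1); }` block with `if (*end || ret > 1) goto err;`. The `process_line` and `config_read_cmd` hunks only call this helper, and their bodies continue outside the hunks.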


@ -7,6 +7,7 @@
#define CONTAINERS_H
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <time.h>
#include <sys/socket.h>
@ -43,7 +44,8 @@ enum {
WGPEER_REPLACE_ALLOWEDIPS = 1U << 1,
WGPEER_HAS_PUBLIC_KEY = 1U << 2,
WGPEER_HAS_PRESHARED_KEY = 1U << 3,
WGPEER_HAS_PERSISTENT_KEEPALIVE_INTERVAL = 1U << 4
WGPEER_HAS_PERSISTENT_KEEPALIVE_INTERVAL = 1U << 4,
WGPEER_HAS_ADVANCED_SECURITY = 1U << 5
};
struct wgpeer {
@ -62,6 +64,8 @@ struct wgpeer {
uint64_t rx_bytes, tx_bytes;
uint16_t persistent_keepalive_interval;
bool advanced_security;
struct wgallowedip *first_allowedip, *last_allowedip;
struct wgpeer *next_peer;
};
@ -96,7 +100,7 @@ struct wgdevice {
uint16_t listen_port;
struct wgpeer *first_peer, *last_peer;
uint16_t junk_packet_count;
uint16_t junk_packet_min_size;
uint16_t junk_packet_max_size;


@ -91,64 +91,64 @@ static int kernel_get_device(struct wgdevice **device, const char *ifname)
dev->flags |= WGDEVICE_HAS_LISTEN_PORT;
}
}
if (nvlist_exists_number(nvl_device, "junk_packet_count")) {
number = nvlist_get_number(nvl_device, "junk_packet_count");
if (nvlist_exists_number(nvl_device, "jc")) {
number = nvlist_get_number(nvl_device, "jc");
if (number <= UINT16_MAX){
dev->junk_packet_count = number;
dev->flags |= WGDEVICE_HAS_JC;
}
}
if (nvlist_exists_number(nvl_device, "junk_packet_min_size")) {
number = nvlist_get_number(nvl_device, "junk_packet_min_size");
if (nvlist_exists_number(nvl_device, "jmin")) {
number = nvlist_get_number(nvl_device, "jmin");
if (number <= UINT16_MAX){
dev->junk_packet_min_size = number;
dev->flags |= WGDEVICE_HAS_JMIN;
}
}
if (nvlist_exists_number(nvl_device, "junk_packet_max_size")) {
number = nvlist_get_number(nvl_device, "junk_packet_max_size");
if (nvlist_exists_number(nvl_device, "jmax")) {
number = nvlist_get_number(nvl_device, "jmax");
if (number <= UINT16_MAX){
dev->junk_packet_max_size = number;
dev->flags |= WGDEVICE_HAS_JMAX;
}
}
if (nvlist_exists_number(nvl_device, "init_packet_junk_size")) {
number = nvlist_get_number(nvl_device, "init_packet_junk_size");
if (nvlist_exists_number(nvl_device, "s1")) {
number = nvlist_get_number(nvl_device, "s1");
if (number <= UINT16_MAX){
dev->init_packet_junk_size = number;
dev->flags |= WGDEVICE_HAS_S1;
}
}
if (nvlist_exists_number(nvl_device, "response_packet_junk_size")) {
number = nvlist_get_number(nvl_device, "response_packet_junk_size");
if (nvlist_exists_number(nvl_device, "s2")) {
number = nvlist_get_number(nvl_device, "s2");
if (number <= UINT16_MAX){
dev->response_packet_junk_size = number;
dev->flags |= WGDEVICE_HAS_S2;
}
}
if (nvlist_exists_number(nvl_device, "init_packet_magic_header")) {
number = nvlist_get_number(nvl_device, "init_packet_magic_header");
if (nvlist_exists_number(nvl_device, "h1")) {
number = nvlist_get_number(nvl_device, "h1");
if (number <= UINT32_MAX){
dev->init_packet_magic_header = number;
dev->flags |= WGDEVICE_HAS_H1;
}
}
if (nvlist_exists_number(nvl_device, "response_packet_magic_header")) {
number = nvlist_get_number(nvl_device, "response_packet_magic_header");
if (nvlist_exists_number(nvl_device, "h2")) {
number = nvlist_get_number(nvl_device, "h2");
if (number <= UINT32_MAX){
dev->response_packet_magic_header = number;
dev->flags |= WGDEVICE_HAS_H2;
}
}
if (nvlist_exists_number(nvl_device, "underload_packet_magic_header")) {
number = nvlist_get_number(nvl_device, "underload_packet_magic_header");
if (nvlist_exists_number(nvl_device, "h3")) {
number = nvlist_get_number(nvl_device, "h3");
if (number <= UINT32_MAX){
dev->underload_packet_magic_header = number;
dev->flags |= WGDEVICE_HAS_H3;
}
}
if (nvlist_exists_number(nvl_device, "transport_packet_magic_header")) {
number = nvlist_get_number(nvl_device, "transport_packet_magic_header");
if (nvlist_exists_number(nvl_device, "h4")) {
number = nvlist_get_number(nvl_device, "h4");
if (number <= UINT32_MAX){
dev->transport_packet_magic_header = number;
dev->flags |= WGDEVICE_HAS_H4;
@ -337,23 +337,23 @@ static int kernel_set_device(struct wgdevice *dev)
if (dev->flags & WGDEVICE_HAS_LISTEN_PORT)
nvlist_add_number(nvl_device, "listen-port", dev->listen_port);
if (dev->flags & WGDEVICE_HAS_JC)
nvlist_add_number(nvl_device, "junk_packet_count", dev->junk_packet_count);
nvlist_add_number(nvl_device, "jc", dev->junk_packet_count);
if (dev->flags & WGDEVICE_HAS_JMIN)
nvlist_add_number(nvl_device, "junk_packet_min_size", dev->junk_packet_min_size);
nvlist_add_number(nvl_device, "jmin", dev->junk_packet_min_size);
if (dev->flags & WGDEVICE_HAS_JMAX)
nvlist_add_number(nvl_device, "junk_packet_max_size", dev->junk_packet_max_size);
nvlist_add_number(nvl_device, "jmax", dev->junk_packet_max_size);
if (dev->flags & WGDEVICE_HAS_S1)
nvlist_add_number(nvl_device, "init_packet_junk_size", dev->init_packet_junk_size);
nvlist_add_number(nvl_device, "s1", dev->init_packet_junk_size);
if (dev->flags & WGDEVICE_HAS_S2)
nvlist_add_number(nvl_device, "response_packet_junk_size", dev->response_packet_junk_size);
nvlist_add_number(nvl_device, "s2", dev->response_packet_junk_size);
if (dev->flags & WGDEVICE_HAS_H1)
nvlist_add_number(nvl_device, "init_packet_magic_header", dev->init_packet_magic_header);
nvlist_add_number(nvl_device, "h1", dev->init_packet_magic_header);
if (dev->flags & WGDEVICE_HAS_H2)
nvlist_add_number(nvl_device, "response_packet_magic_header", dev->response_packet_magic_header);
nvlist_add_number(nvl_device, "h2", dev->response_packet_magic_header);
if (dev->flags & WGDEVICE_HAS_H3)
nvlist_add_number(nvl_device, "underload_packet_magic_header", dev->underload_packet_magic_header);
nvlist_add_number(nvl_device, "h3", dev->underload_packet_magic_header);
if (dev->flags & WGDEVICE_HAS_H4)
nvlist_add_number(nvl_device, "transport_packet_magic_header", dev->transport_packet_magic_header);
nvlist_add_number(nvl_device, "h4", dev->transport_packet_magic_header);
if (dev->flags & WGDEVICE_HAS_FWMARK)
nvlist_add_number(nvl_device, "user-cookie", dev->fwmark);
if (dev->flags & WGDEVICE_REPLACE_PEERS)


@ -221,6 +221,11 @@ again:
goto toobig_peers;
}
}
if (peer->flags & WGPEER_HAS_ADVANCED_SECURITY) {
if (peer->advanced_security)
mnl_attr_put_check(nlh, SOCKET_BUFFER_SIZE, WGPEER_A_ADVANCED_SECURITY, 0, NULL);
flags |= WGPEER_F_HAS_ADVANCED_SECURITY;
}
if (flags) {
if (!mnl_attr_put_u32_check(nlh, SOCKET_BUFFER_SIZE, WGPEER_A_FLAGS, flags))
goto toobig_peers;
@ -389,6 +394,25 @@ static int parse_peer(const struct nlattr *attr, void *data)
if (!mnl_attr_validate(attr, MNL_TYPE_U64))
peer->tx_bytes = mnl_attr_get_u64(attr);
break;
case WGPEER_A_FLAGS:
if (!mnl_attr_validate(attr, MNL_TYPE_U32)) {
uint32_t flags = mnl_attr_get_u32(attr);
if (flags & WGPEER_F_HAS_ADVANCED_SECURITY && !(peer->flags & WGPEER_HAS_ADVANCED_SECURITY)) {
peer->flags |= WGPEER_HAS_ADVANCED_SECURITY;
peer->advanced_security = false;
}
}
break;
case WGPEER_A_ADVANCED_SECURITY:
if (!mnl_attr_validate(attr, MNL_TYPE_FLAG)) {
peer->advanced_security = true;
if (!(peer->flags & WGPEER_HAS_ADVANCED_SECURITY)) {
peer->flags |= WGPEER_HAS_ADVANCED_SECURITY;
}
}
break;
case WGPEER_A_ALLOWEDIPS:
return mnl_attr_parse_nested(attr, parse_allowedips, peer);
}
@ -459,41 +483,59 @@ static int parse_device(const struct nlattr *attr, void *data)
break;
case WGDEVICE_A_PEERS:
return mnl_attr_parse_nested(attr, parse_peers, device);
case WGDEVICE_HAS_JC:
if (!mnl_attr_validate(attr, MNL_TYPE_U16))
case WGDEVICE_A_JC:
if (!mnl_attr_validate(attr, MNL_TYPE_U16)) {
device->junk_packet_count = mnl_attr_get_u16(attr);
device->flags |= WGDEVICE_HAS_JC;
}
break;
case WGDEVICE_HAS_JMIN:
if (!mnl_attr_validate(attr, MNL_TYPE_U16))
case WGDEVICE_A_JMIN:
if (!mnl_attr_validate(attr, MNL_TYPE_U16)) {
device->junk_packet_min_size = mnl_attr_get_u16(attr);
device->flags |= WGDEVICE_HAS_JMIN;
}
break;
case WGDEVICE_HAS_JMAX:
if (!mnl_attr_validate(attr, MNL_TYPE_U16))
case WGDEVICE_A_JMAX:
if (!mnl_attr_validate(attr, MNL_TYPE_U16)) {
device->junk_packet_max_size = mnl_attr_get_u16(attr);
device->flags |= WGDEVICE_HAS_JMAX;
}
break;
case WGDEVICE_HAS_S1:
if (!mnl_attr_validate(attr, MNL_TYPE_U16))
case WGDEVICE_A_S1:
if (!mnl_attr_validate(attr, MNL_TYPE_U16)) {
device->init_packet_junk_size = mnl_attr_get_u16(attr);
device->flags |= WGDEVICE_HAS_S1;
}
break;
case WGDEVICE_HAS_S2:
if (!mnl_attr_validate(attr, MNL_TYPE_U16))
case WGDEVICE_A_S2:
if (!mnl_attr_validate(attr, MNL_TYPE_U16)) {
device->response_packet_junk_size = mnl_attr_get_u16(attr);
device->flags |= WGDEVICE_HAS_S2;
}
break;
case WGDEVICE_HAS_H1:
if (!mnl_attr_validate(attr, MNL_TYPE_U32))
case WGDEVICE_A_H1:
if (!mnl_attr_validate(attr, MNL_TYPE_U32)) {
device->init_packet_magic_header = mnl_attr_get_u32(attr);
device->flags |= WGDEVICE_HAS_H1;
}
break;
case WGDEVICE_HAS_H2:
if (!mnl_attr_validate(attr, MNL_TYPE_U32))
case WGDEVICE_A_H2:
if (!mnl_attr_validate(attr, MNL_TYPE_U32)) {
device->response_packet_magic_header = mnl_attr_get_u32(attr);
device->flags |= WGDEVICE_HAS_H2;
}
break;
case WGDEVICE_HAS_H3:
if (!mnl_attr_validate(attr, MNL_TYPE_U32))
case WGDEVICE_A_H3:
if (!mnl_attr_validate(attr, MNL_TYPE_U32)) {
device->underload_packet_magic_header = mnl_attr_get_u32(attr);
device->flags |= WGDEVICE_HAS_H3;
}
break;
case WGDEVICE_HAS_H4:
if (!mnl_attr_validate(attr, MNL_TYPE_U32))
case WGDEVICE_A_H4:
if (!mnl_attr_validate(attr, MNL_TYPE_U32)) {
device->transport_packet_magic_header = mnl_attr_get_u32(attr);
device->flags |= WGDEVICE_HAS_H4;
}
break;
}
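Review bot: The return value of `mnl_attr_put_check(nlh, SOCKET_BUFFER_SIZE, WGPEER_A_ADVANCED_SECURITY, 0, NULL)` in the first hunk is ignored, unlike the `mnl_attr_put_u32_check` call just below it, which jumps to `toobig_peers` when the buffer is full. If the flag attribute does not fit, `WGPEER_F_HAS_ADVANCED_SECURITY` is still set in `flags`. `parse_peer` in this same file reads the flag without the attribute as advanced security off, and the receiving side presumably does the same, so the setting can be lost without any error. I would write `if (peer->advanced_security && !mnl_attr_put_check(nlh, SOCKET_BUFFER_SIZE, WGPEER_A_ADVANCED_SECURITY, 0, NULL)) goto toobig_peers;` and set the flag afterwards. The enclosing function starts and ends outside the hunk.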


@ -14,7 +14,7 @@
#include <sys/stat.h>
#include <sys/un.h>
#define SOCK_PATH RUNSTATEDIR "/wireguard/"
#define SOCK_PATH RUNSTATEDIR "/amneziawg/"
#define SOCK_SUFFIX ".sock"
static FILE *userspace_interface_file(const char *iface)


@ -26,7 +26,7 @@ static FILE *userspace_interface_file(const char *iface)
if (!CreateWellKnownSid(WinLocalSystemSid, NULL, &expected_sid, &bytes))
goto err;
snprintf(fname, sizeof(fname), "\\\\.\\pipe\\ProtectedPrefix\\Administrators\\WireGuard\\%s", iface);
snprintf(fname, sizeof(fname), "\\\\.\\pipe\\ProtectedPrefix\\Administrators\\AmneziaWG\\%s", iface);
pipe_handle = CreateFileA(fname, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (pipe_handle == INVALID_HANDLE_VALUE)
goto err;
@ -62,7 +62,7 @@ static bool userspace_has_wireguard_interface(const char *iface)
if (have_cached_interfaces)
return hashtable_find_entry(&cached_interfaces, iface) != NULL;
snprintf(fname, sizeof(fname), "ProtectedPrefix\\Administrators\\WireGuard\\%s", iface);
snprintf(fname, sizeof(fname), "ProtectedPrefix\\Administrators\\AmneziaWG\\%s", iface);
find_handle = FindFirstFile("\\\\.\\pipe\\*", &find_data);
if (find_handle == INVALID_HANDLE_VALUE)
return -EIO;
@ -78,7 +78,7 @@ static bool userspace_has_wireguard_interface(const char *iface)
static int userspace_get_wireguard_interfaces(struct string_list *list)
{
static const char prefix[] = "ProtectedPrefix\\Administrators\\WireGuard\\";
static const char prefix[] = "ProtectedPrefix\\Administrators\\AmneziaWG\\";
WIN32_FIND_DATA find_data;
HANDLE find_handle;
char *iface;


@ -73,6 +73,10 @@ static int userspace_set_device(struct wgdevice *dev)
for_each_wgpeer(dev, peer) {
key_to_hex(hex, peer->public_key);
fprintf(f, "public_key=%s\n", hex);
if (peer->flags & WGPEER_HAS_ADVANCED_SECURITY) {
ret = -EINVAL;
goto out;
}
if (peer->flags & WGPEER_REMOVE_ME) {
fprintf(f, "remove=true\n");
continue;
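Review bot: The new `WGPEER_HAS_ADVANCED_SECURITY` check fires after `public_key=%s` for that peer has been written to `f`, along with whatever was written earlier in the function, so the userspace implementation may receive a truncated set request when the function bails out with `-EINVAL`. What happens to the buffered data at `out:` is outside the hunk. I would do the validation in a separate `for_each_wgpeer` pass before the first `fprintf`, so an unsupported configuration is rejected without sending anything. The check also rejects an explicit `advanced-security off`; if that is intended, a comment such as `/* advanced_security cannot be expressed over the UAPI socket */` would say so.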


@ -18,7 +18,7 @@ int set_main(int argc, const char *argv[])
int ret = 1;
if (argc < 3) {
fprintf(stderr, "Usage: %s %s <interface> [listen-port <port>] [fwmark <mark>] [private-key <file path>] [peer <base64 public key> [remove] [preshared-key <file path>] [endpoint <ip>:<port>] [persistent-keepalive <interval seconds>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>]...] ]...\n", PROG_NAME, argv[0]);
fprintf(stderr, "Usage: %s %s <interface> [listen-port <port>] [fwmark <mark>] [private-key <file path>] [peer <base64 public key> [remove] [preshared-key <file path>] [endpoint <ip>:<port>] [persistent-keepalive <interval seconds>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>] [advanced-security <on|off>]...] ]...\n", PROG_NAME, argv[0]);
return 1;
}
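Review bot: In the new usage string, `[advanced-security <on|off>]` sits inside the `allowed-ips` group, between `[,<ip2>/<cidr2>]` and its `...`, which reads as if the option were repeated per allowed IP. `config_read_cmd` parses it as a per-peer option, like `persistent-keepalive`. I would restore `[allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>]...]` and place `[advanced-security <on|off>]` after it, before the closing `]...`.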


@ -73,6 +73,9 @@ int showconf_main(int argc, const char *argv[])
key_to_base64(base64, peer->preshared_key);
printf("PresharedKey = %s\n", base64);
}
if (peer->flags & WGPEER_HAS_ADVANCED_SECURITY) {
printf("AdvancedSecurity = %s\n", peer->advanced_security ? "on" : "off");
}
if (peer->first_allowedip)
printf("AllowedIPs = ");
for_each_wgallowedip(peer, allowedip) {


@ -2,9 +2,9 @@
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target
Wants=network-online.target nss-lookup.target
PartOf=wg-quick.target
Documentation=man:wg-quick(8)
Documentation=man:wg(8)
PartOf=awg-quick.target
Documentation=man:awg-quick(8)
Documentation=man:awg(8)
Documentation=https://www.wireguard.com/
Documentation=https://www.wireguard.com/quickstart/
Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
@ -13,9 +13,9 @@ Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/wg-quick up %i
ExecStop=/usr/bin/wg-quick down %i
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
ExecStart=/usr/bin/awg-quick up %i
ExecStop=/usr/bin/awg-quick down %i
ExecReload=/bin/bash -c 'exec /usr/bin/awg syncconf %i <(exec /usr/bin/awg-quick strip %i)'
Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
[Install]


@ -111,6 +111,9 @@
* most recent protocol will be used when
* this is unset. Otherwise, must be set
* to 1.
* WGPEER_A_ADVANCED_SECURITY: flag indicating that advanced security
* techniques provided by AmneziaWG should
* be used.
* 0: NLA_NESTED
* ...
* ...
@ -126,19 +129,41 @@
* of a peer, it likely should not be specified in subsequent fragments.
*
* If an error occurs, NLMSG_ERROR will reply containing an errno.
*
* WG_CMD_UNKNOWN_PEER
* ----------------------
*
* This command is sent on the multicast group WG_MULTICAST_GROUP_AUTH
* when the initiation message received from a peer with an unknown public
* key.
* The kernel will send a single message containing the
* following tree of nested items:
*
* WGDEVICE_A_IFINDEX: NLA_U32
* WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1
* WGDEVICE_A_PEER: NLA_NESTED
* WGPEER_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN
* WGPEER_A_ENDPOINT: NLA_MIN_LEN(struct sockaddr), struct sockaddr_in or struct sockaddr_in6
* WGPEER_A_ADVANCED_SECURITY: flag indicating that advanced security
* techniques provided by AmneziaWG should
* be used.
*
*/
#ifndef _WG_UAPI_WIREGUARD_H
#define _WG_UAPI_WIREGUARD_H
#define WG_GENL_NAME "wireguard"
#define WG_GENL_NAME "amneziawg"
#define WG_GENL_VERSION 1
#define WG_KEY_LEN 32
#define WG_MULTICAST_GROUP_AUTH "auth"
enum wg_cmd {
WG_CMD_GET_DEVICE,
WG_CMD_SET_DEVICE,
WG_CMD_UNKNOWN_PEER,
__WG_CMD_MAX
};
#define WG_CMD_MAX (__WG_CMD_MAX - 1)
@ -166,6 +191,7 @@ enum wgdevice_attribute {
WGDEVICE_A_H2,
WGDEVICE_A_H3,
WGDEVICE_A_H4,
WGDEVICE_A_PEER,
__WGDEVICE_A_LAST
};
#define WGDEVICE_A_MAX (__WGDEVICE_A_LAST - 1)
@ -174,6 +200,7 @@ enum wgpeer_flag {
WGPEER_F_REMOVE_ME = 1U << 0,
WGPEER_F_REPLACE_ALLOWEDIPS = 1U << 1,
WGPEER_F_UPDATE_ONLY = 1U << 2,
WGPEER_F_HAS_ADVANCED_SECURITY = 1U << 3,
__WGPEER_F_ALL = WGPEER_F_REMOVE_ME | WGPEER_F_REPLACE_ALLOWEDIPS |
WGPEER_F_UPDATE_ONLY
};
@ -189,6 +216,7 @@ enum wgpeer_attribute {
WGPEER_A_TX_BYTES,
WGPEER_A_ALLOWEDIPS,
WGPEER_A_PROTOCOL_VERSION,
WGPEER_A_ADVANCED_SECURITY,
__WGPEER_A_LAST
};
#define WGPEER_A_MAX (__WGPEER_A_LAST - 1)
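Review bot: `WGPEER_F_HAS_ADVANCED_SECURITY` is added to `enum wgpeer_flag`, but `__WGPEER_F_ALL` still lists only the three older flags. Code that validates incoming flags against `__WGPEER_F_ALL` would treat the new bit as unknown. Whether the kernel module does so is not visible here, so the two copies of this header should be checked together. I would extend the mask to end in `WGPEER_F_UPDATE_ONLY | WGPEER_F_HAS_ADVANCED_SECURITY`. The `WG_CMD_UNKNOWN_PEER` comment could also state what privilege is required to join `WG_MULTICAST_GROUP_AUTH`, since the message carries peer public keys and endpoints.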


@ -27,11 +27,11 @@
#include <sys/param.h>
#include <sys/system_properties.h>
#ifndef WG_PACKAGE_NAME
#define WG_PACKAGE_NAME "com.wireguard.android"
#ifndef AWG_PACKAGE_NAME
#define AWG_PACKAGE_NAME "org.amnezia.awg"
#endif
#ifndef WG_CONFIG_SEARCH_PATHS
#define WG_CONFIG_SEARCH_PATHS "/data/misc/wireguard /data/data/" WG_PACKAGE_NAME "/files"
#ifndef AWG_CONFIG_SEARCH_PATHS
#define AWG_CONFIG_SEARCH_PATHS "/data/misc/amneziawg /data/data/" AWG_PACKAGE_NAME "/files"
#endif
#define _printf_(x, y) __attribute__((format(printf, x, y)))
@ -41,6 +41,7 @@
static bool is_exiting = false;
static bool binder_available = false;
static unsigned int sdk_version;
static bool is_asecurity_on = false;
static void *xmalloc(size_t size)
{
@ -632,7 +633,10 @@ static void auto_su(int argc, char *argv[])
static void add_if(const char *iface)
{
cmd("ip link add %s type wireguard", iface);
if (is_asecurity_on)
cmd("amneziawg-go %s", iface);
else
cmd("ip link add %s type amneziawg", iface);
}
static void del_if(const char *iface)
@ -644,7 +648,7 @@ static void del_if(const char *iface)
regmatch_t matches[2];
char *netid = NULL;
_cleanup_free_ char *rule_regex = concat("0xc([0-9a-f]+)/0xcffff lookup ", iface, NULL);
_cleanup_free_ char *iptables_regex = concat("^-A (.* --comment \"wireguard rule ", iface, "\"[^\n]*)\n*$", NULL);
_cleanup_free_ char *iptables_regex = concat("^-A (.* --comment \"amneziawg rule ", iface, "\"[^\n]*)\n*$", NULL);
xregcomp(&rule_reg, rule_regex, REG_EXTENDED);
xregcomp(&iptables_reg, iptables_regex, REG_EXTENDED);
@ -680,7 +684,7 @@ static bool should_block_ipv6(const char *iface)
DEFINE_CMD(c);
bool has_ipv6 = false, has_all_none = true;
for (char *endpoint = cmd_ret(&c, "wg show %s endpoints", iface); endpoint; endpoint = cmd_ret(&c, NULL)) {
for (char *endpoint = cmd_ret(&c, "awg show %s endpoints", iface); endpoint; endpoint = cmd_ret(&c, NULL)) {
char *start = strchr(endpoint, '\t');
if (!start)
@ -701,7 +705,7 @@ static uint16_t determine_listen_port(const char *iface)
char *value;
cmd("ip link set up dev %s", iface);
value = cmd_ret(&c, "wg show %s listen-port", iface);
value = cmd_ret(&c, "awg show %s listen-port", iface);
if (!value)
goto set_back_down;
listen_port = strtoul(value, NULL, 10);
@ -721,12 +725,12 @@ static void up_if(unsigned int *netid, const char *iface, uint16_t listen_port)
while (*netid < 4096)
*netid = random() & 0xfffe;
cmd("wg set %s fwmark 0x20000", iface);
cmd("iptables -I OUTPUT 1 -m mark --mark 0x20000 -j ACCEPT -m comment --comment \"wireguard rule %s\"", iface);
cmd("ip6tables -I OUTPUT 1 -m mark --mark 0x20000 -j ACCEPT -m comment --comment \"wireguard rule %s\"", iface);
cmd("awg set %s fwmark 0x20000", iface);
cmd("iptables -I OUTPUT 1 -m mark --mark 0x20000 -j ACCEPT -m comment --comment \"amneziawg rule %s\"", iface);
cmd("ip6tables -I OUTPUT 1 -m mark --mark 0x20000 -j ACCEPT -m comment --comment \"amneziawg rule %s\"", iface);
if (listen_port) {
cmd("iptables -I INPUT 1 -p udp --dport %u -j ACCEPT -m comment --comment \"wireguard rule %s\"", listen_port, iface);
cmd("ip6tables -I INPUT 1 -p udp --dport %u -j %s -m comment --comment \"wireguard rule %s\"", listen_port, should_block_ipv6(iface) ? "DROP" : "ACCEPT", iface);
cmd("iptables -I INPUT 1 -p udp --dport %u -j ACCEPT -m comment --comment \"amneziawg rule %s\"", listen_port, iface);
cmd("ip6tables -I INPUT 1 -p udp --dport %u -j %s -m comment --comment \"amneziawg rule %s\"", listen_port, should_block_ipv6(iface) ? "DROP" : "ACCEPT", iface);
}
cmd("ip link set up dev %s", iface);
cndc(sdk_version < 31 ? "network create %u vpn 1 1" : "network create %u vpn 1", *netid);
@ -1007,7 +1011,7 @@ static void set_mtu(const char *iface, unsigned int mtu)
if (endpoint_mtu == -1)
endpoint_mtu = 1500;
for (char *endpoint = cmd_ret(&c_endpoints, "wg show %s endpoints", iface); endpoint; endpoint = cmd_ret(&c_endpoints, NULL)) {
for (char *endpoint = cmd_ret(&c_endpoints, "awg show %s endpoints", iface); endpoint; endpoint = cmd_ret(&c_endpoints, NULL)) {
if (regexec(&regex_endpoint, endpoint, ARRAY_SIZE(matches), matches, 0))
continue;
endpoint[matches[1].rm_eo] = '\0';
@ -1030,7 +1034,7 @@ static void set_routes(const char *iface, unsigned int netid)
{
DEFINE_CMD(c);
for (char *allowedips = cmd_ret(&c, "wg show %s allowed-ips", iface); allowedips; allowedips = cmd_ret(&c, NULL)) {
for (char *allowedips = cmd_ret(&c, "awg show %s allowed-ips", iface); allowedips; allowedips = cmd_ret(&c, NULL)) {
char *start = strchr(allowedips, '\t');
if (!start)
@ -1047,7 +1051,7 @@ static void set_routes(const char *iface, unsigned int netid)
static void set_config(const char *iface, const char *config)
{
FILE *config_writer;
_cleanup_free_ char *cmd = concat("wg setconf ", iface, " /proc/self/fd/0", NULL);
_cleanup_free_ char *cmd = concat("awg setconf ", iface, " /proc/self/fd/0", NULL);
int ret;
printf("[#] %s\n", cmd);
@ -1070,13 +1074,13 @@ static void broadcast_change(void)
{
const char *pkg = getenv("CALLING_PACKAGE");
if (!pkg || strcmp(pkg, WG_PACKAGE_NAME))
cmd("am broadcast -a com.wireguard.android.action.REFRESH_TUNNEL_STATES " WG_PACKAGE_NAME);
if (!pkg || strcmp(pkg, AWG_PACKAGE_NAME))
cmd("am broadcast -a org.amnezia.awg.action.REFRESH_TUNNEL_STATES " AWG_PACKAGE_NAME);
}
static void print_search_paths(FILE *file, const char *prefix)
{
_cleanup_free_ char *paths = strdup(WG_CONFIG_SEARCH_PATHS);
_cleanup_free_ char *paths = strdup(AWG_CONFIG_SEARCH_PATHS);
for (char *path = strtok(paths, " "); path; path = strtok(NULL, " "))
fprintf(file, "%s%s\n", prefix, path);
@ -1090,7 +1094,7 @@ static void cmd_usage(const char *program)
" followed by `.conf'. Otherwise, INTERFACE is an interface name, with\n"
" configuration found at:\n\n", program);
print_search_paths(stdout, " - ");
printf( "\n It is to be readable by wg(8)'s `setconf' sub-command, with the exception\n"
printf( "\n It is to be readable by awg(8)'s `setconf' sub-command, with the exception\n"
" of the following additions to the [Interface] section, which are handled by\n"
" this program:\n\n"
" - Address: may be specified one or more times and contains one or more\n"
@ -1099,7 +1103,7 @@ static void cmd_usage(const char *program)
" - DNS: an optional DNS server to use while the device is up.\n"
" - ExcludedApplications: optional blacklist of applications to exclude from the tunnel.\n\n"
" - IncludedApplications: optional whitelist of applications to include in the tunnel.\n\n"
" See wg-quick(8) for more info and examples.\n");
" See awg-quick(8) for more info and examples.\n");
}
static char *cleanup_iface = NULL;
@ -1147,7 +1151,7 @@ static void cmd_down(const char *iface)
DEFINE_CMD(c);
bool found = false;
char *ifaces = cmd_ret(&c, "wg show interfaces");
char *ifaces = cmd_ret(&c, "awg show interfaces");
if (ifaces) {
for (char *eiface = strtok(ifaces, " \n"); eiface; eiface = strtok(NULL, " \n")) {
if (!strcmp(iface, eiface)) {
@ -1157,7 +1161,7 @@ static void cmd_down(const char *iface)
}
}
if (!found) {
fprintf(stderr, "Error: %s is not a WireGuard interface\n", iface);
fprintf(stderr, "Error: %s is not a AmneziaWG interface\n", iface);
exit(EMEDIUMTYPE);
}
@ -1171,7 +1175,7 @@ static void parse_options(char **iface, char **config, unsigned int *mtu, char *
_cleanup_fclose_ FILE *file = NULL;
_cleanup_free_ char *line = NULL;
_cleanup_free_ char *filename = NULL;
_cleanup_free_ char *paths = strdup(WG_CONFIG_SEARCH_PATHS);
_cleanup_free_ char *paths = strdup(AWG_CONFIG_SEARCH_PATHS);
_cleanup_regfree_ regex_t regex_iface = { 0 }, regex_conf = { 0 };
regmatch_t matches[2];
struct stat sbuf;
@ -1256,6 +1260,24 @@ static void parse_options(char **iface, char **config, unsigned int *mtu, char *
} else if (!strncasecmp(clean, "MTU=", 4) && j > 4) {
*mtu = atoi(clean + 4);
continue;
} else if (!strncasecmp(clean, "Jc=", 3) && j > 4) {
is_asecurity_on = true;
} else if (!strncasecmp(clean, "Jmin=", 5) && j > 4) {
is_asecurity_on = true;
} else if (!strncasecmp(clean, "Jmax=", 5) && j > 4) {
is_asecurity_on = true;
} else if (!strncasecmp(clean, "S1=", 3) && j > 4) {
is_asecurity_on = true;
} else if (!strncasecmp(clean, "S2=", 3) && j > 4) {
is_asecurity_on = true;
} else if (!strncasecmp(clean, "H1=", 3) && j > 4) {
is_asecurity_on = true;
} else if (!strncasecmp(clean, "H2=", 3) && j > 4) {
is_asecurity_on = true;
} else if (!strncasecmp(clean, "H3=", 3) && j > 4) {
is_asecurity_on = true;
} else if (!strncasecmp(clean, "H4=", 3) && j > 4) {
is_asecurity_on = true;
}
}
*config = concat_and_free(*config, "", line);
@ -1300,4 +1322,4 @@ int main(int argc, char *argv[])
return 1;
}
return 0;
}
}
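Review bot: The length guard `j > 4` on the new `Jc=` … `H4=` branches of `parse_options` was carried over from the `MTU=` check and does not match the new prefixes. Assuming `j` is the length of `clean` (it is defined outside the hunk), a three-character key with a one-character value such as `Jc=4` fails `j > 4`, while `Jmin=` and `Jmax=` pass with an empty value. Because `is_asecurity_on` selects between `amneziawg-go` and `ip link add %s type amneziawg` in `add_if`, a config can silently take a different path than its keys imply. The guard should follow the prefix length, e.g. `!strncasecmp(clean, "Jc=", 3) && j > 3` and `!strncasecmp(clean, "Jmin=", 5) && j > 5`. The nine identical branches would also be easier to audit as one loop over a small key table; `parse_options` begins and ends outside the hunk.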


@ -41,7 +41,7 @@ die() {
[[ ${BASH_VERSINFO[0]} -ge 4 ]] || die "Version mismatch: bash ${BASH_VERSINFO[0]} detected, when bash 4+ required"
CONFIG_SEARCH_PATHS=( /etc/wireguard /usr/local/etc/wireguard )
CONFIG_SEARCH_PATHS=( /etc/amnezia/amneziawg /usr/local/etc/amnezia/amneziawg )
parse_options() {
local interface_section=0 line key value stripped path v
@ -110,10 +110,10 @@ auto_su() {
get_real_interface() {
local interface diff
wg show interfaces >/dev/null
[[ -f "/var/run/wireguard/$INTERFACE.name" ]] || return 1
interface="$(< "/var/run/wireguard/$INTERFACE.name")"
[[ -n $interface && -S "/var/run/wireguard/$interface.sock" ]] || return 1
diff=$(( $(stat -f %m "/var/run/wireguard/$interface.sock" 2>/dev/null || echo 200) - $(stat -f %m "/var/run/wireguard/$INTERFACE.name" 2>/dev/null || echo 100) ))
[[ -f "/var/run/amneziawg/$INTERFACE.name" ]] || return 1
interface="$(< "/var/run/amneziawg/$INTERFACE.name")"
[[ -n $interface && -S "/var/run/amneziawg/$interface.sock" ]] || return 1
diff=$(( $(stat -f %m "/var/run/amneziawg/$interface.sock" 2>/dev/null || echo 200) - $(stat -f %m "/var/run/wireguard/$INTERFACE.name" 2>/dev/null || echo 100) ))
[[ $diff -ge 2 || $diff -le -2 ]] && return 1
REAL_INTERFACE="$interface"
echo "[+] Interface for $INTERFACE is $REAL_INTERFACE" >&2
@ -121,9 +121,9 @@ get_real_interface() {
}
add_if() {
export WG_TUN_NAME_FILE="/var/run/wireguard/$INTERFACE.name"
mkdir -p "/var/run/wireguard/"
cmd "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" utun
export WG_TUN_NAME_FILE="/var/run/amneziawg/$INTERFACE.name"
mkdir -p "/var/run/amneziawg/"
cmd "${WG_QUICK_USERSPACE_IMPLEMENTATION:-amneziawg-go}" utun
get_real_interface
}
@ -519,4 +519,4 @@ fi
[[ -n $LAUNCHED_BY_LAUNCHD ]] && wait
exit 0
exit 0
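Review bot: In `get_real_interface` the new `diff=` line still takes its second timestamp from `/var/run/wireguard/$INTERFACE.name`, although the name file is now written under `/var/run/amneziawg/`. That `stat` then falls back to `echo 100`, so `diff` is the socket's real mtime minus 100 and the `-ge 2` check presumably makes the function return 1 for every interface. The second path should read `"/var/run/amneziawg/$INTERFACE.name"`. The unchanged `wg show interfaces >/dev/null` at the top of the function also still calls `wg` rather than `awg`, which may not be installed alongside this tool.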


@ -28,6 +28,8 @@ CONFIG_FILE=""
PROGRAM="${0##*/}"
ARGS=( "$@" )
IS_ASESCURITY_ON=0
cmd() {
echo "[#] $*" >&3
"$@"
@ -38,7 +40,7 @@ die() {
exit 1
}
CONFIG_SEARCH_PATHS=( /etc/wireguard /usr/local/etc/wireguard )
CONFIG_SEARCH_PATHS=( /etc/amnezia/amneziawg /usr/local/etc/amnezia/amneziawg )
unset ORIGINAL_TMPDIR
make_temp() {
@ -96,6 +98,17 @@ parse_options() {
PostDown) POST_DOWN+=( "$value" ); continue ;;
SaveConfig) read_bool SAVE_CONFIG "$value"; continue ;;
esac
case "$key" in
Jc);&
Jmin);&
Jmax);&
S1);&
S2);&
H1);&
H2);&
H3);&
H4) IS_ASESCURITY_ON=1;;
esac
fi
WG_CONFIG+="$line"$'\n'
done < "$CONFIG_FILE"
@ -116,7 +129,11 @@ auto_su() {
add_if() {
local ret rc
if ret="$(cmd ifconfig wg create name "$INTERFACE" 2>&1 >/dev/null)"; then
local cmd="ifconfig wg create name "$INTERFACE""
if [[ $IS_ASESCURITY_ON == 1 ]]; then
cmd="amneziawg-go "$INTERFACE"";
fi
if ret="$(cmd $cmd 2>&1 >/dev/null)"; then
return 0
fi
rc=$?
@ -125,7 +142,7 @@ add_if() {
return $rc
fi
echo "[!] Missing WireGuard kernel support ($ret). Falling back to slow userspace implementation." >&3
cmd "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" "$INTERFACE"
cmd "${WG_QUICK_USERSPACE_IMPLEMENTATION:-amneziawg-go}" "$INTERFACE"
}
del_routes() {
@ -154,8 +171,8 @@ del_routes() {
del_if() {
[[ $HAVE_SET_DNS -eq 0 ]] || unset_dns
if [[ -S /var/run/wireguard/$INTERFACE.sock ]]; then
cmd rm -f "/var/run/wireguard/$INTERFACE.sock"
if [[ -S /var/run/amneziawg/$INTERFACE.sock ]]; then
cmd rm -f "/var/run/amneziawg/$INTERFACE.sock"
else
cmd ifconfig "$INTERFACE" destroy
fi
@ -484,4 +501,4 @@ else
exit 1
fi
exit 0
exit 0
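Review bot: `add_if` now flattens the command into a string (`local cmd="ifconfig wg create name "$INTERFACE""`) and expands it unquoted in `cmd $cmd`, so argument boundaries depend on word splitting and globbing of `$INTERFACE`. The local variable also shares its name with the `cmd` helper. An array keeps each argument intact: `local -a create=( ifconfig wg create name "$INTERFACE" )`, `[[ $IS_ASESCURITY_ON == 1 ]] && create=( amneziawg-go "$INTERFACE" )`, then `cmd "${create[@]}"`. When the `amneziawg-go` branch fails, the code after `rc=$?` appears to fall through to the "Missing WireGuard kernel support" message and start `amneziawg-go` a second time; part of that path lies outside the hunk. The nine-arm `;&` fall-through in `parse_options` could be the single pattern `Jc|Jmin|Jmax|S1|S2|H1|H2|H3|H4) IS_ASESCURITY_ON=1 ;;`.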


@ -40,7 +40,7 @@ die() {
parse_options() {
local interface_section=0 line key value stripped v
CONFIG_FILE="$1"
[[ $CONFIG_FILE =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]] && CONFIG_FILE="/etc/wireguard/$CONFIG_FILE.conf"
[[ $CONFIG_FILE =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]] && CONFIG_FILE="/etc/amnezia/amneziawg/$CONFIG_FILE.conf"
[[ -e $CONFIG_FILE ]] || die "\`$CONFIG_FILE' does not exist"
[[ $CONFIG_FILE =~ (^|/)([a-zA-Z0-9_=+.-]{1,15})\.conf$ ]] || die "The config file must be a valid interface name, followed by .conf"
CONFIG_FILE="$(readlink -f "$CONFIG_FILE")"
@ -87,11 +87,11 @@ auto_su() {
add_if() {
local ret
if ! cmd ip link add "$INTERFACE" type wireguard; then
if ! cmd ip link add "$INTERFACE" type amneziawg; then
ret=$?
[[ -e /sys/module/wireguard ]] || ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" >/dev/null && exit $ret
echo "[!] Missing WireGuard kernel module. Falling back to slow userspace implementation." >&2
cmd "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" "$INTERFACE"
[[ -e /sys/module/amneziawg ]] || ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION:-amneziawg-go}" >/dev/null && exit $ret
echo "[!] Missing WireGuard (Amnezia VPN) kernel module. Falling back to slow userspace implementation." >&2
cmd "${WG_QUICK_USERSPACE_IMPLEMENTATION:-amneziawg-go}" "$INTERFACE"
fi
}
@ -99,7 +99,7 @@ del_if() {
local table
[[ $HAVE_SET_DNS -eq 0 ]] || unset_dns
[[ $HAVE_SET_FIREWALL -eq 0 ]] || remove_firewall
if [[ -z $TABLE || $TABLE == auto ]] && get_fwmark table && [[ $(wg show "$INTERFACE" allowed-ips) =~ /0(\ |$'\n'|$) ]]; then
if [[ -z $TABLE || $TABLE == auto ]] && get_fwmark table && [[ $(awg show "$INTERFACE" allowed-ips) =~ /0(\ |$'\n'|$) ]]; then
while [[ $(ip -4 rule show 2>/dev/null) == *"lookup $table"* ]]; do
cmd ip -4 rule delete table $table
done
@ -132,7 +132,7 @@ set_mtu_up() {
[[ $endpoint =~ ^\[?([a-z0-9:.]+)\]?:[0-9]+$ ]] || continue
output="$(ip route get "${BASH_REMATCH[1]}" || true)"
[[ ( $output =~ mtu\ ([0-9]+) || ( $output =~ dev\ ([^ ]+) && $(ip link show dev "${BASH_REMATCH[1]}") =~ mtu\ ([0-9]+) ) ) && ${BASH_REMATCH[1]} -gt $mtu ]] && mtu="${BASH_REMATCH[1]}"
done < <(wg show "$INTERFACE" endpoints)
done < <(awg show "$INTERFACE" endpoints)
if [[ $mtu -eq 0 ]]; then
read -r output < <(ip route show default || true) || true
[[ ( $output =~ mtu\ ([0-9]+) || ( $output =~ dev\ ([^ ]+) && $(ip link show dev "${BASH_REMATCH[1]}") =~ mtu\ ([0-9]+) ) ) && ${BASH_REMATCH[1]} -gt $mtu ]] && mtu="${BASH_REMATCH[1]}"
@ -180,7 +180,7 @@ add_route() {
get_fwmark() {
local fwmark
fwmark="$(wg show "$INTERFACE" fwmark)" || return 1
fwmark="$(awg show "$INTERFACE" fwmark)" || return 1
[[ -n $fwmark && $fwmark != off ]] || return 1
printf -v "$1" "%d" "$fwmark"
return 0
@ -199,7 +199,7 @@ remove_firewall() {
for iptables in iptables ip6tables; do
restore="" found=0
while read -r line; do
[[ $line == "*"* || $line == COMMIT || $line == "-A "*"-m comment --comment \"wg-quick(8) rule for $INTERFACE\""* ]] || continue
[[ $line == "*"* || $line == COMMIT || $line == "-A "*"-m comment --comment \"awg-quick(8) rule for $INTERFACE\""* ]] || continue
[[ $line == "-A"* ]] && found=1
printf -v restore '%s%s\n' "$restore" "${line/#-A/-D}"
done < <($iptables-save 2>/dev/null)
@ -216,7 +216,7 @@ add_default() {
while [[ -n $(ip -4 route show table $table 2>/dev/null) || -n $(ip -6 route show table $table 2>/dev/null) ]]; do
((table++))
done
cmd wg set "$INTERFACE" fwmark $table
cmd awg set "$INTERFACE" fwmark $table
fi
local proto=-4 iptables=iptables pf=ip
[[ $1 == *:* ]] && proto=-6 iptables=ip6tables pf=ip6
@ -224,7 +224,7 @@ add_default() {
cmd ip $proto rule add table main suppress_prefixlength 0
cmd ip $proto route add "$1" dev "$INTERFACE" table $table
local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore=$'*raw\n' nftable="wg-quick-$INTERFACE" nftcmd
local marker="-m comment --comment \"awg-quick(8) rule for $INTERFACE\"" restore=$'*raw\n' nftable="wg-quick-$INTERFACE" nftcmd
printf -v nftcmd '%sadd table %s %s\n' "$nftcmd" "$pf" "$nftable"
printf -v nftcmd '%sadd chain %s %s preraw { type filter hook prerouting priority -300; }\n' "$nftcmd" "$pf" "$nftable"
printf -v nftcmd '%sadd chain %s %s premangle { type filter hook prerouting priority -150; }\n' "$nftcmd" "$pf" "$nftable"
@ -248,7 +248,7 @@ add_default() {
}
set_config() {
cmd wg setconf "$INTERFACE" <(echo "$WG_CONFIG")
cmd awg setconf "$INTERFACE" <(echo "$WG_CONFIG")
}
save_config() {
@ -278,7 +278,7 @@ save_config() {
done
old_umask="$(umask)"
umask 077
current_config="$(cmd wg showconf "$INTERFACE")"
current_config="$(cmd awg showconf "$INTERFACE")"
trap 'rm -f "$CONFIG_FILE.tmp"; exit' INT TERM EXIT
echo "${current_config/\[Interface\]$'\n'/$new_config}" > "$CONFIG_FILE.tmp" || die "Could not write configuration file"
sync "$CONFIG_FILE.tmp"
@ -302,8 +302,8 @@ cmd_usage() {
CONFIG_FILE is a configuration file, whose filename is the interface name
followed by \`.conf'. Otherwise, INTERFACE is an interface name, with
configuration found at /etc/wireguard/INTERFACE.conf. It is to be readable
by wg(8)'s \`setconf' sub-command, with the exception of the following additions
configuration found at /etc/amnezia/INTERFACE.conf. It is to be readable
by awg(8)'s \`setconf' sub-command, with the exception of the following additions
to the [Interface] section, which are handled by $PROGRAM:
- Address: may be specified one or more times and contains one or more
@ -319,7 +319,7 @@ cmd_usage() {
- SaveConfig: if set to \`true', the configuration is saved from the current
state of the interface upon shutdown.
See wg-quick(8) for more info and examples.
See awg-quick(8) for more info and examples.
_EOF
}
@ -335,7 +335,7 @@ cmd_up() {
done
set_mtu_up
set_dns
for i in $(while read -r _ i; do for i in $i; do [[ $i =~ ^[0-9a-z:.]+/[0-9]+$ ]] && echo "$i"; done; done < <(wg show "$INTERFACE" allowed-ips) | sort -nr -k 2 -t /); do
for i in $(while read -r _ i; do for i in $i; do [[ $i =~ ^[0-9a-z:.]+/[0-9]+$ ]] && echo "$i"; done; done < <(awg show "$INTERFACE" allowed-ips) | sort -nr -k 2 -t /); do
add_route "$i"
done
execute_hooks "${POST_UP[@]}"
@ -343,7 +343,7 @@ cmd_up() {
}
cmd_down() {
[[ " $(wg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface"
[[ " $(awg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface"
execute_hooks "${PRE_DOWN[@]}"
[[ $SAVE_CONFIG -eq 0 ]] || save_config
del_if
@ -353,7 +353,7 @@ cmd_down() {
}
cmd_save() {
[[ " $(wg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface"
[[ " $(awg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface"
save_config
}
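Review bot: In `add_default` the iptables comment marker was renamed to `awg-quick(8) rule for $INTERFACE`, but `nftable` on the same line is still `wg-quick-$INTERFACE`, so the two firewall back ends now use different identifiers and the nft one is the same as upstream wg-quick's. I would use `nftable="awg-quick-$INTERFACE"`, together with the matching name in the nft cleanup, which is outside this hunk. The renamed comment also means `remove_firewall` no longer matches rules that an earlier build tagged `wg-quick(8) rule for …`, so a tunnel brought up before the upgrade would presumably keep those rules after `down`. Separately, `cmd_usage` names `/etc/amnezia/INTERFACE.conf` while `parse_options` reads `/etc/amnezia/amneziawg/$CONFIG_FILE.conf`; the help text should give the latter.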


@ -27,6 +27,7 @@ SAVE_CONFIG=0
CONFIG_FILE=""
PROGRAM="${0##*/}"
ARGS=( "$@" )
IS_ASESCURITY_ON=0
cmd() {
echo "[#] $*" >&3
@ -41,7 +42,7 @@ die() {
parse_options() {
local interface_section=0 line key value stripped
CONFIG_FILE="$1"
[[ $CONFIG_FILE =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]] && CONFIG_FILE="/etc/wireguard/$CONFIG_FILE.conf"
[[ $CONFIG_FILE =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]] && CONFIG_FILE="/etc/amnezia/amneziawg/$CONFIG_FILE.conf"
[[ -e $CONFIG_FILE ]] || die "\`$CONFIG_FILE' does not exist"
[[ $CONFIG_FILE =~ (^|/)([a-zA-Z0-9_=+.-]{1,15})\.conf$ ]] || die "The config file must be a valid interface name, followed by .conf"
CONFIG_FILE="$(readlink -f "$CONFIG_FILE")"
@ -68,6 +69,17 @@ parse_options() {
PostDown) POST_DOWN+=( "$value" ); continue ;;
SaveConfig) read_bool SAVE_CONFIG "$value"; continue ;;
esac
case "$key" in
Jc);&
Jmin);&
Jmax);&
S1);&
S2);&
H1);&
H2);&
H3);&
H4) IS_ASESCURITY_ON=1;;
esac
fi
WG_CONFIG+="$line"$'\n'
done < "$CONFIG_FILE"
@ -106,14 +118,19 @@ add_if() {
while true; do
local -A existing_ifs="( $(wg show interfaces | sed 's/\([^ ]*\)/[\1]=1/g') )"
local index ret
for ((index=0; index <= 2147483647; ++index)); do [[ -v existing_ifs[wg$index] ]] || break; done
if ret="$(cmd ifconfig wg$index create description "wg-quick: $INTERFACE" 2>&1)"; then
REAL_INTERFACE="wg$index"
return 0
if [[ $IS_ASESCURITY_ON == 1 ]]; then
cmd "amneziawg-go "$INTERFACE"";
return $?
else
for ((index=0; index <= 2147483647; ++index)); do [[ -v existing_ifs[wg$index] ]] || break; done
if ret="$(cmd ifconfig wg$index create description "wg-quick: $INTERFACE" 2>&1)"; then
REAL_INTERFACE="wg$index"
return 0
fi
[[ $ret == *"ifconfig: SIOCIFCREATE: File exists"* ]] && continue
echo "$ret" >&3
return 1
fi
[[ $ret == *"ifconfig: SIOCIFCREATE: File exists"* ]] && continue
echo "$ret" >&3
return 1
done
}
@ -478,4 +495,4 @@ else
exit 1
fi
exit 0
exit 0
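Review bot: In the new `IS_ASESCURITY_ON` branch of `add_if`, `cmd "amneziawg-go "$INTERFACE"";` passes a single word, `amneziawg-go <name>`, to `cmd`, because the inner quotes close and reopen the string instead of separating arguments. Assuming `cmd` runs `"$@"` as in the sibling scripts, the shell then looks up a program whose name contains a space and the call fails. It should be `cmd amneziawg-go "$INTERFACE"`. The branch also returns without assigning `REAL_INTERFACE`, which the kernel path sets to `wg$index`, so later steps that rely on it would presumably see an empty value. The unchanged `wg show interfaces` on the `existing_ifs` line still calls `wg` rather than `awg`.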