diff -pruN 1.0.20210914-1/debian/changelog 1.0.20210914-1ubuntu3/debian/changelog --- 1.0.20210914-1/debian/changelog 2021-09-28 01:21:06.000000000 +0000 +++ 1.0.20210914-1ubuntu3/debian/changelog 2023-02-22 12:35:51.000000000 +0000 @@ -1,3 +1,34 @@ +wireguard (1.0.20210914-1ubuntu3) lunar; urgency=medium + + * Drop depends on wireguard-modules (always built-in), wireguard-dkms + (removed from the archive). This makes wireguard package sort of + redundant. LP: #2008086 + * Drop 0002-Avoid-requiring-glibc-2.25-for-wireguard-tools.patch as + glibc-2.25 has been around since forever. + * Cherry-pick upstream fixups from master. + + -- Dimitri John Ledkov Wed, 22 Feb 2023 12:35:51 +0000 + +wireguard (1.0.20210914-1ubuntu2) jammy; urgency=medium + + * Add better DEP8 tests (LP: #1952102): + - d/t/control, d/t/wireguard-wgquick: test using network namespaces + and wg-quick + - d/t/netns-mini, d/t/control: test using network namespaces + and wg, taken from the wireguard-linux-compat package + * d/rules: add simple build-time test, taken from the existing + DEP8 test to generate keys (LP: #1952767) + + -- Andreas Hasenack Tue, 07 Dec 2021 08:33:57 -0300 + +wireguard (1.0.20210914-1ubuntu1) devel; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - Switch alternative dependency order for the wireguard-modules, + wireguard-dkms alternative. + + -- Unit 193 Tue, 23 Nov 2021 11:41:45 -0500 + wireguard (1.0.20210914-1) unstable; urgency=medium * New upstream release. @@ -5,6 +36,14 @@ wireguard (1.0.20210914-1) unstable; urg -- Unit 193 Mon, 27 Sep 2021 21:21:06 -0400 +wireguard (1.0.20210424-1ubuntu1) devel; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - Switch alternative dependency order for the wireguard-modules, + wireguard-dkms alternative. + + -- Unit 193 Mon, 16 Aug 2021 14:20:40 -0400 + wireguard (1.0.20210424-1) unstable; urgency=medium * New upstream release. @@ -12,6 +51,14 @@ wireguard (1.0.20210424-1) unstable; urg -- Unit 193 Fri, 13 Aug 2021 17:36:52 -0400 +wireguard (1.0.20210223-1ubuntu1) devel; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - Switch alternative dependency order for the wireguard-modules, + wireguard-dkms alternative. + + -- Unit 193 Tue, 16 Mar 2021 17:27:19 -0400 + wireguard (1.0.20210223-1) unstable; urgency=medium * New upstream release. @@ -22,18 +69,45 @@ wireguard (1.0.20210223-1) unstable; urg -- Unit 193 Thu, 25 Feb 2021 02:02:36 -0500 +wireguard (1.0.20200827-1ubuntu1) devel; urgency=medium + + * Merge from Debian unstable. Remaining changes: + - Switch alternative dependency order for the wireguard-modules, + wireguard-dkms alternative. + + -- Unit 193 Wed, 30 Sep 2020 18:52:56 -0400 + wireguard (1.0.20200827-1) unstable; urgency=medium * New upstream release. -- Unit 193 Wed, 09 Sep 2020 03:47:59 -0400 +wireguard (1.0.20200820-1ubuntu1) groovy; urgency=low + + * Merge from Debian unstable. Remaining changes: + - Switch alternative dependency order for teh wireguard-modules, + wireguard-dkms alternative. + + -- Andy Whitcroft Wed, 26 Aug 2020 10:42:33 +0100 + wireguard (1.0.20200820-1) unstable; urgency=medium * New upstream release. -- Unit 193 Sat, 22 Aug 2020 19:19:51 -0400 +wireguard (1.0.20200513-1ubuntu1) groovy; urgency=medium + + * Switch alternative dependency order for the wireguard-modules, + wireguard-dkms alternative. Whichever is first is deemed the + preferred installation candidate when neither is present. When this is + wireguard-modules this is satisfied by installation of a random kernel + which claims support for wireguard regardless of its applicability. + Repeat after me, do not ever depend on a kernel. (LP: #1890201) + + -- Andy Whitcroft Mon, 03 Aug 2020 22:24:05 +0100 + wireguard (1.0.20200513-1) unstable; urgency=medium * New upstream release. diff -pruN 1.0.20210914-1/debian/control 1.0.20210914-1ubuntu3/debian/control --- 1.0.20210914-1/debian/control 2021-09-28 01:19:37.000000000 +0000 +++ 1.0.20210914-1ubuntu3/debian/control 2023-02-22 12:35:47.000000000 +0000 @@ -1,7 +1,8 @@ Source: wireguard Section: net Priority: optional -Maintainer: Daniel Kahn Gillmor +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Daniel Kahn Gillmor Uploaders: Unit 193 , Build-Depends: @@ -17,7 +18,6 @@ Rules-Requires-Root: no Package: wireguard Architecture: all Depends: - wireguard-modules (>= 0.0.20191219) | wireguard-dkms (>= 0.0.20200121-2), wireguard-tools (>= ${source:Version}), ${misc:Depends}, Description: fast, modern, secure kernel VPN tunnel (metapackage) @@ -39,7 +39,6 @@ Depends: ${shlibs:Depends}, Recommends: nftables | iptables, - wireguard-modules (>= 0.0.20171001) | wireguard-dkms (>= 0.0.20191219), Suggests: openresolv | resolvconf, Description: fast, modern, secure kernel VPN tunnel (userland utilities) WireGuard is a novel VPN that runs inside the Linux Kernel and uses diff -pruN 1.0.20210914-1/debian/patches/0001-embeddable-wg-library-add-named-wg_endpoint-union.patch 1.0.20210914-1ubuntu3/debian/patches/0001-embeddable-wg-library-add-named-wg_endpoint-union.patch --- 1.0.20210914-1/debian/patches/0001-embeddable-wg-library-add-named-wg_endpoint-union.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.0.20210914-1ubuntu3/debian/patches/0001-embeddable-wg-library-add-named-wg_endpoint-union.patch 2023-02-22 12:35:51.000000000 +0000 @@ -0,0 +1,46 @@ +From b906ecb614d93a69ef78c67bfd240554fbc95270 Mon Sep 17 00:00:00 2001 +From: Mikael Magnusson +Date: Sat, 7 Nov 2020 13:32:56 +0100 +Subject: [PATCH] embeddable-wg-library: add named wg_endpoint union + +Define wg_endpoint as a named union to allow users of the emeddable +library to use the type in function arguments, variables etc. + +Signed-off-by: Mikael Magnusson +Signed-off-by: Jason A. Donenfeld +--- + contrib/embeddable-wg-library/wireguard.h | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/contrib/embeddable-wg-library/wireguard.h b/contrib/embeddable-wg-library/wireguard.h +index fbd8765ff2..328fcb423d 100644 +--- a/contrib/embeddable-wg-library/wireguard.h ++++ b/contrib/embeddable-wg-library/wireguard.h +@@ -40,17 +40,19 @@ enum wg_peer_flags { + WGPEER_HAS_PERSISTENT_KEEPALIVE_INTERVAL = 1U << 4 + }; + ++typedef union wg_endpoint { ++ struct sockaddr addr; ++ struct sockaddr_in addr4; ++ struct sockaddr_in6 addr6; ++} wg_endpoint; ++ + typedef struct wg_peer { + enum wg_peer_flags flags; + + wg_key public_key; + wg_key preshared_key; + +- union { +- struct sockaddr addr; +- struct sockaddr_in addr4; +- struct sockaddr_in6 addr6; +- } endpoint; ++ wg_endpoint endpoint; + + struct timespec64 last_handshake_time; + uint64_t rx_bytes, tx_bytes; +-- +2.34.1 + diff -pruN 1.0.20210914-1/debian/patches/0001-reresolve-dns-use-EPOCHSECONDS-instead-of-date-s.patch 1.0.20210914-1ubuntu3/debian/patches/0001-reresolve-dns-use-EPOCHSECONDS-instead-of-date-s.patch --- 1.0.20210914-1/debian/patches/0001-reresolve-dns-use-EPOCHSECONDS-instead-of-date-s.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.0.20210914-1ubuntu3/debian/patches/0001-reresolve-dns-use-EPOCHSECONDS-instead-of-date-s.patch 2023-02-22 12:35:51.000000000 +0000 @@ -0,0 +1,26 @@ +From 1fd95708391088742c139010cc6b821add941dec Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Tue, 4 Jan 2022 13:07:49 +0100 +Subject: [PATCH] reresolve-dns: use $EPOCHSECONDS instead of $(date +%s) + +Signed-off-by: Jason A. Donenfeld +--- + contrib/reresolve-dns/reresolve-dns.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/contrib/reresolve-dns/reresolve-dns.sh b/contrib/reresolve-dns/reresolve-dns.sh +index fd38cd44dc..711c33253f 100755 +--- a/contrib/reresolve-dns/reresolve-dns.sh ++++ b/contrib/reresolve-dns/reresolve-dns.sh +@@ -16,7 +16,7 @@ INTERFACE="${BASH_REMATCH[1]}" + process_peer() { + [[ $PEER_SECTION -ne 1 || -z $PUBLIC_KEY || -z $ENDPOINT ]] && return 0 + [[ $(wg show "$INTERFACE" latest-handshakes) =~ ${PUBLIC_KEY//+/\\+}\ ([0-9]+) ]] || return 0 +- (( ($(date +%s) - ${BASH_REMATCH[1]}) > 135 )) || return 0 ++ (( ($EPOCHSECONDS - ${BASH_REMATCH[1]}) > 135 )) || return 0 + wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT" + reset_peer_section + } +-- +2.34.1 + diff -pruN 1.0.20210914-1/debian/patches/0001-show-apply-const-to-right-part-of-pointer.patch 1.0.20210914-1ubuntu3/debian/patches/0001-show-apply-const-to-right-part-of-pointer.patch --- 1.0.20210914-1/debian/patches/0001-show-apply-const-to-right-part-of-pointer.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.0.20210914-1ubuntu3/debian/patches/0001-show-apply-const-to-right-part-of-pointer.patch 2023-02-22 12:35:51.000000000 +0000 @@ -0,0 +1,34 @@ +From ca2e89ff21794b1853f628b8d5cb0f91eb140461 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Mon, 31 Oct 2022 15:38:58 +0100 +Subject: [PATCH] show: apply const to right part of pointer + +Without this -Wcast-qual complains: + +show.c:30:43: warning: cast from 'const void *' to 'const void **' drops const qualifier [-Wcast-qual] + const struct wgpeer *a = *(const void **)first, *b = *(const void **)second; + ^ +show.c:30:71: warning: cast from 'const void *' to 'const void **' drops const qualifier [-Wcast-qual] + const struct wgpeer *a = *(const void **)first, *b = *(const void **)second; + +Signed-off-by: Jason A. Donenfeld +--- + src/show.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/show.c b/src/show.c +index a61a06ef06..3fd3d9e2a1 100644 +--- a/src/show.c ++++ b/src/show.c +@@ -27,7 +27,7 @@ + static int peer_cmp(const void *first, const void *second) + { + time_t diff; +- const struct wgpeer *a = *(const void **)first, *b = *(const void **)second; ++ const struct wgpeer *a = *(void *const *)first, *b = *(void *const *)second; + + if (!a->last_handshake_time.tv_sec && !a->last_handshake_time.tv_nsec && (b->last_handshake_time.tv_sec || b->last_handshake_time.tv_nsec)) + return 1; +-- +2.34.1 + diff -pruN 1.0.20210914-1/debian/patches/0001-wg-quick-linux-prevent-traffic-from-momentarily-leak.patch 1.0.20210914-1ubuntu3/debian/patches/0001-wg-quick-linux-prevent-traffic-from-momentarily-leak.patch --- 1.0.20210914-1/debian/patches/0001-wg-quick-linux-prevent-traffic-from-momentarily-leak.patch 1970-01-01 00:00:00.000000000 +0000 +++ 1.0.20210914-1ubuntu3/debian/patches/0001-wg-quick-linux-prevent-traffic-from-momentarily-leak.patch 2023-02-22 12:35:51.000000000 +0000 @@ -0,0 +1,35 @@ +From 71799a8f6d1450b63071a21cad6ed434b348d3d5 Mon Sep 17 00:00:00 2001 +From: Tom Yan +Date: Fri, 17 Jun 2022 19:34:19 +0800 +Subject: [PATCH] wg-quick: linux: prevent traffic from momentarily leaking + into tunnel + +The wireguard route table ip rule should stay as a no-op until the +`suppress_prefixlength 0 table main` rule is in effect. Therefore, add +the wireguard default route to its route table after the latter rule is +added. + +Signed-off-by: Tom Yan +Signed-off-by: Jason A. Donenfeld +--- + src/wg-quick/linux.bash | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash +index e4d4c4f08f..69e5bef05c 100755 +--- a/src/wg-quick/linux.bash ++++ b/src/wg-quick/linux.bash +@@ -220,9 +220,9 @@ add_default() { + fi + local proto=-4 iptables=iptables pf=ip + [[ $1 == *:* ]] && proto=-6 iptables=ip6tables pf=ip6 +- cmd ip $proto route add "$1" dev "$INTERFACE" table $table + cmd ip $proto rule add not fwmark $table table $table + cmd ip $proto rule add table main suppress_prefixlength 0 ++ cmd ip $proto route add "$1" dev "$INTERFACE" table $table + + local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore=$'*raw\n' nftable="wg-quick-$INTERFACE" nftcmd + printf -v nftcmd '%sadd table %s %s\n' "$nftcmd" "$pf" "$nftable" +-- +2.34.1 + diff -pruN 1.0.20210914-1/debian/patches/0002-Avoid-requiring-glibc-2.25-for-wireguard-tools.patch 1.0.20210914-1ubuntu3/debian/patches/0002-Avoid-requiring-glibc-2.25-for-wireguard-tools.patch --- 1.0.20210914-1/debian/patches/0002-Avoid-requiring-glibc-2.25-for-wireguard-tools.patch 2020-05-15 22:28:58.000000000 +0000 +++ 1.0.20210914-1ubuntu3/debian/patches/0002-Avoid-requiring-glibc-2.25-for-wireguard-tools.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,35 +0,0 @@ -From: Daniel Kahn Gillmor -Date: Mon, 18 Jun 2018 14:11:10 -0400 -Subject: Avoid requiring glibc 2.25 for wireguard-tools - -Upstream's instructions (https://www.wireguard.com/install/) suggest -enabling the debian unstable repository to run wireguard. - -Without this patch, the current version of wireguard-tools will end up -with a dependency on glibc 2.25 because of the invocation of -getentropy. - -We avoid this situation (and fall through to the syscall interface -for the Linux kernel) by omitting the test here. - -If we move wireguard into testing (and from there to -stretch-backports) then i think we can convince upstream to change -their installation instructions to refer to stretch-backports, and we -can remove this patch. ---- - src/genkey.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/genkey.c b/src/genkey.c -index d1bb643..6cdee42 100644 ---- a/src/genkey.c -+++ b/src/genkey.c -@@ -40,7 +40,7 @@ static inline bool __attribute__((__warn_unused_result__)) get_random_bytes(uint - return false; - } - --#if defined(__OpenBSD__) || (defined(__APPLE__) && MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_12) || (defined(__GLIBC__) && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 25))) -+#if defined(__OpenBSD__) || (defined(__APPLE__) && MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_X_VERSION_10_12) - if (!getentropy(out, len)) - return true; - #endif diff -pruN 1.0.20210914-1/debian/patches/series 1.0.20210914-1ubuntu3/debian/patches/series --- 1.0.20210914-1/debian/patches/series 2020-05-15 22:30:23.000000000 +0000 +++ 1.0.20210914-1ubuntu3/debian/patches/series 2023-02-22 12:35:51.000000000 +0000 @@ -1,2 +1,5 @@ +0001-embeddable-wg-library-add-named-wg_endpoint-union.patch +0001-reresolve-dns-use-EPOCHSECONDS-instead-of-date-s.patch +0001-wg-quick-linux-prevent-traffic-from-momentarily-leak.patch +0001-show-apply-const-to-right-part-of-pointer.patch 0001-Avoid-using-git-during-build.patch -0002-Avoid-requiring-glibc-2.25-for-wireguard-tools.patch diff -pruN 1.0.20210914-1/debian/rules 1.0.20210914-1ubuntu3/debian/rules --- 1.0.20210914-1/debian/rules 2020-05-15 22:28:58.000000000 +0000 +++ 1.0.20210914-1ubuntu3/debian/rules 2021-12-07 11:33:57.000000000 +0000 @@ -21,3 +21,18 @@ override_dh_fixperms: override_dh_installexamples: dh_installexamples -Xexternal-tests + +define test_wg +set -x; set -e; \ +echo "Testing command $1" && \ +a="$$(src/wg $1)" && b="$$(src/wg $1)" && \ +echo "a=$$a b=$$b" && \ +test -n "$$a" && \ +test -n "$$b" && \ +test "$$a" != "$$b" +endef + +override_dh_auto_test: + test "$$(head -c 32 /dev/zero | base64 | src/wg pubkey)" = "L+V9o0fNYkMVKNqsX7spBzD/9oSvxM/C7ZCZX1jLO3Q=" + $(call test_wg,genpsk) + $(call test_wg,genkey) diff -pruN 1.0.20210914-1/debian/tests/control 1.0.20210914-1ubuntu3/debian/tests/control --- 1.0.20210914-1/debian/tests/control 2020-05-22 07:09:50.000000000 +0000 +++ 1.0.20210914-1ubuntu3/debian/tests/control 2021-12-06 15:01:00.000000000 +0000 @@ -2,3 +2,16 @@ Tests: keygen Restrictions: superficial Depends: wireguard-tools, + +Tests: wg-quick +Restrictions: needs-root, isolation-machine, allow-stderr +Depends: + iproute2, + @, + +Tests: netns-mini +Restrictions: needs-root, isolation-machine +Depends: + iproute2, + iputils-ping, + @, diff -pruN 1.0.20210914-1/debian/tests/netns-mini 1.0.20210914-1ubuntu3/debian/tests/netns-mini --- 1.0.20210914-1/debian/tests/netns-mini 1970-01-01 00:00:00.000000000 +0000 +++ 1.0.20210914-1ubuntu3/debian/tests/netns-mini 2021-12-06 15:01:00.000000000 +0000 @@ -0,0 +1,55 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (C) 2015-2020 Jason A. Donenfeld . All Rights Reserved. +set -e + +exec 3>&1 +netns0="wg-test-$$-0" +netns1="wg-test-$$-1" +netns2="wg-test-$$-2" +pretty() { echo -e "\x1b[32m\x1b[1m[+] ${1:+NS$1: }${2}\x1b[0m" >&3; } +pp() { pretty "" "$*"; "$@"; } +n1() { pretty 1 "$*"; ip netns exec $netns1 "$@"; } +n2() { pretty 2 "$*"; ip netns exec $netns2 "$@"; } +ip0() { pretty 0 "ip $*"; ip -n $netns0 "$@"; } +ip1() { pretty 1 "ip $*"; ip -n $netns1 "$@"; } +ip2() { pretty 2 "ip $*"; ip -n $netns2 "$@"; } + +cleanup() { + set +e + exec 2>/dev/null + ip0 link del dev wg0 + ip1 link del dev wg0 + ip2 link del dev wg0 + local to_kill="$(ip netns pids $netns0) $(ip netns pids $netns1) $(ip netns pids $netns2)" + [[ -n $to_kill ]] && kill $to_kill + pp ip netns del $netns1 + pp ip netns del $netns2 + pp ip netns del $netns0 + exit +} +trap cleanup EXIT + +ip netns del $netns0 2>/dev/null || true +ip netns del $netns1 2>/dev/null || true +ip netns del $netns2 2>/dev/null || true +pp ip netns add $netns0 +pp ip netns add $netns1 +pp ip netns add $netns2 +ip0 link set up dev lo +ip0 link add dev wg0 type wireguard +ip0 link set wg0 netns $netns1 +ip0 link add dev wg0 type wireguard +ip0 link set wg0 netns $netns2 +ip1 addr add 192.168.241.1/24 dev wg0 +ip2 addr add 192.168.241.2/24 dev wg0 +key1="$(pp wg genkey)" +key2="$(pp wg genkey)" +pub1="$(pp wg pubkey <<<"$key1")" +pub2="$(pp wg pubkey <<<"$key2")" +n1 wg set wg0 private-key <(echo "$key1") listen-port 1 peer "$pub2" allowed-ips 192.168.241.2/32 +n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" allowed-ips 192.168.241.1/32 +ip1 link set up dev wg0 +ip2 link set up dev wg0 +n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1 +n2 ping -c 10 -f -W 1 192.168.241.1 diff -pruN 1.0.20210914-1/debian/tests/wg-quick 1.0.20210914-1ubuntu3/debian/tests/wg-quick --- 1.0.20210914-1/debian/tests/wg-quick 1970-01-01 00:00:00.000000000 +0000 +++ 1.0.20210914-1ubuntu3/debian/tests/wg-quick 2021-12-06 15:01:00.000000000 +0000 @@ -0,0 +1,171 @@ +#!/bin/bash + +set -e +set -o pipefail + +LEFT_NS="left_ns" +LEFT_GW="10.0.5.1/24" +LEFT_PORT=3001 +LEFT_INT="10.0.1.1/24" +WG_LEFT_INTERFACE="wg_left" +WG_LEFT_INTERFACE_CONF="/etc/wireguard/${WG_LEFT_INTERFACE}.conf" + +RIGHT_NS="right_ns" +RIGHT_GW="10.0.5.2/24" +RIGHT_PORT=3002 +RIGHT_INT="10.0.1.2/24" +WG_RIGHT_INTERFACE="wg_right" +WG_RIGHT_INTERFACE_CONF="/etc/wireguard/${WG_RIGHT_INTERFACE}.conf" + +cleanup() { + if [ $? -ne 0 ]; then + echo "Some test failed, here is some debugging" + dmesg -T | grep wireguard + fi + rm -f "${WG_LEFT_INTERFACE_CONF}" "${WG_RIGHT_INTERFACE_CONF}" + ip netns delete "${LEFT_NS}" &>/dev/null + ip netns delete "${RIGHT_NS}" &>/dev/null +} + +trap cleanup EXIT + + +setup() { + umask 0077 + echo "Generating keys" + LEFT_PRIVKEY="$(wg genkey)" + RIGHT_PRIVKEY="$(wg genkey)" + LEFT_PUBKEY="$(wg pubkey <<<"${LEFT_PRIVKEY}")" + RIGHT_PUBKEY="$(wg pubkey <<<"${RIGHT_PRIVKEY}")" + + echo "Generating wireguard config" + cat > "${WG_LEFT_INTERFACE_CONF}" <<-EOF + [Interface] + ListenPort = ${LEFT_PORT} + PrivateKey = ${LEFT_PRIVKEY} + Address = ${LEFT_GW} + + [Peer] + PublicKey = ${RIGHT_PUBKEY} + AllowedIPs = ${RIGHT_GW%%/*}/32 + Endpoint = ${RIGHT_INT%%/*}:${RIGHT_PORT} + EOF + + cat > "${WG_RIGHT_INTERFACE_CONF}" <<-EOF + [Interface] + ListenPort = ${RIGHT_PORT} + PrivateKey = ${RIGHT_PRIVKEY} + Address = ${RIGHT_GW} + + [Peer] + PublicKey = ${LEFT_PUBKEY} + AllowedIPs = ${LEFT_GW%%/*}/32 + Endpoint = ${LEFT_INT%%/*}:${LEFT_PORT} + EOF + + echo "Cleaning up old namespaces" + ip netns delete "${LEFT_NS}" &> /dev/null || true + ip netns delete "${RIGHT_NS}" &> /dev/null || true + + echo "Creating new namespaces ${LEFT_NS} and ${RIGHT_NS} and adding loopback interface to them" + ip netns add "${LEFT_NS}" + ip netns exec "${LEFT_NS}" ip link set dev lo up + + ip netns add "${RIGHT_NS}" + ip netns exec "${RIGHT_NS}" ip link set dev lo up + + echo "Creating veth interface connecting both namespaces" + ip link add p1 netns "${LEFT_NS}" type veth peer p2 netns "${RIGHT_NS}" + ip -n "${LEFT_NS}" addr add "${LEFT_INT}" dev p1 + ip -n "${LEFT_NS}" link set p1 up + + ip -n "${RIGHT_NS}" addr add "${RIGHT_INT}" dev p2 + ip -n "${RIGHT_NS}" link set p2 up + + echo "Bringing up LEFT wireguard interface in namespace ${LEFT_NS}" + ip netns exec "${LEFT_NS}" wg-quick up "${WG_LEFT_INTERFACE}" + + echo "Bringing up RIGHT wireguard interface in namespace ${RIGHT_NS}" + ip netns exec "${RIGHT_NS}" wg-quick up "${WG_RIGHT_INTERFACE}" +} + +show_config() { + echo "${LEFT_NS} namespace:" + ip netns exec "${LEFT_NS}" wg showconf "${WG_LEFT_INTERFACE}" + echo + echo "${RIGHT_NS} namespace:" + ip netns exec "${RIGHT_NS}" wg showconf "${WG_RIGHT_INTERFACE}" +} + +test_stats() { + local -i ret + local output="" + # to be run after the ping tests + # by now, we MUST have "transfer" and "last handshake" + for ns in "${LEFT_NS}" "${RIGHT_NS}"; do + echo "Namespace ${ns}" + output=$(ip netns exec "${ns}" wg show) + echo "${output}" | grep -E "latest handshake:" || { + ret=$? + echo "Missing \"latest handshake\" from stats in namespace ${ns}" + echo "Got this output:" + echo "${output}" + return $ret + } + echo "${output}" | grep -E "transfer:.*received.*sent" || { + ret=$? + echo "Missing \"transfer\" stats in namespace ${ns}" + echo "Got this output:" + echo "${output}" + return $ret + } + done +} + +test_gw_ping() { + echo "Pinging right gateway, from ${LEFT_NS} namespace" + ip netns exec "${LEFT_NS}" ping -W 2 -c 1 "${RIGHT_GW%%/*}" || return $? + echo + echo "Pinging left gateway, from ${RIGHT_NS} namespace" + ip netns exec "${RIGHT_NS}" ping -W 2 -c 1 "${LEFT_GW%%/*}" || return $? +} + +test_wireguard_ping() { + echo "Pinging right wireguard IP from ${LEFT_NS} namespace" + ip netns exec "${LEFT_NS}" ping -W 2 -c 1 "${RIGHT_INT%%/*}" || return $? + echo + echo "Pinging left wireguard IP from ${RIGHT_NS} namesapce" + ip netns exec "${RIGHT_NS}" ping -W 2 -c 1 "${LEFT_INT%%/*}" || return $? +} + + +echo "Setting things up" +setup || { + echo "Failed vpn test setup" + exit 1 +} + +echo +echo "This is the config" +show_config + +echo +echo "Testing gateway ping" +test_gw_ping || { + echo "Failed gateway ping" + exit 1 +} + +echo +echo "Testing wireguard interface ping" +test_wireguard_ping || { + echo "Failed wireguard interface ping" + exit 1 +} + +echo +echo "Testing vpn stats" +test_stats || { + echo "Failed to verify vpn stats" + exit 1 +}