[MIR] Wireguard

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
wireguard (Ubuntu) | Fix Released | Critical | Unassigned |
Bug Description
[Availability]
The package wireguard is already in Ubuntu universe, since xenial.
The package wireguard builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
Link to package: https:/
[Rationale]
The package wireguard will generally be useful for a large part of our user
base. More importantly, the kernel component of wireguard is already in Ubuntu.
Additional reasons:
Package openvpn covers the same use case as wireguard, but wireguard is simpler
to setup and that is important for a VPN.
[Security]
No CVEs/security issues in this software in the past
http://
0 hits (the one hit is about wireshark dissecting the wireguard protocol)
site:www.
- some hits around CVE-2019-14899 which was about the linux kernel, not wireguard specifically
- another hit on CVE-2021-3773, but that was more about netfilter and not wireguard specific
Ubuntu CVE tracker
All http://
- just one hit on wireshark
Upstream
https:/
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package installs one systemd service file, but it doesn't run by default. It's also not a service per se, as it doesn't start a daemon, but rather can be used to configure wireguard for a particular interface. It's the kernel that will listen on the assigned port directly:
```
root@i2:~# dpkg -L wireguard-
/lib/systemd/
/lib/systemd/
root@i2:~# systemctl cat wg-quick@.service
# /lib/systemd/
[Unit]
Description=
After=network-
Wants=network-
PartOf=
Documentation=
Documentation=
Documentation=https:/
Documentation=https:/
Documentation=https:/
Documentation=https:/

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=
ExecStop=
ExecReload=
Environment=

[Install]
WantedBy=
```
And after it's running (wg0 in my example), there is no running process listening on the port, it's the kernel directly:
```
root@i2:~# cat /etc/wireguard/
ListenPort = 55246
root@i2:~# ss -nlp|grep 55246
udp UNCONN 0 0 0.0.0.0:55246 0.0.0.0:*
udp UNCONN 0 0 [::]:55246 [::]:*
```
- Package does not open privileged ports (ports < 1024) (unless you ask for it I guess)
- the package is VPN software, so it is security-sensitive. Even more, the network traffic goes directly into the kernel. That being said, the kernel is in main already, obviously, and the package subject to this MIR is just the configurator for it. But it does generate the crypto keys, so it is sensitive.
There are hints that this configuration aspect can be made, in the future perhaps, via systemd-networkd and/or netplan directly: https:/
[Quality assurance - function/usage]
The package needs post-install configuration or reading of documentation; there is no safe default because, being VPN software, it relies on your network setup.
Steps after installation typically require the creation of a /etc/wireguard/
```
[Interface]
ListenPort = 55246
PrivateKey = <secret generated via "wg genkey">
Address = 10.0.0.2/24
[Peer]
PublicKey = <obtained via "wg pubkey < private-key-file" on peer>
AllowedIPs = 10.0.0.1/32
Endpoint = 192.168.
```
And a mirror config is needed on the peer side. Then there is nice support in systemd for per-interface services, and you can run this to enable and start the VPN:
```
systemctl enable <email address hidden>
systemctl start <email address hidden>
```
Debugging is usually needed at first, and it can be enabled like this, prior to starting the services:
```
# modprobe wireguard
# echo module wireguard +p > /sys/kernel/
```
Or via /etc/modprobe.
```
install wireguard /sbin/modprobe --ignore-install wireguard; echo module wireguard +p > /sys/kernel/
```
Debugging messages will appear in the output of dmesg.
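As an added example (not code from the wireguard project or from this MIR), here is a small stdlib-only Python checker for a wg-quick style configuration file like the one shown above. It parses the INI-like file (allowing repeated [Peer] sections, which configparser would merge), verifies that PrivateKey/PublicKey decode to 32 raw bytes, that Address and AllowedIPs are CIDR lists, that ListenPort and Endpoint are well-formed (flagging a privileged ListenPort, which the Security section notes the package does not need), and that the file is not group- or world-readable, since it holds the private key. The function names, the sample keys (base64 of fixed bytes, not real keys) and the 192.0.2.10 endpoint are constructed for this example.

```python
"""Structural checker for /etc/wireguard/<iface>.conf (added example).

Assumptions: the file is INI-like with one [Interface] section and zero or
more [Peer] sections, and keys are base64-encoded 32-byte values as produced
by `wg genkey` / `wg pubkey`. Nothing here talks to the kernel or derives
public keys; it only catches mistakes before `systemctl start wg-quick@...`.
"""
import base64
import binascii
import ipaddress
import os
import stat

KEY_LEN = 32  # raw length of a WireGuard (Curve25519) key


def parse_wg_config(text):
    """Return (interface, peers): `interface` is a dict Key -> value,
    `peers` a list of such dicts, one per [Peer] section, in file order.
    '#'/';' comments and blank lines are ignored; a repeated key is joined
    with a comma, which is how wg-quick treats repeated AllowedIPs/Address."""
    interface, peers, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError("line %d: unknown section [%s]" % (lineno, name))
            continue
        if current is None or "=" not in line:
            raise ValueError("line %d: expected 'Key = value' inside a section" % lineno)
        # split on the first '=' only: base64 values end with '=' padding
        key, value = (s.strip() for s in line.split("=", 1))
        current[key] = (current[key] + "," + value) if key in current else value
    return interface, peers


def _key_ok(value):
    """True when value is valid base64 for exactly KEY_LEN bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) == KEY_LEN
    except (binascii.Error, ValueError):
        return False


def _cidrs_ok(value):
    """True when value is a non-empty comma-separated list of CIDRs/addresses."""
    try:
        for item in value.split(","):
            ipaddress.ip_network(item.strip(), strict=False)
        return True
    except ValueError:
        return False


def _port_ok(port):
    return port.isdigit() and 1 <= int(port) <= 65535


def check_config(text):
    """Return a list of problems found; an empty list means the file looks sane."""
    try:
        iface, peers = parse_wg_config(text)
    except ValueError as err:
        return [str(err)]
    problems = []
    if not _key_ok(iface.get("PrivateKey", "")):
        problems.append("Interface: PrivateKey missing or not a base64 32-byte key")
    if "Address" in iface and not _cidrs_ok(iface["Address"]):
        problems.append("Interface: Address is not a valid CIDR list")
    if "ListenPort" in iface:
        port = iface["ListenPort"]
        if not _port_ok(port):
            problems.append("Interface: ListenPort %r is not a valid port" % port)
        elif int(port) < 1024:
            problems.append("Interface: ListenPort %s is a privileged port" % port)
    if not peers:
        problems.append("no [Peer] section; nothing will be able to connect")
    for n, peer in enumerate(peers, 1):
        if not _key_ok(peer.get("PublicKey", "")):
            problems.append("Peer %d: PublicKey missing or not a base64 32-byte key" % n)
        if not _cidrs_ok(peer.get("AllowedIPs", "")):
            problems.append("Peer %d: AllowedIPs missing or invalid" % n)
        if "Endpoint" in peer:
            host, sep, port = peer["Endpoint"].rpartition(":")  # [v6]:port works too
            if not (sep and host and _port_ok(port)):
                problems.append("Peer %d: Endpoint must be host:port" % n)
    return problems


def key_file_mode_ok(mode):
    """True when the mode grants nothing to group or others (e.g. 0600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_config_file(path):
    """check_config() on a file, plus a finding if it is readable by others."""
    with open(path) as fh:
        problems = check_config(fh.read())
    if not key_file_mode_ok(os.stat(path).st_mode):
        problems.append("%s: readable by group/others; chmod 600 it" % path)
    return problems


# Constructed sample mirroring the shape of the config in the text; the keys
# are base64 of fixed bytes and the endpoint is a documentation address.
SAMPLE_PRIV = base64.b64encode(bytes(range(32))).decode()
SAMPLE_PUB = base64.b64encode(bytes(range(32, 64))).decode()
SAMPLE_CONF = """
[Interface]
ListenPort = 55246
PrivateKey = %s
Address = 10.0.0.2/24

[Peer]
PublicKey = %s
AllowedIPs = 10.0.0.1/32
Endpoint = 192.0.2.10:55246   # constructed
""" % (SAMPLE_PRIV, SAMPLE_PUB)

if __name__ == "__main__":
    for line in check_config(SAMPLE_CONF) or ["config looks sane"]:
        print(line)
```

Point `check_config_file()` at the real /etc/wireguard/wg0.conf before enabling the service; a private key that fails the length check is the usual sign of a copy-paste error, and a readable config leaks the key to every local user.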
[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu and does not have too many
long-term critical bugs open
- Ubuntu https:/
https:/
#1860206 - wg broke after an update in bionic, bug still open
#1864109 - bionic dkms build failure, doesn't even look like it was an ubuntu package (version has -wg1~bionic suffix, which is not what is in the archive for bionic)
#1873288 - wireguard-tools in focal recommending wireguard-dkms, easy to fix
#1882260 - doesn't look like an ubuntu package, and sounds like a support request
#1883316 - another dkms build error, this time on xenial
#1892798 - some problem with resolvconf integration, that ended in a flamewar
- Debian https:/
No important bugs. One about resolvconf integration, another about default configuration, dkms issues (no longer relevant), and support requests
- The package does not deal with exotic hardware we cannot support
Fedora/RH:
https:/
- 5 bugs atm, 3 of which are about the kernel module, one in network-manager, and the last one requesting wireguard-tools to be added to RHEL9.
Upstream:
There is no upstream bug tracker, not counting the kernel one, because this MIR is about the userspace part.
Looks like bugs are reported in Linux distributions, and in the upstream mailing list (https:/
[Quality assurance - testing]
The package does not run a test at build time.
The package runs a *trivial* autopkgtest, and it's failing in almost all past
ubuntu releases, but passing on jammy:
https:/
The only failure in jammy is in i386, because the package isn't built for i386.
Failures in older releases seem to be all related to missing some kernel package dependency.
We could add a build-time test that is basically the same as the current autopkgtest, that would be easy. Just generate and check keys.
Creating a more elaborate DEP8 test needs some work, as this is VPN software that needs two endpoints. Might be doable in a vm and network namespaces, but bringing up two other vms or even lxd containers and orchestrating that in DEP8 is stretching it a bit. Might be best to add a proper test to qa-regression-
Creating a manual test description is trivial and doable, and we can commit to run it before every upload.
The contrib directory has some external tests, that require internet access and connect to a wireguard controlled server. These are not run by default.
[Quality assurance - packaging]
debian/watch is present and works:
```
$ uscan
uscan: Newest version of wireguard on remote site is 1.0.20210914, local version is 1.0.20210424
uscan: => Newer package available from:
=> https:/
Cloning into bare repository '../wireguard-
remote: Enumerating objects: 176, done.
remote: Counting objects: 100% (176/176), done.
remote: Compressing objects: 100% (150/150), done.
remote: Total 176 (delta 5), reused 40 (delta 0), pack-reused 0
Receiving objects: 100% (176/176), 158.40 KiB | 540.00 KiB/s, done.
Resolving deltas: 100% (5/5), done.
gpgv: Signature made Mon Sep 13 22:43:31 2021 UTC
gpgv: using RSA key AB9942E6D4A4CFC
gpgv: Good signature from "Jason A. Donenfeld <email address hidden>"
Successfully symlinked ../wireguard-
```
Lintian output is quite good:
```
$ lintian --pedantic -I
W: wireguard-tools: groff-message usr/share/
W: wireguard-tools: groff-message usr/share/
I: wireguard source: patch-not-
I: wireguard-tools: unused-override package-
P: wireguard-tools: capitalization-
N: 1 hint overridden (1 warning); 1 unused override
```
Lintian overrides are present, but ok because they are well explained in the override file.
This package does not rely on obsolete or about to be demoted packages.
This package has no python2 or GTK2 dependencies
The package will not be installed by default
Packaging and build is easy: https:/
[UI standards]
This is not a GUI app, and it's meant to run as a service, but its tools are user-facing.
In particular:
- wg: low level configuration for the VPN
- wg-quick: a bit high-level, reads a config file and brings interfaces up and down according to the config. It's also used by the shipped systemd service file.
None of these have translations.
[Dependencies]
No further depends or recommends dependencies that are not yet in main. Since the kernel code is in main, the wireguard-dkms dependency of the metapackage wireguard should be dropped.
[Standards compliance]
This package correctly follows FHS and Debian Policy. I'll just remark that it ships systemd target and service files, and that at install time these are not enabled. The service file is of the "@" type (I forgot what they are called), and depends on the creation of a configuration file named after the vpn interface you want brought up.
[Maintenance/Owner]
Server Team is not yet subscribed, but will subscribe to the package before promotion
This does not use static builds
[Background information]
The Package description explains the package well
Upstream Name is wireguard
Link to upstream project https:/
Note that this MIR is for the userspace part, which is "just" a configurator. The more critical nuts and bolts are in the Ubuntu kernel already.
Related branches
- Robie Basak: Approve
- Canonical Server: Pending requested
- Diff: 11 lines (+1/-0), 1 file modified: supported-misc-servers (+1/-0)

- description: updated
- description: updated
- Changed in wireguard (Ubuntu): assignee: Andreas Hasenack (ahasenack) → nobody
- Changed in wireguard (Ubuntu): status: Triaged → New
- Changed in wireguard (Ubuntu): assignee: nobody → Lukas Märdian (slyon)
- Changed in wireguard (Ubuntu): milestone: ubuntu-22.02 → ubuntu-22.04-feature-freeze
- Changed in wireguard (Ubuntu): status: Confirmed → Fix Committed
Update: I believe I'm able to create a better DEP8 test using a VM and network namespaces, establishing a wireguard vpn between them.