** Description changed:

- Placeholder bug for the upcoming wireguard MIR.
+ [Availability]
+ The package wireguard is already in Ubuntu universe, since xenial.
+ The package wireguard builds for the architectures it is designed to work on.
+ It currently builds and works for architectures: amd64, arm64, armhf, ppc64el, riscv64, s390x
+ Link to package: https://launchpad.net/ubuntu/+source/wireguard
+
+ [Rationale]
+ The package wireguard will generally be useful for a large part of our user
+ base. More importantly, the kernel component of wireguard is already in Ubuntu.
+
+ Additional reasons:
+ Package openvpn covers the same use case as wireguard, but wireguard is simpler
+ to set up and that is important for a VPN.
+
+ [Security]
+ No CVEs/security issues in this software in the past
+
+ http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireguard
+ 0 hits (the one hit is about wireshark dissecting the wireguard protocol)
+
+ site:www.openwall.com/lists/oss-security wireguard
+ - some hits around CVE-2019-14899 which was about the linux kernel, not wireguard specifically
+ - another hit on CVE-2021-3773, but that was more about netfilter and not wireguard specific
+
+ Ubuntu CVE tracker
+ All http://people.ubuntu.com/~ubuntu-security/cve/{main,universe,partner}.html links are redirecting to https://ubuntu.com/security/cve
+ - just one hit on wireshark
+
+ Upstream
+ https://www.wireguard.com/known-limitations/ lists some improvements that could be made
+ - no `suid` or `sgid` binaries
+ - no executables in `/sbin` and `/usr/sbin`
+ - Package installs one systemd service file, but it doesn't run by default. It's also not a service per se, as it doesn't start a daemon, but rather can be used to configure wireguard for a particular interface.
+ It's the kernel that will listen on the assigned port directly:
+ root@i2:~# dpkg -L wireguard-tools|grep systemd/system/
+ /lib/systemd/system/wg-quick.target
+ /lib/systemd/system/wg-quick@.service
+
+ root@i2:~# systemctl cat wg-quick@.service
+ # /lib/systemd/system/wg-quick@.service
+ [Unit]
+ Description=WireGuard via wg-quick(8) for %I
+ After=network-online.target nss-lookup.target
+ Wants=network-online.target nss-lookup.target
+ PartOf=wg-quick.target
+ Documentation=man:wg-quick(8)
+ Documentation=man:wg(8)
+ Documentation=https://www.wireguard.com/
+ Documentation=https://www.wireguard.com/quickstart/
+ Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
+ Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
+
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+ ExecStart=/usr/bin/wg-quick up %i
+ ExecStop=/usr/bin/wg-quick down %i
+ ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+ Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
+
+ [Install]
+ WantedBy=multi-user.target
+
+ And after it's running (wg0 in my example), there is no running process listening on the port, it's the kernel directly:
+ root@i2:~# cat /etc/wireguard/wg0.conf |grep Port
+ ListenPort = 55246
+
+ root@i2:~# ss -nlp|grep 55246
+ udp   UNCONN 0      0            0.0.0.0:55246      0.0.0.0:*
+ udp   UNCONN 0      0               [::]:55246         [::]:*
+
+ - Package does not open privileged ports (ports < 1024) (unless you ask for it I guess)
+ - the package is VPN software, so it is security-sensitive. Moreover, the network traffic goes directly into the kernel. That being said, the kernel is in main already, obviously, and the package subject to this MIR is just the configurator for it. But it does generate the crypto keys, so it is sensitive.
+ There are hints that this configuration aspect can be done, in the future perhaps, via systemd-networkd and/or netplan directly: https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/1892798/comments/9. But the wireguard-tools tooling is the "de facto" way of configuring wireguard, and not everybody uses network-manager, for example.
+
+
+ [Quality assurance - function/usage]
+ The package needs post-install configuration or reading of documentation; there isn't a safe default because, being VPN software, it relies on your network setup.
+ Steps after installation typically require the creation of a /etc/wireguard/wg0.conf file like this:
+ ```
+ [Interface]
+ ListenPort = 55246
+ PrivateKey = <secret generated via "wg genkey">
+ Address = 10.0.0.2/24
+
+ [Peer]
+ PublicKey = <obtained via "wg pubkey < private-key-file" on peer>
+ AllowedIPs = 10.0.0.1/32
+ Endpoint = 192.168.122.143:37135
+ ```
+
+ And a mirror config is needed on the peer side. Then there is nice support in systemd for per-interface services, and you can run this to enable and start the vpn:
+ systemctl enable wg-quick@wg0.service
+ systemctl start wg-quick@wg0.service
+
+ Debugging is usually needed at first, and it can be enabled by this, prior to starting the services:
+ # modprobe wireguard
+ # echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
+
+ Or via /etc/modprobe.d/wireguard.conf (and "sudo depmod -a" after):
+ install wireguard /sbin/modprobe --ignore-install wireguard; echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
+
+ Debugging messages will appear in the output of dmesg.
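Before enabling wg-quick@wg0 it is worth checking the file the unit will read, since it holds the interface's private key and wg-quick will happily bring up whatever is in it. The pre-flight script below is an added example; it is not part of the wireguard package, of the MIR text, or of the author's own tooling. It assumes Linux with GNU coreutils (stat -c) and the wg-quick config layout shown above; the function names wg_key_format_ok and wg_conf_check are invented for this example. It checks that the file is not group/other-readable, that PrivateKey and every PublicKey have the 44-character base64 shape that wg genkey and wg pubkey print, that ListenPort is a valid port (noting the privileged-port case raised under [Security]), and that every [Peer] carries AllowedIPs.

```shell
#!/bin/sh
# Added example, not part of the wireguard package or the MIR: a pre-flight
# check for a wg-quick(8) config (e.g. /etc/wireguard/wg0.conf) to run before
# "systemctl start wg-quick@wg0". Assumes Linux with GNU coreutils (stat -c).

# wg genkey / wg pubkey print a 32-byte key as 44 base64 characters.
# 32 bytes = 256 bits, 43 characters carry 258 bits, so the 43rd character
# must have its low two bits clear (only every fourth alphabet character
# can appear there) and the 44th is '=' padding.
wg_key_format_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Flags a [Peer] section that ended without AllowedIPs: WireGuard's cryptokey
# routing then sends nothing to that peer and drops everything arriving from it.
_wg_close_peer() {
    if [ "$peer_open" = 1 ] && [ "$peer_allowed" = 0 ]; then
        echo "peer $peer_n: no AllowedIPs"
        problems=$((problems + 1))
    fi
    peer_open=0
}

# Prints each problem found in config file $1 on its own line; the return
# status is the number of problems, so 0 means the file passed.
wg_conf_check() {
    conf=$1
    problems=0 section= have_privkey=0
    peer_open=0 peer_allowed=0 peer_n=0

    if [ ! -f "$conf" ]; then
        echo "no such file: $conf"
        return 1
    fi

    # The file holds the interface's private key: group/other must not be
    # able to read it. wg-quick runs as root, so mode 600 loses nothing.
    mode=$(stat -c '%a' "$conf")
    case $mode in
        *00) ;;
        *) echo "mode $mode: private key readable by group/other, use chmod 600"
           problems=$((problems + 1)) ;;
    esac

    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}    # drop comments
        line=$(printf '%s' "$line" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -n "$line" ] || continue
        case $line in
            '[Interface]') _wg_close_peer; section=Interface ;;
            '[Peer]') _wg_close_peer; section=Peer
                      peer_open=1 peer_allowed=0 peer_n=$((peer_n + 1)) ;;
            *=*)
                # split on the first '=' only: base64 keys end in '=' themselves
                key=$(printf '%s' "${line%%=*}" | sed -e 's/[[:space:]]*$//')
                value=$(printf '%s' "${line#*=}" | sed -e 's/^[[:space:]]*//')
                case "$section/$key" in
                    Interface/PrivateKey)
                        have_privkey=1
                        wg_key_format_ok "$value" ||
                            { echo "PrivateKey is not a valid wg key"; problems=$((problems + 1)); } ;;
                    Peer/PublicKey)
                        wg_key_format_ok "$value" ||
                            { echo "peer $peer_n: PublicKey '$value' is not a valid wg key"; problems=$((problems + 1)); } ;;
                    Peer/AllowedIPs)
                        peer_allowed=1
                        case $value in
                            *0.0.0.0/0*|*::/0*) echo "note: peer $peer_n will carry all traffic (AllowedIPs $value)" ;;
                        esac ;;
                    Interface/ListenPort)
                        case $value in
                            ''|*[!0-9]*) echo "ListenPort '$value' is not a number"; problems=$((problems + 1)) ;;
                            *) if [ "$value" -lt 1 ] || [ "$value" -gt 65535 ]; then
                                   echo "ListenPort $value is out of range"; problems=$((problems + 1))
                               elif [ "$value" -lt 1024 ]; then
                                   echo "note: ListenPort $value is a privileged port"
                               fi ;;
                        esac ;;
                esac ;;
            *) echo "unparsable line: $line"; problems=$((problems + 1)) ;;
        esac
    done < "$conf"
    _wg_close_peer

    if [ "$have_privkey" = 0 ]; then
        echo "[Interface] has no PrivateKey"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage: sh wg-conf-check.sh /etc/wireguard/wg0.conf
if [ $# -gt 0 ]; then
    wg_conf_check "$1"
fi
```

The format check is purely syntactic: it cannot tell a real Curve25519 key from a placeholder, so a config that passes still needs the keys to be the ones actually generated with wg genkey and exchanged with the peer. The AllowedIPs note for 0.0.0.0/0 or ::/0 is informational only, since a full-tunnel peer is a legitimate setup, but it is the line that decides whether all host traffic is routed into the tunnel.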
+
+
+ [Quality assurance - maintenance]
+ The package is maintained well in Debian/Ubuntu and has not too many
+ and long-term critical bugs open
+ - Ubuntu https://bugs.launchpad.net/ubuntu/+source/<TBD>/+bug
+ https://bugs.launchpad.net/ubuntu/+source/wireguard/+bugs
+ #1860206 - wg broke after an update in bionic, bug still open
+ #1864109 - bionic dkms build failure, doesn't even look like it was an ubuntu package (version has -wg1~bionic suffix, which is not what is in the archive for bionic)
+ #1873288 - wireguard-tools in focal recommending wireguard-dkms, easy to fix
+ #1882260 - doesn't look like an ubuntu package, and sounds like a support request
+ #1883316 - another dkms build error, this time on xenial
+ #1892798 - some problem with resolvconf integration, that ended in a flamewar
+
+ - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=0;dist=unstable;ordering=normal;repeatmerged=0;src=wireguard
+ No important bugs. One about resolvconf integration, another about default configuration, dkms issues (no longer relevant), and support requests
+
+ - The package does not deal with exotic hardware we cannot support
+
+ Fedora/RH:
+ https://bugzilla.redhat.com/buglist.cgi?quicksearch=wireguard
+ - 5 bugs atm, 3 of which are about the kernel module, one in network-manager, and the last one requesting wireguard-tools to be added to RHEL9.
+
+ Upstream:
+ There is no upstream bug tracker, not counting the kernel one, because this MIR is about the userspace part.
+ Looks like bugs are reported in Linux distributions, and in the upstream mailing list (https://lists.zx2c4.com/mailman/listinfo/wireguard)
+
+ [Quality assurance - testing]
+ The package does not run a test at build time.
+
+ The package runs a *trivial* autopkgtest, and it's failing in almost all past
+ ubuntu releases, but passing on jammy:
+ https://autopkgtest.ubuntu.com/packages/wireguard
+
+ The only failure in jammy is in i386, because the package isn't built
+ for i386.
+
+ Failures in older releases seem to be all related to missing some kernel
+ package dependency.
+
+ We could add a build-time test that is basically the same as the current
+ autopkgtest, that would be easy. Just generate and check keys.
+
+ Creating a more elaborate DEP8 test needs some work, as this is VPN
+ software that needs two endpoints. Might be doable in a vm and network
+ namespaces, but bringing up two other vms or even lxd containers and
+ orchestrating that in DEP8 is stretching it a bit. Might be best to add
+ a proper test to qa-regression-testing, like the existing openvpn one.
+
+ Creating a manual test description is trivial and doable, and we can
+ commit to run it before every upload.
+
+ The contrib directory has some external tests, that require internet
+ access and connect to a wireguard controlled server. These are not run
+ by default.
+
+ [Quality assurance - packaging]
+ debian/watch is present and works:
+ $ uscan
+ uscan: Newest version of wireguard on remote site is 1.0.20210914, local version is 1.0.20210424
+ uscan:    => Newer package available from:
+       => https://git.zx2c4.com/wireguard-tools refs/tags/v1.0.20210914
+ Cloning into bare repository '../wireguard-temporary.744.git'...
+ remote: Enumerating objects: 176, done.
+ remote: Counting objects: 100% (176/176), done.
+ remote: Compressing objects: 100% (150/150), done.
+ remote: Total 176 (delta 5), reused 40 (delta 0), pack-reused 0
+ Receiving objects: 100% (176/176), 158.40 KiB | 540.00 KiB/s, done.
+ Resolving deltas: 100% (5/5), done.
+ gpgv: Signature made Mon Sep 13 22:43:31 2021 UTC
+ gpgv:                using RSA key AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
+ gpgv: Good signature from "Jason A. Donenfeld <ja...@zx2c4.com>"
+ Successfully symlinked ../wireguard-1.0.20210914.tar.xz to ../wireguard_1.0.20210914.orig.tar.xz.
+
+
+ Lintian output is quite good:
+ $ lintian --pedantic -I
+ W: wireguard-tools: groff-message usr/share/man/man8/wg-quick.8.gz command exited with status 1: /usr/lib/man-db/zsoelim | /usr/lib/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8
+ W: wireguard-tools: groff-message usr/share/man/man8/wg.8.gz command exited with status 1: /usr/lib/man-db/zsoelim | /usr/lib/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e UTF-8 | groff -mandoc -Z -rLL=117n -rLT=117n -wmac -Tutf8
+ I: wireguard source: patch-not-forwarded-upstream debian/patches/0001-Avoid-using-git-during-build.patch
+ I: wireguard-tools: unused-override package-supports-alternative-init-but-no-init.d-script lib/systemd/system/wg-quick@.service
+ P: wireguard-tools: capitalization-in-override-comment non-standard-dir-perm (line 2) debian Debian
+ N: 1 hint overridden (1 warning); 1 unused override
+
+ Lintian overrides are present, but ok because they are well explained in
+ the override file.
+
+ This package does not rely on obsolete or about to be demoted packages.
+ This package has no python2 or GTK2 dependencies
+
+ The package will not be installed by default
+
+ Packaging and build is easy:
+ https://git.launchpad.net/ubuntu/+source/wireguard/tree/debian/rules
+
+
+ [UI standards]
+ This is not a GUI app, and it's meant to run as a service, but its tools are user-facing.
+ In particular:
+ - wg: low-level configuration for the VPN
+ - wg-quick: a bit higher-level, reads a config file and brings interfaces up and down according to the config. It's also used by the shipped systemd service file.
+ None of these have translations.
+
+ [Dependencies]
+ No further depends or recommends dependencies that are not yet in main
+
+ [Standards compliance]
+ This package correctly follows FHS and Debian Policy.
+ I'll just remark that it ships systemd target and service files, and that at install time these are not enabled. The service file is of the "@" type (I forgot what they are called), and depends on the creation of a configuration file named after the vpn interface you want brought up.
+
+ [Maintenance/Owner]
+ Server Team is not yet subscribed, but will subscribe to the package before promotion
+
+ This does not use static builds
+
+ [Background information]
+ The Package description explains the package well
+ Upstream Name is wireguard
+ Link to upstream project https://www.wireguard.com
+ Note that this MIR is for the userspace part, which is "just" a configurator. The more critical nuts and bolts are in the Ubuntu kernel already.
** Description changed:

  [Dependencies]
- No further depends or recommends dependencies that are not yet in main
+ No further depends or recommends dependencies that are not yet in main. Since the kernel code is in main, the wireguard-dkms dependency of the metapackage wireguard should be dropped.

  [Standards compliance]
  This package correctly follows FHS and Debian Policy.

** Changed in: wireguard (Ubuntu)
     Assignee: Andreas Hasenack (ahasenack) => (unassigned)

** Changed in: wireguard (Ubuntu)
       Status: Triaged => New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1950317

Title:
  [MIR] Wireguard

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/1950317/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs