WireGuard Archive on lore.kernel.org
* Re: [PATCH] Revert "dns-hatchet: apply resolv.conf's selinux context to new resolv.conf"
From: Jason A. Donenfeld @ 2026-06-12 17:04 UTC (permalink / raw)
  To: Robert Frohl; +Cc: wireguard
In-Reply-To: <20260608133610.108416-1-rfrohl@suse.com>

On Mon, Jun 08, 2026 at 03:36:10PM +0200, Robert Frohl wrote:
> This reverts commit 2ce4680bd34f371aacd3c09673c3c907274321cd.
> 
> selinux does not allow every domain to set file contexts and will raise
> relabelto/relabelfrom AVCs and block these changes if a domain tries to update
> the selinux context.
> 
> It is better to ignore selinux and leave the proper labeling to the
> selinux policy, which can add proper file transitions for the right
> context.

Does any existing selinux policy have anything to handle this? Or is this
purely speculative/future-facing?

Also, wondering if any distros are still shipping the hatchet.


* [PATCH] Revert "dns-hatchet: apply resolv.conf's selinux context to new resolv.conf"
From: Robert Frohl @ 2026-06-08 13:36 UTC (permalink / raw)
  To: wireguard; +Cc: Robert Frohl

This reverts commit 2ce4680bd34f371aacd3c09673c3c907274321cd.

selinux does not allow every domain to set file contexts and will raise
relabelto/relabelfrom AVCs and block these changes if a domain tries to update
the selinux context.

It is better to ignore selinux and leave the proper labeling to the
selinux policy, which can add proper file transitions for the right
context.

This also allows for a cleaner change in the selinux policy, because
otherwise it will need infrastructure to hide the relabel AVCs as well.

For reference please see the selinux policy PR:
  https://github.com/fedora-selinux/selinux-policy/pull/3030

Signed-off-by: Robert Frohl <rfrohl@suse.com>
---
 contrib/dns-hatchet/hatchet.bash | 2 --
 1 file changed, 2 deletions(-)

diff --git a/contrib/dns-hatchet/hatchet.bash b/contrib/dns-hatchet/hatchet.bash
index bc4d090..6f167cc 100644
--- a/contrib/dns-hatchet/hatchet.bash
+++ b/contrib/dns-hatchet/hatchet.bash
@@ -20,11 +20,9 @@ set_dns() {
 		[[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n' "${DNS_SEARCH[*]}"
 		} | unshare -m --propagation shared bash -c "$(cat <<-_EOF
 			set -e
-			context="\$(stat -c %C /etc/resolv.conf 2>/dev/null)" || unset context
 			mount --make-private /dev/shm
 			mount -t tmpfs none /dev/shm
 			cat > /dev/shm/resolv.conf
-			[[ -z \$context || \$context == "?" ]] || chcon "\$context" /dev/shm/resolv.conf 2>/dev/null || true
 			mount -o remount,ro /dev/shm
 			mount -o bind,ro /dev/shm/resolv.conf /etc/resolv.conf
 		_EOF
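Review bot: the removed chcon line already tolerated failure (`2>/dev/null || true`), so a relabelto/relabelfrom denial never broke set_dns; what this revert removes is the relabel attempt and the audit noise it produces, and the commit message's "block these changes" reads stronger than the script's actual behaviour, which is worth stating in the message. The practical consequence of dropping both lines is that /dev/shm/resolv.conf keeps whatever context the fresh tmpfs gives it unless the policy change in the linked PR provides a file transition for the domain that runs hatchet.bash; a one-line note on which domain and policy version that PR covers would answer the question of whether any shipped policy handles it today.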
-- 
2.53.0


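To turn the relabel denials the commit message refers to into something actionable, the following added example (not part of the patch or of the WireGuard project) parses raw audit.log AVC records and counts relabelfrom/relabelto denials by source domain and target type. The audit lines in SAMPLE_AUDIT are constructed; the `wireguard_t`, `tmpfs_t` and `net_conf_t` type names are assumptions standing in for whatever the local policy uses.

```python
"""Summarise SELinux relabel denials from raw audit.log AVC records.

Added example, not part of the dns-hatchet patch or the WireGuard project.
The records in SAMPLE_AUDIT are constructed; the domain and type names in
them (wireguard_t, tmpfs_t, net_conf_t) are assumptions, not a real policy.
"""
import re
from collections import Counter

# Fields we need from an AVC record: the denied permission set, the source
# and target contexts, and the object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

RELABEL_PERMS = {"relabelfrom", "relabelto"}


def parse_avc(line):
    """Return the parsed fields of an AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is what policy rules key on.
    return {
        "perms": set(m.group("perms").split()),
        "sdomain": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def relabel_denials(lines):
    """Count (source domain, permission, target type) for relabel denials on files."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["tclass"] != "file":
            continue
        for perm in rec["perms"] & RELABEL_PERMS:
            counts[(rec["sdomain"], perm, rec["ttype"])] += 1
    return counts


# Constructed sample records: a chcon from the hatchet's domain that is denied
# both halves of the relabel, an unrelated syscall record, and a read denial
# from another domain that must not be counted.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1717858570.123:456): avc:  denied  { relabelfrom } for  pid=4242 '
    'comm="chcon" name="resolv.conf" dev="tmpfs" ino=7 '
    'scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1717858570.123:457): avc:  denied  { relabelto } for  pid=4242 '
    'comm="chcon" name="resolv.conf" dev="tmpfs" ino=7 '
    'scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:net_conf_t:s0 '
    'tclass=file permissive=0',
    'type=SYSCALL msg=audit(1717858570.123:457): arch=c000003e syscall=189 success=no exit=-13',
    'type=AVC msg=audit(1717858571.001:458): avc:  denied  { read } for  pid=4300 '
    'comm="curl" name="resolv.conf" dev="tmpfs" ino=7 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 '
    'tclass=file permissive=0',
]

if __name__ == "__main__":
    for (domain, perm, ttype), n in sorted(relabel_denials(SAMPLE_AUDIT).items()):
        print(f"{domain} denied {perm} on {ttype}: {n}")
```

Each triple is what you would check against the policy: a relabel denial from the domain running hatchet.bash onto the resolv.conf type is the signal that the policy needs a file transition for that domain rather than an allow rule for the relabel permissions. The removed `chcon ... 2>/dev/null || true` hid the failure from the script but not from the audit log, which is why such records still appear.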

* [syzbot] [wireguard?] KCSAN: data-race in wg_socket_send_skb_to_peer / wg_socket_send_skb_to_peer (9)
From: syzbot @ 2026-06-01 14:33 UTC (permalink / raw)
  To: Jason, andrew+netdev, davem, edumazet, kuba, linux-kernel, netdev,
	pabeni, syzkaller-bugs, wireguard

Hello,

syzbot found the following issue on:

HEAD commit:    9215e74f228f Merge tag 'block-7.1-20260529' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10465ef2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f571f22917457cd8
dashboard link: https://syzkaller.appspot.com/bug?extid=9ca7674fa7521a3f1bc2
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1ddf3069118d/disk-9215e74f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0913e4ffbdb8/vmlinux-9215e74f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3fe3943ae796/bzImage-9215e74f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9ca7674fa7521a3f1bc2@syzkaller.appspotmail.com

==================================================================
BUG: KCSAN: data-race in wg_socket_send_skb_to_peer / wg_socket_send_skb_to_peer

read-write to 0xffff88811af99028 of 8 bytes by task 310 on cpu 1:
 wg_socket_send_skb_to_peer+0xe8/0x130 drivers/net/wireguard/socket.c:182
 wg_socket_send_buffer_to_peer+0xf1/0x120 drivers/net/wireguard/socket.c:199
 wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
 wg_packet_handshake_send_worker+0x10d/0x160 drivers/net/wireguard/send.c:51
 process_one_work kernel/workqueue.c:3314 [inline]
 process_scheduled_works+0x4f0/0x9c0 kernel/workqueue.c:3397
 worker_thread+0x58a/0x780 kernel/workqueue.c:3478
 kthread+0x22a/0x280 kernel/kthread.c:436
 ret_from_fork+0x146/0x330 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

read-write to 0xffff88811af99028 of 8 bytes by task 15360 on cpu 0:
 wg_socket_send_skb_to_peer+0xe8/0x130 drivers/net/wireguard/socket.c:182
 wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline]
 wg_packet_tx_worker+0x12d/0x330 drivers/net/wireguard/send.c:276
 process_one_work kernel/workqueue.c:3314 [inline]
 process_scheduled_works+0x4f0/0x9c0 kernel/workqueue.c:3397
 worker_thread+0x58a/0x780 kernel/workqueue.c:3478
 kthread+0x22a/0x280 kernel/kthread.c:436
 ret_from_fork+0x146/0x330 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

value changed: 0x0000000000000a2c -> 0x0000000000000ac0

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 15360 Comm: kworker/0:2 Tainted: G        W           syzkaller #0 PREEMPT(lazy) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Workqueue: wg-crypt-wg2 wg_packet_tx_worker
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* [PATCH 1/2] extract-handshakes: fix compatibility with upstream WireGuard module
From: Peter Wu @ 2026-05-31 22:55 UTC (permalink / raw)
  To: wireguard
In-Reply-To: <20260531225521.576473-1-peter@lekensteyn.nl>

Fix the probe target; it got prefixed with wg_ in WireGuard 0.0.20181006 to
prepare for upstream Linux inclusion. Fix the trace directory, since
Linux v6.17 the old location has been disabled by default.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
---
 .../extract-handshakes/extract-handshakes.sh    | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/contrib/extract-handshakes/extract-handshakes.sh b/contrib/extract-handshakes/extract-handshakes.sh
index 135a0d3..57d397e 100755
--- a/contrib/extract-handshakes/extract-handshakes.sh
+++ b/contrib/extract-handshakes/extract-handshakes.sh
@@ -34,17 +34,22 @@ for key in "${!OFFSETS[@]}"; do
 	done
 done
 
+# Use the new tracefs dir, since Linux v4.1. The old debugfs tracing directory
+# is gone since Linux v6.17 without CONFIG_TRACEFS_AUTOMOUNT_DEPRECATED=y.
+tracefs=/sys/kernel/tracing
+[ -e "$tracefs" ] || tracefs=/sys/kernel/debug/tracing
+
 turn_off() {
 	set +e
-	[[ -f /sys/kernel/debug/tracing/events/wireguard/idxadd/enable ]] || exit
-	echo 0 > /sys/kernel/debug/tracing/events/wireguard/idxadd/enable
-	echo "-:wireguard/idxadd" >> /sys/kernel/debug/tracing/kprobe_events
+	[[ -f "$tracefs/events/wireguard/idxadd/enable" ]] || exit
+	echo 0 > "$tracefs/events/wireguard/idxadd/enable"
+	echo "-:wireguard/idxadd" >> "$tracefs/kprobe_events"
 	exit
 }
 
 trap turn_off INT TERM EXIT
-echo "p:wireguard/idxadd index_hashtable_insert ${ARGS[*]}" >> /sys/kernel/debug/tracing/kprobe_events
-echo 1 > /sys/kernel/debug/tracing/events/wireguard/idxadd/enable
+echo "p:wireguard/idxadd wg_index_hashtable_insert ${ARGS[*]}" >> "$tracefs/kprobe_events"
+echo 1 > "$tracefs/events/wireguard/idxadd/enable"
 
 unpack_u64() {
 	local i expanded="$1"
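Review bot: the fallback at `[ -e "$tracefs" ] || tracefs=/sys/kernel/debug/tracing` gives no diagnostic when neither location is usable; the first thing to fail is then the bare `echo "p:wireguard/idxadd ..." >> "$tracefs/kprobe_events"` redirect, which under set -e aborts with only a shell error. Suggest testing for `"$tracefs/kprobe_events"` after the fallback and printing a message that names both paths and the CONFIG_TRACEFS_AUTOMOUNT_DEPRECATED option the comment already mentions, with the manual fix (`mount -t tracefs nodev /sys/kernel/tracing`). Minor: the new lines use `[ ]` while the rest of the script uses `[[ ]]`.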
@@ -77,4 +82,4 @@ while read -r line; do
 		done
 		echo "  $key = $(printf "$bytes" | base64)"
 	done
-done < /sys/kernel/debug/tracing/trace_pipe
+done < "$tracefs/trace_pipe"
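Review bot: reading `"$tracefs/trace_pipe"` consumes events from the top-level tracing instance, so any other consumer of trace_pipe on the host (or a second copy of this script) competes for the idxadd records, and the `events/wireguard/idxadd/enable` toggled in the earlier hunk is likewise the global one. Consider creating a dedicated instance (`mkdir "$tracefs/instances/wireguard"`) and pointing the enable file and the trace_pipe read at it; the kprobe definition in kprobe_events stays global, but enabling and draining it then belong to this script alone.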
-- 
2.54.0



* [PATCH 2/2] extract-handshakes: add a more user-friendly BTF approach
From: Peter Wu @ 2026-05-31 22:55 UTC (permalink / raw)
  To: wireguard
In-Reply-To: <20260531225521.576473-1-peter@lekensteyn.nl>

The previous implementation requires a copy of the WireGuard kernel module
sources matching the current kernel and a writeable directory.
Add an alternative implementation that reads the module offsets at
runtime using BTF (BPF Type Format).

The previous module-based implementation is maintained in case BTF is
unavailable, like hardened systems with structure layout randomization.

A fprobetrace-based approach was also considered as that would avoid the
need to manually extract BTF offsets. It is currently not feasible
however since the wg_index_hashtable_insert entry parameter cannot be
typecast to the larger structure it was embedded in.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
---
 contrib/extract-handshakes/README             |  7 +-
 .../extract-handshakes/extract-handshakes.sh  |  8 ++-
 contrib/extract-handshakes/make-offsets.sh    | 70 +++++++++++++++++++
 3 files changed, 82 insertions(+), 3 deletions(-)
 create mode 100755 contrib/extract-handshakes/make-offsets.sh

diff --git a/contrib/extract-handshakes/README b/contrib/extract-handshakes/README
index 1d030fa..568d142 100644
--- a/contrib/extract-handshakes/README
+++ b/contrib/extract-handshakes/README
@@ -6,7 +6,12 @@ to them being sent, via kprobes. It exports the bare minimum to be
 able to then decrypt all packets in the handshake and in the subsequent
 transport data session.
 
-Build:
+These probes depend on knowledge of kernel structure offsets. Ideally
+from BTF (BPF Type Format), available with CONFIG_DEBUG_INFO_BTF=y
+and Linux 5.2+. On systems where this is not available, an alternative
+approach is possible when WireGuard module sources are available.
+
+Build (only if BTF is unavailable):
 
     $ make
 
diff --git a/contrib/extract-handshakes/extract-handshakes.sh b/contrib/extract-handshakes/extract-handshakes.sh
index 57d397e..284749f 100755
--- a/contrib/extract-handshakes/extract-handshakes.sh
+++ b/contrib/extract-handshakes/extract-handshakes.sh
@@ -2,13 +2,17 @@
 # SPDX-License-Identifier: GPL-2.0
 #
 # Copyright (C) 2015-2026 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
-# Copyright (C) 2017-2018 Peter Wu <peter@lekensteyn.nl>. All Rights Reserved.
+# Copyright (C) 2017-2026 Peter Wu <peter@lekensteyn.nl>. All Rights Reserved.
 
 set -e
 
 ME_DIR="${BASH_SOURCE[0]}"
 ME_DIR="${ME_DIR%/*}"
-source "$ME_DIR/offsets.include" || { echo "Did you forget to run make?" >&2; exit 1; }
+if [ -e "$ME_DIR/offsets.include" ]; then
+	source "$ME_DIR/offsets.include"
+else
+	source "$ME_DIR/make-offsets.sh"
+fi
 
 case "$(uname -m)" in
 	x86_64) ARGUMENT_REGISTER="%si" ;;
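Review bot: `source "$ME_DIR/make-offsets.sh"` runs that file in the caller's shell, so its `set -eu -o pipefail` now applies to the remainder of extract-handshakes.sh, which was written under plain `set -e`; any later reference to an unset variable becomes fatal. make-offsets.sh already prints a sourceable `declare -A OFFSETS` block when executed rather than sourced, so `offsets=$("$ME_DIR/make-offsets.sh") || exit 1; eval "$offsets"` yields the same variables while confining the shell options, error messages and `exit 1` to a child process. Also, the "Did you forget to run make?" hint is gone: on a kernel without BTF the user now sees only the BTF error and is not pointed at the make fallback the README still documents.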
diff --git a/contrib/extract-handshakes/make-offsets.sh b/contrib/extract-handshakes/make-offsets.sh
new file mode 100755
index 0000000..ed7e6b4
--- /dev/null
+++ b/contrib/extract-handshakes/make-offsets.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright (C) 2026 Peter Wu <peter@lekensteyn.nl>. All Rights Reserved.
+
+set -eu -o pipefail
+
+if ! [ -e /sys/kernel/btf/vmlinux ]; then
+	echo "kernel BTF is missing, requires Linux v5.2+ with CONFIG_DEBUG_INFO_BTF=y" >&2
+	exit 1
+fi
+
+if ! [ -e /sys/kernel/btf/wireguard ]; then
+	echo "BTF not available for wireguard, ensure kernel module is loaded." >&2
+	exit 1
+fi
+
+for tool in bpftool jq; do
+	if ! type "$tool" &>/dev/null; then
+		echo "Extracting offsets using BTF requires tool: $tool" >&2
+		exit 1
+	fi
+done
+
+declare -A struct_offsets
+while read -r struct field offset; do
+	struct_offsets["$struct.$field"]="$offset"
+done < <(
+	bpftool -j btf dump file /sys/kernel/btf/wireguard |
+		jq -cr '.types[]|select(.kind=="STRUCT" and
+		(.name=="noise_handshake" or .name=="noise_static_identity")
+		) as $t|.members[]|[$t.name, .name, .bits_offset/8]|@tsv'
+)
+
+struct_offset() {
+	local struct="$1" field="$2" offset
+	offset="${struct_offsets[$struct.$field]:-}"
+	if [ -z "$offset" ]; then
+		echo "Failed to find offset for struct $struct $field" >&2
+		exit 1
+	fi
+	echo "$offset"
+}
+
+declare -A OFFSETS
+OFFSETS[LOCAL_STATIC_PRIVATE_KEY]=$(struct_offset noise_static_identity static_private),$(struct_offset noise_handshake static_identity)
+OFFSETS[LOCAL_EPHEMERAL_PRIVATE_KEY]=$(struct_offset noise_handshake ephemeral_private)
+OFFSETS[REMOTE_STATIC_PUBLIC_KEY]=$(struct_offset noise_handshake remote_static)
+OFFSETS[PRESHARED_KEY]=$(struct_offset noise_handshake preshared_key)
+
+if [ -e /sys/kernel/cpu_byteorder ]; then
+	# Since Linux 6.2 (February 2023)
+	read -r ENDIAN < /sys/kernel/cpu_byteorder
+else
+	[[ "$(lscpu)" == *Byte\ Order:*Big* ]] && ENDIAN=big || ENDIAN=little
+fi
+
+# Pretty-print values if not sourced.
+if ! (return 0 2>/dev/null); then
+	# Pretty-print version of 'declare -p OFFSETS'
+	cat <<EOF
+declare -A OFFSETS=(
+	[LOCAL_STATIC_PRIVATE_KEY]=${OFFSETS[LOCAL_STATIC_PRIVATE_KEY]}
+	[LOCAL_EPHEMERAL_PRIVATE_KEY]=${OFFSETS[LOCAL_EPHEMERAL_PRIVATE_KEY]}
+	[REMOTE_STATIC_PUBLIC_KEY]=${OFFSETS[REMOTE_STATIC_PUBLIC_KEY]}
+	[PRESHARED_KEY]=${OFFSETS[PRESHARED_KEY]}
+)
+ENDIAN=$ENDIAN
+EOF
+fi
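Review bot: the `/sys/kernel/btf/wireguard` check assumes WireGuard is a loadable module; with CONFIG_WIREGUARD=y that file never exists while the struct definitions are present in /sys/kernel/btf/vmlinux, so the script refuses to run even though the BTF it needs is there. Suggest falling back to dumping vmlinux when the module file is absent, and reserving the "ensure kernel module is loaded" message for the case where neither dump contains noise_handshake. Separately, `exit 1` inside struct_offset only ends the `$(...)` subshell; for `OFFSETS[LOCAL_STATIC_PRIVATE_KEY]=$(...),$(...)` the assignment's status is that of the second substitution, so a missing static_private prints the error and continues with a value like `,48`. Check both keys exist in `struct_offsets` before the assignment, or build that value in a variable with explicit tests.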
-- 
2.54.0


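As an added example (not the project's make-offsets.sh and not code from this series), the block below does in Python what that script's jq filter does: it walks a `bpftool -j btf dump` document and resolves the byte offsets of the noise_handshake and noise_static_identity members the kprobe needs, building the same OFFSETS entries in the same element order. BTF_DUMP is a constructed, cut-down dump; its type ids, sizes and offsets are assumptions and do not describe any real kernel. It also rejects bitfield members, which the jq expression `.bits_offset/8` would silently turn into a fractional offset.

```python
"""Resolve WireGuard handshake struct offsets from a bpftool BTF JSON dump.

Added example, not the project's make-offsets.sh. BTF_DUMP is a constructed
sample in the shape of `bpftool -j btf dump file ...` output, restricted to
the two STRUCT entries of interest; the ids, sizes and offsets in it are
assumptions and do not describe any real kernel build.
"""
import json

BTF_DUMP = json.dumps({"types": [
    {"id": 1, "kind": "STRUCT", "name": "noise_static_identity", "size": 104,
     "members": [
         {"name": "static_public", "type_id": 10, "bits_offset": 0},
         {"name": "static_private", "type_id": 10, "bits_offset": 256},
         {"name": "lock", "type_id": 11, "bits_offset": 512},
         {"name": "has_identity", "type_id": 12, "bits_offset": 576},
     ]},
    {"id": 2, "kind": "STRUCT", "name": "noise_handshake", "size": 400,
     "members": [
         {"name": "entry", "type_id": 13, "bits_offset": 0},
         {"name": "state", "type_id": 14, "bits_offset": 256},
         {"name": "last_initiation_consumption", "type_id": 15, "bits_offset": 320},
         {"name": "static_identity", "type_id": 16, "bits_offset": 384},
         {"name": "ephemeral_private", "type_id": 10, "bits_offset": 448},
         {"name": "remote_static", "type_id": 10, "bits_offset": 704},
         {"name": "remote_ephemeral", "type_id": 10, "bits_offset": 960},
         {"name": "precomputed_static_static", "type_id": 10, "bits_offset": 1216},
         {"name": "preshared_key", "type_id": 10, "bits_offset": 1472},
     ]},
]})


def struct_offsets(btf_json, wanted):
    """Map 'struct.field' -> byte offset for every member of the wanted structs."""
    offsets = {}
    for t in json.loads(btf_json)["types"]:
        if t.get("kind") != "STRUCT" or t.get("name") not in wanted:
            continue
        for m in t["members"]:
            # Key material is byte-aligned; a bitfield here means the dump is
            # not what we expect, so fail loudly instead of emitting 12.5.
            if m["bits_offset"] % 8:
                raise ValueError(f"{t['name']}.{m['name']} is a bitfield")
            offsets[f"{t['name']}.{m['name']}"] = m["bits_offset"] // 8
    return offsets


def handshake_offsets(btf_json):
    """Build the OFFSETS table in the form make-offsets.sh emits.

    LOCAL_STATIC_PRIVATE_KEY is two comma-separated elements, in the same order
    the shell script uses: the field inside noise_static_identity first, then
    the static_identity pointer field inside noise_handshake.
    """
    off = struct_offsets(btf_json, {"noise_handshake", "noise_static_identity"})

    def need(key):
        if key not in off:
            raise KeyError(f"BTF has no member {key}")
        return off[key]

    return {
        "LOCAL_STATIC_PRIVATE_KEY": f"{need('noise_static_identity.static_private')},"
                                    f"{need('noise_handshake.static_identity')}",
        "LOCAL_EPHEMERAL_PRIVATE_KEY": str(need("noise_handshake.ephemeral_private")),
        "REMOTE_STATIC_PUBLIC_KEY": str(need("noise_handshake.remote_static")),
        "PRESHARED_KEY": str(need("noise_handshake.preshared_key")),
    }


if __name__ == "__main__":
    for key, value in handshake_offsets(BTF_DUMP).items():
        print(f"[{key}]={value}")
```

On a real system the input would be the output of `bpftool -j btf dump file /sys/kernel/btf/wireguard` (or of vmlinux when WireGuard is built in); the function raises KeyError rather than returning a partial table when a member is missing, which is the failure mode to guard against when the kernel's struct layout differs from what the probe expects.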

* [PATCH 0/2] extract-handshakes: add BTF approach and fix compatibility
From: Peter Wu @ 2026-05-31 22:55 UTC (permalink / raw)
  To: wireguard

While trying to decrypt WireGuard traffic in Wireshark, I noticed the
extract-handshakes utility broke since upstreaming in Linux v5.6 (2019).

Attached is a patch to fix the main issue, and another one to remove a
dependency on the WireGuard kernel module sources by relying on BTF.

Tested on Arch Linux (7.0.10-arch1-1) and Ubuntu 24.04
(6.8.0-41-generic), both have BTF support.

Peter Wu (2):
  extract-handshakes: fix compatibility with upstream WireGuard module
  extract-handshakes: add a more user-friendly BTF approach

 contrib/extract-handshakes/README             |  7 +-
 .../extract-handshakes/extract-handshakes.sh  | 25 ++++---
 contrib/extract-handshakes/make-offsets.sh    | 70 +++++++++++++++++++
 3 files changed, 93 insertions(+), 9 deletions(-)
 create mode 100755 contrib/extract-handshakes/make-offsets.sh

-- 
2.54.0



* Add instructions to verify android APK to wireguard.com
From: Douglas Silva @ 2026-05-20 20:27 UTC (permalink / raw)
  To: wireguard@lists.zx2c4.com

The instructions were posted on the mailing list [1] in 2023, but it's still not available on the site.

Assuming they're still relevant, I think it's a good idea to put them on the installation page [2]. Even a link to that mailing list message would help.

[1] https://lists.zx2c4.com/pipermail/wireguard/2023-May/008057.html
[2] https://www.wireguard.com/install/#android-play-store-direct-apk-file


* Re: crypto/ahash.c:1073:1: warning: the frame size of 1040 bytes is larger than 1024 bytes
From: Christophe Leroy (CS GROUP) @ 2026-05-19 14:54 UTC (permalink / raw)
  To: Geert Uytterhoeven, kernel test robot
  Cc: Herbert Xu, oe-kbuild-all, linux-kernel, linux-mips, linuxppc-dev,
	wireguard
In-Reply-To: <CAMuHMdXPeUnjN__PvY+HQg+cSxKe-RLnyT-A5KGe=4cmjnUNbg@mail.gmail.com>



On 11/05/2026 at 08:42, Geert Uytterhoeven wrote:
> On Sat, 9 May 2026 at 19:07, kernel test robot <lkp@intel.com> wrote:
>> FYI, the error/warning still remains.
>>
>> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>> head:   ec89572766744e844df24c27d31c97b4c00f4e07
>> commit: 9d9b193ed73a65ec47cf1fd39925b09da8216461 crypto: hash - Increase HASH_MAX_DESCSIZE for hmac(sha3-224-s390)
>> date:   9 months ago
>> config: mips-eyeq5_defconfig (https://download.01.org/0day-ci/archive/20260510/202605100125.l4JVHppO-lkp@intel.com/config)
>> compiler: mips64-linux-gcc (GCC) 15.2.0
>> reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260510/202605100125.l4JVHppO-lkp@intel.com/reproduce)
>>
>> If you fix the issue in a separate patch/commit (i.e. not just a new version of
>> the same patch/commit), kindly add following tags
>> | Fixes: 9d9b193ed73a ("crypto: hash - Increase HASH_MAX_DESCSIZE for hmac(sha3-224-s390)")
>> | Reported-by: kernel test robot <lkp@intel.com>
>> | Closes: https://lore.kernel.org/oe-kbuild-all/202605100125.l4JVHppO-lkp@intel.com/
>>
>> All warnings (new ones prefixed by >>):
>>
>>     crypto/ahash.c: In function 'crypto_hash_digest':
>>>> crypto/ahash.c:1073:1: warning: the frame size of 1040 bytes is larger than 1024 bytes [-Wframe-larger-than=]
>>      1073 | }
>>           | ^
> 
> This is one of the few defconfigs that still use CONFIG_FRAME_WARN=1024.
> The default value for 32-bit systems was lifted from 1024 to 1280 in
> commit 32115734c0ed8b46 ("Increase the default 32-bit build frame size
> warning limit to 1280 bytes") in v6.18, so perhaps the downgrade to
> 1024 should be dropped from the following defconfigs:
> 
> $ git grep CONFIG_FRAME_WARN=1024
> arch/mips/configs/eyeq5_defconfig:CONFIG_FRAME_WARN=1024
> arch/mips/configs/eyeq6_defconfig:CONFIG_FRAME_WARN=1024
> arch/mips/configs/eyeq6lplus_defconfig:CONFIG_FRAME_WARN=1024
> arch/mips/configs/lemote2f_defconfig:CONFIG_FRAME_WARN=1024
> arch/mips/configs/loongson2k_defconfig:CONFIG_FRAME_WARN=1024
> arch/powerpc/configs/fsl-emb-nonhw.config:CONFIG_FRAME_WARN=1024

I agree for that one; let's drop the downgrade. I don't know why it was
added in the first place, as it was the default; most likely someone
didn't use make savedefconfig.

So feel free to drop that in a treewide cleanup with my Acked-by:
Christophe Leroy (CS GROUP) <chleroy@kernel.org>



> tools/testing/selftests/wireguard/qemu/arch/arm.config:CONFIG_FRAME_WARN=1024
> tools/testing/selftests/wireguard/qemu/arch/armeb.config:CONFIG_FRAME_WARN=1024
> tools/testing/selftests/wireguard/qemu/arch/i686.config:CONFIG_FRAME_WARN=1024
> tools/testing/selftests/wireguard/qemu/arch/m68k.config:CONFIG_FRAME_WARN=1024
> tools/testing/selftests/wireguard/qemu/arch/mips.config:CONFIG_FRAME_WARN=1024
> tools/testing/selftests/wireguard/qemu/arch/mipsel.config:CONFIG_FRAME_WARN=1024
> tools/testing/selftests/wireguard/qemu/arch/powerpc.config:CONFIG_FRAME_WARN=1024
> 
> I am not sure about the wireguard selftests: they might use the lower
> value deliberately for testing?
> 
> Gr{oetje,eeting}s,
> 
>                          Geert
> 



* [PATCH] feat: add Import from Clipboard and Paste/Type config options
From: me @ 2026-05-13 16:32 UTC (permalink / raw)
  To: wireguard

Changes:
- AddTunnelsSheet: two new buttons + REQUEST_CLIPBOARD / REQUEST_TEXT
- TunnelListFragment: handles both new request methods; showSnackbar
  promoted to internal so PasteConfigDialogFragment can call it
- PasteConfigDialogFragment: new dialog fragment with auto-fill and
  inline validation
- dialog_paste_config.xml: monospace multi-line TextInputEditText
- add_tunnels_bottom_sheet.xml: two new Material buttons wired up
- strings.xml: all new user-visible strings added
---
 .../android/fragment/AddTunnelsSheet.kt       |  18 ++++
 .../fragment/PasteConfigDialogFragment.kt     | 102 ++++++++++++++++++
 .../android/fragment/TunnelListFragment.kt    |  25 ++++-
 .../res/layout/add_tunnels_bottom_sheet.xml   |  60 +++++++++--
 .../main/res/layout/dialog_paste_config.xml   |  35 ++++++
 ui/src/main/res/values/strings.xml            |   8 ++
 6 files changed, 241 insertions(+), 7 deletions(-)
 create mode 100644 ui/src/main/java/com/wireguard/android/fragment/PasteConfigDialogFragment.kt
 create mode 100644 ui/src/main/res/layout/dialog_paste_config.xml

diff --git 
a/ui/src/main/java/com/wireguard/android/fragment/AddTunnelsSheet.kt 
b/ui/src/main/java/com/wireguard/android/fragment/AddTunnelsSheet.kt
index 161709c3..c0e10afd 100644
--- a/ui/src/main/java/com/wireguard/android/fragment/AddTunnelsSheet.kt
+++ b/ui/src/main/java/com/wireguard/android/fragment/AddTunnelsSheet.kt
@@ -68,6 +68,14 @@ class AddTunnelsSheet : BottomSheetDialogFragment() {
                     dismiss()
                     onRequestScanQRCode()
                 }
+               
 dialog.findViewById<View>(R.id.create_from_clipboard)?.setOnClickListener 
{
+                    dismiss()
+                    onRequestImportFromClipboard()
+                }
+               
 dialog.findViewById<View>(R.id.create_from_text)?.setOnClickListener {
+                    dismiss()
+                    onRequestImportFromText()
+                }
             }
         })
         val gradientDrawable = GradientDrawable().apply {
@@ -93,11 +101,21 @@ class AddTunnelsSheet : BottomSheetDialogFragment() 
{
         setFragmentResult(REQUEST_KEY_NEW_TUNNEL, Bundle().apply { 
putString(REQUEST_METHOD, REQUEST_SCAN) })
     }
 
+    private fun onRequestImportFromClipboard() {
+        setFragmentResult(REQUEST_KEY_NEW_TUNNEL, Bundle().apply { 
putString(REQUEST_METHOD, REQUEST_CLIPBOARD) })
+    }
+
+    private fun onRequestImportFromText() {
+        setFragmentResult(REQUEST_KEY_NEW_TUNNEL, Bundle().apply { 
putString(REQUEST_METHOD, REQUEST_TEXT) })
+    }
+
     companion object {
         const val REQUEST_KEY_NEW_TUNNEL = "request_new_tunnel"
         const val REQUEST_METHOD = "request_method"
         const val REQUEST_CREATE = "request_create"
         const val REQUEST_IMPORT = "request_import"
         const val REQUEST_SCAN = "request_scan"
+        const val REQUEST_CLIPBOARD = "request_clipboard"
+        const val REQUEST_TEXT = "request_text"
     }
 }
diff --git 
a/ui/src/main/java/com/wireguard/android/fragment/PasteConfigDialogFragment.kt 
b/ui/src/main/java/com/wireguard/android/fragment/PasteConfigDialogFragment.kt
new file mode 100644
index 00000000..f6e86236
--- /dev/null
+++ 
b/ui/src/main/java/com/wireguard/android/fragment/PasteConfigDialogFragment.kt
@@ -0,0 +1,102 @@
+/*
+ * Copyright © 2017-2025 WireGuard LLC. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package com.wireguard.android.fragment
+
+import android.app.Dialog
+import android.content.ClipboardManager
+import android.content.Context
+import android.os.Bundle
+import android.text.Editable
+import android.text.TextWatcher
+import android.view.LayoutInflater
+import android.widget.Button
+import androidx.appcompat.app.AlertDialog
+import androidx.fragment.app.DialogFragment
+import androidx.lifecycle.lifecycleScope
+import com.google.android.material.textfield.TextInputEditText
+import com.google.android.material.textfield.TextInputLayout
+import com.wireguard.android.R
+import com.wireguard.android.util.TunnelImporter
+import kotlinx.coroutines.launch
+
+/**
+ * Dialog that lets the user paste or manually type a WireGuard config 
INI block.
+ * Fields ([Interface] / [Peer] sections) are auto-detected from the 
input text.
+ * On "Import", the config is validated and handed to [TunnelImporter].
+ */
+class PasteConfigDialogFragment : DialogFragment() {
+
+    override fun onCreateDialog(savedInstanceState: Bundle?): Dialog {
+        val inflater = LayoutInflater.from(requireContext())
+        val view = inflater.inflate(R.layout.dialog_paste_config, null)
+
+        val textInputLayout = 
view.findViewById<TextInputLayout>(R.id.config_text_input_layout)
+        val editText = 
view.findViewById<TextInputEditText>(R.id.config_edit_text)
+
+        // Pre-fill from clipboard if it looks like a WireGuard config
+        val clipboard = 
requireContext().getSystemService(Context.CLIPBOARD_SERVICE) as 
ClipboardManager
+        val clipText = 
clipboard.primaryClip?.getItemAt(0)?.coerceToText(requireContext())?.toString()
+        if (!clipText.isNullOrBlank() && 
looksLikeWireGuardConfig(clipText)) {
+            editText.setText(clipText)
+        }
+
+        val dialog = AlertDialog.Builder(requireContext())
+            .setTitle(R.string.paste_config_dialog_title)
+            .setView(view)
+            .setPositiveButton(R.string.paste_config_import, null) // 
set below to prevent auto-dismiss on error
+            .setNegativeButton(android.R.string.cancel, null)
+            .create()
+
+        dialog.setOnShowListener {
+            val importButton: Button = 
dialog.getButton(AlertDialog.BUTTON_POSITIVE)
+
+            // Validate on every keystroke — highlight error inline
+            editText.addTextChangedListener(object : TextWatcher {
+                override fun beforeTextChanged(s: CharSequence?, start: 
Int, count: Int, after: Int) = Unit
+                override fun onTextChanged(s: CharSequence?, start: 
Int, before: Int, count: Int) = Unit
+                override fun afterTextChanged(s: Editable?) {
+                    textInputLayout.error = null
+                    importButton.isEnabled = !s.isNullOrBlank()
+                }
+            })
+            importButton.isEnabled = !editText.text.isNullOrBlank()
+
+            importButton.setOnClickListener {
+                val configText = 
editText.text?.toString().orEmpty().trim()
+                if (configText.isEmpty()) {
+                    textInputLayout.error = 
getString(R.string.paste_config_empty_error)
+                    return@setOnClickListener
+                }
+                lifecycleScope.launch {
+                    TunnelImporter.importTunnel(parentFragmentManager, 
configText) { message ->
+                        // Show result via the parent fragment's 
snackbar mechanism
+                        (parentFragment as? TunnelListFragment)?.let {
+                            it.showSnackbar(message)
+                        }
+                    }
+                }
+                dismiss()
+            }
+        }
+
+        return dialog
+    }
+
+    companion object {
+        /**
+         * Heuristic: a string contains at least one [Interface] or 
[Peer] section header
+         * and at least one key = value pair typical of WireGuard 
configs.
+         */
+        fun looksLikeWireGuardConfig(text: String): Boolean {
+            val hasSection = text.contains("[Interface]", ignoreCase = 
true) ||
+                text.contains("[Peer]", ignoreCase = true)
+            val hasKeyValue = text.contains("PrivateKey", ignoreCase = 
true) ||
+                text.contains("PublicKey", ignoreCase = true) ||
+                text.contains("Address", ignoreCase = true) ||
+                text.contains("Endpoint", ignoreCase = true)
+            return hasSection && hasKeyValue
+        }
+    }
+}
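Review bot: the import is launched on the dialog fragment's own `lifecycleScope` and `dismiss()` is called immediately after; once the dialog is destroyed that scope is cancelled, so an import that suspends inside `TunnelImporter.importTunnel` can be cancelled before it finishes, and the `parentFragment as? TunnelListFragment` lookup in the callback then runs against a detached fragment. Launch from the parent's scope instead (TunnelListFragment already does `lifecycleScope.launch { TunnelImporter.importTunnel(...) }` in its own clipboard path) and dismiss afterwards. Two smaller points: reading `clipboard.primaryClip` unprompted in onCreateDialog pre-fills the field with whatever happens to be in the clipboard, which on current Android surfaces a clipboard-access notice and duplicates the explicit "Import from Clipboard" entry, so gate the pre-fill behind a user action; and since this field receives private keys, the layout should use an input type without suggestions and mark the field not important for autofill, otherwise keyboards and autofill services may retain the key. The comment "inline validation" also oversells `afterTextChanged`, which only clears the error and checks for blank input.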
diff --git 
a/ui/src/main/java/com/wireguard/android/fragment/TunnelListFragment.kt 
b/ui/src/main/java/com/wireguard/android/fragment/TunnelListFragment.kt
index 119b6afe..6ade6279 100644
--- 
a/ui/src/main/java/com/wireguard/android/fragment/TunnelListFragment.kt
+++ 
b/ui/src/main/java/com/wireguard/android/fragment/TunnelListFragment.kt
@@ -4,6 +4,8 @@
  */
 package com.wireguard.android.fragment
 
+import android.content.ClipboardManager
+import android.content.Context
 import android.content.Intent
 import android.content.res.Resources
 import android.os.Bundle
@@ -122,6 +124,15 @@ class TunnelListFragment : BaseFragment() {
                                    
 .setPrompt(getString(R.string.qr_code_hint))
                             )
                         }
+
+                        AddTunnelsSheet.REQUEST_CLIPBOARD -> {
+                            onRequestImportFromClipboard()
+                        }
+
+                        AddTunnelsSheet.REQUEST_TEXT -> {
+                            PasteConfigDialogFragment()
+                                .show(childFragmentManager, 
"PASTE_CONFIG")
+                        }
                     }
                 }
                 bottomSheet.showNow(childFragmentManager, 
"BOTTOM_SHEET")
@@ -154,6 +165,18 @@ class TunnelListFragment : BaseFragment() {
         }
     }
 
+    private fun onRequestImportFromClipboard() {
+        val clipboard = 
requireContext().getSystemService(Context.CLIPBOARD_SERVICE) as 
ClipboardManager
+        val text = 
clipboard.primaryClip?.getItemAt(0)?.coerceToText(requireContext())?.toString()
+        if (text.isNullOrBlank()) {
+            showSnackbar(getString(R.string.clipboard_empty_error))
+            return
+        }
+        lifecycleScope.launch {
+            TunnelImporter.importTunnel(parentFragmentManager, text) { 
showSnackbar(it) }
+        }
+    }
+
     private fun onTunnelDeletionFinished(count: Int, throwable: 
Throwable?) {
         val message: String
         val ctx = activity ?: Application.get()
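Review bot: the clipboard path hands the raw clipboard text to `TunnelImporter.importTunnel` without the `looksLikeWireGuardConfig()` precheck the paste dialog applies, so arbitrary clipboard contents (a URL, a password) are parsed as a tunnel config and the user sees whatever error the importer reports. Reuse the heuristic here for a clearer early message. Also, after a successful import the private key remains in the system clipboard, readable by the next foreground app; offering to clear it (`ClipboardManager.clearPrimaryClip()` on API 28 and later) would close that window.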
@@ -194,7 +217,7 @@ class TunnelListFragment : BaseFragment() {
         }
     }
 
-    private fun showSnackbar(message: CharSequence) {
+    internal fun showSnackbar(message: CharSequence) {
         val binding = binding
         if (binding != null)
             Snackbar.make(binding.mainContainer, message, 
Snackbar.LENGTH_LONG)
diff --git a/ui/src/main/res/layout/add_tunnels_bottom_sheet.xml 
b/ui/src/main/res/layout/add_tunnels_bottom_sheet.xml
index 0ad1ef23..c2224f83 100644
--- a/ui/src/main/res/layout/add_tunnels_bottom_sheet.xml
+++ b/ui/src/main/res/layout/add_tunnels_bottom_sheet.xml
@@ -42,22 +42,22 @@
         android:layout_marginEnd="@dimen/normal_margin"
         android:layout_marginRight="@dimen/normal_margin"
         android:nextFocusUp="@id/create_from_file"
-        android:nextFocusDown="@id/create_empty"
-        android:nextFocusForward="@id/create_empty"
+        android:nextFocusDown="@id/create_from_clipboard"
+        android:nextFocusForward="@id/create_from_clipboard"
         android:text="@string/create_from_qr_code"
         android:textAlignment="viewStart"
         android:textColor="?attr/colorOnSurface"
         app:icon="@drawable/ic_action_scan_qr_code"
         app:iconPadding="@dimen/bottom_sheet_icon_padding"
         app:iconTint="?attr/colorSecondary"
-        app:layout_constraintBottom_toBottomOf="@+id/create_empty"
+       
 app:layout_constraintBottom_toTopOf="@+id/create_from_clipboard"
         app:layout_constraintEnd_toEndOf="parent"
         app:layout_constraintStart_toStartOf="parent"
         app:layout_constraintTop_toBottomOf="@+id/create_from_file"
         app:rippleColor="?attr/colorSecondary" />
 
     <com.google.android.material.button.MaterialButton
-        android:id="@+id/create_empty"
+        android:id="@+id/create_from_clipboard"
         style="@style/Widget.Material3.Button.TextButton.Icon"
         android:layout_width="match_parent"
         android:layout_height="@dimen/bottom_sheet_item_height"
@@ -66,16 +66,64 @@
         android:layout_marginEnd="@dimen/normal_margin"
         android:layout_marginRight="@dimen/normal_margin"
         android:nextFocusUp="@id/create_from_qrcode"
-        android:text="@string/create_empty"
+        android:nextFocusDown="@id/create_from_text"
+        android:nextFocusForward="@id/create_from_text"
+        android:text="@string/create_from_clipboard"
+        android:textAlignment="viewStart"
+        android:textColor="?attr/colorOnSurface"
+        app:icon="@drawable/ic_action_copy"
+        app:iconPadding="@dimen/bottom_sheet_icon_padding"
+        app:iconTint="?attr/colorSecondary"
+        app:layout_constraintBottom_toTopOf="@+id/create_from_text"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toBottomOf="@+id/create_from_qrcode"
+        app:rippleColor="?attr/colorSecondary" />
+
+    <com.google.android.material.button.MaterialButton
+        android:id="@+id/create_from_text"
+        style="@style/Widget.Material3.Button.TextButton.Icon"
+        android:layout_width="match_parent"
+        android:layout_height="@dimen/bottom_sheet_item_height"
+        android:layout_marginStart="@dimen/normal_margin"
+        android:layout_marginLeft="@dimen/normal_margin"
+        android:layout_marginEnd="@dimen/normal_margin"
+        android:layout_marginRight="@dimen/normal_margin"
+        android:nextFocusUp="@id/create_from_clipboard"
+        android:nextFocusDown="@id/create_empty"
+        android:nextFocusForward="@id/create_empty"
+        android:text="@string/create_from_text"
         android:textAlignment="viewStart"
         android:textColor="?attr/colorOnSurface"
         app:icon="@drawable/ic_action_edit"
         app:iconPadding="@dimen/bottom_sheet_icon_padding"
         app:iconTint="?attr/colorSecondary"
+        app:layout_constraintBottom_toTopOf="@+id/create_empty"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+       
 app:layout_constraintTop_toBottomOf="@+id/create_from_clipboard"
+        app:rippleColor="?attr/colorSecondary" />
+
+    <com.google.android.material.button.MaterialButton
+        android:id="@+id/create_empty"
+        style="@style/Widget.Material3.Button.TextButton.Icon"
+        android:layout_width="match_parent"
+        android:layout_height="@dimen/bottom_sheet_item_height"
+        android:layout_marginStart="@dimen/normal_margin"
+        android:layout_marginLeft="@dimen/normal_margin"
+        android:layout_marginEnd="@dimen/normal_margin"
+        android:layout_marginRight="@dimen/normal_margin"
+        android:nextFocusUp="@id/create_from_text"
+        android:text="@string/create_empty"
+        android:textAlignment="viewStart"
+        android:textColor="?attr/colorOnSurface"
+        app:icon="@drawable/ic_action_add"
+        app:iconPadding="@dimen/bottom_sheet_icon_padding"
+        app:iconTint="?attr/colorSecondary"
         app:layout_constraintBottom_toBottomOf="parent"
         app:layout_constraintEnd_toEndOf="parent"
         app:layout_constraintStart_toStartOf="parent"
-        app:layout_constraintTop_toBottomOf="@+id/create_from_qrcode"
+        app:layout_constraintTop_toBottomOf="@+id/create_from_text"
         app:rippleColor="?attr/colorSecondary" />
 
 </androidx.constraintlayout.widget.ConstraintLayout>
diff --git a/ui/src/main/res/layout/dialog_paste_config.xml 
b/ui/src/main/res/layout/dialog_paste_config.xml
new file mode 100644
index 00000000..75ae5133
--- /dev/null
+++ b/ui/src/main/res/layout/dialog_paste_config.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?><!--
+  ~ Copyright © 2017-2025 WireGuard LLC. All Rights Reserved.
+  ~ SPDX-License-Identifier: Apache-2.0
+  -->
+<LinearLayout 
xmlns:android="http://schemas.android.com/apk/res/android"
+    android:layout_width="match_parent"
+    android:layout_height="wrap_content"
+    android:orientation="vertical"
+    android:paddingStart="@dimen/normal_margin"
+    android:paddingEnd="@dimen/normal_margin"
+    android:paddingTop="8dp"
+    android:paddingBottom="8dp">
+
+    <com.google.android.material.textfield.TextInputLayout
+        android:id="@+id/config_text_input_layout"
+        style="@style/Widget.Material3.TextInputLayout.OutlinedBox"
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content"
+        android:hint="@string/paste_config_hint">
+
+        <com.google.android.material.textfield.TextInputEditText
+            android:id="@+id/config_edit_text"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:fontFamily="monospace"
+            android:gravity="top|start"
+            android:inputType="textMultiLine|textNoSuggestions"
+            android:minLines="10"
+            android:maxLines="20"
+            android:scrollbars="vertical"
+            android:textSize="12sp" />
+
+    </com.google.android.material.textfield.TextInputLayout>
+
+</LinearLayout>
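Review bot: the field defined here receives a complete WireGuard configuration, private key included, so the `TextInputEditText` should also set `android:importantForAutofill="no"` so that autofill services are never offered its contents; `textNoSuggestions` covers keyboard suggestions but not autofill. Minor style point: `android:paddingTop="8dp"` and `android:paddingBottom="8dp"` are hard-coded while every other spacing in the file goes through `@dimen/` resources.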
diff --git a/ui/src/main/res/values/strings.xml 
b/ui/src/main/res/values/strings.xml
index 32e797e6..6b07c79b 100644
--- a/ui/src/main/res/values/strings.xml
+++ b/ui/src/main/res/values/strings.xml
@@ -97,8 +97,16 @@
     <string name="create_bin_dir_error">Cannot create local binary 
directory</string>
     <string name="create_downloads_file_error">Cannot create file in 
downloads directory</string>
     <string name="create_empty">Create from scratch</string>
+    <string name="create_from_clipboard">Import from clipboard</string>
     <string name="create_from_file">Import from file or 
archive</string>
     <string name="create_from_qr_code">Scan from QR code</string>
+    <string name="create_from_text">Paste or type config</string>
+    <string name="paste_config_dialog_title">Import tunnel 
configuration</string>
+    <string name="paste_config_hint">Paste or type your WireGuard 
config here…</string>
+    <string name="paste_config_import">Import</string>
+    <string name="paste_config_empty_error">Configuration text cannot 
be empty</string>
+    <string name="clipboard_empty_error">Clipboard does not contain any 
text</string>
+    <string name="clipboard_import_success">Tunnel imported from 
clipboard</string>
     <string name="create_output_dir_error">Cannot create output 
directory</string>
     <string name="create_temp_dir_error">Cannot create local temporary 
directory</string>
     <string name="create_tunnel">Create Tunnel</string>
-- 
2.43.0

* [PATCH] Added space to allowedNameFormat
From: konstantineb @ 2026-05-12 14:50 UTC (permalink / raw)
  To: wireguard; +Cc: Konstantine

From: Konstantine <konstantineb@pm.me>

Commit message:

fix(windows): support adapter names containing spaces

WireGuardNT permits NIC names with spaces (e.g., WireGuardCreateAdapter(L"Data Center", ...)),
but the Windows implementation previously rejected them.
This update removes that limitation and enables full compatibility.

Signed-off-by: Konstantine <konstantineb@pm.me>
---
 conf/name.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/name.go b/conf/name.go
index c34db900..3f5c680e 100644
--- a/conf/name.go
+++ b/conf/name.go
@@ -24,7 +24,7 @@ const (
 	specialChars         = "/\\<>:\"|?*\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x00"
 )
 
-var allowedNameFormat = regexp.MustCompile("^[a-zA-Z0-9_=+.-]{1,32}$")
+var allowedNameFormat = regexp.MustCompile("^[a-zA-Z0-9_=+. -]{1,32}$")
 
 func isReserved(name string) bool {
 	if len(name) == 0 {
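Review bot: the widened class in `^[a-zA-Z0-9_=+. -]{1,32}$` also accepts a name that is entirely spaces, or one with a leading or trailing space (`"Data Center "` as distinct from `"Data Center"`), and Win32 file-name handling strips trailing spaces, so two distinct conf names can collide on disk. Keep the regexp but additionally reject names where `strings.TrimSpace(name) != name`, and add a test for the accepted and rejected forms. The commit message cites WireGuardNT's WireGuardCreateAdapter, but the check being changed lives in conf/name.go; a sentence on where this name flows (file names, adapter names, or both) would help reviewers judge the impact.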
-- 
2.50.1.windows.1

* Re: Unable to use wireguard 0.6 / 1.0 / 1.0.1 on Windows 24H2
From: Jason A. Donenfeld @ 2026-05-12  7:08 UTC (permalink / raw)
  To: Justin; +Cc: wireguard
In-Reply-To: <CAJQz1VbZJuzcrC_BkV=Rdaehj_-irhXQYZrt2kCCg+FG_TTW6w@mail.gmail.com>

Hi Justin,

I'm working on this now. I think I have a decent idea of what's
happening (odd windows bug), but could you email me (privately) all of
the logs in \windows\inf\, including the historical backup ones, the
offline ones, the upgrade ones, the setup ones, etc, so I can try to
figure out the whole flow of the bug?

Thanks,
Jason

* Re: crypto/ahash.c:1073:1: warning: the frame size of 1040 bytes is larger than 1024 bytes
From: Geert Uytterhoeven @ 2026-05-11  6:42 UTC (permalink / raw)
  To: kernel test robot
  Cc: Herbert Xu, oe-kbuild-all, linux-kernel, linux-mips, linuxppc-dev,
	wireguard
In-Reply-To: <202605100125.l4JVHppO-lkp@intel.com>

On Sat, 9 May 2026 at 19:07, kernel test robot <lkp@intel.com> wrote:
> FYI, the error/warning still remains.
>
> tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> head:   ec89572766744e844df24c27d31c97b4c00f4e07
> commit: 9d9b193ed73a65ec47cf1fd39925b09da8216461 crypto: hash - Increase HASH_MAX_DESCSIZE for hmac(sha3-224-s390)
> date:   9 months ago
> config: mips-eyeq5_defconfig (https://download.01.org/0day-ci/archive/20260510/202605100125.l4JVHppO-lkp@intel.com/config)
> compiler: mips64-linux-gcc (GCC) 15.2.0
> reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260510/202605100125.l4JVHppO-lkp@intel.com/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Fixes: 9d9b193ed73a ("crypto: hash - Increase HASH_MAX_DESCSIZE for hmac(sha3-224-s390)")
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202605100125.l4JVHppO-lkp@intel.com/
>
> All warnings (new ones prefixed by >>):
>
>    crypto/ahash.c: In function 'crypto_hash_digest':
> >> crypto/ahash.c:1073:1: warning: the frame size of 1040 bytes is larger than 1024 bytes [-Wframe-larger-than=]
>     1073 | }
>          | ^

This is one of the few defconfigs that still use CONFIG_FRAME_WARN=1024.
The default value for 32-bit systems was lifted from 1024 to 1280 in
commit 32115734c0ed8b46 ("Increase the default 32-bit build frame size
warning limit to 1280 bytes") in v6.18, so perhaps the downgrade to
1024 should be dropped from the following defconfigs:

$ git grep CONFIG_FRAME_WARN=1024
arch/mips/configs/eyeq5_defconfig:CONFIG_FRAME_WARN=1024
arch/mips/configs/eyeq6_defconfig:CONFIG_FRAME_WARN=1024
arch/mips/configs/eyeq6lplus_defconfig:CONFIG_FRAME_WARN=1024
arch/mips/configs/lemote2f_defconfig:CONFIG_FRAME_WARN=1024
arch/mips/configs/loongson2k_defconfig:CONFIG_FRAME_WARN=1024
arch/powerpc/configs/fsl-emb-nonhw.config:CONFIG_FRAME_WARN=1024
tools/testing/selftests/wireguard/qemu/arch/arm.config:CONFIG_FRAME_WARN=1024
tools/testing/selftests/wireguard/qemu/arch/armeb.config:CONFIG_FRAME_WARN=1024
tools/testing/selftests/wireguard/qemu/arch/i686.config:CONFIG_FRAME_WARN=1024
tools/testing/selftests/wireguard/qemu/arch/m68k.config:CONFIG_FRAME_WARN=1024
tools/testing/selftests/wireguard/qemu/arch/mips.config:CONFIG_FRAME_WARN=1024
tools/testing/selftests/wireguard/qemu/arch/mipsel.config:CONFIG_FRAME_WARN=1024
tools/testing/selftests/wireguard/qemu/arch/powerpc.config:CONFIG_FRAME_WARN=1024

I am not sure about the wireguard selftests: they might use the lower
value deliberately for testing?

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

* [PATCH wireguard-go] conn: allow StdNetBind to bind to specific host addresses
From: Mukul Sabharwal @ 2026-05-10 19:58 UTC (permalink / raw)
  To: wireguard; +Cc: Jason, Mukul Sabharwal

Currently StdNetBind opens its IPv4 and IPv6 sockets on the unspecified
address (0.0.0.0 and [::]). Embedders that want the WireGuard listener
restricted to a specific local address — for example an Android
application that wants its inbound peers to reach it only over Wi-Fi
and never over the cellular interface, or a host with multiple
interfaces where listening on a single one is preferable for routing
or security reasons — currently have to reimplement Bind from scratch
just to substitute a different bind address, losing the recvmmsg /
sendmmsg / GSO optimizations along the way.

Add a NewStdNetBindWithBindHost(host4, host6 string) constructor that
records optional per-family bind hosts on the StdNetBind. Open() passes
them through to listenNet, which now uses net.JoinHostPort instead of
the hardcoded ":port" wildcard. Empty strings preserve the existing
any-address behavior, so NewStdNetBind() is unchanged for existing
callers.

Tests verify that an explicit loopback host pins both v4 and v6
listeners to loopback, and that the default constructor still binds to
the unspecified address.

Signed-off-by: Mukul Sabharwal <mjsabby@gmail.com>
---
 conn/bind_std.go      | 35 ++++++++++++++++++++++++++++----
 conn/bind_std_test.go | 46 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+), 4 deletions(-)

diff --git a/conn/bind_std.go b/conn/bind_std.go
index f5c8816..9291b4b 100644
--- a/conn/bind_std.go
+++ b/conn/bind_std.go
@@ -46,10 +46,37 @@ type StdNetBind struct {
 
 	blackhole4 bool
 	blackhole6 bool
+
+	// Optional bind hosts for the IPv4 and IPv6 listeners. An empty
+	// string preserves the historical behavior of binding to the
+	// unspecified address (0.0.0.0 / [::]). These are read in Open()
+	// under mu and not mutated thereafter.
+	bindHost4 string
+	bindHost6 string
 }
 
 func NewStdNetBind() Bind {
+	return newStdNetBind("", "")
+}
+
+// NewStdNetBindWithBindHost returns a StdNetBind whose IPv4 / IPv6 listeners
+// bind to the supplied hosts instead of the unspecified address. An empty
+// string for either argument preserves the default any-address behavior for
+// that family. This is useful on hosts with multiple addresses where the
+// caller wants the WireGuard listener pinned to one of them — e.g. an
+// Android app that wants its inbound peers to reach it only over Wi-Fi
+// and never over the cellular interface.
+//
+// The hosts must parse as literal IP addresses (no DNS lookups are
+// performed). They are not validated until Open() is called.
+func NewStdNetBindWithBindHost(host4, host6 string) Bind {
+	return newStdNetBind(host4, host6)
+}
+
+func newStdNetBind(host4, host6 string) Bind {
 	return &StdNetBind{
+		bindHost4: host4,
+		bindHost6: host6,
 		udpAddrPool: sync.Pool{
 			New: func() any {
 				return &net.UDPAddr{
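Review bot: the doc comment on NewStdNetBindWithBindHost promises that the hosts are IP literals and that no DNS lookups are performed, yet neither constructor checks this and the comment itself defers validation to Open(); parse both arguments with `netip.ParseAddr` here and surface an error for a non-literal host, and reject an IPv6 literal in `host4` (and vice versa) so the failure is a clear message rather than a bind error with the wrong address family. The comment should also say that a pinned address does not follow the interface: in the Wi-Fi example, when that address changes or disappears the socket is no longer reachable and Open() has to be called again.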
@@ -119,8 +146,8 @@ func (e *StdNetEndpoint) DstToString() string {
 	return e.AddrPort.String()
 }
 
-func listenNet(network string, port int) (*net.UDPConn, int, error) {
-	conn, err := listenConfig().ListenPacket(context.Background(), network, ":"+strconv.Itoa(port))
+func listenNet(network, host string, port int) (*net.UDPConn, int, error) {
+	conn, err := listenConfig().ListenPacket(context.Background(), network, net.JoinHostPort(host, strconv.Itoa(port)))
 	if err != nil {
 		return nil, 0, err
 	}
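Review bot: `net.JoinHostPort(host, ...)` is handed straight to `ListenPacket`, which resolves a hostname through DNS when given one, so as written listenNet contradicts the "no DNS lookups are performed" contract in the new doc comment; validate the host with `netip.ParseAddr` before this call (or in the constructor) so a hostname is rejected instead of resolved. The empty-host case does still produce ":port", so existing callers keep the wildcard bind.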
@@ -156,13 +183,13 @@ again:
 	var v4pc *ipv4.PacketConn
 	var v6pc *ipv6.PacketConn
 
-	v4conn, port, err = listenNet("udp4", port)
+	v4conn, port, err = listenNet("udp4", s.bindHost4, port)
 	if err != nil && !errors.Is(err, syscall.EAFNOSUPPORT) {
 		return nil, 0, err
 	}
 
 	// Listen on the same port as we're using for ipv4.
-	v6conn, port, err = listenNet("udp6", port)
+	v6conn, port, err = listenNet("udp6", s.bindHost6, port)
 	if uport == 0 && errors.Is(err, syscall.EADDRINUSE) && tries < 100 {
 		v4conn.Close()
 		tries++
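Review bot: with a pinned `bindHost4`, an address that is not currently configured on any interface makes Open() fail outright, since only EAFNOSUPPORT is tolerated on the v4 path, and the v6 call on the following line behaves the same way; that is the right outcome, but it deserves a sentence in the commit message because embedders used to the wildcard bind will now see Open() fail whenever the pinned interface is down.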
diff --git a/conn/bind_std_test.go b/conn/bind_std_test.go
index 34a3c9a..e5d6650 100644
--- a/conn/bind_std_test.go
+++ b/conn/bind_std_test.go
@@ -27,6 +27,52 @@ func TestStdNetBindReceiveFuncAfterClose(t *testing.T) {
 	}
 }
 
+func TestStdNetBindWithBindHost(t *testing.T) {
+	bind := NewStdNetBindWithBindHost("127.0.0.1", "::1").(*StdNetBind)
+	if _, _, err := bind.Open(0); err != nil {
+		t.Fatal(err)
+	}
+	defer bind.Close()
+	if bind.ipv4 == nil {
+		t.Fatal("ipv4 listener not opened")
+	}
+	la4, ok := bind.ipv4.LocalAddr().(*net.UDPAddr)
+	if !ok {
+		t.Fatalf("ipv4 LocalAddr is not *net.UDPAddr: %T", bind.ipv4.LocalAddr())
+	}
+	if !la4.IP.IsLoopback() {
+		t.Errorf("ipv4 listener bound to %v, want loopback", la4.IP)
+	}
+	if bind.ipv6 != nil {
+		la6, ok := bind.ipv6.LocalAddr().(*net.UDPAddr)
+		if !ok {
+			t.Fatalf("ipv6 LocalAddr is not *net.UDPAddr: %T", bind.ipv6.LocalAddr())
+		}
+		if !la6.IP.IsLoopback() {
+			t.Errorf("ipv6 listener bound to %v, want loopback", la6.IP)
+		}
+	}
+}
+
+func TestStdNetBindDefaultBindHost(t *testing.T) {
+	// Empty host strings must preserve the historical wildcard behavior.
+	bind := NewStdNetBind().(*StdNetBind)
+	if _, _, err := bind.Open(0); err != nil {
+		t.Fatal(err)
+	}
+	defer bind.Close()
+	if bind.ipv4 == nil {
+		t.Fatal("ipv4 listener not opened")
+	}
+	la4, ok := bind.ipv4.LocalAddr().(*net.UDPAddr)
+	if !ok {
+		t.Fatalf("ipv4 LocalAddr is not *net.UDPAddr: %T", bind.ipv4.LocalAddr())
+	}
+	if !la4.IP.IsUnspecified() {
+		t.Errorf("ipv4 listener bound to %v, want unspecified", la4.IP)
+	}
+}
+
 func mockSetGSOSize(control *[]byte, gsoSize uint16) {
 	*control = (*control)[:cap(*control)]
 	binary.LittleEndian.PutUint16(*control, gsoSize)
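Review bot: `TestStdNetBindWithBindHost` passes silently when `bind.ipv6` is nil because the whole IPv6 check sits inside that `if`, so on a machine where the `::1` listener cannot be opened the IPv6 pin is never verified; make the nil case an explicit `t.Skip` with a reason, or assert non-nil where IPv6 is known to be available. Neither test covers the error path the doc comment relies on, namely a non-literal host or a family mismatch (an IPv6 literal passed as host4) being rejected at Open().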
-- 
2.53.0
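A worked version of the bind-host handling this patch introduces, added here as an illustration and not code from wireguard-go or from the patch: BindAddr and ListenPinned are hypothetical names. It shows that net.JoinHostPort keeps the wildcard form for an empty host, and that parsing with netip.ParseAddr rejects hostnames and wrong-family literals before ListenPacket is ever reached.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strconv"
)

// BindAddr turns an optional bind host into the address string given to
// net.ListenPacket for network "udp4" or "udp6" (hypothetical helper, not
// part of wireguard-go).
//
// An empty host yields ":port", which is exactly what net.JoinHostPort("",
// port) produces, so the wildcard behaviour is preserved. A non-empty host
// must be an IP literal of the matching family: a hostname is rejected
// because ListenPacket would otherwise resolve it through DNS, and a
// wrong-family literal is rejected with a clear message instead of an
// opaque bind error later.
func BindAddr(network, host string, port int) (string, error) {
	portStr := strconv.Itoa(port)
	if host == "" {
		return net.JoinHostPort("", portStr), nil
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return "", fmt.Errorf("bind host %q is not an IP literal: %w", host, err)
	}
	switch network {
	case "udp4":
		if !addr.Is4() {
			return "", fmt.Errorf("bind host %q is not an IPv4 address", host)
		}
	case "udp6":
		if !addr.Is6() {
			return "", fmt.Errorf("bind host %q is not an IPv6 address", host)
		}
	default:
		return "", fmt.Errorf("unsupported network %q", network)
	}
	// JoinHostPort brackets IPv6 literals, zoned ones (fe80::1%eth0)
	// included, which is the form ListenPacket expects.
	return net.JoinHostPort(host, portStr), nil
}

// ListenPinned opens a UDP socket on the validated address and returns the
// address the kernel actually bound, so a caller can confirm the pin.
func ListenPinned(network, host string, port int) (*net.UDPConn, *net.UDPAddr, error) {
	laddr, err := BindAddr(network, host, port)
	if err != nil {
		return nil, nil, err
	}
	pc, err := net.ListenPacket(network, laddr)
	if err != nil {
		return nil, nil, err
	}
	conn := pc.(*net.UDPConn)
	return conn, conn.LocalAddr().(*net.UDPAddr), nil
}

func main() {
	cases := []struct{ network, host string }{
		{"udp4", ""},          // wildcard, as before the patch
		{"udp4", "127.0.0.1"}, // pinned to loopback
		{"udp6", "::1"},       // pinned IPv6 (fails harmlessly where IPv6 is off)
		{"udp4", "::1"},       // wrong family: rejected before bind
		{"udp4", "localhost"}, // hostname: rejected, no DNS lookup
	}
	for _, c := range cases {
		conn, bound, err := ListenPinned(c.network, c.host, 0)
		if err != nil {
			fmt.Printf("%-4s %-12q -> error: %v\n", c.network, c.host, err)
			continue
		}
		fmt.Printf("%-4s %-12q -> bound %v (unspecified=%v loopback=%v)\n",
			c.network, c.host, bound, bound.IP.IsUnspecified(), bound.IP.IsLoopback())
		conn.Close()
	}
}
```

The family check matters on the v4 path in particular: ListenPacket("udp4", "[::1]:port") fails only at bind time with a generic error, whereas the check above names the offending argument.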



* Re: WireGuard obfuscation & active probing: staying virtuous under pressure
From: Ian Chen @ 2026-04-26  4:50 UTC (permalink / raw)
  To: Leonid Evdokimov, wireguard
In-Reply-To: <1fa035ae8cbcf09df9bd196228f5a3d6cc1a6faa.camel@hotmail.com>

On Wed, 2026-04-22 at 19:32 +0800, Ian Chen wrote:
> > WireGuard over Shadowsocks-2022
> > ===============================
> > 
> > TL;DR: Too much crypto + deployment challenges.
> > 
> > Shadowsocks is a good solution against censor, but it strips 40
> > more
> > bytes from MTU and AEADs data twice: XChaCha20-Poly1305 of
> > Shadowsocks +
> > ChaCha20-Poly1305 of WireGuard burning twice as much carbon
> > credits.
> > Performance matters: e.g. Mullvad introduces LWO claiming
> > performance
> > improvement over Shadowsocks.
> 
> I developed swgp-go around the same time I wrote the spec for
> Shadowsocks 2022. At the time, I intentionally left replay protection
> out of swgp-go, because I thought WireGuard wouldn't need it.
> 
> Thanks to your work, I now understand that this assumption was wrong!
> So I added it into swgp-go:
> https://github.com/database64128/swgp-go/commit/207a055ab0a1058579f299fc1021cc64c95b21db
> 
> The new "zero-overhead-2026" and "paranoid-2026" modes provide replay
> protection for handshake packets. Replayed packets are dropped by
> checking the nonce and an encrypted unix epoch timestamp, similar to
> how Shadowsocks 2022's TCP construction does it.
> 
> This won't address the "DoSer" scenario, but should provide enough
> protection against censors without knowledge of the OBFSK.

I sent the previous email a few days ago, and it never showed up on the
mailing list archive, probably due to all that PGP signing stuff I
didn't turn off. Let's see if this one works.

* [PATCH] Revert "dns-hatchet: apply resolv.conf's selinux context to new resolv.conf"
From: Robert Frohl @ 2026-04-24  9:33 UTC (permalink / raw)
  To: wireguard; +Cc: Robert Frohl

This reverts commit 2ce4680bd34f371aacd3c09673c3c907274321cd.

selinux does not allow every domain to set file contexts and will raise
relabelto/relabelfrom AVCs and block these changes if a domain tries to update
the selinux context.

It is better to ignore selinux and leave the proper labeling to the
selinux policy, which can add proper file transitions for the right
context.

This also allows for a cleaner change in the selinux policy, because
otherwise it will need infrastructure to hide the relabel AVCs as well.

For reference please see the selinux policy PR:
  https://github.com/fedora-selinux/selinux-policy/pull/3030

Signed-off-by: Robert Frohl <rfrohl@suse.com>
---
 contrib/dns-hatchet/hatchet.bash | 2 --
 1 file changed, 2 deletions(-)

diff --git a/contrib/dns-hatchet/hatchet.bash b/contrib/dns-hatchet/hatchet.bash
index bc4d090..6f167cc 100644
--- a/contrib/dns-hatchet/hatchet.bash
+++ b/contrib/dns-hatchet/hatchet.bash
@@ -20,11 +20,9 @@ set_dns() {
 		[[ ${#DNS_SEARCH[@]} -eq 0 ]] || printf 'search %s\n' "${DNS_SEARCH[*]}"
 		} | unshare -m --propagation shared bash -c "$(cat <<-_EOF
 			set -e
-			context="\$(stat -c %C /etc/resolv.conf 2>/dev/null)" || unset context
 			mount --make-private /dev/shm
 			mount -t tmpfs none /dev/shm
 			cat > /dev/shm/resolv.conf
-			[[ -z \$context || \$context == "?" ]] || chcon "\$context" /dev/shm/resolv.conf 2>/dev/null || true
 			mount -o remount,ro /dev/shm
 			mount -o bind,ro /dev/shm/resolv.conf /etc/resolv.conf
 		_EOF
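Review bot: with the `chcon` line gone, the resolv.conf written into the fresh tmpfs keeps the tmpfs default label instead of the context that `stat -c %C /etc/resolv.conf` reported, and that label is what confined resolvers see through the bind mount on the following lines; on a host whose policy does not yet carry the file transition from the linked PR, this revert trades a relabel AVC for a read denial on resolv.conf. The commit message should state which policy version ships the transition and that hosts on older policy need a local module, so the regression is documented rather than discovered.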
-- 
2.53.0

* Unable to use wireguard 0.6 / 1.0 / 1.0.1 on Windows 24H2
From: Justin @ 2026-04-24  3:19 UTC (permalink / raw)
  To: wireguard

I've been using 0.5.3 for a long time.
I upgraded to 0.6/1.0/1.0.1 and haven't been able to connect. The
install appeared to succeed.
I've uninstalled, rebooted, and reinstalled 0.5.3 and it works fine.

It seems the kernel driver is not installing for me.

What logs would be useful? I've attached some that I could find. Let
me know if I can provide additional information.

In case it matters: I run as a regular user, and I open tunnels by
starting them in an elevated command prompt.

-- 
---
Justin Ho

[-- Attachment #2: setupapi.txt --]
[-- Type: text/plain, Size: 6864 bytes --]

Get-Content "$env:windir\inf\setupapi.dev.log" | Select-String -Pattern "wireguard|wintun|fffff" -Context 2,5 | Select-Object -Last 30

>      idb:                {Register Driver Package: C:\Windows\System32\DriverStore\FileRepository\wireguard.inf_amd64_053a7fe4b9f21442\wireguard.inf} 19:50:32.534
>      idb:                     Created driver package object 'wireguard.inf_amd64_053a7fe4b9f21442' in DRIVERS database node.
       idb:                     Created driver INF file object 'oem36.inf' in DRIVERS database node.
>      idb:                     Registered driver package 'wireguard.inf_amd64_053a7fe4b9f21442' with 'oem36.inf'.
       idb:                {Register Driver Package: exit(0x00000000)} 19:50:32.538
>      idb:                {Publish Driver Package: C:\Windows\System32\DriverStore\FileRepository\wireguard.inf_amd64_053a7fe4b9f21442\wireguard.inf} 19:50:32.539
>      idb:                     Activating driver package 'wireguard.inf_amd64_053a7fe4b9f21442'.
>      cpy:                     Published 'wireguard.inf_amd64_053a7fe4b9f21442\wireguard.inf' to 'oem36.inf'.
>      idb:                     Indexed 2 device IDs for 'wireguard.inf_amd64_053a7fe4b9f21442'.
       sto:                     Flushed driver database node 'DRIVERS'. Time = 0 ms
       sto:                     Flushed driver database node 'SYSTEM'. Time = 0 ms
       idb:                {Publish Driver Package: exit(0x00000000)} 19:50:32.548
       sto:                {DRIVERSTORE IMPORT END} 19:50:32.550
       dvi:                     Flushed all driver package files to disk. Time = 1 ms
>      sig:                     Installed catalog 'wireguard.cat' as 'oem36.cat'.
       sto:                {DRIVERSTORE IMPORT END: exit(0x00000000)} 19:50:32.606
       sto:           {Core Driver Package Import: exit(0x00000000)} 19:50:32.607
       sto:      {Stage Driver Package: exit(0x00000000)} 19:50:32.608
> !    dvi:      Unable to locate device 'ROOT\WIREGUARD\0000'. cr = 0x0D
       sto: {Setup Import Driver Package - exit (0x00000000)} 19:50:32.735
>      inf: Driver Store Path: C:\Windows\System32\DriverStore\FileRepository\wireguard.inf_amd64_053a7fe4b9f21442\wireguard.inf
       inf: Published Inf Path: C:\Windows\INF\oem36.inf
  <<<  Section end 2026/04/23 19:50:32.778
  <<<  [Exit status: SUCCESS]


> >>>  [Device Install (Hardware initiated) - SWD\WireGuard\{06A6F956-B04C-FB24-8D43-BCF8C102B460}]
  >>>  Section start 2026/04/23 19:50:32.807
       ump: Install needed due to device having problem code CM_PROB_REINSTALL
>      utl: {Select Drivers - SWD\WireGuard\{06A6F956-B04C-FB24-8D43-BCF8C102B460}} 19:50:32.815
       utl:      Driver Node:
       utl:           Status         - Selected
>      utl:           Driver INF     - oem36.inf (C:\Windows\System32\DriverStore\FileRepository\wireguard.inf_amd64_053a7fe4b9f21442\wireguard.inf)
       utl:           Class GUID     - {4d36e972-e325-11ce-bfc1-08002be10318}
       utl:           Driver Version - 04/18/2026,1.0.0.0
>      utl:           Configuration  - WireGuard
       utl:           Driver Rank    - 00FF0000
       utl:           Signer Score   - WHQL (0D000005)
       utl:           Submission ID  - 58177670_13751989183616671_1152921505700876788
       utl:           Attributes     - Universal
       utl: {Select Drivers - exit(0x00000000} 19:50:32.822
       dvi: Install flags: 0x00010000
       dvi: {Core Device Install} 19:50:32.825
>      dvi:      {Configure Device - SWD\WireGuard\{06A6F956-B04C-FB24-8D43-BCF8C102B460}} 19:50:32.826
       dvi:           Device Status: 0x01802400 [0x12 - 0xc0000493]
       dvi:           Config Flags: 0x00000000
       dvi:           Parent Device: HTREE\ROOT\0
>      sto:           {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\wireguard.inf_amd64_053a7fe4b9f21442\wireguard.inf} 19:50:32.829
>      sto:                Source Filter  = WireGuard
       inf:                Config Options = IsolationCompat
       inf:                Class GUID     = {4d36e972-e325-11ce-bfc1-08002be10318}
       inf:                Class Options  = Configurable
>      inf:                {Configure Driver: WireGuard Tunnel}
>      inf:                     Section Name = WireGuard.Install
>      inf:                     {Add Service: WireGuard}
       inf:                          Flags         = 0x2
       inf:                          Start Type    = 3
       inf:                          Service Type  = 1
       inf:                          Error Control = 1
>      inf:                          Image Path    = \SystemRoot\System32\drivers\wireguard.sys
>      inf:                          Display Name  = WireGuard
>      inf:                          Description   = WireGuard Tunnel
>      inf:                          Updated service 'WireGuard'.
       inf:                     {Add Service: exit(0x00000000)}
>      inf:                     Hardware Id  = WireGuard
>      inf:                     {Configure Driver Configuration: WireGuard.Install}
>      inf:                          Service Name  = WireGuard
       inf:                          Config Flags  = 0x00000000
       inf:                     {Configure Driver Configuration: exit(0x00000000)}
       inf:                {Configure Driver: exit(0x00000000)}
       flq:                {FILE_QUEUE_COMMIT} 19:50:32.848
  !!!  bak:                     Failed to create temp file under 'C:\Windows\Temp'.  Error = 0x00000570
> !    cpy:                     Unable to backup file 'C:\Windows\System32\drivers\wireguard.sys'. Error = 0x00000570
  !!!  flq:                     Failed to commit copy queue. Error = 0x000003e3
  !!!  flq:                     FileQueueCommit aborting
  !!!  flq:                     Error 995: The I/O operation has been aborted because of either a thread exit or an application request.
       flq:                {FILE_QUEUE_COMMIT - exit(0x000003e3)} 19:50:32.852
  !!!  sto:                Failed to configure driver package. Error = 0x000003E3
  !    dvi: Unable to configure device, falling back to standard device installation.
       dvi: Searching for hardware ID(s):
>      dvi:      wireguard
       dvi: Searching for compatible ID(s):
       dvi:      swd\generic
       dvi: Class GUID of device changed to: {4d36e972-e325-11ce-bfc1-08002be10318}.
       ndv: {Core Device Install} 19:50:32.866
>      dvi:      {Install Device - SWD\WIREGUARD\{06A6F956-B04C-FB24-8D43-BCF8C102B460}} 19:50:32.867
       dvi:           Device Status: 0x01802400 [0x12 - 0xc0000493]
       dvi:           Config Flags: 0x00000000
       dvi:           Parent Device: HTREE\ROOT\0
       dvi:           {DIF_ALLOW_INSTALL} 19:50:32.870
       dvi:                Default installer: Enter 19:50:32.871

[-- Attachment #3: wireguard-log-2026-04-23T171320.txt --]
[-- Type: text/plain, Size: 2159 bytes --]

2026-04-23 17:08:18.943111: [MGR] Starting WireGuard/1.0.1 (Windows 10.0.26100; amd64)
2026-04-23 17:08:49.676728: [TUN] [redacted] Starting WireGuard/1.0.1 (Windows 10.0.26100; amd64)
2026-04-23 17:08:49.676728: [TUN] [redacted] Watching network interfaces
2026-04-23 17:08:49.678331: [TUN] [redacted] Resolving DNS names
2026-04-23 17:08:49.685827: [TUN] [redacted] Creating network adapter
2026-04-23 17:08:49.854975: [TUN] [redacted] Installing driver 1.0
2026-04-23 17:08:49.855756: [TUN] [redacted] Extracting driver
2026-04-23 17:08:49.856819: [TUN] [redacted] Installing driver
2026-04-23 17:08:50.317910: [TUN] [redacted] Creating adapter
2026-04-23 17:09:05.335011: [TUN] [redacted] Timed out waiting for device query: The wait operation timed out. (Code 0x00000102)
2026-04-23 17:09:05.335544: [TUN] [redacted] Failed to setup adapter (problem code: 0x12, ntstatus: 0xC0000493): The property set specified does not exist on the object. (Code 0x00000492)
2026-04-23 17:09:05.409463: [TUN] [redacted] Unable to create network adapter: Error creating adapter: The property set specified does not exist on the object.
2026-04-23 17:09:05.409969: [TUN] [redacted] Shutting down
2026-04-23 17:10:10.303316: [TUN] [redacted] Starting WireGuard/1.0.1 (Windows 10.0.26100; amd64)
2026-04-23 17:10:10.303316: [TUN] [redacted] Watching network interfaces
2026-04-23 17:10:10.304997: [TUN] [redacted] Resolving DNS names
2026-04-23 17:10:10.311380: [TUN] [redacted] Creating network adapter
2026-04-23 17:10:10.358084: [TUN] [redacted] Using existing driver 1.0
2026-04-23 17:10:10.372308: [TUN] [redacted] Creating adapter
2026-04-23 17:10:25.387161: [TUN] [redacted] Timed out waiting for device query: The wait operation timed out. (Code 0x00000102)
2026-04-23 17:10:25.387580: [TUN] [redacted] Failed to setup adapter (problem code: 0x12, ntstatus: 0xC0000493): The property set specified does not exist on the object. (Code 0x00000492)
2026-04-23 17:10:25.457324: [TUN] [redacted] Unable to create network adapter: Error creating adapter: The property set specified does not exist on the object.
2026-04-23 17:10:25.457324: [TUN] [redacted] Shutting down

* Re: WireGuard obfuscation & active probing: staying virtuous under pressure
From: Ian Chen @ 2026-04-22 11:32 UTC (permalink / raw)
  To: Leonid Evdokimov, wireguard
In-Reply-To: <CAB-U=tBRwE+CkfF4XF1C9yiYLRLzHQsnXdEeVR=bs9jqCAwwYw@mail.gmail.com>

> WireGuard over Shadowsocks-2022
> ===============================
> 
> TL;DR: Too much crypto + deployment challenges.
> 
> Shadowsocks is a good solution against censors, but it strips 40 more
> bytes from the MTU and AEADs data twice: XChaCha20-Poly1305 of
> Shadowsocks + ChaCha20-Poly1305 of WireGuard, burning twice as many
> carbon credits. Performance matters: e.g. Mullvad introduces LWO
> claiming performance improvement over Shadowsocks.

I developed swgp-go around the same time I wrote the spec for
Shadowsocks 2022. At the time, I intentionally left replay protection
out of swgp-go, because I thought WireGuard wouldn't need it.

Thanks to your work, I now understand that this assumption was wrong!
So I added it into swgp-go:
https://github.com/database64128/swgp-go/commit/207a055ab0a1058579f299fc1021cc64c95b21db

The new "zero-overhead-2026" and "paranoid-2026" modes provide replay
protection for handshake packets. Replayed packets are dropped by
checking the nonce and an encrypted unix epoch timestamp, similar to
how Shadowsocks 2022's TCP construction does it.

This won't address the "DoSer" scenario, but should provide enough
protection against censors without knowledge of the OBFSK.


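The check Ian describes, as an added example that is neither swgp-go's code nor anything posted in this thread: each obfuscated handshake carries a random nonce plus an encrypted, authenticated unix timestamp, and the receiver drops a packet when the timestamp falls outside an acceptance window or the nonce was already accepted inside that window. Every concrete choice here is an assumption made for illustration: AES-256-GCM stands in for whatever AEAD swgp-go actually uses (it is simply what the Go standard library ships), the 30-second window, the packet layout nonce || AEAD(timestamp || payload), and the all-zero key and fixed clock used by main().

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Constructed example, not swgp-go's code. Layout assumed for illustration:
// nonce (12 bytes) || AEAD_obfsKey(nonce, timestamp (8 bytes BE) || payload).
// AES-256-GCM is an assumption; it stands in for the real obfuscation AEAD.
const Window = 30 * time.Second

var (
	ErrAuth   = errors.New("authentication under the obfuscation key failed")
	ErrStale  = errors.New("timestamp outside the acceptance window")
	ErrReplay = errors.New("nonce already accepted within the window")
)

type ReplayFilter struct {
	aead cipher.AEAD
	now  func() time.Time          // injectable clock, so tests are deterministic
	seen map[[12]byte]time.Time    // accepted nonce -> timestamp carried in that packet
}

func NewReplayFilter(obfsKey []byte, now func() time.Time) (*ReplayFilter, error) {
	block, err := aes.NewCipher(obfsKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ReplayFilter{aead: aead, now: now, seen: make(map[[12]byte]time.Time)}, nil
}

// Seal is the sender side: fresh random nonce, current time sealed with the payload.
func (f *ReplayFilter) Seal(payload []byte) ([]byte, error) {
	var nonce [12]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return nil, err
	}
	pt := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint64(pt, uint64(f.now().Unix()))
	copy(pt[8:], payload)
	out := make([]byte, 12, 12+len(pt)+f.aead.Overhead())
	copy(out, nonce[:])
	return f.aead.Seal(out, nonce[:], pt, nil), nil
}

// Open is the receiver side. The order is deliberate: authenticate first, so a
// party without the key cannot influence the seen-set; then check freshness,
// which bounds how long any nonce has to be remembered; only then look the
// nonce up and record it.
func (f *ReplayFilter) Open(pkt []byte) ([]byte, error) {
	if len(pkt) < 12+8+f.aead.Overhead() {
		return nil, ErrAuth
	}
	var nonce [12]byte
	copy(nonce[:], pkt[:12])
	pt, err := f.aead.Open(nil, nonce[:], pkt[12:], nil)
	if err != nil {
		return nil, ErrAuth
	}
	ts := time.Unix(int64(binary.BigEndian.Uint64(pt[:8])), 0)
	now := f.now()
	if ts.Before(now.Add(-Window)) || ts.After(now.Add(Window)) {
		return nil, ErrStale
	}
	f.prune(now)
	if _, dup := f.seen[nonce]; dup {
		return nil, ErrReplay
	}
	f.seen[nonce] = ts
	return pt[8:], nil
}

// prune forgets nonces whose timestamps could no longer pass the freshness
// check, so the set only ever holds what a key holder sent within one window.
func (f *ReplayFilter) prune(now time.Time) {
	for n, ts := range f.seen {
		if ts.Before(now.Add(-Window)) {
			delete(f.seen, n)
		}
	}
}

func main() {
	clock := time.Unix(1700000000, 0) // constructed fixed clock
	f, err := NewReplayFilter(make([]byte, 32), func() time.Time { return clock })
	if err != nil {
		panic(err)
	}
	pkt, _ := f.Seal([]byte("handshake initiation"))
	_, err = f.Open(pkt)
	fmt.Println("first delivery:", err)
	_, err = f.Open(pkt)
	fmt.Println("immediate replay:", err)
	clock = clock.Add(2 * Window)
	_, err = f.Open(pkt)
	fmt.Println("replay after the window:", err)
}
```

Checking freshness before consulting the nonce set is what keeps the set bounded, and because the timestamp is under the AEAD, a censor without the OBFSK cannot inflate it or forge fresh-looking packets. As the message says, none of this helps against a peer that holds the key and floods.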

* Re: [PATCH] wg-quick: fix darwin MTU detection
From: Florian Uekermann @ 2026-05-08 13:42 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: wireguard, A Jonas, Carl Dong
In-Reply-To: <CAHmME9pFJyEtgrYLv2h-SFKLuRCwsv=SoMjhteFZPh4B6CfHBw@mail.gmail.com>

Hi Jason,

On 06/05/2026 23:28, Jason A. Donenfeld wrote:
> Could you test this?
> https://git.zx2c4.com/wireguard-tools/commit/?id=a998407747005ea7e4e0258d96f105c97241e1d3

Yes, it seems to work. I tested this commit and the previous one after
connecting to another VPN (to lower the MTU of the default interface to
1280) and got MTUs of 1420 and 1200 respectively. Thanks!

Best regards,
Florian


* Re: Sunsetting support for old Windows versions
From: Jason A. Donenfeld @ 2026-05-07 13:01 UTC (permalink / raw)
  To: WireGuard mailing list; +Cc: Simon Rozman
In-Reply-To: <CAHmME9q4gC3Ag4hW0ERTkZNi6VMv1-qMExO6+OfOKYZ5rC4mgg@mail.gmail.com>

On Mon, Mar 23, 2026 at 6:09 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> I must admit, however, that I am a bit sad about this. After coding up
> [1] this dialog box for the installer, I felt a few pangs of sadness
> when testing it for the first time on Windows 7 and seeing the tragic
> result: https://data.zx2c4.com/bye-bye-wg-win7.png . But it was a
> familiar feeling. For, long ago, I'd already watched the beauty of
> Windows fall to pieces. To me, Windows 2000 is the most beautiful of

In order to reduce user confusion, this dialog box for old Windows
installations is now augmented with this email thread opening:
https://data.zx2c4.com/windows7-update-sunset-flow.gif . This
especially helps with the update flow on old Windows, where dialog
boxes aren't shown. Hopefully this reduces the amount of confused
emails I've been receiving, while also not lulling old Windows users
into a false sense of security by disabling all update notifications.

Jason


* Re: [PATCH] wg-quick: fix darwin MTU detection
From: Jason A. Donenfeld @ 2026-05-06 21:28 UTC (permalink / raw)
  To: Florian Uekermann; +Cc: wireguard, A Jonas, Carl Dong
In-Reply-To: <8358be3e-d696-454e-a970-2305f23fce2f@uekermann.me>

Hi Florian,

Could you test this?
https://git.zx2c4.com/wireguard-tools/commit/?id=a998407747005ea7e4e0258d96f105c97241e1d3

Thanks,
Jason


* Re: [PATCH] wg-quick: fix darwin MTU detection
From: Florian Uekermann @ 2026-05-05 16:47 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: wireguard, A Jonas, Carl Dong
In-Reply-To: <afiJFxeMxJw-n9-G@zx2c4.com>

Hi Jason,

Thanks for following up.

On 04/05/2026 13:55, Jason A. Donenfeld wrote:

> If you're submitting a patch with your name on it, please do the
> research to make sure it's correct! Otherwise, what you're submitting is
> more of a bug report than a patch.

Please treat this as a bug report. That's why I added the disclaimer.

I tried a number of different things before sending this patch with ack,
because I wasn't able to get the bug report through the filter (mailing
list, mod-mail) or noticed (IRC, Github) after many failed attempts to
report it. Some avenue for drive-by bug reports may be beneficial (maybe
Github issues). I had given up on reporting this until your reply. Anyway,
happy you saw this now.

> Should this be changed for the other invocations of `netstat -nr -f ...`
> in the code? It's a bit confusing because in del_route(), it looks like
> the first invocation (for inet) is aware that it's the 6th parameter,
> while the second invocation (for inet6) seems to stick with this
> presumption that it's the 4th. So what's going on here?

I also suspect del_route needs to be adjusted too, but I have no idea 
what's going on here.

> I'd like to get to the bottom of this before applying this patch. When
> you submit a v2, please include your explanation as part of the commit
> message.

Sorry, I'm not very familiar with the Apple ecosystem and can't figure 
out what exactly happened or should be done here with the necessary 
confidence. Please just take this as a bug report.

Best regards,
Florian


* Re: [PATCH wireguard] wireguard: prevent ipv6 addrconf via IFF_NO_ADDRCONF flag
From: Jason A. Donenfeld @ 2026-05-05 15:05 UTC (permalink / raw)
  To: Valentin Spreckels
  Cc: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, wireguard, netdev, linux-kernel
In-Reply-To: <afefejiY8SX8UfTm@zx2c4.com>

On Sun, May 03, 2026 at 09:18:18PM +0200, Jason A. Donenfeld wrote:
> On Sat, Mar 21, 2026 at 08:20:53PM +0100, Valentin Spreckels wrote:
> > Hi Jason,
> > 
> > On 11/03/2026 23:59, Jason A. Donenfeld wrote:
> > > Hi Valentin,
> > > 
> > > On Sun, Feb 08, 2026 at 06:05:45PM +0100, Valentin Spreckels wrote:
> > >> Use the flag introduced in commit 8a321cf7becc6 ("net: add
> > >> IFF_NO_ADDRCONF and use it in bonding to prevent ipv6 addrconf")
> > >> instead of mangling the addr_gen_mode to prevent ipv6 addrconf.
> > > 
> > > Can you give some more context here? Why was IFF_NO_ADDRCONF added when
> > > the IN6_ADDR_GEN_MODE_NONE method has been working fine? What's the
> > > difference between these approaches? I don't doubt that your patch is
> > > correct, but I would like to better understand this.
> > 
> > Only wireguard configures addr_gen_mode inside the kernel, otherwise it 
> > is only set by userspace; userspace is also able to overwrite the 
> > IFF_NO_ADDRCONF set by wireguard.
> > 
> > Commit 8a321cf7becc ("net: add IFF_NO_ADDRCONF and use it in bonding to 
> > prevent ipv6 addrconf") introduces the private interface flag 
> > IFF_NO_ADDRCONF, which isn't accessible by userspace.
> > 
> > Thus use the IFF_NO_ADDRCONF flag in wireguard.
> > 
> > 
> > Does that answer your questions? If yes, I will submit a v2 with this as 
> > commit message.
> 
> I applied this here:
> https://git.zx2c4.com/wireguard-linux/commit/?id=88427bcbe5bd3711de387b1c1f6540ef6fc05a78
> 
> Sorry for the delay! Patch looks good as-is, once I looked into the
> internal mechanism.

I'm backing this patch out for now. It seems to break the selftests:

    [+] NS2: ping6 -c 10 -f -W 1 fd00::1
    ping6: connect: Network unreachable

Try it yourself with:

    $ make -C tools/testing/selftests/wireguard/qemu -j$(nproc) 

I assume it's because of:

        case NETDEV_UP:
        case NETDEV_CHANGE:
                if (idev && idev->cnf.disable_ipv6)
                        break;

                if (dev->priv_flags & IFF_NO_ADDRCONF) {
                        [...]
                        break;
                }

Feel free to submit a v2 if you think this is fixable or if the tests
themselves are wrong.

Jason


* Re: [PATCH] wg-quick: fix darwin MTU detection
From: Jason A. Donenfeld @ 2026-05-04 11:55 UTC (permalink / raw)
  To: Florian Uekermann; +Cc: wireguard, A Jonas, Carl Dong
In-Reply-To: <20251020142254.16546-2-florian@uekermann.me>

Hi Florian,

Sorry I didn't see this. I filtered this out because it wasn't formatted
correctly (explanation below the break, commit subject not matching
other wg-quick commits). Some notes:

On Mon, Oct 20, 2025 at 04:22:55PM +0200, Florian Uekermann wrote:
> I used macOS 15.4 for testing, but I am not particularly familiar with
> the Apple ecosystem. I'm not sure if this never worked, the netstat
> shipped by Apple changed at some point and how/which other platforms
> (iOS?) may be affected. So please keep that in mind before merging.

If you're submitting a patch with your name on it, please do the
research to make sure it's correct! Otherwise, what you're submitting is
more of a bug report than a patch.

>  src/wg-quick/darwin.bash | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/wg-quick/darwin.bash b/src/wg-quick/darwin.bash
> index 1b7fe5e..0467f0e 100755
> --- a/src/wg-quick/darwin.bash
> +++ b/src/wg-quick/darwin.bash
> @@ -177,7 +177,7 @@ set_mtu() {
>  		cmd ifconfig "$REAL_INTERFACE" mtu "$MTU"
>  		return
>  	fi
> -	while read -r destination _ _ _ _ netif _; do
> +	while read -r destination _ _ netif _; do
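Review bot: the hunk trades one hard-coded field position for another, so the loop still breaks on whichever netstat layout it was not written for, and in the same file del_route() reads the 6th field for the inet table and the 4th for inet6, so after this change set_mtu() and del_route() would disagree with each other about the inet layout. Reading the header row of `netstat -nr -f inet` once, finding the index of the `Netif` column, and selecting that field would work for both layouts and keep every call site consistent; the commit message should then state which netstat versions produce which layout.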

Should this be changed for the other invocations of `netstat -nr -f ...`
in the code? It's a bit confusing because in del_route(), it looks like
the first invocation (for inet) is aware that it's the 6th parameter,
while the second invocation (for inet6) seems to stick with this
presumption that it's the 4th. So what's going on here?

Consulting the source from Apple, it looks like the 4th param is indeed
the right one?
https://github.com/apple-oss-distributions/network_cmds/blob/97e27e6244c16d399bfeb254315ddc5828711c56/netstat.tproj/route.c#L328

What circumstances cause this to change? v4 vs v6? Something else?

I'd like to get to the bottom of this before applying this patch. When
you submit a v2, please include your explanation as part of the commit
message.

Thanks,
Jason

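An added example, not wireguard-tools code and not from anyone in this thread, of the layout-independent alternative to counting fields that the discussion above circles around: read the header row of `netstat -nr` output, locate the Destination and Netif columns by name, and select by that index, so it does not matter whether Refs/Use columns sit in between. The two sample tables are constructed to mimic the two layouts under discussion and are not captured from a real macOS host; the function name and error values are this example's own.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// Constructed example, not wireguard-tools code. darwin.bash picks the
// interface of a route out of `netstat -nr -f inet` by field position
// ("destination _ _ _ _ netif _" versus "destination _ _ netif _"); locating
// the columns from the header row instead works for both layouts.

var (
	ErrNoHeader = errors.New("netstat: no header row containing Destination and Netif")
	ErrNoRoute  = errors.New("netstat: no route with that destination")
)

// OldLayout and NewLayout are constructed to mimic the two table shapes the
// thread discusses (Refs/Use columns present or absent); they are not real
// captures from any macOS version.
const OldLayout = `Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           42        0     en0
127                127.0.0.1          UCS             0        0     lo0
192.168.1          link#4             UCS             2        0     en0
`

const NewLayout = `Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg             en0
127                127.0.0.1          UCS               lo0
192.168.1          link#4             UCS               en0
`

// RouteNetif returns the Netif field of the first row whose Destination
// equals dst. Each table in `netstat -nr` output ("Internet:", "Internet6:")
// has its own header row, so the column indices are re-learned whenever a
// header row is seen.
func RouteNetif(netstatOut, dst string) (string, error) {
	destIdx, netifIdx := -1, -1
	headerOK, anyHeader := false, false
	sc := bufio.NewScanner(strings.NewReader(netstatOut))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if fields[0] == "Destination" {
			destIdx, netifIdx = -1, -1
			for i, name := range fields {
				switch name {
				case "Destination":
					destIdx = i
				case "Netif":
					netifIdx = i
				}
			}
			headerOK = destIdx >= 0 && netifIdx >= 0
			anyHeader = anyHeader || headerOK
			continue
		}
		// Rows can be shorter than the header because Expire is often
		// blank; Netif precedes Expire, so it is present when the row
		// reaches that index at all.
		if !headerOK || len(fields) <= netifIdx || len(fields) <= destIdx {
			continue
		}
		if fields[destIdx] == dst {
			return fields[netifIdx], nil
		}
	}
	if !anyHeader {
		return "", ErrNoHeader
	}
	return "", ErrNoRoute
}

func main() {
	for name, tbl := range map[string]string{"old layout": OldLayout, "new layout": NewLayout} {
		netif, err := RouteNetif(tbl, "default")
		fmt.Printf("%s: default route via %q (err=%v)\n", name, netif, err)
	}
}
```

In bash the same idea is a one-time read of the header line to compute the column number before the `while read` loop; the point is the same either way: the column is chosen by its name, never by counting.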

* Re: [PATCH wireguard] wireguard: prevent ipv6 addrconf via IFF_NO_ADDRCONF flag
From: Jason A. Donenfeld @ 2026-05-03 19:18 UTC (permalink / raw)
  To: Valentin Spreckels
  Cc: Andrew Lunn, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, wireguard, netdev, linux-kernel
In-Reply-To: <c486b63c-521f-4972-80bf-ebb2bfe04724@spreckels.dev>

On Sat, Mar 21, 2026 at 08:20:53PM +0100, Valentin Spreckels wrote:
> Hi Jason,
> 
> On 11/03/2026 23:59, Jason A. Donenfeld wrote:
> > Hi Valentin,
> > 
> > On Sun, Feb 08, 2026 at 06:05:45PM +0100, Valentin Spreckels wrote:
> >> Use the flag introduced in commit 8a321cf7becc6 ("net: add
> >> IFF_NO_ADDRCONF and use it in bonding to prevent ipv6 addrconf")
> >> instead of mangling the addr_gen_mode to prevent ipv6 addrconf.
> > 
> > Can you give some more context here? Why was IFF_NO_ADDRCONF added when
> > the IN6_ADDR_GEN_MODE_NONE method has been working fine? What's the
> > difference between these approaches? I don't doubt that your patch is
> > correct, but I would like to better understand this.
> 
> Only wireguard configures addr_gen_mode inside the kernel, otherwise it 
> is only set by userspace; userspace is also able to overwrite the 
> IFF_NO_ADDRCONF set by wireguard.
> 
> Commit 8a321cf7becc ("net: add IFF_NO_ADDRCONF and use it in bonding to 
> prevent ipv6 addrconf") introduces the private interface flag 
> IFF_NO_ADDRCONF, which isn't accessible by userspace.
> 
> Thus use the IFF_NO_ADDRCONF flag in wireguard.
> 
> 
> Does that answer your questions? If yes, I will submit a v2 with this as 
> commit message.

I applied this here:
https://git.zx2c4.com/wireguard-linux/commit/?id=88427bcbe5bd3711de387b1c1f6540ef6fc05a78

Sorry for the delay! Patch looks good as-is, once I looked into the
internal mechanism.

Jason


* [PATCH v2] wg-quick: add SocketNamespace for UDP socket netns
From: Sybil Isabel Dorsett @ 2026-05-01 13:31 UTC (permalink / raw)
  To: wireguard

wg-quick cannot express WireGuard's supported deployment model in
which the UDP socket resides in a different network namespace than
the interface. This model is documented and used in practice for
cases such as keeping routing policy and tunnel endpoints in separate
namespaces (e.g. container or policy isolation setups). Achieving this
today requires reimplementing substantial parts of wg-quick externally,
including interface lifecycle, address assignment, routing, and
teardown.

Add a SocketNamespace option to select the network namespace in which
the WireGuard UDP socket is created, while keeping the interface in
the invoking namespace. Create the interface in the target namespace
so that sockets are bound there, then move it back to the caller's
namespace before executing PreUp hooks.

Limit the scope to selecting the socket namespace only, without
introducing general network namespace management, persistent state,
or changes to default behavior.

Document SocketNamespace in the man page and update highlighters.

Signed-off-by: Sybil Isabel Dorsett <sybdorsett@proton.me>
---
v2:
- Resend for visibility; no functional changes
- Clarify commit message

Reference (earlier discussion on mailing list):
- https://lists.zx2c4.com/pipermail/wireguard/2020-March/005143.html

Implementation notes:
- Limit scope to socket namespace only (no general netns management)
- Return the interface to the caller namespace before hook execution
- Use PID-based netns targeting instead of fixed namespace IDs
- Ensure userspace fallback (wireguard-go) runs in SocketNamespace,
  preserving socket placement
- Prevent namespace errors from triggering kernel/userspace fallback
  paths

 contrib/highlighter/gui/highlight.cpp |  1 +
 contrib/highlighter/highlight.c       |  1 +
 contrib/highlighter/highlighter.c     | 23 +++++++++++++++++++++++
 contrib/highlighter/highlighter.h     |  1 +
 src/man/wg-quick.8                    |  5 +++++
 src/wg-quick/linux.bash               | 15 ++++++++++++---
 6 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/contrib/highlighter/gui/highlight.cpp b/contrib/highlighter/gui/highlight.cpp
index a95857b..7c4e4ac 100644
--- a/contrib/highlighter/gui/highlight.cpp
+++ b/contrib/highlighter/gui/highlight.cpp
@@ -25,6 +25,7 @@ static QColor colormap[] = {
 	[HighlightDelimiter] = QColor("#7aa6da"),
 #ifndef MOBILE_WGQUICK_SUBSET
 	[HighlightTable] = QColor("#c397d8"),
+	[HighlightSocketNamespace] = QColor("#c397d8"),
 	[HighlightFwMark] = QColor("#c397d8"),
 	[HighlightSaveConfig] = QColor("#c397d8"),
 	[HighlightCmd] = QColor("#969896"),
diff --git a/contrib/highlighter/highlight.c b/contrib/highlighter/highlight.c
index 8dc0d49..a18f039 100644
--- a/contrib/highlighter/highlight.c
+++ b/contrib/highlighter/highlight.c
@@ -51,6 +51,7 @@ static const char *colormap[] = {
 	[HighlightDelimiter] = TERMINAL_FG_CYAN,
 #ifndef MOBILE_WGQUICK_SUBSET
 	[HighlightTable] = TERMINAL_FG_BLUE,
+	[HighlightSocketNamespace] = TERMINAL_FG_BLUE,
 	[HighlightFwMark] = TERMINAL_FG_BLUE,
 	[HighlightSaveConfig] = TERMINAL_FG_BLUE,
 	[HighlightCmd] = TERMINAL_FG_WHITE,
diff --git a/contrib/highlighter/highlighter.c b/contrib/highlighter/highlighter.c
index 3c34f1c..5264ac9 100644
--- a/contrib/highlighter/highlighter.c
+++ b/contrib/highlighter/highlighter.c
@@ -223,6 +223,24 @@ static bool is_valid_persistentkeepalive(string_span_t s)
 
 #ifndef MOBILE_WGQUICK_SUBSET
 
+static bool is_valid_filename(string_span_t s)
+{
+	if (s.len > 128 || !s.len)
+		return false;
+	if (s.len == 1 && s.s[0] == '.')
+		return false;
+	if (s.len == 2 && s.s[0] == '.' && s.s[1] == '.')
+		return false;
+	if (s.s[0] == '-')
+		return false;
+	for (size_t i = 0; i < s.len; ++i) {
+		if (!is_alphabet(s.s[i]) && !is_decimal(s.s[i]) &&
+		    s.s[i] != '_' && s.s[i] != '-' && s.s[i] != '.')
+			return false;
+	}
+	return true;
+}
+
 static bool is_valid_fwmark(string_span_t s)
 {
 	if (is_same(s, "off"))
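Review bot: the 128-byte cap in is_valid_filename() is unexplained; `ip netns` names are directory entries under /var/run/netns/, so anything up to NAME_MAX (255 bytes) is a legal name, and a longer valid one would be highlighted as an error. Either use 255 or comment why the tighter bound was chosen. The function name is also more general than its single use for SocketNamespace; is_valid_netns_name() would say what is actually being checked.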
@@ -345,6 +363,7 @@ enum field {
 	DNS,
 	MTU,
 #ifndef MOBILE_WGQUICK_SUBSET
+	SocketNamespace,
 	FwMark,
 	Table,
 	PreUp, PostUp, PreDown, PostDown,
@@ -384,6 +403,7 @@ static enum field get_field(string_span_t s)
 	check_enum(Endpoint);
 	check_enum(PersistentKeepalive);
 #ifndef MOBILE_WGQUICK_SUBSET
+	check_enum(SocketNamespace);
 	check_enum(FwMark);
 	check_enum(Table);
 	check_enum(PreUp);
@@ -526,6 +546,9 @@ static void highlight_value(struct highlight_span_array *ret, const string_span_
 	case SaveConfig:
 		append_highlight_span(ret, parent.s, s, is_valid_saveconfig(s) ? HighlightSaveConfig : HighlightError);
 		break;
+	case SocketNamespace:
+		append_highlight_span(ret, parent.s, s, is_valid_filename(s) ? HighlightSocketNamespace : HighlightError);
+		break;
 	case FwMark:
 		append_highlight_span(ret, parent.s, s, is_valid_fwmark(s) ? HighlightFwMark : HighlightError);
 		break;
diff --git a/contrib/highlighter/highlighter.h b/contrib/highlighter/highlighter.h
index ecbce00..d7d6600 100644
--- a/contrib/highlighter/highlighter.h
+++ b/contrib/highlighter/highlighter.h
@@ -21,6 +21,7 @@ enum highlight_type {
 	HighlightDelimiter,
 #ifndef MOBILE_WGQUICK_SUBSET
 	HighlightTable,
+	HighlightSocketNamespace,
 	HighlightFwMark,
 	HighlightSaveConfig,
 	HighlightCmd,
diff --git a/src/man/wg-quick.8 b/src/man/wg-quick.8
index bc9e145..1a7c9a6 100644
--- a/src/man/wg-quick.8
+++ b/src/man/wg-quick.8
@@ -102,6 +102,11 @@ the commands are executed in order.
 SaveConfig \(em if set to `true', the configuration is saved from the current state of the
 interface upon shutdown. Any changes made to the configuration file before the
 interface is removed will therefore be overwritten.
+.IP \(bu
+SocketNamespace \(em the name of an existing network namespace (netns)
+in which the interface's UDP sockets are created. If specified, the interface
+is first added to that netns, then moved to the invoking process's native netns
+before any other interface settings are applied.
 
 .P
 Recommended \fIINTERFACE\fP names include `wg0' or `wgvpn0' or even `wgmgmtlan0'.
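Review bot: the new SocketNamespace paragraph should state that the option is Linux-only (only linux.bash implements it) and that the namespace must already exist, since wg-quick refuses to bring the interface up rather than creating it. It would also help to say in one sentence why the sockets stay put after the move: WireGuard binds its UDP sockets in the namespace the interface was created in, and moving the interface does not re-bind them, which is the property this option depends on.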
diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash
index 18e266c..1349d70 100755
--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -13,6 +13,7 @@ export PATH="${SELF%/*}:$PATH"
 
 WG_CONFIG=""
 INTERFACE=""
+SOCKET_NAMESPACE=""
 ADDRESSES=( )
 MTU=""
 DNS=( )
@@ -56,6 +57,7 @@ parse_options() {
 		[[ $key == "[Interface]" ]] && interface_section=1
 		if [[ $interface_section -eq 1 ]]; then
 			case "$key" in
+			SocketNamespace) SOCKET_NAMESPACE="$value"; continue ;;
 			Address) ADDRESSES+=( ${value//,/ } ); continue ;;
 			MTU) MTU="$value"; continue ;;
 			DNS) for v in ${value//,/ }; do
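Review bot: the SocketNamespace value is stored without any validation, while the highlighter rejects names containing '/', '..', a leading '-' or more than 128 bytes. The value is later spliced into `ip netns exec "$SOCKET_NAMESPACE"`; the quoting prevents word splitting, but a value like `../foo` is passed straight through. Applying the same character-class check here and dying with a clear message would keep the two in agreement and make the error surface at parse time instead of at `ip netns exec`.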
@@ -88,12 +90,14 @@ auto_su() {
 
 add_if() {
 	local ret
-	if ! cmd ip link add dev "$INTERFACE" type wireguard; then
+	trap 'cmd "${netns_exec[@]}" ip link delete dev "$INTERFACE"; exit' INT TERM EXIT
+	if ! cmd "${netns_exec[@]}" ip link add dev "$INTERFACE" type wireguard; then
 		ret=$?
 		[[ -e /sys/module/wireguard ]] || ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" >/dev/null && exit $ret
 		echo "[!] Missing WireGuard kernel module. Falling back to slow userspace implementation." >&2
-		cmd "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" "$INTERFACE"
+		cmd "${netns_exec[@]}" "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" "$INTERFACE"
 	fi
+	[[ -z "$SOCKET_NAMESPACE" ]] || cmd "${netns_exec[@]}" ip link set "$INTERFACE" netns $$
 }
 
 del_if() {
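Review bot: there is a window in which the interface can leak. The trap installed at the top of add_if() deletes the device inside the socket namespace, but the last line of the function moves the device to the caller's namespace, and cmd_up() only replaces that trap after add_if() returns; a signal arriving in between runs `ip link delete` in a namespace where the device no longer exists and leaves it behind. Installing `trap 'del_if; exit' INT TERM EXIT` immediately after the `ip link set "$INTERFACE" netns $$` line (or performing the move in cmd_up() once its own trap is in place) closes it.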
@@ -256,6 +260,7 @@ save_config() {
 	local old_umask new_config current_config address cmd
 	[[ $(ip -all -brief address show dev "$INTERFACE") =~ ^$INTERFACE\ +\ [A-Z]+\ +(.+)$ ]] || true
 	new_config=$'[Interface]\n'
+	[[ -z "$SOCKET_NAMESPACE" ]] || new_config+="SocketNamespace = $SOCKET_NAMESPACE"$'\n'
 	for address in ${BASH_REMATCH[1]}; do
 		new_config+="Address = $address"$'\n'
 	done
@@ -326,9 +331,13 @@ cmd_usage() {
 
 cmd_up() {
 	local i
+	local netns_exec=()
+	[[ -z "$SOCKET_NAMESPACE" ]] || netns_exec=(ip netns exec "$SOCKET_NAMESPACE")
+	"${netns_exec[@]}" true || die "Network namespace '${SOCKET_NAMESPACE:-<unset>}' does not exist"
 	[[ -z $(ip link show dev "$INTERFACE" 2>/dev/null) ]] || die "\`$INTERFACE' already exists"
-	trap 'del_if; exit' INT TERM EXIT
+	[[ -z $("${netns_exec[@]}" ip link show dev "$INTERFACE" 2>/dev/null) ]] || die "\`$INTERFACE' already exists in network namespace '${SOCKET_NAMESPACE:-<unset>}'"
 	add_if
+	trap 'del_if; exit' INT TERM EXIT
 	execute_hooks "${PRE_UP[@]}"
 	set_config
 	for i in "${ADDRESSES[@]}"; do
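Review bot: `local netns_exec=()` is declared here but consumed by add_if() and by the trap add_if() installs, which only works through bash's dynamic scoping and breaks silently if add_if() is ever called from a path that does not set it. Deriving the prefix inside add_if() from SOCKET_NAMESPACE, or making it a global next to SOCKET_NAMESPACE, would be more robust. Also, the existence probe `"${netns_exec[@]}" true` runs `ip netns exec` with stderr uncaptured, so iproute2's own error is printed before the die message; redirecting the probe's stderr to /dev/null would leave a single clear message.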
-- 
2.39.5





This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox