From:
Stuart Henderson <stu@spacehopper.org>
Subject:
Re: Update stripcom function in netstart
To:
obsd@mulh.net
Cc:
tech@openbsd.org
Date:
Fri, 5 Sep 2025 11:30:42 +0100

On 2025/09/05 04:05, obsd@mulh.net wrote:
> On 2025-09-04 22:44:30, Stuart Henderson wrote:
> > i would recommend against using undocumented syntax in these files
> 
> Good advice, most should pkg_add wireguard-tools and use it to configure wireguard.

I don't think that is good advice. You can't rely on wireguard-tools
working after an OS update until you've updated packages (and even then
sometimes a recompile is not enough; it may need code changes after
some changes to the kernel).

> I'd rather stick to openbsd's base, it has everything needed and documented well.

makes sense for basic system config like this.

> After reading "man ifconfig" and "man wg" the hostname.if
> would probably have to look something like this:
> (and this is where I started)
> 
> inet 192.0.2.1 0xffffff00
> wgport 51820
> wgkey A7NT9n6DIV6iLfdX0mRgcHgcCJPdvpSXanOMPV25xbQ=
> wgpeer kk3TQeCO683Y2OaGkpFztWfKTaPez3bx0TbAPgRxs94= wgpsk V1cnMjMUyB3KthU3L2YXauQHcCM4beqtJfjQaFFm9C8= wgendpoint 198.51.100.42 51820 wgaip 192.0.2.2/32
> wgpeer SFy0vTvtSlPOO7WFOf1lcqssziaw399vuafpH4tWgpA= wgpsk kNehxEObqhD6OqzLsvdyHCCBh2Ydc7ttpBQR4CkHW4I= wgendpoint 198.51.100.80 51820 wgaip 192.0.2.3/32
> 
> I just wanted to make my configuration easier to read and secure the keys.

if you really want to split them, this would stay within the documented
syntax:

/etc/hostname.wg0
> !/etc/wgconfig-wg0
> inet 192.0.2.1 0xffffff00
> wgport 51820
> wgpeer kk3TQeCO683Y2OaGkpFztWfKTaPez3bx0TbAPgRxs94= wgpsk V1cnMjMUyB3KthU3L2YXauQHcCM4beqtJfjQaFFm9C8= wgendpoint 198.51.100.42 51820 wgaip 192.0.2.2/32
> wgpeer SFy0vTvtSlPOO7WFOf1lcqssziaw399vuafpH4tWgpA= wgpsk kNehxEObqhD6OqzLsvdyHCCBh2Ydc7ttpBQR4CkHW4I= wgendpoint 198.51.100.80 51820 wgaip 192.0.2.3/32

/etc/wgconfig-wg0 (executable)
> #!/bin/sh
> ifconfig wg0 wgkey A7NT9n6DIV6iLfdX0mRgcHgcCJPdvpSXanOMPV25xbQ=

like you, I remove the + from /etc/hostname.* in changelist (I prefer
to have the emailed diff and full copy in /var/backups for changes to
those files) and don't worry about the key showing in diffs, but
I'm not sending those mails off anywhere untrusted.

> "man hostname.if" has the line:
> "Any lines not matching these packed formats are passed directly to ifconfig"
> and this is confirmed with "sh netstart -n wg0".
> 
> /etc/netstart uses the shell to run ifconfig and it's the shell supporting "$()".
> 
> But nonetheless, it's my local config and my problem when it breaks.
> I'd just hope if the parser gets updated it'll add include support.

that's currently how it works but I would not rely on implementation
details.

not such a problem if it's local or you have OOB access, but some
readers may be using wg for remote access (e.g. to a machine behind NAT
that is otherwise not directly reachable) and for some of those it would
really suck to have to get physical access to the machine if it fails
after an upgrade.

> > (especially for any interfaces you might rely on for accessing a remote
> > system to fix it), in case the parser gets changed
> >
> > executing a script is documented so you could expect that to stay
> > working or at least get a warning in upgrade notes, e.g.
> 
> Great advice for aspiring admins to follow.
> That's why everyone tests changes, upgrades, etc.  And keep backups!
> 
> Truly I appreciate all the work the OpenBSD devs do, always amazed!
> 
> Forgive me as I have strayed too far from my original message.
>
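As an added example (not code from this thread or from OpenBSD), a small POSIX sh lint for the points raised above: it flags undocumented shell expansion in a hostname.if-style file, a wgkey kept inline, and a "!" line whose target is not executable. The file names and keys are constructed placeholders in a temp directory, not real /etc files.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: lint a
# hostname.if(5)-style file for the three things discussed above:
#   1. shell expansion ($(...) or backticks), which only works because
#      netstart currently hands unknown lines to the shell (undocumented);
#   2. a wgkey private key kept inline, where changelist(5) diffs and
#      /var/backups copies will pick it up;
#   3. a "!command" line whose target is missing or not executable.
# Findings go to stderr; the finding count is printed on stdout.
lint_hostname_if() {
    file=$1
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        case $line in *'$('*|*'`'*)
            echo "$file: undocumented shell expansion: $line" >&2
            count=$((count + 1)) ;;
        esac
        case $line in *wgkey*)
            echo "$file: private key inline; move it to a root-only '!' script" >&2
            count=$((count + 1)) ;;
        esac
        case $line in '!'*)
            cmd=${line#!}; cmd=${cmd%% *}
            if [ ! -x "$cmd" ]; then
                echo "$file: '!' target not executable: $cmd" >&2
                count=$((count + 1))
            fi ;;
        esac
    done < "$file"
    echo "$count"
}
# Constructed samples in a temp dir (placeholder keys, not real /etc files).
TMP=$(mktemp -d)
cat > "$TMP/hostname.wg0" <<EOF
!$TMP/wgconfig-wg0
inet 192.0.2.1 0xffffff00
wgport 51820
wgpeer PEER_PUBKEY_PLACEHOLDER= wgendpoint 198.51.100.42 51820 wgaip 192.0.2.2/32
EOF
printf '#!/bin/sh\nifconfig wg0 wgkey PRIVATE_KEY_PLACEHOLDER=\n' > "$TMP/wgconfig-wg0"
chmod 700 "$TMP/wgconfig-wg0"
cat > "$TMP/hostname.wg1" <<EOF
inet 192.0.2.1 0xffffff00
wgkey \$(cat $TMP/wg1.key)
!$TMP/missing-script
EOF
lint_hostname_if "$TMP/hostname.wg0"   # prints 0
lint_hostname_if "$TMP/hostname.wg1"   # prints 3
```

The first sample follows the documented split from the thread and passes cleanly; the second leans on shell expansion, keeps the key inline and points "!" at a missing script, so it gets three findings.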