From: Stuart Henderson
Subject: Re: Update stripcom function in netstart
To: obsd@mulh.net
Cc: tech@openbsd.org
Date: Fri, 5 Sep 2025 11:30:42 +0100

On 2025/09/05 04:05, obsd@mulh.net wrote:
> On 2025-09-04 22:44:30, Stuart Henderson wrote:
> > i would recommend against using undocumented syntax in these files
>
> Good advice, most should pkg_add wireguard-tools and use it to configure wireguard.

I don't think that is good advice. You can't rely on wireguard-tools
working after an OS update until you've updated packages (and even then
sometimes a recompile is not enough; it may need code changes after
some changes to the kernel).

> I'd rather stick to openbsd's base, it has everything needed and documented well.

makes sense for basic system config like this.

> After reading "man ifconfig" and "man wg" the hostname.if
> would probably have to look something like this:
> (and this is where I started)
>
> inet 192.0.2.1 0xffffff00
> wgport 51820
> wgkey A7NT9n6DIV6iLfdX0mRgcHgcCJPdvpSXanOMPV25xbQ=
> wgpeer kk3TQeCO683Y2OaGkpFztWfKTaPez3bx0TbAPgRxs94= wgpsk V1cnMjMUyB3KthU3L2YXauQHcCM4beqtJfjQaFFm9C8= wgendpoint 198.51.100.42 51820 wgaip 192.0.2.2/32
> wgpeer SFy0vTvtSlPOO7WFOf1lcqssziaw399vuafpH4tWgpA= wgpsk kNehxEObqhD6OqzLsvdyHCCBh2Ydc7ttpBQR4CkHW4I= wgendpoint 198.51.100.80 51820 wgaip 192.0.2.3/32
>
> I just wanted to make my configuration easier to read and secure the keys.
if you really want to split them, this would stay within the documented syntax:

/etc/hostname.wg0
> !/etc/wgconfig-wg0
> inet 192.0.2.1 0xffffff00
> wgport 51820
> wgpeer kk3TQeCO683Y2OaGkpFztWfKTaPez3bx0TbAPgRxs94= wgpsk V1cnMjMUyB3KthU3L2YXauQHcCM4beqtJfjQaFFm9C8= wgendpoint 198.51.100.42 51820 wgaip 192.0.2.2/32
> wgpeer SFy0vTvtSlPOO7WFOf1lcqssziaw399vuafpH4tWgpA= wgpsk kNehxEObqhD6OqzLsvdyHCCBh2Ydc7ttpBQR4CkHW4I= wgendpoint 198.51.100.80 51820 wgaip 192.0.2.3/32

/etc/wgconfig-wg0 (executable)
> #!/bin/sh
> ifconfig wg0 wgkey A7NT9n6DIV6iLfdX0mRgcHgcCJPdvpSXanOMPV25xbQ=

like you, I remove the + from /etc/hostname.* in changelist (I prefer to
have the emailed diff and full copy in /var/backups for changes to those
files) and don't worry about the key showing in diffs, but I'm not
sending those mails off anywhere untrusted..

> "man hostname.if" has the line:
> "Any lines not matching these packed formats are passed directly to ifconfig"
> and this is confirmed with "sh netstart -n wg0".
>
> /etc/netstart uses the shell to run ifconfig and it's the shell supporting "$()".
>
> But none the less, it's my local config and my problem when it breaks.
> I'd just hope if the parser gets updated it'll add include support.

that's currently how it works but I would not rely on implementation
details. not such a problem if it's local or you have OOB access, but
some readers may be using wg for remote access (e.g. to a machine behind
NAT that is otherwise not directly reachable) and for some of those it
would really suck to have to get physical access to the machine if it
fails after an upgrade.

> > (especially for any interfaces you might rely on for accessing a remote
> > system to fix it), in case the parser gets changed
> >
> > executing a script is documented so you could expect that to stay
> > working or at least get a warning in upgrade notes, e.g.
>
> Great advice for aspiring admins to follow.
> That's why everyone tests changes, upgrades, etc. And keep backups!
>
> Truly I appreciate all the work the OpenBSD devs do, always amazed!
>
> Forgive me as I have strayed too far from my original message.
>
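As an added example (not part of the thread, and not code from OpenBSD's netstart), here is a small POSIX sh lint that checks a hostname.if(5)-style file for the points raised above: command substitution that only works because netstart currently hands the line to sh, key material written inline, a "!" command that is missing or not executable, and a file that is readable by everyone. The file names, the temporary directory and every key value are constructed placeholders. The wgpsk check goes one step beyond the split shown in the thread, where only the wgkey was moved into the script; the "good" sample therefore keeps the psk in the script as well.

```shell
#!/bin/sh
# Added example, not from the thread: lint a hostname.if(5)-style file.
# Only the "!cmd" hostname.if syntax and the ifconfig(8) wgkey/wgpsk
# keywords come from the thread; all paths and key values are constructed.

# is_executable NAME: a path must carry the exec bit, a bare name must be in PATH
is_executable() {
    case $1 in
        */*) [ -x "$1" ] ;;
        *)   command -v "$1" >/dev/null 2>&1 ;;
    esac
}

# audit_hostname_if FILE
# Prints one line per finding and returns the number of findings (0 = clean).
audit_hostname_if() {
    f=$1
    n=0

    # A file that holds keys should not be readable by "other" (ls -l chars 8-10).
    if [ "$(ls -ld "$f" | cut -c8-10)" != "---" ]; then
        echo "$f: world-readable"
        n=$((n + 1))
    fi

    # IFS= and -r keep each line exactly as written in the file.
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;            # blank line or comment
        esac
        case $line in
            *'$('*|*'`'*)                   # depends on netstart passing the line to sh
                echo "$f: command substitution is not documented hostname.if syntax: $line"
                n=$((n + 1)) ;;
        esac
        case $line in
            *wgkey*|*wgpsk*)               # secret in a file that changelist diffs and mails
                echo "$f: secret inline: ${line%% *} ..."
                n=$((n + 1)) ;;
        esac
        case $line in
            '!'*)                           # documented: "!cmd" runs cmd via sh
                cmd=${line#!}
                cmd=${cmd%% *}
                if ! is_executable "$cmd"; then
                    echo "$f: '!' line references $cmd, which is missing or not executable"
                    n=$((n + 1))
                fi ;;
        esac
    done < "$f"
    return "$n"
}

# --- constructed demo input (placeholders, not real keys) -------------------
demo=$(mktemp -d)

# Undocumented variant: key pulled in with $(...), psk inline, script missing.
cat > "$demo/bad-hostname.wg0" <<'EOF'
inet 192.0.2.1 0xffffff00
wgport 51820
wgkey $(cat /etc/wg0.key)
wgpeer PEER1_PUBKEY_PLACEHOLDER= wgpsk PSK_PLACEHOLDER= wgendpoint 198.51.100.42 51820 wgaip 192.0.2.2/32
!/nonexistent/wgconfig-wg0
EOF
chmod 644 "$demo/bad-hostname.wg0"

# Documented variant: secrets live in an executable script run via "!".
cat > "$demo/wgconfig-wg0" <<'EOF'
#!/bin/sh
ifconfig wg0 wgkey PRIVKEY_PLACEHOLDER=
ifconfig wg0 wgpeer PEER1_PUBKEY_PLACEHOLDER= wgpsk PSK_PLACEHOLDER=
EOF
chmod 700 "$demo/wgconfig-wg0"

cat > "$demo/good-hostname.wg0" <<EOF
!$demo/wgconfig-wg0
inet 192.0.2.1 0xffffff00
wgport 51820
wgpeer PEER1_PUBKEY_PLACEHOLDER= wgendpoint 198.51.100.42 51820 wgaip 192.0.2.2/32
EOF
chmod 640 "$demo/good-hostname.wg0"

for f in "$demo/bad-hostname.wg0" "$demo/good-hostname.wg0"; do
    rc=0
    audit_hostname_if "$f" || rc=$?
    echo "$f: $rc finding(s)"
done
```

Run it as-is to see the two sample files scored; point audit_hostname_if at /etc/hostname.wg0 on a real host to check your own split. The "bad" sample produces five findings (mode, the "$(" line counted once for the substitution and once for the inline wgkey, the inline wgpsk, and the missing script); the "good" sample produces none.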