  • #358
Closed
Open
Issue created Feb 10, 2020 by Thomas Haller (@thaller), Owner

[RFE] add support for nmcli for configuring WireGuard peers

NetworkManager has native support for WireGuard ([1]). But still, nmcli does not support configuring WireGuard peers of a connection profile.


The workarounds are:

  • edit the keyfile under /etc/NetworkManager/system-connections and reload the profile with nmcli connection reload or nmcli connection load $FILENAME.

  • re-import a new profile from a wg-quick configuration file with nmcli connection import type wireguard file $FILENAME. The downside of this is that it always creates a new profile.

  • use the example script or the D-Bus API directly in any way you see fit.

  • use recent plasma-nm or nm-connection-editor which supports peers. nm-applet support is still missing (https://gitlab.gnome.org/GNOME/network-manager-applet/issues/77) and gnome-control-center/gnome-shell (both don't support WireGuard at the moment).


The difficulty is that currently nmcli has a static list of properties that it supports. But for peers, the properties should be multilayered and dynamic. E.g.

  nmcli connection modify "$PROFILE" 'wireguard.v6+0YmFFqm/ZNlzxBp05qAOIhD+E1tw29eFqAq8yFi0=.endpoint' 'my.host.tld:8000'

should work as you'd expect. Likewise, nmcli connection show "$PROFILE" should list:

wireguard.private-key-flags:                                         0 (none)
wireguard.listen-port:                                               8001
wireguard.v6+0YmFFqm/ZNlzxBp05qAOIhD+E1tw29eFqAq8yFi0=.endpoint      my.host.tld:8000
wireguard.v6+0YmFFqm/ZNlzxBp05qAOIhD+E1tw29eFqAq8yFi0=.allowed-ips   192.168.75.3/32
...

It should not treat WireGuard peers like ipv4.addresses, vpn.data or bond.options. Instead, those properties should unfold in nmcli.

This is currently not how nmcli works, so it's a larger effort...


Edited Nov 05, 2020 by Thomas Haller
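The first workaround (editing the keyfile) can be scripted. The sketch below is an added example, not part of the issue or of NetworkManager's code. It assumes the keyfile stores each peer in a `[wireguard-peer.<public-key>]` section with `endpoint` and `allowed-ips` keys, and that NetworkManager only loads keyfiles that are root-owned with mode 0600. The function names and the sample profile are hypothetical.

```python
import base64
import configparser
import io
import os

# Constructed sample profile (contains no real keys).
SAMPLE = """[connection]
id=wg0
type=wireguard
interface-name=wg0

[wireguard]
listen-port=8001
"""

def check_public_key(key):
    """A WireGuard public key is 32 bytes, base64-encoded (44 characters)."""
    raw = base64.b64decode(key, validate=True)  # raises ValueError on bad base64
    if len(raw) != 32:
        raise ValueError("public key must decode to 32 bytes")
    return key  # safe to embed in a section header: no ']' or newline possible

def set_peer(keyfile_text, public_key, endpoint=None, allowed_ips=()):
    """Return keyfile text with the peer section added or updated."""
    if any("\n" in v for v in (endpoint or "", *allowed_ips)):
        raise ValueError("newline in value would inject extra keyfile lines")
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names case-sensitive
    cp.read_string(keyfile_text)  # note: comments in the file are not preserved
    section = "wireguard-peer." + check_public_key(public_key)
    if not cp.has_section(section):
        cp.add_section(section)
    if endpoint is not None:
        cp.set(section, "endpoint", endpoint)
    if allowed_ips:
        cp.set(section, "allowed-ips", ";".join(allowed_ips) + ";")
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()

def write_keyfile(path, text):
    """Create a 0600 temp file and rename it, so the profile (which may
    hold the private key) is never readable by other users."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.replace(tmp, path)
```

After writing the file, reload it with `nmcli connection load $FILENAME` as described in the workaround.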