Cool project! Is there a dsnet quickstart guide? I'm relatively new with wireguard so this could easily be user error, but here are my steps:

Server: Debian Buster

apt -t buster-backports install -y git golang-go iptables iptables-persistent netfilter-persistent

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

apt -t buster-backports -y install wireguard

mkdir /root/go && export GOPATH=/root/go

git clone https://github.com/naggie/dsnet.git

cd dsnet/cmd

go build dsnet.go

mv dsnet /usr/local/bin

cd /root

mv /root/dsnet/etc/dsnet.service /etc/systemd/system/

rm -rf /root/dsnet

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/local.conf
sysctl -p /etc/sysctl.d/local.conf

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i dsnet -o eth0 -j ACCEPT

netfilter-persistent save

dsnet init

sed -i 's/"Networks.*/"Networks": ["0.0.0.0\/0"],/' /etc/dsnetconfig.json

systemctl daemon-reload

systemctl start dsnet && systemctl enable dsnet

Running systemctl status dsnet shows no errors. Good so far.

dsnet add banana > dsnet-banana.conf

I fill out the prompts and then copy the contents of dsnet-banana.conf

Client: Ubuntu 20.04

sudo su

apt install -y wireguard

cat > /etc/wireguard/wg0.conf <<EOF
{{{ PASTE CONTENTS OF DSNET-BANANA.CONF ABOVE HERE }}}
EOF

wg-quick up wg0

Wireguard loads the config and I see the wg0 interface in ip a but I can't connect to any internet site and I can't ping the server above.

Thoughts?

Hello,

found about dsnet today and I am loving it. Thanks.

Care to share how can I make same, identical table like in your README from .json ?

https://raw.githubusercontent.com/naggie/dsnet/master/etc/report.png

Thanks, A.

Hey there,

the generated peer configuration only contains the external IPv4 address and not the external IPv6 address of the server.
Some ISPs may have a better connectivity using IPv6 than IPv4, because of Carrier Grade NAT.

I think the best solution would be to add a configuration option "UseDomain", which uses the domain specified in the "Domain" configuration option as endpoint in the peer configuration. This way the client will automatically decide if it's using IPv6 or IPv4.

Keep up the great work!

Sure, one can edit /etc/dsnetconfig.json, set a custom IP address and run "dsnet sync". But it would be nice to have the ability to config a custom IP address when adding new peers. Because auto-assigning the lowest available IP address is not always wanted.

E.g. something like dsnet add myhost --ipv4 10.80.54.100 would be nice.

I see that currently the config file is hardcoded. It would be useful to have it be configurable via environment or command line argument. That would allow dsnet to use more wireguard interfaces with different configs.

Could install and enable (--now) dsnet.service automatically, copy itself to /usr/local/bin, create a dsnet group with setuid root to enable users in the dsnet group to use it without root.

Hi,

In https://github.com/cirello-io/ezwg/commit/89b2f1710da9e680a6ce07e8f22f85ea345b0bdc#r39533635 it seems that you express discomfort with the fact that I forked and renamed my fork.

What I have in mind will make my fork deep differently than your original. Yet, I believe in giving credits to original authors is important and necessary.

I opened an issue to address the problem.

https://github.com/cirello-io/ezwg/issues/1

But, I think you should somehow express here through license changes or some other device what constitutes an acceptable fork or not. The MIT license is a bit vague regarding attribution to end-users. Perhaps, you could opt to slightly stricter license, like Apache v2 that has explicit attribution requirements written down.

	ConfirmOrAbort("\nDo you want to add the above configuration?")

... should be 'the configuration above' or 'the preceding configuration'. It's a binary choice.

What do you think @naggie? I don't see much value in keeping in the repo and it just adds bloat.

Hello,

is it possible to workaround dynamic IP's by entering some (updated with ddclient) domain name in "ExternalIP" instead of actual IPv4 ?

Hi, I'm trying to add 0.0.0.0/0 in Networks but it doesn't work. (I've tried with "Networks": "0.0.0.0/0", "Networks": "[0.0.0.0/0]", "Networks": 0.0.0.0/0)
Do you have any advice? Thanks in advance.

I just packaged dsnet for ArchLinux in the AUR. This builds from the main branch.
Maybe at some point it would be nice to add a section to README.md where we list all the available packaged versions of dsnet for various distributions.

I know due to go the binaries are very portable but sometimes its nice to just install it via a package manager and keep it up to date this way. I have not yet checked if there exist packages for other distributions.

Hi. What are the ports that are allowed to be used in dsnetconfig.json?
I tried using known UDP ports (53,123,etc) but dnsnet errors out.

Due to some experiences ISP throttling wireguard traffic, there is a need to change the wireguard port to something that will not be throttled by ISP.

Is this limitation in dsnet be considered in the next future releases?

Thanks and kind regards.

Are there any plans for armv8 binaries? Tried to install this onto my odroid-n2 via AUR but said this software wasn't available for my architecture.

This could be great to automate setting up configuration for new endpoints, but from what I saw it only works in interactive mode, where it asks you things, and then uses those answers to generate config. Is there a way to run it from a script, without terminal?

Everything from the tutorial seems to have run without hickup, but dsnet up doesn't appear to do anything. The WG config generated for a peer was good, and the resulting wg-quick up <config> command looks good on the peer. However, on node 0 -- where all of the commands to generate the json config, and the peer WG config was created -- no routing is established:

# dsnet up
# echo $?
0
# dsnet sync
# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         m.n.o.p   0.0.0.0         UG        0 0          0 eth0
m.n.o.0   0.0.0.0         255.255.224.0   U         0 0          0 eth0
m.n.o.0   m.n.o.1   255.255.224.0   UG        0 0          0 eth0
# wg
interface: dsnet
  public key: censored
  private key: (hidden)
  listening port: 51820

peer: censored
  preshared key: (hidden)
  allowed ips: 10.79.56.2/32, censored

peer: censored
  preshared key: (hidden)
  allowed ips: 10.79.56.3/32, censored
# cat /proc/sys/net/ipv4/ip_forward
1

No error, but no network and no information for the wg interface, as if it was never set up. I tried dsnet down and up a few times -- always exit code 0, but no change to the routing that I could detect. The wireguard data toggles in and out. I've made sure the 51820 port is open in the firewall (both TCP and UDP).

As I said, the WG config for the peer imported into wg-quick beautifully and set up the routing correctly.

Node 0 is

• Linux Arch, kernel 5.15, x86_64
• wireguard 1.0
• dsnet 226c61a (Tue May 17 20:52:01 2022)
• compiled with Go 1.19

Please move the config file, like /etc/dsnet/server.json

For when you add featues (inevitable).

I also have the case where I have many configs to use, so in one path by default is handy for me.

I plan to send PR when not on mobile.

If you try to use latest master version it creates broken user configs that looks like this :

[Interface]
Address=fd00:c6f2:a99b:d600:b3a1:e77f:2380:14a2/22
Address=<nil>/64
PrivateKey=8KkQ3rxeiP4/rZn9SLYtTelCrmM0DAvoN5bvjp0o6Fs=

[Peer]
PublicKey=knQBLoy6mWFDWL+XukG0MPOwHgGTSZwTFFmsM9MFnCI=
PresharedKey=eOUvrmUWVSy5SxtJ70UzxToRwwV5EuFtS/6HKiKvck4=
Endpoint=<Public IP is fine>:51820
PersistentKeepalive=0
AllowedIPs={{10.144.60.0 fffffc00}}
AllowedIPs={{fd00:c6f2:a99b:d600:: ffffffffffffffff0000000000000000}}

Cant say when it appeared but this commit works.

Checked a few more. Up to this still works.

I tried the following:

• dsnet init
• dsnet add x2
• wg-quick up <my new config> on each client machine (ubuntu 20.04)

The machines connect to the server and can ping the server over the VPN address, and the server can ping the clients, but the clients can't ping each other. Is there something I missed?

Currently adding extra routes via Networks is a manual step, unlike the automatically routed allocated IP. Adding (and removing) routes should be performed automatically on sync.

Note that wireguard is already told that a peer has a network via dsnetconfg - it then tells the kernel in turn. Routes must be manually added, for instance

sudo ip route add 10.182.0.0/16 dev dsnet

dsnet has no tests at the moment. I'd really appreciate PRs that add unit tests.

Like this: https://github.com/naggie/dstask/blob/master/completions/embed.go#L7

It's quite painful dealing with inlined templates. This will allow individual files so things like syntax highlighting work.

Just opening this here for logo ideas. I'm no designer/icon kind of person, but would love if someone had ideas and or talent they would love to share.

Ideas I've had for logos so far:

• A hash/net style (to represent dsnet)
• Three nodes connected in a v shape

Full error:
Key: 'DsnetConfig.ReportFile' Error:Field validation for 'ReportFile' failed on the 'required' tag - failed to load configuration file
this is with dsnet v.0.7.2.

I'm pretty sure that field used to be filled with a default. In any case, simply making sure the config has something like:

    "ReportFile": "/tmp/dsnetreport.json",

is enough to stop dsnet from complaining and to issue dsnet up successfully.

How do I set MTU?

0.6 is ok. May have been caused the the separation of lib and cli

Could generate a bash script which internally uses the wg-quick template. The bash script could then delete itself.

Useful to install wireguard, openresolv, save config in correct place with correct permissions and then activate/enable via systemd.

ubuntu-bash-wg-quick

Generated address in output config does not include CIDR subnet. Does not seem to matter, though.

In addition to the hostname, aliases would be useful to support virtual hosting when integrated with dns. The parser should simply check for uniqueness.

Are there any plans on releasing dsnet on the Fedora Copr repository?

This gives more flexibility with scripts. It can then also be used remotely via ssh (using a sudo NOPASSWD rule and a restricted command) with more ease.

Such that the server never knows the peer private key. Should be easy, as the only thing that needs changing is the add command prompt.

Peer names should be validated to RFC 1123, as these should be considered hostnames.

Suggest that characters that are not [a-zA-Z0-9\-\.] be either removed entirely or replaced with -, and anything over 63 characters be truncated, and dsnet prompt to confirm the modified name (as default by pressing enter) or user to enter a new one.

So I've set up a configuration and have added 0.0.0.0/0 to the networks array. However, when I connect DNS doesn't work -- I can't ping google.com. I've enabled IP forwarding on both IPv4 and IPv6 and have set up unbound as a DNS server, and have pointed my config at that DNS server. But it still doesn't work. I've even tried 8.8.8.8 as a DNS server and no go. What am I doing wrong?

Hi,

I discovered this tools on HN and decided to move all my current config on it.
Everything is working great and smooth. Unfortunately my old /etc/wireguard/wg0.conf is up and running at boot, how can i set it to launch 'dsnet up' at boot instead ?

Thanks.

As wireguard supports IPv6 out the box, so should dsnet... And it does! Sort of...

Currently, a single /128 IPv6 can be added in as a 'Network', and then any IPv6 networks available via that host can be added after that:

{
    "ExternalIP": "DOOOOOOOOOOOOM",
    "ListenPort": 51820,
    "Domain": "root2.news",
    "InterfaceName": "sqrt2news",
    "Network": "172.18.16.0/24",
    "IP": "172.18.16.1",
    "DNS": "172.18.0.1",
    "Networks": [
        "172.18.0.0/16",
        "fdca:9217:f2de:00b1::/64",
    ],
    "ReportFile": "/var/lib/dsnetreport.json",
    "PrivateKey": "WhydoyoualwaysgettoreadthetopstoryMorbo?",
    "Peers": [
        {
        "Hostname": "MORBOS-TELEPROMPTER",
        "Owner": "MORBO",
        "Description": "I WILL DESTROY YOU",
        "IP": "172.18.16.9",
        "Added": "2020-03-12T20:15:42.798800741Z",
        "Networks": [
            "172.18.1.0/24",
            "fdca:9217:f2de:00b1::9/128",
            "fdca:9217:f2de:cf86::/64"
        ],
        "PublicKey": "WORTHLESSHUMANSARENOTPERMITTEDTOVIEWMORBOSMIGHTYPUBLICKEY",
        "PresharedKey": "ALLHUMANSAREVERMININTHEEYESOFMORBO"
        }
    ]
}

To make it more 'official', I propose the adoption of a IP6 attribute, this should be a single /128 IPv6 address, and a Network6 attribute to define the network range.

{
    "ExternalIP": "DOOOOOOOOOOOOM",
    "ListenPort": 51820,
    "Domain": "root2.news",
    "InterfaceName": "sqrt2news",
    "Network": "172.18.16.0/24",
    "Network6": "fdca:9217:f2de:00b1::/64",
    "IP": "172.18.16.1",
    "IP6": "fdca:9217:f2de:00b1::1",
    "DNS": "172.18.0.1",
    "Networks": [
        "172.18.0.0/16",
        "fdca:9217:f2de::/48"
    ],
    "ReportFile": "/var/lib/dsnetreport.json",
    "PrivateKey": "WhydoyoualwaysgettoreadthetopstoryMorbo?",
    "Peers": [
        {
        "Hostname": "MORBOS-TELEPROMPTER",
        "Owner": "MORBO",
        "Description": "I WILL DESTROY YOU",
        "IP": "172.18.16.9",
        "IP6": "fdca:9217:f2de:00b1::9",
        "Added": "2020-03-12T20:15:42.798800741Z",
        "Networks": [
            "172.18.1.0/24",
            "fdca:9217:f2de:cf86::/64"
        ],
        "PublicKey": "WORTHLESSHUMANSARENOTPERMITTEDTOVIEWMORBOSMIGHTYPUBLICKEY",
        "PresharedKey": "ALLHUMANSAREVERMININTHEEYESOFMORBO"
        }
    ]
}

Since v0.6. Should be 25, previously from const.go

Hello,

is dsnet tested to be working on RPi 4 ?

Currently I have this kernel: Linux wg 5.4.77-1-ARCH #1 SMP PREEMPT Tue Nov 17 20:56:33 UTC 2020 armv7l GNU/Linux

and upon dsnet init I get:

bash: /usr/local/bin/dsnet: cannot execute binary file: Exec format error

Not sure if this is because v7 is not supported or it could be something else..

Never had this issue on x86

It always generates configurations with local only allowed IP. Any way for it to default to 0.0.0.0/0?

Hi,
I may have missed something in the docs, but is there a way to specify either a command or a script to run when starting the wg interface with dsnet, similar to the PostUp and PostDown fields in the wireguard config files?

I'm thinking on the server side, when looking at a basic centralised VPN set-up with multiple clients.

As I've only used dsnet on machines that have IP forwarding enabled, it never occurred to me to add forwarding instructions to the docs. Context: #34

@frillip I've assigned you in the hope of a PR :-)

Report file is missing the keys ExternalHostname and ExternalIP6 that were recently added to dsnetconfig.json

Sample outputs:
/etc/dsnetconfig.json:

{
    "ExternalHostname": "wireguard.example.com",
    "ExternalIP": "198.51.100.2",
    "ExternalIP6": "fd00:7b31:106a::1",
    "ListenPort": 51820,
    "Domain": "dsnet",
    "InterfaceName": "dsnet",
    "Network": "10.164.236.0/24",
    "Network6": "fd00:7b31:106a:ae00::/64",
    "IP": "10.164.236.1",
    "IP6": "fd00:7b31:106a:ae00::1",
    "DNS": "10.164.236.1",
    "Networks": [
    ],
    "ReportFile": "/var/lib/dsnetreport.json",
...

/var/lib/dsnetreport.json:

{
    "ExternalIP": "198.51.100.2",
    "InterfaceName": "dsnet",
    "ListenPort": 51820,
    "Domain": "dsnet",
    "IP": "10.164.236.1",
    "IP6": "fd00:7b31:106a:ae00::1",
    "Network": "10.164.236.0/24",
    "Network6": "fd00:7b31:106a:ae00::/64",
    "DNS": "10.164.236.1",
    "PeersOnline": 3,
...