Luci-app-wireguard + QR generation

Am I right that QR code generation is somewhat broken in the current stable release (all updates installed so far)? Allowed IPs are missing in the generated QR code, like those IPs from the simplest config below (192.168.10.128/32 and fd00:10::128/128). In order to finish client configuration in the official Android client I have to fill those in manually.

config interface 'vpn'
	option proto 'wireguard'
	option listen_port '51820'
	option private_key 'longkeygoeshere='
	list addresses '192.168.10.1/24'
	list addresses 'fd00:10::1/64'

config wireguard_vpn 'wgclient'
	option preshared_key 'longkeygoeshere='
	option private_key 'longkeygoeshere='
	option public_key 'longkeygoeshere='
	list allowed_ips '192.168.10.128/32'
	list allowed_ips 'fd00:10::128/128'

Any chance to fix it?

There's a long discussion on this:

Do you mean they're not being added to the peer (i.e. on the Android device) as addresses? They shouldn't be allowed IPs on both ends of the tunnel.

1 Like

The Allowed IPs on the "server" side are different from the allowed IPs on the "client".

On the "server" side they are e.g. 192.168.10.128/32, while on the client side they are e.g. 0.0.0.0/0, ::/0

You can argue that the QR code should contain the default Allowed IPs: 0.0.0.0/0, ::/0 or perhaps the LAN subnet of the router?

1 Like

I'm just saying that the QR code is useless (from the user's standpoint) if it requires additional manipulation like entering the client IP address or DNS server.

1 Like

Yep - one valid use case is transferring a Wireguard config from an OpenWrt to another device via QR Code:

How would you programmatically determine the correct IP address or DNS server that should be used on the client device? What do you do in cases where the allowed IPs in the peer config is more than a single /32 address?

You either need to add further information prior to generating the QR code or after scanning it on the client device. What the QR code does do, however, is allow the transfer of the 'complex' data like the keys.

1 Like
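The server-side versus client-side mapping discussed in the posts above, as an added example that is not part of the thread and is not luci-app-wireguard code. It derives the client `Address` from the peer's `allowed_ips` only when every entry is a host route (/32 or /128) and refuses otherwise; the key strings, the endpoint `vpn.example.net:51820`, the default client routes and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample mirroring the peer section quoted in the first post.
PEER = {
    "private_key": "CLIENT_PRIVATE_KEY_PLACEHOLDER=",
    "preshared_key": "PRESHARED_KEY_PLACEHOLDER=",
    "allowed_ips": ["192.168.10.128/32", "fd00:10::128/128"],
}
# Assumed values that the UCI peer section does not contain.
SERVER = {
    "public_key": "SERVER_PUBLIC_KEY_PLACEHOLDER=",
    "endpoint": "vpn.example.net:51820",
}


def client_addresses(allowed_ips):
    """Return the peer's tunnel addresses, or raise if they are ambiguous.

    Only host routes (/32, /128) identify a single client address; a wider
    prefix is a routed subnet and cannot be reused as the Address line.
    """
    addrs = []
    for entry in allowed_ips:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen != net.max_prefixlen:
            raise ValueError(f"{entry} is not a host route; set Address by hand")
        addrs.append(entry)
    if not addrs:
        raise ValueError("peer has no allowed_ips to derive an Address from")
    return addrs


def client_config(peer, server, routes=("0.0.0.0/0", "::/0"), dns=None):
    """Build the wg-quick style text a client would import, e.g. from a QR code."""
    lines = ["[Interface]", f"PrivateKey = {peer['private_key']}",
             f"Address = {', '.join(client_addresses(peer['allowed_ips']))}"]
    if dns:  # DNS cannot be derived from the peer section; the caller supplies it
        lines.append(f"DNS = {', '.join(dns)}")
    lines += ["", "[Peer]", f"PublicKey = {server['public_key']}"]
    if peer.get("preshared_key"):
        lines.append(f"PresharedKey = {peer['preshared_key']}")
    lines += [f"AllowedIPs = {', '.join(routes)}", f"Endpoint = {server['endpoint']}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(client_config(PEER, SERVER))
```

The generated text contains the client's private key, so a QR code built from it has to be treated as a secret.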

There is no need to debate about showing or not showing the private key (or any other optional information). Let the user decide what he wants to encode - one (or several) checkboxes will make many happier.

I assume it is the main use case.

That's not a debate - as the private key should never be shown, unless it's to move the account, hence my posting a discussion about why there's a misconception about what the QR Code is for. 💡 It seems you're under that misconception.

I don't understand this statement. Are you making a Feature Request?

Is Wireguard already compatible with DHCP? I doubt it. I wonder why the Wireguard client refuses to work without an IP address being provided?

Wireguard is a Layer 3 protocol, so Layer 2 protocols like DHCP are not compatible.

See: https://www.wireguard.com/#cryptokey-routing

Wireguard for Android is under the same misconception?

I don't understand your question. Additionally, this is an OpenWrt discussion forum.

The misconception is that the QR Code is to make a new peer. It doesn't. It moves an already existing peer config.

If you are a developer 🙂

I'm not sure what you're asking here? If the generated QR code were to include an IP address and DNS server for the client device then that information needs to come from somewhere. Either you derive it programmatically from other information (hence my query about how you think that could work in practice) or you manually add it. And if you're doing the latter then does it matter whether you do that before you generate the QR code or after you create the config on the client?

1 Like

This is exactly why I questioned the statement about "How would you programmatically determine the correct IP address or DNS server".

That's the question we asked you. I think there's a logical circle forming here...

You seem to want OpenWrt to guess a DNS server for a Wireguard config and add it to a generated QR Code, correct?

Also note, we already discussed that the QR Code doesn't do what you're describing - so you're asking for a Feature Request too?

My idea is that the QR code generated by OpenWrt should provide enough information to configure peers by using the official Wireguard client for Android.