kernelwg

package
v0.0.0-...-b7e086b Latest Latest
Warning: This package is not in the latest version of its module.
Published: Apr 26, 2024 License: MIT Imports: 20 Imported by: 0

README

kernel wireguard

kernelwg is a tiny program that runs as root. Its sole job is to alter WireGuard state. Changing WireGuard state and IP routes requires root privileges. Instead of running our entire service as root, we only run this portion as root, and we communicate with it over a socket.

I don't really know what I'm doing here. I suspect I ought to be looking into tools like https://justine.lol/pledge/.

Run

go run cmd/kernelwg/*.go

Build

go build -o kernelwg cmd/kernelwg/*.go

Docker

I initially tried running this in Docker, but I couldn't get it to work. It failed with "operation not permitted". I specified "user:root" in the compose file, but this is obviously not sufficient.

Because of this, I've decided to run the proxy outside of Docker.

Documentation

Index

Constants

const Debug = false
const WireguardDeviceName = "cyclops"

This is the name of our WireGuard device, which is the same on the HTTPS proxy server and on a camera server.

Variables

This section is empty.

Functions

func DropPrivileges

func DropPrivileges(username string) (e error, homeDir string)

Drop the privileges of this process to the specified username, so that we reduce our attack surface. Returns the home directory of 'username'.
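The following is an added illustration of what a privilege drop of this kind has to get right, written for this page and not the project's own DropPrivileges (note it returns `(homeDir, error)` in the idiomatic order, unlike the signature above). It resolves the target account, refuses to "drop" to uid/gid 0, applies supplementary groups, gid and uid in that order, and then verifies that root cannot be regained. The user name "nobody" in main and the ids in the comments are assumptions; the syscall calls assume Linux.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/user"
	"strconv"
	"syscall"
)

// dropPlan is the resolved and validated identity we intend to become.
type dropPlan struct {
	uid, gid int
	home     string
}

// planDrop turns the strings from an os/user record into numeric ids and
// refuses anything that would leave the process privileged (uid or gid 0)
// or without a home directory to return to the caller.
func planDrop(uidStr, gidStr, home string) (dropPlan, error) {
	uid, err := strconv.Atoi(uidStr)
	if err != nil {
		return dropPlan{}, fmt.Errorf("uid %q is not numeric: %w", uidStr, err)
	}
	gid, err := strconv.Atoi(gidStr)
	if err != nil {
		return dropPlan{}, fmt.Errorf("gid %q is not numeric: %w", gidStr, err)
	}
	if uid == 0 || gid == 0 {
		return dropPlan{}, errors.New("refusing to drop privileges to uid/gid 0")
	}
	if home == "" {
		return dropPlan{}, errors.New("target user has no home directory")
	}
	return dropPlan{uid: uid, gid: gid, home: home}, nil
}

// dropPrivileges looks up username and becomes that user. Order matters:
// supplementary groups and the gid are changed while we are still root, and
// the uid goes last because afterwards we can no longer change the others.
// On Linux, syscall.Setuid/Setgid apply to every thread of the process (Go 1.16+).
func dropPrivileges(username string) (string, error) {
	u, err := user.Lookup(username)
	if err != nil {
		return "", err
	}
	p, err := planDrop(u.Uid, u.Gid, u.HomeDir)
	if err != nil {
		return "", err
	}
	if err := syscall.Setgroups([]int{p.gid}); err != nil {
		return "", fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setgid(p.gid); err != nil {
		return "", fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(p.uid); err != nil {
		return "", fmt.Errorf("setuid: %w", err)
	}
	// Verify the drop stuck: if we can still become root, the caller must exit,
	// because the attack-surface reduction it relies on did not happen.
	if syscall.Setuid(0) == nil {
		return "", errors.New("privilege drop did not stick: still able to setuid(0)")
	}
	if os.Geteuid() != p.uid || os.Getegid() != p.gid {
		return "", fmt.Errorf("unexpected identity after drop: uid=%d gid=%d", os.Geteuid(), os.Getegid())
	}
	return p.home, nil
}

func main() {
	// "nobody" is an assumed account; a real service would use its own user.
	home, err := dropPrivileges("nobody")
	if err != nil {
		fmt.Fprintln(os.Stderr, "drop failed:", err)
		os.Exit(1)
	}
	fmt.Println("running as uid", os.Geteuid(), "home:", home)
}
```

Running main as a non-root user fails at setgroups, which is the intended behaviour: the function either ends up as exactly the requested identity or reports an error that the caller should treat as fatal.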

func LaunchRootModeSubProcess

func LaunchRootModeSubProcess() (e error, secret string)

Launch a copy of this process with the --kernelwg command line argument. This other process runs with root privileges, because it needs to be able to create or alter WireGuard interfaces.

This is one of the first things we do when starting up the cyclops server or the HTTPS proxy server.

Returns a secret that is used to authenticate ourselves to the root-mode spawned process.
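An added example, not the project's code, of the secret-based authentication described here and of the socket exchange the README mentions: the unprivileged side generates a random secret, hands it to the root-mode helper at launch, and must present it as the first line on the connection before any command is accepted; the helper compares it in constant time. The line-based protocol ("AUTH <secret>", "OK"/"ERR", one command per line), the "APPLIED" reply and the "list-peers" command are assumptions for illustration, and net.Pipe stands in for the Unix socket so the whole thing runs in one process.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"strings"
)

// newSecret creates the per-launch token the unprivileged parent passes to the
// root-mode child: 32 random bytes, hex encoded so it survives an environment
// variable or a line on stdin.
func newSecret() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// serveRootMode is the root-side loop. The first line on the connection must
// be "AUTH <secret>"; otherwise the connection is closed before any command
// reaches apply. The comparison is constant-time so a wrong guess does not
// leak how many leading bytes matched.
func serveRootMode(conn net.Conn, secret string, apply func(cmd string) string) error {
	defer conn.Close()
	r := bufio.NewReader(conn)
	line, err := r.ReadString('\n')
	if err != nil {
		return err
	}
	line = strings.TrimRight(line, "\r\n")
	if !strings.HasPrefix(line, "AUTH ") ||
		subtle.ConstantTimeCompare([]byte(strings.TrimPrefix(line, "AUTH ")), []byte(secret)) != 1 {
		fmt.Fprintln(conn, "ERR unauthenticated")
		return errors.New("unauthenticated peer")
	}
	fmt.Fprintln(conn, "OK")
	for {
		cmd, err := r.ReadString('\n')
		if err != nil {
			return nil // the unprivileged side hung up; nothing more to do
		}
		fmt.Fprintln(conn, apply(strings.TrimRight(cmd, "\r\n")))
	}
}

// authenticate is the unprivileged side of the handshake; on success it
// returns a reader positioned just after the helper's "OK".
func authenticate(conn net.Conn, secret string) (*bufio.Reader, error) {
	r := bufio.NewReader(conn)
	if _, err := fmt.Fprintf(conn, "AUTH %s\n", secret); err != nil {
		return nil, err
	}
	resp, err := r.ReadString('\n')
	if err != nil {
		return nil, err
	}
	if resp = strings.TrimRight(resp, "\r\n"); resp != "OK" {
		return nil, fmt.Errorf("root-mode helper refused us: %s", resp)
	}
	return r, nil
}

// runExchange wires both halves together over an in-memory pipe (the real
// program would use a Unix socket; the protocol is the same) and returns the
// helper's reply to one command.
func runExchange(helperSecret, clientSecret, cmd string) (string, error) {
	helperEnd, clientEnd := net.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		// Stand-in for the real work: the helper would touch WireGuard state here.
		_ = serveRootMode(helperEnd, helperSecret, func(c string) string { return "APPLIED " + c })
	}()
	defer func() { clientEnd.Close(); <-done }()

	r, err := authenticate(clientEnd, clientSecret)
	if err != nil {
		return "", err
	}
	if _, err := fmt.Fprintf(clientEnd, "%s\n", cmd); err != nil {
		return "", err
	}
	resp, err := r.ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimRight(resp, "\r\n"), nil
}

func main() {
	secret, err := newSecret()
	if err != nil {
		panic(err)
	}
	fmt.Println(runExchange(secret, secret, "list-peers"))          // APPLIED list-peers <nil>
	fmt.Println(runExchange(secret, "not-the-secret", "list-peers")) // refused
}
```

The secret only proves that the connecting process was spawned by (or told the secret by) the same parent; it does not replace socket file permissions, which should still restrict who can connect at all.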

func Main

func Main()

Types

This section is empty.
