package peer
import (
	"context"
	"fmt"
	"net"
	"runtime"
	"strings"
	"sync"
	"time"

	"github.com/pion/ice/v3"
	"github.com/pion/stun/v2"
	log "github.com/sirupsen/logrus"
	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

	"github.com/netbirdio/netbird/client/internal/stdnet"
	"github.com/netbirdio/netbird/client/internal/wgproxy"
	"github.com/netbirdio/netbird/iface"
	"github.com/netbirdio/netbird/iface/bind"
	signal "github.com/netbirdio/netbird/signal/client"
	sProto "github.com/netbirdio/netbird/signal/proto"
	"github.com/netbirdio/netbird/version"
)
const (
	// iceKeepAliveDefault is the ICE keep-alive interval fallback; the effective value used by
	// reCreateAgent comes from iceKeepAlive(), defined elsewhere — presumably it returns this
	// constant unless overridden, verify there.
	iceKeepAliveDefault = 4 * time.Second
	// iceDisconnectedTimeoutDefault is the ICE disconnected-timeout fallback; see
	// iceDisconnectedTimeout() (defined elsewhere) for the effective value.
	iceDisconnectedTimeoutDefault = 6 * time.Second

	// defaultWgKeepAlive is the persistent keep-alive interval passed to
	// WgInterface.UpdatePeer in configureConnection.
	defaultWgKeepAlive = 25 * time.Second
)
// WgConfig holds the WireGuard-side parameters of a peer connection: the local
// interface to program, the remote peer's key, its allowed IPs and an optional
// pre-shared key.
type WgConfig struct {
	// WgListenPort is a WireGuard listen port; not read anywhere in this file.
	WgListenPort int
	// RemoteKey is the remote peer's WireGuard public key; it identifies the peer
	// in WgInterface.UpdatePeer/RemovePeer and is reported to onDisconnected.
	RemoteKey string
	// WgInterface is the local WireGuard interface the peer is added to and removed from.
	WgInterface *iface.WGIface
	// AllowedIps is the remote peer's allowed IP range in CIDR form; configureConnection
	// parses it with net.ParseCIDR, Open takes the part before "/" as the peer IP.
	AllowedIps string
	// PreSharedKey is passed through to WgInterface.UpdatePeer; presumably nil when no
	// pre-shared key is configured — verify with the interface implementation.
	PreSharedKey *wgtypes.Key
}
// ConnConfig is a peer Connection configuration
type ConnConfig struct {

	// Key is a public key of a remote peer
	Key string
	// LocalKey is a public key of a local peer
	LocalKey string

	// StunTurn is a list of STUN and TURN URLs
	StunTurn []*stun.URI

	// InterfaceBlackList is a list of machine interfaces that should be filtered out by ICE Candidate gathering
	// (e.g. if eth0 is in the list, host candidate of this interface won't be used)
	InterfaceBlackList []string
	// DisableIPv6Discovery restricts the ICE agent to UDP4 network types (see reCreateAgent)
	DisableIPv6Discovery bool

	// Timeout bounds how long Open waits for the remote offer/answer before giving up
	Timeout time.Duration

	// WgConfig carries the WireGuard interface/peer parameters applied once ICE succeeds
	WgConfig WgConfig

	// UDPMux and UDPMuxSrflx are the shared UDP muxes handed to the ICE agent.
	// punchRemoteWGPort additionally expects UDPMuxSrflx to be a *bind.UniversalUDPMuxDefault.
	UDPMux      ice.UDPMux
	UDPMuxSrflx ice.UniversalUDPMux

	// LocalWgPort is advertised to the remote peer as WgListenPort in offers and answers
	LocalWgPort int

	// NATExternalIPs is passed to the ICE agent as NAT1To1IPs
	NATExternalIPs []string

	// UserspaceBind indicates whether the WireGuard interface is userspace and uses bind.ICEBind
	// (not read in this file)
	UserspaceBind bool

	// RosenpassPubKey is this peer's Rosenpass public key
	RosenpassPubKey []byte
	// RosenpassAddr is this peer's Rosenpass server address (IP:port)
	RosenpassAddr string
}
// OfferAnswer represents a session establishment offer or answer
//
// It is what sendOffer/sendAnswer hand to the signalling callbacks and what
// OnRemoteOffer/OnRemoteAnswer receive from the remote peer. Nothing in this file
// validates the remote-supplied fields; consumers of the Rosenpass values and the
// port must apply their own checks.
type OfferAnswer struct {
	// IceCredentials are the sender's local ICE user credentials (ufrag/pwd)
	IceCredentials IceCredentials
	// WgListenPort is a remote WireGuard listen port.
	// This field is used when establishing a direct WireGuard connection without any proxy.
	// We can set the remote peer's endpoint with this port.
	WgListenPort int

	// Version of NetBird Agent
	Version string
	// RosenpassPubKey is the Rosenpass public key of the remote peer when receiving this message
	// This value is the local Rosenpass server public key when sending the message
	RosenpassPubKey []byte
	// RosenpassAddr is the Rosenpass server address (IP:port) of the remote peer when receiving this message
	// This value is the local Rosenpass server address when sending the message
	RosenpassAddr string
}
// IceCredentials ICE protocol credentials struct
//
// Filled from ice.Agent.GetLocalUserCredentials when sending and passed to
// Agent.Dial/Accept when received.
type IceCredentials struct {
	// UFrag is the ICE username fragment
	UFrag string
	// Pwd is the ICE password
	Pwd string
}
// Conn is the connection to a single remote peer. It drives ICE negotiation
// through the signalling callbacks, programs the local WireGuard peer once ICE
// succeeds and reports state changes to statusRecorder. Open runs the whole
// lifecycle; cleanup tears it down.
type Conn struct {
	config ConnConfig
	// mu is held while status, agent, ctx/notifyDisconnected and wgProxy are mutated.
	// Some reads happen without it (the status logged by OnRemoteOffer/OnRemoteAnswer,
	// the cancel func read in onICEConnectionStateChange).
	mu sync.Mutex

	// signalCandidate is a handler function to signal remote peer about local connection candidate
	signalCandidate func(candidate ice.Candidate) error
	// signalOffer is a handler function to signal remote peer our connection offer (credentials)
	signalOffer func(OfferAnswer) error
	// signalAnswer is a handler function to signal remote peer our answer to its offer
	signalAnswer func(OfferAnswer) error
	// sendSignalMessage is set by SetSendSignalMessage; it is not invoked in this file
	sendSignalMessage func(message *sProto.Message) error
	// onConnected is invoked by configureConnection once the WireGuard peer is configured
	onConnected func(remoteWireGuardKey string, remoteRosenpassPubKey []byte, wireGuardIP string, remoteRosenpassAddr string)
	// onDisconnected is invoked by cleanup, only when the connection had reached StatusConnected
	onDisconnected func(remotePeer string, wgIP string)

	// remoteOffersCh is a channel used to wait for remote credentials to proceed with the connection
	remoteOffersCh chan OfferAnswer
	// remoteAnswerCh is a channel used to wait for remote credentials answer (confirmation of our offer) to proceed with the connection
	remoteAnswerCh chan OfferAnswer
	// closeCh is unbuffered; Close sends on it non-blockingly, so the signal is only
	// delivered while Open is parked in one of its selects
	closeCh chan struct{}
	// ctx spans the connecting/connected phase of Open; cancelling it aborts
	// Dial/Accept and the final wait in Open
	ctx context.Context
	// notifyDisconnected cancels ctx; nil outside an active Open (reset by cleanup)
	notifyDisconnected context.CancelFunc

	// agent is the pion ICE agent created by reCreateAgent and closed/nil'ed by cleanup
	agent *ice.Agent
	// status is the last ConnStatus set by Open/configureConnection/cleanup
	status ConnStatus

	statusRecorder *Status

	// wgProxyFactory supplies wgProxy when the selected local candidate is relayed
	wgProxyFactory *wgproxy.Factory
	wgProxy        wgproxy.Proxy

	// remoteModeCh is created with a buffer of one in NewConn; it is not consumed in this file
	remoteModeCh chan ModeMessage
	meta         meta

	// adapter and iFaceDiscover are stored by NewConn; presumably consumed by
	// conn.newStdNet (defined elsewhere) — verify there
	adapter       iface.TunAdapter
	iFaceDiscover stdnet.ExternalIFaceDiscover
	// sentExtraSrflx records that the extra server reflexive candidate has already
	// been signalled (see onICECandidate); reset by cleanup
	sentExtraSrflx bool
}
// meta holds meta information about a connection
type meta struct {
	// protoSupport is the parsed feature set of the remote peer, set by RegisterProtoSupportMeta
	protoSupport signal.FeaturesSupport
}
// ModeMessage represents a connection mode chosen by the peer
//
// Carried on Conn.remoteModeCh; neither producer nor consumer is in this file.
type ModeMessage struct {
	// Direct indicates that it decided to use a direct connection
	Direct bool
}
// GetConf returns the connection config
//
// The struct is returned by value, but its reference fields (StunTurn,
// InterfaceBlackList, WgInterface, ...) still alias the Conn's own config.
func (conn *Conn) GetConf() ConnConfig {
	cfg := conn.config
	return cfg
}
// WgConfig returns the WireGuard config
//
// Equivalent to GetConf().WgConfig; returned by value, reference fields alias the original.
func (conn *Conn) WgConfig() WgConfig {
	wg := conn.config.WgConfig
	return wg
}
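// UpdateStunTurn update the turn and stun addresses
//
// The new list takes effect on the next reCreateAgent; an agent that already
// exists keeps the URLs it was built with. conn.mu is taken because
// reCreateAgent reads StunTurn under the same lock, so a concurrent update
// cannot race with the agent build.
func (conn *Conn) UpdateStunTurn(turnStun []*stun.URI) {
	conn.mu.Lock()
	defer conn.mu.Unlock()
	conn.config.StunTurn = turnStun
}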
// NewConn creates a new not opened Conn to the remote peer.
// To establish a connection run Conn.Open
//
// adapter and iFaceDiscover are stored as-is for later use; the error result is
// always nil at present and exists for interface stability.
func NewConn(config ConnConfig, statusRecorder *Status, wgProxyFactory *wgproxy.Factory, adapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover) (*Conn, error) {
	c := &Conn{
		config:         config,
		status:         StatusDisconnected,
		statusRecorder: statusRecorder,
		wgProxyFactory: wgProxyFactory,
		adapter:        adapter,
		iFaceDiscover:  iFaceDiscover,
	}
	// unbuffered on purpose: OnRemoteOffer/OnRemoteAnswer/Close drop their message
	// unless Open is currently waiting on the channel
	c.closeCh = make(chan struct{})
	c.remoteOffersCh = make(chan OfferAnswer)
	c.remoteAnswerCh = make(chan OfferAnswer)
	// buffered by one; not consumed in this file
	c.remoteModeCh = make(chan ModeMessage, 1)
	return c, nil
}
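// reCreateAgent builds a fresh pion ICE agent from conn.config and registers the
// candidate, connection-state and selected-pair callbacks on it.
//
// conn.mu is held for the whole build. An already assigned conn.agent is
// overwritten, not closed: callers rely on cleanup having run before (Open
// defers cleanup, so this holds between consecutive Open calls).
//
// Returns an error wrapped with the failing step when ice.NewAgent or one of
// the callback registrations fails. A failure of newStdNet is only logged and
// a nil Net is passed on — presumably pion substitutes its own default then;
// that is the pre-existing behaviour and is not changed here.
func (conn *Conn) reCreateAgent() error {
	conn.mu.Lock()
	defer conn.mu.Unlock()

	failedTimeout := 6 * time.Second

	transportNet, err := conn.newStdNet()
	if err != nil {
		// best effort: keep going without a custom transport net
		log.Errorf("failed to create pion's stdnet: %s", err)
	}

	// locals are named differently from the helper functions to avoid shadowing them
	keepAlive := iceKeepAlive()
	disconnectedTimeout := iceDisconnectedTimeout()

	agentConfig := &ice.AgentConfig{
		MulticastDNSMode:    ice.MulticastDNSModeDisabled,
		NetworkTypes:        []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6},
		Urls:                conn.config.StunTurn,
		CandidateTypes:      conn.candidateTypes(),
		FailedTimeout:       &failedTimeout,
		InterfaceFilter:     stdnet.InterfaceFilter(conn.config.InterfaceBlackList),
		UDPMux:              conn.config.UDPMux,
		UDPMuxSrflx:         conn.config.UDPMuxSrflx,
		NAT1To1IPs:          conn.config.NATExternalIPs,
		Net:                 transportNet,
		DisconnectedTimeout: &disconnectedTimeout,
		KeepaliveInterval:   &keepAlive,
	}

	if conn.config.DisableIPv6Discovery {
		agentConfig.NetworkTypes = []ice.NetworkType{ice.NetworkTypeUDP4}
	}

	// assigned directly (as before) so conn.agent is nil after a failed NewAgent
	conn.agent, err = ice.NewAgent(agentConfig)
	if err != nil {
		return fmt.Errorf("creating ICE agent for peer %s: %w", conn.config.Key, err)
	}

	if err = conn.agent.OnCandidate(conn.onICECandidate); err != nil {
		return fmt.Errorf("registering ICE candidate handler: %w", err)
	}

	if err = conn.agent.OnConnectionStateChange(conn.onICEConnectionStateChange); err != nil {
		return fmt.Errorf("registering ICE connection state handler: %w", err)
	}

	if err = conn.agent.OnSelectedCandidatePairChange(conn.onICESelectedCandidatePair); err != nil {
		return fmt.Errorf("registering ICE selected pair handler: %w", err)
	}

	return nil
}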
// candidateTypes returns the ICE candidate types the agent is allowed to gather:
// relay only when hasICEForceRelayConn() is set, host and server reflexive on iOS
// (see the TODO), and host, server reflexive and relay everywhere else.
func (conn *Conn) candidateTypes() []ice.CandidateType {
	switch {
	case hasICEForceRelayConn():
		return []ice.CandidateType{ice.CandidateTypeRelay}
	case runtime.GOOS == "ios":
		// TODO: remove this once we have refactored userspace proxy into the bind package
		return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive}
	default:
		return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay}
	}
}
// Open opens connection to the remote peer starting ICE candidate gathering process.
// Blocks until connection has been closed or connection timeout.
// ConnStatus will be set accordingly
//
// Steps: record the current peer state, (re)create the ICE agent, send our offer,
// wait for the remote offer or answer (bounded by config.Timeout and by Close),
// gather candidates, Dial or Accept the ICE connection, hand it to
// configureConnection, then block until the connection context is cancelled or
// Close is called. cleanup is deferred and runs on every exit path.
//
// Returns the error built by NewConnectionTimeoutError, NewConnectionClosedError
// or NewConnectionDisconnectedError for the regular exits, or the underlying
// agent/signalling/configuration error.
func (conn *Conn) Open() error {
	log.Debugf("trying to connect to peer %s", conn.config.Key)

	peerState := State{
		PubKey: conn.config.Key,
		// the address part of the AllowedIps CIDR; Split always yields at least one element
		IP:               strings.Split(conn.config.WgConfig.AllowedIps, "/")[0],
		ConnStatusUpdate: time.Now(),
		ConnStatus:       conn.status,
	}
	err := conn.statusRecorder.UpdatePeerState(peerState)
	if err != nil {
		log.Warnf("error while updating the state of peer %s,err: %v", conn.config.Key, err)
	}

	// deferred first so it runs last, after the notifyDisconnected defer registered below
	defer func() {
		err := conn.cleanup()
		if err != nil {
			log.Warnf("error while cleaning up peer connection %s: %v", conn.config.Key, err)
			return
		}
	}()

	err = conn.reCreateAgent()
	if err != nil {
		return err
	}

	err = conn.sendOffer()
	if err != nil {
		return err
	}

	log.Debugf("connection offer sent to peer %s, waiting for the confirmation", conn.config.Key)

	// Only continue once we got a connection confirmation from the remote peer.
	// The connection timeout could have happened before a confirmation received from the remote.
	// The connection could have also been closed externally (e.g. when we received an update from the management that peer shouldn't be connected)
	var remoteOfferAnswer OfferAnswer
	select {
	case remoteOfferAnswer = <-conn.remoteOffersCh:
		// received confirmation from the remote peer -> ready to proceed
		err = conn.sendAnswer()
		if err != nil {
			return err
		}
	case remoteOfferAnswer = <-conn.remoteAnswerCh:
		// the remote accepted our offer; nothing further to signal
	case <-time.After(conn.config.Timeout):
		return NewConnectionTimeoutError(conn.config.Key, conn.config.Timeout)
	case <-conn.closeCh:
		// closed externally
		return NewConnectionClosedError(conn.config.Key)
	}

	log.Debugf("received connection confirmation from peer %s running version %s and with remote WireGuard listen port %d",
		conn.config.Key, remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort)

	// at this point we received offer/answer and we are ready to gather candidates
	conn.mu.Lock()
	conn.status = StatusConnecting
	// conn.ctx bounds Dial/Accept and the final wait below; it is cancelled by
	// onICEConnectionStateChange (Failed/Disconnected), by cleanup and by the defer just after
	conn.ctx, conn.notifyDisconnected = context.WithCancel(context.Background())
	defer conn.notifyDisconnected()
	conn.mu.Unlock()

	peerState = State{
		PubKey:           conn.config.Key,
		ConnStatus:       conn.status,
		ConnStatusUpdate: time.Now(),
	}
	err = conn.statusRecorder.UpdatePeerState(peerState)
	if err != nil {
		log.Warnf("error while updating the state of peer %s,err: %v", conn.config.Key, err)
	}

	err = conn.agent.GatherCandidates()
	if err != nil {
		return err
	}

	// will block until connection succeeded
	// but it won't release if ICE Agent went into Disconnected or Failed state,
	// so we have to cancel it with the provided context once agent detected a broken connection
	//
	// the ICE role is derived from the ordering of the two public keys, so both
	// sides agree on who dials and who accepts without extra negotiation
	isControlling := conn.config.LocalKey > conn.config.Key
	var remoteConn *ice.Conn
	if isControlling {
		remoteConn, err = conn.agent.Dial(conn.ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
	} else {
		remoteConn, err = conn.agent.Accept(conn.ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
	}
	if err != nil {
		return err
	}

	// dynamically set remote WireGuard port is other side specified a different one from the default one
	remoteWgPort := iface.DefaultWgPort
	if remoteOfferAnswer.WgListenPort != 0 {
		remoteWgPort = remoteOfferAnswer.WgListenPort
	}
	// the ice connection has been established successfully so we are ready to start the proxy
	// (the remote-supplied Rosenpass fields are forwarded unchanged; configureConnection passes them to onConnected)
	remoteAddr, err := conn.configureConnection(remoteConn, remoteWgPort, remoteOfferAnswer.RosenpassPubKey,
		remoteOfferAnswer.RosenpassAddr)
	if err != nil {
		return err
	}

	log.Infof("connected to peer %s, endpoint address: %s", conn.config.Key, remoteAddr.String())

	// wait until connection disconnected or has been closed externally (upper layer, e.g. engine)
	select {
	case <-conn.closeCh:
		// closed externally
		return NewConnectionClosedError(conn.config.Key)
	case <-conn.ctx.Done():
		// disconnected from the remote peer
		return NewConnectionDisconnectedError(conn.config.Key)
	}
}
// isRelayCandidate reports whether candidate was obtained through a TURN relay.
func isRelayCandidate(candidate ice.Candidate) bool {
	switch candidate.Type() {
	case ice.CandidateTypeRelay:
		return true
	default:
		return false
	}
}
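// configureConnection starts proxying traffic from/to local Wireguard and sets connection status to StatusConnected
//
// With a relayed local candidate the ICE conn is handed to a wgproxy and WireGuard
// is pointed at the proxy's local endpoint; otherwise WireGuard is pointed straight
// at the remote ICE address and punchRemoteWGPort is started in the background.
// remoteRosenpassPubKey and remoteRosenpassAddr are forwarded unmodified to the
// onConnected callback; they are not validated here.
//
// Returns the endpoint WireGuard was configured with. Errors from the selected
// pair lookup, the AllowedIps CIDR, the proxy, endpoint resolution or the
// WireGuard update are returned; a proxy connection that was already created is
// closed on the way out. conn.status only changes after the WireGuard peer is in place.
func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, remoteRosenpassPubKey []byte, remoteRosenpassAddr string) (net.Addr, error) {
	conn.mu.Lock()
	defer conn.mu.Unlock()

	pair, err := conn.agent.GetSelectedCandidatePair()
	if err != nil {
		return nil, err
	}

	// validate the allowed IPs before touching the interface or the status, so a
	// malformed CIDR cannot leave the peer programmed but reported as failed
	_, ipNet, err := net.ParseCIDR(conn.config.WgConfig.AllowedIps)
	if err != nil {
		return nil, fmt.Errorf("parsing allowed IPs %q of peer %s: %w", conn.config.WgConfig.AllowedIps, conn.config.Key, err)
	}

	var endpoint net.Addr
	if isRelayCandidate(pair.Local) {
		log.Debugf("setup relay connection")
		conn.wgProxy = conn.wgProxyFactory.GetProxy()
		endpoint, err = conn.wgProxy.AddTurnConn(remoteConn)
		if err != nil {
			return nil, err
		}
	} else {
		// To support old version's with direct mode we attempt to punch an additional role with the remote WireGuard port
		go conn.punchRemoteWGPort(pair, remoteWgPort)
		endpoint = remoteConn.RemoteAddr()
	}

	// the error used to be discarded, which would have handed a nil endpoint to UpdatePeer
	endpointUdpAddr, err := net.ResolveUDPAddr(endpoint.Network(), endpoint.String())
	if err != nil {
		if conn.wgProxy != nil {
			_ = conn.wgProxy.CloseConn()
		}
		return nil, fmt.Errorf("resolving endpoint %s for peer %s: %w", endpoint.String(), conn.config.Key, err)
	}

	err = conn.config.WgConfig.WgInterface.UpdatePeer(conn.config.WgConfig.RemoteKey, conn.config.WgConfig.AllowedIps, defaultWgKeepAlive, endpointUdpAddr, conn.config.WgConfig.PreSharedKey)
	if err != nil {
		if conn.wgProxy != nil {
			_ = conn.wgProxy.CloseConn()
		}
		return nil, err
	}

	conn.status = StatusConnected

	peerState := State{
		PubKey:                     conn.config.Key,
		ConnStatus:                 conn.status,
		ConnStatusUpdate:           time.Now(),
		LocalIceCandidateType:      pair.Local.Type().String(),
		RemoteIceCandidateType:     pair.Remote.Type().String(),
		LocalIceCandidateEndpoint:  fmt.Sprintf("%s:%d", pair.Local.Address(), pair.Local.Port()),
		// the remote endpoint must use the remote port (this previously reported the local port)
		RemoteIceCandidateEndpoint: fmt.Sprintf("%s:%d", pair.Remote.Address(), pair.Remote.Port()),
		Direct:                     !isRelayCandidate(pair.Local),
	}
	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
		peerState.Relayed = true
	}

	err = conn.statusRecorder.UpdatePeerState(peerState)
	if err != nil {
		log.Warnf("unable to save peer's state, got error: %v", err)
	}

	if conn.onConnected != nil {
		conn.onConnected(conn.config.Key, remoteRosenpassPubKey, ipNet.IP.String(), remoteRosenpassAddr)
	}

	return endpoint, nil
}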
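// punchRemoteWGPort sends one small UDP datagram from the shared server reflexive
// socket to the remote candidate's address on remoteWgPort, so that a NAT in front
// of this peer has a mapping for traffic coming back from the remote's WireGuard
// port. It runs in its own goroutine (see configureConnection); every failure is
// only logged.
//
// Candidate.Address() yields the IP without a port, so the target is assembled with
// net.JoinHostPort: the previous "%s:%d" formatting produced an address that
// ResolveUDPAddr rejects for IPv6 candidates, which the agent does gather
// (NetworkTypeUDP6 in reCreateAgent).
func (conn *Conn) punchRemoteWGPort(pair *ice.CandidatePair, remoteWgPort int) {
	// wait local endpoint configuration
	time.Sleep(time.Second)

	hostPort := net.JoinHostPort(pair.Remote.Address(), fmt.Sprint(remoteWgPort))
	addr, err := net.ResolveUDPAddr("udp", hostPort)
	if err != nil {
		log.Warnf("got an error while resolving the udp address, err: %s", err)
		return
	}

	mux, ok := conn.config.UDPMuxSrflx.(*bind.UniversalUDPMuxDefault)
	if !ok {
		log.Warn("invalid udp mux conversion")
		return
	}

	// payload is the two bytes "nb"; presumably only the outgoing datagram matters
	// for the NAT mapping and the content is a marker — kept as before
	if _, err = mux.GetSharedConn().WriteTo([]byte{0x6e, 0x62}, addr); err != nil {
		log.Warnf("got an error while sending the punch packet, err: %s", err)
	}
}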
// cleanup closes all open resources and sets status to StatusDisconnected
//
// Order under conn.mu: reset sentExtraSrflx, close the ICE agent (it stays
// assigned if Close fails), close the wgproxy connection, remove the WireGuard
// peer, cancel the connection context, fire onDisconnected when the connection
// had reached StatusConnected, then record the disconnected state. Status
// recorder failures are only logged; of the agent / proxy / peer-removal errors
// the first non-nil one is returned.
func (conn *Conn) cleanup() error {
	log.Debugf("trying to cleanup %s", conn.config.Key)
	conn.mu.Lock()
	defer conn.mu.Unlock()

	conn.sentExtraSrflx = false

	// collected in return-priority order: agent, proxy, wg peer removal
	var closeErrs [3]error
	if conn.agent != nil {
		closeErrs[0] = conn.agent.Close()
		if closeErrs[0] == nil {
			conn.agent = nil
		}
	}

	if conn.wgProxy != nil {
		closeErrs[1] = conn.wgProxy.CloseConn()
		conn.wgProxy = nil
	}

	// todo: is it problem if we try to remove a peer what is never existed?
	closeErrs[2] = conn.config.WgConfig.WgInterface.RemovePeer(conn.config.WgConfig.RemoteKey)

	if cancel := conn.notifyDisconnected; cancel != nil {
		cancel()
		conn.notifyDisconnected = nil
	}

	wasConnected := conn.status == StatusConnected
	if wasConnected && conn.onDisconnected != nil {
		conn.onDisconnected(conn.config.WgConfig.RemoteKey, conn.config.WgConfig.AllowedIps)
	}

	conn.status = StatusDisconnected

	peerState := State{
		PubKey:           conn.config.Key,
		ConnStatus:       conn.status,
		ConnStatusUpdate: time.Now(),
	}
	if err := conn.statusRecorder.UpdatePeerState(peerState); err != nil {
		// pretty common error because by that time Engine can already remove the peer and status won't be available.
		// todo rethink status updates
		log.Debugf("error while updating peer's %s state, err: %v", conn.config.Key, err)
	}
	if err := conn.statusRecorder.UpdateWireguardPeerState(conn.config.Key, iface.WGStats{}); err != nil {
		log.Debugf("failed to reset wireguard stats for peer %s: %s", conn.config.Key, err)
	}

	log.Debugf("cleaned up connection to peer %s", conn.config.Key)
	for _, e := range closeErrs {
		if e != nil {
			return e
		}
	}
	return nil
}
// SetSignalOffer sets a handler function to be triggered by Conn when a new connection offer has to be signalled to the remote peer
//
// The handler is invoked by sendOffer while conn.mu is held; it is not guarded
// against being replaced concurrently.
func (conn *Conn) SetSignalOffer(handler func(offer OfferAnswer) error) {
	conn.signalOffer = handler
}
// SetOnConnected sets a handler function to be triggered by Conn when a new connection to a remote peer established
//
// configureConnection calls it with the remote WireGuard key, the remote Rosenpass
// public key and address taken from the remote offer/answer, and the peer IP
// parsed from AllowedIps.
func (conn *Conn) SetOnConnected(handler func(remoteWireGuardKey string, remoteRosenpassPubKey []byte, wireGuardIP string, remoteRosenpassAddr string)) {
	conn.onConnected = handler
}
// SetOnDisconnected sets a handler function to be triggered by Conn when a connection to a remote disconnected
//
// cleanup calls it with WgConfig.RemoteKey and WgConfig.AllowedIps, and only if
// the connection had reached StatusConnected.
func (conn *Conn) SetOnDisconnected(handler func(remotePeer string, wgIP string)) {
	conn.onDisconnected = handler
}
// SetSignalAnswer sets a handler function to be triggered by Conn when a new connection answer has to be signalled to the remote peer
//
// The handler is invoked by sendAnswer while conn.mu is held.
func (conn *Conn) SetSignalAnswer(handler func(answer OfferAnswer) error) {
	conn.signalAnswer = handler
}
// SetSignalCandidate sets a handler function to be triggered by Conn when a new ICE local connection candidate has to be signalled to the remote peer
//
// The handler is invoked from goroutines spawned by onICECandidate, so it may
// run concurrently for several candidates.
func (conn *Conn) SetSignalCandidate(handler func(candidate ice.Candidate) error) {
	conn.signalCandidate = handler
}
// SetSendSignalMessage sets a handler function to be triggered by Conn when there is new message to send via signal
//
// The handler is stored only; nothing in this file invokes it.
func (conn *Conn) SetSendSignalMessage(handler func(message *sProto.Message) error) {
	conn.sendSignalMessage = handler
}
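// onICECandidate is a callback attached to an ICE Agent to receive new local connection candidates
// and then signals them to the remote peer
//
// Signalling happens on a new goroutine per candidate so the agent is never
// blocked on the signalling channel. A nil candidate (end of gathering) is
// ignored. After the regular candidate, signalExtraSrflx may send one
// additional server reflexive candidate.
func (conn *Conn) onICECandidate(candidate ice.Candidate) {
	if candidate == nil {
		return
	}
	// TODO: reported port is incorrect for CandidateTypeHost, makes understanding ICE use via logs confusing as port is ignored
	log.Debugf("discovered local candidate %s", candidate.String())
	go func() {
		if err := conn.signalCandidate(candidate); err != nil {
			log.Errorf("failed signaling candidate to the remote peer %s %s", conn.config.Key, err)
		}
		conn.signalExtraSrflx(candidate)
	}()
}

// signalExtraSrflx sends an extra server reflexive candidate to the remote peer with our related port (usually the wireguard port)
// this is useful when network has an existing port forwarding rule for the wireguard port and this peer
//
// Only done once per connection (sentExtraSrflx, reset by cleanup) and only for a
// server reflexive candidate whose mapped port differs from its related port. A
// candidate without a related address is skipped instead of dereferencing nil.
// NOTE(review): sentExtraSrflx is read and written without conn.mu here, as in
// the original code; two srflx candidates handled concurrently may both pass the
// check and both be sent.
func (conn *Conn) signalExtraSrflx(candidate ice.Candidate) {
	if conn.sentExtraSrflx || candidate.Type() != ice.CandidateTypeServerReflexive {
		return
	}
	relatedAdd := candidate.RelatedAddress()
	if relatedAdd == nil || candidate.Port() == relatedAdd.Port {
		return
	}

	extraSrflx, err := ice.NewCandidateServerReflexive(&ice.CandidateServerReflexiveConfig{
		Network:   candidate.NetworkType().String(),
		Address:   candidate.Address(),
		Port:      relatedAdd.Port,
		Component: candidate.Component(),
		RelAddr:   relatedAdd.Address,
		RelPort:   relatedAdd.Port,
	})
	if err != nil {
		log.Errorf("failed creating extra server reflexive candidate %s", err)
		return
	}

	if err = conn.signalCandidate(extraSrflx); err != nil {
		log.Errorf("failed signaling the extra server reflexive candidate to the remote peer %s: %s", conn.config.Key, err)
		return
	}
	conn.sentExtraSrflx = true
}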
// onICESelectedCandidatePair is the ICE agent callback for a change of the selected
// candidate pair; it only logs the new local/remote pair for this peer.
func (conn *Conn) onICESelectedCandidatePair(c1 ice.Candidate, c2 ice.Candidate) {
	local, remote := c1.String(), c2.String()
	log.Debugf("selected candidate pair [local <-> remote] -> [%s <-> %s], peer %s", local, remote, conn.config.Key)
}
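// onICEConnectionStateChange registers callback of an ICE Agent to track connection state
//
// On Failed or Disconnected it cancels conn.ctx, which releases Dial/Accept and
// the final wait in Open. notifyDisconnected is nil before Open reaches the
// connecting phase and again after cleanup; a state change arriving in that
// window (for instance during agent teardown) is logged and ignored rather than
// calling a nil func.
func (conn *Conn) onICEConnectionStateChange(state ice.ConnectionState) {
	log.Debugf("peer %s ICE ConnectionState has changed to %s", conn.config.Key, state.String())
	if state != ice.ConnectionStateFailed && state != ice.ConnectionStateDisconnected {
		return
	}
	// read once; the field is written by Open/cleanup under conn.mu while this
	// callback runs without it, as before
	cancel := conn.notifyDisconnected
	if cancel == nil {
		log.Debugf("peer %s ICE ConnectionState %s received without an active connection context", conn.config.Key, state.String())
		return
	}
	cancel()
}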
// sendAnswer signals our local ICE credentials, local WireGuard port, agent version
// and Rosenpass details to the remote peer as the answer to its offer. conn.mu is
// held while the agent credentials are read and the signalAnswer handler runs.
func (conn *Conn) sendAnswer() error {
	conn.mu.Lock()
	defer conn.mu.Unlock()

	uFrag, pwd, err := conn.agent.GetLocalUserCredentials()
	if err != nil {
		return err
	}

	log.Debugf("sending answer to %s", conn.config.Key)
	answer := OfferAnswer{
		IceCredentials:  IceCredentials{UFrag: uFrag, Pwd: pwd},
		WgListenPort:    conn.config.LocalWgPort,
		Version:         version.NetbirdVersion(),
		RosenpassPubKey: conn.config.RosenpassPubKey,
		RosenpassAddr:   conn.config.RosenpassAddr,
	}
	return conn.signalAnswer(answer)
}
// sendOffer prepares local user credentials and signals them to the remote peer
//
// The offer also carries the local WireGuard port, agent version and Rosenpass
// details. conn.mu is held while the agent credentials are read and the
// signalOffer handler runs.
func (conn *Conn) sendOffer() error {
	conn.mu.Lock()
	defer conn.mu.Unlock()

	uFrag, pwd, err := conn.agent.GetLocalUserCredentials()
	if err != nil {
		return err
	}

	offer := OfferAnswer{
		IceCredentials:  IceCredentials{UFrag: uFrag, Pwd: pwd},
		WgListenPort:    conn.config.LocalWgPort,
		Version:         version.NetbirdVersion(),
		RosenpassPubKey: conn.config.RosenpassPubKey,
		RosenpassAddr:   conn.config.RosenpassAddr,
	}
	return conn.signalOffer(offer)
}
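// Close closes this peer Conn issuing a close event to the Conn closeCh
//
// The send is non-blocking: it only succeeds while Open is parked in one of its
// selects on closeCh. In every other state Close returns the error from
// NewConnectionAlreadyClosed and leaves a later Open unaffected; see the
// scenario described in the default branch. Only the misspelled log message
// was changed here.
func (conn *Conn) Close() error {
	conn.mu.Lock()
	defer conn.mu.Unlock()
	select {
	case conn.closeCh <- struct{}{}:
		return nil
	default:
		// probably could happen when peer has been added and removed right after not even starting to connect
		// todo further investigate
		// this really happens due to unordered messages coming from management
		// more importantly it causes inconsistency -> 2 Conn objects for the same peer
		// e.g. this flow:
		// update from management has peers: [1,2,3,4]
		// engine creates a Conn for peers: [1,2,3,4] and schedules Open in ~1sec
		// before conn.Open() another update from management arrives with peers: [1,2,3]
		// engine removes peer 4 and calls conn.Close() which does nothing (this default clause)
		// before conn.Open() another update from management arrives with peers: [1,2,3,4,5]
		// engine adds a new Conn for 4 and 5
		// therefore peer 4 has 2 Conn objects
		log.Warnf("connection has been already closed or attempted closing not started connection %s", conn.config.Key)
		return NewConnectionAlreadyClosed(conn.config.Key)
	}
}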
// Status returns current status of the Conn
//
// Takes conn.mu so the value is consistent with the writers in Open,
// configureConnection and cleanup.
func (conn *Conn) Status() ConnStatus {
	conn.mu.Lock()
	current := conn.status
	conn.mu.Unlock()
	return current
}
// OnRemoteOffer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
// doesn't block, discards the message if connection wasn't ready
//
// Accepted only while Open is waiting on remoteOffersCh (the channel is
// unbuffered). The status in the log lines is read without conn.mu.
func (conn *Conn) OnRemoteOffer(offer OfferAnswer) bool {
	log.Debugf("OnRemoteOffer from peer %s on status %s", conn.config.Key, conn.status.String())

	delivered := false
	select {
	case conn.remoteOffersCh <- offer:
		delivered = true
	default:
		log.Debugf("OnRemoteOffer skipping message from peer %s on status %s because is not ready", conn.config.Key, conn.status.String())
		// connection might not be ready yet to receive so we ignore the message
	}
	return delivered
}
// OnRemoteAnswer handles an answer from the remote peer and returns true if the message was accepted, false otherwise
// doesn't block, discards the message if connection wasn't ready
//
// Accepted only while Open is waiting on remoteAnswerCh (the channel is
// unbuffered). The status in the log lines is read without conn.mu.
func (conn *Conn) OnRemoteAnswer(answer OfferAnswer) bool {
	log.Debugf("OnRemoteAnswer from peer %s on status %s", conn.config.Key, conn.status.String())

	delivered := false
	select {
	case conn.remoteAnswerCh <- answer:
		delivered = true
	default:
		// connection might not be ready yet to receive so we ignore the message
		log.Debugf("OnRemoteAnswer skipping message from peer %s on status %s because is not ready", conn.config.Key, conn.status.String())
	}
	return delivered
}
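// OnRemoteCandidate Handles ICE connection Candidate provided by the remote peer.
//
// The candidate is added to the agent on a separate goroutine under conn.mu;
// when no agent exists (not opened yet, or already cleaned up) it is dropped
// silently. The candidate comes from the signalling channel and is passed to
// pion without further checks. A failure to add it is logged together with
// the error, which the previous message left out.
func (conn *Conn) OnRemoteCandidate(candidate ice.Candidate) {
	log.Debugf("OnRemoteCandidate from peer %s -> %s", conn.config.Key, candidate.String())
	go func() {
		conn.mu.Lock()
		defer conn.mu.Unlock()

		if conn.agent == nil {
			return
		}

		if err := conn.agent.AddRemoteCandidate(candidate); err != nil {
			log.Errorf("error while handling remote candidate from peer %s: %v", conn.config.Key, err)
		}
	}()
}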
|
2022-01-18 16:44:58 +01:00
|
|
|
|
|
|
|
// GetKey returns the remote peer's public key this Conn was configured with.
func (conn *Conn) GetKey() string {
	key := conn.config.Key
	return key
}
|
2023-03-16 16:46:17 +01:00
|
|
|
|
|
|
|
// RegisterProtoSupportMeta register supported proto message in the connection metadata
//
// support is the raw feature list from the remote's signalling message; it is
// parsed by signal.ParseFeaturesSupported and stored in conn.meta without locking.
func (conn *Conn) RegisterProtoSupportMeta(support []uint32) {
	conn.meta.protoSupport = signal.ParseFeaturesSupported(support)
}