* Make sure our iOS dialer does not get overwritten
* set dial timeout for both clients on ios
---------
Co-authored-by: Pascal Fischer <pascal@netbird.io>
sends an extra server reflexive candidate to the remote peer with our related port (usually the Wireguard port)
this is useful when a network has an existing port forwarding rule for the Wireguard port and the local peer and avoids creating a 1:1 NAT on the local network.
Ensure we use WG address instead of loopback addresses for eBPF.
- First try to use 53 port
- Try to use 5053 port on WG interface for eBPF
- Try to use 5053 on WG interface or loopback interface
In the case of disabled stub listeren the list of name servers is unordered. The solution is to configure the resolv.conf file directly instead of dbus API.
Because third-party services also can manipulate the DNS settings the agent watch the resolv.conf file and keep it up to date.
- apply file type DNS manager if in the name server list does not exist the 127.0.0.53 address
- watching the resolv.conf file with inotify service and overwrite all the time if the configuration has changed and it invalid
- fix resolv.conf generation algorithm
* Adds management, signal, and relay (STUN/TURN) health probes to the status command.
* Adds a reason when the management or signal connections are disconnected.
* Adds last wireguard handshake and received/sent bytes per peer
* replace the preshared key attribute in LoginRequest protobuff with an optional replacement
* mark old field as deprecated
* fix ui client to also keep preshared key
This PR aims to integrate Rosenpass with NetBird. It adds a manager for Rosenpass that starts a Rosenpass server and handles the managed peers. It uses the cunicu/go-rosenpass implementation. Rosenpass will then negotiate a pre-shared key every 2 minutes and apply it to the wireguard connection.
The Feature can be enabled by setting a flag during the netbird up --enable-rosenpass command.
If two peers are both support and have the Rosenpass feature enabled they will create a post-quantum secure connection. If one of the peers or both don't have this feature enabled or are running an older version that does not have this feature yet, the NetBird client will fall back to a plain Wireguard connection without pre-shared keys for those connections (keeping Rosenpass negotiation for the rest).
Additionally, this PR includes an update of all Github Actions workflows to use go version 1.21.0 as this is a requirement for the integration.
---------
Co-authored-by: braginini <bangvalo@gmail.com>
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
Add netstack support for the agent to run it without privileges.
- use interface for tun device
- use common IPC for userspace WireGuard integration
- move udpmux creation and sharedsock to tun layer
By copying the emulator driver next to our binary, our GUI setting popup works on remote desktop connections
the dll is added as part of our sign pipelines workflow
Before, netbird would exit and prevent the agent from starting if getting the system name using WMI was an issue.
This change returns a default value in this case
* starting engine by passing file descriptor on engine start
* inject logger that does not compile
* logger and first client
* first working connection
* support for routes and working connection
* small refactor for better code quality in swift
* trying to add DNS
* fix
* updated
* fix route deletion
* trying to bind the DNS resolver dialer to an interface
* use dns.Client.Exchange
* fix metadata send on startup
* switching between client to query upstream
* fix panic on no dns response
* fix after merge changes
* add engine ready listener
* replace engine listener with connection listener
* disable relay connection for iOS until proxy is refactored into bind
* Extract private upstream for iOS and fix function headers for other OS
* Update mock Server
* Fix dns server and upstream tests
* Fix engine null pointer with mobile dependencies for other OS
* Revert back to disabling upstream on no response
* Fix some of the remarks from the linter
* Fix linter
* re-arrange duration calculation
* revert exported HostDNSConfig
* remove unused engine listener
* remove development logs
* refactor dns code and interface name propagation
* clean dns server test
* disable upstream deactivation for iOS
* remove files after merge
* fix dns server darwin
* fix server mock
* fix build flags
* move service listen back to initialize
* add wgInterface to hostManager initialization on android
* fix typo and remove unused function
* extract upstream exchange for ios and rest
* remove todo
* separate upstream logic to ios file
* Fix upstream test
* use interface and embedded struct for upstream
* set properly upstream client
* remove placeholder
* remove ios specific attributes
* fix upstream test
* merge ipc parser and wg configurer for mobile
* fix build annotation
* use json for DNS settings handover through gomobile
* add logs for DNS json string
* bring back check on ios for private upstream
* remove wrong (and unused) line
* fix wrongly updated comments on DNSSetting export
---------
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
* update cli commands to respect an empty string and handle different from undefined
* remove test for unintended behaviour
* remove test for unintended behaviour
Users can filter status based on peers fully qualified names.
e.g., netbird status -d --filter-by-names peer-a,peer-b.netbird.cloud
enable detailed info when using only filter flags
* Added function to check user access by JWT groups in the account management mock server and account manager
* Refactor auth middleware for group-based JWT access control
* Add group-based JWT access control on adding new peer with JWT
* Remove mapping error as the token validation error is already present in grpc error codes
* use GetAccountFromToken to prevent single mode issues
* handle foreground login message
---------
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
This PR adds `gosec` linter with the following checks disabled:
- G102: Bind to all interfaces
- G107: Url provided to HTTP request as taint input
- G112: Potential slowloris attack
- G114: Use of net/http serve function that has no support for setting timeouts
- G204: Audit use of command execution
- G401: Detect the usage of DES, RC4, MD5 or SHA1
- G402: Look for bad TLS connection settings
- G404: Insecure random number source (rand)
- G501: Import blocklist: crypto/md5
- G505: Import blocklist: crypto/sha1
We have complaints related to the checks above. They have to be addressed separately.
* Add gocritic linter
`gocritic` provides diagnostics that check for bugs, performance, and style issues
We disable the following checks:
- commentFormatting
- captLocal
- deprecatedComment
This PR contains many `//nolint:gocritic` to disable `appendAssign`.
Most operating systems add a /32 route for the default gateway address to its routing table
This will allow routes to be configured into the system even when the incoming range contains the default gateway.
In case a range is a sub-range of an existing route and this range happens to contain the default gateway it attempts to create a default gateway route to prevent loop issues
* Change SetShellVarContext scope to create program links for standard users
* Include guidelines for building the Windows Netbird installer during development
* Add Wireguard driver requirement to Windows build instructions
With this change we should be able to collect and expose the following histograms:
* `management.updatechannel.create.duration.ms` with `closed` boolean label
* `management.updatechannel.create.duration.micro` with `closed` boolean label
* `management.updatechannel.close.one.duration.ms`
* `management.updatechannel.close.one.duration.micro`
* `management.updatechannel.close.multiple.duration.ms`
* `management.updatechannel.close.multiple.duration.micro`
* `management.updatechannel.close.multiple.channels`
* `management.updatechannel.send.duration.ms` with `found` and `dropped` boolean labels
* `management.updatechannel.send.duration.micro` with `found` and `dropped` boolean labels
* `management.updatechannel.get.all.duration.ms`
* `management.updatechannel.get.all.duration.micro`
* `management.updatechannel.get.all.peers`
- dupword checks for duplicate words in the source code
- durationcheck checks for two durations multiplied together
- forbidigo forbids identifiers
- mirror reports wrong mirror patterns of bytes/strings usage
- misspell finds commonly misspelled English words in comments
- predeclared finds code that shadows one of Go's predeclared identifiers
- thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers
Handle original search domains in resolv.conf type implementations.
- parse the original resolv.conf file
- merge the search domains
- ignore the domain keyword
- append any other config lines (sortstlist, options)
- fix read origin resolv.conf from bkp in resolvconf implementation
- fix line length validation
- fix number of search domains validation
Periodically fetch the latest available version, and the UI will shows a new menu for the download link. It checks both the daemon version and the UI version.
