All routes are now installed in a custom netbird routing table.
Management and wireguard traffic is now marked with a custom fwmark.
When the mark is present the traffic is routed via the main routing table, bypassing the VPN.
When the mark is absent the traffic is routed via the netbird routing table, if:
- there's no match in the main routing table
- it would match the default route in the routing table
IPv6 traffic is blocked when a default IPv4 route is configured to avoid leakage.
* Make SQLite default for new installations
* if var is not set, return empty string
this allows getStoreEngineFromDatadir to detect json store files
---------
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
This PR aims to integrate Rosenpass with NetBird. It adds a manager for Rosenpass that starts a Rosenpass server and handles the managed peers. It uses the cunicu/go-rosenpass implementation. Rosenpass will then negotiate a pre-shared key every 2 minutes and apply it to the wireguard connection.
The feature can be enabled by setting a flag during the netbird up --enable-rosenpass command.
If two peers both support and have the Rosenpass feature enabled they will create a post-quantum secure connection. If one of the peers or both don't have this feature enabled or are running an older version that does not have this feature yet, the NetBird client will fall back to a plain WireGuard connection without pre-shared keys for those connections (keeping Rosenpass negotiation for the rest).
Additionally, this PR includes an update of all GitHub Actions workflows to use go version 1.21.0 as this is a requirement for the integration.
---------
Co-authored-by: braginini <bangvalo@gmail.com>
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
* Move StoreKind under own StoreConfig configuration parameter
* Rename StoreKind option to Engine
* Rename StoreKind internal methods and types to Engine
* Add template engine value test
---------
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
Restructure data handling for improved performance and flexibility.
Introduce 'G'-prefixed fields to represent Gorm relations, simplifying resource management.
Eliminate complexity in lookup tables for enhanced query and write speed.
Enable independent operations on data structures, requiring adjustments in the Store interface and Account Manager.
This PR showcases the implementation of additional linter rules. I've updated the golangci-lint GitHub Actions to the latest available version. This update makes sure that the tool works the same way locally - assuming it is updated regularly - and with the GitHub Actions.
I've also taken care of keeping all the GitHub Actions up to date, which helps our code stay current. But there's one part, goreleaser, that's a bit tricky to test on our computers. So, it's important to take a close look at that.
To make it easier to understand what I've done, I've made separate changes for each thing that the new linters found. This should help the people reviewing the changes see what's going on more clearly. Some of the changes might not be obvious at first glance.
Things to consider for the future
CI runs on Ubuntu so the static analysis only happens for Linux. Consider running it for the rest: Darwin, Windows
This PR brings support of a shared port between stun (ICE agent) and
the kernel WireGuard
It implements a single port mode for execution with kernel WireGuard
interface using a raw socket listener.
BPF filters ensure that only STUN packets hit the NetBird userspace app
Removed a lot of the proxy logic and direct mode exchange.
Now we are doing an extra hole punch to the remote WireGuard
port for best-effort cases and support for old clients' direct mode.
This PR adds support for the WireGuard userspace implementation
using Bind interface from wireguard-go.
The newly introduced ICEBind struct implements Bind with UDPMux-based
structs from pion/ice to handle hole punching using ICE.
The core implementation was taken from StdBind of wireguard-go.
The result is a single WireGuard port that is used for host and server reflexive candidates.
Relay candidates are still handled separately and will be integrated in the following PRs.
ICEBind checks the incoming packets for being STUN or WireGuard ones
and routes them to UDPMux (to handle hole punching) or to WireGuard respectively.
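The STUN/WireGuard split described in this commit message, as an added Go example that is not NetBird's ICEBind code. Classify, Kind and the helper names are hypothetical, the checks follow the RFC 5389 STUN header and the WireGuard message layout, and the sample packets are constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Kind is a hypothetical label for where a datagram on the shared port goes.
type Kind string

const stunMagicCookie = 0x2112A442 // RFC 5389: bytes 4..7 of every STUN header

// Classify decides whether a UDP payload is STUN, WireGuard, or neither.
func Classify(b []byte) Kind {
	switch {
	case isSTUN(b):
		return "stun"
	case isWireGuard(b):
		return "wireguard"
	}
	return "drop"
}

// isSTUN requires a 20-byte header, two leading zero bits, the magic cookie,
// and a 4-byte-aligned attribute length that exactly fills the datagram.
func isSTUN(b []byte) bool {
	if len(b) < 20 || b[0]&0xC0 != 0 {
		return false
	}
	if binary.BigEndian.Uint32(b[4:8]) != stunMagicCookie {
		return false
	}
	n := int(binary.BigEndian.Uint16(b[2:4]))
	return n%4 == 0 && 20+n == len(b)
}

// isWireGuard requires message type 1..4, three zero reserved bytes, and the
// fixed size of handshake/cookie messages (transport data is at least 32 bytes).
func isWireGuard(b []byte) bool {
	if len(b) < 4 || b[1] != 0 || b[2] != 0 || b[3] != 0 {
		return false
	}
	minLen := map[byte]int{1: 148, 2: 92, 3: 64, 4: 32}[b[0]]
	return minLen != 0 && (len(b) == minLen || (b[0] == 4 && len(b) > minLen))
}

func main() {
	req := append([]byte{0, 1, 0, 0, 0x21, 0x12, 0xA4, 0x42}, make([]byte, 12)...) // constructed Binding request
	fmt.Println(Classify(req), Classify(append([]byte{4, 0, 0, 0}, make([]byte, 28)...)))
}
```

Checking STUN first is safe because a STUN message type always sets a bit in the second byte or beyond the WireGuard type range, while WireGuard keeps bytes 1..3 zero; anything matching neither is dropped rather than guessed at.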
On Android, because of the hard SELinux policies, it is not possible to list the
interfaces of the ICE package. Without that, a host type candidate can not be
generated. In this pull request, the list of interfaces comes via the Java
interface.
This PR adds system activity tracking.
The management service records events like
add/remove peer, group, rule, route, etc.
The activity events are stored in the SQLite event store
and can be queried by the HTTP API.
Updated tests, API, and account manager methods
Sync routes to peers in the distribution groups
Added store upgrade by adding the All group to routes that don't have them
Add DNS package and Nameserver group objects
Add CRUD operations for Nameserver Groups to account manager
Add Routes and Nameservers to Account Copy method
Run docker tests with timeout and serial flags
* Add additional check for needed kernel modules
* Check if wireguard and tun modules are loaded
If modules are loaded return true, otherwise attempt to load them
* fix state check
* Add module function tests
* Add test execution in container
* run client package tests on docker
* add package comment to new file
* force entrypoint
* add --privileged flag
* clean only if tables were created
* run from within the directories
split setup.env with example and base
add setup.env to .gitignore to avoid overwrite from new versions
Added test workflow for docker-compose
and validated configure.sh generated variables
Agent systray UI has been extended with
a setting window that allows configuring
management URL, admin URL and
supports pre-shared key.
While for the Netbird managed version
the Settings are not necessary, it helps
to properly configure the self-hosted version.
Add method for rotating access token with refresh tokens
This will be useful for catching expired sessions and
offboarding users
Also added functions to handle secrets. They have to be revisited
as some tests didn't run on CI as they waited for some user input, like password
Updates test workflows with serial execution to avoid collision
of ports and resource names.
Also, used -exec sudo flag for UNIX tests and removed not-needed
limits configuration on Linux and added a 5 minutes timeout.
Updated the multi-peer tests in the client/internal/engine_test.go
to provide proper validation when creating or starting
a peer engine instance fails.
As some operations of the tests running on Windows
are slow, we will experiment with disabling the Defender before
restoring cache and checking out a repository, then we re-enable
it to run the tests.
disabled extra logs for windows interface
* update interface tests and configuration messages
* little debug
* little debug on both errors
* print all devs
* list of devices
* debug func
* handle interface close
* debug socks
* debug socks
* if ports match
* use random assigned ports
* remove unused const
* close management client connection when stopping engine
* GracefulStop when management clients are closed
* enable workflows on PRs too
* remove iface_test debug code
* script to generate syso files
* test wireguard-windows driver package
* set int log
* add windows test
* add windows test
* verbose bash
* use cd
* move checkout
* exit 0
* removed tty flag
* artifact path
* fix tags and add cache
* fix cache
* fix cache
* test dir
* restore artifacts in the root
* try dll file
* try dll file
* copy dll
* typo in copy dll
* compile test
* checkout first
* updated cicd
* fix add address issue and gen GUID
* psexec typo
* accept eula
* mod tidy before tests
* regular test exec and verbose test with psexec
* test all
* return WGInterface Interface
* use WgIfaceName and timeout after 30 seconds
* different ports and validate connect 2 peers
* Use time.After for timeout and close interface
* Use time.After for testing connect peers
* WG Interface struct
* Update engine and parse address
* refactor Linux create and assignAddress
* NewWGIface and configuration methods
* Update proxy with interface methods
* update up command test
* resolve lint warnings
* remove psexec test
* close copied files
* add goos before build
* run tests on mac,windows and linux
* cache by testing os
* run on push
* fix indentation
* adjust test timeouts
* remove parallel flag
* mod tidy before test
* ignore syso files
* removed functions and renamed vars
* different IPs for connect peers test
* Generate syso with DLL
* Single Close method
* use port from test constant
* test: remove wireguard interfaces after finishing engine test
* use load_wgnt_from_rsrc
Co-authored-by: braginini <bangvalo@gmail.com>