sends an extra server reflexive candidate to the remote peer with our related port (usually the Wireguard port)
this is useful when a network has an existing port forwarding rule for the Wireguard port and the local peer and avoids creating a 1:1 NAT on the local network.
* Adds management, signal, and relay (STUN/TURN) health probes to the status command.
* Adds a reason when the management or signal connections are disconnected.
* Adds last wireguard handshake and received/sent bytes per peer
This PR aims to integrate Rosenpass with NetBird. It adds a manager for Rosenpass that starts a Rosenpass server and handles the managed peers. It uses the cunicu/go-rosenpass implementation. Rosenpass will then negotiate a pre-shared key every 2 minutes and apply it to the wireguard connection.
The Feature can be enabled by setting a flag during the netbird up --enable-rosenpass command.
If two peers are both support and have the Rosenpass feature enabled they will create a post-quantum secure connection. If one of the peers or both don't have this feature enabled or are running an older version that does not have this feature yet, the NetBird client will fall back to a plain Wireguard connection without pre-shared keys for those connections (keeping Rosenpass negotiation for the rest).
Additionally, this PR includes an update of all Github Actions workflows to use go version 1.21.0 as this is a requirement for the integration.
---------
Co-authored-by: braginini <bangvalo@gmail.com>
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
* starting engine by passing file descriptor on engine start
* inject logger that does not compile
* logger and first client
* first working connection
* support for routes and working connection
* small refactor for better code quality in swift
* trying to add DNS
* fix
* updated
* fix route deletion
* trying to bind the DNS resolver dialer to an interface
* use dns.Client.Exchange
* fix metadata send on startup
* switching between client to query upstream
* fix panic on no dns response
* fix after merge changes
* add engine ready listener
* replace engine listener with connection listener
* disable relay connection for iOS until proxy is refactored into bind
* Extract private upstream for iOS and fix function headers for other OS
* Update mock Server
* Fix dns server and upstream tests
* Fix engine null pointer with mobile dependencies for other OS
* Revert back to disabling upstream on no response
* Fix some of the remarks from the linter
* Fix linter
* re-arrange duration calculation
* revert exported HostDNSConfig
* remove unused engine listener
* remove development logs
* refactor dns code and interface name propagation
* clean dns server test
* disable upstream deactivation for iOS
* remove files after merge
* fix dns server darwin
* fix server mock
* fix build flags
* move service listen back to initialize
* add wgInterface to hostManager initialization on android
* fix typo and remove unused function
* extract upstream exchange for ios and rest
* remove todo
* separate upstream logic to ios file
* Fix upstream test
* use interface and embedded struct for upstream
* set properly upstream client
* remove placeholder
* remove ios specific attributes
* fix upstream test
* merge ipc parser and wg configurer for mobile
* fix build annotation
* use json for DNS settings handover through gomobile
* add logs for DNS json string
* bring back check on ios for private upstream
* remove wrong (and unused) line
* fix wrongly updated comments on DNSSetting export
---------
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
- dupword checks for duplicate words in the source code
- durationcheck checks for two durations multiplied together
- forbidigo forbids identifiers
- mirror reports wrong mirror patterns of bytes/strings usage
- misspell finds commonly misspelled English words in comments
- predeclared finds code that shadows one of Go's predeclared identifiers
- thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers
In case of 'always-on' feature has switched on, after the reboot the service do not start properly in all cases.
If the device is in offline state (no internet connection) the auth login steps will fail and the service will stop.
For the auth steps make no sense in this case because if the OS start the service we do not have option for
the user interaction.
EBPF proxy between TURN (relay) and WireGuard to reduce number of used ports used by the NetBird agent.
- Separate the wg configuration from the proxy logic
- In case if eBPF type proxy has only one single proxy instance
- In case if the eBPF is not supported fallback to the original proxy Implementation
Between the signature of eBPF type proxy and original proxy has
differences so this is why the factory structure exists
Reduce the peer status notifications
When receive new network map invoke multiple notifications for
every single peers. It cause high cpu usage We handle the in a
batch the peer notification in update network map.
- Remove the unnecessary UpdatePeerFQDN calls in addNewPeer
- Fix notification in RemovePeer function
- Involve FinishPeerListModifications logic
Prevent peer updates if the status is not changing from disconnected to connected and vice versa.
Fixed route score calculation, added tests and changed the log message
fixed installer /usr/local/bin creation
This PR brings support of a shared port between stun (ICE agent) and
the kernel WireGuard
It implements a single port mode for execution with kernel WireGuard
interface using a raw socket listener.
BPF filters ensure that only STUN packets hit the NetBird userspace app
Removed a lot of the proxy logic and direct mode exchange.
Now we are doing an extra hole punch to the remote WireGuard
port for best-effort cases and support to old client's direct mode.
This PR adds supports for the WireGuard userspace implementation
using Bind interface from wireguard-go.
The newly introduced ICEBind struct implements Bind with UDPMux-based
structs from pion/ice to handle hole punching using ICE.
The core implementation was taken from StdBind of wireguard-go.
The result is a single WireGuard port that is used for host and server reflexive candidates.
Relay candidates are still handled separately and will be integrated in the following PRs.
ICEBind checks the incoming packets for being STUN or WireGuard ones
and routes them to UDPMux (to handle hole punching) or to WireGuard respectively.
Refactored updateServerStates and calculateState
added some checks to ensure we are not sending connecting on context canceled
removed some state updates from the RunClient function
On Android, because of the hard SELinux policies can not list the
interfaces of the ICE package. Without it can not generate a host type
candidate. In this pull request, the list of interfaces comes via the Java
interface.
Fix the status indication in the client service. The status of the
management server and the signal server was incorrect if the network
connection was broken. Basically the status update was not used by
the management and signal library.
Before defining if we will use direct or proxy connection we will exchange a
message with the other peer if the modes match we keep the decision
from the shouldUseProxy function otherwise we skip using direct connection.
Added a feature support message to the signal protocol
The peer login expiration ACL check introduced in #714
filters out peers that are expired and agents receive a network map
without that expired peers.
However, the agents should see those peers in status "Disconnected".
This PR extends the Agent <-> Management protocol
by introducing a new field OfflinePeers
that contain expired peers. Agents keep track of those and display
then just in the Status response.
The ConnStatus is a custom type based on iota
like an enum. The problem was nowhere used to the
benefits of this implementation. All ConnStatus
instances has been compared with strings. I
suppose the reason to do it to avoid a circle
dependency. In this commit the separated status
package has been moved to peer package.
Remove unused, exported functions from engine
Added additional common blacklisted interfaces
Updated the signal protocol to pass the peer port and netbird version
Co-authored-by: braginini <bangvalo@gmail.com>
Before this change, NetBird Agent wasn't handling
peer interface configuration changes dynamically.
Also, remote peer configuration changes have
not been applied (e.g. AllowedIPs changed).
Not a very common cause, but still it should be handled.
Now, Agent reacts to PeerConfig changes sent from the
management service and restarts remote connections
if AllowedIps have been changed.
When stopping engine, all peer conns have to be closed
and for each peer WireGuard iface is called
to remove WireGuard peer.
This operation happens in a goroutine causing
Engine to remove the whole WireGuard interface before.
Therefore consequent calls to RemovePeer are unsuccessful.
This fix just adds a small delay before removing interface.
When one of the peers has a static public host IP
or both peers are in the same local network
we establish a direct Wireguard connection
bypassing proxy usage.
This helps reduce FD usage and improves
performance.
* Create temp file before saving data
On the event of full disk, we may encounter the case where the
destination file get replaced by an empty file as the
ioutil.WriteFile truncates the destination before write.
* Close the tempFile instance before moving it
* Blacklist Wireguard interfaces for ICE checks