This update adds new relay integration for NetBird clients. The new relay is based on web sockets and listens on a single port.
- Adds new relay implementation with websocket with single port relaying mechanism
- refactor peer connection logic, allowing upgrade and downgrade from/to P2P connection
- peer connections are faster since it connects first to relay and then upgrades to P2P
- maintains compatibility with old clients by not using the new relay
- updates infrastructure scripts with new relay service
wait on engine down to not only wait for the interface to be down but completely removed. If the waiting loop reaches the timeout we will trigger an interface destroy. On the up command, it now waits until the engine is fully running before sending the response to the CLI. Includes a small refactor of probes to comply with sonar rules about parameter count in the function call
Rely on net.ListenUDP to get an available port for wireguard in case the configured one is in use
---------
Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com>
* Enable network monitoring by default for Windows and Darwin
* Enable network monitoring by default on Windows and macOS
* fix merge
* Prevent updating config if no changes
* compile client under freebsd (#1620)
Compile netbird client under freebsd and now support netstack and userspace modes.
Refactoring linux specific code to share same code with FreeBSD, move to *_unix.go files.
Not implemented yet:
Kernel mode not supported
DNS probably does not work yet
Routing also probably does not work yet
SSH support did not tested yet
Lack of test environment for freebsd (dedicated VM for github runners under FreeBSD required)
Lack of tests for freebsd specific code
info reporting need to review and also implement, for example OS reported as GENERIC instead of FreeBSD (lack of FreeBSD icon in management interface)
Lack of proper client setup under FreeBSD
Lack of FreeBSD port/package
* Add DNS routes (#1943)
Given domains are resolved periodically and resolved IPs are replaced with the new ones. Unless the flag keep_route is set to true, then only new ones are added.
This option is helpful if there are long-running connections that might still point to old IP addresses from changed DNS records.
* Add process posture check (#1693)
Introduces a process posture check to validate the existence and active status of specific binaries on peer systems. The check ensures that files are present at specified paths, and that corresponding processes are running. This check supports Linux, Windows, and macOS systems.
Co-authored-by: Evgenii <mail@skillcoder.com>
Co-authored-by: Pascal Fischer <pascal@netbird.io>
Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>
Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com>
Co-authored-by: Bethuel Mmbaga <bethuelmbaga12@gmail.com>
This changes the default behavior for new peers, by requiring the agent to be executed with allow-server-ssh set to true in order for the management configuration to take effect.
* Adds management, signal, and relay (STUN/TURN) health probes to the status command.
* Adds a reason when the management or signal connections are disconnected.
* Adds last wireguard handshake and received/sent bytes per peer
This PR aims to integrate Rosenpass with NetBird. It adds a manager for Rosenpass that starts a Rosenpass server and handles the managed peers. It uses the cunicu/go-rosenpass implementation. Rosenpass will then negotiate a pre-shared key every 2 minutes and apply it to the wireguard connection.
The Feature can be enabled by setting a flag during the netbird up --enable-rosenpass command.
If two peers are both support and have the Rosenpass feature enabled they will create a post-quantum secure connection. If one of the peers or both don't have this feature enabled or are running an older version that does not have this feature yet, the NetBird client will fall back to a plain Wireguard connection without pre-shared keys for those connections (keeping Rosenpass negotiation for the rest).
Additionally, this PR includes an update of all Github Actions workflows to use go version 1.21.0 as this is a requirement for the integration.
---------
Co-authored-by: braginini <bangvalo@gmail.com>
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
* starting engine by passing file descriptor on engine start
* inject logger that does not compile
* logger and first client
* first working connection
* support for routes and working connection
* small refactor for better code quality in swift
* trying to add DNS
* fix
* updated
* fix route deletion
* trying to bind the DNS resolver dialer to an interface
* use dns.Client.Exchange
* fix metadata send on startup
* switching between client to query upstream
* fix panic on no dns response
* fix after merge changes
* add engine ready listener
* replace engine listener with connection listener
* disable relay connection for iOS until proxy is refactored into bind
* Extract private upstream for iOS and fix function headers for other OS
* Update mock Server
* Fix dns server and upstream tests
* Fix engine null pointer with mobile dependencies for other OS
* Revert back to disabling upstream on no response
* Fix some of the remarks from the linter
* Fix linter
* re-arrange duration calculation
* revert exported HostDNSConfig
* remove unused engine listener
* remove development logs
* refactor dns code and interface name propagation
* clean dns server test
* disable upstream deactivation for iOS
* remove files after merge
* fix dns server darwin
* fix server mock
* fix build flags
* move service listen back to initialize
* add wgInterface to hostManager initialization on android
* fix typo and remove unused function
* extract upstream exchange for ios and rest
* remove todo
* separate upstream logic to ios file
* Fix upstream test
* use interface and embedded struct for upstream
* set properly upstream client
* remove placeholder
* remove ios specific attributes
* fix upstream test
* merge ipc parser and wg configurer for mobile
* fix build annotation
* use json for DNS settings handover through gomobile
* add logs for DNS json string
* bring back check on ios for private upstream
* remove wrong (and unused) line
* fix wrongly updated comments on DNSSetting export
---------
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
In case of 'always-on' feature has switched on, after the reboot the service do not start properly in all cases.
If the device is in offline state (no internet connection) the auth login steps will fail and the service will stop.
For the auth steps make no sense in this case because if the OS start the service we do not have option for
the user interaction.
* Add DNS list argument for mobile client
* Write testable code
Many places are checked the wgInterface != nil condition.
It is doing it just because to avoid the real wgInterface creation for tests.
Instead of this involve a wgInterface interface what is moc-able.
* Refactor the DNS server internal code structure
With the fake resolver has been involved several
if-else statement and generated some unused
variables to distinguish the listener and fake
resolver solutions at running time. With this
commit the fake resolver and listener based
solution has been moved into two separated
structure. Name of this layer is the 'service'.
With this modification the unit test looks
simpler and open the option to add new logic for
the permanent DNS service usage for mobile
systems.
* Remove is running check in test
We can not ensure the state well so remove this
check. The test will fail if the server is not
running well.
Add new feature to notify the user when new client route has arrived.
Refactor the initial route handling. I move every route logic into the route
manager package.
* Add notification management for client rules
* Export the route notification for Android
* Compare the notification based on network range instead of id.
This PR adds supports for the WireGuard userspace implementation
using Bind interface from wireguard-go.
The newly introduced ICEBind struct implements Bind with UDPMux-based
structs from pion/ice to handle hole punching using ICE.
The core implementation was taken from StdBind of wireguard-go.
The result is a single WireGuard port that is used for host and server reflexive candidates.
Relay candidates are still handled separately and will be integrated in the following PRs.
ICEBind checks the incoming packets for being STUN or WireGuard ones
and routes them to UDPMux (to handle hole punching) or to WireGuard respectively.
Refactored updateServerStates and calculateState
added some checks to ensure we are not sending connecting on context canceled
removed some state updates from the RunClient function
On Android, because of the hard SELinux policies can not list the
interfaces of the ICE package. Without it can not generate a host type
candidate. In this pull request, the list of interfaces comes via the Java
interface.
Fix the status indication in the client service. The status of the
management server and the signal server was incorrect if the network
connection was broken. Basically the status update was not used by
the management and signal library.
The ConnStatus is a custom type based on iota
like an enum. The problem was nowhere used to the
benefits of this implementation. All ConnStatus
instances has been compared with strings. I
suppose the reason to do it to avoid a circle
dependency. In this commit the separated status
package has been moved to peer package.
Remove unused, exported functions from engine
Code cleaning in the config.go of the client. This change keep the
logic in original state. The name of the exported function was not
covered well the internal workflow. Without read the comment was not
understandable what is the difference between the GetConfig and
ReadConfig. By the way both of them doing write operation.
avoid sending admin or management URLs on service start
as it doesn't have an input
Parse management and admin URL when needed
Pass empty admin url on commands to prevent default overwrite
Adding --external-ip-map and --dns-resolver-address to up command and shorthand option to global flags.
Refactor get and read config functions with new ConfigInput type.
updated cobra package to latest release.
If peer is deleted in the console,
we set its state as needs login
On Down command we clean any previous state errors
this prevents need for daemon restart
Removed state error wrapping when engine exits, log is enough
Use stdout and stderr log path only if on Linux and attempt to create the path
Update status system with FQDN fields and
status command to display the domain names of remote and local peers
Set some DNS logs to tracing
update readme file
* Add additional check for needed kernel modules
* Check if wireguard and tun modules are loaded
If modules are loaded return true, otherwise attempt to load them
* fix state check
* Add module function tests
* Add test execution in container
* run client package tests on docker
* add package comment to new file
* force entrypoint
* add --privileged flag
* clean only if tables where created
* run from within the directories
Added additional common blacklisted interfaces
Updated the signal protocol to pass the peer port and netbird version
Co-authored-by: braginini <bangvalo@gmail.com>
