From 551051968621f3de277abc0f1a4eabcd33bd713b Mon Sep 17 00:00:00 2001 From: Jonathan Giannuzzi Date: Wed, 10 May 2023 14:43:34 +0100 Subject: [PATCH] Initial commit --- .devcontainer/devcontainer.json | 22 ++ .github/dependabot.yml | 11 + .github/workflows/release.yml | 27 +++ .gitignore | 2 + .goreleaser.yaml | 33 +++ LICENSE | 201 +++++++++++++++++ README.md | 80 +++++++ go.mod | 18 ++ go.sum | 25 +++ main.go | 369 ++++++++++++++++++++++++++++++++ 10 files changed, 788 insertions(+) create mode 100644 .devcontainer/devcontainer.json create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/release.yml create mode 100644 .gitignore create mode 100644 .goreleaser.yaml create mode 100644 LICENSE create mode 100644 README.md create mode 100644 go.mod create mode 100644 go.sum create mode 100644 main.go diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json new file mode 100644 index 0000000..8a63cb2 --- /dev/null +++ b/.devcontainer/devcontainer.json @@ -0,0 +1,22 @@ +// For format details, see https://aka.ms/devcontainer.json. For config options, see the +// README at: https://github.com/devcontainers/templates/tree/main/src/go +{ + "name": "Go", + // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile + "image": "mcr.microsoft.com/devcontainers/go:0-bullseye" + + // Features to add to the dev container. More info: https://containers.dev/features. + // "features": {}, + + // Use 'forwardPorts' to make a list of ports inside the container available locally. + // "forwardPorts": [], + + // Use 'postCreateCommand' to run commands after the container is created. + // "postCreateCommand": "go version", + + // Configure tool-specific properties. + // "customizations": {}, + + // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root. + // "remoteUser": "root" +} diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..f570027 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 +updates: + - package-ecosystem: "gomod" + directory: "/" + schedule: + interval: "daily" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..eef7cfc --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,27 @@ +name: release + +on: + push: + tags: + - '*' + +permissions: + contents: write + +jobs: + goreleaser: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + - run: git fetch --force --tags + - uses: actions/setup-go@v4 + with: + go-version: stable + - uses: goreleaser/goreleaser-action@v4 + with: + version: latest + args: release --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..cde0123 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ + +dist/ diff --git a/.goreleaser.yaml b/.goreleaser.yaml new file mode 100644 index 0000000..139cef2 --- /dev/null +++ b/.goreleaser.yaml @@ -0,0 +1,33 @@ + +builds: + - env: + - CGO_ENABLED=0 + goos: + - linux + - windows + - darwin + +archives: + - format: tar.gz + # this name template makes the OS and Arch compatible with the results of uname. + name_template: >- + {{ .ProjectName }}_ + {{- title .Os }}_ + {{- if eq .Arch "amd64" }}x86_64 + {{- else if eq .Arch "386" }}i386 + {{- else }}{{ .Arch }}{{ end }} + {{- if .Arm }}v{{ .Arm }}{{ end }} + # use zip for windows archives + format_overrides: + - goos: windows + format: zip +checksum: + name_template: 'checksums.txt' +snapshot: + name_template: "{{ incpatch .Version }}-next" +changelog: + sort: asc + filters: + exclude: + - '^docs:' + - '^test:' \ No newline at end of file diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..8dada3e --- /dev/null +++ b/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md new file mode 100644 index 0000000..217daef --- /dev/null +++ b/README.md @@ -0,0 +1,80 @@ +# wgfwd + +## Description + +`wgfwd` is a user-space Wireguard implementation that can forward TCP and UDP ports from one node to another. +You can think of it as SSH port-forwarding, but with lower latency as Wireguard uses UDP under the hood. + +## Install + +Browse the [releases](https://github.com/jgiannuzzi/wgfwd/releases) and download a binary for your platform. + +Alternatively, you can build it yourself after having installed the [Go](https://go.dev) SDK by running the following command: +```sh +go install github.com/jgiannuzzi/wgfwd@latest +``` + +## Usage + +### Basic + +`wgfwd` works like regular Wireguard. + +Here is an example configuration of `wgfwd` acting as a client that forwards TCP and UDP ports 4000 through the tunnel: + +```sh +wgfwd \ +-wg-private-key mMw8xmuUyfiEwn1Q9v5EEAPqtLtU5aO5gc00+tegiWA= \ +-wg-public-key jwYGod+ALPjuKAvEQ7Os1RLgGfcMnwXL97G5mbDW5XU= \ +-wg-local-ip 192.168.4.2 \ +-wg-remote-ip 192.168.4.1 \ +-wg-endpoint 10.8.43.5:58120 \ +-wg-keepalive 25 \ +-fwd tcp:4000:192.168.4.1:4000,udp:4000:192.168.4.1:4000 +``` + +It connects to a regular Wireguard server running on `10.8.43.5:58120` with this configuration file: +```ini +[Interface] +PrivateKey = WJiRwPPp1NnNl1PbEAtH0yeG160xxPXXe+8OFxk6H1o= +Address = 192.168.4.1/32 +ListenPort = 58120 + +[Peer] +PublicKey = +t6LAA9uaC1RXp2GzXQKCuwkys6Q2188EnAgU26P6xc= +AllowedIPs = 192.168.4.2/32 +``` + +The server could also use `wgfwd` as follows: +```sh +wgfwd \ +-wg-private-key WJiRwPPp1NnNl1PbEAtH0yeG160xxPXXe+8OFxk6H1o= \ +-wg-public-key +t6LAA9uaC1RXp2GzXQKCuwkys6Q2188EnAgU26P6xc= \ +-wg-local-ip 192.168.4.1 \ +-wg-remote-ip 192.168.4.2 \ +-wg-listen-port 58120 \ +-fwd tcp:192.168.4.1:4000:localhost:4000,udp:192.168.4.1:4000:localhost:4000 +``` + +Note that in this case, we need to forward the 2 ports back onto the real host, as opposed to when regular Wireguard is used. + +### Advanced + +`-wg-config` can be used to point to a config file that uses the [Wireguard configuration protocol](https://www.wireguard.com/xplatform/#configuration-protocol) format. + +Here is what the file would look like for the client case above: +``` +private_key=98cc3cc66b94c9f884c27d50f6fe441003eab4bb54e5a3b981cd34fad7a08960 +public_key=8f0606a1df802cf8ee280bc443b3acd512e019f70c9f05cbf7b1b999b0d6e575 +allowed_ip=192.168.4.1/32 +endpoint=10.8.43.5:58120 +persistent_keepalive_interval=25 +``` + +The corresponding command line is: +``` +wgfwd \ +-wg-local-ip 192.168.4.2 \ +-wg-config client.cfg \ +-fwd tcp:4000:192.168.4.1:4000,udp:4000:192.168.4.1:4000 +``` diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..c181df6 --- /dev/null +++ b/go.mod @@ -0,0 +1,18 @@ +module github.com/jgiannuzzi/wgfwd + +go 1.20 + +require ( + github.com/sirupsen/logrus v1.8.1 + golang.zx2c4.com/wireguard v0.0.0-20230223181233-21636207a675 + gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0 +) + +require ( + github.com/google/btree v1.0.1 // indirect + golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect + golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect + golang.org/x/sys v0.2.0 // indirect + golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect + golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect +) diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..d929f78 --- /dev/null +++ b/go.sum @@ -0,0 +1,25 @@ +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= +github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= +github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd h1:XcWmESyNjXJMLahc3mqVQJcgSTDxFxhETVlfk9uGc38= +golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/net v0.0.0-20220225172249-27dd8689420f h1:oA4XRj0qtSt8Yo1Zms0CUlsT3KG69V2UGQWPBxujDmc= +golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY= +golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI= +golang.zx2c4.com/wireguard v0.0.0-20230223181233-21636207a675 h1:/J/RVnr7ng4fWPRH3xa4WtBJ1Jp+Auu4YNLmGiPv5QU= +golang.zx2c4.com/wireguard v0.0.0-20230223181233-21636207a675/go.mod h1:whfbyDBt09xhCYQWtO2+3UVjlaq6/9hDZrjg2ZE6SyA= +gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0 h1:Wobr37noukisGxpKo5jAsLREcpj61RxrWYzD8uwveOY= +gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0/go.mod h1:Dn5idtptoW1dIos9U6A2rpebLs/MtTwFacjKb8jLdQA= diff --git a/main.go b/main.go new file mode 100644 index 0000000..6541548 --- /dev/null +++ b/main.go @@ -0,0 +1,369 @@ +package main + +import ( + "context" + "encoding/base64" + "encoding/hex" + "flag" + "fmt" + "io" + "log" + "net" + "net/netip" + "os" + "os/signal" + "strings" + "sync" + "syscall" + "time" + + "github.com/sirupsen/logrus" + "golang.zx2c4.com/wireguard/conn" + "golang.zx2c4.com/wireguard/device" + "golang.zx2c4.com/wireguard/tun/netstack" +) + +var version = "dev" + +func main() { + forwards := flag.String("fwd", "", "TCP/UDP forwarding list (:[local-ip]:local-port:remote-ip:remote-port,...)") + wgConfig := flag.String("wg-config", "", "Wireguard config file") + wgListenPort := flag.Int("wg-listen-port", 0, "Wireguard listen port") + wgLocalIP := flag.String("wg-local-ip", "", "Wireguard local IP") + wgRemoteIP := flag.String("wg-remote-ip", "", "Wireguard remote IP") + wgPrivateKey := flag.String("wg-private-key", "", "Wireguard private key") + wgPublicKey := flag.String("wg-public-key", "", "Wireguard public key") + wgEndpoint := flag.String("wg-endpoint", "", "Wireguard endpoint") + wgKeepalive := flag.Int("wg-keepalive", 0, "Wireguard keepalive") + logLevelString := flag.String("log-level", "info", "Log level") + showVersion := flag.Bool("version", false, "Show version") + flag.Parse() + + if *showVersion { + fmt.Printf("wgfwd %s\n", version) + return + } + + logLevel, err := logrus.ParseLevel(*logLevelString) + if err != nil { + log.Fatal(err) + } + logrus.SetLevel(logLevel) + + if *wgConfig == "" { + if *wgPrivateKey == "" { + logrus.Fatal("Wireguard private key is required") + } + + if *wgPublicKey == "" { + logrus.Fatal("Wireguard public key is required") + } + + if *wgRemoteIP == "" { + logrus.Fatal("Wireguard remote IP is required") + } + } + + if *wgLocalIP == "" { + logrus.Fatal("Wireguard local IP is required") + } + + if !strings.Contains(*wgRemoteIP, "/") { + *wgRemoteIP = *wgRemoteIP + "/32" + } + + tun, tnet, err := netstack.CreateNetTUN( + []netip.Addr{netip.MustParseAddr(*wgLocalIP)}, + []netip.Addr{}, + 1420, + ) + if err != nil { + logrus.Fatalf("Error creating tunnel interface: %s", err) + } + + dev := device.NewDevice(tun, conn.NewDefaultBind(), &device.Logger{ + Verbosef: logrus.Debugf, + Errorf: logrus.Errorf, + }) + + var config string + if *wgConfig != "" { + content, err := os.ReadFile(*wgConfig) + if err != nil { + logrus.Fatalf("Error reading Wireguard config file: %s", err) + } + config = string(content) + } else { + configBuilder := strings.Builder{} + fmt.Fprintf(&configBuilder, "private_key=%s\n", base64ToHex(*wgPrivateKey)) + if *wgListenPort != 0 { + fmt.Fprintf(&configBuilder, "listen_port=%d\n", *wgListenPort) + } + fmt.Fprintf(&configBuilder, "public_key=%s\n", base64ToHex(*wgPublicKey)) + fmt.Fprintf(&configBuilder, "allowed_ip=%s\n", *wgRemoteIP) + if *wgEndpoint != "" { + fmt.Fprintf(&configBuilder, "endpoint=%s\n", *wgEndpoint) + } + if *wgKeepalive != 0 { + fmt.Fprintf(&configBuilder, "persistent_keepalive_interval=%d\n", *wgKeepalive) + } + config = configBuilder.String() + } + + if err := dev.IpcSet(config); err != nil { + logrus.Fatalf("Error setting device configuration: %s", err) + } + + if err := dev.Up(); err != nil { + logrus.Fatalf("Error bringing up device: %s", err) + } + logrus.Infof("Wireguard device up") + defer dev.Down() + + var wg sync.WaitGroup + defer wg.Wait() + + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + var localNetOp = &localNetOp{} + var tunnelNetOp = &tunnelNetOp{tnet} + + if len(*forwards) != 0 { + for _, fwd := range strings.Split(*forwards, ",") { + components := strings.Split(fwd, ":") + if len(components) == 4 { + components = append([]string{components[0], "127.0.0.1"}, components[1:]...) + } + if len(components) != 5 { + logrus.Fatalf("Invalid forward: %s", fwd) + } + proto := components[0] + var lNet netOp + var rNet netOp + if components[1] == *wgLocalIP { + lNet = tunnelNetOp + rNet = localNetOp + } else { + lNet = localNetOp + rNet = tunnelNetOp + } + lAddr := strings.Join(components[1:3], ":") + rAddr := strings.Join(components[3:], ":") + if err := forward(ctx, &wg, proto, lNet, lAddr, rNet, rAddr); err != nil { + log.Fatalf("Error forwarding %s: %s", fwd, err) + } + } + } + + sigChan := make(chan os.Signal, 1) + signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM) + <-sigChan +} + +// decode base64 string and encode it to hex string +func base64ToHex(s string) string { + b, err := base64.StdEncoding.DecodeString(s) + if err != nil { + logrus.Fatalf("Error decoding base64: %s", err) + } + return hex.EncodeToString(b) +} + +type netOp interface { + Dial(ctx context.Context, network string, address string) (net.Conn, error) + Listen(ctx context.Context, network string, address string) (net.Listener, error) + ListenPacket(ctx context.Context, network string, address string) (net.PacketConn, error) +} + +type localNetOp struct{} + +func (n *localNetOp) Dial(ctx context.Context, network string, address string) (net.Conn, error) { + var d net.Dialer + return d.DialContext(ctx, network, address) +} + +func (n *localNetOp) Listen(ctx context.Context, network string, address string) (net.Listener, error) { + var l net.ListenConfig + return l.Listen(ctx, network, address) +} + +func (n *localNetOp) ListenPacket(ctx context.Context, network string, address string) (net.PacketConn, error) { + var l net.ListenConfig + return l.ListenPacket(ctx, network, address) +} + +type tunnelNetOp struct { + tun *netstack.Net +} + +func (n *tunnelNetOp) Dial(ctx context.Context, network string, address string) (net.Conn, error) { + return n.tun.DialContext(ctx, network, address) +} + +func (n *tunnelNetOp) Listen(ctx context.Context, network string, address string) (net.Listener, error) { + addr, err := net.ResolveTCPAddr(network, address) + if err != nil { + return nil, err + } + return n.tun.ListenTCP(addr) +} + +func (n *tunnelNetOp) ListenPacket(ctx context.Context, network string, address string) (net.PacketConn, error) { + addr, err := net.ResolveUDPAddr(network, address) + if err != nil { + return nil, err + } + return n.tun.ListenUDP(addr) +} + +func forward(ctx context.Context, wg *sync.WaitGroup, proto string, lNet netOp, lAddr string, rNet netOp, rAddr string) error { + switch proto { + case "tcp": + return forwardTCP(ctx, wg, lNet, lAddr, rNet, rAddr) + case "udp": + return forwardUDP(ctx, wg, lNet, lAddr, rNet, rAddr) + default: + return fmt.Errorf("unknown protocol: %s", proto) + } +} + +func forwardTCP(ctx context.Context, wg *sync.WaitGroup, lNet netOp, lAddr string, rNet netOp, rAddr string) error { + wg.Add(1) + + listener, err := lNet.Listen(ctx, "tcp", lAddr) + if err != nil { + return err + } + + go func() { + <-ctx.Done() + logrus.Infof("Stopping TCP forwarder for %s -> %s", lAddr, rAddr) + listener.Close() + }() + + go func() { + defer wg.Done() + for { + conn, err := listener.Accept() + if err != nil { + logrus.Debugf("Error accepting TCP connection: %s", err) + return + } + logrus.Debugf("Accepted TCP connection from %s for %s", conn.RemoteAddr(), lAddr) + + remote, err := rNet.Dial(ctx, "tcp", rAddr) + if err != nil { + logrus.Errorf("Error connecting to remote TCP: %s", err) + conn.Close() + continue + } + logrus.Debugf("TCP connection forwarded from %s to %s", conn.RemoteAddr(), rAddr) + + var iwg sync.WaitGroup + go func() { + defer iwg.Done() + defer remote.Close() + defer conn.Close() + _, err := io.Copy(remote, conn) + if err != nil && err != io.EOF { + logrus.Debugf("Error copying from %s: %s", conn.RemoteAddr(), err) + } + }() + go func() { + defer iwg.Done() + defer remote.Close() + defer conn.Close() + _, err := io.Copy(conn, remote) + if err != nil { + logrus.Debugf("Error copying to %s: %s", conn.RemoteAddr(), err) + } + }() + iwg.Add(2) + go func() { + iwg.Wait() + logrus.Debugf("Connection from %s closed", conn.RemoteAddr()) + }() + } + }() + + logrus.Infof("TCP forwarder started for %s -> %s", lAddr, rAddr) + + return nil +} + +func forwardUDP(ctx context.Context, wg *sync.WaitGroup, lNet netOp, lAddr string, rNet netOp, rAddr string) error { + wg.Add(1) + + remoteConns := make(map[string]net.Conn) + + localConn, err := lNet.ListenPacket(ctx, "udp", lAddr) + if err != nil { + return err + } + + go func() { + <-ctx.Done() + logrus.Infof("Stopping UDP forwarder for %s -> %s", lAddr, rAddr) + for _, c := range remoteConns { + c.Close() + } + localConn.Close() + }() + + buffer := make([]byte, 1392) + go func() { + defer wg.Done() + + for { + n, addr, err := localConn.ReadFrom(buffer) + if err != nil { + logrus.Debugf("Error reading from UDP socket: %#v", err) + return + } + logrus.Debugf("Received %d bytes from %s for %s", n, addr, lAddr) + + remote, ok := remoteConns[addr.String()] + if !ok { + remote, err = rNet.Dial(ctx, "udp", rAddr) + if err != nil { + logrus.Errorf("Error connecting to remote UDP: %s", err) + continue + } + remoteConns[addr.String()] = remote + + go func() { + defer delete(remoteConns, addr.String()) + + buffer := make([]byte, 1392) + for { + remote.SetReadDeadline(time.Now().Add(3 * time.Second)) + n, err = remote.Read(buffer) + if err != nil { + logrus.Debugf("Error reading from UDP socket: %s", err) + return + } + logrus.Debugf("Received %d bytes from %s for %s", n, rAddr, remote.LocalAddr()) + _, err = localConn.WriteTo(buffer[:n], addr) + if err != nil { + logrus.Debugf("Error writing to local: %s", err) + return + } + logrus.Debugf("Forwarded %d bytes from %s to %s", n, rAddr, addr) + } + }() + } + + n, err = remote.Write(buffer[:n]) + if err != nil { + logrus.Errorf("Error writing to remote UDP from %s: %s", addr, err) + continue + } + logrus.Debugf("Forwarded %d bytes from %s to %s", n, addr, rAddr) + } + }() + + logrus.Infof("UDP forwarder started for %s -> %s", lAddr, rAddr) + + return nil +}