Commit Graph

1472 Commits

Author SHA1 Message Date
Klemens Nanni
834680045a
Create admin socket synchronously before privdrop (#1201)
Creating UNIX sockets in the listen() goroutine that races against the main
one dropping to an unprivileged user may cause startup failure when
privdrop happens before privileged filesystem access.

Setup or fail in New() and only do listen(2) in listen() to avoid this.

```
# yggdrasil -autoconf -user nobody
2024/11/03 21:15:27 Build name: yggdrasil-go
2024/11/03 21:15:27 Build version: 0.5.9
...
2024/11/03 21:15:27 Admin socket failed to listen: listen unix /var/run/yggdrasil.sock: bind: permission denied
```

Rerun, now the order is flipped:
```
# yggdrasil -autoconf -user nobody
2024/11/03 21:15:34 Build name: yggdrasil-go
2024/11/03 21:15:34 Build version: 0.5.9
[...]
2024/11/03 21:15:34 UNIX admin socket listening on /var/run/yggdrasil.sock
[...]
```

Fixes #927.
2024-11-11 19:27:02 +00:00
Neil Alexander
eef613993f
Raise link error when SNI supplied on unsupported link type
Closes #1196
2024-10-27 21:06:56 +00:00
Neil Alexander
ff0ef7ff56
Update comments in default configuration file 2024-10-27 20:59:05 +00:00
Neil Alexander
b20ad846a1
When IfName is none, start queue goroutine, otherwise iprwc blocks and some handlers don't run
2024-10-20 21:28:04 +01:00
Klemens Nanni
a6429390da
Use UNIX socket path from url struct (#1186)
No need to extract it again when the url package provides it for us:
```
$ jq -n '{"AdminListen":"unix:///tmp/ygg.sock"}' | ./yggdrasil -useconf | grep 'admin socket'
2024/10/08 22:41:11 UNIX admin socket listening on /tmp/ygg.sock
```

Follow-up on #1176
2024-10-17 13:22:46 +01:00
Neil Alexander
d22dc9ecc9
TUN: Skip ErrTooManySegments 2024-10-10 09:23:13 +01:00
Klemens Nanni
874083da79
Replace repeated subscripts with single TrimPrefix (#1176)
This stood out to me while reading the code: [7:] is skipping "unix://",
so why not do that?

Doing so reveals a bug in the last line changed, where chmod(2) failure
would print just the prefix, not everything but it... easy to miss, but
now this kind of bug can no longer happen.
2024-09-30 14:25:04 +01:00
Klemens Nanni
ccda1075c0
Fix ioctl(2) code for OpenBSD (#1175)
This cleans up the mess to configure an IP address on a tun(4) device.

Handrolling a hardcoded ioctl(2) request is far from perfect, but Go
(golang.org/sys/unix) is to blame here.

Tested on OpenBSD 7.6 -current where yggdrasil now drives the interface
without use of ifconfig or other helpers.
2024-09-30 14:24:20 +01:00
Neil Alexander
6d5243bd9a
Add unit test for AllowedPublicKeys 2024-09-29 22:04:41 +01:00
Neil Alexander
377bc664c9
The AllowedPublicKeys option should not apply to multicast listeners
Another fix for #1141.
2024-09-29 21:38:56 +01:00
Neil Alexander
d1b849588f
Fix bug where ephemeral links would try to reconnect in a fast loop
Helps #1141, although not a complete solution.
2024-09-29 21:24:39 +01:00
Klemens Nanni
98a6fdb4f2
tun: bsd: remove redundant ioctl to set MTU (#1172)
wireguard's CreateTUN() sets the MTU using the same ioctl(2), on both
FreeBSD and OpenBSD.

Tested on OpenBSD (output with this patch):

```
# ktrace ./yggdrasil -autoconf | grep Interface
2024/09/24 17:26:29 Interface name: tun0
2024/09/24 17:26:29 Interface IPv6: 201:26e:68f0:502e:f445:13eb:2fe1:f7cd/7
2024/09/24 17:26:29 Interface MTU: 16384
```

```
$ ifconfig tun0 | head -n1
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 16384
```

```
# kdump | grep ioctl
 53097 yggdrasil CALL  ioctl(10,SIOCGIFMTU,0xc0000376b8)
 53097 yggdrasil RET   ioctl 0
 53097 yggdrasil CALL  ioctl(10,SIOCSIFMTU,0xc0000376c0)
 53097 yggdrasil RET   ioctl 0
 53097 yggdrasil CALL  ioctl(10,SIOCGIFMTU,0xc0000377f8)
 53097 yggdrasil RET   ioctl 0
 53097 yggdrasil CALL  ioctl(10,_IOW('i',12,0x20),0xc00003777c)
 53097 yggdrasil RET   ioctl -1 errno 25 Inappropriate ioctl for device
       "2024/09/24 17:26:29 Error in SIOCSIFADDR_IN6: inappropriate ioctl for device
```

(The completely broken address ioctl is another story...)
2024-09-29 21:05:38 +01:00
Neil Alexander
c00779c7d3
Multicast interface detection and shutdown tweaks
May help with #1173.
2024-09-29 20:58:10 +01:00
Neil Alexander
b8ab843a98
Update admin socket response sorting 2024-09-23 22:40:52 +01:00
Neil Alexander
e138fa679c
Fix link panic when shutting down (closes #1168) 2024-09-22 17:05:25 +01:00
Neil Alexander
361b9fd6fc
Update WebSocket dependency to new import path 2024-09-22 16:54:58 +01:00
Neil
c4b29b735c
Link costing based on average RTT (#1171)
This PR updates Ironwood to include the new RTT-based link costing and
updates `yggdrasilctl` to report the cost in `getPeers`.

Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
2024-09-21 22:05:23 +00:00
Sergey Bobrenok
947b6ad7aa
Restore local peer discovery mechanism on Android 11+ (#1158)
This solution is based on the https://github.com/wlynxg/anet project.
`github.com/wlynxg/anet` is a partial alternative implementation of the
`golang.org/x/net` module. The goal of `anet` module is to provide
workarounds of the issues https://github.com/golang/go/issues/40569 and
https://github.com/golang/go/issues/68082 on Android 11+.

Tested on AOSP 13.

Resolves: #1149
2024-08-16 18:28:57 +01:00
Neil Alexander
b1283e15f6
Link state tracking tweaks and improved shutdown 2024-08-11 10:42:25 +01:00
Neil Alexander
ef989bef63
Multicast module state tweaks 2024-08-11 10:41:58 +01:00
Neil Alexander
af9ff34995
Fix macOS build 2024-08-07 19:55:10 +01:00
Neil Alexander
63cd757525
Remove waitForTUNUp from TUN
Causes issues such as #1156.
2024-08-07 19:52:19 +01:00
Revertron
5e5de3a343
Fixed wait for TUN to come up (#1157)
So, the function waiting for TUN to come up never succeeds:
```
func waitForTUNUp(ch <-chan wgtun.Event) bool {
	t := time.After(time.Second * 5)
	for {
		select {
		case ev := <-ch:
			if ev == wgtun.EventUp {
				return true
			}
		case <-t:
			return false
		}
	}
}
```
I've tried the sleep for one second, and it works flawlessly on several
PCs.

Another point - sometimes, if the service stops abruptly (in case of some
errors) there is an old hidden device in the system, that we need to
uninstall, and then create a new one.
2024-08-06 10:28:15 +01:00
Neil Alexander
9950d1225d
Improve link and handshake errors 2024-08-01 21:53:48 +01:00
Vasyl Gello
5ea16e63a1
Implement websocket (ws:// and wss://) links (#1152)
ws:// can be listened on and dialed
wss:// is a convenience link for ws:// that supports dialing to a ws://
peer.

---------

Signed-off-by: Vasyl Gello <vasek.gello@gmail.com>
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
2024-07-23 22:58:11 +01:00
Neil
02d92ff81c
TUN vectorised reads/writes (#1145)
This PR updates the Wireguard dependency and updates to use new
vectorised reads/writes, which should reduce the number of syscalls and
improve performance.

This will only make a difference on Linux as this is the only platform
for which the Wireguard TUN library supports vectorised reads/writes.
For other platforms, single reads and writes will be performed as usual.

---------

Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
2024-07-20 15:24:30 +01:00
Neil Alexander
04c0acf71b
Various clean-ups 2024-07-20 12:31:58 +01:00
Neil Alexander
8ecc402d7c
Allow multiple connections to the same link-local address
Note that this may mean that currently we end up with two links to each multicast-discovered peer, one incoming and one outgoing
2024-07-20 11:31:08 +01:00
Neil
f788a18bef
Measure RTT, report in getPeers (#1143)
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
2024-05-30 22:46:06 +01:00
Neil Alexander
fcefb20993
Fix interval check when sending multicast beacons 2024-05-28 10:03:48 +01:00
Paul Donald
f56f9c124c
Minor Fixes (#1107)
* Minor comment fixes.

* Optimize PeerEntry for memory efficiency

* Improve NodeConfig for memory alignment
2024-05-27 21:57:28 +01:00
Arceliar
6cbe56adfe
fix incorrect pool use 2024-05-25 06:15:36 -05:00
Neil
180d7bf499
Adjust default backoff max to just over 1 hour, add ?maxbackoff= peer option (#1124)
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
2024-01-15 23:09:07 +00:00
Neil Alexander
768278a8e6
Improve getPeers sorting 2024-01-11 22:37:05 +00:00
Neil Alexander
1e9a59edf9
Update behaviour in QUIC listener handler 2024-01-05 11:45:20 +00:00
Neil Alexander
3dfa6d0cc9
Validate public key lengths on debug_ API endpoints (fixes #1113) 2023-12-03 17:55:12 +00:00
Neil Alexander
6b6cd0bed5
Fix PPROFLISTEN 2023-11-28 13:24:54 +00:00
Neil Alexander
fef553ed18
Tweak logging 2023-11-26 16:28:48 +00:00
Neil Alexander
f6f669617f
Fix -normaliseconf when using PrivateKeyPath 2023-11-26 16:20:52 +00:00
Neil Alexander
39c4b24395
Don't use 0-RTT for QUIC 2023-11-26 16:19:00 +00:00
Neil Alexander
a0b3897278
Cap link backoff at roughly 4.5 hours 2023-11-21 23:54:27 +00:00
Neil Alexander
7aca869170
Tweak backoff success handling 2023-11-21 10:35:17 +00:00
Neil
0346af46da
Don't panic when connect returns nil (fixes #1086) (#1089)
* Don't panic when connect returns `nil` (fixes #1086)

It isn't clear to me why this would happen but let's guard the condition anyway.

* Log inconsistent error state

---------

Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
2023-11-04 18:42:42 +00:00
Neil
93a5adfd18
Add sockstls:// (#1090)
Closes #1087.

Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
2023-11-04 17:57:15 +00:00
Neil
ddb75700a0
Report errors during handshake stage (#1091)
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
2023-11-04 17:57:04 +00:00
Neil
ae997a5acb
Improve TUN setup logging (#1093) (#1095)
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
2023-11-04 17:56:52 +00:00
Neil Alexander
e41b838d8f
Don't panic at startup when duplicate peers are configured
Fixes #1077
2023-10-28 21:34:15 +01:00
Neil
0b578a637a
Debian package updates (#1073)
* Update Debian package

* Don't put `AdminListen` in config by default, fix path in Debian package

* Fix path in unit file

* Preserve original service files for other packages

---------

Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
2023-10-28 14:58:52 +01:00
Arceliar
82c54f87ea
clean up some debug API output 2023-10-28 06:36:01 -05:00
Arceliar
d17ac39789
update ironwood dependency, add a debug API call for lookups 2023-10-28 05:26:43 -05:00