
631 lines
20 KiB
Raw Normal View History

2023-03-09 09:42:11 +00:00
use std::collections::HashMap;
2023-03-09 12:04:54 +00:00
use std::net::{IpAddr, SocketAddr, SocketAddrV4, ToSocketAddrs, UdpSocket};
2023-03-09 09:42:11 +00:00
use std::process::Command;
use std::sync::Mutex;
use std::thread;
use std::time::Duration;
2023-03-09 12:04:54 +00:00
use anyhow::{anyhow, bail, Result};
2023-03-09 09:42:11 +00:00
use log::*;
use serde::{Deserialize, Serialize};
/// Keep at most this many addresses for each peer
const KEEP_MAX_ADDRESSES: usize = 5;
/// Number of peers to gossip with
const GOSSIP_PEERS: usize = 10;
2023-03-09 11:51:00 +00:00
/// Interval at which to try new addresses when disconnected
const TRY_INTERVAL: Duration = Duration::from_secs(30);
2023-03-09 09:42:11 +00:00
/// Time before a peer is considered dead (5 minutes)
const TIMEOUT: Duration = Duration::from_secs(300);
/// Interval at which to gossip last_seen info
const GOSSIP_INTERVAL: Duration = Duration::from_secs(300);
const LAN_BROADCAST_INTERVAL: Duration = Duration::from_secs(60);
2023-03-09 12:04:54 +00:00
const IGD_INTERVAL: Duration = Duration::from_secs(60);
const IGD_LEASE_DURATION: Duration = Duration::from_secs(300);
2023-03-09 09:42:11 +00:00
type Pubkey = String;
struct Config {
/// The Wireguard interface name
interface: Pubkey,
/// The port to use for gossip inside the Wireguard mesh (must be the same on all nodes)
gossip_port: u16,
2023-03-09 13:23:40 +00:00
/// The secret to use to authenticate nodes between them
gossip_secret: Option<String>,
gossip_secret_file: Option<String>,
/// Enable LAN discovery
lan_discovery: bool,
/// Forward an external port to Wiregard using UPnP IGD
upnp_forward_external_port: Option<u16>,
2023-03-09 09:42:11 +00:00
/// The list of peers we try to connect to
peers: Vec<Peer>,
struct Peer {
/// The peer's Wireguard public key
pubkey: Pubkey,
/// The peer's Wireguard address
address: IpAddr,
/// An optionnal Wireguard endpoint used to initialize a connection to this peer
2023-03-09 11:51:00 +00:00
endpoint: Option<String>,
2023-03-09 09:42:11 +00:00
fn main() -> Result<()> {
let args: Vec<String> = std::env::args().collect();
let config_path = match args.len() {
0 | 1 => "/etc/wgautomesh.toml",
2 => &args[1],
_ => bail!(
"Usage: {} [path_to_config_file]",
2023-03-09 13:23:40 +00:00
let mut config: Config = {
2023-03-09 09:42:11 +00:00
let config_str = std::fs::read_to_string(config_path)?;
2023-03-09 13:23:40 +00:00
if let Some(f) = &config.gossip_secret_file {
if config.gossip_secret.is_some() {
bail!("both gossip_secret and gossip_secret_file are given in config file");
config.gossip_secret = Some(std::fs::read_to_string(f)?);
2023-03-09 09:42:11 +00:00
// ============ UTIL =================
fn time() -> u64 {
fn fasthash(data: &[u8]) -> u64 {
use xxhash_rust::xxh3::Xxh3;
let mut h = Xxh3::new();
2023-03-09 13:23:40 +00:00
fn kdf(secret: &str) -> xsalsa20poly1305::Key {
let hash = blake3::hash(format!("wgautomesh: {}", secret).as_bytes());
2023-03-09 10:04:27 +00:00
fn wg_dump(config: &Config) -> Result<(Pubkey, u16, Vec<(Pubkey, Option<SocketAddr>, u64)>)> {
2023-03-09 10:54:44 +00:00
let output = Command::new("wg")
.args(["show", &config.interface, "dump"])
2023-03-09 09:42:11 +00:00
let mut lines = std::str::from_utf8(&output.stdout)?.split('\n');
let ourself = lines.next().unwrap().split('\t').collect::<Vec<_>>();
if ourself.len() < 3 {
"Unable to fetch wireguard status for interface {}",
2023-03-09 09:42:11 +00:00
let our_pubkey = ourself[1].to_string();
2023-03-09 10:04:27 +00:00
let listen_port = ourself[2].parse::<u16>()?;
2023-03-09 09:42:11 +00:00
let peers = lines
.filter_map(|line| {
let fields = line.split('\t').collect::<Vec<_>>();
if fields.len() < 5 {
} else {
2023-03-09 10:04:27 +00:00
Ok((our_pubkey, listen_port, peers))
2023-03-09 09:42:11 +00:00
// ============ DAEMON CODE =================
struct Daemon {
config: Config,
2023-03-09 13:23:40 +00:00
gossip_key: xsalsa20poly1305::Key,
2023-03-09 10:04:27 +00:00
our_pubkey: Pubkey,
listen_port: u16,
2023-03-09 09:42:11 +00:00
socket: UdpSocket,
state: Mutex<State>,
struct PeerInfo {
2023-03-09 12:52:53 +00:00
// Info known from config
2023-03-09 09:42:11 +00:00
gossip_ip: IpAddr,
gossip_prio: u64,
2023-03-09 12:52:53 +00:00
// Info retrieved from wireguard
endpoint: Option<SocketAddr>,
last_seen: u64,
// Info received by LAN broadcast
lan_endpoint: Option<(SocketAddr, u64)>,
2023-03-09 09:42:11 +00:00
#[derive(Serialize, Deserialize, Debug)]
enum Gossip {
Announce {
pubkey: Pubkey,
endpoints: Vec<(SocketAddr, u64)>,
LanBroadcast {
pubkey: Pubkey,
listen_port: u16,
2023-03-09 12:52:53 +00:00
2023-03-09 09:42:11 +00:00
impl Daemon {
fn new(config: Config) -> Result<Self> {
2023-03-09 13:23:40 +00:00
let gossip_key = kdf(config.gossip_secret.as_deref().unwrap_or_default());
2023-03-09 10:04:27 +00:00
let (our_pubkey, listen_port, _peers) = wg_dump(&config)?;
2023-03-09 09:42:11 +00:00
let socket = UdpSocket::bind(SocketAddr::new("".parse()?, config.gossip_port))?;
2023-03-09 13:00:57 +00:00
2023-03-09 09:42:11 +00:00
Ok(Daemon {
2023-03-09 13:23:40 +00:00
2023-03-09 10:04:27 +00:00
2023-03-09 09:42:11 +00:00
state: Mutex::new(State {
peers: HashMap::new(),
gossip: HashMap::new(),
fn run(&self) -> Result<()> {
2023-03-09 11:06:56 +00:00
if let Err(e) = self.state.lock().unwrap().setup_wg_peers(self, 0) {
error!("Error initializing wireguard peers: {}", e);
2023-03-09 13:23:40 +00:00
let request = self.make_packet(&Gossip::Request)?;
2023-03-09 09:42:11 +00:00
for peer in self.config.peers.iter() {
let addr = SocketAddr::new(peer.address, self.config.gossip_port);
2023-03-09 11:06:56 +00:00
if let Err(e) = self.socket.send_to(&request, addr) {
error!("Error sending initial request to {}: {}", addr, e);
2023-03-09 09:42:11 +00:00
thread::scope(|s| {
s.spawn(|| self.wg_loop());
s.spawn(|| self.recv_loop());
s.spawn(|| self.lan_broadcast_loop());
2023-03-09 12:04:54 +00:00
s.spawn(|| self.igd_loop());
2023-03-09 09:42:11 +00:00
fn wg_loop(&self) -> ! {
let mut i = 0;
loop {
if let Err(e) = self.wg_loop_iter(i) {
2023-03-09 13:29:31 +00:00
error!("Wireguard configuration loop error: {}", e);
2023-03-09 09:42:11 +00:00
i = i + 1;
fn wg_loop_iter(&self, i: usize) -> Result<()> {
let mut state = self.state.lock().unwrap();
// 1. Update local peers info of peers
2023-03-09 09:42:11 +00:00
// 2. Send gossip for peers where there is a big update
let announces = state
.filter_map(|(pk, info)| info.endpoint.map(|ip| (pk, ip, info.last_seen)))
.filter(|(pk, ip, last_seen)| {
2023-03-09 12:12:47 +00:00
2023-03-09 09:42:11 +00:00
2023-03-09 12:12:47 +00:00
.all(|(a, t)| a != ip || *last_seen > t + GOSSIP_INTERVAL.as_secs())
2023-03-09 09:42:11 +00:00
.map(|(pk, ip, last_seen)| (pk.to_string(), vec![(ip, last_seen)]))
for (pubkey, endpoints) in announces {
state.handle_announce(self, pubkey, endpoints)?;
// 3. Try new address for disconnected peers
state.setup_wg_peers(self, i)?;
2023-03-09 09:42:11 +00:00
fn recv_loop(&self) -> ! {
loop {
if let Err(e) = self.recv_loop_iter() {
error!("Receive loop error: {}", e);
fn recv_loop_iter(&self) -> Result<()> {
let (from, gossip) = self.recv_gossip()?;
let mut state = self.state.lock().unwrap();
match gossip {
Gossip::Announce { pubkey, endpoints } => {
state.handle_announce(self, pubkey, endpoints)?;
Gossip::Request => {
for (pubkey, endpoints) in state.gossip.iter() {
2023-03-09 13:23:40 +00:00
let packet = self.make_packet(&Gossip::Announce {
2023-03-09 09:42:11 +00:00
pubkey: pubkey.clone(),
endpoints: endpoints.clone(),
self.socket.send_to(&packet, from)?;
2023-03-09 12:52:53 +00:00
Gossip::LanBroadcast {
} => {
if self.config.lan_discovery {
if let Some(peer) = state.peers.get_mut(&pubkey) {
2023-03-09 12:52:53 +00:00
let addr = SocketAddr::new(from.ip(), listen_port);
peer.lan_endpoint = Some((addr, time()));
2023-03-09 09:42:11 +00:00
fn recv_gossip(&self) -> Result<(SocketAddr, Gossip)> {
2023-03-09 13:23:40 +00:00
use xsalsa20poly1305::{
aead::{Aead, KeyInit},
XSalsa20Poly1305, NONCE_SIZE,
2023-03-09 09:42:11 +00:00
let mut buf = vec![0u8; 1500];
let (amt, src) = self.socket.recv_from(&mut buf)?;
2023-03-09 13:23:40 +00:00
if amt < NONCE_SIZE {
bail!("invalid packet");
2023-03-09 09:42:11 +00:00
2023-03-09 13:23:40 +00:00
let cipher = XSalsa20Poly1305::new(&self.gossip_key);
let plaintext = cipher
.decrypt(buf[..NONCE_SIZE].try_into().unwrap(), &buf[NONCE_SIZE..amt])
.map_err(|e| anyhow!("decrypt error: {}", e))?;
let gossip = bincode::deserialize(&plaintext)?;
2023-03-09 13:29:31 +00:00
trace!("RECV {}\t{:?}", src, gossip);
2023-03-09 09:42:11 +00:00
Ok((src, gossip))
2023-03-09 12:04:54 +00:00
fn lan_broadcast_loop(&self) {
if self.config.lan_discovery {
loop {
if let Err(e) = self.lan_broadcast_iter() {
error!("LAN broadcast loop error: {}", e);
fn lan_broadcast_iter(&self) -> Result<()> {
2023-03-09 13:23:40 +00:00
let packet = self.make_packet(&Gossip::LanBroadcast {
pubkey: self.our_pubkey.clone(),
listen_port: self.listen_port,
let addr = SocketAddr::new("".parse().unwrap(), self.config.gossip_port);
self.socket.send_to(&packet, addr)?;
2023-03-09 12:04:54 +00:00
fn igd_loop(&self) {
if let Some(external_port) = self.config.upnp_forward_external_port {
loop {
if let Err(e) = self.igd_loop_iter(external_port) {
error!("IGD loop error: {}", e);
fn igd_loop_iter(&self, external_port: u16) -> Result<()> {
let gateway = igd::search_gateway(Default::default())?;
let gwa = gateway.addr.ip().octets();
let cmplen = match gwa {
[192, 168, _, _] => 3,
[10, _, _, _] => 2,
_ => bail!(
"Gateway IP does not appear to be in a local network ({})",
let private_ip = get_if_addrs::get_if_addrs()?
.map(|i| i.addr.ip())
.filter_map(|a| match a {
std::net::IpAddr::V4(a4) if a4.octets()[..cmplen] == gwa[..cmplen] => Some(a4),
_ => None,
.ok_or(anyhow!("No interface has an IP on same subnet as gateway"))?;
"IGD: gateway is {}, private IP is {}, making announce",
gateway.addr, private_ip
SocketAddrV4::new(private_ip, self.listen_port),
IGD_LEASE_DURATION.as_secs() as u32,
"Wireguard via wgautomesh",
2023-03-09 13:23:40 +00:00
fn make_packet(&self, gossip: &Gossip) -> Result<Vec<u8>> {
use xsalsa20poly1305::{
aead::{Aead, KeyInit, OsRng},
let plaintext = bincode::serialize(&gossip)?;
let cipher = XSalsa20Poly1305::new(&self.gossip_key);
let nonce = XSalsa20Poly1305::generate_nonce(&mut OsRng);
let ciphertext = cipher
.encrypt(&nonce, &plaintext[..])
.map_err(|e| anyhow!("encrypt error: {}", e))?;
Ok([&nonce[..], &ciphertext[..]].concat())
2023-03-09 09:42:11 +00:00
struct State {
peers: HashMap<Pubkey, PeerInfo>,
gossip: HashMap<Pubkey, Vec<(SocketAddr, u64)>>,
impl State {
fn send_gossip(&self, daemon: &Daemon, gossip: Gossip) -> Result<()> {
2023-03-09 13:23:40 +00:00
let packet = daemon.make_packet(&gossip)?;
2023-03-09 09:42:11 +00:00
let now = time();
let mut peer_vec = self
.filter(|(_, info)| now < info.last_seen + TIMEOUT.as_secs() && info.endpoint.is_some())
.map(|(_, info)| (info.gossip_ip, info.gossip_prio))
peer_vec.sort_by_key(|(_, prio)| *prio);
for (gossip_ip, _) in peer_vec.into_iter().take(GOSSIP_PEERS) {
let addr = SocketAddr::new(gossip_ip, daemon.config.gossip_port);
2023-03-09 13:29:31 +00:00
trace!("SEND {}\t{:?}", addr, gossip);
2023-03-09 09:42:11 +00:00
daemon.socket.send_to(&packet, addr)?;
fn handle_announce(
&mut self,
daemon: &Daemon,
pubkey: Pubkey,
mut endpoints: Vec<(SocketAddr, u64)>,
) -> Result<()> {
let propagate = {
match self.gossip.get_mut(&pubkey) {
Some(existing) => {
let mut has_new = false;
for (new_addr, new_t) in endpoints {
2023-03-09 12:12:47 +00:00
if existing
2023-03-09 09:42:11 +00:00
2023-03-09 12:12:47 +00:00
.all(|(addr, t)| *addr != new_addr || *t < new_t)
2023-03-09 09:42:11 +00:00
existing.retain(|(addr, _)| *addr != new_addr);
existing.push((new_addr, new_t));
has_new = true;
if has_new {
2023-03-09 12:12:47 +00:00
existing.sort_by_key(|(_, t)| -(*t as i64));
2023-03-09 09:42:11 +00:00
Some(Gossip::Announce {
endpoints: existing.clone(),
} else {
None => {
endpoints.sort_by_key(|(_, t)| -(*t as i64));
2023-03-09 09:42:11 +00:00
self.gossip.insert(pubkey.clone(), endpoints.clone());
Some(Gossip::Announce { pubkey, endpoints })
if let Some(propagate) = propagate {
2023-03-09 13:29:31 +00:00
debug!("Propagating announce: {:?}", propagate);
2023-03-09 09:42:11 +00:00
self.send_gossip(daemon, propagate)?;
2023-03-09 11:06:56 +00:00
fn read_wg_peers(&mut self, daemon: &Daemon) -> Result<()> {
let (_, _, wg_peers) = wg_dump(&daemon.config)?;
for (pk, endpoint, last_seen) in wg_peers {
match self.peers.get_mut(&pk) {
Some(i) => {
i.endpoint = endpoint;
i.last_seen = last_seen;
None => {
let gossip_ip = match daemon.config.peers.iter().find(|x| x.pubkey == pk) {
Some(x) => x.address,
None => continue,
let gossip_prio = fasthash(format!("{}-{}", daemon.our_pubkey, pk).as_bytes());
PeerInfo {
lan_endpoint: None,
2023-03-09 12:52:53 +00:00
fn setup_wg_peers(&mut self, daemon: &Daemon, i: usize) -> Result<()> {
2023-03-09 11:06:56 +00:00
let now = time();
2023-03-09 12:52:53 +00:00
for peer_cfg in daemon.config.peers.iter() {
2023-03-09 11:51:00 +00:00
// Skip ourself
2023-03-09 12:52:53 +00:00
if peer_cfg.pubkey == daemon.our_pubkey {
2023-03-09 11:51:00 +00:00
2023-03-09 12:52:53 +00:00
if let Some(peer) = self.peers.get_mut(&peer_cfg.pubkey) {
// remove LAN endpoint info if it is obsolete
if matches!(peer.lan_endpoint, Some((_, t)) if now > t + TIMEOUT.as_secs()) {
peer.lan_endpoint = None;
// make sure we aren't skipping this peer (see below) if we can switch to LAN
// endpoint instead of currently connected one
let bad_endpoint = match (&peer.lan_endpoint, &peer.endpoint) {
(Some((addr1, _)), Some(addr2)) => addr1 != addr2,
_ => false,
// if peer is connected and endpoint is the correct one,
// set higher keepalive and then skip reconfiguring it
if !bad_endpoint && now < peer.last_seen + TIMEOUT.as_secs() {
2023-03-09 11:06:56 +00:00
2023-03-09 11:51:00 +00:00
2023-03-09 12:52:53 +00:00
// For disconnected peers, cycle through the endpoint addresses that we know of
let lan_endpoint = self
.and_then(|peer| peer.lan_endpoint);
let endpoints = match lan_endpoint {
Some(endpoint) => vec![endpoint],
None => {
2023-03-09 12:52:53 +00:00
let mut endpoints = self
if let Some(endpoint) = &peer_cfg.endpoint {
match endpoint.to_socket_addrs() {
Err(e) => error!("Could not resolve DNS for {}: {}", endpoint, e),
Ok(iter) => {
for addr in iter {
endpoints.push((addr, 0));
2023-03-09 12:04:54 +00:00
2023-03-09 11:51:00 +00:00
2023-03-09 11:06:56 +00:00
2023-03-09 11:51:00 +00:00
2023-03-09 11:13:41 +00:00
if !endpoints.is_empty() {
2023-03-09 13:35:59 +00:00
let endpoint = endpoints[i % endpoints.len()].0;
if self.peers.get(&peer_cfg.pubkey).map(|x| x.endpoint == Some(endpoint)).unwrap_or(false) {
// Skip if we are already using that endpoint
info!("Configure {} with endpoint {}", peer_cfg.pubkey, endpoint);
2023-03-09 11:06:56 +00:00
2023-03-09 12:52:53 +00:00
2023-03-09 11:06:56 +00:00
2023-03-09 13:35:59 +00:00
2023-03-09 11:06:56 +00:00
2023-03-09 11:51:00 +00:00
2023-03-09 11:06:56 +00:00
2023-03-09 12:52:53 +00:00
&format!("{}/32", peer_cfg.address),
2023-03-09 11:06:56 +00:00
} else {
2023-03-09 12:52:53 +00:00
info!("Configure {} with no known endpoint", peer_cfg.pubkey);
2023-03-09 12:52:53 +00:00
2023-03-09 12:52:53 +00:00
&format!("{}/32", peer_cfg.address),
2023-03-09 11:06:56 +00:00
2023-03-09 11:06:56 +00:00
2023-03-09 09:42:11 +00:00