made IGD implementation compatible with IPv6 implementation, updated documentation for config structure changes

# Conflicts:
#	Cargo.lock
#	Cargo.toml
#	src/main.rs

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "wgautomesh"
-version = "0.1.0"
+version = "0.1.1"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
@@ -11,11 +11,12 @@ anyhow = "1.0"
 log = "0.4"
 pretty_env_logger = "0.5"
 
-serde = { version = "1.0", features = ["derive"] }
+serde = { version = "1.0.215", features = ["derive"] }
 bincode = "1.3"
 toml = { version = "0.8", default-features = false, features = ["parse"] }
 xsalsa20poly1305 = "0.9"
 blake3 = "1.5"
-
+pnet = "0.35.0"
-igd = { version = "0.12", default-features = false }
+rupnp = "2.0.0"
-get_if_addrs = "0.5"
+tokio = { version = "1.41.1", features = ["rt", "rt-multi-thread", "macros"] }
+futures = "0.3.31"

README.md

@@ -32,9 +32,6 @@ and closely mirror the structure of the configuration file described below.
 ### Sample configuration file
 
 ```toml
-# The Wireguard interface to control.
-interface = "wg0"
-
 # The port wgautomesh will use to communicate from node to node.  Wgautomesh
 # gossip communications occur inside the wireguard mesh network.
 gossip_port = 1666
@@ -42,10 +39,6 @@ gossip_port = 1666
 # Enable discovery of other wgautomesh nodes on the same LAN using UDP broadcast.
 lan_discovery = true
 
-# Enables UPnP/IGD forwarding of an external port to the Wireguard listening port
-# on this node, for compatible routers/gateways.
-upnp_forward_external_port = 33723
-
 # The path to a file that contains the encryption secret wgautomesh uses to
 # communicate.  This secret can be any arbitrary utf-8 string.  The following
 # command can be used to generate a new secret:
@@ -58,27 +51,51 @@ gossip_secret_file = "/var/lib/wgautomesh/gossip_secret"
 # `[[peers]]` section when trying to establish connectivity.
 persist_file = "/var/lib/wgautomesh/state"
 
-[[peers]]
+# Configuration for a wireguard interface
-pubkey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk="
+[[interfaces]]
-address = "10.14.1.2"
+# Interface name
-endpoint = "77.207.15.215:33722"
+name = "wg0"
+# Enables UPnP/IGD forwarding of an external port to the Wireguard listening port
+# on this interface, for compatible routers/gateways.
+# For IPv6 only interfaces, just assign any port here to enable IGD since the Wireguard
+# interfaces listen port will always be pinholed instead.
+upnp_forward_external_port = 51820
 
 [[peers]]
+# The Wireguard interface to use to connect with this peer.
+interface = "wg0"
+# Pubkey of the other peer
+pubkey = "7Nm7pMmyS7Nts1MB+loyD8u84ODxHPTkDu+uqQR6yDk="
+# Mesh-internal wireguard address
+address = "10.14.1.2"
+# (Optional) endpoint address of this peer
+endpoint = "77.207.15.215"
+# (Optional) endpoint port
+port = 33722
+
+[[peers]]
+interface = "wg0"
 pubkey = "lABn/axzD1jkFulX8c+K3B3CbKXORlIMDDoe8sQVxhs="
 address = "10.14.1.3"
-endpoint = "77.207.15.215:33723"
+endpoint = "77.207.15.215"
+port = 33723
 
 [[peers]]
+interface = "wg0"
 pubkey = "XLOYoMXF+PO4jcgfSVAk+thh4VmWx0wzWnb0xs08G1s="
 address = "10.14.4.1"
-endpoint = "bitfrost.fiber.shirokumo.net:33734"
+endpoint = "bitfrost.fiber.shirokumo.net"
+port = 33734
 
 [[peers]]
+interface = "wg0"
 pubkey = "smBQYUS60JDkNoqkTT7TgbpqFiM43005fcrT6472llI="
 address = "10.14.2.33"
-endpoint = "82.64.238.84:33733"
+endpoint = "82.64.238.84"
+port = 33733
 
 [[peers]]
+interface = "wg0"
 pubkey = "m9rLf+233X1VColmeVrM/xfDGro5W6Gk5N0zqcf32WY="
 address = "10.14.3.1"
 ```

config.toml

@@ -1,2 +1,3 @@
-interface = "route48"
 gossip_port = 1134
+[[interfaces]]
+name = "wg0"

rust-toolchain.toml

@@ -0,0 +1,2 @@
+[toolchain]
+channel = "nightly"

src/igd.rs

@@ -0,0 +1,219 @@
+use std::collections::HashMap;
+use log::*;
+use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
+use futures::stream::{StreamExt};
+use rupnp::{Device, Service};
+use rupnp::ssdp::{SearchTarget, URN};
+use std::str::FromStr;
+use std::time::Duration;
+use anyhow::{anyhow, bail, Context, Result, Error};
+const IGD_LEASE_DURATION: Duration = Duration::from_secs(300);
+const WAN_IPV6_FIREWALL_CONTROL: URN = URN::service("schemas-upnp-org", "WANIPv6FirewallControl", 1);
+const WAN_IP_CONNECTION: URN = URN::service("schemas-upnp-org", "WANIPConnection", 1);
+pub async fn igd_loop_iter(portmap_v4:HashMap<u16,u16>,portmap_v6: Vec<u16>) -> Result<()> {
+    let lease_duration: u64 = IGD_LEASE_DURATION.as_secs();
+    //find gateway compatible with publishing the port for required IP version
+    let gateway = find_gateway(portmap_v6.len() >0).await?;
+    let gateway_ip: IpAddr = IpAddr::from_str(gateway.url().host().unwrap())?;
+
+    //find corresponding interface local IP to forward in gateway
+    let (local_ipv4, local_ipv6) = select_local_ip_for_gateway(gateway_ip)?;
+
+    debug!(
+        "Found gateway: {:?} at IP {}, making announce",
+        gateway.friendly_name(),
+        gateway.url().host().unwrap()
+    );
+    if local_ipv6.is_some() {
+        for listen_port in &portmap_v6 {
+            create_ipv6_firewall_pinhole(
+                &gateway,
+                &IpAddr::V6(local_ipv6.unwrap()),
+                listen_port,
+                &lease_duration,
+            )
+                .await?
+        }
+    }
+    if local_ipv4.is_some() {
+        for (listen_port, external_port) in &portmap_v4 {
+            create_ipv4_port_mapping(
+                &gateway,
+                &IpAddr::V4(local_ipv4.unwrap()),
+                listen_port,
+                external_port,
+                &lease_duration,
+            )
+                .await?
+        }
+    }
+    Ok(())
+
+}
+/// Create a port mapping to forward a given Port for a given internal IPv4
+async fn create_ipv4_port_mapping(
+    gateway: &Device,
+    internal_ip: &IpAddr,
+    listen_port: &u16,
+    external_port: &u16,
+    lease_duration: &u64,
+) -> Result<()> {
+    let wan_ip_con_service = gateway
+        .find_service(&WAN_IP_CONNECTION)
+        .expect("Gateway passed doesn't offer the required service to create IPv4 port mapping");
+    let arguments = format!(
+        "<NewRemoteHost/>
+<NewExternalPort>{external_port}</NewExternalPort>
+<NewProtocol>UDP</NewProtocol>
+<NewInternalPort>{listen_port}</NewInternalPort>
+<NewInternalClient>{internal_ip}</NewInternalClient>
+<NewEnabled>1</NewEnabled>
+<NewPortMappingDescription>Wireguard via wgautomesh</NewPortMappingDescription>
+<NewLeaseDuration>{lease_duration}</NewLeaseDuration>"
+    );
+    debug!(
+        "Adding port mapping for internal IP {} on internal port {}, external port {}",
+        internal_ip, listen_port, external_port,
+    );
+    let result = wan_ip_con_service
+        .action(gateway.url(), "AddPortMapping", &arguments)
+        .await;
+    if result.is_ok() {
+        Ok(())
+    } else {
+        bail!(
+            "Error trying to add IPv4 port mapping: {}.\
+            Note: Have you checked whether your router allows this device to create (IPv4) port mappings?",
+            result.err().unwrap()
+        );
+    }
+}
+/// Create a pinhole for a given IPv6 address on a given port
+async fn create_ipv6_firewall_pinhole(gateway: &Device,
+                                      ip: &IpAddr,
+                                      listen_port: &u16,
+                                      lease_duration: &u64,
+) -> Result<()> {
+    let wan_ip6_fw_con = gateway
+        .find_service(&WAN_IPV6_FIREWALL_CONTROL)
+        .expect("Gateway passed doesn't offer the required service to create IPv6 pinholes");
+    let (firewall_enabled, can_create_inbound_pinhole) =
+        get_firewall_status(&gateway, &wan_ip6_fw_con).await;
+    if !firewall_enabled {
+        debug!("Gateway firewall is not enabled, incoming connections should be allowed as-is on all ports");
+        return Ok(());
+    } else if !can_create_inbound_pinhole {
+        bail!("Gateway said creating inbound IPv6 pinholes isn't allowed")
+    }
+    let arguments = format!(
+        "<RemoteHost/>
+<RemotePort/>
+<Protocol>17</Protocol>
+<InternalPort>{listen_port}</InternalPort>
+<InternalClient>{ip}</InternalClient>
+<LeaseTime>{lease_duration}</LeaseTime>"
+    );
+    debug!(
+        "Opening firewall pinhole for IP {} on port {}",
+        ip, listen_port,
+    );
+    let result = wan_ip6_fw_con
+        .action(gateway.url(), "AddPinhole", &arguments)
+        .await;
+    if result.is_ok() {
+        Ok(())
+    } else {
+        bail!(
+            "Error trying to open IPv6 pinhole: {}\
+            Note: Have you checked whether your router allows this device to create (IPv6) pinholes?",
+            result.err().unwrap()
+        );
+    }
+}
+/// Asks the Gateway for the IPv6 Firewall status (whether the firewall is enabled AND whether devices in this network are allowed to create IPv6 pinholes per policy).
+/// Note: This only works on IGDv2 supporting firewalls (-> any firewall that can do IPv6)
+async fn get_firewall_status(gateway: &Device, igd_service: &Service) -> (bool, bool) {
+    let firewall_status_response = igd_service
+        .action(gateway.url(), "GetFirewallStatus", "")
+        .await
+        .unwrap();
+    let firewall_enabled: bool =
+        (u32::from_str(firewall_status_response.get("FirewallEnabled").unwrap()).unwrap()) != 0;
+    let can_create_inbound_pinhole: bool = u32::from_str(
+        firewall_status_response
+            .get("InboundPinholeAllowed")
+            .unwrap(),
+    )
+        .unwrap()
+        != 0;
+    (firewall_enabled, can_create_inbound_pinhole)
+}
+/// Find a Gateway compatible with either IPv4 (supports WANIPConnection) or IPv6 (supports WANIPv6FirewallControl)
+async fn find_gateway(ipv6_required: bool) -> Result<Device, Error> {
+    let search_urn: URN = if ipv6_required {
+        WAN_IPV6_FIREWALL_CONTROL
+    } else {
+        WAN_IP_CONNECTION
+    };
+
+    let discovered_devices = rupnp::discover(
+        &SearchTarget::URN(search_urn.clone()),
+        Duration::from_secs(3),
+    )
+        .await?
+        .filter_map(|result| async {
+            match result {
+                Ok(device) => Some(device),
+                Err(_) => None,
+            }
+        });
+    futures::pin_mut!(discovered_devices);
+    discovered_devices.next().await.ok_or_else(||anyhow!("Couldn't find any gateways supporting {}. Is port 1900 open for incoming connections from local networks?", search_urn.typ()))
+}
+/// Returns a list of IPs assigned to interfaces that are in the same subnet as a given IP
+fn interface_ips_in_same_subnet_as(ip_to_match: IpAddr) -> Result<Vec<IpAddr>, Error> {
+    let interfaces = pnet::datalink::interfaces();
+    let ipnets = interfaces
+        .iter()
+        .filter_map(|interface| {
+            if interface
+                .ips
+                .iter()
+                .any(|ipnetwork| ipnetwork.contains(ip_to_match))
+            {
+                Some(interface.ips.clone())
+            } else {
+                None
+            }
+        })
+        .next()
+        .context("Couldn't find any local IPs within the same network as given IP")?;
+    let ips = ipnets.iter().map(|ip| ip.ip()).collect();
+    Ok(ips)
+}
+/// Selects the local IP we tell the Gateway to port forward to (/pinhole) later on
+/// Note: As soon as this[https://github.com/jakobhellermann/ssdp-client/issues/11] is fixed and the dependency is upgraded in rupnp, we can simplify it
+fn select_local_ip_for_gateway(gateway: IpAddr) -> Result<(Option<Ipv4Addr>,Option<Ipv6Addr>), Error> {
+    //get IPs in same subnet as Gateway
+    let ips = interface_ips_in_same_subnet_as(gateway)?;
+    //removes IPv6 that are not globally routable as pinholing those would be pointless
+    let v6_cleaned_up = ips
+        .iter()
+        .filter(|ip| ip.is_ipv4() || (ip.is_global() && ip.is_ipv6()));
+    //get the first IPv4 and IPv6 found
+    let mut first_ipv4 :Option<Ipv4Addr> = None;
+    let mut first_ipv6 :Option<Ipv6Addr> = None;
+    for ip in v6_cleaned_up {
+        match ip {
+            IpAddr::V4(ipv4) => { if first_ipv4.is_none() { first_ipv4 = Some(ipv4.clone()); } }
+            IpAddr::V6(ipv6) => { if first_ipv6.is_none() { first_ipv6 = Some(ipv6.clone()); } }
+        }
+        if first_ipv4.is_some() && first_ipv6.is_some() {
+            break;
+        }
+    }
+    if first_ipv4.is_none() && first_ipv6.is_none() {
+        bail!("Couldn't find any IP address")
+    }
+    Ok((first_ipv4, first_ipv6))
+}

src/main.rs

@@ -1,5 +1,8 @@
-use std::collections::HashMap;
+#![feature(ip)]
-use std::net::{IpAddr, SocketAddr, SocketAddrV4, ToSocketAddrs, UdpSocket};
+mod igd;
+use igd::*;
+use std::collections::{HashMap, HashSet};
+use std::net::{IpAddr, SocketAddr, ToSocketAddrs, UdpSocket};
 use std::process::Command;
 use std::sync::Mutex;
 use std::thread;
@@ -26,14 +29,10 @@ const PERSIST_INTERVAL: Duration = Duration::from_secs(600);
 const LAN_BROADCAST_INTERVAL: Duration = Duration::from_secs(60);
 
 const IGD_INTERVAL: Duration = Duration::from_secs(60);
-const IGD_LEASE_DURATION: Duration = Duration::from_secs(300);
-
 type Pubkey = String;
 
 #[derive(Deserialize)]
 struct Config {
-    /// The Wireguard interface name
-    interface: Pubkey,
     /// The port to use for gossip inside the Wireguard mesh (must be the same on all nodes)
     gossip_port: u16,
     /// The secret to use to authenticate nodes between them
@@ -46,23 +45,36 @@ struct Config {
     #[serde(default)]
     lan_discovery: bool,
 
-    /// Forward an external port to Wiregard using UPnP IGD
-    upnp_forward_external_port: Option<u16>,
-
     /// The list of peers we try to connect to
     #[serde(default)]
     peers: Vec<Peer>,
+
+    /// Settings for the Wireguard interfaces (currently only necessary if you want to use igd features)
+    #[serde(default)]
+    interfaces: Vec<InterfaceSetting>,
 }
 
 #[derive(Deserialize)]
 struct Peer {
     /// The peer's Wireguard public key
     pubkey: Pubkey,
-    /// The peer's Wireguard address
+    /// The destination used for gossip packets
     address: IpAddr,
-    /// An optionnal Wireguard endpoint used to initialize a connection to this peer
+    /// The Wireguard interface name used to communicate with this peer
+    interface: String,
+    /// The endpoint port
+    port: Option<u16>,
+    /// An optional Wireguard endpoint used to initialize a connection to this peer
     endpoint: Option<String>,
 }
+/// Settings for Wireguard interfaces
+#[derive(Deserialize)]
+struct InterfaceSetting {
+    /// The Wireguard interface name
+    name: String,
+    /// Forward an external port to Wiregard using UPnP IGD.
+    upnp_forward_external_port: Option<u16>,
+}
 
 fn main() -> Result<()> {
     pretty_env_logger::init();
@@ -115,9 +127,15 @@ fn kdf(secret: &str) -> xsalsa20poly1305::Key {
     hash.as_bytes().clone().into()
 }
 
-fn wg_dump(config: &Config) -> Result<(Pubkey, u16, Vec<(Pubkey, Option<SocketAddr>, u64)>)> {
+struct IfInfo {
+    our_pubkey: Pubkey,
+    listen_port: u16,
+    peers: Vec<(Pubkey, Option<SocketAddr>, u64)>,
+}
+
+fn wg_dump(interface: &str) -> Result<IfInfo> {
     let output = Command::new("wg")
-        .args(["show", &config.interface, "dump"])
+        .args(["show", interface, "dump"])
         .output()?;
     let mut lines = std::str::from_utf8(&output.stdout)?.split('\n');
 
@@ -125,7 +143,7 @@ fn wg_dump(config: &Config) -> Result<(Pubkey, u16, Vec<(Pubkey, Option<SocketAd
     if ourself.len() < 3 {
         bail!(
             "Unable to fetch wireguard status for interface {}",
-            config.interface
+            interface
         );
     }
     let our_pubkey = ourself[1].to_string();
@@ -146,7 +164,7 @@ fn wg_dump(config: &Config) -> Result<(Pubkey, u16, Vec<(Pubkey, Option<SocketAd
         })
         .collect::<Vec<_>>();
 
-    Ok((our_pubkey, listen_port, peers))
+    Ok(IfInfo { our_pubkey, listen_port, peers })
 }
 
 // ============ DAEMON CODE =================
@@ -154,10 +172,9 @@ fn wg_dump(config: &Config) -> Result<(Pubkey, u16, Vec<(Pubkey, Option<SocketAd
 struct Daemon {
     config: Config,
     gossip_key: xsalsa20poly1305::Key,
-    our_pubkey: Pubkey,
-    listen_port: u16,
     socket: UdpSocket,
     state: Mutex<State>,
+    our_pubkey: Pubkey,
 }
 
 struct PeerInfo {
@@ -165,10 +182,10 @@ struct PeerInfo {
     gossip_ip: IpAddr,
     gossip_prio: u64,
     // Info retrieved from wireguard
-    endpoint: Option<SocketAddr>,
+    endpoint: Option<IpAddr>,
     last_seen: u64,
     // Info received by LAN broadcast
-    lan_endpoint: Option<(SocketAddr, u64)>,
+    lan_endpoint: Option<(IpAddr, u64)>,
 }
 
 #[derive(Serialize, Deserialize, Debug)]
@@ -177,12 +194,11 @@ enum Gossip {
     Pong,
     Announce {
         pubkey: Pubkey,
-        endpoints: Vec<(SocketAddr, u64)>,
+        endpoints: Vec<(IpAddr, u64)>,
     },
     Request,
     LanBroadcast {
         pubkey: Pubkey,
-        listen_port: u16,
     },
 }
 
@@ -190,18 +206,35 @@ impl Daemon {
     fn new(config: Config) -> Result<Self> {
         let gossip_key = kdf(config.gossip_secret.as_deref().unwrap_or_default());
 
-        let (our_pubkey, listen_port, _peers) = wg_dump(&config)?;
+        let interface_names = config.peers.iter().map(|peer| peer.interface.clone()).collect::<HashSet<_>>();
-        let socket = UdpSocket::bind(SocketAddr::new("0.0.0.0".parse()?, config.gossip_port))?;
+        let interfaces = interface_names.into_iter().map(|interface_name| wg_dump(&interface_name).map(|ifinfo| (interface_name, ifinfo))).collect::<Result<HashMap<_, _>>>()?;
+        let socket = UdpSocket::bind(SocketAddr::new("::".parse()?, config.gossip_port))?;
         socket.set_broadcast(true)?;
+        socket.set_ttl(1)?;
+
+        let our_pubkey = interfaces.iter().next().unwrap().1.our_pubkey.clone();
+
+        let peers = config.peers.iter().map(|peer_cfg| {
+            (
+                peer_cfg.pubkey.clone(),
+                PeerInfo {
+                    gossip_ip: peer_cfg.address,
+                    gossip_prio: fasthash(format!("{}-{}", our_pubkey, peer_cfg.pubkey).as_bytes()),
+                    endpoint: None,  // Is resolved as DNS name later
+                    last_seen: u64::MAX,
+                    lan_endpoint: None,
+                }
+            )
+        }).collect();
 
         Ok(Daemon {
             config,
             gossip_key,
-            our_pubkey,
-            listen_port,
             socket,
+            our_pubkey,
             state: Mutex::new(State {
-                peers: HashMap::new(),
+                interfaces,
+                peers,
                 gossip: HashMap::new(),
             }),
         })
@@ -236,7 +269,7 @@ impl Daemon {
 
     fn initialize(&self) -> Result<()> {
         let mut state = self.state.lock().unwrap();
-        state.read_wg_peers(self)?;
+        state.read_wg_peers()?;
         state.setup_wg_peers(self, 0)?;
         Ok(())
     }
@@ -259,7 +292,7 @@ impl Daemon {
                 error!("Wireguard configuration loop error: {}", e);
             }
             i = i + 1;
-            std::thread::sleep(TRY_INTERVAL);
+            thread::sleep(TRY_INTERVAL);
         }
     }
 
@@ -267,7 +300,7 @@ impl Daemon {
         let mut state = self.state.lock().unwrap();
 
         // 1. Update local peers info of peers
-        state.read_wg_peers(self)?;
+        state.read_wg_peers()?;
 
         // 2. Send gossip for peers where there is a big update
         let announces = state
@@ -299,7 +332,7 @@ impl Daemon {
         loop {
             if let Err(e) = self.recv_loop_iter() {
                 error!("Receive loop error: {}", e);
-                std::thread::sleep(Duration::from_secs(10));
+                thread::sleep(Duration::from_secs(10));
             }
         }
     }
@@ -322,12 +355,10 @@ impl Daemon {
             }
             Gossip::LanBroadcast {
                 pubkey,
-                listen_port,
             } => {
                 if self.config.lan_discovery {
                     if let Some(peer) = state.peers.get_mut(&pubkey) {
-                        let addr = SocketAddr::new(from.ip(), listen_port);
+                        peer.lan_endpoint = Some((from.ip(), time()));
-                        peer.lan_endpoint = Some((addr, time()));
                     }
                 }
             }
@@ -369,7 +400,7 @@ impl Daemon {
                 if let Err(e) = self.persist_state(file) {
                     error!("Could not write persistent state to disk: {}", e);
                 }
-                std::thread::sleep(PERSIST_INTERVAL);
+                thread::sleep(PERSIST_INTERVAL);
             }
         }
     }
@@ -386,7 +417,7 @@ impl Daemon {
                 if let Err(e) = self.lan_broadcast_iter() {
                     error!("LAN broadcast loop error: {}", e);
                 }
-                std::thread::sleep(LAN_BROADCAST_INTERVAL);
+                thread::sleep(LAN_BROADCAST_INTERVAL);
             }
         }
     }
@@ -394,59 +425,76 @@ impl Daemon {
     fn lan_broadcast_iter(&self) -> Result<()> {
         let packet = self.make_packet(&Gossip::LanBroadcast {
             pubkey: self.our_pubkey.clone(),
-            listen_port: self.listen_port,
         })?;
-        let addr = SocketAddr::new("255.255.255.255".parse().unwrap(), self.config.gossip_port);
+        let broadcast_addr = SocketAddr::new("255.255.255.255".parse()?, self.config.gossip_port);
-        self.socket.send_to(&packet, addr)?;
+        let broadcast_addrv6 = SocketAddr::new("ff05::1".parse()?, self.config.gossip_port);
+        self.socket.send_to(&packet, broadcast_addr)?;
+        self.socket.send_to(&packet, broadcast_addrv6)?;
         Ok(())
     }
 
     fn igd_loop(&self) {
-        if let Some(external_port) = self.config.upnp_forward_external_port {
+        if self.config.interfaces.iter().any(|interface| interface.upnp_forward_external_port.is_some()) {
+            let rt = tokio::runtime::Runtime::new().expect("Failed to create Tokio runtime");
+            rt.block_on(async {
                 loop {
-                if let Err(e) = self.igd_loop_iter(external_port) {
+                    let (portmap_v4, portmap_v6) = self.generate_portmaps();
+                    if !portmap_v4.is_empty() || !portmap_v6.is_empty() {
+                        if let Err(e) = igd_loop_iter(portmap_v4, portmap_v6).await {
                             error!("IGD loop error: {}", e);
                         }
-                std::thread::sleep(IGD_INTERVAL);
+                    }
-            }
+                    tokio::time::sleep(IGD_INTERVAL).await;
+                }
+            });
         }
     }
+    fn generate_portmaps(&self) -> (HashMap<u16,u16>, Vec<u16>) {
+        let mut portmap_v4: HashMap<u16, u16> = HashMap::new();
+        let mut v6_internal_ports: Vec<u16> = Vec::new();
 
-    fn igd_loop_iter(&self, external_port: u16) -> Result<()> {
+        //collect interfaces that have peers with IPv4 addresses (-> IPv4 port mappings need to exist)
-        let gateway = igd::search_gateway(Default::default())?;
+        let binding = self.state.lock().unwrap();
-
+        let interfaces = binding.interfaces.iter().clone();
-        let gwa = gateway.addr.ip().octets();
+        let v4ifs: Vec<_> = interfaces.clone()
-        let cmplen = match gwa {
+            .filter(|(ifname, ifinfo)| {
-            [192, 168, _, _] => 3,
+                ifinfo.listen_port!=0
-            [10, _, _, _] => 2,
+                && self.config
-            _ => bail!(
+                    .peers
-                "Gateway IP does not appear to be in a local network ({})",
+                    .iter()
-                gateway.addr.ip()
+                    .any(|peer| peer.interface == **ifname && peer.address.is_ipv4())
-            ),
-        };
-        let private_ip = get_if_addrs::get_if_addrs()?
-            .into_iter()
-            .map(|i| i.addr.ip())
-            .filter_map(|a| match a {
-                std::net::IpAddr::V4(a4) if a4.octets()[..cmplen] == gwa[..cmplen] => Some(a4),
-                _ => None,
             })
-            .next()
+            .collect();
-            .ok_or(anyhow!("No interface has an IP on same subnet as gateway"))?;
-        debug!(
-            "IGD: gateway is {}, private IP is {}, making announce",
-            gateway.addr, private_ip
-        );
 
-        gateway.add_port(
+        //collect interfaces that have peers with IPv6 addresses (-> pinholes for the IPv6 listen ports should be created)
-            igd::PortMappingProtocol::UDP,
+        let v6ifs: Vec<_> = interfaces
-            external_port,
+            .filter(|(ifname, ifinfo)| {
-            SocketAddrV4::new(private_ip, self.listen_port),
+                ifinfo.listen_port!=0
-            IGD_LEASE_DURATION.as_secs() as u32,
+                && self.config
-            "Wireguard via wgautomesh",
+                    .peers
-        )?;
+                    .iter()
+                    .any(|peer| peer.interface == **ifname && peer.address.is_ipv6())
+            })
+            .collect();
+
+        for ifsetting in &self.config.interfaces {
+            if let Some(external_port) = ifsetting.upnp_forward_external_port {
+                if let Some((_ifname, ifinfo)) = v4ifs
+                    .iter()
+                    .find(|(ifname, _)| **ifname == ifsetting.name)
+                {
+                    portmap_v4.insert(ifinfo.listen_port, external_port);
+                }
+                if let Some((_ifname, ifinfo)) = v6ifs
+                    .iter()
+                    .find(|(ifname, _)| **ifname == ifsetting.name)
+                {
+                    v6_internal_ports.push(ifinfo.listen_port);
+                }
+            }
+        }
+        (portmap_v4, v6_internal_ports)
 
-        Ok(())
     }
 
     fn make_packet(&self, gossip: &Gossip) -> Result<Vec<u8>> {
@@ -469,7 +517,8 @@ impl Daemon {
 
 struct State {
     peers: HashMap<Pubkey, PeerInfo>,
-    gossip: HashMap<Pubkey, Vec<(SocketAddr, u64)>>,
+    gossip: HashMap<Pubkey, Vec<(IpAddr, u64)>>,
+    interfaces: HashMap<String, IfInfo>,
 }
 
 impl State {
@@ -481,7 +530,7 @@ impl State {
         let mut peer_vec = self
             .peers
             .iter()
-            .filter(|(_, info)| now < info.last_seen + TIMEOUT.as_secs() && info.endpoint.is_some())
+            .filter(|(_, info)| info.last_seen != u64::MAX && now < info.last_seen + TIMEOUT.as_secs() && info.endpoint.is_some())
             .map(|(_, info)| (info.gossip_ip, info.gossip_prio))
             .collect::<Vec<_>>();
         peer_vec.sort_by_key(|(_, prio)| *prio);
@@ -499,7 +548,7 @@ impl State {
         &mut self,
         daemon: &Daemon,
         pubkey: Pubkey,
-        mut endpoints: Vec<(SocketAddr, u64)>,
+        mut endpoints: Vec<(IpAddr, u64)>,
     ) -> Result<()> {
         let propagate = {
             match self.gossip.get_mut(&pubkey) {
@@ -541,36 +590,21 @@ impl State {
         Ok(())
     }
 
-    fn read_wg_peers(&mut self, daemon: &Daemon) -> Result<()> {
+    fn read_wg_peers(&mut self) -> Result<()> {
-        let (_, _, wg_peers) = wg_dump(&daemon.config)?;
 
         // Clear old known endpoints if any
         for (_, peer) in self.peers.iter_mut() {
             peer.endpoint = None;
         }
 
-        for (pk, endpoint, last_seen) in wg_peers {
+        for (ifname, ifinfo) in &mut self.interfaces {
-            match self.peers.get_mut(&pk) {
+            *ifinfo = wg_dump(&ifname)?;
-                Some(i) => {
+            for (pk, endpoint, last_seen) in &mut ifinfo.peers {
-                    i.endpoint = endpoint;
+                if let Some(i) = self.peers.get_mut(&*pk) {
-                    i.last_seen = last_seen;
+                    i.endpoint = endpoint.as_ref().map(SocketAddr::ip);
-                }
+                    i.last_seen = *last_seen;
-                None => {
+                } else {
-                    let gossip_ip = match daemon.config.peers.iter().find(|x| x.pubkey == pk) {
+                    warn!("unknown peer: {}", pk);
-                        Some(x) => x.address,
-                        None => continue,
-                    };
-                    let gossip_prio = fasthash(format!("{}-{}", daemon.our_pubkey, pk).as_bytes());
-                    self.peers.insert(
-                        pk,
-                        PeerInfo {
-                            endpoint,
-                            lan_endpoint: None,
-                            gossip_prio,
-                            gossip_ip,
-                            last_seen,
-                        },
-                    );
                 }
             }
         }
@@ -601,11 +635,11 @@ impl State {
 
                 // if peer is connected and endpoint is the correct one,
                 // set higher keepalive and then skip reconfiguring it
-                if !bad_endpoint && now < peer.last_seen + TIMEOUT.as_secs() {
+                if !bad_endpoint && peer.last_seen != u64::MAX && now < peer.last_seen + TIMEOUT.as_secs() {
                     Command::new("wg")
                         .args([
                             "set",
-                            &daemon.config.interface,
+                            &peer_cfg.interface,
                             "peer",
                             &peer_cfg.pubkey,
                             "persistent-keepalive",
@@ -631,11 +665,11 @@ impl State {
                         .cloned()
                         .unwrap_or_default();
                     if let Some(endpoint) = &peer_cfg.endpoint {
-                        match endpoint.to_socket_addrs() {
+                        match format!("{}:0", endpoint).to_socket_addrs() {
                             Err(e) => error!("Could not resolve DNS for {}: {}", endpoint, e),
                             Ok(iter) => {
                                 for addr in iter {
-                                    endpoints.push((addr, 0));
+                                    endpoints.push((addr.ip(), 0));
                                 }
                             }
                         }
@@ -657,20 +691,20 @@ impl State {
                     // Skip if we are already using that endpoint
                     continue;
                 }
-
+                if let Some(port) = peer_cfg.port {
                     info!("Configure {} with endpoint {}", peer_cfg.pubkey, endpoint);
                     Command::new("wg")
                         .args([
                             "set",
-                        &daemon.config.interface,
+                            &peer_cfg.interface,
                             "peer",
                             &peer_cfg.pubkey,
                             "endpoint",
-                        &endpoint.to_string(),
+                            &SocketAddr::new(endpoint, port).to_string(),
                             "persistent-keepalive",
                             "10",
                             "allowed-ips",
-                        &format!("{}/32", peer_cfg.address),
+                            "::/0,0.0.0.0/0"
                         ])
                         .output()?;
                     let packet = daemon.make_packet(&Gossip::Ping)?;
@@ -678,16 +712,17 @@ impl State {
                         &packet,
                         SocketAddr::new(peer_cfg.address, daemon.config.gossip_port),
                     )?;
+                }
             } else {
                 info!("Configure {} with no known endpoint", peer_cfg.pubkey);
                 Command::new("wg")
                     .args([
                         "set",
-                        &daemon.config.interface,
+                        &peer_cfg.interface,
                         "peer",
                         &peer_cfg.pubkey,
                         "allowed-ips",
-                        &format!("{}/32", peer_cfg.address),
+                        "::/0,0.0.0.0/0"
                     ])
                     .output()?;
             }