Go Implementation of WireGuard

Overview

This is an implementation of WireGuard in Go.

Usage

Most Linux kernel WireGuard users are used to adding an interface with ip link add wg0 type wireguard. With wireguard-go, instead simply run:

$ wireguard-go wg0

This will create an interface and fork into the background. To remove the interface, use the usual ip link del wg0, or if your system does not support removing interfaces directly, you may instead remove the control socket via rm -f /var/run/wireguard/wg0.sock, which will result in wireguard-go shutting down.

To run wireguard-go without forking to the background, pass -f or --foreground:

$ wireguard-go -f wg0

When an interface is running, you may use wg(8) to configure it, as well as the usual ip(8) and ifconfig(8) commands.

To run with more logging you may set the environment variable LOG_LEVEL=debug.
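
The wg(8) configuration described above reaches the interface through the control socket that wireguard-go creates (/var/run/wireguard/wg0.sock on Linux), using the cross-platform UAPI: key=value lines, a blank line to end a request, and a reply that ends with an errno line. The program below is an added example and not part of wireguard-go or wg(8); it builds a set request that replaces the peer list and parses a get reply, rejecting keys that are not 32 bytes of hex, peer attributes that appear before any public_key, a non-zero errno, and a reply with no errno at all. The keys and the reply are constructed sample values, and the example models only private_key, listen_port, replace_peers, public_key, endpoint, allowed_ip and errno; other keys in a reply are skipped.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Peer and Config hold the subset of the UAPI this example models. Keys are
// 32-byte values written as 64 hex characters (wg(8) shows base64 and converts).
type Peer struct {
	PublicKey  string
	Endpoint   string   // host:port, empty if not yet known
	AllowedIPs []string // CIDR strings
}

type Config struct {
	PrivateKey string
	ListenPort int
	Peers      []Peer
}

// checkKey rejects anything that is not exactly 32 bytes of hex; a bad key
// line would otherwise only surface as a non-zero errno from the device.
func checkKey(k string) error {
	b, err := hex.DecodeString(k)
	if err != nil || len(b) != 32 {
		return fmt.Errorf("key %q is not 32 bytes of hex", k)
	}
	return nil
}

// BuildSetRequest renders a set operation that replaces the whole peer list.
func BuildSetRequest(c Config) (string, error) {
	if err := checkKey(c.PrivateKey); err != nil {
		return "", err
	}
	var b strings.Builder
	fmt.Fprintf(&b, "set=1\nprivate_key=%s\nlisten_port=%d\nreplace_peers=true\n", c.PrivateKey, c.ListenPort)
	for _, p := range c.Peers {
		if err := checkKey(p.PublicKey); err != nil {
			return "", err
		}
		fmt.Fprintf(&b, "public_key=%s\n", p.PublicKey)
		if p.Endpoint != "" {
			fmt.Fprintf(&b, "endpoint=%s\n", p.Endpoint)
		}
		for _, ip := range p.AllowedIPs {
			fmt.Fprintf(&b, "allowed_ip=%s\n", ip)
		}
	}
	b.WriteString("\n") // the blank line terminates the request
	return b.String(), nil
}

// ParseGetResponse reads the reply to "get=1\n\n". Lines before the first
// public_key describe the interface; each public_key starts a new peer.
// Keys not modelled here (fwmark, preshared_key, tx_bytes, ...) are skipped.
func ParseGetResponse(resp string) (Config, error) {
	var c Config
	var cur *Peer
	errnoSeen := false
	for _, line := range strings.Split(resp, "\n") {
		kv := strings.SplitN(line, "=", 2)
		if line == "" {
			continue
		} else if len(kv) != 2 {
			return c, fmt.Errorf("malformed line %q", line)
		}
		switch k, v := kv[0], kv[1]; k {
		case "private_key":
			c.PrivateKey = v
		case "listen_port":
			c.ListenPort, _ = strconv.Atoi(v)
		case "public_key":
			c.Peers = append(c.Peers, Peer{PublicKey: v})
			cur = &c.Peers[len(c.Peers)-1]
		case "endpoint", "allowed_ip":
			if cur == nil {
				return c, fmt.Errorf("%s line before any public_key", k)
			} else if k == "endpoint" {
				cur.Endpoint = v
			} else {
				cur.AllowedIPs = append(cur.AllowedIPs, v)
			}
		case "errno":
			errnoSeen = true
			if v != "0" {
				return c, fmt.Errorf("device reported errno=%s", v)
			}
		}
	}
	if !errnoSeen {
		return c, fmt.Errorf("reply ended without an errno line")
	}
	return c, nil
}

// Constructed sample values: not real keys and not a captured reply.
var (
	SamplePrivKey     = strings.Repeat("11", 32)
	SamplePeerKey     = strings.Repeat("22", 32)
	SampleGetResponse = "private_key=" + SamplePrivKey + "\nlisten_port=51820\n" +
		"public_key=" + SamplePeerKey + "\nendpoint=203.0.113.5:51820\n" +
		"allowed_ip=10.0.0.2/32\nallowed_ip=fd00::2/128\nrx_bytes=4096\n" +
		"protocol_version=1\nerrno=0\n\n"
)

func main() {
	req, err := BuildSetRequest(Config{PrivateKey: SamplePrivKey, ListenPort: 51820,
		Peers: []Peer{{PublicKey: SamplePeerKey, Endpoint: "203.0.113.5:51820", AllowedIPs: []string{"10.0.0.2/32"}}}})
	if err != nil {
		panic(err)
	}
	fmt.Print(req) // what a client writes to the socket for this config
	cfg, err := ParseGetResponse(SampleGetResponse)
	fmt.Printf("%+v %v\n", cfg, err)
}
```

Writing the request with net.Dial("unix", "/var/run/wireguard/wg0.sock") and reading until the blank line after errno is all that remains to drive a live interface. The parser treats a reply without an errno line as a failure on purpose: a truncated reply from a dying daemon must not be mistaken for a successful get.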

Platforms

Linux

This will run on Linux; however you should instead use the kernel module, which is faster and better integrated into the OS. See the installation page for instructions.

macOS

This runs on macOS using the utun driver. It does not yet support sticky sockets, and won't support fwmarks because of Darwin limitations. Since the utun driver cannot have arbitrary interface names, you must either use utun[0-9]+ for an explicit interface name or utun to have the kernel select one for you. If you choose utun as the interface name, and the environment variable WG_TUN_NAME_FILE is defined, then the actual name of the interface chosen by the kernel is written to the file specified by that variable.

Windows

This runs on Windows, but you should instead use it from the more fully featured Windows app, which uses this as a module.

FreeBSD

This will run on FreeBSD. It does not yet support sticky sockets. Fwmark is mapped to SO_USER_COOKIE.

OpenBSD

This will run on OpenBSD. It does not yet support sticky sockets. Fwmark is mapped to SO_RTABLE. Since the tun driver cannot have arbitrary interface names, you must either use tun[0-9]+ for an explicit interface name or tun to have the program select one for you. If you choose tun as the interface name, and the environment variable WG_TUN_NAME_FILE is defined, then the actual name of the interface chosen by the kernel is written to the file specified by that variable.

Building

This requires an installation of go ≥ 1.17.

$ git clone https://git.zx2c4.com/wireguard-go
$ cd wireguard-go
$ make

License

Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

Issues
  • Make device.Peer safe for atomic access on 32-bit.

    All atomic access must be aligned to 64 bits, even on 32-bit platforms. Go promises that the start of allocated structs is aligned to 64 bits. So, place the atomically-accessed things first in the struct so that they benefit from that alignment.

    As a side bonus, it cleanly separates fields that are accessed by atomic ops, and those that should be accessed under mu.

    Also adds a test that will fail consistently on 32-bit platforms if the struct ever changes again to violate the rules. This is likely not needed because unaligned access crashes reliably, but this will reliably fail even if tests accidentally pass due to lucky alignment.

    Signed-Off-By: David Anderson [email protected]

    opened by crawshaw 5
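
The layout rule and the guard described in that PR, as an added example that is not the PR's code or wireguard-go's device.Peer: fields touched with 64-bit atomics come first in the struct, and a check on unsafe.Offsetof fails on any architecture as soon as one of them is no longer at a multiple of 8. Struct and field names here are illustrative.

```go
package main

import (
	"fmt"
	"sync/atomic"
	"unsafe"
)

// peerCounters follows the layout rule from the PR: every field that is
// touched with 64-bit sync/atomic operations comes first, so it inherits the
// 64-bit alignment Go guarantees for the first word of an allocated struct.
type peerCounters struct {
	txBytes       uint64 // atomic
	rxBytes       uint64 // atomic
	lastHandshake int64  // atomic, unix nanoseconds

	// Everything below is meant to be guarded by a mutex, never by atomics,
	// so its alignment is irrelevant to the check.
	isRunning bool
	name      string
}

// misordered is the layout the PR moves away from: a 32-bit word ahead of
// the atomics. unsafe.Alignof(uint64) is 4 on 386, arm and 32-bit mips, so
// there txBytes lands at offset 4 and 64-bit atomics on it panic; on 64-bit
// hosts padding moves it to offset 8 and the bug stays invisible.
type misordered struct {
	isRunning uint32
	txBytes   uint64 // atomic
}

// atomicOffsets lists the fields that must sit on an 8-byte boundary.
func atomicOffsets() map[string]uintptr {
	var p peerCounters
	return map[string]uintptr{
		"txBytes":       unsafe.Offsetof(p.txBytes),
		"rxBytes":       unsafe.Offsetof(p.rxBytes),
		"lastHandshake": unsafe.Offsetof(p.lastHandshake),
	}
}

// checkAlignment is the guard the PR adds, in spirit: it fails on every
// architecture, not only on 32-bit ones, as soon as an atomically accessed
// 64-bit field is not at a multiple of 8 from the start of the struct.
func checkAlignment(offsets map[string]uintptr) error {
	for name, off := range offsets {
		if off%8 != 0 {
			return fmt.Errorf("field %s at offset %d is not 64-bit aligned", name, off)
		}
	}
	return nil
}

// misorderedOffset reports where the atomic field ends up in the bad layout:
// 4 on 32-bit targets, 8 on 64-bit ones.
func misorderedOffset() uintptr {
	var m misordered
	return unsafe.Offsetof(m.txBytes)
}

func main() {
	p := &peerCounters{name: "peer0"}
	atomic.AddUint64(&p.txBytes, 1500) // safe: txBytes is the first word
	fmt.Println("tx bytes:", atomic.LoadUint64(&p.txBytes))
	fmt.Println("alignment check:", checkAlignment(atomicOffsets()))
	fmt.Println("misordered txBytes offset:", misorderedOffset())
}
```

On a 64-bit host both layouts pass at run time, which is exactly why the PR wants a test that does not depend on lucky alignment: the offset check catches a misordered field from the struct definition alone. Since Go 1.19 the atomic.Uint64 and atomic.Int64 types are aligned automatically wherever they sit in a struct, so new code can use them instead of relying on field order.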
  • device: use wgcfg key types

    opened by crawshaw 5
  • Fix a bug found on the centos7.5.1804 platform

    If the response message is exactly the same as fscanf()'s second parameter, the fscanf() in userspace_set_device() cannot get the response and cannot return. This fix has been verified in my environment (CentOS Linux release 7.5.1804 (Core)).

    opened by digger001 4
  • Add the possibility to send packets with no IP header if any IP is allowed on the device

    Use case

    1. Create a WG device wg-0
    2. Set the wg-0 property to allow any IP.
    3. Send a packet to wg-0 with no IP header.

    Actual: the device does nothing and logs the text "Received packet with unknown IP version". Expected: the device sends the packet if the device allows any IP.

    opened by denis-tingaikin 3
  • Replace direct syscalls on macOS

    This PR replaces all uses of direct syscalls (i.e. unix.Syscall(unix.SYS_*, ...)) on macOS by the respective functionality from the golang.org/x/sys/unix package using macOS libSystem. The support for direct syscalls on macOS is discouraged and was recently removed from golang.org/x/sys/unix, see https://golang.org/cl/250437 (golang/[email protected]). This broke the build of wireguard-go against the latest golang.org/x/sys/unix version, as reported in golang/go#41868.

    See individual commit messages for more details.

    Tested on macOS 10.15 against a wireguard server running on Ubuntu Linux 20.04.

    /cc @bradfitz

    opened by tklauser 3
  • device: separate logging for floods and replay attacks

    Error messages being printed were about floods, but actually what was being detected was a potential "replay attack", ie. a duplicate copy of an incoming handshake. Let's print two separate log messages to differentiate them.

    Signed-off-by: Avery Pennarun [email protected]

    opened by crawshaw 3
  • Add nil check before converting typed error back

    errors.As(err, target) returns false when err is nil, which causes status to be set to 1 when no error occurs in IpcGetOperation and IpcSetOperation.

    Should be able to fix #17

    Signed-off-by: Wenxuan Zhao [email protected]

    opened by vizv 3
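
The footgun that PR fixes, as an added example that is not the project's code: errors.As(nil, &target) returns false, so a status code derived only from errors.As reports a successful operation as failure. ipcError and its ErrorCode method are illustrative stand-ins for the typed error the IPC operations return; the status values 0 and 1 follow the PR's description.

```go
package main

import (
	"errors"
	"fmt"
)

// ipcError stands in for the typed error an IPC get/set operation returns.
// The name, field and method here are illustrative, not wireguard-go's type.
type ipcError struct {
	code int64
	err  error
}

func (e *ipcError) Error() string    { return fmt.Sprintf("ipc error %d: %v", e.code, e.err) }
func (e *ipcError) Unwrap() error    { return e.err }
func (e *ipcError) ErrorCode() int64 { return e.code }

// statusBuggy reproduces the defect in the PR: errors.As returns false for a
// nil error, so a successful operation is reported with status 1.
func statusBuggy(err error) int64 {
	var ipcErr *ipcError
	if !errors.As(err, &ipcErr) {
		return 1 // reached for untyped errors, but also for err == nil
	}
	return ipcErr.ErrorCode()
}

// statusFixed checks for nil before trying to recover the typed error, so
// success is 0, a typed error yields its code and anything else is 1.
func statusFixed(err error) int64 {
	if err == nil {
		return 0
	}
	var ipcErr *ipcError
	if errors.As(err, &ipcErr) {
		return ipcErr.ErrorCode()
	}
	return 1
}

func main() {
	wrapped := fmt.Errorf("set operation failed: %w", &ipcError{code: 22, err: errors.New("invalid key")})
	for _, err := range []error{nil, wrapped, errors.New("socket closed")} {
		fmt.Printf("%-48v buggy=%d fixed=%d\n", err, statusBuggy(err), statusFixed(err))
	}
}
```

The wrapped case shows why errors.As is still the right tool once nil is handled: the typed code survives an fmt.Errorf("%w") wrapper, which a plain type assertion would miss.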
  • Do not hide the request to reboot; pass that mark to the higher level application

    wintun.dll installs a driver, and Windows may indicate that it needs a reboot to complete driver installation.

    The needReboot mark was lost and no application received that indication. The solution is to extend the call used by the CreateTUNWithRequestedGUID() function with an additional return value indicating that, and to leave the generic interface function CreateTUN() as is.

    Signed-off-by: Antanas Gadeikis [email protected]

    opened by drgkaleda 2
  • tun/wintun/registry: fix Go 1.15 race/checkptr failure

    opened by bradfitz 2
  • ipc: uapi for iOS

    Hi,

    To use UAPI under iOS, we need to switch away from "/var/run/wireguard", as for security reasons writing to system folder(s) is prohibited by default on iOS.

    The patch will override the "socketDirectory" variable on the iOS platform and use an app-specific temp directory instead.

    opened by suquant 0
  • Port to DragonFly BSD

    Original patch (on top of commit e852f4c0) by Aaron Li <[email protected]> in 2020. Rebased with minor tweaks.

    The TUN device/interface on DragonFly BSD is very similar to the FreeBSD one, so it's rather easy to port WireGuard-go to DragonFly BSD based on the FreeBSD support code.

    The tun_dragonfly.go code is derived from the tun_freebsd.go code. One major difference is that DragonFly BSD's TUN device supports the TUNGIFNAME ioctl [0] for easily getting the assigned interface name. The remaining differences are mostly minor cleanups and tweaks.

    I've tested that DragonFly BSD's TUN device doesn't have the race issue like the FreeBSD one [1], so I didn't keep the code to disable LLv6.

    Tested on DragonFly BSD master branch (6.1-DEVELOPMENT) as of 2021-Jun-18. Requires a pending fix to the x/net library: https://go-review.googlesource.com/c/net/+/328331/

    Also thank François Tigeot, who ported WireGuard-go to DragonFly BSD's DeltaPorts/DPorts [2].

    [0] https://github.com/DragonFlyBSD/DragonFlyBSD/commit/0df03f127ea71fb9dbcedbdc065f211514feefdf
    [1] https://github.com/WireGuard/wireguard-go/commit/bb42ec7d185ab5f5cd3867ac1258edff86b7f307
    [2] https://github.com/DragonFlyBSD/DeltaPorts/commit/ef672333228e7ecf8a33dd88a5e715034e973c75

    Signed-off-by: James Cook [email protected]

    opened by falsifian 0
  • Two handshake initiation related race conditions fixed

    • Fix race condition between the data TX watchdog timer and the handshake retries timer
    • (at the same time) Fix and unify handshake attempts counter usage: now 0 means no HI in progress. Can use that timer to check if any HIs were already sent.
    • Do not flood new handshake initiations if an HI is already scheduled by somebody else.

    opened by drgkaleda 1
  • allowedips: Fix removeByPeer

    I have found what I believe to be a mistake in the implementation of removeByPeer.

    Currently, it returns node.child[0] without checking if node.child[1] is nil, causing the loss of the right child if it was not nil. I have added a check to check if node.child[1] is nil before returning node.child[0]; otherwise, we return node.

    The kernel implementation does not have this problem as it correctly checks for this scenario.

    Signed-off-by: Damian Ho [email protected]

    opened by damianhxy 0
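
To make the defect described in that PR concrete, here is an added example that is not wireguard-go's allowedips code: a toy binary trie over bit-string prefixes in which every node stores the full prefix it stands for, so a peerless interior node can be compacted into its single child. removeByPeer takes a fixed flag: with fixed=false it returns child[0] without checking child[1], which is the reported bug; with fixed=true it keeps the node when both children are live. The peers X, Y, Z and the prefixes are constructed for the example.

```go
package main

import "fmt"

// node is a minimal binary trie over prefixes written as strings of '0'/'1'
// bits. Each node carries the full prefix it stands for, so that, as in a
// compressed trie, a peerless interior node can be replaced by its single
// child without breaking lookups.
type node struct {
	bits  string
	peer  string   // "" for an interior node that owns no prefix
	child [2]*node // child[0] extends bits with '0', child[1] with '1'
}

// insert walks from the root one bit at a time. This toy only inserts along
// an uncompressed path, so all inserts must happen before any removal.
func insert(n *node, prefix, peer string) *node {
	if n.bits == prefix {
		n.peer = peer
		return n
	}
	i := prefix[len(n.bits)] - '0'
	if n.child[i] == nil {
		n.child[i] = &node{bits: prefix[:len(n.bits)+1]}
	}
	n.child[i] = insert(n.child[i], prefix, peer)
	return n
}

// lookup returns the peer owning the longest prefix of addr, or "".
func lookup(n *node, addr string) string {
	best := ""
	for n != nil && len(n.bits) <= len(addr) && addr[:len(n.bits)] == n.bits {
		if n.peer != "" {
			best = n.peer
		}
		if len(n.bits) == len(addr) {
			break
		}
		n = n.child[addr[len(n.bits)]-'0']
	}
	return best
}

// removeByPeer clears every prefix owned by peer and compacts interior nodes
// left with no peer. With fixed=false it reproduces the defect the PR
// describes: a peerless node with two children is replaced by child[0], and
// the whole child[1] subtree is silently dropped.
func removeByPeer(n *node, peer string, fixed bool) *node {
	if n == nil {
		return nil
	}
	if n.peer == peer {
		n.peer = ""
	}
	n.child[0] = removeByPeer(n.child[0], peer, fixed)
	n.child[1] = removeByPeer(n.child[1], peer, fixed)
	if n.peer != "" {
		return n
	}
	if n.child[0] == nil {
		return n.child[1] // nil when the node has become an empty leaf
	}
	if fixed && n.child[1] != nil {
		return n // two live children: the node must stay
	}
	return n.child[0]
}

// buildSample: peer X owns prefix 1, Y owns 10, Z owns 11. Removing X leaves
// node "1" peerless with two children, which is the case the PR fixes.
func buildSample() *node {
	root := &node{}
	root = insert(root, "1", "X")
	root = insert(root, "10", "Y")
	root = insert(root, "11", "Z")
	return root
}

func main() {
	for _, fixed := range []bool{false, true} {
		t := removeByPeer(buildSample(), "X", fixed)
		fmt.Printf("fixed=%v: 10 -> %q, 11 -> %q\n", fixed, lookup(t, "10"), lookup(t, "11"))
	}
}
```

With the buggy compaction, removing X (owner of prefix 1) also makes Z's prefix 11 vanish while Y's 10 survives, because node "1" is replaced by its left child. In an allowed-IPs table that means a peer that was never touched silently loses a route after some other peer is removed, and nothing in the removal path reports it; the kernel implementation checks for the second child, as the PR notes.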
  • tun: replace the DNS client in netstack with net.Resolver

    Hello,

    I used the new netstack package to setup an in-process tunnel for tunneling SSH connections over WireGuard. It worked quite well, I was very happy with how easy it was. Here are some changes I made as part of my work. The biggest one is replacing the custom DNS client with an instance of net.Resolver.

    The TUN type includes a DNS client for sending hostname lookup queries to the DNS server(s) over the WireGuard connection. The builtin client resolver in the net package also uses the dnsmessage package to implement a DNS client, which can bypass the servers specified in resolv.conf when a custom Dial func is provided. This is a patch to replace the netstack package's DNS client with an instance of net.Resolver configured to connect to the specified servers instead of the system's configured DNS servers (via resolv.conf). It was tested on and with support from Fly.io.

    Also included is a change to update the modules in the netstack package and fixes for the client & server examples, along with a change to add a copyright file to the netstack package to fix https://pkg.go.dev/ support.

    opened by benburkert 7
  • Add illumos support

    A currently working cleanup of the code by @jclulow from https://github.com/jclulow/wireguard-go-illumos-wip squashed down to a single commit.

    This code works with the caveats noted in the commit message, and with additional modifications can be added to the https://github.com/tailscale/wireguard-go tree and used to build mostly working tailscale binaries.

    I barely know what I'm doing here, so any help carrying this across the finish line would be greatly appreciated.

    opened by nshalman 20
  • improve receive function

    Choose IPv4 or IPv6 first, not every time

    opened by fishioon 1
  • device: add BenchmarkAllowedIPsInsertRemove

    To show that RemoveByPeer is slow. Currently:

    (pprof) top
    Showing nodes accounting for 2.99s, 96.14% of 3.11s total
    Dropped 35 nodes (cum <= 0.02s)
    Showing top 10 nodes out of 36
          flat  flat%   sum%        cum   cum%
         2.72s 87.46% 87.46%      2.72s 87.46%  golang.zx2c4.com/wireguard/device.(*trieEntry).removeByPeer
         0.10s  3.22% 90.68%      0.10s  3.22%  runtime.memclrNoHeapPointers
         0.05s  1.61% 92.28%      0.06s  1.93%  runtime.scanobject
         0.03s  0.96% 93.25%      0.05s  1.61%  runtime.casgstatus
         0.02s  0.64% 93.89%      0.02s  0.64%  runtime.(*gcBitsArena).tryAlloc (inline)
         0.02s  0.64% 94.53%      0.02s  0.64%  runtime.heapBitsSetType
         0.02s  0.64% 95.18%      0.04s  1.29%  runtime.sweepone
         0.01s  0.32% 95.50%      0.02s  0.64%  golang.zx2c4.com/wireguard/device.commonBits
         0.01s  0.32% 95.82%      0.03s  0.96%  runtime.(*mheap).allocSpan
         0.01s  0.32% 96.14%      0.24s  7.72%  runtime.mallocgc
    

    Signed-off-by: Brad Fitzpatrick [email protected]

    /cc @zx2c4 @crawshaw @danderson

    opened by bradfitz 6
  • device: return generic error from Ipc{Get,Set}Operation.

    This makes uapi.go's public API conform to Go style in terms of error types.

    Signed-off-by: David Anderson [email protected]

    opened by danderson 4
Owner
WireGuard
Mirror of various WireGuard-related projects. See https://www.wireguard.com/repositories/ for official repositories.