Update README.md

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+liberapay: octeep

.github/wireproxy-releaser.yml

@@ -11,6 +11,8 @@ builds:
       - linux
       - windows
       - darwin
+      - freebsd
+      - openbsd
     goarch:
       - arm
       - arm64

.github/workflows/wireproxy.yml

@@ -2,6 +2,9 @@ name: Cross compile WirePorxy
 
 on:
   workflow_dispatch:
+  create:
+     tags:
+       - v*
 
 jobs:
   WirePorxy:

README.md

@@ -1,4 +1,8 @@
 # wireproxy
+[![ISC licensed](https://img.shields.io/badge/license-ISC-blue)](./LICENSE)
+[![Build status](https://github.com/octeep/wireproxy/actions/workflows/build.yml/badge.svg)](https://github.com/octeep/wireproxy/actions)
+[![Documentation](https://img.shields.io/badge/godoc-wireproxy-blue)](https://pkg.go.dev/github.com/octeep/wireproxy)
+
 A wireguard client that exposes itself as a socks5 proxy or tunnels.
 
 # What is this
@@ -20,6 +24,10 @@ anything.
 - TCP static routing for client and server
 - SOCKS5 proxy (currently only CONNECT is supported) 
 
+# TODO
+- UDP Support in SOCKS5
+- UDP static routing
+
 # Usage
 ```
 ./wireproxy -c [path to config]
@@ -108,6 +116,9 @@ WGConfig = <path to the wireguard config>
 ...
 ```
 
+## Donation
+<noscript><a href="https://liberapay.com/octeep/donate"><img alt="Donate using Liberapay" src="https://liberapay.com/assets/widgets/donate.svg"></a></noscript>
+
 
 ## Stargazers over time
 

cmd/wireproxy/main.go

@@ -8,18 +8,33 @@ import (
 
 	"github.com/akamensky/argparse"
 	"github.com/octeep/wireproxy"
+	"suah.dev/protect"
 )
 
+// an argument to denote that this process was spawned by -d
 const daemonProcess = "daemon-process"
 
+// attempts to pledge and panic if it fails
+// this does nothing on non-OpenBSD systems
+func pledgeOrPanic(promises string) {
+	err := protect.Pledge(promises)
+	if err != nil {
+		log.Panic(err)
+	}
+}
+
 func main() {
+	// only allow standard stdio operation, file reading, networking, and exec
+	pledgeOrPanic("stdio rpath inet dns proc exec")
+
 	isDaemonProcess := len(os.Args) > 1 && os.Args[1] == daemonProcess
 	args := os.Args
 	if isDaemonProcess {
+		// remove proc and exec if they are not needed
+		pledgeOrPanic("stdio rpath inet dns")
 		args = []string{args[0]}
 		args = append(args, os.Args[2:]...)
 	}
-
 	parser := argparse.NewParser("wireproxy", "Userspace wireguard client for proxying")
 
 	config := parser.String("c", "config", &argparse.Options{Required: true, Help: "Path of configuration file"})
@@ -32,6 +47,11 @@ func main() {
 		return
 	}
 
+	if !*daemon {
+		// remove proc and exec if they are not needed
+		pledgeOrPanic("stdio rpath inet dns")
+	}
+
 	conf, err := wireproxy.ParseConfig(*config)
 	if err != nil {
 		log.Panic(err)
@@ -64,6 +84,9 @@ func main() {
 		return
 	}
 
+	// no file access is allowed from now on, only networking
+	pledgeOrPanic("stdio inet dns")
+
 	tnet, err := wireproxy.StartWireguard(conf.Device)
 	if err != nil {
 		log.Panic(err)

config.go

@@ -12,6 +12,7 @@ import (
 	"golang.zx2c4.com/go118/netip"
 )
 
+// DeviceConfig contains the information to initiate a wireguard connection
 type DeviceConfig struct {
 	SelfSecretKey string
 	SelfEndpoint  []netip.Addr
@@ -160,6 +161,7 @@ func resolveIPPAndPort(addr string) (string, error) {
 	return net.JoinHostPort(ip.String(), port), nil
 }
 
+// ParseInterface parses the [Interface] section and extract the information into `device`
 func ParseInterface(cfg *ini.File, device *DeviceConfig) error {
 	sections, err := cfg.SectionsByName("Interface")
 	if len(sections) != 1 || err != nil {
@@ -197,6 +199,7 @@ func ParseInterface(cfg *ini.File, device *DeviceConfig) error {
 	return nil
 }
 
+// ParsePeer parses the [Peer] section and extract the information into `device`
 func ParsePeer(cfg *ini.File, device *DeviceConfig) error {
 	sections, err := cfg.SectionsByName("Peer")
 	if len(sections) != 1 || err != nil {
@@ -292,6 +295,8 @@ func parseSocks5Config(section *ini.Section) (RoutineSpawner, error) {
 	return config, nil
 }
 
+// Takes a function that parses an individual section into a config, and apply it on all
+// specified sections
 func parseRoutinesConfig(routines *[]RoutineSpawner, cfg *ini.File, sectionName string, f func(*ini.Section) (RoutineSpawner, error)) error {
 	sections, err := cfg.SectionsByName(sectionName)
 	if err != nil {
@@ -310,6 +315,7 @@ func parseRoutinesConfig(routines *[]RoutineSpawner, cfg *ini.File, sectionName
 	return nil
 }
 
+// ParseConfig takes the path of a configuration file and parses it into Configuration
 func ParseConfig(path string) (*Configuration, error) {
 	iniOpt := ini.LoadOptions{
 		Insensitive:  true,

go.mod

@@ -21,4 +21,5 @@ require (
 	golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9 // indirect
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
+	suah.dev/protect v1.2.0 // indirect
 )

go.sum

@@ -744,6 +744,7 @@ golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210314195730-07df6a141424/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -999,3 +1000,5 @@ sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:w
 sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
+suah.dev/protect v1.2.0 h1:4G4V43yVYXCjLFzaE9QJR0fLo3rf5vNBS9YxyoI19DU=
+suah.dev/protect v1.2.0/go.mod h1:Ocn1yqUskqe/is6N2bxQxtT+fegbvQsOFyHbJAQu9XE=

routine.go

@@ -4,11 +4,11 @@ import (
 	"context"
 	"crypto/subtle"
 	"errors"
-	"fmt"
 	"io"
 	"log"
 	"math/rand"
 	"net"
+	"os"
 	"strconv"
 
 	"github.com/armon/go-socks5"
@@ -17,20 +17,28 @@ import (
 	"golang.zx2c4.com/wireguard/tun/netstack"
 )
 
+// errorLogger is the logger to print error message
+var errorLogger = log.New(os.Stderr, "ERROR: ", log.LstdFlags)
+
+// CredentialValidator stores the authentication data of a socks5 proxy
 type CredentialValidator struct {
 	username string
 	password string
 }
 
+// VirtualTun stores a reference to netstack network and DNS configuration
 type VirtualTun struct {
 	tnet      *netstack.Net
 	systemDNS bool
 }
 
+// RoutineSpawner spawns a routine (e.g. socks5, tcp static routes) after the configuration is parsed
 type RoutineSpawner interface {
 	SpawnRoutine(vt *VirtualTun)
 }
 
+// LookupAddr lookups a hostname.
+// DNS traffic may or may not be routed depending on VirtualTun's setting
 func (d VirtualTun) LookupAddr(ctx context.Context, name string) ([]string, error) {
 	if d.systemDNS {
 		return net.DefaultResolver.LookupHost(ctx, name)
@@ -39,23 +47,15 @@ func (d VirtualTun) LookupAddr(ctx context.Context, name string) ([]string, erro
 	}
 }
 
+// ResolveAddrPort resolves a hostname and returns an AddrPort.
+// DNS traffic may or may not be routed depending on VirtualTun's setting
 func (d VirtualTun) ResolveAddrPort(saddr string) (*netip.AddrPort, error) {
 	name, sport, err := net.SplitHostPort(saddr)
 	if err != nil {
 		return nil, err
 	}
 
-	addrs, err := d.LookupAddr(context.Background(), name)
+	addr, err := d.ResolveAddrWithContext(context.Background(), name)
-	if err != nil {
-		return nil, err
-	}
-
-	size := len(addrs)
-	if size == 0 {
-		return nil, errors.New("no address found for: " + name)
-	}
-
-	addr, err := netip.ParseAddr(addrs[rand.Intn(size)])
 	if err != nil {
 		return nil, err
 	}
@@ -65,34 +65,54 @@ func (d VirtualTun) ResolveAddrPort(saddr string) (*netip.AddrPort, error) {
 		return nil, &net.OpError{Op: "dial", Err: errors.New("port must be numeric")}
 	}
 
-	addrPort := netip.AddrPortFrom(addr, uint16(port))
+	addrPort := netip.AddrPortFrom(*addr, uint16(port))
 	return &addrPort, nil
 }
 
-func (d VirtualTun) Resolve(ctx context.Context, name string) (context.Context, net.IP, error) {
+// ResolveAddrPort resolves a hostname and returns an AddrPort.
-	var addrs []string
+// DNS traffic may or may not be routed depending on VirtualTun's setting
-	var err error
+func (d VirtualTun) ResolveAddrWithContext(ctx context.Context, name string) (*netip.Addr, error) {
-
+	addrs, err := d.LookupAddr(ctx, name)
-	addrs, err = d.LookupAddr(ctx, name)
-
 	if err != nil {
-		return ctx, nil, err
+		return nil, err
 	}
 
 	size := len(addrs)
 	if size == 0 {
-		return ctx, nil, errors.New("no address found for: " + name)
+		return nil, errors.New("no address found for: " + name)
 	}
 
-	addr := addrs[rand.Intn(size)]
+	rand.Shuffle(size, func(i, j int) {
-	ip := net.ParseIP(addr)
+		addrs[i], addrs[j] = addrs[j], addrs[i]
-	if ip == nil {
+	})
-		return ctx, nil, errors.New("invalid address: " + addr)
+
+	var addr netip.Addr
+	for _, saddr := range addrs {
+		addr, err = netip.ParseAddr(saddr)
+		if err == nil {
+			break
+		}
 	}
 
-	return ctx, ip, err
+	if err != nil {
+		return nil, err
 	}
 
+	return &addr, nil
+}
+
+// ResolveAddrPort resolves a hostname and returns an IP.
+// DNS traffic may or may not be routed depending on VirtualTun's setting
+func (d VirtualTun) Resolve(ctx context.Context, name string) (context.Context, net.IP, error) {
+	addr, err := d.ResolveAddrWithContext(ctx, name)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return ctx, addr.AsSlice(), nil
+}
+
+// Spawns a socks5 server.
 func (config *Socks5Config) SpawnRoutine(vt *VirtualTun) {
 	conf := &socks5.Config{Dial: vt.tnet.DialContext, Resolver: vt}
 	if username := config.Username; username != "" {
@@ -110,25 +130,30 @@ func (config *Socks5Config) SpawnRoutine(vt *VirtualTun) {
 	}
 }
 
+// Valid checks the authentication data in CredentialValidator and compare them
+// to username and password in constant time.
 func (c CredentialValidator) Valid(username, password string) bool {
 	u := subtle.ConstantTimeCompare([]byte(c.username), []byte(username))
 	p := subtle.ConstantTimeCompare([]byte(c.password), []byte(password))
 	return u&p == 1
 }
 
+// connForward copy data from `from` to `to`, then close both stream.
 func connForward(bufSize int, from io.ReadWriteCloser, to io.ReadWriteCloser) {
 	buf := make([]byte, bufSize)
 	_, err := io.CopyBuffer(to, from, buf)
 	if err != nil {
-		to.Close()
+		errorLogger.Printf("Cannot forward traffic: %s\n", err.Error())
-		return
 	}
+	_ = from.Close()
+	_ = to.Close()
 }
 
+// tcpClientForward starts a new connection via wireguard and forward traffic from `conn`
 func tcpClientForward(tnet *netstack.Net, target *net.TCPAddr, conn net.Conn) {
 	sconn, err := tnet.DialTCP(target)
 	if err != nil {
-		fmt.Printf("[ERROR] TCP Client Tunnel to %s: %s\n", target, err.Error())
+		errorLogger.Printf("TCP Client Tunnel to %s: %s\n", target, err.Error())
 		return
 	}
 
@@ -136,6 +161,7 @@ func tcpClientForward(tnet *netstack.Net, target *net.TCPAddr, conn net.Conn) {
 	go connForward(1024, conn, sconn)
 }
 
+// Spawns a local TCP server which acts as a proxy to the specified target
 func (conf *TCPClientTunnelConfig) SpawnRoutine(vt *VirtualTun) {
 	raddr, err := vt.ResolveAddrPort(conf.Target)
 	if err != nil {
@@ -157,10 +183,11 @@ func (conf *TCPClientTunnelConfig) SpawnRoutine(vt *VirtualTun) {
 	}
 }
 
+// tcpServerForward starts a new connection locally and forward traffic from `conn`
 func tcpServerForward(target *net.TCPAddr, conn net.Conn) {
 	sconn, err := net.DialTCP("tcp", nil, target)
 	if err != nil {
-		fmt.Printf("[ERROR] TCP Server Tunnel to %s: %s\n", target, err.Error())
+		errorLogger.Printf("TCP Server Tunnel to %s: %s\n", target, err.Error())
 		return
 	}
 
@@ -168,6 +195,7 @@ func tcpServerForward(target *net.TCPAddr, conn net.Conn) {
 	go connForward(1024, conn, sconn)
 }
 
+// Spawns a TCP server on wireguard which acts as a proxy to the specified target
 func (conf *TCPServerTunnelConfig) SpawnRoutine(vt *VirtualTun) {
 	raddr, err := vt.ResolveAddrPort(conf.Target)
 	if err != nil {

wireguard.go

@@ -9,6 +9,7 @@ import (
 	"golang.zx2c4.com/wireguard/tun/netstack"
 )
 
+// DeviceSetting contains the parameters for setting up a tun interface
 type DeviceSetting struct {
 	ipcRequest string
 	dns        []netip.Addr
@@ -16,6 +17,7 @@ type DeviceSetting struct {
 	mtu        int
 }
 
+// serialize the config into an IPC request and DeviceSetting
 func createIPCRequest(conf *DeviceConfig) (*DeviceSetting, error) {
 	request := fmt.Sprintf(`private_key=%s
 public_key=%s
@@ -28,6 +30,7 @@ allowed_ip=0.0.0.0/0`, conf.SelfSecretKey, conf.PeerPublicKey, conf.PeerEndpoint
 	return setting, nil
 }
 
+// StartWireguard creates a tun interface on netstack given a configuration
 func StartWireguard(conf *DeviceConfig) (*VirtualTun, error) {
 	setting, err := createIPCRequest(conf)
 	if err != nil {