resolve host for every new connection in static tunnels

This reverts commit e38b0155dd.

.github/wireproxy-releaser.yml

@@ -11,8 +11,6 @@ builds:
       - linux
       - windows
       - darwin
-      - freebsd
-      - openbsd
     goarch:
       - arm
       - arm64

.github/workflows/wireproxy.yml

@@ -1,4 +1,4 @@
-name: Cross compile WirePorxy
+name: Cross compile WireProxy
 
 on:
   workflow_dispatch:
@@ -7,14 +7,14 @@ on:
        - v*
 
 jobs:
-  WirePorxy:
+  WireProxy:
 
-    name: Cross compile WirePorxy
+    name: Cross compile WireProxy
 
     runs-on: ubuntu-20.04
 
     env:
-      workdir: ./WirePorxy
+      workdir: ./WireProxy
 
     steps:
       - name: Checkout code
@@ -22,7 +22,7 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Git clone WirePorxy
+      - name: Git clone WireProxy
         run: |
           git clone https://github.com/octeep/wireproxy.git ${{ env.workdir }}
           cp ./.github/wireproxy-releaser.yml ${{ env.workdir }}/.goreleaser.yml
@@ -46,4 +46,4 @@ jobs:
           tag_name: wireproxy
           files: ${{ env.workdir }}/dist/*.tar.gz
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

cmd/wireproxy/main.go

@@ -19,12 +19,35 @@ const daemonProcess = "daemon-process"
 func pledgeOrPanic(promises string) {
 	err := protect.Pledge(promises)
 	if err != nil {
-		log.Panic(err)
+		log.Fatal(err)
 	}
 }
 
+// attempts to unveil and panic if it fails
+// this does nothing on non-OpenBSD systems
+func unveilOrPanic(path string, flags string) {
+	err := protect.Unveil(path, flags)
+	if err != nil {
+		log.Fatal(err)
+	}
+}
+
+// get the executable path via syscalls or infer it from argv
+func executablePath() string {
+	programPath, err := os.Executable()
+	if err != nil {
+		return os.Args[0]
+	}
+	return programPath
+}
+
 func main() {
+	exePath := executablePath()
+	unveilOrPanic("/", "r")
+	unveilOrPanic(exePath, "x")
+
 	// only allow standard stdio operation, file reading, networking, and exec
+	// also remove unveil permission to lock unveil
 	pledgeOrPanic("stdio rpath inet dns proc exec")
 
 	isDaemonProcess := len(os.Args) > 1 && os.Args[1] == daemonProcess
@@ -54,7 +77,7 @@ func main() {
 
 	conf, err := wireproxy.ParseConfig(*config)
 	if err != nil {
-		log.Panic(err)
+		log.Fatal(err)
 	}
 
 	if *configTest {
@@ -69,14 +92,8 @@ func main() {
 	}
 
 	if *daemon {
-		programPath, err := os.Executable()
-		if err != nil {
-			programPath = args[0]
-		}
-
-		newArgs := []string{daemonProcess}
-		newArgs = append(newArgs, args[1:]...)
-		cmd := exec.Command(programPath, newArgs...)
+		args[0] = daemonProcess
+		cmd := exec.Command(exePath, args...)
 		err = cmd.Start()
 		if err != nil {
 			fmt.Println(err.Error())
@@ -89,7 +106,7 @@ func main() {
 
 	tnet, err := wireproxy.StartWireguard(conf.Device)
 	if err != nil {
-		log.Panic(err)
+		log.Fatal(err)
 	}
 
 	for _, spawner := range conf.Routines {

docker/Dockerfile

@@ -11,4 +11,4 @@ RUN apk upgrade
 COPY --from=go-build /go/wireproxy/wireproxy /usr/bin/
 
 VOLUME [ "/etc/wireproxy"]
-ENTRYPOINT [ "/usr/bin/wireproxy", "/etc/wireproxy/config" ]
+ENTRYPOINT [ "/usr/bin/wireproxy", "--config", "/etc/wireproxy/config" ]

routine.go

@@ -37,6 +37,11 @@ type RoutineSpawner interface {
 	SpawnRoutine(vt *VirtualTun)
 }
 
+type addressPort struct {
+	address string
+	port    uint16
+}
+
 // LookupAddr lookups a hostname.
 // DNS traffic may or may not be routed depending on VirtualTun's setting
 func (d VirtualTun) LookupAddr(ctx context.Context, name string) ([]string, error) {
@@ -47,29 +52,7 @@ func (d VirtualTun) LookupAddr(ctx context.Context, name string) ([]string, erro
 	}
 }
 
-// ResolveAddrPort resolves a hostname and returns an AddrPort.
-// DNS traffic may or may not be routed depending on VirtualTun's setting
-func (d VirtualTun) ResolveAddrPort(saddr string) (*netip.AddrPort, error) {
-	name, sport, err := net.SplitHostPort(saddr)
-	if err != nil {
-		return nil, err
-	}
-
-	addr, err := d.ResolveAddrWithContext(context.Background(), name)
-	if err != nil {
-		return nil, err
-	}
-
-	port, err := strconv.Atoi(sport)
-	if err != nil || port < 0 || port > 65535 {
-		return nil, &net.OpError{Op: "dial", Err: errors.New("port must be numeric")}
-	}
-
-	addrPort := netip.AddrPortFrom(*addr, uint16(port))
-	return &addrPort, nil
-}
-
-// ResolveAddrPort resolves a hostname and returns an AddrPort.
+// ResolveAddrPortWithContext resolves a hostname and returns an AddrPort.
 // DNS traffic may or may not be routed depending on VirtualTun's setting
 func (d VirtualTun) ResolveAddrWithContext(ctx context.Context, name string) (*netip.Addr, error) {
 	addrs, err := d.LookupAddr(ctx, name)
@@ -101,7 +84,7 @@ func (d VirtualTun) ResolveAddrWithContext(ctx context.Context, name string) (*n
 	return &addr, nil
 }
 
-// ResolveAddrPort resolves a hostname and returns an IP.
+// Resolve resolves a hostname and returns an IP.
 // DNS traffic may or may not be routed depending on VirtualTun's setting
 func (d VirtualTun) Resolve(ctx context.Context, name string) (context.Context, net.IP, error) {
 	addr, err := d.ResolveAddrWithContext(ctx, name)
@@ -112,6 +95,30 @@ func (d VirtualTun) Resolve(ctx context.Context, name string) (context.Context,
 	return ctx, addr.AsSlice(), nil
 }
 
+func parseAddressPort(endpoint string) (*addressPort, error) {
+	name, sport, err := net.SplitHostPort(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	port, err := strconv.Atoi(sport)
+	if err != nil || port < 0 || port > 65535 {
+		return nil, &net.OpError{Op: "dial", Err: errors.New("port must be numeric")}
+	}
+
+	return &addressPort{address: name, port: uint16(port)}, nil
+}
+
+func (d VirtualTun) resolveToAddrPort(endpoint *addressPort) (*netip.AddrPort, error) {
+	addr, err := d.ResolveAddrWithContext(context.Background(), endpoint.address)
+	if err != nil {
+		return nil, err
+	}
+
+	addrPort := netip.AddrPortFrom(*addr, endpoint.port)
+	return &addrPort, nil
+}
+
 // Spawns a socks5 server.
 func (config *Socks5Config) SpawnRoutine(vt *VirtualTun) {
 	conf := &socks5.Config{Dial: vt.tnet.DialContext, Resolver: vt}
@@ -122,11 +129,11 @@ func (config *Socks5Config) SpawnRoutine(vt *VirtualTun) {
 	}
 	server, err := socks5.New(conf)
 	if err != nil {
-		log.Panic(err)
+		log.Fatal(err)
 	}
 
 	if err := server.ListenAndServe("tcp", config.BindAddress); err != nil {
-		log.Panic(err)
+		log.Fatal(err)
 	}
 }
 
@@ -150,8 +157,16 @@ func connForward(bufSize int, from io.ReadWriteCloser, to io.ReadWriteCloser) {
 }
 
 // tcpClientForward starts a new connection via wireguard and forward traffic from `conn`
-func tcpClientForward(tnet *netstack.Net, target *net.TCPAddr, conn net.Conn) {
-	sconn, err := tnet.DialTCP(target)
+func tcpClientForward(vt *VirtualTun, raddr *addressPort, conn net.Conn) {
+	target, err := vt.resolveToAddrPort(raddr)
+	if err != nil {
+		errorLogger.Printf("TCP Server Tunnel to %s: %s\n", target, err.Error())
+		return
+	}
+
+	tcpAddr := TCPAddrFromAddrPort(*target)
+
+	sconn, err := vt.tnet.DialTCP(tcpAddr)
 	if err != nil {
 		errorLogger.Printf("TCP Client Tunnel to %s: %s\n", target, err.Error())
 		return
@@ -163,29 +178,36 @@ func tcpClientForward(tnet *netstack.Net, target *net.TCPAddr, conn net.Conn) {
 
 // Spawns a local TCP server which acts as a proxy to the specified target
 func (conf *TCPClientTunnelConfig) SpawnRoutine(vt *VirtualTun) {
-	raddr, err := vt.ResolveAddrPort(conf.Target)
+	raddr, err := parseAddressPort(conf.Target)
 	if err != nil {
-		log.Panic(err)
+		log.Fatal(err)
 	}
-	tcpAddr := TCPAddrFromAddrPort(*raddr)
 
 	server, err := net.ListenTCP("tcp", conf.BindAddress)
 	if err != nil {
-		log.Panic(err)
+		log.Fatal(err)
 	}
 
 	for {
 		conn, err := server.Accept()
 		if err != nil {
-			log.Panic(err)
+			log.Fatal(err)
 		}
-		go tcpClientForward(vt.tnet, tcpAddr, conn)
+		go tcpClientForward(vt, raddr, conn)
 	}
 }
 
 // tcpServerForward starts a new connection locally and forward traffic from `conn`
-func tcpServerForward(target *net.TCPAddr, conn net.Conn) {
-	sconn, err := net.DialTCP("tcp", nil, target)
+func tcpServerForward(vt *VirtualTun, raddr *addressPort, conn net.Conn) {
+	target, err := vt.resolveToAddrPort(raddr)
+	if err != nil {
+		errorLogger.Printf("TCP Server Tunnel to %s: %s\n", target, err.Error())
+		return
+	}
+
+	tcpAddr := TCPAddrFromAddrPort(*target)
+
+	sconn, err := net.DialTCP("tcp", nil, tcpAddr)
 	if err != nil {
 		errorLogger.Printf("TCP Server Tunnel to %s: %s\n", target, err.Error())
 		return
@@ -197,23 +219,22 @@ func tcpServerForward(target *net.TCPAddr, conn net.Conn) {
 
 // Spawns a TCP server on wireguard which acts as a proxy to the specified target
 func (conf *TCPServerTunnelConfig) SpawnRoutine(vt *VirtualTun) {
-	raddr, err := vt.ResolveAddrPort(conf.Target)
+	raddr, err := parseAddressPort(conf.Target)
 	if err != nil {
-		log.Panic(err)
+		log.Fatal(err)
 	}
-	tcpAddr := TCPAddrFromAddrPort(*raddr)
 
 	addr := &net.TCPAddr{Port: conf.ListenPort}
 	server, err := vt.tnet.ListenTCP(addr)
 	if err != nil {
-		log.Panic(err)
+		log.Fatal(err)
 	}
 
 	for {
 		conn, err := server.Accept()
 		if err != nil {
-			log.Panic(err)
+			log.Fatal(err)
 		}
-		go tcpServerForward(tcpAddr, conn)
+		go tcpServerForward(vt, raddr, conn)
 	}
 }

wireguard.go

@@ -24,7 +24,8 @@ public_key=%s
 endpoint=%s
 persistent_keepalive_interval=%d
 preshared_key=%s
-allowed_ip=0.0.0.0/0`, conf.SelfSecretKey, conf.PeerPublicKey, conf.PeerEndpoint, conf.KeepAlive, conf.PreSharedKey)
+allowed_ip=0.0.0.0/0
+allowed_ip=::0/0`, conf.SelfSecretKey, conf.PeerPublicKey, conf.PeerEndpoint, conf.KeepAlive, conf.PreSharedKey)
 
 	setting := &DeviceSetting{ipcRequest: request, dns: conf.DNS, deviceAddr: conf.SelfEndpoint, mtu: conf.MTU}
 	return setting, nil