Limit wireproxy's permissions with landlock (#108)

* Limit wireproxy's permissions with landlock

* Show better debug message

* Fix crash when info is null

* Fix crash when landlock ABI is outdated

* remove /dev/std{in,out,err} from landlock restriction

.github/workflows/build.yml

@@ -6,17 +6,18 @@ on:
   pull_request:
     branches:
       - '**'
+  workflow_dispatch:
 
 jobs:
   windowsAmd64Build:
     name: Build Windows amd64 Version
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Setting up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.19
+          go-version: "1.21"
       - name: Building Windows amd64 Version
         run: |
           CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o WireProxy_amd64.exe -v ./cmd/wireproxy
@@ -24,7 +25,7 @@ jobs:
           mv WireProxy_amd64.exe wireproxy.exe
           cp wireproxy.exe release_windows_amd64/wireproxy.exe
       - name: Upload Windows amd64 Version
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v4
         with:
           name: WireProxy_windows_amd64
           path: release_windows_amd64
@@ -32,11 +33,11 @@ jobs:
     name: Build Windows arm64 Version
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Setting up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.19
+          go-version: "1.21"
       - name: Building Windows arm64 Version
         run: |
           CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -o WireProxy_arm64.exe -v ./cmd/wireproxy
@@ -44,7 +45,7 @@ jobs:
           mv WireProxy_arm64.exe wireproxy.exe
           cp wireproxy.exe release_windows_arm64/wireproxy.exe
       - name: Upload Windows arm64 Version
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v4
         with:
           name: WireProxy_windows_arm64
           path: release_windows_arm64
@@ -52,11 +53,11 @@ jobs:
     name: Build Linux amd64 Version
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Setting up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.19
+          go-version: "1.21"
       - name: Building Linux amd64 Version
         run: |
           CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o WireProxy_amd64 -v ./cmd/wireproxy
@@ -64,7 +65,7 @@ jobs:
           mv WireProxy_amd64 wireproxy
           cp wireproxy release_linux_amd64/wireproxy
       - name: Upload Linux amd64 Version
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v4
         with:
           name: WireProxy_linux_amd64
           path: release_linux_amd64
@@ -72,11 +73,11 @@ jobs:
     name: Build Linux arm64 Version
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Setting up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.19
+          go-version: "1.21"
       - name: Building Linux arm64 Version
         run: |
           CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o WireProxy_arm64 -v ./cmd/wireproxy
@@ -84,7 +85,7 @@ jobs:
           mv WireProxy_arm64 wireproxy
           cp wireproxy release_linux_arm64/wireproxy
       - name: Upload Linux arm64 Version
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v4
         with:
           name: WireProxy_linux_arm64
           path: release_linux_arm64
@@ -92,11 +93,11 @@ jobs:
     name: Build Linux s390x Version
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Setting up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.19
+          go-version: "1.21"
       - name: Building Linux s390x Version
         run: |
           CGO_ENABLED=0 GOOS=linux GOARCH=s390x go build -o WireProxy_s390x -v ./cmd/wireproxy
@@ -104,7 +105,7 @@ jobs:
           mv WireProxy_s390x wireproxy
           cp wireproxy release_linux_s390x/wireproxy
       - name: Upload Linux s390x Version
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v4
         with:
           name: WireProxy_linux_s390x
           path: release_linux_s390x
@@ -112,11 +113,11 @@ jobs:
     name: Build Darwin amd64 Version
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Setting up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.19
+          go-version: "1.21"
       - name: Building Darwin amd64 Version
         run: |
           CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o WireProxy_amd64 -v ./cmd/wireproxy
@@ -124,7 +125,7 @@ jobs:
           mv WireProxy_amd64 wireproxy
           cp wireproxy release_darwin_amd64/wireproxy
       - name: Upload Darwin amd64 Version
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v4
         with:
           name: WireProxy_darwin_amd64
           path: release_darwin_amd64
@@ -132,11 +133,11 @@ jobs:
     name: Build Darwin arm64 Version
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Setting up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.19
+          go-version: "1.21"
       - name: Building Darwin arm64 Version
         run: |
           CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o WireProxy_arm64 -v ./cmd/wireproxy
@@ -144,7 +145,7 @@ jobs:
           mv WireProxy_arm64 wireproxy
           cp wireproxy release_darwin_arm64/wireproxy
       - name: Upload Darwin arm64 Version
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v4
         with:
           name: WireProxy_darwin_arm64
           path: release_darwin_arm64

.github/workflows/container.yml

@@ -28,26 +28,26 @@ jobs:
 
     steps:
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2.0.0
+        uses: docker/setup-buildx-action@v3.0.0
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: recursive
 
       # Needed for buildx gha cache to work
       - name: Expose GitHub Runtime
-        uses: crazy-max/ghaction-github-runtime@v2
+        uses: crazy-max/ghaction-github-runtime@v3
 
       - name: Build container
         env:

.github/workflows/golangci-lint.yml

@@ -6,6 +6,8 @@ on:
   pull_request:
     branches:
       - '**'
+  workflow_dispatch:
+
 permissions:
   contents: read
 jobs:
@@ -13,9 +15,11 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v5
         with:
-          go-version: '1.19'
+          go-version: '1.21'
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v4
+        with:
+          version: latest

.github/workflows/test.yml

@@ -6,17 +6,18 @@ on:
   pull_request:
     branches:
       - '**'
+  workflow_dispatch:
 
 jobs:
   test:
     name: Test wireproxy
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Setting up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: 1.19
+          go-version: "1.21"
       - name: Install dependencies
         run: sudo apt install wireguard curl
       - name: Building wireproxy

.github/workflows/wireproxy.yml

@@ -28,17 +28,17 @@ jobs:
           cp ./.github/wireproxy-releaser.yml ${{ env.workdir }}/.goreleaser.yml
 
       - name: Set up GoReleaser
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
-          go-version: "1.19"
+          go-version: "1.21"
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@v5
         with:
           distribution: goreleaser
           workdir: ${{ env.workdir }}
           version: latest
-          args: release --rm-dist
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

Dockerfile

@@ -1,5 +1,5 @@
 # Start by building the application.
-FROM golang:1.18 as build
+FROM docker.io/golang:1.21 as build
 
 WORKDIR /usr/src/wireproxy
 COPY . .
@@ -14,6 +14,6 @@ VOLUME [ "/etc/wireproxy"]
 ENTRYPOINT [ "/usr/bin/wireproxy" ]
 CMD [ "--config", "/etc/wireproxy/config" ]
 
-LABEL org.opencontainers.image.title wireproxy
+LABEL org.opencontainers.image.title="wireproxy"
-LABEL org.opencontainers.image.description "Wireguard client that exposes itself as a socks5 proxy"
+LABEL org.opencontainers.image.description="Wireguard client that exposes itself as a socks5 proxy"
-LABEL org.opencontainers.image.licenses ISC
+LABEL org.opencontainers.image.licenses="ISC"

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2023 octeep <github@bandersnatch.anonaddy.com>
+Copyright (c) 2024 Wind Wong <me@windtfw.com>
 
 Permission to use, copy, modify, and distribute this software for any
 purpose with or without fee is hereby granted, provided that the above

README.md

@@ -20,6 +20,9 @@ and configured my browser to use wireproxy for certain sites. It's pretty useful
 wireproxy is completely isolated from my network interfaces, and I don't need root to configure
 anything.
 
+Users who want something similar but for Amnezia VPN can use [this fork](https://github.com/juev/wireproxy/tree/feature/amnezia-go)
+of wireproxy by [@juev](https://github.com/juev).
+
 # Feature
 - TCP static routing for client and server
 - SOCKS5/HTTP proxy (currently only CONNECT is supported)
@@ -35,7 +38,8 @@ anything.
 
 ```
 usage: wireproxy [-h|--help] [-c|--config "<value>"] [-s|--silent]
-                 [-d|--daemon] [-v|--version] [-n|--configtest]
+                 [-d|--daemon] [-i|--info "<value>"] [-v|--version]
+                 [-n|--configtest]
 
                  Userspace wireguard client for proxying
 
@@ -45,9 +49,11 @@ Arguments:
   -c  --config      Path of configuration file
   -s  --silent      Silent mode
   -d  --daemon      Make wireproxy run in background
+  -i  --info        Specify the address and port for exposing health status
   -v  --version     Print version
   -n  --configtest  Configtest mode. Only check the configuration file for
                     validity.
+
 ```
 
 # Build instruction
@@ -57,6 +63,9 @@ cd wireproxy
 make
 ```
 
+# Use with VPN
+Instructions for using wireproxy with Firefox container tabs and auto-start on MacOS can be found [here](/UseWithVPN.md).
+
 # Sample config file
 ```
 # The [Interface] and [Peer] configurations follow the same semantics and meaning
@@ -91,6 +100,16 @@ Target = play.cubecraft.net:25565
 ListenPort = 3422
 Target = localhost:25545
 
+# STDIOTunnel is a tunnel connecting the standard input and output of the wireproxy
+# process to the specified TCP target via wireguard.
+# This is especially useful to use wireproxy as a ProxyCommand parameter in openssh
+# For example:
+#    ssh -o ProxyCommand='wireproxy -c myconfig.conf' ssh.myserver.net
+# Flow:
+# Piped command -->(wireguard)--> ssh.myserver.net:22
+[STDIOTunnel]
+Target = ssh.myserver.net:22
+
 # Socks5 creates a socks5 proxy on your LAN, and all traffic would be routed via wireguard.
 [Socks5]
 BindAddress = 127.0.0.1:25344
@@ -161,10 +180,75 @@ ListenPort = 5080
 Target = service-three.servicenet:80
 ```
 
-## Donation
+Wireproxy can also allow peers to connect to it:
-<noscript><a href="https://liberapay.com/octeep/donate"><img alt="Donate using Liberapay" src="https://liberapay.com/assets/widgets/donate.svg"></a></noscript>
+```
+[Interface]
+ListenPort = 5400
+...
 
+[Peer]
+PublicKey = YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY=
+AllowedIPs = 10.254.254.100/32
+# Note there is no Endpoint defined here.
+```
+# Health endpoint
+Wireproxy supports exposing a health endpoint for monitoring purposes.
+The argument `--info/-i` specifies an address and port (e.g. `localhost:9080`), which exposes a HTTP server that provides health status metric of the server.
 
-## Stargazers over time
+Currently two endpoints are implemented:
 
+`/metrics`: Exposes information of the wireguard daemon, this provides the same information you would get with `wg show`. [This](https://www.wireguard.com/xplatform/#example-dialog) shows an example of what the response would look like.
+
+`/readyz`: This responds with a json which shows the last time a pong is received from an IP specified with `CheckAlive`. When `CheckAlive` is set, a ping is sent out to addresses in `CheckAlive` per `CheckAliveInterval` seconds (defaults to 5) via wireguard. If a pong has not been received from one of the addresses within the last `CheckAliveInterval` seconds (+2 seconds for some leeway to account for latency), then it would respond with a 503, otherwise a 200.
+
+For example:
+```
+[Interface]
+PrivateKey = censored
+Address = 10.2.0.2/32
+DNS = 10.2.0.1
+CheckAlive = 1.1.1.1, 3.3.3.3
+CheckAliveInterval = 3
+
+[Peer]
+PublicKey = censored
+AllowedIPs = 0.0.0.0/0
+Endpoint = 149.34.244.174:51820
+
+[Socks5]
+BindAddress = 127.0.0.1:25344
+```
+`/readyz` would respond with
+```
+< HTTP/1.1 503 Service Unavailable
+< Date: Thu, 11 Apr 2024 00:54:59 GMT
+< Content-Length: 35
+< Content-Type: text/plain; charset=utf-8
+<
+{"1.1.1.1":1712796899,"3.3.3.3":0}
+```
+
+And for:
+```
+[Interface]
+PrivateKey = censored
+Address = 10.2.0.2/32
+DNS = 10.2.0.1
+CheckAlive = 1.1.1.1
+```
+`/readyz` would respond with
+```
+< HTTP/1.1 200 OK
+< Date: Thu, 11 Apr 2024 00:56:21 GMT
+< Content-Length: 23
+< Content-Type: text/plain; charset=utf-8
+<
+{"1.1.1.1":1712796979}
+```
+
+If nothing is set for `CheckAlive`, an empty JSON object with 200 will be the response.
+
+The peer which the ICMP ping packet is routed to depends on the `AllowedIPs` set for each peers.
+
+# Stargazers over time
 [![Stargazers over time](https://starchart.cc/octeep/wireproxy.svg)](https://starchart.cc/octeep/wireproxy)

UseWithVPN.md

@@ -0,0 +1,89 @@
+# Getting a Wireguard Server
+You can create your own wireguard server using a host service like DigitalOcean,
+or you can get a VPN service that provides WireGuard configs.
+
+I recommend ProtonVPN, because it is highly secure and has a great WireGuard
+config generator.
+
+Simply go to https://account.protonvpn.com/downloads and scroll down to the
+wireguard section to generate your configs, then paste into the appropriate
+section below.
+
+# Simple Setup for multiple SOCKS configs for firefox
+
+Create a folder for your configs and startup scripts. Can be the same place as
+this code. That path you will use below. For reference this text uses
+`/Users/jonny/vpntabs`
+
+For each VPN you want to run, you will download your wireguard config and name
+it appropriately (e.g. `ProtonUS.adblock.server.conf`) and then create two new
+files from those below with similar names (e.g. `ProtonUS.adblock.conf` and
+`ProtonUS.adblock.sh`)
+
+You will also create a launch script, the reference below is only for macOS. The
+naming should also be similar (e.g.
+`/Users/jonny/Library/LaunchAgents/com.ProtonUS.adblock.plist`)
+
+## Config File
+Make sure you use a unique port for every separate server
+I recommend you set proxy authentication, you can use the same user/pass for all
+```
+# Link to the Downloaded config
+WGConfig = /Users/jonny/vpntabs/ProtonUS.adblock.server.conf
+
+# Used for firefox containers
+[Socks5]
+BindAddress = 127.0.0.1:25344 # Update the port here for each new server
+
+# Socks5 authentication parameters, specifying username and password enables
+# proxy authentication.
+#Username = ...
+# Avoid using spaces in the password field
+#Password = ...
+```
+
+## Startup Script File
+This is a bash script to facilitate startup, not strictly essential, but adds
+ease.
+Note, you MUST update the first path to wherever you installed this code to.
+Make sure you use the path for the config file above, not the one you downloaded
+from e.g. protonvpn.
+```
+#!/bin/bash
+/Users/jonny/wireproxy/wireproxy -c /Users/jonny/vpntabs/ProtonUS.adblock.conf
+```
+
+## MacOS LaunchAgent
+To make it run every time you start your computer, you can create a launch agent
+in `$HOME/Library/LaunchAgents`. Name reference above.
+
+That file should contain the following, the label should be the same as the file
+name and the paths should be set correctly:
+
+```
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>com.ProtonUS.adblock</string>
+    <key>Program</key>
+    <string>/Users/jonny/vpntabs/ProtonUS.adblock.sh</string>
+    <key>RunAtLoad</key>
+	<true/>
+    <key>KeepAlive</key>
+    <true/>
+</dict>
+</plist>
+```
+
+To enable it, run
+`launchctl load ~/Library/LaunchAgents/com.ProtonUS.adblock.plist` and
+`launchtl start ~/Library/LaunchAgents/com.PortonUS.adblock.plist`
+
+# Firefox Setup
+You will need to enable the Multi Account Container Tabs extension and a proxy extension, I
+recommend Sideberry, but Container Proxy also works.
+
+Create a container to be dedicated to this VPN, and then add the IP, port,
+username, and password from above.

cmd/wireproxy/main.go

@@ -1,13 +1,20 @@
 package main
 
 import (
+	"context"
 	"fmt"
+	"github.com/landlock-lsm/go-landlock/landlock"
 	"log"
+	"net"
+	"net/http"
 	"os"
 	"os/exec"
+	"os/signal"
+	"strconv"
+	"syscall"
 
 	"github.com/akamensky/argparse"
-	"github.com/octeep/wireproxy"
+	"github.com/pufferffish/wireproxy"
 	"golang.zx2c4.com/wireguard/device"
 	"suah.dev/protect"
 )
@@ -15,24 +22,24 @@ import (
 // an argument to denote that this process was spawned by -d
 const daemonProcess = "daemon-process"
 
-var version = "1.0.5-dev"
+var version = "1.0.8-dev"
 
-// attempts to pledge and panic if it fails
+func panicIfError(err error) {
-// this does nothing on non-OpenBSD systems
-func pledgeOrPanic(promises string) {
-	err := protect.Pledge(promises)
 	if err != nil {
 		log.Fatal(err)
 	}
 }
 
+// attempts to pledge and panic if it fails
+// this does nothing on non-OpenBSD systems
+func pledgeOrPanic(promises string) {
+	panicIfError(protect.Pledge(promises))
+}
+
 // attempts to unveil and panic if it fails
 // this does nothing on non-OpenBSD systems
 func unveilOrPanic(path string, flags string) {
-	err := protect.Unveil(path, flags)
+	panicIfError(protect.Unveil(path, flags))
-	if err != nil {
-		log.Fatal(err)
-	}
 }
 
 // get the executable path via syscalls or infer it from argv
@@ -44,20 +51,108 @@ func executablePath() string {
 	return programPath
 }
 
-func main() {
+func lock(stage string) {
+	switch stage {
+	case "boot":
 		exePath := executablePath()
+		// OpenBSD
 		unveilOrPanic("/", "r")
 		unveilOrPanic(exePath, "x")
-
 		// only allow standard stdio operation, file reading, networking, and exec
 		// also remove unveil permission to lock unveil
 		pledgeOrPanic("stdio rpath inet dns proc exec")
+		// Linux
+		panicIfError(landlock.V1.BestEffort().RestrictPaths(
+			landlock.RODirs("/"),
+		))
+	case "boot-daemon":
+	case "read-config":
+		// OpenBSD
+		pledgeOrPanic("stdio rpath inet dns")
+	case "ready":
+		// no file access is allowed from now on, only networking
+		// OpenBSD
+		pledgeOrPanic("stdio inet dns")
+		// Linux
+		net.DefaultResolver.PreferGo = true // needed to lock down dependencies
+		panicIfError(landlock.V1.BestEffort().RestrictPaths(
+			landlock.ROFiles("/etc/resolv.conf"),
+			landlock.ROFiles("/dev/fd"),
+			landlock.ROFiles("/dev/zero"),
+			landlock.ROFiles("/dev/urandom"),
+			landlock.ROFiles("/etc/localtime"),
+			landlock.ROFiles("/proc/self/stat"),
+			landlock.ROFiles("/proc/self/status"),
+			landlock.ROFiles("/usr/share/locale"),
+			landlock.ROFiles("/proc/self/cmdline"),
+			landlock.ROFiles("/usr/share/zoneinfo"),
+			landlock.ROFiles("/proc/sys/kernel/version"),
+			landlock.ROFiles("/proc/sys/kernel/ngroups_max"),
+			landlock.ROFiles("/proc/sys/kernel/cap_last_cap"),
+			landlock.ROFiles("/proc/sys/vm/overcommit_memory"),
+			landlock.RWFiles("/dev/log"),
+			landlock.RWFiles("/dev/null"),
+			landlock.RWFiles("/dev/full"),
+			landlock.RWFiles("/proc/self/fd"),
+		))
+	default:
+		panic("invalid stage")
+	}
+}
+
+func extractPort(addr string) uint16 {
+	_, portStr, err := net.SplitHostPort(addr)
+	if err != nil {
+		panic(fmt.Errorf("failed to extract port from %s: %w", addr, err))
+	}
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		panic(fmt.Errorf("failed to extract port from %s: %w", addr, err))
+	}
+
+	return uint16(port)
+}
+
+func lockNetwork(sections []wireproxy.RoutineSpawner, infoAddr *string) {
+	var rules []landlock.Rule
+	if infoAddr != nil && *infoAddr != "" {
+		rules = append(rules, landlock.BindTCP(extractPort(*infoAddr)))
+	}
+
+	for _, section := range sections {
+		switch section := section.(type) {
+		case *wireproxy.TCPServerTunnelConfig:
+			rules = append(rules, landlock.ConnectTCP(extractPort(section.Target)))
+		case *wireproxy.HTTPConfig:
+			rules = append(rules, landlock.BindTCP(extractPort(section.BindAddress)))
+		case *wireproxy.TCPClientTunnelConfig:
+			rules = append(rules, landlock.ConnectTCP(uint16(section.BindAddress.Port)))
+		case *wireproxy.Socks5Config:
+			rules = append(rules, landlock.BindTCP(extractPort(section.BindAddress)))
+		}
+	}
+
+	panicIfError(landlock.V4.BestEffort().RestrictNet(rules...))
+}
+
+func main() {
+	s := make(chan os.Signal, 1)
+	signal.Notify(s, syscall.SIGINT, syscall.SIGQUIT)
+	ctx, cancel := context.WithCancel(context.Background())
+
+	go func() {
+		<-s
+		cancel()
+	}()
+
+	exePath := executablePath()
+	lock("boot")
 
 	isDaemonProcess := len(os.Args) > 1 && os.Args[1] == daemonProcess
 	args := os.Args
 	if isDaemonProcess {
-		// remove proc and exec if they are not needed
+		lock("boot-daemon")
-		pledgeOrPanic("stdio rpath inet dns")
 		args = []string{args[0]}
 		args = append(args, os.Args[2:]...)
 	}
@@ -66,6 +161,7 @@ func main() {
 	config := parser.String("c", "config", &argparse.Options{Help: "Path of configuration file"})
 	silent := parser.Flag("s", "silent", &argparse.Options{Help: "Silent mode"})
 	daemon := parser.Flag("d", "daemon", &argparse.Options{Help: "Make wireproxy run in background"})
+	info := parser.String("i", "info", &argparse.Options{Help: "Specify the address and port for exposing health status"})
 	printVerison := parser.Flag("v", "version", &argparse.Options{Help: "Print version"})
 	configTest := parser.Flag("n", "configtest", &argparse.Options{Help: "Configtest mode. Only check the configuration file for validity."})
 
@@ -86,8 +182,7 @@ func main() {
 	}
 
 	if !*daemon {
-		// remove proc and exec if they are not needed
+		lock("read-config")
-		pledgeOrPanic("stdio rpath inet dns")
 	}
 
 	conf, err := wireproxy.ParseConfig(*config)
@@ -100,6 +195,8 @@ func main() {
 		return
 	}
 
+	lockNetwork(conf.Routines, info)
+
 	if isDaemonProcess {
 		os.Stdout, _ = os.Open(os.DevNull)
 		os.Stderr, _ = os.Open(os.DevNull)
@@ -116,22 +213,36 @@ func main() {
 		return
 	}
 
+	// Wireguard doesn't allow configuring which FD to use for logging
+	// https://github.com/WireGuard/wireguard-go/blob/master/device/logger.go#L39
+	// so redirect STDOUT to STDERR, we don't want to print anything to STDOUT anyways
+	os.Stdout = os.NewFile(uintptr(syscall.Stderr), "/dev/stderr")
 	logLevel := device.LogLevelVerbose
 	if *silent {
 		logLevel = device.LogLevelSilent
 	}
 
-	// no file access is allowed from now on, only networking
+	lock("ready")
-	pledgeOrPanic("stdio inet dns")
 
-	tnet, err := wireproxy.StartWireguard(conf.Device, logLevel)
+	tun, err := wireproxy.StartWireguard(conf.Device, logLevel)
 	if err != nil {
 		log.Fatal(err)
 	}
 
 	for _, spawner := range conf.Routines {
-		go spawner.SpawnRoutine(tnet)
+		go spawner.SpawnRoutine(tun)
 	}
 
-	select {} // sleep eternally
+	tun.StartPingIPs()
+
+	if *info != "" {
+		go func() {
+			err := http.ListenAndServe(*info, tun)
+			if err != nil {
+				panic(err)
+			}
+		}()
+	}
+
+	<-ctx.Done()
 }

config.go

@@ -15,7 +15,7 @@ import (
 type PeerConfig struct {
 	PublicKey    string
 	PreSharedKey string
-	Endpoint     string
+	Endpoint     *string
 	KeepAlive    int
 	AllowedIPs   []netip.Prefix
 }
@@ -27,6 +27,9 @@ type DeviceConfig struct {
 	Peers              []PeerConfig
 	DNS                []netip.Addr
 	MTU                int
+	ListenPort         *int
+	CheckAlive         []netip.Addr
+	CheckAliveInterval int
 }
 
 type TCPClientTunnelConfig struct {
@@ -34,6 +37,10 @@ type TCPClientTunnelConfig struct {
 	Target      string
 }
 
+type STDIOTunnelConfig struct {
+	Target string
+}
+
 type TCPServerTunnelConfig struct {
 	ListenPort int
 	Target     string
@@ -120,8 +127,9 @@ func parseNetIP(section *ini.Section, keyName string) ([]netip.Addr, error) {
 		return []netip.Addr{}, nil
 	}
 
-	var ips []netip.Addr
+	keys := key.StringsWithShadows(",")
-	for _, str := range key.StringsWithShadows(",") {
+	var ips = make([]netip.Addr, 0, len(keys))
+	for _, str := range keys {
 		str = strings.TrimSpace(str)
 		ip, err := netip.ParseAddr(str)
 		if err != nil {
@@ -138,18 +146,15 @@ func parseCIDRNetIP(section *ini.Section, keyName string) ([]netip.Addr, error)
 		return []netip.Addr{}, nil
 	}
 
-	var ips []netip.Addr
+	keys := key.StringsWithShadows(",")
-	for _, str := range key.StringsWithShadows(",") {
+	var ips = make([]netip.Addr, 0, len(keys))
+	for _, str := range keys {
 		prefix, err := netip.ParsePrefix(str)
 		if err != nil {
 			return nil, err
 		}
 
 		addr := prefix.Addr()
-		if prefix.Bits() != addr.BitLen() {
-			return nil, errors.New("interface address subnet should be /32 for IPv4 and /128 for IPv6")
-		}
-
 		ips = append(ips, addr)
 	}
 	return ips, nil
@@ -161,8 +166,9 @@ func parseAllowedIPs(section *ini.Section) ([]netip.Prefix, error) {
 		return []netip.Prefix{}, nil
 	}
 
-	var ips []netip.Prefix
+	keys := key.StringsWithShadows(",")
-	for _, str := range key.StringsWithShadows(",") {
+	var ips = make([]netip.Prefix, 0, len(keys))
+	for _, str := range keys {
 		prefix, err := netip.ParsePrefix(str)
 		if err != nil {
 			return nil, err
@@ -225,10 +231,37 @@ func ParseInterface(cfg *ini.File, device *DeviceConfig) error {
 		device.MTU = value
 	}
 
+	if sectionKey, err := section.GetKey("ListenPort"); err == nil {
+		value, err := sectionKey.Int()
+		if err != nil {
+			return err
+		}
+		device.ListenPort = &value
+	}
+
+	checkAlive, err := parseNetIP(section, "CheckAlive")
+	if err != nil {
+		return err
+	}
+	device.CheckAlive = checkAlive
+
+	device.CheckAliveInterval = 5
+	if sectionKey, err := section.GetKey("CheckAliveInterval"); err == nil {
+		value, err := sectionKey.Int()
+		if err != nil {
+			return err
+		}
+		if len(checkAlive) == 0 {
+			return errors.New("CheckAliveInterval is only valid when CheckAlive is set")
+		}
+
+		device.CheckAliveInterval = value
+	}
+
 	return nil
 }
 
-// ParsePeer parses the [Peer] section and extract the information into `peers`
+// ParsePeers parses the [Peer] section and extract the information into `peers`
 func ParsePeers(cfg *ini.File, peers *[]PeerConfig) error {
 	sections, err := cfg.SectionsByName("Peer")
 	if len(sections) < 1 || err != nil {
@@ -255,15 +288,14 @@ func ParsePeers(cfg *ini.File, peers *[]PeerConfig) error {
 			peer.PreSharedKey = value
 		}
 
-		decoded, err = parseString(section, "Endpoint")
+		if sectionKey, err := section.GetKey("Endpoint"); err == nil {
+			value := sectionKey.String()
+			decoded, err = resolveIPPAndPort(strings.ToLower(value))
 			if err != nil {
 				return err
 			}
-		decoded, err = resolveIPPAndPort(decoded)
+			peer.Endpoint = &decoded
-		if err != nil {
-			return err
 		}
-		peer.Endpoint = decoded
 
 		if sectionKey, err := section.GetKey("PersistentKeepalive"); err == nil {
 			value, err := sectionKey.Int()
@@ -300,6 +332,17 @@ func parseTCPClientTunnelConfig(section *ini.Section) (RoutineSpawner, error) {
 	return config, nil
 }
 
+func parseSTDIOTunnelConfig(section *ini.Section) (RoutineSpawner, error) {
+	config := &STDIOTunnelConfig{}
+	targetSection, err := parseString(section, "Target")
+	if err != nil {
+		return nil, err
+	}
+	config.Target = targetSection
+
+	return config, nil
+}
+
 func parseTCPServerTunnelConfig(section *ini.Section) (RoutineSpawner, error) {
 	config := &TCPServerTunnelConfig{}
 
@@ -418,6 +461,11 @@ func ParseConfig(path string) (*Configuration, error) {
 		return nil, err
 	}
 
+	err = parseRoutinesConfig(&routinesSpawners, cfg, "STDIOTunnel", parseSTDIOTunnelConfig)
+	if err != nil {
+		return nil, err
+	}
+
 	err = parseRoutinesConfig(&routinesSpawners, cfg, "TCPServerTunnel", parseTCPServerTunnelConfig)
 	if err != nil {
 		return nil, err

go.mod

@@ -1,23 +1,27 @@
-module github.com/octeep/wireproxy
+module github.com/pufferffish/wireproxy
 
-go 1.18
+go 1.21.1
+
+toolchain go1.21.6
 
 require (
 	github.com/MakeNowJust/heredoc/v2 v2.0.1
-	github.com/akamensky/argparse v1.3.1
+	github.com/akamensky/argparse v1.4.0
-	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
+	github.com/go-ini/ini v1.67.0
-	github.com/go-ini/ini v1.66.4
+	github.com/things-go/go-socks5 v0.0.5
-	golang.zx2c4.com/wireguard v0.0.0-20220829161405-d1d08426b27b
+	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
-	suah.dev/protect v1.2.0
+	suah.dev/protect v1.2.3
 )
 
 require (
-	github.com/google/btree v1.0.1 // indirect
+	github.com/google/btree v1.1.2 // indirect
-	github.com/stretchr/testify v1.8.0 // indirect
+	github.com/landlock-lsm/go-landlock v0.0.0-20240216195629-efb66220540a // indirect
-	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
-	golang.org/x/net v0.7.0 // indirect
+	golang.org/x/crypto v0.19.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/net v0.21.0 // indirect
-	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
+	golang.org/x/sys v0.17.0 // indirect
-	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
+	golang.org/x/time v0.5.0 // indirect
-	gvisor.dev/gvisor v0.0.0-20220817001344-846276b3dbc5 // indirect
+	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
+	gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 // indirect
+	kernel.org/pub/linux/libs/security/libcap/psx v1.2.69 // indirect
 )

go.sum

@@ -1,41 +1,41 @@
 github.com/MakeNowJust/heredoc/v2 v2.0.1 h1:rlCHh70XXXv7toz95ajQWOWQnN4WNLt0TdpZYIR/J6A=
 github.com/MakeNowJust/heredoc/v2 v2.0.1/go.mod h1:6/2Abh5s+hc3g9nbWLe9ObDIOhaRrqsyY9MWy+4JdRM=
-github.com/akamensky/argparse v1.3.1 h1:kP6+OyvR0fuBH6UhbE6yh/nskrDEIQgEA1SUXDPjx4g=
+github.com/akamensky/argparse v1.4.0 h1:YGzvsTqCvbEZhL8zZu2AiA5nq805NZh75JNj4ajn1xc=
-github.com/akamensky/argparse v1.3.1/go.mod h1:S5kwC7IuDcEr5VeXtGPRVZ5o/FdhcMlQz4IZQuw64xA=
+github.com/akamensky/argparse v1.4.0/go.mod h1:S5kwC7IuDcEr5VeXtGPRVZ5o/FdhcMlQz4IZQuw64xA=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-ini/ini v1.66.4 h1:dKjMqkcbkzfddhIhyglTPgMoJnkvmG+bSLrU9cTHc5M=
+github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
-github.com/go-ini/ini v1.66.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
+github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
-github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
+github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
-github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
+github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/landlock-lsm/go-landlock v0.0.0-20240216195629-efb66220540a h1:dz+a1MiMQksVhejeZwqJuzPawYQBwug74J8PPtkLl9U=
+github.com/landlock-lsm/go-landlock v0.0.0-20240216195629-efb66220540a/go.mod h1:1NY/VPO8xm3hXw3f+M65z+PJDLUaZA5cu7OfanxoUzY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/things-go/go-socks5 v0.0.5 h1:qvKaGcBkfDrUL33SchHN93srAmYGzb4CxSM2DPYufe8=
-golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd h1:XcWmESyNjXJMLahc3mqVQJcgSTDxFxhETVlfk9uGc38=
+github.com/things-go/go-socks5 v0.0.5/go.mod h1:mtzInf8v5xmsBpHZVbIw2YQYhc4K0jRwzfsH64Uh0IQ=
-golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
-golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
-golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba h1:O8mE0/t419eoIwhTFpKVkHiTs/Igowgfkj25AcZrtiE=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
+golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
+golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
-golang.zx2c4.com/wireguard v0.0.0-20220829161405-d1d08426b27b h1:qgrKnOfe1zyURRNdmDlGbN32i38Zjmw0B1+TMdHcOvg=
+golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20220829161405-d1d08426b27b/go.mod h1:6y4CqPAy54NwiN4nC8K+R1eMpQDB1P2d25qmunh2RSA=
+golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 h1:/jFs0duh4rdb8uIfPMv78iAJGcPKDeqAFnaLBropIC4=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gvisor.dev/gvisor v0.0.0-20220817001344-846276b3dbc5 h1:cv/zaNV0nr1mJzaeo4S5mHIm5va1W0/9J3/5prlsuRM=
+gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 h1:TbRPT0HtzFP3Cno1zZo7yPzEEnfu8EjLfl6IU9VfqkQ=
-gvisor.dev/gvisor v0.0.0-20220817001344-846276b3dbc5/go.mod h1:TIvkJD0sxe8pIob3p6T8IzxXunlp6yfgktvTNp+DGNM=
+gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259/go.mod h1:AVgIgHMwK63XvmAzWG9vLQ41YnVHN0du0tEC46fI7yY=
-suah.dev/protect v1.2.0 h1:4G4V43yVYXCjLFzaE9QJR0fLo3rf5vNBS9YxyoI19DU=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.69 h1:IdrOs1ZgwGw5CI+BH6GgVVlOt+LAXoPyh7enr8lfaXs=
-suah.dev/protect v1.2.0/go.mod h1:Ocn1yqUskqe/is6N2bxQxtT+fegbvQsOFyHbJAQu9XE=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.69/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=
+suah.dev/protect v1.2.3 h1:aHeoNwZ9YPp64hrYaN0g0djNE1eRujgH63CrfRrUKdc=
+suah.dev/protect v1.2.3/go.mod h1:n1R3XIbsnryKX7C1PO88i5Wgo0v8OTXm9K9FIKt4rfs=

http.go

@@ -10,6 +10,8 @@ import (
 	"net"
 	"net/http"
 	"strings"
+
+	"github.com/sourcegraph/conc"
 )
 
 const proxyAuthHeaderKey = "Proxy-Authorization"
@@ -62,7 +64,7 @@ func (s *HTTPServer) handleConn(req *http.Request, conn net.Conn) (peer net.Conn
 
 	_, err = conn.Write([]byte("HTTP/1.1 200 Connection established\r\n\r\n"))
 	if err != nil {
-		peer.Close()
+		_ = peer.Close()
 		peer = nil
 	}
 
@@ -83,7 +85,7 @@ func (s *HTTPServer) handle(req *http.Request) (peer net.Conn, err error) {
 
 	err = req.Write(peer)
 	if err != nil {
-		peer.Close()
+		_ = peer.Close()
 		peer = nil
 		return peer, fmt.Errorf("conn write failed: %w", err)
 	}
@@ -91,19 +93,19 @@ func (s *HTTPServer) handle(req *http.Request) (peer net.Conn, err error) {
 	return
 }
 
-func (s *HTTPServer) serve(conn net.Conn) error {
+func (s *HTTPServer) serve(conn net.Conn) {
-	defer conn.Close()
+	var rd = bufio.NewReader(conn)
-
+	req, err := http.ReadRequest(rd)
-	var rd io.Reader = bufio.NewReader(conn)
-	req, err := http.ReadRequest(rd.(*bufio.Reader))
 	if err != nil {
-		return fmt.Errorf("read request failed: %w", err)
+		log.Printf("read request failed: %s\n", err)
+		return
 	}
 
 	code, err := s.authenticate(req)
 	if err != nil {
 		_ = responseWith(req, code).Write(conn)
-		return err
+		log.Println(err)
+		return
 	}
 
 	var peer net.Conn
@@ -114,43 +116,47 @@ func (s *HTTPServer) serve(conn net.Conn) error {
 		peer, err = s.handle(req)
 	default:
 		_ = responseWith(req, http.StatusMethodNotAllowed).Write(conn)
-		return fmt.Errorf("unsupported protocol: %s", req.Method)
+		log.Printf("unsupported protocol: %s\n", req.Method)
+		return
 	}
 	if err != nil {
-		return fmt.Errorf("dial proxy failed: %w", err)
+		log.Printf("dial proxy failed: %s\n", err)
+		return
 	}
 	if peer == nil {
-		return fmt.Errorf("dial proxy failed: peer nil")
+		log.Println("dial proxy failed: peer nil")
+		return
 	}
-	defer peer.Close()
-
 	go func() {
-		defer peer.Close()
+		wg := conc.NewWaitGroup()
-		defer conn.Close()
+		wg.Go(func() {
-		_, _ = io.Copy(conn, peer)
+			_, err = io.Copy(conn, peer)
-	}()
+			_ = conn.Close()
+		})
+		wg.Go(func() {
 			_, err = io.Copy(peer, conn)
-
+			_ = peer.Close()
-	return err
+		})
+		wg.Wait()
+	}()
 }
 
 // ListenAndServe is used to create a listener and serve on it
 func (s *HTTPServer) ListenAndServe(network, addr string) error {
-	server, err := net.Listen("tcp", s.config.BindAddress)
+	server, err := net.Listen(network, addr)
 	if err != nil {
 		return fmt.Errorf("listen tcp failed: %w", err)
 	}
-
+	defer func(server net.Listener) {
+		_ = server.Close()
+	}(server)
 	for {
 		conn, err := server.Accept()
 		if err != nil {
 			return fmt.Errorf("accept request failed: %w", err)
 		}
 		go func(conn net.Conn) {
-			err = s.serve(conn)
+			s.serve(conn)
-			if err != nil {
-				log.Println(err)
-			}
 		}(conn)
 	}
 }

routine.go

@@ -1,20 +1,35 @@
 package wireproxy
 
 import (
+	"bytes"
 	"context"
+	srand "crypto/rand"
 	"crypto/subtle"
+	"encoding/binary"
+	"encoding/json"
 	"errors"
+	"golang.org/x/net/icmp"
+	"golang.org/x/net/ipv4"
+	"golang.org/x/net/ipv6"
+	"golang.zx2c4.com/wireguard/device"
 	"io"
 	"log"
 	"math/rand"
 	"net"
+	"net/http"
 	"os"
+	"path"
 	"strconv"
+	"strings"
+	"time"
 
-	"github.com/armon/go-socks5"
+	"github.com/sourcegraph/conc"
+	"github.com/things-go/go-socks5"
+	"github.com/things-go/go-socks5/bufferpool"
+
+	"net/netip"
 
 	"golang.zx2c4.com/wireguard/tun/netstack"
-	"net/netip"
 )
 
 // errorLogger is the logger to print error message
@@ -29,7 +44,11 @@ type CredentialValidator struct {
 // VirtualTun stores a reference to netstack network and DNS configuration
 type VirtualTun struct {
 	Tnet      *netstack.Net
+	Dev       *device.Device
 	SystemDNS bool
+	Conf      *DeviceConfig
+	// PingRecord stores the last time an IP was pinged
+	PingRecord map[string]uint64
 }
 
 // RoutineSpawner spawns a routine (e.g. socks5, tcp static routes) after the configuration is parsed
@@ -47,9 +66,8 @@ type addressPort struct {
 func (d VirtualTun) LookupAddr(ctx context.Context, name string) ([]string, error) {
 	if d.SystemDNS {
 		return net.DefaultResolver.LookupHost(ctx, name)
-	} else {
-		return d.Tnet.LookupContextHost(ctx, name)
 	}
+	return d.Tnet.LookupContextHost(ctx, name)
 }
 
 // ResolveAddrWithContext resolves a hostname and returns an AddrPort.
@@ -121,17 +139,24 @@ func (d VirtualTun) resolveToAddrPort(endpoint *addressPort) (*netip.AddrPort, e
 
 // SpawnRoutine spawns a socks5 server.
 func (config *Socks5Config) SpawnRoutine(vt *VirtualTun) {
-	conf := &socks5.Config{Dial: vt.Tnet.DialContext, Resolver: vt}
+	var authMethods []socks5.Authenticator
 	if username := config.Username; username != "" {
-		validator := CredentialValidator{username: username}
+		authMethods = append(authMethods, socks5.UserPassAuthenticator{
-		validator.password = config.Password
+			Credentials: socks5.StaticCredentials{username: config.Password},
-		conf.Credentials = validator
+		})
+	} else {
+		authMethods = append(authMethods, socks5.NoAuthAuthenticator{})
 	}
-	server, err := socks5.New(conf)
+
-	if err != nil {
+	options := []socks5.Option{
-		log.Fatal(err)
+		socks5.WithDial(vt.Tnet.DialContext),
+		socks5.WithResolver(vt),
+		socks5.WithAuthMethods(authMethods),
+		socks5.WithBufferPool(bufferpool.NewPool(256 * 1024)),
 	}
 
+	server := socks5.NewServer(options...)
+
 	if err := server.ListenAndServe("tcp", config.BindAddress); err != nil {
 		log.Fatal(err)
 	}
@@ -139,16 +164,16 @@ func (config *Socks5Config) SpawnRoutine(vt *VirtualTun) {
 
 // SpawnRoutine spawns a http server.
 func (config *HTTPConfig) SpawnRoutine(vt *VirtualTun) {
-	http := &HTTPServer{
+	server := &HTTPServer{
 		config: config,
 		dial:   vt.Tnet.Dial,
 		auth:   CredentialValidator{config.Username, config.Password},
 	}
 	if config.Username != "" || config.Password != "" {
-		http.authRequired = true
+		server.authRequired = true
 	}
 
-	if err := http.ListenAndServe("tcp", config.BindAddress); err != nil {
+	if err := server.ListenAndServe("tcp", config.BindAddress); err != nil {
 		log.Fatal(err)
 	}
 }
@@ -161,15 +186,12 @@ func (c CredentialValidator) Valid(username, password string) bool {
 	return u&p == 1
 }
 
-// connForward copy data from `from` to `to`, then close both stream.
+// connForward copy data from `from` to `to`
-func connForward(bufSize int, from io.ReadWriteCloser, to io.ReadWriteCloser) {
+func connForward(from io.ReadWriteCloser, to io.ReadWriteCloser) {
-	buf := make([]byte, bufSize)
+	_, err := io.Copy(to, from)
-	_, err := io.CopyBuffer(to, from, buf)
 	if err != nil {
 		errorLogger.Printf("Cannot forward traffic: %s\n", err.Error())
 	}
-	_ = from.Close()
-	_ = to.Close()
 }
 
 // tcpClientForward starts a new connection via wireguard and forward traffic from `conn`
@@ -188,8 +210,56 @@ func tcpClientForward(vt *VirtualTun, raddr *addressPort, conn net.Conn) {
 		return
 	}
 
-	go connForward(1024, sconn, conn)
+	go func() {
-	go connForward(1024, conn, sconn)
+		wg := conc.NewWaitGroup()
+		wg.Go(func() {
+			connForward(sconn, conn)
+		})
+		wg.Go(func() {
+			connForward(conn, sconn)
+		})
+		wg.Wait()
+		_ = sconn.Close()
+		_ = conn.Close()
+		sconn = nil
+		conn = nil
+	}()
+}
+
+// STDIOTcpForward starts a new connection via wireguard and forward traffic from `conn`
+func STDIOTcpForward(vt *VirtualTun, raddr *addressPort) {
+	target, err := vt.resolveToAddrPort(raddr)
+	if err != nil {
+		errorLogger.Printf("Name resolution error for %s: %s\n", raddr.address, err.Error())
+		return
+	}
+
+	// os.Stdout has previously been remapped to stderr, se we can't use it
+	stdout, err := os.OpenFile("/dev/stdout", os.O_WRONLY, 0)
+	if err != nil {
+		errorLogger.Printf("Failed to open /dev/stdout: %s\n", err.Error())
+		return
+	}
+
+	tcpAddr := TCPAddrFromAddrPort(*target)
+	sconn, err := vt.Tnet.DialTCP(tcpAddr)
+	if err != nil {
+		errorLogger.Printf("TCP Client Tunnel to %s (%s): %s\n", target, tcpAddr, err.Error())
+		return
+	}
+
+	go func() {
+		wg := conc.NewWaitGroup()
+		wg.Go(func() {
+			connForward(os.Stdin, sconn)
+		})
+		wg.Go(func() {
+			connForward(sconn, stdout)
+		})
+		wg.Wait()
+		_ = sconn.Close()
+		sconn = nil
+	}()
 }
 
 // SpawnRoutine spawns a local TCP server which acts as a proxy to the specified target
@@ -213,6 +283,16 @@ func (conf *TCPClientTunnelConfig) SpawnRoutine(vt *VirtualTun) {
 	}
 }
 
+// SpawnRoutine connects to the specified target and plumbs it to STDIN / STDOUT
+func (conf *STDIOTunnelConfig) SpawnRoutine(vt *VirtualTun) {
+	raddr, err := parseAddressPort(conf.Target)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	go STDIOTcpForward(vt, raddr)
+}
+
 // tcpServerForward starts a new connection locally and forward traffic from `conn`
 func tcpServerForward(vt *VirtualTun, raddr *addressPort, conn net.Conn) {
 	target, err := vt.resolveToAddrPort(raddr)
@@ -229,8 +309,20 @@ func tcpServerForward(vt *VirtualTun, raddr *addressPort, conn net.Conn) {
 		return
 	}
 
-	go connForward(1024, sconn, conn)
+	go func() {
-	go connForward(1024, conn, sconn)
+		gr := conc.NewWaitGroup()
+		gr.Go(func() {
+			connForward(sconn, conn)
+		})
+		gr.Go(func() {
+			connForward(conn, sconn)
+		})
+		gr.Wait()
+		_ = sconn.Close()
+		_ = conn.Close()
+		sconn = nil
+		conn = nil
+	}()
 }
 
 // SpawnRoutine spawns a TCP server on wireguard which acts as a proxy to the specified target
@@ -254,3 +346,151 @@ func (conf *TCPServerTunnelConfig) SpawnRoutine(vt *VirtualTun) {
 		go tcpServerForward(vt, raddr, conn)
 	}
 }
+
+func (d VirtualTun) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	log.Printf("Health metric request: %s\n", r.URL.Path)
+	switch path.Clean(r.URL.Path) {
+	case "/readyz":
+		body, err := json.Marshal(d.PingRecord)
+		if err != nil {
+			errorLogger.Printf("Failed to get device metrics: %s\n", err.Error())
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
+		status := http.StatusOK
+		for _, record := range d.PingRecord {
+			lastPong := time.Unix(int64(record), 0)
+			// +2 seconds to account for the time it takes to ping the IP
+			if time.Since(lastPong) > time.Duration(d.Conf.CheckAliveInterval+2)*time.Second {
+				status = http.StatusServiceUnavailable
+				break
+			}
+		}
+
+		w.WriteHeader(status)
+		_, _ = w.Write(body)
+		_, _ = w.Write([]byte("\n"))
+	case "/metrics":
+		get, err := d.Dev.IpcGet()
+		if err != nil {
+			errorLogger.Printf("Failed to get device metrics: %s\n", err.Error())
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		var buf bytes.Buffer
+		for _, peer := range strings.Split(get, "\n") {
+			pair := strings.SplitN(peer, "=", 2)
+			if len(pair) != 2 {
+				buf.WriteString(peer)
+				continue
+			}
+			if pair[0] == "private_key" || pair[0] == "preshared_key" {
+				pair[1] = "REDACTED"
+			}
+			buf.WriteString(pair[0])
+			buf.WriteString("=")
+			buf.WriteString(pair[1])
+			buf.WriteString("\n")
+		}
+
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write(buf.Bytes())
+	default:
+		w.WriteHeader(http.StatusNotFound)
+	}
+}
+
+func (d VirtualTun) pingIPs() {
+	for _, addr := range d.Conf.CheckAlive {
+		socket, err := d.Tnet.Dial("ping", addr.String())
+		if err != nil {
+			errorLogger.Printf("Failed to ping %s: %s\n", addr, err.Error())
+			continue
+		}
+
+		data := make([]byte, 16)
+		_, _ = srand.Read(data)
+
+		requestPing := icmp.Echo{
+			Seq:  rand.Intn(1 << 16),
+			Data: data,
+		}
+
+		var icmpBytes []byte
+		if addr.Is4() {
+			icmpBytes, _ = (&icmp.Message{Type: ipv4.ICMPTypeEcho, Code: 0, Body: &requestPing}).Marshal(nil)
+		} else if addr.Is6() {
+			icmpBytes, _ = (&icmp.Message{Type: ipv6.ICMPTypeEchoRequest, Code: 0, Body: &requestPing}).Marshal(nil)
+		} else {
+			errorLogger.Printf("Failed to ping %s: invalid address: %s\n", addr, addr.String())
+			continue
+		}
+
+		_ = socket.SetReadDeadline(time.Now().Add(time.Duration(d.Conf.CheckAliveInterval) * time.Second))
+		_, err = socket.Write(icmpBytes)
+		if err != nil {
+			errorLogger.Printf("Failed to ping %s: %s\n", addr, err.Error())
+			continue
+		}
+
+		addr := addr
+		go func() {
+			n, err := socket.Read(icmpBytes[:])
+			if err != nil {
+				errorLogger.Printf("Failed to read ping response from %s: %s\n", addr, err.Error())
+				return
+			}
+
+			replyPacket, err := icmp.ParseMessage(1, icmpBytes[:n])
+			if err != nil {
+				errorLogger.Printf("Failed to parse ping response from %s: %s\n", addr, err.Error())
+				return
+			}
+
+			if addr.Is4() {
+				replyPing, ok := replyPacket.Body.(*icmp.Echo)
+				if !ok {
+					errorLogger.Printf("Failed to parse ping response from %s: invalid reply type: %s\n", addr, replyPacket.Type)
+					return
+				}
+				if !bytes.Equal(replyPing.Data, requestPing.Data) || replyPing.Seq != requestPing.Seq {
+					errorLogger.Printf("Failed to parse ping response from %s: invalid ping reply: %v\n", addr, replyPing)
+					return
+				}
+			}
+
+			if addr.Is6() {
+				replyPing, ok := replyPacket.Body.(*icmp.RawBody)
+				if !ok {
+					errorLogger.Printf("Failed to parse ping response from %s: invalid reply type: %s\n", addr, replyPacket.Type)
+					return
+				}
+
+				seq := binary.BigEndian.Uint16(replyPing.Data[2:4])
+				pongBody := replyPing.Data[4:]
+				if !bytes.Equal(pongBody, requestPing.Data) || int(seq) != requestPing.Seq {
+					errorLogger.Printf("Failed to parse ping response from %s: invalid ping reply: %v\n", addr, replyPing)
+					return
+				}
+			}
+
+			d.PingRecord[addr.String()] = uint64(time.Now().Unix())
+
+			defer socket.Close()
+		}()
+	}
+}
+
+func (d VirtualTun) StartPingIPs() {
+	for _, addr := range d.Conf.CheckAlive {
+		d.PingRecord[addr.String()] = 0
+	}
+
+	go func() {
+		for {
+			d.pingIPs()
+			time.Sleep(time.Duration(d.Conf.CheckAliveInterval) * time.Second)
+		}
+	}()
+}

systemd/README.md

@@ -0,0 +1,35 @@
+# Running wireproxy with systemd
+
+If you're on a systemd-based distro, you'll most likely want to run Wireproxy as a systemd unit.
+
+The provided systemd unit assumes you have the wireproxy executable installed on `/opt/wireproxy/wireproxy` and a configuration file stored at `/etc/wireproxy.conf`. These paths can be customized by editing the unit file.
+
+# Setting up the unit
+
+1. Copy the `wireproxy.service` file from this directory to `/etc/systemd/system/`, or use the following cURL command to download it:
+   ```bash
+   sudo curl https://raw.githubusercontent.com/pufferffish/wireproxy/master/systemd/wireproxy.service > /etc/systemd/system/wireproxy.service
+   ```
+
+2. If necessary, customize the unit.
+
+   Edit the parts with `LoadCredential`, `ExecStartPre=` and `ExecStart=` to point to the executable and the configuration file. For example, if wireproxy is installed on `/usr/bin` and the configuration file is located in `/opt/myfiles/wireproxy.conf` do the following change:
+   ```service
+   LoadCredential=conf:/opt/myfiles/wireproxy.conf
+   ExecStartPre=/usr/bin/wireproxy -n -c ${CREDENTIALS_DIRECTORY}/conf
+   ExecStart=/usr/bin/wireproxy -c ${CREDENTIALS_DIRECTORY}/conf
+   ```
+
+4. Reload systemd and enable the unit.
+   ```bash
+   sudo systemctl daemon-reload
+   sudo systemctl enable --now wireproxy.service
+   ```
+
+5. Make sure it's working correctly.
+
+   Finally, check out the unit status to confirm `wireproxy.service` has started without problems. You can use commands like `systemctl status wireproxy.service` and/or `sudo journalctl -u wireproxy.service`.
+
+# Additional notes
+
+If you want to disable the extensive logging that's done by Wireproxy, simply add `-s` parameter to `ExecStart=`. This will enable the silent mode that was implemented with [pull/67](https://github.com/pufferffish/wireproxy/pull/67).

systemd/wireproxy.service

@@ -0,0 +1,46 @@
+[Unit]
+Description=Wireproxy socks5/http tunnel
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=wireproxy
+Group=wireproxy
+SyslogIdentifier=wireproxy
+Type=simple
+Restart=on-failure
+RestartSec=30s
+
+DynamicUser=yes
+LoadCredential=conf:/etc/wireproxy.conf
+ExecStartPre=/opt/wireproxy/wireproxy -n -c ${CREDENTIALS_DIRECTORY}/conf
+ExecStart=/opt/wireproxy/wireproxy -c ${CREDENTIALS_DIRECTORY}/conf
+
+# Required if <1024 port
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+LimitNPROC=64
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target

wireguard.go

@@ -26,15 +26,21 @@ func createIPCRequest(conf *DeviceConfig) (*DeviceSetting, error) {
 
 	request.WriteString(fmt.Sprintf("private_key=%s\n", conf.SecretKey))
 
+	if conf.ListenPort != nil {
+		request.WriteString(fmt.Sprintf("listen_port=%d\n", *conf.ListenPort))
+	}
+
 	for _, peer := range conf.Peers {
 		request.WriteString(fmt.Sprintf(heredoc.Doc(`
 				public_key=%s
-				endpoint=%s
 				persistent_keepalive_interval=%d
 				preshared_key=%s
 			`),
-			peer.PublicKey, peer.Endpoint, peer.KeepAlive, peer.PreSharedKey,
+			peer.PublicKey, peer.KeepAlive, peer.PreSharedKey,
 		))
+		if peer.Endpoint != nil {
+			request.WriteString(fmt.Sprintf("endpoint=%s\n", *peer.Endpoint))
+		}
 
 		if len(peer.AllowedIPs) > 0 {
 			for _, ip := range peer.AllowedIPs {
@@ -76,6 +82,9 @@ func StartWireguard(conf *DeviceConfig, logLevel int) (*VirtualTun, error) {
 
 	return &VirtualTun{
 		Tnet:       tnet,
+		Dev:        dev,
+		Conf:       conf,
 		SystemDNS:  len(setting.dns) == 0,
+		PingRecord: make(map[string]uint64),
 	}, nil
 }