Bump golang.org/x/net from 0.33.0 to 0.38.0

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.33.0 to 0.38.0. - [Commits](https://github.com/golang/net/compare/v0.33.0...v0.38.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
fix: issue with omiting endpoint (#157 )
2025-04-16 22:58:46 +00:00 · 2025-02-19 17:21:17 +00:00 · 2025-02-18 12:27:18 +00:00 · 2025-02-18 12:26:13 +00:00 · 2025-01-31 16:26:26 +00:00 · 2025-01-31 16:09:16 +00:00
17 changed files with 768 additions and 185 deletions
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -59,6 +59,7 @@ jobs:
          docker buildx build \
            --platform "$BUILD_PLATFORMS" \
            --tag "$CONTAINER_NAME:$CONTAINER_TAG" \
+            --tag "$CONTAINER_NAME:$GITHUB_SHA" \
            --label "org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}" \
            --label "org.opencontainers.image.documentation=${{ github.server_url }}/${{ github.repository }}" \
            --label "org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}/packages" \
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-Copyright (c) 2023 octeep <github@bandersnatch.anonaddy.com>
+Copyright (c) 2024 Wind Wong <me@windtfw.com>

 Permission to use, copy, modify, and distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
 # wireproxy
+
 [![ISC licensed](https://img.shields.io/badge/license-ISC-blue)](./LICENSE)
 [![Build status](https://github.com/octeep/wireproxy/actions/workflows/build.yml/badge.svg)](https://github.com/octeep/wireproxy/actions)
 [![Documentation](https://img.shields.io/badge/godoc-wireproxy-blue)](https://pkg.go.dev/github.com/octeep/wireproxy)
@@ -6,12 +7,14 @@
 A wireguard client that exposes itself as a socks5/http proxy or tunnels.

 # What is this
+
 `wireproxy` is a completely userspace application that connects to a wireguard peer,
 and exposes a socks5/http proxy or tunnels on the machine. This can be useful if you need
 to connect to certain sites via a wireguard peer, but can't be bothered to setup a new network
 interface for whatever reasons.

 # Why you might want this
+
 - You simply want to use wireguard as a way to proxy some traffic.
 - You don't want root permission just to change wireguard settings.

@@ -20,22 +23,36 @@ and configured my browser to use wireproxy for certain sites. It's pretty useful
 wireproxy is completely isolated from my network interfaces, and I don't need root to configure
 anything.

+Users who want something similar but for Amnezia VPN can use [this fork](https://github.com/artem-russkikh/wireproxy-awg)
+of wireproxy by [@artem-russkikh](https://github.com/artem-russkikh).
+
+# Sponsor
+
+This project is supported by [IPRoyal](https://iproyal.com/?r=795836). You can get premium quality proxies at unbeatable prices
+with a discount using [this referral link](https://iproyal.com/?r=795836)! 🚀
+
+![IPRoyal](/assets/iproyal.png)
+
 # Feature
+
 - TCP static routing for client and server
 - SOCKS5/HTTP proxy (currently only CONNECT is supported)

 # TODO
+
 - UDP Support in SOCKS5
 - UDP static routing

 # Usage
-```
-./wireproxy -c [path to config]
+
+```bash
+./wireproxy [-c path to config]
 ```

-```
+```bash
 usage: wireproxy [-h|--help] [-c|--config "<value>"] [-s|--silent]
-                 [-d|--daemon] [-v|--version] [-n|--configtest]
+                 [-d|--daemon] [-i|--info "<value>"] [-v|--version]
+                 [-n|--configtest]

                 Userspace wireguard client for proxying

@@ -43,25 +60,36 @@ Arguments:

  -h  --help        Print help information
  -c  --config      Path of configuration file
+                    Default paths: /etc/wireproxy/wireproxy.conf, $HOME/.config/wireproxy.conf
  -s  --silent      Silent mode
  -d  --daemon      Make wireproxy run in background
+  -i  --info        Specify the address and port for exposing health status
  -v  --version     Print version
  -n  --configtest  Configtest mode. Only check the configuration file for
                    validity.
 ```

 # Build instruction
-```
+
+```bash
 git clone https://github.com/octeep/wireproxy
 cd wireproxy
 make
 ```

+# Install
+
+```bash
+go install github.com/pufferffish/wireproxy/cmd/wireproxy@v1.0.9 # or @latest
+```
+
 # Use with VPN
+
 Instructions for using wireproxy with Firefox container tabs and auto-start on MacOS can be found [here](/UseWithVPN.md).

 # Sample config file
-```
+
+```ini
 # The [Interface] and [Peer] configurations follow the same semantics and meaning
 # of a wg-quick configuration. To understand what these fields mean, please refer to:
 # https://wiki.archlinux.org/title/WireGuard#Persistent_configuration
@@ -70,6 +98,7 @@ Instructions for using wireproxy with Firefox container tabs and auto-start on M
 Address = 10.200.200.2/32 # The subnet should be /32 and /128 for IPv4 and v6 respectively
 # MTU = 1420 (optional)
 PrivateKey = uCTIK+56CPyCvwJxmU5dBfuyJvPuSXAq1FzHdnIxe1Q=
+# PrivateKey = $MY_WIREGUARD_PRIVATE_KEY # Alternatively, reference environment variables
 DNS = 10.200.200.1

 [Peer]
@@ -127,7 +156,8 @@ BindAddress = 127.0.0.1:25345

 Alternatively, if you already have a wireguard config, you can import it in the
 wireproxy config file like this:
-```
+
+```ini
 WGConfig = <path to the wireguard config>

 # Same semantics as above
@@ -143,7 +173,8 @@ WGConfig = <path to the wireguard config>

 Having multiple peers is also supported. `AllowedIPs` would need to be specified
 such that wireproxy would know which peer to forward to.
-```
+
+```ini
 [Interface]
 Address = 10.254.254.40/32
 PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
@@ -175,7 +206,8 @@ Target = service-three.servicenet:80
 ```

 Wireproxy can also allow peers to connect to it:
-```
+
+```ini
 [Interface]
 ListenPort = 5400
 ...
@@ -186,5 +218,72 @@ AllowedIPs = 10.254.254.100/32
 # Note there is no Endpoint defined here.
 ```

+# Health endpoint
+
+Wireproxy supports exposing a health endpoint for monitoring purposes.
+The argument `--info/-i` specifies an address and port (e.g. `localhost:9080`), which exposes a HTTP server that provides health status metric of the server.
+
+Currently two endpoints are implemented:
+
+`/metrics`: Exposes information of the wireguard daemon, this provides the same information you would get with `wg show`. [This](https://www.wireguard.com/xplatform/#example-dialog) shows an example of what the response would look like.
+
+`/readyz`: This responds with a json which shows the last time a pong is received from an IP specified with `CheckAlive`. When `CheckAlive` is set, a ping is sent out to addresses in `CheckAlive` per `CheckAliveInterval` seconds (defaults to 5) via wireguard. If a pong has not been received from one of the addresses within the last `CheckAliveInterval` seconds (+2 seconds for some leeway to account for latency), then it would respond with a 503, otherwise a 200.
+
+For example:
+
+```ini
+[Interface]
+PrivateKey = censored
+Address = 10.2.0.2/32
+DNS = 10.2.0.1
+CheckAlive = 1.1.1.1, 3.3.3.3
+CheckAliveInterval = 3
+
+[Peer]
+PublicKey = censored
+AllowedIPs = 0.0.0.0/0
+Endpoint = 149.34.244.174:51820
+
+[Socks5]
+BindAddress = 127.0.0.1:25344
+```
+
+`/readyz` would respond with
+
+```text
+< HTTP/1.1 503 Service Unavailable
+< Date: Thu, 11 Apr 2024 00:54:59 GMT
+< Content-Length: 35
+< Content-Type: text/plain; charset=utf-8
+<
+{"1.1.1.1":1712796899,"3.3.3.3":0}
+```
+
+And for:
+
+```ini
+[Interface]
+PrivateKey = censored
+Address = 10.2.0.2/32
+DNS = 10.2.0.1
+CheckAlive = 1.1.1.1
+```
+
+`/readyz` would respond with
+
+```text
+< HTTP/1.1 200 OK
+< Date: Thu, 11 Apr 2024 00:56:21 GMT
+< Content-Length: 23
+< Content-Type: text/plain; charset=utf-8
+<
+{"1.1.1.1":1712796979}
+```
+
+If nothing is set for `CheckAlive`, an empty JSON object with 200 will be the response.
+
+The peer which the ICMP ping packet is routed to depends on the `AllowedIPs` set for each peers.
+
 # Stargazers over time
+
 [![Stargazers over time](https://starchart.cc/octeep/wireproxy.svg)](https://starchart.cc/octeep/wireproxy)
--- a/UseWithVPN.md
+++ b/UseWithVPN.md
@@ -1,11 +1,12 @@
 # Getting a Wireguard Server
+
 You can create your own wireguard server using a host service like DigitalOcean,
 or you can get a VPN service that provides WireGuard configs.

 I recommend ProtonVPN, because it is highly secure and has a great WireGuard
 config generator.

-Simply go to https://account.protonvpn.com/downloads and scroll down to the
+Simply go to <https://account.protonvpn.com/downloads> and scroll down to the
 wireguard section to generate your configs, then paste into the appropriate
 section below.

@@ -25,9 +26,11 @@ naming should also be similar (e.g.
 `/Users/jonny/Library/LaunchAgents/com.ProtonUS.adblock.plist`)

 ## Config File
+
 Make sure you use a unique port for every separate server
 I recommend you set proxy authentication, you can use the same user/pass for all
-```
+
+```ini
 # Link to the Downloaded config
 WGConfig = /Users/jonny/vpntabs/ProtonUS.adblock.server.conf

@@ -43,24 +46,27 @@ BindAddress = 127.0.0.1:25344 # Update the port here for each new server
 ```

 ## Startup Script File
+
 This is a bash script to facilitate startup, not strictly essential, but adds
 ease.
 Note, you MUST update the first path to wherever you installed this code to.
 Make sure you use the path for the config file above, not the one you downloaded
 from e.g. protonvpn.
-```
+
+```bash
 #!/bin/bash
 /Users/jonny/wireproxy/wireproxy -c /Users/jonny/vpntabs/ProtonUS.adblock.conf
 ```

 ## MacOS LaunchAgent
+
 To make it run every time you start your computer, you can create a launch agent
 in `$HOME/Library/LaunchAgents`. Name reference above.

 That file should contain the following, the label should be the same as the file
 name and the paths should be set correctly:

-```
+```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
@@ -70,7 +76,7 @@ name and the paths should be set correctly:
    <key>Program</key>
    <string>/Users/jonny/vpntabs/ProtonUS.adblock.sh</string>
    <key>RunAtLoad</key>
-	<true/>
+    <true/>
    <key>KeepAlive</key>
    <true/>
 </dict>
@@ -82,6 +88,7 @@ To enable it, run
 `launchtl start ~/Library/LaunchAgents/com.PortonUS.adblock.plist`

 # Firefox Setup
+
 You will need to enable the Multi Account Container Tabs extension and a proxy extension, I
 recommend Sideberry, but Container Proxy also works.

--- a/assets/iproyal.png
+++ b/assets/iproyal.png
--- a/cmd/wireproxy/main.go
+++ b/cmd/wireproxy/main.go
@@ -3,10 +3,14 @@ package main
 import (
 	"context"
 	"fmt"
+	"github.com/landlock-lsm/go-landlock/landlock"
 	"log"
+	"net"
+	"net/http"
 	"os"
 	"os/exec"
 	"os/signal"
+	"strconv"
 	"syscall"

 	"github.com/akamensky/argparse"
@@ -18,24 +22,30 @@ import (
 // an argument to denote that this process was spawned by -d
 const daemonProcess = "daemon-process"

-var version = "1.0.5-dev"
+// default paths for wireproxy config file
+var default_config_paths = []string {
+    "/etc/wireproxy/wireproxy.conf",
+    os.Getenv("HOME")+"/.config/wireproxy.conf",
+}

-// attempts to pledge and panic if it fails
-// this does nothing on non-OpenBSD systems
-func pledgeOrPanic(promises string) {
-	err := protect.Pledge(promises)
+var version = "1.0.8-dev"
+
+func panicIfError(err error) {
 	if err != nil {
 		log.Fatal(err)
 	}
 }

+// attempts to pledge and panic if it fails
+// this does nothing on non-OpenBSD systems
+func pledgeOrPanic(promises string) {
+	panicIfError(protect.Pledge(promises))
+}
+
 // attempts to unveil and panic if it fails
 // this does nothing on non-OpenBSD systems
 func unveilOrPanic(path string, flags string) {
-	err := protect.Unveil(path, flags)
-	if err != nil {
-		log.Fatal(err)
-	}
+	panicIfError(protect.Unveil(path, flags))
 }

 // get the executable path via syscalls or infer it from argv
@@ -47,6 +57,101 @@ func executablePath() string {
 	return programPath
 }

+// check if default config file paths exist
+func configFilePath() (string, bool) {
+    for _, path := range default_config_paths {
+        if _, err := os.Stat(path); err == nil {
+            return path, true
+        }
+    }
+    return "", false
+}
+
+func lock(stage string) {
+	switch stage {
+	case "boot":
+		exePath := executablePath()
+		// OpenBSD
+		unveilOrPanic("/", "r")
+		unveilOrPanic(exePath, "x")
+		// only allow standard stdio operation, file reading, networking, and exec
+		// also remove unveil permission to lock unveil
+		pledgeOrPanic("stdio rpath inet dns proc exec")
+		// Linux
+		panicIfError(landlock.V1.BestEffort().RestrictPaths(
+			landlock.RODirs("/"),
+		))
+	case "boot-daemon":
+	case "read-config":
+		// OpenBSD
+		pledgeOrPanic("stdio rpath inet dns")
+	case "ready":
+		// no file access is allowed from now on, only networking
+		// OpenBSD
+		pledgeOrPanic("stdio inet dns")
+		// Linux
+		net.DefaultResolver.PreferGo = true // needed to lock down dependencies
+		panicIfError(landlock.V1.BestEffort().RestrictPaths(
+			landlock.ROFiles("/etc/resolv.conf").IgnoreIfMissing(),
+			landlock.ROFiles("/dev/fd").IgnoreIfMissing(),
+			landlock.ROFiles("/dev/zero").IgnoreIfMissing(),
+			landlock.ROFiles("/dev/urandom").IgnoreIfMissing(),
+			landlock.ROFiles("/etc/localtime").IgnoreIfMissing(),
+			landlock.ROFiles("/proc/self/stat").IgnoreIfMissing(),
+			landlock.ROFiles("/proc/self/status").IgnoreIfMissing(),
+			landlock.ROFiles("/usr/share/locale").IgnoreIfMissing(),
+			landlock.ROFiles("/proc/self/cmdline").IgnoreIfMissing(),
+			landlock.ROFiles("/usr/share/zoneinfo").IgnoreIfMissing(),
+			landlock.ROFiles("/proc/sys/kernel/version").IgnoreIfMissing(),
+			landlock.ROFiles("/proc/sys/kernel/ngroups_max").IgnoreIfMissing(),
+			landlock.ROFiles("/proc/sys/kernel/cap_last_cap").IgnoreIfMissing(),
+			landlock.ROFiles("/proc/sys/vm/overcommit_memory").IgnoreIfMissing(),
+			landlock.RWFiles("/dev/log").IgnoreIfMissing(),
+			landlock.RWFiles("/dev/null").IgnoreIfMissing(),
+			landlock.RWFiles("/dev/full").IgnoreIfMissing(),
+			landlock.RWFiles("/proc/self/fd").IgnoreIfMissing(),
+		))
+	default:
+		panic("invalid stage")
+	}
+}
+
+func extractPort(addr string) uint16 {
+	_, portStr, err := net.SplitHostPort(addr)
+	if err != nil {
+		panic(fmt.Errorf("failed to extract port from %s: %w", addr, err))
+	}
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		panic(fmt.Errorf("failed to extract port from %s: %w", addr, err))
+	}
+
+	return uint16(port)
+}
+
+func lockNetwork(sections []wireproxy.RoutineSpawner, infoAddr *string) {
+	var rules []landlock.Rule
+	if infoAddr != nil && *infoAddr != "" {
+		rules = append(rules, landlock.BindTCP(extractPort(*infoAddr)))
+	}
+
+	for _, section := range sections {
+		switch section := section.(type) {
+		case *wireproxy.TCPServerTunnelConfig:
+			rules = append(rules, landlock.ConnectTCP(extractPort(section.Target)))
+		case *wireproxy.HTTPConfig:
+			rules = append(rules, landlock.BindTCP(extractPort(section.BindAddress)))
+		case *wireproxy.TCPClientTunnelConfig:
+			rules = append(rules, landlock.ConnectTCP(uint16(section.BindAddress.Port)))
+		case *wireproxy.Socks5Config:
+			rules = append(rules, landlock.BindTCP(extractPort(section.BindAddress)))
+		}
+	}
+
+	panicIfError(landlock.V4.BestEffort().RestrictNet(rules...))
+}
+
 func main() {
 	s := make(chan os.Signal, 1)
 	signal.Notify(s, syscall.SIGINT, syscall.SIGQUIT)
@@ -58,18 +163,12 @@ func main() {
 	}()

 	exePath := executablePath()
-	unveilOrPanic("/", "r")
-	unveilOrPanic(exePath, "x")
-
-	// only allow standard stdio operation, file reading, networking, and exec
-	// also remove unveil permission to lock unveil
-	pledgeOrPanic("stdio rpath inet dns proc exec")
+	lock("boot")

 	isDaemonProcess := len(os.Args) > 1 && os.Args[1] == daemonProcess
 	args := os.Args
 	if isDaemonProcess {
-		// remove proc and exec if they are not needed
-		pledgeOrPanic("stdio rpath inet dns")
+		lock("boot-daemon")
 		args = []string{args[0]}
 		args = append(args, os.Args[2:]...)
 	}
@@ -78,6 +177,7 @@ func main() {
 	config := parser.String("c", "config", &argparse.Options{Help: "Path of configuration file"})
 	silent := parser.Flag("s", "silent", &argparse.Options{Help: "Silent mode"})
 	daemon := parser.Flag("d", "daemon", &argparse.Options{Help: "Make wireproxy run in background"})
+	info := parser.String("i", "info", &argparse.Options{Help: "Specify the address and port for exposing health status"})
 	printVerison := parser.Flag("v", "version", &argparse.Options{Help: "Print version"})
 	configTest := parser.Flag("n", "configtest", &argparse.Options{Help: "Configtest mode. Only check the configuration file for validity."})

@@ -93,13 +193,16 @@ func main() {
 	}

 	if *config == "" {
-		fmt.Println("configuration path is required")
-		return
+        if path, config_exist := configFilePath(); config_exist {
+            *config = path
+        } else {
+            fmt.Println("configuration path is required")
+            return
+        }
 	}

 	if !*daemon {
-		// remove proc and exec if they are not needed
-		pledgeOrPanic("stdio rpath inet dns")
+		lock("read-config")
 	}

 	conf, err := wireproxy.ParseConfig(*config)
@@ -112,6 +215,8 @@ func main() {
 		return
 	}

+	lockNetwork(conf.Routines, info)
+
 	if isDaemonProcess {
 		os.Stdout, _ = os.Open(os.DevNull)
 		os.Stderr, _ = os.Open(os.DevNull)
@@ -137,16 +242,26 @@ func main() {
 		logLevel = device.LogLevelSilent
 	}

-	// no file access is allowed from now on, only networking
-	pledgeOrPanic("stdio inet dns")
+	lock("ready")

-	tnet, err := wireproxy.StartWireguard(conf.Device, logLevel)
+	tun, err := wireproxy.StartWireguard(conf.Device, logLevel)
 	if err != nil {
 		log.Fatal(err)
 	}

 	for _, spawner := range conf.Routines {
-		go spawner.SpawnRoutine(tnet)
+		go spawner.SpawnRoutine(tun)
+	}
+
+	tun.StartPingIPs()
+
+	if *info != "" {
+		go func() {
+			err := http.ListenAndServe(*info, tun)
+			if err != nil {
+				panic(err)
+			}
+		}()
 	}

 	<-ctx.Done()
--- a/config.go
+++ b/config.go
@@ -5,6 +5,7 @@ import (
 	"encoding/hex"
 	"errors"
 	"net"
+	"os"
 	"strings"

 	"github.com/go-ini/ini"
@@ -22,12 +23,14 @@ type PeerConfig struct {

 // DeviceConfig contains the information to initiate a wireguard connection
 type DeviceConfig struct {
-	SecretKey  string
-	Endpoint   []netip.Addr
-	Peers      []PeerConfig
-	DNS        []netip.Addr
-	MTU        int
-	ListenPort *int
+	SecretKey          string
+	Endpoint           []netip.Addr
+	Peers              []PeerConfig
+	DNS                []netip.Addr
+	MTU                int
+	ListenPort         *int
+	CheckAlive         []netip.Addr
+	CheckAliveInterval int
 }

 type TCPClientTunnelConfig struct {
@@ -66,6 +69,18 @@ func parseString(section *ini.Section, keyName string) (string, error) {
 	if key == nil {
 		return "", errors.New(keyName + " should not be empty")
 	}
+	value := key.String()
+	if strings.HasPrefix(value, "$") {
+		if strings.HasPrefix(value, "$$") {
+			return strings.Replace(value, "$$", "$", 1), nil
+		}
+		var ok bool
+		value, ok = os.LookupEnv(strings.TrimPrefix(value, "$"))
+		if !ok {
+			return "", errors.New(keyName + " references unset environment variable " + key.String())
+		}
+		return value, nil
+	}
 	return key.String(), nil
 }

@@ -120,15 +135,21 @@ func encodeBase64ToHex(key string) (string, error) {
 }

 func parseNetIP(section *ini.Section, keyName string) ([]netip.Addr, error) {
-	key := section.Key(keyName)
-	if key == nil {
-		return []netip.Addr{}, nil
+	key, err := parseString(section, keyName)
+	if err != nil {
+		if strings.Contains(err.Error(), "should not be empty") {
+			return []netip.Addr{}, nil
+		}
+		return nil, err
 	}

-	keys := key.StringsWithShadows(",")
+	keys := strings.Split(key, ",")
 	var ips = make([]netip.Addr, 0, len(keys))
 	for _, str := range keys {
 		str = strings.TrimSpace(str)
+		if len(str) == 0 {
+			continue
+		}
 		ip, err := netip.ParseAddr(str)
 		if err != nil {
 			return nil, err
@@ -139,34 +160,53 @@ func parseNetIP(section *ini.Section, keyName string) ([]netip.Addr, error) {
 }

 func parseCIDRNetIP(section *ini.Section, keyName string) ([]netip.Addr, error) {
-	key := section.Key(keyName)
-	if key == nil {
-		return []netip.Addr{}, nil
+	key, err := parseString(section, keyName)
+	if err != nil {
+		if strings.Contains(err.Error(), "should not be empty") {
+			return []netip.Addr{}, nil
+		}
+		return nil, err
 	}

-	keys := key.StringsWithShadows(",")
+	keys := strings.Split(key, ",")
 	var ips = make([]netip.Addr, 0, len(keys))
 	for _, str := range keys {
-		prefix, err := netip.ParsePrefix(str)
-		if err != nil {
-			return nil, err
+		str = strings.TrimSpace(str)
+		if len(str) == 0 {
+			continue
+		}
+    
+		if addr, err := netip.ParseAddr(str); err == nil {
+			ips = append(ips, addr)
+		} else {
+			prefix, err := netip.ParsePrefix(str)
+			if err != nil {
+				return nil, err
+			}
+      
+			addr := prefix.Addr()
+			ips = append(ips, addr)
 		}
-
-		addr := prefix.Addr()
-		ips = append(ips, addr)
 	}
 	return ips, nil
 }

 func parseAllowedIPs(section *ini.Section) ([]netip.Prefix, error) {
-	key := section.Key("AllowedIPs")
-	if key == nil {
-		return []netip.Prefix{}, nil
+	key, err := parseString(section, "AllowedIPs")
+	if err != nil {
+		if strings.Contains(err.Error(), "should not be empty") {
+			return []netip.Prefix{}, nil
+		}
+		return nil, err
 	}

-	keys := key.StringsWithShadows(",")
+	keys := strings.Split(key, ",")
 	var ips = make([]netip.Prefix, 0, len(keys))
 	for _, str := range keys {
+		str = strings.TrimSpace(str)
+		if len(str) == 0 {
+			continue
+		}
 		prefix, err := netip.ParsePrefix(str)
 		if err != nil {
 			return nil, err
@@ -237,6 +277,25 @@ func ParseInterface(cfg *ini.File, device *DeviceConfig) error {
 		device.ListenPort = &value
 	}

+	checkAlive, err := parseNetIP(section, "CheckAlive")
+	if err != nil {
+		return err
+	}
+	device.CheckAlive = checkAlive
+
+	device.CheckAliveInterval = 5
+	if sectionKey, err := section.GetKey("CheckAliveInterval"); err == nil {
+		value, err := sectionKey.Int()
+		if err != nil {
+			return err
+		}
+		if len(checkAlive) == 0 {
+			return errors.New("CheckAliveInterval is only valid when CheckAlive is set")
+		}
+
+		device.CheckAliveInterval = value
+	}
+
 	return nil
 }

--- a/config_test.go
+++ b/config_test.go
@@ -0,0 +1,87 @@
+package wireproxy
+
+import (
+	"github.com/go-ini/ini"
+	"testing"
+)
+
+func loadIniConfig(config string) (*ini.File, error) {
+	iniOpt := ini.LoadOptions{
+		Insensitive:            true,
+		AllowShadows:           true,
+		AllowNonUniqueSections: true,
+	}
+
+	return ini.LoadSources(iniOpt, []byte(config))
+}
+
+func TestWireguardConfWithoutSubnet(t *testing.T) {
+	const config = `
+[Interface]
+PrivateKey = LAr1aNSNF9d0MjwUgAVC4020T0N/E5NUtqVv5EnsSz0=
+Address = 10.5.0.2
+DNS = 1.1.1.1
+
+[Peer]
+PublicKey = e8LKAc+f9xEzq9Ar7+MfKRrs+gZ/4yzvpRJLRJ/VJ1w=
+AllowedIPs = 0.0.0.0/0, ::/0
+Endpoint = 94.140.11.15:51820
+PersistentKeepalive = 25`
+	var cfg DeviceConfig
+	iniData, err := loadIniConfig(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = ParseInterface(iniData, &cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestWireguardConfWithSubnet(t *testing.T) {
+	const config = `
+[Interface]
+PrivateKey = LAr1aNSNF9d0MjwUgAVC4020T0N/E5NUtqVv5EnsSz0=
+Address = 10.5.0.2/23
+DNS = 1.1.1.1
+
+[Peer]
+PublicKey = e8LKAc+f9xEzq9Ar7+MfKRrs+gZ/4yzvpRJLRJ/VJ1w=
+AllowedIPs = 0.0.0.0/0, ::/0
+Endpoint = 94.140.11.15:51820
+PersistentKeepalive = 25`
+	var cfg DeviceConfig
+	iniData, err := loadIniConfig(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = ParseInterface(iniData, &cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestWireguardConfWithManyAddress(t *testing.T) {
+	const config = `
+[Interface]
+PrivateKey = mBsVDahr1XIu9PPd17UmsDdB6E53nvmS47NbNqQCiFM=
+Address = 100.96.0.190,2606:B300:FFFF:fe8a:2ac6:c7e8:b021:6f5f/128
+DNS = 198.18.0.1,198.18.0.2
+
+[Peer]
+PublicKey = SHnh4C2aDXhp1gjIqceGhJrhOLSeNYcqWLKcYnzj00U=
+AllowedIPs = 0.0.0.0/0,::/0
+Endpoint = 192.200.144.22:51820`
+	var cfg DeviceConfig
+	iniData, err := loadIniConfig(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = ParseInterface(iniData, &cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
--- a/go.mod
+++ b/go.mod
@@ -1,25 +1,25 @@
 module github.com/pufferffish/wireproxy

 go 1.21.1
-
-toolchain go1.21.6
+toolchain go1.24.1

 require (
 	github.com/MakeNowJust/heredoc/v2 v2.0.1
 	github.com/akamensky/argparse v1.4.0
 	github.com/go-ini/ini v1.67.0
+	github.com/landlock-lsm/go-landlock v0.0.0-20240216195629-efb66220540a
 	github.com/things-go/go-socks5 v0.0.5
+	golang.org/x/net v0.38.0
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
 	suah.dev/protect v1.2.3
 )

 require (
 	github.com/google/btree v1.1.2 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
-	golang.org/x/crypto v0.19.0 // indirect
-	golang.org/x/net v0.21.0 // indirect
-	golang.org/x/sys v0.17.0 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 // indirect
+	kernel.org/pub/linux/libs/security/libcap/psx v1.2.69 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -8,21 +8,21 @@ github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
 github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
+github.com/landlock-lsm/go-landlock v0.0.0-20240216195629-efb66220540a h1:dz+a1MiMQksVhejeZwqJuzPawYQBwug74J8PPtkLl9U=
+github.com/landlock-lsm/go-landlock v0.0.0-20240216195629-efb66220540a/go.mod h1:1NY/VPO8xm3hXw3f+M65z+PJDLUaZA5cu7OfanxoUzY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
-github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/things-go/go-socks5 v0.0.5 h1:qvKaGcBkfDrUL33SchHN93srAmYGzb4CxSM2DPYufe8=
 github.com/things-go/go-socks5 v0.0.5/go.mod h1:mtzInf8v5xmsBpHZVbIw2YQYhc4K0jRwzfsH64Uh0IQ=
-golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
-golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
@@ -33,5 +33,7 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 h1:TbRPT0HtzFP3Cno1zZo7yPzEEnfu8EjLfl6IU9VfqkQ=
 gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259/go.mod h1:AVgIgHMwK63XvmAzWG9vLQ41YnVHN0du0tEC46fI7yY=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.69 h1:IdrOs1ZgwGw5CI+BH6GgVVlOt+LAXoPyh7enr8lfaXs=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.69/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=
 suah.dev/protect v1.2.3 h1:aHeoNwZ9YPp64hrYaN0g0djNE1eRujgH63CrfRrUKdc=
 suah.dev/protect v1.2.3/go.mod h1:n1R3XIbsnryKX7C1PO88i5Wgo0v8OTXm9K9FIKt4rfs=
--- a/http.go
+++ b/http.go
@@ -10,8 +10,6 @@ import (
 	"net"
 	"net/http"
 	"strings"
-
-	"github.com/sourcegraph/conc"
 )

 const proxyAuthHeaderKey = "Proxy-Authorization"
@@ -31,23 +29,23 @@ func (s *HTTPServer) authenticate(req *http.Request) (int, error) {
 	}

 	auth := req.Header.Get(proxyAuthHeaderKey)
-	if auth != "" {
-		enc := strings.TrimPrefix(auth, "Basic ")
-		str, err := base64.StdEncoding.DecodeString(enc)
-		if err != nil {
-			return http.StatusNotAcceptable, fmt.Errorf("decode username and password failed: %w", err)
-		}
-		pairs := bytes.SplitN(str, []byte(":"), 2)
-		if len(pairs) != 2 {
-			return http.StatusLengthRequired, fmt.Errorf("username and password format invalid")
-		}
-		if s.auth.Valid(string(pairs[0]), string(pairs[1])) {
-			return 0, nil
-		}
-		return http.StatusUnauthorized, fmt.Errorf("username and password not matching")
+	if auth == "" {
+		return http.StatusProxyAuthRequired, fmt.Errorf("%s", http.StatusText(http.StatusProxyAuthRequired))
 	}

-	return http.StatusProxyAuthRequired, fmt.Errorf(http.StatusText(http.StatusProxyAuthRequired))
+	enc := strings.TrimPrefix(auth, "Basic ")
+	str, err := base64.StdEncoding.DecodeString(enc)
+	if err != nil {
+		return http.StatusNotAcceptable, fmt.Errorf("decode username and password failed: %w", err)
+	}
+	pairs := bytes.SplitN(str, []byte(":"), 2)
+	if len(pairs) != 2 {
+		return http.StatusLengthRequired, fmt.Errorf("username and password format invalid")
+	}
+	if s.auth.Valid(string(pairs[0]), string(pairs[1])) {
+		return 0, nil
+	}
+	return http.StatusUnauthorized, fmt.Errorf("username and password not matching")
 }

 func (s *HTTPServer) handleConn(req *http.Request, conn net.Conn) (peer net.Conn, err error) {
@@ -103,7 +101,11 @@ func (s *HTTPServer) serve(conn net.Conn) {

 	code, err := s.authenticate(req)
 	if err != nil {
-		_ = responseWith(req, code).Write(conn)
+		resp := responseWith(req, code)
+		if code == http.StatusProxyAuthRequired {
+			resp.Header.Set("Proxy-Authenticate", "Basic realm=\"Proxy\"")
+		}
+		_ = resp.Write(conn)
 		log.Println(err)
 		return
 	}
@@ -127,17 +129,19 @@ func (s *HTTPServer) serve(conn net.Conn) {
 		log.Println("dial proxy failed: peer nil")
 		return
 	}
+
 	go func() {
-		wg := conc.NewWaitGroup()
-		wg.Go(func() {
-			_, err = io.Copy(conn, peer)
-			_ = conn.Close()
-		})
-		wg.Go(func() {
-			_, err = io.Copy(peer, conn)
-			_ = peer.Close()
-		})
-		wg.Wait()
+		defer conn.Close()
+		defer peer.Close()
+
+		_, _ = io.Copy(conn, peer)
+	}()
+
+	go func() {
+		defer conn.Close()
+		defer peer.Close()
+
+		_, _ = io.Copy(peer, conn)
 	}()
 }

--- a/rc.d/README.md
+++ b/rc.d/README.md
@@ -0,0 +1,21 @@
+# Running wireproxy with rc.d
+
+If you're on a rc.d-based distro, you'll most likely want to run Wireproxy as a systemd unit.
+
+The provided systemd unit assumes you have the wireproxy executable installed on `/bin/wireproxy` and a configuration file stored at `/etc/wireproxy.conf`. These paths can be customized by editing the unit file.
+
+# Setting up the unit
+
+1. Copy the `wireproxy` file from this directory to `/usr/local/etc/rc.d`.
+
+2. If necessary, customize the unit.
+   Edit the parts with `procname`, `command`, `wireproxy_conf`  to point to the executable and the configuration file.
+
+4. Add the following lines to `/etc/rc.conf` to enable wireproxy
+   `wireproxy_enable="YES"`
+
+5. Start wireproxy service and check status
+   ```
+   sudo service wireproxy start
+   sudo service wireproxy status
+   ```
--- a/rc.d/wireproxy
+++ b/rc.d/wireproxy
@@ -0,0 +1,30 @@
+#!/bin/sh
+#
+# PROVIDE: wireproxy
+# REQUIRE: DAEMON
+# KEYWORD: nojail
+#
+
+#
+# Add the following lines to /etc/rc.conf to enable wireproxy:
+#
+#wireproxy_enable="YES"
+#
+
+. /etc/rc.subr
+
+name=wireproxy
+rcvar=wireproxy_enable
+
+load_rc_config $name
+procname="/bin/wireproxy"
+
+wireproxy_enable=${wireproxy_enable:-"NO"}
+
+wireproxy_bin=/bin/wireproxy
+wireproxy_conf=/etc/wireproxy.conf
+
+command=${wireproxy_bin}
+command_args="-s -d -c ${wireproxy_conf}"
+
+run_rc_command "$1"
--- a/routine.go
+++ b/routine.go
@@ -1,17 +1,29 @@
 package wireproxy

 import (
+	"bytes"
 	"context"
+	srand "crypto/rand"
 	"crypto/subtle"
+	"encoding/binary"
+	"encoding/json"
 	"errors"
+	"golang.org/x/net/icmp"
+	"golang.org/x/net/ipv4"
+	"golang.org/x/net/ipv6"
+	"golang.zx2c4.com/wireguard/device"
 	"io"
 	"log"
 	"math/rand"
 	"net"
+	"net/http"
 	"os"
+	"path"
 	"strconv"
+	"strings"
+	"sync"
+	"time"

-	"github.com/sourcegraph/conc"
 	"github.com/things-go/go-socks5"
 	"github.com/things-go/go-socks5/bufferpool"

@@ -32,7 +44,12 @@ type CredentialValidator struct {
 // VirtualTun stores a reference to netstack network and DNS configuration
 type VirtualTun struct {
 	Tnet      *netstack.Net
+	Dev       *device.Device
 	SystemDNS bool
+	Conf      *DeviceConfig
+	// PingRecord stores the last time an IP was pinged
+	PingRecord     map[string]uint64
+	PingRecordLock *sync.Mutex
 }

 // RoutineSpawner spawns a routine (e.g. socks5, tcp static routes) after the configuration is parsed
@@ -148,16 +165,16 @@ func (config *Socks5Config) SpawnRoutine(vt *VirtualTun) {

 // SpawnRoutine spawns a http server.
 func (config *HTTPConfig) SpawnRoutine(vt *VirtualTun) {
-	http := &HTTPServer{
+	server := &HTTPServer{
 		config: config,
 		dial:   vt.Tnet.Dial,
 		auth:   CredentialValidator{config.Username, config.Password},
 	}
 	if config.Username != "" || config.Password != "" {
-		http.authRequired = true
+		server.authRequired = true
 	}

-	if err := http.ListenAndServe("tcp", config.BindAddress); err != nil {
+	if err := server.ListenAndServe("tcp", config.BindAddress); err != nil {
 		log.Fatal(err)
 	}
 }
@@ -172,6 +189,9 @@ func (c CredentialValidator) Valid(username, password string) bool {

 // connForward copy data from `from` to `to`
 func connForward(from io.ReadWriteCloser, to io.ReadWriteCloser) {
+	defer from.Close()
+	defer to.Close()
+
 	_, err := io.Copy(to, from)
 	if err != nil {
 		errorLogger.Printf("Cannot forward traffic: %s\n", err.Error())
@@ -194,20 +214,8 @@ func tcpClientForward(vt *VirtualTun, raddr *addressPort, conn net.Conn) {
 		return
 	}

-	go func() {
-		wg := conc.NewWaitGroup()
-		wg.Go(func() {
-			connForward(sconn, conn)
-		})
-		wg.Go(func() {
-			connForward(conn, sconn)
-		})
-		wg.Wait()
-		_ = sconn.Close()
-		_ = conn.Close()
-		sconn = nil
-		conn = nil
-	}()
+	go connForward(sconn, conn)
+	go connForward(conn, sconn)
 }

 // STDIOTcpForward starts a new connection via wireguard and forward traffic from `conn`
@@ -232,18 +240,8 @@ func STDIOTcpForward(vt *VirtualTun, raddr *addressPort) {
 		return
 	}

-	go func() {
-		wg := conc.NewWaitGroup()
-		wg.Go(func() {
-			connForward(os.Stdin, sconn)
-		})
-		wg.Go(func() {
-			connForward(sconn, stdout)
-		})
-		wg.Wait()
-		_ = sconn.Close()
-		sconn = nil
-	}()
+	go connForward(os.Stdin, sconn)
+	go connForward(sconn, stdout)
 }

 // SpawnRoutine spawns a local TCP server which acts as a proxy to the specified target
@@ -293,20 +291,9 @@ func tcpServerForward(vt *VirtualTun, raddr *addressPort, conn net.Conn) {
 		return
 	}

-	go func() {
-		gr := conc.NewWaitGroup()
-		gr.Go(func() {
-			connForward(sconn, conn)
-		})
-		gr.Go(func() {
-			connForward(conn, sconn)
-		})
-		gr.Wait()
-		_ = sconn.Close()
-		_ = conn.Close()
-		sconn = nil
-		conn = nil
-	}()
+	go connForward(sconn, conn)
+	go connForward(conn, sconn)
+
 }

 // SpawnRoutine spawns a TCP server on wireguard which acts as a proxy to the specified target
@@ -330,3 +317,153 @@ func (conf *TCPServerTunnelConfig) SpawnRoutine(vt *VirtualTun) {
 		go tcpServerForward(vt, raddr, conn)
 	}
 }
+
+func (d VirtualTun) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	log.Printf("Health metric request: %s\n", r.URL.Path)
+	switch path.Clean(r.URL.Path) {
+	case "/readyz":
+		body, err := json.Marshal(d.PingRecord)
+		if err != nil {
+			errorLogger.Printf("Failed to get device metrics: %s\n", err.Error())
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
+		status := http.StatusOK
+		for _, record := range d.PingRecord {
+			lastPong := time.Unix(int64(record), 0)
+			// +2 seconds to account for the time it takes to ping the IP
+			if time.Since(lastPong) > time.Duration(d.Conf.CheckAliveInterval+2)*time.Second {
+				status = http.StatusServiceUnavailable
+				break
+			}
+		}
+
+		w.WriteHeader(status)
+		_, _ = w.Write(body)
+		_, _ = w.Write([]byte("\n"))
+	case "/metrics":
+		get, err := d.Dev.IpcGet()
+		if err != nil {
+			errorLogger.Printf("Failed to get device metrics: %s\n", err.Error())
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		var buf bytes.Buffer
+		for _, peer := range strings.Split(get, "\n") {
+			pair := strings.SplitN(peer, "=", 2)
+			if len(pair) != 2 {
+				buf.WriteString(peer)
+				continue
+			}
+			if pair[0] == "private_key" || pair[0] == "preshared_key" {
+				pair[1] = "REDACTED"
+			}
+			buf.WriteString(pair[0])
+			buf.WriteString("=")
+			buf.WriteString(pair[1])
+			buf.WriteString("\n")
+		}
+
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write(buf.Bytes())
+	default:
+		w.WriteHeader(http.StatusNotFound)
+	}
+}
+
+func (d VirtualTun) pingIPs() {
+	for _, addr := range d.Conf.CheckAlive {
+		socket, err := d.Tnet.Dial("ping", addr.String())
+		if err != nil {
+			errorLogger.Printf("Failed to ping %s: %s\n", addr, err.Error())
+			continue
+		}
+
+		data := make([]byte, 16)
+		_, _ = srand.Read(data)
+
+		requestPing := icmp.Echo{
+			Seq:  rand.Intn(1 << 16),
+			Data: data,
+		}
+
+		var icmpBytes []byte
+		if addr.Is4() {
+			icmpBytes, _ = (&icmp.Message{Type: ipv4.ICMPTypeEcho, Code: 0, Body: &requestPing}).Marshal(nil)
+		} else if addr.Is6() {
+			icmpBytes, _ = (&icmp.Message{Type: ipv6.ICMPTypeEchoRequest, Code: 0, Body: &requestPing}).Marshal(nil)
+		} else {
+			errorLogger.Printf("Failed to ping %s: invalid address: %s\n", addr, addr.String())
+			continue
+		}
+
+		_ = socket.SetReadDeadline(time.Now().Add(time.Duration(d.Conf.CheckAliveInterval) * time.Second))
+		_, err = socket.Write(icmpBytes)
+		if err != nil {
+			errorLogger.Printf("Failed to ping %s: %s\n", addr, err.Error())
+			continue
+		}
+
+		addr := addr
+		go func() {
+			n, err := socket.Read(icmpBytes[:])
+			if err != nil {
+				errorLogger.Printf("Failed to read ping response from %s: %s\n", addr, err.Error())
+				return
+			}
+
+			replyPacket, err := icmp.ParseMessage(1, icmpBytes[:n])
+			if err != nil {
+				errorLogger.Printf("Failed to parse ping response from %s: %s\n", addr, err.Error())
+				return
+			}
+
+			if addr.Is4() {
+				replyPing, ok := replyPacket.Body.(*icmp.Echo)
+				if !ok {
+					errorLogger.Printf("Failed to parse ping response from %s: invalid reply type: %s\n", addr, replyPacket.Type)
+					return
+				}
+				if !bytes.Equal(replyPing.Data, requestPing.Data) || replyPing.Seq != requestPing.Seq {
+					errorLogger.Printf("Failed to parse ping response from %s: invalid ping reply: %v\n", addr, replyPing)
+					return
+				}
+			}
+
+			if addr.Is6() {
+				replyPing, ok := replyPacket.Body.(*icmp.RawBody)
+				if !ok {
+					errorLogger.Printf("Failed to parse ping response from %s: invalid reply type: %s\n", addr, replyPacket.Type)
+					return
+				}
+
+				seq := binary.BigEndian.Uint16(replyPing.Data[2:4])
+				pongBody := replyPing.Data[4:]
+				if !bytes.Equal(pongBody, requestPing.Data) || int(seq) != requestPing.Seq {
+					errorLogger.Printf("Failed to parse ping response from %s: invalid ping reply: %v\n", addr, replyPing)
+					return
+				}
+			}
+
+			d.PingRecordLock.Lock()
+			d.PingRecord[addr.String()] = uint64(time.Now().Unix())
+			d.PingRecordLock.Unlock()
+
+			defer socket.Close()
+		}()
+	}
+}
+
+func (d VirtualTun) StartPingIPs() {
+	for _, addr := range d.Conf.CheckAlive {
+		d.PingRecord[addr.String()] = 0
+	}
+
+	go func() {
+		for {
+			d.pingIPs()
+			time.Sleep(time.Duration(d.Conf.CheckAliveInterval) * time.Second)
+		}
+	}()
+}
--- a/systemd/README.md
+++ b/systemd/README.md
@@ -8,29 +8,17 @@ The provided systemd unit assumes you have the wireproxy executable installed on

 1. Copy the `wireproxy.service` file from this directory to `/etc/systemd/system/`, or use the following cURL command to download it:
   ```bash
-   sudo curl https://raw.githubusercontent.com/pufferffish/wireproxy/master/systemd/wireproxy.service > /etc/systemd/system/wireproxy.service
+   curl https://raw.githubusercontent.com/pufferffish/wireproxy/master/systemd/wireproxy.service | sudo tee /etc/systemd/system/wireproxy.service
   ```

 2. If necessary, customize the unit.

-   Edit the parts with `ExecStartPre=` and `ExecStart=` to point to the executable and the configuration file. For example, if wireproxy is installed on `/usr/bin` and the configuration file is located in `/opt/myfiles/wireproxy.conf` do the following change:
+   Edit the parts with `LoadCredential`, `ExecStartPre=` and `ExecStart=` to point to the executable and the configuration file. For example, if wireproxy is installed on `/usr/bin` and the configuration file is located in `/opt/myfiles/wireproxy.conf` do the following change:
   ```service
-   ExecStartPre=/usr/bin/wireproxy -n -c /opt/myfiles/wireproxy.conf
-   ExecStart=/usr/bin/wireproxy -c /opt/myfiles/wireproxy.conf
+   LoadCredential=conf:/opt/myfiles/wireproxy.conf
+   ExecStartPre=/usr/bin/wireproxy -n -c ${CREDENTIALS_DIRECTORY}/conf
+   ExecStart=/usr/bin/wireproxy -c ${CREDENTIALS_DIRECTORY}/conf
   ```
-   #### 2.2 Drop root privileges (optional, but recommended)
-   Without any modifications, this Wireproxy service will run as root. You might want to drop those privileges. One way to do this is to simply create a system account for Wireproxy (or just use your own user account to run it instead).
-   ```bash
-   sudo useradd --comment "Wireproxy tunnel" --system wireproxy
-   ```
-   Then uncomment these lines from the wireproxy.service:
-   ```service
-   #User=wireproxy
-   #Group=wireproxy
-   ```
-   Caveats:
-     1) Make sure `wireproxy` user can read the wireproxy configuration file.
-     2) Also note that unprivileged user cannot bind to ports below 1024 by default.

 4. Reload systemd and enable the unit.
   ```bash
--- a/systemd/wireproxy.service
+++ b/systemd/wireproxy.service
@@ -4,15 +4,43 @@ Wants=network-online.target
 After=network-online.target

 [Service]
-#Uncomment and/or change these if you don't want to run Wireproxy as root
-#User=wireproxy
-#Group=wireproxy
+User=wireproxy
+Group=wireproxy
+SyslogIdentifier=wireproxy
 Type=simple
 Restart=on-failure
 RestartSec=30s
-ExecStartPre=/opt/wireproxy/wireproxy -n -c /etc/wireproxy.conf
-ExecStart=/opt/wireproxy/wireproxy -c /etc/wireproxy.conf
-SyslogIdentifier=wireproxy
+
+DynamicUser=yes
+LoadCredential=conf:/etc/wireproxy.conf
+ExecStartPre=/opt/wireproxy/wireproxy -n -c ${CREDENTIALS_DIRECTORY}/conf
+ExecStart=/opt/wireproxy/wireproxy -c ${CREDENTIALS_DIRECTORY}/conf
+
+# Required if <1024 port
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+LimitNPROC=64
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service @sandbox

 [Install]
 WantedBy=multi-user.target
--- a/wireguard.go
+++ b/wireguard.go
@@ -3,6 +3,7 @@ package wireproxy
 import (
 	"bytes"
 	"fmt"
+	"sync"

 	"net/netip"

@@ -14,14 +15,14 @@ import (

 // DeviceSetting contains the parameters for setting up a tun interface
 type DeviceSetting struct {
-	ipcRequest string
-	dns        []netip.Addr
-	deviceAddr []netip.Addr
-	mtu        int
+	IpcRequest string
+	DNS        []netip.Addr
+	DeviceAddr []netip.Addr
+	MTU        int
 }

-// serialize the config into an IPC request and DeviceSetting
-func createIPCRequest(conf *DeviceConfig) (*DeviceSetting, error) {
+// CreateIPCRequest serialize the config into an IPC request and DeviceSetting
+func CreateIPCRequest(conf *DeviceConfig) (*DeviceSetting, error) {
 	var request bytes.Buffer

 	request.WriteString(fmt.Sprintf("private_key=%s\n", conf.SecretKey))
@@ -54,23 +55,23 @@ func createIPCRequest(conf *DeviceConfig) (*DeviceSetting, error) {
 		}
 	}

-	setting := &DeviceSetting{ipcRequest: request.String(), dns: conf.DNS, deviceAddr: conf.Endpoint, mtu: conf.MTU}
+	setting := &DeviceSetting{IpcRequest: request.String(), DNS: conf.DNS, DeviceAddr: conf.Endpoint, MTU: conf.MTU}
 	return setting, nil
 }

 // StartWireguard creates a tun interface on netstack given a configuration
 func StartWireguard(conf *DeviceConfig, logLevel int) (*VirtualTun, error) {
-	setting, err := createIPCRequest(conf)
+	setting, err := CreateIPCRequest(conf)
 	if err != nil {
 		return nil, err
 	}

-	tun, tnet, err := netstack.CreateNetTUN(setting.deviceAddr, setting.dns, setting.mtu)
+	tun, tnet, err := netstack.CreateNetTUN(setting.DeviceAddr, setting.DNS, setting.MTU)
 	if err != nil {
 		return nil, err
 	}
 	dev := device.NewDevice(tun, conn.NewDefaultBind(), device.NewLogger(logLevel, ""))
-	err = dev.IpcSet(setting.ipcRequest)
+	err = dev.IpcSet(setting.IpcRequest)
 	if err != nil {
 		return nil, err
 	}
@@ -81,7 +82,11 @@ func StartWireguard(conf *DeviceConfig, logLevel int) (*VirtualTun, error) {
 	}

 	return &VirtualTun{
-		Tnet:      tnet,
-		SystemDNS: len(setting.dns) == 0,
+		Tnet:           tnet,
+		Dev:            dev,
+		Conf:           conf,
+		SystemDNS:      len(setting.DNS) == 0,
+		PingRecord:     make(map[string]uint64),
+		PingRecordLock: new(sync.Mutex),
 	}, nil
 }
Author	SHA1	Message	Date
dependabot[bot]	a805b7a855	Bump golang.org/x/net from 0.33.0 to 0.38.0 Bumps [golang.org/x/net](https://github.com/golang/net) from 0.33.0 to 0.38.0. - [Commits](https://github.com/golang/net/compare/v0.33.0...v0.38.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>	2025-04-16 22:58:46 +00:00
Emilien Devos	9dad356bee	fix: issue with omiting endpoint (#157 ) fixes #156	2025-02-19 17:21:17 +00:00
lexandr0s	288687b873	Add hint to run Wireproxy as system daemon in rc.d-based system (#164 ) * Add hint for rc.d service * Update README.md --------- Co-authored-by: root <root@prox1.example.com>	2025-02-18 12:27:18 +00:00
pufferffish	f17557487d	add IPRoyal referral link	2025-02-18 12:26:13 +00:00
dependabot[bot]	a57972e756	Bump golang.org/x/net from 0.23.0 to 0.33.0 (#160 ) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.23.0 to 0.33.0. - [Commits](https://github.com/golang/net/compare/v0.23.0...v0.33.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-01-31 16:26:26 +00:00
Christian Speckner	7bb1be2d20	Make sure that closing one direction closes the other, too. (#159 ) * Make sure that closing one direction closes the other, too. * Pacify linter.	2025-01-31 16:09:16 +00:00
Lars Gerber	47cd451c80	docs: add syntax highlighting and Go install command (#158 ) * docs: add syntax language for codeblocks * docs: add install instructions for Go	2025-01-31 15:59:57 +00:00
Takanori Hirano	d710683181	Fix PingRecord race condition (#149 )	2024-12-26 17:20:01 +00:00
Yaroslav	3098c397e7	Update README.md (#150 ) Fixed curl example command to work well with sudo	2024-12-26 17:19:42 +00:00
dependabot[bot]	3e6e5a61f0	Bump golang.org/x/crypto from 0.21.0 to 0.31.0 (#146 ) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.21.0 to 0.31.0. - [Commits](https://github.com/golang/crypto/compare/v0.21.0...v0.31.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-12-12 00:24:48 +00:00
Luiz Henrique Gomes Palácio	4a564b5ea2	Fix HTTP proxy authentication to support both preemptive and challenge-response auth (#134 )	2024-09-04 04:21:40 +08:00
Niko	5b7f822f17	Fix broken sandboxing resulting in SIGABRT (#136 )	2024-09-04 04:08:52 +08:00
Artem Russkikh	3729bced93	Update README (#137 )	2024-09-04 04:08:20 +08:00
Nicholas	cb1f39b3e5	Support env lookup for some values (#122 ) Co-authored-by: pufferfish <74378430+pufferffish@users.noreply.github.com>	2024-07-22 15:38:19 +01:00
pufferffish	f8a5d70c71	make device setting fields public	2024-07-22 15:38:07 +01:00
Amirhossein Shaerpour	42a097d490	change - add default configuration paths (#121 )	2024-07-22 15:11:26 +01:00
pufferffish	ff99bfd4a6	fix config parsing	2024-07-22 15:10:12 +01:00
dependabot[bot]	e749217090	Bump golang.org/x/net from 0.21.0 to 0.23.0 (#113 ) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.21.0 to 0.23.0. - [Commits](https://github.com/golang/net/compare/v0.21.0...v0.23.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-04-19 15:21:34 +01:00
pufferfish	6ab7069908	fix landlock restriction while files do not exists (#114 )	2024-04-19 15:15:09 +01:00
pufferfish	a6797166eb	Limit wireproxy's permissions with landlock (#108 ) * Limit wireproxy's permissions with landlock * Show better debug message * Fix crash when info is null * Fix crash when landlock ABI is outdated * remove /dev/std{in,out,err} from landlock restriction	2024-04-13 02:38:48 +01:00
pufferfish	eccf83a0cf	Add health status endpoint (#107 ) * implement metric endpoint * implement ICMP ping * fix linting * fix IPv6 pings * Add documentation for --info	2024-04-12 05:24:16 +01:00
pufferfish	54cedea2e4	Update LICENSE	2024-04-10 03:42:15 +01:00
pufferffish	bbde9cd266	bump version	2024-04-06 20:21:37 +01:00
J. Dekker	4f066d050a	systemd: tight sandboxing (#103 ) wireproxy needs very little permissions, we can restrict it to basically nothing. DynamicUser means the system will generate a UID on demand for service, also CAP_NET_BIND_SERVICE can be used to allow this user to bind to a port < 1024 if desired. Also LoadCredential lets us read a file with tight permissions i.e. root:root 0400 and pass it to only wireproxy in an ephemeral and constrained manner. Signed-off-by: J. Dekker <jdek@itanimul.li>	2024-03-18 16:42:03 +00:00
pufferfish	c710def46d	Update README.md to mention Amnezia fork	2024-02-20 19:40:19 +00:00