netbirdio / netbird Goto Github PK

Hi, I while studying your implementation I was wondering where wiretrustee/iface/nat_linux.go is used within the project?

Where do you need to configure NATing fir wiretrustee?
Maybe that file should be removed if its not used.

What
Add a REST endpoint to the Management server that registers a user.
There should be just one user (admin) and once it was registered there should be no registration required.
Similar to https://github.com/subspacecloud/subspace

Why
This is an essential step before enabling a peer management system.

How

• Create a REST API layer in management/ (see request/response below)

• Provision database table user and store required data (id, email, password hash).

• Additionally add a flag (most likely in db) indicating that the initial registration has been done.

• Create a follow-up story to extend registration with SSO

• endpoint to register a user

  • request: email, password
  • response: ok

Right now logs are written to the syslog.
Should be a separate file in /var/log/wiretrustee

Currently, all Wireguard data is passed through the Wireguard proxy even though the connection candidates could be directly passed as peers to Wireguard. I think we only really need the proxy if a TCP TURN relay is used.

https://github.com/wiretrustee/wiretrustee/projects/1#card-62350370

Endpoint to register a new peer.

The request should contain:

• Protocol version
• Peer Wireguard Public Key
• Setup key (pre-authorized key, the one generated on the server)
• local file storage

Please, consider the extension of the protocol (new fields, encryption, etc)

see management doc
management/README.md

https://github.com/grpc/grpc-go/tree/master/examples/features/health

When a new peer is added other peers have to be notified of a newcomer

Depends on #18
Each peer has to receive an initial config to setup Wireguard and enable connections to other peers:

PeerManagement.Sync message should include:

• Wiretrustee peer configuration (stun, turn, signal, etc)
• Wireguard configuration (Wg IP, etc)
• Peer configuration (public key, Wg allowed IPs, etc)
  Think of what is missing

• Documentation
• Explanatory videos
• TURN auth
• TURN auto cert
• UI Dashboard
  • Auth0 sign-up/login
  • Peers view (list, delete, disable)
  • Setup Keys view (list, delete disable)
  • Add Peer view (getting started)
• UI Dashboard Build
• Management HTTP API
• Management gRPC API
• Client sync with Management gRPC
• extract Auth0 creds

On ./wiretrustee up check the state if the peer was not already initialized and logged in (config.json) and do:

• Generate private and public key
• Call the Peer Management Service with the public key (can be combined with 2.1.3)
• Peer Management Service will add the peer and reply with an IP and all allowed peers (public keys). Everything by default.
• When a new peer has been added all other peers have to be notified of a new peer (public key). Refreshing their state.
• remove ./wiretrustee init
• remove ./wiretrustee add-peer

Hello everyone

I have a 5.10 kernel:

uname -a

Linux debian-1cpu-1gb-sg-sin1 5.10.0-0.bpo.7-amd64 #1 SMP Debian 5.10.40-1~bpo10+1 (2021-06-04) x86_64 GNU/Linux

The wireguard kernel module has been loaded:

modprobe wireguard
lsmod | grep wireguard

wireguard              94208  0
libchacha20poly1305    16384  1 wireguard
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             20480  1 wireguard
libblake2s             16384  1 wireguard
curve25519_x86_64      49152  1 wireguard
libcurve25519_generic    49152  2 curve25519_x86_64,wireguard

After starting wiretrustee, there is no wiretrustee0 interface:

systemctl status wiretrustee.service

● wiretrustee.service - Wiretrustee Service
   Loaded: loaded (/lib/systemd/system/wiretrustee.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2021-07-05 14:41:31 UTC; 6min ago
 Main PID: 799 (wiretrustee)
    Tasks: 3 (limit: 1135)
   Memory: 6.7M
   CGroup: /system.slice/wiretrustee.service
           └─799 /usr/local/bin/wiretrustee up --config /etc/wiretrustee/config.json --log-level debug

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 46:d1:1a:9d:07:2e brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.xxx.xxx/22 brd xxx.xxx.xxx.xxx scope global dynamic eth0
       valid_lft 85710sec preferred_lft 85710sec
    inet6 fe80::44d1:1aff:fe9d:72e/64 scope link 
       valid_lft forever preferred_lft forever

What did i do wrong? Any suggestions, thanks

See example for the management service
#71 (comment)

See
#71 (comment)

Change service definition in
management/proto/management.proto

Use EncryptedMessage logic instead
see (Sync endpoint)

What?

1. connect 2 peers
2. switch network on one of the peers (e.g. connect to a different wifi net or just turn wifi off/on)
3. peer will attempt to reconnect but will fail in some cases
4. connection won't be established anymore

Why?
When a peer goes offline (e.g. wi-fi network switch) a connection to signal drops. While it will be reestablished later, a process of Connection.Restart() has been already triggered and an attempt to signal fails. Restart doesn't continue.

create a common package:
move:

• encryption (move from signal to common)
• lets-encrypt logic (move from cmd root to common)

Important see if can be combined with
#16

What?
Register peer on the Management service
Why?
Every new peer has to be registered on the management system.
This is required to support dynamic peer distribution.
All newly registered peers public keys will be distributed to the other parties.

How?

• implement gRpc client of management/
  see management tests for example (use TLS, e.g. https://gist.github.com/nleiva/90f5bd042763f9b6bca9acbaae993288#file-grpc-lets-encrypt-go-L4)
• add setupKey support on up
• Management system Register endpoint can be called on every start
• think of storing setup key in the local config (not in plain text?)

Hello,

In the README I only see IPv4 subnets, is wiretrustee working with IPv6 subnets? If not, is it possible to add a support for IPv6?

Update build and documentation for management service to account for the separated binary.

• update build
• use separated docker hub image repository
• update documentation
• update infrastructure_files
• Link docker hub documentation

a separate management gRpc server with a basic protocol definition and a health check endpoint

• healthcheck endpoint
• healthcheck test
• protobuf servcie descption
• command in cmd/ to start the server (similar to signal)
• docker image

As an un elevated user:

~/wiretrustee ❯ wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key MY3paM+bln5PEoNahHMjzTUg3embjlsVOEIhPqyFC1o=
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x15d5def]

goroutine 1 [running]:
github.com/wiretrustee/wiretrustee/cmd.glob..func1(0x1ba3fe0, 0xc0000bff40, 0x0, 0x4)
	/home/runner/work/wiretrustee/wiretrustee/cmd/addpeer.go:26 +0xcf
github.com/spf13/cobra.(*Command).execute(0x1ba3fe0, 0xc0000bfec0, 0x4, 0x4, 0x1ba3fe0, 0xc0000bfec0)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:856 +0x2c2
github.com/spf13/cobra.(*Command).ExecuteC(0x1ba49e0, 0x0, 0x162fc20, 0xc00008c058)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:960 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:897
github.com/wiretrustee/wiretrustee/cmd.Execute(...)
	/home/runner/work/wiretrustee/wiretrustee/cmd/root.go:31
main.main()
	/home/runner/work/wiretrustee/wiretrustee/main.go:9 +0x2e

When performing the same action with sudo:

~/wiretrustee 15s ❯ sudo wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key MY3paM+bln5PEoNahHMjzTUg3embjlsVOEIhPqyFC1o=
~/wiretrustee ❯

Instead of using sync groups to wait until stream is connected or retry mechanisms try using
with grpc.WaitForReady(true)

See examples:
https://github.com/grpc/grpc-go/blob/master/examples/features/wait_for_ready/main.go

https://github.com/grpc/grpc-go/blob/master/examples/features/retry/client/main.go

What?
Due to the async nature of gRPC bi-directional streams, the client gets successfully connected to the stream before the Signal server registers it in the registry. Therefore signal/client.WaitConnected() returns before the peer was registered.
This is visible in the test environments when signal and peers are "close", not likely to happen in the production scenario.

Why?
A peer has to start communication with other peers only when it has been registered therefore signal/client.WaitConnected() should unblock when the peer has been actually registered on signal

How?
We could introduce additional methods to register peer on signal or use meta headers of gRPC on ConnectStream

see #52 (similar implementation)

TLS with Let's encrypt.
Should be automated.

• host under app.wiretrustee.com
• registration screen
• login screen
• Auth0 logic
• • redirect
• • token verification
• • basic user database to keep registered user id (Auth0)

When a new peer is added other peers have to be notified of a newcomer

In order to ensure that different pieces of the code is self contained, we need to move signal client and server to their own folders

• separate client and server
• move cmd to signal
• update builds

I can't pulll docker images, looking at the hub, repository is empty, no pulls and no tags.

Add client support for Windows.

What
Backend Support for #19

Why
Since the introduction of the management system, a peer needs a way to authenticate itself and fetch necessary info (e.g. a list of peers to connect to)

How

• Provision peer database table to contain peer (device) info

Implement the following API endpoints (gRPC) in /signal

• endpoint to validate peer existence
• • request: peer auth token (setup-key), peer pub key
• • response: 200 if exists, 404 otherwise
• endpoint to register a peer (device)
• • request: peer auth token (setup-key), peer pub key, peer hostname, peer mac
• • response: ip
• endpoint to fetch a list of peers (public keys) to connect to
• • request: peer auth token (setup-key), peer pub key
• • response: listy of peers to connect to with the corresponsing ips

When a peer is removed from Management (e.g. via Dashboard) the client app keeps trying to connect and gets permission denied response.

At this point, we should stop the client.

Support live update of peers without requiring a restart.

Relates to #19

I didn't find any mention of a chat, so I added one on matrix: https://matrix.to/#/#wiretrustee:matrix.org

./wiretrustee login
will request the user to login into his Google account

• User will have to authenticate and get OAuth credential
• • Open a browser from the terminal and make user login (Check for options) and get the token

https://github.com/grpc/grpc-go/tree/master/examples/features/health

Also, Remove the custom isHealthy endpoint from the service definition

Trying to connect peer using cmd
sudo wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key '<PEER2 PUBLIC KEY>'

ERROR :
received a new message from Peer [fingerprint: peer1 publickey]"
error while handling message of Peer [key: ] error: [wrongly addressed message ]

What?
Encrypt the body of a message being sent to a remote peer through signal

Why?
Peers exchange credentials and external addresses (e.g. open UDP ports) via signal.
Even if introducing TLS between a peer and a signal server the owner of a signal server might be able to see the body of the message. To hide sensitive info the message body has to be encrypted so that only the remote peer could decrypt it.

How?

1. change signal protocol (message body string -> byte[])
2. Use signal.EncryptMessage function to create encrypted message body

Optional: Consider using Wireguard public key fingerprint to identify peer on a signal server instead of plain Wireguard public key