tun: add tun support (linux)

Signed-off-by: Mark Pashmfouroush <mark@markpash.me>

Author: markpash

app/app.go

@@ -14,6 +14,7 @@ import (
 
 const singleMTU = 1330
 const doubleMTU = 1280 // minimum mtu for IPv6, may cause frag reassembly somewhere
+const connTestEndpoint = "http://1.1.1.1:80/"
 
 type WarpOptions struct {
 	Bind     netip.AddrPort
@@ -22,12 +23,17 @@ type WarpOptions struct {
 	Psiphon  *PsiphonOptions
 	Gool     bool
 	Scan     *wiresocks.ScanOptions
+	Tun      *TunOptions
 }
 
 type PsiphonOptions struct {
 	Country string
 }
 
+type TunOptions struct {
+	FwMark uint32
+}
+
 func RunWarp(ctx context.Context, l *slog.Logger, opts WarpOptions) error {
 	if opts.Psiphon != nil && opts.Gool {
 		return errors.New("can't use psiphon and gool at the same time")
@@ -37,6 +43,10 @@ func RunWarp(ctx context.Context, l *slog.Logger, opts WarpOptions) error {
 		return errors.New("must provide country for psiphon")
 	}
 
+	if opts.Psiphon != nil && opts.Tun != nil {
+		return errors.New("can't use psiphon and tun at the same time")
+	}
+
 	// create identities
 	if err := createPrimaryAndSecondaryIdentities(l.With("subsystem", "warp/account"), opts.License); err != nil {
 		return err
@@ -69,123 +79,211 @@ func RunWarp(ctx context.Context, l *slog.Logger, opts WarpOptions) error {
 	case opts.Gool:
 		l.Info("running in warp-in-warp (gool) mode")
 		// run warp in warp
-		warpErr = runWarpInWarp(ctx, l, opts.Bind, endpoints)
+		warpErr = runWarpInWarp(ctx, l, opts.Bind, endpoints, opts.Tun)
 	default:
 		l.Info("running in normal warp mode")
 		// just run primary warp on bindAddress
-		warpErr = runWarp(ctx, l, opts.Bind, endpoints[0])
+		warpErr = runWarp(ctx, l, opts.Bind, endpoints[0], opts.Tun)
 	}
 
 	return warpErr
 }
 
-func runWarp(ctx context.Context, l *slog.Logger, bind netip.AddrPort, endpoint string) error {
+func runWarp(ctx context.Context, l *slog.Logger, bind netip.AddrPort, endpoint string, tun *TunOptions) error {
+	// Set up primary/outer warp config
 	conf, err := wiresocks.ParseConfig("./stuff/primary/wgcf-profile.ini", endpoint)
 	if err != nil {
 		return err
 	}
+
+	// Set up MTU
 	conf.Interface.MTU = singleMTU
 
+	// Enable trick and keepalive on all peers in config
 	for i, peer := range conf.Peers {
 		peer.Trick = true
 		peer.KeepAlive = 3
 		conf.Peers[i] = peer
 	}
 
-	tnet, err := wiresocks.StartWireguard(ctx, l, conf)
+	if tun != nil {
+		// Create a new tun interface
+		tunDev, err := newNormalTun()
+		if err != nil {
+			return err
+		}
+
+		// Establish wireguard tunnel on tun interface
+		if err := establishWireguard(l, conf, tunDev, tun.FwMark); err != nil {
+			return err
+		}
+		l.Info("serving tun", "interface", "warp0")
+		return nil
+	}
+
+	// Create userspace tun network stack
+	tunDev, tnet, err := newUsermodeTun(conf)
 	if err != nil {
 		return err
 	}
 
-	_, err = tnet.StartProxy(bind)
+	// Establish wireguard on userspace stack
+	if err := establishWireguard(l, conf, tunDev, 0); err != nil {
+		return err
+	}
+
+	// Test wireguard connectivity
+	if err := usermodeTunTest(ctx, l, tnet); err != nil {
+		return err
+	}
+
+	// Run a proxy on the userspace stack
+	_, err = wiresocks.StartProxy(ctx, l, tnet, bind)
 	if err != nil {
 		return err
 	}
 
 	l.Info("serving proxy", "address", bind)
-
 	return nil
 }
 
-func runWarpWithPsiphon(ctx context.Context, l *slog.Logger, bind netip.AddrPort, endpoint string, country string) error {
-	conf, err := wiresocks.ParseConfig("./stuff/primary/wgcf-profile.ini", endpoint)
+func runWarpInWarp(ctx context.Context, l *slog.Logger, bind netip.AddrPort, endpoints []string, tun *TunOptions) error {
+	// Set up primary/outer warp config
+	conf, err := wiresocks.ParseConfig("./stuff/primary/wgcf-profile.ini", endpoints[0])
 	if err != nil {
 		return err
 	}
+
+	// Set up MTU
 	conf.Interface.MTU = singleMTU
 
+	// Enable trick and keepalive on all peers in config
 	for i, peer := range conf.Peers {
 		peer.Trick = true
 		peer.KeepAlive = 3
 		conf.Peers[i] = peer
 	}
 
-	tnet, err := wiresocks.StartWireguard(ctx, l, conf)
+	// Create userspace tun network stack
+	tunDev, tnet, err := newUsermodeTun(conf)
 	if err != nil {
 		return err
 	}
 
-	warpBind, err := tnet.StartProxy(netip.MustParseAddrPort("127.0.0.1:0"))
+	// Establish wireguard on userspace stack
+	if err := establishWireguard(l.With("gool", "outer"), conf, tunDev, 0); err != nil {
+		return err
+	}
+
+	// Test wireguard connectivity
+	if err := usermodeTunTest(ctx, l, tnet); err != nil {
+		return err
+	}
+
+	// Create a UDP port forward between localhost and the remote endpoint
+	addr, err := wiresocks.NewVtunUDPForwarder(ctx, netip.MustParseAddrPort("127.0.0.1:0"), endpoints[0], tnet, singleMTU)
 	if err != nil {
 		return err
 	}
 
-	// run psiphon
-	err = psiphon.RunPsiphon(ctx, l.With("subsystem", "psiphon"), warpBind.String(), bind.String(), country)
+	// Set up secondary/inner warp config
+	conf, err = wiresocks.ParseConfig("./stuff/secondary/wgcf-profile.ini", addr.String())
 	if err != nil {
-		return fmt.Errorf("unable to run psiphon %w", err)
+		return err
 	}
 
-	l.Info("serving proxy", "address", bind)
+	// Set up MTU
+	conf.Interface.MTU = doubleMTU
+
+	// Enable keepalive on all peers in config
+	for i, peer := range conf.Peers {
+		peer.KeepAlive = 10
+		conf.Peers[i] = peer
+	}
+
+	if tun != nil {
+		// Create a new tun interface
+		tunDev, err := newNormalTun()
+		if err != nil {
+			return err
+		}
+
+		// Establish wireguard tunnel on tun interface
+		if err := establishWireguard(l.With("gool", "inner"), conf, tunDev, tun.FwMark); err != nil {
+			return err
+		}
+		l.Info("serving tun", "interface", "warp0")
+		return nil
+	}
+
+	// Create userspace tun network stack
+	tunDev, tnet, err = newUsermodeTun(conf)
+	if err != nil {
+		return err
+	}
+
+	// Establish wireguard on userspace stack
+	if err := establishWireguard(l.With("gool", "inner"), conf, tunDev, 0); err != nil {
+		return err
+	}
+
+	// Test wireguard connectivity
+	if err := usermodeTunTest(ctx, l, tnet); err != nil {
+		return err
+	}
+
+	_, err = wiresocks.StartProxy(ctx, l, tnet, bind)
+	if err != nil {
+		return err
+	}
 
+	l.Info("serving proxy", "address", bind)
 	return nil
 }
 
-func runWarpInWarp(ctx context.Context, l *slog.Logger, bind netip.AddrPort, endpoints []string) error {
-	// Run outer warp
-	conf, err := wiresocks.ParseConfig("./stuff/primary/wgcf-profile.ini", endpoints[0])
+func runWarpWithPsiphon(ctx context.Context, l *slog.Logger, bind netip.AddrPort, endpoint string, country string) error {
+	// Set up primary/outer warp config
+	conf, err := wiresocks.ParseConfig("./stuff/primary/wgcf-profile.ini", endpoint)
 	if err != nil {
 		return err
 	}
+
+	// Set up MTU
 	conf.Interface.MTU = singleMTU
 
+	// Enable trick and keepalive on all peers in config
 	for i, peer := range conf.Peers {
 		peer.Trick = true
 		peer.KeepAlive = 3
 		conf.Peers[i] = peer
 	}
 
-	tnet, err := wiresocks.StartWireguard(ctx, l.With("gool", "outer"), conf)
+	// Create userspace tun network stack
+	tunDev, tnet, err := newUsermodeTun(conf)
 	if err != nil {
 		return err
 	}
 
-	// Create a UDP port forward between localhost and the remote endpoint
-	addr, err := wiresocks.NewVtunUDPForwarder(ctx, netip.MustParseAddrPort("127.0.0.1:0"), endpoints[1], tnet, singleMTU)
-	if err != nil {
+	// Establish wireguard on userspace stack
+	if err := establishWireguard(l, conf, tunDev, 0); err != nil {
 		return err
 	}
 
-	// Run inner warp
-	conf, err = wiresocks.ParseConfig("./stuff/secondary/wgcf-profile.ini", addr.String())
-	if err != nil {
+	// Test wireguard connectivity
+	if err := usermodeTunTest(ctx, l, tnet); err != nil {
 		return err
 	}
-	conf.Interface.MTU = doubleMTU
-
-	for i, peer := range conf.Peers {
-		peer.KeepAlive = 10
-		conf.Peers[i] = peer
-	}
 
-	tnet, err = wiresocks.StartWireguard(ctx, l.With("gool", "inner"), conf)
+	// Run a proxy on the userspace stack
+	warpBind, err := wiresocks.StartProxy(ctx, l, tnet, netip.MustParseAddrPort("127.0.0.1:0"))
 	if err != nil {
 		return err
 	}
 
-	_, err = tnet.StartProxy(bind)
+	// run psiphon
+	err = psiphon.RunPsiphon(ctx, l.With("subsystem", "psiphon"), warpBind.String(), bind.String(), country)
 	if err != nil {
-		return err
+		return fmt.Errorf("unable to run psiphon %w", err)
 	}
 
 	l.Info("serving proxy", "address", bind)

app/wg.go

@@ -0,0 +1,107 @@
+package app
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"log/slog"
+	"net/http"
+	"time"
+
+	"github.com/bepass-org/warp-plus/wireguard/conn"
+	"github.com/bepass-org/warp-plus/wireguard/device"
+	wgtun "github.com/bepass-org/warp-plus/wireguard/tun"
+	"github.com/bepass-org/warp-plus/wireguard/tun/netstack"
+	"github.com/bepass-org/warp-plus/wiresocks"
+)
+
+func newNormalTun() (wgtun.Device, error) {
+	tunDev, err := wgtun.CreateTUN("warp0", 1280)
+	if err != nil {
+		return nil, err
+	}
+
+	return tunDev, nil
+}
+
+func newUsermodeTun(conf *wiresocks.Configuration) (wgtun.Device, *netstack.Net, error) {
+	tunDev, tnet, err := netstack.CreateNetTUN(conf.Interface.Addresses, conf.Interface.DNS, conf.Interface.MTU)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return tunDev, tnet, nil
+}
+
+func usermodeTunTest(ctx context.Context, l *slog.Logger, tnet *netstack.Net) error {
+	ctx, cancel := context.WithDeadline(ctx, time.Now().Add(30*time.Second))
+	defer cancel()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+		}
+
+		client := http.Client{Transport: &http.Transport{
+			DialContext:           tnet.DialContext,
+			ResponseHeaderTimeout: 5 * time.Second,
+		}}
+		resp, err := client.Get(connTestEndpoint)
+		if err != nil {
+			l.Error("connection test failed", "error", err.Error())
+			continue
+		}
+		_, err = io.ReadAll(resp.Body)
+		resp.Body.Close()
+		if err != nil {
+			l.Error("connection test failed", "error", err.Error())
+			continue
+		}
+
+		l.Info("connection test successful")
+		break
+	}
+
+	return nil
+}
+
+func establishWireguard(l *slog.Logger, conf *wiresocks.Configuration, tunDev wgtun.Device, fwmark uint32) error {
+	// create the IPC message to establish the wireguard conn
+	var request bytes.Buffer
+
+	request.WriteString(fmt.Sprintf("private_key=%s\n", conf.Interface.PrivateKey))
+	if fwmark != 0 {
+		request.WriteString(fmt.Sprintf("fwmark=%d\n", fwmark))
+	}
+
+	for _, peer := range conf.Peers {
+		request.WriteString(fmt.Sprintf("public_key=%s\n", peer.PublicKey))
+		request.WriteString(fmt.Sprintf("persistent_keepalive_interval=%d\n", peer.KeepAlive))
+		request.WriteString(fmt.Sprintf("preshared_key=%s\n", peer.PreSharedKey))
+		request.WriteString(fmt.Sprintf("endpoint=%s\n", peer.Endpoint))
+		request.WriteString(fmt.Sprintf("trick=%t\n", peer.Trick))
+
+		for _, cidr := range peer.AllowedIPs {
+			request.WriteString(fmt.Sprintf("allowed_ip=%s\n", cidr))
+		}
+	}
+
+	dev := device.NewDevice(
+		tunDev,
+		conn.NewDefaultBind(),
+		device.NewSLogger(l.With("subsystem", "wireguard-go")),
+	)
+
+	if err := dev.IpcSet(request.String()); err != nil {
+		return err
+	}
+
+	if err := dev.Up(); err != nil {
+		return err
+	}
+
+	return nil
+}

example_config.json

@@ -7,5 +7,7 @@
   "cfon": false,
   "country": "DE",
   "scan": true,
-  "rtt": "1000ms"
+  "rtt": "1000ms",
+  "tun": false,
+  "fwmark": "0x1375"
 }