internal/vpn/wireguard.go

package vpn

import (
	"context"
	"fmt"

	"github.com/qdm12/gluetun/internal/configuration/settings"
	"github.com/qdm12/gluetun/internal/models"
	"github.com/qdm12/gluetun/internal/netlink"
	"github.com/qdm12/gluetun/internal/provider"
	"github.com/qdm12/gluetun/internal/provider/utils"
	"github.com/qdm12/gluetun/internal/wireguard"
	"github.com/qdm12/gosettings"
)

// setupWireguard sets Wireguard up using the configurators and settings given.
// It returns a serverName for port forwarding (PIA) and an error if it fails.
func setupWireguard(ctx context.Context, netlinker NetLinker,
	fw Firewall, providerConf provider.Provider,
	settings settings.VPN, ipv6SupportLevel netlink.IPv6SupportLevel, logger wireguard.Logger) (
	wireguarder *wireguard.Wireguard, connection models.Connection, err error,
) {
	ipv6Internet := ipv6SupportLevel == netlink.IPv6Internet
	connection, err = providerConf.GetConnection(settings.Provider.ServerSelection, ipv6Internet)
	if err != nil {
		return nil, models.Connection{}, fmt.Errorf("finding a VPN server: %w", err)
	}

	wireguardSettings := utils.BuildWireguardSettings(connection, settings.Wireguard, ipv6SupportLevel.IsSupported())

	logger.Debug("Wireguard server public key: " + wireguardSettings.PublicKey)
	logger.Debug("Wireguard client private key: " + gosettings.ObfuscateKey(wireguardSettings.PrivateKey))
	logger.Debug("Wireguard pre-shared key: " + gosettings.ObfuscateKey(wireguardSettings.PreSharedKey))

	wireguarder, err = wireguard.New(wireguardSettings, netlinker, logger)
	if err != nil {
		return nil, models.Connection{}, fmt.Errorf("creating Wireguard: %w", err)
	}

	err = fw.SetVPNConnection(ctx, connection, settings.Wireguard.Interface)
	if err != nil {
		return nil, models.Connection{}, fmt.Errorf("setting firewall: %w", err)
	}

	return wireguarder, connection, nil
}
Wireguard support for Mullvad and Windscribe (#565) - `internal/wireguard` client package with unit tests - Implementation works with kernel space or user space if unavailable - `WIREGUARD_PRIVATE_KEY` - `WIREGUARD_ADDRESS` - `WIREGUARD_PRESHARED_KEY` - `WIREGUARD_PORT` - `internal/netlink` package used by `internal/wireguard` 2021-08-22 14:58:39 -07:00			`package vpn`

			`import (`
			`"context"`
			`"fmt"`

chore(settings): refactor settings processing (#756) - Better settings tree structure logged using `qdm12/gotree` - Read settings from environment variables, then files, then secret files - Settings methods to default them, merge them and override them - `DNS_PLAINTEXT_ADDRESS` default changed to `127.0.0.1` to use DoT. Warning added if set to something else. - `HTTPPROXY_LISTENING_ADDRESS` instead of `HTTPPROXY_PORT` (with retro-compatibility) 2022-01-06 06:40:23 -05:00			`"github.com/qdm12/gluetun/internal/configuration/settings"`
feat(healthcheck): combination of ICMP and TCP+TLS checks (#2923) - New option: `HEALTH_ICMP_TARGET_IP` defaults to `0.0.0.0` meaning use the VPN server public IP address. - Options removed: `HEALTH_VPN_INITIAL_DURATION` and `HEALTH_VPN_ADDITIONAL_DURATION` - times and retries are handpicked and hardcoded. - Less aggressive checks and less false positive detection 2025-10-17 01:45:50 +02:00			`"github.com/qdm12/gluetun/internal/models"`
feat(netlink): detect ipv6 support level - 'supported' if one ipv6 route is found that is not loopback and not a default route - 'internet' if one default ipv6 route is found 2024-10-14 16:44:05 +00:00			`"github.com/qdm12/gluetun/internal/netlink"`
Wireguard support for Mullvad and Windscribe (#565) - `internal/wireguard` client package with unit tests - Implementation works with kernel space or user space if unavailable - `WIREGUARD_PRIVATE_KEY` - `WIREGUARD_ADDRESS` - `WIREGUARD_PRESHARED_KEY` - `WIREGUARD_PORT` - `internal/netlink` package used by `internal/wireguard` 2021-08-22 14:58:39 -07:00			`"github.com/qdm12/gluetun/internal/provider"`
			`"github.com/qdm12/gluetun/internal/provider/utils"`
			`"github.com/qdm12/gluetun/internal/wireguard"`
feat(wireguard): debug logs log obfuscated keys 2023-05-29 06:45:12 +00:00			`"github.com/qdm12/gosettings"`
Wireguard support for Mullvad and Windscribe (#565) - `internal/wireguard` client package with unit tests - Implementation works with kernel space or user space if unavailable - `WIREGUARD_PRIVATE_KEY` - `WIREGUARD_ADDRESS` - `WIREGUARD_PRESHARED_KEY` - `WIREGUARD_PORT` - `internal/netlink` package used by `internal/wireguard` 2021-08-22 14:58:39 -07:00			`)`

			`// setupWireguard sets Wireguard up using the configurators and settings given.`
			`// It returns a serverName for port forwarding (PIA) and an error if it fails.`
chore(all): return concrete types, accept interfaces - Remove exported interfaces unused locally - Define interfaces to accept arguments - Return concrete types, not interfaces 2022-06-11 01:34:30 +00:00			`func setupWireguard(ctx context.Context, netlinker NetLinker,`
			`fw Firewall, providerConf provider.Provider,`
feat(netlink): detect ipv6 support level - 'supported' if one ipv6 route is found that is not loopback and not a default route - 'internet' if one default ipv6 route is found 2024-10-14 16:44:05 +00:00			`settings settings.VPN, ipv6SupportLevel netlink.IPv6SupportLevel, logger wireguard.Logger) (`
feat(healthcheck): combination of ICMP and TCP+TLS checks (#2923) - New option: `HEALTH_ICMP_TARGET_IP` defaults to `0.0.0.0` meaning use the VPN server public IP address. - Options removed: `HEALTH_VPN_INITIAL_DURATION` and `HEALTH_VPN_ADDITIONAL_DURATION` - times and retries are handpicked and hardcoded. - Less aggressive checks and less false positive detection 2025-10-17 01:45:50 +02:00			`wireguarder *wireguard.Wireguard, connection models.Connection, err error,`
chore: use gofumpt for code formatting 2024-10-11 19:20:48 +00:00			`) {`
feat(netlink): detect ipv6 support level - 'supported' if one ipv6 route is found that is not loopback and not a default route - 'internet' if one default ipv6 route is found 2024-10-14 16:44:05 +00:00			`ipv6Internet := ipv6SupportLevel == netlink.IPv6Internet`
			`connection, err = providerConf.GetConnection(settings.Provider.ServerSelection, ipv6Internet)`
Wireguard support for Mullvad and Windscribe (#565) - `internal/wireguard` client package with unit tests - Implementation works with kernel space or user space if unavailable - `WIREGUARD_PRIVATE_KEY` - `WIREGUARD_ADDRESS` - `WIREGUARD_PRESHARED_KEY` - `WIREGUARD_PORT` - `internal/netlink` package used by `internal/wireguard` 2021-08-22 14:58:39 -07:00			`if err != nil {`
feat(healthcheck): combination of ICMP and TCP+TLS checks (#2923) - New option: `HEALTH_ICMP_TARGET_IP` defaults to `0.0.0.0` meaning use the VPN server public IP address. - Options removed: `HEALTH_VPN_INITIAL_DURATION` and `HEALTH_VPN_ADDITIONAL_DURATION` - times and retries are handpicked and hardcoded. - Less aggressive checks and less false positive detection 2025-10-17 01:45:50 +02:00			`return nil, models.Connection{}, fmt.Errorf("finding a VPN server: %w", err)`
Wireguard support for Mullvad and Windscribe (#565) - `internal/wireguard` client package with unit tests - Implementation works with kernel space or user space if unavailable - `WIREGUARD_PRIVATE_KEY` - `WIREGUARD_ADDRESS` - `WIREGUARD_PRESHARED_KEY` - `WIREGUARD_PORT` - `internal/netlink` package used by `internal/wireguard` 2021-08-22 14:58:39 -07:00			`}`

feat(netlink): detect ipv6 support level - 'supported' if one ipv6 route is found that is not loopback and not a default route - 'internet' if one default ipv6 route is found 2024-10-14 16:44:05 +00:00			`wireguardSettings := utils.BuildWireguardSettings(connection, settings.Wireguard, ipv6SupportLevel.IsSupported())`
Wireguard support for Mullvad and Windscribe (#565) - `internal/wireguard` client package with unit tests - Implementation works with kernel space or user space if unavailable - `WIREGUARD_PRIVATE_KEY` - `WIREGUARD_ADDRESS` - `WIREGUARD_PRESHARED_KEY` - `WIREGUARD_PORT` - `internal/netlink` package used by `internal/wireguard` 2021-08-22 14:58:39 -07:00
Feat: debug log Wireguard keys 2021-09-23 14:42:28 +00:00			`logger.Debug("Wireguard server public key: " + wireguardSettings.PublicKey)`
feat(wireguard): debug logs log obfuscated keys 2023-05-29 06:45:12 +00:00			`logger.Debug("Wireguard client private key: " + gosettings.ObfuscateKey(wireguardSettings.PrivateKey))`
			`logger.Debug("Wireguard pre-shared key: " + gosettings.ObfuscateKey(wireguardSettings.PreSharedKey))`
Feat: debug log Wireguard keys 2021-09-23 14:42:28 +00:00
Wireguard support for Mullvad and Windscribe (#565) - `internal/wireguard` client package with unit tests - Implementation works with kernel space or user space if unavailable - `WIREGUARD_PRIVATE_KEY` - `WIREGUARD_ADDRESS` - `WIREGUARD_PRESHARED_KEY` - `WIREGUARD_PORT` - `internal/netlink` package used by `internal/wireguard` 2021-08-22 14:58:39 -07:00			`wireguarder, err = wireguard.New(wireguardSettings, netlinker, logger)`
			`if err != nil {`
feat(healthcheck): combination of ICMP and TCP+TLS checks (#2923) - New option: `HEALTH_ICMP_TARGET_IP` defaults to `0.0.0.0` meaning use the VPN server public IP address. - Options removed: `HEALTH_VPN_INITIAL_DURATION` and `HEALTH_VPN_ADDITIONAL_DURATION` - times and retries are handpicked and hardcoded. - Less aggressive checks and less false positive detection 2025-10-17 01:45:50 +02:00			`return nil, models.Connection{}, fmt.Errorf("creating Wireguard: %w", err)`
Wireguard support for Mullvad and Windscribe (#565) - `internal/wireguard` client package with unit tests - Implementation works with kernel space or user space if unavailable - `WIREGUARD_PRIVATE_KEY` - `WIREGUARD_ADDRESS` - `WIREGUARD_PRESHARED_KEY` - `WIREGUARD_PORT` - `internal/netlink` package used by `internal/wireguard` 2021-08-22 14:58:39 -07:00			`}`

			`err = fw.SetVPNConnection(ctx, connection, settings.Wireguard.Interface)`
			`if err != nil {`
feat(healthcheck): combination of ICMP and TCP+TLS checks (#2923) - New option: `HEALTH_ICMP_TARGET_IP` defaults to `0.0.0.0` meaning use the VPN server public IP address. - Options removed: `HEALTH_VPN_INITIAL_DURATION` and `HEALTH_VPN_ADDITIONAL_DURATION` - times and retries are handpicked and hardcoded. - Less aggressive checks and less false positive detection 2025-10-17 01:45:50 +02:00			`return nil, models.Connection{}, fmt.Errorf("setting firewall: %w", err)`
Wireguard support for Mullvad and Windscribe (#565) - `internal/wireguard` client package with unit tests - Implementation works with kernel space or user space if unavailable - `WIREGUARD_PRIVATE_KEY` - `WIREGUARD_ADDRESS` - `WIREGUARD_PRESHARED_KEY` - `WIREGUARD_PORT` - `internal/netlink` package used by `internal/wireguard` 2021-08-22 14:58:39 -07:00			`}`

feat(healthcheck): combination of ICMP and TCP+TLS checks (#2923) - New option: `HEALTH_ICMP_TARGET_IP` defaults to `0.0.0.0` meaning use the VPN server public IP address. - Options removed: `HEALTH_VPN_INITIAL_DURATION` and `HEALTH_VPN_ADDITIONAL_DURATION` - times and retries are handpicked and hardcoded. - Less aggressive checks and less false positive detection 2025-10-17 01:45:50 +02:00			`return wireguarder, connection, nil`
Wireguard support for Mullvad and Windscribe (#565) - `internal/wireguard` client package with unit tests - Implementation works with kernel space or user space if unavailable - `WIREGUARD_PRIVATE_KEY` - `WIREGUARD_ADDRESS` - `WIREGUARD_PRESHARED_KEY` - `WIREGUARD_PORT` - `internal/netlink` package used by `internal/wireguard` 2021-08-22 14:58:39 -07:00			`}`