Wireguard support for Mullvad and Windscribe (#565)

- `internal/wireguard` client package with unit tests - Implementation works with kernel space or user space if unavailable - `WIREGUARD_PRIVATE_KEY` - `WIREGUARD_ADDRESS` - `WIREGUARD_PRESHARED_KEY` - `WIREGUARD_PORT` - `internal/netlink` package used by `internal/wireguard`
2021-08-22 14:58:39 -07:00
parent 0bfd58a3f5
commit 614eb10d67
70 changed files with 13595 additions and 148 deletions
--- a/internal/wireguard/netlink_integration_test.go
+++ b/internal/wireguard/netlink_integration_test.go
@@ -0,0 +1,113 @@
+// +build netlink
+
+package wireguard
+
+import (
+	"fmt"
+	"math/rand"
+	"net"
+	"testing"
+
+	inetlink "github.com/qdm12/gluetun/internal/netlink"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/vishvananda/netlink"
+)
+
+func Test_netlink_Wireguard_addAddresses(t *testing.T) {
+	t.Parallel()
+
+	netlinker := inetlink.New()
+	wg := &Wireguard{
+		netlink: netlinker,
+	}
+
+	intfName := "test_" + fmt.Sprint(rand.Intn(10000)) //nolint:gosec
+
+	// Add link
+	linkAttrs := netlink.NewLinkAttrs()
+	linkAttrs.Name = intfName
+	link := &netlink.Bridge{
+		LinkAttrs: linkAttrs,
+	}
+	err := netlink.LinkAdd(link)
+	require.NoError(t, err)
+
+	defer func() {
+		err = netlink.LinkDel(link)
+		assert.NoError(t, err)
+	}()
+
+	addresses := []*net.IPNet{
+		{IP: net.IP{1, 2, 3, 4}, Mask: net.IPv4Mask(255, 255, 255, 255)},
+		{IP: net.IP{5, 6, 7, 8}, Mask: net.IPv4Mask(255, 255, 255, 255)},
+	}
+
+	// Success
+	err = wg.addAddresses(link, addresses)
+	require.NoError(t, err)
+
+	netlinkAddresses, err := netlink.AddrList(link, netlink.FAMILY_ALL)
+	require.NoError(t, err)
+	require.Equal(t, len(addresses), len(netlinkAddresses))
+	for i, netlinkAddress := range netlinkAddresses {
+		ipNet := netlinkAddress.IPNet
+		assert.Equal(t, addresses[i], ipNet)
+	}
+
+	// Existing address cannot be added
+	err = wg.addAddresses(link, addresses)
+	require.Error(t, err)
+	assert.Equal(t, "file exists: when adding address 1.2.3.4/32 to link test_8081", err.Error())
+}
+
+func Test_netlink_Wireguard_addRule(t *testing.T) {
+	t.Parallel()
+
+	netlinker := inetlink.New()
+	wg := &Wireguard{
+		netlink: netlinker,
+	}
+
+	rulePriority := 10000
+	const firewallMark = 999
+
+	cleanup, err := wg.addRule(rulePriority, firewallMark)
+	require.NoError(t, err)
+	defer func() {
+		err := cleanup()
+		assert.NoError(t, err)
+	}()
+
+	rules, err := netlink.RuleList(netlink.FAMILY_ALL)
+	require.NoError(t, err)
+	var rule netlink.Rule
+	var ruleFound bool
+	for _, rule = range rules {
+		if rule.Mark == firewallMark {
+			ruleFound = true
+			break
+		}
+	}
+	require.True(t, ruleFound)
+	expectedRule := netlink.Rule{
+		Invert:            true,
+		Priority:          rulePriority,
+		Mark:              firewallMark,
+		Table:             firewallMark,
+		Mask:              4294967295,
+		Goto:              -1,
+		Flow:              -1,
+		SuppressIfgroup:   -1,
+		SuppressPrefixlen: -1,
+	}
+	assert.Equal(t, expectedRule, rule)
+
+	// Existing rule cannot be added
+	nilCleanup, err := wg.addRule(rulePriority, firewallMark)
+	if nilCleanup != nil {
+		_ = nilCleanup() // in case it succeeds
+	}
+	require.Error(t, err)
+	assert.Equal(t, "file exists: when adding rule: ip rule 10000: from <nil> table 999", err.Error())
+}