feat(wireguard): implement interface network validation and tests

Author: x0sina

backend/wireguard/config.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"strings"
 	"sync"
 
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
@@ -65,6 +66,27 @@ func NewConfig(config string) (*Config, error) {
 	return &wgConfig, nil
 }
 
+// InterfaceNetworks returns CIDR prefixes parsed from the node's core `address` list.
+// Used to restrict peer AllowedIPs to subnets this interface actually serves.
+func (c *Config) InterfaceNetworks() []*net.IPNet {
+	if c == nil {
+		return nil
+	}
+	var out []*net.IPNet
+	for _, addr := range c.Address {
+		addr = strings.TrimSpace(addr)
+		if addr == "" {
+			continue
+		}
+		_, ipNet, err := net.ParseCIDR(addr)
+		if err != nil {
+			continue
+		}
+		out = append(out, ipNet)
+	}
+	return out
+}
+
 // GetPrivateKey returns the parsed WireGuard private key.
 // The parsed key is stored in memory and reused after first successful parse.
 func (c *Config) GetPrivateKey() (wgtypes.Key, error) {

backend/wireguard/config_test.go

@@ -1,9 +1,29 @@
 package wireguard
 
 import (
+	"net"
 	"testing"
 )
 
+func TestConfigInterfaceNetworks(t *testing.T) {
+	cfg := &Config{Address: []string{" 10.8.0.1/24 ", ""}}
+	nets := cfg.InterfaceNetworks()
+	if len(nets) != 1 {
+		t.Fatalf("expected 1 network, got %d", len(nets))
+	}
+	if nets[0].String() != "10.8.0.0/24" {
+		t.Fatalf("unexpected network: %s", nets[0].String())
+	}
+	_, ipn, _ := net.ParseCIDR("10.8.0.5/32")
+	if !peerIPAllowedOnInterface(ipn, nets) {
+		t.Fatal("expected 10.8.0.5/32 to be allowed under 10.8.0.0/24")
+	}
+	_, wrong, _ := net.ParseCIDR("10.0.0.2/32")
+	if peerIPAllowedOnInterface(wrong, nets) {
+		t.Fatal("expected 10.0.0.2/32 to be rejected under 10.8.0.0/24")
+	}
+}
+
 func TestNewWireGuardConfig(t *testing.T) {
 	configJSON := `{
 		"interface_name": "wg0",

backend/wireguard/user_common.go

@@ -187,6 +187,29 @@ func buildAddConfigFromPeerInfo(peer *PeerInfo, presharedKey *wgtypes.Key) (wgty
 	return buildAddConfig(peer.PublicKey, peer.AllowedIPs, presharedKey), nil
 }
 
+func peerIPAllowedOnInterface(peerNet *net.IPNet, ifaceNets []*net.IPNet) bool {
+	if len(ifaceNets) == 0 {
+		return true
+	}
+	for _, pool := range ifaceNets {
+		if pool == nil || peerNet == nil {
+			continue
+		}
+		if len(peerNet.IP) != len(pool.IP) {
+			continue
+		}
+		if !pool.Contains(peerNet.IP) {
+			continue
+		}
+		pPeer, _ := peerNet.Mask.Size()
+		pPool, _ := pool.Mask.Size()
+		if pPeer >= pPool {
+			return true
+		}
+	}
+	return false
+}
+
 func (wg *WireGuard) collectDesiredPeers(users []*common.User) (map[string]*DesiredPeer, error) {
 	desiredPeers := make(map[string]*DesiredPeer)
 	seenIPs := make(map[string]string)
@@ -206,6 +229,8 @@ func (wg *WireGuard) collectDesiredPeers(users []*common.User) (map[string]*Desi
 			continue
 		}
 
+		ifaceNets := wg.config.InterfaceNetworks()
+
 		var allowedIPNets []net.IPNet
 		var hasInvalidIP bool
 
@@ -217,6 +242,16 @@ func (wg *WireGuard) collectDesiredPeers(users []*common.User) (map[string]*Desi
 				break
 			}
 
+			if !peerIPAllowedOnInterface(ipNet, ifaceNets) {
+				log.Printf(
+					"skipping wireguard peer IP %s for user %s on interface %s (outside core address ranges)",
+					peerIp,
+					email,
+					wg.config.InterfaceName,
+				)
+				continue
+			}
+
 			canonicalIP := ipNet.String()
 			if existingEmail, exists := seenIPs[canonicalIP]; exists && existingEmail != email {
 				return nil, fmt.Errorf("duplicate wireguard allowed IP %s assigned to users %s and %s", canonicalIP, existingEmail, email)

backend/wireguard/user_sync_test.go

@@ -67,7 +67,7 @@ func TestSyncUserRejectsUnparsableStoredPeer(t *testing.T) {
 		Inbounds: []string{"wg-test"},
 		Proxies: &common.Proxy{
 			Wireguard: &common.Wireguard{
-				PublicKey: validKey, PeerIps: []string{"10.0.0.1/32"},
+				PublicKey: validKey, PeerIps: []string{"10.61.0.10/32"},
 			},
 		},
 	}
@@ -306,7 +306,7 @@ func TestSyncUsersReplaceAllRemovesStalePeersAndStats(t *testing.T) {
 			Inbounds: []string{"wg-test"},
 			Proxies: &common.Proxy{
 				Wireguard: &common.Wireguard{
-					PublicKey: newKey, PeerIps: []string{"10.0.0.4/32"},
+					PublicKey: newKey, PeerIps: []string{"10.63.0.10/32"},
 				},
 			},
 		},