
Implement support for WireGuard #1200

Merged: 10 commits, Mar 1, 2021

Conversation

davidebeatrici (Member)

Reviews are welcome!

@davidebeatrici (Member, Author)

Right now ProtoOptionsGet doesn't require the caller to be a server administrator, but the behavior should probably be changed now that the WireGuard private and preshared keys are there.

@metalefty (Contributor)

I can help you with Japanese translation.

@davidebeatrici (Member, Author)

Awesome, thank you very much!

@dnobori usually translates to Japanese for me, but he's very busy right now.

@metalefty (Contributor)

I've just started to translate existing untranslated messages in the separate PR #1201.

@metalefty (Contributor) left a comment

It might be better to focus on reviewing the logic of new code in this PR. Translations can be done later.

So what about adding some markers around untranslated messages? Then, I and other contributors can easily find untranslated messages later.

# TODO:  TO BE TRANSLATED

@davidebeatrici (Member, Author)

I agree, I'll do that in a separate pull request for all .stb files.

@andrewfer000

So umm is this going to get merged soon? This feature is super cool and it looks like you put a lot of work into it. I would love to see it in one of the next releases.

@davidebeatrici (Member, Author)

I'm actually waiting for feedback.

@davidebeatrici (Member, Author) commented Oct 12, 2020

BLAKE2's CMake project wrongly detects the available instruction sets:

-- Build date: 12/10/2020
-- Build time: 19:11:24
-- Finding best ISA extension...
-- Selected AVX2
-- Configuring for SSE or newer
-- Configuring done
-- Generating done
-- Build files have been written to: /home/user/SoftEtherVPN/build

Program terminated with signal SIGILL, Illegal instruction.
#0  0x00007f14b3fd49b0 in blake2s_init_param () from /home/user/SoftEtherVPN/build/libcedar.so
[Current thread is 1 (Thread 0x7f14b26ec440 (LWP 12380))]
(gdb) bt
#0  0x00007f14b3fd49b0 in blake2s_init_param () from /home/user/SoftEtherVPN/build/libcedar.so
#1  0x00007f14b3fd4a5c in blake2s_init () from /home/user/SoftEtherVPN/build/libcedar.so
#2  0x00007f14b3fd4f6c in blake2s () from /home/user/SoftEtherVPN/build/libcedar.so
#3  0x00007f14b3f925aa in WgsInit () from /home/user/SoftEtherVPN/build/libcedar.so
#4  0x00007f14b3f72582 in ProtoSessionNew () from /home/user/SoftEtherVPN/build/libcedar.so
#5  0x00007f14b3f72916 in ProtoHandleDatagrams () from /home/user/SoftEtherVPN/build/libcedar.so
#6  0x00007f14b3e309d7 in UdpListenerThread () from /home/user/SoftEtherVPN/build/libmayaqua.so
#7  0x00007f14b3e16115 in ThreadPoolProc () from /home/user/SoftEtherVPN/build/libmayaqua.so
#8  0x00007f14b3e4e93c in UnixDefaultThreadProc () from /home/user/SoftEtherVPN/build/libmayaqua.so
#9  0x00007f14b3335fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#10 0x00007f14b3ca74cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

$ cat /proc/cpuinfo
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 6
model           : 6
model name      : QEMU Virtual CPU version 2.5+
stepping        : 3
microcode       : 0x1
cpu MHz         : 2397.384
cache size      : 16384 KB
physical id     : 0
siblings        : 1
core id         : 0
cpu cores       : 1
apicid          : 0
initial apicid  : 0
fpu             : yes
fpu_exception   : yes
cpuid level     : 13
wp              : yes
flags           : fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pse36 clflush mmx fxsr sse sse2 syscall nx lm rep_good nopl xtopology cpuid tsc_known_freq pni cx16 x2apic hypervisor lahf_lm cpuid_fault pti
bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit
bogomips        : 4794.76
clflush size    : 64
cache_alignment : 64
address sizes   : 40 bits physical, 48 bits virtual
power management:

For this CPU -DISA_EXTENSION=SSE2 needs to be specified in the CMake call.

@andrewfer000 commented Nov 17, 2020

I'd like to test this. I cloned the davidebeatrici:proto-wireguard and compiled it but I got no Wg commands. How do I go about obtaining and compiling the code so I can test out WireGuard?

Update: I am a noob but I just learned what git checkout does and the fact that I never checked out the proto-wireguard branch is the reason it did not work earlier but now that I did everything compiled and the Wg commands now show in vpncmd.

@andrewfer000

So I am trying to get the public key for WireGuard but I do not know where to find it. Both WgkEnum and ProtoOptionsGet/ProtoOptionsSet are unsupported. How do I get WireGuard set up?

@davidebeatrici (Member, Author)

You have to derive it from the private one (obtainable through ProtoOptionsGet).

See https://www.wireguard.com/quickstart.
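
The derivation just mentioned (base64 private key in, base64 public key out, which is what `wg pubkey` does), as an added example that is not part of the original thread or of SoftEther's code. It is a pure-Python X25519 reference implementation following RFC 7748; the function names and the embedded RFC 7748 test vectors are this example's own, and nothing in it is specific to SoftEther's ProtoOptionsGet output beyond the key being a base64-encoded 32-byte value.

```python
"""Derive a WireGuard public key from its private key (added example, not project code).

WireGuard keys are X25519 keys (RFC 7748): the private key is 32 random bytes and
the public key is the Curve25519 scalar product of the clamped private key with
the base point u = 9. The ladder below is a reference implementation for offline
checking; it is not constant-time, so do not use it to handle live keys.
"""
import base64

P = 2**255 - 19      # Curve25519 field prime
A24 = 121665         # (486662 - 2) / 4, the curve constant used by the ladder
BASE_POINT = 9       # u-coordinate of the generator, the "9" in X25519(k, 9)

# RFC 7748 section 6.1 test vectors (hex), embedded so the code can self-check offline.
RFC7748_ALICE_PRIVATE = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
RFC7748_ALICE_PUBLIC = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
RFC7748_BOB_PRIVATE = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
RFC7748_BOB_PUBLIC = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
RFC7748_SHARED = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"


def clamp(private: bytes) -> int:
    """RFC 7748 clamping: clear the low 3 bits and bit 255, set bit 254, read little-endian."""
    k = bytearray(private)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(point: bytes) -> int:
    """Decode a 32-byte little-endian u-coordinate; the top bit is ignored per RFC 7748."""
    return int.from_bytes(point, "little") & ((1 << 255) - 1)


def x25519(scalar: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5; returns the u-coordinate of scalar * point."""
    x1 = u % P
    x2, z2 = 1, 0        # point at infinity in projective (X:Z) form
    x3, z3 = x1, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (scalar >> t) & 1
        swap ^= k_t
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = k_t
        a = (x2 + z2) % P
        aa = (a * a) % P
        b = (x2 - z2) % P
        bb = (b * b) % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = (d * a) % P
        cb = (c * b) % P
        x3 = pow(da + cb, 2, P)
        z3 = (x1 * pow(da - cb, 2, P)) % P
        x2 = (aa * bb) % P
        z2 = (e * (aa + A24 * e)) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P)) % P   # divide by z2 via Fermat inverse


def decode_key(key_b64: str) -> bytes:
    """Base64 WireGuard key to raw bytes; all WireGuard keys are exactly 32 bytes."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return raw


def public_key_from_private(private_b64: str) -> str:
    """Same operation as `wg pubkey`: base64 private key in, base64 public key out."""
    pub = x25519(clamp(decode_key(private_b64)), BASE_POINT)
    return base64.b64encode(pub.to_bytes(32, "little")).decode()


def shared_secret(private_b64: str, peer_public_b64: str) -> bytes:
    """The raw X25519 agreement both sides of a WireGuard handshake compute from their static keys."""
    peer = decode_u(decode_key(peer_public_b64))
    return x25519(clamp(decode_key(private_b64)), peer).to_bytes(32, "little")


def hex_to_b64(h: str) -> str:
    """Helper so the hex RFC vectors can be fed in as WireGuard-style base64 keys."""
    return base64.b64encode(bytes.fromhex(h)).decode()


if __name__ == "__main__":
    print("Alice public key:", public_key_from_private(hex_to_b64(RFC7748_ALICE_PRIVATE)))
```

Run it on the base64 PrivateKey that ProtoOptionsGet prints and compare the result with the PublicKey you put in the client's [Peer] block; a mismatch there is one cause of the handshake failures reported later in this thread.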

@andrewfer000

@davidebeatrici
I saw that in the original Github issue. The problem is with ProtoOptionsGet. This command is driving me crazy!

[screenshot omitted]

@davidebeatrici (Member, Author)

The name of the protocol is WireGuard, but the comparison is case insensitive:

int ProtoContainerCompare(void *p1, void *p2)
{
	PROTO_CONTAINER *container_1, *container_2;

	if (p1 == NULL || p2 == NULL)
	{
		/* NULL sorts before any container; two NULLs compare equal. */
		return (p1 == NULL && p2 == NULL ? 0 : (p1 == NULL ? -1 : 1));
	}

	container_1 = *(PROTO_CONTAINER **)p1;
	container_2 = *(PROTO_CONTAINER **)p2;

	/* StrCmpi is the case-insensitive string comparison. */
	return StrCmpi(container_1->Name, container_2->Name);
}

Are you sure the server you're running is compiled from my branch?

@andrewfer000 commented Nov 20, 2020

Okay so I just had to restart the vpnserver service and it works now. Thanks!

Edit: Also SSTP seems to have an error on this version as well with the "SSL Socket closed by remote side" error. So I guess I was using a different server version before now.

@davidebeatrici (Member, Author)

I just rebased against master.

If you pull from my branch and build the server again you should not see the issue anymore, assuming it doesn't show up in master.

@andrewfer000 commented Nov 20, 2020

I think it does show up in master and I believe I mentioned that in issue #1241

So I just compiled and tested your updated branch and I am still getting the same error on SSTP

By any chance could this be happening because I am importing a Let's Encrypt certificate? Should we open a new issue for this?

Okay, importing a self-signed certificate made by the vpncmd utility did not change anything.

@davidebeatrici (Member, Author)

Sorry, you're right.

@davidebeatrici (Member, Author)

I fixed the instruction set detection issue and restricted ProtoOptionsGet to server administrators, in order to protect the WireGuard private key.

@andrewfer000 Have you encountered any issues with the WireGuard implementation so far?

@andrewfer000 commented Feb 4, 2021

@davidebeatrici not at all. WireGuard has been working well. The only issues I have encountered are the ones on my LG Android, but that's it. Overall very stable.

Edit: If you build your branch against master one more time, I'll be glad to pull it down and test it. If all goes well you should be able to merge it into master.

@davidebeatrici (Member, Author)

Awesome!

My branch is actually already rebased against master, feel free to test the latest changes.

As for your LG V30, is there perhaps something related to WireGuard in Android's logcat?

WgkAdd command - Add a WireGuard key
Help for command "WgkAdd"

Purpose:
  Add a WireGuard key

Description:
  This command can be used to add a WireGuard key to the allowed key list.
  To execute this command, you must have VPN Server administrator privileges.

Usage:
  WgkAdd [key] [/HUB:hub] [/USER:user]

Parameters:
  key   - WireGuard key. Make sure it is the public one!
  /HUB  - Hub the key will be associated to.
  /USER - User the key will be associated to, in the specified hub.

================================================================================

WgkDelete command - Delete a WireGuard key
Help for command "WgkDelete"

Purpose:
  Delete a WireGuard key

Description:
  This command can be used to delete a WireGuard key from the allowed key list.
  To execute this command, you must have VPN Server administrator privileges.

Usage:
  WgkDelete [key]

Parameters:
  key - WireGuard key.

================================================================================

WgkEnum command - List the WireGuard keys
Help for command "WgkEnum"

Purpose:
  List the WireGuard keys

Description:
  This command retrieves the WireGuard keys that are allowed to connect to the server, along with the associated Virtual Hub and user.
  You can add a key with the WgkAdd command.
  You can delete a key with the WgkDelete command.
  To execute this command, you must have VPN Server administrator privileges.

Usage:
  WgkEnum

…rators

This is in order to protect the WireGuard private key.

This commit:

- Switches from Ubuntu 16.04 to 18.04 for all builds, mainly in order to use a more recent version of libsodium.
- Installs libsodium, used by the WireGuard implementation.

@Gaulomatic

I downloaded the latest Azure artifacts from Azure for Windows and compiled the Linux sources and tried it on Windows and Linux. I am not able to connect to the server with WireGuard, neither on Win nor on Linux.

I am seeing this in the server logs:

[screenshot omitted]

The Windows client tells me that the handshake failed:

[screenshot omitted]

I have added the client keys via the command line interface, they are listed properly and WireGuard protocol is enabled (as it is by default). The keys are mapped to users on a virtual hub. Is there something else to configure that I might have missed?

@davidebeatrici (Member, Author)

Have you set the server's public key in the client?

@Gaulomatic

The keys were my first line of thinking as well, so I triple-checked all those. Is there any way to let SoftEther be a little bit more verbose so I can get down to the cause?

@davidebeatrici (Member, Author)

./vpntest s

@Gaulomatic

Thanks, that is good to know. I created completely new keys, server and client, and imported them to SoftEther. Now the client tells me that SoftEther is giving an invalid response:

[screenshot omitted]

This is the output from ./vpntest s

[screenshot omitted]

@davidebeatrici (Member, Author)

To be clear: you imported the public keys in both client and server, right?

@Gaulomatic

Yes, I exported the config and set the PresharedKey (public) and PrivateKey (private) key which wg genkey generated for me.

[screenshot omitted]

I did the same with the clients and edited the KeyList accordingly:

[screenshot omitted]

Lastly I updated the WireGuard client config:

[screenshot omitted]

I set up a vanilla WireGuard server on a different machine using Ubuntu 18.04 and used the same public and private keys for client and server. This works correctly.

@davidebeatrici (Member, Author) commented Mar 21, 2021

PresharedKey must be set on all peers. Please note that:

  1. It's an additional key, for extra security.
  2. It should be different from the public key.

Here's the matching block for your current server settings:

[Peer]
PublicKey = RjU8BHHngBKdNSJZIKx2+Xb0MleURvnM5ZxKmGDzpAw=
PresharedKey = RjU8BHHngBKdNSJZIKx2+Xb0MleURvnM5ZxKmGDzpAw=
AllowedIPs = 172.16.0.0/16
Endpoint = 192.168.31.195:5555
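
A checker for the mistake described in the two points above (a PresharedKey missing on a peer, or one that simply repeats the peer's PublicKey), as an added example that is not part of the original thread or of SoftEther's or WireGuard's code. It parses the wg-quick [Interface]/[Peer] format; the parser, the function names, the Address line and the deterministic dummy keys are this example's own constructions, and the only value taken from the thread is the server PublicKey in the [Peer] block quoted above.

```python
"""Sanity-check a wg-quick style client config (added example, not project code).

Reports a PresharedKey that is missing on a peer or that repeats the peer's
PublicKey, and any key that is not a 32-byte base64 value. The sample configs
at the bottom are constructed for this example; the dummy keys are not real.
"""
import base64
from typing import Dict, List

Section = Dict[str, str]
KEY_FIELDS = ("PrivateKey", "PublicKey", "PresharedKey")


def parse_wg_config(text: str) -> List[Section]:
    """Split a wg-quick config into sections; each dict carries its name under '__section__'.
    configparser is deliberately not used: it rejects the repeated [Peer] sections wg allows."""
    sections: List[Section] = []
    current: Section = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"__section__": line[1:-1]}
            sections.append(current)
        elif "=" in line and current:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    return sections


def is_wg_key(value: str) -> bool:
    """All three WireGuard key kinds are 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:        # binascii.Error is a ValueError subclass
        return False


def check_wg_config(text: str, require_psk: bool = True) -> List[str]:
    """Return human-readable problems; an empty list means the file looks sane."""
    problems: List[str] = []
    sections = parse_wg_config(text)
    interfaces = [s for s in sections if s["__section__"] == "Interface"]
    peers = [s for s in sections if s["__section__"] == "Peer"]
    if len(interfaces) != 1:
        problems.append(f"expected exactly one [Interface] section, found {len(interfaces)}")
    for sec in sections:
        for field in KEY_FIELDS:
            if field in sec and not is_wg_key(sec[field]):
                problems.append(f"[{sec['__section__']}] {field} is not a 32-byte base64 key")
    own_private = interfaces[0].get("PrivateKey") if interfaces else None
    for n, peer in enumerate(peers, 1):
        pub = peer.get("PublicKey")
        psk = peer.get("PresharedKey")
        if pub is None:
            problems.append(f"peer {n}: missing PublicKey")
        if psk is None:
            if require_psk:
                problems.append(f"peer {n}: missing PresharedKey, but the server expects one on every peer")
        elif psk == pub:
            problems.append(f"peer {n}: PresharedKey repeats the PublicKey; generate a separate one with wg genpsk")
        elif psk == own_private:
            problems.append(f"peer {n}: PresharedKey repeats the interface PrivateKey")
        if pub is not None and pub == own_private:
            problems.append(f"peer {n}: PublicKey is the interface's own PrivateKey; paste the peer's public key instead")
    return problems


# Constructed dummies: deterministic 32-byte values, not keys from any real host.
DUMMY_PRIVATE = base64.b64encode(bytes(range(32))).decode()
DUMMY_PSK = base64.b64encode(bytes(range(32, 64))).decode()
SERVER_PUBLIC = "RjU8BHHngBKdNSJZIKx2+Xb0MleURvnM5ZxKmGDzpAw="   # from the [Peer] block quoted above


def client_config(psk: str) -> str:
    """Build the client-side config matching the quoted [Peer] block, with the given PresharedKey.
    The Address line is an assumption for the example."""
    return (
        "[Interface]\n"
        f"PrivateKey = {DUMMY_PRIVATE}\n"
        "Address = 172.16.0.2/32\n"
        "\n"
        "[Peer]\n"
        f"PublicKey = {SERVER_PUBLIC}\n"
        f"PresharedKey = {psk}\n"
        "AllowedIPs = 172.16.0.0/16\n"
        "Endpoint = 192.168.31.195:5555\n"
    )


BROKEN_CONFIG = client_config(SERVER_PUBLIC)   # the mistake from the thread: PSK = public key
FIXED_CONFIG = client_config(DUMMY_PSK)

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_wg_config(cfg) or "OK")
```

The equality checks are only string comparisons, so they cannot tell you whether the PublicKey actually belongs to the server's private key; they catch the copy-and-paste mistakes that produce an otherwise silent handshake failure.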

@Gaulomatic

Thank you, that did it. I had mistaken the preshared key for the public one.

@davidebeatrici (Member, Author)

You're welcome! We definitely need to document the configuration.

@paulmenzel (Contributor)

@Gaulomatic, thank you for reporting this, but please create an issue for this the next time.

@metalefty (Contributor)

The WireGuard support is actually working fine for me. Thanks for your hard work! I'll help you by improving documentation and Japanese translation.

[screenshot 2021-03-22 22-00-20 omitted]
[screenshot 2021-03-22 22-01-31 omitted]

@davidebeatrici (Member, Author)

Awesome, thank you very much!

@hoang-rio

@davidebeatrici Is WireGuard available for RADIUS users?

@davidebeatrici davidebeatrici deleted the proto-wireguard branch June 7, 2022 07:04
@davidebeatrici (Member, Author)

Yes, but you have to associate the public key to it.

@hoang-rio

I only add the user * with RADIUS authentication, to manage all users and passwords in a RADIUS server, so how do I associate a public key with a specific RADIUS user? *.username or something else?

@davidebeatrici (Member, Author) commented Jun 7, 2022

Just the username and destination hub actually. We should eventually implement a way to check the public key against Radius.

@qupfer commented Aug 8, 2022

Simple question: the connection is established, but "how" do I get the traffic from SoftEther to the bridged network? It looks like it "hangs" in the virtual hub. Only with SecureNAT?

@davidebeatrici (Member, Author)

How's your setup?

@qupfer commented Aug 9, 2022

It's an Ubuntu 22.04 LXC container (on Proxmox) with the default hub bridged to eth0 (SoftEther built from yesterday's gitlab-src).
I left the hub config at its default 192.168.30.1/24; the eth0 net is 192.168.178.0/24. The wg-client uses 192.168.30.2.
I started a ping from the wg-client to 192.168.30.1 and watched eth0 on the server side, but couldn't see anything.

@davidebeatrici (Member, Author)

You're not supposed to enable Virtual NAT with a local bridge, you can use Virtual DHCP though.

@hoang-rio commented Jan 5, 2023

When will WireGuard be configurable via the JSON-RPC API?
@davidebeatrici Do you have a plan for it?

Linked issue: SoftEtherVPN - WireGuard integration. Possible?

7 participants