Feature/exit nodes - Linux support #1667

lixmal · 2024-03-05T10:33:21Z

This PR adds client default route support for Linux clients:

Route Management: Establishes routes, including the default route, in a dedicated routing table, enabling VPN traffic to be correctly routed through the VPN tunnel while maintaining access to local and management networks.
Routing Rules: Implements several routing rules to ensure management traffic always uses the physical interface. It prioritizes existing local routes over VPN routes and directs all unmatched routes to the VPN routing table.
Custom fwmark applications: Applies a custom fwmark to all management network connections, including gRPC for signal and management servers, the eBPF proxy, ICE (STUN/TURN) connections, the shared socket, and the WireGuard interface. This marking system effectively excludes these connections from being routed through the VPN.
Enhanced Error Handling and Cleanup: Improves error reporting and handling. It also introduces a comprehensive cleanup routine to revert all changes made to the routing rules and the custom routing table, ensuring no residual configurations that might affect system networking.

The update also includes renaming and reorganizing packages for better clarity and maintenance.

Issue ticket number and link

Updates #289

Checklist

Is it a bug fix
Is a typo/documentation fix
Is a feature enhancement
It is a refactor
Created tests that fail without the change (if possible)
Extended the README / documentation, if necessary

This way we can prioritize mgmt traffic even if a setup route would encompass management traffic. It also eases the cleanup process.

iface/wg_configurer.go

iface/wg_configurer_kernel.go

iface/wg_configurer_usp.go

Previously this was the wg interface's IP address + prefix length. This stopped working with the new approach for some reason. Using the nft tool this would be automatically fixed by the tool, but using netfilter directly seems to leave it as is.

All routes are now installed in a custom netbird routing table. Management and wireguard traffic is now marked with a custom fwmark. When the mark is present the traffic is routed via the main routing table, bypassing the VPN. When the mark is absent the traffic is routed via the netbird routing table, if: - there's no match in the main routing table - it would match the default route in the routing table IPv6 traffic is blocked when a default route IPv4 route is configured to avoid leakage.

lixmal added 10 commits March 5, 2024 11:32

Make gRPC dialers use fwmark

d667bcf

Improve error handling

bec57e5

Add fwmark to wireguard interface

a806218

Add fwmark to ICE connections

38751f9

Remove prefix length restriction

c1781c6

Make routing operations table-aware and add new operations

c5d4a24

Mark missing sockets without fwmark and streamline existing markings

82433fb

Add default route handling

0f71870

Improve socket error handling

d60f1ed

Rename and move packages

20c57b5

mlsmaycon changed the title ~~Feature/exit nodes~~ Feature/exit nodes - Linux support Mar 5, 2024

lixmal added 17 commits March 5, 2024 11:51

Make socket mark functions linux exclusive

1b727f6

Fix dialer

f993fa0

Rename grpc dialer func for consistency

c9c8a18

Remove forwarding on client

dc539f7

Disallow routes without destination

ae95173

Remove aliasing issue

e389f04

Reverse cleanup order

f3be573

Use multierr

f3cd3f8

Setup rules for all routes

d8abc40

This way we can prioritize mgmt traffic even if a setup route would encompass management traffic. It also eases the cleanup process.

Replace blackhole with unreachable

6ab3839

Reinstate restriction for other OSs

afa3290

Merge branch 'main' into feature/exit-nodes

3c68f7e

Merge branch 'main' into feature/exit-nodes

2ddf7fa

Add non-linux setup functions

43918fa

Add non-linux intf params

685bb32

Fix some tests

8454fb4

Improve rule description

cafa324

lixmal force-pushed the feature/exit-nodes branch from 3ea2665 to 9cc0b41 Compare March 13, 2024 14:53

Fix builds

ae23022

lixmal force-pushed the feature/exit-nodes branch 9 times, most recently from eceaf32 to 869c841 Compare March 14, 2024 10:19

Add remaining pcap deps

04844e3

lixmal force-pushed the feature/exit-nodes branch from 869c841 to 04844e3 Compare March 14, 2024 10:32

mlsmaycon and others added 2 commits March 14, 2024 21:52

apt update

861007f

Remove obsolete rule, add more tests and use correct syscall constants

8538364

lixmal marked this pull request as ready for review March 16, 2024 23:37

lixmal added 3 commits March 17, 2024 00:47

Ignore exists errors in test

d4e248e

Ignore missing rt_tables

c9ca599

Fix tests when the default route exists with metric 0

8c377fa

pappz requested changes Mar 19, 2024

View reviewed changes

iface/wg_configurer.go Outdated Show resolved Hide resolved

iface/wg_configurer_kernel.go Show resolved Hide resolved

lixmal added 3 commits March 19, 2024 18:06

Don't set fwmark on non-Linux

4dc316d

Remove obsolete methods

3c6ce49

Merge branch 'main' into feature/exit-nodes

fe8fffd

pappz requested changes Mar 19, 2024

View reviewed changes

iface/wg_configurer_usp.go Outdated Show resolved Hide resolved

lixmal added 3 commits March 19, 2024 19:17

Fix missing fwmark setting

397a184

Remove fwmark split on kernel configurer

0b8cf53

pappz approved these changes Mar 21, 2024

View reviewed changes

lixmal merged commit 2475473 into main Mar 21, 2024
21 checks passed

lixmal deleted the feature/exit-nodes branch March 21, 2024 15:49

TheRedScreen64 mentioned this pull request Mar 27, 2024

Exit node #289

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feature/exit nodes - Linux support #1667

Feature/exit nodes - Linux support #1667

lixmal commented Mar 5, 2024 •

edited

Feature/exit nodes - Linux support #1667

Feature/exit nodes - Linux support #1667

Conversation

lixmal commented Mar 5, 2024 • edited

Issue ticket number and link

Checklist

lixmal commented Mar 5, 2024 •

edited