ipipou

#!/usr/bin/env python3

'''
Utility to create ipipou tunnels (IPIP over UDP [FOU]).
Optionally remote ip:port authentication can be enabled using supported
authentication modes.

It must be run from root or have the following capabilities:
  CAP_NET_ADMIN - to create and configure network interfaces
  CAP_NET_RAW - if authentication packets sending required
  CAP_SYS_MODULE - if "fou" and "ipip" modules are not loaded yet

In client mode SIGUSR1 signal initiates auth resend to the server (the same way
as --reauth-only option do).

On SIGTERM or SIGINT cleanup (deconfiguration) will be initiated first.

Program exit codes with specific meaning:
  0: ok
  1: generic
  2: argparse
 10: modprobe
 20: nfq
 40: nftables
 51: ip_address
 52: ip_link
 53: ip_fou
100: ipipou_create
101: ipipou_update
120: send_auth
127: not_implemented
200: cleanup
'''

from base64 import b64decode, b64encode
from datetime import datetime, timezone, timedelta
from time import sleep
import fcntl
import gc
import ipaddress
import logging
import os
import signal
import socket
import struct
import subprocess
import sys
import traceback
#import argparse                                 # Will be imported if run as a command
#import netfilterqueue as nfq                    # Will be imported for server mode only
#from nacl.signing import SigningKey, VerifyKey  # Will be imported for AUTH_KEY mode only
#from nacl.exceptions import BadSignatureError   # Will be imported for AUTH_KEY mode only

# TODO: Use python native bindings instead of subprocess: libnl, netlink, pyroute2, ...?

# pylint:disable=undefined-variable,used-before-assignment,global-statement,global-variable-undefined,subprocess-run-check,too-many-branches

# Some global defaults/initial values
tunl_ip_base = '172.28.0.0'  # Default base TUNL_IP (when N == 0)
fou_ip_alt_base = '172.29.0.0'  # Default base FOU_IP_ALT (when N == 0)
fou_port_base = 10000  # Default base FOU_PORT (when N == 0)
nfq_range = None  # How many bytes of the packet to get. None to full packet.
fou_ip = None  # Current FOU local IP, will be filled with one of FOU_IP_MAIN or FOU_IP_ALT
last_remote_ip = None  # Last remembered FOU remote IP (str)
last_remote_port = None  # Last remembered FOU remote PORT (int)
last_remote_timestamp = None  # The time when last_remote_ip:last_remote_port was remembered
own_fou = None  # If FOU listener was created by this script
own_fou_ip_alt = None  # If FOU alt IP was added by this script
ip_fou_unsupported_local = None  # If `ip fou` supports "local" and "dev" arguments. None to autodetect.
returncode = 0  # Default return code (ok)


def cleanup_and_exit(signalnum=None, frame=None, rcode=0):
    '''
    Cleanup and exit gracefully.
    '''

    if signalnum is None:
        log.info('Cleanup and exit')
    else:
        log.info('Cleanup and exit on %s (%s)', signal.Signals(signalnum).name, signalnum)  # pylint:disable=no-member
    try:
        Q.unbind()
    except Exception:
        pass
    if not ipipou_delete() \
    and rcode == 0:
        rcode = 200  # cleanup error exit code

    sys.exit(rcode)


def sigignore(signalnum=None, frame=None):
    '''
    This function should be called when some signal is ignored explicitly.
    '''
    log.info('%s: ignored', signal.Signals(signalnum).name)  # pylint:disable=no-member


def prerequisites():
    '''
    General script requirements
    '''
    # Be sure "fou" kernel module is loaded.
    # "ipip" module will be loaded automatically on tunnel creation if supported.
    fou_loaded = None
    try:
        with open('/proc/modules') as fd:
            for l in fd.read().splitlines():
                if l.startswith('fou '):
                    log.debug('Already loaded module: fou')
                    fou_loaded = True
                    break
    except Exception as e:
        log.debug('Failed to read /proc/modules: %s', e)
    if not fou_loaded:
        cmd = ('modprobe', 'fou')
        log.debug('call: %s', cmd)
        try:
            subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=5, check=True)
        except FileNotFoundError:
            log.fatal('Executable not found: modprobe')
            sys.exit(10)  # modprobe error exit code
        except subprocess.CalledProcessError as e:
            log.fatal('Failed to load module: fou: %s', e.stderr)
            sys.exit(10)  # modprobe error exit code
        except Exception as e:
            log.fatal('Failed to load module: fou: %s', e)
            sys.exit(10)  # modprobe error exit code
        else:
            log.debug('Loaded module: fou')

    if MODE == 'server':
        # Be sure that required nftables base chains exists

        # May not be able to add table with chains on single call, so add sequentially.
        # Add table
        cmd = ('nft', '--', 'add table ip', NFT_TABLE, ';')
        log.debug('call: %s', cmd)
        try:
            subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=5, check=True)
        except FileNotFoundError:
            log.fatal('Executable not found: nft')
            sys.exit(40)  # nftables error exit code
        except subprocess.CalledProcessError as e:
            log.fatal('Failed to add nftables table %s: %s', NFT_TABLE, e.stderr)
            sys.exit(40)  # nftables error exit code
        except Exception as e:
            log.fatal('Failed to add nftables table %s: %s', NFT_TABLE, e)
            sys.exit(40)  # nftables error exit code
        else:
            log.debug('Added nftables table %s', NFT_TABLE)

        # Add chains
        cmd = ('nft', '--',
            # 'add table ip', NFT_TABLE, ';',
            'add chain ip', NFT_TABLE, 'nat-prerouting { type nat hook prerouting priority -42 ; } ;',
            'add chain ip', NFT_TABLE, 'nfq { type nat hook prerouting priority -41 ; } ;',
            'add chain ip', NFT_TABLE, 'nat-postrouting { type nat hook postrouting priority -42 ; } ;',
        )
        log.debug('call: %s', cmd)
        try:
            subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=5, check=True)
        except FileNotFoundError:
            log.fatal('Executable not found: nft')
            sys.exit(40)  # nftables error exit code
        except subprocess.CalledProcessError as e:
            log.fatal('Failed to add nftables chains to table %s: %s', NFT_TABLE, e.stderr)
            sys.exit(40)  # nftables error exit code
        except Exception as e:
            log.fatal('Failed to add nftables chains to table %s: %s', NFT_TABLE, e)
            sys.exit(40)  # nftables error exit code
        else:
            log.debug('Added nftables chains to table %s', NFT_TABLE)


def client_init(monitor=False):
    '''
    Create client tunnel and authenticate it to the server.
    Optionally monitor connection and reauthenticate if required.
    '''
    global fou_ip
    fou_ip = FOU_IP_MAIN  # Alt IP is not supported in client mode

    # Create IPIP over FOU tunnel
    cmd = ['ip', 'link', 'add', 'name', TUNL_DEV, 'type', 'ipip',
        'remote', str(FOU_REMOTE_IP), 'local', str(fou_ip),
        'encap', 'fou', 'encap-sport', str(FOU_PORT), 'encap-dport', str(FOU_REMOTE_PORT),
    ]
    if ENCAP_CSUM is True:
        cmd.append('encap-csum')
    elif ENCAP_CSUM is False:
        cmd.append('noencap-csum')
    cmd.extend(('mode', 'ipip'))
    if FOU_DEV:
        cmd.extend(('dev', FOU_DEV))
    log.debug('call: %s', cmd)
    try:
        subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=5, check=True)
    except FileNotFoundError:
        log.fatal('Executable not found: ip')
        cleanup_and_exit(rcode=52)  # ip_link error exit code
    except subprocess.CalledProcessError as e:
        log.error('Failed to create %s: %s', TUNL_DEV, e.stderr)
        cleanup_and_exit(rcode=52)  # ip_link error exit code
    except Exception as e:
        log.error('Failed to create %s: %s', TUNL_DEV, e)
        cleanup_and_exit(rcode=52)  # ip_link error exit code
    else:
        log.debug('%s created', TUNL_DEV)

    if not fou_listener_create():
        cleanup_and_exit(rcode=53)  # ip_fou error exit code

    # Assign IP to TUNL_DEV
    cmd = ('ip', 'address', 'add', str(TUNL_IP), 'peer', str(TUNL_PEER_IP), 'dev', TUNL_DEV)
    log.debug('call: %s', cmd)
    try:
        subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=5, check=True)
    except subprocess.CalledProcessError as e:
        log.error('Failed to assign IP to %s: %s', TUNL_DEV, e.stderr)
        cleanup_and_exit(rcode=51)  # ip_address error exit code
    except Exception as e:
        log.error('Failed to assign IP to %s: %s', TUNL_DEV, e)
        cleanup_and_exit(rcode=51)  # ip_address error exit code
    else:
        log.debug('Assigned IP to %s: %s/%s', TUNL_DEV, TUNL_IP, TUNL_PEER_IP)

    # Bring up TUNL_DEV
    cmd = ('ip', 'link', 'set', TUNL_DEV, 'up')
    log.debug('call: %s', cmd)
    try:
        subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=5, check=True)
    except subprocess.CalledProcessError as e:
        log.error('Failed to bring up %s: %s', TUNL_DEV, e.stderr)
        cleanup_and_exit(rcode=52)  # ip_link error exit code
    except Exception as e:
        log.error('Failed to bring up %s: %s', TUNL_DEV, e)
        cleanup_and_exit(rcode=52)  # ip_link error exit code
    else:
        log.debug('%s brought up', TUNL_DEV)

    # Authenticate on server, send UDP auth packet.
    if not client_auth():
        cleanup_and_exit(rcode=120)  # send_auth error exit code

    log.info('Setup completed for %s%s: %s:%s<->%s:%s', TUNL_DEV, '@'+FOU_DEV if FOU_DEV else '', fou_ip, FOU_PORT, FOU_REMOTE_IP, FOU_REMOTE_PORT)

    # Catch some signals for clean exit
    signal.signal(signal.SIGTERM, cleanup_and_exit)
    signal.signal(signal.SIGALRM, cleanup_and_exit)
    signal.signal(signal.SIGINT,  cleanup_and_exit)

    # Catch SIGUSR1 for auth resend
    def sigusr1(signalnum=None, frame=None):
        log.info('SIGUSR1: sending auth packet')
        client_auth()
    signal.signal(signal.SIGUSR1, sigusr1)

    # Ignore some signals
    signal.signal(signal.SIGUSR2, sigignore)
    signal.signal(signal.SIGHUP,  sigignore)

    if monitor:
        # TODO: implement monitoring: check periodically if tunnel is alive (by ping?) and if not resend auth packet.
        log.error('Monitor mode is not implemented yet')
        cleanup_and_exit(rcode=127)  # not_implemented error exit code

    if KEEPALIVE_SEC > 0:
        # Send auth packets every KEEPALIVE_SEC
        while True:
            sleep(KEEPALIVE_SEC)
            client_auth()
    else:
        # Sleep until SIGTERM is received
        while True:  # Loop to allow other signals processing like SIGUSR1
            signal.pause()


def client_auth():
    '''
    Send auth packet to the server
    '''
    # Set udp_payload depends on auth type
    if AUTH_TOKEN:
        udp_payload = AUTH_TOKEN
    elif AUTH_KEY:
        if AUTH_KEY_TYPE == 'ed25519':
            timestamp = int.to_bytes(int(datetime.now(tz=timezone.utc).timestamp()), 5, 'big')
            salt = os.urandom(4)
            # sig = AUTH_KEY.sign(timestamp+salt+AUTH_SECRET)  # For deprecated module ed25519
            sig = AUTH_KEY.sign(timestamp+salt+AUTH_SECRET).signature
            udp_payload = sig+timestamp+salt
        else:
            log.error('Unsupported AUTH_KEY_TYPE: %s', AUTH_KEY_TYPE)
            cleanup_and_exit(rcode=127)  # not_implemented error exit code
    else:
        udp_payload = b''

    log.debug('Sending auth packet')
    return send_raw_packet(
        dst_ip=FOU_REMOTE_IP,
        dst_port=FOU_REMOTE_PORT,
        src_ip=fou_ip or FOU_IP_MAIN,
        src_port=FOU_PORT,
        payload=udp_payload,
        ttl=AUTH_PACKET_TTL,
    )


def queue_init(nft_pre_verdict_statement='', nft_queue_flags=''):
    '''
    Queue to userspace all packets which initiate new connection to FOU port and assign handler.
    If alt FOU local IP in use DNAT-matched packets will not be queued because DNAT rule will have higher priority, it's expected.
    For server mode only.
    '''
    global returncode

    cmd = ['nft', '--', 'add', 'rule', 'ip', NFT_TABLE, 'nfq']
    if FOU_DEV:
        cmd.extend(('iifname', '"%s"' % FOU_DEV))
    cmd.extend(('ip', 'daddr', str(FOU_IP_MAIN), 'udp', 'dport', str(FOU_PORT)))
    if nft_pre_verdict_statement:
        cmd.append(nft_pre_verdict_statement)
    if NFT_COUNTER:
        cmd.append('counter')
    cmd.extend(('queue', 'num', str(NFQ_NUM)))
    if nft_queue_flags:
        cmd.append(nft_queue_flags)
    log.debug('call: %s', cmd)
    try:
        subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=5, check=True)
    except subprocess.CalledProcessError as e:
        log.fatal('Failed to add nftables queue rule: %s', e.stderr)
        cleanup_and_exit(rcode=40)  # nftables error exit code
    except Exception as e:
        log.fatal('Failed to add nftables queue rule: %s', e)
        cleanup_and_exit(rcode=40)  # nftables error exit code

    # Catch some signals for clean exit
    signal.signal(signal.SIGTERM, cleanup_and_exit)
    signal.signal(signal.SIGALRM, lambda s, f: cleanup_and_exit(s, f, rcode=returncode))  # To exit from queue_handler call with proper returncode

    # Ignore some signals
    signal.signal(signal.SIGUSR1, sigignore)
    signal.signal(signal.SIGUSR2, sigignore)
    signal.signal(signal.SIGHUP,  sigignore)

    Q = nfq.NetfilterQueue()
    if nfq_range is None:
        Q.bind(NFQ_NUM, queue_handler, NFQ_MAX_LEN, nfq.COPY_PACKET)
    else:
        Q.bind(NFQ_NUM, queue_handler, NFQ_MAX_LEN, nfq.COPY_PACKET, nfq_range)

    # Main run loop
    try:
        # if KEEPALIVE_SEC > 0:
        #     # Send keepalive packets every KEEPALIVE_SEC
        #     # TODO: run in separate thread?
        #     while True:
        #         sleep(KEEPALIVE_SEC)
        #         if FOU_REMOTE_IP:
        #             send_raw_packet(
        #                 dst_ip=FOU_REMOTE_IP, dst_port=FOU_REMOTE_PORT,
        #                 src_ip=fou_ip or FOU_IP_MAIN, src_port=FOU_PORT,
        #                 payload=b'',
        #                 ttl=AUTH_PACKET_TTL,
        #             )

        log.info('Running netfilter queue %s for %s:%s.udp%s...',
            NFQ_NUM, FOU_IP_MAIN, FOU_PORT, '@'+FOU_DEV if FOU_DEV else '',
        )
        Q.run(block=True)
    except KeyboardInterrupt as e:
        log.info('Exit netfilter queue %s by %s', NFQ_NUM, e.__class__.__name__)
    # except SystemExit as e:  # Do not use to avoid double cleanup_and_exit call
    #     log.info('Exit netfilter queue %s by %s', NFQ_NUM, e.__class__.__name__)
    #     returncode = int(e.code)
    except Exception as e:
        log.info('Exit netfilter queue %s by %s', NFQ_NUM, e.__class__.__name__)
        log.debug(traceback.format_exc())
        returncode = 20  # nfq error exit code
    cleanup_and_exit(rcode=returncode)


def queue_handler(pkt):
    '''
    Netfilter queue packets handler.

    It's the only performance critical function, so avoid heavy calculations
    here (and in functions called from here) if possible.

    It authenticates packet and creates/updates tunnel accordingly.
    Supported auth:
      - remote IP and/or PORT (if FOU_REMOTE_IP and/or FOU_REMOTE_PORT specified)
      - UDP payload
    '''
    global returncode
    global last_remote_ip
    global last_remote_port
    global last_remote_timestamp
    global FOU_REMOTE_IP
    global FOU_REMOTE_PORT

    payload = pkt.get_payload()  # Ethernet frame payload
    # src_ip = '.'.join(str(i) for i in payload[12:16])
    src_ip = socket.inet_ntoa(payload[12:16])
    src_udp_port = int.from_bytes(payload[20:22], 'big')
    src_udp_payload = payload[28:]
    if log.isEnabledFor(logging.DEBUG):
        # dst_ip = '.'.join(str(i) for i in payload[16:20])
        dst_ip = socket.inet_ntoa(payload[16:20])
        dst_udp_port = int.from_bytes(payload[22:24], 'big')
        # udp_len_bytes = payload[24:26]
        # udp_csum_bytes = payload[26:28]
        # inner_udp_csum_bytes = src_udp_payload[6:8]
        log.debug('NFQ %s: got packet: %s:%s->%s:%s\n'
            'IP__hdr_hex: %s\n'
            'UDP_hdr_hex: %s\n'
            'UDP_pl__hex: %s',
            NFQ_NUM, src_ip, src_udp_port, dst_ip, dst_udp_port,
            payload[:20].hex(), payload[20:28].hex(),
            src_udp_payload.hex(),
        )

    # Accept packet for closest followers of the auth packet
    # or if connection is expired but related to the last remembered remote with acceptable lifetime
    if last_remote_port == src_udp_port \
    and last_remote_ip == src_ip:
        if AUTH_LIFETIME_SEC > 0 \
        and last_remote_timestamp + timedelta(seconds=AUTH_LIFETIME_SEC) < datetime.now():
            log.debug('Auth lifetime is expired for the last remembered remote %s:%s', src_ip, src_udp_port)
        else:
            pkt.accept()
            log.debug('Accept packet: the last remembered remote %s:%s match', src_ip, src_udp_port)
            # Update last_remote_timestamp if it's auth packet
            if auth_is_valid(src_ip, src_udp_port, src_udp_payload, mute=True):
                last_remote_timestamp = datetime.now()
                log.debug('Auth: Updated remembered remote timestamp')
            return

    # Authenticate
    if not auth_is_valid(src_ip, src_udp_port, src_udp_payload):
        pkt.drop()
        log.debug('Drop packet (auth error)')
        return

    pkt.drop()  # The packet achieved its goal, so drop it right now, there is no other destination.
    log.info('Drop packet (auth ok)')

    if FOU_REMOTE_IP is None \
    or FOU_REMOTE_PORT is None:
        log.debug('FOU remote set to %s:%s', src_ip, src_udp_port)
    else:
        log.debug('FOU remote changed from %s:%s to %s:%s', FOU_REMOTE_IP, FOU_REMOTE_PORT, src_ip, src_udp_port)
    FOU_REMOTE_IP = ipaddress.IPv4Address(src_ip)
    FOU_REMOTE_PORT = src_udp_port

    if last_remote_ip is None:  # The first auth packet for this tunnel
        if ipipou_create():  # Create tunnel and set fou_ip
            if fou_ip == FOU_IP_MAIN:  # For alt IP it breaks NAT
                # Add connection manually, because original packet was dropped, so was not tracked.
                # It's optional but helps to avoid next packet to be queued, also increases connection timeout.
                cmd = ('conntrack', '--create',
                    '--timeout', '120',
                    '--status', 'ASSURED,ASSURED',
                    '--proto', 'udp',
                    '--orig-src', src_ip, '--reply-dst', src_ip,
                    '--orig-port-src', str(FOU_REMOTE_PORT), '--reply-port-dst', str(FOU_REMOTE_PORT),
                    '--orig-dst', str(FOU_IP_MAIN), '--reply-src', str(fou_ip),
                    '--orig-port-dst', str(FOU_PORT), '--reply-port-src', str(FOU_PORT),
                    # '--mark', '0',
                )
                # if fou_ip == FOU_IP_ALT:
                #     cmd.append('--dst-nat')
                log.debug('call: %s', cmd)
                try:
                    subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=2, check=True)
                except FileNotFoundError:
                    log.info('Executable not found: conntrack')
                except subprocess.CalledProcessError as e:
                    log.info('Failed to track outer connection for %s: %s', TUNL_DEV, e.stderr)
                except Exception as e:
                    log.info('Failed to track outer connection for %s: %s', TUNL_DEV, e)
                else:
                    log.debug('Outer connection tracked for %s', TUNL_DEV)
        else:
            log.error('Failed to create %s for remote %s:%s, signaling for exit.', TUNL_DEV, FOU_REMOTE_IP, FOU_REMOTE_PORT)
            # Any exception from this handler will be ignored, so use signals instead of sys.exit
            if returncode == 0:  # Do not overwrite original returncode if any
                returncode = 100  # ipipou_create error exit code
            signal.alarm(1)
            return
    else:  # Subsequent auth packet, need to update tunnel FOU_REMOTE_IP:FOU_REMOTE_PORT
        if not ipipou_update():
            log.error('Failed to update %s for remote %s:%s, signaling for exit.', TUNL_DEV, FOU_REMOTE_IP, FOU_REMOTE_PORT)
            # Any exception from this handler will be ignored, so use signals instead of sys.exit
            if returncode == 0:  # Do not overwrite original returncode if any
                returncode = 101  # ipipou_update error exit code
            signal.alarm(1)
            return

    if REPLY_ON_AUTH_OK:
        # Send reply packet to notify about successful auth (and to complete reply direction of connection tracking if tracked)
        if AUTH_KEY and AUTH_REMOTE_PUBKEY:
            if AUTH_KEY_TYPE == 'ed25519':
                timestamp = int.to_bytes(int(datetime.now(tz=timezone.utc).timestamp()), 5, 'big')
                salt = os.urandom(4)
                # sig = AUTH_KEY.sign(timestamp+salt+AUTH_SECRET)  # For deprecated module ed25519
                sig = AUTH_KEY.sign(timestamp+salt+AUTH_SECRET).signature
                udp_payload = sig+timestamp+salt
            else:
                log.error('Unsupported AUTH_KEY_TYPE: %s', AUTH_KEY_TYPE)
                returncode = 127  # not_implemented error exit code
                signal.alarm(1)
                return
        else:
            udp_payload = src_udp_payload[::-1]  # Original payload reverse

        send_raw_packet(
            dst_ip=FOU_REMOTE_IP,
            dst_port=FOU_REMOTE_PORT,
            src_ip=fou_ip or FOU_IP_MAIN,
            src_port=FOU_PORT,
            payload=udp_payload,
            ttl=AUTH_PACKET_TTL,
        )

    last_remote_ip = src_ip
    last_remote_port = src_udp_port
    last_remote_timestamp = datetime.now()
    log.debug('Remembered remote: %s:%s', last_remote_ip, last_remote_port)


def auth_is_valid(src_ip, src_udp_port, src_udp_payload=b'', mute=False):
    '''
    Check whether authentication is valid or not for selected auth scheme.
    '''
    # [Pre]authenticate by remote ip and/or port if specified
    if AUTH_BY_REMOTE_IP:
        if str(FOU_REMOTE_IP) != src_ip:
            if not mute:
                log.debug('Auth: src IP %s did not match %s but AUTH_BY_REMOTE_IP set', src_ip, FOU_REMOTE_IP)
            return False
    if AUTH_BY_REMOTE_PORT:
        if FOU_REMOTE_PORT != src_udp_port:
            if not mute:
                log.debug('Auth: src port %s did not match %s but AUTH_BY_REMOTE_PORT set', src_udp_port, FOU_REMOTE_PORT)
            return False

    # Then check payload based auth if required
    if AUTH_TOKEN:
        if AUTH_TOKEN == src_udp_payload:
            if not mute:
                log.info('Auth: %s:%s authenticated successfully by token for %s', src_ip, src_udp_port, TUNL_DEV)
            return True
        if not mute:
            log.debug('Auth: outer UDP payload did not match AUTH_TOKEN')
    elif AUTH_REMOTE_PUBKEY:
        # Expected UDP payload format: Signature (64 bytes) + Unix time UTC timestamp (5 bytes) + salt (4 bytes)
        # TODO: optionally include client public IP to signed message
        if len(src_udp_payload) < 73:  # 64+5+4
            if not mute:
                log.info('Auth: %s:%s invalid UDP payload length for %s', src_ip, src_udp_port, TUNL_DEV)
            return False
        sig = src_udp_payload[:64]  # Signature
        msg = src_udp_payload[64:] + AUTH_SECRET  # Message. Trailing secret assumed in message.
        timestamp = int.from_bytes(msg[:5], 'big')
        # salt = msg[5:9]
        # secret = msg[9:]
        if AUTH_KEY_TYPE == 'ed25519':
            # Allow up to AUTH_MAX_TIME_DISCREPANCY_SEC time discrepancy between hosts
            if AUTH_MAX_TIME_DISCREPANCY_SEC:
                utc_now = int(datetime.now(tz=timezone.utc).timestamp())
                abs_timedelta = abs(utc_now-timestamp)
                if abs_timedelta > AUTH_MAX_TIME_DISCREPANCY_SEC:
                    if not mute:
                        log.info('Auth: %s:%s not an auth packet or too high time discrepancy for %s: %ss', src_ip, src_udp_port, TUNL_DEV, abs_timedelta)
                    return False

            try:
                # AUTH_REMOTE_PUBKEY.verify(sig, msg)
                AUTH_REMOTE_PUBKEY.verify(msg, sig)
            except BadSignatureError:
                if not mute:
                    log.info('Auth: %s:%s invalid signature for %s', src_ip, src_udp_port, TUNL_DEV)
            except Exception as e:
                if not mute:
                    log.warning('Auth: %s:%s authentication error for %s: %s', src_ip, src_udp_port, TUNL_DEV, e)
            else:
                if not mute:
                    log.info('Auth: %s:%s authenticated successfully by ed25519 pubkey for %s', src_ip, src_udp_port, TUNL_DEV)
                return True
        # elif AUTH_KEY_TYPE == 'another':
        #     pass
        else:
            if not mute:
                log.warning('Unsupported AUTH_KEY_TYPE: %s', AUTH_KEY_TYPE)
            return False
    else:
        return True

    # Auth failure can happen for clients behind NAT when connection is
    # expired and client's public src port changed, then client sends data
    # packet using new connection, server treat it as auth attempt. Active
    # reply about auth failure may help if client expects such replies (see
    # REPLY_ON_AUTH_FAILURE and monitor mode). Or client have to keep
    # connection alive and/or monitor disconnections with consequent reauth.
    return False


def fou_listener_create():
    '''
    Create fou listener if does not exist
    '''
    global ip_fou_unsupported_local
    global own_fou

    cmd = ['ip', 'fou', 'add', 'port', str(FOU_PORT), 'ipproto', '4', 'local', str(fou_ip)]
    # if FOU_REMOTE_IP and FOU_REMOTE_PORT:  # Establish connection
    #     cmd.extend(('peer', FOU_REMOTE_IP, 'peer_port', FOU_REMOTE_PORT))
    if FOU_DEV:
        cmd.extend(('dev', FOU_DEV))
    log.debug('call: %s', cmd)
    try:
        subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=5, check=True)
    except subprocess.CalledProcessError as e:
        if 'RTNETLINK answers: Address already in use' in e.stderr:
            own_fou = False
            log.warning('Seems IPIP FOU listener %s:%s%s already exists', fou_ip, FOU_PORT, '@'+FOU_DEV if FOU_DEV else '')
        elif 'fou: unknown command ' in e.stderr:
            log.warning('Unsupported "ip fou" argument(s), fallback to non-bind fou listener.')
            cmd = cmd[:cmd.index('local')]
            log.debug('call: %s', cmd)
            try:
                subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=5, check=True)
            except subprocess.CalledProcessError as e:
                own_fou = False
                if 'RTNETLINK answers: Address already in use' in e.stderr:
                    log.warning('Seems IPIP FOU listener 0.0.0.0:%s already exists', FOU_PORT)
                else:
                    log.error('Failed to create IPIP FOU listener 0.0.0.0:%s: %s', FOU_PORT, e.stderr)
                    return False
            except Exception as e:
                log.error('Failed to create IPIP FOU listener 0.0.0.0:%s: %s', FOU_PORT, e)
                return False
            else:
                own_fou = True
                ip_fou_unsupported_local = True  # Remember support status for next calls
                log.debug('Added IPIP FOU listener 0.0.0.0:%s', FOU_PORT)
        else:
            own_fou = False
            log.error('Failed to create IPIP FOU listener %s:%s%s: %s', fou_ip, FOU_PORT, '@'+FOU_DEV if FOU_DEV else '', e.stderr)
            return False
    except Exception as e:
        own_fou = False
        log.error('Failed to create IPIP FOU listener %s:%s%s: %s', fou_ip, FOU_PORT, '@'+FOU_DEV if FOU_DEV else '', e)
        return False
    else:
        own_fou = True
        ip_fou_unsupported_local = False  # Remember support status for next calls
        log.debug('Added IPIP FOU listener %s:%s%s', fou_ip, FOU_PORT, '@'+FOU_DEV if FOU_DEV else '')
    return True


def send_raw_packet(dst_ip, dst_port, src_ip=None, src_port=0, payload=b'', ttl=64, checksum=False):
    '''
    Send raw UDP packet to remote host.
    '''
    # # Deprecated way using "sendip" subprocess
    # cmd = ['sendip']
    # if payload:
    #     payload_type = type(payload)
    #     if payload_type is bytes:
    #         cmd += ('-d', '0x'+payload.hex())
    #     elif payload_type is str:
    #         cmd += ('-d', payload)
    #     else:
    #         cmd += ('-d', str(payload))
    # cmd += ('-p', 'ipv4', '-p', 'udp')
    # if src_ip:
    #     cmd += ('-is', str(src_ip))
    # if src_port:
    #     cmd += ('-us', str(src_port))
    # cmd += ('-ud', str(dst_port), str(dst_ip))
    # log.debug('call: %s', cmd)
    # try:
    #     p = subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL)
    #     if p.returncode:
    #         log.error('Failed to send packet: %s', p.stderr)
    #         return False
    #     log.debug('Auth packet send')
    # except FileNotFoundError:
    #     log.error('Executable not found: sendip')
    #     return False
    # return True

    # Use raw sockets instead of binding to avoid conflict with FOU listener
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    except Exception as e:
        log.error('Failed to create raw socket for packet: %s', e)
        return False

    if not isinstance(payload, bytes):
        if not payload:
            payload = b''
        else:
            payload = bytes(str(payload), 'utf8')

    packet = bytearray()

    # IP header
    # oct|       0       |       1       |       2       |       3       |
    #    |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|
    #    ╔═══════╦═══════╦═══════════╦═══╦═══════════════════════════════╗
    #  0 ║Version║  IHL  ║    DSCP   ║ECN║          Total Length         ║
    #    ╠═══════╩═══════╩═══════════╩═══╬═════╦═════════════════════════╣
    #  4 ║         Identification        ║Flags║      Fragment Offset    ║
    #    ╠═══════════════╦═══════════════╬═════╩═════════════════════════╣
    #  8 ║  Time to Live ║    Protocol   ║         Header Checksum       ║
    #    ╠═══════════════╩═══════════════╩═══════════════════════════════╣
    # 12 ║                       Source Address                          ║
    #    ╠═══════════════════════════════════════════════════════════════╣
    # 16 ║                     Destination Address                       ║
    #    ╚═══════════════════════════════════════════════════════════════╝
    packet += b'\x45\x00\x00\x00'  # Total Length will be filled by kernel
    packet += b'\x00\x00\x00\x00'  # Identification will be filled by kernel if empty
    packet += int.to_bytes(ttl, 1, 'big')
    packet += b'\x11'  # UDP proto (17)
    packet += b'\x00\x00'  # Header Checksum will be filled by kernel
    try:
        src_ip_type = type(src_ip)
        if src_ip_type is ipaddress.IPv4Address:
            packet += src_ip.packed
        elif src_ip_type is bytes:
            packet += src_ip
        elif src_ip_type is str:
            packet += socket.inet_aton(src_ip)
        elif not src_ip:
            packet += b'\x00\x00\x00\x00'
        else:
            packet += socket.inet_aton(str(src_ip))
    except Exception as e:
        log.error('Failed to parse source IP %s: %s', src_ip, e)
        return False
    try:
        dst_ip_type = type(dst_ip)
        if dst_ip_type is ipaddress.IPv4Address:
            packet += dst_ip.packed
        elif dst_ip_type is bytes:
            packet += dst_ip
        elif dst_ip_type is str:
            packet += socket.inet_aton(dst_ip)
        else:
            packet += socket.inet_aton(str(dst_ip))
    except Exception as e:
        log.error('Failed to parse destination IP %s: %s', dst_ip, e)
        return False

    # UDP header
    # oct|       0       |       1       |       2       |       3       |
    #    |0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|0 1 2 3 4 5 6 7|
    #    ╔═══════════════════════════════╦═══════════════════════════════╗
    #  0 ║         Source Port           ║         Destination Port      ║
    #    ╠═══════════════════════════════╬═══════════════════════════════╣
    #  4 ║ Length (UDP header + payload) ║ Checksum (UDP header+payload) ║
    #    ╚═══════════════════════════════╩═══════════════════════════════╝
    packet += int.to_bytes(src_port, 2, 'big')
    packet += int.to_bytes(dst_port, 2, 'big')
    packet += int.to_bytes(8+len(payload), 2, 'big')
    if checksum:
        # TODO: Implement UDP checksum calculation when required
        log.warning('UDP checksum computing is not implemented, fallback to empty.')
        packet += b'\x00\x00'
    else:  # Set empty UDP checksum
        packet += b'\x00\x00'

    # UDP payload
    packet += payload

    log.debug('Sending raw UDP packet: %s:%s->%s:%s\n'
        'IP__hdr_hex: %s\n'
        'UDP_hdr_hex: %s\n'
        'UDP_pl__hex: %s',
        src_ip, src_port, dst_ip, dst_port,
        packet[:20].hex(), packet[20:28].hex(),
        packet[28:].hex(),
    )
    try:
        s.sendto(packet, (str(dst_ip), dst_port))
    except Exception as e:
        log.error('Failed to send raw UDP packet %s:%s->%s:%s: %s', src_ip, src_port, dst_ip, dst_port, e)
        log.debug(traceback.format_exc())
        return False
    return True


def ipipou_create():
    '''Create ipipou tunnel'''
    global returncode
    global fou_ip
    global own_fou_ip_alt

    log.debug('Creating %s', TUNL_DEV)

    if FORCE_FOU_IP_ALT:
        fou_ip = FOU_IP_ALT
        log.debug('Force current FOU local IP to alt %s', fou_ip)
    else:
        fou_ip = FOU_IP_MAIN
        log.debug('Set current FOU local IP to main %s', fou_ip)

    # Create IPIP over FOU tunnel
    cmd = ['ip', 'link', 'add', 'name', TUNL_DEV, 'type', 'ipip',
        'remote', str(FOU_REMOTE_IP), 'local', str(fou_ip),
        'encap', 'fou', 'encap-sport', str(FOU_PORT), 'encap-dport', str(FOU_REMOTE_PORT),
    ]
    if ENCAP_CSUM is True:
        cmd.append('encap-csum')
    elif ENCAP_CSUM is False:
        cmd.append('noencap-csum')
    cmd.extend(('mode', 'ipip'))
    if FOU_DEV:
        cmd.extend(('dev', FOU_DEV))
    log.debug('call: %s', cmd)
    try:
        subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
    except subprocess.CalledProcessError as e:
        if 'RTNETLINK answers: File exists' in e.stderr \
        and fou_ip == FOU_IP_MAIN:
            # Failed to create tunnel, most probably because the tunnel with the same
            # pair FOU_IP_MAIN,FOU_REMOTE_IP already exists (e.g. if clients behind NAT), so
            # using alternate local IP with DNAT.
            log.warning('Failed to create %s directly using FOU local IP %s, trying to use alt %s.', TUNL_DEV, fou_ip, FOU_IP_ALT)
            fou_ip = FOU_IP_ALT
        else:
            log.error('Failed to create %s using FOU local IP %s: %s', TUNL_DEV, fou_ip, e.stderr)
            returncode = 52  # ip_link error exit code
            return False
    else:
        log.debug('%s created', TUNL_DEV)

    if fou_ip == FOU_IP_ALT:
        # Change to private mapped IP
        cmd[cmd.index(str(FOU_IP_MAIN))] = str(fou_ip)
        log.debug('call: %s', cmd)
        try:
            subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
        except subprocess.CalledProcessError as e:
            log.error('Failed to create alternate %s using FOU local IP %s: %s', TUNL_DEV, fou_ip, e.stderr)
            returncode = 52  # ip_link error exit code
            return False
        else:
            log.debug('%s created', TUNL_DEV)

        # DNAT rule for mapping
        cmd = ['nft', '--', 'add', 'rule', 'ip', NFT_TABLE, 'nat-prerouting']
        if FOU_DEV:
            cmd.extend(('iifname', '"%s"' % FOU_DEV))
        cmd.extend(('ip', 'daddr', str(FOU_IP_MAIN), 'udp', 'dport', str(FOU_PORT),
            # Required for FOU_REMOTE_IP:FOU_REMOTE_PORT update lately
            'ip', 'saddr', str(FOU_REMOTE_IP), 'udp', 'sport', str(FOU_REMOTE_PORT),
        ))
        if NFT_COUNTER:
            cmd.append('counter')
        cmd.extend(('dnat', 'to', str(FOU_IP_ALT)))
        log.debug('call: %s', cmd)
        try:
            subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
        except subprocess.CalledProcessError as e:
            log.error('Failed to add DNAT rule for alt FOU local IP: %s', e.stderr)
            returncode = 40  # nftables error exit code
            return False
        else:
            log.debug('Added DNAT rule for alt FOU local IP')

        # SNAT rule for mapping (required if incoming connection expired or conntrack disabled)
        cmd = ['nft', '--', 'add', 'rule', 'ip', NFT_TABLE, 'nat-postrouting']
        if FOU_DEV:
            cmd.extend(('oifname', '"%s"' % FOU_DEV))
        cmd.extend(('ip', 'saddr', str(FOU_IP_ALT), 'udp', 'sport', str(FOU_PORT)))
        if NFT_COUNTER:
            cmd.append('counter')
        cmd.extend(('snat', 'to', str(FOU_IP_MAIN)))
        log.debug('call: %s', cmd)
        try:
            subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
        except subprocess.CalledProcessError as e:
            log.error('Failed to add SNAT rule for alt FOU local IP: %s', e.stderr)
            returncode = 40  # nftables error exit code
            return False
        else:
            log.debug('Added SNAT rule for alt FOU local IP')

        # Add mapped FOU local IP if not yet present
        cmd = ('ip', 'address', 'add', str(FOU_IP_ALT), 'scope', 'global', 'dev', FOU_DEV or fou_dev)
        log.debug('call: %s', cmd)
        try:
            subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
        except subprocess.CalledProcessError as e:
            own_fou_ip_alt = False
            if 'RTNETLINK answers: File exists' in e.stderr:
                log.warning('Seems alt IP %s already assigned to %s', FOU_IP_ALT, FOU_DEV or fou_dev)
            else:
                log.error('Failed to add alt IP %s to %s: %s', FOU_IP_ALT, FOU_DEV or fou_dev, e.stderr)
                returncode = 51  # ip_address error exit code
                return False
        else:
            own_fou_ip_alt = True
            log.debug('Added alt IP %s to %s', FOU_IP_ALT, FOU_DEV or fou_dev)

    # Create fou listener if does not exist
    if not fou_listener_create():
        returncode = 53  # ip_fou error exit code
        return False

    # Assign IP to TUNL_DEV
    cmd = ('ip', 'address', 'add', str(TUNL_IP), 'peer', str(TUNL_PEER_IP), 'dev', TUNL_DEV)
    log.debug('call: %s', cmd)
    try:
        subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
    except subprocess.CalledProcessError as e:
        log.error('Failed to assign IP to %s: %s', TUNL_DEV, e.stderr)
        returncode = 51  # ip_address error exit code
        return False
    else:
        log.debug('Assigned IP to %s: %s/%s', TUNL_DEV, TUNL_IP, TUNL_PEER_IP)

    # Bring up TUNL_DEV
    cmd = ('ip', 'link', 'set', TUNL_DEV, 'up')
    log.debug('call: %s', cmd)
    try:
        subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
    except subprocess.CalledProcessError as e:
        log.error('Failed to bring up %s: %s', TUNL_DEV, e.stderr)
        returncode = 52  # ip_link error exit code
        return False
    else:
        log.debug('%s brought up', TUNL_DEV)

    log.info('Setup completed for %s%s: %s:%s<->%s:%s', TUNL_DEV, '@'+FOU_DEV if FOU_DEV else '', fou_ip, FOU_PORT, FOU_REMOTE_IP, FOU_REMOTE_PORT)

    return True


def ipipou_update():
    '''Update ipipou tunnel using new FOU_REMOTE_IP:FOU_REMOTE_PORT'''
    global returncode
    global fou_ip
    global own_fou

    # Update IPIP over FOU tunnel
    cmd = ['ip', 'link', 'set', TUNL_DEV, 'type', 'ipip',
        'remote', str(FOU_REMOTE_IP),
        'encap', 'fou', 'encap-sport', str(FOU_PORT), 'encap-dport', str(FOU_REMOTE_PORT),
    ]
    log.debug('call: %s', cmd)
    try:
        subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
    except subprocess.CalledProcessError as e:
        if 'RTNETLINK answers: File exists' in e.stderr \
        and fou_ip == FOU_IP_MAIN:
            # Failed to update tunnel directly, most probably because tunnel with the same new
            # pair FOU_IP_MAIN,FOU_REMOTE_IP already exists, so reconfigure to use
            # alternate local IP with DNAT.
            log.warning('Failed to update %s directly using FOU local IP %s, trying to use alt %s.', TUNL_DEV, fou_ip, FOU_IP_ALT)
            fou_ip = FOU_IP_ALT

            # Update tunnel using FOU_IP_ALT
            cmd.extend(('local', str(fou_ip)))
            log.debug('call: %s', cmd)
            try:
                subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
            except subprocess.CalledProcessError as e:
                log.error('Failed to update %s%s using alt FOU local IP: %s:%s<->%s:%s : %s',
                    TUNL_DEV, '@'+FOU_DEV if FOU_DEV else '',
                    fou_ip, FOU_PORT, FOU_REMOTE_IP, FOU_REMOTE_PORT,
                    e.stderr,
                )
                returncode = 52  # ip_link error exit code
                return False
            else:
                log.info('%s%s updated using new remote with alt FOU local IP: %s:%s<->%s:%s',
                    TUNL_DEV, '@'+FOU_DEV if FOU_DEV else '',
                    fou_ip, FOU_PORT, FOU_REMOTE_IP, FOU_REMOTE_PORT,
                )

            # DNAT will be added below
            # Create SNAT rule for mapping (required if incoming connection expired or conntrack disabled)
            cmd = ['nft', '--', 'add', 'rule', 'ip', NFT_TABLE, 'nat-postrouting']
            if FOU_DEV:
                cmd.extend(('oifname', '"%s"' % FOU_DEV))
            cmd.extend(('ip', 'saddr', str(FOU_IP_ALT), 'udp', 'sport', str(FOU_PORT)))
            if NFT_COUNTER:
                cmd.append('counter')
            cmd.extend(('snat', 'to', str(FOU_IP_MAIN)))
            log.debug('call: %s', cmd)
            try:
                subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
            except subprocess.CalledProcessError as e:
                log.error('Failed to add SNAT rule for alt FOU local IP: %s', e.stderr)
                returncode = 40  # nftables error exit code
                return False
            else:
                log.debug('Added SNAT rule for alt FOU local IP')

            # Add mapped FOU local IP if not yet present
            cmd = ('ip', 'address', 'add', str(FOU_IP_ALT), 'scope', 'global', 'dev', FOU_DEV or fou_dev)
            log.debug('call: %s', cmd)
            try:
                subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
            except subprocess.CalledProcessError as e:
                if 'RTNETLINK answers: File exists' in e.stderr:
                    log.warning('Seems alt IP %s already assigned to %s', FOU_IP_ALT, FOU_DEV or fou_dev)
                else:
                    log.error('Failed to add alt IP %s to %s: %s', FOU_IP_ALT, FOU_DEV or fou_dev, e.stderr)
                    returncode = 51  # ip_address error exit code
                    return False
            else:
                log.debug('Added alt IP %s to %s', FOU_IP_ALT, FOU_DEV or fou_dev)

            # Update FOU listener

            # Delete old if was created by this script
            if own_fou:
                cmd = ['ip', 'fou', 'del', 'port', str(FOU_PORT)]
                if not ip_fou_unsupported_local:
                    cmd.extend(('local', str(FOU_IP_MAIN)))
                    # if FOU_REMOTE_IP and FOU_REMOTE_PORT:
                    #     cmd.extend(('peer', str(FOU_REMOTE_IP), 'peer_port', str(FOU_REMOTE_PORT)))
                    if FOU_DEV:
                        cmd.extend(('dev', FOU_DEV))
                log.debug('call: %s', cmd)
                try:
                    subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
                except subprocess.CalledProcessError as e:
                    log.warning('Failed to delete old FOU listener %s:%s%s : %s', FOU_IP_MAIN, FOU_PORT, '@'+FOU_DEV if FOU_DEV else '', e.stderr)
                else:
                    log.debug('Deleted old FOU listener %s:%s%s', FOU_IP_MAIN, FOU_PORT, '@'+FOU_DEV if FOU_DEV else '')

            # Create replacement
            cmd = ['ip', 'fou', 'add', 'port', str(FOU_PORT), 'ipproto', '4']
            if not ip_fou_unsupported_local:
                cmd.extend(('local', str(fou_ip)))
                # if FOU_REMOTE_IP and FOU_REMOTE_PORT:  # Establish connection
                #     cmd.extend(('peer', FOU_REMOTE_IP, 'peer_port', FOU_REMOTE_PORT))
                if FOU_DEV:
                    cmd.extend(('dev', FOU_DEV))
            log.debug('call: %s', cmd)
            try:
                subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
            except subprocess.CalledProcessError as e:
                own_fou = False
                if 'RTNETLINK answers: Address already in use' in e.stderr:
                    log.warning('Seems IPIP FOU listener %s:%s%s already exists', fou_ip, FOU_PORT, '@'+FOU_DEV if FOU_DEV else '')
                else:
                    log.error('Failed to create replacement IPIP FOU listener %s:%s%s : %s', fou_ip, FOU_PORT, '@'+FOU_DEV if FOU_DEV else '', e.stderr)
                    returncode = 53  # ip_fou error exit code
                    return False
            else:
                own_fou = True
                log.debug('Added replacement IPIP FOU listener %s:%s%s', fou_ip, FOU_PORT, '@'+FOU_DEV if FOU_DEV else '')
        else:
            log.error('Failed to update %s%s %s:%s<->%s:%s : %s', TUNL_DEV, '@'+FOU_DEV if FOU_DEV else '', fou_ip, FOU_PORT, FOU_REMOTE_IP, FOU_REMOTE_PORT, e.stderr)
            returncode = 52  # ip_link error exit code
            return False
    else:
        log.info('%s updated to use new FOU remote %s:%s', TUNL_DEV, FOU_REMOTE_IP, FOU_REMOTE_PORT)

    if fou_ip == FOU_IP_ALT:
        # Create or update DNAT rule
        handle_num = None
        cmd = ('nft', '-ann', '--', 'list', 'chain', 'ip', NFT_TABLE, 'nat-prerouting')
        for l in subprocess.check_output(cmd, universal_newlines=True).splitlines():
            if ' daddr {} '.format(FOU_IP_MAIN) in l \
            and ' udp dport {} '.format(FOU_PORT) in l:
                handle_num = l[l.rfind(' ')+1:]
                break
        if handle_num is None:  # Create new rule
            cmd = ['nft', '--', 'add', 'rule', 'ip', NFT_TABLE, 'nat-prerouting']
        else:  # Update/replace existing
            cmd = ['nft', '--', 'replace', 'rule', 'ip', NFT_TABLE, 'nat-prerouting', 'handle', handle_num]
        if FOU_DEV:
            cmd.extend(('iifname', '"%s"' % FOU_DEV))
        cmd.extend(('ip', 'daddr', str(FOU_IP_MAIN), 'udp', 'dport', str(FOU_PORT),
            'ip', 'saddr', str(FOU_REMOTE_IP), 'udp', 'sport', str(FOU_REMOTE_PORT),
        ))
        if NFT_COUNTER:
            cmd.append('counter')
        cmd.extend(('dnat', 'to', str(FOU_IP_ALT)))
        log.debug('call: %s', cmd)
        try:
            subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
        except subprocess.CalledProcessError as e:
            log.error('Failed to update DNAT rule for alt FOU local IP: %s', e.stderr)
            returncode = 40  # nftables error exit code
            return False
        else:
            log.debug('Updated DNAT rule for alt FOU local IP')

    # # Delete old connection if any
    # cmd = ('conntrack', '--delete',
    #     '--proto', 'udp',
    #     '--orig-src', str(fou_remote_ip_old),
    #     '--orig-port-src', str(fou_remote_port_old),
    #     '--orig-dst', str(FOU_IP_MAIN),
    #     '--orig-port-dst', str(FOU_PORT),
    # )
    # log.debug('call: %s', cmd)
    # try:
    #     if subprocess.call(cmd, stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL):
    #         log.debug('Conntrack old entry not found: %s:%s->%s:%s', FOU_REMOTE_IP, FOU_REMOTE_PORT, fou_ip, FOU_PORT)
    #     else:
    #         log.debug('Conntrack old entry deleted: %s:%s->%s:%s', FOU_REMOTE_IP, FOU_REMOTE_PORT, fou_ip, FOU_PORT)
    # except FileNotFoundError:
    #     log.info('Executable not found: conntrack')

    return True


def ipipou_delete():
    '''
    Deconfigure and delete ipipou tunnel
    '''
    rval = True

    # Delete tunnel interface
    if os.path.islink('/sys/class/net/'+TUNL_DEV) \
    or (not os.path.isdir('/sys/class/net')
        and subprocess.call(('ip', 'link', 'show', TUNL_DEV),
            stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL) == 0
    ):
        cmd = ('ip', 'link', 'del', TUNL_DEV)
        log.debug('call: %s', cmd)
        try:
            subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
        except subprocess.CalledProcessError as e:
            log.warning('Failed to delete %s: %s', TUNL_DEV, e.stderr)
            rval = False
        else:
            log.debug('%s deleted', TUNL_DEV)
    else:
        log.debug('%s does not exist, nothing to delete.', TUNL_DEV)

    # Delete FOU listener if exists and was created by this script
    if own_fou and fou_ip:
        cmd = ['ip', 'fou', 'del', 'port', str(FOU_PORT)]
        if not ip_fou_unsupported_local:
            cmd.extend(('local', str(fou_ip)))
            # if FOU_REMOTE_IP and FOU_REMOTE_PORT:
            #     cmd.extend(('peer', str(FOU_REMOTE_IP), 'peer_port', str(FOU_REMOTE_PORT)))
            if FOU_DEV:
                cmd.extend(('dev', FOU_DEV))
        log.debug('call: %s', cmd)
        try:
            subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
        except subprocess.CalledProcessError as e:
            log.warning('Failed to delete FOU listener %s:%s%s: %s', fou_ip, FOU_PORT, '@'+FOU_DEV if FOU_DEV else '', e.stderr)
            rval = False
        else:
            log.debug('FOU listener %s:%s%s deleted', fou_ip, FOU_PORT, '@'+FOU_DEV if FOU_DEV else '')

    if MODE == 'server':
        # Remove private mapped local FOU IP if any
        if own_fou_ip_alt and fou_ip == FOU_IP_ALT:
            cmd = ('ip', '-4', '-o', 'address', 'show', 'dev', FOU_DEV or fou_dev)
            for l in subprocess.check_output(cmd, universal_newlines=True).splitlines():
                l = l.split(maxsplit=4)
                ip = l[l.index('inet', 2)+1]
                if ip == '%s/32' % FOU_IP_ALT:
                    cmd = ('ip', 'address', 'delete', ip, 'dev', FOU_DEV or fou_dev)
                    log.debug('call: %s', cmd)
                    try:
                        subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
                    except subprocess.CalledProcessError as e:
                        log.warning('Failed to delete FOU alt IP %s from %s: %s', FOU_IP_ALT, FOU_DEV or fou_dev, e.stderr)
                        rval = False
                    else:
                        log.debug('FOU alt IP %s deleted from %s', FOU_IP_ALT, FOU_DEV or fou_dev)
                    break

        # Remove NAT and queue rules if any
        cmd = ('nft', '-ann', '--', 'list', 'table', 'ip', NFT_TABLE)
        for l in subprocess.check_output(cmd, universal_newlines=True).splitlines():
            if 'port {} '.format(FOU_PORT) in l:
                if ' queue num {} '.format(NFQ_NUM) in l:
                    cmd = ('nft', '--', 'delete', 'rule', 'ip', NFT_TABLE, 'nfq', 'handle', l[l.rfind(' ')+1:])
                elif ' dnat to {} '.format(FOU_IP_ALT) in l:
                    cmd = ('nft', '--', 'delete', 'rule', 'ip', NFT_TABLE, 'nat-prerouting', 'handle', l[l.rfind(' ')+1:])
                elif ' snat to {} '.format(FOU_IP_MAIN) in l:
                    cmd = ('nft', '--', 'delete', 'rule', 'ip', NFT_TABLE, 'nat-postrouting', 'handle', l[l.rfind(' ')+1:])
                else:
                    continue

                log.debug('call: %s', cmd)
                try:
                    subprocess.run(cmd, universal_newlines=True, stderr=subprocess.PIPE, stdout=subprocess.DEVNULL, timeout=3, check=True)
                except subprocess.CalledProcessError as e:
                    log.warning('Failed to delete nftables rule: %s: %s', l.lstrip(), e.stderr)
                    rval = False
                else:
                    log.debug('nftables rule deleted: %s', l.lstrip())

        # Delete existing connection if any
        if FOU_REMOTE_IP and FOU_REMOTE_PORT:
            cmd = ('conntrack', '--delete',
                '--proto', 'udp',
                '--orig-src', str(FOU_REMOTE_IP),
                '--orig-port-src', str(FOU_REMOTE_PORT),
                '--orig-dst', str(FOU_IP_MAIN),
                '--orig-port-dst', str(FOU_PORT),
            )
            log.debug('call: %s', cmd)
            try:
                if subprocess.call(cmd, stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL):
                    log.debug('Conntrack entry not found: %s:%s->%s:%s', FOU_REMOTE_IP, FOU_REMOTE_PORT, fou_ip, FOU_PORT)
                else:
                    log.debug('Conntrack entry deleted: %s:%s->%s:%s', FOU_REMOTE_IP, FOU_REMOTE_PORT, fou_ip, FOU_PORT)
            except FileNotFoundError:
                log.info('Executable not found: conntrack')

    return rval


def iface2ip(iface):
    '''
    Return first available IPv4 address of interface.
    '''
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return socket.inet_ntoa(
        fcntl.ioctl(
            s.fileno(),
            0x8915,  # SIOCGIFADDR
            struct.pack('256s', iface.encode()[:15])
        )[20:24]
    )


# To use it as a module you have to properly init global variables parsed and pushed to global scope below
if __name__ == '__main__':
    import argparse

    # Parse command line options
    parser = argparse.ArgumentParser(description=__doc__)

    parser.add_argument('--version', action='version', version='0.1',
        help='Show program version and exit.')
    parser.add_argument('--config', dest='CONFIG',
        # type=argparse.FileType('r'),
        help='Configuration file. If does not start with `/` or `./` or `../` filename will be prefixed with `/etc/ipipou/` and suffixed with `.conf`. One argument per line. Key and value (if any) separated by single space. Leading spaces, tabs, and hyphens are ignored, as well as empty lines and lines started with `#`. Can be specified multiple times. Other command line options parsed later so have higher priority generally.')
    parser.add_argument('-v', action='count', dest='LOG_LEVEL', default=0,
        help='Output verbosity. Set multiple times to increase it even more (up to 3).')
    parser.add_argument('--verb', dest='VERB', default=None, type=int,
        help='Output verbosity. The same as `-v` but with numeric value.')
    parser.add_argument('-c', '--client', action='store_true', dest='MODE', default=True,
        help='Client mode (default).')
    parser.add_argument('-s', '--server', action='store_false', dest='MODE', default=True,
        help='Server mode.')
    parser.add_argument('-n', '--number', dest='N', default=0, type=int,
        help='Default value for NFQ_NUM and default argument for generation of: TUNL_DEV, TUNL_IP, TUNL_PEER_IP, FOU_PORT, FOU_IP_ALT. Defaults to NFQ_NUM if specified and less than 999, or 0 otherwise.')
    parser.add_argument('-q', '--queue-number', dest='NFQ_NUM', type=int,
        help='Netfilter queue number. Defaults to N (if specified).')
    parser.add_argument('--auth-by-remote-ip', action='store_true', default=False, dest='AUTH_BY_REMOTE_IP',
        help='Authenticate by explicitly specified FOU_REMOTE_IP. Only connections from this IP will be authenticated, all others declined. Can supplement other auth methods.')
    parser.add_argument('--auth-by-remote-port', action='store_true', default=False, dest='AUTH_BY_REMOTE_PORT',
        help='The same as AUTH_BY_REMOTE_IP but for AUTH_BY_REMOTE_PORT.')
    parser.add_argument('--auth-token', metavar='AUTH_TOKEN', dest='AUTH_TOKEN',
        type=lambda s: bytes(s, 'utf8'),
        help='Auth token utf8 plaintext (will be converted to bytes).')
    parser.add_argument('--auth-token-b64', metavar='AUTH_TOKEN_BASE64', dest='AUTH_TOKEN',
        type=lambda s: b64decode(s, validate=True),
        help='Auth token base64 encoded.')
    parser.add_argument('--auth-key-b64', metavar='AUTH_KEY_BASE64', dest='AUTH_KEY',
        type=lambda s: b64decode(s, validate=True),
        help='Auth private key base64 encoded. Key type set by AUTH_KEY_TYPE.')
    parser.add_argument('--auth-remote-pubkey-b64', metavar='AUTH_REMOTE_PUBKEY_BASE64', dest='AUTH_REMOTE_PUBKEY',
        type=lambda s: b64decode(s, validate=True),
        help='Auth public key of remote host base64 encoded. Key type set by AUTH_KEY_TYPE.')
    parser.add_argument('--auth-key-type', dest='AUTH_KEY_TYPE', default='ed25519',
        help='Auth key type. Defaults to "ed25519" (32 bit), the only supported type so far.')
    parser.add_argument('--auth-secret', dest='AUTH_SECRET', default=b'netprickle.com',
        type=lambda s: bytes(s, 'utf8'),
        help='Auth shared secret. Never sent over network but participate in message signing. Defaults to "netprickle.com".')
    parser.add_argument('--auth-keygen', action='store_true', default=False, dest='AUTH_KEYGEN',
        help='Generate base64 encoded key pair of type AUTH_KEY_TYPE and exit. First line is private/signing key, second line is public/verifying key. Use "-v" option to prepend key type for each line.')
    parser.add_argument('--auth-max-time-discrepancy', metavar='SEC',
        dest='AUTH_MAX_TIME_DISCREPANCY_SEC', default=0,
        type=int,
        help='Max allowed time discrepancy between hosts for authentication when AUTH_REMOTE_PUBKEY set. This may protect from replay attack for plaintext token auth. The most secure (but unstable) value is slightly higher than latency between hosts (time must be in sync on both hosts in this case). Set to 0 to ignore time discrepancy (default).')
    parser.add_argument('-b', '--fou-local', dest='FOU_LOCAL',
        help='FOU local [FOU_IP][:FOU_PORT][@FOU_DEV] to bind. It is 3-in-one option.')
    parser.add_argument('--fou-local-ip', metavar='FOU_IP', dest='FOU_IP_MAIN', type=ipaddress.IPv4Address,
        help='FOU local IP to bind. Defaults to first available FOU_DEV IP if FOU_DEV specified.')
    parser.add_argument('--fou-local-ip-alt', dest='FOU_IP_ALT', type=ipaddress.IPv4Address,
        help='Fallback FOU local IP to bind. If required will be assigned to FOU_DEV if not assigned yet. If in use connections to/from this IP will be NATed to/from FOU_IP. Used when another tunnel with the same pair FOU_REMOTE_IP:FOU_IP already exists but source/destination UDP port is/are different. This allows to create multiple tunnels when remote side is behind NAT with the same public IP. Defaults to %s+N.' % fou_ip_alt_base)
    parser.add_argument('--force-fou-local-ip-alt', action='store_true', default=False, dest='FORCE_FOU_IP_ALT',
        help='Use FOU_IP_ALT even if it is possible to create tunnel directly using FOU_IP. If false (default) FOU_IP_ALT will be used only if another tunnel already exists with the same pair FOU_REMOTE_IP:FOU_IP.')
    parser.add_argument('--fou-local-port', dest='FOU_PORT', type=int,
        help='FOU local port to bind. Defaults to %s+N.' % fou_port_base)
    parser.add_argument('-r', '--fou-remote', dest='FOU_REMOTE',
        help='FOU remote [FOU_REMOTE_IP][:FOU_REMOTE_PORT]. It is 2-in-one option.')
    parser.add_argument('--fou-remote-ip', dest='FOU_REMOTE_IP', type=ipaddress.IPv4Address,
        help='FOU remote IPv4. In server mode defaults to autodetect on first authenticated packet, change for subsequent packets.')
    parser.add_argument('--fou-remote-port', dest='FOU_REMOTE_PORT', type=int,
        help='FOU remote port. In server mode defaults to autodetect on first authenticated packet, change for subsequent packets.')
    parser.add_argument('--fou-dev', dest='FOU_DEV',
        help='FOU local/base/outer network interface. Must be present on host if set.')
    parser.add_argument('--tunl-dev', dest='TUNL_DEV',
        help='IPIP tunnel network interface name. Defaults to ipipou+N, where N is the value of -n option.')
    parser.add_argument('--tunl-ip', dest='TUNL_IP', type=ipaddress.IPv4Address,
        help='IPv4 to assign to TUNL_DEV. Defaults to %s+2*N.' % tunl_ip_base)
    parser.add_argument('--tunl-peer-ip', dest='TUNL_PEER_IP', type=ipaddress.IPv4Address,
        help='Remote side IP of TUNL_DEV. Defaults to TUNL_IP+1 in server mode, TUNL_IP-1 in client mode.')
    parser.add_argument('--nfq-max-len', dest='NFQ_MAX_LEN', type=int, default=24,
        help='The largest number of packets that can be in netfilter queue. New packets are dropped if the size of the queue reaches this number. Defaults to 24.')
    parser.add_argument('--no-encap-csum', action='store_false', dest='ENCAP_CSUM', default=None)
    parser.add_argument('--encap-csum', action='store_true', dest='ENCAP_CSUM', default=None,
        help='Specifies if UDP checksums are enabled in the inner tunnel layer. System wide default will be used if unset.')
    parser.add_argument('--no-nft-counter', action='store_false', dest='NFT_COUNTER', default=True,
        help='Do not add counter statement to nftables rules. By default counters are added.')
    parser.add_argument('--nft-table', dest='NFT_TABLE', default='ipipou',
        help='Netfilter table name which will be used to manage nftables state. Should be the same across multiple tunnels. Defaults to "ipipou".')
    parser.add_argument('--reauth-only', action='store_true', dest='REAUTH_ONLY', default=False,
        help='In client mode [re]send corresponding authentication packet and exit. It can be useful to reauthenticate already configured tunnel in case if authentication was forgotten on server side and/or client public ip:port was changed.')
    parser.add_argument('--auth-packet-ttl', dest='AUTH_PACKET_TTL', default=None, type=int,
        help='TTL value for authentication IP packet in client mode (or reply in server mode when REPLY_ON_AUTH_OK set). Defaults to system wide default or 64 if failed to detect. Note: If you configured netfilter rules to change outgoing packets TTL they will not work for auth packets because they sent by raw sockets, so not tracked by netfilter.')
    parser.add_argument('--auth-lifetime', metavar='SEC', dest='AUTH_LIFETIME_SEC', default=0, type=int,
        help='Max time in seconds while existing auth is valid for remembered remote. If lifetime is expired next packet received from remembered remote will be treated as auth packet by netfilter queue handler. Note that it affect only the case when connection is expired on server side, existing connection lifetime is not limited and can exceed this limit (such packets are not handled by nfq). It can be useful to prevent unauthorized access when connection is expired and the same remote can be used by unknown host. Recommended values: for higher security use the value less than udp connection timeout (e.g. 15), for clients with public IPs or behind one-to-one NAT use 0 (infinity), for clients with relatively stable ports mapping use values around 1h, avoid using values lower than 5 sec - the auth packet closest followers might be dropped because queued to nfq before auth packet handling. Defaults to 0 (infinity).')
    parser.add_argument('--keepalive', metavar='SEC', dest='KEEPALIVE_SEC', default=0, type=int,
        help='Send keepalive packets every SEC seconds. In client mode send auth packets, in server mode (not implemented) send empty packets. Defaults to 0 (never).')
    parser.add_argument('--reply-on-auth-ok', action='store_true', dest='REPLY_ON_AUTH_OK', default=False,
        help='In server mode send response back to remote host if authentication was successful. In AUTH_TOKEN mode (or REMOTE_IP/REMOTE_PORT auth only) response UDP payload (outer) is reversed bytes of original auth packet UDP payload. In AUTH_KEY or AUTH_REMOTE_PUBKEY mode response UDP payload is: signature + unix time UTC timestamp (5 bytes) + salt (4 bytes), client may authenticate response by verifying message signature and timestamp. Signature message contains: timestamp + salt + secret (so the secret is not included to packet payload but required to be known for signature verification). Defaults to false: verify silently, in this case you may check if tunnel was properly authenticated by ping or other methods.')
    # parser.add_argument('--reply-on-auth-failure', action='store_true', dest='REPLY_ON_AUTH_FAILURE', default=False,
    #     help='The same as REPLY_ON_AUTH_OK but for unauthenticated requests.')
    parser.add_argument('--no-log-time', action='store_false', dest='LOG_TIME', default=True,
        help='Do not add timestamp to log. Suitable when run as a service.')
    parser.add_argument('--no-log-pid', action='store_false', dest='LOG_PID', default=True,
        help='Do not add PID to log. Suitable when run as a service.')
    # parser.add_argument('--no-log-loglevel', action='store_false', dest='LOG_loglevel', default=True,
    #     help='Do not add loglevel to log. Suitable when run as a service.')

    # Parse config if specified
    config_args = []  # The list of options gathered from config file if any
    args = sys.argv[1:]
    while '--config' in args:
        i = args.index('--config')
        args.pop(i)
        try:
            CONFIG = args.pop(i)
        except IndexError:
            parser.error('argument --config: expected one argument')

        if CONFIG.startswith('/') or CONFIG.startswith('./') or CONFIG.startswith('../'):
            pass
        else:
            CONFIG = '/etc/ipipou/%s.conf' % CONFIG

        try:
            with open(CONFIG) as fd:
                for line in fd:
                    line = line.rstrip('\r\n')
                    if not line or line.startswith('#'):
                        continue
                    k, _, v = line.lstrip(' \t-').partition(' ')
                    if k:
                        if len(k) == 1:
                            config_args.append('-'+k)
                        else:
                            config_args.append('--'+k)
                        if v:
                            config_args.append(v)
        except Exception as e:
            parser.error('argument --config: failed to parse file %s: %s' % (CONFIG, e))

    # Parse and assign arguments to globals
    globals().update(parser.parse_args(config_args + args).__dict__)

    if VERB is not None:
        LOG_LEVEL += VERB
    LOG_LEVEL = (40-LOG_LEVEL*10) if LOG_LEVEL < 4 else 0  # 40 is WARNING
    # Slightly rename logging level names to decrease levelname indent from 8 to 5
    logging.addLevelName(50, 'FATAL')
    #logging.addLevelName(40, 'ERROR')
    logging.addLevelName(30, 'WARN')
    #logging.addLevelName(20, 'INFO')
    #logging.addLevelName(10, 'DEBUG')
    logging.addLevelName(0, 'UNSET')
    log_format = '%(levelname)05s %(message)s'
    if LOG_PID:
        log_format = '%(process)d ' + log_format
    if LOG_TIME:
        log_format = '%(asctime)s.%(msecs)03d ' + log_format
    logging.basicConfig(
        format=log_format,
        datefmt='%Y-%m-%dT%H:%M:%S',
        level=LOG_LEVEL,
    )
    log = logging.getLogger()

    # Set defaults and validate arguments

    MODE = 'client' if MODE else 'server'

    if FOU_LOCAL:
        if '@' in FOU_LOCAL:
            i = FOU_LOCAL.find('@')
            FOU_DEV = FOU_LOCAL[i+1:]
            FOU_LOCAL = FOU_LOCAL[:i]
        if ':' in FOU_LOCAL:
            i = FOU_LOCAL.find(':')
            try:
                FOU_PORT = int(FOU_LOCAL[i+1:])
            except ValueError:
                parser.error('argument --fou-local: invalid FOU_PORT')
            FOU_LOCAL = FOU_LOCAL[:i]
        if FOU_LOCAL:
            try:
                FOU_IP_MAIN = ipaddress.IPv4Address(FOU_LOCAL)
            except ipaddress.AddressValueError:
                parser.error('argument --fou-local: invalid FOU_IP')
    if FOU_REMOTE:
        if ':' in FOU_REMOTE:
            i = FOU_REMOTE.find(':')
            try:
                FOU_REMOTE_PORT = int(FOU_REMOTE[i+1:])
            except ValueError:
                parser.error('argument --fou-remote: invalid FOU_REMOTE_PORT')
            FOU_REMOTE = FOU_REMOTE[:i]
        if FOU_REMOTE:
            try:
                FOU_REMOTE_IP = ipaddress.IPv4Address(FOU_REMOTE)
            except ipaddress.AddressValueError:
                # Treat FOU_REMOTE as a domain name
                try:
                    FOU_REMOTE = socket.gethostbyname(FOU_REMOTE)
                except Exception as e:
                    parser.error('argument --fou-remote: %s' % e)
                try:
                    FOU_REMOTE_IP = ipaddress.IPv4Address(FOU_REMOTE)
                except ipaddress.AddressValueError:
                    parser.error('argument --fou-remote: invalid FOU_REMOTE_IP: %s' % e)

    if AUTH_KEY or AUTH_REMOTE_PUBKEY or AUTH_KEYGEN:
        if AUTH_KEY_TYPE == 'ed25519':
            # try:  # Deprecated
            #     import ed25519
            #     from ed25519 import BadSignatureError
            # except Exception as e:
            #     parser.error('failed to import module: %s' % e)
            try:
                from nacl.signing import SigningKey, VerifyKey
                from nacl.exceptions import BadSignatureError
            except Exception as e:
                parser.error('failed to import module: %s' % e)

            if AUTH_KEYGEN:  # Generate keys and exit
                # key, pubkey = ed25519.create_keypair()  # For deprecated module ed25519
                key = SigningKey.generate()
                if LOG_LEVEL < 40:
                    # print("Private key (32 bytes):", b64encode(key.to_seed()).decode())  # For deprecated module ed25519
                    # print("Public  key (32 bytes):", b64encode(pubkey.to_bytes()).decode())  # For deprecated module ed25519
                    print("Private key (ed25519, 32 bytes):", b64encode(key.encode()).decode())
                    print("Public  key (ed25519, 32 bytes):", b64encode(key.verify_key.encode()).decode())
                else:
                    # print(b64encode(key.to_seed()).decode())  # For deprecated module ed25519
                    # print(b64encode(pubkey.to_bytes()).decode())  # For deprecated module ed25519
                    print(b64encode(key.encode()).decode())
                    print(b64encode(key.verify_key.encode()).decode())
                sys.exit(0)

            if AUTH_KEY:
                if len(AUTH_KEY) != 32:
                    parser.error('invalid AUTH_KEY size for type %s: %s != 32' % (AUTH_KEY_TYPE, len(AUTH_KEY)))
                # Convert to ed25519 signing key obj
                # AUTH_KEY = ed25519.SigningKey(AUTH_KEY)  # For deprecated module ed25519
                AUTH_KEY = SigningKey(AUTH_KEY)
            if AUTH_REMOTE_PUBKEY:
                if len(AUTH_REMOTE_PUBKEY) != 32:
                    parser.error('invalid AUTH_REMOTE_PUBKEY size for type %s: %s != 32' % (AUTH_KEY_TYPE, len(AUTH_REMOTE_PUBKEY)))
                # Convert to ed25519 verify key obj
                # AUTH_REMOTE_PUBKEY = ed25519.VerifyingKey(AUTH_REMOTE_PUBKEY)  # For deprecated module ed25519
                AUTH_REMOTE_PUBKEY = VerifyKey(AUTH_REMOTE_PUBKEY)
        else:
            parser.error('unsupported AUTH_KEY_TYPE: %s' % AUTH_KEY_TYPE)

    if (AUTH_KEY or AUTH_REMOTE_PUBKEY) and AUTH_SECRET == b'netprickle.com':
        log.warning('Default AUTH_SECRET is in use, change it on both sides for higher security.')

    if FOU_DEV or FOU_IP_MAIN:
        pass
    else:
        # (?) Use the main IP and device of default route
        parser.error('either FOU_DEV or FOU_IP is required')
    if not FOU_IP_MAIN:
        # Use the first available IP of FOU_DEV
        try:
            FOU_IP_MAIN = ipaddress.IPv4Address(iface2ip(FOU_DEV))
        except Exception:  # Most probably OSError
            parser.error('failed to get main IP of %s' % FOU_DEV)
        log.debug('Autodetected main IP of %s: %s', FOU_DEV, FOU_IP_MAIN)
    if not FOU_DEV:
        # Keep FOU_DEV not specified but set autodetected fou_dev required for
        # some actions (e.g. adding/removing alt IP)
        for l in subprocess.check_output(
            ('ip', '-4', '-o', 'address', 'show', 'scope', 'global'),
            universal_newlines=True,
        ).splitlines():
            if ' inet {}/'.format(FOU_IP_MAIN) in l:
                fou_dev = l[l.find(': ')+2:l.find('  ')]
                log.debug('Set implicit fou_dev to %s', fou_dev)
                break

    if FOU_DEV:
        if os.path.islink('/sys/class/net/'+FOU_DEV):
            pass
        elif os.path.isdir('/sys/class/net') \
        or subprocess.call(('ip', 'link', 'show', FOU_DEV),
            stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
        ):
            parser.error('FOU_DEV does not exist: %s' % FOU_DEV)

    if FOU_REMOTE_IP:
        pass
    elif MODE == 'client':
        parser.error('FOU_REMOTE_IP is required in client mode')
    elif AUTH_BY_REMOTE_IP:
        parser.error('FOU_REMOTE_IP is required if AUTH_BY_REMOTE_IP set')

    if FOU_REMOTE_PORT is not None:
        if not 1 <= FOU_REMOTE_PORT <= 65535:
            parser.error('FOU_REMOTE_PORT is out of range 1-65535: {}'.format(FOU_REMOTE_PORT))
    elif MODE == 'client':
        parser.error('FOU_REMOTE_PORT is required in client mode')
    elif AUTH_BY_REMOTE_PORT:
        parser.error('FOU_REMOTE_PORT is required if AUTH_BY_REMOTE_PORT set')

    if MODE == 'server':
        if REAUTH_ONLY:
            parser.error('REAUTH_ONLY is not supported in server mode')

        try:
            import netfilterqueue as nfq
        except ModuleNotFoundError as e:
            parser.error(e)

        if NFQ_NUM is None:
            NFQ_NUM = N
        if not 0 <= NFQ_NUM <= 65535:
            parser.error('NFQ_NUM is out of range 0-65535: {}'.format(NFQ_NUM))
        if N == 0 and (0 < NFQ_NUM <= 999):
            N = NFQ_NUM

        # if FORCE_FOU_IP_ALT and not FOU_IP_ALT:
        #     parser.error('FOU_IP_ALT required if FORCE_FOU_IP_ALT set')

        # Map FOU_IP_MAIN to FOU_IP_ALT in case if IPIP tunnel with the same pair
        # FOU_IP_MAIN<->FOU_REMOTE_IP already exists but on different FOU ports, because otherwise
        # IPIP tunnel creation fails with "RTNETLINK answers: File exists"
        if not FOU_IP_ALT:
            # FOU_IP_ALT = ipaddress.IPv4Address('172.29.{}.{}'.format(N//256, N%256))
            FOU_IP_ALT = ipaddress.IPv4Address(fou_ip_alt_base) + N

        if AUTH_TOKEN or AUTH_REMOTE_PUBKEY:
            pass
        else:
            log.debug('No AUTH_TOKEN or AUTH_REMOTE_PUBKEY specified: set NFQ range to 28 to get only IP+UDP packet headers.')
            nfq_range = 28  # Get only packet headers up to UDP

    if AUTH_PACKET_TTL is None:
        try:
            with open('/proc/sys/net/ipv4/ip_default_ttl') as fd:
                AUTH_PACKET_TTL = int(fd.read())
            log.debug('Using system wide default auth packet TTL: %s', AUTH_PACKET_TTL)
        except Exception as e:
            log.warning('Failed to detect system wide default for auth packet TTL, fallback to 64: %s', e)
            AUTH_PACKET_TTL = 64

    if AUTH_TOKEN:
        atb_len = len(AUTH_TOKEN)
        if atb_len <= 548:  # Max payload size with min IPv4 MTU (576-28)
            pass
        elif atb_len > 1472:  # 1500-28
            parser.error('auth token size is larger than 1472 (max payload for common MTU): %s' % atb_len)
        elif atb_len > 548:
            log.warning('auth token size is larger than 548 (max payload for min IPv4 MTU)')
        del atb_len

    if FOU_PORT is None:
        FOU_PORT = fou_port_base+N  # FOU RX port
    if not 1 <= FOU_PORT <= 65535:
        parser.error('FOU_PORT is out of range 1-65535: {}'.format(FOU_PORT))

    if not TUNL_DEV:
        TUNL_DEV = 'ipipou{}'.format(N)  # Default tunnel interface name
    elif len(TUNL_DEV) > 16 or '/' in TUNL_DEV:
        parser.error('invalid TUNL_DEV: {}'.format(TUNL_DEV))

    if not TUNL_IP:
        if MODE == 'server':
            # TUNL_IP = ipaddress.IPv4Address('172.28.{}.{}'.format((2*N)//256, (2*N)%256))
            TUNL_IP = ipaddress.IPv4Address(tunl_ip_base) + 2*N
        else:
            parser.error('TUNL_IP is required in client mode, it must match server peer IP.')
    if not TUNL_PEER_IP:
        if MODE == 'server':
            # TUNL_PEER_IP = ipaddress.IPv4Address('172.28.{}.{}'.format((2*N+1)//256, (2*N+1)%256))
            TUNL_PEER_IP = TUNL_IP + 1
        else:
            # TUNL_PEER_IP = ipaddress.IPv4Address('172.28.{}.{}'.format((2*N-1)//256, (2*N-1)%256))
            TUNL_PEER_IP = TUNL_IP - 1

    # TODO: (?) convert IPs from IPv4Address back to str notation

    # Cleanup some stuff which is not required anymore
    del parser
    del argparse
    del AUTH_KEYGEN
    del FOU_LOCAL
    del FOU_REMOTE
    del i
    gc.collect()

    prerequisites()

    if MODE == 'server':
        # Main long running function
        queue_init(nft_queue_flags='bypass')

    elif MODE == 'client':
        if REAUTH_ONLY:  # Short running.
            if not client_auth():
                returncode = 120  # send_auth error exit code
        else:
            # Main long running function
            client_init(monitor=False)

    sys.exit(returncode)