wgrpcd

package module
v0.0.0-...-372ab56 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 26, 2021 License: MIT Imports: 22 Imported by: 2

README

Wireguard Controller

GoDoc reference

Warning

wgrpcd has not been audited and is not suitable for production workloads. It's still under heavy development and is a hobby project to be used with targetpractice.network, wireguardhttps and other projects I develop in my spare time. Reach out to me on Twitter if you're interested in using wgrpcd in production.

Overview

wgrpcd controls a Wireguard instance, exposing operations over a gRPC API. This process must run with permissions to manipulate Wireguard interfaces and as such is bound to localhost by default, but can be publicly exposed to let an application control wgrpcd from a different server. No matter where it's bound, it must be configured to use mTLS with TLSv1.3. Keep all CA key material in a safe place, like Azure Key Vault. You can use certstrap to create certificates. This gRPC API is meant to be called by a lower privileged application that can provide services on top of Wireguard that interact with the general internet. It intentionally exposes minimal functionality to limit the attack surface. Clients have no good reason to retrieve a private key once it has been created. They should instead generate a new private key if they ever need a new configuration and revoke the old key.

Usage of wgrpcd:
  -ca-cert string
        -ca-cert is the CA that client certificates will be signed with. (default "cacert.pem")
  -cert-filename string
        -cert-filename server's SSL certificate. (default "servercert.pem")
  -key-filename string
        -key-filename is the server's SSL key. (default "serverkey.pem")
  -listen-address string
        -listen-address specifies the host:port pair to listen on. (default "localhost:15002")
  -openid-api-identifier string
        -openid-api-identifier is the API identifier given by the OpenID provider when setting up a machine-to-machine app.
  -openid-domain string
        -openid-domain is the domain the OpenID provider gives when setting up a machine-to-machine app.
  -openid-provider string
        -openid-provider enables OAuth2 authentication of clients using an OpenID provider's machine-to-machine auth. Allowed: (aws, auth0)

wgrpcd doesn't maintain any state to limit attack surface. This means wgrpcd does not:

  • Allocate IP Addresses
  • Set DNS providers for clients
  • Limit access between connected devices
  • Monitor VPN traffic

If you need these, you'll need to build it yourself. You can look at wireguardhttps as an example of how to build some of those things on top of wgrpcd.

Running without root

You can run this program on Linux without root by setting the CAP_NET_ADMIN and CAP_NET_BIND_SERVICE capabilities on the wgrpcd binary. Set them using sudo setcap CAP_NET_BIND_SERVICE,CAP_NET_ADMIN+eip wgrpcd

API Operations

  • Create peer and get provisioned config (one operation to minimize the time the private key is in memory)
  • Regenerate peer config and revoke old private key
  • Remove peer and revoke old private key
  • Change wireguard listen port
  • View registered peers

Authentication

wgrpcd uses mTLS to limit access to the gRPC API. Unencrypted connections will be rejected. Client certificates must be signed by the Certificate Authority passed with the -ca-cert flag.

auth0

wgrcpd also supports optional OAuth2 using auth0's Machine to Machine offering. I recommend using it if you will be running wgrpcd on a separate host from its client(s). I use it to put wgrpcd clients on Heroku while being able to revoke access and maintain better audit logs of access to wgrpcd. Pass auth0 to the -openid-provider flag to enable auth0 and pass your auth0 Domain and API Identifier with the -openid-domain and -openid-api-identifier flags.

In order to access the methods on the gRPC API, you'll have to add scopes to auth0. You can copy them from the Permissions section below.

auth0 scopes config

AWS Cognito

Pass aws to the -openid-provider flag to enable auth0 and pass your AWS Cognito Domain and API Identifier with the -openid-domain and -openid-api-identifier flags. wgrpcd supports AWS Cognito as an Open ID Provider. wgrpcd clients must be added as an App Client using the Client Credentials grant type in Cognito. In order to access the methods on wgrpcd, you need to register the permissions as scopes in AWS Cognito. AWS Cognito sends scopes in the format API identifier/scope name. wgrpcd's identifer should be /wgrpcd.WireguardRPC, and the scopes should be named after the individual methods, like CreatePeer and RekeyPeer. You can copy the scopes from the Permissions section below.

wgrpcd scopes on AWS

Permissions

wgrpcd clients authenticated with auth0 will only be able to access the gRPC method names specified as OAuth2 scopes. On AWS, this means your API Identifier must be /wgrpcd.WireguardRPC, and the scope should be named after the method name, like CreatePeer.

// Permissions allow wgrpcd to limit access to methods on its gRPC server based on configuration with an OpenID provider.
// The permissions in this file are meant to allow admins to limit access to wgrpcd functions.
// These permissions should be passed as scopes in the JWT from the OpenID provider.
const (
	// PermissionChangeListenPort allows a client to change the Wireguard VPN's listening port
	PermissionChangeListenPort = "/wgrpcd.WireguardRPC/ChangeListenPort"

	// PermissionCreatePeer allows a client to create a new peer on the Wiregurd interface.
	PermissionCreatePeer = "/wgrpcd.WireguardRPC/CreatePeer"

	// PermissionRekeyPeer allows a client to rekey a peer.
	PermissionRekeyPeer = "/wgrpcd.WireguardRPC/RekeyPeer"

	// PermissionRemovePeer allows a client to remove a peer from the interface.
	PermissionRemovePeer = "/wgrpcd.WireguardRPC/RemovePeer"

	// PermissionListPeers allows a client to list active peers.
	PermissionListPeers = "/wgrpcd.WireguardRPC/ListPeers"

	// PermissionListDevices allows a client to list active Wireguard interfaces on a host.
	PermissionListDevices = "/wgrpcd.WireguardRPC/Devices"
)

Clients should only request the permissions they need to limit the impact of compromised credentials. For example, WireguardHTTPS has no reason to change the listen port of a Wireguard VPN.

minimal permissions

//ServerConfig contains all information a caller needs to create a new wgrpcd.Server.
type ServerConfig struct {
	TLSConfig      *tls.Config
	CACertFilename string
	AuthFunc       AuthFunc
	Logger         Logger
}

Using the API

wgrpcd exposes a gRPC server that controls a Wireguard interfaces. By default, it listens on localhost:15002. It can be connected to with any language, but this RPC server is intended to be used by wireguardhttps. The protobuf service, requests and responses can be found in wgrpcd.proto.

This package exports an API client that handles gRPC connections and handles input validation.

There's a wgrpcd.Client that handles loading SSL credentials and performs some input validation before sending it over the wire in client.go.

To create a client, pass a wgrpcd.ClientConfig struct to wgrpcd.NewClient. You can use grpcauth.AWSCognitoAppClientCredentials or grpcauth.Auth0M2MClientCredentials to generate a grpc.DialOption that conects to an OAuth2 provider.

// ClientConfig contains all information needed to configure a wgrpcd.Client.
// Client authentication can be configured using the Options []DialOption.
type ClientConfig struct {
	GRPCAddress     string
	ClientCertBytes []byte
	ClientKeyBytes  []byte
	CACertFilename  string
	Options         []grpc.DialOption
}

Client certificates are represented as byte slices, making it easy to load from environment variables. This makes it possible to do git push heroku master with wgprcd clients without putting your client credentials in version control.

Go clients of wgrpcd should use wgrpcd.Client instead of writing their own client implementations. If you spot an improvement, please submit a pull request.

There's an example client in wg-info.go that displays all connected Wireguard interfaces. The client needs to be configured for mTLS with a client certificate, key and CA certificate for validating the server.

Usage of wg-info:
  -audience string
        -audience is the auth0 audience
  -ca-cert string
        -ca-cert is the CA that server certificates will be signed with. (default "cacert.pem")
  -client-cert string
        -client-cert is the client SSL certificate. (default "clientcert.pem")
  -client-id string
        -client-id is the oauth2 client id
  -client-key string
        -client-key is the client SSL key. (default "clientkey.pem")
  -client-secret string
        -client-secret is the oauth2 client secret
  -openid-provider string
        -openid-provider specifies the OpenID provider to use. Supported: ('aws', 'auth0')
  -token-url string
        -token-url is the oauth2 client credentials token URL
  -wgrpcd-address string
        -wgrpcd-address is the wgrpcd gRPC server on localhost. It must be running to run this program. (default "localhost:15002")
  -wireguard-interface string
        -wireguard-interface is the name of the wireguard interface. (default "wg0")

Documentation

Overview

Package wgrpcd contains an opinionated Wireguard VPN controller that accepts connections over gRPC and mTLS with TLSv1.3 and Let's Encrypt. It supports optional OAuth2 using auth0 or any OAuth2 provider implementing their OAuth2 M2M flow. See https://auth0.com/blog/using-m2m-authorization/ for more information. wgrpcd can be used as a library but is meant to be used with its included wgrpcd CLI.

Index

Constants

View Source 
const (
	// PermissionChangeListenPort allows a client to change the Wireguard VPN's listening port
	PermissionChangeListenPort = "/wgrpcd.WireguardRPC/ChangeListenPort"

	// PermissionCreatePeer allows a client to create a new peer on the Wiregurd interface.
	PermissionCreatePeer = "/wgrpcd.WireguardRPC/CreatePeer"

	// PermissionRekeyPeer allows a client to rekey a peer.
	PermissionRekeyPeer = "/wgrpcd.WireguardRPC/RekeyPeer"

	// PermissionRemovePeer allows a client to remove a peer from the interface.
	PermissionRemovePeer = "/wgrpcd.WireguardRPC/RemovePeer"

	// PermissionListPeers allows a client to list active peers.
	PermissionListPeers = "/wgrpcd.WireguardRPC/ListPeers"

	// PermissionListDevices allows a client to list active Wireguard interfaces on a host.
	PermissionListDevices = "/wgrpcd.WireguardRPC/Devices"
)

Permissions allow wgrpcd to limit access to methods on its gRPC server based on configuration with an OpenID provider. The permissions in this file are meant to allow admins to limit access to wgrpcd functions. These permissions should be passed as scopes in the JWT from the OpenID provider.

Variables

View Source 
var (
	// ConnectTimeout describes the total timeout for establishing a client
	// connection to the wgrpcd server.
	ConnectTimeout = time.Duration(10) * time.Second

	// ConnectBackoffMaxDelay configures the dialer to use the
	// provided maximum delay when backing off after
	// failed connection attempts.
	ConnectBackoffMaxDelay = time.Duration(2) * time.Second

	// KeepaliveTime is the interval at which the client sends keepalive
	// probes to the server.
	KeepaliveTime = time.Duration(30) * time.Second

	// KeepaliveTimeout is the amount of time the client waits to receive
	// a response from the server after a keepalive probe.
	KeepaliveTimeout = time.Duration(20) * time.Second
)
View Source 
var File_wgrpcd_proto protoreflect.FileDescriptor

Functions

func IPNetsToStrings 

func IPNetsToStrings(nets []net.IPNet) []string

IPNetsToStrings converts a list of net.IPNets to CIDR subnet strings.

func IPsToStrings 

func IPsToStrings(ips []net.IP) []string

IPsToStrings converts a list of net.IPs to string

func NewServer 

func NewServer(config *ServerConfig) (*grpc.Server, error)

NewServer returns a wgrpcd instance configured to use a gRPC server with TLSv1.3.

func NoAuth 

func NoAuth(md metadata.MD) (*grpcauth.AuthResult, error)

NoAuth always returns an grpcauth.AuthResult with all permissions attached. Use this to use wgrpcd with only mTLS client certifcate auth. mTLS client certifcate auth is sufficient if wgrpcd and its client(s) are on the same server.

func RegisterWireguardRPCServer 

func RegisterWireguardRPCServer(s grpc.ServiceRegistrar, srv WireguardRPCServer)

func StringsToIPNet 

func StringsToIPNet(cidrStrings []string) ([]net.IPNet, error)

StringsToIPNet tries to convert a list of CIDR subnet strings to net.IPNets.

func StringsToIPs 

func StringsToIPs(rawIPs []string) ([]net.IP, error)

StringsToIPs parses a list of strings into net.IPs.

Types

type ChangeListenPortRequest 

type ChangeListenPortRequest struct {
	ListenPort int32  `protobuf:"varint,1,opt,name=listenPort,proto3" json:"listenPort,omitempty"`
	DeviceName string `protobuf:"bytes,2,opt,name=deviceName,proto3" json:"deviceName,omitempty"`
	// contains filtered or unexported fields
}

func (*ChangeListenPortRequest) Descriptor deprecated 

func (*ChangeListenPortRequest) Descriptor() ([]byte, []int)

Deprecated: Use ChangeListenPortRequest.ProtoReflect.Descriptor instead.

func (*ChangeListenPortRequest) GetDeviceName 

func (x *ChangeListenPortRequest) GetDeviceName() string

func (*ChangeListenPortRequest) GetListenPort 

func (x *ChangeListenPortRequest) GetListenPort() int32

func (*ChangeListenPortRequest) ProtoMessage 

func (*ChangeListenPortRequest) ProtoMessage()

func (*ChangeListenPortRequest) ProtoReflect 

func (x *ChangeListenPortRequest) ProtoReflect() protoreflect.Message

func (*ChangeListenPortRequest) Reset 

func (x *ChangeListenPortRequest) Reset()

func (*ChangeListenPortRequest) String 

func (x *ChangeListenPortRequest) String() string

type ChangeListenPortResponse 

type ChangeListenPortResponse struct {
	NewListenPort int32 `protobuf:"varint,1,opt,name=newListenPort,proto3" json:"newListenPort,omitempty"`
	// contains filtered or unexported fields
}

func (*ChangeListenPortResponse) Descriptor deprecated 

func (*ChangeListenPortResponse) Descriptor() ([]byte, []int)

Deprecated: Use ChangeListenPortResponse.ProtoReflect.Descriptor instead.

func (*ChangeListenPortResponse) GetNewListenPort 

func (x *ChangeListenPortResponse) GetNewListenPort() int32

func (*ChangeListenPortResponse) ProtoMessage 

func (*ChangeListenPortResponse) ProtoMessage()

func (*ChangeListenPortResponse) ProtoReflect 

func (x *ChangeListenPortResponse) ProtoReflect() protoreflect.Message

func (*ChangeListenPortResponse) Reset 

func (x *ChangeListenPortResponse) Reset()

func (*ChangeListenPortResponse) String 

func (x *ChangeListenPortResponse) String() string

type Client 

type Client struct {
	GrpcAddress       string
	TLSCredentials    credentials.TransportCredentials
	AdditionalOptions []grpc.DialOption
	// contains filtered or unexported fields
}

Client interfaces with the wgrpcd API and marshals data between Go and the underlying transport.

func NewClient 

func NewClient(config *ClientConfig) (*Client, error)

NewClient returns a client configured with client TLS certificates and the wgrpcd instance URL.

func (*Client) ChangeListenPort 

func (c *Client) ChangeListenPort(ctx context.Context, deviceName string, listenPort int) (int32, error)

ChangeListenPort changes a wgrpcd's Wireguard server's listen port

func (*Client) Close 

func (c *Client) Close() error

Close closes a client connection and frees the resouces associated with it.

func (*Client) Connect 

func (c *Client) Connect() error

Connect makes the gRPC client dial the server and maintains a connection until the client is closed with Close. Callers of this must Close() the connection themselves to avoid leaks.

func (*Client) CreatePeer 

func (c *Client) CreatePeer(ctx context.Context, deviceName string, allowedIPs []net.IPNet) (*PeerConfigInfo, error)

CreatePeer calls the server's CreatePeer method and returns a Wireguard config for the newly created peer.

func (*Client) Devices 

func (c *Client) Devices(ctx context.Context) ([]string, error)

Devices returns all Wireguard interfaces controllable by wgrpcd.

func (*Client) ImportPeers 

func (c *Client) ImportPeers(ctx context.Context, deviceName string, peers []*ImportedPeer) error

ImportPeers creates a new peer from a list of peers.

func (*Client) ListPeers 

func (c *Client) ListPeers(ctx context.Context, deviceName string) ([]*Peer, error)

ListPeers shows all peers authorized to connect to a Wireguard instance.

func (*Client) RekeyPeer 

func (c *Client) RekeyPeer(ctx context.Context, deviceName string, oldPublicKey wgtypes.Key, allowedIPs []net.IPNet) (*PeerConfigInfo, error)

RekeyPeer wraps the server's RekeyPeer operation and returns the updated credentials.

func (*Client) RemovePeer 

func (c *Client) RemovePeer(ctx context.Context, deviceName string, publicKey wgtypes.Key) (bool, error)

RemovePeer removes a peer from the Wireguard server and revokes its access.

type ClientConfig 

type ClientConfig struct {
	GRPCAddress     string
	ClientCertBytes []byte
	ClientKeyBytes  []byte
	CACertFilename  string
	Options         []grpc.DialOption
}

ClientConfig contains all information needed to configure a wgrpcd.Client. Client authentication can be configured using the Options []DialOption.

type CreatePeerRequest 

type CreatePeerRequest struct {
	AllowedIPs []string `protobuf:"bytes,1,rep,name=allowedIPs,proto3" json:"allowedIPs,omitempty"`
	DeviceName string   `protobuf:"bytes,2,opt,name=deviceName,proto3" json:"deviceName,omitempty"`
	// contains filtered or unexported fields
}

func (*CreatePeerRequest) Descriptor deprecated 

func (*CreatePeerRequest) Descriptor() ([]byte, []int)

Deprecated: Use CreatePeerRequest.ProtoReflect.Descriptor instead.

func (*CreatePeerRequest) GetAllowedIPs 

func (x *CreatePeerRequest) GetAllowedIPs() []string

func (*CreatePeerRequest) GetDeviceName 

func (x *CreatePeerRequest) GetDeviceName() string

func (*CreatePeerRequest) ProtoMessage 

func (*CreatePeerRequest) ProtoMessage()

func (*CreatePeerRequest) ProtoReflect 

func (x *CreatePeerRequest) ProtoReflect() protoreflect.Message

func (*CreatePeerRequest) Reset 

func (x *CreatePeerRequest) Reset()

func (*CreatePeerRequest) String 

func (x *CreatePeerRequest) String() string

type CreatePeerResponse 

type CreatePeerResponse struct {
	PrivateKey      string   `protobuf:"bytes,1,opt,name=privateKey,proto3" json:"privateKey,omitempty"`
	PublicKey       string   `protobuf:"bytes,2,opt,name=publicKey,proto3" json:"publicKey,omitempty"`
	AllowedIPs      []string `protobuf:"bytes,3,rep,name=allowedIPs,proto3" json:"allowedIPs,omitempty"`
	ServerPublicKey string   `protobuf:"bytes,4,opt,name=serverPublicKey,proto3" json:"serverPublicKey,omitempty"`
	// contains filtered or unexported fields
}

func (*CreatePeerResponse) Descriptor deprecated 

func (*CreatePeerResponse) Descriptor() ([]byte, []int)

Deprecated: Use CreatePeerResponse.ProtoReflect.Descriptor instead.

func (*CreatePeerResponse) GetAllowedIPs 

func (x *CreatePeerResponse) GetAllowedIPs() []string

func (*CreatePeerResponse) GetPrivateKey 

func (x *CreatePeerResponse) GetPrivateKey() string

func (*CreatePeerResponse) GetPublicKey 

func (x *CreatePeerResponse) GetPublicKey() string

func (*CreatePeerResponse) GetServerPublicKey 

func (x *CreatePeerResponse) GetServerPublicKey() string

func (*CreatePeerResponse) ProtoMessage 

func (*CreatePeerResponse) ProtoMessage()

func (*CreatePeerResponse) ProtoReflect 

func (x *CreatePeerResponse) ProtoReflect() protoreflect.Message

func (*CreatePeerResponse) Reset 

func (x *CreatePeerResponse) Reset()

func (*CreatePeerResponse) String 

func (x *CreatePeerResponse) String() string

type DevicesRequest 

type DevicesRequest struct {
	// contains filtered or unexported fields
}

func (*DevicesRequest) Descriptor deprecated 

func (*DevicesRequest) Descriptor() ([]byte, []int)

Deprecated: Use DevicesRequest.ProtoReflect.Descriptor instead.

func (*DevicesRequest) ProtoMessage 

func (*DevicesRequest) ProtoMessage()

func (*DevicesRequest) ProtoReflect 

func (x *DevicesRequest) ProtoReflect() protoreflect.Message

func (*DevicesRequest) Reset 

func (x *DevicesRequest) Reset()

func (*DevicesRequest) String 

func (x *DevicesRequest) String() string

type DevicesResponse 

type DevicesResponse struct {
	Devices []string `protobuf:"bytes,1,rep,name=devices,proto3" json:"devices,omitempty"`
	// contains filtered or unexported fields
}

func (*DevicesResponse) Descriptor deprecated 

func (*DevicesResponse) Descriptor() ([]byte, []int)

Deprecated: Use DevicesResponse.ProtoReflect.Descriptor instead.

func (*DevicesResponse) GetDevices 

func (x *DevicesResponse) GetDevices() []string

func (*DevicesResponse) ProtoMessage 

func (*DevicesResponse) ProtoMessage()

func (*DevicesResponse) ProtoReflect 

func (x *DevicesResponse) ProtoReflect() protoreflect.Message

func (*DevicesResponse) Reset 

func (x *DevicesResponse) Reset()

func (*DevicesResponse) String 

func (x *DevicesResponse) String() string

type ImportRequest 

type ImportRequest struct {
	Peers      []*ImportedPeer `protobuf:"bytes,1,rep,name=peers,proto3" json:"peers,omitempty"`
	DeviceName string          `protobuf:"bytes,2,opt,name=deviceName,proto3" json:"deviceName,omitempty"`
	// contains filtered or unexported fields
}

func (*ImportRequest) Descriptor deprecated 

func (*ImportRequest) Descriptor() ([]byte, []int)

Deprecated: Use ImportRequest.ProtoReflect.Descriptor instead.

func (*ImportRequest) GetDeviceName 

func (x *ImportRequest) GetDeviceName() string

func (*ImportRequest) GetPeers 

func (x *ImportRequest) GetPeers() []*ImportedPeer

func (*ImportRequest) ProtoMessage 

func (*ImportRequest) ProtoMessage()

func (*ImportRequest) ProtoReflect 

func (x *ImportRequest) ProtoReflect() protoreflect.Message

func (*ImportRequest) Reset 

func (x *ImportRequest) Reset()

func (*ImportRequest) String 

func (x *ImportRequest) String() string

type ImportResponse 

type ImportResponse struct {
	// contains filtered or unexported fields
}

func (*ImportResponse) Descriptor deprecated 

func (*ImportResponse) Descriptor() ([]byte, []int)

Deprecated: Use ImportResponse.ProtoReflect.Descriptor instead.

func (*ImportResponse) ProtoMessage 

func (*ImportResponse) ProtoMessage()

func (*ImportResponse) ProtoReflect 

func (x *ImportResponse) ProtoReflect() protoreflect.Message

func (*ImportResponse) Reset 

func (x *ImportResponse) Reset()

func (*ImportResponse) String 

func (x *ImportResponse) String() string

type ImportedPeer 

type ImportedPeer struct {
	PublicKey  string   `protobuf:"bytes,1,opt,name=publicKey,proto3" json:"publicKey,omitempty"`
	AllowedIPs []string `protobuf:"bytes,2,rep,name=allowedIPs,proto3" json:"allowedIPs,omitempty"`
	// contains filtered or unexported fields
}

func (*ImportedPeer) Descriptor deprecated 

func (*ImportedPeer) Descriptor() ([]byte, []int)

Deprecated: Use ImportedPeer.ProtoReflect.Descriptor instead.

func (*ImportedPeer) GetAllowedIPs 

func (x *ImportedPeer) GetAllowedIPs() []string

func (*ImportedPeer) GetPublicKey 

func (x *ImportedPeer) GetPublicKey() string

func (*ImportedPeer) ProtoMessage 

func (*ImportedPeer) ProtoMessage()

func (*ImportedPeer) ProtoReflect 

func (x *ImportedPeer) ProtoReflect() protoreflect.Message

func (*ImportedPeer) Reset 

func (x *ImportedPeer) Reset()

func (*ImportedPeer) String 

func (x *ImportedPeer) String() string

type ListPeersRequest 

type ListPeersRequest struct {
	DeviceName string `protobuf:"bytes,1,opt,name=deviceName,proto3" json:"deviceName,omitempty"`
	// contains filtered or unexported fields
}

func (*ListPeersRequest) Descriptor deprecated 

func (*ListPeersRequest) Descriptor() ([]byte, []int)

Deprecated: Use ListPeersRequest.ProtoReflect.Descriptor instead.

func (*ListPeersRequest) GetDeviceName 

func (x *ListPeersRequest) GetDeviceName() string

func (*ListPeersRequest) ProtoMessage 

func (*ListPeersRequest) ProtoMessage()

func (*ListPeersRequest) ProtoReflect 

func (x *ListPeersRequest) ProtoReflect() protoreflect.Message

func (*ListPeersRequest) Reset 

func (x *ListPeersRequest) Reset()

func (*ListPeersRequest) String 

func (x *ListPeersRequest) String() string

type ListPeersResponse 

type ListPeersResponse struct {
	Peers []*Peer `protobuf:"bytes,1,rep,name=peers,proto3" json:"peers,omitempty"`
	// contains filtered or unexported fields
}

func (*ListPeersResponse) Descriptor deprecated 

func (*ListPeersResponse) Descriptor() ([]byte, []int)

Deprecated: Use ListPeersResponse.ProtoReflect.Descriptor instead.

func (*ListPeersResponse) GetPeers 

func (x *ListPeersResponse) GetPeers() []*Peer

func (*ListPeersResponse) ProtoMessage 

func (*ListPeersResponse) ProtoMessage()

func (*ListPeersResponse) ProtoReflect 

func (x *ListPeersResponse) ProtoReflect() protoreflect.Message

func (*ListPeersResponse) Reset 

func (x *ListPeersResponse) Reset()

func (*ListPeersResponse) String 

func (x *ListPeersResponse) String() string

type Logger 

type Logger struct {
	*log.Logger
}

Logger wraps Go's stdlib logger to allow for more control over logging. An empty logger will log to Go's default logger.

func (*Logger) Printf 

func (l *Logger) Printf(format string, args ...interface{})

Printf forwards the logging call to a custom logger, or the default logger if there is no custom logger.

type Peer 

type Peer struct {
	PublicKey        string   `protobuf:"bytes,1,opt,name=publicKey,proto3" json:"publicKey,omitempty"`
	AllowedIPs       []string `protobuf:"bytes,2,rep,name=allowedIPs,proto3" json:"allowedIPs,omitempty"`
	ReceivedBytes    int64    `protobuf:"varint,3,opt,name=receivedBytes,proto3" json:"receivedBytes,omitempty"`
	TransmittedBytes int64    `protobuf:"varint,4,opt,name=transmittedBytes,proto3" json:"transmittedBytes,omitempty"`
	LastSeen         int64    `protobuf:"varint,5,opt,name=lastSeen,proto3" json:"lastSeen,omitempty"`
	// contains filtered or unexported fields
}

func (*Peer) Descriptor deprecated 

func (*Peer) Descriptor() ([]byte, []int)

Deprecated: Use Peer.ProtoReflect.Descriptor instead.

func (*Peer) GetAllowedIPs 

func (x *Peer) GetAllowedIPs() []string

func (*Peer) GetLastSeen 

func (x *Peer) GetLastSeen() int64

func (*Peer) GetPublicKey 

func (x *Peer) GetPublicKey() string

func (*Peer) GetReceivedBytes 

func (x *Peer) GetReceivedBytes() int64

func (*Peer) GetTransmittedBytes 

func (x *Peer) GetTransmittedBytes() int64

func (*Peer) ProtoMessage 

func (*Peer) ProtoMessage()

func (*Peer) ProtoReflect 

func (x *Peer) ProtoReflect() protoreflect.Message

func (*Peer) Reset 

func (x *Peer) Reset()

func (*Peer) String 

func (x *Peer) String() string

type PeerConfigInfo 

type PeerConfigInfo struct {
	PrivateKey      string
	PublicKey       string
	AllowedIPs      []net.IPNet
	ServerPublicKey string
}

PeerConfigInfo contains all information needed to configure a Wireguard peer.

type RekeyPeerRequest 

type RekeyPeerRequest struct {
	PublicKey  string   `protobuf:"bytes,1,opt,name=publicKey,proto3" json:"publicKey,omitempty"`
	AllowedIPs []string `protobuf:"bytes,2,rep,name=allowedIPs,proto3" json:"allowedIPs,omitempty"`
	DeviceName string   `protobuf:"bytes,3,opt,name=deviceName,proto3" json:"deviceName,omitempty"`
	// contains filtered or unexported fields
}

func (*RekeyPeerRequest) Descriptor deprecated 

func (*RekeyPeerRequest) Descriptor() ([]byte, []int)

Deprecated: Use RekeyPeerRequest.ProtoReflect.Descriptor instead.

func (*RekeyPeerRequest) GetAllowedIPs 

func (x *RekeyPeerRequest) GetAllowedIPs() []string

func (*RekeyPeerRequest) GetDeviceName 

func (x *RekeyPeerRequest) GetDeviceName() string

func (*RekeyPeerRequest) GetPublicKey 

func (x *RekeyPeerRequest) GetPublicKey() string

func (*RekeyPeerRequest) ProtoMessage 

func (*RekeyPeerRequest) ProtoMessage()

func (*RekeyPeerRequest) ProtoReflect 

func (x *RekeyPeerRequest) ProtoReflect() protoreflect.Message

func (*RekeyPeerRequest) Reset 

func (x *RekeyPeerRequest) Reset()

func (*RekeyPeerRequest) String 

func (x *RekeyPeerRequest) String() string

type RekeyPeerResponse 

type RekeyPeerResponse struct {
	PrivateKey      string   `protobuf:"bytes,1,opt,name=privateKey,proto3" json:"privateKey,omitempty"`
	PublicKey       string   `protobuf:"bytes,2,opt,name=publicKey,proto3" json:"publicKey,omitempty"`
	AllowedIPs      []string `protobuf:"bytes,3,rep,name=allowedIPs,proto3" json:"allowedIPs,omitempty"`
	ServerPublicKey string   `protobuf:"bytes,4,opt,name=serverPublicKey,proto3" json:"serverPublicKey,omitempty"`
	// contains filtered or unexported fields
}

func (*RekeyPeerResponse) Descriptor deprecated 

func (*RekeyPeerResponse) Descriptor() ([]byte, []int)

Deprecated: Use RekeyPeerResponse.ProtoReflect.Descriptor instead.

func (*RekeyPeerResponse) GetAllowedIPs 

func (x *RekeyPeerResponse) GetAllowedIPs() []string

func (*RekeyPeerResponse) GetPrivateKey 

func (x *RekeyPeerResponse) GetPrivateKey() string

func (*RekeyPeerResponse) GetPublicKey 

func (x *RekeyPeerResponse) GetPublicKey() string

func (*RekeyPeerResponse) GetServerPublicKey 

func (x *RekeyPeerResponse) GetServerPublicKey() string

func (*RekeyPeerResponse) ProtoMessage 

func (*RekeyPeerResponse) ProtoMessage()

func (*RekeyPeerResponse) ProtoReflect 

func (x *RekeyPeerResponse) ProtoReflect() protoreflect.Message

func (*RekeyPeerResponse) Reset 

func (x *RekeyPeerResponse) Reset()

func (*RekeyPeerResponse) String 

func (x *RekeyPeerResponse) String() string

type RemovePeerRequest 

type RemovePeerRequest struct {
	PublicKey  string `protobuf:"bytes,1,opt,name=publicKey,proto3" json:"publicKey,omitempty"`
	DeviceName string `protobuf:"bytes,2,opt,name=deviceName,proto3" json:"deviceName,omitempty"`
	// contains filtered or unexported fields
}

func (*RemovePeerRequest) Descriptor deprecated 

func (*RemovePeerRequest) Descriptor() ([]byte, []int)

Deprecated: Use RemovePeerRequest.ProtoReflect.Descriptor instead.

func (*RemovePeerRequest) GetDeviceName 

func (x *RemovePeerRequest) GetDeviceName() string

func (*RemovePeerRequest) GetPublicKey 

func (x *RemovePeerRequest) GetPublicKey() string

func (*RemovePeerRequest) ProtoMessage 

func (*RemovePeerRequest) ProtoMessage()

func (*RemovePeerRequest) ProtoReflect 

func (x *RemovePeerRequest) ProtoReflect() protoreflect.Message

func (*RemovePeerRequest) Reset 

func (x *RemovePeerRequest) Reset()

func (*RemovePeerRequest) String 

func (x *RemovePeerRequest) String() string

type RemovePeerResponse 

type RemovePeerResponse struct {
	Removed bool `protobuf:"varint,1,opt,name=removed,proto3" json:"removed,omitempty"`
	// contains filtered or unexported fields
}

func (*RemovePeerResponse) Descriptor deprecated 

func (*RemovePeerResponse) Descriptor() ([]byte, []int)

Deprecated: Use RemovePeerResponse.ProtoReflect.Descriptor instead.

func (*RemovePeerResponse) GetRemoved 

func (x *RemovePeerResponse) GetRemoved() bool

func (*RemovePeerResponse) ProtoMessage 

func (*RemovePeerResponse) ProtoMessage()

func (*RemovePeerResponse) ProtoReflect 

func (x *RemovePeerResponse) ProtoReflect() protoreflect.Message

func (*RemovePeerResponse) Reset 

func (x *RemovePeerResponse) Reset()

func (*RemovePeerResponse) String 

func (x *RemovePeerResponse) String() string

type Server 

type Server struct {
	UnimplementedWireguardRPCServer
	// contains filtered or unexported fields
}

Server implements the operations exposed in the profobuf definitions for the gRPC server.

func (*Server) ChangeListenPort 

func (s *Server) ChangeListenPort(ctx context.Context, request *ChangeListenPortRequest) (*ChangeListenPortResponse, error)

ChangeListenPort updates the listening port wireguard is running on. It can be used to allow coordination with a firewall.

func (*Server) CreatePeer 

func (s *Server) CreatePeer(ctx context.Context, request *CreatePeerRequest) (*CreatePeerResponse, error)

CreatePeer adds a new Wireguard peer to the VPN.

func (*Server) Devices 

func (s *Server) Devices(ctx context.Context, request *DevicesRequest) (*DevicesResponse, error)

Devices shows all Wireguard interfaces that can be controlled with wgrpcd.

func (*Server) Import 

func (s *Server) Import(ctx context.Context, request *ImportRequest) (*ImportResponse, error)

Import allows loading new peers into a wgrpcd instance from a list of Peers

func (*Server) ListPeers 

func (s *Server) ListPeers(ctx context.Context, request *ListPeersRequest) (*ListPeersResponse, error)

ListPeers returns all peers from a Wireguard device.

func (*Server) RekeyPeer 

func (s *Server) RekeyPeer(ctx context.Context, request *RekeyPeerRequest) (*RekeyPeerResponse, error)

RekeyPeer revokes a client's old public key and replaces it with a new one.

func (*Server) RemovePeer 

func (s *Server) RemovePeer(ctx context.Context, request *RemovePeerRequest) (*RemovePeerResponse, error)

RemovePeer deletes a peer from the Wireguard interface.

type ServerConfig 

type ServerConfig struct {
	TLSConfig      *tls.Config
	CACertFilename string
	AuthFunc       grpcauth.AuthFunc
	PermissionFunc grpcauth.PermissionFunc
	Logger         Logger
}

ServerConfig contains all information a caller needs to create a new wgrpcd.Server.

type UnimplementedWireguardRPCServer 

type UnimplementedWireguardRPCServer struct {
}

UnimplementedWireguardRPCServer must be embedded to have forward compatible implementations.

func (UnimplementedWireguardRPCServer) ChangeListenPort 

func (UnimplementedWireguardRPCServer) ChangeListenPort(context.Context, *ChangeListenPortRequest) (*ChangeListenPortResponse, error)

func (UnimplementedWireguardRPCServer) CreatePeer 

func (UnimplementedWireguardRPCServer) CreatePeer(context.Context, *CreatePeerRequest) (*CreatePeerResponse, error)

func (UnimplementedWireguardRPCServer) Devices 

func (UnimplementedWireguardRPCServer) Devices(context.Context, *DevicesRequest) (*DevicesResponse, error)

func (UnimplementedWireguardRPCServer) Import 

func (UnimplementedWireguardRPCServer) Import(context.Context, *ImportRequest) (*ImportResponse, error)

func (UnimplementedWireguardRPCServer) ListPeers 

func (UnimplementedWireguardRPCServer) ListPeers(context.Context, *ListPeersRequest) (*ListPeersResponse, error)

func (UnimplementedWireguardRPCServer) RekeyPeer 

func (UnimplementedWireguardRPCServer) RekeyPeer(context.Context, *RekeyPeerRequest) (*RekeyPeerResponse, error)

func (UnimplementedWireguardRPCServer) RemovePeer 

func (UnimplementedWireguardRPCServer) RemovePeer(context.Context, *RemovePeerRequest) (*RemovePeerResponse, error)

type UnsafeWireguardRPCServer 

type UnsafeWireguardRPCServer interface {
	// contains filtered or unexported methods
}

UnsafeWireguardRPCServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as added methods to WireguardRPCServer will result in compilation errors.

type Wireguard 

type Wireguard struct {
	DeviceName      string
	ListenPort      int
	ServerPublicKey wgtypes.Key
}

Wireguard represents a wireguard interface. It is simply a struct with the device name. Each call will attempt to control the device and return os.IsNotExist if the named device cannot be found. Wireguard is an abstraction over wgctrl to ensure callers don't leave clients open.

func Devices 

func Devices() ([]*Wireguard, error)

Devices shows all Wireguard interfaces.

func New 

func New(deviceName string) (*Wireguard, error)

New returns a new Wireguard controller.

func (Wireguard) AddNewPeer 

func (w Wireguard) AddNewPeer(allowedIPs []net.IPNet, publicKey wgtypes.Key) (*wgtypes.PeerConfig, error)

AddNewPeer adds a new Wireguard peer to the VPN.

func (Wireguard) ChangeListenPort 

func (w Wireguard) ChangeListenPort(port int) error

ChangeListenPort updates the listening port wireguard is running on. It can be used to allow coordination with a firewall.

func (Wireguard) Peers 

func (w Wireguard) Peers() ([]wgtypes.Peer, error)

Peers returns all peers from a Wireguard device.

func (Wireguard) RekeyClient 

func (w Wireguard) RekeyClient(allowedIPs []net.IPNet, oldPublicKey, newPublicKey wgtypes.Key) (*wgtypes.PeerConfig, error)

RekeyClient revokes a client's old public key and replaces it with a new one.

func (Wireguard) RemovePeer 

func (w Wireguard) RemovePeer(publicKey wgtypes.Key) error

RemovePeer deletes a peer from the Wireguard interface.

func (Wireguard) String 

func (w Wireguard) String() string

String returns the name of the interface.

type WireguardRPCClient 

type WireguardRPCClient interface {
	ChangeListenPort(ctx context.Context, in *ChangeListenPortRequest, opts ...grpc.CallOption) (*ChangeListenPortResponse, error)
	CreatePeer(ctx context.Context, in *CreatePeerRequest, opts ...grpc.CallOption) (*CreatePeerResponse, error)
	RekeyPeer(ctx context.Context, in *RekeyPeerRequest, opts ...grpc.CallOption) (*RekeyPeerResponse, error)
	RemovePeer(ctx context.Context, in *RemovePeerRequest, opts ...grpc.CallOption) (*RemovePeerResponse, error)
	ListPeers(ctx context.Context, in *ListPeersRequest, opts ...grpc.CallOption) (*ListPeersResponse, error)
	Devices(ctx context.Context, in *DevicesRequest, opts ...grpc.CallOption) (*DevicesResponse, error)
	Import(ctx context.Context, in *ImportRequest, opts ...grpc.CallOption) (*ImportResponse, error)
}

WireguardRPCClient is the client API for WireguardRPC service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

func NewWireguardRPCClient 

func NewWireguardRPCClient(cc grpc.ClientConnInterface) WireguardRPCClient

type WireguardRPCServer 

type WireguardRPCServer interface {
	ChangeListenPort(context.Context, *ChangeListenPortRequest) (*ChangeListenPortResponse, error)
	CreatePeer(context.Context, *CreatePeerRequest) (*CreatePeerResponse, error)
	RekeyPeer(context.Context, *RekeyPeerRequest) (*RekeyPeerResponse, error)
	RemovePeer(context.Context, *RemovePeerRequest) (*RemovePeerResponse, error)
	ListPeers(context.Context, *ListPeersRequest) (*ListPeersResponse, error)
	Devices(context.Context, *DevicesRequest) (*DevicesResponse, error)
	Import(context.Context, *ImportRequest) (*ImportResponse, error)
	// contains filtered or unexported methods
}

WireguardRPCServer is the server API for WireguardRPC service. All implementations must embed UnimplementedWireguardRPCServer for forward compatibility

Source Files

View all Source files

Directories

Path Synopsis
cmd
wgrpcd
Package main sets up a gRPC server on a localhost port that can control a local Wireguard instance.
 Package main sets up a gRPC server on a localhost port that can control a local Wireguard instance.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.