Layer 2 version of WireGuard with Floyd–Warshall routing, implemented in Go.

Etherguard

Chinese README

A Full Mesh Layer2 VPN based on wireguard-go

OSPF can find the best route based on its cost.
But sometimes the latency differs between the outbound and return directions of a packet.
I'm thinking, is it possible to find the best route based on the single-way latency?
For example, I have two routes A and B at node N1, both of them can reach my node N2. A goes fast, but B comes back fast.
My VPN can automatically send packets through route A at node N1, and the packets come back through route B.

Here is the solution. This VPN, Etherguard, can collect the single-way latency from all nodes and calculate the best route using the Floyd–Warshall algorithm.
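The route calculation described above, as an added example (not Etherguard's own code): Floyd–Warshall run over a directed one-way latency matrix, returning a next-hop table so the outbound and return paths can differ. The node numbering, latency values, and the names `FloydWarshall` and `SampleLatency` are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"math"
)

// Inf marks a direction with no measured link.
var Inf = math.Inf(1)

// FloydWarshall takes one-way latencies (lat[i][j] is the delay from node i
// to node j, not necessarily equal to lat[j][i], with lat[i][i] = 0) and
// returns shortest one-way distances and a next-hop table.
// next[i][j] == -1 means j is unreachable from i.
func FloydWarshall(lat [][]float64) (dist [][]float64, next [][]int) {
	n := len(lat)
	dist, next = make([][]float64, n), make([][]int, n)
	for i := range lat {
		dist[i] = append([]float64(nil), lat[i]...) // copy, keep input intact
		next[i] = make([]int, n)
		for j := range next[i] {
			next[i][j] = -1
			if !math.IsInf(lat[i][j], 1) {
				next[i][j] = j // direct link: first hop is the destination
			}
		}
	}
	for k := 0; k < n; k++ { // allow node k as an intermediate relay
		for i := 0; i < n; i++ {
			for j := 0; j < n; j++ {
				if d := dist[i][k] + dist[k][j]; d < dist[i][j] {
					dist[i][j], next[i][j] = d, next[i][k]
				}
			}
		}
	}
	return dist, next
}

// SampleLatency is a constructed matrix in ms: 0 = N1, 1 = relay A,
// 2 = relay B, 3 = N2. A is fast toward N2, B is fast back toward N1.
func SampleLatency() [][]float64 {
	return [][]float64{{0, 5, 30, Inf}, {30, 0, Inf, 5}, {5, Inf, 0, 30}, {Inf, 30, 5, 0}}
}

func main() {
	dist, next := FloydWarshall(SampleLatency())
	fmt.Printf("N1->N2 %vms via %d, N2->N1 %vms via %d\n", dist[0][3], next[0][3], dist[3][0], next[3][0])
}
```

Each node only needs its own row of `next` to forward a frame: look up the destination and hand the packet to that peer.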

Usage

Usage of ./etherguard-go:
  -config string
        Config path.
  -example
        Print example config
  -help
        Show this help
  -mode string
        Running mode. [super|edge|solve]
  -no-uapi
        Do not use UAPI
  -version
        Show version

Mode

  1. Static Mode: Similar to the original WireGuard. Introduction.
  2. Super Mode: Inspired by n2n. Introduction.
  3. P2P Mode: Inspired by tinc. Introduction.

Common Config Parameters

Edge Config

  1. interface
    1. itype: Interface type.
      1. dummy: Dummy interface, drops any packet received. You need this if you want to set it up as a relay node.
      2. stdio: Write to stdout, read from stdin.
        Parameters: macaddrprefix,l2headermode
      3. udpsock: Write to a UDP socket, and read from a net address.
        Parameters: macaddrprefix,recvaddr,sendaddr
      4. vpp: Integrate with VPP via libmemif.
        Parameters: name,vppifaceid,vppbridgeid,macaddrprefix,mtu
      5. tap: Read/write to a tap device on Linux.
        Parameters: name,macaddrprefix,vppifaceid,mtu
    2. name : Device name
    3. vppifaceid: Interface ID. Must be unique within the same VPP runtime.
    4. vppbridgeid: VPP Bridge ID. Fill 0 if you don't use it.
    5. macaddrprefix: Mac address Prefix.
      Real Mac address=[Prefix]:[NodeID].
      If you fill in a full MAC address here, NodeID will be ignored.
    6. recvaddr: Listen address for udpsock mode
    7. sendaddr: Packet send address for udpsock mode
    8. l2headermode: For debug usage, stdio and udpsock mode only
      1. nochg: Do not change anything.
      2. kbdbg: Keyboard debug mode.
        Lets me construct the Layer 2 header from ASCII characters only,
        so that I can track the packet flow with the loglevel option.
      3. noL2: Remove all Layer 2 headers
  2. nodeid: NodeID. Must be unique in the whole Etherguard network.
  3. nodename: Node Name.
  4. privkey: Private key. Same spec as wireguard.
  5. listenport: UDP listen port
  6. loglevel: Log Level
    1. loglevel: debug,error,silent for the WireGuard logger.
    2. logtransit: Log packets where neither the source nor the destination is self.
    3. logcontrol: Log all Control Messages.
    4. lognormal: Log packets where either the source or the destination is self.
    5. logntp: NTP related logs.
  7. dynamicroute: Log for dynamic route.
    1. sendpinginterval: Send Ping interval
    2. dupchecktimeout: Duplication check timeout.
    3. conntimeout: Connection timeout.
    4. savenewpeers: Save peer info to local file.
    5. supernode: See Super Mode
    6. p2p: See P2P Mode
    7. ntpconfig: NTP related settings
      1. usentp: Use NTP or not.
      2. maxserveruse: How many NTP servers should we use at once.
        The first time, latency is measured for all NTP servers; after that, only the fastest server is used.
      3. synctimeinterval: NTP sync interval.
      4. ntptimeout: NTP timeout
      5. servers: NTP server list
  8. nexthoptable: Nexthop table. Only static mode uses it. See Static Mode
  9. resetconninterval: Reset the endpoint for peers. You may need this if that peer uses DDNS.
  10. peers: Peer info.
    1. nodeid: Node ID.
    2. pubkey: Public key.
    3. pskey: Preshared key. Not implemented yet.
    4. endpoint: Peer endpoint. Will be overwritten if the peer roams, unless static=true.
    5. static: Do not overwrite on roaming, and reset the connection every resetconninterval seconds.

Super config

See Super Mode.

Build

No-vpp version

Build Etherguard.

Install Go 1.16

add-apt-repository ppa:longsleep/golang-backports
apt-get -y update
apt-get install -y wireguard-tools golang-go build-essential

Build

make

VPP version

Build Etherguard with VPP integrated.
You need libmemif.so installed to run this version.

Install VPP and libmemif

# [trusted=yes] makes apt treat this repository as trusted even if signature verification fails.
echo "deb [trusted=yes] https://packagecloud.io/fdio/release/ubuntu focal main" > /etc/apt/sources.list.d/99fd.io.list
curl -L https://packagecloud.io/fdio/release/gpgkey | sudo apt-key add -
apt-get -y update
apt-get install -y vpp vpp-plugin-core python3-vpp-api vpp-dbg vpp-dev libmemif libmemif-dev

Build

make vpp
Comments
  • Ubuntu LTS 22.04 jammy Deb package support?

    The dependencies are clearly broken.

    root@azure:~# uname -a
    Linux azure 5.15.0-1014-azure #17-Ubuntu SMP Thu Jun 23 19:04:16 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    root@azure:~# apt update
    命中:1 http://azure.archive.ubuntu.com/ubuntu jammy InRelease
    命中:2 http://azure.archive.ubuntu.com/ubuntu jammy-updates InRelease
    命中:3 http://azure.archive.ubuntu.com/ubuntu jammy-backports InRelease
    命中:8 https://packagecloud.io/fdio/release/ubuntu focal InRelease
    已下载 5,542 B,耗时 3秒 (1,686 B/s)
    正在读取软件包列表... 完成
    正在分析软件包的依赖关系树... 完成
    正在读取状态信息... 完成
    有 50 个软件包可以升级。请执行 ‘apt list --upgradable’ 来查看它们。
    root@azure:~# apt-get install -y vpp vpp-plugin-core python3-vpp-api vpp-dbg vpp-dev libmemif libmemif-dev
    正在读取软件包列表... 完成
    正在分析软件包的依赖关系树... 完成
    正在读取状态信息... 完成
    有一些软件包无法被安装。如果您用的是 unstable 发行版,这也许是
    因为系统无法达到您要求的状态造成的。该版本中可能会有一些您需要的软件
    包尚未被创建或是它们已被从新到(Incoming)目录移出。
    下列信息可能会对解决问题有所帮助:
    
    下列软件包有未满足的依赖关系:
     vpp-plugin-core : 依赖: libmbedcrypto3 (>= 2.13) 但无法安装它
                       依赖: libmbedtls12 (>= 2.13) 但无法安装它
                       依赖: libmbedx509-0 (>= 2.0) 但无法安装它
    E: 无法修正错误,因为您要求某些软件包保持现状,就是它们破坏了软件包间的依赖关系。
    root@azure:~# apt install libmbedcrypto3
    正在读取软件包列表... 完成
    正在分析软件包的依赖关系树... 完成
    正在读取状态信息... 完成
    没有可用的软件包 libmbedcrypto3,但是它被其它的软件包引用了。
    这可能意味着这个缺失的软件包可能已被废弃,
    或者只能在其他发布源中找到
    
    E: 软件包 libmbedcrypto3 没有可安装候选
    
  • Add static build and CI

    This PR provides the following features:

    • statically linked build in the Makefile.
    • GitHub Action workflow to upload build results for multiple arches when publishing a new release.

    You can build statically linked executables by using make static and make vpp-static.

    The following architectures are supported in the workflow:

    |  | no-vpp version, dynamic | no-vpp version, static | vpp version, dynamic | vpp version, static |
    | ------------- | ------------- | ------------- | ------------- | ------------- |
    | x86_64 | ✔️ | ✔️ | ✔️ | ⛔ |
    | mipsle | ✔️ | ✔️ | ⛔ | ⛔ |
    | aarch64 | ✔️ | ✔️ | ✔️ | ⛔ |
    | armv7 | ✔️ | ✔️ | ⛔ | ⛔ |

    Known issues

    • ~make vpp-static will fail in the workflow.~ (Deleted)
  • Crypto Go :we are a research group to help developers build secure applications.

    Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector (i.e., CryptoGo) on Go language. We found your great public repository from Github, and several security issues detected by CryptoGo are shown in the following. Note that the cryptographic algorithms are categorized with two aspects: security strength and security vulnerability based on NIST Special Publication 800-57 and other public publications. Moreover, CryptoGo defined certain rules derived from the APIs of Go cryptographic library and other popular cryptographic misuse detectors. The specific security issues we found are as follows:

    (1) Location: main_httpserver.go:203 Broken rule: MD5 is an insecure algorithm;
    (2) Location: main_httpserver.go:518 Broken rule: MD5 is an insecure algorithm;
    (3) Location: main_httpserver.go:776 Broken rule: MD5 is an insecure algorithm;
    (4) Location: main_httpserver.go:884 Broken rule: MD5 is an insecure algorithm;
    (5) Location: main_super.go:312 Broken rule: MD5 is an insecure algorithm;
    (6) Location: main_super.go:425 Broken rule: MD5 is an insecure algorithm;
    (7) Location: device/noise-helpers.go:100 Broken rule: The ScalarMult method of Package curve25519 is deprecated;

    We wish the above security issues could truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forward to your reply. Thanks.
