All atomic access must be aligned to 64 bits, even on 32-bit platforms. Go promises that the start of allocated structs is aligned to 64 bits. So, place the atomically-accessed things first in the struct so that they benefit from that alignment.

As a side bonus, it cleanly separates fields that are accessed by atomic ops, and those that should be accessed under mu.

Also adds a test that will fail consistently on 32-bit platforms if the struct ever changes again to violate the rules. This is likely not needed because unaligned access crashes reliably, but this will reliably fail even if tests accidentally pass due to lucky alignment.

Signed-Off-By: David Anderson [email protected]

If the response message is exactly same to the fscanf()'s second parameter, the fscanf() in the userspace_set_device() cannot get the response and cannot return. This fix has been verified using my environment(CentOS Linux release 7.5.1804 (Core)).

This PR replaces all uses of direct syscalls (i.e. unix.Syscall(unix.SYS_*, ...)) on macOS by the respective functionality from the golang.org/x/sys/unix package using macOS libSystem. The support for direct syscalls on macOS is discouraged and was recently removed from golang.org/x/sys/unix, see https://golang.org/cl/250437 (golang/sys@6fcdbc0bbc04dcd9e7dc145879ceaf9bf1c6ff03). This broke the build of wireguard-go against the latest golang.org/x/sys/unix version, as reported in golang/go#41868.

See individual commit messages for more details.

Tested on macOS 10.15 against a wireguard server running on Ubuntu Linux 20.04.

/cc @bradfitz

Since errors.As(err, target) returns false when err is nil, which cause status set to 1 when no error occurs for IpcGetOperation and IpcSetOperation.

Should be able to fix #17

Signed-off-by: Wenxuan Zhao [email protected]

Error messages being printed were about floods, but actually what was being detected was a potential "replay attack", ie. a duplicate copy of an incoming handshake. Let's print two separate log messages to differentiate them.

Signed-off-by: Avery Pennarun [email protected]

Usecase

1. Create a WG device wg-0
2. Set to wg-0 property to allow any IP.
3. Send packet to wg-0 with no IP header.

Actual: the device will do nothing. In logs will log the text "Received packet with unknown IP version". Expected: the device will send a packet if the device allows any IP.

allow adding additional inline flags to go build e.g.:

make GOBUILDFLAGS="-ldflags='-s -w' -trimpath"

results in having the go build command modified to:

go build -ldflags='-s -w' -trimpath -v -o wireguard-go ...

A wintun.dll installs a driver and WindowsOS may indicate that it needs a reboot to complete driver instalation.

The needReboot mark was lost and no application did not received that indication. Solution is to extend the call, used by the CreateTUNWithRequestedGUID() function with additional return value indicating that. And leave generic interface function CreateTUN() as is.

Signed-off-by: Antanas Gadeikis [email protected]

Peers are currently removed after Device's goroutines are signaled to stop, but without waiting for them to actually do so, which is racy.

For example, RoutineHandshake may be in Peer.SendKeepalive when the corresponding peer is removed, which closes its nonce channel. This causes a send on a closed channel, as observed in tailscale/tailscale#487.

This patch seems to be the correct synchronizing action: Peer's goroutines are receivers and handle channel closure gracefully, so Device's goroutines are the ones that should be fully stopped first.

The motivation is to build with go1.19. It needs https://github.com/google/gvisor/commit/99325baf5dfc23e54aea3acf8aaabb1996f5338e

gvisor.dev/gvisor/pkg/tcpip/buffer is no longer available, so it needs to refactor a bit.

This PR replaces #47

As discussed on IRC:

The first commit updates wireguard-go as used in the sub-module wireguard-go/tun/netstack and fixes all callsites for netip.AddrFromSlice (which has changed its signature recently). The second commit adds an error check a linter I had running noticed.

Please let me know if there's anything else I can/need to do to get this merged. Thanks!

Cheers, fd0

最新发布的wireguard-go0.0.20220316至wireguard-go0.0.20210212版本发现一个问题，wg-quick up wg0 启动卡在wg setconf wg0 /dev/fd/63，wireguard-go0.0.20201118版本测试正常。微信截图_20221211191458

This commit changes the tun.Device and conn.Bind interfaces to accept packet vectors for reading and writing. Internal plumbing between these interfaces now passes a vector of packets. Vectors move untouched between these interfaces, i.e. if 128 packets are received from conn.Bind.Read(), 128 packets are passed to tun.Device.Write(). There is no internal buffering.

Platform-specific implementations of tun.Device have been updated to the new tun.Device interface, but only Linux supports passing more than one packet for now. The Linux tun.Device implementation accomplishes this via TSO and GRO, which is made possible by virtio extensions in the TUN driver. Linux TUN offloading can be disabled by setting the WG_DISABLE_OFFLOAD environment variable to 1.

conn.LinuxSocketEndpoint has been deleted in favor of a collapsed conn.StdNetBind. conn.StdNetBind makes use of recvmmsg() and sendmmsg() on Linux. All platforms fall under conn.StdNetBind, except for Windows, which remains in conn.WinRingBind. Sticky sockets support has been refactored as part of this work to eventually be applicable on platforms other than just Linux, however Linux remains the sole platform that fully implements it. The conn.Bind UDP socket buffer is now being sized to 7MB, whereas it was previously inheriting the system default.

device.Keypairs locking has been simplified from a RWMutex + atomic to just a Mutex.

Signed-off-by: Jordan Whited [email protected] Signed-off-by: James Tucker [email protected] Co-authored-by: James Tucker [email protected]

This PR represents a patch I'm working with locally to support a particular use case. I'm creating this upstream to prompt discussion on if this patch should be the upstream functionality.

I'm trying to create a wireguard tunnel which can seamlessly switch between underlying interfaces (WIFI, ethernet, etc) without having to restart the VPN. This works perfectly well with the kernel implementaiton. When Ethernet goes down (or the routing table is changed to prioritize Wifi), packets for wireguard are sent over the new interface, with the source address correctly set to the configured address of the new interface. The destination will receive the NAT'ed address and be about to route a response back.

However, in the wireguard-go userspace implementation, the modified code here sets the packets source address to be cached in some way to the initial interface which packets are routed through. Therefore, when the routing table changes to send packets through a different address, the source address is invalid and the connection drops.

Please let me know if there's anything I'm misunderstanding here. At the very least, this represents a potentially undesirable difference in functionality between the userspace and kernel implementations.

name          old time/op    new time/op    delta
PeerString-8    49.5ns ±17%    32.6ns ±17%  -34.09%  (p=0.000 n=10+10)

name          old alloc/op   new alloc/op   delta
PeerString-8     24.0B ± 0%     24.0B ± 0%     ~     (all equal)

name          old allocs/op  new allocs/op  delta
PeerString-8      1.00 ± 0%      1.00 ± 0%     ~     (all equal)

Signed-off-by: Alexander Yastrebov [email protected]

This reduces the overhead of various code paths as there are less pipeline delays and more code can be inlined. The mutex fast path is a single atomic operation, and this mutex is never held for very long.

Microbenchmark results in each commit show no micro-scale difference, macro scale tests demonstrate a slight speed up, though well within the noise of other external effects: small improvement in arm64 test on t4g.nano from 642mbps to 646mbps, x64 test on m6i.xlarge from 975mbps to 1.02gbps.