to: cc: @subspacecommunity/subspace-maintainers related to: resolves: https://github.com/subspacecommunity/subspace/issues/167

Background

There was a severe vulnerability in crewjam/saml v0.3.0 that allowed bypassing SAML SSO. Updating to v0.4.5 would solve the issue.

The way SAML works in subspace is to basically split the handler procedure encoded in samlSP.RequreAccount. This function is supposed to make it easy to use SAML SSO, however it requires the use of pure net/http. As we use julienschmidt/httprouter. We have to handle it ourselves.

The way this is done is basically split samlSP.RequreAccount in two. The first part is implemented in the two handlers ssoHandler and samlHandler. ssoHandler, in turn handles specifically the authentication flow. Therefore, we must reimplement it using samlSP.HandleStartAuthFlow. The code in it is almost the same as in samlSP.RequreAccount. The difference is that samlSP. ServeHTTP is reserved for samlHandler.

The other modification was the refactoring of the procedure that extracts the subject name from the JWT Token. This changed quite drastically in 0.4.x. This version did away with the convenient function GetAuthorizationToken. Now we have to extract the session from the conext and use type assertion to cast it to JWTSessionClaims. Without it, we would be left with sessionWithAttributes.GetAttributes which in turn only returns the contents of attrs of the JWT Token. This cast restores the access to what was previously retrieved with token.StandardClaims. Now we access it with jwtSessionClaim directly, which is the complete decoded jwt token.

DISCLAIMER: I am NOT a security expert and the first contact I ever had with golang was applying this fix. So I welcome everyone to treat this pull request as an invitation for debating, so that we can arrive at an optimal solution.

Changes

• Updated crewjam/saml from v0.3.0 -> v0.4.5
• Applied necessary refactor to account for breaking changes.

Testing

• Build and start a fresh container
• Log in with an admin account
• Create a testing account on jumpcloud
• Configure SSO as explained in the documentation
• Log in with the created user in jumpcloud

The wg binary cannot be found inside the docker container. Although the volume mount is specified in my docker run command. I also tried it via the example docker-compose variant, no luck.

I double checked locally, wg is installed at /usr/bin/wg and its not a symlink somewhere.

I'm at my whits end why in the entrypoint.sh:139, while running, it can't find the wg binary.

Any idea whats going on here?

• Ubuntu 18.04 Server x64
• Docker 19.03.8

to: cc: @subspacecommunity/subspace-maintainers related to: resolves: #101, also resolves #63

Background

In current implementation, it is assumed that network masks are /24 for v4 and /112 for v6. And also, the num of devices is limited up to 250.

In other words, you can set SUBSPACE_IPV4_POOL to 10.99.0.0/16, but subspace just use only 10.99.0.1~10.99.0.254.

In this PR, this limitation is removed.

Changes

• Create calc-default-gateway command to calc the default gateway.
• Generate IP addresses using net standard library.
• maxProfiles constant is removed, because we will get an error if there is address to assign.

Testing

I set up my own subspace server and create some devices.

to: cc: @subspacecommunity/subspace-maintainers related to: resolves:

Background

Reason for the change

Changes

• Add wireguard-tools to remove the need to symlink in the binary
• Add ip6tables
• Add runit as init service.
• Add Init Wrapper.
• Revert IPv6 hacks to wrapper which are not needed.
• Removed docs about linking the WG binary this is no longer needed.

Testing

• Tested on Debian / Ubuntu / CentOS & Basic k8s (With this change k8s support should not be too much work)

Hello

I am running subspace in a docker and dnsmasq is also running in the docker. It was uninstalled in the host machine as mentioned in the docs.

I also added some internal domains to /etc/hosts. And the DNS resolution is working well when connected to the VPN.

Everything works as expected but randomly the DNS resolution stops. On restarting the docker container everything works normally again.

I got access to the docker shell using docker exec and inside the container, DNS is working fine. it is just that in the wireguard clients and the host, DNS resolution is stopping randomly.

dnsmasq is running when checked with ps aux | grep dnsmasq on the host system.

Expected behaviour

DNS should resolve normally every time.

Additional context I am facing this issue right now with 2 different machines which are on AWS.

cc: @subspacecommunity/subspace-maintainers

Background

Reason for the change

dnsmasq can be used for accomplish a wide variety of tasks. This change lets us mount dnsmasq configurations inside the subspace container to provide additional configuration to dnsmasq.

For example you could override hostnames by creating the following config file and then mounting it inside subspace.

/opt/docker/dnsmasq/01-static-dns.conf

address=/a.example.com/172.16.0.10
address=/b.example.com/172.16.0.11

docker-compose.yml

   volumes:
   - /opt/docker/subspace:/data
   - /opt/docker/dnsmasq:/etc/dnsmasq.d

Changes

• Include /etc/dnsmasq.d in dnsmasq config at /etc/dnsmasq.conf

Testing

The container works as expected with additional dnsmasq configuration mounted and without.

Hi,

I have added the IDP Metadata XML generated with the correct ACS URL and Entity ID.

But unfortunately when I try to signin with the google account i have the following error :

Error: app_not_configured_for_user

Service is not configured for this user.

I have configured the SAML APPs: Name ID : Basic information / Primary Email Name ID Format: UNSPECIFIED

The SAML APPs is "On for everyone" and the Subspace docker is behind an Nginx Reverse proxy

Thanks for your help, Clement

to: cc: @subspacecommunity/subspace-maintainers related to: #111 resolves: #104

Background

NEW: This fixes a typo in the last commited change, I'll copy all the contents from the original PR

Wanted to secure the default user of subspace with TOTP. Now it is possible to turn on TOTP for the default user by visiting /settings and scanning the QR code with your phone (or putting the secret key into something else)

Changes

• Configure TOTP via /settings
• Reset TOTP via /settings (only visible if TOTP is already configured)
• Can only be done by an Admin (This means both SAML Signed in Admin and the default Admin)

Pics

Initial Setup of MFA

Reset MFA (will then result in the above page)

Sign in page for default admin account if TOTP has been saved

Testing

NEW: Run from a clean file, but still needs deep testing.

Ran this locally multiple times on my Droplet in Digital Ocean (i'm using rsync to sync changes to my box and then running docker-compose up --build -d whenever changes are made to go files. For changes related static files i simply specify --debug in the build step for go-bindata and mount web/ into the running container. go-bindata then reads these files live on each request :D)

to: @subspacecommunity/subspace-maintainers related to: resolves: https://github.com/subspacecommunity/subspace/issues/199

Background

Clients were reporting DNS timeouts every few hours with subspace, with the only resolution being to either restart the container or turn off DNS. Upon investigating, it seems subspace is using the wrong flag for dnsmasq, passing a debug flag instead of the approved production flag. This switches that. See: https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

Debug mode: don't fork to the background, don't write a pid file, don't change user id, generate a complete cache dump on receipt on SIGUSR1, log to stderr as well as syslog, don't fork new processes to handle TCP queries. Note that this option is for use in debugging only, to stop dnsmasq daemonising in production, use --keep-in-foreground.

Changes

• changes the flag from --no-daemon to -keep-in-foreground

Testing

root      4030  0.0  0.0    784     4 ?        Ss   11:49   0:00          \_ runsv dnsmasq
nfsnobo+  4036  0.0  0.0   2188  1692 ?        S    11:49   0:00          |   \_ /usr/sbin/dnsmasq --keep-in-foreground
$ docker-compose ps
  Name                Command               State   Ports
---------------------------------------------------------
subspace   /usr/local/bin/entrypoint. ...   Up
CONTAINER ID   IMAGE                                     COMMAND                  CREATED       STATUS          PORTS     NAMES
ad67ccc1ba2c   subspacecommunity/subspace:amd64-v1.5.0   "/usr/local/bin/entr…"   4 weeks ago   Up 3 weeks             subspace

Currently running a prolonged test with a few dozen users and so far everything looks good

Hi, I'm trying to configure the SSO subspace using Keycloak as IDP. I have not been able to find information about how the Metadata format requested by the Subspace should be. After configuring the SAML client, Keycloak provides some Metadata formats to insert into the application, but putting them in the Subspace returns an "Error, please try again". I finally tried to build the Metadata myself and the redirection works well by clicking the SSO login button. However, when I save, Subspace returns an "Invalid, please try again" and an error message can also be seen in the application logs.

Has anyone found themselves in a similar situation? What is the format of your Metadata file? Thank you so much

The Metadata I'm using is the follow one (with changed urls and certificate):

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://MY_KEYCLOAK_URL:8443/auth/realms/master" validUntil="2022-04-18T10:12:14.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>THE_CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://MY_KEYCLOAK_URL:8443/auth/realms/master/protocol/saml/clients/wireguard"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://MY_KEYCLOAK_URL:8443/auth/realms/master/protocol/saml/clients/wireguard"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

to: cc: @subspacecommunity/subspace-maintainers related to: https://github.com/subspacecommunity/subspace/issues/68 resolves: https://github.com/subspacecommunity/subspace/issues/68

Background

Adding the status page, and new template

Changes

• Added status page
• Changed template from green to black

Testing

Testing has been done locally and with docker on debian, and docker (alpine?) by @jack1902. Applied mentioned changes in https://github.com/subspacecommunity/subspace/issues/68 by @jack1902.

Not ready for merge yet. See https://github.com/subspacecommunity/subspace/pull/83#issuecomment-639686664

No documentation on setting static routes

I would like to have documentation on setting static routes so clients know where to go for different vpn-lan based services if that is available

Bumps github.com/crewjam/saml from 0.4.5 to 0.4.9.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Thanks for your nice work, but I can't make it work in my CoreElec (aarch64) box.

I used this composer file in Portainer:

version: "3.3"
services:
  subspace:
   image: subspacecommunity/subspace:latest
   container_name: subspace
   volumes:
    - /storage/dockers/subspace:/data
   ports:
    - 4545:80
   restart: always
   environment:
    - SUBSPACE_HTTP_HOST=subspace.mydomain.duckdns.org
    - SUBSPACE_HTTP_INSECURE=true
    - SUBSPACE_HTTP_ADDR=":80"
    - SUBSPACE_NAMESERVERS=1.1.1.1,8.8.8.8
    - SUBSPACE_LISTENPORT=51820
    - SUBSPACE_IPV6_NAT_ENABLED=0
    - SUBSPACE_DISABLE_DNS=1
   cap_add:
    - NET_ADMIN
   network_mode: "host"

But the container keeps restarting with this error repeating in the logs:

modprobe: can't change directory to '/lib/modules': No such file or directory
modprobe: can't change directory to '/lib/modules': No such file or directory
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.3 (legacy): unknown option "--to"
Try `ip6tables -h' or 'ip6tables --help' for more information.

 # ip6tables --version
ip6tables v1.4.21

I disabled ipv6 in my host with sysctl net.ipv6.conf.default.disable_ipv6=1 probably that's related? Can't I just disable ipv6 in subspace?

We have a volume in our docker-compose that would mount the dnsmasq.conf file for subspace but it's being replaced by the entrypoint script on each restart. This condition needs to be refined a little to ignore the dnsmasq.conf file if it already exists. https://github.com/subspacecommunity/subspace/blob/1a2d4f2b1801b1d120a0b99b72684b460fdd4b37/entrypoint.sh#L196-L209

to: @subspacecommunity/subspace-maintainers

Background

If SUBSPACE_DISABLE_DNS is set to true, but a client uses nameservers in his local subnet (e.g. his IP address is 10.0.0.2, netmask /24, home gateway and caching DNS server - 10.0.0.1), he won't be able to reach it. It can be solved partially by adding all private subnets to an exclusion list:

SUBSPACE_ALLOWED_IPS="::/0, 1.0.0.0/8, 2.0.0.0/8, 3.0.0.0/8, 4.0.0.0/6, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4"

but in some cases that local DNS server still will be unavailable (e.g. if kill-switch mode is enabled).

Changes

Now, if variable SUBSPACE_CLIENT_NAMESERVERS is set and contain a valid comma-separated list of DNS servers, this list will be included in a client config as is.

Example:

--env SUBSPACE_CLIENT_NAMESERVERS="8.8.8.8,1.1.1.1"

to: cc: @subspacecommunity/subspace-maintainers related to: resolves:

Background

Reason for the change: It wasn't working as we wanted it to.

Changes

• Replace logic module with wg-bond, to support arbitrary network masks
• Replace all the docker with lack of docker

Testing

We tested it extensively.