device

package
v0.0.0-...-7bfd199 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 26, 2026 License: MIT Imports: 40 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	RekeyAfterMessages      = (1 << 60)
	RejectAfterMessages     = (1 << 64) - (1 << 13) - 1
	RekeyAfterTime          = time.Second * 120
	RekeyAttemptTime        = time.Second * 90
	RekeyTimeout            = time.Second * 5
	MaxTimerHandshakes      = 90 / 5 /* RekeyAttemptTime / RekeyTimeout */
	RekeyTimeoutJitterMaxMs = 334
	RejectAfterTime         = time.Second * 180
	KeepaliveTimeout        = time.Second * 10
	CookieRefreshTime       = time.Second * 120
	HandshakeInitationRate  = time.Second / 50
	PaddingMultiple         = 16
)
View Source 
const (
	MinMessageSize = MessageKeepaliveSize                                                      // minimum size of transport message (keepalive)
	MaxMessageSize = MaxSegmentSize                                                            // maximum size of transport message
	MaxContentSize = MaxSegmentSize - MessageTransportSize - MessageEncapsulatingTransportSize // maximum size of transport message content
)
View Source 
const (
	UnderLoadAfterTime = time.Second // how long does the device remain under load after detected
	MaxPeers           = 1 << 16     // maximum number of configured peers
)
View Source 
const (
	IPv4offsetTotalLength = 2
	IPv4offsetSrc         = 12
	IPv4offsetDst         = IPv4offsetSrc + net.IPv4len
)
View Source 
const (
	IPv6offsetPayloadLength = 4
	IPv6offsetSrc           = 8
	IPv6offsetDst           = IPv6offsetSrc + net.IPv6len
)
View Source 
const (
	LogLevelSilent = iota
	LogLevelError
	LogLevelVerbose
)

Log levels for use with NewLogger.

View Source 
const (
	NoiseConstruction = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"
	WGIdentifier      = "WireGuard v1 zx2c4 [email protected]"
	WGLabelMAC1       = "mac1----"
	WGLabelCookie     = "cookie--"
)
View Source 
const (
	MessageInitiationType  = 1
	MessageResponseType    = 2
	MessageCookieReplyType = 3
	MessageTransportType   = 4
)
View Source 
const (
	MessageInitiationSize             = 148                                           // size of handshake initiation message
	MessageResponseSize               = 92                                            // size of response message
	MessageCookieReplySize            = 64                                            // size of cookie reply message
	MessageTransportHeaderSize        = 16                                            // size of data preceding content in transport message
	MessageEncapsulatingTransportSize = 8                                             // size of optional, free (for use by conn.Bind.Send()) space preceding the transport header
	MessageTransportSize              = MessageTransportHeaderSize + poly1305.TagSize // size of empty transport
	MessageKeepaliveSize              = MessageTransportSize                          // size of keepalive
	MessageHandshakeSize              = MessageInitiationSize                         // size of largest handshake related message
)
View Source 
const (
	MessageTransportOffsetReceiver = 4
	MessageTransportOffsetCounter  = 8
	MessageTransportOffsetContent  = 16
)
View Source 
const (
	NoisePublicKeySize    = 32
	NoisePrivateKeySize   = 32
	NoisePresharedKeySize = 32
)
View Source 
const (
	QueueStagedSize            = conn.IdealBatchSize
	QueueOutboundSize          = 1024
	QueueInboundSize           = 1024
	QueueHandshakeSize         = 1024
	MaxSegmentSize             = (1 << 16) - 1 // largest possible UDP datagram
	PreallocatedBuffersPerPool = 0             // Disable and allow for infinite memory growth
)
View Source 
const DefaultMTU = 1420

Variables

View Source 
var (
	InitialChainKey [blake2s.Size]byte
	InitialHash     [blake2s.Size]byte
	ZeroNonce       [chacha20poly1305.NonceSize]byte
)

Functions

func DiscardLogf 

func DiscardLogf(format string, args ...any)

Function for use in Logger for discarding logged lines.

func HMAC1 

func HMAC1(sum *[blake2s.Size]byte, key, in0 []byte)

func HMAC2 

func HMAC2(sum *[blake2s.Size]byte, key, in0, in1 []byte)

func KDF1 

func KDF1(t0 *[blake2s.Size]byte, key, input []byte)

func KDF2 

func KDF2(t0, t1 *[blake2s.Size]byte, key, input []byte)

func KDF3 

func KDF3(t0, t1, t2 *[blake2s.Size]byte, key, input []byte)

Types

type AllowedIPs 

type AllowedIPs struct {
	// contains filtered or unexported fields
}

func (*AllowedIPs) EntriesForPeer 

func (table *AllowedIPs) EntriesForPeer(peer *Peer, cb func(prefix netip.Prefix) bool)

func (*AllowedIPs) Insert 

func (table *AllowedIPs) Insert(prefix netip.Prefix, peer *Peer)

func (*AllowedIPs) Lookup 

func (table *AllowedIPs) Lookup(ip []byte) *Peer

func (*AllowedIPs) RemoveByPeer 

func (table *AllowedIPs) RemoveByPeer(peer *Peer)

type CookieChecker 

type CookieChecker struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

func (*CookieChecker) CheckMAC1 

func (st *CookieChecker) CheckMAC1(msg []byte) bool

func (*CookieChecker) CheckMAC2 

func (st *CookieChecker) CheckMAC2(msg, src []byte) bool

func (*CookieChecker) CreateReply 

func (st *CookieChecker) CreateReply(
	msg []byte,
	recv uint32,
	src []byte,
) (*MessageCookieReply, error)

func (*CookieChecker) Init 

func (st *CookieChecker) Init(pk NoisePublicKey)

type CookieGenerator 

type CookieGenerator struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

func (*CookieGenerator) AddMacs 

func (st *CookieGenerator) AddMacs(msg []byte)

func (*CookieGenerator) ConsumeReply 

func (st *CookieGenerator) ConsumeReply(msg *MessageCookieReply) bool

func (*CookieGenerator) Init 

func (st *CookieGenerator) Init(pk NoisePublicKey)

type Device 

type Device struct {
	// contains filtered or unexported fields
}

func NewDevice 

func NewDevice(tunDevice tun.Device, bind conn.Bind, logger *Logger) *Device

func (*Device) BatchSize 

func (device *Device) BatchSize() int

BatchSize returns the BatchSize for the device as a whole which is the max of the bind batch size and the tun batch size. The batch size reported by device is the size used to construct memory pools, and is the allowed batch size for the lifetime of the device.

func (*Device) Bind 

func (device *Device) Bind() conn.Bind

func (*Device) BindClose 

func (device *Device) BindClose() error

func (*Device) BindSetMark 

func (device *Device) BindSetMark(mark uint32) error

func (*Device) BindUpdate 

func (device *Device) BindUpdate() error

func (*Device) Close 

func (device *Device) Close()

func (*Device) ConsumeMessageInitiation 

func (device *Device) ConsumeMessageInitiation(msg *MessageInitiation, endpoint conn.Endpoint) *Peer

func (*Device) ConsumeMessageResponse 

func (device *Device) ConsumeMessageResponse(msg *MessageResponse) *Peer

func (*Device) CreateMessageInitiation 

func (device *Device) CreateMessageInitiation(peer *Peer) (*MessageInitiation, error)

func (*Device) CreateMessageResponse 

func (device *Device) CreateMessageResponse(peer *Peer) (*MessageResponse, error)

func (*Device) DeleteKeypair 

func (device *Device) DeleteKeypair(key *Keypair)

func (*Device) DisableSomeRoamingForBrokenMobileSemantics 

func (device *Device) DisableSomeRoamingForBrokenMobileSemantics()

DisableSomeRoamingForBrokenMobileSemantics should ideally be called before peers are created, though it will try to deal with it, and race maybe, if called after.

func (*Device) Down 

func (device *Device) Down() error

func (*Device) GetInboundElement 

func (device *Device) GetInboundElement() *QueueInboundElement

func (*Device) GetInboundElementsContainer 

func (device *Device) GetInboundElementsContainer() *QueueInboundElementsContainer

func (*Device) GetMessageBuffer 

func (device *Device) GetMessageBuffer() *[MaxMessageSize]byte

func (*Device) GetOutboundElement 

func (device *Device) GetOutboundElement() *QueueOutboundElement

func (*Device) GetOutboundElementsContainer 

func (device *Device) GetOutboundElementsContainer() *QueueOutboundElementsContainer

func (*Device) IpcGet 

func (device *Device) IpcGet() (string, error)

func (*Device) IpcGetOperation 

func (device *Device) IpcGetOperation(w io.Writer) error

IpcGetOperation implements the WireGuard configuration protocol "get" operation. See https://www.wireguard.com/xplatform/#configuration-protocol for details.

func (*Device) IpcHandle 

func (device *Device) IpcHandle(socket net.Conn)

func (*Device) IpcSet 

func (device *Device) IpcSet(uapiConf string) error

func (*Device) IpcSetOperation 

func (device *Device) IpcSetOperation(r io.Reader) (err error)

IpcSetOperation implements the WireGuard configuration protocol "set" operation. See https://www.wireguard.com/xplatform/#configuration-protocol for details.

func (*Device) IsUnderLoad 

func (device *Device) IsUnderLoad() bool

func (*Device) LookupActivePeer 

func (device *Device) LookupActivePeer(pk NoisePublicKey) (_ *Peer, ok bool)

LookupActivePeer looks up a peer by its public key.

Unlike Device.LookupPeer, this function does not use a PeerLookupFunc to create the peer if it does not already exist.

If the peer does not exist or was created lazily via PeerLookupFunc and has subsequently idled away, it returns (nil, false).

func (*Device) LookupPeer 

func (device *Device) LookupPeer(pk NoisePublicKey) *Peer

LookupPeer looks up a peer by its public key.

If the peer does not exist and a PeerLookupFunc is set (via Device.SetPeerLookupFunc), then that function is used to create the peer before returning it. Peers created via this mechanism exist only until their state machine reaches idle, and then the peers are removed.

If the peer does not exist and no PeerLookupFunc is set, nil is returned.

Use Device.LookupActivePeer to only return already-existing peers, without using a PeerLookupFunc.

func (*Device) NewOutboundElement 

func (device *Device) NewOutboundElement() *QueueOutboundElement

func (*Device) NewPeer 

func (device *Device) NewPeer(pk NoisePublicKey) (*Peer, error)

func (*Device) PopulatePools 

func (device *Device) PopulatePools()

func (*Device) PutInboundElement 

func (device *Device) PutInboundElement(elem *QueueInboundElement)

func (*Device) PutInboundElementsContainer 

func (device *Device) PutInboundElementsContainer(c *QueueInboundElementsContainer)

func (*Device) PutMessageBuffer 

func (device *Device) PutMessageBuffer(msg *[MaxMessageSize]byte)

func (*Device) PutOutboundElement 

func (device *Device) PutOutboundElement(elem *QueueOutboundElement)

func (*Device) PutOutboundElementsContainer 

func (device *Device) PutOutboundElementsContainer(c *QueueOutboundElementsContainer)

func (*Device) RemoveAllPeers 

func (device *Device) RemoveAllPeers()

func (*Device) RemoveMatchingPeers 

func (device *Device) RemoveMatchingPeers(shouldRemove func(NoisePublicKey) bool) (numRemoved int)

RemoveMatchingPeers removes all peers for which shouldRemove returns true.

It returns the number of peers removed.

func (*Device) RemovePeer 

func (device *Device) RemovePeer(key NoisePublicKey)

func (*Device) RoutineDecryption 

func (device *Device) RoutineDecryption(id int)

func (*Device) RoutineEncryption 

func (device *Device) RoutineEncryption(id int)

Encrypts the elements in the queue * and marks them for sequential consumption (by releasing the mutex) * * Obs. One instance per core

func (*Device) RoutineHandshake 

func (device *Device) RoutineHandshake(id int)

Handles incoming packets related to handshake

func (*Device) RoutineReadFromTUN 

func (device *Device) RoutineReadFromTUN()

func (*Device) RoutineReceiveIncoming 

func (device *Device) RoutineReceiveIncoming(maxBatchSize int, recv conn.ReceiveFunc)

Receives incoming datagrams for the device * * Every time the bind is updated a new routine is started for * IPv4 and IPv6 (separately)

func (*Device) RoutineTUNEventReader 

func (device *Device) RoutineTUNEventReader()

func (*Device) SendHandshakeCookie 

func (device *Device) SendHandshakeCookie(initiatingElem *QueueHandshakeElement) error

func (*Device) SendKeepalivesToPeersWithCurrentKeypair 

func (device *Device) SendKeepalivesToPeersWithCurrentKeypair()

func (*Device) SetPeerLookupFunc 

func (device *Device) SetPeerLookupFunc(f PeerLookupFunc)

SetPeerLookupFunc sets the function used to look up peers by public key when receiving packets for unknown peers.

func (*Device) SetPrivateKey 

func (device *Device) SetPrivateKey(sk NoisePrivateKey) error

func (*Device) Up 

func (device *Device) Up() error

func (*Device) Wait 

func (device *Device) Wait() chan struct{}

type Handshake 

type Handshake struct {
	// contains filtered or unexported fields
}

func (*Handshake) Clear 

func (h *Handshake) Clear()

type IPCError 

type IPCError struct {
	// contains filtered or unexported fields
}

func (IPCError) Error 

func (s IPCError) Error() string

func (IPCError) ErrorCode 

func (s IPCError) ErrorCode() int64

func (IPCError) Unwrap 

func (s IPCError) Unwrap() error

type IndexTable 

type IndexTable struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

func (*IndexTable) Delete 

func (table *IndexTable) Delete(index uint32)

func (*IndexTable) Init 

func (table *IndexTable) Init()

func (*IndexTable) Lookup 

func (table *IndexTable) Lookup(id uint32) IndexTableEntry

func (*IndexTable) NewIndexForHandshake 

func (table *IndexTable) NewIndexForHandshake(peer *Peer, handshake *Handshake) (uint32, error)

func (*IndexTable) SwapIndexForKeypair 

func (table *IndexTable) SwapIndexForKeypair(index uint32, keypair *Keypair)

type IndexTableEntry 

type IndexTableEntry struct {
	// contains filtered or unexported fields
}

type Keypair 

type Keypair struct {
	// contains filtered or unexported fields
}

type Keypairs 

type Keypairs struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

func (*Keypairs) Current 

func (kp *Keypairs) Current() *Keypair

type Logger 

type Logger struct {
	Verbosef func(format string, args ...any)
	Errorf   func(format string, args ...any)
}

A Logger provides logging for a Device. The functions are Printf-style functions. They must be safe for concurrent use. They do not require a trailing newline in the format. If nil, that level of logging will be silent.

func NewLogger 

func NewLogger(level int, prepend string) *Logger

NewLogger constructs a Logger that writes to stdout. It logs at the specified log level and above. It decorates log lines with the log level, date, time, and prepend.

type MessageCookieReply 

type MessageCookieReply struct {
	Type     uint32
	Receiver uint32
	Nonce    [chacha20poly1305.NonceSizeX]byte
	Cookie   [blake2s.Size128 + poly1305.TagSize]byte
}

type MessageInitiation 

type MessageInitiation struct {
	Type      uint32
	Sender    uint32
	Ephemeral NoisePublicKey
	Static    [NoisePublicKeySize + poly1305.TagSize]byte
	Timestamp [tai64n.TimestampSize + poly1305.TagSize]byte
	MAC1      [blake2s.Size128]byte
	MAC2      [blake2s.Size128]byte
}

type MessageResponse 

type MessageResponse struct {
	Type      uint32
	Sender    uint32
	Receiver  uint32
	Ephemeral NoisePublicKey
	Empty     [poly1305.TagSize]byte
	MAC1      [blake2s.Size128]byte
	MAC2      [blake2s.Size128]byte
}

type MessageTransport 

type MessageTransport struct {
	Type     uint32
	Receiver uint32
	Counter  uint64
	Content  []byte
}

type NoiseNonce 

type NoiseNonce uint64 // padded to 12-bytes

type NoisePresharedKey 

type NoisePresharedKey [NoisePresharedKeySize]byte

func (*NoisePresharedKey) FromHex 

func (key *NoisePresharedKey) FromHex(src string) error

type NoisePrivateKey 

type NoisePrivateKey [NoisePrivateKeySize]byte

func (NoisePrivateKey) Equals 

func (key NoisePrivateKey) Equals(tar NoisePrivateKey) bool

func (*NoisePrivateKey) FromHex 

func (key *NoisePrivateKey) FromHex(src string) (err error)

func (*NoisePrivateKey) FromMaybeZeroHex 

func (key *NoisePrivateKey) FromMaybeZeroHex(src string) (err error)

func (NoisePrivateKey) IsZero 

func (key NoisePrivateKey) IsZero() bool

type NoisePublicKey 

type NoisePublicKey [NoisePublicKeySize]byte

func (NoisePublicKey) Equals 

func (key NoisePublicKey) Equals(tar NoisePublicKey) bool

func (*NoisePublicKey) FromHex 

func (key *NoisePublicKey) FromHex(src string) error

func (NoisePublicKey) IsZero 

func (key NoisePublicKey) IsZero() bool

type Peer 

type Peer struct {
	// contains filtered or unexported fields
}

func (*Peer) BeginSymmetricSession 

func (peer *Peer) BeginSymmetricSession() error

Derives a new keypair from the current handshake state *

func (*Peer) ExpireCurrentKeypairs 

func (peer *Peer) ExpireCurrentKeypairs()

func (*Peer) FlushStagedPackets 

func (peer *Peer) FlushStagedPackets()

func (*Peer) NewTimer 

func (peer *Peer) NewTimer(expirationFunction func(*Peer)) *Timer

func (*Peer) ReceivedWithKeypair 

func (peer *Peer) ReceivedWithKeypair(receivedKeypair *Keypair) bool

func (*Peer) RoutineSequentialReceiver 

func (peer *Peer) RoutineSequentialReceiver(maxBatchSize int)

func (*Peer) RoutineSequentialSender 

func (peer *Peer) RoutineSequentialSender(maxBatchSize int)

func (*Peer) SendBuffers 

func (peer *Peer) SendBuffers(buffers [][]byte) error

SendBuffers sends buffers to peer. WireGuard packet data in each element of buffers must be preceded by MessageEncapsulatingTransportSize number of bytes.

func (*Peer) SendHandshakeInitiation 

func (peer *Peer) SendHandshakeInitiation(isRetry bool) error

func (*Peer) SendHandshakeResponse 

func (peer *Peer) SendHandshakeResponse() error

func (*Peer) SendKeepalive 

func (peer *Peer) SendKeepalive()

Queues a keepalive if no packets are queued for peer

func (*Peer) SendStagedPackets 

func (peer *Peer) SendStagedPackets()

func (*Peer) SetAllowedIPs 

func (p *Peer) SetAllowedIPs(allowedIPs []netip.Prefix)

SetAllowedIPs sets the allowed IP prefixes for this peer.

If the allowedIPs are unchanged since the last call, this method is a no-op. It's the caller's responsibility to ensure that no two peers have duplicate allowed IPs. If so, the last writer wins.

func (*Peer) SetEndpointFromPacket 

func (peer *Peer) SetEndpointFromPacket(endpoint conn.Endpoint)

func (*Peer) StagePackets 

func (peer *Peer) StagePackets(elems *QueueOutboundElementsContainer)

func (*Peer) Start 

func (peer *Peer) Start()

func (*Peer) Stop 

func (peer *Peer) Stop()

func (*Peer) String 

func (peer *Peer) String() string

func (*Peer) ZeroAndFlushAll 

func (peer *Peer) ZeroAndFlushAll()

type PeerLookupFunc 

type PeerLookupFunc func(NoisePublicKey) (allowedIPs []netip.Prefix)

PeerLookupFunc is the type of function used to look up peers by public key when receiving packets for unknown peers.

If it returns nil, the peer is not known.

Otherwise, returning non-nil signals that wireguard-go should create the peer with the provided allowed IPs.

See Device.SetPeerLookupFunc and Device.LookupPeer.

type QueueHandshakeElement 

type QueueHandshakeElement struct {
	// contains filtered or unexported fields
}

type QueueInboundElement 

type QueueInboundElement struct {
	// contains filtered or unexported fields
}

type QueueInboundElementsContainer 

type QueueInboundElementsContainer struct {
	sync.Mutex
	// contains filtered or unexported fields
}

type QueueOutboundElement 

type QueueOutboundElement struct {
	// contains filtered or unexported fields
}

type QueueOutboundElementsContainer 

type QueueOutboundElementsContainer struct {
	sync.Mutex
	// contains filtered or unexported fields
}

type Timer 

type Timer struct {
	*time.Timer
	// contains filtered or unexported fields
}

A Timer manages time-based aspects of the WireGuard protocol. Timer roughly copies the interface of the Linux kernel's struct timer_list.

func (*Timer) Del 

func (timer *Timer) Del()

func (*Timer) DelSync 

func (timer *Timer) DelSync()

func (*Timer) IsPending 

func (timer *Timer) IsPending() bool

func (*Timer) Mod 

func (timer *Timer) Mod(d time.Duration)

type WaitPool 

type WaitPool struct {
	// contains filtered or unexported fields
}

func NewWaitPool 

func NewWaitPool(max uint32, new func() any) *WaitPool

func (*WaitPool) Get 

func (p *WaitPool) Get() any

func (*WaitPool) Put 

func (p *WaitPool) Put(x any)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.