Merge branch 'release-0.1'

Author: Ruakij

Dockerfile

@@ -0,0 +1,22 @@
+# ---- Base ----
+FROM alpine:3 AS base
+WORKDIR /app
+
+
+# ---- Build ----
+FROM golang:1.19-alpine AS build
+WORKDIR /build
+# Copy sources
+ADD . .
+# Get dependencies
+RUN go get ./cmd/app
+# Compile
+RUN CGO_ENABLED=0 go build -a -o app ./cmd/app
+
+
+# ---- Release ----
+FROM base AS release
+# Copy build-target
+COPY --from=build /build/app .
+
+CMD ["./app"]  

README.md

@@ -1,4 +1,82 @@
-RoutingTableToWGTranslator
+RoutingTableToWG
 --
 
 Translate Routing-Table Entries to Wireguard AllowedIPs with Filters
+
+<br>
+
+<!-- TOC -->
+- [1. Overview](#1-overview)
+  - [1.1. Usage](#11-usage)
+  - [1.2. Install](#12-install)
+- [2. Behaviour](#2-behaviour)
+  - [2.1. Adding Route](#21-adding-route)
+  - [2.2. Deleting Route](#22-deleting-route)
+<!-- /TOC -->
+
+<br>
+
+# 1. Overview 
+
+## 1.1. Usage
+
+The Program will listen for RoutingTable Changes and can translate the changes to a Wireguard-Interface.
+
+It will detect the Peer to add the Route to using the Gateway from the Route-Entry.<br>
+In case routes clash or cant be added to Wireguard, Warnings will be logged.
+
+<br>
+
+### 1.1.1. Examples
+
+- Dynamic Routing with Routing-Protocols (e.g. OSPF)
+- Interacting with Wireguard using the familiar Tools like `iproute2`
+
+<br>
+
+## 1.2. Install
+
+
+
+<br>
+
+### 1.2.1. Docker
+
+Depending on the needs, the Container can be run in `network_mode: host` to be able to accessrouting-tables and interfaces of the host. 
+
+<details><summary><code>docker-compose.yml</code></summary>
+
+```yaml
+version: '3'
+
+services:
+  routingTableWGTranslator:
+    image: ruakij/RoutingTableWGTranslator
+    restart: unless-stopped
+    network_mode: "host"
+    environment:
+      - INTERFACE="<wgInterfaceName or empty for wg0>"
+```
+</details>
+
+<br>
+
+### 1.2.2. Without Docker
+
+Clone the Repository `git clone <URI>` and build the Program with `go build cmd/app`
+
+Then you can run it with `./app`
+
+<br>
+
+# 2. Behaviour
+
+## 2.1. Adding Route
+
+![](doc/add-route.svg)
+
+<br>
+
+## 2.2. Deleting Route
+
+![](doc/del-route.svg)

build/docker-multiarch.sh

@@ -0,0 +1,9 @@
+TAG="ruakij/routingtabletowg"
+PLATFORM="linux/amd64,linux/arm64/v8,linux/arm/v7"
+EXTRA_ARGS="$@"
+
+docker buildx build \
+--platform $PLATFORM \
+--tag $TAG \
+$EXTRA_ARGS
+.

build/docker-ownarch.sh

@@ -0,0 +1,7 @@
+TAG="ruakij/routingtabletowg"
+EXTRA_ARGS="$@"
+
+docker build \
+--tag $TAG \
+$EXTRA_ARGS \
+.

cmd/app/filter.go

@@ -0,0 +1,18 @@
+package main
+
+import (
+	"github.com/vishvananda/netlink"
+)
+
+type FilterOptions struct {
+	Table    int
+	Protocol int
+}
+
+func CheckFilter(options FilterOptions, route netlink.Route) bool {
+	if (options.Table != -1 && options.Table != route.Table) ||
+		(options.Protocol != -1 && options.Protocol != route.Protocol) {
+		return false
+	}
+	return true
+}

cmd/app/logger.go

@@ -0,0 +1,17 @@
+package main
+
+import (
+	"log"
+	"os"
+)
+
+type Log struct {
+	Info log.Logger
+	Warn log.Logger
+	Error log.Logger
+}
+var logger Log = Log{
+	Info:	*log.New(os.Stdout, "[INFO]\t", log.Ltime|log.Lshortfile),
+	Warn:	*log.New(os.Stderr, "[WARN]\t", log.Ltime|log.Lshortfile),
+	Error:	*log.New(os.Stderr, "[ERROR]\t", log.Ltime|log.Lshortfile),
+}

cmd/app/main.go

@@ -0,0 +1,214 @@
+package main
+
+import (
+	"net"
+	"os"
+
+	envChecks "git.ruekov.eu/ruakij/routingtabletowg/lib/environmentchecks"
+	ip2Map "git.ruekov.eu/ruakij/routingtabletowg/lib/iproute2mapping"
+	"git.ruekov.eu/ruakij/routingtabletowg/lib/wgchecks"
+
+	"github.com/vishvananda/netlink"
+	"golang.org/x/sys/unix"
+
+	"golang.zx2c4.com/wireguard/wgctrl"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+var envRequired = []string{
+	"INTERFACE",
+}
+var envDefaults = map[string]string{
+	"INTERFACE": "wg0",
+	//"MANAGE_ALL": "true",
+
+	"FILTER_PROTOCOL": "-1",
+	"FILTER_TABLE":    "-1",
+}
+
+func main() {
+	// Environment-vars
+	err := envChecks.HandleRequired(envRequired)
+	if(err != nil){
+		logger.Error.Fatal(err)
+	}
+	envChecks.HandleDefaults(envDefaults)
+
+	iface := os.Getenv("INTERFACE")
+	//MANAGE_ALL = os.Getenv("MANAGE_ALL")
+
+	// Parse filter-env-vars
+	filterProtocolStr := os.Getenv("FILTER_PROTOCOL")
+	filterProtocol, err := ip2Map.TryGetId(ip2Map.PROTOCOL, filterProtocolStr)
+	if err != nil {
+		logger.Error.Fatalf("Couldn't read FILTER_PROTOCOL '%s': %s", filterProtocolStr, err)
+	}
+
+	filterTableStr := os.Getenv("FILTER_TABLE")
+	filterTable, err := ip2Map.TryGetId(ip2Map.TABLE, filterTableStr)
+	if err != nil {
+		logger.Error.Fatalf("Couldn't read FILTER_TABLE '%s': %s", filterTableStr, err)
+	}
+
+	// Create filter
+	filterOptions := FilterOptions{
+		Table: filterTable,
+		Protocol: filterProtocol,
+	}
+
+	// Get Link-Device
+	link, err := netlink.LinkByName(iface)
+	if err != nil {
+		logger.Error.Fatalf("Couldn't get interface '%s': %s", iface, err)
+	}
+
+	// Test getting wg-client
+	client, err := wgctrl.New()
+	if err != nil {
+		logger.Error.Fatalf("Couldn't create wgctl-client: %s", err)
+	}
+	// Test getting wg-device
+	_, err = client.Device(iface)
+	if err != nil {
+		logger.Error.Fatalf("Couldn't get wg-interface '%s': %s", iface, err)
+	}
+
+	
+	// Subscribe to route-change events
+	routeSubChan, routeSubDoneChan := make(chan netlink.RouteUpdate), make(chan struct{})
+
+	netlink.RouteSubscribe(routeSubChan, routeSubDoneChan)
+	go handleRouteEvents(routeSubChan, filterOptions, iface)
+
+	//# Initial Route-setup
+	// Get routing-table entries from device
+	routeList, err := netlink.RouteList(link, netlink.FAMILY_ALL)
+	if err != nil {
+		logger.Error.Fatalf("Couldn't get route-entries: %s", err)
+	}
+
+	logger.Info.Printf("Initially setting all current routes")
+	for _, route := range routeList {
+		// Ignore routes with empty gateway
+		if(route.Gw == nil){
+			continue
+		}
+
+		// Send current routes to handler
+		routeSubChan <- netlink.RouteUpdate{
+			Type:  unix.RTM_NEWROUTE,
+			Route: route,
+		}
+	}
+
+	select {}
+}
+
+var routeUpdateTypeMapFromId = map[uint16]string{
+	unix.RTM_NEWROUTE: "+",
+	unix.RTM_DELROUTE: "-",
+}
+// TODO: Add proxy to apply filter in channels rather than.. this mess
+func handleRouteEvents(routeSubChan <-chan netlink.RouteUpdate, filterOptions FilterOptions, iface string) {
+	// Create wg-client
+	client, err := wgctrl.New()
+	if err != nil {
+		logger.Error.Fatalf("Couldn't create wgctl-client: %s", err)
+	}
+	
+	for {
+		// Receive Route-Updates
+		routeUpdate := <-routeSubChan
+		route := routeUpdate.Route
+
+		// Check filter
+		if(!CheckFilter(filterOptions, routeUpdate.Route)){
+			continue
+		}
+		
+		// Special case for default-route
+		if route.Dst == nil{
+			if route.Gw.To4() != nil { // IPv4
+				route.Dst = &net.IPNet{
+					IP: net.IPv4zero,
+					Mask: net.CIDRMask(0, 32),
+				}
+			} else { // IPv6
+				route.Dst = &net.IPNet{
+					IP: net.IPv6zero,
+					Mask: net.CIDRMask(0, 128),
+				}
+			}
+		}
+
+		logger.Info.Printf("Route-Update: [%s] %s via %s", routeUpdateTypeMapFromId[routeUpdate.Type], route.Dst, route.Gw)
+
+		// Get wgDevice
+		wgDevice, err := client.Device(iface)
+		if err != nil {
+			logger.Error.Fatalf("Couldn't get wg-interface '%s' while running: %s", iface, err)
+		}
+
+		// Empty config for filling in switch
+		var wgConfig wgtypes.Config
+
+		switch routeUpdate.Type{
+		case unix.RTM_NEWROUTE:
+			// Check if gateway is set
+			if route.Gw == nil{
+				logger.Warn.Printf("Gateway unset, ignoring")
+				continue
+			}
+
+			// Check if other peer already has exact same dst
+			if peer, err := wgChecks.PeerByIPNet(wgDevice.Peers, *route.Dst); err == nil {
+				logger.Warn.Printf("dst-IPNet already set for Peer '%s', ignoring", peer.PublicKey)
+				continue
+			}
+
+			// Get peer containing gateway-addr
+			peer, err := wgChecks.PeerByIP(wgDevice.Peers, route.Gw)
+			if(err != nil){
+				logger.Warn.Printf("No peer found containing gw-IP '%s', ignoring", route.Gw)
+				continue
+			}
+
+			// Set peerConfig, this will override set values for that peer
+			wgConfig.Peers = []wgtypes.PeerConfig{
+				{
+					PublicKey: peer.PublicKey,
+					AllowedIPs: append(peer.AllowedIPs, *route.Dst),
+				},
+			}
+
+		case unix.RTM_DELROUTE:
+			// Get peer containing dst-NetIP
+			peerIndex, ipNetIndex, err := wgChecks.PeerIndexByIPNet(wgDevice.Peers, *route.Dst)
+			if(err != nil){
+				logger.Warn.Printf("No peer found having dst-IPNet '%s', ignoring", route.Dst)
+				continue
+			}
+			peer := wgDevice.Peers[peerIndex]
+
+			// Delete dstNet from allowedIPs
+			peer.AllowedIPs[ipNetIndex] = peer.AllowedIPs[len(peer.AllowedIPs)-1]
+			peer.AllowedIPs = peer.AllowedIPs[:len(peer.AllowedIPs)-1]
+
+			// Set peerConfig, this will override set values for that peer
+			wgConfig.Peers = []wgtypes.PeerConfig{
+				{
+					PublicKey: peer.PublicKey,
+					UpdateOnly: true,
+
+					ReplaceAllowedIPs: true,
+					AllowedIPs: peer.AllowedIPs,
+				},
+			}
+		}
+
+		err = client.ConfigureDevice(iface, wgConfig)
+		if(err != nil){
+			logger.Error.Fatalf("Error configuring wg-device '%s': %s", iface, err)
+		}
+	}
+}