1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
// Copyright (c) Tailscale Inc & contributors
// SPDX-License-Identifier: BSD-3-Clause
package wgcfg
import (
"fmt"
"net/netip"
"github.com/tailscale/wireguard-go/conn"
"github.com/tailscale/wireguard-go/device"
"github.com/tailscale/wireguard-go/tun"
"tailscale.com/types/logger"
)
// NewDevice returns a wireguard-go Device configured for Tailscale use.
func NewDevice(tunDev tun.Device, bind conn.Bind, logger *device.Logger) *device.Device {
ret := device.NewDevice(tunDev, bind, logger)
ret.DisableSomeRoamingForBrokenMobileSemantics()
return ret
}
// ReconfigDevice replaces the existing device configuration with cfg.
//
// Instead of using the UAPI text protocol, it uses the wireguard-go direct API
// to install a PeerLookupFunc callback that creates peers on demand.
//
// The caller is responsible for:
// - calling Device.SetPrivateKey when the key changes
// - installing a PeerByIPPacketFunc on the device for outbound packet routing
// (e.g. via Engine.SetPeerByIPPacketFunc)
//
// Race note: there's a small TOCTOU window between RemoveMatchingPeers and
// SetPeerLookupFunc where the previously-installed PeerLookupFunc (with a
// stale peer set) is still active. A concurrent handshake for a peer that's
// being removed could lazily recreate it via the old callback. Additionally,
// wireguard-go's LookupPeer snapshots the lookupFunc reference inside its
// RLock and then invokes it without the lock, so even reordering these calls
// can't fully close the window. We accept this: lazily-created peers have
// deleteOnIdle=true and self-clean after the rekey timeout (~9 min idle), so
// the worst case is a brief excess of memory. Closing the race fully would
// require either holding wireguard-go's peers lock across the lookupFunc
// call or more elaborate locking, neither of which seems worth the
// complexity for a transient memory blip.
func ReconfigDevice(d *device.Device, cfg *Config, logf logger.Logf) (err error) {
defer func() {
if err != nil {
logf("wgcfg.Reconfig failed: %v", err)
}
}()
// Build peer map: public key → allowed IPs.
peers := make(map[device.NoisePublicKey][]netip.Prefix, len(cfg.Peers))
for _, p := range cfg.Peers {
peers[p.PublicKey.Raw32()] = p.AllowedIPs
}
// Remove peers not in the new config.
d.RemoveMatchingPeers(func(pk device.NoisePublicKey) bool {
_, exists := peers[pk]
return !exists
})
// Update AllowedIPs on any already-active peers whose config may have
// changed. Peers that don't exist yet will get the correct AllowedIPs
// from PeerLookupFunc when they are lazily created.
for pk, allowedIPs := range peers {
if peer, ok := d.LookupActivePeer(pk); ok {
peer.SetAllowedIPs(allowedIPs)
}
}
// Install callback for lazy peer creation (incoming packets).
bind := d.Bind()
d.SetPeerLookupFunc(func(pubk device.NoisePublicKey) (_ *device.NewPeerConfig, ok bool) {
allowedIPs, ok := peers[pubk]
if !ok {
return nil, false
}
ep, err := bind.ParseEndpoint(fmt.Sprintf("%x", pubk[:]))
if err != nil {
logf("wgcfg: failed to parse endpoint for peer %x: %v", pubk[:8], err)
return nil, false
}
return &device.NewPeerConfig{
AllowedIPs: allowedIPs,
Endpoint: ep,
}, true
})
return nil
}
|
