innisfree 0.4.0

Exposes local services on public IPv4 address, via cloud server.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393

//! Functions for managing Wireguard connections.
//! Includes methods for generating keypairs ([`WireguardKeypair::new`]),
//! for configuring interfaces ([WireguardHost]),

use anyhow::{anyhow, Context, Result};
use base64::Engine as _;
use std::io::Write as _;
use std::net::IpAddr;
use std::path::Path;

use crate::config::{make_config_dir, ServicePort};
use crate::net::generate_unused_subnet;
use serde::Serialize;
use x25519_dalek::{PublicKey, StaticSecret};

mod runtime;
pub use runtime::LocalWg;

const WIREGUARD_LISTEN_PORT: i32 = 51820;

#[derive(Debug, Serialize, Clone)]
/// Contains the public and private key material
/// for a Wireguard ED25519 keypair.
pub struct WireguardKeypair {
    /// Private key material.
    private: String,
    /// Public key material.
    public: String,
}

impl WireguardKeypair {
    /// Generate a new Curve25519 keypair for use as a Wireguard identity.
    pub fn new() -> Result<WireguardKeypair> {
        let secret = StaticSecret::random_from_rng(rand_core::OsRng);
        let public = PublicKey::from(&secret);
        Ok(WireguardKeypair {
            private: encode_key(secret.as_bytes()),
            public: encode_key(public.as_bytes()),
        })
    }

    /// Returns the private key as a 32-byte array, ready for use with
    /// `x25519_dalek::StaticSecret::from` or boringtun's UAPI.
    pub fn private_bytes(&self) -> Result<[u8; 32]> {
        decode_key(&self.private).context("failed to decode wg private key")
    }

    /// Returns the public key as a 32-byte array.
    pub fn public_bytes(&self) -> Result<[u8; 32]> {
        decode_key(&self.public).context("failed to decode wg public key")
    }
}

/// Encode a 32-byte Wireguard key to standard base64 (no padding stripped),
/// matching the format produced by `wg genkey` / `wg pubkey`.
fn encode_key(bytes: &[u8]) -> String {
    base64::engine::general_purpose::STANDARD.encode(bytes)
}

/// Decode a base64-encoded 32-byte Wireguard key.
fn decode_key(s: &str) -> Result<[u8; 32]> {
    let raw = base64::engine::general_purpose::STANDARD.decode(s.trim())?;
    raw.as_slice()
        .try_into()
        .map_err(|_| anyhow::anyhow!("expected 32-byte key, got {}", raw.len()))
}

#[derive(Debug, Serialize, Clone)]
/// Represents a Wireguard that can be peered with.
pub struct WireguardHost {
    /// Human-readable name for peer on the Wireguard network.
    pub name: String,
    /// IP address within the Wireguard network for exclusive use by this host.
    pub address: IpAddr,
    /// Publicly accessible IP address to allow peers to connect over Wireguard.
    /// Optional, because only the remote host will have an Endpoint.
    pub endpoint: Option<IpAddr>,
    /// The UDP port on which Wireguard will listen for incoming peer traffic.
    /// This port is not related to [crate::config::ServicePort].
    pub listenport: i32,
    /// An ED25519 keypair defining the identity of this [WireguardHost].
    /// Its public key will be referred to in peers' configs, and its private
    /// key will be used to initialize the interface.
    pub keypair: WireguardKeypair,
}

#[derive(Debug, Serialize, Clone)]
/// Represents a network device for handling Wireguard traffic.
/// Must include remote and local identities in the form of `WireguardHost`.
pub struct WireguardDevice {
    /// Human-readable name for this device.
    pub name: String,
    /// Representation of localhost as a [WireguardHost].
    pub interface: WireguardHost,
    /// Representation of remote peer as a [WireguardHost].
    pub peer: WireguardHost,
}

impl WireguardDevice {
    /// Returns contents of an INI config file for Wireguard.
    /// This file constitutes the entirety of the Wireguard interface configuration,
    /// for use with `wg-quick`, and is usually referred to in Wireguard documentation
    /// as `wg0.conf`. In our case, on disk it is usually called `innisfree.conf`.
    /// In practice, this config file is used by the local end of the Innisfree tunnel.
    pub fn config(&self) -> Result<String> {
        let wg_template = include_str!("../../files/wg0.conf.j2");
        let mut context = tera::Context::new();
        context.insert("wireguard_device", &self);
        // Firewall rules are mostly important from client side,
        // so allow rules to be ignored
        let empty_rules: Vec<ServicePort> = Vec::new();
        context.insert("services", &empty_rules);
        // Disable autoescaping, since it breaks wg key contents
        tera::Tera::one_off(wg_template, &context, false)
            .context("Failed to write wireguard config")
    }

    /// Returns a specially formed Wireguard INI config file,
    /// that includes firewall rules restrictions for the services
    /// being proxied.
    pub fn config_with_services(&self, services: &[ServicePort]) -> Result<String> {
        let wg_template = include_str!("../../files/wg0.conf.j2");
        let mut context = tera::Context::new();
        context.insert("wireguard_device", &self);
        context.insert("services", &services);
        // Disable autoescaping, since it breaks wg key contents
        tera::Tera::one_off(wg_template, &context, false)
            .context("Failed to write wireguard config for multiple services")
    }

    /// Save the config file to disk, within the configuration directory for project state.
    /// This method is only appropriate for the local end of the Innisfree tunnel.
    pub fn write_locally(&self, service_name: &str, services: &[ServicePort]) -> Result<()> {
        let wg_config_path = make_config_dir(service_name)?.join(format!("{}.conf", service_name));
        let mut f = std::fs::File::create(&wg_config_path)?;
        f.write_all(self.config_with_services(services)?.as_bytes())?;
        Ok(())
    }
}

#[derive(Debug, Clone)]
/// Controller class for creating both ends of a Wireguard tunnel.
/// Generates keypairs for local and remote interfaces.
/// Generates configuration files for both interfaces.
pub struct WireguardManager {
    /// IP address of the local Wireguard interface.
    pub wg_local_ip: IpAddr,
    // wg_local_name: String,
    // wg_local_host: WireguardHost,
    /// Wireguard configuration for local interface.
    pub wg_local_device: WireguardDevice,

    /// IP address of the remote Wireguard interface.
    pub wg_remote_ip: IpAddr,
    // wg_remote_name: String,
    // wg_remote_host: WireguardHost,
    /// Wireguard configuration for remote interface.
    pub wg_remote_device: WireguardDevice,
}

impl WireguardManager {
    /// Create a new controller class, based on `service_name`.
    pub fn new(service_name: &str) -> Result<WireguardManager> {
        let wg_subnet = generate_unused_subnet()?;
        let s = wg_subnet.hosts().collect::<Vec<IpAddr>>();

        let wg_local_ip = s[0];
        // Decouple the kernel-visible interface name from `service_name`:
        // user-provided names + the `innisfree-` / `-local` adornments would
        // routinely overflow Linux's IFNAMSIZ (15). Pick a short, fixed-shape
        // name (`innisfree<N>`) where N is the smallest integer not already
        // taken by an existing interface. Service identity stays in
        // `service_name` and the per-tunnel config dir.
        let wg_local_name = pick_local_iface_name()?;
        let wg_local_keypair = WireguardKeypair::new()?;
        let wg_local_host = WireguardHost {
            name: wg_local_name.to_owned(),
            address: wg_local_ip,
            endpoint: None,
            listenport: 0,
            keypair: wg_local_keypair,
        };

        let wg_remote_ip = s[1];
        let wg_remote_name = format!("innisfree-{}-remote", service_name);
        let wg_remote_keypair = WireguardKeypair::new()?;
        let wg_remote_host = WireguardHost {
            name: wg_remote_name.to_owned(),
            address: wg_remote_ip,
            endpoint: None,
            listenport: WIREGUARD_LISTEN_PORT,
            keypair: wg_remote_keypair,
        };

        let wg_local_device = WireguardDevice {
            name: wg_local_name,
            interface: wg_local_host.clone(),
            peer: wg_remote_host.clone(),
        };
        let wg_remote_device = WireguardDevice {
            name: wg_remote_name,
            interface: wg_remote_host,
            peer: wg_local_host,
        };

        Ok(WireguardManager {
            wg_local_ip,
            // wg_local_name,
            // wg_local_host,
            wg_local_device,

            wg_remote_ip,
            // wg_remote_name,
            // wg_remote_host,
            wg_remote_device,
        })
    }
}

/// Pick the lowest unused `innisfree<N>` interface name. The pattern is
/// always 10–11 characters, well under IFNAMSIZ (15), regardless of what
/// the user named their tunnel.
///
/// Existence is detected via `/sys/class/net/<name>` rather than a netlink
/// dump — `/sys/class/net` is world-readable on every modern Linux and
/// keeps this function dep-free and callable from `WireguardManager::new`
/// (which is sync). Stale interfaces left behind by a crashed prior run
/// will simply be skipped over until the user `ip link delete`s them; with
/// 100 slots that's plenty of headroom in practice.
fn pick_local_iface_name() -> Result<String> {
    const MAX_SLOTS: u32 = 100;
    for n in 0..MAX_SLOTS {
        let candidate = format!("innisfree{n}");
        if !Path::new(&format!("/sys/class/net/{candidate}")).exists() {
            return Ok(candidate);
        }
    }
    Err(anyhow!(
        "no free interface name in innisfree[0..{MAX_SLOTS}); \
         clean up stale ones with `sudo ip link delete <name>`"
    ))
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn config_generation() -> anyhow::Result<()> {
        let wg_hosts = _generate_hosts()?;
        let wg_device = WireguardDevice {
            name: "foo1".to_string(),
            interface: wg_hosts[0].clone(),
            peer: wg_hosts[1].clone(),
        };
        let wg_config = wg_device.config()?;
        assert!(wg_config.contains("Interface"));
        assert!(wg_config.contains("PrivateKey = "));

        assert!(!wg_config.contains(&wg_hosts[0].keypair.public));
        assert!(wg_config.contains(&wg_hosts[0].keypair.private));

        assert!(wg_config.contains(&wg_hosts[1].keypair.public));
        assert!(!wg_config.contains(&wg_hosts[1].keypair.private));

        // Slashes '/' will be rendered as hex value &#x2F if formatting is broken
        assert!(!wg_config.contains("&#x2F"));
        assert!(!wg_config.contains(r"&#x2F"));

        Ok(())
    }

    // Helper function for reusable structs
    fn _generate_hosts() -> Result<Vec<WireguardHost>> {
        let kp1 = WireguardKeypair::new()?;
        let h1 = WireguardHost {
            name: "foo1".to_string(),
            address: "127.0.0.1".parse()?,
            endpoint: Some("1.1.1.1".parse()?),
            listenport: 80,
            keypair: kp1,
        };
        let kp2 = WireguardKeypair::new()?;
        let h2 = WireguardHost {
            name: "foo2".to_string(),
            address: "127.0.0.1".parse()?,
            endpoint: None,
            listenport: 80,
            keypair: kp2,
        };
        let wg_hosts: Vec<WireguardHost> = vec![h1, h2];
        Ok(wg_hosts)
    }

    #[test]
    fn host_generation() -> anyhow::Result<()> {
        let wg_hosts = _generate_hosts()?;
        assert_eq!(wg_hosts[0].name, "foo1");
        assert_eq!(wg_hosts[1].name, "foo2");
        Ok(())
    }

    #[test]
    fn device_generation() -> anyhow::Result<()> {
        let wg_hosts = _generate_hosts()?;
        let wg_device = WireguardDevice {
            name: "foo".to_string(),
            interface: wg_hosts[0].clone(),
            peer: wg_hosts[1].clone(),
        };
        assert_eq!(wg_device.name, "foo");
        assert_eq!(wg_hosts[0].name, "foo1");
        Ok(())
    }

    #[test]
    fn host_cloning() -> anyhow::Result<()> {
        let wg_hosts = _generate_hosts()?;
        let wg_h1 = &wg_hosts[0];
        let wg_h2 = &wg_hosts[1];
        let wg_device = WireguardDevice {
            name: "foo".to_string(),
            interface: wg_h1.clone(),
            peer: wg_h2.clone(),
        };
        assert_eq!(wg_device.name, "foo");
        assert_eq!(wg_hosts[0].name, "foo1");
        assert_eq!(wg_device.interface.keypair.public, wg_h1.keypair.public);
        assert_eq!(wg_device.interface.keypair.private, wg_h1.keypair.private);
        Ok(())
    }

    #[test]
    fn device_cloning() -> anyhow::Result<()> {
        let wg_hosts = _generate_hosts()?;
        let wg_h1 = &wg_hosts[0];
        let wg_h2 = &wg_hosts[1];
        let wg_device = WireguardDevice {
            name: "foo".to_string(),
            interface: wg_h1.clone(),
            peer: wg_h2.clone(),
        };

        let wg_device2 = wg_device.clone();
        assert_eq!(
            wg_device.interface.keypair.public,
            wg_device2.interface.keypair.public
        );
        assert_eq!(
            wg_device.interface.keypair.private,
            wg_device2.interface.keypair.private
        );
        Ok(())
    }

    #[test]
    fn pubkey_generation() -> anyhow::Result<()> {
        // Hardcoded test vector, matches the output of `wg genkey | wg pubkey`.
        let privkey_b64 = "yPgz26A4S6RcniNaikFZrc0C0SyCW1moXmDP7AMeimE=";
        let secret = StaticSecret::from(decode_key(privkey_b64)?);
        let public = encode_key(PublicKey::from(&secret).as_bytes());
        assert_eq!(public, "ISRq2SHZQDnSfV0VlmMEP4MbwfExE/iNHzthMQ7eNmY=");
        Ok(())
    }

    #[test]
    fn key_generation() -> anyhow::Result<()> {
        let kp = WireguardKeypair::new()?;
        assert!(!kp.public.ends_with('\n'));
        assert!(!kp.private.ends_with('\n'));
        // Slashes '/' will be rendered as hex value &#x2F if formatting is broken
        // Confirming they're NOT in the raw key parts, looks like they slipped
        // in during development in the tera template output.
        assert!(!kp.public.contains("&#x2F"));
        assert!(!kp.public.contains(r"&#x2F"));
        assert!(!kp.private.contains("&#x2F"));
        assert!(!kp.private.contains(r"&#x2F"));
        Ok(())
    }

    #[test]
    fn create_manager() -> anyhow::Result<()> {
        // We'll assume the test host has no tunnels. The first
        // tunnel configured should be 10.50.0.1/30, assuming those
        // IP addrs are available on the system.
        let mgr = WireguardManager::new("foo-service")?;
        let local_ip: IpAddr = "10.50.0.1".parse()?;
        assert!(mgr.wg_local_ip == local_ip);
        let remote_ip: IpAddr = "10.50.0.2".parse()?;
        assert!(mgr.wg_remote_ip == remote_ip);
        Ok(())
    }
}