runnel-rs 0.2.0

A Rust proxy and tunnel toolbox with WireGuard-style, TUN, SOCKS, and TLS-based transports.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91

use anyhow::Result;
use base64::{Engine as _, engine::general_purpose::STANDARD};
use boringtun::x25519::{PublicKey, StaticSecret};
use clap::Args;
use rand::rngs::OsRng;
use serde::Serialize;

use super::parse_key;

#[derive(Clone, Debug, Args)]
pub struct WgKeygenArgs {
    #[arg(long)]
    pub json: bool,
}

#[derive(Debug, Serialize, PartialEq, Eq)]
pub(crate) struct WgKeyMaterial {
    pub(crate) private_key: String,
    pub(crate) public_key: String,
}

pub fn run_keygen(args: WgKeygenArgs) -> Result<()> {
    let material = generate_key_material();
    print_key_material(&material, args.json)?;
    Ok(())
}

pub(crate) fn generate_key_material() -> WgKeyMaterial {
    let private_key = StaticSecret::random_from_rng(OsRng).to_bytes();
    let public_key = *PublicKey::from(&StaticSecret::from(private_key)).as_bytes();
    WgKeyMaterial {
        private_key: STANDARD.encode(private_key),
        public_key: STANDARD.encode(public_key),
    }
}

pub(crate) fn public_key_from_private_key(encoded_private_key: &str) -> Result<String> {
    let private_key = parse_key("wg private_key", encoded_private_key)?;
    let public_key = *PublicKey::from(&StaticSecret::from(private_key)).as_bytes();
    Ok(STANDARD.encode(public_key))
}

fn print_key_material(material: &WgKeyMaterial, as_json: bool) -> Result<()> {
    if as_json {
        println!("{}", serde_json::to_string_pretty(material)?);
    } else {
        println!("private_key={}", material.private_key);
        println!("public_key={}", material.public_key);
    }
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::{generate_key_material, public_key_from_private_key};
    use base64::{Engine as _, engine::general_purpose::STANDARD};
    use boringtun::x25519::{PublicKey, StaticSecret};

    #[test]
    fn keygen_outputs_parseable_base64_keypair() {
        let material = generate_key_material();
        let private_key = STANDARD
            .decode(&material.private_key)
            .expect("private key should decode");
        let public_key = STANDARD
            .decode(&material.public_key)
            .expect("public key should decode");

        assert_eq!(private_key.len(), 32);
        assert_eq!(public_key.len(), 32);
        assert_eq!(
            material.public_key,
            public_key_from_private_key(&material.private_key).unwrap()
        );
    }

    #[test]
    fn pubkey_derives_expected_public_key() {
        let private_key = STANDARD.encode([7u8; 32]);
        let expected = STANDARD.encode(PublicKey::from(&StaticSecret::from([7u8; 32])).as_bytes());
        assert_eq!(public_key_from_private_key(&private_key).unwrap(), expected);
    }

    #[test]
    fn pubkey_rejects_invalid_private_key() {
        let err = public_key_from_private_key("not-base64")
            .unwrap_err()
            .to_string();
        assert!(err.contains("failed to decode"), "{err}");
    }
}