porech / engarde
A go network utility to create a reliable IP tunnel over multiple connections

License: GNU General Public License v2.0

Go 39.11% Makefile 3.28% Shell 1.11% JavaScript 2.40% TypeScript 37.43% CSS 3.23% HTML 13.18% SCSS 0.27%
Topics: engarde, wireguard, tunnel, wireguard-ip, bandwidth, failover, wireguard-tunnel, packet


engarde's Issues

Adding bonding capabilities

Hi, do you think it could be possible to add bonding capabilities to engarde? What do you think about this code?

Server:
package main

// Import necessary packages
import (
	"net"

	log "github.com/sirupsen/logrus"
)

// Placeholders for the sockets engarde-server already owns (referenced in main below)
var (
	ClientSocket    *net.UDPConn
	WireguardSocket *net.UDPConn
	WireguardAddr   *net.UDPAddr
)

// Define a struct for storing bonded interfaces
type BondedInterfaces struct {
	Interfaces []*net.UDPConn
}

// Initialize bonded interfaces
var bondedInterfaces BondedInterfaces

// Function to bond multiple network interfaces
func bondInterfaces() {
	// Add code to initialize and bind multiple network interfaces
	// For example, iterate through available interfaces and create UDP connections
	// Store these connections in bondedInterfaces.Interfaces slice
}

// Function to distribute outgoing traffic across bonded interfaces
func distributeTraffic(data []byte) {
	// Iterate through bonded interfaces and send data over each interface
	for _, conn := range bondedInterfaces.Interfaces {
		_, err := conn.Write(data)
		if err != nil {
			log.Warn("Error writing to bonded interface:", err)
		}
	}
}

// Modify main function to include bonding
func main() {
	// Initialize bonded interfaces
	bondInterfaces()

	// Add other existing logic...

	// Modify the existing send function to distribute traffic
	go receiveFromClientBonded(ClientSocket, WireguardSocket, WireguardAddr)
}

// Modify existing send function to include bonding capabilities
func receiveFromClientBonded(socket, wgSocket *net.UDPConn, wgAddr *net.UDPAddr) {
	buffer := make([]byte, 1500)
	for {
		n, _, err := socket.ReadFromUDP(buffer) // the source address is not needed here
		if err != nil {
			log.Warn("Error reading from client")
			continue
		}

		// Copy the datagram first: the goroutine must not read buffer while
		// the next ReadFromUDP is already overwriting it
		data := make([]byte, n)
		copy(data, buffer[:n])

		// Distribute traffic across bonded interfaces
		go distributeTraffic(data)
	}
}

Client:
package main

// Import necessary packages
import (
	"net"

	log "github.com/sirupsen/logrus"
)

// Placeholders for the socket and peer address engarde-client already owns
var (
	WireguardSocket *net.UDPConn
	WireguardAddr   *net.UDPAddr
)

// Modify main function to include bonding
func main() {
	// Initialize bonded interfaces (same helper as in the server snippet above)
	bondInterfaces()

	// Add other existing logic...

	// Modify the existing receive function to handle bonded interfaces
	go receiveFromWireguardBonded(WireguardSocket, &WireguardAddr)
}

// Modify existing receive function to handle bonded interfaces
func receiveFromWireguardBonded(wgsock *net.UDPConn, sourceAddr **net.UDPAddr) {
	buffer := make([]byte, 1500)
	for {
		n, srcAddr, err := wgsock.ReadFromUDP(buffer)
		if err != nil {
			log.Warn("Error reading from Wireguard")
			continue
		}
		*sourceAddr = srcAddr

		// Send received data to client application
		sendToClientBonded(buffer[:n])
	}
}

// Function to send data to client application over bonded interfaces
func sendToClientBonded(data []byte) {
	// Add code to send data to client application over bonded interfaces
	// For example, distribute data across bonded connections
}

Unify client and server, allow multiple instances in the same process

There's no reason why client and server should be two different executables. Also, there's no reason why a single process can hold only a single configuration.

It would be more comfortable to be able to insert multiple configurations into the same YML file, and run them together into the same process. Each config would have a "type" parameter to specify if it's client or server.

For example:

pcToServer:
    type: client
    description: "I am the first client"
    listenAddr: "127.0.0.1:59402"
    dstAddr: "203.0.113.1:59401"
    webManager:
        listenAddr: "0.0.0.0:9001"

pcToAnotherServer:
    type: client
    description: "I am the second client"
    listenAddr: "127.0.0.1:59402"
    dstAddr: "203.0.113.2:59401"
    webManager:
        listenAddr: "0.0.0.0:9002"

iAlsoActAsServer:
    type: server
    description: "This time, I am a server"
    listenAddr: "0.0.0.0:59501"
    dstAddr: "127.0.0.1:59301"
    webManager:
        listenAddr: "0.0.0.0:9003"

To keep compatibility with the current config file, a configuration named "client" would automatically set its type as client, and a configuration named "server" would automatically set its type as server.

This issue is also a discussion point to evaluate the feature: if you feel like this could break your workflow, or that there's a better way to handle this, let's talk about it!

So lost with the configuration file

First, thank you for your contribution. If I can get this to work properly it will be a lifesaver for me while trying to stream my daughter's competitive events. That said, in my brain, I can't see how all these match up.
In your example you have
client:
    listenAddr: "127.0.0.1:59401"
    dstAddr: "198.51.100.32:59402"
    excludedInterfaces:
        - "eth3"
        - "wg0"

server:
    listenAddr: "0.0.0.0:59402"
    dstAddr: "127.0.0.1:59301"

I get the client dstaddr and server listen address. But 59401 and 59402?

In the actual engarde.yml.sample you have.
Random ports and IP addresses all over the place. I am finding it very difficult to decipher. While I am not an infrastructure engineer, I am in the industry with over 20 years of experience.

I think I just need to better understand what IPs need to go where with what ports.
My WireGuard VPN server is using 192.168.10.1 with a local host of 192.168.1.130, and my client is using 192.168.10.2 for the WireGuard VPN address and 192.168.0.23 while connected to a Netgear Nighthawk M1 hotspot. This setup (WireGuard, that is) is up and running properly.
Where do I put my public IP that is forwarding to port 51820 in the client yml config, and what do I need to put in the server yml config?

Much appreciated; thank you in advance for any advice offered.

Any chance in creating a video tutorial that shows both client and server setup?

Howto build

Hello, first - thanks for this great project, it works awesome!

And a small question - how to build client and server with the built-in webserver? I can build client and server, but they are without the built-in webmanager (404 error); the official build does include the webmanager in a single binary file...

Thanks a lot!

Issue: Tiny latency spike when physically ripping cable

So this might be one issue which you can close soon, as I've not fully verified why it happens.

But when I have 3 WANs connected, sometimes (sporadically) my latency on the tunnel spikes for a second or two when I take one of the WAN cables out. (Engarde usually throws an error: unable to write to socket.)

My theory is that when I pull the cable out, ifplugd sets the link down and there is nothing to write to, creating a short buffer overflow? In which case I might be able to solve it by not using ifplugd and never taking any interface's link down (with ip link), keeping them statically ON? (In /etc/network/interfaces)

If my theory is correct this might currently just be the way it works, but I'll have to investigate this further. It's not like I pull my cables all the time for fun, but if it does happen somehow, or on a bad physical link, I'd rather keep stuff as stable as possible :)

Will engarde work for TCP traffic over RTMP protocol

Sorry, this is not really an issue, but more of a few questions I had about engarde. My situation is that I am livestreaming over an ethernet that gives sufficient bandwidth most of the time, but I'd like to have seamless failover to a cellular network (via a dongle) in case the ethernet goes down.
Engarde says "every UDP packet that is emitted (...) and sends it through every available connection. So, the first package that reaches its destination wins, and the others are silently discarded "
I'm not a network guy so I was wondering if you guys could answer a few questions before I dive into trying to make this work.

  1. Does this support only UDP? I'm streaming via RTMP which is a TCP protocol. Will Engarde work?
  2. If it sends every packet over two networks, does it have the means to maintain packets in the right order at the server end?
  3. If, theoretically, my ethernet gets throttled and its bandwidth drops, and my WiFi becomes the higher bandwidth connection, does this mean my livestream will theoretically continue uninterrupted over WiFi (assuming the WiFi has sufficient bandwidth for the livestream)?

Thanks for your efforts!

Optimization: Reduced CPU usage on bandwidth load.

Noticed the software is quite CPU bound. Although it doesn't currently appear to give me any issues, it could maybe be beneficial for higher throughput on load.

Trouble setting SQM/QoS traffic shaping on individual WAN interfaces.

To get some form of QoS going, there seems to be two ways to go about it:

  1. SQM on the WireGuard tunnel; since I control my own VPS I can easily set up an SQM interface on the VPS as well:

Both sides apply egress bandwidth throttling; on the router side I set it to 5Mbps for upstream (basically a bit below the slowest of my 3 WAN interfaces).

VPS side I set the egress cap to ~50Mbps, just for safety but to retain at least some bandwidth, basically lower than the lowest ingress (downstream) capability of my fastest WAN interface on the router side.

This yields perfect SQM on a max bandwidth test; latency in the tunnel doesn't even budge.
The theory here is that as long as we assume all 3 WANs work at maximum quality/capacity, and set the bandwidth cap ~15% lower than the lowest available WAN interface, the tunnel remains fine. The downside is you'll have to be quite conservative on both sides, and if some WAN interfaces fail on the router side, the bandwidth shaping cap might be too loose and no longer function (unless you set it really tight, like 10Mbps/5Mbps maybe).

  2. SQM only on the router side, applied to individual WAN interfaces. The theory here is that we can never choke/starve any WAN interface, and anything that arrives or gets through the tunnel via these WAN interfaces just gets sent/received on a best-effort basis. Assuming we don't use TCP ECN, any excess packets simply get dropped. Applying such QoS would in theory be best, as you can utilize the maximum potential of the fastest available WAN over engarde. In theory it sounds like this is right up engarde's alley and should be no problem.

The problem is, as soon as I apply SQM (let's say 1/1Mbps) to a single individual WAN interface, the tunnel unexpectedly drops in speed the longer a bandwidth test is ongoing, as if the single capped interface affects the WireGuard tunnel at the same time. The tighter I cap the single interface, the more regression is shown in the tunnel speed as well.

I'm currently using https://github.com/tohojo/sqm-scripts which is also used on OpenWRT.

For ingress it creates ifb devices to mirror the incoming data so that it can be shaped with tc qdisc.

Currently using this on both sides, applying to wg0 (WireGuard) directly, but obviously if I try method 2 I adjust the parameters to suitable settings.

SCRIPT=layer_cake.qos
EQDISC_OPTS="diffserv3 metro nat dual-srchost no-split-gso ack-filter"

I tried older SQM methods as well, fq_codel etc but they all show the same behavior.

Not sure if this is just impossible to set up due to the nature of the beast, and it is simply impossible to apply SQM on a redundant setup like this.

Another method of testing is to apply SQM to an interface, then ping -I $iface x.x.x.x (so it bypasses the tunnel entirely), and no matter how low I cap the interface, pinging is troublesome while there should be plenty of bandwidth left for it.

MAYBE it can be solved by adding (virtual) 'veth' in/out devices in front of my WAN interfaces, but that's quite a complex config. A positive side effect would be that even ingress packets can be manipulated in the iptables mangle table before they pass the (to be SQM'ed) veth out-interface.

Optional Feature suggestion: Implement some form of FEC (reed-solomon)

(Optional, user configurable) Feature suggestion:

Implement some form of FEC (Reed-Solomon), like TinyFECvpn/udpspeeder, with some configurable options (keep latency low, least intrusive but still some benefit).

Possibly only applied to a specific interface, depending on which one might benefit from it. (I know one of my connections has upstream signal issues and this might be of some relief, while my other fixed line never has any loss.)

And let's say my 4G connection has a monthly cap, so it would only be a problem for that one, as it would mean more bandwidth consumption.

Multiple engarde clients to a single engarde server

First of all, amazing job on creating this functionality. Thank you so much!!

In the docs you have mentioned that multiple engarde clients will need to connect to multiple engarde server instances as of now. Combining this is a WIP.

Any specific timeframe for this :)

Images in README not reachable

Images in the README file are unreachable after tinypic shutdown. We need to upload them somewhere else and change the reference.

When phone hotspot shuts off, internet goes down

Having a bit of an issue and I'm unable to debug what's wrong.
My connections are an Ethernet LAN cable and WiFi from a phone hotspot.
Engarde is on via TUNSafe.
I'm using this config to do a livestream with OBS.
When I unplug the LAN cable, the livestream continues, albeit with a slight drop in bitrate (because of the WiFi bandwidth).
I plug the LAN back in, and turn off the data on my phone. (So the laptop is still connected to the hotspot, but no data will go through.) The livestream continues (via LAN). Strangely, the Windows Performance tab continues to show data going through WiFi! Though it seems to be a replica of the LAN graph. Engarde's web console shows only Ethernet connected. The WiFi connection shows no packets going through.
However, if I disable the hotspot on my phone, the livestream bitrate drops to zero for a few seconds, before coming back up again. I'm guessing OBS or engarde or something assumes the connection went down.
Not sure why this would happen, especially considering that just turning off the data on my phone doesn't have this effect.

Configs are as below:
TUNSAFE
[Interface]
PrivateKey = **
Address = 192.168.2.2/24
DNS = 1.1.1.1
MTU = 1360

[Peer]
PublicKey = **
AllowedIPs = 0.0.0.0/0
Endpoint = 127.0.0.1:54320

ENGARDE
client:
    description: "My engarde-client instance"
    listenAddr: "127.0.0.1:54320"

    dstAddr: "34.87.166.121:54321"
    excludedInterfaces:
        - "Local Area Connection* 1"
        - "Local Area Connection* 2"
        - "Ethernet 2"
        - "GCPMumbai"
        - "Bluetooth Network Connection"
        - "Loopback Pseudo-Interface 1"
    dstOverrides: []

    webManager:
        listenAddr: "0.0.0.0:9001"
        username: "engarde"
        password: "engarde"

server:
    description: "My engarde-server instance"
    listenAddr: "0.0.0.0:54321"
    dstAddr: "127.0.0.1:54320"
    clientTimeout: 30
    writeTimeout: 10
    webManager:
        listenAddr: "0.0.0.0:80"
        username: "engarde"
        password: "engarde"

How do you forward all your traffic using engarde?

Hello!
Thank you very much, I love the software. It works really well when I set up wireguard manually using the wg command. However, I can't get it to work with wg-quick. I'm using wg-quick to set up the WireGuard VPN, and forward all my traffic over the VPN. It works perfectly for that after setting up ufw masquerading on the server. Has anyone been able to use engarde with wg-quick, and all traffic forwarding with masquerading?

Here is my setup:

wg-quick conf files

Ubuntu 20.04 server
cat /etc/wireguard/wg0.conf

[Interface]
Address = 10.5.5.1
PrivateKey = 
ListenPort = 59301

[Peer]
PublicKey = 
AllowedIPs = 10.5.5.0/24

Ubuntu 20.04 client
cat /etc/wireguard/wg0.conf

[Interface]
Address = 10.5.5.5
PrivateKey =   

[Peer]
PublicKey = 
#Endpoint = <public-ip>:59301
Endpoint = 127.0.0.1:59402
AllowedIPs = 0.0.0.0/0
#AllowedIPs = 10.5.5.0/24

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

engarde configs

server:
  listenAddr: "0.0.0.0:59402"
  dstAddr: "127.0.0.1:59301"
  # You can control engarde-client by accessing the web management interface. Here you can specify its parameters.
  # If you don't want a management interface, you can omit this section.
  webManager:
    # The address to listen to. Leave it empty to disable the management webserver.
    listenAddr: "0.0.0.0:9001"

client:
  listenAddr: "127.0.0.1:59401"
  dstAddr: "<public-ip>:59402"
  excludedInterfaces:
    - "virbr0"
    - "virbr0-nic"
    - "wg0"
  # You can control engarde-client by accessing the web management interface. Here you can specify its parameters.
  # If you don't want a management interface, you can omit this section.
  webManager:
    # The address to listen to. Leave it empty to disable the management webserver.
    listenAddr: "0.0.0.0:9001"

DNS/traffic issue

First off, thanks for making this! I need a reliable failproof connection for "high stakes" streaming (ok it's comedy :) ).

Env

  • Client: macOS 10.15.7, WG latest app from App Store. 1 ethernet, 1 wifi connection, same internal network, to a single router and modem.
  • Server: I setup a new droplet at DO with https://github.com/jar-o/rotvpn (super simple btw). Ubuntu 20 I believe?

Put the engarde client locally, server remote. Used the sample config file but of course edited the destination, and edited the WG tunnel dest.

Connected WG, connected engarde, as far as I can tell. The engarde client reports the new interface and doesn't complain.

With engarde on, unable to ping (8.8.8.8 or 1.1.1.1 for example), nor DNS resolution. rotvpn installs unbound for encrypted DNS, but I get the sense that traffic wasn't flowing period, so not specifically a DNS issue. (I could be wrong about what destinations allow ICMP, to be fair). I checked all the ports that rotvpn opens, and tried to explicitly open any engarde port I could see, as well as setting unbound to accept traffic on all interfaces, from all client IP ranges.

I don't know that it's an issue with DNS, but I'm also not sure how engarde comes into the picture at this point.

I know this is semi vague; I'm hoping for troubleshooting tips to "teach myself to fish" on it.

Thanks in advance!

Alert if excluding the only active interface

Display a clear, terrifying alert if someone tries to exclude the only active interface. The alert should clearly explain that the tunnel WILL go down FOR SURE, and ask if the user is REALLY REALLY sure about it. Maybe we should block the attempt at all?

Feature Request:

Hello, I was wondering if you could add a "classic" bonding mode as you discussed on lowendtalk;
let me know, as I would love to test.

Client time out

Hello, I was trying to test engarde but I can't manage to get it to work:

root@vultr:~# ./engarde-server 
engarde-server ver. 816a73e (master)
INFO[0000] Listening on 0.0.0.0:59402                   
INFO[0000] Management webserver listening on 0.0.0.0:9001 
INFO[0052] New client connected: 'xxx.xxx.xxx.xxx:57702' 
INFO[0052] New client connected: 'xxx.xxx.xxx.xxx:20084'   
INFO[0102] Client 'xxx.xxx.xxx.xxx:57702' timed out     
INFO[0102] Client 'xxx.xxx.xxx.xxx:20084' timed out 

This is my WireGuard server config file:

[Interface]
Address = 10.200.200.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
ListenPort = 51820
PrivateKey = xxx

[Peer]
PublicKey = xxx
AllowedIPs = 10.200.200.2/32

And this is my WireGuard client config file:

[Interface]
PrivateKey = xxx
Address = 10.200.200.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = xxx
AllowedIPs = 10.200.200.0/24
Endpoint = 127.0.0.1:59401
PersistentKeepalive = 25

And this is my engarde.yml:

client:
    listenAddr: "127.0.0.1:59401"
    dstAddr: "xxx.xxx.xxx.xxx:59402"
    excludedInterfaces:
        - "Ethernet 3"
        - "Vultr-Miami"
        - "vEthernet (DockerNAT)"
        - "vEthernet (Default Switch)"
        - "Loopback Pseudo-Interface 1"
    webManager:
        listenAddr: "0.0.0.0:9001"
        username: "engarde"
        password: "engarde"

server:
    listenAddr: "0.0.0.0:59402"
    dstAddr: "127.0.0.1:51820"
    clientTimeout: 30
    webManager:
        listenAddr: "0.0.0.0:9001"
        username: "engarde"
        password: "engarde"

Without engarde I can ping my server at 10.200.200.1, but when I set the Endpoint to 127.0.0.1:59401 I can no longer ping it.
Sometimes the server detects the client addresses, but I have to reset my WireGuard client and the engarde client multiple times for some reason...
I am currently using Windows, but I don't believe that is the issue here.
Is there something that I missed in my setup? I want to tunnel everything through WireGuard, but when I change AllowedIPs to 0.0.0.0/0 I lose my internet connection.

Sorry for my noob question I am kind of new to WireGuard.

Anyway, thanks for your effort making this program; I wanted to do something similar but then I discovered this.

Add versions to Engarde

I think it would be useful to have a version code to recognize which build I'm on while testing.

I should be able to do:

engarde-client -v

engarde-server -v

and have useful information on actual builds, maybe including dates for test builds.

Server crash

Hey again! Not sure if this is linked to latest code, but I was doing some SQM/QOS testing and restricted one WAN interface on client side to like 100kbit/s.

After some load testing the server crashed. That's a first in a like over a week!
Nothing fundamentally changed on the VPS side. No crash client side.

time="2019-11-29T22:07:23+01:00" level=info msg="New client connected: '62.131.70.190:49954'"
time="2019-11-29T22:07:25+01:00" level=info msg="New client connected: '62.131.70.190:43027'"
time="2019-11-29T22:07:27+01:00" level=info msg="New client connected: '62.131.70.190:38965'"
time="2019-11-29T22:07:36+01:00" level=info msg="New client connected: '62.131.70.190:60572'"
time="2019-11-29T22:07:42+01:00" level=info msg="New client connected: '62.131.70.190:39355'"
time="2019-11-29T22:07:43+01:00" level=info msg="New client connected: '62.131.70.190:36497'"
time="2019-11-29T22:07:44+01:00" level=info msg="Client '62.131.70.190:41589' timed out"
time="2019-11-29T22:07:44+01:00" level=info msg="New client connected: '62.131.70.190:33321'"
time="2019-11-29T22:07:45+01:00" level=info msg="New client connected: '62.131.70.190:53847'"
time="2019-11-29T22:07:46+01:00" level=info msg="Client '62.131.70.190:49954' timed out"
time="2019-11-29T22:07:46+01:00" level=info msg="New client connected: '62.131.70.190:47163'"
time="2019-11-29T22:07:47+01:00" level=info msg="Client '62.131.70.190:43027' timed out"
time="2019-11-29T22:07:47+01:00" level=info msg="New client connected: '62.131.70.190:52890'"
time="2019-11-29T22:07:48+01:00" level=info msg="New client connected: '62.131.70.190:38526'"
time="2019-11-29T22:07:49+01:00" level=info msg="New client connected: '62.131.70.190:42441'"
time="2019-11-29T22:07:50+01:00" level=info msg="New client connected: '62.131.70.190:60905'"
time="2019-11-29T22:07:51+01:00" level=info msg="New client connected: '62.131.70.190:34752'"
time="2019-11-29T22:07:52+01:00" level=info msg="New client connected: '62.131.70.190:58098'"
fatal error: concurrent map iteration and map write

goroutine 19 [running]:
runtime.throw(0x8a8bc9, 0x26)
        /usr/local/go/src/runtime/panic.go:774 +0x72 fp=0xc0000e1828 sp=0xc0000e17f8 pc=0x42f6c2
runtime.mapiternext(0xc0000e1f60)
        /usr/local/go/src/runtime/map.go:858 +0x579 fp=0xc0000e18b0 sp=0xc0000e1828 pc=0x410c49
main.receiveFromWireguard(0xc00009e240, 0xc00009e248)
        /home/travis/build/porech/engarde/cmd/engarde-server/main.go:182 +0x207 fp=0xc0000e1fd0 sp=0xc0000e18b0 pc=0x7b5697
runtime.goexit()
        /usr/local/go/src/runtime/asm_amd64.s:1357 +0x1 fp=0xc0000e1fd8 sp=0xc0000e1fd0 pc=0x45bf31
created by main.main
        /home/travis/build/porech/engarde/cmd/engarde-server/main.go:124 +0x4c4

goroutine 1 [runnable]:
syscall.Syscall6(0x2d, 0x5, 0xc0000e368c, 0x5dc, 0x0, 0xc0000e3360, 0xc0000e3354, 0x50, 0x5dc, 0x0)
        /usr/local/go/src/syscall/asm_linux_amd64.s:44 +0x5
syscall.recvfrom(0x5, 0xc0000e368c, 0x5dc, 0x5dc, 0x0, 0xc0000e3360, 0xc0000e3354, 0xffffffffffffffff, 0xc0000e3378, 0x42c27a)
        /usr/local/go/src/syscall/zsyscall_linux_amd64.go:1618 +0xa3
syscall.Recvfrom(0x5, 0xc0000e368c, 0x5dc, 0x5dc, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0xd43a80, 0xfc6620)
        /usr/local/go/src/syscall/syscall_unix.go:273 +0xaf
internal/poll.(*FD).ReadFrom(0xc000094280, 0xc0000e368c, 0x5dc, 0x5dc, 0x0, 0x0, 0x0, 0x0, 0x0)
        /usr/local/go/src/internal/poll/fd_unix.go:215 +0x13e
net.(*netFD).readFrom(0xc000094280, 0xc0000e368c, 0x5dc, 0x5dc, 0xc0000e3588, 0x5b3abb, 0xc000094200, 0xc0000e368c, 0x50)
        /usr/local/go/src/net/fd_unix.go:208 +0x5b
net.(*UDPConn).readFrom(0xc00009e248, 0xc0000e368c, 0x5dc, 0x5dc, 0x50, 0x0, 0x0, 0xbae54185f3812601)
        /usr/local/go/src/net/udpsock_posix.go:47 +0x6a
net.(*UDPConn).ReadFromUDP(0xc00009e248, 0xc0000e368c, 0x5dc, 0x5dc, 0xc00010b920, 0x50, 0x0, 0x0)
        /usr/local/go/src/net/udpsock.go:109 +0x5d
main.receiveFromClient(0xc00009e248, 0xc00009e240, 0xc00010b920)
        /home/travis/build/porech/engarde/cmd/engarde-server/main.go:138 +0x79
main.main()
        /home/travis/build/porech/engarde/cmd/engarde-server/main.go:125 +0x4ef
engarde-server ver. 996e6b3 (master)
time="2019-11-29T22:13:01+01:00" level=info msg="Listening on 0.0.0.0:59402"
time="2019-11-29T22:13:28+01:00" level=info msg="New client connected: '192.145.56.17:60386'"
time="2019-11-29T22:13:31+01:00" level=info msg="New client connected: '62.131.70.190:35177'"
root@redundant:~#
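The trace above ends in Go's runtime check for a map that one goroutine writes (the client registry, updated as clients connect and time out) while another ranges over it (the fan-out in receiveFromWireguard, where the trace places the iteration). As an added example, not engarde's own code, this is a client table guarded by a sync.RWMutex with a snapshot-then-iterate fan-out; ClientTable, Touch, Expire, Snapshot, fanOut and stress are names assumed for the illustration.

```go
package main

import (
	"net"
	"sync"
	"time"
)

// clientEntry is the per-client state a relay keeps: address and time of
// the last datagram (for clientTimeout). All names in this file are
// assumptions for the example, not engarde's own types or functions.
type clientEntry struct {
	Addr     *net.UDPAddr
	LastSeen time.Time
}

// ClientTable is mutated by the goroutine reading from clients while the
// goroutine reading from WireGuard iterates it to fan a packet out. A bare
// map shared that way is what the runtime reports as "fatal error:
// concurrent map iteration and map write"; the RWMutex plus the
// snapshot-then-iterate pattern below is the fix.
type ClientTable struct {
	mu      sync.RWMutex
	clients map[string]*clientEntry
}

func NewClientTable() *ClientTable {
	return &ClientTable{clients: make(map[string]*clientEntry)}
}

// Touch records a datagram from addr and reports whether the client is new
// (the "New client connected" case).
func (t *ClientTable) Touch(addr *net.UDPAddr, now time.Time) bool {
	key := addr.String()
	t.mu.Lock()
	defer t.mu.Unlock()
	if e, ok := t.clients[key]; ok {
		e.LastSeen = now
		return false
	}
	t.clients[key] = &clientEntry{Addr: addr, LastSeen: now}
	return true
}

// Expire drops clients silent for longer than timeout and returns their
// keys so "Client '...' timed out" can be logged outside the lock.
func (t *ClientTable) Expire(now time.Time, timeout time.Duration) []string {
	t.mu.Lock()
	defer t.mu.Unlock()
	var expired []string
	for key, e := range t.clients {
		if now.Sub(e.LastSeen) > timeout {
			delete(t.clients, key) // deleting during range is fine within one goroutine
			expired = append(expired, key)
		}
	}
	return expired
}

// Snapshot copies the addresses under a read lock. The fan-out ranges over
// the copy, so no UDP write runs with the lock held and no range overlaps
// a writer.
func (t *ClientTable) Snapshot() []*net.UDPAddr {
	t.mu.RLock()
	defer t.mu.RUnlock()
	out := make([]*net.UDPAddr, 0, len(t.clients))
	for _, e := range t.clients {
		out = append(out, e.Addr)
	}
	return out
}

// fanOut sends pkt to every known client through send (standing in for the
// UDP write) and returns how many sends succeeded.
func fanOut(t *ClientTable, pkt []byte, send func(*net.UDPAddr, []byte) error) int {
	sent := 0
	for _, addr := range t.Snapshot() {
		if send(addr, pkt) == nil {
			sent++
		}
	}
	return sent
}

// stress reproduces the shape of the crash (one goroutine adding clients
// while another fans out) against the guarded table and returns the final
// client count; the adder cycles through 1000 distinct constructed ports.
func stress(rounds int) int {
	t := NewClientTable()
	var wg sync.WaitGroup
	wg.Add(1)
	go func() {
		defer wg.Done()
		for i := 0; i < rounds; i++ {
			t.Touch(&net.UDPAddr{IP: net.IPv4(192, 0, 2, 1), Port: 40000 + i%1000}, time.Now())
		}
	}()
	for i := 0; i < rounds; i++ {
		_ = fanOut(t, []byte{0}, func(*net.UDPAddr, []byte) error { return nil })
	}
	wg.Wait()
	return len(t.Snapshot())
}
```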

Help routing.

Hi there! I'm glad I finally found this piece of programming, after trying to mud my way through openmptcprouter, mlvpn, glorytun, etc.

For a maximum possible reliable connection none of them are really suited. This, combined, does exactly what I want! (Looks like it does something similar to Speedify redundant mode.)

So far I managed to (Running Openwrt client, Debian 9 server vps)

  1. Swapped 3 LAN ports to 3 WAN ports and made the WAN port a LAN port; all 3 WAN ports receive DHCP from the ISP, put them all on the WAN firewall zone and enabled the default route.

  2. Did all the instructions on the front page, and managed to ping the tunnel IP 10.97.98.1 endpoint on the VPS from the router, and reply back to the router as well. So the server config seems fine! I can rip WAN cables out one by one and the ping nicely continues.

Now comes the part where my local subnet (all clients) needs to route to the wg0 interface, but so far no luck.

Local brlan is 192.168.1.1/24 and the tunnel IPs are 10.97.98.1 on the VPS and 10.97.98.1 on the router side.

I tried using the policy-based-routing package and tried routing from 192.168.1.1/24 etcetera to 10.97.98.1 through wg0, but no luck so far.

Anyone have any tips? Maybe I'm doing something wrong? Seems like the last piece of the puzzle. If router 192.168.1.1 can do it, it cannot be too hard to make it happen for clients on the same subnet. Thanks!

Seems promising so far.

Wireguard VPN setup but Engarde doesn't connect to server

I'm trying to connect from a Windows 10 client to a Ubuntu 18.04 server in the cloud.

Wireguard is all set up and working fine. Able to ping from client to server and server to client. Using it to browse etc.

But once I get Engarde running, nothing seems to be working. I'm unable to ping server from client or ping client from server. Strangely, I'm able to ping 1.1.1.1 from the client but something seems odd as the rtt is 9ms. I usually get around 40 ms.

Came across this issue about Allowed IPs set to 0.0.0.0 possibly causing an issue, but I can't figure out what to change there.

Also came across your discussion on Wireguard mailing lists about an issue with 127.0.0.1 in the Wireguard Windows client. Again, not sure what I can do to fix it.

I'm not much of a network guy so please make the explanation simple. :)

Thanks again for all your effort.

Below are my wireguard configs & then engarde.yml.

Wireguard Server config:

[Interface]
Address = 192.168.2.1
PrivateKey = ******
ListenPort = 54320
SaveConfig = false
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens4 -j MASQUERADE

[Peer]
PublicKey = *****
AllowedIPs = 192.168.2.2/24

Wireguard Client config:

[Interface]
PrivateKey = ****
Address = 192.168.2.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = *****
AllowedIPs = 0.0.0.0/0
Endpoint = 127.0.0.1:54320

Engarde config

---
# Client configuration
client:
  description: "My engarde-client instance"
  listenAddr: "127.0.0.1:54320"
  dstAddr: "SERVERIP:54321"
  writeTimeout: 10
  excludedInterfaces:
    - "Local Area Connection 1"
    - "Local Area Connection 2"
    - "GCPMumbai"
    - "Bluetooth Network Connection"
    - "Loopback Pseudo-Interface 1"
  dstOverrides: []
  
  webManager:
    listenAddr: "0.0.0.0:9001"
    username: "engarde"
    password: "engarde"

# Server configuration
server:
  description: "My engarde-server instance"
  listenAddr: "0.0.0.0:54321"
  dstAddr: "127.0.0.1:54320"
  clientTimeout: 30
  writeTimeout: 10
  webManager:
    listenAddr: "0.0.0.0:80"
    username: "engarde"
    password: "engarde"

Poor error management in socket handlers

Errors in send or receive on UDP are never checked. A sending routine should be destroyed and re-created every time a UDP error occurs, because a UDP error can occur only when the socket becomes invalid.
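One way to act on a send error as this issue describes, as an added example rather than engarde's own code: a Sender that rebuilds its UDP socket on the first write failure and retries once, plus a recoverable helper that separates a deadline (try again) from a dead socket (stop and rebuild). Sender, Send, Invalidate, recoverable and recvOne are assumed names, and the peer is a loopback UDP socket constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"time"
)

// Sender owns a connected UDP socket towards dst and rebuilds it whenever a
// write fails, instead of ignoring the error and keeping a dead socket. It
// is a hypothetical helper written for this example, not engarde's code.
type Sender struct {
	dst     *net.UDPAddr
	conn    *net.UDPConn
	Redials int // how many times the socket has been recreated
}

func NewSender(dst *net.UDPAddr) (*Sender, error) {
	s := &Sender{dst: dst}
	if err := s.redial(); err != nil {
		return nil, err
	}
	return s, nil
}

// redial closes the current socket (if any) and opens a fresh one on an
// ephemeral port; that is what discards the kernel state of a socket whose
// interface or address has gone away.
func (s *Sender) redial() error {
	if s.conn != nil {
		s.conn.Close() // error ignored: the socket may already be dead
		s.Redials++
	}
	c, err := net.DialUDP("udp", nil, s.dst)
	if err != nil {
		return err
	}
	s.conn = c
	return nil
}

func (s *Sender) write(pkt []byte, timeout time.Duration) error {
	if err := s.conn.SetWriteDeadline(time.Now().Add(timeout)); err != nil {
		return err
	}
	_, err := s.conn.Write(pkt)
	return err
}

// Send writes pkt. On the first error it treats the socket as invalid,
// recreates it and retries once; a second failure is returned so the owner
// of this sender can tear the connection down instead of spinning on it.
func (s *Sender) Send(pkt []byte, timeout time.Duration) error {
	err := s.write(pkt, timeout)
	if err == nil {
		return nil
	}
	if rerr := s.redial(); rerr != nil {
		return fmt.Errorf("write failed (%v) and redial failed: %w", err, rerr)
	}
	if err = s.write(pkt, timeout); err != nil {
		return fmt.Errorf("write to %s failed after redial: %w", s.dst, err)
	}
	return nil
}

// Invalidate closes the socket underneath the sender, standing in for the
// interface going down while the sender still holds the descriptor.
func (s *Sender) Invalidate() { s.conn.Close() }

// recoverable tells a read or write loop whether to simply try again (a
// deadline expired) or to stop and rebuild its socket (anything else,
// including a closed socket). A loop that only logs and continues on every
// error spins at full CPU once its socket is dead.
func recoverable(err error) bool {
	if errors.Is(err, net.ErrClosed) {
		return false
	}
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

// recvOne reads a single datagram from conn within timeout.
func recvOne(conn *net.UDPConn, timeout time.Duration) ([]byte, error) {
	buf := make([]byte, 1500)
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	n, _, err := conn.ReadFromUDP(buf)
	if err != nil {
		return nil, err
	}
	return buf[:n], nil
}
```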

engarde-client error on Windows 11

Hello. I am trying "Engarde" for the first time and I have problems connecting a Windows 11 client to a Windows 7.
I have no problems connecting directly with WireGuard. I have a successful ping. With the same configuration I tried to connect from "engarde-client" on macOS without problems to the same Windows 7.

Excluding/Including not always saving state?

Hi! Just noticed (maybe) a small bug, not exactly sure.

I excluded an interface yesterday and an hour later re-included it.

Now I look today, it was included but says xxxxx seconds without receiving any data (basically 12-ish hours or so), so I excluded and re-included it just now and it just works fine again instantly.

Maybe there is some small bug that does not always properly save the new state through the API?

Apple Silicon binary

It is not essential, because the amd64 binary seems to work fine under Rosetta 2, but a native Apple Silicon (arm64 macOS) binary can be a nice thing.

Can this be used for Live Video Streaming?

Hi ale-rinaldi,

First of all thank you so much for your wonderful project.

I am trying this on
engarde server on Ubuntu VPS
engarde client on Windows 10

Whatever I try I see the internet becoming dead slow after injecting engarde.
Otherwise WireGuard alone works fine.

The installation guide is not clear to understand.
But somehow I understood the flow and started.

Btw, can we use this for live video streaming?

Server starts while invalid configuration is provided

tool: engarde-server
version: latest (github)
platform: Linux (Ubuntu Server 18.04)
issue: if a configuration file is created, it could have no "server" section and still it will start and listen to nothing.
details:

./engarde-server 
INFO[0000] Listening on  

expected behaviour: it should exit with an error code like when no configuration file is found
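A validation step of the kind this issue asks for, as an added example rather than engarde's code: ServerConfig mirrors the server keys shown in the configs on this page, and parseListenAddr rejects the empty address that net.ResolveUDPAddr on its own would accept. The struct and function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// ServerConfig mirrors the keys of engarde.yml's server section as shown on
// this page; the struct and the validation below are an added example, not
// the project's code.
type ServerConfig struct {
	ListenAddr    string
	DstAddr       string
	ClientTimeout int
	WriteTimeout  int
}

// parseListenAddr is stricter than net.ResolveUDPAddr alone: the standard
// library maps "" to an address with no IP and port 0, which binds an
// ephemeral port on every interface without complaint (the "Listening on "
// log line with nothing after it). An explicit, non-zero port is required.
func parseListenAddr(s string) (*net.UDPAddr, error) {
	if s == "" {
		return nil, errors.New("address is empty")
	}
	a, err := net.ResolveUDPAddr("udp", s)
	if err != nil {
		return nil, err
	}
	if a.Port == 0 {
		return nil, fmt.Errorf("%q has no explicit port", s)
	}
	return a, nil
}

// ValidateServer collects every problem in cfg instead of stopping at the
// first, so a user fixing the file sees them all at once. A missing server
// section decodes to the zero value and fails on both addresses, which is
// the point at which the binary should exit non-zero instead of starting.
func ValidateServer(cfg ServerConfig) []error {
	var errs []error
	if _, err := parseListenAddr(cfg.ListenAddr); err != nil {
		errs = append(errs, fmt.Errorf("server.listenAddr: %w", err))
	}
	if _, err := parseListenAddr(cfg.DstAddr); err != nil {
		errs = append(errs, fmt.Errorf("server.dstAddr: %w", err))
	}
	if cfg.ClientTimeout < 0 || cfg.WriteTimeout < 0 {
		errs = append(errs, errors.New("server timeouts must not be negative"))
	}
	return errs
}
```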
