wireguard-lwip's People

Contributors

smartalock


wireguard-lwip's Issues

wireguardif_init crashes the program?

When I call the function netif_add(&wg_netif_struct, &ipaddr, &netmask, &gateway, &wg, &wireguardif_init, &ethernet_input); the program stops working. I later found that it is a problem with the wireguardif_init parameter. May I ask why this happens?

How to send packets through WireGuard-Tunnel?

Hello,

the WireGuard handshake works fine and the keepalive packets are fine too.
I would like to send packets from my WireGuard client through the WireGuard tunnel to a target machine. But I don't know how... which function do I have to call?
My first Idea was:

```c
static struct wireguard_device *device;
device = (struct wireguard_device *)wg_netif->state;
wireguardif_device_output(device, buffer, &dstIPaddr, UDP_PORT);
```

But these packets are sent directly to the target machine without going through the tunnel. There is also no encryption here.

My second idea was:

```c
peer->port = UDP_Port;
wireguardif_output_to_peer(wg_netif, buffer, &dstIPaddr, peer);
```

This is sending encrypted packets to the target machine, but not through the tunnel. That means my target machine receives encrypted data...

Can anyone explain to me how I send packets from my WireGuard client through the WireGuard tunnel to my target machine?
Which output function do I have to call?

Best regards
Ruien Karimi

Chacha20poly1305 enc/dec function not symmetrical

Not sure you intended this, but the encryption and decryption functions are not symmetrical (i.e. the ct length is not encoded in the padding).

Basic code sample follows.

```c
uint8_t msg[7] = "Simola";
size_t pad = (sizeof(msg) + 15) & 0xFFFFFFF0;   /* round the plaintext length up to a 16-byte boundary */
uint8_t enc[16 + pad];                           /* room for the 16-byte tag plus the padded plaintext */
aead_encrypt(enc, msg, 7, NULL, 0, 0, key_bytes);
uint8_t dec[16];
int rc = aead_decrypt(dec, enc, sizeof(enc), NULL, 0, 0, key_bytes);

assert(crypto_equal(msg, dec, 7) && rc == 1);
```

The assertion fails, but if I call the decryption function with srclen = 16+7 then the decryption is successful.

esp32 device as the vpn server

Hello,

Recently I have implemented this library for the esp32 using freertos. Wireguard tunnel seems to be working and handshakes are also working between peers. But somehow ping is not working from my windows wireguard to the esp32 peer. I am trying to allow traffic forwarding so that every traffic to the internet from my windows wireguard peer will go through the lwip wireguard interface. I am not sure how to achieve this. Any help would be highly appreciated.

Thanks.

Replay window is only 4 packets wide, instead of 32

In wireguard_check_replay(), wireguard.c line 324, the replay window size is declared as:

```c
size_t ReplayWindowSize = sizeof(keypair->replay_bitmap); // 32 bits
```

but this gives a value of 4, so that only 4 of the 32 bits in the replay bitmap are used. In RFC2401, which this is based on, the window size is declared as:

```c
enum {
    ReplayWindowSize = 32
};
```

This discrepancy shouldn't cause failures, but could cause out-of-order packets to be dropped unnecessarily.

Show when link has dropped?

If you deactivate the server or the server endpoint is removed from the network is there a way of indicating this?

It works great on my STM32F407 and ESP32 with ciniml/WireGuard-ESP32-Arduino

Thanks

Andy.

wireguard_check_replay() always rejects first data packet of session

In wireguard.c, line 326, wireguard_check_replay() tests for the seq argument being non-zero. This is almost the first thing that the function does, and if seq is zero then the function always returns false (i.e. rejecting the packet). Since seq is the sequential packet count, beginning at zero, this means that the first data packet of a session will always be dropped by WireGuard and will require retransmission. Furthermore, since sessions are re-created every 2-3 minutes, resetting the sequence count to zero, single packets may continue to be dropped at regular intervals.

This (and other) behaviour of wireguard_check_replay() appears to come directly from RFC2401:

```c
if (seq == 0) return 0;             /* first == 0 or wrapped */
```

However the replay-checking logic in the Linux WireGuard function counter_validate(), which implements a different windowing algorithm based on RFC6479, appears to contain no such special treatment of a sequence value of zero.

Since the dropped packets will tend to be re-transmitted, either by the TCP layer, or by the application, no actual failures are likely to be observed, but the behaviour (and that of the RFC2401 example code) is puzzling.
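As an added illustration of the two replay-check issues above (this is example code, not wireguard-lwip's own), the RFC 2401 sliding window is reimplemented with the window width as a parameter, so the width the first issue says is computed (`sizeof(bitmap)`, i.e. 4) can be compared with the intended 32 bits, and the `seq == 0` rejection from the second issue is dropped so the first packet of a session is accepted once and rejected only on replay. The struct field names and the packet counter sequence are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
/* Per-keypair replay state; field names are assumed, not the library's. */
struct replay_state {
    uint32_t replay_bitmap;   /* one bit per recently seen counter value */
    uint32_t replay_counter;  /* highest counter accepted so far */
};

/* RFC 2401 Appendix C sliding window, width parameterised so the width the
 * issue reports (sizeof(bitmap) == 4) can be compared with the intended 32.
 * Returns 1 (and updates state) if accepted, 0 if replayed or too old. */
static int check_replay(struct replay_state *st, uint32_t seq, uint32_t window_bits)
{
    uint32_t diff;
    /* No "if (seq == 0) return 0" here: WireGuard counters start at 0, and
     * with an all-zero initial state seq 0 is accepted once, then treated
     * as a replay, without any special case. */
    if (seq > st->replay_counter) {
        diff = seq - st->replay_counter;
        if (diff < window_bits)
            st->replay_bitmap = (st->replay_bitmap << diff) | 1u;
        else
            st->replay_bitmap = 1u;             /* jumped past the window */
        st->replay_counter = seq;
        return 1;
    }
    diff = st->replay_counter - seq;
    if (diff >= window_bits)                    /* older than the window */
        return 0;
    if (st->replay_bitmap & (1u << diff))       /* already seen */
        return 0;
    st->replay_bitmap |= (1u << diff);
    return 1;
}

/* The width as the issue says it is computed: bytes, not bits (== 4). */
#define BUGGY_WINDOW    ((uint32_t)sizeof(((struct replay_state *)0)->replay_bitmap))
#define INTENDED_WINDOW 32u

/* Feed a constructed, out-of-order counter sequence; the repeated values are replays. */
static int accepted_with_window(uint32_t window_bits)
{
    static const uint32_t seqs[] = { 0, 1, 2, 30, 28, 25, 28, 0 };
    struct replay_state st = { 0, 0 };
    int ok = 0;
    for (size_t i = 0; i < sizeof(seqs) / sizeof(seqs[0]); i++)
        ok += check_replay(&st, seqs[i], window_bits);
    return ok;   /* 5 with BUGGY_WINDOW (25 dropped as "too old"), 6 with 32 */
}
```

With the 4-bit window, counter 25 arriving after 30 is dropped as too old even though it is a legitimate out-of-order packet; with 32 bits it is accepted, while both repeated values are still rejected.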

Implementation on ESP8266

Hi,

Trying to get this to work on an ESP8266 project (while I'm a complete novice, which isn't helping), I can't figure out where in the code wireguard_interface is defined, and I am getting compile errors such as `error: aggregate 'wireguard_setup()::wireguard_interface wg' has incomplete type and cannot be defined`. Any advice would be greatly appreciated on getting a connection up and running.

Crash on esp8266 arduino ide

I was trying to port this to esp8266. It compiles and uploads fine, but I get constant crashes and reboots. Here is the decoded stack trace; my board version is 2.6.3.

```text
Exception 9: LoadStoreAlignmentCause: Load or store to an unaligned address
PC: 0x402047fc: mul at C:\Users\lan\Documents\ARDUINO_SKETCHES\ESP_WIREGUARD/x25519.c line 61
EXCVADDR: 0x3ffe87dd

Decoding stack results
0x402048b4: mul1 at C:\Users\lan\Documents\ARDUINO_SKETCHES\ESP_WIREGUARD/x25519.c line 156
0x40204a02: x25519 at C:\Users\lan\Documents\ARDUINO_SKETCHES\ESP_WIREGUARD/x25519.c line 157
0x40202836: wireguard_generate_public_key at C:\Users\lan\Documents\ARDUINO_SKETCHES\ESP_WIREGUARD/wireguard.c line 415
0x40203885: wireguard_device_init at C:\Users\lan\Documents\ARDUINO_SKETCHES\ESP_WIREGUARD/wireguard.c line 986
0x402045fe: wireguardif_init at C:\Users\lan\Documents\ARDUINO_SKETCHES\ESP_WIREGUARD/wireguardif.c line 920
0x4021315c: netif_set_addr_LWIP2 at core/netif.c line 717
0x40213210: netif_add_LWIP2 at core/netif.c line 375
0x40204550: wireguardif_init at C:\Users\lan\Documents\ARDUINO_SKETCHES\ESP_WIREGUARD/wireguardif.c line 881
0x4010091f: free(void*) at C:\Users\lan\AppData\Local\Arduino15\packages\esp8266\hardware\esp8266\2.6.3\cores\esp8266\umm_malloc\umm_malloc.cpp line 362
0x40204f73: WireGuard::begin(IPAddress const&, char const*, char const*, char const*, unsigned short) at C:\Users\lan\Documents\ARDUINO_SKETCHES\ESP_WIREGUARD/ESP_WIREGUARD.ino line 45
0x40217d40: ip4_input at core/ipv4/ip4.c line 1167
0x4020691e: __delay(unsigned long) at C:\Users\lan\AppData\Local\Arduino15\packages\esp8266\hardware\esp8266\2.6.3\cores\esp8266\core_esp8266_wiring.cpp line 54
0x4020509d: setup() at C:\Users\lan\Documents\ARDUINO_SKETCHES\ESP_WIREGUARD/ESP_WIREGUARD.ino line 98
0x4020647c: loop_wrapper() at C:\Users\lan\AppData\Local\Arduino15\packages\esp8266\hardware\esp8266\2.6.3\cores\esp8266\core_esp8266_main.cpp line 177
```

Here is the sketch; all crypto and wireguard sources were placed in the root of the sketch.

```cpp
#include <Arduino.h>
#include <ESP8266WiFi.h>
#include <IPAddress.h>
#include "lwip/err.h"
#include "lwip/sys.h"
#include "lwip/ip.h"
#include "lwip/netdb.h"

extern "C" {
#include "wireguardif.h"
#include "wireguard-platform.h"
}

// Wireguard instance
static struct netif wg_netif_struct = {0};
static struct netif *wg_netif = NULL;
static uint8_t wireguard_peer_index = WIREGUARDIF_INVALID_INDEX;

char private_key[] = "8BU1giso23adjCk93dnpLJnK788bRAtpZxs8d+Jo+Vg=";  // [Interface] PrivateKey
IPAddress local_ip(192, 168, 0, 111);         // [Interface] Address
char public_key[] = "x6tAoOCzdZxB2x8un4NxcW6zCbtZ9tSeSAjbS1VZPQ8=";     // [Peer] PublicKey
char endpoint_address[] = "link.arc.soracom.io";    // [Peer] Endpoint
int endpoint_port = 13231;              // [Peer] Endpoint

class WireGuard
{
  public:
    void begin(const IPAddress& localIP, const char* privateKey, const char* remotePeerAddress, const char* remotePeerPublicKey, uint16_t remotePeerPort);
};

void WireGuard::begin(const IPAddress& localIP, const char* privateKey, const char* remotePeerAddress, const char* remotePeerPublicKey, uint16_t remotePeerPort) {
  struct wireguardif_init_data wg;
  struct wireguardif_peer peer;
  ip_addr_t ipaddr = IPADDR4_INIT(static_cast<uint32_t>(localIP));
  ip_addr_t netmask = IPADDR4_INIT_BYTES(255, 255, 255, 0);
  ip_addr_t gateway = IPADDR4_INIT_BYTES(0, 0, 0, 0);

  // Setup the WireGuard device structure
  wg.private_key = privateKey;
  wg.listen_port = remotePeerPort;  // 51820;
  wg.bind_netif = NULL;

  // Register the new WireGuard network interface with lwIP
  wg_netif = netif_add(&wg_netif_struct, ip_2_ip4(&ipaddr), ip_2_ip4(&netmask), ip_2_ip4(&gateway), &wg, &wireguardif_init, &ip_input);

  // Mark the interface as administratively up, link up flag is set automatically when peer connects
  netif_set_up(wg_netif);

  // Initialise the first WireGuard peer structure
  wireguardif_peer_init(&peer);
  peer.public_key = remotePeerPublicKey;
  peer.preshared_key = NULL;

  // Allow all IPs through tunnel
  ip_addr_t allowed_ip = IPADDR4_INIT_BYTES(0, 0, 0, 0);
  peer.allowed_ip = allowed_ip;
  ip_addr_t allowed_mask = IPADDR4_INIT_BYTES(0, 0, 0, 0);
  peer.allowed_mask = allowed_mask;

  // If we know the endpoint's address can add here
  ip_addr_t endpoint_ip = IPADDR4_INIT_BYTES(10, 10, 10, 1);
  peer.endpoint_ip = endpoint_ip;
  peer.endport_port = 13231;

  // Initialize the platform
  wireguard_platform_init();

  // Register the new WireGuard peer with the network interface
  wireguardif_add_peer(wg_netif, &peer, &wireguard_peer_index);

  if ((wireguard_peer_index != WIREGUARDIF_INVALID_INDEX) && !ip_addr_isany(&peer.endpoint_ip)) {
    // Start outbound connection to peer
    wireguardif_connect(wg_netif, wireguard_peer_index);
    netif_set_default(wg_netif);
  }
}

static WireGuard wireg;

void setup() {
  // put your setup code here, to run once:
  Serial.begin(115200);   // open the serial port before printing anything
  Serial.println("Connecting to the AP...");

  WiFi.mode(WIFI_STA);
  WiFi.begin("MikroTik1", "");

  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }
  Serial.println("Connected. Initializing WireGuard...");
  delay( 5000 );
  wireg.begin(
    local_ip,
    private_key,
    endpoint_address,
    public_key,
    endpoint_port);
}

void loop() {
  // put your main code here, to run repeatedly:

}
```
