WireGuard rework for MacOS and Windows (#314)

WireGuard rework for MacOS and Windows

client/daemon/daemon.cpp

@@ -9,6 +9,7 @@
 #include <QJsonDocument>
 #include <QJsonObject>
 #include <QJsonValue>
+#include <QMetaEnum>
 #include <QTimer>
 
 #include "leakdetector.h"
@@ -64,9 +65,12 @@ bool Daemon::activate(const InterfaceConfig& config) {
   //    method calls switchServer().
   //
   // At the end, if the activation succeds, the `connected` signal is emitted.
+  // If the activation abort's for any reason `the `activationFailure` signal is
+  // emitted.
   logger.debug() << "Activating interface";
+  auto emit_failure_guard = qScopeGuard([this] { emit activationFailure(); });
 
-  if (m_connections.contains(config.m_hopindex)) {
+  if (m_connections.contains(config.m_hopType)) {
     if (supportServerSwitching(config)) {
       logger.debug() << "Already connected. Server switching supported.";
 
@@ -85,10 +89,12 @@ bool Daemon::activate(const InterfaceConfig& config) {
       bool status = run(Switch, config);
       logger.debug() << "Connection status:" << status;
       if (status) {
-        m_connections[config.m_hopindex] = ConnectionState(config);
+        m_connections[config.m_hopType] = ConnectionState(config);
         m_handshakeTimer.start(HANDSHAKE_POLL_MSEC);
+        emit_failure_guard.dismiss();
+        return true;
       }
-      return status;
+      return false;
     }
 
     logger.warning() << "Already connected. Server switching not supported.";
@@ -96,8 +102,12 @@ bool Daemon::activate(const InterfaceConfig& config) {
       return false;
     }
 
-    Q_ASSERT(!m_connections.contains(config.m_hopindex));
-    return activate(config);
+    Q_ASSERT(!m_connections.contains(config.m_hopType));
+    if (activate(config)) {
+      emit_failure_guard.dismiss();
+      return true;
+    }
+    return false;
   }
 
   prepareActivation(config);
@@ -112,13 +122,7 @@ bool Daemon::activate(const InterfaceConfig& config) {
 
   // Configure routing for excluded addresses.
   for (const QString& i : config.m_excludedAddresses) {
-    QHostAddress address(i);
-    if (m_excludedAddrSet.contains(address)) {
-      m_excludedAddrSet[address]++;
-      continue;
-    }
-    wgutils()->addExclusionRoute(address);
-    m_excludedAddrSet[address] = 1;
+    addExclusionRoute(IPAddress(i));
   }
 
   // Add the peer to this interface.
@@ -142,7 +146,7 @@ bool Daemon::activate(const InterfaceConfig& config) {
 
   // set routing
   for (const IPAddress& ip : config.m_allowedIPAddressRanges) {
-    if (!wgutils()->updateRoutePrefix(ip, config.m_hopindex)) {
+    if (!wgutils()->updateRoutePrefix(ip)) {
       logger.debug() << "Routing configuration failed for"
                      << logger.sensitive(ip.toString());
       return false;
@@ -152,15 +156,21 @@ bool Daemon::activate(const InterfaceConfig& config) {
   bool status = run(Up, config);
   logger.debug() << "Connection status:" << status;
   if (status) {
-    m_connections[config.m_hopindex] = ConnectionState(config);
+    m_connections[config.m_hopType] = ConnectionState(config);
     m_handshakeTimer.start(HANDSHAKE_POLL_MSEC);
+    emit_failure_guard.dismiss();
+    return true;
   }
-
-  return status;
+  return false;
 }
 
 bool Daemon::maybeUpdateResolvers(const InterfaceConfig& config) {
-  if ((config.m_hopindex == 0) && supportDnsUtils()) {
+  if (!supportDnsUtils()) {
+    return true;
+  }
+
+  if ((config.m_hopType == InterfaceConfig::MultiHopExit) ||
+      (config.m_hopType == InterfaceConfig::SingleHop)) {
     QList<QHostAddress> resolvers;
     resolvers.append(QHostAddress(config.m_dnsServer));
 
@@ -199,6 +209,28 @@ bool Daemon::parseStringList(const QJsonObject& obj, const QString& name,
   return true;
 }
 
+bool Daemon::addExclusionRoute(const IPAddress& prefix) {
+  if (m_excludedAddrSet.contains(prefix)) {
+    m_excludedAddrSet[prefix]++;
+    return true;
+  }
+  if (!wgutils()->addExclusionRoute(prefix)) {
+    return false;
+  }
+  m_excludedAddrSet[prefix] = 1;
+  return true;
+}
+
+bool Daemon::delExclusionRoute(const IPAddress& prefix) {
+  Q_ASSERT(m_excludedAddrSet.contains(prefix));
+  if (m_excludedAddrSet[prefix] > 1) {
+    m_excludedAddrSet[prefix]--;
+    return true;
+  }
+  m_excludedAddrSet.remove(prefix);
+  return wgutils()->deleteExclusionRoute(prefix);
+}
+
 // static
 bool Daemon::parseConfig(const QJsonObject& obj, InterfaceConfig& config) {
 #define GETVALUE(name, where, jsontype)                           \
@@ -216,8 +248,8 @@ bool Daemon::parseConfig(const QJsonObject& obj, InterfaceConfig& config) {
 
   GETVALUE("privateKey", config.m_privateKey, String);
   GETVALUE("serverPublicKey", config.m_serverPublicKey, String);
-  GETVALUE("serverPort", config.m_serverPort, Double);
   GETVALUE("serverPskKey", config.m_serverPskKey, String);
+  GETVALUE("serverPort", config.m_serverPort, Double);
 
   config.m_deviceIpv4Address = obj.value("deviceIpv4Address").toString();
   config.m_deviceIpv6Address = obj.value("deviceIpv6Address").toString();
@@ -247,15 +279,24 @@ bool Daemon::parseConfig(const QJsonObject& obj, InterfaceConfig& config) {
     config.m_dnsServer = value.toString();
   }
 
-  if (!obj.contains("hopindex")) {
-    config.m_hopindex = 0;
+  if (!obj.contains("hopType")) {
+    config.m_hopType = InterfaceConfig::SingleHop;
   } else {
-    QJsonValue value = obj.value("hopindex");
-    if (!value.isDouble()) {
-      logger.error() << "hopindex is not a number";
+    QJsonValue value = obj.value("hopType");
+    if (!value.isString()) {
+      logger.error() << "hopType is not a string";
+      return false;
+    }
+
+    bool okay;
+    QByteArray vdata = value.toString().toUtf8();
+    QMetaEnum meta = QMetaEnum::fromType<InterfaceConfig::HopType>();
+    config.m_hopType =
+        InterfaceConfig::HopType(meta.keyToValue(vdata.constData(), &okay));
+    if (!okay) {
+      logger.error() << "hopType" << value.toString() << "is not valid";
       return false;
     }
-    config.m_hopindex = value.toInt();
   }
 
   if (!obj.contains(JSON_ALLOWEDIPADDRESSRANGES)) {
@@ -325,8 +366,8 @@ bool Daemon::deactivate(bool emitSignals) {
   Q_ASSERT(wgutils() != nullptr);
 
   // Deactivate the main interface.
-  if (m_connections.contains(0)) {
-    const ConnectionState& state = m_connections.value(0);
+  if (!m_connections.isEmpty()) {
+    const ConnectionState& state = m_connections.first();
     if (!run(Down, state.m_config)) {
       return false;
     }
@@ -349,9 +390,9 @@ bool Daemon::deactivate(bool emitSignals) {
   // Cleanup peers and routing
   for (const ConnectionState& state : m_connections) {
     const InterfaceConfig& config = state.m_config;
-    logger.debug() << "Deleting routes for hop" << config.m_hopindex;
+    logger.debug() << "Deleting routes for" << config.m_hopType;
     for (const IPAddress& ip : config.m_allowedIPAddressRanges) {
-      wgutils()->deleteRoutePrefix(ip, config.m_hopindex);
+      wgutils()->deleteRoutePrefix(ip);
     }
     wgutils()->deletePeer(config);
   }
@@ -376,14 +417,14 @@ QString Daemon::logs() {
   return {};
 }
 
-void Daemon::cleanLogs() {  }
+void Daemon::cleanLogs() { }
 
 bool Daemon::supportServerSwitching(const InterfaceConfig& config) const {
-  if (!m_connections.contains(config.m_hopindex)) {
+  if (!m_connections.contains(config.m_hopType)) {
     return false;
   }
   const InterfaceConfig& current =
-      m_connections.value(config.m_hopindex).m_config;
+      m_connections.value(config.m_hopType).m_config;
 
   return current.m_privateKey == config.m_privateKey &&
          current.m_deviceIpv4Address == config.m_deviceIpv4Address &&
@@ -395,21 +436,15 @@ bool Daemon::supportServerSwitching(const InterfaceConfig& config) const {
 bool Daemon::switchServer(const InterfaceConfig& config) {
   Q_ASSERT(wgutils() != nullptr);
 
-  logger.debug() << "Switching server for hop" << config.m_hopindex;
+  logger.debug() << "Switching server for" << config.m_hopType;
 
-  Q_ASSERT(m_connections.contains(config.m_hopindex));
+  Q_ASSERT(m_connections.contains(config.m_hopType));
   const InterfaceConfig& lastConfig =
-      m_connections.value(config.m_hopindex).m_config;
+      m_connections.value(config.m_hopType).m_config;
 
   // Configure routing for new excluded addresses.
   for (const QString& i : config.m_excludedAddresses) {
-    QHostAddress address(i);
-    if (m_excludedAddrSet.contains(address)) {
-      m_excludedAddrSet[address]++;
-      continue;
-    }
-    wgutils()->addExclusionRoute(address);
-    m_excludedAddrSet[address] = 1;
+    addExclusionRoute(IPAddress(i));
   }
 
   // Activate the new peer and its routes.
@@ -418,7 +453,7 @@ bool Daemon::switchServer(const InterfaceConfig& config) {
     return false;
   }
   for (const IPAddress& ip : config.m_allowedIPAddressRanges) {
-    if (!wgutils()->updateRoutePrefix(ip, config.m_hopindex)) {
+    if (!wgutils()->updateRoutePrefix(ip)) {
       logger.error() << "Server switch failed to update the routing table";
       break;
     }
@@ -426,18 +461,11 @@ bool Daemon::switchServer(const InterfaceConfig& config) {
 
   // Remove routing entries for the old peer.
   for (const QString& i : lastConfig.m_excludedAddresses) {
-    QHostAddress address(i);
-    Q_ASSERT(m_excludedAddrSet.contains(address));
-    if (m_excludedAddrSet[address] > 1) {
-      m_excludedAddrSet[address]--;
-      continue;
-    }
-    wgutils()->deleteExclusionRoute(address);
-    m_excludedAddrSet.remove(address);
+    delExclusionRoute(QHostAddress(i));
   }
   for (const IPAddress& ip : lastConfig.m_allowedIPAddressRanges) {
     if (!config.m_allowedIPAddressRanges.contains(ip)) {
-      wgutils()->deleteRoutePrefix(ip, config.m_hopindex);
+      wgutils()->deleteRoutePrefix(ip);
     }
   }
 
@@ -448,7 +476,7 @@ bool Daemon::switchServer(const InterfaceConfig& config) {
     }
   }
 
-  m_connections[config.m_hopindex] = ConnectionState(config);
+  m_connections[config.m_hopType] = ConnectionState(config);
   return true;
 }
 
@@ -457,12 +485,12 @@ QJsonObject Daemon::getStatus() {
   QJsonObject json;
   logger.debug() << "Status request";
 
-  if (!m_connections.contains(0) || !wgutils()->interfaceExists()) {
+  if (!wgutils()->interfaceExists() || m_connections.isEmpty()) {
     json.insert("connected", QJsonValue(false));
     return json;
   }
 
-  const ConnectionState& connection = m_connections.value(0);
+  const ConnectionState& connection = m_connections.first();
   QList<WireguardUtils::PeerStatus> peers = wgutils()->getPeerStatus();
   for (const WireguardUtils::PeerStatus& status : peers) {
     if (status.m_pubkey != connection.m_config.m_serverPublicKey) {
@@ -495,6 +523,7 @@ void Daemon::checkHandshake() {
     if (connection.m_date.isValid()) {
       continue;
     }
+    logger.debug() << "awaiting" << config.m_serverPublicKey;
 
     // Check if the handshake has completed.
     for (const WireguardUtils::PeerStatus& status : peers) {

client/daemon/daemon.h

@@ -43,11 +43,18 @@ class Daemon : public QObject {
 
  signals:
   void connected(const QString& pubkey);
+  /**
+   * Can be fired if a call to activate() was unsucessfull
+   * and connected systems should rollback
+   */
+  void activationFailure();
   void disconnected();
   void backendFailure();
 
  private:
   bool maybeUpdateResolvers(const InterfaceConfig& config);
+  bool addExclusionRoute(const IPAddress& address);
+  bool delExclusionRoute(const IPAddress& address);
 
  protected:
   virtual bool run(Op op, const InterfaceConfig& config) {
@@ -75,8 +82,8 @@ class Daemon : public QObject {
     QDateTime m_date;
     InterfaceConfig m_config;
   };
-  QMap<int, ConnectionState> m_connections;
-  QHash<QHostAddress, int> m_excludedAddrSet;
+  QMap<InterfaceConfig::HopType, ConnectionState> m_connections;
+  QHash<IPAddress, int> m_excludedAddrSet;
   QTimer m_handshakeTimer;
 };
 

client/daemon/interfaceconfig.cpp

@@ -0,0 +1,122 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "interfaceconfig.h"
+
+#include <QJsonArray>
+#include <QJsonDocument>
+#include <QJsonObject>
+#include <QJsonValue>
+#include <QMetaEnum>
+
+QJsonObject InterfaceConfig::toJson() const {
+  QJsonObject json;
+  QMetaEnum metaEnum = QMetaEnum::fromType<HopType>();
+
+  json.insert("hopType", QJsonValue(metaEnum.valueToKey(m_hopType)));
+  json.insert("privateKey", QJsonValue(m_privateKey));
+  json.insert("deviceIpv4Address", QJsonValue(m_deviceIpv4Address));
+  json.insert("deviceIpv6Address", QJsonValue(m_deviceIpv6Address));
+  json.insert("serverPublicKey", QJsonValue(m_serverPublicKey));
+  json.insert("serverPskKey", QJsonValue(m_serverPskKey));
+  json.insert("serverIpv4AddrIn", QJsonValue(m_serverIpv4AddrIn));
+  json.insert("serverIpv6AddrIn", QJsonValue(m_serverIpv6AddrIn));
+  json.insert("serverPort", QJsonValue((double)m_serverPort));
+  if ((m_hopType == InterfaceConfig::MultiHopExit) ||
+      (m_hopType == InterfaceConfig::SingleHop)) {
+    json.insert("serverIpv4Gateway", QJsonValue(m_serverIpv4Gateway));
+    json.insert("serverIpv6Gateway", QJsonValue(m_serverIpv6Gateway));
+    json.insert("dnsServer", QJsonValue(m_dnsServer));
+  }
+
+  QJsonArray allowedIPAddesses;
+  for (const IPAddress& i : m_allowedIPAddressRanges) {
+    QJsonObject range;
+    range.insert("address", QJsonValue(i.address().toString()));
+    range.insert("range", QJsonValue((double)i.prefixLength()));
+    range.insert("isIpv6",
+                 QJsonValue(i.type() == QAbstractSocket::IPv6Protocol));
+    allowedIPAddesses.append(range);
+  };
+  json.insert("allowedIPAddressRanges", allowedIPAddesses);
+
+  QJsonArray jsExcludedAddresses;
+  for (const QString& i : m_excludedAddresses) {
+    jsExcludedAddresses.append(QJsonValue(i));
+  }
+  json.insert("excludedAddresses", jsExcludedAddresses);
+
+  QJsonArray disabledApps;
+  for (const QString& i : m_vpnDisabledApps) {
+    disabledApps.append(QJsonValue(i));
+  }
+  json.insert("vpnDisabledApps", disabledApps);
+
+  return json;
+}
+
+QString InterfaceConfig::toWgConf(const QMap<QString, QString>& extra) const {
+#define VALIDATE(x) \
+  if (x.contains("\n")) return "";
+
+  VALIDATE(m_privateKey);
+  VALIDATE(m_deviceIpv4Address);
+  VALIDATE(m_deviceIpv6Address);
+  VALIDATE(m_serverIpv4Gateway);
+  VALIDATE(m_serverIpv6Gateway);
+  VALIDATE(m_serverPublicKey);
+  VALIDATE(m_serverIpv4AddrIn);
+  VALIDATE(m_serverIpv6AddrIn);
+#undef VALIDATE
+
+  QString content;
+  QTextStream out(&content);
+  out << "[Interface]\n";
+  out << "PrivateKey = " << m_privateKey << "\n";
+
+  QStringList addresses;
+  if (!m_deviceIpv4Address.isNull()) {
+    addresses.append(m_deviceIpv4Address);
+  }
+  if (!m_deviceIpv6Address.isNull()) {
+    addresses.append(m_deviceIpv6Address);
+  }
+  if (addresses.isEmpty()) {
+    return "";
+  }
+  out << "Address = " << addresses.join(", ") << "\n";
+
+  if (!m_dnsServer.isNull()) {
+    QStringList dnsServers(m_dnsServer);
+    // If the DNS is not the Gateway, it's a user defined DNS
+    // thus, not add any other :)
+    if (m_dnsServer == m_serverIpv4Gateway) {
+      dnsServers.append(m_serverIpv6Gateway);
+    }
+    out << "DNS = " << dnsServers.join(", ") << "\n";
+  }
+
+  // If any extra config was provided, append it now.
+  for (const QString& key : extra.keys()) {
+    out << key << " = " << extra[key] << "\n";
+  }
+
+  out << "\n[Peer]\n";
+  out << "PublicKey = " << m_serverPublicKey << "\n";
+  out << "Endpoint = " << m_serverIpv4AddrIn.toUtf8() << ":" << m_serverPort
+      << "\n";
+
+  /* In theory, we should use the ipv6 endpoint, but wireguard doesn't seem
+   * to be happy if there are 2 endpoints.
+  out << "Endpoint = [" << config.m_serverIpv6AddrIn << "]:"
+      << config.m_serverPort << "\n";
+  */
+  QStringList ranges;
+  for (const IPAddress& ip : m_allowedIPAddressRanges) {
+    ranges.append(ip.toString());
+  }
+  out << "AllowedIPs = " << ranges.join(", ") << "\n";
+
+  return content;
+}

client/daemon/interfaceconfig.h

@@ -10,22 +10,39 @@
 
 #include "ipaddress.h"
 
-struct InterfaceConfig {
-  int m_hopindex = 0;
+class QJsonObject;
+
+class InterfaceConfig {
+  Q_GADGET
+
+ public:
+  InterfaceConfig() {}
+
+  enum HopType { SingleHop, MultiHopEntry, MultiHopExit };
+  Q_ENUM(HopType)
+
+  HopType m_hopType;
   QString m_privateKey;
   QString m_deviceIpv4Address;
   QString m_deviceIpv6Address;
   QString m_serverIpv4Gateway;
   QString m_serverIpv6Gateway;
   QString m_serverPublicKey;
-  QString m_serverPskKey;
   QString m_serverIpv4AddrIn;
+  QString m_serverPskKey;
   QString m_serverIpv6AddrIn;
   QString m_dnsServer;
   int m_serverPort = 0;
   QList<IPAddress> m_allowedIPAddressRanges;
   QStringList m_excludedAddresses;
   QStringList m_vpnDisabledApps;
+#if defined(MZ_ANDROID) || defined(MZ_IOS)
+  QString m_installationId;
+#endif
+
+  QJsonObject toJson() const;
+  QString toWgConf(
+      const QMap<QString, QString>& extra = QMap<QString, QString>()) const;
 };
 
 #endif  // INTERFACECONFIG_H

client/daemon/wireguardutils.h

@@ -5,6 +5,8 @@
 #ifndef WIREGUARDUTILS_H
 #define WIREGUARDUTILS_H
 
+#define _WINSOCKAPI_
+
 #include <QCoreApplication>
 #include <QHostAddress>
 #include <QObject>
@@ -12,7 +14,7 @@
 
 #include "interfaceconfig.h"
 
-constexpr const char* WG_INTERFACE = "moz0";
+constexpr const char* WG_INTERFACE = "amn0";
 
 constexpr uint16_t WG_KEEPALIVE_PERIOD = 60;
 
@@ -41,11 +43,11 @@ class WireguardUtils : public QObject {
   virtual bool deletePeer(const InterfaceConfig& config) = 0;
   virtual QList<PeerStatus> getPeerStatus() = 0;
 
-  virtual bool updateRoutePrefix(const IPAddress& prefix, int hopindex) = 0;
-  virtual bool deleteRoutePrefix(const IPAddress& prefix, int hopindex) = 0;
+  virtual bool updateRoutePrefix(const IPAddress& prefix) = 0;
+  virtual bool deleteRoutePrefix(const IPAddress& prefix) = 0;
 
-  virtual bool addExclusionRoute(const QHostAddress& address) = 0;
-  virtual bool deleteExclusionRoute(const QHostAddress& address) = 0;
+  virtual bool addExclusionRoute(const IPAddress& prefix) = 0;
+  virtual bool deleteExclusionRoute(const IPAddress& prefix) = 0;
 };
 
 #endif  // WIREGUARDUTILS_H