peers.go 22 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700
  1. package logic
  2. import (
  3. "errors"
  4. "fmt"
  5. "net"
  6. "strconv"
  7. "strings"
  8. "time"
  9. "github.com/c-robinson/iplib"
  10. "github.com/gravitl/netmaker/database"
  11. "github.com/gravitl/netmaker/logger"
  12. "github.com/gravitl/netmaker/logic/acls/nodeacls"
  13. "github.com/gravitl/netmaker/models"
  14. "github.com/gravitl/netmaker/nm-proxy/manager"
  15. "github.com/gravitl/netmaker/servercfg"
  16. "golang.org/x/exp/slices"
  17. "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
  18. )
  19. func GetPeersForProxy(node *models.Node, onlyPeers bool) (manager.ManagerPayload, error) {
  20. proxyPayload := manager.ManagerPayload{}
  21. var peers []wgtypes.PeerConfig
  22. peerConfMap := make(map[string]manager.PeerConf)
  23. var err error
  24. currentPeers, err := GetNetworkNodes(node.Network)
  25. if err != nil {
  26. return proxyPayload, err
  27. }
  28. if !onlyPeers {
  29. if node.IsRelayed == "yes" {
  30. relayNode := FindRelay(node)
  31. relayEndpoint, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", relayNode.Endpoint, relayNode.LocalListenPort))
  32. if err != nil {
  33. logger.Log(1, "failed to resolve relay node endpoint: ", err.Error())
  34. }
  35. proxyPayload.IsRelayed = true
  36. proxyPayload.RelayedTo = relayEndpoint
  37. }
  38. if node.IsRelay == "yes" {
  39. relayedNodes, err := GetRelayedNodes(node)
  40. if err != nil {
  41. logger.Log(1, "failed to relayed nodes: ", node.Name, err.Error())
  42. proxyPayload.IsRelay = false
  43. } else {
  44. relayPeersMap := make(map[string][]wgtypes.PeerConfig)
  45. for _, relayedNode := range relayedNodes {
  46. payload, err := GetPeersForProxy(&relayedNode, true)
  47. if err == nil {
  48. relayPeersMap[relayedNode.PublicKey] = payload.Peers
  49. }
  50. }
  51. proxyPayload.IsRelay = true
  52. proxyPayload.RelayedPeers = relayPeersMap
  53. }
  54. }
  55. }
  56. for _, peer := range currentPeers {
  57. if peer.ID == node.ID {
  58. //skip yourself
  59. continue
  60. }
  61. pubkey, err := wgtypes.ParseKey(peer.PublicKey)
  62. if err != nil {
  63. logger.Log(1, "failed to parse node pub key: ", peer.ID)
  64. continue
  65. }
  66. endpoint, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", peer.Endpoint, peer.LocalListenPort))
  67. if err != nil {
  68. logger.Log(1, "failed to resolve udp addr for node: ", peer.ID, peer.Endpoint, err.Error())
  69. continue
  70. }
  71. allowedips := getNodeAllowedIPs(node, &peer)
  72. var keepalive time.Duration
  73. if node.PersistentKeepalive != 0 {
  74. // set_keepalive
  75. keepalive, _ = time.ParseDuration(strconv.FormatInt(int64(node.PersistentKeepalive), 10) + "s")
  76. }
  77. peers = append(peers, wgtypes.PeerConfig{
  78. PublicKey: pubkey,
  79. Endpoint: endpoint,
  80. AllowedIPs: allowedips,
  81. PersistentKeepaliveInterval: &keepalive,
  82. ReplaceAllowedIPs: true,
  83. })
  84. if !onlyPeers && peer.IsRelayed == "yes" {
  85. relayNode := FindRelay(&peer)
  86. if relayNode != nil {
  87. relayTo, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", peer.Endpoint, peer.LocalListenPort))
  88. if err == nil {
  89. peerConfMap[peer.PublicKey] = manager.PeerConf{
  90. IsRelayed: true,
  91. RelayedTo: relayTo,
  92. }
  93. }
  94. }
  95. }
  96. }
  97. proxyPayload.Peers = peers
  98. proxyPayload.PeerMap = peerConfMap
  99. proxyPayload.InterfaceName = node.Interface
  100. return proxyPayload, nil
  101. }
  102. // GetPeerUpdate - gets a wireguard peer config for each peer of a node
  103. func GetPeerUpdate(node *models.Node) (models.PeerUpdate, error) {
  104. var peerUpdate models.PeerUpdate
  105. var peers []wgtypes.PeerConfig
  106. var serverNodeAddresses = []models.ServerAddr{}
  107. var isP2S bool
  108. network, err := GetNetwork(node.Network)
  109. if err != nil {
  110. return peerUpdate, err
  111. } else if network.IsPointToSite == "yes" && node.IsHub != "yes" {
  112. isP2S = true
  113. }
  114. var peerMap = make(models.PeerMap)
  115. var metrics *models.Metrics
  116. if servercfg.Is_EE {
  117. metrics, _ = GetMetrics(node.ID)
  118. }
  119. if metrics == nil {
  120. metrics = &models.Metrics{}
  121. }
  122. if metrics.FailoverPeers == nil {
  123. metrics.FailoverPeers = make(map[string]string)
  124. }
  125. // udppeers = the peers parsed from the local interface
  126. // gives us correct port to reach
  127. udppeers, errN := database.GetPeers(node.Network)
  128. if errN != nil {
  129. logger.Log(2, errN.Error())
  130. }
  131. currentPeers, err := GetNetworkNodes(node.Network)
  132. if err != nil {
  133. return models.PeerUpdate{}, err
  134. }
  135. // if node.IsRelayed == "yes" {
  136. // return GetPeerUpdateForRelayedNode(node, udppeers)
  137. // }
  138. // #1 Set Keepalive values: set_keepalive
  139. // #2 Set local address: set_local - could be a LOT BETTER and fix some bugs with additional logic
  140. // #3 Set allowedips: set_allowedips
  141. for _, peer := range currentPeers {
  142. if peer.ID == node.ID {
  143. //skip yourself
  144. continue
  145. }
  146. // on point to site networks -- get peers regularily if you are the hub --- otherwise the only peer is the hub
  147. if node.NetworkSettings.IsPointToSite == "yes" && node.IsHub == "no" && peer.IsHub == "no" {
  148. continue
  149. }
  150. if node.Connected != "yes" {
  151. //skip unconnected nodes
  152. continue
  153. }
  154. // if the node is not a server, set the endpoint
  155. var setEndpoint = !(node.IsServer == "yes")
  156. // if peer.IsRelayed == "yes" {
  157. // if !(node.IsRelay == "yes" && ncutils.StringSliceContains(node.RelayAddrs, peer.PrimaryAddress())) {
  158. // //skip -- will be added to relay
  159. // continue
  160. // } else if node.IsRelay == "yes" && ncutils.StringSliceContains(node.RelayAddrs, peer.PrimaryAddress()) {
  161. // // dont set peer endpoint if it's relayed by node
  162. // setEndpoint = false
  163. // }
  164. // }
  165. if !nodeacls.AreNodesAllowed(nodeacls.NetworkID(node.Network), nodeacls.NodeID(node.ID), nodeacls.NodeID(peer.ID)) {
  166. //skip if not permitted by acl
  167. continue
  168. }
  169. if isP2S && peer.IsHub != "yes" {
  170. continue
  171. }
  172. if len(metrics.FailoverPeers[peer.ID]) > 0 && IsFailoverPresent(node.Network) {
  173. logger.Log(2, "peer", peer.Name, peer.PrimaryAddress(), "was found to be in failover peers list for node", node.Name, node.PrimaryAddress())
  174. continue
  175. }
  176. pubkey, err := wgtypes.ParseKey(peer.PublicKey)
  177. if err != nil {
  178. return models.PeerUpdate{}, err
  179. }
  180. if node.Endpoint == peer.Endpoint {
  181. //peer is on same network
  182. // set_local
  183. if node.LocalAddress != peer.LocalAddress && peer.LocalAddress != "" {
  184. peer.Endpoint = peer.LocalAddress
  185. if peer.LocalListenPort != 0 {
  186. peer.ListenPort = peer.LocalListenPort
  187. }
  188. } else {
  189. continue
  190. }
  191. }
  192. // set address if setEndpoint is true
  193. // otherwise, will get inserted as empty value
  194. var address *net.UDPAddr
  195. // Sets ListenPort to UDP Hole Punching Port assuming:
  196. // - UDP Hole Punching is enabled
  197. // - udppeers retrieval did not return an error
  198. // - the endpoint is valid
  199. if setEndpoint {
  200. var setUDPPort = false
  201. if peer.UDPHolePunch == "yes" && errN == nil && CheckEndpoint(udppeers[peer.PublicKey]) {
  202. endpointstring := udppeers[peer.PublicKey]
  203. endpointarr := strings.Split(endpointstring, ":")
  204. if len(endpointarr) == 2 {
  205. port, err := strconv.Atoi(endpointarr[1])
  206. if err == nil {
  207. setUDPPort = true
  208. peer.ListenPort = int32(port)
  209. }
  210. }
  211. }
  212. // if udp hole punching is on, but udp hole punching did not set it, use the LocalListenPort instead
  213. // or, if port is for some reason zero use the LocalListenPort
  214. // but only do this if LocalListenPort is not zero
  215. if ((peer.UDPHolePunch == "yes" && !setUDPPort) || peer.ListenPort == 0) && peer.LocalListenPort != 0 {
  216. peer.ListenPort = peer.LocalListenPort
  217. }
  218. endpoint := peer.Endpoint + ":" + strconv.FormatInt(int64(peer.ListenPort), 10)
  219. address, err = net.ResolveUDPAddr("udp", endpoint)
  220. if err != nil {
  221. return models.PeerUpdate{}, err
  222. }
  223. }
  224. allowedips := GetAllowedIPs(node, &peer, metrics)
  225. var keepalive time.Duration
  226. if node.PersistentKeepalive != 0 {
  227. // set_keepalive
  228. keepalive, _ = time.ParseDuration(strconv.FormatInt(int64(node.PersistentKeepalive), 10) + "s")
  229. }
  230. var peerData = wgtypes.PeerConfig{
  231. PublicKey: pubkey,
  232. Endpoint: address,
  233. ReplaceAllowedIPs: true,
  234. AllowedIPs: allowedips,
  235. PersistentKeepaliveInterval: &keepalive,
  236. }
  237. peers = append(peers, peerData)
  238. peerMap[peer.PublicKey] = models.IDandAddr{
  239. Name: peer.Name,
  240. ID: peer.ID,
  241. Address: peer.PrimaryAddress(),
  242. IsServer: peer.IsServer,
  243. }
  244. if peer.IsServer == "yes" {
  245. serverNodeAddresses = append(serverNodeAddresses, models.ServerAddr{IsLeader: IsLeader(&peer), Address: peer.Address})
  246. }
  247. }
  248. if node.IsIngressGateway == "yes" {
  249. extPeers, idsAndAddr, err := getExtPeers(node)
  250. if err == nil {
  251. peers = append(peers, extPeers...)
  252. for i := range idsAndAddr {
  253. peerMap[idsAndAddr[i].ID] = idsAndAddr[i]
  254. }
  255. } else if !database.IsEmptyRecord(err) {
  256. logger.Log(1, "error retrieving external clients:", err.Error())
  257. }
  258. }
  259. peerUpdate.Network = node.Network
  260. peerUpdate.ServerVersion = servercfg.Version
  261. peerUpdate.Peers = peers
  262. peerUpdate.ServerAddrs = serverNodeAddresses
  263. peerUpdate.DNS = getPeerDNS(node.Network)
  264. peerUpdate.PeerIDs = peerMap
  265. return peerUpdate, nil
  266. }
  267. func getExtPeers(node *models.Node) ([]wgtypes.PeerConfig, []models.IDandAddr, error) {
  268. var peers []wgtypes.PeerConfig
  269. var idsAndAddr []models.IDandAddr
  270. extPeers, err := GetExtPeersList(node)
  271. if err != nil {
  272. return peers, idsAndAddr, err
  273. }
  274. for _, extPeer := range extPeers {
  275. pubkey, err := wgtypes.ParseKey(extPeer.PublicKey)
  276. if err != nil {
  277. logger.Log(1, "error parsing ext pub key:", err.Error())
  278. continue
  279. }
  280. if node.PublicKey == extPeer.PublicKey {
  281. continue
  282. }
  283. var allowedips []net.IPNet
  284. var peer wgtypes.PeerConfig
  285. if extPeer.Address != "" {
  286. var peeraddr = net.IPNet{
  287. IP: net.ParseIP(extPeer.Address),
  288. Mask: net.CIDRMask(32, 32),
  289. }
  290. if peeraddr.IP != nil && peeraddr.Mask != nil {
  291. allowedips = append(allowedips, peeraddr)
  292. }
  293. }
  294. if extPeer.Address6 != "" {
  295. var addr6 = net.IPNet{
  296. IP: net.ParseIP(extPeer.Address6),
  297. Mask: net.CIDRMask(128, 128),
  298. }
  299. if addr6.IP != nil && addr6.Mask != nil {
  300. allowedips = append(allowedips, addr6)
  301. }
  302. }
  303. primaryAddr := extPeer.Address
  304. if primaryAddr == "" {
  305. primaryAddr = extPeer.Address6
  306. }
  307. peer = wgtypes.PeerConfig{
  308. PublicKey: pubkey,
  309. ReplaceAllowedIPs: true,
  310. AllowedIPs: allowedips,
  311. }
  312. peers = append(peers, peer)
  313. idsAndAddr = append(idsAndAddr, models.IDandAddr{
  314. ID: peer.PublicKey.String(),
  315. Address: primaryAddr,
  316. })
  317. }
  318. return peers, idsAndAddr, nil
  319. }
  320. // GetAllowedIPs - calculates the wireguard allowedip field for a peer of a node based on the peer and node settings
  321. func GetAllowedIPs(node, peer *models.Node, metrics *models.Metrics) []net.IPNet {
  322. var allowedips []net.IPNet
  323. allowedips = getNodeAllowedIPs(peer, node)
  324. // handle ingress gateway peers
  325. if peer.IsIngressGateway == "yes" {
  326. extPeers, _, err := getExtPeers(peer)
  327. if err != nil {
  328. logger.Log(2, "could not retrieve ext peers for ", peer.Name, err.Error())
  329. }
  330. for _, extPeer := range extPeers {
  331. allowedips = append(allowedips, extPeer.AllowedIPs...)
  332. }
  333. // if node is a failover node, add allowed ips from nodes it is handling
  334. if peer.Failover == "yes" && metrics.FailoverPeers != nil {
  335. // traverse through nodes that need handling
  336. logger.Log(3, "peer", peer.Name, "was found to be failover for", node.Name, "checking failover peers...")
  337. for k := range metrics.FailoverPeers {
  338. // if FailoverNode is me for this node, add allowedips
  339. if metrics.FailoverPeers[k] == peer.ID {
  340. // get original node so we can traverse the allowed ips
  341. nodeToFailover, err := GetNodeByID(k)
  342. if err == nil {
  343. failoverNodeMetrics, err := GetMetrics(nodeToFailover.ID)
  344. if err == nil && failoverNodeMetrics != nil {
  345. if len(failoverNodeMetrics.NodeName) > 0 {
  346. allowedips = append(allowedips, getNodeAllowedIPs(&nodeToFailover, peer)...)
  347. logger.Log(0, "failing over node", nodeToFailover.Name, nodeToFailover.PrimaryAddress(), "to failover node", peer.Name)
  348. }
  349. }
  350. }
  351. }
  352. }
  353. }
  354. }
  355. // handle relay gateway peers
  356. // if peer.IsRelay == "yes" {
  357. // for _, ip := range peer.RelayAddrs {
  358. // //find node ID of relayed peer
  359. // relayedPeer, err := findNode(ip)
  360. // if err != nil {
  361. // logger.Log(0, "failed to find node for ip ", ip, err.Error())
  362. // continue
  363. // }
  364. // if relayedPeer == nil {
  365. // continue
  366. // }
  367. // if relayedPeer.ID == node.ID {
  368. // //skip self
  369. // continue
  370. // }
  371. // //check if acl permits comms
  372. // if !nodeacls.AreNodesAllowed(nodeacls.NetworkID(node.Network), nodeacls.NodeID(node.ID), nodeacls.NodeID(relayedPeer.ID)) {
  373. // continue
  374. // }
  375. // if iplib.Version(net.ParseIP(ip)) == 4 {
  376. // relayAddr := net.IPNet{
  377. // IP: net.ParseIP(ip),
  378. // Mask: net.CIDRMask(32, 32),
  379. // }
  380. // allowedips = append(allowedips, relayAddr)
  381. // }
  382. // if iplib.Version(net.ParseIP(ip)) == 6 {
  383. // relayAddr := net.IPNet{
  384. // IP: net.ParseIP(ip),
  385. // Mask: net.CIDRMask(128, 128),
  386. // }
  387. // allowedips = append(allowedips, relayAddr)
  388. // }
  389. // relayedNode, err := findNode(ip)
  390. // if err != nil {
  391. // logger.Log(1, "unable to find node for relayed address", ip, err.Error())
  392. // continue
  393. // }
  394. // if relayedNode.IsEgressGateway == "yes" {
  395. // extAllowedIPs := getEgressIPs(node, relayedNode)
  396. // allowedips = append(allowedips, extAllowedIPs...)
  397. // }
  398. // if relayedNode.IsIngressGateway == "yes" {
  399. // extPeers, _, err := getExtPeers(relayedNode)
  400. // if err == nil {
  401. // for _, extPeer := range extPeers {
  402. // allowedips = append(allowedips, extPeer.AllowedIPs...)
  403. // }
  404. // } else {
  405. // logger.Log(0, "failed to retrieve extclients from relayed ingress", err.Error())
  406. // }
  407. // }
  408. // }
  409. // }
  410. return allowedips
  411. }
  412. func getPeerDNS(network string) string {
  413. var dns string
  414. if nodes, err := GetNetworkNodes(network); err == nil {
  415. for i := range nodes {
  416. dns = dns + fmt.Sprintf("%s %s.%s\n", nodes[i].Address, nodes[i].Name, nodes[i].Network)
  417. }
  418. }
  419. if customDNSEntries, err := GetCustomDNS(network); err == nil {
  420. for _, entry := range customDNSEntries {
  421. // TODO - filter entries based on ACLs / given peers vs nodes in network
  422. dns = dns + fmt.Sprintf("%s %s.%s\n", entry.Address, entry.Name, entry.Network)
  423. }
  424. }
  425. return dns
  426. }
  427. // GetPeerUpdateForRelayedNode - calculates peer update for a relayed node by getting the relay
  428. // copying the relay node's allowed ips and making appropriate substitutions
  429. func GetPeerUpdateForRelayedNode(node *models.Node, udppeers map[string]string) (models.PeerUpdate, error) {
  430. var peerUpdate models.PeerUpdate
  431. var peers []wgtypes.PeerConfig
  432. var serverNodeAddresses = []models.ServerAddr{}
  433. var allowedips []net.IPNet
  434. //find node that is relaying us
  435. relay := FindRelay(node)
  436. if relay == nil {
  437. return models.PeerUpdate{}, errors.New("not found")
  438. }
  439. //add relay to lists of allowed ip
  440. if relay.Address != "" {
  441. relayIP := net.IPNet{
  442. IP: net.ParseIP(relay.Address),
  443. Mask: net.CIDRMask(32, 32),
  444. }
  445. allowedips = append(allowedips, relayIP)
  446. }
  447. if relay.Address6 != "" {
  448. relayIP6 := net.IPNet{
  449. IP: net.ParseIP(relay.Address6),
  450. Mask: net.CIDRMask(128, 128),
  451. }
  452. allowedips = append(allowedips, relayIP6)
  453. }
  454. //get PeerUpdate for relayed node
  455. relayPeerUpdate, err := GetPeerUpdate(relay)
  456. if err != nil {
  457. return models.PeerUpdate{}, err
  458. }
  459. //add the relays allowed ips from all of the relay's peers
  460. for _, peer := range relayPeerUpdate.Peers {
  461. allowedips = append(allowedips, peer.AllowedIPs...)
  462. }
  463. //delete any ips not permitted by acl
  464. for i := len(allowedips) - 1; i >= 0; i-- {
  465. target, err := findNode(allowedips[i].IP.String())
  466. if err != nil {
  467. logger.Log(0, "failed to find node for ip", allowedips[i].IP.String(), err.Error())
  468. continue
  469. }
  470. if target == nil {
  471. logger.Log(0, "failed to find node for ip", allowedips[i].IP.String())
  472. continue
  473. }
  474. if !nodeacls.AreNodesAllowed(nodeacls.NetworkID(node.Network), nodeacls.NodeID(node.ID), nodeacls.NodeID(target.ID)) {
  475. logger.Log(0, "deleting node from relayednode per acl", node.Name, target.Name)
  476. allowedips = append(allowedips[:i], allowedips[i+1:]...)
  477. }
  478. }
  479. //delete self from allowed ips
  480. for i := len(allowedips) - 1; i >= 0; i-- {
  481. if allowedips[i].IP.String() == node.Address || allowedips[i].IP.String() == node.Address6 {
  482. allowedips = append(allowedips[:i], allowedips[i+1:]...)
  483. }
  484. }
  485. //delete egressrange from allowedip if we are egress gateway
  486. if node.IsEgressGateway == "yes" {
  487. for i := len(allowedips) - 1; i >= 0; i-- {
  488. if StringSliceContains(node.EgressGatewayRanges, allowedips[i].String()) {
  489. allowedips = append(allowedips[:i], allowedips[i+1:]...)
  490. }
  491. }
  492. }
  493. //delete extclients from allowedip if we are ingress gateway
  494. if node.IsIngressGateway == "yes" {
  495. for i := len(allowedips) - 1; i >= 0; i-- {
  496. if strings.Contains(node.IngressGatewayRange, allowedips[i].IP.String()) {
  497. allowedips = append(allowedips[:i], allowedips[i+1:]...)
  498. }
  499. }
  500. }
  501. //add egress range if relay is egress
  502. if relay.IsEgressGateway == "yes" {
  503. var ip *net.IPNet
  504. for _, cidr := range relay.EgressGatewayRanges {
  505. _, ip, err = net.ParseCIDR(cidr)
  506. if err != nil {
  507. continue
  508. }
  509. }
  510. allowedips = append(allowedips, *ip)
  511. }
  512. pubkey, err := wgtypes.ParseKey(relay.PublicKey)
  513. if err != nil {
  514. return models.PeerUpdate{}, err
  515. }
  516. var setUDPPort = false
  517. if relay.UDPHolePunch == "yes" && CheckEndpoint(udppeers[relay.PublicKey]) {
  518. endpointstring := udppeers[relay.PublicKey]
  519. endpointarr := strings.Split(endpointstring, ":")
  520. if len(endpointarr) == 2 {
  521. port, err := strconv.Atoi(endpointarr[1])
  522. if err == nil {
  523. setUDPPort = true
  524. relay.ListenPort = int32(port)
  525. }
  526. }
  527. }
  528. // if udp hole punching is on, but udp hole punching did not set it, use the LocalListenPort instead
  529. // or, if port is for some reason zero use the LocalListenPort
  530. // but only do this if LocalListenPort is not zero
  531. if ((relay.UDPHolePunch == "yes" && !setUDPPort) || relay.ListenPort == 0) && relay.LocalListenPort != 0 {
  532. relay.ListenPort = relay.LocalListenPort
  533. }
  534. endpoint := relay.Endpoint + ":" + strconv.FormatInt(int64(relay.ListenPort), 10)
  535. address, err := net.ResolveUDPAddr("udp", endpoint)
  536. if err != nil {
  537. return models.PeerUpdate{}, err
  538. }
  539. var keepalive time.Duration
  540. if node.PersistentKeepalive != 0 {
  541. // set_keepalive
  542. keepalive, _ = time.ParseDuration(strconv.FormatInt(int64(node.PersistentKeepalive), 10) + "s")
  543. }
  544. var peerData = wgtypes.PeerConfig{
  545. PublicKey: pubkey,
  546. Endpoint: address,
  547. ReplaceAllowedIPs: true,
  548. AllowedIPs: allowedips,
  549. PersistentKeepaliveInterval: &keepalive,
  550. }
  551. peers = append(peers, peerData)
  552. if relay.IsServer == "yes" {
  553. serverNodeAddresses = append(serverNodeAddresses, models.ServerAddr{IsLeader: IsLeader(relay), Address: relay.Address})
  554. }
  555. //if ingress add extclients
  556. if node.IsIngressGateway == "yes" {
  557. extPeers, _, err := getExtPeers(node)
  558. if err == nil {
  559. peers = append(peers, extPeers...)
  560. } else {
  561. logger.Log(2, "could not retrieve ext peers for ", node.Name, err.Error())
  562. }
  563. }
  564. peerUpdate.Network = node.Network
  565. peerUpdate.ServerVersion = servercfg.Version
  566. peerUpdate.Peers = peers
  567. peerUpdate.ServerAddrs = serverNodeAddresses
  568. peerUpdate.DNS = getPeerDNS(node.Network)
  569. return peerUpdate, nil
  570. }
  571. func getEgressIPs(node, peer *models.Node) []net.IPNet {
  572. //check for internet gateway
  573. internetGateway := false
  574. if slices.Contains(peer.EgressGatewayRanges, "0.0.0.0/0") || slices.Contains(peer.EgressGatewayRanges, "::/0") {
  575. internetGateway = true
  576. }
  577. allowedips := []net.IPNet{}
  578. for _, iprange := range peer.EgressGatewayRanges { // go through each cidr for egress gateway
  579. _, ipnet, err := net.ParseCIDR(iprange) // confirming it's valid cidr
  580. if err != nil {
  581. logger.Log(1, "could not parse gateway IP range. Not adding ", iprange)
  582. continue // if can't parse CIDR
  583. }
  584. nodeEndpointArr := strings.Split(peer.Endpoint, ":") // getting the public ip of node
  585. if ipnet.Contains(net.ParseIP(nodeEndpointArr[0])) && !internetGateway { // ensuring egress gateway range does not contain endpoint of node
  586. logger.Log(2, "egress IP range of ", iprange, " overlaps with ", node.Endpoint, ", omitting")
  587. continue // skip adding egress range if overlaps with node's ip
  588. }
  589. // TODO: Could put in a lot of great logic to avoid conflicts / bad routes
  590. if ipnet.Contains(net.ParseIP(node.LocalAddress)) && !internetGateway { // ensuring egress gateway range does not contain public ip of node
  591. logger.Log(2, "egress IP range of ", iprange, " overlaps with ", node.LocalAddress, ", omitting")
  592. continue // skip adding egress range if overlaps with node's local ip
  593. }
  594. if err != nil {
  595. logger.Log(1, "error encountered when setting egress range", err.Error())
  596. } else {
  597. allowedips = append(allowedips, *ipnet)
  598. }
  599. }
  600. return allowedips
  601. }
  602. func getNodeAllowedIPs(peer, node *models.Node) []net.IPNet {
  603. var allowedips = []net.IPNet{}
  604. if peer.Address != "" {
  605. var peeraddr = net.IPNet{
  606. IP: net.ParseIP(peer.Address),
  607. Mask: net.CIDRMask(32, 32),
  608. }
  609. allowedips = append(allowedips, peeraddr)
  610. }
  611. if peer.Address6 != "" {
  612. var addr6 = net.IPNet{
  613. IP: net.ParseIP(peer.Address6),
  614. Mask: net.CIDRMask(128, 128),
  615. }
  616. allowedips = append(allowedips, addr6)
  617. }
  618. // handle manually set peers
  619. for _, allowedIp := range peer.AllowedIPs {
  620. // parsing as a CIDR first. If valid CIDR, append
  621. if _, ipnet, err := net.ParseCIDR(allowedIp); err == nil {
  622. nodeEndpointArr := strings.Split(node.Endpoint, ":")
  623. if !ipnet.Contains(net.IP(nodeEndpointArr[0])) && ipnet.IP.String() != peer.Address { // don't need to add an allowed ip that already exists..
  624. allowedips = append(allowedips, *ipnet)
  625. }
  626. } else { // parsing as an IP second. If valid IP, check if ipv4 or ipv6, then append
  627. if iplib.Version(net.ParseIP(allowedIp)) == 4 && allowedIp != peer.Address {
  628. ipnet := net.IPNet{
  629. IP: net.ParseIP(allowedIp),
  630. Mask: net.CIDRMask(32, 32),
  631. }
  632. allowedips = append(allowedips, ipnet)
  633. } else if iplib.Version(net.ParseIP(allowedIp)) == 6 && allowedIp != peer.Address6 {
  634. ipnet := net.IPNet{
  635. IP: net.ParseIP(allowedIp),
  636. Mask: net.CIDRMask(128, 128),
  637. }
  638. allowedips = append(allowedips, ipnet)
  639. }
  640. }
  641. }
  642. // handle egress gateway peers
  643. if peer.IsEgressGateway == "yes" {
  644. //hasGateway = true
  645. egressIPs := getEgressIPs(node, peer)
  646. // remove internet gateway if server
  647. if node.IsServer == "yes" {
  648. for i := len(egressIPs) - 1; i >= 0; i-- {
  649. if egressIPs[i].String() == "0.0.0.0/0" || egressIPs[i].String() == "::/0" {
  650. egressIPs = append(egressIPs[:i], egressIPs[i+1:]...)
  651. }
  652. }
  653. }
  654. allowedips = append(allowedips, egressIPs...)
  655. }
  656. return allowedips
  657. }