wip

halkeye · Jan 26, 2020 · 6b17e8f · 6b17e8f
1 parent c3d5327
commit 6b17e8f
Show file tree

Hide file tree

Showing 7 changed files with 124 additions and 87 deletions.
diff --git a/demo.sh b/demo.sh
@@ -24,6 +24,9 @@ docker run \
   --cap-add NET_ADMIN \
   --device /dev/net/tun:/dev/net/tun \
   -v "$CONFIG_FILE:/config.yaml" \
+  -v demo-data:/data \
+  -e "LOG_LEVEL=Debug" \
   -p 8000:8000/tcp \
   -p 51820:51820/udp \
+  -p 53:53/udp \
   place1/wireguard-access-server /server --config /config.yaml
diff --git a/go.mod b/go.mod
@@ -11,21 +11,23 @@ require (
 	github.com/felixge/httpsnoop v1.0.1 // indirect
 	github.com/gorilla/handlers v1.4.2 // indirect
 	github.com/gorilla/mux v1.7.3
+	github.com/jonboulle/clockwork v0.1.0 // indirect
+	github.com/kr/pretty v0.1.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/miekg/dns v1.1.27
 	github.com/pkg/errors v0.8.1
 	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
 	github.com/prometheus/client_golang v1.2.1
 	github.com/russellhaering/goxmldsig v0.0.0-20180430223755-7acd5e4a6ef7 // indirect
 	github.com/sirupsen/logrus v1.4.2
-	github.com/spf13/viper v1.4.0
 	github.com/vishvananda/netlink v1.0.0
 	github.com/vishvananda/netns v0.0.0-20190625233234-7109fa855b0f // indirect
-	golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc
 	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20191008142428-8d021180e987
 	google.golang.org/grpc v1.24.0 // indirect
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
+	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 	gopkg.in/ldap.v2 v2.5.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v2 v2.2.2

diff --git a/go.sum b/go.sum
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -63,8 +63,6 @@ type AppConfig struct {
 		ExternalAddress string `yaml:"externalAddress`
 		// The WireGuard ListenPort
 		Port int `yaml:"port"`
-		// The DNS servers that VPN clients will be directed to use
-		DNS []string `yaml:"dns"`
 	} `yaml:"wireguard"`
 	VPN struct {
 		// CIDR configures a network address space
@@ -77,6 +75,10 @@ type AppConfig struct {
 		// to the outside internet
 		GatewayInterface string `yaml:"gatewayInterface`
 	}
+	DNS struct {
+		// TODO: docs
+		Upstream []string `yaml:"upstream"`
+	} `yaml:"dns"`
 	Auth struct {
 		OIDC   *auth.OIDCConfig   `yaml:"oidc"`
 		Gitlab *auth.GitlabConfig `yaml:"gitlab"`
@@ -175,10 +177,6 @@ func Read() *AppConfig {
 		logrus.Warn("storage directory not configured - using in-memory storage backend! wireguard devices will be lost when the process exits!")
 	}
 
-	if len(config.WireGuard.DNS) == 0 {
-		config.WireGuard.DNS = []string{"1.1.1.1", "8.8.8.8"}
-	}
-
 	return &config
 }
 

diff --git a/internal/services/dns.go b/internal/services/dns.go
@@ -0,0 +1,80 @@
+package services
+
+import (
+	"fmt"
+	"net"
+	"runtime/debug"
+
+	"github.com/miekg/dns"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type DNSServer struct {
+	server   *dns.Server
+	client   *dns.Client
+	upstream []string
+}
+
+func NewDNSServer(upstream []string) (*DNSServer, error) {
+	logrus.Infof("starting dns server")
+	server := &dns.Server{Addr: "0.0.0.0:53", Net: "udp"}
+	client := &dns.Client{
+		SingleInflight: true,
+	}
+	dnsServer := &DNSServer{server, client, upstream}
+	server.Handler = dnsServer
+	go func() {
+		if err := server.ListenAndServe(); err != nil {
+			logrus.Error(errors.Wrap(err, "failed to start dns server"))
+		}
+	}()
+	return dnsServer, nil
+}
+
+func (d *DNSServer) Close() error {
+	return d.server.Shutdown()
+}
+
+func (d *DNSServer) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	defer func() {
+		if err := recover(); err != nil {
+			logrus.Errorf("dns server panic handled: %v\n%s", err, string(debug.Stack()))
+			dns.HandleFailed(w, r)
+		}
+	}()
+	switch r.Opcode {
+	case dns.OpcodeQuery:
+		if logrus.GetLevel() == logrus.DebugLevel {
+			// log behind a condition to ensure we don't call prettyPrintMsg
+			// when the log level would filter out the message anyway
+			logrus.Debugf("dns query: %s", prettyPrintMsg(r))
+		}
+		m, err := d.Lookup(r)
+		if err != nil {
+			logrus.Errorf("failed lookup record %s with error: %s\n", r, err.Error())
+			m.SetReply(r)
+			w.WriteMsg(m)
+			return
+		}
+		m.SetReply(r)
+		w.WriteMsg(m)
+		return
+	}
+}
+
+func (d *DNSServer) Lookup(m *dns.Msg) (*dns.Msg, error) {
+	// TODO: add support for caching
+	response, _, err := d.client.Exchange(m, net.JoinHostPort(d.upstream[0], "53"))
+	if err != nil {
+		return nil, err
+	}
+	return response, nil
+}
+
+func prettyPrintMsg(m *dns.Msg) string {
+	if len(m.Question) > 0 {
+		return fmt.Sprintf("dns query for: %s", m.Question[0].Name)
+	}
+	return m.String()
+}
diff --git a/internal/services/network.go b/internal/services/network.go
@@ -1,12 +1,20 @@
 package services
 
 import (
+	"net"
+
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"
 )
 
+func ServerVPNIP(cidr string) *net.IPNet {
+	vpnip, vpnsubnet := MustParseCIDR(cidr)
+	vpnsubnet.IP = nextIP(vpnip.Mask(vpnsubnet.Mask))
+	return vpnsubnet
+}
+
 func ConfigureRouting(wgIface string, cidr string) error {
 	// Networking configuration (ip links and route tables)
 	// to ensure that network traffic in the VPN subnet
@@ -15,11 +23,9 @@ func ConfigureRouting(wgIface string, cidr string) error {
 	if err != nil {
 		return errors.Wrap(err, "failed to find wireguard interface")
 	}
-	vpnip, vpnsubnet := MustParseCIDR(cidr)
-	vpnsubnet.IP = nextIP(vpnip.Mask(vpnsubnet.Mask))
-	serverIP := vpnsubnet.String()
-	logrus.Infof("server VPN subnet IP is %s", serverIP)
-	addr, err := netlink.ParseAddr(serverIP)
+	vpnip := ServerVPNIP(cidr)
+	logrus.Infof("server VPN subnet IP is %s", vpnip.String())
+	addr, err := netlink.ParseAddr(vpnip.String())
 	if err != nil {
 		return errors.Wrap(err, "failed to parse subnet address")
 	}

diff --git a/main.go b/main.go
@@ -37,13 +37,16 @@ func main() {
 		time.Sleep(1 * time.Second)
 	}
 
+	// The server's IP within the VPN virtual network
+	vpnip := services.ServerVPNIP(conf.VPN.CIDR)
+
 	// WireGuard
 	wgserver, err := services.NewWireGuard(
 		conf.WireGuard.InterfaceName,
 		conf.WireGuard.PrivateKey,
 		conf.WireGuard.Port,
 		conf.WireGuard.ExternalAddress,
-		conf.WireGuard.DNS,
+		[]string{vpnip.IP.String()},
 	)
 	if err != nil {
 		logrus.Fatal(errors.Wrap(err, "failed to create wgserver"))
@@ -65,6 +68,13 @@ func main() {
 		logrus.Warn("VPN.GatewayInterface is not configured - vpn clients will not have access to the internet")
 	}
 
+	// DNS Server
+	dns, err := services.NewDNSServer(conf.DNS.Upstream)
+	if err != nil {
+		logrus.Fatal(errors.Wrap(err, "failed to start dns server"))
+	}
+	defer dns.Close()
+
 	// Storage
 	var storageDriver storage.Storage
 	if conf.Storage.Directory != "" {