diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
new file mode 100644
index 0000000..85c24a5
--- /dev/null
+++ b/.github/workflows/publish.yaml
@@ -0,0 +1,108 @@
+name: Build and Publish
+
+on:
+ push:
+ tags:
+ - 'v*.*.*'
+
+jobs:
+ tests:
+ uses: ./.github/workflows/tests.yaml
+
+ release:
+ name: Release wpex ${{ github.ref_name }}
+ runs-on: ubuntu-latest
+ needs: [ tests ]
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Create Release
+ id: create-release
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ tag_name: ${{ github.ref }}
+ release_name: Release ${{ github.ref_name }}
+ draft: false
+ prerelease: false
+
+ outputs:
+ upload_url: ${{ steps.create-release.outputs.upload_url }}
+
+ docker:
+ name: Build and Publish Docker Image
+ runs-on: ubuntu-latest
+ needs: [ release ]
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: |
+ ghcr.io/${{ github.repository_owner }}/wpex
+ tags: |
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v4
+ with:
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+
+ binary:
+ name: Build and Publish Pre-built binaries
+ runs-on: ubuntu-latest
+ needs: [ release ]
+ strategy:
+ matrix:
+ GOOS: [ darwin, linux, windows ]
+ GOARCH: [ 386, amd64, arm64 ]
+ exclude:
+ - GOOS: darwin
+ GOARCH: 386
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Set up Golang
+ uses: actions/setup-go@v4
+ with:
+ go-version: '1.21'
+
+ - name: Build wpex
+ run: CGO_ENABLED=0 GOOS=${{ matrix.GOOS }} GOARCH=${{ matrix.GOARCH }} go build -ldflags="-w -s" -o wpex
+
+ - name: Get Version
+ id: version
+ run: echo version=${GITHUB_REF##*v} >> $GITHUB_OUTPUT
+
+ - name: Upload Release Asset
+ id: upload-release-asset
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.release.outputs.upload_url }}
+ asset_path: ./wpex
+ asset_name: wpex_${{ steps.version.outputs.version }}_${{ matrix.GOOS }}_${{ matrix.GOARCH }}
+ asset_content_type: application/zip
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
new file mode 100644
index 0000000..50f2f84
--- /dev/null
+++ b/.github/workflows/tests.yaml
@@ -0,0 +1,27 @@
+name: Tests
+
+on:
+ push:
+ pull_request:
+ workflow_call:
+
+jobs:
+ test:
+ name: Run Tests
+ runs-on: ${{ matrix.os }}
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ ubuntu-latest, windows-latest, macos-latest ]
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Set up Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.21
+
+ - name: Build and Test
+ run: |
+ go test -race ./...
diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..e72bfdd
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,674 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users. We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors. You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights. Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received. You must make sure that they, too, receive
+or can get the source code. And you must show them these terms so they
+know their rights.
+
+ Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+ For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software. For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+ Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so. This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software. The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable. Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products. If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+ Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary. To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU General Public License.
+
+ "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+ To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
+
+ A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+ The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+ The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+ The Corresponding Source for a work in source code form is that
+same work.
+
+ 2. Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+ You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+ a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+
+ b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under section
+ 7. This requirement modifies the requirement in section 4 to
+ "keep intact all notices".
+
+ c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged. This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+
+ d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+ a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the
+ Corresponding Source from a network server at no charge.
+
+ c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+
+ d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+
+ e) Convey the object code using peer-to-peer transmission, provided
+ you inform other peers where the object code and Corresponding
+ Source of the work are being offered to the general public at no
+ charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling. In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage. For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product. A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source. The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+ If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+ The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed. Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+ Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+ a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+
+ b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+
+ c) Prohibiting misrepresentation of the origin of that material, or
+ requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+
+ d) Limiting the use for publicity purposes of names of licensors or
+ authors of the material; or
+
+ e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions of
+ it) with contractual assumptions of liability to the recipient, for
+ any liability that these contractual assumptions directly impose on
+ those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+ Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+ 9. Acceptance Not Required for Having Copies.
+
+ You are not required to accept this License in order to receive or
+run a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+ 10. Automatic Licensing of Downstream Recipients.
+
+ Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+ An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+ You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+ 11. Patents.
+
+ A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+ A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+ In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+ If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+ If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+ A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License. You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+ Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+ 12. No Surrender of Others' Freedom.
+
+ If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all. For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+ 13. Use with the GNU Affero General Public License.
+
+ Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+ 14. Revised Versions of this License.
+
+ The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation. If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+ If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+ Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+ 15. Disclaimer of Warranty.
+
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. Limitation of Liability.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+ 17. Interpretation of Sections 15 and 16.
+
+ If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+Also add information on how to contact you by electronic and paper mail.
+
+ If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+ Copyright (C)
+ This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+.
+
+ The GNU General Public License does not permit incorporating your program
+into proprietary programs. If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License. But first, please read
+.
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..4de4c59
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,22 @@
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.21 as builder
+
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+
+WORKDIR /build
+
+COPY go.mod go.sum ./
+
+RUN go mod download
+
+COPY . .
+
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -ldflags="-w -s" -o wpex
+
+FROM --platform=${TARGETPLATFORM:-linux/amd64} scratch
+
+COPY --from=builder /build/wpex /bin/wpex
+
+ENTRYPOINT ["/bin/wpex"]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..93d50cf
--- /dev/null
+++ b/README.md
@@ -0,0 +1,94 @@
+# wpex: WireGuard Packet Relay
+
+`wpex` is a relay server designed for WireGuard, facilitating NAT traversal
+without compromising the E2E encryption of WireGuard.
+
+## Features
+
+- The relay server **can't** tamper the encryption.
+- Works with vanilla WireGuard setups, no extra software required.
+- Zero MTU overhead.
+
+## Installation
+
+### Using Docker:
+
+Fetch and run the `wpex` Docker image with:
+
+```bash
+docker run -d -p 40000:40000:udp ghcr.io/weiiwang01/wpex:latest
+```
+
+### Using Pre-built Binaries:
+
+You can download pre-built binaries directly from
+the [releases page](https://github.com/weiiwang01/wpex/releases).
+
+### Building from Source:
+
+Ensure you have Go 1.21 or later, then run:
+
+```bash
+go install github.com/weiiwang01/wpex@latest
+```
+
+## Usage
+
+If you wish to connect multiple WireGuard peers behind NAT via a `wpex` server
+(e.g., at `wpex.test:40000`), follow these steps:
+
+1. Update all WireGuard peers' endpoint configurations to point to the `wpex`
+ server.
+2. Enable the `PersistentKeepalive` setting.
+
+**Example for Peer A**:
+
+```
+[Interface]
+PrivateKey = aaaaa...
+
+[Peer]
+PublicKey = BBBBB...
+Endpoint = wpex.test:40000
+PersistentKeepalive = 25
+```
+
+**Example for Peer B**:
+
+```
+[Interface]
+PrivateKey = bbbbb...
+
+[Peer]
+PublicKey = AAAAA...
+Endpoint = wpex.test:40000
+PersistentKeepalive = 25
+```
+
+And that's done, Peer A and Peer B should now connect, and `wpex` will
+automatically relay their traffic.
+
+## Known Limitations
+
+The design principle behind `wpex` is to know as little as possible about the
+WireGuard connections. If it knows nothing, it can't leak anything. By
+default, `wpex` is unaware of any information regarding incoming connections,
+making it vulnerable to DoS and amplification attacks.
+
+To mitigate this, you can provide an allowed list of WireGuard public keys to
+the `wpex` server. Connections attempted with public keys not on this list will
+be ignored. This doesn't affect the integrity of the E2E encryption, as only the
+public keys (not the associated private keys) are known to the wpex server.
+
+Examples:
+
+```bash
+docker run -d -p 40000:40000:udp ghcr.io/weiiwang01/wpex:latest \
+ --allow AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= \
+ --allow BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
+```
+
+```bash
+wpex --allow AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= \
+ --allow BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
+```
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..08a6b0c
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,7 @@
+module github.com/weiiwang01/wpex
+
+go 1.21
+
+require golang.org/x/crypto v0.13.0
+
+require golang.org/x/sys v0.12.0 // indirect
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..a8dfcdf
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,4 @@
+golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
diff --git a/internal/analyzer/analyzer.go b/internal/analyzer/analyzer.go
new file mode 100644
index 0000000..0caa013
--- /dev/null
+++ b/internal/analyzer/analyzer.go
@@ -0,0 +1,191 @@
+package analyzer
+
+import (
+ "context"
+ "crypto/hmac"
+ "crypto/rand"
+ "encoding/base64"
+ "encoding/binary"
+ "errors"
+ "fmt"
+ "github.com/weiiwang01/wpex/internal/bloom"
+ "github.com/weiiwang01/wpex/internal/exchange"
+ "golang.org/x/crypto/blake2s"
+ "log/slog"
+ "net"
+)
+
+type WireguardAnalyzer struct {
+ table exchange.ExchangeTable
+ publicKeys [][]byte
+ filter bloom.Filter
+}
+
+func (t *WireguardAnalyzer) verifyMac1(packet []byte) error {
+ if len(packet) < 32 {
+ return errors.New("mac1 validation failed: data too short")
+ }
+ if len(t.publicKeys) == 0 {
+ return nil
+ }
+ l := len(packet)
+ mac1 := packet[l-32 : l-16]
+ d := packet[:l-32]
+ for _, key := range t.publicKeys {
+ hash, err := blake2s.New256(nil)
+ if err != nil {
+ return fmt.Errorf("failed to calculate blake2s hash: %w", err)
+ }
+ hash.Write([]byte("mac1----"))
+ hash.Write(key)
+ mackey := hash.Sum(nil)
+ mac, err := blake2s.New128(mackey)
+ if err != nil {
+ return fmt.Errorf("failed to calculate blake2s mac: %w", err)
+ }
+ mac.Write(d)
+ if hmac.Equal(mac1, mac.Sum(nil)) {
+ return nil
+ }
+ }
+ return errors.New("invalid mac1")
+}
+
+func (t *WireguardAnalyzer) decodeIndex(index []byte) uint32 {
+ return binary.BigEndian.Uint32(index)
+}
+
+func (t *WireguardAnalyzer) analyseHandshakeInitiation(packet []byte, peer net.UDPAddr) ([]net.UDPAddr, error) {
+ if len(packet) != 148 {
+ return nil, fmt.Errorf("invalid handshake initiation message: expected length 148, got %d", len(packet))
+ }
+ if err := t.verifyMac1(packet); err != nil {
+ return nil, err
+ }
+ if t.filter.Contains(packet) {
+ return nil, fmt.Errorf("possible duplicated handshake initiation detected")
+ }
+ t.filter.Add(packet)
+ sender := t.decodeIndex(packet[4:8])
+ if err := t.table.AddPeerAddr(sender, peer); err != nil {
+ return nil, err
+ }
+ addresses := t.table.ListAddrs(peer)
+ slog.Debug("handshake initiation message received", "addr", peer.String(), "sender", sender, "broadcast", len(addresses))
+ return addresses, nil
+}
+
+func (t *WireguardAnalyzer) analyseHandshakeResponse(packet []byte, peer net.UDPAddr) ([]net.UDPAddr, error) {
+ if len(packet) != 92 {
+ return nil, fmt.Errorf("invalid handshake response message: expected length 92, got %d", len(packet))
+ }
+ if err := t.verifyMac1(packet); err != nil {
+ return nil, err
+ }
+ sender := t.decodeIndex(packet[4:8])
+ if err := t.table.AddPeerAddr(sender, peer); err != nil {
+ return nil, err
+ }
+ receiverIdx := t.decodeIndex(packet[8:12])
+ receiver, err := t.table.GetPeerAddr(receiverIdx)
+ slog.Debug("handshake response message received", "addr", peer.String(), "sender", sender, "receiver", receiverIdx, "forward", receiver.String())
+ if err != nil {
+ return nil, err
+ }
+ err = t.table.LinkPeers(sender, receiverIdx)
+ if err != nil {
+ return nil, err
+ }
+ return []net.UDPAddr{receiver}, nil
+}
+
+func (t *WireguardAnalyzer) analyseCookieReply(packet []byte, peer net.UDPAddr) ([]net.UDPAddr, error) {
+ if len(packet) != 48 {
+ return nil, fmt.Errorf("invalid wireguard cookie reply message: expected length 48, got %d", len(packet))
+ }
+ receiverIdx := t.decodeIndex(packet[4:8])
+ receiver, err := t.table.GetPeerAddr(receiverIdx)
+ slog.Debug("cookie reply message received", "addr", peer.String(), "receiver", receiver, "forward", receiver.String())
+ if err != nil {
+ return nil, err
+ }
+ return []net.UDPAddr{receiver}, nil
+}
+
+func (t *WireguardAnalyzer) analyseTransportData(packet []byte, peer net.UDPAddr) ([]net.UDPAddr, error) {
+ receiverIdx := t.decodeIndex(packet[4:8])
+ receiver, err := t.table.GetPeerAddr(receiverIdx)
+ slog.Log(context.TODO(), slog.LevelDebug-4, "transport data message received", "addr", peer.String(), "receiver", receiverIdx, "forward", receiver.String())
+ if err != nil {
+ return nil, err
+ }
+ sender, err := t.table.GetPeerCounterpart(receiverIdx)
+ if err != nil {
+ return nil, err
+ }
+ addr, err := t.table.GetPeerAddr(sender)
+ if err != nil {
+ return nil, err
+ }
+ if addr.String() != peer.String() {
+ slog.Debug("roaming detected in transport data message", "sender", sender, "before", addr.String(), "after", peer.String())
+ err := t.table.UpdatePeerAddr(sender, peer)
+ if err != nil {
+ return nil, err
+ }
+ }
+ return []net.UDPAddr{receiver}, nil
+}
+
+// Analyse updates the exchange table with the source address and returns the forwarding address for this packet.
+func (t *WireguardAnalyzer) Analyse(packet []byte, peer net.UDPAddr) (addrs []net.UDPAddr, err error) {
+ const (
+ handshakeInitiationType = iota + 1
+ handshakeResponseType
+ cookieReplyType
+ transportDataType
+ )
+ if len(packet) < 16 {
+ addrs, err = nil, errors.New("invalid wireguard message: too short")
+ }
+ msgType := int(binary.LittleEndian.Uint32(packet[:4]))
+ typeStr := fmt.Sprintf("%d", msgType)
+ var header []byte
+ switch msgType {
+ case handshakeInitiationType:
+ typeStr = "Handshake Initiation"
+ addrs, err = t.analyseHandshakeInitiation(packet, peer)
+ header = packet
+ case handshakeResponseType:
+ typeStr = "Handshake Response"
+ addrs, err = t.analyseHandshakeResponse(packet, peer)
+ header = packet
+ case cookieReplyType:
+ typeStr = "Cookie Reply"
+ addrs, err = t.analyseCookieReply(packet, peer)
+ header = packet
+ case transportDataType:
+ typeStr = "Transport Data"
+ addrs, err = t.analyseTransportData(packet, peer)
+ header = packet[:16]
+ default:
+ addrs, err = nil, fmt.Errorf("unknown message type")
+ }
+ if err != nil {
+ slog.Error("error while analysing wireguard message", "error", err, "type", typeStr, "addr", peer.String(), "header", base64.StdEncoding.EncodeToString(header))
+ }
+ return addrs, err
+}
+
+func MakeWireguardAnalyzer(publicKeys [][]byte) WireguardAnalyzer {
+ salt := make([]byte, 32)
+ _, err := rand.Read(salt)
+ if err != nil {
+ panic(fmt.Errorf("failed to generate salt: %w", err))
+ }
+ return WireguardAnalyzer{
+ table: exchange.MakeExchangeTable(),
+ publicKeys: publicKeys,
+ filter: bloom.MakeFilter(8*1024*1024, 5, salt),
+ }
+}
diff --git a/internal/analyzer/analyzer_test.go b/internal/analyzer/analyzer_test.go
new file mode 100644
index 0000000..64c91dc
--- /dev/null
+++ b/internal/analyzer/analyzer_test.go
@@ -0,0 +1,141 @@
+package analyzer
+
+import (
+ "encoding/base64"
+ "encoding/hex"
+ "net"
+ "slices"
+ "testing"
+)
+
+// data obtained from https://gitlab.com/wireshark/wireshark/-/commit/cf9f1cac07130e3da2ef5e51c9232b7c206dcde2
+// and https://gitlab.com/wireshark/wireshark/-/commit/e7549372515dbef74f4764a36a6b1a408087cf59
+var (
+ handshakeInitiationSession1AtoB, _ = hex.DecodeString("01000000d837d0305fcec7c8e5c8e2e3f7989eef60c228d82329d602b6b1e2bb9d068f89cf9d4d4532780f6d27264f7b98701fdc27a4ec00aeb6becdbef2332f1b4084cadb93823935c012ae255e7b25eff13940c321fa6bd66a2a87b061db1430173e937f569349de2856dc5f2616763eeeafc0533b01dd965e7ec76976e28f683d671200000000000000000000000000000000")
+ handshakeResponseSession1BtoA, _ = hex.DecodeString("0200000006f47dabd837d030b18d5550bd4042a37a46823ac08db1ec66839bc0ca2d64bc15cd80232b66232faec24af8918de1060ff5c98e865d5f35f272214c5260110dc4c61e32cdd8542100000000000000000000000000000000")
+ transportDataSession1AtoB1, _ = hex.DecodeString("0400000006f47dab0000000000000000a4ebc12ee3f990da18033a0789c04e2700f6f5c271d42ac4b4d6262e666549b445a7436e829bffb6ac65f05648bc0c391fe7c5884874376127164940188f03dba67af8388eaab76c593628bf9dc7be03346d912e916dad862545454701364f2d2486d7ced4c8642ce547ddb26ef6a46b")
+ transportDataSession1BtoA1, _ = hex.DecodeString("04000000d837d03000000000000000006f4f080e9f52691bbe948535f79c13ed68f09145d523eedb087265f968082f70735729263eda627c7683cdc0b80a3356d9536c9f0e2872797b5c81720ba0b8ea7233c6debf9f0fbee8f10ec18985b824bf350f8b8180d08a64e6be9810089ac3d1363ed5e129ca1e0425cf7e94965659")
+ handshakeInitiationSession2AtoB, _ = hex.DecodeString("01000000c541fdbfa1e1ef034d269e52fcda161747e7d7b412165ff3f723ebd205e32b4a87868634d68aad0acd87497bd55230e66ffdeddbb797385abb5e6cf7197083f51999ac2e480ab650bc4ed6329f127b9e6c2074ec13cb3a822bc26ad2f8543988c4247222903c8f56a16019cb88cb7bd99534e87298e2dd3735e7bc33e907895200000000000000000000000000000000")
+ pubkeyA, _ = base64.StdEncoding.DecodeString("Igge9KzRytKNwrgkzDE/8hrLu6Ly0OqVdvOPWhA5KR4=")
+ pubkeyB, _ = base64.StdEncoding.DecodeString("YDCttCs9e1J52/g9vEnwJJa+2x6RqaayAYMpSVQfGEY=")
+ fakePubkey, _ = base64.StdEncoding.DecodeString("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
+ handshakeInitiationCtoD, _ = hex.DecodeString("01000000029c03c1f30ceb67148dd27c78d52d0196b6b78b71542986f563ac898879353f022f174770c5b3d433cfb49fd3311688284ce67ec72111e655129fc5f6bed2e0a44b8d28c222c6e1479a0833c7a1f6417b733c1ef049fab5e451aff561ea428c2116f7d1023ccdac2b2a00ecbe0273c9f84b1c695032084b58e7d2ff9fcf19fd00000000000000000000000000000000")
+)
+
+func mapAddrs(as []net.UDPAddr) []string {
+ var strs []string
+ for _, a := range as {
+ strs = append(strs, a.String())
+ }
+ slices.Sort(strs)
+ return strs
+}
+
+func TestWireguardAnalyzer_VerifyMac1(t *testing.T) {
+ analyzer := MakeWireguardAnalyzer([][]byte{pubkeyA, pubkeyB})
+ addr1, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51820")
+ _, err := analyzer.Analyse(handshakeInitiationSession1AtoB, *addr1)
+ if err != nil {
+ t.Errorf("mac1 verification failed: %v", err)
+ }
+ analyzer = MakeWireguardAnalyzer([][]byte{fakePubkey})
+ _, err = analyzer.Analyse(handshakeInitiationSession1AtoB, *addr1)
+ if err == nil {
+ t.Errorf("mac1 verification didn't fail")
+ }
+}
+
+func TestWireguardAnalyzer_Handshake(t *testing.T) {
+ analyzer := MakeWireguardAnalyzer([][]byte{})
+
+ addrA, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51820")
+ addrB, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51821")
+ addrC, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51822")
+
+ forward, err := analyzer.Analyse(handshakeInitiationSession1AtoB, *addrA)
+ if err != nil {
+ t.Errorf("Analysing handshake initiation failed: %v", err)
+ }
+ var expected []string
+ if !slices.Equal(mapAddrs(forward), expected) {
+ t.Errorf("Analysing handshake initiation return incorrect forward addresses: expected %s, got %s", expected, mapAddrs(forward))
+ }
+
+ expected = []string{addrA.String()}
+ forward, err = analyzer.Analyse(handshakeInitiationSession2AtoB, *addrB)
+ if err != nil {
+ t.Errorf("Analysing handshake initiation failed: %v", err)
+ }
+ if !slices.Equal(mapAddrs(forward), expected) {
+ t.Errorf("Analysing handshake initiation return incorrect forward addresses: expected %s, got %s", expected, mapAddrs(forward))
+ }
+
+ expected = []string{addrA.String(), addrB.String()}
+ forward, err = analyzer.Analyse(handshakeInitiationCtoD, *addrC)
+ if err != nil {
+ t.Errorf("Analysing handshake initiation failed: %v", err)
+ }
+ if !slices.Equal(mapAddrs(forward), expected) {
+ t.Errorf("Analysing handshake initiation return incorrect forward addresses: expected %s, got %s", expected, mapAddrs(forward))
+ }
+
+ expected = []string{addrA.String()}
+ forward, err = analyzer.Analyse(handshakeResponseSession1BtoA, *addrB)
+ if err != nil {
+ t.Errorf("Analysing handshake response failed: %v", err)
+ }
+ if !slices.Equal(mapAddrs(forward), expected) {
+ t.Errorf("Analysing handshake response return incorrect forward addresses: expected %s, got %s", expected, mapAddrs(forward))
+ }
+
+ expected = []string{addrB.String()}
+ forward, err = analyzer.Analyse(transportDataSession1AtoB1, *addrA)
+ if err != nil {
+ t.Errorf("Analysing transport data failed: %v", err)
+ }
+ if !slices.Equal(mapAddrs(forward), expected) {
+ t.Errorf("Analysing transport data return incorrect forward addresses: expected %s, got %s", expected, mapAddrs(forward))
+ }
+
+ expected = []string{addrA.String()}
+ forward, err = analyzer.Analyse(transportDataSession1BtoA1, *addrB)
+ if err != nil {
+ t.Errorf("Analysing transport data failed: %v", err)
+ }
+ if !slices.Equal(mapAddrs(forward), expected) {
+ t.Errorf("Analysing transport data return incorrect forward addresses: expected %s, got %s", expected, mapAddrs(forward))
+ }
+}
+
+func TestWireguardAnalyzer_Roaming(t *testing.T) {
+ analyzer := MakeWireguardAnalyzer([][]byte{})
+
+ addrA, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51820")
+ addrB, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51821")
+ addrA2, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51822")
+
+ if _, err := analyzer.Analyse(handshakeInitiationSession1AtoB, *addrA); err != nil {
+ t.Errorf("Analysing handshake initiation failed: %v", err)
+ }
+ if _, err := analyzer.Analyse(handshakeResponseSession1BtoA, *addrB); err != nil {
+ t.Errorf("Analysing handshake initiation failed: %v", err)
+ }
+
+ expected := []string{addrB.String()}
+ forward, err := analyzer.Analyse(transportDataSession1AtoB1, *addrA2)
+ if err != nil {
+ t.Errorf("Analysing transport data failed: %v", err)
+ }
+ if !slices.Equal(mapAddrs(forward), expected) {
+ t.Errorf("Analysing transport data return incorrect forward addresses: expected %s, got %s", expected, mapAddrs(forward))
+ }
+
+ expected = []string{addrA2.String()}
+ forward, err = analyzer.Analyse(transportDataSession1BtoA1, *addrB)
+ if err != nil {
+ t.Errorf("Analysing transport data failed: %v", err)
+ }
+ if !slices.Equal(mapAddrs(forward), expected) {
+ t.Errorf("Analysing transport data return incorrect forward addresses after roaming: expected %s, got %s", expected, mapAddrs(forward))
+ }
+}
diff --git a/internal/bloom/filter.go b/internal/bloom/filter.go
new file mode 100644
index 0000000..f52859f
--- /dev/null
+++ b/internal/bloom/filter.go
@@ -0,0 +1,63 @@
+package bloom
+
+import (
+ "crypto/sha256"
+ "encoding/binary"
+ "sync"
+)
+
+type Filter struct {
+ array []byte
+ salt []byte
+ k uint64
+ lock sync.Mutex
+}
+
+func (f *Filter) hash(k uint64, d []byte) uint64 {
+ hash := sha256.New()
+ hash.Write(f.salt)
+ ka := make([]byte, 8)
+ binary.BigEndian.PutUint64(ka, k)
+ hash.Write(ka)
+ hash.Write(d)
+ offset := binary.BigEndian.Uint64(hash.Sum(nil))
+ return offset % (uint64(len(f.array)) * 8)
+}
+
+// Add inserts the provided element into the filter.
+func (f *Filter) Add(elem []byte) {
+ f.lock.Lock()
+ defer f.lock.Unlock()
+ for k := uint64(0); k < f.k; k++ {
+ offset := f.hash(k, elem)
+ byteOffset := offset / 8
+ mask := byte(1) << (7 - offset%8)
+ f.array[byteOffset] |= mask
+ }
+}
+
+// Contains checks if the provided element might be in the filter.
+func (f *Filter) Contains(elem []byte) bool {
+ f.lock.Lock()
+ defer f.lock.Unlock()
+ for k := uint64(0); k < f.k; k++ {
+ offset := f.hash(k, elem)
+ byteOffset := offset / 8
+ mask := byte(1) << (7 - offset%8)
+ if f.array[byteOffset]&mask == 0 {
+ return false
+ }
+ }
+ return true
+}
+
+// MakeFilter constructs and returns a new Bloom filter with the specified parameters.
+// m is the size of the bit array in bits, and k is the number of hash functions to use.
+// A salt can be provided to introduce variability in the hash computations.
+func MakeFilter(m uint64, k uint64, salt []byte) Filter {
+ return Filter{
+ array: make([]byte, (m+7)/8),
+ salt: salt,
+ k: k,
+ }
+}
diff --git a/internal/bloom/filter_test.go b/internal/bloom/filter_test.go
new file mode 100644
index 0000000..77fadfe
--- /dev/null
+++ b/internal/bloom/filter_test.go
@@ -0,0 +1,34 @@
+package bloom
+
+import (
+ "math/rand"
+ "testing"
+)
+
+func TestFilter(t *testing.T) {
+ filter := MakeFilter(1024*1000, 1, nil)
+ var data [][]byte
+ for i := 0; i < 5000; i++ {
+ d := make([]byte, 64)
+ rand.Read(d)
+ data = append(data, d)
+ filter.Add(d)
+ for _, d := range data {
+ if !filter.Contains(d) {
+ t.Errorf("testing an known existing element should return true")
+ }
+ }
+ }
+ var falsePositives float64 = 0
+ test := 5000
+ for i := 0; i < test; i++ {
+ d := make([]byte, 64)
+ rand.Read(d)
+ if filter.Contains(d) {
+ falsePositives += 1
+ }
+ }
+ if falsePositives > 0.01*float64(test) {
+ t.Errorf("false positive rate too high, excepted > 0.01, got %f", falsePositives/float64(test))
+ }
+}
diff --git a/internal/exchange/exchange.go b/internal/exchange/exchange.go
new file mode 100644
index 0000000..54f16f0
--- /dev/null
+++ b/internal/exchange/exchange.go
@@ -0,0 +1,145 @@
+package exchange
+
+import (
+ "fmt"
+ "log/slog"
+ "net"
+ "sync"
+ "time"
+)
+
+type peerInfo struct {
+ addr net.UDPAddr
+ ttl time.Time
+ established bool
+ counterpart uint32
+}
+
+// ExchangeTable is a concurrency-safe table that maintains wireguard peer information.
+type ExchangeTable struct {
+ table map[uint32]peerInfo
+ lock sync.RWMutex
+}
+
+// AddPeerAddr adds a new peer's endpoint address to the exchange table
+// and automatically removes expired peer information.
+func (t *ExchangeTable) AddPeerAddr(index uint32, addr net.UDPAddr) error {
+ t.lock.Lock()
+ defer t.lock.Unlock()
+
+ now := time.Now()
+ for index, peer := range t.table {
+ if now.After(peer.ttl) {
+ slog.Debug("remove expired peer information", "index", index)
+ delete(t.table, index)
+ }
+ }
+
+ if _, ok := t.table[index]; ok {
+ return fmt.Errorf("peer index collision detected on %d", index)
+ }
+
+ t.table[index] = peerInfo{
+ addr: addr,
+ ttl: time.Now().Add(4 * time.Minute),
+ }
+
+ slog.Debug("exchange table updated", "entries", len(t.table))
+ return nil
+}
+
+// UpdatePeerAddr updates the endpoint address of a peer given its index.
+func (t *ExchangeTable) UpdatePeerAddr(index uint32, addr net.UDPAddr) error {
+ t.lock.Lock()
+ defer t.lock.Unlock()
+
+ peer, ok := t.table[index]
+ if !ok {
+ return fmt.Errorf("failed to update: unknown peer %d", index)
+ }
+
+ peer.addr = addr
+ t.table[index] = peer
+ return nil
+}
+
+// GetPeerAddr retrieves the endpoint address of a peer using its index.
+func (t *ExchangeTable) GetPeerAddr(index uint32) (net.UDPAddr, error) {
+ t.lock.RLock()
+ defer t.lock.RUnlock()
+
+ peer, ok := t.table[index]
+ if !ok {
+ return net.UDPAddr{}, fmt.Errorf("unknown peer %d", index)
+ }
+
+ return peer.addr, nil
+}
+
+// ListAddrs returns all known endpoint addresses from the exchange table.
+func (t *ExchangeTable) ListAddrs(exclude net.UDPAddr) []net.UDPAddr {
+ t.lock.RLock()
+ defer t.lock.RUnlock()
+
+ var addrs []net.UDPAddr
+ excludes := map[string]struct{}{
+ exclude.String(): {},
+ }
+
+ for _, peer := range t.table {
+ addrStr := peer.addr.String()
+ if _, ok := excludes[addrStr]; !ok {
+ addrs = append(addrs, peer.addr)
+ excludes[addrStr] = struct{}{}
+ }
+ }
+
+ return addrs
+}
+
+// LinkPeers associates two peers in the same wireguard session.
+// After linking, the counterpart peer can be retrieved using GetPeerCounterpart.
+func (t *ExchangeTable) LinkPeers(sender, receiver uint32) error {
+ t.lock.Lock()
+ defer t.lock.Unlock()
+
+ s, ok := t.table[sender]
+ if !ok {
+ return fmt.Errorf("failed to link peers: unknown sender %d", sender)
+ }
+
+ r, ok := t.table[receiver]
+ if !ok {
+ return fmt.Errorf("failed to link peers: unknown receiver %d", receiver)
+ }
+
+ s.established = true
+ s.counterpart = receiver
+ t.table[sender] = s
+
+ r.established = true
+ r.counterpart = sender
+ r.ttl = s.ttl
+ t.table[receiver] = r
+
+ return nil
+}
+
+// GetPeerCounterpart retrieves the counterpart of a given peer from the same session.
+func (t *ExchangeTable) GetPeerCounterpart(index uint32) (uint32, error) {
+ t.lock.RLock()
+ defer t.lock.RUnlock()
+
+ peer, ok := t.table[index]
+ if !ok || !peer.established {
+ return 0, fmt.Errorf("peer %d has no counterpart", index)
+ }
+
+ return peer.counterpart, nil
+}
+
+func MakeExchangeTable() ExchangeTable {
+ return ExchangeTable{
+ table: make(map[uint32]peerInfo),
+ }
+}
diff --git a/internal/exchange/exchange_test.go b/internal/exchange/exchange_test.go
new file mode 100644
index 0000000..ec373ce
--- /dev/null
+++ b/internal/exchange/exchange_test.go
@@ -0,0 +1,181 @@
+package exchange
+
+import (
+ "net"
+ "slices"
+ "testing"
+ "time"
+)
+
+func TestExchangeTable_AddPeerAddr(t *testing.T) {
+ table := MakeExchangeTable()
+ index := uint32(1)
+ addr, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51820")
+ now := time.Now()
+ if err := table.AddPeerAddr(index, *addr); err != nil {
+ t.Errorf("AddPeerAddr failed: %v", err)
+ }
+ if len(table.table) != 1 {
+ t.Errorf("incorrect number of peers in table, expected 1, got %d", len(table.table))
+ }
+ peer := table.table[index]
+ if peer.addr.String() != addr.String() {
+ t.Errorf("incorrect address of peer, expected %s, got %s", addr.String(), peer.addr.String())
+ }
+ if err := table.AddPeerAddr(1, *addr); err == nil {
+ t.Errorf("AddPeerAddr didn't return error when adding an existing peer")
+ }
+ if !peer.ttl.After(now) {
+ t.Errorf("incorrect ttl of peer")
+ }
+}
+
+func TestExchangeTable_GetPeerAddr(t *testing.T) {
+ table := MakeExchangeTable()
+ index := uint32(1)
+ addr, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51820")
+ if err := table.AddPeerAddr(index, *addr); err != nil {
+ t.Errorf("AddPeerAddr failed: %v", err)
+ }
+ gotAddr, err := table.GetPeerAddr(index)
+ if err != nil {
+ t.Errorf("GetPeerAddr failed: %v", err)
+ }
+ if gotAddr.String() != addr.String() {
+ t.Errorf("incorrect address of peer, expected %s, got %s", addr.String(), gotAddr.String())
+ }
+ _, err = table.GetPeerAddr(0)
+ if err == nil {
+ t.Errorf("GetPeerAddr didn't return error when accessing an unknown peer")
+ }
+}
+
+func TestExchangeTable_GetPeerCounterpart(t *testing.T) {
+ table := MakeExchangeTable()
+ index1 := uint32(1)
+ addr1, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51820")
+ index2 := uint32(2)
+ addr2, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51821")
+ index3 := uint32(3)
+ addr3, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51822")
+ if err := table.AddPeerAddr(index1, *addr1); err != nil {
+ t.Errorf("AddPeerAddr failed: %v", err)
+ }
+ if err := table.AddPeerAddr(index2, *addr2); err != nil {
+ t.Errorf("AddPeerAddr failed: %v", err)
+ }
+ if err := table.AddPeerAddr(index3, *addr3); err != nil {
+ t.Errorf("AddPeerAddr failed: %v", err)
+ }
+ if err := table.LinkPeers(index1, index2); err != nil {
+ t.Errorf("LinkPeers failed: %v", err)
+ }
+ c1, err := table.GetPeerCounterpart(index1)
+ if err != nil {
+ t.Errorf("GetPeerCounterpart failed: %v", err)
+ }
+ c2, err := table.GetPeerCounterpart(index2)
+ if err != nil {
+ t.Errorf("GetPeerCounterpart failed: %v", err)
+ }
+ if c1 != index2 || c2 != index1 {
+ t.Errorf("GetPeerCounterpart didn't return correct counterpart")
+ }
+ if _, err := table.GetPeerCounterpart(index3); err == nil {
+ t.Errorf("GetPeerCounterpart didn't return error when retrieve an unknown counterpart")
+ }
+}
+
+func TestExchangeTable_LinkPeers(t *testing.T) {
+ table := MakeExchangeTable()
+ index1 := uint32(1)
+ addr1, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51820")
+ index2 := uint32(2)
+ addr2, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51821")
+ if err := table.AddPeerAddr(index1, *addr1); err != nil {
+ t.Errorf("AddPeerAddr failed: %v", err)
+ }
+ if err := table.AddPeerAddr(index2, *addr2); err != nil {
+ t.Errorf("AddPeerAddr failed: %v", err)
+ }
+ if err := table.LinkPeers(index1, index2); err != nil {
+ t.Errorf("LinkPeers failed: %v", err)
+ }
+ peer1, ok1 := table.table[index1]
+ peer2, ok2 := table.table[index2]
+ if !ok1 || !ok2 {
+ t.Errorf("AddPeerAddr failed, peer doesn't exist in the table")
+ }
+ if peer1.ttl != peer2.ttl {
+ t.Errorf("linked peers don't have same ttl")
+ }
+ if !peer1.established || !peer2.established {
+ t.Errorf("linked peers don't have correct established status")
+ }
+}
+
+func TestExchangeTable_ListAddrs(t *testing.T) {
+ table := MakeExchangeTable()
+ addr1, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51820")
+ addr2, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51821")
+
+ if err := table.AddPeerAddr(1, *addr1); err != nil {
+ t.Errorf("AddPeerAddr failed: %v", err)
+ }
+ mapAddrs := func(as []net.UDPAddr) []string {
+ var strs []string
+ for _, a := range as {
+ strs = append(strs, a.String())
+ }
+ slices.Sort(strs)
+ return strs
+ }
+ got := mapAddrs(table.ListAddrs(net.UDPAddr{}))
+ expected := []string{"127.0.0.1:51820"}
+ if !slices.Equal(got, expected) {
+ t.Errorf("ListAddrs returns incorrect values, expected %s, got %s", got, expected)
+ }
+ got = mapAddrs(table.ListAddrs(*addr1))
+ expected = []string{}
+ if !slices.Equal(got, expected) {
+ t.Errorf("ListAddrs returns incorrect values, expected %s, got %s", got, expected)
+ }
+ if err := table.AddPeerAddr(2, *addr2); err != nil {
+ t.Errorf("AddPeerAddr failed: %v", err)
+ }
+ got = mapAddrs(table.ListAddrs(*addr1))
+ expected = []string{"127.0.0.1:51821"}
+ if !slices.Equal(got, expected) {
+ t.Errorf("ListAddrs returns incorrect values, expected %s, got %s", got, expected)
+ }
+ got = mapAddrs(table.ListAddrs(net.UDPAddr{}))
+ expected = []string{"127.0.0.1:51820", "127.0.0.1:51821"}
+ if !slices.Equal(got, expected) {
+ t.Errorf("ListAddrs returns incorrect values, expected %s, got %s", got, expected)
+ }
+}
+
+func TestExchangeTable_UpdatePeerAddr(t *testing.T) {
+ table := MakeExchangeTable()
+ index1 := uint32(1)
+ addr1, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51820")
+ addr12, _ := net.ResolveUDPAddr("udp", "127.0.0.2:51820")
+ index2 := uint32(2)
+ addr2, _ := net.ResolveUDPAddr("udp", "127.0.0.1:51821")
+ if err := table.AddPeerAddr(index1, *addr1); err != nil {
+ t.Errorf("AddPeerAddr failed: %v", err)
+ }
+ if err := table.AddPeerAddr(index2, *addr2); err != nil {
+ t.Errorf("AddPeerAddr failed: %v", err)
+ }
+ if err := table.UpdatePeerAddr(index1, *addr12); err != nil {
+ t.Errorf("UpdatePeerAddr failed: %v", err)
+ }
+ got, err := table.GetPeerAddr(index1)
+ if err != nil {
+ t.Errorf("GetPeerAddr failed: %v", err)
+ }
+ if got.String() != addr12.String() {
+ t.Errorf("update address failed, expected %s, got %s", addr12.String(), got.String())
+ }
+}
diff --git a/internal/relay/relay.go b/internal/relay/relay.go
new file mode 100644
index 0000000..c5cb2ec
--- /dev/null
+++ b/internal/relay/relay.go
@@ -0,0 +1,60 @@
+package relay
+
+import (
+ "github.com/weiiwang01/wpex/internal/analyzer"
+ "log/slog"
+ "net"
+)
+
+type udpPacket struct {
+ addr net.UDPAddr
+ data []byte
+}
+
+type Relay struct {
+ send chan udpPacket
+ analyzer analyzer.WireguardAnalyzer
+ conn *net.UDPConn
+}
+
+func (r *Relay) sendUDP() {
+ for packet := range r.send {
+ _, err := r.conn.WriteToUDP(packet.data, &packet.addr)
+ if err != nil {
+ slog.Error("error while sending UDP packet", "error", err.Error(), "addr", packet.addr.String())
+ }
+ }
+}
+
+func (r *Relay) receiveUDP() {
+ for {
+ buf := make([]byte, 1500)
+ n, remoteAddr, err := r.conn.ReadFromUDP(buf)
+ if err != nil {
+ slog.Error("error while receiving UDP packet", "error", err.Error(), "addr", remoteAddr)
+ continue
+ }
+ packet := buf[:n]
+ peers, err := r.analyzer.Analyse(packet, *remoteAddr)
+ if err != nil {
+ continue
+ }
+ for _, peer := range peers {
+ r.send <- udpPacket{addr: peer, data: packet}
+ }
+ }
+}
+
+// Start starts the wireguard packet relay server.
+func Start(conn *net.UDPConn, publicKeys [][]byte) {
+ relay := Relay{
+ send: make(chan udpPacket),
+ analyzer: analyzer.MakeWireguardAnalyzer(publicKeys),
+ conn: conn,
+ }
+ for i := 0; i < 4; i++ {
+ go relay.sendUDP()
+ go relay.receiveUDP()
+ }
+ select {}
+}
diff --git a/wpex.go b/wpex.go
new file mode 100644
index 0000000..fb8786c
--- /dev/null
+++ b/wpex.go
@@ -0,0 +1,62 @@
+package main
+
+import (
+ "encoding/base64"
+ "flag"
+ "fmt"
+ "github.com/weiiwang01/wpex/internal/relay"
+ "log/slog"
+ "net"
+ "os"
+ "strings"
+)
+
+type pubKeys []string
+
+func (ks *pubKeys) String() string {
+ return strings.Join(*ks, ",")
+}
+
+func (ks *pubKeys) Set(s string) error {
+ *ks = append(*ks, s)
+ return nil
+}
+
+func main() {
+ bind := flag.String("bind", "", "address to bind to")
+ port := flag.Uint("port", 40000, "port number to listen on")
+ debug := flag.Bool("debug", false, "enable debug messages")
+ trace := flag.Bool("trace", false, "enable trace level debug messages")
+ var allows pubKeys
+ flag.Var(&allows, "allow", "allowed wireguard public keys")
+ flag.Parse()
+ loggingLevel := new(slog.LevelVar)
+ logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: loggingLevel}))
+ if *debug {
+ loggingLevel.Set(slog.LevelDebug)
+ }
+ if *trace {
+ loggingLevel.Set(slog.LevelDebug - 4)
+ }
+ slog.SetDefault(logger)
+ address := fmt.Sprintf("%s:%d", *bind, *port)
+ var allowKeys [][]byte
+ for _, allow := range allows {
+ k, err := base64.StdEncoding.DecodeString(allow)
+ if err != nil || len(k) != 32 {
+ panic(fmt.Sprintf("invalid wireguard public key: '%s'", allow))
+ }
+ logger.Debug("allow wireguard public key", "key", allow)
+ allowKeys = append(allowKeys, k)
+ }
+ addr, err := net.ResolveUDPAddr("udp", address)
+ if err != nil {
+ panic(fmt.Sprintf("failed to resolve UDP address: %s", err))
+ }
+ conn, err := net.ListenUDP("udp", addr)
+ if err != nil {
+ panic(fmt.Sprintf("failed to listen on UDP: %s", err))
+ }
+ logger.Info("server listening", "addr", address)
+ relay.Start(conn, allowKeys)
+}