Add endpoint verification using cookie reply

weiiwang01 · Sep 24, 2023 · 9ab1847 · 9ab1847
1 parent 217b9d9
commit 9ab1847
Show file tree

Hide file tree

Showing 12 changed files with 319 additions and 216 deletions.
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -61,9 +61,14 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Get Version
+        id: version
+        run: echo version=${GITHUB_REF##*v} >> $GITHUB_OUTPUT
+
       - name: Build and push
         uses: docker/build-push-action@v4
         with:
+          build-args: WPEX_VERSION=${{ steps.version.outputs.version }}
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
@@ -89,13 +94,17 @@ jobs:
         with:
           go-version: '1.21'
 
-      - name: Build wpex
-        run: CGO_ENABLED=0 GOOS=${{ matrix.GOOS }} GOARCH=${{ matrix.GOARCH }} go build -ldflags="-w -s" -o wpex
-
       - name: Get Version
         id: version
         run: echo version=${GITHUB_REF##*v} >> $GITHUB_OUTPUT
 
+      - name: Build wpex
+        run: >-
+          CGO_ENABLED=0 
+          GOOS=${{ matrix.GOOS }} 
+          GOARCH=${{ matrix.GOARCH }} 
+          go build -ldflags="-w -s -X main.version=${{ steps.version.outputs.version }}" -o wpex
+
       - name: Upload Release Asset
         id: upload-release-asset
         uses: actions/upload-release-asset@v1

diff --git a/Dockerfile b/Dockerfile
@@ -4,6 +4,7 @@ ARG TARGETPLATFORM
 ARG BUILDPLATFORM
 ARG TARGETOS
 ARG TARGETARCH
+ARG WPEX_VERSION
 
 WORKDIR /build
 
@@ -13,7 +14,7 @@ RUN go mod download
 
 COPY . .
 
-RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -ldflags="-w -s" -o wpex
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -ldflags="-w -s -X main.version=${WPEX_VERSION}" -o wpex
 
 FROM --platform=${TARGETPLATFORM:-linux/amd64} scratch
 

diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 # wpex: WireGuard Packet Relay
 
 `wpex` is a relay server designed for WireGuard, facilitating NAT traversal
-without compromising the E2E encryption of WireGuard.
+without compromising the end-to-end encryption of WireGuard.
 
 ## Features
 
@@ -16,9 +16,14 @@ without compromising the E2E encryption of WireGuard.
 Fetch and run the `wpex` Docker image with:
 
 ```bash
-docker run -d -p 40000:40000:udp ghcr.io/weiiwang01/wpex:latest
+docker run -d -p 40000:40000:udp ghcr.io/weiiwang01/wpex:latest --peers 3 --pairs 2
 ```
 
+Where `--peers` is the number of WireGuard peers connecting to the server,
+and `--pairs` is the number of WireGuard peer-to-peer pairs formed from all
+pairs. Those configurations are used to estimate broadcast rate limit for
+amplification attack mitigation.
+
 ### Using Pre-built Binaries:
 
 You can download pre-built binaries directly from
@@ -39,7 +44,7 @@ If you wish to connect multiple WireGuard peers behind NAT via a `wpex` server
 
 1. Update all WireGuard peers' endpoint configurations to point to the `wpex`
    server.
-2. Enable the `PersistentKeepalive` setting.
+2. Enable the `PersistentKeepalive` setting, if the peer is behind a NAT.
 
 **Example for Peer A**:
 
@@ -80,15 +85,18 @@ the `wpex` server. Connections attempted with public keys not on this list will
 be ignored. This doesn't affect the integrity of the E2E encryption, as only the
 public keys (not the associated private keys) are known to the wpex server.
 
+`--peers` can be omitted as it will be set to the number of allowed public keys.
+
 Examples:
 
 ```bash
-docker run -d -p 40000:40000:udp ghcr.io/weiiwang01/wpex:latest \
+docker run -d -p 40000:40000:udp ghcr.io/weiiwang01/wpex:latest --pairs 1 \
   --allow AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= \
   --allow BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
 ```
 
 ```bash
-wpex --allow AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= \
+wpex --pairs 1 \
+  --allow AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= \
   --allow BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
 ```
diff --git a/go.mod b/go.mod
@@ -2,6 +2,9 @@ module github.com/weiiwang01/wpex
 
 go 1.21
 
-require golang.org/x/crypto v0.13.0
+require (
+	golang.org/x/crypto v0.13.0
+	golang.org/x/time v0.3.0
+)
 
 require golang.org/x/sys v0.12.0 // indirect
diff --git a/go.sum b/go.sum
@@ -2,3 +2,5 @@ golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=