Add WireGuard VPN with random /31 subnet isolation (v0.40.0)

- Add embedded WireGuard VPN server using wireguard-go + netstack - Implement deterministic /31 subnet allocation from seed + sequence - Use Badger's built-in Sequence for atomic counter allocation - Add NIP-46 bunker server for remote signing over VPN - Add revoked key tracking and access audit logging for users - Add Bunker tab to web UI with WireGuard/bunker QR codes - Support key regeneration with old keypair archiving New environment variables: - ORLY_WG_ENABLED: Enable WireGuard VPN server - ORLY_WG_PORT: UDP port for WireGuard (default 51820) - ORLY_WG_ENDPOINT: Public endpoint for WireGuard - ORLY_WG_NETWORK: Base network for subnet pool (default 10.0.0.0/8) - ORLY_BUNKER_ENABLED: Enable NIP-46 bunker - ORLY_BUNKER_PORT: WebSocket port for bunker (default 3335) Files added: - pkg/wireguard/: WireGuard server, keygen, subnet pool, errors - pkg/bunker/: NIP-46 bunker server and session handling - pkg/database/wireguard.go: Peer storage with audit logging - app/handle-wireguard.go: API endpoints for config/regenerate/audit - app/wireguard-helpers.go: Key derivation helpers - app/web/src/BunkerView.svelte: Bunker UI with QR codes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-27 16:32:48 +02:00
parent 2aa5c16311
commit e84949140b
23 changed files with 3498 additions and 25 deletions
--- a/pkg/wireguard/errors.go
+++ b/pkg/wireguard/errors.go
@@ -0,0 +1,23 @@
+package wireguard
+
+import "errors"
+
+var (
+	// ErrInvalidKeyLength is returned when a key is not exactly 32 bytes.
+	ErrInvalidKeyLength = errors.New("invalid key length: must be 32 bytes")
+
+	// ErrServerNotRunning is returned when an operation requires a running server.
+	ErrServerNotRunning = errors.New("wireguard server not running")
+
+	// ErrEndpointRequired is returned when WireGuard is enabled but no endpoint is set.
+	ErrEndpointRequired = errors.New("ORLY_WG_ENDPOINT is required when WireGuard is enabled")
+
+	// ErrInvalidNetwork is returned when the network CIDR is invalid.
+	ErrInvalidNetwork = errors.New("invalid network CIDR")
+
+	// ErrPeerNotFound is returned when a peer lookup fails.
+	ErrPeerNotFound = errors.New("peer not found")
+
+	// ErrIPExhausted is returned when no more IPs are available in the network.
+	ErrIPExhausted = errors.New("no more IP addresses available in network")
+)
--- a/pkg/wireguard/keygen.go
+++ b/pkg/wireguard/keygen.go
@@ -0,0 +1,42 @@
+// Package wireguard provides an embedded WireGuard VPN server for secure
+// NIP-46 bunker access. It uses wireguard-go with gVisor netstack for
+// userspace networking (no root required).
+package wireguard
+
+import (
+	"crypto/rand"
+
+	"golang.org/x/crypto/curve25519"
+)
+
+// GenerateKeyPair generates a new Curve25519 keypair for WireGuard.
+// Returns the private key and public key as 32-byte slices.
+func GenerateKeyPair() (privateKey, publicKey []byte, err error) {
+	privateKey = make([]byte, 32)
+	if _, err = rand.Read(privateKey); err != nil {
+		return nil, nil, err
+	}
+
+	// Curve25519 clamping (required by WireGuard spec)
+	privateKey[0] &= 248
+	privateKey[31] &= 127
+	privateKey[31] |= 64
+
+	// Derive public key from private key
+	publicKey = make([]byte, 32)
+	curve25519.ScalarBaseMult((*[32]byte)(publicKey), (*[32]byte)(privateKey))
+
+	return privateKey, publicKey, nil
+}
+
+// DerivePublicKey derives the public key from a private key.
+func DerivePublicKey(privateKey []byte) (publicKey []byte, err error) {
+	if len(privateKey) != 32 {
+		return nil, ErrInvalidKeyLength
+	}
+
+	publicKey = make([]byte, 32)
+	curve25519.ScalarBaseMult((*[32]byte)(publicKey), (*[32]byte)(privateKey))
+
+	return publicKey, nil
+}
--- a/pkg/wireguard/server.go
+++ b/pkg/wireguard/server.go
@@ -0,0 +1,281 @@
+package wireguard
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/hex"
+	"fmt"
+	"net"
+	"net/netip"
+	"sync"
+
+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun"
+	"golang.zx2c4.com/wireguard/tun/netstack"
+	"lol.mleku.dev/log"
+)
+
+// Config holds the WireGuard server configuration.
+type Config struct {
+	Port       int    // UDP port for WireGuard (default 51820)
+	Endpoint   string // Public IP/domain for clients to connect to
+	PrivateKey []byte // Server's 32-byte Curve25519 private key
+	Network    string // CIDR for internal network (e.g., "10.73.0.0/16")
+	ServerIP   string // Server's internal IP (e.g., "10.73.0.1")
+}
+
+// Peer represents a WireGuard peer (client).
+type Peer struct {
+	NostrPubkey []byte // User's Nostr pubkey (32 bytes)
+	WGPublicKey []byte // WireGuard public key (32 bytes)
+	AssignedIP  string // Assigned internal IP
+}
+
+// Server manages the embedded WireGuard VPN server.
+type Server struct {
+	cfg       *Config
+	device    *device.Device
+	tun       *netstack.Net
+	tunDev    tun.Device
+	publicKey []byte
+
+	peers   map[string]*Peer // WG pubkey (base64) -> Peer
+	peersMu sync.RWMutex
+
+	ctx     context.Context
+	cancel  context.CancelFunc
+	running bool
+	mu      sync.RWMutex
+}
+
+// New creates a new WireGuard server with the given configuration.
+func New(cfg *Config) (*Server, error) {
+	if cfg.Endpoint == "" {
+		return nil, ErrEndpointRequired
+	}
+
+	// Parse network CIDR to validate it
+	_, _, err := net.ParseCIDR(cfg.Network)
+	if err != nil {
+		return nil, fmt.Errorf("%w: %v", ErrInvalidNetwork, err)
+	}
+
+	// Default server IP if not set
+	if cfg.ServerIP == "" {
+		cfg.ServerIP = "10.73.0.1"
+	}
+
+	// Derive public key from private key
+	publicKey, err := DerivePublicKey(cfg.PrivateKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to derive public key: %w", err)
+	}
+
+	return &Server{
+		cfg:       cfg,
+		publicKey: publicKey,
+		peers:     make(map[string]*Peer),
+	}, nil
+}
+
+// Start initializes and starts the WireGuard server.
+func (s *Server) Start() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.running {
+		return nil
+	}
+
+	s.ctx, s.cancel = context.WithCancel(context.Background())
+
+	// Parse server IP
+	serverAddr, err := netip.ParseAddr(s.cfg.ServerIP)
+	if err != nil {
+		return fmt.Errorf("invalid server IP: %w", err)
+	}
+
+	// Create netstack TUN device (userspace, no root required)
+	s.tunDev, s.tun, err = netstack.CreateNetTUN(
+		[]netip.Addr{serverAddr},
+		[]netip.Addr{}, // No DNS servers
+		1420,           // MTU
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create netstack TUN: %w", err)
+	}
+
+	// Create WireGuard device
+	s.device = device.NewDevice(
+		s.tunDev,
+		conn.NewDefaultBind(),
+		device.NewLogger(device.LogLevelSilent, "wg"),
+	)
+
+	// Configure device with server private key and listen port
+	privateKeyHex := hex.EncodeToString(s.cfg.PrivateKey)
+	ipcConfig := fmt.Sprintf("private_key=%s\nlisten_port=%d\n",
+		privateKeyHex,
+		s.cfg.Port,
+	)
+
+	if err = s.device.IpcSet(ipcConfig); err != nil {
+		s.device.Close()
+		return fmt.Errorf("failed to configure WireGuard device: %w", err)
+	}
+
+	// Bring up the device
+	if err = s.device.Up(); err != nil {
+		s.device.Close()
+		return fmt.Errorf("failed to bring up WireGuard device: %w", err)
+	}
+
+	s.running = true
+	log.I.F("WireGuard server started on UDP port %d", s.cfg.Port)
+	log.I.F("WireGuard server public key: %s", base64.StdEncoding.EncodeToString(s.publicKey))
+	log.I.F("WireGuard internal network: %s (server: %s)", s.cfg.Network, s.cfg.ServerIP)
+
+	return nil
+}
+
+// Stop shuts down the WireGuard server.
+func (s *Server) Stop() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if !s.running {
+		return nil
+	}
+
+	if s.cancel != nil {
+		s.cancel()
+	}
+
+	if s.device != nil {
+		s.device.Close()
+	}
+
+	s.running = false
+	log.I.F("WireGuard server stopped")
+
+	return nil
+}
+
+// IsRunning returns whether the server is currently running.
+func (s *Server) IsRunning() bool {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	return s.running
+}
+
+// ServerPublicKey returns the server's WireGuard public key.
+func (s *Server) ServerPublicKey() []byte {
+	return s.publicKey
+}
+
+// Endpoint returns the configured endpoint address.
+func (s *Server) Endpoint() string {
+	return fmt.Sprintf("%s:%d", s.cfg.Endpoint, s.cfg.Port)
+}
+
+// GetNetstack returns the netstack networking interface.
+// This is used by the bunker to listen on the WireGuard network.
+func (s *Server) GetNetstack() *netstack.Net {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	return s.tun
+}
+
+// ServerIP returns the server's internal IP address.
+func (s *Server) ServerIP() string {
+	return s.cfg.ServerIP
+}
+
+// AddPeer adds a new peer to the WireGuard server.
+func (s *Server) AddPeer(nostrPubkey, wgPublicKey []byte, assignedIP string) error {
+	s.mu.RLock()
+	if !s.running {
+		s.mu.RUnlock()
+		return ErrServerNotRunning
+	}
+	s.mu.RUnlock()
+
+	// Encode WG public key as hex for IPC
+	wgPubkeyHex := hex.EncodeToString(wgPublicKey)
+	wgPubkeyBase64 := base64.StdEncoding.EncodeToString(wgPublicKey)
+
+	// Configure peer in WireGuard device
+	ipcConfig := fmt.Sprintf(
+		"public_key=%s\nallowed_ip=%s/32\n",
+		wgPubkeyHex,
+		assignedIP,
+	)
+
+	if err := s.device.IpcSet(ipcConfig); err != nil {
+		return fmt.Errorf("failed to add peer: %w", err)
+	}
+
+	// Track peer
+	s.peersMu.Lock()
+	s.peers[wgPubkeyBase64] = &Peer{
+		NostrPubkey: nostrPubkey,
+		WGPublicKey: wgPublicKey,
+		AssignedIP:  assignedIP,
+	}
+	s.peersMu.Unlock()
+
+	log.I.F("WireGuard peer added: %s -> %s", wgPubkeyBase64[:16]+"...", assignedIP)
+
+	return nil
+}
+
+// RemovePeer removes a peer from the WireGuard server.
+func (s *Server) RemovePeer(wgPublicKey []byte) error {
+	s.mu.RLock()
+	if !s.running {
+		s.mu.RUnlock()
+		return ErrServerNotRunning
+	}
+	s.mu.RUnlock()
+
+	wgPubkeyHex := hex.EncodeToString(wgPublicKey)
+	wgPubkeyBase64 := base64.StdEncoding.EncodeToString(wgPublicKey)
+
+	// Remove peer from WireGuard device
+	ipcConfig := fmt.Sprintf(
+		"public_key=%s\nremove=true\n",
+		wgPubkeyHex,
+	)
+
+	if err := s.device.IpcSet(ipcConfig); err != nil {
+		return fmt.Errorf("failed to remove peer: %w", err)
+	}
+
+	// Remove from tracking
+	s.peersMu.Lock()
+	delete(s.peers, wgPubkeyBase64)
+	s.peersMu.Unlock()
+
+	log.I.F("WireGuard peer removed: %s", wgPubkeyBase64[:16]+"...")
+
+	return nil
+}
+
+// GetPeer returns a peer by their WireGuard public key.
+func (s *Server) GetPeer(wgPublicKey []byte) (*Peer, bool) {
+	wgPubkeyBase64 := base64.StdEncoding.EncodeToString(wgPublicKey)
+
+	s.peersMu.RLock()
+	defer s.peersMu.RUnlock()
+
+	peer, ok := s.peers[wgPubkeyBase64]
+	return peer, ok
+}
+
+// PeerCount returns the number of active peers.
+func (s *Server) PeerCount() int {
+	s.peersMu.RLock()
+	defer s.peersMu.RUnlock()
+	return len(s.peers)
+}
--- a/pkg/wireguard/subnet_pool.go
+++ b/pkg/wireguard/subnet_pool.go
@@ -0,0 +1,184 @@
+package wireguard
+
+import (
+	"crypto/sha256"
+	"encoding/binary"
+	"fmt"
+	"net/netip"
+	"sync"
+
+	"lukechampine.com/frand"
+)
+
+// Subnet represents a /31 point-to-point subnet.
+type Subnet struct {
+	ServerIP netip.Addr // Even address (server side)
+	ClientIP netip.Addr // Odd address (client side)
+}
+
+// SubnetPool manages deterministic /31 subnet generation from a seed.
+// Given the same seed and sequence number, the same subnet is always generated.
+type SubnetPool struct {
+	seed       [32]byte       // Random seed for deterministic generation
+	basePrefix netip.Prefix   // e.g., 10.0.0.0/8
+	maxSeq     uint32         // Current highest sequence number
+	assigned   map[string]uint32 // Client pubkey hex -> sequence number
+	mu         sync.RWMutex
+}
+
+// NewSubnetPool creates a subnet pool with a new random seed.
+func NewSubnetPool(baseNetwork string) (*SubnetPool, error) {
+	prefix, err := netip.ParsePrefix(baseNetwork)
+	if err != nil {
+		return nil, fmt.Errorf("invalid base network: %w", err)
+	}
+
+	var seed [32]byte
+	frand.Read(seed[:])
+
+	return &SubnetPool{
+		seed:       seed,
+		basePrefix: prefix,
+		maxSeq:     0,
+		assigned:   make(map[string]uint32),
+	}, nil
+}
+
+// NewSubnetPoolWithSeed creates a subnet pool with an existing seed.
+func NewSubnetPoolWithSeed(baseNetwork string, seed []byte) (*SubnetPool, error) {
+	prefix, err := netip.ParsePrefix(baseNetwork)
+	if err != nil {
+		return nil, fmt.Errorf("invalid base network: %w", err)
+	}
+
+	if len(seed) != 32 {
+		return nil, fmt.Errorf("seed must be 32 bytes, got %d", len(seed))
+	}
+
+	pool := &SubnetPool{
+		basePrefix: prefix,
+		maxSeq:     0,
+		assigned:   make(map[string]uint32),
+	}
+	copy(pool.seed[:], seed)
+
+	return pool, nil
+}
+
+// Seed returns the pool's seed for persistence.
+func (p *SubnetPool) Seed() []byte {
+	return p.seed[:]
+}
+
+// deriveSubnet deterministically generates a /31 subnet from seed + sequence.
+func (p *SubnetPool) deriveSubnet(seq uint32) Subnet {
+	// Hash seed + sequence to get deterministic randomness
+	h := sha256.New()
+	h.Write(p.seed[:])
+	binary.Write(h, binary.BigEndian, seq)
+	hash := h.Sum(nil)
+
+	// Use first 4 bytes as offset within the prefix
+	offset := binary.BigEndian.Uint32(hash[:4])
+
+	// Calculate available address space
+	bits := p.basePrefix.Bits()
+	availableBits := uint32(32 - bits)
+	maxOffset := uint32(1) << availableBits
+
+	// Make offset even (for /31 alignment) and within range
+	offset = (offset % (maxOffset / 2)) * 2
+
+	// Calculate server IP (even) and client IP (odd)
+	baseAddr := p.basePrefix.Addr()
+	baseBytes := baseAddr.As4()
+	baseVal := uint32(baseBytes[0])<<24 | uint32(baseBytes[1])<<16 |
+		uint32(baseBytes[2])<<8 | uint32(baseBytes[3])
+
+	serverVal := baseVal + offset
+	clientVal := serverVal + 1
+
+	serverBytes := [4]byte{
+		byte(serverVal >> 24), byte(serverVal >> 16),
+		byte(serverVal >> 8), byte(serverVal),
+	}
+	clientBytes := [4]byte{
+		byte(clientVal >> 24), byte(clientVal >> 16),
+		byte(clientVal >> 8), byte(clientVal),
+	}
+
+	return Subnet{
+		ServerIP: netip.AddrFrom4(serverBytes),
+		ClientIP: netip.AddrFrom4(clientBytes),
+	}
+}
+
+// ServerIPs returns server-side IPs for sequences 0 to maxSeq (for netstack).
+func (p *SubnetPool) ServerIPs() []netip.Addr {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+
+	if p.maxSeq == 0 {
+		return nil
+	}
+
+	ips := make([]netip.Addr, p.maxSeq)
+	for seq := uint32(0); seq < p.maxSeq; seq++ {
+		subnet := p.deriveSubnet(seq)
+		ips[seq] = subnet.ServerIP
+	}
+	return ips
+}
+
+// GetSubnet returns the subnet for a client, or nil if not assigned.
+func (p *SubnetPool) GetSubnet(clientPubkeyHex string) *Subnet {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+
+	if seq, ok := p.assigned[clientPubkeyHex]; ok {
+		subnet := p.deriveSubnet(seq)
+		return &subnet
+	}
+	return nil
+}
+
+// GetSequence returns the sequence number for a client, or -1 if not assigned.
+func (p *SubnetPool) GetSequence(clientPubkeyHex string) int {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+
+	if seq, ok := p.assigned[clientPubkeyHex]; ok {
+		return int(seq)
+	}
+	return -1
+}
+
+// RestoreAllocation restores a previously saved allocation.
+func (p *SubnetPool) RestoreAllocation(clientPubkeyHex string, seq uint32) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	p.assigned[clientPubkeyHex] = seq
+	if seq >= p.maxSeq {
+		p.maxSeq = seq + 1
+	}
+}
+
+// MaxSequence returns the current max sequence number.
+func (p *SubnetPool) MaxSequence() uint32 {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+	return p.maxSeq
+}
+
+// AllocatedCount returns the number of allocated subnets.
+func (p *SubnetPool) AllocatedCount() int {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+	return len(p.assigned)
+}
+
+// SubnetForSequence returns the subnet for a given sequence number.
+func (p *SubnetPool) SubnetForSequence(seq uint32) Subnet {
+	return p.deriveSubnet(seq)
+}