Add WireGuard VPN with random /31 subnet isolation (v0.40.0)
Some checks failed
Go / build-and-release (push) Has been cancelled
- Add embedded WireGuard VPN server using wireguard-go + netstack
- Implement deterministic /31 subnet allocation from seed + sequence
- Use Badger's built-in Sequence for atomic counter allocation
- Add NIP-46 bunker server for remote signing over VPN
- Add revoked key tracking and access audit logging for users
- Add Bunker tab to web UI with WireGuard/bunker QR codes
- Support key regeneration with old keypair archiving

New environment variables:
- ORLY_WG_ENABLED: Enable WireGuard VPN server
- ORLY_WG_PORT: UDP port for WireGuard (default 51820)
- ORLY_WG_ENDPOINT: Public endpoint for WireGuard
- ORLY_WG_NETWORK: Base network for subnet pool (default 10.0.0.0/8)
- ORLY_BUNKER_ENABLED: Enable NIP-46 bunker
- ORLY_BUNKER_PORT: WebSocket port for bunker (default 3335)

Files added:
- pkg/wireguard/: WireGuard server, keygen, subnet pool, errors
- pkg/bunker/: NIP-46 bunker server and session handling
- pkg/database/wireguard.go: Peer storage with audit logging
- app/handle-wireguard.go: API endpoints for config/regenerate/audit
- app/wireguard-helpers.go: Key derivation helpers
- app/web/src/BunkerView.svelte: Bunker UI with QR codes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
pkg/wireguard/keygen.go (normal file, 42 lines)
@@ -0,0 +1,42 @@
// Package wireguard provides an embedded WireGuard VPN server for secure
// NIP-46 bunker access. It uses wireguard-go with gVisor netstack for
// userspace networking (no root required).
package wireguard
import (
"crypto/rand"
"golang.org/x/crypto/curve25519"
)
// GenerateKeyPair generates a new Curve25519 keypair for WireGuard.
// Returns the private key and public key as 32-byte slices.
func GenerateKeyPair() (privateKey, publicKey []byte, err error) {
privateKey = make([]byte, 32)
if _, err = rand.Read(privateKey); err != nil {
return nil, nil, err
}
// Curve25519 clamping (required by WireGuard spec)
privateKey[0] &= 248
privateKey[31] &= 127
privateKey[31] |= 64
// Derive public key from private key
publicKey = make([]byte, 32)
curve25519.ScalarBaseMult((*[32]byte)(publicKey), (*[32]byte)(privateKey))
return privateKey, publicKey, nil
}
// DerivePublicKey derives the public key from a private key.
func DerivePublicKey(privateKey []byte) (publicKey []byte, err error) {
if len(privateKey) != 32 {
return nil, ErrInvalidKeyLength
}
publicKey = make([]byte, 32)
curve25519.ScalarBaseMult((*[32]byte)(publicKey), (*[32]byte)(privateKey))
return publicKey, nil
}
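Review bot: Both `GenerateKeyPair` and `DerivePublicKey` derive the public key with `curve25519.ScalarBaseMult((*[32]byte)(publicKey), (*[32]byte)(privateKey))`; the package documentation recommends `curve25519.X25519(privateKey, curve25519.Basepoint)` instead, which takes and returns `[]byte` and removes the slice-to-array-pointer conversions (those also make the file require Go 1.17 or newer). Switching would let `GenerateKeyPair` call `DerivePublicKey` after clamping instead of duplicating the derivation. The manual clamping in `GenerateKeyPair` is fine and worth keeping, since the clamped bytes are what gets stored and handed to WireGuard, but a one-line comment noting that `DerivePublicKey` relies on the curve function clamping internally (it never checks that its input is clamped) would make that contract explicit. `ErrInvalidKeyLength` is referenced here but not defined in this file; confirm it is exported from the errors file listed in the commit message so the package compiles on its own.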