Add support for AmneziaWG

Author: one-d-wide

Cargo.lock

@@ -17,6 +17,7 @@ name = "stun-test"
 bytecodec = "0.5"
 clap = { version = "4.5", features = [ "derive" ] }
 rand = "0.9"
+rand_chacha = "0.9"
 serde_json = "1.0"
 serde = { version = "1.0", features = [ "derive" ] }
 socket2 = "0.6"

Cargo.toml

@@ -117,11 +117,18 @@ traversal succeeds.
 - `wireguard = true` (default is false) - send all traffic between peers using
 wireguard, eliminating added latency even under load. Only supported on linux,
 and requires CAP_NET_ADMIN capability or root privileges. See [Bridging over
-WireGuard](#Bridging-over-WireGuard).
+WireGuard](#Bridging-over-WireGuard) and [Bridging over
+AmneziaWG](#Bridging-over-AmneziaWG).
 
 - `wireguard_yggdrasil_keepalive` (default is false) - whether to keep
 yggdrasil session alive, while wireguard bridge is active.
 
+- `wireguard_types = ["wireguard", "amneziawg"]` (default is "wireguard") - set
+allowed wireguard implementations.
+
+- `wireguard_device_params.<type>.<param> = ...` - override wireguard device
+configuration, including amneziawg obfuscation options.
+
 - `yggdrasil_dpi` (highly experimental, prefer wireguard if available) - send
 network traffic over an unreliable channel, reducing latency under network
 load. See [Yggdrasil DPI](#Yggdrasil-DPI).
@@ -167,6 +174,25 @@ encrypted.
 
 [repology]: https://repology.org/projects/
 
+## Bridging over AmneziaWG
+
+[AmneziaWG][amneziawg] is a fork of Wireguard adding support for traffic
+obfuscation. You need to install a separate kernel module and amneziawg-tools
+package.
+
+[amneziawg]: https://docs.amnezia.org/documentation/amnezia-wg/
+
+Set `wireguard_types = [ "wireguard", "amneziawg" ]` on both sides (amneziawg
+is prioritized when supported). Recommended obfuscation parameters are randomly
+selected per connection, but of course you can customize them. Note that jumper
+doesn't negotiate non-default parameters.
+
+```toml
+[wireguard_device_params.amneziawg]
+i1 = "<b 0x1234>"
+...
+```
+
 ## Yggdrasil DPI
 
 Currently yggdrasil router expects all communication between peers be conducted

README.md

@@ -16,24 +16,46 @@ use tokio::{
 use tracing::{debug, error, event, info, instrument, warn, Level};
 
 use crate::{
+    config::ConfigInner,
     map_debug, map_error, map_warn,
     utils::{self, defer_async, CsvIter, FutureAttach},
     Config, SilentResult, State,
 };
 
 const WIREGUARD_KEEPALIVE_LEN: usize = 32;
 
-pub async fn verify() -> SilentResult<()> {
+pub fn wg_cmd(wg_type: &str) -> Option<&'static str> {
+    match wg_type {
+        "wireguard" => Some("wg"),
+        "amneziawg" => Some("awg"),
+        _ => None,
+    }
+}
+
+pub async fn verify(config: &ConfigInner) -> SilentResult<()> {
     let mut res = Ok(());
 
-    let spec = [
+    let mut spec = vec![
         ("ip link", "iproute2"),
         ("iptables --help", "iptables"),
         ("ip6tables --help", "iptables"),
-        ("wg help", "wireguard-tools"),
         ("conntrack help", "conntrack-tools"),
     ];
 
+    for wg_type in Iterator::chain(
+        config.wireguard_types.iter(),
+        config.wireguard_device_params.keys(),
+    ) {
+        match wg_type.as_str() {
+            "wireguard" => spec.push(("wg help", "wireguard-tools")),
+            "amneziawg" => spec.push(("awg help", "amneziawg-tools")),
+            _ => {
+                error!("Wireguard type {wg_type:?} is not supported");
+                return Err(());
+            }
+        }
+    }
+
     for (cmd, pkg) in spec {
         if run(cmd).await.is_err() {
             error!(
@@ -52,15 +74,30 @@ async fn run(line: impl AsRef<str>) -> SilentResult<Vec<u8>> {
 }
 
 async fn run_stdin(line: impl AsRef<str>, stdin: impl AsRef<[u8]>) -> SilentResult<Vec<u8>> {
-    let line = line.as_ref();
+    run_stdin_args(line.as_ref().split(" "), stdin).await
+}
+
+async fn run_stdin_args<S: AsRef<str>>(
+    args: impl IntoIterator<Item = S>,
+    stdin: impl AsRef<[u8]>,
+) -> SilentResult<Vec<u8>> {
     let stdin = stdin.as_ref();
 
-    debug!("Running {line:?}");
+    let mut args = args.into_iter();
+    let command = args.next().unwrap();
+    let command = command.as_ref();
 
-    let (command, args) = line.split_once(" ").unwrap();
+    let mut line = command.to_string();
+    let mut cmd = tokio::process::Command::new(command);
+    for arg in args {
+        cmd.arg(arg.as_ref());
+        line.push_str(" ");
+        line.push_str(arg.as_ref());
+    }
+
+    debug!("Running {line:?}");
 
-    let mut proc = tokio::process::Command::new(command)
-        .args(args.split(" "))
+    let mut proc = cmd
         .stdin(if !stdin.is_empty() {
             Stdio::piped()
         } else {
@@ -118,8 +155,8 @@ struct WgLink {
     transfer_tx: u64,
 }
 
-async fn wg_dump(dev: &str) -> SilentResult<WgDev> {
-    let lines = run(format!("wg show {dev} dump")).await?;
+async fn wg_dump(wg_cmd: &str, dev: &str) -> SilentResult<WgDev> {
+    let lines = run(format!("{wg_cmd} show {dev} dump")).await?;
     let Some(Ok(line)) = lines.lines().next() else {
         warn!("Can't get wireguard device");
         return Err(());
@@ -134,8 +171,8 @@ async fn wg_dump(dev: &str) -> SilentResult<WgDev> {
     Ok(WgDev { listen_port })
 }
 
-async fn wg_dump_peer(dev: &str, pub_key: &str) -> SilentResult<WgLink> {
-    let lines = run(format!("wg show {dev} dump")).await?;
+async fn wg_dump_peer(wg_cmd: &str, dev: &str, pub_key: &str) -> SilentResult<WgLink> {
+    let lines = run(format!("{wg_cmd} show {dev} dump")).await?;
     let Some(line) = lines
         .lines()
         .skip(1)
@@ -164,13 +201,14 @@ async fn wg_dump_peer(dev: &str, pub_key: &str) -> SilentResult<WgLink> {
     })
 }
 
-pub async fn wg_genkeys() -> SilentResult<(String, String)> {
+pub async fn wg_genkeys(config: &Config) -> SilentResult<(String, String)> {
+    let wg_cmd = wg_cmd(config.wireguard_types.first().unwrap()).unwrap();
     let trim = |key: Vec<u8>| {
         String::from_utf8(key.trim_ascii().into()).map_err(map_error!("Invalid key encoding"))
     };
-    let priv_key = trim(run("wg genkey").await?)?;
+    let priv_key = trim(run(format!("{wg_cmd} genkey")).await?)?;
 
-    let pub_key = trim(run_stdin("wg pubkey", &priv_key).await?)?;
+    let pub_key = trim(run_stdin(format!("{wg_cmd} pubkey"), &priv_key).await?)?;
 
     Ok((pub_key, priv_key))
 }
@@ -324,6 +362,8 @@ pub struct WgBridgeParams {
     pub monitor_address: Ipv6Addr,
     pub inet_socket: UdpSocket,
     pub yggdrasil_socket: UdpSocket,
+    pub shared_secret: u64,
+    pub wg_type: String,
 }
 
 #[instrument(parent = None, name = "Wireguard bridge ", skip_all,
@@ -359,6 +399,9 @@ pub async fn start_bridge(
 
     let remote = &params.peer_addr;
 
+    let wg_type = &params.wg_type;
+    let wg_cmd = wg_cmd(wg_type).unwrap();
+
     // Remove previous association of traversal socket
     flush_firewall(*remote).await;
     let _guard = defer_async(flush_firewall(*remote));
@@ -369,20 +412,50 @@ pub async fn start_bridge(
 
     // TODO: Multiplex on a single wireguard device
     // TODO: add a queue?
-    run(format!("ip link add dev {dev} type wireguard")).await?;
+    run(format!("ip link add dev {dev} type {wg_type}")).await?;
     // Associated routing entries are removed automatically
     let _guard =
         defer_async(run(format!("ip link del dev {dev}")).attach(cancellation.get_active()));
 
     run(format!("ip link set dev {dev} up")).await?;
 
-    let wg_port = wg_dump(dev).await?.listen_port;
+    let wg_port = wg_dump(wg_cmd, dev).await?.listen_port;
+
+    let mut wg_dev_args: Vec<_> =
+        format!("{wg_cmd} set {dev} listen-port {wg_port} private-key /dev/stdin")
+            .split(" ")
+            .map(|s| s.to_string())
+            .collect();
+
+    if wg_type == "amneziawg" {
+        use rand::{Rng, SeedableRng};
+        let mut seed = params.shared_secret;
+        let mut rand_param = |name: &str, range| {
+            seed = seed.wrapping_add(1);
+            let value = rand_chacha::ChaCha12Rng::seed_from_u64(seed).random_range(range);
+            wg_dev_args.push(name.into());
+            wg_dev_args.push(format!("{value}"));
+        };
+
+        rand_param("jc", 4..=12);
+        rand_param("jmin", 8..=8);
+        rand_param("jmax", 80..=80);
+        for s in ["s1", "s2"] {
+            rand_param(s, 15..=150);
+        }
+        for h in ["h1", "h2", "h3", "h4"] {
+            rand_param(h, 5..=2147483647);
+        }
+    }
 
-    run_stdin(
-        format!("wg set {dev} listen-port {wg_port} private-key /dev/stdin"),
-        &self_priv,
-    )
-    .await?;
+    if let Some(params) = config.wireguard_device_params.get(wg_type) {
+        for (k, v) in params {
+            wg_dev_args.push(k.clone());
+            wg_dev_args.push(v.clone());
+        }
+    }
+
+    run_stdin_args(wg_dev_args, &self_priv).await?;
 
     setup_firewall("-I", wg_port, &params).await;
     let _guard =
@@ -394,7 +467,7 @@ pub async fn start_bridge(
         .map_err(map_warn!("Can't bind socket to device"));
 
     run(format!(
-        "wg set {dev} peer {remote_pub} persistent-keepalive 20 endpoint {remote} allowed-ips {remote_ygg_addr}/128"
+        "{wg_cmd} set {dev} peer {remote_pub} persistent-keepalive 20 endpoint {remote} allowed-ips {remote_ygg_addr}/128"
     ))
     .await?;
 
@@ -488,7 +561,7 @@ pub async fn start_bridge(
             },
         }
 
-        let dump = wg_dump_peer(dev, &params.peer_pub).await?;
+        let dump = wg_dump_peer(wg_cmd, dev, &params.peer_pub).await?;
 
         if !started {
             if dump.latest_handshake != 0 {

src/bridge_wireguard.rs

@@ -1,6 +1,11 @@
 use serde::Deserialize;
 use std::{
-    collections::HashSet, net::Ipv6Addr, num::NonZero, path::Path, sync::Arc, time::Duration,
+    collections::{HashMap, HashSet},
+    net::Ipv6Addr,
+    num::NonZero,
+    path::Path,
+    sync::Arc,
+    time::Duration,
 };
 use tracing::error;
 
@@ -43,6 +48,8 @@ pub struct ConfigInner {
     pub failed_yggdrasil_traversal_limit: Option<NonZero<u32>>,
 
     pub wireguard: bool,
+    pub wireguard_types: Vec<String>,
+    pub wireguard_device_params: HashMap<String, HashMap<String, String>>,
     pub wireguard_skip_checks: bool,
     #[serde(deserialize_with = "parse_duration")]
     pub wireguard_query_delay: Duration,
@@ -141,6 +148,8 @@ impl Default for ConfigInner {
             failed_yggdrasil_traversal_limit: None,
 
             wireguard: false,
+            wireguard_types: vec!["wireguard".to_string()],
+            wireguard_device_params: Default::default(),
             wireguard_skip_checks: false,
             wireguard_query_delay: Duration::from_secs(2),
             // Time to initially wait, until connection is established
@@ -155,7 +164,7 @@ impl Default for ConfigInner {
             wireguard_handshake_renew_timeout: 180,
             wireguard_shutdown_notification_count: 5,
             wireguard_shutdown_notification_delay: Duration::from_secs_f64(0.3),
-            wireguard_device_prefix: "wg-jumper".into(),
+            wireguard_device_prefix: "wg-jumper-".into(),
             wireguard_device_rounds: 1000,
             // Keep yggdrasil session alive, while wireguard bridge is active
             wireguard_yggdrasil_keepalive: false,
@@ -216,7 +225,7 @@ impl ConfigInner {
 
         if self.wireguard && !self.wireguard_skip_checks {
             #[cfg(target_os = "linux")]
-            crate::bridge_wireguard::verify().await?;
+            crate::bridge_wireguard::verify(&self).await?;
             #[cfg(not(target_os = "linux"))]
             {
                 error!("Wireguard not supported on this platform");