From af53c456ea91a187defc72844e4a23de26d92987 Mon Sep 17 00:00:00 2001 From: "vladimir.kuznetsov" Date: Wed, 27 Sep 2023 00:40:01 +0500 Subject: [PATCH] added passing new wireguard config parameters over uapi and configuring the amneziawireguard container --- .../amneziaWireGuardConfigurator.cpp | 51 +++++++++++++++++-- client/configurators/vpn_configurator.cpp | 6 ++- client/configurators/vpn_configurator.h | 4 +- .../configurators/wireguard_configurator.cpp | 43 ++++++++-------- client/configurators/wireguard_configurator.h | 9 +++- client/core/scripts_registry.cpp | 3 +- client/core/scripts_registry.h | 3 +- client/core/servercontroller.cpp | 31 +++++++++++ client/daemon/daemon.cpp | 11 ++++ client/daemon/interfaceconfig.h | 10 ++++ client/mozilla/localsocketcontroller.cpp | 17 ++++++- .../macos/daemon/wireguardutilsmacos.cpp | 11 ++++ client/protocols/protocols_defs.h | 30 +++++++++++ client/resources.qrc | 5 ++ .../amnezia_wireguard/Dockerfile | 46 +++++++++++++++++ .../amnezia_wireguard/configure_container.sh | 26 ++++++++++ .../amnezia_wireguard/run_container.sh | 18 +++++++ .../server_scripts/amnezia_wireguard/start.sh | 28 ++++++++++ .../amnezia_wireguard/template.conf | 20 ++++++++ 19 files changed, 342 insertions(+), 30 deletions(-) create mode 100644 client/server_scripts/amnezia_wireguard/Dockerfile create mode 100644 client/server_scripts/amnezia_wireguard/configure_container.sh create mode 100644 client/server_scripts/amnezia_wireguard/run_container.sh create mode 100644 client/server_scripts/amnezia_wireguard/start.sh create mode 100644 client/server_scripts/amnezia_wireguard/template.conf diff --git a/client/configurators/amneziaWireGuardConfigurator.cpp b/client/configurators/amneziaWireGuardConfigurator.cpp index 56f0c68e5..3ed272088 100644 --- a/client/configurators/amneziaWireGuardConfigurator.cpp +++ b/client/configurators/amneziaWireGuardConfigurator.cpp 
@@ -1,7 +1,10 @@ #include "amneziaWireGuardConfigurator.h" +#include +#include + AmneziaWireGuardConfigurator::AmneziaWireGuardConfigurator(std::shared_ptr settings, QObject *parent) - : WireguardConfigurator(settings, parent) + : WireguardConfigurator(settings, true, parent) { } 
@@ -9,7 +12,49 @@ QString AmneziaWireGuardConfigurator::genAmneziaWireGuardConfig(const ServerCred DockerContainer container, const QJsonObject &containerConfig, ErrorCode *errorCode) { - auto config = WireguardConfigurator::genWireguardConfig(credentials, container, containerConfig, errorCode); + QString config = WireguardConfigurator::genWireguardConfig(credentials, container, containerConfig, errorCode); + + QJsonObject jsonConfig = QJsonDocument::fromJson(config.toUtf8()).object(); + QJsonObject awgConfig = containerConfig.value(config_key::amneziaWireguard).toObject(); + + auto junkPacketCount = + awgConfig.value(config_key::junkPacketCount).toString(protocols::amneziawireguard::defaultJunkPacketCount); + auto junkPacketMinSize = + awgConfig.value(config_key::junkPacketMinSize).toString(protocols::amneziawireguard::defaultJunkPacketMinSize); + auto junkPacketMaxSize = + awgConfig.value(config_key::junkPacketMaxSize).toString(protocols::amneziawireguard::defaultJunkPacketMaxSize); + auto initPacketJunkSize = + awgConfig.value(config_key::initPacketJunkSize).toString(protocols::amneziawireguard::defaultInitPacketJunkSize); + auto responsePacketJunkSize = + awgConfig.value(config_key::responsePacketJunkSize).toString(protocols::amneziawireguard::defaultResponsePacketJunkSize); + auto initPacketMagicHeader = + awgConfig.value(config_key::initPacketMagicHeader).toString(protocols::amneziawireguard::defaultInitPacketMagicHeader); + auto responsePacketMagicHeader = + awgConfig.value(config_key::responsePacketMagicHeader).toString(protocols::amneziawireguard::defaultResponsePacketMagicHeader); + auto underloadPacketMagicHeader = + awgConfig.value(config_key::underloadPacketMagicHeader).toString(protocols::amneziawireguard::defaultUnderloadPacketMagicHeader); + auto transportPacketMagicHeader = + awgConfig.value(config_key::transportPacketMagicHeader).toString(protocols::amneziawireguard::defaultTransportPacketMagicHeader); + + config.replace("$JUNK_PACKET_COUNT", 
junkPacketCount); + config.replace("$JUNK_PACKET_MIN_SIZE", junkPacketMinSize); + config.replace("$JUNK_PACKET_MAX_SIZE", junkPacketMaxSize); + config.replace("$INIT_PACKET_JUNK_SIZE", initPacketJunkSize); + config.replace("$RESPONSE_PACKET_JUNK_SIZE", responsePacketJunkSize); + config.replace("$INIT_PACKET_MAGIC_HEADER", initPacketMagicHeader); + config.replace("$RESPONSE_PACKET_MAGIC_HEADER", responsePacketMagicHeader); + config.replace("$UNDERLOAD_PACKET_MAGIC_HEADER", underloadPacketMagicHeader); + config.replace("$TRANSPORT_PACKET_MAGIC_HEADER", transportPacketMagicHeader); + + jsonConfig[config_key::junkPacketCount] = junkPacketCount; + jsonConfig[config_key::junkPacketMinSize] = junkPacketMinSize; + jsonConfig[config_key::junkPacketMaxSize] = junkPacketMaxSize; + jsonConfig[config_key::initPacketJunkSize] = initPacketJunkSize; + jsonConfig[config_key::responsePacketJunkSize] = responsePacketJunkSize; + jsonConfig[config_key::initPacketMagicHeader] = initPacketMagicHeader; + jsonConfig[config_key::responsePacketMagicHeader] = responsePacketMagicHeader; + jsonConfig[config_key::underloadPacketMagicHeader] = underloadPacketMagicHeader; + jsonConfig[config_key::transportPacketMagicHeader] = transportPacketMagicHeader; - return config; + return QJsonDocument(jsonConfig).toJson(); } diff --git a/client/configurators/vpn_configurator.cpp b/client/configurators/vpn_configurator.cpp index 7f0e95dfa..6706deed0 100644 --- a/client/configurators/vpn_configurator.cpp +++ b/client/configurators/vpn_configurator.cpp @@ -5,6 +5,7 @@ #include "shadowsocks_configurator.h" #include "ssh_configurator.h" #include "wireguard_configurator.h" +#include "amneziaWireGuardConfigurator.h" #include #include 
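Review bot: The nine `config.replace("$JUNK_PACKET_COUNT", …)` calls in genAmneziaWireGuardConfig have no effect on what the function returns: `jsonConfig` is parsed from `config` before the replacements run, and the function returns `QJsonDocument(jsonConfig).toJson()`, so the edited string is discarded. Either apply the substitutions to the relevant field of `jsonConfig`, or drop them if `genVarsForScript` already fills these placeholders through `replaceVars`. The base call's `errorCode` is also never inspected before parsing, so on failure the function still builds and returns a JSON object; `if (errorCode && *errorCode) return config;` immediately after the `genWireguardConfig` call would match the error handling genWireguardConfig itself uses. That the base result is a JSON document is inferred from the `QJsonDocument::fromJson` call and should be confirmed.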
@@ -20,9 +21,10 @@ VpnConfigurator::VpnConfigurator(std::shared_ptr settings, QObject *pa openVpnConfigurator = std::shared_ptr(new OpenVpnConfigurator(settings, this)); shadowSocksConfigurator = std::shared_ptr(new ShadowSocksConfigurator(settings, this)); cloakConfigurator = std::shared_ptr(new CloakConfigurator(settings, this)); - wireguardConfigurator = std::shared_ptr(new WireguardConfigurator(settings, this)); + wireguardConfigurator = std::shared_ptr(new WireguardConfigurator(settings, false, this)); ikev2Configurator = std::shared_ptr(new Ikev2Configurator(settings, this)); sshConfigurator = std::shared_ptr(new SshConfigurator(settings, this)); + amneziaWireGuardConfigurator = std::shared_ptr(new AmneziaWireGuardConfigurator(settings, this)); } QString VpnConfigurator::genVpnProtocolConfig(const ServerCredentials &credentials, DockerContainer container, @@ -41,7 +43,7 @@ QString VpnConfigurator::genVpnProtocolConfig(const ServerCredentials &credentia return wireguardConfigurator->genWireguardConfig(credentials, container, containerConfig, errorCode); case Proto::AmneziaWireGuard: - return wireguardConfigurator->genWireguardConfig(credentials, container, containerConfig, errorCode); + return amneziaWireGuardConfigurator->genAmneziaWireGuardConfig(credentials, container, containerConfig, errorCode); case Proto::Ikev2: return ikev2Configurator->genIkev2Config(credentials, container, containerConfig, errorCode); diff --git a/client/configurators/vpn_configurator.h b/client/configurators/vpn_configurator.h index 3b9c761bb..d304e4c3d 100644 --- a/client/configurators/vpn_configurator.h +++ b/client/configurators/vpn_configurator.h 
@@ -13,13 +13,14 @@ class CloakConfigurator; class WireguardConfigurator; class Ikev2Configurator; class SshConfigurator; +class AmneziaWireGuardConfigurator; // Retrieve connection settings from server class VpnConfigurator : ConfiguratorBase { Q_OBJECT public: - VpnConfigurator(std::shared_ptr settings, QObject *parent = nullptr); + explicit VpnConfigurator(std::shared_ptr settings, QObject *parent = nullptr); QString genVpnProtocolConfig(const ServerCredentials &credentials, DockerContainer container, const QJsonObject &containerConfig, Proto proto, ErrorCode *errorCode = nullptr); @@ -40,6 +41,7 @@ class VpnConfigurator : ConfiguratorBase std::shared_ptr wireguardConfigurator; std::shared_ptr ikev2Configurator; std::shared_ptr sshConfigurator; + std::shared_ptr amneziaWireGuardConfigurator; }; #endif // VPN_CONFIGURATOR_H diff --git a/client/configurators/wireguard_configurator.cpp b/client/configurators/wireguard_configurator.cpp index 02716b722..dd836a180 100644 --- a/client/configurators/wireguard_configurator.cpp +++ b/client/configurators/wireguard_configurator.cpp 
@@ -19,9 +19,17 @@ #include "settings.h" #include "utilities.h" -WireguardConfigurator::WireguardConfigurator(std::shared_ptr settings, QObject *parent) - : ConfiguratorBase(settings, parent) +WireguardConfigurator::WireguardConfigurator(std::shared_ptr settings, bool isAmneziaWireGuard, QObject *parent) + : ConfiguratorBase(settings, parent), m_isAmneziaWireGuard(isAmneziaWireGuard) { + m_serverConfigPath = m_isAmneziaWireGuard ? amnezia::protocols::amneziawireguard::serverConfigPath + : amnezia::protocols::wireguard::serverConfigPath; + m_serverPublicKeyPath = m_isAmneziaWireGuard ? amnezia::protocols::amneziawireguard::serverPublicKeyPath + : amnezia::protocols::wireguard::serverPublicKeyPath; + m_serverPskKeyPath = m_isAmneziaWireGuard ? amnezia::protocols::amneziawireguard::serverPskKeyPath + : amnezia::protocols::wireguard::serverPskKeyPath; + m_configTemplate = m_isAmneziaWireGuard ? ProtocolScriptType::amnezia_wireguard_template + : ProtocolScriptType::wireguard_template; } WireguardConfigurator::ConnectionData WireguardConfigurator::genClientKeys() @@ -62,7 +70,7 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon { WireguardConfigurator::ConnectionData connData = WireguardConfigurator::genClientKeys(); connData.host = credentials.hostName; - connData.port = containerConfig.value(config_key::wireguard) + connData.port = containerConfig.value(m_isAmneziaWireGuard ? config_key::amneziaWireguard : config_key::wireguard) .toObject() .value(config_key::port) .toString(protocols::wireguard::defaultPort); 
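Review bot: In the second hunk the port fallback in prepareWireguardConfig is still `protocols::wireguard::defaultPort` for both variants, while the server-side variable `$AMNEZIAWIREGUARD_SERVER_PORT` in genVarsForScript falls back to `protocols::amneziawireguard::defaultPort` ("55424"); when the container config carries no port key, the generated client config and the server listen port will disagree. Choose the default the same way the key is chosen: `.toString(m_isAmneziaWireGuard ? protocols::amneziawireguard::defaultPort : protocols::wireguard::defaultPort);`. prepareWireguardConfig starts and ends outside this hunk. As a style point, the constructor's bare positional `bool isAmneziaWireGuard` gives call sites like `new WireguardConfigurator(settings, false, this)` no hint of what the flag means; a small `enum class` would read better.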
@@ -79,7 +87,7 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon // Get list of already created clients (only IP addresses) QString nextIpNumber; { - QString script = QString("cat %1 | grep AllowedIPs").arg(amnezia::protocols::wireguard::serverConfigPath); + QString script = QString("cat %1 | grep AllowedIPs").arg(m_serverConfigPath); QString stdOut; auto cbReadStdOut = [&](const QString &data, libssh::Client &) { stdOut += data + "\n"; @@ -126,8 +134,7 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon } // Get keys - connData.serverPubKey = serverController.getTextFileFromContainer( - container, credentials, amnezia::protocols::wireguard::serverPublicKeyPath, &e); + connData.serverPubKey = serverController.getTextFileFromContainer(container, credentials, m_serverPublicKeyPath, &e); connData.serverPubKey.replace("\n", ""); if (e) { if (errorCode) @@ -135,8 +142,7 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon return connData; } - connData.pskKey = serverController.getTextFileFromContainer(container, credentials, - amnezia::protocols::wireguard::serverPskKeyPath, &e); + connData.pskKey = serverController.getTextFileFromContainer(container, credentials, m_serverPskKeyPath, &e); connData.pskKey.replace("\n", ""); if (e) { @@ -150,12 +156,9 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon "PublicKey = %1\n" "PresharedKey = %2\n" "AllowedIPs = %3/32\n\n") - .arg(connData.clientPubKey) - .arg(connData.pskKey) - .arg(connData.clientIP); + .arg(connData.clientPubKey, connData.pskKey, connData.clientIP); - e = serverController.uploadTextFileToContainer(container, credentials, configPart, - protocols::wireguard::serverConfigPath, + e = serverController.uploadTextFileToContainer(container, credentials, configPart, m_serverConfigPath, libssh::SftpOverwriteMode::SftpAppendToExisting); if (e) { 
@@ -164,11 +167,11 @@ WireguardConfigurator::ConnectionData WireguardConfigurator::prepareWireguardCon return connData; } + QString script = QString("sudo docker exec -i $CONTAINER_NAME bash -c 'wg syncconf wg0 <(wg-quick strip %1)'") + .arg(m_serverConfigPath); + e = serverController.runScript( - credentials, - serverController.replaceVars("sudo docker exec -i $CONTAINER_NAME bash -c 'wg syncconf wg0 <(wg-quick " - "strip /opt/amnezia/wireguard/wg0.conf)'", - serverController.genVarsForScript(credentials, container))); + credentials, serverController.replaceVars(script, serverController.genVarsForScript(credentials, container))); return connData; } @@ -177,9 +180,9 @@ QString WireguardConfigurator::genWireguardConfig(const ServerCredentials &crede const QJsonObject &containerConfig, ErrorCode *errorCode) { ServerController serverController(m_settings); - QString config = - serverController.replaceVars(amnezia::scriptData(ProtocolScriptType::wireguard_template, container), - serverController.genVarsForScript(credentials, container, containerConfig)); + QString scriptData = amnezia::scriptData(m_configTemplate, container); + QString config = serverController.replaceVars( + scriptData, serverController.genVarsForScript(credentials, container, containerConfig)); ConnectionData connData = prepareWireguardConfig(credentials, container, containerConfig, errorCode); if (errorCode && *errorCode) { diff --git a/client/configurators/wireguard_configurator.h b/client/configurators/wireguard_configurator.h index 140acc479..70ed729b5 100644 --- a/client/configurators/wireguard_configurator.h +++ b/client/configurators/wireguard_configurator.h 
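Review bot: The reload command in prefareWireguardConfig's last step now runs `wg syncconf wg0 <(wg-quick strip %1)` against `m_serverConfigPath` for the AmneziaWG container too, and the result of `runScript` is assigned to `e` but the function then returns `connData` without checking it, so a failed reload is silent while every earlier step propagates `e` to `errorCode`. If the amnezia template writes the Jc/Jmin/…/H4 keys into that wg0.conf, the stock `wireguard-tools` the new Dockerfile installs may reject them as unknown keys, which would make this exact failure likely; which tool the base image actually provides cannot be confirmed from the diff. Add `if (e) { if (errorCode) *errorCode = e; }` after the `runScript` call, matching the pattern used for the key reads above. The function starts outside this hunk.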
@@ -6,12 +6,13 @@ #include "configurator_base.h" #include "core/defs.h" +#include "core/scripts_registry.h" class WireguardConfigurator : public ConfiguratorBase { Q_OBJECT public: - WireguardConfigurator(std::shared_ptr settings, QObject *parent = nullptr); + WireguardConfigurator(std::shared_ptr settings, bool isAmneziaWireGuard, QObject *parent = nullptr); struct ConnectionData { @@ -35,6 +36,12 @@ class WireguardConfigurator : public ConfiguratorBase const QJsonObject &containerConfig, ErrorCode *errorCode = nullptr); ConnectionData genClientKeys(); + + bool m_isAmneziaWireGuard; + QString m_serverConfigPath; + QString m_serverPublicKeyPath; + QString m_serverPskKeyPath; + amnezia::ProtocolScriptType m_configTemplate; }; #endif // WIREGUARD_CONFIGURATOR_H diff --git a/client/core/scripts_registry.cpp b/client/core/scripts_registry.cpp index 31508152b..24deb41a2 100644 --- a/client/core/scripts_registry.cpp +++ b/client/core/scripts_registry.cpp @@ -11,7 +11,7 @@ QString amnezia::scriptFolder(amnezia::DockerContainer container) case DockerContainer::Cloak: return QLatin1String("openvpn_cloak"); case DockerContainer::ShadowSocks: return QLatin1String("openvpn_shadowsocks"); case DockerContainer::WireGuard: return QLatin1String("wireguard"); - case DockerContainer::AmneziaWireGuard: return QLatin1String("wireguard"); + case DockerContainer::AmneziaWireGuard: return QLatin1String("amnezia_wireguard"); case DockerContainer::Ipsec: return QLatin1String("ipsec"); case DockerContainer::TorWebSite: return QLatin1String("website_tor"); @@ -46,6 +46,7 @@ QString amnezia::scriptName(ProtocolScriptType type) case ProtocolScriptType::container_startup: return QLatin1String("start.sh"); case ProtocolScriptType::openvpn_template: return QLatin1String("template.ovpn"); case ProtocolScriptType::wireguard_template: return QLatin1String("template.conf"); + case ProtocolScriptType::amnezia_wireguard_template: return QLatin1String("template.conf"); } } 
diff --git a/client/core/scripts_registry.h b/client/core/scripts_registry.h index b30be2ff9..5c7a1b6a7 100644 --- a/client/core/scripts_registry.h +++ b/client/core/scripts_registry.h @@ -26,7 +26,8 @@ enum ProtocolScriptType { configure_container, container_startup, openvpn_template, - wireguard_template + wireguard_template, + amnezia_wireguard_template }; diff --git a/client/core/servercontroller.cpp b/client/core/servercontroller.cpp index 27213dc3e..3b30451f8 100644 --- a/client/core/servercontroller.cpp +++ b/client/core/servercontroller.cpp 
@@ -584,6 +584,37 @@ ServerController::Vars ServerController::genVarsForScript(const ServerCredential vars.append({ { "$SFTP_USER", sftpConfig.value(config_key::userName).toString() } }); vars.append({ { "$SFTP_PASSWORD", sftpConfig.value(config_key::password).toString() } }); + // Amnezia wireguard vars + vars.append({ { "$AMNEZIAWIREGUARD_SERVER_PORT", + amneziaWireguarConfig.value(config_key::port).toString(protocols::amneziawireguard::defaultPort) } }); + vars.append({ { "$JUNK_PACKET_COUNT", + amneziaWireguarConfig.value(config_key::junkPacketCount) + .toString(protocols::amneziawireguard::defaultJunkPacketCount) } }); + vars.append({ { "$JUNK_PACKET_MIN_SIZE", + amneziaWireguarConfig.value(config_key::junkPacketMinSize) + .toString(protocols::amneziawireguard::defaultJunkPacketMinSize) } }); + vars.append({ { "$JUNK_PACKET_MAX_SIZE", + amneziaWireguarConfig.value(config_key::junkPacketMaxSize) + .toString(protocols::amneziawireguard::defaultJunkPacketMaxSize) } }); + vars.append({ { "$INIT_PACKET_JUNK_SIZE", + amneziaWireguarConfig.value(config_key::initPacketJunkSize) + .toString(protocols::amneziawireguard::defaultInitPacketJunkSize) } }); + vars.append({ { "$RESPONSE_PACKET_JUNK_SIZE", + amneziaWireguarConfig.value(config_key::responsePacketJunkSize) + .toString(protocols::amneziawireguard::defaultResponsePacketJunkSize) } }); + vars.append({ { "$INIT_PACKET_MAGIC_HEADER", + amneziaWireguarConfig.value(config_key::initPacketMagicHeader) + .toString(protocols::amneziawireguard::defaultInitPacketMagicHeader) } }); + vars.append({ { "$RESPONSE_PACKET_MAGIC_HEADER", + amneziaWireguarConfig.value(config_key::responsePacketMagicHeader) + .toString(protocols::amneziawireguard::defaultResponsePacketMagicHeader) } }); + vars.append({ { "$UNDERLOAD_PACKET_MAGIC_HEADER", + amneziaWireguarConfig.value(config_key::underloadPacketMagicHeader) + .toString(protocols::amneziawireguard::defaultUnderloadPacketMagicHeader) } }); + vars.append({ { 
"$TRANSPORT_PACKET_MAGIC_HEADER", + amneziaWireguarConfig.value(config_key::transportPacketMagicHeader) + .toString(protocols::amneziawireguard::defaultTransportPacketMagicHeader) } }); + QString serverIp = Utils::getIPAddress(credentials.hostName); if (!serverIp.isEmpty()) { vars.append({ { "$SERVER_IP_ADDRESS", serverIp } }); diff --git a/client/daemon/daemon.cpp b/client/daemon/daemon.cpp index 3a0dc4d91..133109510 100644 --- a/client/daemon/daemon.cpp +++ b/client/daemon/daemon.cpp @@ -359,6 +359,17 @@ bool Daemon::parseConfig(const QJsonObject& obj, InterfaceConfig& config) { if (!parseStringList(obj, "vpnDisabledApps", config.m_vpnDisabledApps)) { return false; } + + config.m_junkPacketCount = obj.value("Jc").toString(); + config.m_junkPacketMinSize = obj.value("Jmin").toString(); + config.m_junkPacketMaxSize = obj.value("Jmax").toString(); + config.m_initPacketJunkSize = obj.value("S1").toString(); + config.m_responsePacketJunkSize = obj.value("S2").toString(); + config.m_initPacketMagicHeader = obj.value("H1").toString(); + config.m_responsePacketMagicHeader = obj.value("H2").toString(); + config.m_underloadPacketMagicHeader = obj.value("H3").toString(); + config.m_transportPacketMagicHeader = obj.value("H4").toString(); + return true; } diff --git a/client/daemon/interfaceconfig.h b/client/daemon/interfaceconfig.h index 61ffdd833..29aef0854 100644 --- a/client/daemon/interfaceconfig.h +++ b/client/daemon/interfaceconfig.h @@ -40,6 +40,16 @@ class InterfaceConfig { QString m_installationId; #endif + QString m_junkPacketCount; + QString m_junkPacketMinSize; + QString m_junkPacketMaxSize; + QString m_initPacketJunkSize; + QString m_responsePacketJunkSize; + QString m_initPacketMagicHeader; + QString m_responsePacketMagicHeader; + QString m_underloadPacketMagicHeader; + QString m_transportPacketMagicHeader; + QJsonObject toJson() const; QString toWgConf( const QMap& extra = QMap()) const; 
diff --git a/client/mozilla/localsocketcontroller.cpp b/client/mozilla/localsocketcontroller.cpp index 40bc0bba1..c9fa6a428 100644 --- a/client/mozilla/localsocketcontroller.cpp +++ b/client/mozilla/localsocketcontroller.cpp @@ -115,7 +115,9 @@ void LocalSocketController::daemonConnected() { } void LocalSocketController::activate(const QJsonObject &rawConfig) { - QJsonObject wgConfig = rawConfig.value("wireguard_config_data").toObject(); + QString protocolName = rawConfig.value("protocol").toString(); + + QJsonObject wgConfig = rawConfig.value(protocolName + "_config_data").toObject(); QJsonObject json; json.insert("type", "activate"); @@ -160,6 +162,19 @@ void LocalSocketController::activate(const QJsonObject &rawConfig) { // splitTunnelApps.append(QJsonValue(uri)); // } // json.insert("vpnDisabledApps", splitTunnelApps); + + if (protocolName == amnezia::config_key::amneziaWireguard) { + json.insert(amnezia::config_key::junkPacketCount, wgConfig.value(amnezia::config_key::junkPacketCount)); + json.insert(amnezia::config_key::junkPacketMinSize, wgConfig.value(amnezia::config_key::junkPacketMinSize)); + json.insert(amnezia::config_key::junkPacketMaxSize, wgConfig.value(amnezia::config_key::junkPacketMaxSize)); + json.insert(amnezia::config_key::initPacketJunkSize, wgConfig.value(amnezia::config_key::initPacketJunkSize)); + json.insert(amnezia::config_key::responsePacketJunkSize, wgConfig.value(amnezia::config_key::responsePacketJunkSize)); + json.insert(amnezia::config_key::initPacketMagicHeader, wgConfig.value(amnezia::config_key::initPacketMagicHeader)); + json.insert(amnezia::config_key::responsePacketMagicHeader, wgConfig.value(amnezia::config_key::responsePacketMagicHeader)); + json.insert(amnezia::config_key::underloadPacketMagicHeader, wgConfig.value(amnezia::config_key::underloadPacketMagicHeader)); + json.insert(amnezia::config_key::transportPacketMagicHeader, wgConfig.value(amnezia::config_key::transportPacketMagicHeader)); + } + write(json); } 
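Review bot: `protocolName` in LocalSocketController::activate is read from `rawConfig.value("protocol")` and used unchecked to build the `"_config_data"` key, so an empty or unexpected value yields an empty `wgConfig` and the daemon is still sent an `activate` message with missing fields instead of the client failing early. A guard before `json` is built, `if (protocolName != amnezia::config_key::wireguard && protocolName != amnezia::config_key::amneziaWireguard) { /* log and return */ }`, would fail fast; the comparison against `amnezia::config_key::amneziaWireguard` ("amneziawireguard") also assumes the `protocol` field uses exactly that lowercase spelling, which cannot be confirmed here. In the new `if` block, a key missing from `wgConfig` is forwarded as an Undefined QJsonValue, which `QJsonObject::insert` drops, so missing and present-but-empty become indistinguishable on the daemon side.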
diff --git a/client/platforms/macos/daemon/wireguardutilsmacos.cpp b/client/platforms/macos/daemon/wireguardutilsmacos.cpp index 1f4224620..ead53e23f 100644 --- a/client/platforms/macos/daemon/wireguardutilsmacos.cpp +++ b/client/platforms/macos/daemon/wireguardutilsmacos.cpp @@ -163,6 +163,17 @@ bool WireguardUtilsMacos::updatePeer(const InterfaceConfig& config) { out << "allowed_ip=" << ip.toString() << "\n"; } + + out << "Jc=" << config.m_junkPacketCount << "\n"; + out << "jmin=" << config.m_junkPacketMinSize << "\n"; + out << "jmax=" << config.m_junkPacketMaxSize << "\n"; + out << "s1=" << config.m_initPacketJunkSize << "\n"; + out << "s2=" << config.m_responsePacketJunkSize << "\n"; + out << "h1=" << config.m_initPacketMagicHeader << "\n"; + out << "h2=" << config.m_responsePacketMagicHeader << "\n"; + out << "h3=" << config.m_underloadPacketMagicHeader << "\n"; + out << "h4=" << config.m_transportPacketMagicHeader << "\n"; + // Exclude the server address, except for multihop exit servers. if ((config.m_hopType != InterfaceConfig::MultiHopExit) && (m_rtmonitor != nullptr)) { diff --git a/client/protocols/protocols_defs.h b/client/protocols/protocols_defs.h index 4e72e3181..e26e60a4e 100644 --- a/client/protocols/protocols_defs.h +++ b/client/protocols/protocols_defs.h 
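Review bot: updatePeer now writes the nine AWG lines to the uapi stream unconditionally, and since Daemon::parseConfig fills these fields for every protocol, a plain WireGuard activation emits `Jc=`, `jmin=`, … with empty values; `Jc=` is also capitalised while the other eight keys are lowercase, which looks like a typo. Wrap the block in `if (!config.m_junkPacketCount.isEmpty()) { … }` (or a dedicated flag on InterfaceConfig) and make the key casing consistent. The lines are emitted after the peer's `allowed_ip=` entries; if the uapi treats these as interface-level settings like `private_key`/`listen_port` rather than per-peer ones, they belong before the first `public_key=` line — confirm against the AmneziaWG uapi. updatePeer starts and ends outside the hunk.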
@@ -61,11 +61,22 @@ namespace amnezia constexpr char isThirdPartyConfig[] = "isThirdPartyConfig"; + constexpr char junkPacketCount[] = "Jc"; + constexpr char junkPacketMinSize[] = "Jmin"; + constexpr char junkPacketMaxSize[] = "Jmax"; + constexpr char initPacketJunkSize[] = "S1"; + constexpr char responsePacketJunkSize[] = "S2"; + constexpr char initPacketMagicHeader[] = "H1"; + constexpr char responsePacketMagicHeader[] = "H2"; + constexpr char underloadPacketMagicHeader[] = "H3"; + constexpr char transportPacketMagicHeader[] = "H4"; + constexpr char openvpn[] = "openvpn"; constexpr char wireguard[] = "wireguard"; constexpr char shadowsocks[] = "shadowsocks"; constexpr char cloak[] = "cloak"; constexpr char sftp[] = "sftp"; + constexpr char amneziaWireguard[] = "amneziawireguard"; } @@ -140,6 +151,25 @@ namespace amnezia } // namespace sftp + namespace amneziawireguard + { + constexpr char defaultPort[] = "55424"; + + constexpr char serverConfigPath[] = "/opt/amnezia/amneziawireguard/wg0.conf"; + constexpr char serverPublicKeyPath[] = "/opt/amnezia/amneziawireguard/wireguard_server_public_key.key"; + constexpr char serverPskKeyPath[] = "/opt/amnezia/amneziawireguard/wireguard_psk.key"; + + constexpr char defaultJunkPacketCount[] = "3"; + constexpr char defaultJunkPacketMinSize[] = "10"; + constexpr char defaultJunkPacketMaxSize[] = "30"; + constexpr char defaultInitPacketJunkSize[] = "15"; + constexpr char defaultResponsePacketJunkSize[] = "18"; + constexpr char defaultInitPacketMagicHeader[] = "1020325451"; + constexpr char defaultResponsePacketMagicHeader[] = "3288052141"; + constexpr char defaultTransportPacketMagicHeader[] = "2528465083"; + constexpr char defaultUnderloadPacketMagicHeader[] = "1766607858"; + } + } // namespace protocols namespace ProtocolEnumNS diff --git a/client/resources.qrc b/client/resources.qrc index 44c61172e..b79ed3d28 100644 --- a/client/resources.qrc +++ b/client/resources.qrc 
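Review bot: The new `config_key` constants map descriptive names to the cryptic wire keys `Jc`, `Jmin`, `Jmax`, `S1`, `S2`, `H1`–`H4`, and the `amneziawireguard` defaults are bare magic numbers with no explanation; a one-line comment per group would help the next reader, e.g. `// AmneziaWG obfuscation parameters: junk packet count and size bounds (Jc, Jmin, Jmax), handshake junk sizes (S1, S2), packet-type magic headers (H1-H4)`. The default header values are declared in H1, H2, H4, H3 order, unlike the key declarations above them; keeping both lists in the same order makes a swapped value easier to spot.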
@@ -216,5 +216,10 @@ ui/qml/Pages2/PageServiceDnsSettings.qml ui/qml/Controls2/TopCloseButtonType.qml ui/qml/Pages2/PageProtocolAmneziaWireGuardSettings.qml + server_scripts/amnezia_wireguard/template.conf + server_scripts/amnezia_wireguard/start.sh + server_scripts/amnezia_wireguard/configure_container.sh + server_scripts/amnezia_wireguard/run_container.sh + server_scripts/amnezia_wireguard/Dockerfile diff --git a/client/server_scripts/amnezia_wireguard/Dockerfile b/client/server_scripts/amnezia_wireguard/Dockerfile new file mode 100644 index 000000000..ed974dc68 --- /dev/null +++ b/client/server_scripts/amnezia_wireguard/Dockerfile 
@@ -0,0 +1,46 @@ +FROM amneziavpn/amnezia-wg:latest + +LABEL maintainer="AmneziaVPN" + +#Install required packages +RUN apk add --no-cache curl wireguard-tools dumb-init +RUN apk --update upgrade --no-cache + +RUN mkdir -p /opt/amnezia +RUN echo -e "#!/bin/bash\ntail -f /dev/null" > /opt/amnezia/start.sh +RUN chmod a+x /opt/amnezia/start.sh + +# Tune network +RUN echo -e " \n\ + fs.file-max = 51200 \n\ + \n\ + net.core.rmem_max = 67108864 \n\ + net.core.wmem_max = 67108864 \n\ + net.core.netdev_max_backlog = 250000 \n\ + net.core.somaxconn = 4096 \n\ + \n\ + net.ipv4.tcp_syncookies = 1 \n\ + net.ipv4.tcp_tw_reuse = 1 \n\ + net.ipv4.tcp_tw_recycle = 0 \n\ + net.ipv4.tcp_fin_timeout = 30 \n\ + net.ipv4.tcp_keepalive_time = 1200 \n\ + net.ipv4.ip_local_port_range = 10000 65000 \n\ + net.ipv4.tcp_max_syn_backlog = 8192 \n\ + net.ipv4.tcp_max_tw_buckets = 5000 \n\ + net.ipv4.tcp_fastopen = 3 \n\ + net.ipv4.tcp_mem = 25600 51200 102400 \n\ + net.ipv4.tcp_rmem = 4096 87380 67108864 \n\ + net.ipv4.tcp_wmem = 4096 65536 67108864 \n\ + net.ipv4.tcp_mtu_probing = 1 \n\ + net.ipv4.tcp_congestion_control = hybla \n\ + # for low-latency network, use cubic instead \n\ + # net.ipv4.tcp_congestion_control = cubic \n\ + " | sed -e 's/^\s\+//g' | tee -a /etc/sysctl.conf && \ + mkdir -p /etc/security && \ + echo -e " \n\ + * soft nofile 51200 \n\ + * hard nofile 51200 \n\ + " | sed -e 's/^\s\+//g' | tee -a /etc/security/limits.conf + +ENTRYPOINT [ "dumb-init", "/opt/amnezia/start.sh" ] +CMD [ "" ] diff --git a/client/server_scripts/amnezia_wireguard/configure_container.sh b/client/server_scripts/amnezia_wireguard/configure_container.sh new file mode 100644 index 000000000..8653a9328 --- /dev/null +++ b/client/server_scripts/amnezia_wireguard/configure_container.sh 
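Review bot: `FROM amneziavpn/amnezia-wg:latest` pins nothing, so every server build pulls whatever the tag points to at that moment and a rebuilt container can differ from the one that was tested; pin a version tag or, better, a digest, e.g. `FROM amneziavpn/amnezia-wg:<version>@sha256:<digest>` (placeholder — take the values from the registry). The generated `/opt/amnezia/start.sh` uses `#!/bin/bash`, but the `apk add` line installs only `curl wireguard-tools dumb-init`, so bash has to come from the base image — worth verifying, since the ENTRYPOINT fails otherwise. `net.ipv4.tcp_tw_recycle` no longer exists in current kernels, and settings appended to the container's /etc/sysctl.conf only take effect if something applies them at start; both appear inherited from the existing Dockerfiles, so this is a consistency nit rather than a regression.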
@@ -0,0 +1,26 @@ +mkdir -p /opt/amnezia/amneziawireguard +cd /opt/amnezia/amneziawireguard +WIREGUARD_SERVER_PRIVATE_KEY=$(wg genkey) +echo $WIREGUARD_SERVER_PRIVATE_KEY > /opt/amnezia/amneziawireguard/wireguard_server_private_key.key + +WIREGUARD_SERVER_PUBLIC_KEY=$(echo $WIREGUARD_SERVER_PRIVATE_KEY | wg pubkey) +echo $WIREGUARD_SERVER_PUBLIC_KEY > /opt/amnezia/amneziawireguard/wireguard_server_public_key.key + +WIREGUARD_PSK=$(wg genpsk) +echo $WIREGUARD_PSK > /opt/amnezia/amneziawireguard/wireguard_psk.key + +cat > /opt/amnezia/amneziawireguard/wg0.conf <