Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Optimize wireguard kernel mode #2757

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Optimize wireguard kernel mode #2757

wants to merge 3 commits into from

Conversation

kunsonx
Copy link
Contributor

@kunsonx kunsonx commented Nov 26, 2023

  1. 调整 WireGuard kernel mode 只支持 client 模式并支持要求权限.
  2. 不再要求 root 权限(不调整 rp_filter),调整为 cap CAP_NET_ADMIN 和 iptables 与 net.ipv4.conf.all.src_valid_mark=1
  3. docker 打包镜像附带 iptables 预先安装

docker container 运行最低条件

    cap_add:
      - CAP_NET_ADMIN
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    devices:
        - /dev/net/tun

@kunsonx
Copy link
Contributor Author

kunsonx commented Nov 26, 2023

@hax0r31337 It is better for your design on WireGuard server sides?
@yuhan6665 请大佬看看这个版本的优化,解决了 #2736#2477 提到的相关问题。

另外失败的 jobs 应该不是代码问题,rerun 一下应该就好了。

@yuhan6665
Copy link
Member

@kunsonx thanks for your pr. Although I think it is too complex to maintain code to deal with iptables. Is this needed only by the kernel mode tun? If so I think it is reasonable for user to ask for root access if they need it. We just need to make sure the gvisor tun doesn't need it and we clearly document it.
CC @RPRX

@yuhan6665
Copy link
Member

BTW are you sure this tun implementation

wgt, err := wgtun.CreateTUN(n, mtu)

need privilege access like disable rp_filter?

@Fangliding
Copy link
Member

@yuhan6665 主要的问题是 如果在容器里跑 就会遇到权限问题 还需要给容器特权才可以正常运行 已经有不少反馈这种问题了

@kunsonx
Copy link
Contributor Author

kunsonx commented Nov 27, 2023

@yuhan6665 The user space WireGuard tun device require container device "/dev/net/tun". current version of "kernelMode" implementation create proxy socket and bind to wireguard device so when socket packet come back kernel will check reverse path and drop it(Cause no any changes on routes).

I'm plan to implement native WireGuard device (no userspace device) it also require iptables operation.

So considering the implementations of current and plan.

I think it is better way to do that.

iptables operation package copy from kuberneters so I think maintain thing is ok?

@kunsonx
Copy link
Contributor Author

kunsonx commented Nov 27, 2023

Current implementations:
go-wireguard(userspace device) + gVIsor(userspace netstack) for default mode(require device "/dev/net/tun").
go-wireguard(userspace device) + sysnetstack for kernel mode(require device "/dev/net/tun" and cap CAP_NET_ADMIN and iptables and net.ipv4.conf.all.src_valid_mark=1)

Planning:
sys wireguard device + sysnetstack(require cap CAP_NET_ADMIN and iptables and net.ipv4.conf.all.src_valid_mark=1)

@yuhan6665
Copy link
Member

Thanks for your info. Seems a rather big question for @RPRX :)

@kunsonx
Copy link
Contributor Author

kunsonx commented Nov 27, 2023

The WireGuard outbound non userspace optimization version just created pull request on #2762.

@devopg
Copy link

devopg commented Nov 19, 2024

@kunsonx
Hello. I see you are making a big update about WireGuard. I don't know if it's related to the #4025 (confuses certificates when opening multiple tabs) issue or not. The problem is being resolved right now. I just wanted to inform you so that you can take it into in your work, so that this issue doesn't come up again later.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants