diff --git a/common/wireguard/src/lib.rs b/common/wireguard/src/lib.rs
index 3da715bad0..cd13ba6937 100644
--- a/common/wireguard/src/lib.rs
+++ b/common/wireguard/src/lib.rs
@@ -42,6 +42,10 @@ pub async fn start_wireguard(
 let (tun, tun_task_tx, tun_task_response_rx) = tun_device::TunDevice::new(peers_by_ip.clone());
 tun.start();
 
+// If we want to have the tun device on a separate host, it's the tun_task and
+// tun_task_response channels that needs to be sent over the network to the host where the tun
+// device is running.
+
 // The packet relayer's responsibility is to route packets between the correct tunnel and the
 // tun device. The tun device may or may not be on a separate host, which is why we can't do
 // this routing in the tun device itself.
diff --git a/common/wireguard/src/wg_tunnel.rs b/common/wireguard/src/wg_tunnel.rs
index 6d1cf4cdf8..72ae2d9e01 100644
--- a/common/wireguard/src/wg_tunnel.rs
+++ b/common/wireguard/src/wg_tunnel.rs
@@ -7,6 +7,7 @@ use boringtun::{
 };
 use bytes::Bytes;
 use log::{debug, error, info, warn};
+use rand::RngCore;
 use tap::TapFallible;
 use tokio::{
 net::UdpSocket,
@@ -90,7 +91,7 @@ impl WireGuardTunnel {
 index,
 rate_limiter,
 )
-.unwrap(),
+.expect("failed to create Tunn instance"),
 ));
 
 // Channels with incoming data that is received by the main event loop
@@ -102,10 +103,7 @@ impl WireGuardTunnel {
 let mut allowed_ips = NetworkTable::new();
 allowed_ips.insert(peer_allowed_ips, ());
 
-// random u64
-use rand::RngCore;
-let mut rng = rand::rngs::OsRng;
-let tag = rng.next_u64();
+let tag = Self::new_tag();
 
 let tunnel = WireGuardTunnel {
 peer_rx,
@@ -122,6 +120,10 @@ impl WireGuardTunnel {
 (tunnel, peer_tx, tag)
 }
 
+fn new_tag() -> u64 {
+rand::thread_rng().next_u64()
+}
+
 fn close(&self) {
 let _ = self.close_tx.send(());
 }
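Review bot: The new comment describes shipping the `tun_task`/`tun_task_response` channels to another host without saying what flows over them: by the time packets reach the tun side the WireGuard tunnel has presumably already decapsulated them, so these channels carry plaintext inner IP packets, and a cross-host transport of them would need its own authenticated and encrypted link because the WireGuard session does not cover that leg. I would extend the comment with `// NOTE: these channels carry decrypted inner packets; any cross-host transport of them must be separately authenticated and encrypted.` Also `channels that needs` should read `channels that need`. `start_wireguard` starts before and continues after this hunk.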
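Review bot: Replacing `unwrap()` with `expect("failed to create Tunn instance")` gives a better panic message but still panics inside the tunnel constructor when `Tunn::new` returns an error; since this constructor is built around a peer's public key, a failure tied to peer-supplied input (whether that can actually happen depends on what boringtun validates and on what the caller checks upstream, neither of which is visible here) would take the whole process down instead of rejecting one peer. I'd propagate the error, e.g. `.map_err(|e| anyhow::anyhow!("failed to create Tunn instance: {e}"))?` or the crate's own error type, and have the constructor return a `Result`, so a bad peer registration is a logged error rather than a crash. The enclosing constructor starts before and ends after this hunk.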
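Review bot: `new_tag` has no doc comment, and the switch from `rand::rngs::OsRng` to `rand::thread_rng()` is not explained; assuming a recent `rand`, `ThreadRng` is a CSPRNG seeded and periodically reseeded from the OS, so this is not a downgrade, but a reader comparing against the removed `OsRng` line will wonder. I'd add above the function: `/// Random 64-bit tag identifying this tunnel instance. thread_rng() is a CSPRNG, so the tag is unpredictable; uniqueness is only probabilistic (birthday bound ~2^32 tunnels), so callers must not assume it is collision-free.` If `tag` is used as a key into a map of tunnels (the returned `(tunnel, peer_tx, tag)` suggests it), the insert site should detect a collision rather than silently overwriting an existing entry.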