mirror of
https://github.com/SoftEtherVPN/SoftEtherVPN.git
synced 2025-07-13 03:04:58 +03:00
Cedar: Implement support for WireGuard
Please note that the implementation is not 100% conformant to the protocol whitepaper (https://www.wireguard.com/papers/wireguard.pdf). More specifically: all peers are expected to send a handshake initiation once the current keypair is about to expire or is expired. I decided not to do that because our implementation is meant to act as a server only. A true WireGuard peer acts, instead, as both a client and a server. Once the keypair is expired, we immediately delete the session. The cookie mechanism can be implemented in future. As for authentication: unfortunately using the already existing methods is not possible due to the protocol not providing a way to send strings to a peer. That's because WireGuard doesn't have a concept of "users": it identifies a peer through the public key, which is determined using the source address. As a solution, this commit adds a special authentication method: once we receive the handshake initiation message and decrypt the peer's public key, we check whether it's in the allowed key list. If it is, we retrieve the associated Virtual Hub and user; if the hub exists and the user is in it, the authentication is successful. The allowed key list is stored in the configuration file like this: declare WireGuardKeyList { declare 96oA7iMvjn7oXiG3ghBDPaSUytT75uXceLV+Fx3XMlM= { string Hub DEFAULT string User user } }
This commit is contained in:
Davide Beatrici
@ -367,6 +367,7 @@
|
||||
#define AUTHTYPE_ROOTCERT 3 // Root certificate which is issued by trusted Certificate Authority
|
||||
#define AUTHTYPE_RADIUS 4 // Radius authentication
|
||||
#define AUTHTYPE_NT 5 // Windows NT authentication
|
||||
#define AUTHTYPE_WIREGUARD_KEY 97 // WireGuard public key authentication
|
||||
#define AUTHTYPE_OPENVPN_CERT 98 // TLS client certificate authentication
|
||||
#define AUTHTYPE_TICKET 99 // Ticket authentication
|
||||
|
||||
@ -923,6 +924,7 @@ typedef struct CEDAR
|
||||
UINT Type; // Type
|
||||
LIST *ListenerList; // Listener list
|
||||
LIST *HubList; // HUB list
|
||||
LIST *WgkList; // WireGuard key list
|
||||
LIST *ConnectionList; // Negotiating connection list
|
||||
LIST *CaList; // List of CA
|
||||
volatile bool Halt; // Halt flag
|
||||
@ -1032,8 +1034,6 @@ typedef struct CEDAR
|
||||
#include <Cedar/Command.h>
|
||||
// RPC over HTTP
|
||||
#include <Cedar/Wpc.h>
|
||||
// Layer-2/Layer-3 converter
|
||||
#include <Cedar/IPC.h>
|
||||
// Third party protocols
|
||||
#include <Cedar/Proto.h>
|
||||
#include <Cedar/Proto_IPsec.h>
|
||||
@ -1045,6 +1045,9 @@ typedef struct CEDAR
|
||||
#include <Cedar/Proto_PPP.h>
|
||||
#include <Cedar/Proto_SSTP.h>
|
||||
#include <Cedar/Proto_Win7.h>
|
||||
#include <Cedar/Proto_WireGuard.h>
|
||||
// Layer-2/Layer-3 converter
|
||||
#include <Cedar/IPC.h>
|
||||
// UDP Acceleration
|
||||
#include <Cedar/UdpAccel.h>
|
||||
// DDNS Client
|
||||
|
||||
Reference in New Issue
Block a user