Cedar: Implement support for WireGuard

Please note that the implementation is not 100% conformant to the protocol whitepaper (https://www.wireguard.com/papers/wireguard.pdf).
More specifically: all peers are expected to send a handshake initiation once the current keypair is about to expire or is expired.
I decided not to do that because our implementation is meant to act as a server only. A true WireGuard peer acts, instead, as both a client and a server.
Once the keypair is expired, we immediately delete the session.

The cookie mechanism can be implemented in future.

As for authentication: unfortunately using the already existing methods is not possible due to the protocol not providing a way to send strings to a peer.
That's because WireGuard doesn't have a concept of "users": it identifies a peer through the public key, which is determined using the source address.
As a solution, this commit adds a special authentication method: once we receive the handshake initiation message and decrypt the peer's public key, we check whether it's in the allowed key list.
If it is, we retrieve the associated Virtual Hub and user; if the hub exists and the user is in it, the authentication is successful.

The allowed key list is stored in the configuration file like this:

declare WireGuardKeyList
{
	declare 96oA7iMvjn7oXiG3ghBDPaSUytT75uXceLV+Fx3XMlM=
	{
		string Hub DEFAULT
		string User user
	}
}

src/Cedar/CMakeLists.txt

@@ -26,6 +26,21 @@ set(BLAKE2_SRC_PATH $<IF:$<BOOL:HAS_SSE2>,${TOP_DIRECTORY}/3rdparty/BLAKE2/sse,$
 target_include_directories(cedar PUBLIC ${BLAKE2_SRC_PATH})
 target_sources(cedar PRIVATE "${BLAKE2_SRC_PATH}/blake2s.c")
 
+if(VCPKG_TARGET_TRIPLET)
+  find_package(unofficial-sodium CONFIG REQUIRED)
+  target_link_libraries(cedar PUBLIC unofficial-sodium::sodium)
+else()
+  find_package(PkgConfig REQUIRED)
+  pkg_search_module(SODIUM libsodium REQUIRED)
+  target_include_directories(cedar PUBLIC ${SODIUM_INCLUDE_DIRS})
+  if(NOT ("$ENV{TRAVIS_CPU_ARCH}" STREQUAL ppc64le))
+    target_link_libraries(cedar PUBLIC $<IF:$<BOOL:SODIUM_LINK_LIBRARIES>,${SODIUM_LINK_LIBRARIES},${SODIUM_LIBRARIES}>)
+  else()
+    # TODO: investigate why on ppc64le the use of SODIUM_LINK_LIBRARIES causes undefined references to libsodium functions.
+    target_link_libraries(cedar PUBLIC ${SODIUM_LIBRARIES})
+  endif()
+endif()
+
 if(WIN32)
   set_target_properties(cedar
     PROPERTIES
@@ -38,10 +53,10 @@ if(WIN32)
 endif()
 
 if(UNIX)
-  find_library(LIB_READLINE readline)
   find_package(Curses REQUIRED)
+  find_library(LIB_READLINE readline)
 
-  target_link_libraries(cedar PRIVATE ${LIB_READLINE} ${CURSES_LIBRARIES})
+  target_link_libraries(cedar PRIVATE ${CURSES_LIBRARIES} ${LIB_READLINE})
 
   if(${CMAKE_SYSTEM_NAME} STREQUAL "Darwin")
     target_link_libraries(cedar PRIVATE mayaqua pcap)

src/Cedar/Cedar.c

@@ -1094,12 +1094,13 @@ void CleanupCedar(CEDAR *c)
 	WuFreeWebUI(c->WebUI);
 	FreeCedarLayer3(c);
 
-/*
-	for (i = 0;i < LIST_NUM(c->HubList);i++)
+	for (i = 0; i < LIST_NUM(c->WgkList); ++i)
 	{
-		HUB *h = LIST_DATA(c->HubList, i);
+		WGK *wgk = LIST_DATA(c->WgkList, i);
+		Free(wgk);
 	}
-*/
+	ReleaseList(c->WgkList);
+
 	for (i = 0;i < LIST_NUM(c->CaList);i++)
 	{
 		X *x = LIST_DATA(c->CaList, i);
@@ -1491,6 +1492,7 @@ CEDAR *NewCedar(X *server_x, K *server_k)
 	c->Traffic = NewTraffic();
 	c->TrafficLock = NewLock();
 	c->CaList = NewList(CompareCert);
+	c->WgkList = NewList(CompareWgk);
 
 	c->TrafficDiffList = NewList(NULL);
 
@@ -1600,6 +1602,12 @@ void InitCedar()
 		return;
 	}
 
+	if (sodium_init() == -1)
+	{
+		Debug("InitCedar(): sodium_init() failed!\n");
+		return;
+	}
+
 	// Initialize protocol module
 	InitProtocol();
 }

src/Cedar/Cedar.h

@@ -367,6 +367,7 @@
 #define	AUTHTYPE_ROOTCERT				3			// Root certificate which is issued by trusted Certificate Authority
 #define	AUTHTYPE_RADIUS					4			// Radius authentication
 #define	AUTHTYPE_NT						5			// Windows NT authentication
+#define	AUTHTYPE_WIREGUARD_KEY			97			// WireGuard public key authentication
 #define	AUTHTYPE_OPENVPN_CERT    		98			// TLS client certificate authentication
 #define	AUTHTYPE_TICKET					99			// Ticket authentication
 
@@ -923,6 +924,7 @@ typedef struct CEDAR
 	UINT Type;						// Type
 	LIST *ListenerList;				// Listener list
 	LIST *HubList;					// HUB list
+	LIST *WgkList;					// WireGuard key list
 	LIST *ConnectionList;			// Negotiating connection list
 	LIST *CaList;					// List of CA
 	volatile bool Halt;				// Halt flag
@@ -1032,8 +1034,6 @@ typedef struct CEDAR
 #include <Cedar/Command.h>
 // RPC over HTTP
 #include <Cedar/Wpc.h>
-// Layer-2/Layer-3 converter
-#include <Cedar/IPC.h>
 // Third party protocols
 #include <Cedar/Proto.h>
 #include <Cedar/Proto_IPsec.h>
@@ -1045,6 +1045,9 @@ typedef struct CEDAR
 #include <Cedar/Proto_PPP.h>
 #include <Cedar/Proto_SSTP.h>
 #include <Cedar/Proto_Win7.h>
+#include <Cedar/Proto_WireGuard.h>
+// Layer-2/Layer-3 converter
+#include <Cedar/IPC.h>
 // UDP Acceleration
 #include <Cedar/UdpAccel.h>
 // DDNS Client

src/Cedar/CedarType.h

@@ -277,6 +277,7 @@ typedef struct HUB_SNAPSHOT HUB_SNAPSHOT;
 typedef struct SERVER_SNAPSHOT SERVER_SNAPSHOT;
 typedef struct SERVER_HUB_CREATE_HISTORY SERVER_HUB_CREATE_HISTORY;
 typedef struct OPENVPN_SSTP_CONFIG OPENVPN_SSTP_CONFIG;
+typedef struct WGK WGK;
 
 // ==============================================================
 //   Server Admin Tool

src/Cedar/IPC.c

@@ -226,8 +226,8 @@ IPC *NewIPCByParam(CEDAR *cedar, IPC_PARAM *param, UINT *error_code)
 	}
 
 	ipc = NewIPC(cedar, param->ClientName, param->Postfix, param->HubName,
-	             param->UserName, param->Password, error_code, &param->ClientIp,
-	             param->ClientPort, &param->ServerIp, param->ServerPort,
+	             param->UserName, param->Password, param->WgKey, error_code,
+	             &param->ClientIp, param->ClientPort, &param->ServerIp, param->ServerPort,
 	             param->ClientHostname, param->CryptName,
 	             param->BridgeMode, param->Mss, NULL, param->ClientCertificate, param->Layer);
 
@@ -235,7 +235,7 @@ IPC *NewIPCByParam(CEDAR *cedar, IPC_PARAM *param, UINT *error_code)
 }
 
 // Start a new IPC connection
-IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char *username, char *password,
+IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char *username, char *password, char *wg_key,
             UINT *error_code, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port,
             char *client_hostname, char *crypt_name,
             bool bridge_mode, UINT mss, EAP_CLIENT *eap_client, X *client_certificate,
@@ -337,7 +337,11 @@ IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char
 	FreePack(p);
 
 	// Upload the authentication data
-	if (client_certificate != NULL)
+	if (IsEmptyStr(wg_key) == false)
+	{
+		p = PackLoginWithWireGuardKey(wg_key);
+	}
+	else if (client_certificate != NULL)
 	{
 		p = PackLoginWithOpenVPNCertificate(hubname, username, client_certificate);
 	}

src/Cedar/IPC.h

@@ -75,6 +75,7 @@ struct IPC_PARAM
 	char HubName[MAX_HUBNAME_LEN + 1];
 	char UserName[MAX_USERNAME_LEN + 1];
 	char Password[MAX_PASSWORD_LEN + 1];
+	char WgKey[WG_KEY_BASE64_SIZE];
 	IP ClientIp;
 	UINT ClientPort;
 	IP ServerIp;
@@ -171,7 +172,7 @@ struct IPC_IPV6_ROUTER_ADVERTISEMENT
 	UCHAR RouterLinkLayerAddress[6];
 };
 
-IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char *username, char *password,
+IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char *username, char *password, char *wg_key,
             UINT *error_code, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port,
             char *client_hostname, char *crypt_name,
             bool bridge_mode, UINT mss, EAP_CLIENT *eap_client, X *client_certificate,

src/Cedar/Proto.c

@@ -213,6 +213,8 @@ PROTO *ProtoNew(CEDAR *cedar)
 
 	AddRef(cedar->ref);
 
+	// WireGuard
+	Add(proto->Containers, ProtoContainerNew(WgsGetProtoImpl()));
 	// OpenVPN
 	Add(proto->Containers, ProtoContainerNew(OvsGetProtoImpl()));
 	// SSTP

src/Cedar/Proto_EtherIP.c

@@ -59,7 +59,7 @@ void EtherIPIpcConnectThread(THREAD *t, void *p)
 		EtherIPLog(s, "LE_START_IPC", id.HubName, id.UserName, mss);
 		ipc = NewIPC(s->Cedar, client_name,
 			(s->L2TPv3 ? ETHERIP_L2TPV3_POSTFIX : ETHERIP_POSTFIX),
-			id.HubName, id.UserName, id.Password,
+			id.HubName, id.UserName, id.Password, NULL,
 			&error_code,
 			&s->ClientIP, s->ClientPort,
 			&s->ServerIP, s->ServerPort,

src/Cedar/Proto_PPP.c

@@ -1519,7 +1519,7 @@ bool PPPProcessPAPRequestPacket(PPP_SESSION *p, PPP_PACKET *pp)
 								// Attempt to connect with IPC
 								UINT error_code;
 
-								ipc = NewIPC(p->Cedar, p->ClientSoftwareName, p->Postfix, hub, id, password,
+								ipc = NewIPC(p->Cedar, p->ClientSoftwareName, p->Postfix, hub, id, password, NULL,
 								             &error_code, &p->ClientIP, p->ClientPort, &p->ServerIP, p->ServerPort,
 								             p->ClientHostname, p->CryptName, false, p->AdjustMss, NULL, NULL,
 								             IPC_LAYER_3);
@@ -2844,7 +2844,7 @@ bool PPPParseMSCHAP2ResponsePacket(PPP_SESSION *p, PPP_PACKET *pp)
 			else if (p->Ipc == NULL)
 			{
 				Debug("MSCHAPv2 creating IPC\n");
-				ipc = NewIPC(p->Cedar, p->ClientSoftwareName, p->Postfix, hub, id, password,
+				ipc = NewIPC(p->Cedar, p->ClientSoftwareName, p->Postfix, hub, id, password, NULL,
 				             &error_code, &p->ClientIP, p->ClientPort, &p->ServerIP, p->ServerPort,
 				             p->ClientHostname, p->CryptName, false, p->AdjustMss, p->EapClient, NULL,
 				             +					IPC_LAYER_3);
@@ -3252,7 +3252,7 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapTlsSi
 
 				PPPParseUsername(p->Cedar, p->Eap_Identity, &d);
 
-				ipc = NewIPC(p->Cedar, p->ClientSoftwareName, p->Postfix, d.HubName, d.UserName, "",
+				ipc = NewIPC(p->Cedar, p->ClientSoftwareName, p->Postfix, d.HubName, d.UserName, "", NULL,
 				             &error_code, &p->ClientIP, p->ClientPort, &p->ServerIP, p->ServerPort,
 				             p->ClientHostname, p->CryptName, false, p->AdjustMss, NULL, p->Eap_TlsCtx.ClientCert.X,
 				             IPC_LAYER_3);

src/Cedar/Proto_WireGuard.h

@@ -0,0 +1,209 @@
+#ifndef PROTO_WIREGUARD_H
+#define PROTO_WIREGUARD_H
+
+#include <sodium.h>
+
+#define WG_IPC_POSTFIX "WIREGUARD"
+
+#define WG_CIPHER "ChaCha20-Poly1305"
+
+#define WG_CONSTRUCTION "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"
+#define WG_IDENTIFIER "WireGuard v1 zx2c4 Jason@zx2c4.com"
+#define WG_LABEL_COOKIE "cookie--"
+#define WG_LABEL_MAC1 "mac1----"
+
+#define WG_MAX_INITIATIONS_PER_SECOND 50
+
+#define WG_KEEPALIVE_TIMEOUT 10000 // 10 seconds
+#define WG_INITIATION_GIVEUP 30000 // 30 seconds
+
+#define WG_REJECT_AFTER_TIME 180000 // 180 seconds
+#define WG_REJECT_AFTER_MESSAGES (UINT64_MAX - 16 - 1)
+
+#define WG_KEY_SIZE crypto_aead_chacha20poly1305_ietf_KEYBYTES
+#define WG_IV_SIZE crypto_aead_chacha20poly1305_ietf_NPUBBYTES
+#define WG_TAG_SIZE crypto_aead_chacha20poly1305_ietf_ABYTES
+
+#define WG_COOKIE_IV_SIZE crypto_aead_xchacha20poly1305_ietf_NPUBBYTES
+#define WG_COOKIE_TAG_SIZE crypto_aead_xchacha20poly1305_ietf_ABYTES
+
+#define WG_HASH_SIZE 32
+#define WG_BLOCK_SIZE 16
+#define WG_COOKIE_SIZE 16
+#define WG_TIMESTAMP_SIZE (sizeof(UINT64) + sizeof(UINT))
+
+#define WG_KEY_BASE64_SIZE (sodium_base64_ENCODED_LEN(WG_KEY_SIZE, sodium_base64_VARIANT_ORIGINAL))
+
+#define WG_AEAD_SIZE(plain_size) (plain_size + WG_TAG_SIZE)
+#define WG_PLAIN_SIZE(aead_size) (aead_size - WG_TAG_SIZE)
+
+// RFC 6479
+#define WG_REPLAY_WINDOW_SIZE 1024
+#define WG_REPLAY_BITMAP_SIZE (WG_REPLAY_WINDOW_SIZE / (sizeof(int) * 8))
+#define WG_REPLAY_BITMAP_INDEX_MASK (WG_REPLAY_BITMAP_SIZE - 1)
+#define WG_REPLAY_REDUNDANT_BIT_SHIFTS 5
+#define WG_REPLAY_REDUNDANT_BITS (1 << WG_REPLAY_REDUNDANT_BIT_SHIFTS)
+#define WG_REPLAY_BITMAP_LOC_MASK (WG_REPLAY_REDUNDANT_BITS - 1)
+
+typedef enum WG_MSG_TYPE
+{
+	WG_MSG_INVALID = 0,
+	WG_MSG_HANDSHAKE_INIT,
+	WG_MSG_HANDSHAKE_REPLY,
+	WG_MSG_HANDSHAKE_COOKIE,
+	WG_MSG_TRANSPORT_DATA
+} WG_MSG_TYPE;
+
+typedef enum WG_KEYPAIR_STATE
+{
+	WG_KEYPAIR_INVALID = 0,
+	WG_KEYPAIR_INITIATED,
+	WG_KEYPAIR_CONFIRMED
+} WG_KEYPAIR_STATE;
+
+typedef struct WG_HEADER
+{
+	BYTE Type;
+	BYTE Reserved[3];
+} WG_HEADER;
+
+typedef struct WG_COMMON
+{
+	WG_HEADER Header;
+	UINT Index;
+} WG_COMMON;
+
+typedef struct WG_MACS
+{
+	BYTE Mac1[WG_COOKIE_SIZE];
+	BYTE Mac2[WG_COOKIE_SIZE];
+} WG_MACS;
+
+typedef struct WG_HANDSHAKE_INIT
+{
+	WG_HEADER Header;
+	UINT SenderIndex;
+	BYTE UnencryptedEphemeral[WG_KEY_SIZE];
+	BYTE EncryptedStatic[WG_AEAD_SIZE(WG_KEY_SIZE)];
+	BYTE EncryptedTimestamp[WG_AEAD_SIZE(WG_TIMESTAMP_SIZE)];
+	WG_MACS Macs;
+} WG_HANDSHAKE_INIT;
+
+typedef struct WG_HANDSHAKE_REPLY
+{
+	WG_HEADER Header;
+	UINT SenderIndex;
+	UINT ReceiverIndex;
+	BYTE UnencryptedEphemeral[WG_KEY_SIZE];
+	BYTE EncryptedNothing[WG_AEAD_SIZE(0)];
+	WG_MACS Macs;
+} WG_HANDSHAKE_REPLY;
+
+typedef struct WG_COOKIE_REPLY
+{
+	WG_HEADER Header;
+	UINT ReceiverIndex;
+	BYTE Nonce[WG_COOKIE_IV_SIZE];
+	BYTE EncryptedCookie[WG_COOKIE_SIZE + WG_COOKIE_TAG_SIZE];
+} WG_COOKIE_REPLY;
+
+typedef struct WG_TRANSPORT_DATA
+{
+	WG_HEADER Header;
+	UINT ReceiverIndex;
+	UINT64 Counter;
+	BYTE EncapsulatedPacket[];
+} WG_TRANSPORT_DATA;
+
+typedef struct WG_KEYPAIR
+{
+	WG_KEYPAIR_STATE State;
+	UINT64 CreationTime;
+	UINT IndexLocal;
+	UINT IndexRemote;
+	UINT64 CounterLocal;
+	UINT64 CounterRemote;
+	BYTE KeyLocal[WG_KEY_SIZE];
+	BYTE KeyRemote[WG_KEY_SIZE];
+	UINT64 ReplayWindow[WG_REPLAY_WINDOW_SIZE];
+} WG_KEYPAIR;
+
+typedef struct WG_KEYPAIRS
+{
+	WG_KEYPAIR *Current;
+	WG_KEYPAIR *Next;
+	WG_KEYPAIR *Previous;
+} WG_KEYPAIRS;
+
+typedef struct WG_SESSION
+{
+	WG_KEYPAIRS Keypairs;
+	IPC *IPC;
+	IP IPLocal;
+	IP IPRemote;
+	USHORT PortLocal;
+	USHORT PortRemote;
+	UINT64 LastInitiationReceived;
+	UINT64 LastDataReceived;
+	UINT64 LastDataSent;
+	BYTE StaticRemote[WG_KEY_SIZE];
+	BYTE LastTimestamp[WG_TIMESTAMP_SIZE];
+	BYTE Hash[WG_HASH_SIZE];
+	BYTE ChainingKey[WG_HASH_SIZE];
+	BYTE PrecomputedStaticStatic[WG_KEY_SIZE];
+} WG_SESSION;
+
+typedef struct WG_SERVER
+{
+	UINT64 Now;
+	UINT64 CreationTime;
+	WG_SESSION Session;
+	CEDAR *Cedar;
+	SOCK_EVENT *SockEvent;
+	INTERRUPT_MANAGER *InterruptManager;
+	BYTE PresharedKey[WG_KEY_SIZE];
+	BYTE StaticPublic[WG_KEY_SIZE];
+	BYTE StaticPrivate[WG_KEY_SIZE];
+	BYTE HandshakeInitHash[WG_HASH_SIZE];
+	BYTE HandshakeInitChainingKey[WG_HASH_SIZE];
+} WG_SERVER;
+
+const PROTO_IMPL *WgsGetProtoImpl();
+const char *WgsName();
+const PROTO_OPTION *WgsOptions();
+char *WgsOptionStringValue(const char *name);
+bool WgsInit(void **param, const LIST *options, CEDAR *cedar, INTERRUPT_MANAGER *im, SOCK_EVENT *se, const char *cipher, const char *hostname);
+void WgsFree(void *param);
+bool WgsIsPacketForMe(const PROTO_MODE mode, const void *data, const UINT size);
+bool WgsProcessDatagrams(void *param, LIST *in, LIST *out);
+
+void WgsLog(const WG_SERVER *server, const char *name, ...);
+
+WG_MSG_TYPE WgsDetectMessageType(const void *data, const UINT size);
+
+UINT WgsMSS(const WG_SESSION *session);
+
+IPC *WgsIPCNew(WG_SERVER *server);
+
+WG_KEYPAIR *WgsProcessHandshakeInit(WG_SERVER *server, const WG_HANDSHAKE_INIT *init, BYTE *ephemeral_remote);
+WG_HANDSHAKE_REPLY *WgsCreateHandshakeReply(WG_SERVER *server, WG_KEYPAIR *keypair, const BYTE *ephemeral_remote);
+
+bool WgsProcessTransportData(WG_SERVER *server, WG_TRANSPORT_DATA *data, const UINT size);
+WG_TRANSPORT_DATA *WgsCreateTransportData(WG_SERVER *server, const void *data, const UINT size, UINT *final_size);
+
+bool WgsIsInReplayWindow(const WG_KEYPAIR *keypair, const UINT64 counter);
+void WgsUpdateReplayWindow(WG_KEYPAIR *keypair, const UINT64 counter);
+
+UINT WgsEncryptData(void *key, const UINT64 counter, void *dst, const void *src, const UINT src_size);
+UINT WgsDecryptData(void *key, const UINT64 counter, void *dst, const void *src, const UINT src_size);
+
+bool WgsEncryptWithHash(void *dst, const void *src, const UINT src_size, BYTE *hash, const BYTE *key);
+bool WgsDecryptWithHash(void *dst, const void *src, const UINT src_size, BYTE *hash, const BYTE *key);
+
+void WgsEphemeral(BYTE *ephemeral_dst, const BYTE *ephemeral_src, BYTE *chaining_key, BYTE *hash);
+void WgsHKDF(BYTE *dst_1, BYTE *dst_2, BYTE *dst_3, const BYTE *data, const UINT data_size, const BYTE *chaining_key);
+
+void WgsMixHash(void *dst, const void *src, const UINT size);
+bool WgsMixDh(BYTE *chaining_key, BYTE *key, const BYTE *priv, const BYTE *pub);
+
+#endif

src/Cedar/Protocol.c

@@ -1330,12 +1330,45 @@ bool ServerAccept(CONNECTION *c)
 			goto CLEANUP;
 		}
 
-
-
-		// Login
-		if (GetHubnameAndUsernameFromPack(p, username, sizeof(username), hubname, sizeof(hubname)) == false)
+		// Get authentication method and initiate login process
+		authtype = GetAuthTypeFromPack(p);
+		if (authtype == AUTHTYPE_WIREGUARD_KEY)
+		{
+			WGK *wgk, tmp;
+			bool ok = false;
+
+			if (PackGetStr(p, "key", tmp.Key, sizeof(tmp.Key)) == false)
+			{
+				FreePack(p);
+				c->Err = ERR_PROTOCOL_ERROR;
+				error_detail = "GetWireGuardKeyFromPack";
+				goto CLEANUP;
+			}
+
+			LockList(c->Cedar->WgkList);
+			{
+				wgk = Search(c->Cedar->WgkList, &tmp);
+				if (wgk != NULL)
+				{
+					ok = true;
+					StrCpy(hubname, sizeof(hubname), wgk->Hub);
+					StrCpy(username, sizeof(username), wgk->User);
+					StrCpy(node.HubName, sizeof(node.HubName), hubname);
+				}
+			}
+			UnlockList(c->Cedar->WgkList);
+
+			if (ok == false)
+			{
+				FreePack(p);
+				c->Err = ERR_AUTH_FAILED;
+				SLog(c->Cedar, "LS_WG_KEY_NOT_FOUND", c->Name, hubname);
+				error_detail = "ERR_AUTH_FAILED";
+				goto CLEANUP;
+			}
+		}
+		else if (GetHubnameAndUsernameFromPack(p, username, sizeof(username), hubname, sizeof(hubname)) == false)
 		{
-			// Protocol error
 			FreePack(p);
 			c->Err = ERR_PROTOCOL_ERROR;
 			error_detail = "GetHubnameAndUsernameFromPack";
@@ -1345,9 +1378,7 @@ bool ServerAccept(CONNECTION *c)
 		if (farm_member)
 		{
 			bool ok = false;
-			UINT authtype;
 
-			authtype = GetAuthTypeFromPack(p);
 			if (StrCmpi(username, ADMINISTRATOR_USERNAME) == 0 &&
 				authtype == AUTHTYPE_PASSWORD)
 			{
@@ -1600,9 +1631,6 @@ bool ServerAccept(CONNECTION *c)
 				PackGetData(p, "unique_id", unique);
 			}
 
-			// Get the authentication method
-			authtype = GetAuthTypeFromPack(p);
-
 			if (1)
 			{
 				// Log
@@ -1622,12 +1650,15 @@ bool ServerAccept(CONNECTION *c)
 				case CLIENT_AUTHTYPE_CERT:
 					authtype_str = _UU("LH_AUTH_CERT");
 					break;
-				case AUTHTYPE_TICKET:
-					authtype_str = _UU("LH_AUTH_TICKET");
+				case AUTHTYPE_WIREGUARD_KEY:
+					authtype_str = _UU("LH_AUTH_WIREGUARD_KEY");
 					break;
 				case AUTHTYPE_OPENVPN_CERT:
 					authtype_str = _UU("LH_AUTH_OPENVPN_CERT");
 					break;
+				case AUTHTYPE_TICKET:
+					authtype_str = _UU("LH_AUTH_TICKET");
+					break;
 				}
 				IPToStr(ip1, sizeof(ip1), &c->FirstSock->RemoteIP);
 				IPToStr(ip2, sizeof(ip2), &c->FirstSock->LocalIP);
@@ -1640,7 +1671,6 @@ bool ServerAccept(CONNECTION *c)
 
 			// Attempt an anonymous authentication first
 			auth_ret = SamAuthUserByAnonymous(hub, username);
-
 			if (auth_ret)
 			{
 				if (c->IsInProc)
@@ -1734,8 +1764,6 @@ bool ServerAccept(CONNECTION *c)
 
 				if (auth_ret)
 				{
-					// User authentication success by anonymous authentication
-					HLog(hub, "LH_AUTH_OK", c->Name, username);
 					is_empty_password = true;
 				}
 			}
@@ -1961,6 +1989,24 @@ bool ServerAccept(CONNECTION *c)
 					}
 					break;
 
+				case AUTHTYPE_WIREGUARD_KEY:
+					// We already retrieved the hubname and username associated with the key.
+					// Now we only have to verify that the user effectively exists.
+					if (c->IsInProc)
+					{
+						auth_ret = SamIsUser(hub, username);
+					}
+					else
+					{
+						// WireGuard public key authentication cannot be used directly by external clients.
+						Unlock(hub->lock);
+						ReleaseHub(hub);
+						FreePack(p);
+						c->Err = ERR_AUTHTYPE_NOT_SUPPORTED;
+						goto CLEANUP;
+					}
+					break;
+
 				case AUTHTYPE_OPENVPN_CERT:
 					// For OpenVPN; mostly same as CLIENT_AUTHTYPE_CERT, but without
 					// signature verification, because it was already performed during TLS handshake.
@@ -2014,25 +2060,14 @@ bool ServerAccept(CONNECTION *c)
 					error_detail = "ERR_AUTHTYPE_NOT_SUPPORTED";
 					goto CLEANUP;
 				}
-
-				if (auth_ret == false)
-				{
-					// Get client IP to feed tools such as Fail2Ban
-					char ip[64];
-					IPToStr(ip, sizeof(ip), &c->FirstSock->RemoteIP);
-					// Authentication failure
-					HLog(hub, "LH_AUTH_NG", c->Name, username, ip);
-				}
-				else
-				{
-					// Authentication success
-					HLog(hub, "LH_AUTH_OK", c->Name, username);
-				}
 			}
 
 			if (auth_ret == false)
 			{
-				// Authentication failure
+				char ip[64];
+				IPToStr(ip, sizeof(ip), &c->FirstSock->RemoteIP);
+				HLog(hub, "LH_AUTH_NG", c->Name, username, ip);
+
 				Unlock(hub->lock);
 				ReleaseHub(hub);
 				FreePack(p);
@@ -2046,13 +2081,12 @@ bool ServerAccept(CONNECTION *c)
 			}
 			else
 			{
-				if(is_empty_password)
+				if (is_empty_password)
 				{
-					SOCK *s = c->FirstSock;
+					const SOCK *s = c->FirstSock;
 					if (s != NULL && s->RemoteIP.addr[0] != 127)
 					{
-						if(StrCmpi(username, ADMINISTRATOR_USERNAME) == 0 || 
-							GetHubAdminOption(hub, "deny_empty_password") != 0)
+						if (StrCmpi(username, ADMINISTRATOR_USERNAME) == 0 || GetHubAdminOption(hub, "deny_empty_password") != 0)
 						{
 							// When the password is empty, remote connection is not acceptable
 							HLog(hub, "LH_LOCAL_ONLY", c->Name, username);
@@ -2066,6 +2100,8 @@ bool ServerAccept(CONNECTION *c)
 						}
 					}
 				}
+
+				HLog(hub, "LH_AUTH_OK", c->Name, username);
 			}
 
 			policy = NULL;
@@ -6592,6 +6628,24 @@ PACK *PackLoginWithPlainPassword(char *hubname, char *username, void *plain_pass
 	return p;
 }
 
+// Generate a packet of WireGuard key login
+PACK *PackLoginWithWireGuardKey(char *key)
+{
+	PACK *p;
+	// Validate arguments
+	if (key == NULL)
+	{
+		return NULL;
+	}
+
+	p = NewPack();
+	PackAddStr(p, "method", "login");
+	PackAddInt(p, "authtype", AUTHTYPE_WIREGUARD_KEY);
+	PackAddStr(p, "key", key);
+
+	return p;
+}
+
 // Generate a packet of OpenVPN certificate login
 PACK *PackLoginWithOpenVPNCertificate(char *hubname, char *username, X *x)
 {

src/Cedar/Protocol.h

@@ -134,6 +134,7 @@ PACK *PackLoginWithAnonymous(char *hubname, char *username);
 PACK *PackLoginWithPassword(char *hubname, char *username, void *secure_password);
 PACK *PackLoginWithPlainPassword(char *hubname, char *username, void *plain_password);
 PACK *PackLoginWithCert(char *hubname, char *username, X *x, void *sign, UINT sign_size);
+PACK *PackLoginWithWireGuardKey(char *key);
 PACK *PackLoginWithOpenVPNCertificate(char *hubname, char *username, X *x);
 bool GetMethodFromPack(PACK *p, char *method, UINT size);
 bool GetHubnameAndUsernameFromPack(PACK *p, char *username, UINT username_size,

src/Cedar/Server.c

@@ -402,6 +402,11 @@ void SiCheckDeadLockMain(SERVER *s, UINT timeout)
 			CheckDeadLock(cedar->CaList->lock, timeout, "cedar->CaList->lock");
 		}
 
+		if (cedar->WgkList != NULL)
+		{
+			CheckDeadLock(cedar->WgkList->lock, timeout, "cedar->WgkList->lock");
+		}
+
 		if (cedar->TrafficLock != NULL)
 		{
 			CheckDeadLock(cedar->TrafficLock, timeout, "cedar->TrafficLock");
@@ -2677,16 +2682,13 @@ bool SiIsAzureSupported(SERVER *s)
 // Read the server settings from the CFG
 bool SiLoadConfigurationCfg(SERVER *s, FOLDER *root)
 {
-	FOLDER *f1, *f2, *f3, *f4, *f5, *f6, *f7, *f8, *f;
+	FOLDER *f1, *f2, *f3, *f4, *f5, *f6, *f7, *f8, *f9;
 	// Validate arguments
 	if (s == NULL || root == NULL)
 	{
 		return false;
 	}
 
-	f = NULL;
-
-
 	f1 = CfgGetFolder(root, "ServerConfiguration");
 	f2 = CfgGetFolder(root, "VirtualHUB");
 	f3 = CfgGetFolder(root, "ListenerList");
@@ -2695,6 +2697,7 @@ bool SiLoadConfigurationCfg(SERVER *s, FOLDER *root)
 	f6 = CfgGetFolder(root, "LicenseManager");
 	f7 = CfgGetFolder(root, "IPsec");
 	f8 = CfgGetFolder(root, "DDnsClient");
+	f9 = CfgGetFolder(root, "WireGuardKeyList");
 
 	if (f1 == NULL)
 	{
@@ -2736,6 +2739,30 @@ bool SiLoadConfigurationCfg(SERVER *s, FOLDER *root)
 
 	if (s->ServerType != SERVER_TYPE_FARM_MEMBER)
 	{
+		TOKEN_LIST *t = CfgEnumFolderToTokenList(f9);
+		if (t != NULL)
+		{
+			LockList(s->Cedar->WgkList);
+			{
+				UINT i;
+				for (i = 0; i < t->NumTokens; ++i)
+				{
+					const char *name = t->Token[i];
+					FOLDER *f = CfgGetFolder(f9, name);
+					if (f != NULL)
+					{
+						WGK *wgk = Malloc(sizeof(WGK));
+						StrCpy(wgk->Key, sizeof(wgk->Key), name);
+						CfgGetStr(f, "Hub", wgk->Hub, sizeof(wgk->Hub));
+						CfgGetStr(f, "User", wgk->User, sizeof(wgk->User));
+						Add(s->Cedar->WgkList, wgk);
+					}
+				}
+			}
+			UnlockList(s->Cedar->WgkList);
+			FreeToken(t);
+		}
+
 		SiLoadHubs(s, f2);
 	}
 
@@ -3102,9 +3129,28 @@ FOLDER *SiWriteConfigurationToCfg(SERVER *s)
 
 	SiWriteServerCfg(CfgCreateFolder(root, "ServerConfiguration"), s);
 
-
 	if (s->UpdatedServerType != SERVER_TYPE_FARM_MEMBER)
 	{
+		FOLDER *f = CfgCreateFolder(root, "WireGuardKeyList");
+		if (f != NULL)
+		{
+			LockList(s->Cedar->WgkList);
+			{
+				UINT i;
+				for (i = 0; i < LIST_NUM(s->Cedar->WgkList); ++i)
+				{
+					WGK *wgk = LIST_DATA(s->Cedar->WgkList, i);
+					FOLDER *ff = CfgCreateFolder(f, wgk->Key);
+					if (ff != NULL)
+					{
+						CfgAddStr(ff, "Hub", wgk->Hub);
+						CfgAddStr(ff, "User", wgk->User);
+					}
+				}
+			}
+			UnlockList(s->Cedar->WgkList);
+		}
+
 		SiWriteHubs(CfgCreateFolder(root, "VirtualHUB"), s);
 	}
 
@@ -10301,6 +10347,27 @@ int CompareHubList(void *p1, void *p2)
 	return StrCmpi(h1->Name, h2->Name);
 }
 
+// Search in WireGuard key list
+int CompareWgk(void *p1, void *p2)
+{
+	WGK *wgk_1, *wgk_2;
+
+	if (p1 == NULL || p2 == NULL)
+	{
+		return (p1 == NULL && p2 == NULL ? 0 : (p1 == NULL ? -1 : 1));
+	}
+
+	wgk_1 = *(WGK **)p1;
+	wgk_2 = *(WGK **)p2;
+
+	if (wgk_1 == NULL || wgk_2 == NULL)
+	{
+		return (wgk_1 == NULL && wgk_2 == NULL ? 0 : (wgk_1 == NULL ? -1 : 1));
+	}
+
+	return StrCmp(wgk_1->Key, wgk_2->Key);
+}
+
 // Connection thread to the controller
 void SiConnectToControllerThread(THREAD *thread, void *param)
 {

src/Cedar/Server.h

@@ -150,6 +150,14 @@ struct OPENVPN_SSTP_CONFIG
 	bool EnableSSTP;						// SSTP is enabled
 };
 
+// WireGuard key structure
+struct WGK
+{
+	char Key[WG_KEY_BASE64_SIZE];
+	char Hub[MAX_HUBNAME_LEN + 1];
+	char User[MAX_USERNAME_LEN + 1];
+};
+
 // Server object
 struct SERVER
 {
@@ -631,6 +639,8 @@ void SiUpdateCurrentRegion(CEDAR *c, char *region, bool force_update);
 void SiGetCurrentRegion(CEDAR *c, char *region, UINT region_size);
 bool SiIsEnterpriseFunctionsRestrictedOnOpenSource(CEDAR *c);
 
+int CompareWgk(void *p1, void *p2);
+
 #endif	// SERVER_H
 
 

src/bin/hamcore/strtable_cn.stb

@@ -1786,6 +1786,7 @@ LS_SSL_START				连接 "%S" 的 SSL 通信已启动。加密算法名为 "%S"。
 LS_CONNECTION_ERROR			连接 "%S"因原因 "%s" (代码 %u)已终止。
 LS_FARMMEMBER_NOT_ADMIN		连接 "%S": 服务端是群集成员，但客户端在非管理员 (%S) 用户情况下，尝试直接与虚拟 HUB "%S" 连接。客户端用户名为 "%S"。访问被拒绝。
 LS_HUB_NOT_FOUND			连接 "%S": 客户端正在尝试连接的虚拟 HUB "%S" 在服务端上不存在。
+LS_WG_KEY_NOT_FOUND			Connection "%S": The WireGuard key is not associated with a user on the server.
 LS_IP_DENIED				连接 "%S": 基于虚拟 HUB 上定义的源 IP 访问限制列表，客户端的源 IP 地址 "%S" 被拒绝。
 LS_LICENSE_ERROR			连接 "%S": 因为发生许可证相关错误，客户端无法连接到服务端。
 LS_BETA_EXPIRES				SoftEther VPN Server 测试版已过期。测试版使用期限已到。请从 http://selinks.org/ 下载新的测试版或完整版。
@@ -1817,6 +1818,16 @@ LP_SESSION_CREATED		Session created.
 LP_SESSION_DELETED		Session deleted.
 
 
+# (WireGuard log)
+LW_PREFIX_SESSION	[WireGuard] %r:%u -> %r:%u: 
+LW_KEYPAIR_EXPIRED	Current keypair (%x -> %x) is expired!
+LW_KEYPAIR_UNKNOWN	The packet was encrypted with an unknown keypair!
+LW_DECRYPT_FAIL		Decryption failure!
+LW_REPLAY_ATTACK	Replay attack detected!
+LW_FLOOD_ATTACK		Flood attack detected!
+LW_HUB_DISCONNECT	The administrator of the Virtual Hub has disconnected this session.
+
+
 # (OpenVPN Logs)
 LO_PREFIX_RAW			OpenVPN 模块:
 LO_PREFIX_SESSION		OpenVPN 会话%u (%r:%u -> %r:%u):
@@ -1919,7 +1930,8 @@ LH_AUTH_PASSWORD			密码验证
 LH_AUTH_PLAIN_PASSWORD		外部服务器身份验证
 LH_AUTH_CERT				证书验证
 LH_AUTH_TICKET				票证验证
-LH_AUTH_OPENVPN_CERT    OpenVPN certificate authentication
+LH_AUTH_WIREGUARD_KEY		WireGuard public key authentication
+LH_AUTH_OPENVPN_CERT		OpenVPN certificate authentication
 LH_AUTH_RADIUS_NOT_SUPPORT	连接 "%S": 用户 "%S" 身份验证方法 RADIUS 或 Active Directory (NT 域)，但 VPN Server 是 "%S"，因为 RADIUS 或 Active Directory (NT 域)不能使用。连接被拒绝。
 LH_AUTH_RADIUS_NOT_SUPPORT_ON_OPEN_SOURCE	"%S" 的连接方法: 用户 "%S" 的身份验证方法被指定为 RADIUS 身份验证或 Active Directory 身份验证 (NT 域验证)。然而，这样一个外部用户身份验证功能尚未在 SoftEther VPN 的开源版本上实施。该连接将被拒绝。
 LH_AUTH_CERT_NOT_SUPPORT_ON_OPEN_SOURCE	"%S" 的连接方法: 用户 "%S" 的身份验证方法被指定为证书认证。然而，证书验证功能尚未在 SoftEther VPN 的开源版本上实施。该连接将被拒绝。

src/bin/hamcore/strtable_en.stb

@@ -1769,6 +1769,7 @@ LS_SSL_START			SSL communication for connection "%S" has been started. The encry
 LS_CONNECTION_ERROR		Connection "%S" terminated by the cause "%s" (code %u).
 LS_FARMMEMBER_NOT_ADMIN	Connection "%S": Although the server is a cluster member, the client attempted that to directly connect to the Virtual Hub "%S" while not being administrator user "%S". The user name provided by the client is "%S". Access is refused.
 LS_HUB_NOT_FOUND		Connection "%S": Virtual Hub "%S" that the client is trying to connect to does not exist on the server.
+LS_WG_KEY_NOT_FOUND		Connection "%S": The WireGuard key is not associated with a user on the server.
 LS_IP_DENIED			Connection "%S": The source IP address "%S" of the client has refused based on the Source IP Address Limit List defined for the Virtual Hub.
 LS_LICENSE_ERROR		Connection "%S": Because a license-related error has been occurred, the client is unable to connect to the server.
 LS_BETA_EXPIRES			This beta version of SoftEther VPN Server is expired. The beta version period of use has expired. Download a new beta version or full version from http://selinks.org/.
@@ -1800,6 +1801,16 @@ LP_SESSION_CREATED		Session created.
 LP_SESSION_DELETED		Session deleted.
 
 
+# (WireGuard log)
+LW_PREFIX_SESSION	[WireGuard] %r:%u -> %r:%u: 
+LW_KEYPAIR_EXPIRED	Current keypair (%x -> %x) is expired!
+LW_KEYPAIR_UNKNOWN	The packet was encrypted with an unknown keypair!
+LW_DECRYPT_FAIL		Decryption failure!
+LW_REPLAY_ATTACK	Replay attack detected!
+LW_FLOOD_ATTACK		Flood attack detected!
+LW_HUB_DISCONNECT	The administrator of the Virtual Hub has disconnected this session.
+
+
 # (OpenVPN Logs)
 LO_PREFIX_RAW			OpenVPN Module: 
 LO_PREFIX_SESSION		OpenVPN Session %u (%r:%u -> %r:%u): 
@@ -1902,7 +1913,8 @@ LH_AUTH_PASSWORD		Password authentication
 LH_AUTH_PLAIN_PASSWORD	External server authentication
 LH_AUTH_CERT			Certificate authentication
 LH_AUTH_TICKET			Ticket authentication
-LH_AUTH_OPENVPN_CERT    OpenVPN certificate authentication
+LH_AUTH_WIREGUARD_KEY	WireGuard public key authentication
+LH_AUTH_OPENVPN_CERT	OpenVPN certificate authentication
 LH_AUTH_RADIUS_NOT_SUPPORT	Connection "%S": The authentication method of the user "%S" has been specified as RADIUS Authentication or Active Directory Authentication (NT Domain Authentication). However, the edition of the VPN Server is "%S". This edition does not support RADIUS Authentication nor Active Directory Authentication (NT Domain Authentication). The connection will be denied.
 LH_AUTH_RADIUS_NOT_SUPPORT_ON_OPEN_SOURCE	Connection "%S": The authentication method of the user "%S" has been specified as RADIUS Authentication or Active Directory Authentication (NT Domain Authentication). However, such an external user-authentication function hasn't been implemented on the Open-Source version of SoftEther VPN yet. The connection will be denied.
 LH_AUTH_CERT_NOT_SUPPORT_ON_OPEN_SOURCE	Connection "%S": The authentication method of the user "%S" has been specified as Certificate Authentication. However, the Certificate Authentication function hasn't been implemented on the Open-Source version of SoftEther VPN yet. The connection will be denied.

src/bin/hamcore/strtable_ja.stb

@@ -1773,6 +1773,7 @@ LS_SSL_START			コネクション "%S" に対する SSL 通信が開始されま
 LS_CONNECTION_ERROR		コネクション "%S" は理由 "%s" (コード %u) で終了しました。
 LS_FARMMEMBER_NOT_ADMIN	コネクション "%S": サーバーはクラスタメンバですが、クライアントは仮想 HUB "%S" に管理者ユーザー "%S" 以外で直接接続しようと試みました。クライアントが提示したユーザー名は "%S" です。アクセスは許可されません。
 LS_HUB_NOT_FOUND		コネクション "%S": クライアントが接続しようとした仮想 HUB "%S" はサーバー上に存在しません。
+LS_WG_KEY_NOT_FOUND		Connection "%S": The WireGuard key is not associated with a user on the server.
 LS_IP_DENIED			コネクション "%S": クライアントの接続元 IP アドレス "%S" は、仮想 HUB に定義されている 接続元 IP 制限リストによって拒否されました。
 LS_LICENSE_ERROR		コネクション "%S": ライセンス上のエラーが発生したため、クライアントはサーバーに接続できませんでした。
 LS_BETA_EXPIRES			ライセンスエラーが発生しました。ベータ版の使用期限が終了しています。新しいベータ版または完成版を http://selinks.org/ からダウンロードしてください。
@@ -1797,11 +1798,23 @@ LS_API_AUTH_OK			HTTPS API クライアント "%r:%u" (%S): 管理モード: "%S
 LS_API_AUTH_ERROR		HTTPS API クライアント "%r:%u" (%S): 組み込み HTTPS Web サーバーを用いてログインに失敗しました。使用されたユーザー名: "%S", メソッド: "%S", パス: "%S"
 LS_API_RPC_CALL			HTTPS API クライアント "%r:%u" (%S): JSON-API を呼び出しました。メソッド名: "%S", 結果エラーコード: %u (0 = 成功), 結果エラーメッセージ: "%s"
 
+
 # (Proto ログ)
 LP_PREFIX_SESSION		[%s] %r:%u -> %r:%u (%s): 
 LP_SESSION_CREATED		Session created.
 LP_SESSION_DELETED		Session deleted.
 
+
+# (WireGuard ログ)
+LW_PREFIX_SESSION	[WireGuard] %r:%u -> %r:%u: 
+LW_KEYPAIR_EXPIRED	Current keypair (%x -> %x) is expired!
+LW_KEYPAIR_UNKNOWN	The packet was encrypted with an unknown keypair!
+LW_DECRYPT_FAIL		Decryption failure!
+LW_REPLAY_ATTACK	Replay attack detected!
+LW_FLOOD_ATTACK		Flood attack detected!
+LW_HUB_DISCONNECT	The administrator of the Virtual Hub has disconnected this session.
+
+
 # (OpenVPN ログ)
 LO_PREFIX_RAW			OpenVPN モジュール: 
 LO_PREFIX_SESSION		OpenVPN セッション %u (%r:%u -> %r:%u): 
@@ -1904,6 +1917,7 @@ LH_AUTH_PASSWORD		パスワード認証
 LH_AUTH_PLAIN_PASSWORD	外部サーバー認証
 LH_AUTH_CERT			証明書認証
 LH_AUTH_TICKET			チケット認証
+LH_AUTH_WIREGUARD_KEY	WireGuard public key authentication
 LH_AUTH_OPENVPN_CERT    OpenVPN 証明書認証
 LH_AUTH_RADIUS_NOT_SUPPORT	コネクション "%S": ユーザー "%S" の認証方法として RADIUS 認証または Active Directory 認証 (NT ドメイン認証) が指定されましたが、現在の VPN Server のエディションは "%S" であるため、RADIUS 認証または Active Directory 認証 (NT ドメイン認証) を使用することができません。接続は拒否されます。
 LH_AUTH_RADIUS_NOT_SUPPORT_ON_OPEN_SOURCE	コネクション "%S": ユーザー "%S" の認証方法として RADIUS 認証または Active Directory 認証 (NT ドメイン認証) が指定されましたが、RADIUS 認証または Active Directory 認証 (NT ドメイン認証) を使用することができません。この機能はオープンソース版 SoftEther VPN にはまだ実装されていません。接続は拒否されます。

src/bin/hamcore/strtable_ko.stb

@@ -1754,6 +1754,7 @@ LS_SSL_START 연결 "%S"에 대한 SSL 통신이 시작되었습니다. 암호
 LS_CONNECTION_ERROR 연결 "%S"는 이유로 "%s"(코드 %u)로 종료되었습니다.
 LS_FARMMEMBER_NOT_ADMIN 연결 "%S": 서버는 클러스터 멤버이지만, 클라이언트는 가상 HUB "%S"관리자 사용자 "%S"이외로 직접 연결하려고 시도했습니다. 클라이언트가 제공 한 사용자 이름은 "%S"입니다. 액세스는 허용되지 않습니다.
 LS_HUB_NOT_FOUND 연결 "%S": 클라이언트가 연결을 시도하는 가상 HUB "%S"는 서버에 존재하지 않습니다.
+LS_WG_KEY_NOT_FOUND Connection "%S": The WireGuard key is not associated with a user on the server.
 LS_IP_DENIED 연결 "%S": 클라이언트의 접근 IP 주소 "%S"는 가상 HUB에 정의 된 접근 IP 제한 목록에 의해 거부되었습니다.
 LS_LICENSE_ERROR 연결 "%S": 라이센스에 오류가 발생했기 때문에 클라이언트는 서버에 연결할 수 없습니다.
 LS_BETA_EXPIRES 라이센스 오류가 발생했습니다. 베타 사용 기간이 종료하고 있습니다. 새로운 베타 버전 또는 완성판을 http://selinks.org/에서 다운로드하십시오.
@@ -1785,6 +1786,16 @@ LP_SESSION_CREATED Session created.
 LP_SESSION_DELETED Session deleted.
 
 
+# (WireGuard 로그)
+LW_PREFIX_SESSION	[WireGuard] %r:%u -> %r:%u: 
+LW_KEYPAIR_EXPIRED	Current keypair (%x -> %x) is expired!
+LW_KEYPAIR_UNKNOWN	The packet was encrypted with an unknown keypair!
+LW_DECRYPT_FAIL		Decryption failure!
+LW_REPLAY_ATTACK	Replay attack detected!
+LW_FLOOD_ATTACK		Flood attack detected!
+LW_HUB_DISCONNECT	The administrator of the Virtual Hub has disconnected this session.
+
+
 # (OpenVPN 로그)
 LO_PREFIX_RAW OpenVPN 모듈:
 LO_PREFIX_SESSION OpenVPN 세션 %u (%r:%u -> %r:%u):
@@ -1884,6 +1895,8 @@ LH_AUTH_PASSWORD 암호 인증
 LH_AUTH_PLAIN_PASSWORD 외부 서버 인증
 LH_AUTH_CERT 인증서 인증
 LH_AUTH_TICKET 티켓 인증
+LH_AUTH_WIREGUARD_KEY WireGuard public key authentication
+LH_AUTH_OPENVPN_CERT OpenVPN certificate authentication
 LH_AUTH_RADIUS_NOT_SUPPORT 연결 "%S"사용자 "%S"의 인증 방법으로 RADIUS 인증 또는 Active Directory 인증 (NT 도메인 인증)이 지정 되었으나, 현재 VPN Server 버전은 "%S"이기 때문에 RADIUS 인증 또는 Active Directory 인증 (NT 도메인 인증)을 사용할 수 없습니다. 연결이 거부됩니다.
 LH_AUTH_RADIUS_NOT_SUPPORT_ON_OPEN_SOURCE 연결 "%S"사용자 "%S"의 인증 방법으로 RADIUS 인증 또는 Active Directory 인증 (NT 도메인 인증)이 지정되었습니다 만, RADIUS 인증 또는 Active Directory 인증 (NT 도메인 인증)을 사용할 수 수 없습니다. 이 기능은 오픈 소스 버전 SoftEther VPN은 아직 구현되어 있지 않습니다. 연결이 거부됩니다.
 LH_AUTH_CERT_NOT_SUPPORT_ON_OPEN_SOURCE 연결 "%S"사용자 "%S"의 인증 방법으로 인증서 인증을 지정했지만 인증서 인증을 사용 할 수 없습니다. 이 기능은 오픈 소스 버전 SoftEther VPN은 아직 구현되어 있지 않습니다. 연결이 거부됩니다.
@@ -7308,7 +7321,6 @@ SM_SNAT_IS_RAW		Raw IP mode NAT is Active
 LO_CLIENT_CERT		Client certificate received (subject: CN="%s"), will use certificate authentication.
 LO_CLIENT_UNVERIFIED_CERT	Client certificate was provided but did not pass verification (error="%S"), will use password authentication.
 LO_CLIENT_NO_CERT	Client certificate is not provided, will use password authentication.
-LH_AUTH_OPENVPN_CERT	OpenVPN certificate authentication
 CMD_AccessAddEx_REDIRECTURL	The specified URL will be mandatory replied to the client as a response for TCP connecting request packets which matches the conditions of this access list entry via this Virtual Hub. To use this setting, you can enforce the web browser of the VPN Client computer to show the specified web site when that web browser tries to access the specific IP address.
 CMD_AccessAddEx6_REDIRECTURL	The specified URL will be mandatory replied to the client as a response for TCP connecting request packets which matches the conditions of this access list entry via this Virtual Hub. To use this setting, you can enforce the web browser of the VPN Client computer to show the specified web site when that web browser tries to access the specific IP address.
 CMD_TrafficServer_NOHUP		When "yes" is specified, the server process never stops without regard to any input from the console. It is convenient when you want to run the TrafficServer endlessly.

src/bin/hamcore/strtable_pt_br.stb

@@ -1769,6 +1769,7 @@ LS_SSL_START	SSL communication for connection "%S" has been started. The encrypt
 LS_CONNECTION_ERROR	Connection "%S" terminated by the cause "%s" (code %u).
 LS_FARMMEMBER_NOT_ADMIN	Connection "%S": Although the server is a cluster member, the client attempted that to directly connect to the Virtual Hub "%S" while not being administrator user "%S". The user name provided by the client is "%S". Access is refused.
 LS_HUB_NOT_FOUND	Connection "%S": Virtual Hub "%S" that the client is trying to connect to does not exist on the server.
+LS_WG_KEY_NOT_FOUND	Connection "%S": The WireGuard key is not associated with a user on the server.
 LS_IP_DENIED	Connection "%S": The source IP address "%S" of the client has refused based on the Source IP Address Limit List defined for the Virtual Hub.
 LS_LICENSE_ERROR	Connection "%S": Because a license-related error has been occurred, the client is unable to connect to the server.
 LS_BETA_EXPIRES	This beta version of SoftEther VPN Server is expired. The beta version period of use has expired. Download a new beta version or full version from http://selinks.org/.
@@ -1800,6 +1801,16 @@ LP_SESSION_CREATED		Session created.
 LP_SESSION_DELETED		Session deleted.
 
 
+# (WireGuard log)
+LW_PREFIX_SESSION	[WireGuard] %r:%u -> %r:%u: 
+LW_KEYPAIR_EXPIRED	Current keypair (%x -> %x) is expired!
+LW_KEYPAIR_UNKNOWN	The packet was encrypted with an unknown keypair!
+LW_DECRYPT_FAIL		Decryption failure!
+LW_REPLAY_ATTACK	Replay attack detected!
+LW_FLOOD_ATTACK		Flood attack detected!
+LW_HUB_DISCONNECT	The administrator of the Virtual Hub has disconnected this session.
+
+
 # (OpenVPN Logs)
 LO_PREFIX_RAW	OpenVPN Module: 
 LO_PREFIX_SESSION	OpenVPN Session %u (%r:%u -> %r:%u): 
@@ -1902,7 +1913,8 @@ LH_AUTH_PASSWORD	Senha
 LH_AUTH_PLAIN_PASSWORD	External server authentication
 LH_AUTH_CERT	Certificate authentication
 LH_AUTH_TICKET	Ticket authentication
-LH_AUTH_OPENVPN_CERT  OpenVPN certificate authentication
+LH_AUTH_WIREGUARD_KEY	WireGuard public key authentication
+LH_AUTH_OPENVPN_CERT	OpenVPN certificate authentication
 LH_AUTH_RADIUS_NOT_SUPPORT	Connection "%S": The authentication method of the user "%S" has been specified as RADIUS Authentication or Active Directory Authentication (NT Domain Authentication). However, the edition of the VPN Server is "%S". This edition does not support RADIUS Authentication nor Active Directory Authentication (NT Domain Authentication). The connection will be denied.
 LH_AUTH_RADIUS_NOT_SUPPORT_ON_OPEN_SOURCE	Connection "%S": The authentication method of the user "%S" has been specified as RADIUS Authentication or Active Directory Authentication (NT Domain Authentication). However, such an external user-authentication function hasn't been implemented on the Open-Source version of SoftEther VPN yet. The connection will be denied.
 LH_AUTH_CERT_NOT_SUPPORT_ON_OPEN_SOURCE	Connection "%S": The authentication method of the user "%S" has been specified as Certificate Authentication. However, the Certificate Authentication function hasn't been implemented on the Open-Source version of SoftEther VPN yet. The connection will be denied.

src/bin/hamcore/strtable_ru.stb

@@ -1769,6 +1769,7 @@ LS_SSL_START			SSL communication for connection "%S" has been started. The encry
 LS_CONNECTION_ERROR		Connection "%S" terminated by the cause "%s" (code %u).
 LS_FARMMEMBER_NOT_ADMIN	Connection "%S": Although the server is a cluster member, the client attempted that to directly connect to the Virtual Hub "%S" while not being administrator user "%S". The user name provided by the client is "%S". Access is refused.
 LS_HUB_NOT_FOUND		Connection "%S": Virtual Hub "%S" that the client is trying to connect to does not exist on the server.
+LS_WG_KEY_NOT_FOUND		Connection "%S": The WireGuard key is not associated with a user on the server.
 LS_IP_DENIED			Connection "%S": The source IP address "%S" of the client has refused based on the Source IP Address Limit List defined for the Virtual Hub.
 LS_LICENSE_ERROR		Connection "%S": Because a license-related error has been occurred, the client is unable to connect to the server.
 LS_BETA_EXPIRES			This beta version of SoftEther VPN Server is expired. The beta version period of use has expired. Download a new beta version or full version from http://selinks.org/.
@@ -1800,6 +1801,16 @@ LP_SESSION_CREATED		Session created.
 LP_SESSION_DELETED		Session deleted.
 
 
+# (WireGuard log)
+LW_PREFIX_SESSION	[WireGuard] %r:%u -> %r:%u: 
+LW_KEYPAIR_EXPIRED	Current keypair (%x -> %x) is expired!
+LW_KEYPAIR_UNKNOWN	The packet was encrypted with an unknown keypair!
+LW_DECRYPT_FAIL		Decryption failure!
+LW_REPLAY_ATTACK	Replay attack detected!
+LW_FLOOD_ATTACK		Flood attack detected!
+LW_HUB_DISCONNECT	The administrator of the Virtual Hub has disconnected this session.
+
+
 # (OpenVPN Logs)
 LO_PREFIX_RAW			OpenVPN Module: 
 LO_PREFIX_SESSION		OpenVPN Session %u (%r:%u -> %r:%u): 
@@ -1902,7 +1913,8 @@ LH_AUTH_PASSWORD		Password authentication
 LH_AUTH_PLAIN_PASSWORD	External server authentication
 LH_AUTH_CERT			Certificate authentication
 LH_AUTH_TICKET			Ticket authentication
-LH_AUTH_OPENVPN_CERT    OpenVPN certificate authentication
+LH_AUTH_WIREGUARD_KEY	WireGuard public key authentication
+LH_AUTH_OPENVPN_CERT	OpenVPN certificate authentication
 LH_AUTH_RADIUS_NOT_SUPPORT	Connection "%S": The authentication method of the user "%S" has been specified as RADIUS Authentication or Active Directory Authentication (NT Domain Authentication). However, the edition of the VPN Server is "%S". This edition does not support RADIUS Authentication nor Active Directory Authentication (NT Domain Authentication). The connection will be denied.
 LH_AUTH_RADIUS_NOT_SUPPORT_ON_OPEN_SOURCE	Connection "%S": The authentication method of the user "%S" has been specified as RADIUS Authentication or Active Directory Authentication (NT Domain Authentication). However, such an external user-authentication function hasn't been implemented on the Open-Source version of SoftEther VPN yet. The connection will be denied.
 LH_AUTH_CERT_NOT_SUPPORT_ON_OPEN_SOURCE	Connection "%S": The authentication method of the user "%S" has been specified as Certificate Authentication. However, the Certificate Authentication function hasn't been implemented on the Open-Source version of SoftEther VPN yet. The connection will be denied.

src/bin/hamcore/strtable_tw.stb

@@ -1789,6 +1789,7 @@ LS_SSL_START			連接 "%S" 的 SSL 通信已啟動。加密演算法名為 "%S"
 LS_CONNECTION_ERROR		連接 "%S"因原因 "%s" (代碼 %u)已終止。
 LS_FARMMEMBER_NOT_ADMIN	連接 "%S": 服務端是群集成員，但用戶端在非管理員 (%S) 使用者情況下，嘗試直接與虛擬 HUB "%S" 連接。用戶端用戶名為 "%S"。訪問被拒絕。
 LS_HUB_NOT_FOUND		連接 "%S": 客戶端正在嘗試連接的虛擬 HUB "%S" 在服務端上不存在。
+LS_WG_KEY_NOT_FOUND		Connection "%S": The WireGuard key is not associated with a user on the server.
 LS_IP_DENIED			連接 "%S": 基於虛擬 HUB 上定義的源 IP 訪問限制列表，用戶端的源 IP 位址 "%S" 被拒絕。
 LS_LICENSE_ERROR		連接 "%S": 因為發生許可證相關錯誤，用戶端無法連接到服務端。
 LS_BETA_EXPIRES			SoftEther VPN Server 測試版已過期。測試版使用期限已到。請從 http://selinks.org/ 下載新的測試版或完整版。
@@ -1820,6 +1821,16 @@ LP_SESSION_CREATED		Session created.
 LP_SESSION_DELETED		Session deleted.
 
 
+# (WireGuard 日誌)
+LW_PREFIX_SESSION	[WireGuard] %r:%u -> %r:%u: 
+LW_KEYPAIR_EXPIRED	Current keypair (%x -> %x) is expired!
+LW_KEYPAIR_UNKNOWN	The packet was encrypted with an unknown keypair!
+LW_DECRYPT_FAIL		Decryption failure!
+LW_REPLAY_ATTACK	Replay attack detected!
+LW_FLOOD_ATTACK		Flood attack detected!
+LW_HUB_DISCONNECT	The administrator of the Virtual Hub has disconnected this session.
+
+
 # (OpenVPN 日誌)
 LO_PREFIX_RAW			OpenVPN 模組:
 LO_PREFIX_SESSION		OpenVPN 會話%u (%r:%u -> %r:%u):
@@ -1922,7 +1933,8 @@ LH_AUTH_PASSWORD		密碼驗證
 LH_AUTH_PLAIN_PASSWORD	外部伺服器身份驗證
 LH_AUTH_CERT			證書驗證
 LH_AUTH_TICKET			票證驗證
-LH_AUTH_OPENVPN_CERT			OpenVPN certificate authentication
+LH_AUTH_WIREGUARD_KEY	WireGuard public key authentication
+LH_AUTH_OPENVPN_CERT	OpenVPN certificate authentication
 LH_AUTH_RADIUS_NOT_SUPPORT	連接 "%S": 用戶 "%S" 身份驗證方法 RADIUS 或 Active Directory (NT 域)，但 VPN Server 是 "%S"，因為 RADIUS 或 Active Directory (NT 域)不能使用。連接被拒絕。
 LH_AUTH_RADIUS_NOT_SUPPORT_ON_OPEN_SOURCE	"%S" 的連接方法: 用戶 "%S" 的身份驗證方法被指定為 RADIUS 身份驗證或 Active Directory 身份驗證 (NT 域驗證)。然而，這樣一個外部用戶身份驗證功能尚未在 SoftEther VPN 的開源版本上實施。該連接將被拒絕。
 LH_AUTH_CERT_NOT_SUPPORT_ON_OPEN_SOURCE	"%S" 的連接方法: 用戶 "%S" 的身份驗證方法被指定為證書認證。然而，證書驗證功能尚未在 SoftEther VPN 的開源版本上實施。該連接將被拒絕。