Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wireguard VPN support #86020

Draft
wants to merge 28 commits into
base: main
Choose a base branch
from
Draft

Wireguard VPN support #86020

wants to merge 28 commits into from

Conversation

jukkar
Copy link
Member

@jukkar jukkar commented Feb 19, 2025
edited
Loading

This is initial Wireguard VPN support. Part of the implementation is ported from wireguard-lwip project.
Some discussion about this can be found in #63722

Some of the commits in this PR might be sent separately to review.

@jukkar jukkar added the In progress For PRs: is work in progress and should not be merged yet. For issues: Is being worked on label Feb 19, 2025
@jukkar jukkar force-pushed the devel/wireguard-support branch from 005e7bb to 01dba8d Compare February 20, 2025 08:30
@jukkar
Copy link
Member Author

jukkar commented Feb 20, 2025

  • Updated to latest main
  • Fixed compilation issues
  • Added VPN support to echo-client and http-server sample applications

@jukkar jukkar force-pushed the devel/wireguard-support branch from 01dba8d to 2fd6262 Compare February 20, 2025 15:07
@jukkar
Copy link
Member Author

jukkar commented Feb 20, 2025

  • Documentation added
  • VPN statistics support added

@jukkar jukkar force-pushed the devel/wireguard-support branch from 2fd6262 to 261c30f Compare February 21, 2025 13:03
@jukkar
Copy link
Member Author

jukkar commented Feb 21, 2025

  • manifest update for net-tools
  • allowed ip address list fixes
  • shell print allowed ips and endpoint
  • more statistics collection

@zephyrbot
Copy link
Collaborator

zephyrbot commented Feb 21, 2025
edited
Loading

The following west manifest projects have changed revision in this Pull Request:

Name Old Revision New Revision Diff

All manifest checks OK

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@zephyrbot zephyrbot added manifest manifest-net-tools DNM (manifest) This PR should not be merged (controlled by action-manifest) labels Feb 21, 2025
@jukkar jukkar force-pushed the devel/wireguard-support branch from 261c30f to fe241b0 Compare February 21, 2025 16:44
@jukkar
Copy link
Member Author

jukkar commented Feb 21, 2025

  • housekeeping timer works now
  • keepalive timer is working and can be set from application

@jukkar jukkar force-pushed the devel/wireguard-support branch from fe241b0 to 456783b Compare February 23, 2025 14:39
@jukkar
Copy link
Member Author

jukkar commented Feb 23, 2025

  • updated to latest main
  • fixed Zephyr initiated handshake issues
  • CI fixes

@jukkar jukkar force-pushed the devel/wireguard-support branch from 456783b to d7a004e Compare February 24, 2025 09:55
@jukkar jukkar marked this pull request as ready for review February 24, 2025 09:56
@zephyrbot zephyrbot added area: Networking area: Sockets Networking sockets area: HTTP HTTP client/server support area: Samples Samples labels Feb 24, 2025
@jukkar jukkar removed the In progress For PRs: is work in progress and should not be merged yet. For issues: Is being worked on label Feb 24, 2025
jukkar added 23 commits March 23, 2025 16:19
@jukkar
net: wireguard: Add crypto support
f8ee50b 
The crypto code is taken from wireguard-lwip project at
https://github.com/smartalock/wireguard-lwip
and is BSD-3-Clause and MIT licensed code.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: wireguard: crypto: Add SPDX license identifiers
c03899a 
Add relevant SPDX license identifier to crypto algorithm
implementations.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: wireguard: crypto: Fix CI compliance issues
895c1ea 
Make the Wireguard crypto code pass Zephyr CI compliance check script.
Following changes were done:

* Convert // comments to /* */ comments
* Run the code through clang-format
* Empty line after variable declaration
* Removing Tab after Space characters
* Removing trailing white space
* Removing empty lines at the end of the file
* Changed "unsigned i" to "unsigned int i"

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: wireguard: crypto: Fix warning in x25519.c mul()
4a88ae3 
Compiler gives this warning

In function ‘ladder_part1’,
    inlined from ‘x25519_core’ at wireguard/crypto/refc/x25519.c:306:3,
    inlined from ‘x25519’ at wireguard/crypto/refc/x25519.c:317:2:
wireguard/crypto/refc/x25519.c:259:9: warning: ‘mul’ reading 32 bytes
 from a region of size 4 [-Wstringop-overread]
  259 |         mul(z2, x2, a24, ARRAY_SIZE(a24));  /*  z2 = E*a24 */
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
wireguard/crypto/refc/x25519.c: In function ‘x25519’:
wireguard/crypto/refc/x25519.c:259:9: note: referencing argument 3 of
 type ‘const limb_t *’ {aka ‘const unsigned int *’}
wireguard/crypto/refc/x25519.c:148:13: note: in a call to function ‘mul’
  148 | static void mul(fe out, const fe a, const fe b, unsigned int nb)
      |             ^~~

Fix for this can be found from original sources at

https://sourceforge.net/p/strobe/code/ci/0aa9e2abcaa4e6364c97a914d397517668475209/

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: shell: Add Wireguard VPN support
884a4f6 
Add commands to manipulate Wireguard connectivity.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: shell: iface: Print Wireguard public key
b491b58 
If the interface is Wireguard VPN interface, then print
the public key of the interface.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: wireguard: stats: Add statistics support
cf02cbf 
Collect Wireguard VPN statistics and allow user to fetch it.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: shell: wg: Add VPN statistics support
d2d7d5d 
Show VPN statistics support if enabled.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: shell: wg: Print detailed peer information
306c23b 
The "net wg show 1" will show detailed information of the peer
id 1. This is useful when debugging connectivity issues.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: wireguard: Send network events for VPN activity
046cc7b 
Send peer add/del network event when the peers is either added
to the system or deleted from the system.
Send VPN connected / disconnected event when a VPN connection
is successfully established or the peer connection is disconnected.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: shell: events: Print wireguard event information
2488bef 
Add Wireguard VPN events information printouts to event monitor.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: l2: virtual: Add support for VPN public/private key set/get
d359674 
Add support for getting public address and setting private
key for the virtual interface. This is needed for Wireguard VPN.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: if: Add helper to get src interface and address from dst address
43265da 
Instead of calling various network interface API functions to get
the network interface and related source IP address, have a single
function that can return both data.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
samples: net: echo-server: Add Wireguard VPN support
17548a3 
Add Wireguard configuration to echo-server application.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
samples: net: echo-client: Add Wireguard VPN support
6b55d11 
Add Wireguard configuration to echo-client application.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
samples: net: echo-client: Enable event mgmt info support
8978a35 
CONFIG_NET_MGMT_EVENT_INFO needs to be enabled for this sample so
that we can get detailed information when the event is generated.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
samples: net: http-server: Add Wireguard VPN support
8b96b6c 
Add Wireguard configuration to http-server application.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
samples: net: Enable Wireguard VPN compilation in tests
abea492 
Add a test that enables Wireguard VPN compilation so that
we at least compile test the code.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
samples: net: common: Add information about VPN and VLAN
4e300e2 
Add example and information how to run VPN over a VLAN with
the echo-server sample.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: if: Add special handling for IPv4/6 address check for VPN
9f33e05 
This is a hack that is used until we have proper IP routing
in place. The code has now special check that makes sure that
we only route IP packets to VPN interface when the packet is
destined to that subnet. So if destination IP address does
not belong to VPN interface subnet, it is not routed there.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
doc: Add WireGuard VPN licensing info to license file
d830ac1 
Add WireGuard VPN licensing information to LICENSE.rst file
in the documentation.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: wg: Make getting current time extensible
c71c299 
Allow user to provide a function that will need to get
the current time from a RTC or SNTP or similar.
Wireguard handshake replay prevention needs a monotonic
time so the application should get it from somewhere.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar
net: wg: Support RTC with native_sim board
c2f2471 
If running wg in native-sim, use the host clock to get the
current time. This helps to have a proper handshake when
connecting even after restarting the zephyr.exe process.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar jukkar force-pushed the devel/wireguard-support branch from b9647cb to c2f2471 Compare March 23, 2025 14:22
@jukkar
Copy link
Member Author

jukkar commented Mar 23, 2025

  • Fixing merge conflicts, no other changes

@ceolin
Copy link
Member

ceolin commented Mar 25, 2025

@ceolin couple of notes

  • As there was no PSA support for some of these algorithms, I thought that isolating the implementations to Wireguard lib would avoid any possible issues for people using these for other parts of the code. That is why they were placed to the directory they are in this PR.

Yes, that was indeed good. Most of these algorithms are already available in the PSA / mbedTLS, the only one I saw that is definitely not there is blake2s. So why having duplicated functionality ?

  • As the implementations of these algorithms are several years old and seems to be used in other projects too, I would think they are more or less working properly. Probably they work better than any other fresh re-implementation.

Not necessarily, specially in cryptography. Some of these implementation state that they should not be used in production that they have alpha quality, which is very problematic at least.

  • Could security team provide implementations for the missing features, as the security team has probably the best knowledge of this domain?

For sure, we started conversation with mbedTLS / PSA folks regarding missing algorithm. Obviously since this involves another project the timeline can vary. Can we change it to use PSA for what is available and work together in a temporary solution for the missing bits ? We can't simply import another cryptography implementation to Zephyr that is not properly maintained.

@jukkar
Copy link
Member Author

jukkar commented Mar 26, 2025

Most of these algorithms are already available in the PSA / mbedTLS, the only one I saw that is definitely not there is blake2s. So why having duplicated functionality ?

I did not want to have part of the code use PSA/mbedTLS and some part use the internal implementation. But I could consider porting the code to use the PSA and leave the blake implementation as is if that would be acceptable.

@jukkar
Copy link
Member Author

jukkar commented Mar 30, 2025

Hi, as it might take some time before PSA has support for Wireguard needed crypto, I created an external module for the Wireguard support. This way people can try it more easily and give feedback to make it work better. The module can be found here https://github.com/jukkar/zephyr-wireguard. The module contain a demo of the usage and configuration with native_sim board. Note that you would need Zephyr version (4.1.99+), specifically from commit 8e90817 ("net: shell: iface: Print VPN public key") or later to use it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabiobaltieri fabiobaltieri fabiobaltieri left review comments

@pdgendt pdgendt pdgendt left review comments

@rlubos rlubos rlubos left review comments

@kartben kartben Awaiting requested review from kartben

@mrodgers-witekio mrodgers-witekio Awaiting requested review from mrodgers-witekio

@nashif nashif Awaiting requested review from nashif

@ssharks ssharks Awaiting requested review from ssharks

@tbursztyka tbursztyka Awaiting requested review from tbursztyka

At least 2 approving reviews are required to merge this pull request.

Assignees

@rlubos rlubos

Labels
area: HTTP HTTP client/server support area: Networking area: Samples Samples area: Sockets Networking sockets Security Review To be reviewed by a security expert
Projects
TSC Attention Needed
Status: Todo
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@jukkar @zephyrbot @nashif @ceolin @fabiobaltieri @pdgendt @rlubos @kartben