From c6a486a0a641ff266b0c9b303f88e276394c8d8c Mon Sep 17 00:00:00 2001
From: Owen
Date: Wed, 11 Mar 2026 16:47:01 -0700
Subject: [PATCH] Add hardcoded public dns

---
 go.mod | 14 +++++++-------
 go.sum | 22 ++++++++++------------
 olm/connect.go | 1 +
 olm/olm.go | 25 ++++++++++++++++++-------
 olm/peer.go | 4 ++--
 olm/types.go | 1 +
 peers/manager.go | 16 ++++++++++------
 peers/monitor/monitor.go | 6 ++++--
 peers/peer.go | 4 ++--
 9 files changed, 55 insertions(+), 38 deletions(-)

diff --git a/go.mod b/go.mod
index 09a5bc4..0a47cd1 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/fosrl/olm
 
-go 1.25
+go 1.25.0
 
 require (
 	github.com/Microsoft/go-winio v0.6.2
@@ -8,7 +8,7 @@ require (
 	github.com/godbus/dbus/v5 v5.2.2
 	github.com/gorilla/websocket v1.5.3
 	github.com/miekg/dns v1.1.70
-	golang.org/x/sys v0.40.0
+	golang.org/x/sys v0.41.0
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 	gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c
@@ -20,16 +20,16 @@ require (
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/vishvananda/netlink v1.3.1 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
-	golang.org/x/crypto v0.46.0 // indirect
+	golang.org/x/crypto v0.48.0 // indirect
 	golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 // indirect
-	golang.org/x/mod v0.31.0 // indirect
-	golang.org/x/net v0.48.0 // indirect
+	golang.org/x/mod v0.32.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.40.0 // indirect
+	golang.org/x/tools v0.41.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 )
 
 // To be used ONLY for local development
-// replace github.com/fosrl/newt => ../newt
+replace github.com/fosrl/newt => ../newt
diff --git a/go.sum b/go.sum
index be51e01..2861521 100644
--- a/go.sum
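Review bot: The `replace github.com/fosrl/newt => ../newt` directive at the end of the `@@ -20,16 +20,16 @@` hunk is now active in the committed go.mod, while the comment directly above it still says it is for local development only, and the first go.sum hunk drops both `github.com/fosrl/newt v1.9.0` checksum lines. Any build from a checkout that does not have `../newt` beside it will fail, and the newt dependency is no longer pinned by hash, so the module graph stops being reproducible and verifiable. Restore the line as `// replace github.com/fosrl/newt => ../newt` (or move the override into an uncommitted go.work file) and regenerate the go.sum entries with `go mod tidy`.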
+++ b/go.sum
@@ -1,7 +1,5 @@
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/fosrl/newt v1.9.0 h1:66eJMo6fA+YcBTbddxTfNJXNQo1WWKzmn6zPRP5kSDE=
-github.com/fosrl/newt v1.9.0/go.mod h1:d1+yYMnKqg4oLqAM9zdbjthjj2FQEVouiACjqU468ck=
 github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
 github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
@@ -16,24 +14,24 @@ github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW
 github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
 github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
 github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
-golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 h1:zfMcR1Cs4KNuomFFgGefv5N0czO2XZpUbxGUy8i8ug0=
 golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0=
-golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
-golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
+golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
-golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
-golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
+golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=
diff --git a/olm/connect.go b/olm/connect.go
index dc05d1f..d2c477f 100644
--- a/olm/connect.go
+++ b/olm/connect.go
@@ -168,6 +168,7 @@ func (o *Olm) handleConnect(msg websocket.WSMessage) {
 		SharedBind: o.sharedBind,
 		WSClient:   o.websocket,
 		APIServer:  o.apiServer,
+		PublicDNS:  o.tunnelConfig.PublicDNS,
 	})
 
 	for i := range wgData.Sites {
diff --git a/olm/olm.go b/olm/olm.go
index 9bd41b2..92c8db6 100644
--- a/olm/olm.go
+++ b/olm/olm.go
@@ -31,7 +31,7 @@ type Olm struct {
 	privateKey wgtypes.Key
 	logFile    *os.File
 
-	registered bool
+	registered bool
 	tunnelRunning bool
 	uapiListener  net.Listener
 
@@ -111,7 +111,7 @@ func (o *Olm) initTunnelInfo(clientID string) error {
 	logger.Info("Created shared UDP socket on port %d (refcount: %d)", sourcePort, sharedBind.GetRefCount())
 
 	// Create the holepunch manager
-	o.holePunchManager = holepunch.NewManager(sharedBind, clientID, "olm", privateKey.PublicKey().String())
+	o.holePunchManager = holepunch.NewManager(sharedBind, clientID, "olm", privateKey.PublicKey().String(), o.tunnelConfig.PublicDNS)
 
 	return nil
 }
@@ -222,7 +222,7 @@ func (o *Olm) registerAPICallbacks() {
 			tunnelConfig.MTU = 1420
 		}
 		if req.DNS == "" {
-			tunnelConfig.DNS = "9.9.9.9"
+			tunnelConfig.DNS = "8.8.8.8"
 		}
 		// DNSProxyIP has no default - it must be provided if DNS proxy is desired
 		// UpstreamDNS defaults to 8.8.8.8 if not provided
@@ -292,16 +292,19 @@ func (o *Olm) StartTunnel(config TunnelConfig) {
 		logger.Info("Tunnel already running")
 		return
 	}
-
+
 	// debug print out the whole config
 	logger.Debug("Starting tunnel with config: %+v", config)
 
 	o.tunnelRunning = true // Also set it here in case it is called externally
 	o.tunnelConfig = config
+
+	// TODO: we are hardcoding this for now but we should really pull it from the current config of the system
+	o.tunnelConfig.PublicDNS = []string{"8.8.8.8:53", "1.1.1.1:53"}
 
 	// Reset terminated status when tunnel starts
 	o.apiServer.SetTerminated(false)
-
+
 	fingerprint := config.InitialFingerprint
 	if fingerprint == nil {
 		fingerprint = make(map[string]any)
@@ -313,7 +316,7 @@ func (o *Olm) StartTunnel(config TunnelConfig) {
 	}
 
 	o.SetFingerprint(fingerprint)
-	o.SetPostures(postures)
+	o.SetPostures(postures)
 
 	// Create a cancellable context for this tunnel process
 	tunnelCtx, cancel := context.WithCancel(o.olmCtx)
@@ -387,7 +390,7 @@ func (o *Olm) StartTunnel(config TunnelConfig) {
 
 		if o.registered {
 			o.websocket.StartPingMonitor()
-
+
 			logger.Debug("Already registered, skipping registration")
 			return nil
 		}
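Review bot: The new default `tunnelConfig.DNS = "8.8.8.8"` in the `@@ -222,7 +222,7 @@` hunk changes which third-party resolver receives every query from the tunnel whenever an API request omits `DNS`, and neither the commit subject nor the adjacent comments (which only mention the UpstreamDNS default) record that this was intended. If the change is deliberate, say so above the check, e.g. `// Default resolver when the request omits DNS; kept in step with the UpstreamDNS default below.`, and mention it in the commit message so operators who relied on the previous resolver are not surprised. registerAPICallbacks starts and ends outside the hunk.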
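Review bot: In the `@@ -292,16 +292,19 @@` hunk, `o.tunnelConfig.PublicDNS = []string{"8.8.8.8:53", "1.1.1.1:53"}` runs unconditionally right after `o.tunnelConfig = config`, so the `PublicDNS` field this commit adds to `TunnelConfig` (olm/types.go hunk) can never take effect — whatever the caller passes in `config.PublicDNS` is overwritten. Make the literal a fallback instead: `if len(o.tunnelConfig.PublicDNS) == 0 { o.tunnelConfig.PublicDNS = []string{"8.8.8.8:53", "1.1.1.1:53"} }`. A comment should also state that these are port-53 resolvers reached outside the tunnel, so relay and site endpoint lookups (olm/peer.go and peers/peer.go hunks) bypass the system resolver and go to a third party; the TODO already acknowledges the value should come from system configuration. initTunnelInfo (the `@@ -111,7 +111,7 @@` hunk) reads `o.tunnelConfig.PublicDNS` as well, and if it can run before StartTunnel performs this assignment the holepunch manager receives a nil slice — worth confirming. StartTunnel begins before this hunk and continues after it.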
@@ -509,6 +512,14 @@ func (o *Olm) StartTunnel(config TunnelConfig) {
 	logger.Info("Tunnel process context cancelled, cleaning up")
 }
 
+func (o *Olm) RestoreDNSOverride() {
+	// Restore original DNS configuration
+	// we do this first to avoid any DNS issues if something else gets stuck
+	if err := dnsOverride.RestoreDNSOverride(); err != nil {
+		logger.Error("Failed to restore DNS: %v", err)
+	}
+}
+
 func (o *Olm) Close() {
 	// Stop registration first to prevent it from trying to use closed websocket
 	if o.stopRegister != nil {
diff --git a/olm/peer.go b/olm/peer.go
index 8007272..0e2d2da 100644
--- a/olm/peer.go
+++ b/olm/peer.go
@@ -170,7 +170,7 @@ func (o *Olm) handleWgPeerRelay(msg websocket.WSMessage) {
 		return
 	}
 
-	primaryRelay, err := util.ResolveDomain(relayData.RelayEndpoint)
+	primaryRelay, err := util.ResolveDomainUpstream(relayData.RelayEndpoint, o.tunnelConfig.PublicDNS)
 	if err != nil {
 		logger.Error("Failed to resolve primary relay endpoint: %v", err)
 		return
@@ -203,7 +203,7 @@ func (o *Olm) handleWgPeerUnrelay(msg websocket.WSMessage) {
 		return
 	}
 
-	primaryRelay, err := util.ResolveDomain(relayData.Endpoint)
+	primaryRelay, err := util.ResolveDomainUpstream(relayData.Endpoint, o.tunnelConfig.PublicDNS)
 	if err != nil {
 		logger.Warn("Failed to resolve primary relay endpoint: %v", err)
 	}
diff --git a/olm/types.go b/olm/types.go
index 198b222..9dd3189 100644
--- a/olm/types.go
+++ b/olm/types.go
@@ -61,6 +61,7 @@ type TunnelConfig struct {
 	MTU           int
 	DNS           string
 	UpstreamDNS   []string
+	PublicDNS     []string
 	InterfaceName string
 
 	// Advanced
diff --git a/peers/manager.go b/peers/manager.go
index 0566775..514c0af 100644
--- a/peers/manager.go
+++ b/peers/manager.go
@@ -32,7 +32,8 @@ type PeerManagerConfig struct {
 	SharedBind *bind.SharedBind
 	// WSClient is optional - if nil, relay messages won't be sent
 	WSClient *websocket.Client
-	APIServer *api.API
+	APIServer *api.API
+	PublicDNS []string
 }
 
 type PeerManager struct {
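Review bot: `RestoreDNSOverride` is exported but carries no doc comment, and its body hides the outcome — the error from `dnsOverride.RestoreDNSOverride()` is only logged, so a caller cannot tell whether the system resolver settings were actually put back. Add `// RestoreDNSOverride reverts the system DNS settings changed while the tunnel was up. Failures are logged, not returned.` above the func, and consider returning the error so the caller can surface it. The in-body remark "we do this first to avoid any DNS issues if something else gets stuck" describes call ordering that belongs at the call site, not inside the method. Close starts at the end of this hunk and continues outside it.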
@@ -50,7 +51,8 @@ type PeerManager struct {
 	// key is the CIDR string, value is a set of siteIds that want this IP
 	allowedIPClaims map[string]map[int]bool
 	APIServer       *api.API
-
+	publicDNS       []string
+
 	PersistentKeepalive int
 }
 
@@ -65,6 +67,7 @@ func NewPeerManager(config PeerManagerConfig) *PeerManager {
 		allowedIPOwners: make(map[string]int),
 		allowedIPClaims: make(map[string]map[int]bool),
 		APIServer:       config.APIServer,
+		publicDNS:       config.PublicDNS,
 	}
 
 	// Create the peer monitor
@@ -74,6 +77,7 @@ func NewPeerManager(config PeerManagerConfig) *PeerManager {
 		config.LocalIP,
 		config.SharedBind,
 		config.APIServer,
+		config.PublicDNS,
 	)
 
 	return pm
@@ -129,7 +133,7 @@ func (pm *PeerManager) AddPeer(siteConfig SiteConfig) error {
 	wgConfig := siteConfig
 	wgConfig.AllowedIps = ownedIPs
 
-	if err := ConfigurePeer(pm.device, wgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(siteConfig.SiteId), pm.PersistentKeepalive); err != nil {
+	if err := ConfigurePeer(pm.device, wgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(siteConfig.SiteId), pm.PersistentKeepalive, pm.publicDNS); err != nil {
 		return err
 	}
 
@@ -270,7 +274,7 @@ func (pm *PeerManager) RemovePeer(siteId int) error {
 			ownedIPs := pm.getOwnedAllowedIPs(promotedPeerId)
 			wgConfig := promotedPeer
 			wgConfig.AllowedIps = ownedIPs
-			if err := ConfigurePeer(pm.device, wgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(promotedPeerId), pm.PersistentKeepalive); err != nil {
+			if err := ConfigurePeer(pm.device, wgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(promotedPeerId), pm.PersistentKeepalive, pm.publicDNS); err != nil {
 				logger.Error("Failed to update promoted peer %d: %v", promotedPeerId, err)
 			}
 		}
@@ -346,7 +350,7 @@ func (pm *PeerManager) UpdatePeer(siteConfig SiteConfig) error {
 	wgConfig := siteConfig
 	wgConfig.AllowedIps = ownedIPs
 
-	if err := ConfigurePeer(pm.device, wgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(siteConfig.SiteId), pm.PersistentKeepalive); err != nil {
+	if err := ConfigurePeer(pm.device, wgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(siteConfig.SiteId), pm.PersistentKeepalive, pm.publicDNS); err != nil {
 		return err
 	}
 
@@ -356,7 +360,7 @@ func (pm *PeerManager) UpdatePeer(siteConfig SiteConfig) error {
 			promotedOwnedIPs := pm.getOwnedAllowedIPs(promotedPeerId)
 			promotedWgConfig := promotedPeer
 			promotedWgConfig.AllowedIps = promotedOwnedIPs
-			if err := ConfigurePeer(pm.device, promotedWgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(promotedPeerId), pm.PersistentKeepalive); err != nil {
+			if err := ConfigurePeer(pm.device, promotedWgConfig, pm.privateKey, pm.peerMonitor.IsPeerRelayed(promotedPeerId), pm.PersistentKeepalive, pm.publicDNS); err != nil {
 				logger.Error("Failed to update promoted peer %d: %v", promotedPeerId, err)
 			}
 		}
diff --git a/peers/monitor/monitor.go b/peers/monitor/monitor.go
index 28d92ef..cfea418 100644
--- a/peers/monitor/monitor.go
+++ b/peers/monitor/monitor.go
@@ -34,6 +34,7 @@ type PeerMonitor struct {
 	timeout     time.Duration
 	maxAttempts int
 	wsClient    *websocket.Client
+	publicDNS   []string
 
 	// Netstack fields
 	middleDev *middleDevice.MiddleDevice
@@ -82,7 +83,7 @@ type PeerMonitor struct {
 }
 
 // NewPeerMonitor creates a new peer monitor with the given callback
-func NewPeerMonitor(wsClient *websocket.Client, middleDev *middleDevice.MiddleDevice, localIP string, sharedBind *bind.SharedBind, apiServer *api.API) *PeerMonitor {
+func NewPeerMonitor(wsClient *websocket.Client, middleDev *middleDevice.MiddleDevice, localIP string, sharedBind *bind.SharedBind, apiServer *api.API, publicDNS []string) *PeerMonitor {
 	ctx, cancel := context.WithCancel(context.Background())
 	pm := &PeerMonitor{
 		monitors: make(map[int]*Client),
@@ -91,6 +92,7 @@ func NewPeerMonitor(wsClient *websocket.Client, middleDev *middleDevice.MiddleDe
 		wsClient:    wsClient,
 		middleDev:   middleDev,
 		localIP:     localIP,
+		publicDNS:   publicDNS,
 		activePorts: make(map[uint16]bool),
 		nsCtx:       ctx,
 		nsCancel:    cancel,
@@ -124,7 +126,7 @@ func NewPeerMonitor(wsClient *websocket.Client, middleDev *middleDevice.MiddleDe
 
 	// Initialize holepunch tester if sharedBind is available
 	if sharedBind != nil {
-		pm.holepunchTester = holepunch.NewHolepunchTester(sharedBind)
+		pm.holepunchTester = holepunch.NewHolepunchTester(sharedBind, publicDNS)
 	}
 
 	return pm
diff --git a/peers/peer.go b/peers/peer.go
index 8211fa4..7301a9c 100644
--- a/peers/peer.go
+++ b/peers/peer.go
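Review bot: The doc comment `// NewPeerMonitor creates a new peer monitor with the given callback` in the `@@ -82,7 +83,7 @@` hunk was not updated for the new `publicDNS` parameter, and no callback appears in the signature, so the comment now describes none of the arguments. Replace it with `// NewPeerMonitor creates a peer monitor. publicDNS lists the host:port resolvers handed to the holepunch tester; it is stored as given.` — the hunks show the slice stored on the struct and passed to `holepunch.NewHolepunchTester` (the `@@ -124,7 +126,7 @@` hunk), and nothing visible checks for an empty or nil slice, so once that behaviour is confirmed state it in the comment too. NewPeerMonitor's body continues outside the hunks.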
@@ -11,14 +11,14 @@ import (
 )
 
 // ConfigurePeer sets up or updates a peer within the WireGuard device
-func ConfigurePeer(dev *device.Device, siteConfig SiteConfig, privateKey wgtypes.Key, relay bool, persistentKeepalive int) error {
+func ConfigurePeer(dev *device.Device, siteConfig SiteConfig, privateKey wgtypes.Key, relay bool, persistentKeepalive int, publicDNS []string) error {
 	var endpoint string
 	if relay && siteConfig.RelayEndpoint != "" {
 		endpoint = formatEndpoint(siteConfig.RelayEndpoint)
 	} else {
 		endpoint = formatEndpoint(siteConfig.Endpoint)
 	}
-	siteHost, err := util.ResolveDomain(endpoint)
+	siteHost, err := util.ResolveDomainUpstream(endpoint, publicDNS)
 	if err != nil {
 		return fmt.Errorf("failed to resolve endpoint for site %d: %v", siteConfig.SiteId, err)
 	}
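Review bot: `ConfigurePeer` gains a `publicDNS []string` parameter but the doc comment above it is unchanged, and nothing in the hunk says what `util.ResolveDomainUpstream` does when the slice is empty or nil (for example a PeerManager built before StartTunnel has populated `tunnelConfig.PublicDNS`). Extend the comment to `// ConfigurePeer sets up or updates a peer within the WireGuard device. The site or relay endpoint is resolved through the publicDNS resolvers (host:port) rather than the system resolver.` and add a line on the empty-slice behaviour once it is confirmed against ResolveDomainUpstream. The `fmt.Errorf` on the following line could use `%w` instead of `%v` so callers can inspect the resolver error with errors.Is/errors.As, though that line is unchanged by this commit. ConfigurePeer continues past the end of the hunk.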