Merge pull request #5 from fosrl/dev

Add tip and MTU set to 1280

.gitignore

@@ -1 +1,2 @@
-newt
+newt
+.DS_Store

CONTRIBUTING.md

@@ -1,6 +1,12 @@
 ## Contributing
 
-Contributions are welcome! Please see the following page in our documentation with future plans and feature ideas if you are looking for a place to start.
+Contributions are welcome! 
+
+Please see the contribution and local development guide on the docs page before getting started:
+
+https://docs.fossorial.io/development
+
+For ideas about what features to work on and our future plans, please see the roadmap:
 
 https://docs.fossorial.io/roadmap
 
@@ -15,4 +21,4 @@ By creating this pull request, I grant the project maintainers an unlimited,
 perpetual license to use, modify, and redistribute these contributions under any terms they
 choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
 represent that I have the right to grant this license for all contributed content.
-```
+```

Makefile

@@ -11,7 +11,16 @@ test:
 	docker run fosrl/newt:latest
 
 local: 
-	 CGO_ENABLED=0 go build -o newt
+	CGO_ENABLED=0 go build -o newt
+
+all_arches:
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -o newt_linux_arm64
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o newt_linux_amd64
+	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -o newt_darwin_arm64
+	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o newt_darwin_amd64
+	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o newt_windows_amd64.exe
+	CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 go build -o newt_freebsd_amd64
+	CGO_ENABLED=0 GOOS=freebsd GOARCH=arm64 go build -o newt_freebsd_arm64
 
 clean:
 	rm newt

README.md

@@ -19,7 +19,7 @@ _Sample output of a Newt container connected to Pangolin and hosting various res
 
 ### Registers with Pangolin
 
-Using the Newt ID and a secret the client will make HTTP requests to Pangolin to receive a session token. Using that token it will connect to a websocket and maintain that connection. Control messages will be sent over the websocket.
+Using the Newt ID and a secret, the client will make HTTP requests to Pangolin to receive a session token. Using that token, it will connect to a websocket and maintain that connection. Control messages will be sent over the websocket.
 
 ### Receives WireGuard Control Messages
 
@@ -27,7 +27,7 @@ When Newt receives WireGuard control messages, it will use the information encod
 
 ### Receives Proxy Control Messages
 
-When Newt receives WireGuard control messages, it will use the information encoded to crate local low level TCP and UDP proxies attached to the virtual tunnel in order to relay traffic to programmed targets.
+When Newt receives WireGuard control messages, it will use the information encoded to create a local low level TCP and UDP proxies attached to the virtual tunnel in order to relay traffic to programmed targets.
 
 ## CLI Args
 
@@ -46,6 +46,22 @@ Example:
 --endpoint https://example.com
 ```
 
+You can also run it with Docker compose. For example, a service in your `docker-compose.yml` might look like this using environment vars (recommended):
+
+```yaml
+services:
+  newt:
+    image: fosrl/newt
+    container_name: newt
+    restart: unless-stopped
+    environment:
+      - PANGOLIN_ENDPOINT=https://example.com
+      - NEWT_ID=2ix2t8xk22ubpfy 
+      - NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2 
+```
+
+You can also pass the CLI args to the container:
+
 ```yaml
 services:
   newt:
@@ -53,8 +69,8 @@ services:
     container_name: newt
     restart: unless-stopped
     command:
-        - --id 31frd0uzbjvp721 \
-        - --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6 \
+        - --id 31frd0uzbjvp721
+        - --secret h51mmlknrvrwv8s4r1i210azhumt6isgbpyavxodibx1k2d6
         - --endpoint https://example.com
 ```
 
@@ -82,4 +98,4 @@ Newt is dual licensed under the AGPLv3 and the Fossorial Commercial license. For
 
 ## Contributions
 
-Please see [CONTRIBUTIONS](./CONTRIBUTING.md) in the repository for guidelines and best practices.
+Please see [CONTRIBUTIONS](./CONTRIBUTING.md) in the repository for guidelines and best practices.

SECURITY.md

@@ -0,0 +1,14 @@
+# Security Policy
+
+If you discover a security vulnerability, please follow the steps below to responsibly disclose it to us:
+
+1. **Do not create a public GitHub issue or discussion post.** This could put the security of other users at risk.
+2. Send a detailed report to [security@fossorial.io](mailto:security@fossorial.io) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
+
+- Description and location of the vulnerability.
+- Potential impact of the vulnerability.
+- Steps to reproduce the vulnerability.
+- Potential solutions to fix the vulnerability.
+- Your name/handle and a link for recognition (optional).
+
+We aim to address the issue as soon as possible.

docker-compose.yml

@@ -0,0 +1,10 @@
+services:
+  newt:
+    image: fosrl/newt:latest
+    container_name: newt
+    restart: unless-stopped
+    environment:
+      - PANGOLIN_ENDPOINT=https://example.com
+      - NEWT_ID=2ix2t8xk22ubpfy 
+      - NEWT_SECRET=nnisrfsdfc7prqsp9ewo1dvtvci50j5uiqotez00dgap0ii2 
+      - LOG_LEVEL=DEBUG

entrypoint.sh

@@ -1,7 +1,5 @@
 #!/bin/sh
 
-# Sample from https://github.com/traefik/traefik-library-image/blob/5070edb25b03cca6802d75d5037576c840f73fdd/v3.1/alpine/entrypoint.sh
-
 set -e
 
 # first arg is `-f` or `--some-option`
@@ -9,13 +7,4 @@ if [ "${1#-}" != "$1" ]; then
     set -- newt "$@"
 fi
 
-# if our command is a valid newt subcommand, let's invoke it through newt instead
-# (this allows for "docker run newt version", etc)
-if newt "$1" --help >/dev/null 2>&1
-then
-    set -- newt "$@"
-else
-    echo "= '$1' is not a newt command: assuming shell execution." 1>&2
-fi
-
 exec "$@"

main.go

@@ -12,6 +12,7 @@ import (
 	"net/netip"
 	"os"
 	"os/signal"
+	"strconv"
 	"strings"
 	"syscall"
 	"time"
@@ -112,6 +113,27 @@ func ping(tnet *netstack.Net, dst string) error {
 	return nil
 }
 
+func startPingCheck(tnet *netstack.Net, serverIP string, stopChan chan struct{}) {
+	ticker := time.NewTicker(10 * time.Second)
+	defer ticker.Stop()
+
+	go func() {
+		for {
+			select {
+			case <-ticker.C:
+				err := ping(tnet, serverIP)
+				if err != nil {
+					logger.Warn("Periodic ping failed: %v", err)
+					logger.Warn("HINT: Do you have UDP port 51280 (or the port in config.yml) open on your Pangolin server?")
+				}
+			case <-stopChan:
+				logger.Info("Stopping ping check")
+				return
+			}
+		}
+	}()
+}
+
 func pingWithRetry(tnet *netstack.Net, dst string) error {
 	const (
 		maxAttempts = 5
@@ -222,30 +244,45 @@ func resolveDomain(domain string) (string, error) {
 	return ipAddr, nil
 }
 
-func getEnvWithDefault(key, defaultValue string) string {
-	if value := os.Getenv(key); value != "" {
-		return value
-	}
-	return defaultValue
-}
-
 func main() {
 	var (
 		endpoint   string
 		id         string
 		secret     string
+		mtu        string
+		mtuInt     int
 		dns        string
 		privateKey wgtypes.Key
 		err        error
 		logLevel   string
 	)
 
-	// Define CLI flags with default values from environment variables
-	flag.StringVar(&endpoint, "endpoint", os.Getenv("PANGOLIN_ENDPOINT"), "Endpoint of your pangolin server")
-	flag.StringVar(&id, "id", os.Getenv("NEWT_ID"), "Newt ID")
-	flag.StringVar(&secret, "secret", os.Getenv("NEWT_SECRET"), "Newt secret")
-	flag.StringVar(&dns, "dns", getEnvWithDefault("DEFAULT_DNS", "8.8.8.8"), "DNS server to use")
-	flag.StringVar(&logLevel, "log-level", getEnvWithDefault("LOG_LEVEL", "INFO"), "Log level (DEBUG, INFO, WARN, ERROR, FATAL)")
+	// if PANGOLIN_ENDPOINT, NEWT_ID, and NEWT_SECRET are set as environment variables, they will be used as default values
+	endpoint = os.Getenv("PANGOLIN_ENDPOINT")
+	id = os.Getenv("NEWT_ID")
+	secret = os.Getenv("NEWT_SECRET")
+	mtu = os.Getenv("MTU")
+	dns = os.Getenv("DNS")
+	logLevel = os.Getenv("LOG_LEVEL")
+
+	if endpoint == "" {
+		flag.StringVar(&endpoint, "endpoint", "", "Endpoint of your pangolin server")
+	}
+	if id == "" {
+		flag.StringVar(&id, "id", "", "Newt ID")
+	}
+	if secret == "" {
+		flag.StringVar(&secret, "secret", "", "Newt secret")
+	}
+	if mtu == "" {
+		flag.StringVar(&mtu, "mtu", "1280", "MTU to use")
+	}
+	if dns == "" {
+		flag.StringVar(&dns, "dns", "8.8.8.8", "DNS server to use")
+	}
+	if logLevel == "" {
+		flag.StringVar(&logLevel, "log-level", "INFO", "Log level (DEBUG, INFO, WARN, ERROR, FATAL)")
+	}
 	flag.Parse()
 
 	logger.Init()
@@ -257,6 +294,12 @@ func main() {
 		logger.Fatal("endpoint, id, and secret are required either via CLI flags or environment variables")
 	}
 
+	// parse the mtu string into an int
+	mtuInt, err = strconv.Atoi(mtu)
+	if err != nil {
+		logger.Fatal("Failed to parse MTU: %v", err)
+	}
+
 	privateKey, err = wgtypes.GeneratePrivateKey()
 	if err != nil {
 		logger.Fatal("Failed to generate private key: %v", err)
@@ -291,17 +334,21 @@ func main() {
 		client.Close()
 	})
 
+	pingStopChan := make(chan struct{})
+	defer close(pingStopChan)
+
 	// Register handlers for different message types
 	client.RegisterHandler("newt/wg/connect", func(msg websocket.WSMessage) {
 		logger.Info("Received registration message")
 
 		if connected {
-			logger.Info("Already connected! Put I will send a ping anyway...")
+			logger.Info("Already connected! But I will send a ping anyway...")
 			// ping(tnet, wgData.ServerIP)
 			err = pingWithRetry(tnet, wgData.ServerIP)
 			if err != nil {
 				// Handle complete failure after all retries
-				logger.Error("Failed to ping %s: %v", wgData.ServerIP, err)
+				logger.Warn("Failed to ping %s: %v", wgData.ServerIP, err)
+				logger.Warn("HINT: Do you have UDP port 51280 (or the port in config.yml) open on your Pangolin server?")
 			}
 			return
 		}
@@ -321,7 +368,7 @@ func main() {
 		tun, tnet, err = netstack.CreateNetTUN(
 			[]netip.Addr{netip.MustParseAddr(wgData.TunnelIP)},
 			[]netip.Addr{netip.MustParseAddr(dns)},
-			1420)
+			mtuInt)
 		if err != nil {
 			logger.Error("Failed to create TUN device: %v", err)
 		}
@@ -365,6 +412,11 @@ persistent_keepalive_interval=5`, fixKey(fmt.Sprintf("%s", privateKey)), fixKey(
 			logger.Error("Failed to ping %s: %v", wgData.ServerIP, err)
 		}
 
+		if !connected {
+			logger.Info("Starting ping check")
+			startPingCheck(tnet, wgData.ServerIP, pingStopChan)
+		}
+
 		// Create proxy manager
 		pm = proxy.NewProxyManager(tnet)