[client] Add IPv6 support to UDP WireGuard proxy (#5169)

* Add IPv6 support to UDP WireGuard proxy Add IPv6 packet header support in UDP raw socket proxy to handle both IPv4 and IPv6 source addresses. Refactor error handling in proxy bind implementations to validate endpoints before acquiring locks.
2026-04-21 01:36:46 +00:00 · 2026-01-26 14:03:32 +01:00
parent 074df56c3d
commit 05af39a69b
7 changed files with 565 additions and 67 deletions
--- a/client/iface/wgproxy/udp/rawsocket.go
+++ b/client/iface/wgproxy/udp/rawsocket.go
@@ -19,37 +19,56 @@ var (
 		FixLengths:       true,
 	}

-	localHostNetIPAddr = &net.IPAddr{
+	localHostNetIPAddrV4 = &net.IPAddr{
 		IP: net.ParseIP("127.0.0.1"),
 	}
+	localHostNetIPAddrV6 = &net.IPAddr{
+		IP: net.ParseIP("::1"),
+	}
 )

 type SrcFaker struct {
 	srcAddr *net.UDPAddr

-	rawSocket   net.PacketConn
-	ipH         gopacket.SerializableLayer
-	udpH        gopacket.SerializableLayer
-	layerBuffer gopacket.SerializeBuffer
+	rawSocket     net.PacketConn
+	ipH           gopacket.SerializableLayer
+	udpH          gopacket.SerializableLayer
+	layerBuffer   gopacket.SerializeBuffer
+	localHostAddr *net.IPAddr
 }

 func NewSrcFaker(dstPort int, srcAddr *net.UDPAddr) (*SrcFaker, error) {
-	rawSocket, err := rawsocket.PrepareSenderRawSocket()
+	// Create only the raw socket for the address family we need
+	var rawSocket net.PacketConn
+	var err error
+	var localHostAddr *net.IPAddr
+
+	if srcAddr.IP.To4() != nil {
+		rawSocket, err = rawsocket.PrepareSenderRawSocketIPv4()
+		localHostAddr = localHostNetIPAddrV4
+	} else {
+		rawSocket, err = rawsocket.PrepareSenderRawSocketIPv6()
+		localHostAddr = localHostNetIPAddrV6
+	}
 	if err != nil {
 		return nil, err
 	}

 	ipH, udpH, err := prepareHeaders(dstPort, srcAddr)
 	if err != nil {
+		if closeErr := rawSocket.Close(); closeErr != nil {
+			log.Warnf("failed to close raw socket: %v", closeErr)
+		}
 		return nil, err
 	}

 	f := &SrcFaker{
-		srcAddr:     srcAddr,
-		rawSocket:   rawSocket,
-		ipH:         ipH,
-		udpH:        udpH,
-		layerBuffer: gopacket.NewSerializeBuffer(),
+		srcAddr:       srcAddr,
+		rawSocket:     rawSocket,
+		ipH:           ipH,
+		udpH:          udpH,
+		layerBuffer:   gopacket.NewSerializeBuffer(),
+		localHostAddr: localHostAddr,
 	}

 	return f, nil
@@ -72,7 +91,7 @@ func (f *SrcFaker) SendPkg(data []byte) (int, error) {
 	if err != nil {
 		return 0, fmt.Errorf("serialize layers: %w", err)
 	}
-	n, err := f.rawSocket.WriteTo(f.layerBuffer.Bytes(), localHostNetIPAddr)
+	n, err := f.rawSocket.WriteTo(f.layerBuffer.Bytes(), f.localHostAddr)
 	if err != nil {
 		return 0, fmt.Errorf("write to raw conn: %w", err)
 	}
@@ -80,19 +99,40 @@ func (f *SrcFaker) SendPkg(data []byte) (int, error) {
 }

 func prepareHeaders(dstPort int, srcAddr *net.UDPAddr) (gopacket.SerializableLayer, gopacket.SerializableLayer, error) {
-	ipH := &layers.IPv4{
-		DstIP:    net.ParseIP("127.0.0.1"),
-		SrcIP:    srcAddr.IP,
-		Version:  4,
-		TTL:      64,
-		Protocol: layers.IPProtocolUDP,
+	var ipH gopacket.SerializableLayer
+	var networkLayer gopacket.NetworkLayer
+
+	// Check if source IP is IPv4 or IPv6
+	if srcAddr.IP.To4() != nil {
+		// IPv4
+		ipv4 := &layers.IPv4{
+			DstIP:    localHostNetIPAddrV4.IP,
+			SrcIP:    srcAddr.IP,
+			Version:  4,
+			TTL:      64,
+			Protocol: layers.IPProtocolUDP,
+		}
+		ipH = ipv4
+		networkLayer = ipv4
+	} else {
+		// IPv6
+		ipv6 := &layers.IPv6{
+			DstIP:      localHostNetIPAddrV6.IP,
+			SrcIP:      srcAddr.IP,
+			Version:    6,
+			HopLimit:   64,
+			NextHeader: layers.IPProtocolUDP,
+		}
+		ipH = ipv6
+		networkLayer = ipv6
 	}
+
 	udpH := &layers.UDP{
 		SrcPort: layers.UDPPort(srcAddr.Port),
 		DstPort: layers.UDPPort(dstPort), // dst is the localhost WireGuard port
 	}

-	err := udpH.SetNetworkLayerForChecksum(ipH)
+	err := udpH.SetNetworkLayerForChecksum(networkLayer)
 	if err != nil {
 		return nil, nil, fmt.Errorf("set network layer for checksum: %w", err)
 	}