Peer management login (#83)

* feature: replace RegisterPeer with Login method that does both - registration and login

* test: add management login test

* feature: add WiretrusteeConfig to the Login response to configure peer global config

* feature: add client peer login support

* fix: missing parts

* chore: update go deps

* feature: support Management Service gRPC endpoints [CLIENT]

* feature: finalize client sync with management

* fix: management store peer key lower case restore

* fix: management returns peer ip without a mask

* refactor: remove cmd pkg

* fix: invalid tun interface name on mac

* fix: timeout when calling management client

* fix: tests and lint errors

* fix: golang-test workflow

* fix: client service tests

* fix: iface build

* feature: detect management scheme on startup

* chore: better logs for management

* fix: goreleaser

* fix: lint errors

* fix: signal TLS

* fix: direct Wireguard connection

* chore: verbose logging on direct connection

client/cmd/root.go

@@ -0,0 +1,74 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"os/signal"
+	"runtime"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+const (
+	// ExitSetupFailed defines exit code
+	ExitSetupFailed   = 1
+	DefaultConfigPath = ""
+)
+
+var (
+	configPath        string
+	defaultConfigPath string
+	logLevel          string
+
+	rootCmd = &cobra.Command{
+		Use:   "wiretrustee",
+		Short: "",
+		Long:  "",
+	}
+
+	// Execution control channel for stopCh signal
+	stopCh chan int
+)
+
+// Execute executes the root command.
+func Execute() error {
+	return rootCmd.Execute()
+}
+func init() {
+
+	stopCh = make(chan int)
+
+	defaultConfigPath = "/etc/wiretrustee/config.json"
+	if runtime.GOOS == "windows" {
+		defaultConfigPath = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "config.json"
+	}
+	rootCmd.PersistentFlags().StringVar(&configPath, "config", defaultConfigPath, "Wiretrustee config file location to write new config to")
+	rootCmd.PersistentFlags().StringVar(&logLevel, "log-level", "info", "")
+	rootCmd.AddCommand(serviceCmd)
+	rootCmd.AddCommand(upCmd)
+	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
+	serviceCmd.AddCommand(installCmd, uninstallCmd)              // service installer commands are subcommands of service
+}
+
+// SetupCloseHandler handles SIGTERM signal and exits with success
+func SetupCloseHandler() {
+	c := make(chan os.Signal, 1)
+	signal.Notify(c, os.Interrupt)
+	go func() {
+		for range c {
+			fmt.Println("\r- Ctrl+C pressed in Terminal")
+			stopCh <- 0
+		}
+	}()
+}
+
+// InitLog parses and sets log-level input
+func InitLog(logLevel string) {
+	level, err := log.ParseLevel(logLevel)
+	if err != nil {
+		log.Errorf("Failed parsing log-level %s: %s", logLevel, err)
+		os.Exit(ExitSetupFailed)
+	}
+	log.SetLevel(level)
+}

client/cmd/service.go

@@ -0,0 +1,48 @@
+package cmd
+
+import (
+	"github.com/kardianos/service"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+type program struct {
+	cmd  *cobra.Command
+	args []string
+}
+
+var logger service.Logger
+
+func newSVCConfig() *service.Config {
+	return &service.Config{
+		Name:        "wiretrustee",
+		DisplayName: "Wiretrustee",
+		Description: "A WireGuard-based mesh network that connects your devices into a single private network.",
+	}
+}
+
+func newSVC(prg *program, conf *service.Config) (service.Service, error) {
+	s, err := service.New(prg, conf)
+	if err != nil {
+		log.Fatal(err)
+		return nil, err
+	}
+	logger, err = s.Logger(nil)
+	if err != nil {
+		log.Fatal(err)
+		return nil, err
+	}
+	return s, nil
+}
+
+var (
+	serviceCmd = &cobra.Command{
+		Use:   "service",
+		Short: "manages wiretrustee service",
+		//Run: func(cmd *cobra.Command, args []string) {
+		//},
+	}
+)
+
+func init() {
+}

client/cmd/service_controller.go

@@ -0,0 +1,109 @@
+package cmd
+
+import (
+	"github.com/kardianos/service"
+	"github.com/spf13/cobra"
+)
+
+func (p *program) Start(s service.Service) error {
+	// Start should not block. Do the actual work async.
+	logger.Info("Starting service") //nolint
+	return nil
+}
+
+func (p *program) Stop(s service.Service) error {
+	stopCh <- 1
+	return nil
+}
+
+var (
+	runCmd = &cobra.Command{
+		Use:   "run",
+		Short: "runs wiretrustee as service",
+		Run: func(cmd *cobra.Command, args []string) {
+
+			prg := &program{
+				cmd:  cmd,
+				args: args,
+			}
+
+			s, err := newSVC(prg, newSVCConfig())
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			err = s.Run()
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			cmd.Printf("Wiretrustee service is running")
+		},
+	}
+)
+
+var (
+	startCmd = &cobra.Command{
+		Use:   "start",
+		Short: "starts wiretrustee service",
+		Run: func(cmd *cobra.Command, args []string) {
+
+			s, err := newSVC(&program{}, newSVCConfig())
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			err = s.Start()
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			cmd.Printf("Wiretrustee service has been started")
+		},
+	}
+)
+
+var (
+	stopCmd = &cobra.Command{
+		Use:   "stop",
+		Short: "stops wiretrustee service",
+		Run: func(cmd *cobra.Command, args []string) {
+
+			s, err := newSVC(&program{}, newSVCConfig())
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			err = s.Stop()
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			cmd.Printf("Wiretrustee service has been stopped")
+		},
+	}
+)
+
+var (
+	restartCmd = &cobra.Command{
+		Use:   "restart",
+		Short: "restarts wiretrustee service",
+		Run: func(cmd *cobra.Command, args []string) {
+
+			s, err := newSVC(&program{}, newSVCConfig())
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			err = s.Restart()
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			cmd.Printf("Wiretrustee service has been restarted")
+		},
+	}
+)
+
+func init() {
+}

client/cmd/service_installer.go

@@ -0,0 +1,69 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+	"runtime"
+)
+
+var (
+	installCmd = &cobra.Command{
+		Use:   "install",
+		Short: "installs wiretrustee service",
+		Run: func(cmd *cobra.Command, args []string) {
+
+			svcConfig := newSVCConfig()
+
+			svcConfig.Arguments = []string{
+				"service",
+				"run",
+				"--config",
+				configPath,
+				"--log-level",
+				logLevel,
+			}
+
+			if runtime.GOOS == "linux" {
+				// Respected only by systemd systems
+				svcConfig.Dependencies = []string{"After=network.target syslog.target"}
+			}
+
+			s, err := newSVC(&program{}, svcConfig)
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+
+			err = s.Install()
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			cmd.Printf("Wiretrustee service has been installed")
+		},
+	}
+)
+
+var (
+	uninstallCmd = &cobra.Command{
+		Use:   "uninstall",
+		Short: "uninstalls wiretrustee service from system",
+		Run: func(cmd *cobra.Command, args []string) {
+
+			s, err := newSVC(&program{}, newSVCConfig())
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+
+			err = s.Uninstall()
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			cmd.Printf("Wiretrustee has been uninstalled")
+		},
+	}
+)
+
+func init() {
+}

client/cmd/service_test.go

@@ -0,0 +1,129 @@
+package cmd
+
+import (
+	"bytes"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/kardianos/service"
+)
+
+func Test_ServiceInstallCMD(t *testing.T) {
+	b := bytes.NewBufferString("")
+	rootCmd.SetOut(b)
+	rootCmd.SetErr(b)
+	rootCmd.SetArgs([]string{
+		"service",
+		"install",
+		"--config",
+		"/tmp/config.json",
+	})
+	err := rootCmd.Execute()
+	if err != nil {
+		t.Fatal(err)
+	}
+	out, err := ioutil.ReadAll(b)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectedMSG := "Wiretrustee service has been installed"
+	if string(out) != expectedMSG {
+		t.Fatalf("expected \"%s\" got \"%s\"", expectedMSG, string(out))
+	}
+}
+
+func Test_ServiceStartCMD(t *testing.T) {
+	b := bytes.NewBufferString("")
+	rootCmd.SetOut(b)
+	rootCmd.SetErr(b)
+	rootCmd.SetArgs([]string{"service", "start"})
+	err := rootCmd.Execute()
+	if err != nil {
+		t.Fatal(err)
+	}
+	out, err := ioutil.ReadAll(b)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectedMSG := "Wiretrustee service has been started"
+	if string(out) != expectedMSG {
+		t.Fatalf("expected \"%s\" got \"%s\"", expectedMSG, string(out))
+	}
+}
+
+func Test_ServiceRunCMD(t *testing.T) {
+	configFilePath := "/tmp/config.json"
+	if _, err := os.Stat(configFilePath); err == nil {
+		e := os.Remove(configFilePath)
+		if e != nil {
+			t.Fatal(err)
+		}
+	}
+	rootCmd.SetArgs([]string{
+		"--config",
+		configFilePath,
+	})
+	err := rootCmd.Execute()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	rootCmd.ResetFlags()
+	rootCmd.SetArgs([]string{"service", "start"})
+	err = rootCmd.Execute()
+	if err != nil {
+		t.Fatal(err)
+	}
+	s, err := newSVC(&program{}, newSVCConfig())
+	if err != nil {
+		t.Fatal(err)
+	}
+	status, err := s.Status()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if status != service.StatusRunning {
+		t.Fatalf("expected running status of \"%d\" got \"%d\"", service.StatusRunning, status)
+	}
+}
+
+/*func Test_ServiceStopCMD(t *testing.T) {
+	b := bytes.NewBufferString("")
+	rootCmd.SetOut(b)
+	rootCmd.SetErr(b)
+	rootCmd.SetArgs([]string{"service", "stop"})
+	err := rootCmd.Execute()
+	if err != nil {
+		t.Fatal(err)
+	}
+	out, err := ioutil.ReadAll(b)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expectedMSG := "Wiretrustee service has been stopped"
+	if string(out) != expectedMSG {
+		t.Fatalf("expected \"%s\" got \"%s\"", expectedMSG, string(out))
+	}
+}*/
+
+func Test_ServiceUninstallCMD(t *testing.T) {
+	b := bytes.NewBufferString("")
+	rootCmd.SetOut(b)
+	rootCmd.SetErr(b)
+	rootCmd.SetArgs([]string{"service", "uninstall"})
+	err := rootCmd.Execute()
+	if err != nil {
+		t.Fatal(err)
+	}
+	out, err := ioutil.ReadAll(b)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectedMSG := "Wiretrustee has been uninstalled"
+	if string(out) != expectedMSG {
+		t.Fatalf("expected \"%s\" got \"%s\"", expectedMSG, string(out))
+	}
+}

client/cmd/up.go

@@ -0,0 +1,246 @@
+package cmd
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"github.com/pion/ice/v2"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/wiretrustee/wiretrustee/client/internal"
+	"github.com/wiretrustee/wiretrustee/iface"
+	mgm "github.com/wiretrustee/wiretrustee/management/client"
+	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
+	signal "github.com/wiretrustee/wiretrustee/signal/client"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"net/url"
+	"os"
+	"strings"
+)
+
+var (
+	managementAddr string
+
+	upCmd = &cobra.Command{
+		Use:   "up",
+		Short: "start wiretrustee",
+		Run: func(cmd *cobra.Command, args []string) {
+			InitLog(logLevel)
+
+			config, err := internal.GetConfig(managementAddr, configPath)
+			if err != nil {
+				log.Errorf("failed getting config %s %v", configPath, err)
+				os.Exit(ExitSetupFailed)
+			}
+
+			//validate our peer's Wireguard PRIVATE key
+			myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+			if err != nil {
+				log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+				os.Exit(ExitSetupFailed)
+			}
+
+			ctx := context.Background()
+
+			managementURL, err := url.Parse(config.ManagementURL)
+			if err != nil {
+				log.Errorf("failed parsing managemtn URL%s: [%s]", config.ManagementURL, err.Error())
+				os.Exit(ExitSetupFailed)
+			}
+
+			mgmTlsEnabled := false
+			if managementURL.Scheme == "https" {
+				mgmTlsEnabled = true
+			}
+
+			// connect (just a connection, no stream yet) and login to Management Service to get an initial global Wiretrustee config
+
+			mgmClient, loginResp, err := connectToManagement(ctx, managementURL.Host, myPrivateKey, mgmTlsEnabled)
+			if err != nil {
+				log.Error(err)
+				os.Exit(ExitSetupFailed)
+			}
+
+			// with the global Wiretrustee config in hand connect (just a connection, no stream yet) Signal
+			signalClient, err := connectToSignal(ctx, loginResp.GetWiretrusteeConfig(), myPrivateKey)
+			if err != nil {
+				log.Error(err)
+				os.Exit(ExitSetupFailed)
+			}
+
+			engineConfig, err := createEngineConfig(myPrivateKey, config, loginResp.GetWiretrusteeConfig(), loginResp.GetPeerConfig())
+			if err != nil {
+				log.Error(err)
+				os.Exit(ExitSetupFailed)
+			}
+
+			// create start the Wiretrustee Engine that will connect to the Signal and Management streams and manage connections to remote peers.
+			engine := internal.NewEngine(signalClient, mgmClient, engineConfig)
+			err = engine.Start()
+			if err != nil {
+				log.Errorf("error while starting Wiretrustee Connection Engine: %s", err)
+				os.Exit(ExitSetupFailed)
+			}
+
+			SetupCloseHandler()
+			<-stopCh
+			log.Infof("receive signal to stop running")
+			err = mgmClient.Close()
+			if err != nil {
+				log.Errorf("failed closing Management Service client %v", err)
+			}
+			err = signalClient.Close()
+			if err != nil {
+				log.Errorf("failed closing Signal Service client %v", err)
+			}
+
+			log.Debugf("removing Wiretrustee interface %s", config.WgIface)
+			err = iface.Close()
+			if err != nil {
+				log.Errorf("failed closing Wiretrustee interface %s %v", config.WgIface, err)
+			}
+		},
+	}
+)
+
+func init() {
+	upCmd.PersistentFlags().StringVar(&managementAddr, "management-addr", "", "Management Service address (e.g. app.wiretrustee.com")
+}
+
+// createEngineConfig converts configuration received from Management Service to EngineConfig
+func createEngineConfig(key wgtypes.Key, config *internal.Config, wtConfig *mgmProto.WiretrusteeConfig, peerConfig *mgmProto.PeerConfig) (*internal.EngineConfig, error) {
+	iFaceBlackList := make(map[string]struct{})
+	for i := 0; i < len(config.IFaceBlackList); i += 2 {
+		iFaceBlackList[config.IFaceBlackList[i]] = struct{}{}
+	}
+
+	stunTurns, err := toStunTurnURLs(wtConfig)
+	if err != nil {
+		return nil, status.Errorf(codes.FailedPrecondition, "failed parsing STUN and TURN URLs received from Management Service : %s", err)
+	}
+
+	return &internal.EngineConfig{
+		StunsTurns:     stunTurns,
+		WgIface:        config.WgIface,
+		WgAddr:         peerConfig.Address,
+		IFaceBlackList: iFaceBlackList,
+		WgPrivateKey:   key,
+	}, nil
+}
+
+// toStunTurnURLs converts Wiretrustee STUN and TURN configs to ice.URL array
+func toStunTurnURLs(wtConfig *mgmProto.WiretrusteeConfig) ([]*ice.URL, error) {
+
+	var stunsTurns []*ice.URL
+	for _, stun := range wtConfig.Stuns {
+		url, err := ice.ParseURL(stun.Uri)
+		if err != nil {
+			return nil, err
+		}
+		stunsTurns = append(stunsTurns, url)
+	}
+	for _, turn := range wtConfig.Turns {
+		url, err := ice.ParseURL(turn.HostConfig.Uri)
+		if err != nil {
+			return nil, err
+		}
+		url.Username = turn.User
+		url.Password = turn.Password
+		stunsTurns = append(stunsTurns, url)
+	}
+
+	return stunsTurns, nil
+}
+
+// connectToSignal creates Signal Service client and established a connection
+func connectToSignal(ctx context.Context, wtConfig *mgmProto.WiretrusteeConfig, ourPrivateKey wgtypes.Key) (*signal.Client, error) {
+	var sigTLSEnabled bool
+	if wtConfig.Signal.Protocol == mgmProto.HostConfig_HTTPS {
+		sigTLSEnabled = true
+	} else {
+		sigTLSEnabled = false
+	}
+	signalClient, err := signal.NewClient(ctx, wtConfig.Signal.Uri, ourPrivateKey, sigTLSEnabled)
+	if err != nil {
+		log.Errorf("error while connecting to the Signal Exchange Service %s: %s", wtConfig.Signal.Uri, err)
+		return nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Signal Service : %s", err)
+	}
+
+	return signalClient, nil
+}
+
+// connectToManagement creates Management Services client, establishes a connection and gets a global Wiretrustee config (signal, turn, stun hosts, etc)
+func connectToManagement(ctx context.Context, managementAddr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*mgm.Client, *mgmProto.LoginResponse, error) {
+	log.Debugf("connecting to management server %s", managementAddr)
+	mgmClient, err := mgm.NewClient(ctx, managementAddr, ourPrivateKey, tlsEnabled)
+	if err != nil {
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err)
+	}
+	log.Debugf("connected to management server %s", managementAddr)
+
+	serverKey, err := mgmClient.GetServerPublicKey()
+	if err != nil {
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
+	}
+
+	wtConfig, err := loginPeer(*serverKey, mgmClient)
+	if err != nil {
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed logging-in peer on Management Service : %s", err)
+	}
+
+	log.Debugf("peer logged in to Management Service %s", wtConfig)
+
+	return mgmClient, wtConfig, nil
+}
+
+func registerPeer(serverPublicKey wgtypes.Key, client *mgm.Client) (*mgmProto.LoginResponse, error) {
+	setupKey, err := promptPeerSetupKey()
+	if err != nil {
+		log.Errorf("failed getting setup key: %s", err)
+		return nil, err
+	}
+
+	log.Debugf("sending peer registration request")
+	loginResp, err := client.Register(serverPublicKey, *setupKey)
+	if err != nil {
+		log.Errorf("failed registering peer %v", err)
+		return nil, err
+	}
+
+	return loginResp, nil
+}
+
+func loginPeer(serverPublicKey wgtypes.Key, client *mgm.Client) (*mgmProto.LoginResponse, error) {
+
+	loginResp, err := client.Login(serverPublicKey)
+	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
+			log.Debugf("peer registration required")
+			return registerPeer(serverPublicKey, client)
+		} else {
+			return nil, err
+		}
+	}
+
+	return loginResp, nil
+}
+
+// promptPeerSetupKey prompts user to input a Setup Key
+func promptPeerSetupKey() (*string, error) {
+	fmt.Print("Enter setup key: ")
+	reader := bufio.NewReader(os.Stdin)
+	input, err := reader.ReadString('\n')
+	if err != nil {
+		return nil, err
+	}
+	input = strings.TrimSuffix(input, "\n")
+
+	if input == "" {
+		fmt.Print("Specified key is empty, try again.")
+		return promptPeerSetupKey()
+	}
+
+	return &input, err
+}

client/internal/cond.go

@@ -0,0 +1,32 @@
+package internal
+
+import "sync"
+
+// A Cond is a condition variable like sync.Cond, but using a channel so we can use select.
+type Cond struct {
+	once sync.Once
+	C    chan struct{}
+}
+
+// NewCond creates a new condition variable.
+func NewCond() *Cond {
+	return &Cond{C: make(chan struct{})}
+}
+
+// Do runs f if the condition hasn't been signaled yet. Afterwards it will be signaled.
+func (c *Cond) Do(f func()) {
+	c.once.Do(func() {
+		f()
+		close(c.C)
+	})
+}
+
+// Signal closes the condition variable channel.
+func (c *Cond) Signal() {
+	c.Do(func() {})
+}
+
+// Wait waits for the condition variable channel to close.
+func (c *Cond) Wait() {
+	<-c.C
+}

client/internal/config.go

@@ -0,0 +1,72 @@
+package internal
+
+import (
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/iface"
+	"github.com/wiretrustee/wiretrustee/util"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"os"
+)
+
+const ManagementAddrDefault = "https://app.wiretrustee.com"
+
+// Config Configuration type
+type Config struct {
+	// Wireguard private key of local peer
+	PrivateKey     string
+	ManagementURL  string
+	WgIface        string
+	IFaceBlackList []string
+}
+
+//createNewConfig creates a new config generating a new Wireguard key and saving to file
+func createNewConfig(managementURL string, configPath string) (*Config, error) {
+	wgKey := generateKey()
+	config := &Config{PrivateKey: wgKey, WgIface: iface.WgInterfaceDefault, IFaceBlackList: []string{}}
+	if managementURL != "" {
+		config.ManagementURL = managementURL
+	} else {
+		config.ManagementURL = ManagementAddrDefault
+	}
+
+	err := util.WriteJson(configPath, config)
+	if err != nil {
+		return nil, err
+	}
+
+	return config, nil
+}
+
+// GetConfig reads existing config or generates a new one
+func GetConfig(managementURL string, configPath string) (*Config, error) {
+
+	var config *Config
+	if _, err := os.Stat(configPath); os.IsNotExist(err) {
+		log.Warnf("first run - generating new config %s", configPath)
+		config, err = createNewConfig(managementURL, configPath)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		config = &Config{}
+		_, err := util.ReadJson(configPath, config)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if managementURL != "" {
+		config.ManagementURL = managementURL
+	}
+
+	return config, nil
+}
+
+// generateKey generates a new Wireguard private key
+func generateKey() string {
+	key, err := wgtypes.GenerateKey()
+	if err != nil {
+		panic(err)
+	}
+	return key.String()
+}

client/internal/connection.go

@@ -0,0 +1,383 @@
+package internal
+
+import (
+	"context"
+	"fmt"
+	ice "github.com/pion/ice/v2"
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/iface"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"net"
+	"sync"
+	"time"
+)
+
+var (
+	// DefaultWgKeepAlive default Wireguard keep alive constant
+	DefaultWgKeepAlive = 20 * time.Second
+	privateIPBlocks    []*net.IPNet
+)
+
+type Status string
+
+const (
+	StatusConnected    Status = "Connected"
+	StatusConnecting   Status = "Connecting"
+	StatusDisconnected Status = "Disconnected"
+)
+
+func init() {
+	for _, cidr := range []string{
+		"127.0.0.0/8",    // IPv4 loopback
+		"10.0.0.0/8",     // RFC1918
+		"172.16.0.0/12",  // RFC1918
+		"192.168.0.0/16", // RFC1918
+		"169.254.0.0/16", // RFC3927 link-local
+		"::1/128",        // IPv6 loopback
+		"fe80::/10",      // IPv6 link-local
+		"fc00::/7",       // IPv6 unique local addr
+	} {
+		_, block, err := net.ParseCIDR(cidr)
+		if err != nil {
+			panic(fmt.Errorf("parse error on %q: %v", cidr, err))
+		}
+		privateIPBlocks = append(privateIPBlocks, block)
+	}
+}
+
+// ConnConfig Connection configuration struct
+type ConnConfig struct {
+	// Local Wireguard listening address  e.g. 127.0.0.1:51820
+	WgListenAddr string
+	// A Local Wireguard Peer IP address in CIDR notation e.g. 10.30.30.1/24
+	WgPeerIP string
+	// Local Wireguard Interface name (e.g. wg0)
+	WgIface string
+	// Wireguard allowed IPs (e.g. 10.30.30.2/32)
+	WgAllowedIPs string
+	// Local Wireguard private key
+	WgKey wgtypes.Key
+	// Remote Wireguard public key
+	RemoteWgKey wgtypes.Key
+
+	StunTurnURLS []*ice.URL
+
+	iFaceBlackList map[string]struct{}
+}
+
+// IceCredentials ICE protocol credentials struct
+type IceCredentials struct {
+	uFrag string
+	pwd   string
+}
+
+// Connection Holds information about a connection and handles signal protocol
+type Connection struct {
+	Config ConnConfig
+	// signalCandidate is a handler function to signal remote peer about local connection candidate
+	signalCandidate func(candidate ice.Candidate) error
+
+	// signalOffer is a handler function to signal remote peer our connection offer (credentials)
+	signalOffer func(uFrag string, pwd string) error
+
+	// signalOffer is a handler function to signal remote peer our connection answer (credentials)
+	signalAnswer func(uFrag string, pwd string) error
+
+	// remoteAuthChannel is a channel used to wait for remote credentials to proceed with the connection
+	remoteAuthChannel chan IceCredentials
+
+	// agent is an actual ice.Agent that is used to negotiate and maintain a connection to a remote peer
+	agent *ice.Agent
+
+	wgProxy *WgProxy
+
+	connected *Cond
+	closeCond *Cond
+
+	remoteAuthCond sync.Once
+
+	Status Status
+}
+
+// NewConnection Creates a new connection and sets handling functions for signal protocol
+func NewConnection(config ConnConfig,
+	signalCandidate func(candidate ice.Candidate) error,
+	signalOffer func(uFrag string, pwd string) error,
+	signalAnswer func(uFrag string, pwd string) error,
+) *Connection {
+
+	return &Connection{
+		Config:            config,
+		signalCandidate:   signalCandidate,
+		signalOffer:       signalOffer,
+		signalAnswer:      signalAnswer,
+		remoteAuthChannel: make(chan IceCredentials, 1),
+		closeCond:         NewCond(),
+		connected:         NewCond(),
+		agent:             nil,
+		wgProxy:           NewWgProxy(config.WgIface, config.RemoteWgKey.String(), config.WgAllowedIPs, config.WgListenAddr),
+		Status:            StatusDisconnected,
+	}
+}
+
+// Open opens connection to a remote peer.
+// Will block until the connection has successfully established
+func (conn *Connection) Open(timeout time.Duration) error {
+
+	// create an ice.Agent that will be responsible for negotiating and establishing actual peer-to-peer connection
+	a, err := ice.NewAgent(&ice.AgentConfig{
+		// MulticastDNSMode: ice.MulticastDNSModeQueryAndGather,
+		NetworkTypes: []ice.NetworkType{ice.NetworkTypeUDP4},
+		Urls:         conn.Config.StunTurnURLS,
+		InterfaceFilter: func(s string) bool {
+			if conn.Config.iFaceBlackList == nil {
+				return true
+			}
+			_, ok := conn.Config.iFaceBlackList[s]
+			return !ok
+		},
+	})
+	conn.agent = a
+
+	if err != nil {
+		return err
+	}
+
+	err = conn.listenOnLocalCandidates()
+	if err != nil {
+		return err
+	}
+
+	err = conn.listenOnConnectionStateChanges()
+	if err != nil {
+		return err
+	}
+
+	err = conn.signalCredentials()
+	if err != nil {
+		return err
+	}
+
+	conn.Status = StatusConnecting
+	log.Infof("trying to connect to peer %s", conn.Config.RemoteWgKey.String())
+
+	// wait until credentials have been sent from the remote peer (will arrive via a signal server)
+	select {
+	case remoteAuth := <-conn.remoteAuthChannel:
+
+		log.Infof("got a connection confirmation from peer %s", conn.Config.RemoteWgKey.String())
+
+		err = conn.agent.GatherCandidates()
+		if err != nil {
+			return err
+		}
+
+		isControlling := conn.Config.WgKey.PublicKey().String() > conn.Config.RemoteWgKey.String()
+		remoteConn, err := conn.openConnectionToRemote(isControlling, remoteAuth)
+		if err != nil {
+			log.Errorf("failed establishing connection with the remote peer %s %s", conn.Config.RemoteWgKey.String(), err)
+			return err
+		}
+
+		pair, err := conn.agent.GetSelectedCandidatePair()
+		if err != nil {
+			return err
+		}
+		remoteIP := net.ParseIP(pair.Remote.Address())
+		myIp := net.ParseIP(pair.Remote.Address())
+		// in case the remote peer is in the local network or one of the peers has public static IP -> no need for a Wireguard proxy, direct communication is possible.
+		if (pair.Local.Type() == ice.CandidateTypeHost && pair.Remote.Type() == ice.CandidateTypeHost) && (isPublicIP(remoteIP) || isPublicIP(myIp)) {
+			log.Debugf("it is possible to establish a direct connection (without proxy) to peer %s - my addr: %s, remote addr: %s", conn.Config.RemoteWgKey.String(), pair.Local.Address(), pair.Remote.Address())
+			err = conn.wgProxy.StartLocal(fmt.Sprintf("%s:%d", pair.Remote.Address(), iface.WgPort))
+			if err != nil {
+				return err
+			}
+		} else {
+			log.Infof("establishing secure tunnel to peer %s via selected candidate pair %s", conn.Config.RemoteWgKey.String(), pair)
+			err = conn.wgProxy.Start(remoteConn)
+			if err != nil {
+				return err
+			}
+		}
+
+		conn.Status = StatusConnected
+		log.Infof("opened connection to peer %s", conn.Config.RemoteWgKey.String())
+	case <-conn.closeCond.C:
+		conn.Status = StatusDisconnected
+		return fmt.Errorf("connection to peer %s has been closed", conn.Config.RemoteWgKey.String())
+	case <-time.After(timeout):
+		err := conn.Close()
+		if err != nil {
+			log.Warnf("error while closing connection to peer %s -> %s", conn.Config.RemoteWgKey.String(), err.Error())
+		}
+		conn.Status = StatusDisconnected
+		return fmt.Errorf("timeout of %vs exceeded while waiting for the remote peer %s", timeout.Seconds(), conn.Config.RemoteWgKey.String())
+	}
+
+	// wait until connection has been closed
+	<-conn.closeCond.C
+	conn.Status = StatusDisconnected
+	return fmt.Errorf("connection to peer %s has been closed", conn.Config.RemoteWgKey.String())
+}
+
+func isPublicIP(ip net.IP) bool {
+	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+		return false
+	}
+
+	for _, block := range privateIPBlocks {
+		if block.Contains(ip) {
+			return false
+		}
+	}
+	return true
+}
+
+// Close Closes a peer connection
+func (conn *Connection) Close() error {
+	var err error
+	conn.closeCond.Do(func() {
+
+		log.Warnf("closing connection to peer %s", conn.Config.RemoteWgKey.String())
+
+		if a := conn.agent; a != nil {
+			e := a.Close()
+			if e != nil {
+				log.Warnf("error while closing ICE agent of peer connection %s", conn.Config.RemoteWgKey.String())
+				err = e
+			}
+		}
+
+		if c := conn.wgProxy; c != nil {
+			e := c.Close()
+			if e != nil {
+				log.Warnf("error while closingWireguard proxy connection of peer connection %s", conn.Config.RemoteWgKey.String())
+				err = e
+			}
+		}
+	})
+	return err
+}
+
+// OnAnswer Handles the answer from the other peer
+func (conn *Connection) OnAnswer(remoteAuth IceCredentials) error {
+
+	conn.remoteAuthCond.Do(func() {
+		log.Debugf("OnAnswer from peer %s", conn.Config.RemoteWgKey.String())
+		conn.remoteAuthChannel <- remoteAuth
+	})
+	return nil
+}
+
+// OnOffer Handles the offer from the other peer
+func (conn *Connection) OnOffer(remoteAuth IceCredentials) error {
+
+	conn.remoteAuthCond.Do(func() {
+		log.Debugf("OnOffer from peer %s", conn.Config.RemoteWgKey.String())
+		conn.remoteAuthChannel <- remoteAuth
+		uFrag, pwd, err := conn.agent.GetLocalUserCredentials()
+		if err != nil { //nolint
+		}
+
+		err = conn.signalAnswer(uFrag, pwd)
+		if err != nil { //nolint
+		}
+	})
+
+	return nil
+}
+
+// OnRemoteCandidate Handles remote candidate provided by the peer.
+func (conn *Connection) OnRemoteCandidate(candidate ice.Candidate) error {
+
+	log.Debugf("onRemoteCandidate from peer %s -> %s", conn.Config.RemoteWgKey.String(), candidate.String())
+
+	err := conn.agent.AddRemoteCandidate(candidate)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// openConnectionToRemote opens an ice.Conn to the remote peer. This is a real peer-to-peer connection
+// blocks until connection has been established
+func (conn *Connection) openConnectionToRemote(isControlling bool, credentials IceCredentials) (*ice.Conn, error) {
+	var realConn *ice.Conn
+	var err error
+
+	if isControlling {
+		realConn, err = conn.agent.Dial(context.TODO(), credentials.uFrag, credentials.pwd)
+	} else {
+		realConn, err = conn.agent.Accept(context.TODO(), credentials.uFrag, credentials.pwd)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	return realConn, err
+}
+
+// signalCredentials prepares local user credentials and signals them to the remote peer
+func (conn *Connection) signalCredentials() error {
+	localUFrag, localPwd, err := conn.agent.GetLocalUserCredentials()
+	if err != nil {
+		return err
+	}
+
+	err = conn.signalOffer(localUFrag, localPwd)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// listenOnLocalCandidates registers callback of an ICE Agent to receive new local connection candidates and then
+// signals them to the remote peer
+func (conn *Connection) listenOnLocalCandidates() error {
+	err := conn.agent.OnCandidate(func(candidate ice.Candidate) {
+		if candidate != nil {
+			log.Debugf("discovered local candidate %s", candidate.String())
+			err := conn.signalCandidate(candidate)
+			if err != nil {
+				log.Errorf("failed signaling candidate to the remote peer %s %s", conn.Config.RemoteWgKey.String(), err)
+				//todo ??
+				return
+			}
+		}
+	})
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// listenOnConnectionStateChanges registers callback of an ICE Agent to track connection state
+func (conn *Connection) listenOnConnectionStateChanges() error {
+	err := conn.agent.OnConnectionStateChange(func(state ice.ConnectionState) {
+		log.Debugf("ICE Connection State has changed for peer %s -> %s", conn.Config.RemoteWgKey.String(), state.String())
+		if state == ice.ConnectionStateConnected {
+			// closed the connection has been established we can check the selected candidate pair
+			pair, err := conn.agent.GetSelectedCandidatePair()
+			if err != nil {
+				log.Errorf("failed selecting active ICE candidate pair %s", err)
+				return
+			}
+			log.Debugf("ICE connected to peer %s via a selected connnection candidate pair %s", conn.Config.RemoteWgKey.String(), pair)
+		} else if state == ice.ConnectionStateDisconnected || state == ice.ConnectionStateFailed {
+			err := conn.Close()
+			if err != nil {
+				log.Warnf("error while closing connection to peer %s -> %s", conn.Config.RemoteWgKey.String(), err.Error())
+			}
+		}
+	})
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

client/internal/engine.go

@@ -0,0 +1,376 @@
+package internal
+
+import (
+	"fmt"
+	"github.com/cenkalti/backoff/v4"
+	ice "github.com/pion/ice/v2"
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/iface"
+	mgm "github.com/wiretrustee/wiretrustee/management/client"
+	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
+	signal "github.com/wiretrustee/wiretrustee/signal/client"
+	sProto "github.com/wiretrustee/wiretrustee/signal/proto"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"strings"
+	"sync"
+	"time"
+)
+
+// PeerConnectionTimeout is a timeout of an initial connection attempt to a remote peer.
+// E.g. this peer will wait PeerConnectionTimeout for the remote peer to respond, if not successful then it will retry the connection attempt.
+const PeerConnectionTimeout = 60 * time.Second
+
+// EngineConfig is a config for the Engine
+type EngineConfig struct {
+	// StunsTurns is a list of STUN and TURN servers used by ICE
+	StunsTurns []*ice.URL
+	WgIface    string
+	// WgAddr is a Wireguard local address (Wiretrustee Network IP)
+	WgAddr string
+	// WgPrivateKey is a Wireguard private key of our peer (it MUST never leave the machine)
+	WgPrivateKey wgtypes.Key
+	// IFaceBlackList is a list of network interfaces to ignore when discovering connection candidates (ICE related)
+	IFaceBlackList map[string]struct{}
+}
+
+// Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
+type Engine struct {
+	// signal is a Signal Service client
+	signal *signal.Client
+	// mgmClient is a Management Service client
+	mgmClient *mgm.Client
+	// conns is a collection of remote peer connections indexed by local public key of the remote peers
+	conns map[string]*Connection
+
+	// peerMux is used to sync peer operations (e.g. open connection, peer removal)
+	peerMux *sync.Mutex
+	// syncMsgMux is used to guarantee sequential Management Service message processing
+	syncMsgMux *sync.Mutex
+
+	config *EngineConfig
+
+	// wgPort is a Wireguard local listen port
+	wgPort int
+}
+
+// Peer is an instance of the Connection Peer
+type Peer struct {
+	WgPubKey     string
+	WgAllowedIps string
+}
+
+// NewEngine creates a new Connection Engine
+func NewEngine(signalClient *signal.Client, mgmClient *mgm.Client, config *EngineConfig) *Engine {
+	return &Engine{
+		signal:     signalClient,
+		mgmClient:  mgmClient,
+		conns:      map[string]*Connection{},
+		peerMux:    &sync.Mutex{},
+		syncMsgMux: &sync.Mutex{},
+		config:     config,
+	}
+}
+
+// Start creates a new Wireguard tunnel interface and listens to events from Signal and Management services
+// Connections to remote peers are not established here.
+// However, they will be established once an event with a list of peers to connect to will be received from Management Service
+func (e *Engine) Start() error {
+
+	wgIface := e.config.WgIface
+	wgAddr := e.config.WgAddr
+	myPrivateKey := e.config.WgPrivateKey
+
+	err := iface.Create(wgIface, wgAddr)
+	if err != nil {
+		log.Errorf("failed creating interface %s: [%s]", wgIface, err.Error())
+		return err
+	}
+
+	err = iface.Configure(wgIface, myPrivateKey.String())
+	if err != nil {
+		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIface, err.Error())
+		return err
+	}
+
+	port, err := iface.GetListenPort(wgIface)
+	if err != nil {
+		log.Errorf("failed getting Wireguard listen port [%s]: %s", wgIface, err.Error())
+		return err
+	}
+	e.wgPort = *port
+
+	e.receiveSignalEvents()
+	e.receiveManagementEvents()
+
+	return nil
+}
+
+// initializePeer peer agent attempt to open connection
+func (e *Engine) initializePeer(peer Peer) {
+	var backOff = &backoff.ExponentialBackOff{
+		InitialInterval:     backoff.DefaultInitialInterval,
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         5 * time.Second,
+		MaxElapsedTime:      time.Duration(0), //never stop
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}
+	operation := func() error {
+		_, err := e.openPeerConnection(e.wgPort, e.config.WgPrivateKey, peer)
+		e.peerMux.Lock()
+		defer e.peerMux.Unlock()
+		if _, ok := e.conns[peer.WgPubKey]; !ok {
+			log.Infof("removing connection attempt with Peer: %v, not retrying", peer.WgPubKey)
+			return nil
+		}
+
+		if err != nil {
+			log.Warnln(err)
+			log.Warnln("retrying connection because of error: ", err.Error())
+			return err
+		}
+		return nil
+	}
+
+	err := backoff.Retry(operation, backOff)
+	if err != nil {
+		// should actually never happen
+		panic(err)
+	}
+}
+
+func (e *Engine) removePeerConnections(peers []string) error {
+	e.peerMux.Lock()
+	defer e.peerMux.Unlock()
+	for _, peer := range peers {
+		err := e.removePeerConnection(peer)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// removePeerConnection closes existing peer connection and removes peer
+func (e *Engine) removePeerConnection(peerKey string) error {
+	conn, exists := e.conns[peerKey]
+	if exists && conn != nil {
+		delete(e.conns, peerKey)
+		return conn.Close()
+	}
+	return nil
+}
+
+// GetPeerConnectionStatus returns a connection Status or nil if peer connection wasn't found
+func (e *Engine) GetPeerConnectionStatus(peerKey string) *Status {
+	e.peerMux.Lock()
+	defer e.peerMux.Unlock()
+
+	conn, exists := e.conns[peerKey]
+	if exists && conn != nil {
+		return &conn.Status
+	}
+
+	return nil
+}
+
+// openPeerConnection opens a new remote peer connection
+func (e *Engine) openPeerConnection(wgPort int, myKey wgtypes.Key, peer Peer) (*Connection, error) {
+	e.peerMux.Lock()
+
+	remoteKey, _ := wgtypes.ParseKey(peer.WgPubKey)
+	connConfig := &ConnConfig{
+		WgListenAddr:   fmt.Sprintf("127.0.0.1:%d", wgPort),
+		WgPeerIP:       e.config.WgAddr,
+		WgIface:        e.config.WgIface,
+		WgAllowedIPs:   peer.WgAllowedIps,
+		WgKey:          myKey,
+		RemoteWgKey:    remoteKey,
+		StunTurnURLS:   e.config.StunsTurns,
+		iFaceBlackList: e.config.IFaceBlackList,
+	}
+
+	signalOffer := func(uFrag string, pwd string) error {
+		return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, false)
+	}
+
+	signalAnswer := func(uFrag string, pwd string) error {
+		return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, true)
+	}
+	signalCandidate := func(candidate ice.Candidate) error {
+		return signalCandidate(candidate, myKey, remoteKey, e.signal)
+	}
+	conn := NewConnection(*connConfig, signalCandidate, signalOffer, signalAnswer)
+	e.conns[remoteKey.String()] = conn
+	e.peerMux.Unlock()
+
+	// blocks until the connection is open (or timeout)
+	err := conn.Open(PeerConnectionTimeout)
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client) error {
+	err := s.Send(&sProto.Message{
+		Key:       myKey.PublicKey().String(),
+		RemoteKey: remoteKey.String(),
+		Body: &sProto.Body{
+			Type:    sProto.Body_CANDIDATE,
+			Payload: candidate.Marshal(),
+		},
+	})
+	if err != nil {
+		log.Errorf("failed signaling candidate to the remote peer %s %s", remoteKey.String(), err)
+		//todo ??
+		return err
+	}
+
+	return nil
+}
+
+func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client, isAnswer bool) error {
+
+	var t sProto.Body_Type
+	if isAnswer {
+		t = sProto.Body_ANSWER
+	} else {
+		t = sProto.Body_OFFER
+	}
+
+	msg, err := signal.MarshalCredential(myKey, remoteKey, &signal.Credential{
+		UFrag: uFrag,
+		Pwd:   pwd}, t)
+	if err != nil {
+		return err
+	}
+	err = s.Send(msg)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// receiveManagementEvents connects to the Management Service event stream to receive updates from the management service
+// E.g. when a new peer has been registered and we are allowed to connect to it.
+func (e *Engine) receiveManagementEvents() {
+
+	log.Debugf("connecting to Management Service updates stream")
+
+	e.mgmClient.Sync(func(update *mgmProto.SyncResponse) error {
+		// todo handle changes of global settings (in update.GetWiretrusteeConfig())
+		// todo handle changes of peer settings (in update.GetPeerConfig())
+
+		e.syncMsgMux.Lock()
+		defer e.syncMsgMux.Unlock()
+
+		remotePeers := update.GetRemotePeers()
+		if len(remotePeers) != 0 {
+
+			remotePeerMap := make(map[string]struct{})
+			for _, peer := range remotePeers {
+				remotePeerMap[peer.GetWgPubKey()] = struct{}{}
+			}
+
+			//remove peers that are no longer available for us
+			toRemove := []string{}
+			for p := range e.conns {
+				if _, ok := remotePeerMap[p]; !ok {
+					toRemove = append(toRemove, p)
+				}
+			}
+			err := e.removePeerConnections(toRemove)
+			if err != nil {
+				return err
+			}
+
+			// add new peers
+			for _, peer := range remotePeers {
+				peerKey := peer.GetWgPubKey()
+				peerIPs := peer.GetAllowedIps()
+				if _, ok := e.conns[peerKey]; !ok {
+					go e.initializePeer(Peer{
+						WgPubKey:     peerKey,
+						WgAllowedIps: strings.Join(peerIPs, ","),
+					})
+				}
+
+			}
+		}
+
+		return nil
+	})
+
+	log.Infof("connected to Management Service updates stream")
+}
+
+// receiveSignalEvents connects to the Signal Service event stream to negotiate connection with remote peers
+func (e *Engine) receiveSignalEvents() {
+	// connect to a stream of messages coming from the signal server
+	e.signal.Receive(func(msg *sProto.Message) error {
+
+		e.syncMsgMux.Lock()
+		defer e.syncMsgMux.Unlock()
+
+		conn := e.conns[msg.Key]
+		if conn == nil {
+			return fmt.Errorf("wrongly addressed message %s", msg.Key)
+		}
+
+		if conn.Config.RemoteWgKey.String() != msg.Key {
+			return fmt.Errorf("unknown peer %s", msg.Key)
+		}
+
+		switch msg.GetBody().Type {
+		case sProto.Body_OFFER:
+			remoteCred, err := signal.UnMarshalCredential(msg)
+			if err != nil {
+				return err
+			}
+			err = conn.OnOffer(IceCredentials{
+				uFrag: remoteCred.UFrag,
+				pwd:   remoteCred.Pwd,
+			})
+
+			if err != nil {
+				return err
+			}
+
+			return nil
+		case sProto.Body_ANSWER:
+			remoteCred, err := signal.UnMarshalCredential(msg)
+			if err != nil {
+				return err
+			}
+			err = conn.OnAnswer(IceCredentials{
+				uFrag: remoteCred.UFrag,
+				pwd:   remoteCred.Pwd,
+			})
+
+			if err != nil {
+				return err
+			}
+
+		case sProto.Body_CANDIDATE:
+
+			candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
+			if err != nil {
+				log.Errorf("failed on parsing remote candidate %s -> %s", candidate, err)
+				return err
+			}
+
+			err = conn.OnRemoteCandidate(candidate)
+			if err != nil {
+				log.Errorf("error handling CANDIATE from %s", msg.Key)
+				return err
+			}
+		}
+
+		return nil
+	})
+
+	e.signal.WaitConnected()
+}

client/internal/engine_test.go

@@ -0,0 +1,174 @@
+package internal
+
+import (
+	"context"
+	"fmt"
+	"github.com/pion/ice/v2"
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/iface"
+	mgmClient "github.com/wiretrustee/wiretrustee/management/client"
+	signalClient "github.com/wiretrustee/wiretrustee/signal/client"
+	"golang.zx2c4.com/wireguard/wgctrl"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"testing"
+	"time"
+)
+
+var engine *Engine
+var testKey wgtypes.Key
+var testPeer Peer
+
+const ifaceName = "utun9991"
+
+func Test_Start(t *testing.T) {
+	level, _ := log.ParseLevel("Debug")
+	log.SetLevel(level)
+
+	var err error
+	testKey, err = wgtypes.GenerateKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ctx := context.Background()
+
+	iceUrl, err := ice.ParseURL("stun:stun.wiretrustee.com:3468")
+	if err != nil {
+		t.Fatal(err)
+	}
+	var stunURLs = []*ice.URL{iceUrl}
+
+	iFaceBlackList := make(map[string]struct{})
+
+	signal, err := signalClient.NewClient(ctx, "signal.wiretrustee.com:10000", testKey, false)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	mgm, err := mgmClient.NewClient(ctx, "app.wiretrustee.com:33073", testKey, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+	conf := &EngineConfig{
+		StunsTurns:     stunURLs,
+		WgIface:        ifaceName,
+		WgAddr:         "10.99.91.1/24",
+		WgPrivateKey:   testKey,
+		IFaceBlackList: iFaceBlackList,
+	}
+	engine = NewEngine(signal, mgm, conf)
+
+	err = engine.Start()
+	if err != nil {
+		t.Fatal(err)
+	}
+	wg, err := wgctrl.New()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer wg.Close()
+
+	_, err = wg.Device(ifaceName)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestEngine_InitializePeerWithoutRemote(t *testing.T) {
+	tmpKey, err := wgtypes.GenerateKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+	testPeer = Peer{
+		tmpKey.PublicKey().String(),
+		"10.99.91.2/32",
+	}
+	go engine.initializePeer(testPeer)
+	// Let the connections initialize
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+	for {
+		status := engine.GetPeerConnectionStatus(testPeer.WgPubKey)
+		err = ctx.Err()
+		if (status != nil && *status == StatusConnecting) || err != nil {
+			if err != nil {
+				t.Fatal(err)
+			}
+			//success
+			break
+		}
+	}
+}
+
+func TestEngine_Initialize2PeersWithoutRemote(t *testing.T) {
+	tmpKey1, err := wgtypes.GenerateKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+	tmpKey2, err := wgtypes.GenerateKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+	testPeer1 := Peer{
+		tmpKey1.PublicKey().String(),
+		"10.99.91.2/32",
+	}
+	testPeer2 := Peer{
+		tmpKey2.PublicKey().String(),
+		"10.99.91.3/32",
+	}
+	go engine.initializePeer(testPeer1)
+	go engine.initializePeer(testPeer2)
+	// Let the connections initialize
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+	for {
+		status1 := engine.GetPeerConnectionStatus(testPeer1.WgPubKey)
+		status2 := engine.GetPeerConnectionStatus(testPeer2.WgPubKey)
+		err = ctx.Err()
+		if (status1 != nil && status2 != nil) || err != nil {
+			if err != nil {
+				t.Fatal(err)
+			}
+			if *status1 == StatusConnecting && *status2 == StatusConnecting {
+				//success
+				break
+			}
+		}
+	}
+}
+
+func TestEngine_RemovePeerConnectionWithoutRemote(t *testing.T) {
+
+	// Let the connections initialize
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+	for {
+		status := engine.GetPeerConnectionStatus(testPeer.WgPubKey)
+		err := ctx.Err()
+		if (status != nil && *status == StatusConnecting) || err != nil {
+			if err != nil {
+				t.Fatal(err)
+			}
+			break
+		}
+	}
+
+	// Let the connections close
+	err := engine.removePeerConnection(testPeer.WgPubKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	status := engine.GetPeerConnectionStatus(testPeer.WgPubKey)
+	if status != nil {
+		t.Fatal(fmt.Errorf("wrong status %v", status))
+	}
+}
+
+func Test_CloseInterface(t *testing.T) {
+	err := iface.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}

client/internal/wgproxy.go

@@ -0,0 +1,132 @@
+package internal
+
+import (
+	ice "github.com/pion/ice/v2"
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/iface"
+	"net"
+)
+
+// WgProxy an instance of an instance of the Connection Wireguard Proxy
+type WgProxy struct {
+	iface      string
+	remoteKey  string
+	allowedIps string
+	wgAddr     string
+	close      chan struct{}
+	wgConn     net.Conn
+}
+
+// NewWgProxy creates a new Connection Wireguard Proxy
+func NewWgProxy(iface string, remoteKey string, allowedIps string, wgAddr string) *WgProxy {
+	return &WgProxy{
+		iface:      iface,
+		remoteKey:  remoteKey,
+		allowedIps: allowedIps,
+		wgAddr:     wgAddr,
+		close:      make(chan struct{}),
+	}
+}
+
+// Close closes the proxy
+func (p *WgProxy) Close() error {
+
+	close(p.close)
+	if c := p.wgConn; c != nil {
+		err := p.wgConn.Close()
+		if err != nil {
+			return err
+		}
+	}
+	err := iface.RemovePeer(p.iface, p.remoteKey)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// StartLocal configure the interface with a peer using a direct IP:Port endpoint to the remote host
+func (p *WgProxy) StartLocal(host string) error {
+	err := iface.UpdatePeer(p.iface, p.remoteKey, p.allowedIps, DefaultWgKeepAlive, host)
+	if err != nil {
+		log.Errorf("error while configuring Wireguard peer [%s] %s", p.remoteKey, err.Error())
+		return err
+	}
+	return nil
+}
+
+// Start starts a new proxy using the ICE connection
+func (p *WgProxy) Start(remoteConn *ice.Conn) error {
+
+	wgConn, err := net.Dial("udp", p.wgAddr)
+	if err != nil {
+		log.Fatalf("failed dialing to local Wireguard port %s", err)
+		return err
+	}
+	p.wgConn = wgConn
+	// add local proxy connection as a Wireguard peer
+	err = iface.UpdatePeer(p.iface, p.remoteKey, p.allowedIps, DefaultWgKeepAlive,
+		wgConn.LocalAddr().String())
+	if err != nil {
+		log.Errorf("error while configuring Wireguard peer [%s] %s", p.remoteKey, err.Error())
+		return err
+	}
+
+	go func() { p.proxyToRemotePeer(remoteConn) }()
+	go func() { p.proxyToLocalWireguard(remoteConn) }()
+
+	return err
+}
+
+// proxyToRemotePeer proxies everything from Wireguard to the remote peer
+// blocks
+func (p *WgProxy) proxyToRemotePeer(remoteConn *ice.Conn) {
+
+	buf := make([]byte, 1500)
+	for {
+		select {
+		case <-p.close:
+			log.Infof("stopped proxying from remote peer %s due to closed connection", p.remoteKey)
+			return
+		default:
+			n, err := p.wgConn.Read(buf)
+			if err != nil {
+				//log.Warnln("failed reading from peer: ", err.Error())
+				continue
+			}
+
+			_, err = remoteConn.Write(buf[:n])
+			if err != nil {
+				//log.Warnln("failed writing to remote peer: ", err.Error())
+				continue
+			}
+		}
+	}
+}
+
+// proxyToLocalWireguard proxies everything from the remote peer to local Wireguard
+// blocks
+func (p *WgProxy) proxyToLocalWireguard(remoteConn *ice.Conn) {
+
+	buf := make([]byte, 1500)
+	for {
+		select {
+		case <-p.close:
+			log.Infof("stopped proxying from remote peer %s due to closed connection", p.remoteKey)
+			return
+		default:
+			n, err := remoteConn.Read(buf)
+			if err != nil {
+				//log.Errorf("failed reading from remote connection %s", err)
+				continue
+			}
+
+			_, err = p.wgConn.Write(buf[:n])
+			if err != nil {
+				//log.Errorf("failed writing to local Wireguard instance %s", err)
+				continue
+			}
+		}
+	}
+}

client/main.go

@@ -0,0 +1,12 @@
+package main
+
+import (
+	"github.com/wiretrustee/wiretrustee/client/cmd"
+	"os"
+)
+
+func main() {
+	if err := cmd.Execute(); err != nil {
+		os.Exit(1)
+	}
+}