Add permissive mode to rosenpass (#1599)

* add rosenpass-permissive flag * Clarify rosenpass-permissive flag message Co-authored-by: Maycon Santos <mlsmaycon@gmail.com> --------- Co-authored-by: Misha Bragin <bangvalo@gmail.com> Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
2026-04-16 15:26:40 +00:00 · 2024-02-21 18:23:17 +02:00
parent 51fa3c92c5
commit e18bf565a2
8 changed files with 234 additions and 185 deletions
--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -35,17 +35,18 @@ var defaultInterfaceBlacklist = []string{iface.WgInterfaceDefault, "wt", "utun",

 // ConfigInput carries configuration changes to the client
 type ConfigInput struct {
-	ManagementURL    string
-	AdminURL         string
-	ConfigPath       string
-	PreSharedKey     *string
-	ServerSSHAllowed *bool
-	NATExternalIPs     []string
-	CustomDNSAddress   []byte
-	RosenpassEnabled   *bool
-	InterfaceName      *string
-	WireguardPort      *int
-	DisableAutoConnect *bool
+	ManagementURL       string
+	AdminURL            string
+	ConfigPath          string
+	PreSharedKey        *string
+	ServerSSHAllowed    *bool
+	NATExternalIPs      []string
+	CustomDNSAddress    []byte
+	RosenpassEnabled    *bool
+	RosenpassPermissive *bool
+	InterfaceName       *string
+	WireguardPort       *int
+	DisableAutoConnect  *bool
 }

 // Config Configuration type
@@ -60,9 +61,10 @@ type Config struct {
 	IFaceBlackList       []string
 	DisableIPv6Discovery bool
 	RosenpassEnabled     bool
+	RosenpassPermissive  bool
 	ServerSSHAllowed     *bool
 	// SSHKey is a private SSH key in a PEM format
-	SSHKey               string
+	SSHKey string

 	// ExternalIP mappings, if different from the host interface IP
 	//
@@ -79,9 +81,9 @@ type Config struct {
 	//      "12.34.56.78/eth0"     => IPv4 assigned to interface eth0 will be mapped to external IP of 12.34.56.78
 	//      "12.34.56.78/10.1.2.3" => interface IP 10.1.2.3 will be mapped to external IP of 12.34.56.78

-	NATExternalIPs       []string
+	NATExternalIPs []string
 	// CustomDNSAddress sets the DNS resolver listening address in format ip:port
-	CustomDNSAddress     string
+	CustomDNSAddress string

 	// DisableAutoConnect determines whether the client should not start with the service
 	// it's set to false by default due to backwards compatibility
@@ -196,6 +198,10 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 		config.RosenpassEnabled = *input.RosenpassEnabled
 	}

+	if input.RosenpassPermissive != nil {
+		config.RosenpassPermissive = *input.RosenpassPermissive
+	}
+
 	if input.ServerSSHAllowed != nil {
 		config.ServerSSHAllowed = input.ServerSSHAllowed
 	}
@@ -294,6 +300,11 @@ func update(input ConfigInput) (*Config, error) {
 		refresh = true
 	}

+	if input.RosenpassPermissive != nil {
+		config.RosenpassPermissive = *input.RosenpassPermissive
+		refresh = true
+	}
+
 	if input.DisableAutoConnect != nil {
 		config.DisableAutoConnect = *input.DisableAutoConnect
 		refresh = true
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -284,6 +284,7 @@ func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.Pe
 		NATExternalIPs:       config.NATExternalIPs,
 		CustomDNSAddress:     config.CustomDNSAddress,
 		RosenpassEnabled:     config.RosenpassEnabled,
+		RosenpassPermissive:  config.RosenpassPermissive,
 		ServerSSHAllowed:     util.ReturnBoolWithDefaultTrue(config.ServerSSHAllowed),
 	}

--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -79,7 +79,8 @@ type EngineConfig struct {

 	CustomDNSAddress string

-	RosenpassEnabled bool
+	RosenpassEnabled    bool
+	RosenpassPermissive bool

 	ServerSSHAllowed bool
 }
@@ -236,6 +237,11 @@ func (e *Engine) Start() error {

 	if e.config.RosenpassEnabled {
 		log.Infof("rosenpass is enabled")
+		if e.config.RosenpassPermissive {
+			log.Infof("running rosenpass in permissive mode")
+		} else {
+			log.Infof("running rosenpass in strict mode")
+		}
 		e.rpManager, err = rosenpass.NewManager(e.config.PreSharedKey, e.config.WgIfaceName)
 		if err != nil {
 			return err
@@ -484,12 +490,12 @@ func isNil(server nbssh.Server) bool {
 }

 func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
-	
+
 	if !e.config.ServerSSHAllowed {
 		log.Warnf("running SSH server is not permitted")
 		return nil
 	} else {
-	
+
 		if sshConf.GetSshEnabled() {
 			if runtime.GOOS == "windows" {
 				log.Warnf("running SSH server on Windows is not supported")
@@ -870,7 +876,7 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, e
 		PreSharedKey: e.config.PreSharedKey,
 	}

-	if e.config.RosenpassEnabled {
+	if e.config.RosenpassEnabled && !e.config.RosenpassPermissive {
 		lk := []byte(e.config.WgPrivateKey.PublicKey().String())
 		rk := []byte(wgConfig.RemoteKey)
 		var keyInput []byte