Default route handling for IPv6 conversion

README.md

@@ -24,6 +24,8 @@ The program will convert IPv4-only wireguard-interfaces to IPv6. It converts and
 
 IPv6-Adresses are generated based on the IPv4-Adress.
 
+If not filtered out, then default routes (0.0.0.0/0) are handled specially and are converted to the IPv6 default route (::/0).
+
 Beware: This program needs `NET_ADMIN` privileges for setting Adresses and to access the wireguard-daemon.
 
 <br>
@@ -51,7 +53,8 @@ Variable|Description|Default
 -|-|-
 `INTERFACE`*        | Wireguard-Interface Name                  |
 `IPV6_FORMAT`       | Format to use for converting v4 to v6 <br> The CIDR-Mask gets translated using 128 - 24 - Mask <br> e.g. `10.0.100.5/16` -> `fc12::0a00:6405/96`   | `fc12::%02x%02x:%02x%02x/%d`
-`RECHECK_INTERVAL`  | Interval in seconds to recheck AllowedIPs entries in case something changed  | 300
+`FILTER_PREFIX`     | Prefix to filter for IP-Networks          | `100.100`
+`RECHECK_INTERVAL`  | Interval in go-time-format to recheck AllowedIPs entries in case something changed  | 5m
 
 *\* Required*
 
@@ -71,16 +74,17 @@ Or using a systemd-service based on the example:
 [Unit]
 Description=WireGuard IPv6 converter for netbird
 BindsTo=netbird.service
+After=netbird.service
 
 [Service]
 Type=simple
+ExecStartPre=/bin/sleep 10
 ExecStart=/usr/local/bin/wg-ipv6-converter
 Restart=always
-RestartSec=60
+RestartSec=30
-StandardOutput=syslog
-StandardError=syslog
 
 Environment="INTERFACE=wt0"
+Environment="RECHECK_INTERVAL=60s"
 
 [Install]
 WantedBy=multi-user.target

build/Dockerfile

@@ -0,0 +1,13 @@
+# ---- Build ----
+FROM golang:1.19-alpine AS build
+WORKDIR /build
+# Copy sources
+ADD . .
+# Get dependencies
+RUN go get ./cmd/app
+# Compile
+RUN CGO_ENABLED=0 go build -a -o app ./cmd/app
+
+# ---- Output ----
+FROM scratch AS export-stage
+COPY --from=build /build/app .

build/build-multiarch.sh

@@ -0,0 +1,9 @@
+PLATFORM="linux/amd64,linux/arm64/v8,linux/arm/v7"
+EXTRA_ARGS="$@"
+
+docker buildx build \
+    --platform $PLATFORM \
+    -f $(dirname $0)/Dockerfile \
+    --output out \
+    $EXTRA_ARGS \
+    .

build/build-ownarch.sh

@@ -0,0 +1,7 @@
+EXTRA_ARGS="$@"
+
+docker build \
+    -f $(dirname $0)/Dockerfile \
+    --output out \
+    $EXTRA_ARGS \
+    .

cmd/app/main.go

@@ -7,7 +7,7 @@ import (
 	"time"
 
 	envChecks "git.ruekov.eu/ruakij/routingtabletowg/lib/environmentchecks"
-    "git.ruekov.eu/ruakij/routingtabletowg/lib/wgchecks/netchecks"
+	"git.ruekov.eu/ruakij/routingtabletowg/lib/wgchecks/netchecks"
 
 	"github.com/vishvananda/netlink"
 	"golang.zx2c4.com/wireguard/wgctrl"
@@ -17,133 +17,162 @@ import (
 var envRequired = []string{
 	"INTERFACE",
 }
+
 var envDefaults = map[string]string{
-    "IPV6_FORMAT": "fc12::%02x%02x:%02x%02x/%s",
+	"IPV6_FORMAT":      "fc12::%02x%02x:%02x%02x/%d",
-    "FILTER_PREFIX": "100.100",
+	"FILTER_PREFIX":    "100.100",
+	"RECHECK_INTERVAL": "5m",
 }
 
 func main() {
 	// Environment-vars
 	err := envChecks.HandleRequired(envRequired)
-	if(err != nil){
+	if err != nil {
 		logger.Error.Fatal(err)
 	}
 	envChecks.HandleDefaults(envDefaults)
 
-    // Get the network interface object
+	// Get the network interface object
 	iface := os.Getenv("INTERFACE")
-    netInterface, err := netlink.LinkByName(iface)
+	netInterface, err := netlink.LinkByName(iface)
-    if err != nil {
+	if err != nil {
-        logger.Error.Fatal(err)
+		logger.Error.Fatal(err)
-    }
+	}
 
-    ipv6Format := os.Getenv("IPV6_FORMAT")
+	ipv6Format := os.Getenv("IPV6_FORMAT")
-    ipv6TestStr := *convertIPv4ToIPv6(&ipv6Format, &net.IPNet{IP: net.IPv4(1,1,1,1), Mask: net.CIDRMask(24, net.IPv4len)})
+	ipv6TestStr := *convertIPv4ToIPv6(&ipv6Format, &net.IPNet{IP: net.IPv4(1, 1, 1, 1), Mask: net.CIDRMask(24, net.IPv4len)})
-    _, err = netlink.ParseIPNet(ipv6TestStr)
+	_, err = netlink.ParseIPNet(ipv6TestStr)
-    if err != nil {
+	if err != nil {
-        logger.Error.Fatalf("IPV6_FORMAT is invalid: %s", err)
+		logger.Error.Fatalf("IPV6_FORMAT is invalid: %s", err)
-    }
+	}
 
-    filterPrefix := os.Getenv("FILTER_PREFIX")
+	filterPrefix := os.Getenv("FILTER_PREFIX")
 
+	checkIntervalStr := os.Getenv("RECHECK_INTERVAL")
+	checkInterval, err := time.ParseDuration(checkIntervalStr)
+	if err != nil {
+		logger.Error.Fatalf("Couldn't parse RECHECK_INTERVAL '%s': %s", checkIntervalStr, err)
+	}
 
-    // Get the IPv4 address of the interface
+	// Create a WireGuard client
-    addrs, err := netlink.AddrList(netInterface, netlink.FAMILY_V4)
+	client, err := wgctrl.New()
-    if err != nil {
+	if err != nil {
-        logger.Error.Fatal(err)
+		logger.Error.Fatal(err)
-    }
+	}
-    if(len(addrs) == 0){
+	defer client.Close()
-        logger.Error.Fatal("Interface doesnt have IPv4-Adresses")
-    }
 
-    // Add the IPv6 address to the interface
+	// Loop indefinitely
-    ipv6Str := *convertIPv4ToIPv6(&ipv6Format, addrs[0].IPNet)
+	for {
-    ipv6, err := netlink.ParseAddr(ipv6Str)
+		// Get the IPv4 addresses of the interface
-    if err != nil {
+		addrs, err := netlink.AddrList(netInterface, netlink.FAMILY_V4)
-        logger.Error.Fatal(err)
+		if err != nil {
-    }
+			logger.Error.Fatal(err)
-    err = netlink.AddrAdd(netInterface, ipv6)
+		}
-    if err != nil {
+		processedCount := 0
-        switch {
+		filteredCount := 0
-        case os.IsExist(err):
+		for _, addr := range addrs {
-            logger.Warn.Println("Address is already set on interface")
+			// Check filter
-        default:
+			if addr.String()[:len(filterPrefix)] != filterPrefix {
-            logger.Error.Fatalf("Failed to set address on interface: %v", err)
+				filteredCount++
-        }
+				continue
-    }
+			}
 
-    // Create a WireGuard client
+			// Add the IPv6 address to the interface
-    client, err := wgctrl.New()
+			ipv6Str := *convertIPv4ToIPv6(&ipv6Format, addr.IPNet)
-    if err != nil {
+			ipv6, err := netlink.ParseAddr(ipv6Str)
-        logger.Error.Fatal(err)
+			if err != nil {
-    }
+				logger.Warn.Printf("failed parsing converted %s -> %s : %s", addr.IPNet.String(), ipv6Str, err)
-    defer client.Close()
+				continue
+			}
 
-    // Loop indefinitely
+			logger.Info.Printf("Adding converted %s -> %s to interface", addr.IPNet.String(), ipv6Str)
-    for {
+			err = netlink.AddrAdd(netInterface, ipv6)
-        // Get the WireGuard peers on the interface
+			if err != nil {
-        wgDevice, err := client.Device(iface)
+				switch {
-        if err != nil {
+				case os.IsExist(err):
-            logger.Error.Fatalf("getting WireGuard device from interface '%s' failed: %s", iface, err)
+					logger.Warn.Println("Address is already set on interface")
-        }
+				default:
+					logger.Error.Fatalf("Failed to set address on interface: %v", err)
+				}
+			}
+			processedCount++
+		}
+		if processedCount != len(addrs) {
+			logger.Warn.Printf("Not all Interface-Addresses were processed. Summary: %d processed, %d filtered, %d failed", processedCount, filteredCount, len(addrs)-processedCount-filteredCount)
+		}
+
+		// Get the WireGuard peers on the interface
+		wgDevice, err := client.Device(iface)
+		if err != nil {
+			logger.Error.Fatalf("getting WireGuard device from interface '%s' failed: %s", iface, err)
+		}
 
 		var wgConfig wgtypes.Config
-        wgConfig.Peers = make([]wgtypes.PeerConfig, 0, len(wgDevice.Peers))
+		wgConfig.Peers = make([]wgtypes.PeerConfig, 0, len(wgDevice.Peers))
 
-        for _, peer := range wgDevice.Peers {
+		for _, peer := range wgDevice.Peers {
-            // Create slice for 1 expected addition
+			// Create slice for 1 expected addition
-            var addAllowedIPs = make([]net.IPNet, 0, 1)
+			addAllowedIPs := make([]net.IPNet, 0, 1)
 
-            // Loop through the allowed-ips and add the ones starting with 100.100
+			// Loop through the allowed-ips and add the ones starting with 100.100
-            for _, allowedIP := range peer.AllowedIPs {
+			for _, allowedIP := range peer.AllowedIPs {
-                if allowedIP.String()[:len(filterPrefix)] == filterPrefix {
+				if allowedIP.String()[:len(filterPrefix)] == filterPrefix {
-                    // Convert the IPv4 allowed-ip to an IPv6 address
+					// Convert the IPv4 allowed-ip to an IPv6 address
-                    ipv6Str := *convertIPv4ToIPv6(&ipv6Format, &net.IPNet{IP: allowedIP.IP, Mask: allowedIP.Mask})
+					ipv6Str := *convertIPv4ToIPv6(&ipv6Format, &allowedIP)
-                    ipv6, err := netlink.ParseIPNet(ipv6Str)
+					logger.Info.Printf("AllowedIP %s -> %s to peer %s", allowedIP.String(), ipv6Str, peer.PublicKey)
-                    if err != nil {
+					ipv6, err := netlink.ParseIPNet(ipv6Str)
-                        logger.Warn.Printf("Couldnt parse IPv6 address %s of peer %s: %s", ipv6Str, peer.PublicKey, err)
+					if err != nil {
-                        continue
+						logger.Warn.Printf("Couldnt parse IPv6 address %s of peer %s: %s", ipv6Str, peer.PublicKey, err)
-                    }
+						continue
+					}
 
-                    // Check if already set
+					// Check if already set
-                    if i, _ := netchecks.IPNetIndexByIPNet(&peer.AllowedIPs, ipv6); i != -1 {
+					if i, _ := netchecks.IPNetIndexByIPNet(&peer.AllowedIPs, ipv6); i != -1 {
-                        continue
+						continue
-                    }
+					}
 
-                    // Add the IPv6 allowed-ip to the peer
+					// Add the IPv6 allowed-ip to the peer
-                    addAllowedIPs = append(addAllowedIPs, *ipv6)
+					addAllowedIPs = append(addAllowedIPs, *ipv6)
-                }
+				}
-            }
+			}
 
-            if(len(addAllowedIPs) > 0){
+			if len(addAllowedIPs) > 0 {
-                // Create peer-config
+				// Create peer-config
-                peerConfig := wgtypes.PeerConfig{
+				peerConfig := wgtypes.PeerConfig{
-                    PublicKey: peer.PublicKey,
+					PublicKey:  peer.PublicKey,
-                    AllowedIPs: append(peer.AllowedIPs, addAllowedIPs...),
+					AllowedIPs: append(peer.AllowedIPs, addAllowedIPs...),
-                }
+				}
 
-                // Add entry
+				// Add entry
-                wgConfig.Peers = append(wgConfig.Peers, peerConfig)
+				wgConfig.Peers = append(wgConfig.Peers, peerConfig)
-            }
+			}
-        }
+		}
 
-        if(len(wgConfig.Peers) == 0){
+		if len(wgConfig.Peers) == 0 {
-            logger.Info.Println("No changes, skipping")
+			logger.Info.Println("No changes, skipping")
-        } else {
+		} else {
-            err = client.ConfigureDevice(iface, wgConfig)
+			err = client.ConfigureDevice(iface, wgConfig)
-            if(err != nil){
+			if err != nil {
-                logger.Error.Fatalf("Error configuring wg-device '%s': %s", iface, err)
+				logger.Error.Fatalf("Error configuring wg-device '%s': %s", iface, err)
-            }
+			}
-        }
+		}
 
-        // Sleep for 300 seconds before running the loop again
+		// Sleep for x seconds before running the loop again
-        time.Sleep(time.Second * 300)
+		time.Sleep(checkInterval)
-    }
+	}
 }
 
-func convertIPv4ToIPv6(ipv6Format *string, ipv4 *net.IPNet) (*string) {
+func convertIPv4ToIPv6(ipv6Format *string, ipv4 *net.IPNet) *string {
-    CIDR, _ := ipv4.Mask.Size()
+	// Check if this is a default route (0.0.0.0/0)
-    // Run format
+	if ipv4.IP.Equal(net.IPv4zero) {
-    ipv6Str := fmt.Sprintf(*ipv6Format, (*ipv4).IP[0], (*ipv4).IP[1], (*ipv4).IP[2], (*ipv4).IP[4], 128-CIDR)
+		if ones, _ := ipv4.Mask.Size(); ones == 0 {
-    return &ipv6Str
+			defaultRoute := "::/0"
+			return &defaultRoute
+		}
+	}
+
+	CIDR, _ := ipv4.Mask.Size()
+	// Run format
+	ipv6Str := fmt.Sprintf(*ipv6Format, (*ipv4).IP[0], (*ipv4).IP[1], (*ipv4).IP[2], (*ipv4).IP[3], net.IPv6len*8-(net.IPv4len*8-CIDR))
+	return &ipv6Str
 }