add openwrt-wireguard example

.gitignore

@@ -2,4 +2,4 @@ hyp.secret
 *.exe
 hypd/hypd
 hyp/hyp
-hypdconfig.json
+hypd/hypdconfig.json

hypd/cmd/defaultconfig.go

@@ -31,5 +31,4 @@ hypd generate defaultconfig | tee hypdconfig.json`,
 
 func init() {
 	generateCmd.AddCommand(defaultconfigCmd)
-
 }

hypd/cmd/secret.go

@@ -31,14 +31,4 @@ hypd generate secret > hyp.secret`,
 
 func init() {
 	generateCmd.AddCommand(secretCmd)
-
-	// Here you will define your flags and configuration settings.
-
-	// Cobra supports Persistent Flags which will work for this command
-	// and all subcommands, e.g.:
-	// secretCmd.PersistentFlags().String("foo", "", "A help for foo")
-
-	// Cobra supports local flags which will only run when this command
-	// is called directly, e.g.:
-	// secretCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
 }

hypd/cmd/server.go

@@ -37,7 +37,6 @@ Example Usage:
 	hypd server /etc/hyp/hypdconfig.json
 	`,
 	Run: func(cmd *cobra.Command, args []string) {
-
 		currentUser, err := user.Current()
 		if err != nil {
 			panic(fmt.Errorf("could not determine current user: %w", err))
@@ -54,7 +53,6 @@ Example Usage:
 		if err != nil {
 			panic(fmt.Errorf("failed to start packet server: %w", err))
 		}
-
 	},
 }
 

hypd/examples/openwrt-wireguard/closewireguard.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 <srcip>"
+    exit 1
+fi
+
+# Can't use dots in rule name, so swap for underscores
+rulename="hypd_${1//./_}_wireguard"
+
+# Configure the rule in OpenWRT's uci interface
+uci delete firewall.$rulename
+uci commit firewall
+service firewall restart

hypd/examples/openwrt-wireguard/hypdconfig.json

@@ -0,0 +1,7 @@
+{
+    "networkInterface": "enp0s3",
+    "preSharedKeyDirectory": "./secrets/",
+    "successAction": "./examples/openwrt-wireguard/openwireguard.sh %s",
+    "timeoutSeconds": 1440,
+    "timeoutAction": "./examples/openwrt-wireguard/closewireguard.sh %s"
+}

hypd/examples/openwrt-wireguard/openwireguard.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+    echo "Usage: $0 <srcip>"
+    exit 1
+fi
+
+# Can't use dots in rule name, so swap for underscores
+# example: 10.69.69.100 changes to hypd_10_69_69_100_wireguard
+rulename="hypd_${1//./_}_wireguard"
+
+# Configure the rule in OpenWRT's uci interface
+uci set firewall.$rulename=redirect
+uci set firewall.$rulename.dest=lan
+uci set firewall.$rulename.target=DNAT
+uci set firewall.$rulename.name=$rulename
+uci set firewall.$rulename.src=wan
+uci set firewall.$rulename.src_dport=51820
+uci set firewall.$rulename.dest_ip=10.0.100.1
+uci set firewall.$rulename.dest_port=51820
+uci set firewall.$rulename.src_ip=$1
+uci add_list firewall.$rulename.proto=udp
+uci commit firewall
+service firewall restart

hypd/server/packet.go

@@ -50,7 +50,6 @@ var (
 // it sets up the pcap on the capture device and starts a goroutine
 // to rotate the knock sequence
 func PacketServer(config *configuration.HypdConfiguration) error {
-
 	iface, err := net.InterfaceByName(config.NetworkInterface)
 	if err != nil {
 		log.Fatalf("lookup network iface %q: %v", config.NetworkInterface, err)
@@ -148,8 +147,6 @@ func handleKnock(knockEvent hyp_bpfKnockData) {
 	}
 
 	// if it's wrong, reset progress
-	// TBD: vulnerable to sweep attack - this won't be triggered if a wrong packet doesn't match BPF filter
-	// TBD: make the sweep attack fix on by default, but configurable to be off to allow for limited BPF filter for extremely low overhead as compromise.
 	if knockEvent.Dstport != client.Sequence[client.Progress] {
 		delete(clients, knockEvent.Srcip)
 		fmt.Printf("port '%d' is in sequence, but came at unexpected order - resetting progress", knockEvent.Dstport)