.gitignore

@@ -2,4 +2,4 @@ hyp.secret
 *.exe
 hypd/hypd
 hyp/hyp
-hypd/hypdconfig.json
+hypdconfig.json

hypd/cmd/defaultconfig.go

@@ -31,4 +31,5 @@ hypd generate defaultconfig | tee hypdconfig.json`,
 
 func init() {
 	generateCmd.AddCommand(defaultconfigCmd)
+
 }

hypd/cmd/secret.go

@@ -31,4 +31,14 @@ hypd generate secret > hyp.secret`,
 
 func init() {
 	generateCmd.AddCommand(secretCmd)
+
+	// Here you will define your flags and configuration settings.
+
+	// Cobra supports Persistent Flags which will work for this command
+	// and all subcommands, e.g.:
+	// secretCmd.PersistentFlags().String("foo", "", "A help for foo")
+
+	// Cobra supports local flags which will only run when this command
+	// is called directly, e.g.:
+	// secretCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
 }

hypd/cmd/server.go

@@ -37,6 +37,7 @@ Example Usage:
 	hypd server /etc/hyp/hypdconfig.json
 	`,
 	Run: func(cmd *cobra.Command, args []string) {
+
 		currentUser, err := user.Current()
 		if err != nil {
 			panic(fmt.Errorf("could not determine current user: %w", err))
@@ -53,6 +54,7 @@ Example Usage:
 		if err != nil {
 			panic(fmt.Errorf("failed to start packet server: %w", err))
 		}
+
 	},
 }
 

hypd/examples/openwrt-wireguard/closewireguard.sh

@@ -1,14 +0,0 @@
-#!/bin/sh
-
-if [ $# -lt 1 ]; then
-    echo "Usage: $0 <srcip>"
-    exit 1
-fi
-
-# Can't use dots in rule name, so swap for underscores
-rulename="hypd_${1//./_}_wireguard"
-
-# Configure the rule in OpenWRT's uci interface
-uci delete firewall.$rulename
-uci commit firewall
-service firewall restart

hypd/examples/openwrt-wireguard/hypdconfig.json

@@ -1,7 +0,0 @@
-{
-    "networkInterface": "enp0s3",
-    "preSharedKeyDirectory": "./secrets/",
-    "successAction": "./examples/openwrt-wireguard/openwireguard.sh %s",
-    "timeoutSeconds": 1440,
-    "timeoutAction": "./examples/openwrt-wireguard/closewireguard.sh %s"
-}

hypd/examples/openwrt-wireguard/openwireguard.sh

@@ -1,24 +0,0 @@
-#!/bin/sh
-
-if [ $# -lt 1 ]; then
-    echo "Usage: $0 <srcip>"
-    exit 1
-fi
-
-# Can't use dots in rule name, so swap for underscores
-# example: 10.69.69.100 changes to hypd_10_69_69_100_wireguard
-rulename="hypd_${1//./_}_wireguard"
-
-# Configure the rule in OpenWRT's uci interface
-uci set firewall.$rulename=redirect
-uci set firewall.$rulename.dest=lan
-uci set firewall.$rulename.target=DNAT
-uci set firewall.$rulename.name=$rulename
-uci set firewall.$rulename.src=wan
-uci set firewall.$rulename.src_dport=51820
-uci set firewall.$rulename.dest_ip=10.0.100.1
-uci set firewall.$rulename.dest_port=51820
-uci set firewall.$rulename.src_ip=$1
-uci add_list firewall.$rulename.proto=udp
-uci commit firewall
-service firewall restart

hypd/server/packet.go

@@ -50,6 +50,7 @@ var (
 // it sets up the pcap on the capture device and starts a goroutine
 // to rotate the knock sequence
 func PacketServer(config *configuration.HypdConfiguration) error {
+
 	iface, err := net.InterfaceByName(config.NetworkInterface)
 	if err != nil {
 		log.Fatalf("lookup network iface %q: %v", config.NetworkInterface, err)
@@ -147,6 +148,8 @@ func handleKnock(knockEvent hyp_bpfKnockData) {
 	}
 
 	// if it's wrong, reset progress
+	// TBD: vulnerable to sweep attack - this won't be triggered if a wrong packet doesn't match BPF filter
+	// TBD: make the sweep attack fix on by default, but configurable to be off to allow for limited BPF filter for extremely low overhead as compromise.
 	if knockEvent.Dstport != client.Sequence[client.Progress] {
 		delete(clients, knockEvent.Srcip)
 		fmt.Printf("port '%d' is in sequence, but came at unexpected order - resetting progress", knockEvent.Dstport)