The original link: fuckcloudnative. IO/posts/wireg…

WireGuard is A next-generation open source VPN protocol created by Jason A. Donenfeld et al., designed to solve many of the problems that have plagued other VPN protocols such as IPSec/IKEv2, OpenVPN, or L2TP. On January 29, 2020, WireGuard was incorporated into the Linux 5.6 kernel mainline.

Using WireGuard, we can achieve a lot of wonderful functions, such as building Kubernetes cluster across the public cloud, local direct access to the public cloud Kubernetes cluster Pod IP and Service IP. Connect directly to devices at home without a public IP address, and so on.

If you are hearing about WireGuard for the first time, it is recommended that you take some time to see how WireGuard works as I wrote earlier. Then you can refer to the following two articles to get started quickly:

  • WireGuard quick installation tutorial
  • WireGuard Configuration Tutorial: Use WG-gen-Web to manage the WireGuard configuration

If you encounter some details are not clear, then refer to the WireGuard configuration details.

This article explores one of the major challenges of using WireGuard: establishing a direct connection between two clients that are behind a NAT and do not specify a public network exit.

WireGuard does not distinguish between servers and clients. All clients connected to WireGuard are called peers.

1. Peer with an unfixed IP address

At the heart of the WireGuard is the Cryptokey Routing, which works by associating public keys with IP address lists. Each network interface has a private key and a Peer list, and each Peer has a public key and an IP address list. When sending data, you can regard the IP address list as a routing table. When receiving data, you can treat the IP address list as an access control list.

The association between the public key and the IP address list constitutes the necessary configuration of the Peer. From the perspective of tunnel authentication, the Peer does not need to have a static IP address. Theoretically, if the IP address of a Peer changes at the same time, IP roaming can be implemented in the WireGuard.

Now back to the original problem: Assume that both peers are behind the NAT, and the NAT is not controlled by us, and UDP port forwarding cannot be configured, that is, the egress of the public network cannot be specified. To establish a connection, not only the IP address of the Peer but also the port of the Peer must be dynamically discovered.

After looking around, existing tools simply cannot implement this requirement, so this article will focus on implementing this requirement without making any changes to the WireGuard source code.

2. Hub-and-spoke network topology

You may ask why I don’t use a Hub-and-spoke network topology? A hub-and-spoke network has a VPN gateway, which usually has a static IP address. All other clients need to connect to this VPN gateway, and then the gateway forwards traffic to other clients. Assuming that Both Alice and Bob are behind NAT, both Alice and Bob need to establish a tunnel with the gateway, and then Alice and Bob can communicate with each other by forwarding traffic through the VPN gateway.

In fact, this method is now used by everyone, there is no more to say, the disadvantages are quite obvious:

  • When there are more and more peers, the VPN gateway becomes the bottleneck of vertical expansion.
  • The cost of forwarding traffic through a VPN gateway is high, because traffic from a cloud server is expensive.
  • Forwarding traffic through the VPN gateway brings high latency.

The purpose of this article is to establish a tunnel between Alice and Bob directly, which cannot be done in hub-and-spoke network topology.

3. NAT penetration

To establish a WireGuard tunnel directly between Alice and Bob, they need to be able to pass through the NAT that stands in their way. Because WireGuard communicates with each other through UDP, UDP hole punching is theoretically the best option.

UDP hole punching exploits the fact that most NAts are lax about matching inbound packets to existing connections. This allows the port state to be reused for holes, because the NAT router does not limit traffic to receive only from the original destination address (the messenger server), and traffic from other clients can also receive traffic.

For example, suppose Alice sends a UDP packet to Carol, the new host, and Bob somehow obtains the outbound source IP address used by Alice’s NAT during address translation :Port. Bob can then send a UDP packet to the IP:Port (2.2.2.2:7777) to establish contact with Alice.

In fact, this is Full cone NAT, or one-to-one NAT. It has the following characteristics:

  • Once the internal address (iAddr:iPort) is mapped to the external address (eAddr:ePort), all packets originating from iAddr:iPort are sent out via eAddr:ePort.
  • Any external host can reach iAddr:iPort by sending a packet to eAddr:ePort.

Most NAts are of this type, and for a few less common NAts, this hole-making method has some limitations and cannot be used smoothly.

4. STUN

Returning to the above example, there are several issues that are critical to UDP holing:

  • How can Alice know her public networkIP:Port?
  • How does Alice establish a connection with Bob?
  • How to make holes using UDP in WireGuard?

RFC5389’s detailed description of STUN (Session Traversal Utilities for NAT) defines a protocol that answers some of these questions. It’s a long RFC, so I’ll summarize it as best I can. Just to be clear, STUN isn’t a direct solution to the above problem, it’s just a wrench that you need to build a weighing tool:

STUN itself is not a solution to the NAT penetration problem, it just defines a mechanism that you can use to build an actual solution.

– RFC5389

STUN (Session Traversal Utilities for NAT) is a network protocol that allows a client behind a NAT (or multiple NAT) to find out its public address. Find out which type of NAT you are behind and the public network port that the NAT binds to a local port. This information is used to establish UDP communication between two hosts that are behind the NAT router. This protocol is defined by RFC 5389.

STUN is a client-server protocol. In the example above, Alice is the client and Carol is the server. Alice sends a STUN Binding request to Carol. When the Binding request passes Through Alice’s NAT, the source IP:Port will be rewritten. When Carol receives the Binding request, it copies the layer 3 and 4 source IP:Port into the payload of the Binding response and sends it to Alice. The Binding response is forwarded to Alice on the Intranet through THE NAT of Alice. At this time, the target IP:Port is rewritten as the Intranet address, but the payload remains unchanged. After Alice receives the Binding response, it realizes that the public IP:Port of the Socket is 2.2.2.2:7777.

However, STUN is not a complete solution. It provides a mechanism for an application to obtain its public IP:Port, but it does not provide a specific way to signal in the relevant direction. If you’re going to write an application with NAT penetration all over again, you’re going to use STUN. Of course, it is wise not to modify the WireGuard source code, and it is best to use STUN concepts to implement it. In any case, you need a host with a static public address to act as a messenger server.

5. Example of NAT penetration

Back in August 2016, the creator of WireGuard shared an example of NAT penetration on the WireGuard mailing list. Jason’s example includes a client application and a server application, where the client application runs together with the WireGuard, the server runs on a host with a static address to discover the IP address of each Peer :Port, and the client communicates with the server using raw sockets.

/* We use raw sockets so that the WireGuard interface can actually own the real socket. */
sock = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
if (sock < 0) {
	perror("socket");
	return errno;
}
Copy the code

As noted in the comment, WireGuard has “real sockets”. By using raw sockets, clients can mask the source Port of the local WireGuard to the server, ensuring that the destination IP address :Port is mapped to the WireGuard socket when the server returns a response through NAT.

The client uses a classic BPF filter on its raw socket to filter the replies sent by the server to the WireGuard port.

static void apply_bpf(int sock, uint16_t port, uint32_t ip)
{
	struct sock_filter filter[] = {
		BPF_STMT(BPF_LD + BPF_W + BPF_ABS, 12 /* src ip */),
		BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, ip, 0.5),
		BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 20 /* src port */),
		BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, PORT, 0.3),
		BPF_STMT(BPF_LD + BPF_H + BPF_ABS, 22 /* dst port */),
		BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, port, 0.1),
		BPF_STMT(BPF_RET + BPF_K, - 1),
		BPF_STMT(BPF_RET + BPF_K, 0)};struct sock_fprog filter_prog = {
		.len = sizeof(filter) / sizeof(filter[0]),
		.filter = filter
	};
	if (setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &filter_prog, sizeof(filter_prog)) < 0) {
		perror("setsockopt(bpf)");
		exit(errno); }}Copy the code

The communication data between client and server is defined in packet and reply structures:

struct {
    struct udphdr udp;
    uint8_t my_pubkey[32];
    uint8_t their_pubkey[32];
} __attribute__((packed)) packet = {
    .udp = {
        .len = htons(sizeof(packet)),
        .dest = htons(PORT)
    }
};
struct {
    struct iphdr iphdr;
    struct udphdr udp;
    uint32_t ip;
    uint16_t port;
} __attribute__((packed)) reply;
Copy the code

The client iterates through the configured WireGuard Peer (WG show

peers) and sends a packet for each Peer to the server with the my_pubkey and their_pubkey fields appropriately populated. When receiving data packets from clients, the server inserts or updates an entry of pubkey=my_pubkey into the Peer memory table with the public key as the key, and searches for an entry of pubkey=their_pubkey in the table. As soon as an entry is found, the IP:Port is sent to the client. When the client receives the reply, it unpacks the IP and port from the packet and configures the endpoint address of the Peer (WG set

Peer

Endpoint < IP >: ).



Entry structure source code:

struct entry {
	uint8_t pubkey[32];
	uint32_t ip;
	uint16_t port;
};
Copy the code

The IP and port fields in the entry structure are the IP and UDP headers extracted from the data packets received by the client. Each time the client requests the IP and port information of the Peer, the IP and port information of the Peer is refreshed in the Peer list.

The example above shows how WireGuard can implement UDP holing, but it is too complicated because not all peers can open raw sockets and not all peers can utilize BPF filters. In addition, custom Wire Protocol is also used here. The data at the code level (linked list, queue, binary tree) are all structured, but all the data at the network layer are binary streams. The so-called Wire Protocol is to serialize structured data into binary streams and send them out. And the other side can be deserialized in the same format. This approach is difficult to debug, so we need to take a different approach and use existing tools to do this.

6. WireGuard NAT traversal

WireGuard is a WireGuard WireGuard that uses UDP to drill holes in UDP packets.

You might think of this as a Hub-and-spoke network topology, but there are actually some differences in that the Registry Peer does not act as a gateway because it has no corresponding routing and does not forward traffic. The WireGuard interface address of Registry is 10.0.0.254/32. AllowedIPs of Alice and Bob only contain 10.0.0.254/32, indicating that only traffic from Registry is received. Therefore, Alice and Bob cannot communicate through Registry.

Registry establishes two tunnels with Alice and Bob, which opens a hole in Alice and Bob’s NAT. We need to find a way to query the IP of these holes from the Registry Peer :Port, The DNS protocol comes naturally to mind. The advantages of DNS are obvious: it is simple, mature, and cross-platform. There is a DNS Record type called Service Record (SRV), which is used to Record the services provided by the server, that is, to identify the IP address and port of the Service. RFC6763 extends this Record type with a specific structure and query mode, which is used to discover the services in a given domain. We can take advantage of these extended semantics directly.

7. CoreDNS

Once you have selected the service discovery protocol, you also need a way to connect it to the WireGuard. CoreDNS is a plug-in DNS server written by Golang. It is currently the default DNS server built into Kubernetes and has graduated from CNCF. CoreDNS (dns-based Service Discovery) is used to query the WireGuard Peer. The public key is used as the record name. Fuckcloudnative. IO as the domain. If you’re familiar with bind-style domain files, you can imagine domain data that looks something like this:

_wireguard._udp IN PTR alice._wireguard._udp.fuckcloudnative.io. _wireguard._udp IN PTR bob._wireguard._udp.fuckcloudnative.io. alice._wireguard._udp IN SRV 0 1 7777 alice.fuckcloudnative.io. alice IN A 2.2.2.2 Bob._wireguard._udp IN SRV 0 1 8888 Bob.fuckCloudna.io. Bob IN A 3.3.3.3Copy the code

Is the public key Base64 or Base32?

So far, we have used aliases Alice and Bob instead of their corresponding WireGuard public keys. The WireGuard public key is Base64 encoded and 44 bytes long:

$ wg genkey | wg pubkey
UlVJVmPSwuG4U9BwyVILFDNlM+Gk9nQ7444HimPPgQg=
Copy the code

The Base 64 encoding is designed to represent arbitrary sequences of eight-bit bytes in a form that allows the use of uppercase and lowercase letters.

– RFC4648

Unfortunately, the DNS SRV record for the service name is case insensitive:

Each node in the DNS tree has a name made up of zero or more labels [STD13, RFC1591, RFC2606] that are case insensitive.

– RFC4343

Base32 produces a slightly longer string (56 bytes), but its representation allows us to represent the WireGuard public key within DNS:

The purpose of Base32 encoding is to represent any sequence of eight-bit bytes in a form that must be case insensitive.

We can convert the encoding format back and forth using the base64 and base32 commands, for example:

$ wg genkey | wg pubkey > pub.txt $ cat pub.txt O9rAAiO5qTejOEtFbsQhCl745ovoM9coTGiprFTaHUE= $ cat pub.txt | base64 -D |  base32 HPNMAARDXGUTPIZYJNCW5RBBBJPPRZUL5AZ5OKCMNCU2YVG2DVAQ==== $ cat pub.txt | base64 -D | base32 | base32 -d | base64  O9rAAiO5qTejOEtFbsQhCl745ovoM9coTGiprFTaHUE=Copy the code

We can directly use base32, a case-insensitive public key encoding, to make it DNS compatible.

Compile the plug-in

CoreDNS provides documentation for writing plug-ins that must implement the plugin.handler interface:

type Handler interface {
    ServeDNS(context.Context, dns.ResponseWriter, *dns.Msg) (int, error)
    Name() string
}
Copy the code

I have written a plug-in to provide WireGuard Peer information using dns-based Service Discovery (DNS-BASED Service Discovery) semantics. This plug-in is called WGSD. Self-written plug-ins are not official built-in plug-ins, and the executable downloaded from the CoreDNS official download page does not include these plug-ins, so you need to compile CoreDNS yourself.

Compiling CoreDNS is not complicated and can be done without external plug-ins:

$ git clone https://github.com/coredns/coredns.git
$ cd coredns
$ make
Copy the code

To add the WGSD plugin, modify the plugin.cfg file before make by adding the following line:

wgsd:github.com/jwhited/wgsd
Copy the code

Then start compiling:

$ go generate
$ go build
Copy the code

See if the compiled binary contains the plug-in:

$ ./coredns -plugins | grep wgsd
  dns.wgsd
Copy the code

After compiling, you can enable the WGSD plug-in in the configuration file:

.:53 {
  wgsd <zone> <wg device>
}
Copy the code

The configuration file is as follows:

$ cat Corefile
.:53 {
  debug
  wgsd fuckcloudnative.io. wg0
}
Copy the code

Running CoreDNS.

$./ coredns-conf Corefile.:53 coreDNs-1.8.1 Linux/AMd64, go1.15,Copy the code

WireGuard information for the current node:

$ sudo wg show
interface: wg0
  listening port: 52022

peer: mvplwow3agnGM8G78+BiJ3tmlPf9gDtbJ2NdxqV44D8=
  endpoint: 3.3.3.3:8888
  allowed ips: 10.0.0.2/32
Copy the code

Here is the time to witness the miracle, listing all the peers:

$dig @ 127.0.0.1_wireguard._udp.fuckCloudna.io. PTR +noall +answer + Additional; <<>> DiG 9.10.6 <<>> @127.0.0.1_wireguard._udp.fuckCloudna.io. PTR +noall +answer + Additional; (1 server found) ;; global options: +cmd _wireguard._udp.fuckcloudnative.io. 0 IN PTR TL5GLQUMG5VATRRTYG57HYDCE55WNFHX7WADWWZHMNO4NJLY4A7Q====._wireguard._udp.fuckcloudnative.io.Copy the code

To query the IP address and port of each Peer:

$dig @ 127.0.0.1 TL5GLQUMG5VATRRTYG57HYDCE55WNFHX7WADWWZHMNO4NJLY4A7Q. = = = = _wireguard. _udp. Fuckcloudnative. IO. The SRV + noall  +answer +additional ; <<>> DiG 9.10.6 <<>> @127.0.0.1 TL5GLQUMG5VATRRTYG57HYDCE55WNFHX7WADWWZHMNO4NJLY4A7Q====._wireguard._udp.fuckcloudnative.io. SRV +noall +answer +additional ; (1 server found) ;; global options: +cmd tl5glqumg5vatrrtyg57hydce55wnfhx7wadwwzhmno4njly4a7q====._wireguard._udp.fuckcloudnative.io. 0 IN SRV 0 0 8888 TL5GLQUMG5VATRRTYG57HYDCE55WNFHX7WADWWZHMNO4NJLY4A7Q====.fuckcloudnative.io. TL5GLQUMG5VATRRTYG57HYDCE55WNFHX7WADWWZHMNO4NJLY4A7Q. = = = = fuckcloudnative. IO. 0 IN A 3.3.3.3Copy the code

๐ŸŽ‰ ๐ŸŽ‰ ๐ŸŽ‰ Perfect! ๐ŸŽ‰ ๐ŸŽ‰ ๐ŸŽ‰

Verify whether the public key matches:

$wg show wg0 peers mvplwow3agnGM8G78 + BiJ3tmlPf9gDtbJ2NdxqV44D8 = $dig @ 127.0.0.1 _wireguard. _udp. Fuckcloudnative. IO. PTR +short | cut -d. -f1 | base32 -d | base64 mvplwow3agnGM8G78+BiJ3tmlPf9gDtbJ2NdxqV44D8=Copy the code

๐Ÿ‘ ๐Ÿ‘ ๐Ÿ‘

8. Final communication process

The final communication process is as follows:

At first, Alice and Bob set up tunnels with Registry respectively; Next, the WGSD-Client on Alice issues a query request to the CoreDNS plug-in (WGSD) running on the Registry node, which retrits Bob’s endpoint information from the WireGuard information, And returns it to wGSD-client; Then wGSD-client starts setting Bob’s endpoint; Finally, a tunnel is established directly between Alice and Bob.

Any mention of “establishing a tunnel” simply means that a handshake has taken place and packets can be transmitted between peers. While WireGuard does have a handshake mechanism, it is more of a connectionless protocol than you might think.

Any security protocol needs to maintain some state, so the initial handshake is very simple, just establishing the symmetric key for data transmission. This handshake occurs every few minutes to provide a rotating key for perfect forward secrecy. It is done in terms of time, rather than the contents of previous packets, as it is designed to gracefully handle packet loss.

– wireguard.com/protocol

All we need to do is implement WGSD-Client.

9. Implement WGSD – client

Wgsd-client is responsible for keeping the endpoint configuration of the Peer up to date. It retrieves the list of peers in the configuration, searches for the matching public key in CoreDNS, and updates the endpoint value for the corresponding Peer if necessary. The initial implementation was to run a scheduled task or similar scheduling mechanism, check all peers in serialized mode, set the endpoint, and exit. It is not a daemon yet and will continue to be refined.

The source code for wGSD-client is located in the CMD/wGSD-client directory in the WGSD repository.

Let’s start with the final test.

Both Alice and Bob are behind NAT. Registry does not have NAT and has a fixed public address. The information of the three peers is as follows:

Peer Public Key Tunnel Address
Alice xScVkH3fUGUv4RrJFfmcqm8rs3SEHr41km6+yffAHw4= 10.0.0.1
Bob syKB97XhGnvC+kynh2KqQJPXoOoOpx/HmpMRTc+r4js= 10.0.0.2
Registry JeZlz14G8tg1Bqh6apteFCwVhNhpexJ19FDPfuxQtUY= 10.0.0.254

Their respective initial configuration:

Alice

$cat /etc/wireguard/wg0.conf [Interface] Address = 10.0.0.1/32 PrivateKey = 0CtieMOYKa2RduPbJss/Um9BiQPSjgvHW+B7Mor5OnE= ListenPort = 51820# Registry[Peer] PublicKey = JeZlz14G8tg1Bqh6apteFCwVhNhpexJ19FDPfuxQtUY = the Endpoint = 4.4.4.4:51820 PersistentKeepalive = 5 AllowedIPs = 10.0.0.254/32# Bob[Peer] PublicKey = syKB97XhGnvC + kynh2KqQJPXoOoOpx/HmpMRTc + r4js = 5 AllowedIPs PersistentKeepalive = = 10.0.0.2/32 $wg show interface: wg0 public key: xScVkH3fUGUv4RrJFfmcqm8rs3SEHr41km6+yffAHw4= private key: (hidden) listening port: 51820 peer: JeZlz14G8tg1Bqh6apteFCwVhNhpexJ19FDPfuxQtUY = the endpoint: 4.4.4.4:51820 allowed ips: 10.0.0.254/32 Latest Handshake: 48 seconds ago Transfer: 1.67 KiB received, 11.99 KiB sent Persistent keepalive: Every 5 seconds peer: syKB97XhGnvC + kynh2KqQJPXoOoOpx/HmpMRTc + r4js = allowed ips: 10.0.0.2/32 persistent keepalive: every 5 secondsCopy the code

Bob

Conf [Interface] Address = 10.0.0.2/32 PrivateKey = cIN5NqeWcbreXoaIhR/4wgrrQJGym/E7WrTttMtK8Gc= ListenPort = 51820# Registry[Peer] PublicKey = JeZlz14G8tg1Bqh6apteFCwVhNhpexJ19FDPfuxQtUY = the Endpoint = 4.4.4.4:51820 PersistentKeepalive = 5 AllowedIPs = 10.0.0.254/32# Alice[Peer] PublicKey = xScVkH3fUGUv4RrJFfmcqm8rs3SEHr41km6 + 5 AllowedIPs yffAHw4 = PersistentKeepalive = = 10.0.0.1/32 $wg show interface: wg0 public key: syKB97XhGnvC+kynh2KqQJPXoOoOpx/HmpMRTc+r4js= private key: (hidden) listening port: 51820 peer: JeZlz14G8tg1Bqh6apteFCwVhNhpexJ19FDPfuxQtUY = the endpoint: 4.4.4.4:51820 allowed ips: 10.0.0.254/32 latest Handshake: 26 seconds ago Transfer: 1.54 KiB received, 11.75 KiB sent Persistent keepalive: Every 5 seconds peer: xScVkH3fUGUv4RrJFfmcqm8rs3SEHr41km6 + yffAHw4 = allowed ips: 10.0.0.1/32 persistent keepalive: every 5 secondsCopy the code

Registry

$cat /etc/wireguard/wg0.conf [Interface] Address = 10.0.0.254/32 PrivateKey = wLw2ja5AapryT+3SsBiyYVNVDYABJiWfPxLzyuiy5nE= ListenPort = 51820# Alice[Peer] PublicKey = xScVkH3fUGUv4RrJFfmcqm8rs3SEHr41km6 + yffAHw4 = AllowedIPs = 10.0.0.1/32# Bob[Peer] PublicKey = syKB97XhGnvC + kynh2KqQJPXoOoOpx/HmpMRTc + r4js = AllowedIPs = 10.0.0.2/32 $wg show interface: wg0 public key: JeZlz14G8tg1Bqh6apteFCwVhNhpexJ19FDPfuxQtUY= private key: (hidden) listening port: 51820 peer: XScVkH3fUGUv4RrJFfmcqm8rs3SEHr41km6 + yffAHw4 = the endpoint: 2.2.2.2:41424 allowed ips: 10.0.0.1/32 latest handshake: 6 seconds ago Transfer: 510.29 KiB received, 52.11 KiB sent peer: SyKB97XhGnvC + kynh2KqQJPXoOoOpx/HmpMRTc + r4js = the endpoint: 3.3.3.3:51820 allowed ips: 10.0.0.2/32 latest handshake: 1 minute, 46 seconds ago Transfer: 498.04 KiB received, 50.59 KiB sentCopy the code

Registry is connected to both Alice and Bob and can query their endpoint information directly:

$dig @4.4.4.4 -p 53 _wireguard._udp.fuckCloudna.io. PTR +noall +answer + Additional; <<>> DiG 9.10.6 <<>> @4.4.4.4 -p 53 _wireguard._udp.fuckCloudna.io. PTR +noall +answer + Additional; (1 server found) ;; global options: +cmd _wireguard._udp.fuckcloudnative.io. 0 IN PTR YUTRLED535IGKL7BDLERL6M4VJXSXM3UQQPL4NMSN27MT56AD4HA====._wireguard._udp.fuckcloudnative.io. _wireguard._udp.fuckcloudnative.io. 0 IN PTR WMRID55V4ENHXQX2JSTYOYVKICJ5PIHKB2TR7R42SMIU3T5L4I5Q. = = = = _wireguard. _udp. Fuckcloudnative. IO. $dig @ 4.4.4.4 - p 53 YUTRLED535IGKL7BDLERL6M4VJXSXM3UQQPL4NMSN27MT56AD4HA====._wireguard._udp.fuckcloudnative.io. SRV +noall +answer +additional ; <<>> DiG 9.10.6 <<>> @4.4.4.4 -p 53 YUTRLED535IGKL7BDLERL6M4VJXSXM3UQQPL4NMSN27MT56AD4HA====._wireguard._udp.fuckcloudnative.io. SRV +noall +answer +additional ; (1 server found) ;; global options: +cmd yutrled535igkl7bdlerl6m4vjxsxm3uqqpl4nmsn27mt56ad4ha====._wireguard._udp.fuckcloudnative.io. 0 IN SRV 0 0 41424 YUTRLED535IGKL7BDLERL6M4VJXSXM3UQQPL4NMSN27MT56AD4HA====.fuckcloudnative.io. YUTRLED535IGKL7BDLERL6M4VJXSXM3UQQPL4NMSN27MT56AD4HA. = = = = fuckcloudnative. IO. 0 IN A 2.2.2.2Copy the code

Start wGSD-client on Alice and Bob

# Alice$./ wgsD-client-device = wg0-dns = 4.4.4.4:53-zone = fuckCloudna.io. 2020/05/20 13:24:02 [JeZlz14G8tg1Bqh6apteFCwVhNhpexJ19FDPfuxQtUY =] no SRV records found jwhited @ Alice: ~ $ping 10.0.0.2 ping 10.0.0.2 (10.0.0.2): 56 data bytes 64 bytes from 10.0.0.2: Icmp_seq =0 TTL =64 time=173.260 ms ^C jwhited@Alice:~$wg show interface: wg0 public key: xScVkH3fUGUv4RrJFfmcqm8rs3SEHr41km6+yffAHw4= private key: (hidden) listening port: 51820 peer: SyKB97XhGnvC + kynh2KqQJPXoOoOpx/HmpMRTc + r4js = the endpoint: 3.3.3.3:51820 allowed ips: 10.0.0.2/32 latest handshake: 2 seconds ago transfer: 252 B received, 264 B sent persistent keepalive: every 5 seconds peer: JeZlz14G8tg1Bqh6apteFCwVhNhpexJ19FDPfuxQtUY = the endpoint: 4.4.4.4:51820 allowed ips: 10.0.0.254/32 latest handshake: 1 minute, 19 seconds ago Transfer: 184 B received, 1.57 KiB sent persistent keepalive: every 5 secondsCopy the code
# Bob$./ wgsD-client-device = wg0-dns = 4.4.4.4:53-zone = fuckCloudna.io. 2020/05/20 13:24:04 [JeZlz14G8tg1Bqh6apteFCwVhNhpexJ19FDPfuxQtUY=] no SRV records found jwhited@Bob:~$ wg show interface: wg0 public key: syKB97XhGnvC+kynh2KqQJPXoOoOpx/HmpMRTc+r4js= private key: (hidden) listening port: 51820 peer: XScVkH3fUGUv4RrJFfmcqm8rs3SEHr41km6 + yffAHw4 = the endpoint: 2.2.2.2:41424 allowed ips: 10.0.0.1/32 latest handshake: 22 seconds ago Transfer: 392 B received, 9.73 KiB sent persistent keepalive: every 5 seconds peer: JeZlz14G8tg1Bqh6apteFCwVhNhpexJ19FDPfuxQtUY = the endpoint: 4.4.4.4:51820 allowed ips: 10.0.0.254/32 latest handshake: 1 minute, 14 seconds ago Transfer: 2.08 KiB received, 17.59 KiB sent persistent keepalive: every 5 secondsCopy the code

Wgsd-client successfully discovered the endpoint address of the Peer and updated the WireGuard configuration. Finally, a tunnel was established between Alice and Bob.

conclusion

This article discussed how to establish a WireGuard tunnel directly between two PEERS restricted by NAT. The solutions provided in this article use existing protocol and service discovery technologies and write your own plugins that you can use directly with dig or NSLookup to debug without interfering with or modifying the WireGuard itself.

Of course, the CoreDNS plug-in can definitely be optimized, and wGSD-Client needs to be optimized as well. For example, should the CoreDNS server be restricted to being available only in Registry’s tunnels? Should the domain be signed? Do I need to query the WireGuard Peer information each time I query the DNS server or can I use the cache to solve the problem? These are all good questions to ponder.

WGSD plug-in code is open source, welcome to contribute.