samples: net: echo-server: Add Wireguard VPN support

Add Wireguard configuration to echo-server application.

Signed-off-by: Jukka Rissanen <[email protected]>

Author: jukkar

samples/net/sockets/echo_server/CMakeLists.txt

@@ -23,6 +23,7 @@ target_sources_ifdef(CONFIG_NET_UDP app PRIVATE src/udp.c)
 target_sources_ifdef(CONFIG_NET_TCP app PRIVATE src/tcp.c)
 target_sources_ifdef(CONFIG_NET_VLAN app PRIVATE src/vlan.c)
 target_sources_ifdef(CONFIG_NET_L2_IPIP app PRIVATE src/tunnel.c)
+target_sources_ifdef(CONFIG_WIREGUARD app PRIVATE src/wg.c)
 
 if (CONFIG_USB_DEVICE_STACK)
   target_sources(app PRIVATE src/usb.c)

samples/net/sockets/echo_server/Kconfig

@@ -104,6 +104,47 @@ config NET_SAMPLE_HTTPS_SERVER_SERVICE_PORT
 	default 443
 	depends on NET_SAMPLE_HTTPS_SERVICE
 
+config NET_SAMPLE_VPN_MY_PRIVATE_KEY
+	string "My private key in base64 format"
+	default ""
+	depends on WIREGUARD
+	help
+	  The public key will be calculated from the private one.
+
+config NET_SAMPLE_VPN_PEER_PUBLIC_KEY
+	string "Peer public key in base64 format"
+	default ""
+	depends on WIREGUARD
+	help
+	  This specifies the public key of the peer that we are being
+	  connected from.
+
+config NET_SAMPLE_VPN_PEER_IP_ADDR
+	string "Peer IP address to connect to"
+	default ""
+	depends on WIREGUARD
+	help
+	  This specifies the IP address of VPN service we are trying to
+	  connect to. You can also set the port number also here like
+	  this: 192.0.2.2:51821 or [2001:db8::2]:51822
+	  if using non standard Wireguard port which is 51820.
+
+config NET_SAMPLE_VPN_ALLOWED_PEER_ADDR
+	string "Allowed peer IP addresses"
+	depends on WIREGUARD
+	help
+	  What peer IP address is allowed to connect.
+	  Format is: ip/masklen
+	  Multiple addresses can be given and must be separated by "," or space
+	  characters.
+	  Example: 192.0.2.0/24,2001:db9::/64
+
+config NET_SAMPLE_VPN_MY_ADDR
+	string "My address for VPN connections"
+	depends on WIREGUARD
+	help
+	  The value depends on your network setup.
+
 if USB_DEVICE_STACK_NEXT
 # Source common USB sample options used to initialize new experimental USB
 # device stack. The scope of these options is limited to USB samples in project

samples/net/sockets/echo_server/src/common.h

@@ -82,6 +82,15 @@ static inline int init_vlan(void)
 }
 #endif /* CONFIG_NET_VLAN */
 
+#if defined(CONFIG_WIREGUARD)
+int init_vpn(void);
+#else
+static inline int init_vpn(void)
+{
+	return 0;
+}
+#endif /* CONFIG_WIREGUARD */
+
 #if defined(CONFIG_NET_SAMPLE_WEBSOCKET_CONSOLE)
 int init_ws(void);
 #else

samples/net/sockets/echo_server/src/echo-server.c

@@ -198,6 +198,7 @@ static void init_app(void)
 	init_tunnel();
 	init_ws();
 	init_usb();
+	init_vpn();
 }
 
 static int cmd_sample_quit(const struct shell *sh,

samples/net/sockets/echo_server/src/wg.c

@@ -0,0 +1,244 @@
+/*
+ * Copyright (c) 2025 Intel Corporation.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#include <zephyr/logging/log.h>
+LOG_MODULE_DECLARE(net_echo_server_sample, LOG_LEVEL_DBG);
+
+#include <zephyr/kernel.h>
+#include <zephyr/sys/base64.h>
+#include <zephyr/net/virtual.h>
+#include <zephyr/net/virtual_mgmt.h>
+#include <zephyr/net/wireguard.h>
+
+/* User data for the interface callback */
+struct ud {
+	struct net_if *vpn[CONFIG_WIREGUARD_MAX_PEER];
+};
+
+static void iface_cb(struct net_if *iface, void *user_data)
+{
+	struct ud *ud = user_data;
+
+	if (net_if_l2(iface) != &NET_L2_GET_NAME(VIRTUAL)) {
+		return;
+	}
+
+	if (!(net_virtual_get_iface_capabilities(iface) & VIRTUAL_INTERFACE_VPN)) {
+		return;
+	}
+
+	for (int i = 0; i < CONFIG_WIREGUARD_MAX_PEER; i++) {
+		if (ud->vpn[i] != NULL) {
+			continue;
+		}
+
+		ud->vpn[i] = iface;
+		return;
+	}
+}
+
+static int setup_iface(struct net_if *iface,
+		       const char *my_ip_addr,
+		       const char *allowed_ip_addr,
+		       const char *my_private_key,
+		       const char *peer_public_key)
+{
+	struct virtual_interface_req_params params = { 0 };
+	struct wireguard_peer_config peer_config = { 0 };
+	struct sockaddr_storage addr = { 0 };
+	struct sockaddr *paddr = (struct sockaddr *)&addr;
+	struct net_if *peer_iface = NULL;
+	uint8_t mask_len = 0;
+	uint8_t private_key[NET_VIRTUAL_MAX_PUBLIC_KEY_LEN];
+	struct net_if_addr *ifaddr;
+	const char *addr_str, *next;
+	bool status, found;
+	size_t olen;
+	int ret;
+
+	(void)base64_decode(private_key, sizeof(private_key), &olen,
+			    my_private_key, strlen(my_private_key));
+
+	params.private_key.data = private_key;
+	params.private_key.len = sizeof(private_key);
+
+	ret = net_mgmt(NET_REQUEST_VIRTUAL_INTERFACE_SET_PRIVATE_KEY,
+		       iface, &params, sizeof(params));
+
+	memset(private_key, 0, sizeof(private_key));
+
+	if (ret < 0) {
+		LOG_ERR("Cannot set private key (%d)", ret);
+		return ret;
+	}
+
+	addr_str = net_ipaddr_parse_mask(my_ip_addr, strlen(my_ip_addr),
+					 paddr, &mask_len);
+	if (addr_str == NULL) {
+		LOG_ERR("Cannot parse IP address \"%s\"", my_ip_addr);
+		return -EINVAL;
+	}
+
+	if (paddr->sa_family == AF_INET) {
+		struct sockaddr_in *addr4 = (struct sockaddr_in *)paddr;
+		struct sockaddr_in mask;
+
+		ifaddr = net_if_ipv4_addr_add(iface, &addr4->sin_addr,
+					      NET_ADDR_MANUAL, 0);
+
+		ret = net_mask_len_to_netmask(AF_INET, mask_len,
+					      (struct sockaddr *)&mask);
+		if (ret < 0) {
+			LOG_ERR("Invalid network mask length (%d)", ret);
+			return ret;
+		}
+
+		status = net_if_ipv4_set_netmask_by_addr(iface,
+							 &addr4->sin_addr,
+							 &mask.sin_addr);
+
+	} else if (paddr->sa_family == AF_INET6) {
+		struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)paddr;
+		struct in6_addr netaddr6;
+
+		ifaddr = net_if_ipv6_addr_add(iface, &addr6->sin6_addr,
+					      NET_ADDR_MANUAL, 0);
+
+		net_ipv6_addr_prefix_mask((uint8_t *)&addr6->sin6_addr,
+					  (uint8_t *)&netaddr6,
+					  mask_len);
+
+		if (!net_if_ipv6_prefix_add(iface, &netaddr6, mask_len,
+					    (uint32_t)0xffffffff)) {
+			LOG_ERR("Cannot add %s to interface %d", my_ip_addr,
+				net_if_get_by_iface(iface));
+			return -EINVAL;
+		}
+
+	} else {
+		LOG_ERR("Cannot parse IP address \"%s\"", my_ip_addr);
+		return -EAFNOSUPPORT;
+	}
+
+	if (ifaddr == NULL) {
+		LOG_ERR("Cannot add IP address \"%s\" to interface %d",
+			my_ip_addr, net_if_get_by_iface(iface));
+		return -ENOENT;
+	}
+
+	peer_config.public_key = peer_public_key;
+
+	addr_str = allowed_ip_addr;
+	found = false;
+
+	do {
+		next = net_ipaddr_parse_mask(addr_str, strlen(addr_str),
+					     paddr, &mask_len);
+		if (next == NULL) {
+			LOG_ERR("Cannot parse IP address \"%s\"", allowed_ip_addr);
+			return -EINVAL;
+		}
+
+		ARRAY_FOR_EACH(peer_config.allowed_ip, i) {
+			if (peer_config.allowed_ip[i].is_valid) {
+				continue;
+			}
+
+			if (paddr->sa_family == AF_INET) {
+				struct sockaddr_in *addr4 = (struct sockaddr_in *)paddr;
+
+				memcpy(&peer_config.allowed_ip[i].addr.in_addr,
+				       &addr4->sin_addr,
+				       sizeof(struct in_addr));
+				peer_config.allowed_ip[i].addr.family = AF_INET;
+				peer_config.allowed_ip[i].is_valid = true;
+				peer_config.allowed_ip[i].mask_len = mask_len;
+				found = true;
+
+			} else if (addr.ss_family == AF_INET6) {
+				struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)paddr;
+
+				memcpy(&peer_config.allowed_ip[i].addr.in6_addr,
+				       &addr6->sin6_addr,
+				       sizeof(struct in6_addr));
+				peer_config.allowed_ip[i].addr.family = AF_INET6;
+				peer_config.allowed_ip[i].is_valid = true;
+				peer_config.allowed_ip[i].mask_len = mask_len;
+				found = true;
+
+			} else {
+				LOG_ERR("Cannot parse IP address \"%s\"", allowed_ip_addr);
+				return -EAFNOSUPPORT;
+			}
+
+			break;
+		}
+
+		addr_str = next;
+	} while (addr_str != NULL && *addr_str != '\0');
+
+	if (!found) {
+		LOG_ERR("Not enough space for allowed IP addresses");
+		return -ENOMEM;
+	}
+
+	if (CONFIG_NET_SAMPLE_VPN_PEER_IP_ADDR[0] == '\0') {
+		LOG_ERR("Peer IP address is not set");
+		return -EINVAL;
+	}
+
+	if (!net_ipaddr_parse(CONFIG_NET_SAMPLE_VPN_PEER_IP_ADDR,
+			      strlen(CONFIG_NET_SAMPLE_VPN_PEER_IP_ADDR),
+			      paddr)) {
+		LOG_ERR("Cannot parse peer IP address \"%s\"", CONFIG_NET_SAMPLE_VPN_PEER_IP_ADDR);
+		return -EINVAL;
+	}
+
+	if (paddr->sa_family == AF_INET6) {
+		memcpy(&peer_config.endpoint_ip, paddr, sizeof(struct sockaddr_in6));
+	} else {
+		memcpy(&peer_config.endpoint_ip, paddr, sizeof(struct sockaddr_in));
+	}
+
+	ret = wireguard_peer_add(&peer_config, &peer_iface);
+	if (ret < 0) {
+		LOG_ERR("Cannot add peer (%d)", ret);
+	} else if (ret > 0) {
+		if (peer_iface != NULL) {
+			LOG_INF("Added peer id %d using interface %d", ret,
+				 net_if_get_by_iface(peer_iface));
+		} else {
+			LOG_INF("Added peer id %d", ret);
+		}
+	}
+
+	LOG_DBG("Interface %d VPN setup done.", net_if_get_by_iface(iface));
+
+	return 0;
+}
+
+int init_vpn(void)
+{
+	struct ud ud;
+	int ret;
+
+	memset(&ud, 0, sizeof(ud));
+
+	net_if_foreach(iface_cb, &ud);
+
+	/* This sample has support for one VPN connection.
+	 */
+	ret = setup_iface(ud.vpn[0],
+			  CONFIG_NET_SAMPLE_VPN_MY_ADDR,
+			  CONFIG_NET_SAMPLE_VPN_ALLOWED_PEER_ADDR,
+			  CONFIG_NET_SAMPLE_VPN_MY_PRIVATE_KEY,
+			  CONFIG_NET_SAMPLE_VPN_PEER_PUBLIC_KEY);
+	if (ret < 0) {
+		return ret;
+	}
+
+	return 0;
+}