Skip to content

Wireguard VPN support #86020

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 28 commits into from
Closed

Wireguard VPN support #86020

wants to merge 28 commits into from

Conversation

@jukkar
Copy link
Member

@jukkar jukkar commented Feb 19, 2025
edited
Loading

This is initial Wireguard VPN support. Part of the implementation is ported from wireguard-lwip project.
Some discussion about this can be found in #63722

Some of the commits in this PR might be sent separately to review.

@jukkar jukkar added the In progress For PRs: is work in progress and should not be merged yet. For issues: Is being worked on label Feb 19, 2025
@jukkar jukkar force-pushed the devel/wireguard-support branch from 005e7bb to 01dba8d Compare February 20, 2025 08:30
@jukkar
Copy link
Member Author

jukkar commented Feb 20, 2025

  • Updated to latest main
  • Fixed compilation issues
  • Added VPN support to echo-client and http-server sample applications

@jukkar jukkar force-pushed the devel/wireguard-support branch from 01dba8d to 2fd6262 Compare February 20, 2025 15:07
@jukkar
Copy link
Member Author

jukkar commented Feb 20, 2025

  • Documentation added
  • VPN statistics support added

@jukkar jukkar force-pushed the devel/wireguard-support branch from 2fd6262 to 261c30f Compare February 21, 2025 13:03
@jukkar
Copy link
Member Author

jukkar commented Feb 21, 2025

  • manifest update for net-tools
  • allowed ip address list fixes
  • shell print allowed ips and endpoint
  • more statistics collection

@zephyrbot
Copy link

zephyrbot commented Feb 21, 2025
edited
Loading

The following west manifest projects have changed revision in this Pull Request:

Name Old Revision New Revision Diff

All manifest checks OK

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@zephyrbot zephyrbot added manifest manifest-net-tools DNM (manifest) This PR should not be merged (controlled by action-manifest) labels Feb 21, 2025
@jukkar jukkar force-pushed the devel/wireguard-support branch from 261c30f to fe241b0 Compare February 21, 2025 16:44
@jukkar
Copy link
Member Author

jukkar commented Feb 21, 2025

  • housekeeping timer works now
  • keepalive timer is working and can be set from application

@jukkar jukkar force-pushed the devel/wireguard-support branch from fe241b0 to 456783b Compare February 23, 2025 14:39
@jukkar
Copy link
Member Author

jukkar commented Feb 23, 2025

  • updated to latest main
  • fixed Zephyr initiated handshake issues
  • CI fixes

@jukkar jukkar force-pushed the devel/wireguard-support branch from 456783b to d7a004e Compare February 24, 2025 09:55
@jukkar jukkar marked this pull request as ready for review February 24, 2025 09:56
@zephyrbot zephyrbot added area: Networking area: Sockets Networking sockets area: HTTP HTTP client/server support area: Samples Samples labels Feb 24, 2025
@jukkar jukkar removed the In progress For PRs: is work in progress and should not be merged yet. For issues: Is being worked on label Feb 24, 2025
jukkar added 18 commits March 23, 2025 16:19
@jukkar
net: shell: iface: Print Wireguard public key
b491b58 
If the interface is Wireguard VPN interface, then print
the public key of the interface.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
net: wireguard: stats: Add statistics support
cf02cbf 
Collect Wireguard VPN statistics and allow user to fetch it.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
net: shell: wg: Add VPN statistics support
d2d7d5d 
Show VPN statistics support if enabled.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
net: shell: wg: Print detailed peer information
306c23b 
The "net wg show 1" will show detailed information of the peer
id 1. This is useful when debugging connectivity issues.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
net: wireguard: Send network events for VPN activity
046cc7b 
Send peer add/del network event when the peers is either added
to the system or deleted from the system.
Send VPN connected / disconnected event when a VPN connection
is successfully established or the peer connection is disconnected.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
net: shell: events: Print wireguard event information
2488bef 
Add Wireguard VPN events information printouts to event monitor.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
net: l2: virtual: Add support for VPN public/private key set/get
d359674 
Add support for getting public address and setting private
key for the virtual interface. This is needed for Wireguard VPN.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
net: if: Add helper to get src interface and address from dst address
43265da 
Instead of calling various network interface API functions to get
the network interface and related source IP address, have a single
function that can return both data.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
samples: net: echo-server: Add Wireguard VPN support
17548a3 
Add Wireguard configuration to echo-server application.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
samples: net: echo-client: Add Wireguard VPN support
6b55d11 
Add Wireguard configuration to echo-client application.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
samples: net: echo-client: Enable event mgmt info support
8978a35 
CONFIG_NET_MGMT_EVENT_INFO needs to be enabled for this sample so
that we can get detailed information when the event is generated.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
samples: net: http-server: Add Wireguard VPN support
8b96b6c 
Add Wireguard configuration to http-server application.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
samples: net: Enable Wireguard VPN compilation in tests
abea492 
Add a test that enables Wireguard VPN compilation so that
we at least compile test the code.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
samples: net: common: Add information about VPN and VLAN
4e300e2 
Add example and information how to run VPN over a VLAN with
the echo-server sample.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
net: if: Add special handling for IPv4/6 address check for VPN
9f33e05 
This is a hack that is used until we have proper IP routing
in place. The code has now special check that makes sure that
we only route IP packets to VPN interface when the packet is
destined to that subnet. So if destination IP address does
not belong to VPN interface subnet, it is not routed there.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
doc: Add WireGuard VPN licensing info to license file
d830ac1 
Add WireGuard VPN licensing information to LICENSE.rst file
in the documentation.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
net: wg: Make getting current time extensible
c71c299 
Allow user to provide a function that will need to get
the current time from a RTC or SNTP or similar.
Wireguard handshake replay prevention needs a monotonic
time so the application should get it from somewhere.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar
net: wg: Support RTC with native_sim board
c2f2471 
If running wg in native-sim, use the host clock to get the
current time. This helps to have a proper handshake when
connecting even after restarting the zephyr.exe process.

Signed-off-by: Jukka Rissanen <[email protected]>
@jukkar jukkar force-pushed the devel/wireguard-support branch from b9647cb to c2f2471 Compare March 23, 2025 14:22
@jukkar
Copy link
Member Author

jukkar commented Mar 23, 2025

  • Fixing merge conflicts, no other changes

@ceolin
Copy link
Member

ceolin commented Mar 25, 2025

@ceolin couple of notes

  • As there was no PSA support for some of these algorithms, I thought that isolating the implementations to Wireguard lib would avoid any possible issues for people using these for other parts of the code. That is why they were placed to the directory they are in this PR.

Yes, that was indeed good. Most of these algorithms are already available in the PSA / mbedTLS, the only one I saw that is definitely not there is blake2s. So why having duplicated functionality ?

  • As the implementations of these algorithms are several years old and seems to be used in other projects too, I would think they are more or less working properly. Probably they work better than any other fresh re-implementation.

Not necessarily, specially in cryptography. Some of these implementation state that they should not be used in production that they have alpha quality, which is very problematic at least.

  • Could security team provide implementations for the missing features, as the security team has probably the best knowledge of this domain?

For sure, we started conversation with mbedTLS / PSA folks regarding missing algorithm. Obviously since this involves another project the timeline can vary. Can we change it to use PSA for what is available and work together in a temporary solution for the missing bits ? We can't simply import another cryptography implementation to Zephyr that is not properly maintained.

@jukkar
Copy link
Member Author

jukkar commented Mar 26, 2025

Most of these algorithms are already available in the PSA / mbedTLS, the only one I saw that is definitely not there is blake2s. So why having duplicated functionality ?

I did not want to have part of the code use PSA/mbedTLS and some part use the internal implementation. But I could consider porting the code to use the PSA and leave the blake implementation as is if that would be acceptable.

@jukkar
Copy link
Member Author

jukkar commented Mar 30, 2025

Hi, as it might take some time before PSA has support for Wireguard needed crypto, I created an external module for the Wireguard support. This way people can try it more easily and give feedback to make it work better. The module can be found here https://github.com/jukkar/zephyr-wireguard. The module contain a demo of the usage and configuration with native_sim board. Note that you would need Zephyr version (4.1.99+), specifically from commit 8e90817 ("net: shell: iface: Print VPN public key") or later to use it.

@nashif nashif moved this from Todo to Under Review in TSC Attention Needed Apr 16, 2025
@github-actions
Copy link

github-actions bot commented May 30, 2025

This pull request has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this pull request will automatically be closed in 14 days. Note, that you can always re-open a closed pull request at any time.

@github-actions github-actions bot added the Stale label May 30, 2025
@github-actions github-actions bot closed this Jun 13, 2025
@github-project-automation github-project-automation bot moved this from Under Review to Done in TSC Attention Needed Jun 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fabiobaltieri fabiobaltieri fabiobaltieri left review comments

@pdgendt pdgendt pdgendt left review comments

@rlubos rlubos rlubos left review comments

@kartben kartben Awaiting requested review from kartben

@mrodgers-witekio mrodgers-witekio Awaiting requested review from mrodgers-witekio

@nashif nashif Awaiting requested review from nashif

@ssharks ssharks Awaiting requested review from ssharks

@tbursztyka tbursztyka Awaiting requested review from tbursztyka

Assignees

@rlubos rlubos

Labels

area: HTTP HTTP client/server support area: Networking area: Samples Samples area: Sockets Networking sockets Security Review To be reviewed by a security expert Stale

Projects

TSC Attention Needed
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@jukkar @zephyrbot @nashif @ceolin @fabiobaltieri @pdgendt @rlubos @kartben