Merge pull request #85 from aramperes/dependabot/cargo/async-trait-0.1.87

build(deps): bump async-trait from 0.1.83 to 0.1.87
Merge pull request #86 from aramperes/dependabot/cargo/anyhow-1.0.97
2025-09-09 05:58:31 -04:00 · 2025-03-10 23:32:19 -04:00 · 2025-03-10 23:32:12 -04:00 · 2025-03-10 23:31:55 -04:00 · 2025-03-10 16:58:22 +00:00 · 2025-03-03 16:47:17 +00:00
19 changed files with 761 additions and 563 deletions
--- a/.cargo/config.toml
+++ b/.cargo/config.toml
@ -0,0 +1,4 @@
+[env]
+# Each interface needs 1 IP allocated to the WireGuard peer IP.
+# "8" = 7 tunnels per protocol.
+SMOLTCP_IFACE_MAX_ADDR_COUNT = "8"
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,10 @@
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    rebase-strategy: "disabled"
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -10,7 +10,7 @@ jobs:
      matrix:
        rust:
          - stable
-          - 1.70.0
+          - 1.80.0
    steps:
      - name: Checkout sources
        uses: actions/checkout@v2
@ -39,7 +39,7 @@ jobs:
      matrix:
        rust:
          - stable
-          - 1.70.0
+          - 1.80.0
    steps:
      - name: Checkout sources
        uses: actions/checkout@v2
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -61,7 +61,7 @@ jobs:
        run: echo "${{ env.VERSION }}" > artifacts/release-version

      - name: Upload artifacts
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v4
        with:
          name: artifacts
          path: artifacts
@ -75,20 +75,28 @@ jobs:
      RUST_BACKTRACE: 1
    strategy:
      matrix:
-        build: [ linux-amd64, macos-intel, windows ]
+        build: [ linux-amd64, linux-aarch64, macos-aarch64, windows ]
        include:
          - build: linux-amd64
            os: ubuntu-latest
            rust: stable
            target: x86_64-unknown-linux-musl
-          - build: macos-intel
+            cross: true
+          - build: linux-aarch64
+            os: ubuntu-latest
+            rust: stable
+            target: aarch64-unknown-linux-musl
+            cross: true
+          - build: macos-aarch64
            os: macos-latest
            rust: stable
-            target: x86_64-apple-darwin
+            target: aarch64-apple-darwin
+            cross: false
          - build: windows
            os: windows-2019
            rust: stable
            target: x86_64-pc-windows-msvc
+            cross: false

    steps:
      - name: Checkout repository
@ -113,7 +121,7 @@ jobs:
          target: ${{ matrix.target }}

      - name: Get release download URL
-        uses: actions/download-artifact@v1
+        uses: actions/download-artifact@v4
        with:
          name: artifacts
          path: artifacts
@ -126,17 +134,24 @@ jobs:
          echo "release upload url: $release_upload_url"

      - name: Build onetun binary
-        run: cargo build --release
+        shell: bash
+        run: |
+          if [ "${{ matrix.cross }}" = "true" ]; then
+            cargo install cross
+            cross build --release --target ${{ matrix.target }}
+          else
+            cargo build --release --target ${{ matrix.target }}
+          fi

      - name: Prepare onetun binary
        shell: bash
        run: |
          mkdir -p ci/assets
          if [ "${{ matrix.build }}" = "windows" ]; then
-            cp "target/release/onetun.exe" "ci/assets/onetun.exe"
+            cp "target/${{ matrix.target }}/release/onetun.exe" "ci/assets/onetun.exe"
            echo "ASSET=onetun.exe" >> $GITHUB_ENV
          else
-            cp "target/release/onetun" "ci/assets/onetun-${{ matrix.build }}"
+            cp "target/${{ matrix.target }}/release/onetun" "ci/assets/onetun-${{ matrix.build }}"
            echo "ASSET=onetun-${{ matrix.build }}" >> $GITHUB_ENV
          fi

--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "onetun"
-version = "0.3.7"
+version = "0.3.10"
 edition = "2021"
 license = "MIT"
 description = "A cross-platform, user-space WireGuard port-forwarder that requires no system network configurations."
@ -11,7 +11,7 @@ repository = "https://github.com/aramperes/onetun"

 [dependencies]
 # Required dependencies (bin and lib)
-boringtun = { version = "0.4.0", default-features = false }
+boringtun = { version = "0.6.0", default-features = false }
 log = "0.4"
 anyhow = "1"
 tokio = { version = "1", features = [ "rt", "sync", "io-util", "net", "time", "fs", "macros" ] }
@ -19,8 +19,8 @@ futures = "0.3"
 rand = "0.8"
 nom = "7"
 async-trait = "0.1"
-priority-queue = "1.3"
-smoltcp = { version = "0.10", default-features = false, features = [
+priority-queue = "2.1"
+smoltcp = { version = "0.12", default-features = false, features = [
    "std",
    "log",
    "medium-ip",
@ -37,7 +37,7 @@ tracing = { version = "0.1", default-features = false, features = ["log"] }

 # bin-only dependencies
 clap = { version = "4.4.11", default-features = false, features = ["suggestions", "std", "env", "help", "wrap_help"], optional = true }
-pretty_env_logger = { version = "0.4", optional = true }
+pretty_env_logger = { version = "0.5", optional = true }
 async-recursion = "1.0"

 [features]
--- a/7
+++ b/7
@ -1,4 +1,4 @@
-FROM rust:1.70.0 as cargo-build
+FROM rust:1.82.0 as cargo-build

 WORKDIR /usr/src/onetun
 COPY Cargo.toml Cargo.toml
@ -15,8 +15,9 @@ COPY . .
 RUN cargo build --release

 FROM debian:11-slim
-RUN apt-get update
-RUN apt-get install dumb-init -y
+RUN apt-get update \
+    && apt-get install dumb-init -y \
+    && rm -rf /var/lib/apt/lists/*

 COPY --from=cargo-build /usr/src/onetun/target/release/onetun /usr/local/bin/onetun

--- a/2
+++ b/2
@ -1,6 +1,6 @@
 MIT License

-Copyright (c) 2023 Aram Peres
+Copyright (c) 2025 Aram Peres

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/README.md
+++ b/README.md
@ -21,13 +21,13 @@ For example,

 ## Download

-onetun is available to install from [crates.io](https://crates.io/crates/onetun) with Rust ≥1.70.0:
+onetun is available to install from [crates.io](https://crates.io/crates/onetun) with Rust ≥1.80.0:

 ```shell
 cargo install onetun
 ```

-You can also download the binary for Windows, macOS (Intel), and Linux (amd64) from
+You can also download the binary for Windows, macOS (Apple Silicon), and Linux (amd64, arm64) from
 the [Releases](https://github.com/aramperes/onetun/releases) page.

 You can also run onetun using [Docker](https://hub.docker.com/r/aramperes/onetun):
@ -37,7 +37,7 @@ docker run --rm --name onetun --user 1000 -p 8080:8080 aramperes/onetun \
    0.0.0.0:8080:192.168.4.2:8080 [...options...]
 ```

-You can also build onetun locally, using Rust ≥1.70.0:
+You can also build onetun locally, using Rust ≥1.80.0:

 ```shell
 git clone https://github.com/aramperes/onetun && cd onetun
@ -126,6 +126,14 @@ INFO  onetun::tunnel > Tunneling TCP [127.0.0.1:8081]->[192.168.4.4:8081] (via [

 ... would open TCP ports 8080 and 8081 locally, which forward to their respective ports on the different peers.

+#### Maximum number of tunnels
+
+`smoltcp` imposes a compile-time limit on the number of IP addresses assigned to an interface. **onetun** increases
+the default value to support most use-cases. In effect, the default limit on the number of **onetun** peers
+is **7 per protocol** (TCP and UDP).
+
+Should you need more unique IP addresses to forward ports to, you can increase the limit in `.cargo/config.toml` and recompile **onetun**.
+
 ### UDP Support

 **onetun** supports UDP forwarding. You can add `:UDP` at the end of the port-forward configuration, or `UDP,TCP` to support
@ -311,4 +319,4 @@ Please consider opening a GitHub issue if you are unsure if your contribution is

 ## License

-MIT License. See `LICENSE` for details. Copyright &copy; 2023 Aram Peres.
+MIT License. See `LICENSE` for details. Copyright &copy; 2025 Aram Peres.
--- a/src/config.rs
+++ b/src/config.rs
@ -5,18 +5,18 @@ use std::fs::read_to_string;
 use std::net::{IpAddr, SocketAddr, ToSocketAddrs};
 use std::sync::Arc;

-use anyhow::Context;
-pub use boringtun::crypto::{X25519PublicKey, X25519SecretKey};
+use anyhow::{bail, Context};
+pub use boringtun::x25519::{PublicKey, StaticSecret};

 const DEFAULT_PORT_FORWARD_SOURCE: &str = "127.0.0.1";

-#[derive(Clone, Debug)]
+#[derive(Clone)]
 pub struct Config {
    pub port_forwards: Vec<PortForwardConfig>,
    #[allow(dead_code)]
    pub remote_port_forwards: Vec<PortForwardConfig>,
-    pub private_key: Arc<X25519SecretKey>,
-    pub endpoint_public_key: Arc<X25519PublicKey>,
+    pub private_key: Arc<StaticSecret>,
+    pub endpoint_public_key: Arc<PublicKey>,
    pub preshared_key: Option<[u8; 32]>,
    pub endpoint_addr: SocketAddr,
    pub endpoint_bind_addr: SocketAddr,
@ -161,14 +161,14 @@ impl Config {
            .map(|s| PortForwardConfig::from_notation(&s, DEFAULT_PORT_FORWARD_SOURCE))
            .collect();
        let port_forwards: Vec<PortForwardConfig> = port_forwards
-            .with_context(|| "Failed to parse port forward config")?
+            .context("Failed to parse port forward config")?
            .into_iter()
            .flatten()
            .collect();

        // Read source-peer-ip
        let source_peer_ip = parse_ip(matches.get_one::<String>("source-peer-ip"))
-            .with_context(|| "Invalid source peer IP")?;
+            .context("Invalid source peer IP")?;

        // Combined `remote` arg and `ONETUN_REMOTE_PORT_FORWARD_#` envs
        let mut port_forward_strings = HashSet::new();
@ -196,20 +196,20 @@ impl Config {
                })
                .collect();
        let mut remote_port_forwards: Vec<PortForwardConfig> = remote_port_forwards
-            .with_context(|| "Failed to parse remote port forward config")?
+            .context("Failed to parse remote port forward config")?
            .into_iter()
            .flatten()
            .collect();
        for port_forward in remote_port_forwards.iter_mut() {
            if port_forward.source.ip() != source_peer_ip {
-                return Err(anyhow::anyhow!("Remote port forward config <src_host> must match --source-peer-ip ({}), or be omitted.", source_peer_ip));
+                bail!("Remote port forward config <src_host> must match --source-peer-ip ({}), or be omitted.", source_peer_ip);
            }
            port_forward.source = SocketAddr::from((source_peer_ip, port_forward.source.port()));
            port_forward.remote = true;
        }

        if port_forwards.is_empty() && remote_port_forwards.is_empty() {
-            return Err(anyhow::anyhow!("No port forward configurations given."));
+            bail!("No port forward configurations given.");
        }

        // Read private key from file or CLI argument
@ -229,7 +229,7 @@ impl Config {
        {
            read_to_string(private_key_file)
                .map(|s| s.trim().to_string())
-                .with_context(|| "Failed to read private key file")
+                .context("Failed to read private key file")
        } else {
            if std::env::var("ONETUN_PRIVATE_KEY").is_err() {
                warnings.push("Private key was passed using CLI. This is insecure. \
@ -238,20 +238,18 @@ impl Config {
            matches
                .get_one::<String>("private-key")
                .cloned()
-                .with_context(|| "Missing private key")
+                .context("Missing private key")
        }?;

        let endpoint_addr = parse_addr(matches.get_one::<String>("endpoint-addr"))
-            .with_context(|| "Invalid endpoint address")?;
+            .context("Invalid endpoint address")?;

        let endpoint_bind_addr = if let Some(addr) = matches.get_one::<String>("endpoint-bind-addr")
        {
-            let addr = parse_addr(Some(addr)).with_context(|| "Invalid bind address")?;
+            let addr = parse_addr(Some(addr)).context("Invalid bind address")?;
            // Make sure the bind address and endpoint address are the same IP version
            if addr.ip().is_ipv4() != endpoint_addr.ip().is_ipv4() {
-                return Err(anyhow::anyhow!(
-                    "Endpoint and bind addresses must be the same IP version"
-                ));
+                bail!("Endpoint and bind addresses must be the same IP version");
            }
            addr
        } else {
@ -265,21 +263,19 @@ impl Config {
        Ok(Self {
            port_forwards,
            remote_port_forwards,
-            private_key: Arc::new(
-                parse_private_key(&private_key).with_context(|| "Invalid private key")?,
-            ),
+            private_key: Arc::new(parse_private_key(&private_key).context("Invalid private key")?),
            endpoint_public_key: Arc::new(
                parse_public_key(matches.get_one::<String>("endpoint-public-key"))
-                    .with_context(|| "Invalid endpoint public key")?,
+                    .context("Invalid endpoint public key")?,
            ),
            preshared_key: parse_preshared_key(matches.get_one::<String>("preshared-key"))?,
            endpoint_addr,
            endpoint_bind_addr,
            source_peer_ip,
            keepalive_seconds: parse_keep_alive(matches.get_one::<String>("keep-alive"))
-                .with_context(|| "Invalid keep-alive value")?,
+                .context("Invalid keep-alive value")?,
            max_transmission_unit: parse_mtu(matches.get_one::<String>("max-transmission-unit"))
-                .with_context(|| "Invalid max-transmission-unit value")?,
+                .context("Invalid max-transmission-unit value")?,
            log: matches
                .get_one::<String>("log")
                .cloned()
@ -291,38 +287,47 @@ impl Config {
 }

 fn parse_addr<T: AsRef<str>>(s: Option<T>) -> anyhow::Result<SocketAddr> {
-    s.with_context(|| "Missing address")?
+    s.context("Missing address")?
        .as_ref()
        .to_socket_addrs()
-        .with_context(|| "Invalid address")?
+        .context("Invalid address")?
        .next()
-        .with_context(|| "Could not lookup address")
+        .context("Could not lookup address")
 }

 fn parse_ip(s: Option<&String>) -> anyhow::Result<IpAddr> {
-    s.with_context(|| "Missing IP")?
+    s.context("Missing IP address")?
        .parse::<IpAddr>()
-        .with_context(|| "Invalid IP address")
+        .context("Invalid IP address")
 }

-fn parse_private_key(s: &str) -> anyhow::Result<X25519SecretKey> {
-    s.parse::<X25519SecretKey>()
-        .map_err(|e| anyhow::anyhow!("{}", e))
+fn parse_private_key(s: &str) -> anyhow::Result<StaticSecret> {
+    let decoded = base64::decode(s).context("Failed to decode private key")?;
+    if let Ok::<[u8; 32], _>(bytes) = decoded.try_into() {
+        Ok(StaticSecret::from(bytes))
+    } else {
+        bail!("Invalid private key")
+    }
 }

-fn parse_public_key(s: Option<&String>) -> anyhow::Result<X25519PublicKey> {
-    s.with_context(|| "Missing public key")?
-        .parse::<X25519PublicKey>()
-        .map_err(|e| anyhow::anyhow!("{}", e))
-        .with_context(|| "Invalid public key")
+fn parse_public_key(s: Option<&String>) -> anyhow::Result<PublicKey> {
+    let encoded = s.context("Missing public key")?;
+    let decoded = base64::decode(encoded).context("Failed to decode public key")?;
+    if let Ok::<[u8; 32], _>(bytes) = decoded.try_into() {
+        Ok(PublicKey::from(bytes))
+    } else {
+        bail!("Invalid public key")
+    }
 }

 fn parse_preshared_key(s: Option<&String>) -> anyhow::Result<Option<[u8; 32]>> {
    if let Some(s) = s {
-        let psk = base64::decode(s).with_context(|| "Invalid pre-shared key")?;
-        Ok(Some(psk.try_into().map_err(|_| {
-            anyhow::anyhow!("Unsupported pre-shared key")
-        })?))
+        let decoded = base64::decode(s).context("Failed to decode preshared key")?;
+        if let Ok::<[u8; 32], _>(bytes) = decoded.try_into() {
+            Ok(Some(bytes))
+        } else {
+            bail!("Invalid preshared key")
+        }
    } else {
        Ok(None)
    }
@ -343,9 +348,7 @@ fn parse_keep_alive(s: Option<&String>) -> anyhow::Result<Option<u16>> {
 }

 fn parse_mtu(s: Option<&String>) -> anyhow::Result<usize> {
-    s.with_context(|| "Missing MTU")?
-        .parse()
-        .with_context(|| "Invalid MTU")
+    s.context("Missing MTU")?.parse().context("Invalid MTU")
 }

 #[cfg(unix)]
@ -474,27 +477,21 @@ impl PortForwardConfig {

        let source = (
            src_addr.0.unwrap_or(default_source),
-            src_addr
-                .1
-                .parse::<u16>()
-                .with_context(|| "Invalid source port")?,
+            src_addr.1.parse::<u16>().context("Invalid source port")?,
        )
            .to_socket_addrs()
-            .with_context(|| "Invalid source address")?
+            .context("Invalid source address")?
            .next()
-            .with_context(|| "Could not resolve source address")?;
+            .context("Could not resolve source address")?;

        let destination = (
            dst_addr.0,
-            dst_addr
-                .1
-                .parse::<u16>()
-                .with_context(|| "Invalid source port")?,
+            dst_addr.1.parse::<u16>().context("Invalid source port")?,
        )
            .to_socket_addrs() // TODO: Pass this as given and use DNS config instead (issue #15)
-            .with_context(|| "Invalid destination address")?
+            .context("Invalid destination address")?
            .next()
-            .with_context(|| "Could not resolve destination address")?;
+            .context("Could not resolve destination address")?;

        // Parse protocols
        let protocols = if let Some(protocols) = protocols {
@ -504,7 +501,7 @@ impl PortForwardConfig {
        } else {
            Ok(vec![PortProtocol::Tcp])
        }
-        .with_context(|| "Failed to parse protocols")?;
+        .context("Failed to parse protocols")?;

        // Returns an config for each protocol
        Ok(protocols
--- a/src/lib.rs
+++ b/src/lib.rs
@ -41,7 +41,7 @@ pub async fn start_tunnels(config: Config, bus: Bus) -> anyhow::Result<()> {

    let wg = WireGuardTunnel::new(&config, bus.clone())
        .await
-        .with_context(|| "Failed to initialize WireGuard tunnel")?;
+        .context("Failed to initialize WireGuard tunnel")?;
    let wg = Arc::new(wg);

    {
--- a/src/main.rs
+++ b/src/main.rs
@ -8,7 +8,7 @@ async fn main() -> anyhow::Result<()> {
    use anyhow::Context;
    use onetun::{config::Config, events::Bus};

-    let config = Config::from_args().with_context(|| "Failed to read config")?;
+    let config = Config::from_args().context("Configuration has errors")?;
    init_logger(&config)?;

    for warning in &config.warnings {
@ -32,7 +32,5 @@ fn init_logger(config: &onetun::config::Config) -> anyhow::Result<()> {

    let mut builder = pretty_env_logger::formatted_timed_builder();
    builder.parse_filters(&config.log);
-    builder
-        .try_init()
-        .with_context(|| "Failed to initialize logger")
+    builder.try_init().context("Failed to initialize logger")
 }
--- a/src/pcap.rs
+++ b/src/pcap.rs
@ -16,7 +16,7 @@ impl Pcap {
        self.writer
            .flush()
            .await
-            .with_context(|| "Failed to flush pcap writer")
+            .context("Failed to flush pcap writer")
    }

    async fn write(&mut self, data: &[u8]) -> anyhow::Result<usize> {
@ -30,14 +30,14 @@ impl Pcap {
        self.writer
            .write_u16(value)
            .await
-            .with_context(|| "Failed to write u16 to pcap writer")
+            .context("Failed to write u16 to pcap writer")
    }

    async fn write_u32(&mut self, value: u32) -> anyhow::Result<()> {
        self.writer
            .write_u32(value)
            .await
-            .with_context(|| "Failed to write u32 to pcap writer")
+            .context("Failed to write u32 to pcap writer")
    }

    async fn global_header(&mut self) -> anyhow::Result<()> {
@ -64,14 +64,14 @@ impl Pcap {
    async fn packet(&mut self, timestamp: Instant, packet: &[u8]) -> anyhow::Result<()> {
        self.packet_header(timestamp, packet.len())
            .await
-            .with_context(|| "Failed to write packet header to pcap writer")?;
+            .context("Failed to write packet header to pcap writer")?;
        self.write(packet)
            .await
-            .with_context(|| "Failed to write packet to pcap writer")?;
+            .context("Failed to write packet to pcap writer")?;
        self.writer
            .flush()
            .await
-            .with_context(|| "Failed to flush pcap writer")?;
+            .context("Failed to flush pcap writer")?;
        self.flush().await
    }
 }
@ -81,14 +81,14 @@ pub async fn capture(pcap_file: String, bus: Bus) -> anyhow::Result<()> {
    let mut endpoint = bus.new_endpoint();
    let file = File::create(&pcap_file)
        .await
-        .with_context(|| "Failed to create pcap file")?;
+        .context("Failed to create pcap file")?;
    let writer = BufWriter::new(file);

    let mut writer = Pcap { writer };
    writer
        .global_header()
        .await
-        .with_context(|| "Failed to write global header to pcap writer")?;
+        .context("Failed to write global header to pcap writer")?;

    info!("Capturing WireGuard IP packets to {}", &pcap_file);
    loop {
@ -98,14 +98,14 @@ pub async fn capture(pcap_file: String, bus: Bus) -> anyhow::Result<()> {
                writer
                    .packet(instant, &ip)
                    .await
-                    .with_context(|| "Failed to write inbound IP packet to pcap writer")?;
+                    .context("Failed to write inbound IP packet to pcap writer")?;
            }
            Event::OutboundInternetPacket(ip) => {
                let instant = Instant::now();
                writer
                    .packet(instant, &ip)
                    .await
-                    .with_context(|| "Failed to write output IP packet to pcap writer")?;
+                    .context("Failed to write output IP packet to pcap writer")?;
            }
            _ => {}
        }
--- a/src/tunnel/tcp.rs
+++ b/src/tunnel/tcp.rs
@ -27,14 +27,14 @@ pub async fn tcp_proxy_server(
 ) -> anyhow::Result<()> {
    let listener = TcpListener::bind(port_forward.source)
        .await
-        .with_context(|| "Failed to listen on TCP proxy server")?;
+        .context("Failed to listen on TCP proxy server")?;

    loop {
        let port_pool = port_pool.clone();
        let (socket, peer_addr) = listener
            .accept()
            .await
-            .with_context(|| "Failed to accept connection on TCP proxy server")?;
+            .context("Failed to accept connection on TCP proxy server")?;

        // Assign a 'virtual port': this is a unique port number used to route IP packets
        // received from the WireGuard tunnel. It is the port number that the virtual client will
@ -192,7 +192,7 @@ impl TcpPortPool {
        let port = inner
            .queue
            .pop_front()
-            .with_context(|| "TCP virtual port pool is exhausted")?;
+            .context("TCP virtual port pool is exhausted")?;
        Ok(VirtualPort::new(port, PortProtocol::Tcp))
    }

--- a/src/tunnel/udp.rs
+++ b/src/tunnel/udp.rs
@ -37,7 +37,7 @@ pub async fn udp_proxy_server(
    let mut endpoint = bus.new_endpoint();
    let socket = UdpSocket::bind(port_forward.source)
        .await
-        .with_context(|| "Failed to bind on UDP proxy address")?;
+        .context("Failed to bind on UDP proxy address")?;

    let mut buffer = [0u8; MAX_PACKET];
    loop {
@ -103,7 +103,7 @@ async fn next_udp_datagram(
    let (size, peer_addr) = socket
        .recv_from(buffer)
        .await
-        .with_context(|| "Failed to accept incoming UDP datagram")?;
+        .context("Failed to accept incoming UDP datagram")?;

    // Assign a 'virtual port': this is a unique port number used to route IP packets
    // received from the WireGuard tunnel. It is the port number that the virtual client will
@ -212,7 +212,7 @@ impl UdpPortPool {
                    None
                }
            })
-            .with_context(|| "virtual port pool is exhausted")?;
+            .context("Virtual port pool is exhausted")?;

        inner.port_by_peer_addr.insert(peer_addr, port);
        inner.peer_addr_by_port.insert(port, peer_addr);
--- a/src/virtual_device.rs
+++ b/src/virtual_device.rs
@ -55,8 +55,14 @@ impl VirtualIpDevice {
 }

 impl smoltcp::phy::Device for VirtualIpDevice {
-    type RxToken<'a> = RxToken where Self: 'a;
-    type TxToken<'a> = TxToken where Self: 'a;
+    type RxToken<'a>
+        = RxToken
+    where
+        Self: 'a;
+    type TxToken<'a>
+        = TxToken
+    where
+        Self: 'a;

    fn receive(&mut self, _timestamp: Instant) -> Option<(Self::RxToken<'_>, Self::TxToken<'_>)> {
        let next = {
@ -103,11 +109,11 @@ pub struct RxToken {
 }

 impl smoltcp::phy::RxToken for RxToken {
-    fn consume<R, F>(mut self, f: F) -> R
+    fn consume<R, F>(self, f: F) -> R
    where
-        F: FnOnce(&mut [u8]) -> R,
+        F: FnOnce(&[u8]) -> R,
    {
-        f(&mut self.buffer)
+        f(&self.buffer)
    }
 }

--- a/src/virtual_iface/tcp.rs
+++ b/src/virtual_iface/tcp.rs
@ -6,6 +6,7 @@ use crate::Bus;
 use anyhow::Context;
 use async_trait::async_trait;
 use bytes::Bytes;
+use smoltcp::iface::PollResult;
 use smoltcp::{
    iface::{Config, Interface, SocketHandle, SocketSet},
    socket::tcp,
@ -21,14 +22,14 @@ use std::{
 const MAX_PACKET: usize = 65536;

 /// A virtual interface for proxying Layer 7 data to Layer 3 packets, and vice-versa.
-pub struct TcpVirtualInterface<'a> {
+pub struct TcpVirtualInterface {
    source_peer_ip: IpAddr,
    port_forwards: Vec<PortForwardConfig>,
    bus: Bus,
-    sockets: SocketSet<'a>,
+    sockets: SocketSet<'static>,
 }

-impl<'a> TcpVirtualInterface<'a> {
+impl TcpVirtualInterface {
    /// Initialize the parameters for a new virtual interface.
    /// Use the `poll_loop()` future to start the virtual interface poll loop.
    pub fn new(port_forwards: Vec<PortForwardConfig>, bus: Bus, source_peer_ip: IpAddr) -> Self {
@ -56,7 +57,7 @@ impl<'a> TcpVirtualInterface<'a> {
                IpAddress::from(port_forward.destination.ip()),
                port_forward.destination.port(),
            ))
-            .with_context(|| "Virtual server socket failed to listen")?;
+            .context("Virtual server socket failed to listen")?;

        Ok(socket)
    }
@ -84,7 +85,7 @@ impl<'a> TcpVirtualInterface<'a> {
 }

 #[async_trait]
-impl VirtualInterfacePoll for TcpVirtualInterface<'_> {
+impl VirtualInterfacePoll for TcpVirtualInterface {
    async fn poll_loop(mut self, mut device: VirtualIpDevice) -> anyhow::Result<()> {
        // Create CIDR block for source peer IP + each port forward IP
        let addresses = self.addresses();
@ -94,7 +95,9 @@ impl VirtualInterfacePoll for TcpVirtualInterface<'_> {
        let mut iface = Interface::new(config, &mut device, Instant::now());
        iface.update_ip_addrs(|ip_addrs| {
            addresses.into_iter().for_each(|addr| {
-                ip_addrs.push(addr).unwrap();
+                ip_addrs
+                    .push(addr)
+                    .expect("maximum number of IPs in TCP interface reached");
            });
        });

@ -139,7 +142,7 @@ impl VirtualInterfacePoll for TcpVirtualInterface<'_> {
                        }
                    });

-                    if iface.poll(loop_start, &mut device, &mut self.sockets) {
+                    if iface.poll(loop_start, &mut device, &mut self.sockets) == PollResult::SocketStateChanged {
                        log::trace!("TCP virtual interface polled some packets to be processed");
                    }

@ -218,7 +221,7 @@ impl VirtualInterfacePoll for TcpVirtualInterface<'_> {
                                    ),
                                    (IpAddress::from(self.source_peer_ip), virtual_port.num()),
                                )
-                                .with_context(|| "Virtual server socket failed to listen")?;
+                                .context("Virtual server socket failed to listen")?;

                            next_poll = None;
                        }
--- a/src/virtual_iface/udp.rs
+++ b/src/virtual_iface/udp.rs
@ -6,6 +6,7 @@ use crate::{Bus, PortProtocol};
 use anyhow::Context;
 use async_trait::async_trait;
 use bytes::Bytes;
+use smoltcp::iface::PollResult;
 use smoltcp::{
    iface::{Config, Interface, SocketHandle, SocketSet},
    socket::udp::{self, UdpMetadata},
@ -20,14 +21,14 @@ use std::{

 const MAX_PACKET: usize = 65536;

-pub struct UdpVirtualInterface<'a> {
+pub struct UdpVirtualInterface {
    source_peer_ip: IpAddr,
    port_forwards: Vec<PortForwardConfig>,
    bus: Bus,
-    sockets: SocketSet<'a>,
+    sockets: SocketSet<'static>,
 }

-impl<'a> UdpVirtualInterface<'a> {
+impl UdpVirtualInterface {
    /// Initialize the parameters for a new virtual interface.
    /// Use the `poll_loop()` future to start the virtual interface poll loop.
    pub fn new(port_forwards: Vec<PortForwardConfig>, bus: Bus, source_peer_ip: IpAddr) -> Self {
@ -61,7 +62,7 @@ impl<'a> UdpVirtualInterface<'a> {
                IpAddress::from(port_forward.destination.ip()),
                port_forward.destination.port(),
            ))
-            .with_context(|| "UDP virtual server socket failed to bind")?;
+            .context("UDP virtual server socket failed to bind")?;
        Ok(socket)
    }

@ -78,7 +79,7 @@ impl<'a> UdpVirtualInterface<'a> {
        let mut socket = udp::Socket::new(udp_rx_buffer, udp_tx_buffer);
        socket
            .bind((IpAddress::from(source_peer_ip), client_port.num()))
-            .with_context(|| "UDP virtual client failed to bind")?;
+            .context("UDP virtual client failed to bind")?;
        Ok(socket)
    }

@ -96,7 +97,7 @@ impl<'a> UdpVirtualInterface<'a> {
 }

 #[async_trait]
-impl<'a> VirtualInterfacePoll for UdpVirtualInterface<'a> {
+impl VirtualInterfacePoll for UdpVirtualInterface {
    async fn poll_loop(mut self, mut device: VirtualIpDevice) -> anyhow::Result<()> {
        // Create CIDR block for source peer IP + each port forward IP
        let addresses = self.addresses();
@ -106,7 +107,9 @@ impl<'a> VirtualInterfacePoll for UdpVirtualInterface<'a> {
        let mut iface = Interface::new(config, &mut device, Instant::now());
        iface.update_ip_addrs(|ip_addrs| {
            addresses.into_iter().for_each(|addr| {
-                ip_addrs.push(addr).unwrap();
+                ip_addrs
+                    .push(addr)
+                    .expect("maximum number of IPs in UDP interface reached");
            });
        });

@ -138,7 +141,7 @@ impl<'a> VirtualInterfacePoll for UdpVirtualInterface<'a> {
                } => {
                    let loop_start = smoltcp::time::Instant::now();

-                    if iface.poll(loop_start, &mut device, &mut self.sockets) {
+                    if iface.poll(loop_start, &mut device, &mut self.sockets) == PollResult::SocketStateChanged {
                        log::trace!("UDP virtual interface polled some packets to be processed");
                    }

--- a/src/wg.rs
+++ b/src/wg.rs
@ -1,4 +1,4 @@
-use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
+use std::net::{IpAddr, SocketAddr};
 use std::time::Duration;

 use crate::Bus;
@ -9,6 +9,7 @@ use boringtun::noise::{Tunn, TunnResult};
 use log::Level;
 use smoltcp::wire::{IpProtocol, IpVersion, Ipv4Packet, Ipv6Packet};
 use tokio::net::UdpSocket;
+use tokio::sync::Mutex;

 use crate::config::{Config, PortProtocol};
 use crate::events::Event;
@ -23,7 +24,7 @@ const MAX_PACKET: usize = 65536;
 pub struct WireGuardTunnel {
    pub(crate) source_peer_ip: IpAddr,
    /// `boringtun` peer/tunnel implementation, used for crypto & WG protocol.
-    peer: Box<Tunn>,
+    peer: Mutex<Box<Tunn>>,
    /// The UDP socket for the public WireGuard endpoint to connect to.
    udp: UdpSocket,
    /// The address of the public WireGuard endpoint (UDP).
@ -36,11 +37,11 @@ impl WireGuardTunnel {
    /// Initialize a new WireGuard tunnel.
    pub async fn new(config: &Config, bus: Bus) -> anyhow::Result<Self> {
        let source_peer_ip = config.source_peer_ip;
-        let peer = Self::create_tunnel(config)?;
+        let peer = Mutex::new(Box::new(Self::create_tunnel(config)?));
        let endpoint = config.endpoint_addr;
        let udp = UdpSocket::bind(config.endpoint_bind_addr)
            .await
-            .with_context(|| "Failed to create UDP socket for WireGuard connection")?;
+            .context("Failed to create UDP socket for WireGuard connection")?;

        Ok(Self {
            source_peer_ip,
@ -55,12 +56,16 @@ impl WireGuardTunnel {
    pub async fn send_ip_packet(&self, packet: &[u8]) -> anyhow::Result<()> {
        trace_ip_packet("Sending IP packet", packet);
        let mut send_buf = [0u8; MAX_PACKET];
-        match self.peer.encapsulate(packet, &mut send_buf) {
+        let encapsulate_result = {
+            let mut peer = self.peer.lock().await;
+            peer.encapsulate(packet, &mut send_buf)
+        };
+        match encapsulate_result {
            TunnResult::WriteToNetwork(packet) => {
                self.udp
                    .send_to(packet, self.endpoint)
                    .await
-                    .with_context(|| "Failed to send encrypted IP packet to WireGuard endpoint.")?;
+                    .context("Failed to send encrypted IP packet to WireGuard endpoint.")?;
                debug!(
                    "Sent {} bytes to WireGuard endpoint (encrypted IP packet)",
                    packet.len()
@ -104,7 +109,7 @@ impl WireGuardTunnel {

        loop {
            let mut send_buf = [0u8; MAX_PACKET];
-            let tun_result = self.peer.update_timers(&mut send_buf);
+            let tun_result = { self.peer.lock().await.update_timers(&mut send_buf) };
            self.handle_routine_tun_result(tun_result).await;
        }
    }
@ -131,7 +136,11 @@ impl WireGuardTunnel {
                warn!("Wireguard handshake has expired!");

                let mut buf = vec![0u8; MAX_PACKET];
-                let result = self.peer.format_handshake_initiation(&mut buf[..], false);
+                let result = self
+                    .peer
+                    .lock()
+                    .await
+                    .format_handshake_initiation(&mut buf[..], false);

                self.handle_routine_tun_result(result).await
            }
@ -172,7 +181,11 @@ impl WireGuardTunnel {
            };

            let data = &recv_buf[..size];
-            match self.peer.decapsulate(None, data, &mut send_buf) {
+            let decapsulate_result = {
+                let mut peer = self.peer.lock().await;
+                peer.decapsulate(None, data, &mut send_buf)
+            };
+            match decapsulate_result {
                TunnResult::WriteToNetwork(packet) => {
                    match self.udp.send_to(packet, self.endpoint).await {
                        Ok(_) => {}
@ -181,9 +194,10 @@ impl WireGuardTunnel {
                            continue;
                        }
                    };
+                    let mut peer = self.peer.lock().await;
                    loop {
                        let mut send_buf = [0u8; MAX_PACKET];
-                        match self.peer.decapsulate(None, &[], &mut send_buf) {
+                        match peer.decapsulate(None, &[], &mut send_buf) {
                            TunnResult::WriteToNetwork(packet) => {
                                match self.udp.send_to(packet, self.endpoint).await {
                                    Ok(_) => {}
@ -217,17 +231,20 @@ impl WireGuardTunnel {
        }
    }

-    fn create_tunnel(config: &Config) -> anyhow::Result<Box<Tunn>> {
+    fn create_tunnel(config: &Config) -> anyhow::Result<Tunn> {
+        let private = config.private_key.as_ref().clone();
+        let public = *config.endpoint_public_key.as_ref();
+
        Tunn::new(
-            config.private_key.clone(),
-            config.endpoint_public_key.clone(),
+            private,
+            public,
            config.preshared_key,
            config.keepalive_seconds,
            0,
            None,
        )
        .map_err(|s| anyhow::anyhow!("{}", s))
-        .with_context(|| "Failed to initialize boringtun Tunn")
+        .context("Failed to initialize boringtun Tunn")
    }

    /// Determine the inner protocol of the incoming IP packet (TCP/UDP).
@ -236,7 +253,7 @@ impl WireGuardTunnel {
            Ok(IpVersion::Ipv4) => Ipv4Packet::new_checked(&packet)
                .ok()
                // Only care if the packet is destined for this tunnel
-                .filter(|packet| Ipv4Addr::from(packet.dst_addr()) == self.source_peer_ip)
+                .filter(|packet| packet.dst_addr() == self.source_peer_ip)
                .and_then(|packet| match packet.next_header() {
                    IpProtocol::Tcp => Some(PortProtocol::Tcp),
                    IpProtocol::Udp => Some(PortProtocol::Udp),
@ -246,7 +263,7 @@ impl WireGuardTunnel {
            Ok(IpVersion::Ipv6) => Ipv6Packet::new_checked(&packet)
                .ok()
                // Only care if the packet is destined for this tunnel
-                .filter(|packet| Ipv6Addr::from(packet.dst_addr()) == self.source_peer_ip)
+                .filter(|packet| packet.dst_addr() == self.source_peer_ip)
                .and_then(|packet| match packet.next_header() {
                    IpProtocol::Tcp => Some(PortProtocol::Tcp),
                    IpProtocol::Udp => Some(PortProtocol::Udp),
Author	SHA1	Message	Date
Aram Peres	3ca5ae2181	Merge pull request #85 from aramperes/dependabot/cargo/async-trait-0.1.87 build(deps): bump async-trait from 0.1.83 to 0.1.87	2025-03-10 23:32:19 -04:00
Aram Peres	ac83ddbd4d	Merge pull request #86 from aramperes/dependabot/cargo/anyhow-1.0.97 build(deps): bump anyhow from 1.0.94 to 1.0.97	2025-03-10 23:32:12 -04:00
Aram Peres	17f424140d	Merge pull request #87 from aramperes/dependabot/cargo/tokio-1.44.0 build(deps): bump tokio from 1.42.0 to 1.44.0	2025-03-10 23:31:55 -04:00
dependabot[bot]	8030ca1a2d	build(deps): bump tokio from 1.42.0 to 1.44.0 Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.42.0 to 1.44.0. - [Release notes](https://github.com/tokio-rs/tokio/releases) - [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.42.0...tokio-1.44.0) --- updated-dependencies: - dependency-name: tokio dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2025-03-10 16:58:22 +00:00
dependabot[bot]	7eddf3f17f	build(deps): bump anyhow from 1.0.94 to 1.0.97 Bumps [anyhow](https://github.com/dtolnay/anyhow) from 1.0.94 to 1.0.97. - [Release notes](https://github.com/dtolnay/anyhow/releases) - [Commits](https://github.com/dtolnay/anyhow/compare/1.0.94...1.0.97) --- updated-dependencies: - dependency-name: anyhow dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2025-03-03 16:47:17 +00:00
dependabot[bot]	bcfa43702a	build(deps): bump async-trait from 0.1.83 to 0.1.87 Bumps [async-trait](https://github.com/dtolnay/async-trait) from 0.1.83 to 0.1.87. - [Release notes](https://github.com/dtolnay/async-trait/releases) - [Commits](https://github.com/dtolnay/async-trait/compare/0.1.83...0.1.87) --- updated-dependencies: - dependency-name: async-trait dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2025-03-03 16:47:00 +00:00
Aram Peres	d0fcab38c3	docs: update README and LICENSE	2025-01-25 21:45:38 -05:00
Aram Peres	c83c9ec500	Merge pull request #67 from aramperes/dependabot/cargo/priority-queue-2.1.1	2024-12-11 19:56:22 -05:00
Aram Peres	caadd415cd	Merge pull request #68 from aramperes/dependabot/cargo/pretty_env_logger-0.5.0	2024-12-11 19:55:18 -05:00
Aram Peres	3a89f2877d	Merge pull request #69 from aramperes/dependabot/cargo/anyhow-1.0.94	2024-12-11 19:54:56 -05:00
Aram Peres	341849762c	Merge pull request #70 from aramperes/dependabot/cargo/tokio-1.42.0	2024-12-11 19:54:32 -05:00
dependabot[bot]	57e6ddc74c	Bump tokio from 1.41.1 to 1.42.0 Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.41.1 to 1.42.0. - [Release notes](https://github.com/tokio-rs/tokio/releases) - [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.41.1...tokio-1.42.0) --- updated-dependencies: - dependency-name: tokio dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2024-12-09 17:28:44 +00:00
dependabot[bot]	08d99b9d22	Bump anyhow from 1.0.93 to 1.0.94 Bumps [anyhow](https://github.com/dtolnay/anyhow) from 1.0.93 to 1.0.94. - [Release notes](https://github.com/dtolnay/anyhow/releases) - [Commits](https://github.com/dtolnay/anyhow/compare/1.0.93...1.0.94) --- updated-dependencies: - dependency-name: anyhow dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2024-12-09 17:28:37 +00:00
dependabot[bot]	2661a2d29f	Bump pretty_env_logger from 0.4.0 to 0.5.0 Bumps [pretty_env_logger](https://github.com/seanmonstar/pretty-env-logger) from 0.4.0 to 0.5.0. - [Commits](https://github.com/seanmonstar/pretty-env-logger/compare/v0.4.0...v0.5.0) --- updated-dependencies: - dependency-name: pretty_env_logger dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2024-12-02 03:38:35 +00:00
dependabot[bot]	6722237902	Bump priority-queue from 1.4.0 to 2.1.1 Bumps [priority-queue](https://github.com/garro95/priority-queue) from 1.4.0 to 2.1.1. - [Release notes](https://github.com/garro95/priority-queue/releases) - [Commits](https://github.com/garro95/priority-queue/commits/2.1.1) --- updated-dependencies: - dependency-name: priority-queue dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2024-12-02 03:38:32 +00:00
Aram Peres	83ef02c695	Create dependabot.yml	2024-12-01 22:37:33 -05:00
Aram Peres	89c3b59610	fix: typo	2024-12-01 16:03:32 -05:00
Aram Peres	c6544cfe05	fix: assume path is target	2024-12-01 16:01:27 -05:00
Aram Peres	f75909fd8f	fix: expected output location in release	2024-12-01 15:56:37 -05:00
Aram Peres	52d1d589ac	use cross to cross-build	2024-12-01 15:45:25 -05:00
Aram Peres	eb9c0be437	force cargo build with target	2024-12-01 15:39:16 -05:00
Aram Peres	d307a11819	release: v0.3.10	2024-12-01 15:33:13 -05:00
Aram Peres	c4c52babae	Merge pull request #65 from aramperes/smoltcp-0.12	2024-12-01 15:31:03 -05:00
Aram Peres	6b2f6148c6	chore: add linux-aarch64 build	2024-12-01 15:29:59 -05:00
Aram Peres	991eef0311	chore: update MSRV to 1.80.0	2024-12-01 15:27:12 -05:00
Aram Peres	0e93a6435a	chore: udpate to smoltcp 0.12	2024-12-01 15:22:37 -05:00
Aram Peres	ca3590a4c0	chore: bump minor dependencies	2024-12-01 15:13:46 -05:00
Aram Peres	784ab97c8b	release: v0.3.9; add macos-aarch64 build	2024-12-01 12:41:23 -05:00
Aram Peres	f3661c0a2c	fix docker build	2024-12-01 12:33:56 -05:00
Aram Peres	4fa8304799	bump MSRV to 1.78.0	2024-12-01 12:30:13 -05:00
Aram Peres	1f3d9f035f	release: v0.3.8	2024-12-01 12:28:13 -05:00
Aram Peres	06049161ab	bump MSRV to 1.74.0	2024-12-01 12:27:41 -05:00
Aram Peres	e26cca089f	Merge pull request #64 from aramperes/fix/63	2024-12-01 12:08:24 -05:00
Aram Peres	88ce124544	formatting	2024-12-01 12:03:51 -05:00
Aram Peres	9ccd2e19f6	increase default smoltcp interface limit and add to README	2024-12-01 12:03:41 -05:00
Aram Peres	c86784ed70	log a better error regarding smoltcp max interface limit	2024-12-01 11:33:53 -05:00
Aram Peres	e25c88410e	Merge pull request #61 from PeterDaveHelloKitchen/OptimizeDockerfile	2024-04-07 20:38:08 -04:00
Peter Dave Hello	2b6d21572e	Optimize apt-get commands to reduce image size in Dockerfile This commit improves the Dockerfile by consolidating apt-get update and apt-get install commands into a single RUN statement and adding cleanup steps for the apt cache.	2024-04-07 01:32:37 +08:00
Aram Peres	56c950d159	Use bail when possible	2023-12-24 15:23:12 -05:00
Aram Peres	ce40f85efa	Cleanup usage of anyhow with_context	2023-12-24 15:06:22 -05:00
Aram Peres	3ccd000ea8	Minor dependency updates	2023-12-24 14:58:51 -05:00
Aram Peres	5fd28164b5	Merge pull request #60 from aramperes/patch/boringtun-0.6	2023-12-24 14:45:45 -05:00
Aram Peres	1d703facc0	Implement locking of Tunn in WireGuardTunnel	2023-12-24 14:42:34 -05:00
Aram Peres	e23cfc3e7e	Update to new x25519 primitives	2023-12-24 11:52:07 -05:00
Aram Peres	0931ed496a	update boringtun to 0.6.0	2023-12-24 11:51:28 -05:00
Aram Peres	91e6c79832	Merge pull request #59 from aramperes/patch/smoltcp-0.11	2023-12-24 11:31:00 -05:00
Aram Peres	72ab679142	update to smoltcp 0.11	2023-12-24 11:28:15 -05:00
Aram Peres	10b88ccc60	cleanup: SockSet can be owned by static ref: https://github.com/smoltcp-rs/smoltcp/pull/813	2023-12-24 11:23:58 -05:00