Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Optimize wireguard kernel mode #2757

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Optimize wireguard kernel mode #2757

wants to merge 3 commits into from

Conversation

kunsonx
Copy link
Contributor

@kunsonx kunsonx commented Nov 26, 2023
edited
Loading

  1. 调整 WireGuard kernel mode 只支持 client 模式并支持要求权限.
  2. 不再要求 root 权限(不调整 rp_filter),调整为 cap CAP_NET_ADMIN 和 iptables 与 net.ipv4.conf.all.src_valid_mark=1
  3. docker 打包镜像附带 iptables 预先安装

docker container 运行最低条件

    cap_add:
      - CAP_NET_ADMIN
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    devices:
        - /dev/net/tun

@kunsonx
Copy link
Contributor Author

kunsonx commented Nov 26, 2023
edited
Loading

@hax0r31337 It is better for your design on WireGuard server sides?
@yuhan6665 请大佬看看这个版本的优化,解决了 #2736#2477 提到的相关问题。

另外失败的 jobs 应该不是代码问题,rerun 一下应该就好了。

@yuhan6665
Copy link
Member

@kunsonx thanks for your pr. Although I think it is too complex to maintain code to deal with iptables. Is this needed only by the kernel mode tun? If so I think it is reasonable for user to ask for root access if they need it. We just need to make sure the gvisor tun doesn't need it and we clearly document it.
CC @RPRX

@yuhan6665
Copy link
Member

BTW are you sure this tun implementation

Xray-core/proxy/wireguard/tun_linux.go

Line 118 in 2570855

wgt, err := wgtun.CreateTUN(n, mtu)

need privilege access like disable rp_filter?

@Fangliding
Copy link
Member

@yuhan6665 主要的问题是 如果在容器里跑 就会遇到权限问题 还需要给容器特权才可以正常运行 已经有不少反馈这种问题了

@kunsonx
Copy link
Contributor Author

kunsonx commented Nov 27, 2023
edited
Loading

@yuhan6665 The user space WireGuard tun device require container device "/dev/net/tun". current version of "kernelMode" implementation create proxy socket and bind to wireguard device so when socket packet come back kernel will check reverse path and drop it(Cause no any changes on routes).

I'm plan to implement native WireGuard device (no userspace device) it also require iptables operation.

So considering the implementations of current and plan.

I think it is better way to do that.

iptables operation package copy from kuberneters so I think maintain thing is ok?

@kunsonx
Copy link
Contributor Author

kunsonx commented Nov 27, 2023
edited
Loading

Current implementations:
go-wireguard(userspace device) + gVIsor(userspace netstack) for default mode(require device "/dev/net/tun").
go-wireguard(userspace device) + sysnetstack for kernel mode(require device "/dev/net/tun" and cap CAP_NET_ADMIN and iptables and net.ipv4.conf.all.src_valid_mark=1)

Planning:
sys wireguard device + sysnetstack(require cap CAP_NET_ADMIN and iptables and net.ipv4.conf.all.src_valid_mark=1)

@yuhan6665
Copy link
Member

Thanks for your info. Seems a rather big question for @RPRX :)

@kunsonx kunsonx mentioned this pull request Nov 27, 2023
Open
@kunsonx
Copy link
Contributor Author

kunsonx commented Nov 27, 2023

The WireGuard outbound non userspace optimization version just created pull request on #2762.

@kunsonx kunsonx changed the title Optimize wireguard kernel model Optimize wireguard kernel mode Nov 29, 2023
@RPRX RPRX force-pushed the main branch 2 times, most recently from b11fcf0 to 7e24239 Compare August 2, 2024 21:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kunsonx @yuhan6665 @Fangliding