It's very likely a user will want at least wireguard-dkms, and having
the userspace tools might be useful in an emergency. This metapackage
draws in both.
For automated installations in e.g. containers, use
apt install --no-install-recommends
to avoid installing recommended packages.
Previously, we treated all IPv6 addresses as assignable, but that causes
problems with setups that expect the first address in a subnet to be the
router anycast address.
Note that this does not fix existing innernet networks, and those
experiencing this problem are advised to revised to recreate their
network after this fix has been merged. Sorry for the annoyance.
Fixes#131
This change adds the ability for peers to report additional candidate endpoints for other peers to attempt connections with outside of the endpoint reported by the coordinating server.
While not a complete solution to the full spectrum of NAT traversal issues (TURN-esque proxying is still notably missing), it allows peers within the same NAT to connect to each other via their LAN addresses, which is a win nonetheless. In the future, more advanced candidate discovery could be used to punch through additional types of NAT cone types as well.
Co-authored-by: Matěj Laitl <matej@laitl.cz>
* Tidy code a bit thanks to clippy
Clippy 1.54 newly detects some redundant constructs, that's nice.
sort_unstable() should yield exact same results as sort() for `Vec<&str>`
and could be faster, clippy says.
* Add clippy to CI
The past behavior of clients was to, on every fetch from the server, update each of its peer's endpoints with the one reported from the server. While this wasn't a problem on certain types of NATs to help with holepunching, in some situations it caused previously working connections to no longer work (when one peer had a port-restricted or symmetric cone type NAT).
This commit adds a subcommand to both the client and server to allow
changing the name of a peer. The peer retains all the same attributes as
before (public keys, IPs, admin/disabled status, etc.).
Closes#87
This subcommand takes a shell as an argument and generates shell
completions for that shell to stdout.
example:
```
$ innernet completions bash
OR
$ innernet-server completions bash
```
This commit adds a `delete-cidr` to both the client and server. It walks
through the prompts just like adding a CIDR.
Only eligible CIDRs are presented to the user. Eligibilty requires:
- CIDR has no child CIDRs
- CIDR has no assigned peers
Closes#23
Based on the conversation from #5 (comment) - this changes innernet's behavior on Linux from automatically falling back to the userspace, instead requiring --backend userspace to be specified.
This should help people avoid weird situations in environments like Docker.
The server now expects a UNIX timestamp after which the invitation will be expired. If a peer invite hasn't been redeemed after it expires, the server will clean up old entries and allow the IP to be re-allocated for a new invite.
Closes#24
change private keys on client earlier to avoid race conditions,
and attempt the fetch call multiple times to avoid spurious issues,
while also not failing the entire command if fetch doesn't succeed.
Scripts that demonstrate building a network of docker containers, doubling as an integration test for innernet.
Includes a number of improvements to the recent non-interactive CLI changes as well.
This may become a warning rather than an action later, but for now
let's make sure older installations that had incorrect permissions
are taken care of.
This is a stop-gap CSRF protection mechanism from unsophisticated attacks. It's to be considered a temporary solution until a more complete one can be implemented, but it should be sufficient in most cases for the time being.
See https://github.com/tonarino/innernet/issues/38 for further discussion.
Introduces `--hosts-path [PATH]` and `--no-write-hosts` options in `innernet`.
This could be further improved to have a persistent setting in a config file i.e. /etc/innernet.conf (which doesn't currently exist).
Fixes#6