Documentation
Overview
Package wireguard provides an embedded WireGuard VPN server for secure NIP-46 bunker access. It uses wireguard-go with gVisor netstack for userspace networking (no root required).
Index
- Variables
- func DerivePublicKey(privateKey []byte) (publicKey []byte, err error)
- func GenerateKeyPair() (privateKey, publicKey []byte, err error)
- type Config
- type Peer
- type Server
- func (s *Server) AddPeer(nostrPubkey, wgPublicKey []byte, assignedIP string) error
- func (s *Server) Endpoint() string
- func (s *Server) GetNetstack() *netstack.Net
- func (s *Server) GetPeer(wgPublicKey []byte) (*Peer, bool)
- func (s *Server) IsRunning() bool
- func (s *Server) PeerCount() int
- func (s *Server) RemovePeer(wgPublicKey []byte) error
- func (s *Server) ServerIP() string
- func (s *Server) ServerPublicKey() []byte
- func (s *Server) Start() error
- func (s *Server) Stop() error
- type Subnet
- type SubnetPool
- func (p *SubnetPool) AllocatedCount() int
- func (p *SubnetPool) GetSequence(clientPubkeyHex string) int
- func (p *SubnetPool) GetSubnet(clientPubkeyHex string) *Subnet
- func (p *SubnetPool) MaxSequence() uint32
- func (p *SubnetPool) RestoreAllocation(clientPubkeyHex string, seq uint32)
- func (p *SubnetPool) Seed() []byte
- func (p *SubnetPool) ServerIPs() []netip.Addr
- func (p *SubnetPool) SubnetForSequence(seq uint32) Subnet
Constants
This section is empty.
Variables
var (
	// ErrInvalidKeyLength is returned when a key is not exactly 32 bytes.
	ErrInvalidKeyLength = errors.New("invalid key length: must be 32 bytes")
	// ErrServerNotRunning is returned when an operation requires a running server.
	ErrServerNotRunning = errors.New("wireguard server not running")
	// ErrEndpointRequired is returned when WireGuard is enabled but no endpoint is set.
	ErrEndpointRequired = errors.New("ORLY_WG_ENDPOINT is required when WireGuard is enabled")
	// ErrInvalidNetwork is returned when the network CIDR is invalid.
	ErrInvalidNetwork = errors.New("invalid network CIDR")
	// ErrPeerNotFound is returned when a peer lookup fails.
	ErrPeerNotFound = errors.New("peer not found")
	// ErrIPExhausted is returned when no more IPs are available in the network.
	ErrIPExhausted = errors.New("no more IP addresses available in network")
)
Functions
func DerivePublicKey
func DerivePublicKey(privateKey []byte) (publicKey []byte, err error)
DerivePublicKey derives the public key from a private key.
Types
type Config
type Config struct {
	Port       int    // UDP port for WireGuard (default 51820)
	Endpoint   string // Public IP/domain for clients to connect to
	PrivateKey []byte // Server's 32-byte Curve25519 private key
	Network    string // CIDR for internal network (e.g., "10.73.0.0/16")
	ServerIP   string // Server's internal IP (e.g., "10.73.0.1")
}
Config holds the WireGuard server configuration.
type Peer
type Peer struct {
	NostrPubkey []byte // User's Nostr pubkey (32 bytes)
	WGPublicKey []byte // WireGuard public key (32 bytes)
	AssignedIP  string // Assigned internal IP
}
Peer represents a WireGuard peer (client).
type Server
type Server struct {
	// contains filtered or unexported fields
}
Server manages the embedded WireGuard VPN server.
func New
New creates a new WireGuard server with the given configuration.
func (*Server) AddPeer
func (s *Server) AddPeer(nostrPubkey, wgPublicKey []byte, assignedIP string) error
AddPeer adds a new peer to the WireGuard server.
func (*Server) Endpoint
func (s *Server) Endpoint() string
Endpoint returns the configured endpoint address.
func (*Server) GetNetstack
func (s *Server) GetNetstack() *netstack.Net
GetNetstack returns the netstack networking interface. This is used by the bunker to listen on the WireGuard network.
func (*Server) GetPeer
func (s *Server) GetPeer(wgPublicKey []byte) (*Peer, bool)
GetPeer returns a peer by their WireGuard public key.
func (*Server) IsRunning
func (s *Server) IsRunning() bool
IsRunning returns whether the server is currently running.
func (*Server) PeerCount
func (s *Server) PeerCount() int
PeerCount returns the number of active peers.
func (*Server) RemovePeer
func (s *Server) RemovePeer(wgPublicKey []byte) error
RemovePeer removes a peer from the WireGuard server.
func (*Server) ServerIP
func (s *Server) ServerIP() string
ServerIP returns the server's internal IP address.
func (*Server) ServerPublicKey
func (s *Server) ServerPublicKey() []byte
ServerPublicKey returns the server's WireGuard public key.
func (*Server) Start
func (s *Server) Start() error
Start initializes and starts the WireGuard server.
type Subnet
type Subnet struct {
	ServerIP netip.Addr // Even address (server side)
	ClientIP netip.Addr // Odd address (client side)
}
Subnet represents a /31 point-to-point subnet.
type SubnetPool
type SubnetPool struct {
	// contains filtered or unexported fields
}
SubnetPool manages deterministic /31 subnet generation from a seed. Given the same seed and sequence number, the same subnet is always generated.
func NewSubnetPool
func NewSubnetPool(baseNetwork string) (*SubnetPool, error)
NewSubnetPool creates a subnet pool with a new random seed.
func NewSubnetPoolWithSeed
func NewSubnetPoolWithSeed(baseNetwork string, seed []byte) (*SubnetPool, error)
NewSubnetPoolWithSeed creates a subnet pool with an existing seed.
func (*SubnetPool) AllocatedCount
func (p *SubnetPool) AllocatedCount() int
AllocatedCount returns the number of allocated subnets.
func (*SubnetPool) GetSequence
func (p *SubnetPool) GetSequence(clientPubkeyHex string) int
GetSequence returns the sequence number for a client, or -1 if not assigned.
func (*SubnetPool) GetSubnet
func (p *SubnetPool) GetSubnet(clientPubkeyHex string) *Subnet
GetSubnet returns the subnet for a client, or nil if not assigned.
func (*SubnetPool) MaxSequence
func (p *SubnetPool) MaxSequence() uint32
MaxSequence returns the current max sequence number.
func (*SubnetPool) RestoreAllocation
func (p *SubnetPool) RestoreAllocation(clientPubkeyHex string, seq uint32)
RestoreAllocation restores a previously saved allocation.
func (*SubnetPool) Seed
func (p *SubnetPool) Seed() []byte
Seed returns the pool's seed for persistence.
func (*SubnetPool) ServerIPs
func (p *SubnetPool) ServerIPs() []netip.Addr
ServerIPs returns server-side IPs for sequences 0 to maxSeq (for netstack).
func (*SubnetPool) SubnetForSequence
func (p *SubnetPool) SubnetForSequence(seq uint32) Subnet
SubnetForSequence returns the subnet for a given sequence number.
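As an added example (not the package's own code), a hypothetical stand-in for the contract documented under Subnet and SubnetPool above: a seed-keyed, collision-free mapping from a sequence number to a /31, with the even address on the server side and the odd one on the client side, that is reproducible from a persisted seed. The package's real derivation is not shown on this page, so the Feistel construction, the names pool/newPool/permute/prf, and the error messages borrowed from the Variables section are this example's assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"net/netip"
)

// Subnet mirrors the documented /31 layout: even address server-side, odd address client-side.
type Subnet struct{ ServerIP, ClientIP netip.Addr }
// pool is a hypothetical stand-in for SubnetPool (the package's own algorithm is not on the
// page): the base network is carved into 2^bits /31 slots and a 32-byte seed keys a permutation
// of sequence numbers onto slots, so the same seed and sequence always yield the same subnet.
type pool struct{ base netip.Prefix; seed []byte; bits int }
func newPool(baseNetwork string, seed []byte) (*pool, error) {
	p, err := netip.ParsePrefix(baseNetwork)
	if err != nil || !p.Addr().Is4() || p.Bits() > 30 || len(seed) != 32 {
		return nil, errors.New("invalid network CIDR or seed")
	}
	return &pool{base: p.Masked(), seed: seed, bits: 31 - p.Bits()}, nil
}
// prf is the keyed round function: HMAC-SHA256(seed, round || x) truncated to 32 bits.
func (p *pool) prf(round int, x uint32) uint32 {
	mac := hmac.New(sha256.New, p.seed)
	mac.Write([]byte{byte(round), byte(x >> 24), byte(x >> 16), byte(x >> 8), byte(x)})
	return binary.BigEndian.Uint32(mac.Sum(nil)[:4])
}
// permute is a 4-round Feistel network over p.bits bits; every round is invertible, so
// distinct sequence numbers never collide on one /31 (a plain hash mod pool size would).
func (p *pool) permute(seq uint32) uint32 {
	lb, rb := p.bits/2, p.bits-p.bits/2
	l, r := seq>>rb, seq&(1<<rb-1)
	for round := 0; round < 4; round++ {
		l, r = r, l^(p.prf(round, r)&(1<<lb-1)) // halves swap, and so do their widths
		lb, rb = rb, lb
	}
	return l<<rb | r
}
// SubnetForSequence returns the /31 for seq, or an exhaustion error past the pool size.
func (p *pool) SubnetForSequence(seq uint32) (Subnet, error) {
	if seq >= 1<<p.bits {
		return Subnet{}, errors.New("no more IP addresses available in network")
	}
	var s [4]byte
	binary.BigEndian.PutUint32(s[:], binary.BigEndian.Uint32(p.base.Addr().AsSlice())+2*p.permute(seq))
	server := netip.AddrFrom4(s)
	return Subnet{ServerIP: server, ClientIP: server.Next()}, nil
}
```

Because the mapping is a keyed permutation rather than a hash, the pool can hand out every /31 in the base network before reporting exhaustion, and persisting only the seed plus each client's sequence number is enough to rebuild all allocations after a restart.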
Source Files
- errors.go
- keygen.go
- server.go
- subnet_pool.go