Record project continuation changes

2026-05-12 21:02:29 +03:00
parent 3059d1d7a3
commit 8f69d53193
339 changed files with 101111 additions and 1769 deletions
@@ -0,0 +1,170 @@
+//go:build windows && rap_vpn_windows_tun
+
+package vpnruntime
+
+import (
+	"crypto/sha256"
+	_ "embed"
+	"fmt"
+	"net"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	wgtun "golang.zx2c4.com/wireguard/tun"
+)
+
+const windowsGatewayMTU = 1420
+
+//go:embed assets/windows/amd64/wintun.dll
+var embeddedWintunDLL []byte
+
+type tunDevice struct {
+	dev  wgtun.Device
+	name string
+}
+
+func openGatewayTun(name, addressCIDR, routeCIDR string) (*tunDevice, error) {
+	if _, _, err := net.ParseCIDR(addressCIDR); err != nil {
+		return nil, fmt.Errorf("invalid vpn gateway address %q: %w", addressCIDR, err)
+	}
+	if _, _, err := net.ParseCIDR(routeCIDR); err != nil {
+		return nil, fmt.Errorf("invalid vpn gateway route %q: %w", routeCIDR, err)
+	}
+	if err := ensureWintunDLL(); err != nil {
+		return nil, err
+	}
+
+	dev, err := wgtun.CreateTUN(name, windowsGatewayMTU)
+	if err != nil {
+		return nil, fmt.Errorf("create wintun interface %s: %w", name, err)
+	}
+	if err := configureGatewayInterface(name, addressCIDR, routeCIDR); err != nil {
+		_ = dev.Close()
+		return nil, err
+	}
+	return &tunDevice{dev: dev, name: name}, nil
+}
+
+func (d *tunDevice) Read(packet []byte) (int, error) {
+	bufs := [][]byte{packet}
+	sizes := []int{0}
+	n, err := d.dev.Read(bufs, sizes, 0)
+	if err != nil {
+		return 0, err
+	}
+	if n <= 0 {
+		return 0, nil
+	}
+	return sizes[0], nil
+}
+
+func (d *tunDevice) Write(packet []byte) (int, error) {
+	n, err := d.dev.Write([][]byte{packet}, 0)
+	if err != nil {
+		return 0, err
+	}
+	if n <= 0 {
+		return 0, nil
+	}
+	return len(packet), nil
+}
+
+func (d *tunDevice) Close() error {
+	_ = removeWindowsGatewayNat()
+	return d.dev.Close()
+}
+
+func configureGatewayInterface(name, addressCIDR, routeCIDR string) error {
+	ip, network, err := net.ParseCIDR(addressCIDR)
+	if err != nil {
+		return fmt.Errorf("invalid vpn gateway address %q: %w", addressCIDR, err)
+	}
+	ones, bits := network.Mask.Size()
+	if bits != 32 || ones <= 0 {
+		return fmt.Errorf("invalid vpn gateway prefix %q", addressCIDR)
+	}
+	_, route, err := net.ParseCIDR(routeCIDR)
+	if err != nil {
+		return fmt.Errorf("invalid vpn gateway route %q: %w", routeCIDR, err)
+	}
+
+	script := fmt.Sprintf(`
+$ErrorActionPreference = 'Stop'
+$alias = %s
+$address = %s
+$prefixLength = %d
+$natPrefix = %s
+$natName = 'RAPVPN'
+$adapter = Get-NetAdapter -Name $alias -ErrorAction Stop
+$adapter | Enable-NetAdapter -Confirm:$false -ErrorAction SilentlyContinue | Out-Null
+$existing = Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue
+foreach ($addr in $existing) {
+  if ($addr.IPAddress -ne $address -or $addr.PrefixLength -ne $prefixLength) {
+    Remove-NetIPAddress -InterfaceAlias $alias -IPAddress $addr.IPAddress -Confirm:$false -ErrorAction SilentlyContinue
+  }
+}
+if (-not (Get-NetIPAddress -InterfaceAlias $alias -IPAddress $address -AddressFamily IPv4 -ErrorAction SilentlyContinue)) {
+  New-NetIPAddress -InterfaceAlias $alias -IPAddress $address -PrefixLength $prefixLength -Type Unicast | Out-Null
+}
+Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Forwarding Enabled
+Get-NetIPInterface -AddressFamily IPv4 | Where-Object { $_.ConnectionState -eq 'Connected' -and $_.InterfaceAlias -ne 'Loopback Pseudo-Interface 1' } | Set-NetIPInterface -Forwarding Enabled
+$existingNat = Get-NetNat -Name $natName -ErrorAction SilentlyContinue
+if ($existingNat -and $existingNat.InternalIPInterfaceAddressPrefix -ne $natPrefix) {
+  $existingNat | Remove-NetNat -Confirm:$false
+  $existingNat = $null
+}
+if (-not $existingNat) {
+  New-NetNat -Name $natName -InternalIPInterfaceAddressPrefix $natPrefix | Out-Null
+}
+`, psQuote(name), psQuote(ip.String()), ones, psQuote(route.String()))
+
+	if err := runPowerShell(script); err != nil {
+		return fmt.Errorf("configure windows vpn gateway interface %s: %w", name, err)
+	}
+	return nil
+}
+
+func removeWindowsGatewayNat() error {
+	return runPowerShell(`Get-NetNat -Name 'RAPVPN' -ErrorAction SilentlyContinue | Remove-NetNat -Confirm:$false -ErrorAction SilentlyContinue`)
+}
+
+func runPowerShell(script string) error {
+	cmd := exec.Command("powershell.exe", "-NoProfile", "-ExecutionPolicy", "Bypass", "-Command", script)
+	if out, err := cmd.CombinedOutput(); err != nil {
+		return fmt.Errorf("powershell failed: %w: %s", err, strings.TrimSpace(string(out)))
+	}
+	return nil
+}
+
+func psQuote(value string) string {
+	return "'" + strings.ReplaceAll(value, "'", "''") + "'"
+}
+
+func ensureWintunDLL() error {
+	exePath, err := os.Executable()
+	if err != nil {
+		return fmt.Errorf("locate node-agent executable for wintun.dll: %w", err)
+	}
+	target := filepath.Join(filepath.Dir(exePath), "wintun.dll")
+	if payload, err := os.ReadFile(target); err == nil && sameSHA256(payload, embeddedWintunDLL) {
+		return nil
+	}
+	tmp := target + ".tmp"
+	if err := os.WriteFile(tmp, embeddedWintunDLL, 0o644); err != nil {
+		return fmt.Errorf("write embedded wintun.dll: %w", err)
+	}
+	_ = os.Remove(target)
+	if err := os.Rename(tmp, target); err != nil {
+		_ = os.Remove(tmp)
+		return fmt.Errorf("install embedded wintun.dll: %w", err)
+	}
+	return nil
+}
+
+func sameSHA256(a, b []byte) bool {
+	left := sha256.Sum256(a)
+	right := sha256.Sum256(b)
+	return left == right
+}