Merge branch 'master' into pr-https

Author: windtf

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2024 Wind Wong <me@windtfw.com>
+Copyright (c) 2026 Tsz Fung Wong <im@windtfw.com>
 
 Permission to use, copy, modify, and distribute this software for any
 purpose with or without fee is hereby granted, provided that the above

README.md

@@ -1,17 +1,20 @@
 # wireproxy
+
 [![ISC licensed](https://img.shields.io/badge/license-ISC-blue)](./LICENSE)
 [![Build status](https://github.com/octeep/wireproxy/actions/workflows/build.yml/badge.svg)](https://github.com/octeep/wireproxy/actions)
 [![Documentation](https://img.shields.io/badge/godoc-wireproxy-blue)](https://pkg.go.dev/github.com/octeep/wireproxy)
 
 A wireguard client that exposes itself as a socks5/http proxy or tunnels.
 
 # What is this
+
 `wireproxy` is a completely userspace application that connects to a wireguard peer,
 and exposes a socks5/http proxy or tunnels on the machine. This can be useful if you need
 to connect to certain sites via a wireguard peer, but can't be bothered to setup a new network
 interface for whatever reasons.
 
 # Why you might want this
+
 - You simply want to use wireguard as a way to proxy some traffic.
 - You don't want root permission just to change wireguard settings.
 
@@ -20,23 +23,33 @@ and configured my browser to use wireproxy for certain sites. It's pretty useful
 wireproxy is completely isolated from my network interfaces, and I don't need root to configure
 anything.
 
-Users who want something similar but for Amnezia VPN can use [this fork](https://github.com/juev/wireproxy/tree/feature/amnezia-go)
-of wireproxy by [@juev](https://github.com/juev).
+Users who want something similar but for Amnezia VPN can use [this fork](https://github.com/artem-russkikh/wireproxy-awg)
+of wireproxy by [@artem-russkikh](https://github.com/artem-russkikh).
+
+# Sponsor
+
+This project is supported by [IPRoyal](https://iproyal.com/?r=795836). You can get premium quality proxies at unbeatable prices
+with a discount using [this referral link](https://iproyal.com/?r=795836)! 🚀
+
+![IPRoyal](/assets/iproyal.png)
 
 # Feature
+
 - TCP static routing for client and server
 - SOCKS5/HTTP proxy (currently only CONNECT is supported)
 
 # TODO
+
 - UDP Support in SOCKS5
 - UDP static routing
 
 # Usage
-```
+
+```bash
 ./wireproxy [-c path to config]
 ```
 
-```
+```bash
 usage: wireproxy [-h|--help] [-c|--config "<value>"] [-s|--silent]
                  [-d|--daemon] [-i|--info "<value>"] [-v|--version]
                  [-n|--configtest]
@@ -54,21 +67,29 @@ Arguments:
   -v  --version     Print version
   -n  --configtest  Configtest mode. Only check the configuration file for
                     validity.
-
 ```
 
 # Build instruction
-```
+
+```bash
 git clone https://github.com/octeep/wireproxy
 cd wireproxy
 make
 ```
 
+# Install
+
+```bash
+go install github.com/pufferffish/wireproxy/cmd/wireproxy@v1.0.9 # or @latest
+```
+
 # Use with VPN
+
 Instructions for using wireproxy with Firefox container tabs and auto-start on MacOS can be found [here](/UseWithVPN.md).
 
 # Sample config file
-```
+
+```ini
 # The [Interface] and [Peer] configurations follow the same semantics and meaning
 # of a wg-quick configuration. To understand what these fields mean, please refer to:
 # https://wiki.archlinux.org/title/WireGuard#Persistent_configuration
@@ -139,7 +160,8 @@ BindAddress = 127.0.0.1:25345
 
 Alternatively, if you already have a wireguard config, you can import it in the
 wireproxy config file like this:
-```
+
+```ini
 WGConfig = <path to the wireguard config>
 
 # Same semantics as above
@@ -155,7 +177,8 @@ WGConfig = <path to the wireguard config>
 
 Having multiple peers is also supported. `AllowedIPs` would need to be specified
 such that wireproxy would know which peer to forward to.
-```
+
+```ini
 [Interface]
 Address = 10.254.254.40/32
 PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
@@ -187,7 +210,8 @@ Target = service-three.servicenet:80
 ```
 
 Wireproxy can also allow peers to connect to it:
-```
+
+```ini
 [Interface]
 ListenPort = 5400
 ...
@@ -197,7 +221,9 @@ PublicKey = YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY=
 AllowedIPs = 10.254.254.100/32
 # Note there is no Endpoint defined here.
 ```
+
 # Health endpoint
+
 Wireproxy supports exposing a health endpoint for monitoring purposes.
 The argument `--info/-i` specifies an address and port (e.g. `localhost:9080`), which exposes a HTTP server that provides health status metric of the server.
 
@@ -208,7 +234,8 @@ Currently two endpoints are implemented:
 `/readyz`: This responds with a json which shows the last time a pong is received from an IP specified with `CheckAlive`. When `CheckAlive` is set, a ping is sent out to addresses in `CheckAlive` per `CheckAliveInterval` seconds (defaults to 5) via wireguard. If a pong has not been received from one of the addresses within the last `CheckAliveInterval` seconds (+2 seconds for some leeway to account for latency), then it would respond with a 503, otherwise a 200.
 
 For example:
-```
+
+```ini
 [Interface]
 PrivateKey = censored
 Address = 10.2.0.2/32
@@ -224,8 +251,10 @@ Endpoint = 149.34.244.174:51820
 [Socks5]
 BindAddress = 127.0.0.1:25344
 ```
+
 `/readyz` would respond with
-```
+
+```text
 < HTTP/1.1 503 Service Unavailable
 < Date: Thu, 11 Apr 2024 00:54:59 GMT
 < Content-Length: 35
@@ -235,15 +264,18 @@ BindAddress = 127.0.0.1:25344
 ```
 
 And for:
-```
+
+```ini
 [Interface]
 PrivateKey = censored
 Address = 10.2.0.2/32
 DNS = 10.2.0.1
 CheckAlive = 1.1.1.1
 ```
+
 `/readyz` would respond with
-```
+
+```text
 < HTTP/1.1 200 OK
 < Date: Thu, 11 Apr 2024 00:56:21 GMT
 < Content-Length: 23
@@ -257,4 +289,5 @@ If nothing is set for `CheckAlive`, an empty JSON object with 200 will be the re
 The peer which the ICMP ping packet is routed to depends on the `AllowedIPs` set for each peers.
 
 # Stargazers over time
+
 [![Stargazers over time](https://starchart.cc/octeep/wireproxy.svg)](https://starchart.cc/octeep/wireproxy)

UseWithVPN.md

@@ -1,11 +1,12 @@
 # Getting a Wireguard Server
+
 You can create your own wireguard server using a host service like DigitalOcean,
 or you can get a VPN service that provides WireGuard configs.
 
 I recommend ProtonVPN, because it is highly secure and has a great WireGuard
 config generator.
 
-Simply go to https://account.protonvpn.com/downloads and scroll down to the
+Simply go to <https://account.protonvpn.com/downloads> and scroll down to the
 wireguard section to generate your configs, then paste into the appropriate
 section below.
 
@@ -25,9 +26,11 @@ naming should also be similar (e.g.
 `/Users/jonny/Library/LaunchAgents/com.ProtonUS.adblock.plist`)
 
 ## Config File
+
 Make sure you use a unique port for every separate server
 I recommend you set proxy authentication, you can use the same user/pass for all
-```
+
+```ini
 # Link to the Downloaded config
 WGConfig = /Users/jonny/vpntabs/ProtonUS.adblock.server.conf
 
@@ -43,24 +46,27 @@ BindAddress = 127.0.0.1:25344 # Update the port here for each new server
 ```
 
 ## Startup Script File
+
 This is a bash script to facilitate startup, not strictly essential, but adds
 ease.
 Note, you MUST update the first path to wherever you installed this code to.
 Make sure you use the path for the config file above, not the one you downloaded
 from e.g. protonvpn.
-```
+
+```bash
 #!/bin/bash
 /Users/jonny/wireproxy/wireproxy -c /Users/jonny/vpntabs/ProtonUS.adblock.conf
 ```
 
 ## MacOS LaunchAgent
+
 To make it run every time you start your computer, you can create a launch agent
 in `$HOME/Library/LaunchAgents`. Name reference above.
 
 That file should contain the following, the label should be the same as the file
 name and the paths should be set correctly:
 
-```
+```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
@@ -70,7 +76,7 @@ name and the paths should be set correctly:
     <key>Program</key>
     <string>/Users/jonny/vpntabs/ProtonUS.adblock.sh</string>
     <key>RunAtLoad</key>
-	<true/>
+    <true/>
     <key>KeepAlive</key>
     <true/>
 </dict>
@@ -82,6 +88,7 @@ To enable it, run
 `launchtl start ~/Library/LaunchAgents/com.PortonUS.adblock.plist`
 
 # Firefox Setup
+
 You will need to enable the Multi Account Container Tabs extension and a proxy extension, I
 recommend Sideberry, but Container Proxy also works.
 

assets/iproyal.png

@@ -80,6 +80,7 @@ func lock(stage string) {
 		// Linux
 		panicIfError(landlock.V1.BestEffort().RestrictPaths(
 			landlock.RODirs("/"),
+			landlock.RWFiles("/dev/null").IgnoreIfMissing(),
 		))
 	case "boot-daemon":
 	case "read-config":
@@ -236,7 +237,7 @@ func main() {
 	// Wireguard doesn't allow configuring which FD to use for logging
 	// https://github.com/WireGuard/wireguard-go/blob/master/device/logger.go#L39
 	// so redirect STDOUT to STDERR, we don't want to print anything to STDOUT anyways
-	os.Stdout = os.NewFile(uintptr(syscall.Stderr), "/dev/stderr")
+	os.Stdout = os.Stderr
 	logLevel := device.LogLevelVerbose
 	if *silent {
 		logLevel = device.LogLevelSilent

cmd/wireproxy/main.go

@@ -33,13 +33,21 @@ type DeviceConfig struct {
 	CheckAliveInterval int
 }
 
+type UDPProxyTunnelConfig struct {
+	BindAddress       string
+	Target            string
+	InactivityTimeout int
+}
+
 type TCPClientTunnelConfig struct {
 	BindAddress *net.TCPAddr
 	Target      string
 }
 
 type STDIOTunnelConfig struct {
 	Target string
+	Input  *os.File
+	Output *os.File
 }
 
 type TCPServerTunnelConfig struct {
@@ -328,7 +336,8 @@ func ParsePeers(cfg *ini.File, peers *[]PeerConfig) error {
 			peer.PreSharedKey = value
 		}
 
-		if value, err := parseString(section, "Endpoint"); err == nil {
+		if sectionKey, err := section.GetKey("Endpoint"); err == nil {
+			value := sectionKey.String()
 			decoded, err = resolveIPPAndPort(strings.ToLower(value))
 			if err != nil {
 				return err
@@ -378,6 +387,8 @@ func parseSTDIOTunnelConfig(section *ini.Section) (RoutineSpawner, error) {
 		return nil, err
 	}
 	config.Target = targetSection
+	config.Input = os.Stdin
+	config.Output = os.Stdout
 
 	return config, nil
 }
@@ -442,6 +453,34 @@ func parseHTTPConfig(section *ini.Section) (RoutineSpawner, error) {
 	return config, nil
 }
 
+func parseUDPProxyTunnelConfig(section *ini.Section) (RoutineSpawner, error) {
+	config := &UDPProxyTunnelConfig{}
+
+	bindAddress, err := parseString(section, "BindAddress")
+	if err != nil {
+		return nil, err
+	}
+	config.BindAddress = bindAddress
+
+	target, err := parseString(section, "Target")
+	if err != nil {
+		return nil, err
+	}
+	config.Target = target
+
+	inactivityTimeout := 0
+	if sectionKey, err := section.GetKey("InactivityTimeout"); err == nil {
+		timeoutVal, err := sectionKey.Int()
+		if err != nil {
+			return nil, err
+		}
+		inactivityTimeout = timeoutVal
+	}
+	config.InactivityTimeout = inactivityTimeout
+
+	return config, nil
+}
+
 // Takes a function that parses an individual section into a config, and apply it on all
 // specified sections
 func parseRoutinesConfig(routines *[]RoutineSpawner, cfg *ini.File, sectionName string, f func(*ini.Section) (RoutineSpawner, error)) error {
@@ -526,6 +565,11 @@ func ParseConfig(path string) (*Configuration, error) {
 		return nil, err
 	}
 
+	err = parseRoutinesConfig(&routinesSpawners, cfg, "UDPProxyTunnel", parseUDPProxyTunnelConfig)
+	if err != nil {
+		return nil, err
+	}
+
 	return &Configuration{
 		Device:   device,
 		Routines: routinesSpawners,

config.go

@@ -9,17 +9,16 @@ require (
 	github.com/akamensky/argparse v1.4.0
 	github.com/go-ini/ini v1.67.0
 	github.com/landlock-lsm/go-landlock v0.0.0-20240216195629-efb66220540a
-	github.com/sourcegraph/conc v0.3.0
 	github.com/things-go/go-socks5 v0.0.5
-	golang.org/x/net v0.23.0
+	golang.org/x/net v0.33.0
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
 	suah.dev/protect v1.2.3
 )
 
 require (
 	github.com/google/btree v1.1.2 // indirect
-	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 // indirect