feat: support encrypted config

Author: bestmike007

.gitignore

@@ -18,4 +18,6 @@ Cargo.lock
 #  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
+#.idea/
+
+config.json

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "wg-multizone"
-version = "1.0.1"
+version = "1.0.2"
 edition = "2024"
 
 [[bin]]
@@ -17,27 +17,27 @@ opt-level = 3
 incremental = true
 
 [dependencies]
-anyhow = "1.0.97"
+anyhow = "1.0.100"
 base64 = "0.22.1"
 hex = "^0.4.3"
-openssl = { version = "0.10.71", features = ["vendored"] }
-reqwest = { version = "0.12.15", features = ["json"] }
-serde = { version = "1.0.219", features = ["derive"] }
-serde_json = "1.0.140"
-thiserror = "2.0.12"
-tokio = { version = "1.44.1", features = ["full"] }
+openssl = { version = "0.10.74", features = ["vendored"] }
+reqwest = { version = "0.12.24", features = ["json"] }
+serde = { version = "1.0.228", features = ["derive"] }
+serde_json = "1.0.145"
+thiserror = "2.0.17"
+tokio = { version = "1.48.0", features = ["full"] }
 tracing = "0.1.41"
-tracing-subscriber = "0.3.19"
+tracing-subscriber = "0.3.20"
 tracing-appender = "^0.2.3"
 x25519-dalek = { version = "2.0.1", features = ["getrandom", "static_secrets"] }
 
 [dependencies.defguard_wireguard_rs]
 package = "defguard_wireguard_rs"
 git = "https://github.com/DefGuard/wireguard-rs.git"
-rev = "v0.7.1"
+rev = "v0.7.8"
 
 [target.'cfg(not(any(target_os = "macos", target_os="windows", target_arch = "arm")))'.dependencies]
-tikv-jemallocator = "0.6.0"
+tikv-jemallocator = "0.6.1"
 
 [workspace.metadata.cross.target.x86_64-unknown-linux-gnu]
 image = "ghcr.io/cross-rs/x86_64-unknown-linux-gnu:main-centos"

src/main.rs

@@ -11,6 +11,7 @@ use base64::Engine;
 use defguard_wireguard_rs::{
     InterfaceConfiguration, WGApi, WireguardInterfaceApi, host::Peer, key::Key, net::IpAddrMask,
 };
+use openssl::symm::{Cipher, Crypter, Mode};
 use serde::{Deserialize, Serialize};
 use tokio::time::sleep;
 use x25519_dalek::{PublicKey, StaticSecret};
@@ -42,6 +43,7 @@ struct NetworkConfig {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 struct DaemonConfig {
     pub config_url: String,
+    pub secret: Option<String>,
     pub fetch_interval: u64,
     pub interface_name: String,
 }
@@ -65,16 +67,57 @@ fn load_key() -> (PublicKey, StaticSecret) {
     (pubkey, secret_key)
 }
 
+fn decrypt_config(encrypted: &str, secret: &str) -> Result<String, Box<dyn Error>> {
+    // Step 1: Base64 decode
+    let data = base64::engine::general_purpose::STANDARD
+        .decode(encrypted)
+        .unwrap();
+
+    // Step 2: Verify prefix
+    assert!(&data[0..8] == b"Salted__");
+    let salt = &data[8..16];
+    let ciphertext = &data[16..];
+
+    // Step 3: Derive key and iv using PBKDF2-HMAC-SHA256
+    let mut key = [0u8; 32]; // AES-256 => 32-byte key
+    let mut iv = [0u8; 16]; // CBC IV
+    let mut derived = [0u8; 48]; // key + iv = 48 bytes total
+
+    openssl::pkcs5::pbkdf2_hmac(
+        secret.as_bytes(),
+        salt,
+        10_000,
+        openssl::hash::MessageDigest::sha256(),
+        &mut derived,
+    )
+    .unwrap();
+    key.copy_from_slice(&derived[..32]);
+    iv.copy_from_slice(&derived[32..48]);
+
+    // Step 4: Decrypt
+    let cipher = Cipher::aes_256_cbc();
+    let mut crypter = Crypter::new(cipher, Mode::Decrypt, &key, Some(&iv)).unwrap();
+    crypter.pad(true);
+
+    let mut plaintext = vec![0; ciphertext.len() + cipher.block_size()];
+    let mut count = crypter.update(ciphertext, &mut plaintext).unwrap();
+    count += crypter.finalize(&mut plaintext[count..]).unwrap();
+    plaintext.truncate(count);
+
+    Ok(String::from_utf8(plaintext)?)
+}
+
 async fn fetch_and_apply_config(
     wgapi: &WGApi,
     interface_config: &mut InterfaceConfiguration,
     pubkey: &str,
     config: &DaemonConfig,
 ) -> Result<(), Box<dyn Error>> {
-    let r = reqwest::get(&config.config_url)
-        .await?
-        .json::<NetworkConfig>()
-        .await?;
+    let mut r = reqwest::get(&config.config_url).await?.text().await?;
+    if config.secret.is_some() {
+        r = decrypt_config(&r, &config.secret.as_ref().unwrap())?;
+    }
+    let r: NetworkConfig = serde_json::from_str(&r)?;
     let mut my_config: Option<ServerConfig> = None;
     for peer in r.peers.iter() {
         if peer.pubkey == pubkey {
@@ -200,3 +243,23 @@ async fn main() {
         sleep(Duration::from_secs(config.fetch_interval)).await;
     }
 }
+
+#[cfg(test)]
+mod test {
+    use super::*;
+
+    #[tokio::test]
+    async fn test_decrypt_config() {
+        let mut r = r#"
+            U2FsdGVkX19nIrNUt9Wpcyw2qK2rEqJkHX6Wv7ot3sZGR5wIBtkHPvmBXkre46a4
+            T+8hHiRtwvrZZithpFHi9Y1Tq+T7DrwT4A1auJ15ZZbRSEA5quEl/ywF/65FaDeA
+            5uhj5lr+BcO8bvLbT7dQzmpAP7rCzY0l067fQh6pNuaiDhK31XnZ0WIK/E+o5k+1
+            +JwiloAjeMGdP5jNFTws+XjFTPYPJAfhIVdpGqfmb5+hFZh9rZsRTsb+TaGC0tWS
+            UtXcZz6A4RmXWLx+YgEGUg=="#
+            .replace("\n", "")
+            .replace(" ", "");
+        r = decrypt_config(&r, "mysecret").unwrap();
+        let r: NetworkConfig = serde_json::from_str(&r).unwrap();
+        println!("{:?}", r);
+    }
+}