WireGuard Inbound (User-space WireGuard server) (#2477)

* feat: wireguard inbound * feat(command): generate wireguard compatible keypair * feat(wireguard): connection idle timeout * fix(wireguard): close endpoint after connection closed * fix(wireguard): resolve conflicts * feat(wireguard): set cubic as default cc algorithm in gVisor TUN * chore(wireguard): resolve conflict * chore(wireguard): remove redurant code * chore(wireguard): remove redurant code * feat: rework server for gvisor tun * feat: keep user-space tun as an option * fix: exclude android from native tun build * feat: auto kernel tun * fix: build * fix: regulate function name & fix test
2025-04-30 17:38:41 +00:00 · 2023-11-18 11:27:17 +08:00 · 2023-11-18 11:27:17 +08:00 · 0ac7da2fc8
commit 0ac7da2fc8
parent f1c81557dc
17 changed files with 1049 additions and 500 deletions
--- a/proxy/wireguard/tun_linux.go
+++ b/proxy/wireguard/tun_linux.go
@ -1,3 +1,5 @@
+//go:build linux && !android
+
 package wireguard

 import (
@ -69,7 +71,11 @@ func (d *deviceNet) Close() (err error) {
 	return errors.Join(errs...)
 }

-func CreateTun(localAddresses []netip.Addr, mtu int) (t Tunnel, err error) {
+func createKernelTun(localAddresses []netip.Addr, mtu int, handler promiscuousModeHandler) (t Tunnel, err error) {
+	if handler != nil {
+		return nil, newError("TODO: support promiscuous mode")
+	}
+
 	var v4, v6 *netip.Addr
 	for _, prefixes := range localAddresses {
 		if v4 == nil && prefixes.Is4() {
@ -221,3 +227,11 @@ func CreateTun(localAddresses []netip.Addr, mtu int) (t Tunnel, err error) {
 	out.tun = wgt
 	return out, nil
 }
+
+func KernelTunSupported() bool {
+	// run a superuser permission check to check
+	// if the current user has the sufficient permission
+	// to create a tun device.
+
+	return unix.Geteuid() == 0 // 0 means root
+}