Merge branch 'netbirdio:main' into main-custom-ports-ssl-certs

.github/workflows/release.yml

@@ -20,7 +20,7 @@ on:
  - 'client/ui/**'
 
 env:
- SIGN_PIPE_VER: "v0.0.10"
+ SIGN_PIPE_VER: "v0.0.11"
  GORELEASER_VER: "v1.14.1"
 
 concurrency:

CONTRIBUTING.md

@@ -189,6 +189,8 @@ CGO_ENABLED=0 go build .
 
 > Windows clients have a Wireguard driver requirement. You can download the wintun driver from https://www.wintun.net/builds/wintun-0.14.1.zip, after decompressing, you can copy the file `windtun\bin\ARCH\wintun.dll` to the same path as your binary file or to `C:\Windows\System32\wintun.dll`.
 
+> To test the client GUI application on Windows machines with RDP or vituralized environments (e.g. virtualbox or cloud), you need to download and extract the opengl32.dll from https://fdossena.com/?p=mesa/index.frag next to the built application.
+
 To start NetBird the client in the foreground:
 
 ```

README.md

@@ -54,7 +54,7 @@ https://user-images.githubusercontent.com/700848/197345890-2e2cded5-7b7a-436f-a4
 | <ul><li> - \[x] Peer-to-peer connections </ul></li> | <ul><li> - \[x] Auto peer discovery and configuration </ul></li> | <ul><li> - \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) </ul></li> | <ul><li> - \[x] Mac </ul></li> |
 | <ul><li> - \[x] Peer-to-peer encryption </ul></li> | <ul><li> - \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) </ul></li> | <ul><li> - \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) </ul></li> | <ul><li> - \[x] Windows </ul></li> |
 | <ul><li> - \[x] Connection relay fallback </ul></li> | <ul><li> - \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) </ul></li> | <ul><li> - \[x] IdP groups sync with JWT </ul></li> | <ul><li> - \[x] Android </ul></li> |
-| <ul><li> - \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) </ul></li> | <ul><li> - \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access) </ul></li> | | <ul><li> - \[ ] iOS </ul></li> |
+| <ul><li> - \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) </ul></li> | <ul><li> - \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access) </ul></li> | | <ul><li> - \[x] iOS </ul></li> |
 | <ul><li> - \[x] NAT traversal with BPF </ul></li> | <ul><li> - \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) </ul></li> | | <ul><li> - \[x] Docker </ul></li> |
 | | <ul><li> - \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) </ul></li> | | <ul><li> - \[x] OpenWRT </ul></li> |
 | | <ul><li> - \[x] [Activity logging](https://docs.netbird.io/how-to/monitor-system-and-network-activity) </ul></li> | | |

client/cmd/login.go

@@ -60,7 +60,7 @@ var loginCmd = &cobra.Command{
  return fmt.Errorf("get config file: %v", err)
  }
 
- config, _ = internal.UpdateOldManagementPort(ctx, config, configPath)
+ config, _ = internal.UpdateOldManagementURL(ctx, config, configPath)
 
  err = foregroundLogin(ctx, cmd, config, setupKey)
  if err != nil {

client/cmd/up.go

@@ -95,7 +95,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
  return fmt.Errorf("get config file: %v", err)
  }
 
- config, _ = internal.UpdateOldManagementPort(ctx, config, configPath)
+ config, _ = internal.UpdateOldManagementURL(ctx, config, configPath)
 
  err = foregroundLogin(ctx, cmd, config, setupKey)
  if err != nil {

client/installer.nsis

@@ -193,6 +193,7 @@ Sleep 3000
 Delete "$INSTDIR\${UI_APP_EXE}"
 Delete "$INSTDIR\${MAIN_APP_EXE}"
 Delete "$INSTDIR\wintun.dll"
+Delete "$INSTDIR\opengl32.dll"
 RmDir /r "$INSTDIR"
 
 SetShellVarContext all

client/internal/config.go

@@ -1,6 +1,7 @@
 package internal
 
 import (
+ "context"
  "fmt"
  "net/url"
  "os"
@@ -12,16 +13,19 @@ import (
 
  "github.com/netbirdio/netbird/client/ssh"
  "github.com/netbirdio/netbird/iface"
+ mgm "github.com/netbirdio/netbird/management/client"
  "github.com/netbirdio/netbird/util"
 )
 
 const (
- // ManagementLegacyPort is the port that was used before by the Management gRPC server.
+ // managementLegacyPortString is the port that was used before by the Management gRPC server.
  // It is used for backward compatibility now.
  // NB: hardcoded from github.com/netbirdio/netbird/management/cmd to avoid import
- ManagementLegacyPort = 33073
+ managementLegacyPortString = "33073"
  // DefaultManagementURL points to the NetBird's cloud management endpoint
- DefaultManagementURL = "https://api.wiretrustee.com:443"
+ DefaultManagementURL = "https://api.netbird.io:443"
+ // oldDefaultManagementURL points to the NetBird's old cloud management endpoint
+ oldDefaultManagementURL = "https://api.wiretrustee.com:443"
  // DefaultAdminURL points to NetBird's cloud management console
  DefaultAdminURL = "https://app.netbird.io:443"
 )
@@ -302,3 +306,86 @@ func configFileIsExists(path string) bool {
  _, err := os.Stat(path)
  return !os.IsNotExist(err)
 }
+
+// UpdateOldManagementURL checks whether client can switch to the new Management URL with port 443 and the management domain.
+// If it can switch, then it updates the config and returns a new one. Otherwise, it returns the provided config.
+// The check is performed only for the NetBird's managed version.
+func UpdateOldManagementURL(ctx context.Context, config *Config, configPath string) (*Config, error) {
+
+ defaultManagementURL, err := parseURL("Management URL", DefaultManagementURL)
+ if err != nil {
+ return nil, err
+ }
+
+ parsedOldDefaultManagementURL, err := parseURL("Management URL", oldDefaultManagementURL)
+ if err != nil {
+ return nil, err
+ }
+
+ if config.ManagementURL.Hostname() != defaultManagementURL.Hostname() &&
+ config.ManagementURL.Hostname() != parsedOldDefaultManagementURL.Hostname() {
+ // only do the check for the NetBird's managed version
+ return config, nil
+ }
+
+ var mgmTlsEnabled bool
+ if config.ManagementURL.Scheme == "https" {
+ mgmTlsEnabled = true
+ }
+
+ if !mgmTlsEnabled {
+ // only do the check for HTTPs scheme (the hosted version of the Management service is always HTTPs)
+ return config, nil
+ }
+
+ if config.ManagementURL.Port() != managementLegacyPortString &&
+ config.ManagementURL.Hostname() == defaultManagementURL.Hostname() {
+ return config, nil
+ }
+
+ newURL, err := parseURL("Management URL", fmt.Sprintf("%s://%s:%d",
+ config.ManagementURL.Scheme, defaultManagementURL.Hostname(), 443))
+ if err != nil {
+ return nil, err
+ }
+ // here we check whether we could switch from the legacy 33073 port to the new 443
+ log.Infof("attempting to switch from the legacy Management URL %s to the new one %s",
+ config.ManagementURL.String(), newURL.String())
+ key, err := wgtypes.ParseKey(config.PrivateKey)
+ if err != nil {
+ log.Infof("couldn't switch to the new Management %s", newURL.String())
+ return config, err
+ }
+
+ client, err := mgm.NewClient(ctx, newURL.Host, key, mgmTlsEnabled)
+ if err != nil {
+ log.Infof("couldn't switch to the new Management %s", newURL.String())
+ return config, err
+ }
+ defer func() {
+ err = client.Close()
+ if err != nil {
+ log.Warnf("failed to close the Management service client %v", err)
+ }
+ }()
+
+ // gRPC check
+ _, err = client.GetServerPublicKey()
+ if err != nil {
+ log.Infof("couldn't switch to the new Management %s", newURL.String())
+ return nil, err
+ }
+
+ // everything is alright => update the config
+ newConfig, err := UpdateConfig(ConfigInput{
+ ManagementURL: newURL.String(),
+ ConfigPath: configPath,
+ })
+ if err != nil {
+ log.Infof("couldn't switch to the new Management %s", newURL.String())
+ return config, fmt.Errorf("failed updating config file: %v", err)
+ }
+ log.Infof("successfully switched to the new Management URL: %s", newURL.String())
+
+ return newConfig, nil
+}

client/internal/config_test.go

@@ -1,12 +1,14 @@
 package internal
 
 import (
+ "context"
  "errors"
  "os"
  "path/filepath"
  "testing"
 
  "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
 
  "github.com/netbirdio/netbird/util"
 )
@@ -120,3 +122,60 @@ func TestHiddenPreSharedKey(t *testing.T) {
  })
  }
 }
+
+func TestUpdateOldManagementURL(t *testing.T) {
+ tests := []struct {
+ name string
+ previousManagementURL string
+ expectedManagementURL string
+ fileShouldNotChange bool
+ }{
+ {
+ name: "Update old management URL with legacy port",
+ previousManagementURL: "https://api.wiretrustee.com:33073",
+ expectedManagementURL: DefaultManagementURL,
+ },
+ {
+ name: "Update old management URL",
+ previousManagementURL: oldDefaultManagementURL,
+ expectedManagementURL: DefaultManagementURL,
+ },
+ {
+ name: "No update needed when management URL is up to date",
+ previousManagementURL: DefaultManagementURL,
+ expectedManagementURL: DefaultManagementURL,
+ fileShouldNotChange: true,
+ },
+ {
+ name: "No update needed when not using cloud management",
+ previousManagementURL: "https://netbird.example.com:33073",
+ expectedManagementURL: "https://netbird.example.com:33073",
+ fileShouldNotChange: true,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ tempDir := t.TempDir()
+ configPath := filepath.Join(tempDir, "config.json")
+ config, err := UpdateOrCreateConfig(ConfigInput{
+ ManagementURL: tt.previousManagementURL,
+ ConfigPath: configPath,
+ })
+ require.NoError(t, err, "failed to create testing config")
+ previousStats, err := os.Stat(configPath)
+ require.NoError(t, err, "failed to create testing config stats")
+ resultConfig, err := UpdateOldManagementURL(context.TODO(), config, configPath)
+ require.NoError(t, err, "got error when updating old management url")
+ require.Equal(t, tt.expectedManagementURL, resultConfig.ManagementURL.String())
+ newStats, err := os.Stat(configPath)
+ require.NoError(t, err, "failed to create testing config stats")
+ switch tt.fileShouldNotChange {
+ case true:
+ require.Equal(t, previousStats.ModTime(), newStats.ModTime(), "file should not change")
+ case false:
+ require.NotEqual(t, previousStats.ModTime(), newStats.ModTime(), "file should have changed")
+ }
+ })
+ }
+}

client/internal/connect.go

@@ -283,83 +283,6 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte)
  return loginResp, nil
 }
 
-// UpdateOldManagementPort checks whether client can switch to the new Management port 443.
-// If it can switch, then it updates the config and returns a new one. Otherwise, it returns the provided config.
-// The check is performed only for the NetBird's managed version.
-func UpdateOldManagementPort(ctx context.Context, config *Config, configPath string) (*Config, error) {
-
- defaultManagementURL, err := parseURL("Management URL", DefaultManagementURL)
- if err != nil {
- return nil, err
- }
-
- if config.ManagementURL.Hostname() != defaultManagementURL.Hostname() {
- // only do the check for the NetBird's managed version
- return config, nil
- }
-
- var mgmTlsEnabled bool
- if config.ManagementURL.Scheme == "https" {
- mgmTlsEnabled = true
- }
-
- if !mgmTlsEnabled {
- // only do the check for HTTPs scheme (the hosted version of the Management service is always HTTPs)
- return config, nil
- }
-
- if mgmTlsEnabled && config.ManagementURL.Port() == fmt.Sprintf("%d", ManagementLegacyPort) {
-
- newURL, err := parseURL("Management URL", fmt.Sprintf("%s://%s:%d",
- config.ManagementURL.Scheme, config.ManagementURL.Hostname(), 443))
- if err != nil {
- return nil, err
- }
- // here we check whether we could switch from the legacy 33073 port to the new 443
- log.Infof("attempting to switch from the legacy Management URL %s to the new one %s",
- config.ManagementURL.String(), newURL.String())
- key, err := wgtypes.ParseKey(config.PrivateKey)
- if err != nil {
- log.Infof("couldn't switch to the new Management %s", newURL.String())
- return config, err
- }
-
- client, err := mgm.NewClient(ctx, newURL.Host, key, mgmTlsEnabled)
- if err != nil {
- log.Infof("couldn't switch to the new Management %s", newURL.String())
- return config, err
- }
- defer func() {
- err = client.Close()
- if err != nil {
- log.Warnf("failed to close the Management service client %v", err)
- }
- }()
-
- // gRPC check
- _, err = client.GetServerPublicKey()
- if err != nil {
- log.Infof("couldn't switch to the new Management %s", newURL.String())
- return nil, err
- }
-
- // everything is alright => update the config
- newConfig, err := UpdateConfig(ConfigInput{
- ManagementURL: newURL.String(),
- ConfigPath: configPath,
- })
- if err != nil {
- log.Infof("couldn't switch to the new Management %s", newURL.String())
- return config, fmt.Errorf("failed updating config file: %v", err)
- }
- log.Infof("successfully switched to the new Management URL: %s", newURL.String())
-
- return newConfig, nil
- }
-
- return config, nil
-}
-
 func statusRecorderToMgmConnStateNotifier(statusRecorder *peer.Status) mgm.ConnStateNotifier {
  var sri interface{} = statusRecorder
  mgmNotifier, _ := sri.(mgm.ConnStateNotifier)

client/internal/dns/server_test.go

@@ -12,6 +12,7 @@ import (
 
  "github.com/golang/mock/gomock"
  log "github.com/sirupsen/logrus"
+ "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
  "github.com/netbirdio/netbird/client/firewall/uspfilter"
  "github.com/netbirdio/netbird/client/internal/stdnet"
@@ -250,11 +251,12 @@ func TestUpdateDNSServer(t *testing.T) {
 
  for n, testCase := range testCases {
  t.Run(testCase.name, func(t *testing.T) {
+ privKey, _ := wgtypes.GenerateKey()
  newNet, err := stdnet.NewNet(nil)
  if err != nil {
  t.Fatal(err)
  }
- wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), iface.DefaultMTU, nil, newNet)
+ wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
  if err != nil {
  t.Fatal(err)
  }
@@ -331,7 +333,8 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
  return
  }
 
- wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.1/32", iface.DefaultMTU, nil, newNet)
+ privKey, _ := wgtypes.GeneratePrivateKey()
+ wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.1/32", 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
  if err != nil {
  t.Errorf("build interface wireguard: %v", err)
  return
@@ -782,7 +785,8 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
  return nil, err
  }
 
- wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.2/24", iface.DefaultMTU, nil, newNet)
+ privKey, _ := wgtypes.GeneratePrivateKey()
+ wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.2/24", 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
  if err != nil {
  t.Fatalf("build interface wireguard: %v", err)
  return nil, err