mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00

Files

Thomas Eizinger ce5650b554 fix(snownet): compare preshared_key on connection upsert (#9999 )

By chance, I've discovered in a CI failure that we won't be able to
handshake a new session if the `preshared_key` changes. This makes a lot
of sense. The `preshared_key` needs to be the same on both ends as it is
a shared secret that gets mixed into the Noise handshake.

In following sequence of events, we would thus previously run into a
"failed to decrypt handshake packet" scenario:

1. Client requests a connection.
2. Gateway authorizes the connection.
3. Portal restarts / gets deployed. To my knowledge, this will rotate
the `preshared_key` to a new secret. Restarting the portal also cuts all
WebSockets and therefore, the Gateways response never arrives.
4. Client reconnects to the WebSocket, requests a new connection.
5. Gateway reuses the local connection but this connection still uses
the old `preshared_key`!
6. Client needs to wait for the Gateway's ICE timeout before it can
establish a new connection.

How exactly (3) happens doesn't matter. There are probably other
conditions as to where the WebSocket connections get cut and we cannot
complete our connection handshake.

2025-07-25 21:14:58 +00:00

bufferpool

refactor(rust): use spinlock-based buffer pool (#9951 )

2025-07-22 23:22:48 +00:00

dns-over-tcp

test(connlib): establish real TCP connections in proptests (#9814 )

2025-07-11 15:10:22 +00:00

dns-types

build(deps): bump domain from 0.10.4 to 0.11.0 in /rust (#9274 )

2025-05-28 10:37:16 +00:00

etherparse-ext

refactor(rust): move crates into a more sensical hierarchy (#9066 )

2025-05-12 01:04:17 +00:00

ip-packet

feat(gateway): translate TimeExceeded ICMP messages (#9812 )

2025-07-12 21:09:48 +00:00

l3-tcp

test(connlib): establish real TCP connections in proptests (#9814 )

2025-07-11 15:10:22 +00:00

l4-tcp-dns-server

chore(rust): bump to Rust 1.88 (#9714 )

2025-07-12 06:42:50 +00:00

l4-udp-dns-server

build(rust): upgrade to Rust 1.85 and Edition 2024 (#8240 )

2025-03-19 02:58:55 +00:00

model

feat(connlib): allow controlling IP stack per DNS resource (#9300 )

2025-05-31 00:27:59 +00:00

phoenix-channel

fix(connlib): clear join requests on reconnect (#9985 )

2025-07-24 20:41:26 +00:00

snownet

fix(snownet): compare preshared_key on connection upsert (#9999 )

2025-07-25 21:14:58 +00:00

socket-factory

refactor(connlib): only enable wire logs in debug builds (#10002 )

2025-07-25 12:24:25 +00:00

tun

ci: update to new cargo sort release (#9354 )

2025-06-02 02:01:09 +00:00

tunnel

refactor(connlib): only enable wire logs in debug builds (#10002 )

2025-07-25 12:24:25 +00:00

.gitignore

android: update connlib dependency and integration (#1752 )

2023-07-17 18:50:39 +00:00

README.md

chore(docs): Remove outdated rust/connlib/README.md info (#3099 )

2024-01-03 18:10:52 +00:00

README.md

Connlib

Firezone's connectivity library shared by all clients.

Building Connlib

You shouldn't need to build connlib directly; it's typically built as a dependency of one of the other Firezone components. See READMEs in those directories for relevant instructions.