mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 10:18:54 +00:00

Files

Thomas Eizinger ce5650b554 fix(snownet): compare preshared_key on connection upsert (#9999 )

By chance, I've discovered in a CI failure that we won't be able to
handshake a new session if the `preshared_key` changes. This makes a lot
of sense. The `preshared_key` needs to be the same on both ends as it is
a shared secret that gets mixed into the Noise handshake.

In following sequence of events, we would thus previously run into a
"failed to decrypt handshake packet" scenario:

1. Client requests a connection.
2. Gateway authorizes the connection.
3. Portal restarts / gets deployed. To my knowledge, this will rotate
the `preshared_key` to a new secret. Restarting the portal also cuts all
WebSockets and therefore, the Gateways response never arrives.
4. Client reconnects to the WebSocket, requests a new connection.
5. Gateway reuses the local connection but this connection still uses
the old `preshared_key`!
6. Client needs to wait for the Gateway's ICE timeout before it can
establish a new connection.

How exactly (3) happens doesn't matter. There are probably other
conditions as to where the WebSocket connections get cut and we cannot
complete our connection handshake.

2025-07-25 21:14:58 +00:00

.cargo

fix(rust): use rust-lld linker for MSVC (#9641 )

2025-06-24 01:55:36 +10:00

apple-client-ffi

feat(connlib): add reason argument to reset API (#9878 )

2025-07-15 13:48:33 +00:00

bin-shared

refactor(windows): share src IP cache across UDP sockets (#9976 )

2025-07-24 01:36:53 +00:00

client-ffi

feat(connlib): add reason argument to reset API (#9878 )

2025-07-15 13:48:33 +00:00

client-shared

test(iperf): install iptables rule inside of container (#9880 )

2025-07-16 10:29:33 +00:00

connlib

fix(snownet): compare preshared_key on connection upsert (#9999 )

2025-07-25 21:14:58 +00:00

gateway

feat(gateway): update expiry of access authoritzations on init (#9975 )

2025-07-24 06:36:56 +00:00

gui-client

build(deps): bump flowbite-react from 0.11.8 to 0.11.9 in /rust/gui-client in the flowbite group (#9931 )

2025-07-24 22:32:27 +00:00

headless-client

refactor(windows): share src IP cache across UDP sockets (#9976 )

2025-07-24 01:36:53 +00:00

logging

chore(rust): bump to Rust 1.88 (#9714 )

2025-07-12 06:42:50 +00:00

relay

chore(relay): remove spans (#9962 )

2025-07-22 13:24:58 +00:00

telemetry

chore(connlib): only log span field name into message (#9981 )

2025-07-24 01:37:43 +00:00

tests

chore(gui-smoke-test): wait for tunnel service to boot (#9766 )

2025-07-02 05:16:15 +00:00

tools/uniffi-bindgen

refactor: use UniFFI for Android FFI (#9415 )

2025-06-17 21:48:34 +00:00

.dockerignore

refactor(portal): Don't pin session token to user_agent or remote_ip (#2195 )

2023-09-30 07:40:57 -07:00

.gitignore

Implement basic STUN server (#1603 )

2023-05-10 07:58:32 -07:00

Cargo.lock

fix(snownet): compare preshared_key on connection upsert (#9999 )

2025-07-25 21:14:58 +00:00

Cargo.toml

refactor(windows): share src IP cache across UDP sockets (#9976 )

2025-07-24 01:36:53 +00:00

clippy.toml

chore(rust): bump to Rust 1.88 (#9714 )

2025-07-12 06:42:50 +00:00

deny.toml

build(deps): bump the tauri group in /rust with 6 updates (#9720 )

2025-06-30 13:25:20 +00:00

docker-init-gateway.sh

fix(gateway): Apply more specific firewall rules on start (#8483 )

2025-03-19 05:32:50 +00:00

docker-init-relay.sh

feat(relay): add ec2 metadata discovery (#6617 )

2024-09-12 12:28:55 -06:00

docker-init.sh

fix(gateway): always masquerade for docker-deployed gateways (#6169 )

2024-08-07 03:00:50 +00:00

Dockerfile

test(iperf): install iptables rule inside of container (#9880 )

2025-07-16 10:29:33 +00:00

Dockerfile.xdp-tools

chore(relay): Add xdp-tools debug Docker image build script (#8591 )

2025-04-03 18:17:23 +00:00

README.md

docs(rust): fix profiling command (#7547 )

2024-12-18 13:01:23 +00:00

rust-toolchain.toml

chore(rust): bump to Rust 1.88 (#9714 )

2025-07-12 06:42:50 +00:00

README.md

Rust development guide

Firezone uses Rust for all data plane components. This directory contains the Linux and Windows clients, and low-level networking implementations related to STUN/TURN.

We target the last stable release of Rust using rust-toolchain.toml. If you are using rustup, that is automatically handled for you. Otherwise, ensure you have the latest stable version of Rust installed.

Reading Client logs

The Client logs are written as JSONL for machine-readability.

To make them more human-friendly, pipe them through jq like this:

cd path/to/logs  # e.g. `$HOME/.cache/dev.firezone.client/data/logs` on Linux
cat *.log | jq -r '"\(.time) \(.severity) \(.message)"'

Resulting in, e.g.

2024-04-01T18:25:47.237661392Z INFO started log
2024-04-01T18:25:47.238193266Z INFO GIT_VERSION = 1.0.0-pre.11-35-gcc0d43531
2024-04-01T18:25:48.295243016Z INFO No token / actor_name on disk, starting in signed-out state
2024-04-01T18:25:48.295360641Z INFO null

Benchmarking on Linux

The recommended way for benchmarking any of the Rust components is Linux' perf utility. For example, to attach to a running application, do:

Ensure the binary you are profiling is compiled with the release profile.
sudo perf record -g --freq 10000 --pid $(pgrep <your-binary>).
Run the speed test or whatever load-inducing task you want to measure.
sudo perf script > profile.perf
Open profiler.firefox.com and load profile.perf

Instead of attaching to a process with --pid, you can also specify the path to executable directly. That is useful if you want to capture perf data for a test or a micro-benchmark.