github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
b7795dfa03267fde7779fcae942eb427e30c8bd8
firezone/rust/headless-client
History
Thomas Eizinger 2d4818e007 refactor(connlib): rotate tunnel private key on reset (#6909) 
With the new control protocol specified in #6461, the client will no
longer initiate new connections. Instead, the credentials are generated
deterministically by the portal based on the gateway's and the client's
public key. For as long as they use the same public key, they also have
the same in-memory state which makes creating connections idempotent.

What we didn't consider in the new design at first is that when clients
roam, they discard all connections but keep the same private key. As a
result, the portal would generate the same ICE credentials which means
the gateway thinks it can reuse the existing connection when new flows
get authorized. The client however discarded all connections (and
rotated its ports and maybe IPs), meaning the previous candidates sent
to the gateway are no longer valid and connectivity fails.

We fix this by also rotating the private keys upon reset. Rotating the
keys itself isn't enough, we also need to propagate the new public key
all the way "over" to the phoenix channel component which lives
separately from connlib's data plane.

To achieve this, we change `PhoenixChannel` to now start in the
"disconnected" state and require an explicit `connect` call. In
addition, the `LoginUrl` constructed by various components now acts
merely as a "prototype", which may require additional data to construct
a fully valid URL. In the case of client and gateway, this is the public
key of the `Node`. This additional parameter needs to be passed to
`PhoenixChannel` in the `connect` call, thus forming a type-safe
contract that ensures we never attempt to connect without providing a
public key.

For the relay, this doesn't apply.

Lastly, this allows us to tidy up the code a bit by:

a) generating the `Node`'s private key from the existing RNG
b) removing `ConnectArgs` which only had two members left

Related: #6461.
Related: #6732.
2024-10-07 22:28:51 +00:00
..
docs
refactor(linux-client): replace client-tunnel with headless-client which is the same thing (#4516)
2024-04-10 22:01:55 +00:00
src
refactor(connlib): rotate tunnel private key on reset (#6909)
2024-10-07 22:28:51 +00:00
Cargo.toml
fix(rust/client/windows): set our DNS resolvers on our interface (#6931)
2024-10-07 15:03:22 +00:00
README.md
refactor(headless-client): remove "linux-client" alias (#4933)
2024-05-10 15:43:02 +00:00

README.md

headless-client

This crate acts as the CLI / headless Client, and the privileged tunnel service for the GUI Client, for both Linux and Windows.

It is built as:

  • headless-client to act as the Linux / Windows headless Client
  • firezone-headless-client to act as the Linux tunnel service, Windows headless Client, or Windows tunnel service

In general, the brand name should be part of the file name, but the OS name should not be.

Running

To run the headless Client:

  1. Generate a new Service account token from the "Actors -> Service Accounts" section of the admin portal and save it in your secrets manager. The Firezone Linux client requires a service account at this time.
  2. Ensure /etc/dev.firezone.client/token is only readable by root (i.e. chmod 400)
  3. Ensure /etc/dev.firezone.client/token contains the Service account token. The Client needs this before it can start
  4. Set FIREZONE_ID to a unique string to identify this client in the portal, e.g. export FIREZONE_ID=$(uuidgen). The client requires this variable at startup.
  5. Set LOG_DIR to a suitable directory for writing logs 
    export LOG_DIR=/tmp/firezone-logs
mkdir $LOG_DIR
  6. Now, you can start the client with:
./firezone-headless-client standalone

If you're running as an unprivileged user, you'll need the CAP_NET_ADMIN capability to open /dev/net/tun. You can add this to the client binary with:

sudo setcap 'cap_net_admin+eip' /path/to/firezone-headless-client

Building

Assuming you have Rust installed, you can build the headless Client with:

cargo build --release -p firezone-headless-client

The binary will be in target/release/firezone-headless-client

The release on Github are built with musl. To build this way, use:

rustup target add x86_64-unknown-linux-musl
sudo apt-get install musl-tools
cargo build --release -p headless-client --target x86_64-unknown-linux-musl

Files

  • /etc/dev.firezone.client/token - The service account token, provided by the human administrator. Must be owned by root and have 600 permissions (r/w by owner, nobody else can read) If present, the tunnel will ignore any GUI Client and run as a headless Client. If absent, the tunnel will wait for commands from a GUI Client
  • /usr/bin/firezone-headless-client - The tunnel binary. This must run as root so it can modify the system's DNS settings. If DNS is not needed, it only needs CAP_NET_ADMIN.
  • /usr/lib/systemd/system/firezone-headless-client.service - A systemd service unit, installed by the deb package.
  • /var/lib/dev.firezone.client/config/firezone-id - The device ID, unique across an organization. The tunnel will generate this if it's not present.
Reference in New Issue View Git Blame Copy Permalink