mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00

Files

Thomas Eizinger f5425ac8e4 fix(snownet): fail connection on handshake decryption errors (#9850 )

As per the WireGuard paper, `boringtun` tries to handshake with the
remote peer for 90s before it gives up. This timeout is important
because when a session is discarded due to e.g. missing replies,
WireGuard attempts to handshake a new session. Without this timeout, we
would then try to handshake a session forever.

Unfortunately, `boringtun` does not distinguish a missing handshake
response from a bad one. Decryption errors whilst decoding a handshake
response are simply passed up to the upper layer, in our case `snownet`.

I am not sure how we can actually fail to decrypt a handshake but the
pattern we are seeing in customer logs is that this happens over and
over again, so there is no point in having `boringtun` retry the
handshake. Therefore, we immediately fail the connection when this
happens.

Failed connections are immediately removed, triggering the client send a
new connection-intent to the portal. Such a new connection intent will
then sync-up the state between Client and Gateway so both of them use
the most recent public key.

Resolves: #9845

2025-07-14 13:22:23 +00:00

.cargo

fix(rust): use rust-lld linker for MSVC (#9641 )

2025-06-24 01:55:36 +10:00

apple-client-ffi

chore(rust): bump to Rust 1.88 (#9714 )

2025-07-12 06:42:50 +00:00

bin-shared

chore(linux): add more error context to TUN device (#9853 )

2025-07-13 05:51:02 +00:00

client-ffi

feat(telemetry): grab env and distinct_id from Sentry session (#9801 )

2025-07-10 20:05:08 +00:00

client-shared

chore(connlib): silence EHOSTDOWN errors (#9797 )

2025-07-07 22:52:39 +00:00

connlib

fix(snownet): fail connection on handshake decryption errors (#9850 )

2025-07-14 13:22:23 +00:00

gateway

feat(gateway): allow exporting metrics to an OTEL collector (#9838 )

2025-07-14 03:54:38 +00:00

gui-client

chore(rust): bump to Rust 1.88 (#9714 )

2025-07-12 06:42:50 +00:00

headless-client

feat(gateway): allow exporting metrics to an OTEL collector (#9838 )

2025-07-14 03:54:38 +00:00

logging

chore(rust): bump to Rust 1.88 (#9714 )

2025-07-12 06:42:50 +00:00

relay

fix(rust): remove jemalloc (#9849 )

2025-07-12 19:22:06 +00:00

telemetry

fix(snownet): fail connection on handshake decryption errors (#9850 )

2025-07-14 13:22:23 +00:00

tests

chore(gui-smoke-test): wait for tunnel service to boot (#9766 )

2025-07-02 05:16:15 +00:00

tools/uniffi-bindgen

refactor: use UniFFI for Android FFI (#9415 )

2025-06-17 21:48:34 +00:00

.dockerignore

refactor(portal): Don't pin session token to user_agent or remote_ip (#2195 )

2023-09-30 07:40:57 -07:00

.gitignore

Implement basic STUN server (#1603 )

2023-05-10 07:58:32 -07:00

Cargo.lock

fix(snownet): fail connection on handshake decryption errors (#9850 )

2025-07-14 13:22:23 +00:00

Cargo.toml

fix(rust): remove jemalloc (#9849 )

2025-07-12 19:22:06 +00:00

clippy.toml

chore(rust): bump to Rust 1.88 (#9714 )

2025-07-12 06:42:50 +00:00

deny.toml

build(deps): bump the tauri group in /rust with 6 updates (#9720 )

2025-06-30 13:25:20 +00:00

docker-init-gateway.sh

fix(gateway): Apply more specific firewall rules on start (#8483 )

2025-03-19 05:32:50 +00:00

docker-init-relay.sh

feat(relay): add ec2 metadata discovery (#6617 )

2024-09-12 12:28:55 -06:00

docker-init.sh

fix(gateway): always masquerade for docker-deployed gateways (#6169 )

2024-08-07 03:00:50 +00:00

Dockerfile

chore(rust): remove dev stage in Dockerfile (#8688 )

2025-04-10 04:00:58 +00:00

Dockerfile.xdp-tools

chore(relay): Add xdp-tools debug Docker image build script (#8591 )

2025-04-03 18:17:23 +00:00

README.md

docs(rust): fix profiling command (#7547 )

2024-12-18 13:01:23 +00:00

rust-toolchain.toml

chore(rust): bump to Rust 1.88 (#9714 )

2025-07-12 06:42:50 +00:00

README.md

Rust development guide

Firezone uses Rust for all data plane components. This directory contains the Linux and Windows clients, and low-level networking implementations related to STUN/TURN.

We target the last stable release of Rust using rust-toolchain.toml. If you are using rustup, that is automatically handled for you. Otherwise, ensure you have the latest stable version of Rust installed.

Reading Client logs

The Client logs are written as JSONL for machine-readability.

To make them more human-friendly, pipe them through jq like this:

cd path/to/logs  # e.g. `$HOME/.cache/dev.firezone.client/data/logs` on Linux
cat *.log | jq -r '"\(.time) \(.severity) \(.message)"'

Resulting in, e.g.

2024-04-01T18:25:47.237661392Z INFO started log
2024-04-01T18:25:47.238193266Z INFO GIT_VERSION = 1.0.0-pre.11-35-gcc0d43531
2024-04-01T18:25:48.295243016Z INFO No token / actor_name on disk, starting in signed-out state
2024-04-01T18:25:48.295360641Z INFO null

Benchmarking on Linux

The recommended way for benchmarking any of the Rust components is Linux' perf utility. For example, to attach to a running application, do:

Ensure the binary you are profiling is compiled with the release profile.
sudo perf record -g --freq 10000 --pid $(pgrep <your-binary>).
Run the speed test or whatever load-inducing task you want to measure.
sudo perf script > profile.perf
Open profiler.firefox.com and load profile.perf

Instead of attaching to a process with --pid, you can also specify the path to executable directly. That is useful if you want to capture perf data for a test or a micro-benchmark.