Bumps [tokio-tungstenite](https://github.com/snapview/tokio-tungstenite)
from 0.20.1 to 0.21.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/snapview/tokio-tungstenite/blob/master/CHANGELOG.md">tokio-tungstenite's
changelog</a>.</em></p>
<blockquote>
<h1>0.21.0</h1>
<ul>
<li>Update TLS dependencies.</li>
<li>Update <code>tungstenite</code> to <code>0.21.0</code>.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="52e59dd732"><code>52e59dd</code></a>
Release version 0.21.0</li>
<li><a
href="7b2cf20a10"><code>7b2cf20</code></a>
Update <code>rustls</code> to 0.22 and <code>tokio-rustls</code> to
0.25</li>
<li><a
href="ecf7a7ebae"><code>ecf7a7e</code></a>
Update <code>webpki-roots</code> to 0.26</li>
<li>See full diff in <a
href="https://github.com/snapview/tokio-tungstenite/compare/v0.20.1...v0.21.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
It appears that sometimes, the dialer already considers the connection
as connected whilst the other party is still finishing the ICE
handshake. In that case, the dialer will start wireguard activity. Once
the tunnel is fully established, the dialer will then start to send data
which can lead to a `NotConnected` error in case the listener hasn't yet
finished the handshake and updated the state. This is only a local
inconsistency which we can fix by also updating the `remote_socket`
field based on activity on the wireguard tunnel.
For future debugging, we also raise the log level of `str0m` to see the
STUN messages that are being exchanged.
Fixes: #3178.
Also refactored to extract an auth state machine. The auth logic
previously was scattered throughout the GUI module, which would make it
hard to audit. Because of the refactoring I was able to add some simple
unit tests.
the way we were checking for subdomains in the gateways completely
broke, didn't detect it before because the deployed staging version for
gateways is too old.
~~Added a few CI tests so this doesn't' happen again.~~ seems like
github runners [doesn't support pinging the outside
world](https://github.com/actions/runner-images/issues/1519) so I'm
putting that off for now.
This will fix#3114 and save about 13 seconds at startup, compared to
shelling out to Powershell.
I'm not 100% sure it works for IPv6 routes - I'm setting port, flowinfo,
and scope to 0 and just assuming that it's fine.
For some reason Windows wants a socket address in this API even though I
don't think the port is used for anything.
Bumps
[org.jetbrains.kotlin:kotlin-stdlib](https://github.com/JetBrains/kotlin)
from 1.9.21 to 1.9.22.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/JetBrains/kotlin/releases">org.jetbrains.kotlin:kotlin-stdlib's
releases</a>.</em></p>
<blockquote>
<h2>Kotlin 1.9.22</h2>
<h2>Changelog</h2>
<h3>JavaScript</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63719"><code>KT-63719</code></a>
KJS: Test results ignored for ES module kind</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63808"><code>KT-63808</code></a>
compileTestDevelopmentExecutableKotlinJs failed in
JsIntrinsicTransformers</li>
</ul>
<h3>Native</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64139"><code>KT-64139</code></a>
Weird bug with while and coroutine in Kotlin Native</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63471"><code>KT-63471</code></a>
linkDebugTestIosX64 Failed to build cache: NoSuchFileException
bitcode_deps</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63789"><code>KT-63789</code></a>
Native: Incremental compilation problem with compose</li>
</ul>
<h3>Tools. CLI</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64485"><code>KT-64485</code></a>
CLI: cache and optimize parsing of command-line arguments</li>
</ul>
<h3>Tools. Gradle</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63990"><code>KT-63990</code></a>
"Cannot query the value of property 'buildFlowServiceProperty'
because it has no value available" with Isolated Projects</li>
</ul>
<h3>Tools. Gradle. Native</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63363"><code>KT-63363</code></a>
Kotlin Gradle Plugin:
<code>KotlinNativeHostSpecificMetadataArtifact</code> breaks
configuration cache, implicitly includes output file as configuration
cache input</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63742"><code>KT-63742</code></a>
Gradle wrongly caches Kotlin/Native compiler flags</li>
</ul>
<h3>Tools. JPS</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64305"><code>KT-64305</code></a>
Kotlin JPS builder requests chunk rebuild with graph implementation</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64112"><code>KT-64112</code></a>
Avoid using IJ's JPS mappings in Kotlin JPS tests</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63799"><code>KT-63799</code></a>
Make plugin classpath serialization path agnostic</li>
</ul>
<h2>Checksums</h2>
<table>
<thead>
<tr>
<th>File</th>
<th>Sha256</th>
</tr>
</thead>
<tbody>
<tr>
<td>kotlin-compiler-1.9.22.zip</td>
<td>88b39213506532c816ff56348c07bbeefe0c8d18943bffbad11063cf97cac3e6</td>
</tr>
<tr>
<td>kotlin-native-linux-x86_64-1.9.22.tar.gz</td>
<td>c2b0a6481ced5401db4a7028661c039b7466996efaa554bbcc6a3d421ac5e7d4</td>
</tr>
<tr>
<td>kotlin-native-macos-x86_64-1.9.22.tar.gz</td>
<td>4646c9bc289d48a228064f565f3a968dde3dcccd7821f403717c708f6ffa8285</td>
</tr>
<tr>
<td>kotlin-native-macos-aarch64-1.9.22.tar.gz</td>
<td>8a95c0e0eb46b41b6d02a1942dc7dfe8c70082a2a26679490a77cd486f0ec8dd</td>
</tr>
<tr>
<td>kotlin-native-windows-x86_64-1.9.22.zip</td>
<td>a9d7bcf38a41a84002ba7a733b08e97b554225a39656d5158fc31dc6d0acede4</td>
</tr>
</tbody>
</table>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/JetBrains/kotlin/blob/master/ChangeLog.md">org.jetbrains.kotlin:kotlin-stdlib's
changelog</a>.</em></p>
<blockquote>
<h2>1.9.22</h2>
<h3>JavaScript</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63719"><code>KT-63719</code></a>
KJS: Test results ignored for ES module kind</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63808"><code>KT-63808</code></a>
compileTestDevelopmentExecutableKotlinJs failed in
JsIntrinsicTransformers</li>
</ul>
<h3>Native</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64139"><code>KT-64139</code></a>
Weird bug with while and coroutine in Kotlin Native</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63471"><code>KT-63471</code></a>
linkDebugTestIosX64 Failed to build cache: NoSuchFileException
bitcode_deps</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63789"><code>KT-63789</code></a>
Native: Incremental compilation problem with compose</li>
</ul>
<h3>Tools. CLI</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64485"><code>KT-64485</code></a>
CLI: cache and optimize parsing of command-line arguments</li>
</ul>
<h3>Tools. Gradle</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63990"><code>KT-63990</code></a>
"Cannot query the value of property 'buildFlowServiceProperty'
because it has no value available" with Isolated Projects</li>
</ul>
<h3>Tools. Gradle. Native</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63363"><code>KT-63363</code></a>
Kotlin Gradle Plugin:
<code>KotlinNativeHostSpecificMetadataArtifact</code> breaks
configuration cache, implicitly includes output file as configuration
cache input</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63742"><code>KT-63742</code></a>
Gradle wrongly caches Kotlin/Native compiler flags</li>
</ul>
<h3>Tools. JPS</h3>
<ul>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64305"><code>KT-64305</code></a>
Kotlin JPS builder requests chunk rebuild with graph implementation</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-64112"><code>KT-64112</code></a>
Avoid using IJ's JPS mappings in Kotlin JPS tests</li>
<li><a
href="https://youtrack.jetbrains.com/issue/KT-63799"><code>KT-63799</code></a>
Make plugin classpath serialization path agnostic</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="44ed2e94f5"><code>44ed2e9</code></a>
Add changelog for 1.9.22</li>
<li><a
href="b7b0397d2c"><code>b7b0397</code></a>
[Gradle] Made klib unpacked for native metadata compile task</li>
<li><a
href="262697dc38"><code>262697d</code></a>
[K/JS] Fix file extension inside the JS KGP to run tests with ES modules
^KT-...</li>
<li><a
href="87c8aa1037"><code>87c8aa1</code></a>
[K/JS] Fix case with boxing/unboxing inside the BlockDecomposerLowering
^KT-6...</li>
<li><a
href="316df8d032"><code>316df8d</code></a>
[CLI] Add cache for reflection lookup of CLI arguments</li>
<li><a
href="b0cc245beb"><code>b0cc245</code></a>
Avoid throwing exception when BuildFusService can't be injected</li>
<li><a
href="cfbb957e02"><code>cfbb957</code></a>
[IR] Correct handling of loops in liveness analysis</li>
<li><a
href="204cecd5d9"><code>204cecd</code></a>
[box-tests] Added a reproducer for #KT-64139</li>
<li><a
href="9c7aac2ec0"><code>9c7aac2</code></a>
[gradle] Use more fine grained directory for K/N incremental
compilation</li>
<li><a
href="9012e67fdb"><code>9012e67</code></a>
Add KotlinBuilder 'dumb mode' flag</li>
<li>Additional commits viewable in <a
href="https://github.com/JetBrains/kotlin/compare/v1.9.21...v1.9.22">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Initial version of the `firezone-connection` crate. To begin with, we
only establish a connection in a LAN, i.e. no hole-punching, no STUN or
TURN servers, just host candidates. As such, a lot of this PR is just
scaffolding for setting up the test environment and the actual
`ConnectionPool` implementation.
For the curious, I've left some TODOs where I am going to attempt
extending the implementation once we start dealing with STUN and TURN
servers.
I also extended CI to run these tests.
... and move its methods into ResourceDescription.
This was a TODO from some pull request in the last few days. I assume
the goal is to share this function between all clients if needed. It
doesn't reduce the number of lines of code, since I could have removed
ResourceDisplay and done this on-the-fly when building the systray menu,
as an alternative.
Fix for #2956 this is achieved by refreshing access to every resource
every 5 minutes.
There's still an open question for this PR:
When the gateway resolves an ip the gateway allows access to a DNS
resource it resolves the address and allow access to that ip for that
client.
Right now, until the access for that resource doesn't expire that access
isn't revoked.
We could change it so that we require the client to refresh such
access(with this PR those refresh queries are already being made every 5
minutes) every x minutes on top of the `expires_at` or we can keep
`expires_at` as to mean "allow access until `expires_at` for whatever
this resource resolves to".
cc @jamilbk @AndrewDryga
Previously, we just assumed that the domain in the query is a subdomain
of the resource but a malicious actor can hijack that field to access
domains that doesn't correspond to that resource.
With this patch we don't even resolve the address for unrelated domains.
Fixes#2470, now for linux it looks like:
```
Alpine Linux/3.19.0 (x86_64;5.15.133.1-microsoft-standard-WSL2;) connlib/1.0.0
```
For macos it looks like:
```
Mac OS/13.4.1 (arm64;22.5.0;) connlib/1.0.0
```
and this is how it looks on android:
```
Android/Unknown 6.1.23-android14-4-00257-g7e35917775b8-ab9964412 connlib/1.0.0
```
note: seems like in android emulator at least we can't get the
architecture so easily
Should fix#2880
The way I do it is after ~10 seconds dropping the
`gateway_awaiting_connection` and let the client try the connection
again, depending on upper layer, I think this is fine since the cases
where this happens is unlikely.
It's hard to test thoroughly but I'll test with bad-condition
simulators, [pumba](https://github.com/alexei-led/pumba) seems
promising. In the meantime I'm still creating the PR so that I can have
it reviewed.
Edit: Using Pumba with different % of packet loss things seems to go
well, and connections are actually established even if the packets are
loss. (Making a note that we should integrate pumba with our CI)
Partially fixes#2920
As explained in
https://github.com/firezone/firezone/issues/2920#issuecomment-1861642550
in the future we should change the way we resolve DNS queries in the
gateway to properly handle HTTPS record types.
With this patch this is what happens to an HTTPS query while firezone is
running:
```
kdig -t HTTPS ifconfig.net
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 15773
;; Flags: qr rd; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; ifconfig.net. IN HTTPS
;; Received 30 B
;; Time 2023-12-18 18:34:23 -03
;; From 100.100.111.1@53(UDP) in 0.6 ms
```
Fixes#2948
So it seems that it's easiest just to use an old-fashioned semver
string. This means we'll need to keep a version matrix in the docs of
which components are supported and for how long, but it's better than
having different version schemes for different Firezone components
altogether.
Automatically write the wintun.dll file on startup and then detect
whether we need to elevate to admin privileges.
I check for privileges by making a test tunnel, so I did #2758 as part
of this, which bundles the DLL inside the exe, and then the exe deploys
it.
---------
Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Prevent the edge case where our DNS sentinel could be used as a fallback
resolver. I didn't observe this in the wild, but we should avoid it in
case.
---------
Co-authored-by: Gabi <gabrielalejandro7@gmail.com>
This fixes#2503
Also:
* decouples data-plane and control-plane on the gateway
* fixes a thing were a client would stop retrying connecting to a
resource if it failed too many times
* add all routes on start instead of on a per-route basis
This reduces the failover time by depending on webrtc's keepalive
instead of wireguard's.
We have much more control over that, since boringtun doesn't bubble up
any of the keepalives timeout(only a trace warning).
In the a next commit, when things are more stable, we should just get
rid of wireguard's keep alive. When we remove webrtc we will build our
own.
Events based on `keepalive` timeouts are key to our failover system, so
we **need** it.
Draft because it's built on top of #2891 (which is completely separate
code but without that the failover just doesn't work correctly)
