ipn/wg: make endpoints & warp cfg update-able

ignoramous · ignoramous · commit cd3832433d21 · 2025-05-13T23:37:51.000+05:30
warp/amenzia configuration and peer endpoints may change their endpoints
on-the-fly. Make wgconn.go aware of those changes by passing it raw volatile
values for warp/amnezia configuration and peer endpoints rather than fixed
pointers (which may be later rendered obselete due to wgproxy.update()).

wireguard's ipc can handle adding or updating new peers in-place, just fine.
diff --git a/intra/ipn/wg/wgconn.go b/intra/ipn/wg/wgconn.go
@@ -100,9 +100,9 @@ type connector func(network, to string) (net.PacketConn, error)
 type StdNetBind struct {
 	id      string
 	connect connector
-	pm      *multihost.MHMap // peer ip:port or host => preferred-addrs
+	pm      *core.Volatile[*multihost.MHMap] // peer ip:port or host => preferred-addrs
 
-	amnezia *Amnezia
+	amnezia *core.Volatile[*Amnezia] // may return nil *Amnezia
 	floodBa *core.Barrier[int, netip.AddrPort]
 
 	mu         sync.Mutex     // protects following fields
@@ -119,7 +119,7 @@ type StdNetBind struct {
 }
 
 // TODO: get d, ep, f, rb through an Opts bag?
-func NewEndpoint(id string, d connector, pm *multihost.MHMap, f rwobserver, a *Amnezia) *StdNetBind {
+func NewEndpoint(id string, d connector, pm *core.Volatile[*multihost.MHMap], f rwobserver, a *core.Volatile[*Amnezia]) *StdNetBind {
 	s := &StdNetBind{
 		id:       id,
 		connect:  d,
@@ -161,7 +161,7 @@ func (e *StdNetBind) ParseEndpoint(s string) (conn.Endpoint, error) {
 	// do what tailscale does, and share a preferred endpoint regardless of "s"
 	// github.com/tailscale/tailscale/blob/3a6d3f1a5b7/wgengine/magicsock/magicsock.go#L2568
 	// d.Add([]string{host}) // resolves host if needed
-	d, err := e.pm.Get(s)
+	d, err := e.pm.Load().Get(s)
 	if err != nil || d == nil /*nilaway; can't happen*/ {
 		log.E("wg: bind: %s parse: invalid endpoint in(%s); err: %v", e.id, s, err)
 		return nil, err
@@ -347,7 +347,7 @@ func (s *StdNetBind) makeReceiveFn(uc net.PacketConn) conn.ReceiveFunc {
 		extend(uc, wgtimeout)
 		n, addr, err := uc.ReadFrom(b)
 		if err == nil {
-			recvOverwritten = s.amnezia.recv(&b)
+			recvOverwritten = s.amnezia.Load().recv(&b)
 			numMsgs++
 		}
 
@@ -357,7 +357,7 @@ func (s *StdNetBind) makeReceiveFn(uc net.PacketConn) conn.ReceiveFunc {
 		}
 
 		logeif(err != nil && !timedout(err))("wg: bind: %s recvFrom(%v): %d / ov? %t<=%t / err? %v",
-			s.id, addr, n, s.amnezia.Set(), recvOverwritten, err)
+			s.id, addr, n, s.amnezia.Load().Set(), recvOverwritten, err)
 		return numMsgs, err
 	}
 }
@@ -414,9 +414,9 @@ func (s *StdNetBind) Send(buf [][]byte, peer conn.Endpoint) (err error) {
 
 		datalen := len(data) // grab the length before we overwrite it
 
-		overwritten = s.amnezia.send(&data)
+		overwritten = s.amnezia.Load().send(&data)
 
-		if !flooded && (experimentalWg || s.amnezia.Set()) {
+		if !flooded && (experimentalWg || s.amnezia.Load().Set()) {
 			if datalen == device.MessageInitiationSize {
 				s.flood(uc, ep, fkHandshake) // was probably a handshake
 				flooded = true
diff --git a/intra/ipn/wgproxy.go b/intra/ipn/wgproxy.go
@@ -101,7 +101,6 @@ type wgtun struct {
 	ep            *channel.Endpoint // reads and writes packets to/from stack
 	ingress       chan *buffer.View // pipes ep writes to wg
 	events        chan tun.Event    // wg specific tun (interface) events
-	amnezia       *wg.Amnezia       // amnezia config, if any
 	finalize      chan struct{}     // close signal for incomingPacket
 	once          sync.Once         // closer fn; exec exactly once
 	preferOffload bool              // UDP GRO/GSO offloads
@@ -120,10 +119,12 @@ type wgtun struct {
 	desiredmtu atomic.Uint32 // desired mtu
 	netmtu     atomic.Uint32 // underlay network mtu
 
-	peers  *core.Volatile[map[string]device.NoisePublicKey] // peer (remote endpoint) public keys
-	dns    *core.Volatile[*multihost.MH]                    // dns resolver for this interface
-	remote *core.Volatile[*multihost.MHMap]                 // peer (remote endpoint) addrs
-	rt     x.IpTree                                         // route table for this interface
+	peers   *core.Volatile[map[string]device.NoisePublicKey] // peer (remote endpoint) public keys
+	dns     *core.Volatile[*multihost.MH]                    // dns resolver for this interface
+	remote  *core.Volatile[*multihost.MHMap]                 // peer (remote endpoint) addrs
+	amnezia *core.Volatile[*wg.Amnezia]                      // amnezia/warp config, if any
+
+	rt x.IpTree // route table for this interface
 
 	refreshBa *core.Barrier[bool, string] // 2mins refresh barrier
 
@@ -385,8 +386,9 @@ func (w *wgproxy) update(id, txt string) bool {
 	}
 
 	if settings.Debug {
-		if !w.amnezia.Same(opts.amnezia) {
-			log.D("proxy: wg: update(%s): failed; amnezia %v != %v", w.id, opts.amnezia, w.amnezia)
+		if !w.amnezia.Load().Same(opts.amnezia) {
+			log.D("proxy: wg: update(%s): failed; amnezia %v != %v",
+				w.id, opts.amnezia, w.amnezia.Load())
 		}
 		if opts.dns != nil && !opts.dns.EqualAddrs(w.dns.Load()) {
 			log.D("proxy: wg: update(%s): failed; new/mismatched dns", w.id)
@@ -403,10 +405,10 @@ func (w *wgproxy) update(id, txt string) bool {
 
 	w.peers.Store(opts.peers) // re-assignment is okay (map entry modification is not)
 	w.allowedIPs(opts.allowed)
-	w.remote.Store(opts.eps)             // requires refresh
-	w.dns.Store(opts.dns)                // requires refresh
+	w.remote.Store(opts.eps)             // requires refresh (wg.Conn:ParseEndpoint must be re-called)
+	w.dns.Store(opts.dns)                // requires refresh (client must also re-add via intra.AddDNSProxy)
 	w.desiredmtu.Store(uint32(opts.mtu)) // requires reset; [NOMTU, MAXMTU)
-	w.amnezia = opts.amnezia             // TODO: core.Volatile?
+	w.amnezia.Store(opts.amnezia)
 	w.resetMtu(w.getVia())
 
 	return reuse
@@ -651,9 +653,11 @@ func NewWgProxy(id string, ctl protect.Controller, px ProxyProvider, lp LinkProp
 	var wgep wgconn
 	if wgtun.preferOffload {
 		// todo: use wgtun.serve fn instead of ctl
+		// todo: wgtun.remote instead of opts.eps
+		// todo: amnezia/warp config
 		wgep = wg.NewEndpoint2(id, ctl, opts.eps, wgtun.listener)
 	} else {
-		wgep = wg.NewEndpoint(id, wgtun.serve, opts.eps, wgtun.listener, wgtun.amnezia)
+		wgep = wg.NewEndpoint(id, wgtun.serve, wgtun.remote, wgtun.listener, wgtun.amnezia)
 	}
 
 	wgdev := device.NewDevice(wgtun, wgep, wglogger(id))
@@ -786,7 +790,7 @@ func makeWgTun(id, cfg string, ctl protect.Controller, px ProxyProvider, lp Link
 		remote:        core.NewVolatile(ifopts.eps),   // may be nil
 		peers:         core.NewVolatile(ifopts.peers), // its entries must never be modified
 		rt:            x.NewIpTree(),                  // must be set to allowedaddrs
-		amnezia:       ifopts.amnezia,
+		amnezia:       core.NewVolatile(ifopts.amnezia),
 		status:        core.NewVolatile(TUP),
 		preferOffload: preferOffload(id),
 		refreshBa:     core.NewBarrier[bool](refreshInterval),
