pex: add support for figuring out the external data port via STUN servers

When establishing a direct connection on the auth/PEX port via DHT, both sides
need to know the externally mapped data port number in order to establish a
wireguard connection.
If there is an existing data connection, the port can be queried via PEX
over the tunnel. If that is not available, an external public server is needed
in order to poke a hole in the NAT. The easiest way to do this is to use
STUN, since there are a lot of public servers available.

The servers can be configured via the network data, based on the assumption,
that an auth exchange with network data update can be done directly

Signed-off-by: Felix Fietkau <[email protected]>

Author: nbd168

CMakeLists.txt

@@ -4,7 +4,7 @@ PROJECT(unetd C)
 
 
 SET(SOURCES
-	main.c network.c host.c service.c pex.c
+	main.c network.c host.c service.c pex.c pex-stun.c
 	wg.c wg-user.c
 )
 
@@ -43,7 +43,7 @@ ELSE()
   SET(ubus "")
 ENDIF()
 
-ADD_LIBRARY(unet SHARED curve25519.c siphash.c sha512.c fprime.c f25519.c ed25519.c edsign.c auth-data.c chacha20.c pex-msg.c utils.c)
+ADD_LIBRARY(unet SHARED curve25519.c siphash.c sha512.c fprime.c f25519.c ed25519.c edsign.c auth-data.c chacha20.c pex-msg.c utils.c stun.c)
 TARGET_LINK_LIBRARIES(unet ubox)
 
 ADD_EXECUTABLE(unetd ${SOURCES})

network.c

@@ -32,6 +32,7 @@ enum {
 	NETCONF_ATTR_PORT,
 	NETCONF_ATTR_PEX_PORT,
 	NETCONF_ATTR_KEEPALIVE,
+	NETCONF_ATTR_STUN_SERVERS,
 	__NETCONF_ATTR_MAX
 };
 
@@ -40,6 +41,7 @@ static const struct blobmsg_policy netconf_policy[__NETCONF_ATTR_MAX] = {
 	[NETCONF_ATTR_PORT] = { "port", BLOBMSG_TYPE_INT32 },
 	[NETCONF_ATTR_PEX_PORT] = { "peer-exchange-port", BLOBMSG_TYPE_INT32 },
 	[NETCONF_ATTR_KEEPALIVE] = { "keepalive", BLOBMSG_TYPE_INT32 },
+	[NETCONF_ATTR_STUN_SERVERS] = { "stun-servers", BLOBMSG_TYPE_ARRAY },
 };
 
 const struct blobmsg_policy network_policy[__NETWORK_ATTR_MAX] = {
@@ -61,6 +63,15 @@ const struct blobmsg_policy network_policy[__NETWORK_ATTR_MAX] = {
 AVL_TREE(networks, avl_strcmp, false, NULL);
 static struct blob_buf b;
 
+static void network_load_stun_servers(struct network *net, struct blob_attr *data)
+{
+	struct blob_attr *cur;
+	int rem;
+
+	blobmsg_for_each_attr(cur, data, rem)
+		network_stun_server_add(net, blobmsg_get_string(cur));
+}
+
 static void network_load_config_data(struct network *net, struct blob_attr *data)
 {
 	struct blob_attr *tb[__NETCONF_ATTR_MAX];
@@ -95,6 +106,10 @@ static void network_load_config_data(struct network *net, struct blob_attr *data
 		net->net_config.keepalive = blobmsg_get_u32(cur);
 	else
 		net->net_config.keepalive = 0;
+
+	if ((cur = tb[NETCONF_ATTR_STUN_SERVERS]) != NULL &&
+	    blobmsg_check_array(cur, BLOBMSG_TYPE_STRING) > 0)
+		network_load_stun_servers(net, cur);
 }
 
 static int network_load_data(struct network *net, struct blob_attr *data)
@@ -398,6 +413,7 @@ static void network_reload(struct uloop_timeout *t)
 
 	memset(&net->net_config, 0, sizeof(net->net_config));
 
+	network_stun_free(net);
 	network_pex_close(net);
 	network_services_free(net);
 	network_hosts_update_start(net);
@@ -424,6 +440,7 @@ static void network_reload(struct uloop_timeout *t)
 	unetd_write_hosts();
 	network_do_update(net, true);
 	network_pex_open(net);
+	network_stun_start(net);
 	unetd_ubus_notify(net);
 }
 
@@ -469,6 +486,7 @@ static void network_teardown(struct network *net)
 	uloop_timeout_cancel(&net->connect_timer);
 	uloop_timeout_cancel(&net->reload_timer);
 	network_do_update(net, false);
+	network_stun_free(net);
 	network_pex_close(net);
 	network_pex_free(net);
 	network_hosts_free(net);
@@ -600,6 +618,7 @@ network_alloc(const char *name)
 	avl_insert(&networks, &net->node);
 
 	network_pex_init(net);
+	network_stun_init(net);
 	network_hosts_init(net);
 	network_services_init(net);
 

network.h

@@ -49,6 +49,7 @@ struct network {
 		int port;
 		int pex_port;
 		bool local_host_changed;
+		struct blob_attr *stun_list;
 	} net_config;
 
 	void *net_data;
@@ -71,6 +72,7 @@ struct network {
 	struct uloop_timeout connect_timer;
 
 	struct network_pex pex;
+	struct network_stun stun;
 };
 
 enum {

pex-msg.h

@@ -24,6 +24,7 @@ enum pex_opcode {
 	PEX_MSG_UPDATE_RESPONSE_DATA,
 	PEX_MSG_UPDATE_RESPONSE_NO_DATA,
 	PEX_MSG_ENDPOINT_NOTIFY,
+	PEX_MSG_ENDPOINT_PORT_NOTIFY,
 };
 
 #define PEX_ID_LEN		8
@@ -76,6 +77,10 @@ struct pex_update_response_no_data {
 	uint64_t cur_version;
 };
 
+struct pex_endpoint_port_notify {
+	uint16_t port;
+};
+
 struct pex_msg_update_send_ctx {
 	const uint8_t *pubkey;
 	const uint8_t *auth_key;