WireGuard over TCP, new state file

[jwijenbergh]

Sorry for not splitting this up further.

Breaking changes

State machine

The state machine has been simplified and some states have been remove or renamed

Renamed: No Server -> Main

Removed:

• Chosen location
• Chosen profile
• Loading server
• Authorized

Added:

• Adding server
• Getting config
• Disconnected

The new FSM is:

graph TD

style Deregistered fill:white
Deregistered(Deregistered) -->|Register| Main

style Main fill:white
Main(Main) -->|Deregister| Deregistered

style Main fill:white
Main(Main) -->|Add a server| AddingServer

style Main fill:white
Main(Main) -->|Get a VPN config| GettingConfig

style Main fill:white
Main(Main) -->|Already connected| Connected

style AddingServer fill:white
AddingServer(AddingServer) -->|Authorize| OAuthStarted

style OAuthStarted fill:white
OAuthStarted(OAuthStarted) -->|Authorized| Main

style GettingConfig fill:white
GettingConfig(GettingConfig) -->|Invalid location| AskLocation

style GettingConfig fill:white
GettingConfig(GettingConfig) -->|Invalid or no profile| AskProfile

style GettingConfig fill:white
GettingConfig(GettingConfig) -->|Successfully got a configuration| GotConfig

style GettingConfig fill:white
GettingConfig(GettingConfig) -->|Authorize| OAuthStarted

style AskLocation fill:white
AskLocation(AskLocation) -->|Location chosen| GettingConfig

style AskProfile fill:white
AskProfile(AskProfile) -->|Profile chosen| GettingConfig

style GotConfig fill:white
GotConfig(GotConfig) -->|Get a VPN config again| GettingConfig

style GotConfig fill:white
GotConfig(GotConfig) -->|VPN is connecting| Connecting

style Connecting fill:white
Connecting(Connecting) -->|VPN is connected| Connected

style Connecting fill:white
Connecting(Connecting) -->|Cancel connecting| Disconnecting

style Connected fill:cyan
Connected(Connected) -->|VPN is disconnecting| Disconnecting

style Disconnecting fill:white
Disconnecting(Disconnecting) -->|VPN is disconnected| Disconnected

style Disconnecting fill:white
Disconnecting(Disconnecting) -->|Cancel disconnecting| Connected

style Disconnected fill:white
Disconnected(Disconnected) -->|Connect again| GettingConfig

style Disconnected fill:white
Disconnected(Disconnected) -->|Renew| OAuthStarted

API

The SetSecureLocation function now requires you to pass the organization id. Additionally, you can no longer pass a cookie to this function.

Tokens

Rename the expires_in field to expires_at

Profiles

• Removed the list of protocols for each profile that is returned

Token Setter/Getter

• The first argument of the server JSON has been replaced with two arguments: the server identifier (a string), and the server type (integer, unknown=0, institute access=1, secure internet=2, custom=3)

Additional

WireGuard over HTTP

We return a proxy with the source port, listen port and peer when getting a configuration. Pass these arguments to StartProxyguard. The client has to ensure that the traffic coming out of the proxy is going outside of the VPN. This can be done by using the source port and the peer destination as an exclusion. This function also takes a callback as last argument, set to nil/None or put a value here to do something with the underlying socket FD, e.g. on android you can use this to also exclude routing traffic: https://developer.android.com/reference/android/net/VpnService#protect(int).

Failover

The configuration now returns a should_failover boolean that indicates whether or not failover should be started. The client should only failover when this boolean is true.

Internal changes

• Moved from internal OAuth implementation to https://github.com/jwijenbergh/eduoauth-go
• Created a new state file (version 2, v2), however, common migrates from v1 to v2 automatically
• add a WireGuard ini parser
• refactor internal/server package
• split api into separate package and refactor using the new OAuth implementation into internal/api
• removed go-errors/errors