sandialabs / wiretap

Wiretap is a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run.

Not closing connection on RST #13

Closed SkyperTHC closed 1 year ago

SkyperTHC commented 1 year ago

I'm sorry for not investigating this further and please accept the 'observation' rather than a bug report.

I'm using https://thc.org/segfault/wireguard with the wiretap v0.3.0 (--simple branch) with WIRETAP_SIMPLE=true ./wiretap_linux_amd64 serve --ipv4-relay 192.168.0.1 --ipv6-relay fd::1 --allowed 192.168.0.1/28,fd::1/125

The Exit Node is a Linux x86_64 running wiretap. The origin host runs nmap -n -Pn -sT -p1-512 --open scanme.nmap.org

Issue: The scan never finishes.

It appears that the wiretap keeps the connection open even when the Origin-Server sent a RST.

On the Exit node:

root@gs6:~# tcpdump -n -i ens3 host 45.33.32.156 and port 80
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:42:56.401101 IP 51.83.131.42.55984 > 45.33.32.156.80: Flags [S], seq 2942595855, win 1460, options [mss 1460,sackOK,TS val 766681198 ecr 0,nop,wscale 2], length 0
16:42:56.579900 IP 45.33.32.156.80 > 51.83.131.42.55984: Flags [S.], seq 1777498995, ack 2942595856, win 65160, options [mss 1460,sackOK,TS val 2105695364 ecr 766681198,nop,wscale 7], length 0
16:42:56.579928 IP 51.83.131.42.55984 > 45.33.32.156.80: Flags [.], ack 1, win 365, options [nop,nop,TS val 766681377 ecr 2105695364], length 0

On the origin (where nmap is running)

┌──(EXIT:Dirt)(root💀sf-BiologyMetal)-[~]
└─# tcpdump -n  -i wgExit port 80
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wgExit, link-type RAW (Raw IP), snapshot length 262144 bytes

16:42:56.389574 IP 192.168.0.2.40372 > 45.33.32.156.80: Flags [S], seq 1050340797, win 64860, options [mss 1380,sackOK,TS val 2860797468 ecr 0,nop,wscale 7], length 0
16:42:56.591281 IP 45.33.32.156.80 > 192.168.0.2.40372: Flags [S.], seq 4170675645, ack 1050340798, win 27584, options [mss 1380,sackOK,TS val 3287297152 ecr 2860797468,nop,wscale 5], length 0
16:42:56.591319 IP 192.168.0.2.40372 > 45.33.32.156.80: Flags [.], ack 1, win 507, options [nop,nop,TS val 2860797670 ecr 3287297152], length 0
16:42:56.591406 IP 192.168.0.2.40372 > 45.33.32.156.80: Flags [R.], seq 1, ack 1, win 507, options [nop,nop,TS val 2860797670 ecr 3287297152], length 0

On the Exit Node the connection still shows ESTAB:

root@gs6:~# ss -antp | grep -F 45.33.32.156
ESTAB  0      0       51.83.131.42:55984   45.33.32.156:80    users:(("wiretap_linux_a",pid=125573,fd=11))

My gut feeling is that wiretap only processes a 'clean close' (FIN) but ignores the RST.

luker983 commented 1 year ago

Thanks for the report!

Completed connections that were immediately terminated hit a condition where a goroutine would just spin in a busy loop and the connection would never be reaped.

Added some logic to get the remote address of a connection up-front and then respond correctly to closed connections in f2cf27d as a part of the tcp-fixes branch. This will be merged into main and a new release once I go through the rest of the related issues and verify that things are working properly.
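The failure mode described above, a relay goroutine that keeps looping on a connection whose peer has already sent a RST, is generic to any userspace TCP proxy. The program below is an added illustration and is not wiretap's code, nor the fix in f2cf27d: it shows the two pieces a defender would check for in such a proxy. `isTerminal` classifies a read/write error as "peer is gone" (RST surfaces as `ECONNRESET` on read or `EPIPE` on write, FIN as `io.EOF`) versus retryable (a deadline timeout), failing closed on anything unknown; `relay` pumps bytes in both directions and tears down both legs on the first error, so the goroutine pair always exits and there is no retry path that can spin. The function names, the loopback demo in `main` and the `SO_LINGER=0` close used to provoke a RST are all my constructions.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"sync"
	"syscall"
)

// isTerminal reports whether an error from a net.Conn means the connection is
// dead and must be reaped. A RST shows up as ECONNRESET (read) or EPIPE (write);
// a FIN as io.EOF; a local Close as net.ErrClosed. Only a deadline timeout is
// treated as retryable. Unknown errors fail closed: a loop that does
// `if err != nil { continue }` on a permanent error spins forever and leaks
// the connection, which is exactly the bug discussed in this issue.
func isTerminal(err error) bool {
	if err == nil {
		return false
	}
	if errors.Is(err, io.EOF) || errors.Is(err, net.ErrClosed) ||
		errors.Is(err, syscall.ECONNRESET) || errors.Is(err, syscall.EPIPE) {
		return true
	}
	var ne net.Error
	if errors.As(err, &ne) && ne.Timeout() {
		return false // the one case a caller may legitimately retry
	}
	return true
}

// relay copies bytes a<->b until either direction fails. The first failure
// (FIN, RST or local close) closes BOTH legs, which unblocks the other pump,
// so both goroutines exit and the connection is reaped. The returned error is
// the one that triggered teardown; nil means the peer closed cleanly with FIN.
func relay(a, b net.Conn) error {
	var (
		once  sync.Once
		cause error
		wg    sync.WaitGroup
	)
	pump := func(dst, src net.Conn) {
		defer wg.Done()
		_, err := io.Copy(dst, src) // returns nil on EOF, the error otherwise
		once.Do(func() {
			cause = err
			a.Close()
			b.Close()
		})
	}
	wg.Add(2)
	go pump(a, b)
	go pump(b, a)
	wg.Wait()
	return cause
}

func main() {
	// Constructed loopback scenario: a sink "upstream", a "proxy" that relays to
	// it, and a client that closes with SO_LINGER=0 so the kernel emits a RST
	// rather than a FIN. The relay must still return promptly.
	upstream, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		fmt.Println("listen:", err)
		os.Exit(1)
	}
	defer upstream.Close()
	go func() {
		for {
			c, err := upstream.Accept()
			if err != nil {
				return
			}
			go func() { io.Copy(io.Discard, c); c.Close() }()
		}
	}()
	proxy, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		fmt.Println("listen:", err)
		os.Exit(1)
	}
	defer proxy.Close()
	result := make(chan error, 1)
	go func() {
		in, err := proxy.Accept()
		if err != nil {
			result <- err
			return
		}
		out, err := net.Dial("tcp", upstream.Addr().String())
		if err != nil {
			in.Close()
			result <- err
			return
		}
		result <- relay(in, out)
	}()
	client, err := net.Dial("tcp", proxy.Addr().String())
	if err != nil {
		fmt.Println("dial:", err)
		os.Exit(1)
	}
	client.(*net.TCPConn).SetLinger(0) // zero linger: Close() sends RST, not FIN
	client.Write([]byte("probe"))
	client.Close()
	err = <-result
	fmt.Printf("relay ended: %v (terminal=%v)\n", err, isTerminal(err))
}
```

Whether the proxy sees the "probe" bytes before the reset is a race, so the relay may end with `ECONNRESET` or with a clean EOF depending on timing; in both cases `isTerminal` says the connection is done and the `ss` output on the exit node would no longer show an ESTAB entry for it. The design point is that teardown is driven by the first error of either direction, not by waiting for a FIN.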