.dockerignore

@@ -0,0 +1,5 @@
+# Ignore everything
+*
+
+# Allow the tunnel binary
+!/build/tunneld

.github/workflows/release.yaml

@@ -87,7 +87,7 @@ jobs:
         uses: ncipollo/release-action@v1
         with:
           artifacts: "build/tunneld"
-          body: "Docker image: `${{ env.docker_image_tag }}`"
+          body: "Docker image: `${{ steps.build.outputs.docker_tag }}`"
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Upload artifacts to actions (if dry-run or snapshot)

.golangci.yaml

@@ -211,7 +211,6 @@ linters:
     - asciicheck
     - bidichk
     - bodyclose
-    - deadcode
     - dogsled
     - errcheck
     - errname
@@ -255,4 +254,3 @@ linters:
     - typecheck
     - unconvert
     - unused
-    - varcheck

Dockerfile

@@ -11,6 +11,6 @@ LABEL \
 RUN adduser -D -u 1000 tunneld
 USER tunneld
 
-COPY tunneld /
+COPY ./build/tunneld /
 
 CMD ["/tunneld"]

LICENSE

@@ -1,18 +1,21 @@
-Copyright (c) 2023 Coder Technologies, Inc - https://coder.com
+The MIT License (MIT)
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the "Software"), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-the Software, and to permit persons to whom the Software is furnished to do so,
-subject to the following conditions:
+Copyright (c) 2023 Coder Technologies, Inc.
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
 
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

Makefile

@@ -49,17 +49,12 @@ build/tunneld.tag: build/tunneld
 	version="$(VERSION)"
 	tag="ghcr.io/coder/wgtunnel/tunneld:$${version//+/-}"
 
-	# make a temp directory, copy the binary into it, and build the image.
-	temp_dir=$$(mktemp -d)
-	cp build/tunneld "$$temp_dir"
-
 	docker build \
 		--file Dockerfile \
 		--build-arg "WGTUNNEL_VERSION=$(VERSION)" \
 		--tag "$$tag" \
-		"$$temp_dir"
+		.
 
-	rm -rf "$$temp_dir"
 	echo "$$tag" > "$@"
 
 test:

cmd/tunneld/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"errors"
 	"io"
 	"log"
 	"net/http"
@@ -104,6 +105,12 @@ func main() {
 				Value:   tunneld.DefaultWireguardNetworkPrefix.String(),
 				EnvVars: []string{"TUNNELD_WIREGUARD_NETWORK_PREFIX"},
 			},
+			&cli.StringFlag{
+				Name:    "real-ip-header",
+				Usage:   "Use the given header as the real IP address rather than the remote socket address.",
+				Value:   "",
+				EnvVars: []string{"TUNNELD_REAL_IP_HEADER"},
+			},
 			&cli.StringFlag{
 				Name:    "pprof-listen-address",
 				Usage:   "The address to listen on for pprof. If set to an empty string, pprof will not be enabled.",
@@ -115,6 +122,11 @@ func main() {
 				Usage:   "The Honeycomb team ID to send tracing data to. If not specified, tracing will not be shipped anywhere.",
 				EnvVars: []string{"TUNNELD_TRACING_HONEYCOMB_TEAM"},
 			},
+			&cli.StringFlag{
+				Name:    "tracing-instance-id",
+				Usage:   "The instance ID to annotate all traces with that uniquely identifies this deployment.",
+				EnvVars: []string{"TUNNELD_TRACING_INSTANCE_ID"},
+			},
 		},
 		Action: runApp,
 	}
@@ -137,8 +149,10 @@ func runApp(ctx *cli.Context) error {
 		wireguardMTU           = ctx.Int("wireguard-mtu")
 		wireguardServerIP      = ctx.String("wireguard-server-ip")
 		wireguardNetworkPrefix = ctx.String("wireguard-network-prefix")
+		realIPHeader           = ctx.String("real-ip-header")
 		pprofListenAddress     = ctx.String("pprof-listen-address")
 		tracingHoneycombTeam   = ctx.String("tracing-honeycomb-team")
+		tracingInstanceID      = ctx.String("tracing-instance-id")
 	)
 	if baseURL == "" {
 		return xerrors.New("base-url is required. See --help for more information.")
@@ -166,12 +180,12 @@ func runApp(ctx *cli.Context) error {
 	if tracingHoneycombTeam != "" {
 		exp, err := newHoneycombExporter(ctx.Context, tracingHoneycombTeam)
 		if err != nil {
-			return xerrors.Errorf("failed to create honeycomb telemetry exporter: %w", err)
+			return xerrors.Errorf("create honeycomb telemetry exporter: %w", err)
 		}
 
 		// Create a new tracer provider with a batch span processor and the otlp
 		// exporter.
-		tp := newTraceProvider(exp)
+		tp := newTraceProvider(exp, tracingInstanceID)
 		otel.SetTracerProvider(tp)
 		otel.SetTextMapPropagator(
 			propagation.NewCompositeTextMapPropagator(
@@ -203,7 +217,7 @@ func runApp(ctx *cli.Context) error {
 
 	if wireguardKeyFile != "" {
 		_, err = os.Stat(wireguardKeyFile)
-		if xerrors.Is(err, os.ErrNotExist) {
+		if errors.Is(err, os.ErrNotExist) {
 			logger.Info(ctx.Context, "generating private key to file", slog.F("path", wireguardKeyFile))
 			key, err := tunnelsdk.GeneratePrivateKey()
 			if err != nil {
@@ -240,6 +254,7 @@ func runApp(ctx *cli.Context) error {
 		WireguardMTU:           wireguardMTU,
 		WireguardServerIP:      wireguardServerIPParsed,
 		WireguardNetworkPrefix: wireguardNetworkPrefixParsed,
+		RealIPHeader:           realIPHeader,
 	}
 	td, err := tunneld.New(options)
 	if err != nil {

cmd/tunneld/tracing.go

@@ -7,8 +7,10 @@ import (
 	"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"
 	"go.opentelemetry.io/otel/sdk/resource"
 	sdktrace "go.opentelemetry.io/otel/sdk/trace"
-	semconv "go.opentelemetry.io/otel/semconv/v1.4.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.11.0"
 	"google.golang.org/grpc/credentials"
+
+	"github.com/coder/wgtunnel/buildinfo"
 )
 
 func newHoneycombExporter(ctx context.Context, teamID string) (*otlptrace.Exporter, error) {
@@ -24,10 +26,12 @@ func newHoneycombExporter(ctx context.Context, teamID string) (*otlptrace.Export
 	return otlptrace.New(ctx, client)
 }
 
-func newTraceProvider(exp *otlptrace.Exporter) *sdktrace.TracerProvider {
+func newTraceProvider(exp *otlptrace.Exporter, instanceID string) *sdktrace.TracerProvider {
 	rsc := resource.NewWithAttributes(
 		semconv.SchemaURL,
 		semconv.ServiceNameKey.String("WireguardTunnel"),
+		semconv.ServiceInstanceIDKey.String(instanceID),
+		semconv.ServiceVersionKey.String(buildinfo.Version()),
 	)
 
 	return sdktrace.NewTracerProvider(

compose/.env.example

@@ -0,0 +1,2 @@
+CLOUDFLARE_TOKEN=
+HONEYCOMB_TEAM=

compose/.gitignore

@@ -0,0 +1 @@
+.env

compose/Makefile

@@ -0,0 +1,17 @@
+# Use a single bash shell for each job, and immediately exit on failure
+SHELL := bash
+.SHELLFLAGS := -ceu
+.ONESHELL:
+
+# Don't print the commands in the file unless you specify VERBOSE. This is
+# essentially the same as putting "@" at the start of each line.
+ifndef VERBOSE
+.SILENT:
+endif
+
+up:
+	pushd ..
+		make -B build
+	popd
+	docker compose -p wgtunnel up --build
+.PHONY: up

compose/caddy/Dockerfile

@@ -0,0 +1,12 @@
+ARG CADDY_VERSION=2.6.4
+FROM caddy:${CADDY_VERSION}-builder AS builder
+
+RUN xcaddy build \
+    --with github.com/lucaslorentz/caddy-docker-proxy/v2 \
+    --with github.com/caddy-dns/cloudflare
+
+FROM caddy:${CADDY_VERSION}
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
+
+CMD ["caddy", "docker-proxy"]

compose/docker-compose.yml

@@ -0,0 +1,47 @@
+version: "3.9"
+services:
+  caddy:
+    build: ./caddy
+    ports:
+      - 8080:80
+      - 4443:443
+    environment:
+      - CADDY_INGRESS_NETWORKS=caddy
+    networks:
+      - caddy
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - caddy_data:/data
+    restart: unless-stopped
+
+  tunnel:
+    build: ..
+    restart: always
+    ports:
+      - 55551:55551/udp
+    networks:
+      - caddy
+    environment:
+      TUNNELD_LISTEN_ADDRESS: "0.0.0.0:8080"
+      TUNNELD_BASE_URL: "https://local.try.coder.app:4443"
+      TUNNELD_WIREGUARD_ENDPOINT: "local.try.coder.app:55551"
+      TUNNELD_WIREGUARD_PORT: "55551"
+      TUNNELD_WIREGUARD_KEY_FILE: "/home/tunneld/wg.key"
+      TUNNELD_WIREGUARD_MTU: "1280"
+      TUNNELD_WIREGUARD_SERVER_IP: "fcca::1"
+      TUNNELD_WIREGUARD_NETWORK_PREFIX: "fcca::/16"
+      TUNNELD_REAL_IP_HEADER: "X-Forwarded-For"
+      TUNNELD_PPROF_LISTEN_ADDRESS: "127.0.0.1:6060"
+      TUNNELD_TRACING_HONEYCOMB_TEAM: "${HONEYCOMB_TEAM}"
+      TUNNELD_TRACING_INSTANCE_ID: "local"
+    labels:
+      caddy: "local.try.coder.app, *.local.try.coder.app"
+      caddy.reverse_proxy: "{{upstreams 8080}}"
+      caddy.tls.dns: cloudflare ${CLOUDFLARE_TOKEN}
+
+networks:
+  caddy:
+    external: true
+
+volumes:
+  caddy_data: {}

go.mod

@@ -2,60 +2,65 @@ module github.com/coder/wgtunnel
 
 go 1.20
 
+replace github.com/tailscale/wireguard-go => github.com/coder/wireguard-go v0.0.0-20240502122727-a4cb23ac736d
+
 require (
-	cdr.dev/slog v1.4.1
-	github.com/go-chi/chi v1.5.4
-	github.com/go-chi/httprate v0.7.1
-	github.com/stretchr/testify v1.8.1
-	github.com/urfave/cli/v2 v2.24.4
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.36.4
-	go.opentelemetry.io/otel v1.11.1
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.11.1
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.11.1
-	go.opentelemetry.io/otel/sdk v1.11.1
-	go.opentelemetry.io/otel/trace v1.11.1
-	golang.org/x/mod v0.8.0
-	golang.org/x/sync v0.1.0
+	cdr.dev/slog v1.6.2-0.20230901043036-3e17d6de9749
+	github.com/go-chi/chi/v5 v5.0.10
+	github.com/go-chi/hostrouter v0.2.0
+	github.com/go-chi/httprate v0.7.4
+	github.com/riandyrn/otelchi v0.5.1
+	github.com/stretchr/testify v1.8.4
+	github.com/tailscale/wireguard-go v0.0.0-20231121184858-cc193a0b3272
+	github.com/urfave/cli/v2 v2.25.7
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0
+	go.opentelemetry.io/otel v1.18.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.18.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.18.0
+	go.opentelemetry.io/otel/sdk v1.18.0
+	go.opentelemetry.io/otel/trace v1.18.0
+	golang.org/x/mod v0.12.0
+	golang.org/x/sync v0.3.0
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
-	golang.zx2c4.com/wireguard v0.0.0-20230223181233-21636207a675
-	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230215201556-9c5414ab4bde
-	google.golang.org/grpc v1.53.0
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
+	google.golang.org/grpc v1.58.3
 )
 
 require (
-	github.com/alecthomas/chroma v0.10.0 // indirect
-	github.com/cenkalti/backoff/v4 v4.2.0 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/charmbracelet/lipgloss v0.7.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/dlclark/regexp2 v1.8.1 // indirect
-	github.com/fatih/color v1.14.1 // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
-	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/golang/glog v1.0.0 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.1 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0 // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/muesli/reflow v0.3.0 // indirect
+	github.com/muesli/termenv v0.15.2 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
-	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.11.1 // indirect
-	go.opentelemetry.io/otel/metric v0.33.0 // indirect
-	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
-	golang.org/x/crypto v0.6.0 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/term v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	go.opentelemetry.io/contrib v1.19.0 // indirect
+	go.opentelemetry.io/otel/metric v1.18.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
+	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	google.golang.org/genproto v0.0.0-20230223222841-637eb2293923 // indirect
-	google.golang.org/protobuf v1.28.2-0.20230118093459-a9481185b34d // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0 // indirect
+	gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 // indirect
 )