|
@@ -208,17 +208,6 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
|
|
|
}
|
|
|
}
|
|
|
|
|
|
- if !anyVpnAddrsInCommon {
|
|
|
- f.l.WithField("vpnNetworks", vpnNetworks).
|
|
|
- WithField("udpAddr", addr).
|
|
|
- WithField("certName", certName).
|
|
|
- WithField("certVersion", certVersion).
|
|
|
- WithField("fingerprint", fingerprint).
|
|
|
- WithField("issuer", issuer).
|
|
|
- WithField("handshake", m{"stage": 1, "style": "ix_psk0"}).Error("No usable vpn addresses from host, refusing handshake")
|
|
|
- return
|
|
|
- }
|
|
|
-
|
|
|
if addr.IsValid() {
|
|
|
// addr can be invalid when the tunnel is being relayed.
|
|
|
// We only want to apply the remote allow list for direct tunnels here
|
|
@@ -253,26 +242,30 @@ func ixHandshakeStage1(f *Interface, addr netip.AddrPort, via *ViaSender, packet
|
|
|
},
|
|
|
}
|
|
|
|
|
|
- f.l.WithField("vpnAddrs", vpnAddrs).WithField("udpAddr", addr).
|
|
|
- WithField("certName", certName).
|
|
|
- WithField("certVersion", certVersion).
|
|
|
- WithField("fingerprint", fingerprint).
|
|
|
- WithField("issuer", issuer).
|
|
|
- WithField("initiatorIndex", hs.Details.InitiatorIndex).WithField("responderIndex", hs.Details.ResponderIndex).
|
|
|
- WithField("remoteIndex", h.RemoteIndex).WithField("handshake", m{"stage": 1, "style": "ix_psk0"}).
|
|
|
- Info("Handshake message received")
|
|
|
+ msgRxL := f.l.WithFields(m{
|
|
|
+ "vpnAddrs": vpnAddrs,
|
|
|
+ "udpAddr": addr,
|
|
|
+ "certName": certName,
|
|
|
+ "certVersion": certVersion,
|
|
|
+ "fingerprint": fingerprint,
|
|
|
+ "issuer": issuer,
|
|
|
+ "initiatorIndex": hs.Details.InitiatorIndex,
|
|
|
+ "responderIndex": hs.Details.ResponderIndex,
|
|
|
+ "remoteIndex": h.RemoteIndex,
|
|
|
+ "handshake": m{"stage": 1, "style": "ix_psk0"},
|
|
|
+ })
|
|
|
+
|
|
|
+ if anyVpnAddrsInCommon {
|
|
|
+ msgRxL.Info("Handshake message received")
|
|
|
+ } else {
|
|
|
+ //todo warn if not lighthouse or relay?
|
|
|
+ msgRxL.Info("Handshake message received, but no vpnNetworks in common.")
|
|
|
+ }
|
|
|
|
|
|
hs.Details.ResponderIndex = myIndex
|
|
|
hs.Details.Cert = cs.getHandshakeBytes(ci.myCert.Version())
|
|
|
if hs.Details.Cert == nil {
|
|
|
- f.l.WithField("vpnAddrs", vpnAddrs).WithField("udpAddr", addr).
|
|
|
- WithField("certName", certName).
|
|
|
- WithField("certVersion", certVersion).
|
|
|
- WithField("fingerprint", fingerprint).
|
|
|
- WithField("issuer", issuer).
|
|
|
- WithField("initiatorIndex", hs.Details.InitiatorIndex).WithField("responderIndex", hs.Details.ResponderIndex).
|
|
|
- WithField("remoteIndex", h.RemoteIndex).WithField("handshake", m{"stage": 1, "style": "ix_psk0"}).
|
|
|
- WithField("certVersion", ci.myCert.Version()).
|
|
|
+ msgRxL.WithField("myCertVersion", ci.myCert.Version()).
|
|
|
Error("Unable to handshake with host because no certificate handshake bytes is available")
|
|
|
return
|
|
|
}
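Review bot: The `else` branch of the new `if anyVpnAddrsInCommon` accepts the handshake unconditionally and records it only at Info, where the removed stage-1 guard refused it and logged at Error; the `//todo warn if not lighthouse or relay?` names the intended gate (the node's role) but nothing in this hunk checks it, so as far as the hunk shows every node now completes a tunnel with a peer whose certificate shares no network with its own. Until that gate exists, `msgRxL.Warn("Handshake message received, but no vpnNetworks in common")` would keep the event visible at default log levels; the same applies to the stage 2 branch in the hunk at -638. The message speaks of "no vpnNetworks in common" but the `WithFields` map no longer carries `vpnNetworks`, which the deleted block did log; adding `"vpnNetworks": vpnNetworks,` to the map keeps the prefix lengths visible alongside `vpnAddrs`. The message also ends with a period, unlike the other log messages in these hunks. ixHandshakeStage1 begins and ends outside this hunk.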
|
|
@@ -580,17 +573,8 @@ func ixHandshakeStage2(f *Interface, addr netip.AddrPort, via *ViaSender, hh *Ha
|
|
|
}
|
|
|
}
|
|
|
|
|
|
- if !anyVpnAddrsInCommon {
|
|
|
- f.l.WithError(err).WithField("udpAddr", addr).
|
|
|
- WithField("certName", certName).
|
|
|
- WithField("certVersion", certVersion).
|
|
|
- WithField("fingerprint", fingerprint).
|
|
|
- WithField("issuer", issuer).
|
|
|
- WithField("handshake", m{"stage": 2, "style": "ix_psk0"}).Error("No usable vpn addresses from host, refusing handshake")
|
|
|
- return true
|
|
|
- }
|
|
|
-
|
|
|
// Ensure the right host responded
|
|
|
+ // todo is it more correct to see if any of hostinfo.vpnAddrs are in the cert? it should have len==1, but one day it might not?
|
|
|
if !slices.Contains(vpnAddrs, hostinfo.vpnAddrs[0]) {
|
|
|
f.l.WithField("intendedVpnAddrs", hostinfo.vpnAddrs).WithField("haveVpnNetworks", vpnNetworks).
|
|
|
WithField("udpAddr", addr).
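Review bot: The new `// todo` comment above the `slices.Contains` check leaves the invariant it depends on as a question; with the guard above it removed, this check appears to be the only thing in stage 2 that still turns away a responder whose networks do not overlap ours, so the assumption should be stated plainly, e.g. `// TODO: hostinfo.vpnAddrs is expected to hold exactly one entry; if it ever holds more, check for any overlap with the cert's addresses instead of index 0.` The deleted block was also the only place stage 2 attached `err` for this condition, and the remaining rejection path logs `intendedVpnAddrs`/`haveVpnNetworks`, so a peer with disjoint networks will now be reported as a wrong-host mismatch rather than a network mismatch. ixHandshakeStage2 starts and ends outside this hunk.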
|
|
@@ -630,7 +614,7 @@ func ixHandshakeStage2(f *Interface, addr netip.AddrPort, via *ViaSender, hh *Ha
|
|
|
ci.window.Update(f.l, 2)
|
|
|
|
|
|
duration := time.Since(hh.startTime).Nanoseconds()
|
|
|
- f.l.WithField("vpnAddrs", vpnAddrs).WithField("udpAddr", addr).
|
|
|
+ msgRxL := f.l.WithField("vpnAddrs", vpnAddrs).WithField("udpAddr", addr).
|
|
|
WithField("certName", certName).
|
|
|
WithField("certVersion", certVersion).
|
|
|
WithField("fingerprint", fingerprint).
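Review bot: The stage 2 `msgRxL` keeps the long chained `WithField` form while stage 1 in this same commit was moved to a single `WithFields(m{...})` map for the equivalent entry; using the map form here too would keep the two stages readable side by side and make a missing or duplicated key easier to spot. The statement begun at `msgRxL :=` continues into the next hunk.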
|
|
@@ -638,8 +622,13 @@ func ixHandshakeStage2(f *Interface, addr netip.AddrPort, via *ViaSender, hh *Ha
|
|
|
WithField("initiatorIndex", hs.Details.InitiatorIndex).WithField("responderIndex", hs.Details.ResponderIndex).
|
|
|
WithField("remoteIndex", h.RemoteIndex).WithField("handshake", m{"stage": 2, "style": "ix_psk0"}).
|
|
|
WithField("durationNs", duration).
|
|
|
- WithField("sentCachedPackets", len(hh.packetStore)).
|
|
|
- Info("Handshake message received")
|
|
|
+ WithField("sentCachedPackets", len(hh.packetStore))
|
|
|
+ if anyVpnAddrsInCommon {
|
|
|
+ msgRxL.Info("Handshake message received")
|
|
|
+ } else {
|
|
|
+ //todo warn if not lighthouse or relay?
|
|
|
+ msgRxL.Info("Handshake message received, but no vpnNetworks in common.")
|
|
|
+ }
|
|
|
|
|
|
// Build up the radix for the firewall if we have subnets in the cert
|
|
|
hostinfo.vpnAddrs = vpnAddrs
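Review bot: The `if anyVpnAddrsInCommon { ... } else { //todo ...; Info(...) }` block added here is a verbatim copy of the one added in stage 1 in the hunk at -253, down to the todo and the trailing period in the message; a small unexported helper taking the prepared log entry and the bool would keep the message text and the eventual lighthouse/relay check in one place instead of two. The `msgRxL` entry in stage 2 is used only for this one emission, so the helper could also absorb the `sentCachedPackets` and `durationNs` fields that are specific to this stage. ixHandshakeStage2 continues past the end of this hunk.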
|