feat(cli): add WireGuard peer management commands (#47)

* feat(cli): add WireGuard peer management commands

* update Dockerfile to use new cmd format

Author: garmr-ulfr

Dockerfile

@@ -18,14 +18,14 @@ ENV GOARCH=$TARGETARCH
 RUN set -ex \
     && go build -v -tags \
        "with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api" \
-       -o /usr/local/bin/sing-box-extensions ./cmd/sing-box-extensions
+       -o /usr/local/bin/sbx ./cmd/sing-box-extensions
 
 FROM debian:bullseye-slim
 RUN set -ex \
     && apt-get update \
     && apt-get install -y ca-certificates tzdata nftables wireguard-tools \
     && rm -rf /var/lib/apt/lists/*
 
-COPY --from=builder /usr/local/bin/sing-box-extensions /usr/local/bin/sing-box-extensions
+COPY --from=builder /usr/local/bin/sbx /usr/local/bin/sbx
 
-ENTRYPOINT ["/usr/local/bin/sing-box-extensions", "-d", "/data", "-c", "/config.json", "run"]
+ENTRYPOINT ["/usr/local/bin/sbx", "run", "--config", "/config.json"]

cmd/sing-box-extensions/Makefile

@@ -0,0 +1,6 @@
+build:
+	go build -v -tags \
+		"with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls,with_acme" \
+		-o sbx .
+run:
+	go run -tags=with_gvisor,with_dhcp,with_wireguard,with_reality_server,with_clash_api,with_quic,with_utls,with_acme . run --config $(config)

cmd/sing-box-extensions/cmd_check.go

@@ -1,26 +1,46 @@
 package main
 
-import "fmt"
+import (
+	"context"
+	"fmt"
 
-type CheckCmd struct {
+	box "github.com/sagernet/sing-box"
+	"github.com/spf13/cobra"
+)
+
+var checkCmd = &cobra.Command{
+	Use:   "check",
+	Short: "Check configuration",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		path, err := cmd.Flags().GetString("config")
+		if err != nil {
+			return fmt.Errorf("get config flag: %w", err)
+		}
+		if err := check(path); err != nil {
+			return fmt.Errorf("configuration check failed: %w", err)
+		}
+		return nil
+	},
 }
 
-func check(configFile string) error {
-	instance, cancel, err := prepare(configFile)
+func init() {
+	rootCmd.AddCommand(checkCmd)
+	checkCmd.Flags().String("config", "config.json", "Configuration file path")
+}
 
+func check(configPath string) error {
+	options, err := readConfig(configPath)
+	if err != nil {
+		return err
+	}
+	ctx, cancel := context.WithCancel(globalCtx)
+	instance, err := box.New(box.Options{
+		Context: ctx,
+		Options: options,
+	})
 	if err == nil {
-		_ = instance.Close()
+		instance.Close()
 	}
 	cancel()
 	return err
 }
-
-func (c *CheckCmd) Run() error {
-	err := check(args.ConfigFile)
-	if err == nil {
-		fmt.Println("Configuration is valid")
-	} else {
-		return err
-	}
-	return nil
-}

cmd/sing-box-extensions/cmd_run.go

@@ -3,48 +3,63 @@ package main
 import (
 	"context"
 	"fmt"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/experimental/libbox"
-	"github.com/sagernet/sing-box/log"
-	E "github.com/sagernet/sing/common/exceptions"
 	"os"
 	"os/signal"
-	"path/filepath"
 	runtimeDebug "runtime/debug"
 	"syscall"
 	"time"
+
+	box "github.com/sagernet/sing-box"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/json"
+	"github.com/spf13/cobra"
 )
 
-type RunCmd struct {
+func init() {
+	rootCmd.AddCommand(runCmd)
+	runCmd.Flags().String("config", "config.json", "Configuration file path")
 }
 
-func prepare(configFile string) (*libbox.BoxService, context.CancelFunc, error) {
-	ctx, cancel := context.WithCancel(newBaseContext())
-
-	var config string
+var runCmd = &cobra.Command{
+	Use:   "run",
+	Short: "Run service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		path, err := cmd.Flags().GetString("config")
+		if err != nil {
+			return fmt.Errorf("get config flag: %w", err)
+		}
+		return run(path)
+	},
+}
 
-	if data, err := os.ReadFile(configFile); err != nil {
-		return nil, cancel, fmt.Errorf("reading config file: %w", err)
-	} else {
-		config = string(data)
+func readConfig(path string) (option.Options, error) {
+	content, err := os.ReadFile(path)
+	if err != nil {
+		return option.Options{}, fmt.Errorf("reading config file: %w", err)
 	}
-	if err := libbox.Setup(&libbox.SetupOptions{
-		BasePath:    args.DataDir,
-		WorkingPath: filepath.Join(args.DataDir, "data"),
-		TempPath:    filepath.Join(args.DataDir, "temp"),
-	}); err != nil {
-		return nil, cancel, fmt.Errorf("setup libbox: %w", err)
+	options, err := json.UnmarshalExtendedContext[option.Options](globalCtx, content)
+	if err != nil {
+		return option.Options{}, fmt.Errorf("parsing config file: %w", err)
 	}
-
-	instance, err := libbox.NewServiceWithContext(ctx, config, nil)
-	return instance, cancel, err
+	return options, nil
 }
 
-func create(config string) (*libbox.BoxService, context.CancelFunc, error) {
-	instance, cancel, err := prepare(config)
+func create(configPath string) (*box.Box, context.CancelFunc, error) {
+	options, err := readConfig(configPath)
 	if err != nil {
-		cancel()
-		return nil, nil, fmt.Errorf("setup libbox: %w", err)
+		return nil, nil, fmt.Errorf("read config: %w", err)
+	}
+
+	ctx, cancel := context.WithCancel(globalCtx)
+	instance, err := box.New(box.Options{
+		Context: ctx,
+		Options: options,
+	})
+	if err != nil {
+		return nil, nil, fmt.Errorf("create service: %w", err)
 	}
 
 	osSignals := make(chan os.Signal, 1)
@@ -80,20 +95,20 @@ func closeMonitor(ctx context.Context) {
 	log.Fatal("sing-box did not close!")
 }
 
-func (c *RunCmd) Run() error {
+func run(configPath string) error {
 	osSignals := make(chan os.Signal, 1)
 	signal.Notify(osSignals, os.Interrupt, syscall.SIGTERM, syscall.SIGHUP)
 	defer signal.Stop(osSignals)
 	for {
-		instance, cancel, err := create(args.ConfigFile)
+		instance, cancel, err := create(configPath)
 		if err != nil {
 			return err
 		}
 		runtimeDebug.FreeOSMemory()
 		for {
 			osSignal := <-osSignals
 			if osSignal == syscall.SIGHUP {
-				err = check(args.ConfigFile)
+				err = check(configPath)
 				if err != nil {
 					log.Error(E.Cause(err, "reload service"))
 					continue

cmd/sing-box-extensions/cmd_wg_peer.go

@@ -0,0 +1,184 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/base64"
+	"encoding/hex"
+	"fmt"
+	"net"
+	"strings"
+
+	"github.com/spf13/cobra"
+)
+
+const socket = "/var/run/wireguard/wg0.sock"
+
+func init() {
+	rootCmd.AddCommand(wgPeersCmd)
+
+	addPeerCmd.Flags().String("public-key", "", "Public key of the peer to add")
+	addPeerCmd.Flags().StringSlice("allowed-ips", []string{"0.0.0.0/0"}, "Allowed IPs for the peer")
+	addPeerCmd.Flags().String("socket", socket, "WireGuard socket path")
+	addPeerCmd.MarkFlagRequired("public-key")
+
+	removePeerCmd.Flags().String("public-key", "", "Public key of the peer to remove")
+	removePeerCmd.Flags().String("socket", socket, "WireGuard socket path")
+	removePeerCmd.MarkFlagRequired("public-key")
+
+	listPeersCmd.Flags().String("socket", socket, "WireGuard socket path")
+
+	wgPeersCmd.AddCommand(addPeerCmd)
+	wgPeersCmd.AddCommand(removePeerCmd)
+	wgPeersCmd.AddCommand(listPeersCmd)
+}
+
+var wgPeersCmd = &cobra.Command{
+	Use:   "wg-peers",
+	Short: "Manage WireGuard peers",
+	Long:  `Add or remove WireGuard peers`,
+}
+
+var addPeerCmd = &cobra.Command{
+	Use:   "add",
+	Short: "Add a WireGuard peer",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		key, _ := cmd.Flags().GetString("public-key")
+		allowedIPs, _ := cmd.Flags().GetStringSlice("allowed-ips")
+		sock, _ := cmd.Flags().GetString("socket")
+		err := addPeer(key, allowedIPs, sock)
+		if err != nil {
+			return fmt.Errorf("adding peer: %w", err)
+		}
+		fmt.Println("Peer added")
+		return nil
+	},
+}
+
+func addPeer(publicKey string, allowedIPs []string, wgIfc string) error {
+	publicKeyHex, err := keyToHex(publicKey)
+	if err != nil {
+		return err
+	}
+
+	req := "public_key=" + publicKeyHex + "\n"
+	for _, ip := range allowedIPs {
+		_, _, err := net.ParseCIDR(ip)
+		if err != nil {
+			return fmt.Errorf("parsing allowed IP %s: %w", ip, err)
+		}
+		req += "allowed_ip=" + ip + "\n"
+	}
+	_, err = sendReq("set=1\n"+req, wgIfc)
+	if err != nil {
+		return fmt.Errorf("sending request: %w", err)
+	}
+	return nil
+}
+
+var removePeerCmd = &cobra.Command{
+	Use:   "remove",
+	Short: "Remove a WireGuard peer",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		key, _ := cmd.Flags().GetString("public-key")
+		sock, _ := cmd.Flags().GetString("socket")
+		err := removePeer(key, sock)
+		if err != nil {
+			return fmt.Errorf("removing peer: %w", err)
+		}
+		fmt.Println("Peer removed")
+		return nil
+	},
+}
+
+func removePeer(publicKey string, wgIfc string) error {
+	publicKeyHex, err := keyToHex(publicKey)
+	if err != nil {
+		return err
+	}
+
+	req := "set=1\npublic_key=" + publicKeyHex + "\nremove=true\n"
+	_, err = sendReq(req, wgIfc)
+	if err != nil {
+		return fmt.Errorf("sending request: %w", err)
+	}
+	return nil
+}
+
+var listPeersCmd = &cobra.Command{
+	Use:   "list",
+	Short: "List WireGuard peers",
+	Long:  `List all WireGuard peers`,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		sock, _ := cmd.Flags().GetString("socket")
+		res, err := sendReq("get=1\n\n", sock)
+		if err != nil {
+			return fmt.Errorf("retrieving peers: %w", err)
+		}
+		idx := strings.Index(res, "public_key")
+		if idx == -1 {
+			fmt.Println("No peers found.")
+			return nil
+		}
+		printPeers(res[idx:])
+		return nil
+	},
+}
+
+func printPeers(s string) {
+	var peers []string
+	s = strings.TrimSpace(s)
+	for {
+		idx := strings.Index(s[1:], "public_key")
+		if idx == -1 {
+			peers = append(peers, s)
+			break
+		}
+		idx++ // adjust for the offset
+		peers = append(peers, s[:idx])
+		s = s[idx:]
+	}
+	fmt.Println("--------------------------------")
+	fmt.Println(strings.Join(peers, "\n--------------------------------\n"))
+	fmt.Println()
+}
+
+func keyToHex(publicKey string) (string, error) {
+	publicKeyBytes, err := base64.StdEncoding.DecodeString(publicKey)
+	if err != nil {
+		return "", fmt.Errorf("decoding public key: %w", err)
+	}
+	return hex.EncodeToString(publicKeyBytes), nil
+}
+
+func sendReq(req, wgSock string) (string, error) {
+	conn, err := net.Dial("unix", wgSock)
+	if err != nil {
+		return "", fmt.Errorf("dialing socket: %w", err)
+	}
+	defer conn.Close()
+
+	switch {
+	case req[len(req)-1] != '\n': // has no trailing newline
+		req += "\n\n"
+	case req[len(req)-2:] != "\n\n": // has one trailing newline
+		req += "\n"
+	}
+	_, err = conn.Write([]byte(req))
+	if err != nil {
+		return "", fmt.Errorf("writing to socket: %w", err)
+	}
+
+	r := bufio.NewReader(conn)
+	out := make([]byte, 0, 1024)
+	for {
+		b, err := r.ReadBytes('\n')
+		if err != nil {
+			return "", fmt.Errorf("reading from socket: %w", err)
+		}
+		if bytes.Equal(b, []byte{'\n'}) {
+			return string(out), nil
+		}
+		out = append(out, b...)
+	}
+}