Create FUNDING.yml

.github/FUNDING.yml

@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: dswd
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: ['https://paypal.me/dswd73']

.travis.yml

@@ -27,7 +27,8 @@ script:
   - |
       cargo build && cargo test
 after_success:
-  - cargo coveralls
+  - |
+      [ $TRAVIS_RUST_VERSION = stable ] && cargo coveralls
 env:
   global:
     - TRAVIS_CARGO_NIGHTLY_FEATURE=""

CHANGELOG.md

@@ -2,6 +2,15 @@
 
 This project follows [semantic versioning](http://semver.org).
 
+### Unreleased
+
+- [added] Added service restrictions to systemd
+- [changed] Also drop privileges in foreground mode
+- [changed] Set builders to Ubuntu 16.04 and CentOS 7
+- [changed] Set keepalive to 120 secs when NAT is detected
+- [fixed] Added parameter keepalive to manpage
+- [fixed] Fixed problems on stats file when dropping permissions
+
 ### v1.1.0 (2019-12-04)
 
 - [added] Exchange peer timeout and adapt keepalive accordingly

Cargo.lock

@@ -230,6 +230,18 @@ dependencies = [
  "void 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "nix"
+version = "0.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "bitflags 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
+ "cc 1.0.47 (registry+https://github.com/rust-lang/crates.io-index)",
+ "cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)",
+ "libc 0.2.66 (registry+https://github.com/rust-lang/crates.io-index)",
+ "void 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "nom"
 version = "4.2.3"
@@ -254,6 +266,15 @@ name = "ppv-lite86"
 version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "privdrop"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "libc 0.2.66 (registry+https://github.com/rust-lang/crates.io-index)",
+ "nix 0.15.0 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "proc-macro2"
 version = "1.0.6"
@@ -551,6 +572,7 @@ dependencies = [
  "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)",
  "net2 0.2.33 (registry+https://github.com/rust-lang/crates.io-index)",
  "pkg-config 0.3.17 (registry+https://github.com/rust-lang/crates.io-index)",
+ "privdrop 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)",
  "rand 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "ring 0.16.9 (registry+https://github.com/rust-lang/crates.io-index)",
  "serde 1.0.103 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -728,10 +750,12 @@ dependencies = [
 "checksum memchr 2.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "88579771288728879b57485cc7d6b07d648c9f0141eb955f8ab7f9d45394468e"
 "checksum net2 0.2.33 (registry+https://github.com/rust-lang/crates.io-index)" = "42550d9fb7b6684a6d404d9fa7250c2eb2646df731d1c06afc06dcee9e1bcf88"
 "checksum nix 0.14.1 (registry+https://github.com/rust-lang/crates.io-index)" = "6c722bee1037d430d0f8e687bbdbf222f27cc6e4e68d5caf630857bb2b6dbdce"
+"checksum nix 0.15.0 (registry+https://github.com/rust-lang/crates.io-index)" = "3b2e0b4f3320ed72aaedb9a5ac838690a8047c7b275da22711fddff4f8a14229"
 "checksum nom 4.2.3 (registry+https://github.com/rust-lang/crates.io-index)" = "2ad2a91a8e869eeb30b9cb3119ae87773a8f4ae617f41b1eb9c154b2905f7bd6"
 "checksum percent-encoding 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)" = "31010dd2e1ac33d5b46a5b413495239882813e0369f8ed8a5e266f173602f831"
 "checksum pkg-config 0.3.17 (registry+https://github.com/rust-lang/crates.io-index)" = "05da548ad6865900e60eaba7f589cc0783590a92e940c26953ff81ddbab2d677"
 "checksum ppv-lite86 0.2.6 (registry+https://github.com/rust-lang/crates.io-index)" = "74490b50b9fbe561ac330df47c08f3f33073d2d00c150f719147d7c54522fa1b"
+"checksum privdrop 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "432c2e1a6d9d56e3c14710a9b807ade349c48ccd5647bcda9a175f40f81ca5a9"
 "checksum proc-macro2 1.0.6 (registry+https://github.com/rust-lang/crates.io-index)" = "9c9e470a8dc4aeae2dee2f335e8f533e2d4b347e1434e5671afc49b054592f27"
 "checksum quote 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)" = "053a8c8bcc71fcce321828dc897a98ab9760bef03a4fc36693c231e5b3216cfe"
 "checksum rand 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)" = "552840b97013b1a26992c11eac34bdd778e464601a4c2054b5f0bff7c6761293"

Cargo.toml

@@ -28,6 +28,7 @@ igd = "0.9"
 siphasher = "0.3"
 daemonize = "0.4"
 ring = "0.16"
+privdrop = "0.3"
 
 [build-dependencies]
 cc = "^1"

assets/vpncloud@.service

@@ -2,12 +2,22 @@
 Description=VpnCloud network '%I'
 After=network-online.target
 Wants=network-online.target
+Documentation=man:vpncloud(1)
 
 [Service]
-Type=forking
+Type=simple
-ExecStart=/usr/bin/vpncloud --config /etc/vpncloud/%i.net --daemon --log-file /var/log/vpncloud-%i.log --stats-file /var/log/vpncloud-%i.stats --pid-file /run/vpncloud-%i.pid
+ExecStart=/usr/bin/vpncloud --config /etc/vpncloud/%i.net --log-file /var/log/vpncloud-%i.log --stats-file /var/log/vpncloud-%i.stats
 WorkingDirectory=/etc/vpncloud
-PIDFile=/run/vpncloud-%i.pid
+RestartSec=5s
+Restart=on-failure
+LimitNPROC=10
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=strict
+ReadWritePaths=/var/log/vpncloud-%i.log /var/log/vpncloud-%i.stats
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
 
 [Install]
 WantedBy=multi-user.target

src/cloud.rs

@@ -6,12 +6,11 @@ use std::{
     cmp::min,
     collections::HashMap,
     fmt,
-    fs::{self, File, Permissions},
+    fs::File,
     hash::BuildHasherDefault,
     io::{self, Write},
     marker::PhantomData,
-    net::{SocketAddr, ToSocketAddrs},
+    net::{SocketAddr, ToSocketAddrs}
-    os::unix::fs::PermissionsExt
 };
 
 use fnv::FnvHasher;
@@ -230,6 +229,7 @@ pub struct GenericCloud<D: Device, P: Protocol, T: Table, S: Socket, TS: TimeSou
     peer_timeout_publish: u16,
     update_freq: u16,
     buffer_out: [u8; 64 * 1024],
+    stats_file: Option<File>,
     next_housekeep: Time,
     next_stats_out: Time,
     next_beacon: Time,
@@ -244,7 +244,7 @@ impl<D: Device, P: Protocol, T: Table, S: Socket, TS: TimeSource> GenericCloud<D
     #[allow(clippy::too_many_arguments)]
     pub fn new(
         config: &Config, device: D, table: T, learning: bool, broadcast: bool, addresses: Vec<Range>, crypto: Crypto,
-        port_forwarding: Option<PortForwarding>
+        port_forwarding: Option<PortForwarding>, stats_file: Option<File>
     ) -> Self
     {
         let socket4 = match S::listen_v4("0.0.0.0", config.port) {
@@ -256,11 +256,11 @@ impl<D: Device, P: Protocol, T: Table, S: Socket, TS: TimeSource> GenericCloud<D
             Err(err) => fail!("Failed to open ipv6 address ::{}: {}", config.port, err)
         };
         let now = TS::now();
-        let peer_timeout_publish = if socket4.detect_nat() {
+        let update_freq = if socket4.detect_nat() && config.get_keepalive() > 120 {
-            info!("Private IP detected, setting published peer timeout to 300s");
+            info!("Private IP detected, setting keepalive interval to 120s");
-            300
+            120
         } else {
-            config.peer_timeout as u16
+            config.get_keepalive() as u16
         };
         let mut res = GenericCloud {
             magic: config.get_magic(),
@@ -271,13 +271,14 @@ impl<D: Device, P: Protocol, T: Table, S: Socket, TS: TimeSource> GenericCloud<D
             broadcast,
             reconnect_peers: Vec::new(),
             own_addresses: Vec::new(),
-            peer_timeout_publish,
+            peer_timeout_publish: config.peer_timeout as u16,
             table,
             socket4,
             socket6,
             device,
             next_peerlist: now,
-            update_freq: config.get_keepalive() as u16,
+            update_freq,
+            stats_file,
             buffer_out: [0; 64 * 1024],
             next_housekeep: now,
             next_stats_out: now + STATS_INTERVAL,
@@ -480,8 +481,8 @@ impl<D: Device, P: Protocol, T: Table, S: Socket, TS: TimeSource> GenericCloud<D
             let mut msg = Message::Peers(peers);
             self.broadcast_msg(&mut msg)?;
             // Reschedule for next update
-            self.update_freq = min(self.config.get_keepalive() as u16, self.peers.min_peer_timeout());
+            let interval = min(self.update_freq as u16, self.peers.min_peer_timeout());
-            self.next_peerlist = now + Time::from(self.update_freq);
+            self.next_peerlist = now + Time::from(interval);
         }
         // Connect to those reconnect_peers that are due
         for entry in self.reconnect_peers.clone() {
@@ -526,7 +527,7 @@ impl<D: Device, P: Protocol, T: Table, S: Socket, TS: TimeSource> GenericCloud<D
             // Write out the statistics
             self.write_out_stats().map_err(|err| Error::File("Failed to write stats file", err))?;
             self.next_stats_out = now + STATS_INTERVAL;
-            self.traffic.period(Some(60));
+            self.traffic.period(Some(5));
         }
         if let Some(peers) = self.beacon_serializer.get_cmd_results() {
             debug!("Loaded beacon with peers: {:?}", peers);
@@ -586,18 +587,16 @@ impl<D: Device, P: Protocol, T: Table, S: Socket, TS: TimeSource> GenericCloud<D
 
     /// Calculates, resets and writes out the statistics to a file
     fn write_out_stats(&mut self) -> Result<(), io::Error> {
-        if self.config.stats_file.is_none() {
+        if let Some(ref mut f) = self.stats_file {
-            return Ok(())
+            debug!("Writing out stats");
+            f.set_len(0)?;
+            self.peers.write_out(f)?;
+            writeln!(f)?;
+            self.table.write_out(f)?;
+            writeln!(f)?;
+            self.traffic.write_out(f)?;
+            writeln!(f)?;
         }
-        debug!("Writing out stats");
-        let mut f = File::create(self.config.stats_file.as_ref().unwrap())?;
-        self.peers.write_out(&mut f)?;
-        writeln!(&mut f)?;
-        self.table.write_out(&mut f)?;
-        writeln!(&mut f)?;
-        self.traffic.write_out(&mut f)?;
-        writeln!(&mut f)?;
-        fs::set_permissions(self.config.stats_file.as_ref().unwrap(), Permissions::from_mode(0o644))?;
         Ok(())
     }
 

src/main.rs

@@ -33,9 +33,10 @@ pub mod udpmessage;
 use docopt::Docopt;
 
 use std::{
-    fs::File,
+    fs::{self, File, Permissions},
     io::{self, Write},
     net::UdpSocket,
+    os::unix::fs::PermissionsExt,
     path::Path,
     process::Command,
     str::FromStr,
@@ -166,7 +167,7 @@ impl<P: Protocol> AnyCloud<P> {
     #[allow(unknown_lints, clippy::too_many_arguments)]
     fn new(
         config: &Config, device: TunTapDevice, table: AnyTable, learning: bool, broadcast: bool, addresses: Vec<Range>,
-        crypto: Crypto, port_forwarding: Option<PortForwarding>
+        crypto: Crypto, port_forwarding: Option<PortForwarding>, stats_file: Option<File>
     ) -> Self
     {
         match table {
@@ -178,7 +179,15 @@ impl<P: Protocol> AnyCloud<P> {
                     UdpSocket,
                     SystemTimeSource
                 >::new(
-                    config, device, t, learning, broadcast, addresses, crypto, port_forwarding
+                    config,
+                    device,
+                    t,
+                    learning,
+                    broadcast,
+                    addresses,
+                    crypto,
+                    port_forwarding,
+                    stats_file
                 ))
             }
             AnyTable::Routing(t) => {
@@ -190,7 +199,8 @@ impl<P: Protocol> AnyCloud<P> {
                     broadcast,
                     addresses,
                     crypto,
-                    port_forwarding
+                    port_forwarding,
+                    stats_file
                 ))
             }
         }
@@ -256,7 +266,19 @@ fn run<P: Protocol>(config: Config) {
         None => Crypto::None
     };
     let port_forwarding = if config.port_forwarding { PortForwarding::new(config.port) } else { None };
-    let mut cloud = AnyCloud::<P>::new(&config, device, table, learning, broadcasting, ranges, crypto, port_forwarding);
+    let stats_file = match config.stats_file {
+        None => None,
+        Some(ref name) => {
+            let file = try_fail!(File::create(name), "Failed to create stats file: {}");
+            try_fail!(
+                fs::set_permissions(name, Permissions::from_mode(0o644)),
+                "Failed to set permissions on stats file: {}"
+            );
+            Some(file)
+        }
+    };
+    let mut cloud =
+        AnyCloud::<P>::new(&config, device, table, learning, broadcasting, ranges, crypto, port_forwarding, stats_file);
     if let Some(script) = config.ifup {
         run_script(&script, cloud.ifname());
     }
@@ -277,6 +299,16 @@ fn run<P: Protocol>(config: Config) {
             daemonize = daemonize.pid_file(pid_file).chown_pid_file(true);
         }
         try_fail!(daemonize.start(), "Failed to daemonize: {}");
+    } else if config.user.is_some() || config.group.is_some() {
+        info!("Dropping privileges");
+        let mut pd = privdrop::PrivDrop::default();
+        if let Some(user) = config.user {
+            pd = pd.user(user);
+        }
+        if let Some(group) = config.group {
+            pd = pd.group(group);
+        }
+        try_fail!(pd.apply(), "Failed to drop privileges: {}");
     }
     cloud.run();
     if let Some(script) = config.ifdown {

src/tests/mod.rs

@@ -80,7 +80,7 @@ fn create_tap_node(nat: bool) -> TapTestNode {
 fn create_tap_node_with_config(nat: bool, mut config: Config) -> TapTestNode {
     MockSocket::set_nat(nat);
     config.port = NEXT_PORT.with(|p| p.fetch_add(1, Ordering::Relaxed)) as u16;
-    TestNode::new(&config, MockDevice::new(), SwitchTable::new(1800, 10), true, true, vec![], Crypto::None, None)
+    TestNode::new(&config, MockDevice::new(), SwitchTable::new(1800, 10), true, true, vec![], Crypto::None, None, None)
 }
 
 #[allow(dead_code)]
@@ -94,6 +94,7 @@ fn create_tun_node(nat: bool, addresses: Vec<Range>) -> TunTestNode {
         false,
         addresses,
         Crypto::None,
+        None,
         None
     )
 }

src/usage.txt

@@ -31,8 +31,8 @@ Options:
                                     interface.
     --pid-file <file>               Store the process id in this file when
                                     daemonizing.
-    --user <user>                   Run as other user when daemonizing.
+    --user <user>                   Run as other user.
-    --group <group>                 Run as other group when daemonizing.
+    --group <group>                 Run as other group.
     --log-file <file>               Print logs also to this file.
     --stats-file <file>             Print statistics to this file.
     --no-port-forwarding            Disable automatic port forward.

vpncloud.md

@@ -80,6 +80,12 @@ vpncloud(1) -- Peer-to-peer VPN
     Peer timeout in seconds. The peers will exchange information periodically
     and drop peers that are silent for this period of time. [default: `1800`]
 
+  * `--keepalive <secs>`:
+
+    Interval of peer exchange messages in seconds. The peers will exchange 
+    information periodically to keep connections alive. This setting overrides
+    how often this will happen. [default: `peer-timeout/2-60`]  
+
   * `--dst-timeout <secs>`:
 
     Switch table entry timeout in seconds. This parameter is only used in switch
@@ -140,8 +146,7 @@ vpncloud(1) -- Peer-to-peer VPN
   * `--group <group>`:
 
     Change the user and/or group of the process once all the setup has been
-    done and before spawning the background process. This option is only used
+    done.
-    when running in background.
 
   * `--log-file <file>`: