Quiet up the logs

Implement more privacy-respecting DNS service

README.md

@@ -35,7 +35,7 @@ When Newt receives WireGuard control messages, it will use the information encod
 -   `endpoint`: The endpoint where both Gerbil and Pangolin reside in order to connect to the websocket.
 
 -   `mtu` (optional): MTU for the internal WG interface. Default: 1280
--   `dns` (optional): DNS server to use to resolve the endpoint. Default: 8.8.8.8
+-   `dns` (optional): DNS server to use to resolve the endpoint. Default: 9.9.9.9
 -   `log-level` (optional): The log level to use (DEBUG, INFO, WARN, ERROR, FATAL). Default: INFO
 -   `enforce-hc-cert` (optional): Enforce certificate validation for health checks. Default: false (accepts any cert)
 -   `docker-socket` (optional): Set the Docker socket to use the container discovery integration
@@ -62,7 +62,7 @@ All CLI arguments can be set using environment variables as an alternative to co
 -   `NEWT_ID`: Newt ID generated by Pangolin (equivalent to `--id`)
 -   `NEWT_SECRET`: Newt secret for authentication (equivalent to `--secret`)
 -   `MTU`: MTU for the internal WG interface. Default: 1280 (equivalent to `--mtu`)
--   `DNS`: DNS server to use to resolve the endpoint. Default: 8.8.8.8 (equivalent to `--dns`)
+-   `DNS`: DNS server to use to resolve the endpoint. Default: 9.9.9.9 (equivalent to `--dns`)
 -   `LOG_LEVEL`: Log level (DEBUG, INFO, WARN, ERROR, FATAL). Default: INFO (equivalent to `--log-level`)
 -   `DOCKER_SOCKET`: Path to Docker socket for container discovery (equivalent to `--docker-socket`)
 -   `PING_INTERVAL`: Interval for pinging the server. Default: 3s (equivalent to `--ping-interval`)

blueprint.yaml

@@ -0,0 +1,37 @@
+resources:
+  resource-nice-id:
+    name: this is my resource
+    protocol: http
+    full-domain: level1.test3.example.com
+    host-header: example.com
+    tls-server-name: example.com
+    auth:
+      pincode: 123456
+      password: sadfasdfadsf
+      sso-enabled: true
+      sso-roles:
+      - Member
+      sso-users:
+      - owen@fossorial.io
+      whitelist-users:
+      - owen@fossorial.io
+    targets:
+    # - site: glossy-plains-viscacha-rat
+    - hostname: localhost
+      method: http
+      port: 8000
+      healthcheck:
+        port: 8000
+        hostname: localhost
+    # - site: glossy-plains-viscacha-rat
+    - hostname: localhost
+      method: http
+      port: 8001
+  resource-nice-id2:
+    name: this is other resource
+    protocol: tcp
+    proxy-port: 3000
+    targets:
+    # - site: glossy-plains-viscacha-rat
+    - hostname: localhost
+      port: 3000

clients.go

@@ -39,7 +39,7 @@ func setupClients(client *websocket.Client) {
 func setupClientsNetstack(client *websocket.Client, host string) {
 	logger.Info("Setting up clients with netstack...")
 	// Create WireGuard service
-	wgService, err = wgnetstack.NewWireGuardService(interfaceName, mtuInt, generateAndSaveKeyTo, host, id, client, "8.8.8.8")
+	wgService, err = wgnetstack.NewWireGuardService(interfaceName, mtuInt, generateAndSaveKeyTo, host, id, client, "9.9.9.9")
 	if err != nil {
 		logger.Fatal("Failed to create WireGuard service: %v", err)
 	}

go.mod

@@ -51,4 +51,5 @@ require (
 	golang.org/x/sys v0.35.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -161,6 +161,7 @@ google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
 google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=

healthcheck/healthcheck.go

@@ -76,7 +76,7 @@ type Monitor struct {
 
 // NewMonitor creates a new health check monitor
 func NewMonitor(callback StatusChangeCallback, enforceCert bool) *Monitor {
-	logger.Info("Creating new health check monitor with certificate enforcement: %t", enforceCert)
+	logger.Debug("Creating new health check monitor with certificate enforcement: %t", enforceCert)
 
 	// Configure TLS settings based on certificate enforcement
 	transport := &http.Transport{

main.go

@@ -74,6 +74,11 @@ type ExitNodePingResult struct {
 	WasPreviouslyConnected bool    `json:"wasPreviouslyConnected"`
 }
 
+type BlueprintResult struct {
+	Success bool   `json:"success"`
+	Message string `json:"message,omitempty"`
+}
+
 // Custom flag type for multiple CA files
 type stringSlice []string
 
@@ -115,6 +120,7 @@ var (
 	preferEndpoint                     string
 	healthMonitor                      *healthcheck.Monitor
 	enforceHealthcheckCert             bool
+	blueprintFile                      string
 
 	// New mTLS configuration variables
 	tlsClientCert string
@@ -172,6 +178,7 @@ func main() {
 	if tlsPrivateKey == "" {
 		tlsPrivateKey = os.Getenv("TLS_CLIENT_CERT")
 	}
+	blueprintFile = os.Getenv("BLUEPRINT_FILE")
 
 	if endpoint == "" {
 		flag.StringVar(&endpoint, "endpoint", "", "Endpoint of your pangolin server")
@@ -186,7 +193,7 @@ func main() {
 		flag.StringVar(&mtu, "mtu", "1280", "MTU to use")
 	}
 	if dns == "" {
-		flag.StringVar(&dns, "dns", "8.8.8.8", "DNS server to use")
+		flag.StringVar(&dns, "dns", "9.9.9.9", "DNS server to use")
 	}
 	if logLevel == "" {
 		flag.StringVar(&logLevel, "log-level", "INFO", "Log level (DEBUG, INFO, WARN, ERROR, FATAL)")
@@ -271,6 +278,9 @@ func main() {
 	if healthFile == "" {
 		flag.StringVar(&healthFile, "health-file", "", "Path to health file (if unset, health file won't be written)")
 	}
+	if blueprintFile == "" {
+		flag.StringVar(&blueprintFile, "blueprint-file", "", "Path to blueprint file (if unset, no blueprint will be applied)")
+	}
 
 	// do a --version check
 	version := flag.Bool("version", false, "Print the version")
@@ -468,7 +478,7 @@ func main() {
 
 	// Register handlers for different message types
 	client.RegisterHandler("newt/wg/connect", func(msg websocket.WSMessage) {
-		logger.Info("Received registration message")
+		logger.Debug("Received registration message")
 		if stopFunc != nil {
 			stopFunc()     // stop the ws from sending more requests
 			stopFunc = nil // reset stopFunc to nil to avoid double stopping
@@ -561,7 +571,7 @@ persistent_keepalive_interval=5`, fixKey(privateKey.String()), fixKey(wgData.Pub
 		if err != nil {
 			logger.Warn("Initial reliable ping failed, but continuing: %v", err)
 		} else {
-			logger.Info("Initial connection test successful")
+			logger.Debug("Initial connection test successful")
 		}
 
 		pingWithRetryStopChan, _ = pingWithRetry(tnet, wgData.ServerIP, pingTimeout)
@@ -600,7 +610,7 @@ persistent_keepalive_interval=5`, fixKey(privateKey.String()), fixKey(wgData.Pub
 		if err := healthMonitor.AddTargets(wgData.HealthCheckTargets); err != nil {
 			logger.Error("Failed to bulk add health check targets: %v", err)
 		} else {
-			logger.Info("Successfully added %d health check targets", len(wgData.HealthCheckTargets))
+			logger.Debug("Successfully added %d health check targets", len(wgData.HealthCheckTargets))
 		}
 
 		err = pm.Start()
@@ -647,7 +657,7 @@ persistent_keepalive_interval=5`, fixKey(privateKey.String()), fixKey(wgData.Pub
 	})
 
 	client.RegisterHandler("newt/ping/exitNodes", func(msg websocket.WSMessage) {
-		logger.Info("Received ping message")
+		logger.Debug("Received ping message")
 		if stopFunc != nil {
 			stopFunc()     // stop the ws from sending more requests
 			stopFunc = nil // reset stopFunc to nil to avoid double stopping
@@ -969,7 +979,7 @@ persistent_keepalive_interval=5`, fixKey(privateKey.String()), fixKey(wgData.Pub
 		if err != nil {
 			logger.Error("Failed to send Docker container list: %v", err)
 		} else {
-			logger.Info("Docker container list sent, count: %d", len(containers))
+			logger.Debug("Docker container list sent, count: %d", len(containers))
 		}
 	})
 
@@ -1085,7 +1095,7 @@ persistent_keepalive_interval=5`, fixKey(privateKey.String()), fixKey(wgData.Pub
 		if err := healthMonitor.AddTargets(config.Targets); err != nil {
 			logger.Error("Failed to add health check targets: %v", err)
 		} else {
-			logger.Info("Added %d health check targets", len(config.Targets))
+			logger.Debug("Added %d health check targets", len(config.Targets))
 		}
 
 		logger.Debug("Health check targets added: %+v", config.Targets)
@@ -1193,6 +1203,29 @@ persistent_keepalive_interval=5`, fixKey(privateKey.String()), fixKey(wgData.Pub
 		}
 	})
 
+	// Register handler for getting health check status
+	client.RegisterHandler("newt/blueprint/results", func(msg websocket.WSMessage) {
+		logger.Debug("Received blueprint results message")
+
+		var blueprintResult BlueprintResult
+
+		jsonData, err := json.Marshal(msg.Data)
+		if err != nil {
+			logger.Info("Error marshaling data: %v", err)
+			return
+		}
+		if err := json.Unmarshal(jsonData, &blueprintResult); err != nil {
+			logger.Info("Error unmarshaling config results data: %v", err)
+			return
+		}
+
+		if blueprintResult.Success {
+			logger.Info("Blueprint applied successfully!")
+		} else {
+			logger.Warn("Blueprint application failed: %s", blueprintResult.Message)
+		}
+	})
+
 	client.OnConnect(func() error {
 		publicKey = privateKey.PublicKey()
 		logger.Debug("Public key: %s", publicKey)
@@ -1205,7 +1238,7 @@ persistent_keepalive_interval=5`, fixKey(privateKey.String()), fixKey(wgData.Pub
 			}
 			// request from the server the list of nodes to ping at newt/ping/request
 			stopFunc = client.SendMessageInterval("newt/ping/request", map[string]interface{}{}, 3*time.Second)
-			logger.Info("Requesting exit nodes from server")
+			logger.Debug("Requesting exit nodes from server")
 			clientsOnConnect()
 		}
 
@@ -1216,6 +1249,8 @@ persistent_keepalive_interval=5`, fixKey(privateKey.String()), fixKey(wgData.Pub
 			"backwardsCompatible": true,
 		})
 
+		sendBlueprint(client)
+
 		if err != nil {
 			logger.Error("Failed to send registration message: %v", err)
 			return err

util.go

@@ -21,6 +21,7 @@ import (
 	"golang.org/x/net/ipv4"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun/netstack"
+	"gopkg.in/yaml.v3"
 )
 
 func fixKey(key string) string {
@@ -558,3 +559,47 @@ func executeUpdownScript(action, proto, target string) (string, error) {
 
 	return target, nil
 }
+
+func sendBlueprint(client *websocket.Client) error {
+	if blueprintFile == "" {
+		return nil
+	}
+	// try to read the blueprint file
+	blueprintData, err := os.ReadFile(blueprintFile)
+	if err != nil {
+		logger.Error("Failed to read blueprint file: %v", err)
+	} else {
+		// first we should convert the yaml to json and error if the yaml is bad
+		var yamlObj interface{}
+		var blueprintJsonData string
+
+		err = yaml.Unmarshal(blueprintData, &yamlObj)
+		if err != nil {
+			logger.Error("Failed to parse blueprint YAML: %v", err)
+		} else {
+			// convert to json
+			jsonBytes, err := json.Marshal(yamlObj)
+			if err != nil {
+				logger.Error("Failed to convert blueprint to JSON: %v", err)
+			} else {
+				blueprintJsonData = string(jsonBytes)
+				logger.Debug("Converted blueprint to JSON: %s", blueprintJsonData)
+			}
+		}
+
+		// if we have valid json data, we can send it to the server
+		if blueprintJsonData == "" {
+			logger.Error("No valid blueprint JSON data to send to server")
+			return nil
+		}
+
+		logger.Info("Sending blueprint to server for application")
+
+		// send the blueprint data to the server
+		err = client.SendMessage("newt/blueprint/apply", map[string]interface{}{
+			"blueprint": blueprintJsonData,
+		})
+	}
+
+	return nil
+}