Audit changes

peer/control/ping.go

@@ -65,14 +65,18 @@ func Unmarshal(buf [Size]byte) (Ping, error) {
 	p := Ping{
 		PingTS: int64(binary.BigEndian.Uint64(buf[1:9])),
 	}
-	if addr := netip.AddrFrom4([4]byte(buf[9:13])); !addr.IsUnspecified() {
+
+	if addr := netip.AddrFrom4([4]byte(buf[9:13])); !addr.IsUnspecified() && addr.Is4() {
 		p.SrcV4 = netip.AddrPortFrom(addr, binary.BigEndian.Uint16(buf[13:15]))
 	}
-	if addr := netip.AddrFrom16([16]byte(buf[15:31])); !addr.IsUnspecified() {
+
+	if addr := netip.AddrFrom16([16]byte(buf[15:31])); !addr.IsUnspecified() && addr.Is6() {
 		p.SrcV6 = netip.AddrPortFrom(addr, binary.BigEndian.Uint16(buf[31:33]))
 	}
+
 	if addr := netip.AddrFrom16([16]byte(buf[33:49])).Unmap(); !addr.IsUnspecified() {
 		p.Dst = netip.AddrPortFrom(addr, binary.BigEndian.Uint16(buf[49:51]))
 	}
+
 	return p, nil
 }

peer/device.go

@@ -61,7 +61,7 @@ func (a *App) devPromote(p *Peer) {
 	if ep.IsValid() {
 		log.Printf("PROMOTED: %s - %s @ %s", p.Name, p.VPNIP.String(), p.WGEndpoint().String())
 	} else {
-		log.Printf("PROMOTED: %s - %s (no IP)", p.Name, p.VPNIP.String())
+		log.Printf("DIRECT: %s - %s (waiting for handshake)", p.Name, p.VPNIP.String())
 	}
 	devRetry(p.VPNIP, "Promote", func() error { return a.dev.Promote(p.PubKey(), p.VPNIP) })
 	p.State = StateDirect

peer/hub_poller.go

@@ -89,7 +89,7 @@ func (hp *HubPoller) poll() {
 		return
 	}
 
-	body, err := io.ReadAll(resp.Body)
+	body, err := io.ReadAll(io.LimitReader(resp.Body, 128*1024))
 	if err != nil {
 		log.Printf("[HubPoller] read body: %v", err)
 		return

peer/on_multicast.go

@@ -15,7 +15,7 @@ func (a *App) onMulticastDiscovery(pkt multicast.Packet) {
 	vpnIP := netip.AddrFrom4(octets)
 
 	peer, ok := a.peersByIP[vpnIP]
-	if !ok {
+	if !ok || peer.IsPublic {
 		return
 	}
 

peer/on_ping.go

@@ -58,10 +58,12 @@ func (a *App) onPing(e PingEvent) {
 	peer.UpdateEndpoints(e.ping.SrcV4, e.ping.SrcV6)
 }
 
+var cgnatPrefix = netip.MustParsePrefix("100.64.0.0/10")
+
 func addrIsRoutable(addrPort netip.AddrPort) bool {
 	if addrPort.Port() == 0 {
 		return false
 	}
 	addr := addrPort.Addr()
-	return addr.IsGlobalUnicast() && !addr.IsPrivate()
+	return addr.IsGlobalUnicast() && !addr.IsPrivate() && !cgnatPrefix.Contains(addr)
 }

peer/on_tick.go

@@ -39,6 +39,7 @@ func (a *App) onTick() {
 		case StateRelayed:
 			// If we have an ep to probe, add it.
 			if ep := p.PreferredEndpoint(); ep.IsValid() {
+				p.ProbeStart = time.Now()
 				a.devAddProbe(p, ep)
 			}
 
@@ -50,6 +51,12 @@ func (a *App) onTick() {
 			} else if ep := p.PreferredEndpoint(); ep.IsValid() && ep != p.WGEndpoint() {
 				// Update the probe address if it's changed.
 				a.devAddProbe(p, ep)
+			} else if time.Since(p.ProbeStart) > 8*wginterface.ProbeKeepalive {
+				// Give up probing if we haven't been able to handshake.
+				p.EndpointV4 = netip.AddrPort{}
+				p.EndpointV6 = netip.AddrPort{}
+				p.EndpointLAN = netip.AddrPort{}
+				a.devAddPeer(p)
 			}
 
 		case StateDirect:

peer/remote.go

@@ -27,8 +27,9 @@ type Peer struct {
 	EndpointV4  netip.AddrPort // Reported IPv4 endpoint.
 	EndpointV6  netip.AddrPort // Reported IPv6 endpoint.
 	EndpointLAN netip.AddrPort // Discovered via multicast.
-	EndpointWG  netip.AddrPort // Current wireguard port.
+	EndpointWG  netip.AddrPort // Current wireguard endpoint.
 	RTT         time.Duration  // Round-trip time.
+	ProbeStart  time.Time      // When we started probing.
 	State       PeerState      // Current routing state; updated on each devXxx call.
 	Role        control.Role   // Role in relation to the local application.
 	SignPubKey  [32]byte       // nacl/sign public key for verifying multicast beacons.