replace package to local imports

addressconfig.go

@@ -14,9 +14,9 @@ import (
 	"golang.org/x/sys/windows"
 	"golang.zx2c4.com/wireguard/tun"
 
-	"golang.zx2c4.com/wireguard/windows/conf"
-	"golang.zx2c4.com/wireguard/windows/tunnel/firewall"
-	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
+	"github.com/amnezia-vpn/awg-windows/conf"
+	"github.com/amnezia-vpn/awg-windows/tunnel/firewall"
+	"github.com/amnezia-vpn/awg-windows/tunnel/winipcfg"
 )
 
 func cleanupAddressesOnDisconnectedInterfaces(family winipcfg.AddressFamily, addresses []net.IPNet) {

conf/config.go

@@ -9,6 +9,7 @@ import (
 	"crypto/rand"
 	"crypto/subtle"
 	"encoding/base64"
+	"encoding/hex"
 	"fmt"
 	"net/netip"
 	"strings"
@@ -16,7 +17,7 @@ import (
 
 	"golang.org/x/crypto/curve25519"
 
-	"golang.zx2c4.com/wireguard/windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/l18n"
 )
 
 const KeyLength = 32
@@ -50,6 +51,16 @@ type Interface struct {
 	PreDown    string
 	PostDown   string
 	TableOff   bool
+
+	JunkPacketCount            uint16
+	JunkPacketMinSize          uint16
+	JunkPacketMaxSize          uint16
+	InitPacketJunkSize         uint16
+	ResponsePacketJunkSize     uint16
+	InitPacketMagicHeader      uint32
+	ResponsePacketMagicHeader  uint32
+	UnderloadPacketMagicHeader uint32
+	TransportPacketMagicHeader uint32
 }
 
 type Peer struct {
@@ -100,6 +111,10 @@ func (e *Endpoint) String() string {
 	return fmt.Sprintf("%s:%d", e.Host, e.Port)
 }
 
+func (k *Key) HexString() string {
+	return hex.EncodeToString(k[:])
+}
+
 func (e *Endpoint) IsEmpty() bool {
 	return len(e.Host) == 0
 }

conf/dnsresolver_windows.go

@@ -11,10 +11,10 @@ import (
 	"time"
 	"unsafe"
 
-	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
+	"github.com/amnezia-vpn/awg-windows/tunnel/winipcfg"
 
+	"github.com/amnezia-vpn/awg-windows/services"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/windows/services"
 )
 
 //sys	internetGetConnectedState(flags *uint32, reserved uint32) (connected bool) = wininet.InternetGetConnectedState

conf/parser.go

@@ -7,6 +7,7 @@ package conf
 
 import (
 	"encoding/base64"
+	"math"
 	"net/netip"
 	"strconv"
 	"strings"
@@ -14,8 +15,8 @@ import (
 	"golang.org/x/sys/windows"
 	"golang.org/x/text/encoding/unicode"
 
-	"golang.zx2c4.com/wireguard/windows/driver"
-	"golang.zx2c4.com/wireguard/windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/driver"
+	"github.com/amnezia-vpn/awg-windows/l18n"
 )
 
 type ParseError struct {
@@ -94,6 +95,28 @@ func parsePort(s string) (uint16, error) {
 	return uint16(m), nil
 }
 
+func parseUint16(value, name string) (uint16, error) {
+	m, err := strconv.Atoi(value)
+	if err != nil {
+		return 0, err
+	}
+	if m < 0 || m > math.MaxUint16 {
+		return 0, &ParseError{l18n.Sprintf("Invalid %s", name), value}
+	}
+	return uint16(m), nil
+}
+
+func parseUint32(value, name string) (uint32, error) {
+	m, err := strconv.ParseInt(value, 10, 64)
+	if err != nil {
+		return 0, err
+	}
+	if m < 0 || m > math.MaxUint32 {
+		return 0, &ParseError{l18n.Sprintf("Invalid %s", name), value}
+	}
+	return uint32(m), nil
+}
+
 func parsePersistentKeepalive(s string) (uint16, error) {
 	if s == "off" {
 		return 0, nil
@@ -213,6 +236,66 @@ func FromWgQuick(s, name string) (*Config, error) {
 					return nil, err
 				}
 				conf.Interface.ListenPort = p
+			case "jc":
+				junkPacketCount, err := parseUint16(val, "junkPacketCount")
+				if err != nil {
+					return nil, err
+				}
+				conf.Interface.JunkPacketCount = junkPacketCount
+			case "jmin":
+				junkPacketMinSize, err := parseUint16(val, "junkPacketMinSize")
+				if err != nil {
+					return nil, err
+				}
+				conf.Interface.JunkPacketMinSize = junkPacketMinSize
+			case "jmax":
+				junkPacketMaxSize, err := parseUint16(val, "junkPacketMaxSize")
+				if err != nil {
+					return nil, err
+				}
+				conf.Interface.JunkPacketMaxSize = junkPacketMaxSize
+			case "s1":
+				initPacketJunkSize, err := parseUint16(
+					val,
+					"initPacketJunkSize",
+				)
+				if err != nil {
+					return nil, err
+				}
+				conf.Interface.InitPacketJunkSize = initPacketJunkSize
+			case "s2":
+				responsePacketJunkSize, err := parseUint16(
+					val,
+					"responsePacketJunkSize",
+				)
+				if err != nil {
+					return nil, err
+				}
+				conf.Interface.ResponsePacketJunkSize = responsePacketJunkSize
+			case "h1":
+				initPacketMagicHeader, err := parseUint32(val, "initPacketMagicHeader")
+				if err != nil {
+					return nil, err
+				}
+				conf.Interface.InitPacketMagicHeader = initPacketMagicHeader
+			case "h2":
+				responsePacketMagicHeader, err := parseUint32(val, "responsePacketMagicHeader")
+				if err != nil {
+					return nil, err
+				}
+				conf.Interface.ResponsePacketMagicHeader = responsePacketMagicHeader
+			case "h3":
+				underloadPacketMagicHeader, err := parseUint32(val, "underloadPacketMagicHeader")
+				if err != nil {
+					return nil, err
+				}
+				conf.Interface.UnderloadPacketMagicHeader = underloadPacketMagicHeader
+			case "h4":
+				transportPacketMagicHeader, err := parseUint32(val, "transportPacketMagicHeader")
+				if err != nil {
+					return nil, err
+				}
+				conf.Interface.TransportPacketMagicHeader = transportPacketMagicHeader
 			case "mtu":
 				m, err := parseMTU(val)
 				if err != nil {
@@ -356,6 +439,33 @@ func FromDriverConfiguration(interfaze *driver.Interface, existingConfig *Config
 	if interfaze.Flags&driver.InterfaceHasListenPort != 0 {
 		conf.Interface.ListenPort = interfaze.ListenPort
 	}
+	if interfaze.Flags&driver.InterfaceHasJc != 0 {
+		conf.Interface.JunkPacketCount = interfaze.Jc
+	}
+	if interfaze.Flags&driver.InterfaceHasJmin != 0 {
+		conf.Interface.JunkPacketMinSize = interfaze.Jmin
+	}
+	if interfaze.Flags&driver.InterfaceHasJmax != 0 {
+		conf.Interface.JunkPacketMaxSize = interfaze.Jmax
+	}
+	if interfaze.Flags&driver.InterfaceHasS1 != 0 {
+		conf.Interface.InitPacketJunkSize = interfaze.S1
+	}
+	if interfaze.Flags&driver.InterfaceHasS2 != 0 {
+		conf.Interface.ResponsePacketJunkSize = interfaze.S2
+	}
+	if interfaze.Flags&driver.InterfaceHasH1 != 0 {
+		conf.Interface.InitPacketMagicHeader = interfaze.H1
+	}
+	if interfaze.Flags&driver.InterfaceHasH2 != 0 {
+		conf.Interface.ResponsePacketMagicHeader = interfaze.H2
+	}
+	if interfaze.Flags&driver.InterfaceHasH3 != 0 {
+		conf.Interface.UnderloadPacketMagicHeader = interfaze.H3
+	}
+	if interfaze.Flags&driver.InterfaceHasH4 != 0 {
+		conf.Interface.TransportPacketMagicHeader = interfaze.H4
+	}
 	var p *driver.Peer
 	for i := uint32(0); i < interfaze.PeerCount; i++ {
 		if p == nil {

conf/parser_test.go

@@ -18,6 +18,15 @@ Address = 10.192.122.1/24
 Address = 10.10.0.1/16 
 PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk= 
 ListenPort = 51820  #comments don't matter
+Jc = 10
+Jmin = 20
+Jmax = 30
+S1 = 40
+S2 = 50
+H1 = 60
+H2 = 70
+H3 = 80
+H4 = 90
 
 [Peer] 
 PublicKey   =   xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=    
@@ -85,6 +94,16 @@ func TestFromWgQuick(t *testing.T) {
 		equal(t, "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=", conf.Interface.PrivateKey.String())
 		equal(t, uint16(51820), conf.Interface.ListenPort)
 
+		equal(t, uint16(10), conf.Interface.JunkPacketCount)
+		equal(t, uint16(20), conf.Interface.JunkPacketMinSize)
+		equal(t, uint16(30), conf.Interface.JunkPacketMaxSize)
+		equal(t, uint16(40), conf.Interface.InitPacketJunkSize)
+		equal(t, uint16(50), conf.Interface.ResponsePacketJunkSize)
+		equal(t, uint32(60), conf.Interface.InitPacketMagicHeader)
+		equal(t, uint32(70), conf.Interface.ResponsePacketMagicHeader)
+		equal(t, uint32(80), conf.Interface.UnderloadPacketMagicHeader)
+		equal(t, uint32(90), conf.Interface.TransportPacketMagicHeader)
+
 		lenTest(t, conf.Peers, 3)
 		lenTest(t, conf.Peers[0].AllowedIPs, 2)
 		equal(t, Endpoint{Host: "192.95.5.67", Port: 1234}, conf.Peers[0].Endpoint)

conf/store.go

@@ -11,7 +11,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	"golang.zx2c4.com/wireguard/windows/conf/dpapi"
+	"github.com/amnezia-vpn/awg-windows/conf/dpapi"
 )
 
 const (

conf/writer.go

@@ -11,9 +11,9 @@ import (
 	"strings"
 	"unsafe"
 
+	"github.com/amnezia-vpn/awg-windows/driver"
+	"github.com/amnezia-vpn/awg-windows/tunnel/winipcfg"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/windows/driver"
-	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )
 
 func (conf *Config) ToWgQuick() string {
@@ -26,6 +26,42 @@ func (conf *Config) ToWgQuick() string {
 		output.WriteString(fmt.Sprintf("ListenPort = %d\n", conf.Interface.ListenPort))
 	}
 
+	if conf.Interface.JunkPacketCount > 0 {
+		output.WriteString(fmt.Sprintf("Jc = %d\n", conf.Interface.JunkPacketCount))
+	}
+
+	if conf.Interface.JunkPacketMinSize > 0 {
+		output.WriteString(fmt.Sprintf("Jmin = %d\n", conf.Interface.JunkPacketMinSize))
+	}
+
+	if conf.Interface.JunkPacketMaxSize > 0 {
+		output.WriteString(fmt.Sprintf("Jmax = %d\n", conf.Interface.JunkPacketMaxSize))
+	}
+
+	if conf.Interface.InitPacketJunkSize > 0 {
+		output.WriteString(fmt.Sprintf("S1 = %d\n", conf.Interface.InitPacketJunkSize))
+	}
+
+	if conf.Interface.ResponsePacketJunkSize > 0 {
+		output.WriteString(fmt.Sprintf("S2 = %d\n", conf.Interface.ResponsePacketJunkSize))
+	}
+
+	if conf.Interface.InitPacketMagicHeader > 0 {
+		output.WriteString(fmt.Sprintf("H1 = %d\n", conf.Interface.InitPacketMagicHeader))
+	}
+
+	if conf.Interface.ResponsePacketMagicHeader > 0 {
+		output.WriteString(fmt.Sprintf("H2 = %d\n", conf.Interface.ResponsePacketMagicHeader))
+	}
+
+	if conf.Interface.UnderloadPacketMagicHeader > 0 {
+		output.WriteString(fmt.Sprintf("H3 = %d\n", conf.Interface.UnderloadPacketMagicHeader))
+	}
+
+	if conf.Interface.TransportPacketMagicHeader > 0 {
+		output.WriteString(fmt.Sprintf("H4 = %d\n", conf.Interface.TransportPacketMagicHeader))
+	}
+
 	if len(conf.Interface.Addresses) > 0 {
 		addrStrings := make([]string, len(conf.Interface.Addresses))
 		for i, address := range conf.Interface.Addresses {
@@ -98,12 +134,67 @@ func (config *Config) ToDriverConfiguration() (*driver.Interface, uint32) {
 	}
 	var c driver.ConfigBuilder
 	c.Preallocate(uint32(preallocation))
-	c.AppendInterface(&driver.Interface{
-		Flags:      driver.InterfaceHasPrivateKey | driver.InterfaceHasListenPort,
+	interfaceFlags := driver.InterfaceHasPrivateKey | driver.InterfaceHasListenPort
+	if config.Interface.JunkPacketCount > 0 {
+		interfaceFlags |= driver.InterfaceHasJc
+	}
+
+	if config.Interface.JunkPacketMinSize > 0 {
+		interfaceFlags |= driver.InterfaceHasJmin
+	}
+
+	if config.Interface.JunkPacketMaxSize > 0 {
+		interfaceFlags |= driver.InterfaceHasJmax
+	}
+
+	if config.Interface.InitPacketJunkSize > 0 {
+		interfaceFlags |= driver.InterfaceHasS1
+	}
+
+	if config.Interface.ResponsePacketJunkSize > 0 {
+		interfaceFlags |= driver.InterfaceHasS2
+	}
+
+	if config.Interface.InitPacketMagicHeader > 0 {
+		interfaceFlags |= driver.InterfaceHasH1
+	}
+
+	if config.Interface.ResponsePacketMagicHeader > 0 {
+		interfaceFlags |= driver.InterfaceHasH2
+	}
+
+	if config.Interface.UnderloadPacketMagicHeader > 0 {
+		interfaceFlags |= driver.InterfaceHasH3
+	}
+
+	if config.Interface.TransportPacketMagicHeader > 0 {
+		interfaceFlags |= driver.InterfaceHasH4
+	}
+
+	defaultInterface := driver.DefaultInterface{
+		Flags: interfaceFlags,
 		ListenPort: config.Interface.ListenPort,
 		PrivateKey: config.Interface.PrivateKey,
 		PeerCount:  uint32(len(config.Peers)),
-	})
+	}
+	
+	hasNewFields := interfaceFlags >= (1 << 4)
+	if hasNewFields {
+		c.AppendInterface(&driver.Interface{
+			DefaultInterface: defaultInterface,
+			Jc: config.Interface.JunkPacketCount,
+			Jmin: config.Interface.JunkPacketMinSize,
+			Jmax: config.Interface.JunkPacketMaxSize,
+			S1: config.Interface.InitPacketJunkSize,
+			S2: config.Interface.ResponsePacketJunkSize,
+			H1: config.Interface.InitPacketMagicHeader,
+			H2: config.Interface.ResponsePacketMagicHeader,
+			H3: config.Interface.UnderloadPacketMagicHeader,
+			H4: config.Interface.TransportPacketMagicHeader,
+		})
+	} else {
+		c.AppendDefaultInterface(&defaultInterface)
+	}
 	for i := range config.Peers {
 		flags := driver.PeerHasPublicKey | driver.PeerHasPersistentKeepalive
 		if !config.Peers[i].PresharedKey.IsZero() {
@@ -138,3 +229,80 @@ func (config *Config) ToDriverConfiguration() (*driver.Interface, uint32) {
 	}
 	return c.Interface()
 }
+
+func (conf *Config) ToUAPI() (uapi string, dnsErr error) {
+	var output strings.Builder
+	output.WriteString(fmt.Sprintf("private_key=%s\n", conf.Interface.PrivateKey.HexString()))
+
+	if conf.Interface.ListenPort > 0 {
+		output.WriteString(fmt.Sprintf("listen_port=%d\n", conf.Interface.ListenPort))
+	}
+
+	if conf.Interface.JunkPacketCount > 0 {
+		output.WriteString(fmt.Sprintf("jc=%d\n", conf.Interface.JunkPacketCount))
+	}
+	
+	if conf.Interface.JunkPacketMinSize > 0 {
+		output.WriteString(fmt.Sprintf("jmin=%d\n", conf.Interface.JunkPacketMinSize))
+	}
+	
+	if conf.Interface.JunkPacketMaxSize > 0 {
+		output.WriteString(fmt.Sprintf("jmax=%d\n", conf.Interface.JunkPacketMaxSize))
+	}
+	
+	if conf.Interface.InitPacketJunkSize > 0 {
+		output.WriteString(fmt.Sprintf("s1=%d\n", conf.Interface.InitPacketJunkSize))
+	}
+	
+	if conf.Interface.ResponsePacketJunkSize > 0 {
+		output.WriteString(fmt.Sprintf("s2=%d\n", conf.Interface.ResponsePacketJunkSize))
+	}
+	
+	if conf.Interface.InitPacketMagicHeader > 0 {
+		output.WriteString(fmt.Sprintf("h1=%d\n", conf.Interface.InitPacketMagicHeader))
+	}
+	
+	if conf.Interface.ResponsePacketMagicHeader > 0 {
+		output.WriteString(fmt.Sprintf("h2=%d\n", conf.Interface.ResponsePacketMagicHeader))
+	}
+	
+	if conf.Interface.UnderloadPacketMagicHeader > 0 {
+		output.WriteString(fmt.Sprintf("h3=%d\n", conf.Interface.UnderloadPacketMagicHeader))
+	}
+	
+	if conf.Interface.TransportPacketMagicHeader > 0 {
+		output.WriteString(fmt.Sprintf("h4=%d\n", conf.Interface.TransportPacketMagicHeader))
+	}
+
+	if len(conf.Peers) > 0 {
+		output.WriteString("replace_peers=true\n")
+	}
+
+	for _, peer := range conf.Peers {
+		output.WriteString(fmt.Sprintf("public_key=%s\n", peer.PublicKey.HexString()))
+
+		if !peer.PresharedKey.IsZero() {
+			output.WriteString(fmt.Sprintf("preshared_key=%s\n", peer.PresharedKey.HexString()))
+		}
+
+		if !peer.Endpoint.IsEmpty() {
+			var resolvedIP string
+			resolvedIP, dnsErr = resolveHostname(peer.Endpoint.Host)
+			if dnsErr != nil {
+				return
+			}
+			resolvedEndpoint := Endpoint{resolvedIP, peer.Endpoint.Port}
+			output.WriteString(fmt.Sprintf("endpoint=%s\n", resolvedEndpoint.String()))
+		}
+
+		output.WriteString(fmt.Sprintf("persistent_keepalive_interval=%d\n", peer.PersistentKeepalive))
+
+		if len(peer.AllowedIPs) > 0 {
+			output.WriteString("replace_allowed_ips=true\n")
+			for _, address := range peer.AllowedIPs {
+				output.WriteString(fmt.Sprintf("allowed_ip=%s\n", address.String()))
+			}
+		}
+	}
+	return output.String(), nil
+}

deterministicguid.go

@@ -15,7 +15,7 @@ import (
 	"golang.org/x/sys/windows"
 	"golang.org/x/text/unicode/norm"
 
-	"golang.zx2c4.com/wireguard/windows/conf"
+	"github.com/amnezia-vpn/awg-windows/conf"
 )
 
 const deterministicGUIDLabel = "Deterministic WireGuard Windows GUID v1 jason@zx2c4.com"

driver/configuration_windows.go

@@ -9,8 +9,8 @@ import (
 	"syscall"
 	"unsafe"
 
+	"github.com/amnezia-vpn/awg-windows/tunnel/winipcfg"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )
 
 type AdapterState uint32
@@ -57,13 +57,22 @@ type Peer struct {
 type InterfaceFlag uint32
 
 const (
-	InterfaceHasPublicKey  InterfaceFlag = 1 << 0
-	InterfaceHasPrivateKey InterfaceFlag = 1 << 1
-	InterfaceHasListenPort InterfaceFlag = 1 << 2
-	InterfaceReplacePeers  InterfaceFlag = 1 << 3
+	InterfaceHasPublicKey  	InterfaceFlag = 1 << 0
+	InterfaceHasPrivateKey 	InterfaceFlag = 1 << 1
+	InterfaceHasListenPort 	InterfaceFlag = 1 << 2
+	InterfaceReplacePeers  	InterfaceFlag = 1 << 3
+	InterfaceHasJc 			InterfaceFlag = 1 << 4
+	InterfaceHasJmin 		InterfaceFlag = 1 << 5
+	InterfaceHasJmax 		InterfaceFlag = 1 << 6
+	InterfaceHasS1 			InterfaceFlag = 1 << 7
+	InterfaceHasS2 			InterfaceFlag = 1 << 8
+	InterfaceHasH1 			InterfaceFlag = 1 << 9
+	InterfaceHasH2 			InterfaceFlag = 1 << 10
+	InterfaceHasH3 			InterfaceFlag = 1 << 11
+	InterfaceHasH4 			InterfaceFlag = 1 << 12
 )
 
-type Interface struct {
+type DefaultInterface struct {
 	Flags      InterfaceFlag
 	ListenPort uint16
 	PrivateKey [32]byte
@@ -72,6 +81,20 @@ type Interface struct {
 	_          [4]byte
 }
 
+type Interface struct {
+	DefaultInterface
+
+	Jc 		   uint16
+	Jmin       uint16
+	Jmax       uint16
+	S1 		   uint16
+	S2 		   uint16
+	H1 		   uint32
+	H2 		   uint32
+	H3 		   uint32
+	H4 		   uint32
+}
+
 var (
 	procWireGuardSetAdapterState  = modwireguard.NewProc("WireGuardSetAdapterState")
 	procWireGuardGetAdapterState  = modwireguard.NewProc("WireGuardGetAdapterState")
@@ -156,6 +179,12 @@ func (builder *ConfigBuilder) Preallocate(size uint32) {
 	}
 }
 
+// AppendDefaultInterface appends an interface to the building configuration. This should be called first.
+func (builder *ConfigBuilder) AppendDefaultInterface(interfaze *DefaultInterface) {
+	newBytes := unsafe.Slice((*byte)(unsafe.Pointer(interfaze)), unsafe.Sizeof(*interfaze))
+	builder.buffer = append(builder.buffer, newBytes...)
+}
+
 // AppendInterface appends an interface to the building configuration. This should be called first.
 func (builder *ConfigBuilder) AppendInterface(interfaze *Interface) {
 	newBytes := unsafe.Slice((*byte)(unsafe.Pointer(interfaze)), unsafe.Sizeof(*interfaze))

driver/dll_fromrsrc_windows.go

@@ -13,8 +13,8 @@ import (
 	"sync/atomic"
 	"unsafe"
 
+	"github.com/amnezia-vpn/awg-windows/driver/memmod"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/windows/driver/memmod"
 )
 
 type lazyDLL struct {

driver/driver_windows.go

@@ -11,8 +11,8 @@ import (
 	"syscall"
 	"unsafe"
 
+	"github.com/amnezia-vpn/awg-windows/tunnel/winipcfg"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )
 
 type loggerLevel int

elevate/shellexecute.go

@@ -14,7 +14,7 @@ import (
 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/registry"
 
-	"golang.zx2c4.com/wireguard/windows/version"
+	"github.com/amnezia-vpn/awg-windows/version"
 )
 
 const (

go.mod

@@ -1,11 +1,18 @@
-module github.com/mozilla-mobile/mozilla-vpn-client/windows/tunnel
+module github.com/amnezia-vpn/awg-windows
 
-go 1.16
+go 1.18
 
 require (
+	github.com/lxn/walk v0.0.0-20210112085537-c389da54e794
+	github.com/lxn/win v0.0.0-20210218163916-a377121e959e
 	golang.org/x/crypto v0.12.0
 	golang.org/x/sys v0.11.0
 	golang.org/x/text v0.12.0
 	golang.zx2c4.com/wireguard v0.0.0-20210604143328-f9b48a961cd2
-	golang.zx2c4.com/wireguard/windows v0.3.15
+	golang.zx2c4.com/wireguard/windows v0.5.3
+)
+
+require (
+	golang.org/x/net v0.10.0 // indirect
+	gopkg.in/Knetic/govaluate.v3 v3.0.0 // indirect
 )

go.sum

@@ -1,60 +1,32 @@
+github.com/lxn/walk v0.0.0-20210112085537-c389da54e794 h1:NVRJ0Uy0SOFcXSKLsS65OmI1sgCCfiDUPj+cwnH7GZw=
 github.com/lxn/walk v0.0.0-20210112085537-c389da54e794/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ=
+github.com/lxn/win v0.0.0-20210218163916-a377121e959e h1:H+t6A/QJMbhCSEH5rAuRxh+CtW96g0Or0Fxa9IKr4uc=
 github.com/lxn/win v0.0.0-20210218163916-a377121e959e/go.mod h1:KxxjdtRkfNoYDCUP5ryK7XJJNTnpC8atvtmTheChOtk=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7-0.20210524175448-3115f89c4b99/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wireguard v0.0.0-20210604143328-f9b48a961cd2 h1:wfOOSvHgIzTZ9h5Vb6yUFZNn7uf3bT7PeYsHOO7tYDM=
 golang.zx2c4.com/wireguard v0.0.0-20210604143328-f9b48a961cd2/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=
-golang.zx2c4.com/wireguard/windows v0.3.15 h1:4v4ukisxYzOP/hOx3DJ3PXR57snWnxY6nEkwaO/7U/8=
-golang.zx2c4.com/wireguard/windows v0.3.15/go.mod h1:oW8CSblGDJbOg6m1/wW23j+ExasfXyTBeoRpodi9KYk=
+golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
+golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
+gopkg.in/Knetic/govaluate.v3 v3.0.0 h1:18mUyIt4ZlRlFZAAfVetz4/rzlJs9yhN+U02F4u1AOc=
+gopkg.in/Knetic/govaluate.v3 v3.0.0/go.mod h1:csKLBORsPbafmSCGTEh3U7Ozmsuq8ZSIlKk1bcqph0E=

interfacewatcher.go

@@ -15,10 +15,10 @@ import (
 	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/tun"
 
-	"golang.zx2c4.com/wireguard/windows/conf"
-	"golang.zx2c4.com/wireguard/windows/services"
-	"golang.zx2c4.com/wireguard/windows/tunnel/firewall"
-	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
+	"github.com/amnezia-vpn/awg-windows/conf"
+	"github.com/amnezia-vpn/awg-windows/services"
+	"github.com/amnezia-vpn/awg-windows/tunnel/firewall"
+	"github.com/amnezia-vpn/awg-windows/tunnel/winipcfg"
 )
 
 type interfaceWatcherError struct {

ipcpermissions.go

@@ -10,7 +10,7 @@ import (
 
 	"golang.zx2c4.com/wireguard/ipc"
 
-	"golang.zx2c4.com/wireguard/windows/conf"
+	"github.com/amnezia-vpn/awg-windows/conf"
 )
 
 func CopyConfigOwnerToIPCSecurityDescriptor(filename string) error {

scriptrunner.go

@@ -15,7 +15,7 @@ import (
 
 	"golang.org/x/sys/windows"
 
-	"golang.zx2c4.com/wireguard/windows/conf"
+	"github.com/amnezia-vpn/awg-windows/conf"
 )
 
 func runScriptCommand(command, interfaceName string) error {

service.go

@@ -22,11 +22,11 @@ import (
 	"golang.zx2c4.com/wireguard/ipc"
 	"golang.zx2c4.com/wireguard/tun"
 
-	"golang.zx2c4.com/wireguard/windows/conf"
-	"golang.zx2c4.com/wireguard/windows/elevate"
-	"golang.zx2c4.com/wireguard/windows/ringlogger"
-	"golang.zx2c4.com/wireguard/windows/services"
-	"golang.zx2c4.com/wireguard/windows/version"
+	"github.com/amnezia-vpn/awg-windows/conf"
+	"github.com/amnezia-vpn/awg-windows/elevate"
+	"github.com/amnezia-vpn/awg-windows/ringlogger"
+	"github.com/amnezia-vpn/awg-windows/services"
+	"github.com/amnezia-vpn/awg-windows/version"
 )
 
 type tunnelService struct {

services/boot.go

@@ -11,9 +11,9 @@ import (
 	"sync"
 	"time"
 
+	"github.com/amnezia-vpn/awg-windows/version"
 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/svc"
-	"golang.zx2c4.com/wireguard/windows/version"
 )
 
 var (

services/names.go

@@ -0,0 +1,26 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package services
+
+import (
+	"errors"
+
+	"github.com/amnezia-vpn/awg-windows/conf"
+)
+
+func ServiceNameOfTunnel(tunnelName string) (string, error) {
+	if !conf.TunnelNameIsValid(tunnelName) {
+		return "", errors.New("Tunnel name is not valid")
+	}
+	return "WireGuardTunnel$" + tunnelName, nil
+}
+
+func PipePathOfTunnel(tunnelName string) (string, error) {
+	if !conf.TunnelNameIsValid(tunnelName) {
+		return "", errors.New("Tunnel name is not valid")
+	}
+	return `\\.\pipe\ProtectedPrefix\Administrators\WireGuard\` + tunnelName, nil
+}

tunnel/addressconfig.go

@@ -11,11 +11,11 @@ import (
 	"net/netip"
 	"time"
 
+	"github.com/amnezia-vpn/awg-windows/conf"
+	"github.com/amnezia-vpn/awg-windows/services"
+	"github.com/amnezia-vpn/awg-windows/tunnel/firewall"
+	"github.com/amnezia-vpn/awg-windows/tunnel/winipcfg"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/windows/conf"
-	"golang.zx2c4.com/wireguard/windows/services"
-	"golang.zx2c4.com/wireguard/windows/tunnel/firewall"
-	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )
 
 func cleanupAddressesOnDisconnectedInterfaces(family winipcfg.AddressFamily, addresses []netip.Prefix) {

tunnel/defaultroutemonitor.go

@@ -0,0 +1,156 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package tunnel
+
+import (
+	"log"
+	"sync"
+	"time"
+
+	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/tun"
+
+	"github.com/amnezia-vpn/awg-windows/tunnel/winipcfg"
+)
+
+func bindSocketRoute(family winipcfg.AddressFamily, binder conn.BindSocketToInterface, ourLUID winipcfg.LUID, lastLUID *winipcfg.LUID, lastIndex *uint32, blackholeWhenLoop bool) error {
+	r, err := winipcfg.GetIPForwardTable2(family)
+	if err != nil {
+		return err
+	}
+	lowestMetric := ^uint32(0)
+	index := uint32(0)       // Zero is "unspecified", which for IP_UNICAST_IF resets the value, which is what we want.
+	luid := winipcfg.LUID(0) // Hopefully luid zero is unspecified, but hard to find docs saying so.
+	for i := range r {
+		if r[i].DestinationPrefix.PrefixLength != 0 || r[i].InterfaceLUID == ourLUID {
+			continue
+		}
+		ifrow, err := r[i].InterfaceLUID.Interface()
+		if err != nil || ifrow.OperStatus != winipcfg.IfOperStatusUp {
+			continue
+		}
+
+		iface, err := r[i].InterfaceLUID.IPInterface(family)
+		if err != nil {
+			continue
+		}
+
+		if r[i].Metric+iface.Metric < lowestMetric {
+			lowestMetric = r[i].Metric + iface.Metric
+			index = r[i].InterfaceIndex
+			luid = r[i].InterfaceLUID
+		}
+	}
+	if luid == *lastLUID && index == *lastIndex {
+		return nil
+	}
+	*lastLUID = luid
+	*lastIndex = index
+	blackhole := blackholeWhenLoop && index == 0
+	if family == windows.AF_INET {
+		log.Printf("Binding v4 socket to interface %d (blackhole=%v)", index, blackhole)
+		return binder.BindSocketToInterface4(index, blackhole)
+	} else if family == windows.AF_INET6 {
+		log.Printf("Binding v6 socket to interface %d (blackhole=%v)", index, blackhole)
+		return binder.BindSocketToInterface6(index, blackhole)
+	}
+	return nil
+}
+
+func monitorDefaultRoutes(family winipcfg.AddressFamily, binder conn.BindSocketToInterface, autoMTU bool, blackholeWhenLoop bool, tun *tun.NativeTun) ([]winipcfg.ChangeCallback, error) {
+	var minMTU uint32
+	if family == windows.AF_INET {
+		minMTU = 576
+	} else if family == windows.AF_INET6 {
+		minMTU = 1280
+	}
+	ourLUID := winipcfg.LUID(tun.LUID())
+	lastLUID := winipcfg.LUID(0)
+	lastIndex := ^uint32(0)
+	lastMTU := uint32(0)
+	doIt := func() error {
+		err := bindSocketRoute(family, binder, ourLUID, &lastLUID, &lastIndex, blackholeWhenLoop)
+		if err != nil {
+			return err
+		}
+		if !autoMTU {
+			return nil
+		}
+		mtu := uint32(0)
+		if lastLUID != 0 {
+			iface, err := lastLUID.Interface()
+			if err != nil {
+				return err
+			}
+			if iface.MTU > 0 {
+				mtu = iface.MTU
+			}
+		}
+		if mtu > 0 && lastMTU != mtu {
+			iface, err := ourLUID.IPInterface(family)
+			if err != nil {
+				return err
+			}
+			iface.NLMTU = mtu - 80
+			if iface.NLMTU < minMTU {
+				iface.NLMTU = minMTU
+			}
+			err = iface.Set()
+			if err != nil {
+				return err
+			}
+			tun.ForceMTU(int(iface.NLMTU)) // TODO: having one MTU for both v4 and v6 kind of breaks the windows model, so right now this just gets the second one which is... bad.
+			lastMTU = mtu
+		}
+		return nil
+	}
+	err := doIt()
+	if err != nil {
+		return nil, err
+	}
+
+	firstBurst := time.Time{}
+	burstMutex := sync.Mutex{}
+	burstTimer := time.AfterFunc(time.Hour*200, func() {
+		burstMutex.Lock()
+		firstBurst = time.Time{}
+		doIt()
+		burstMutex.Unlock()
+	})
+	burstTimer.Stop()
+	bump := func() {
+		burstMutex.Lock()
+		burstTimer.Reset(time.Millisecond * 150)
+		if firstBurst.IsZero() {
+			firstBurst = time.Now()
+		} else if time.Since(firstBurst) > time.Second*2 {
+			firstBurst = time.Time{}
+			burstTimer.Stop()
+			doIt()
+		}
+		burstMutex.Unlock()
+	}
+
+	cbr, err := winipcfg.RegisterRouteChangeCallback(func(notificationType winipcfg.MibNotificationType, route *winipcfg.MibIPforwardRow2) {
+		if route != nil && route.DestinationPrefix.PrefixLength == 0 {
+			bump()
+		}
+	})
+	if err != nil {
+		return nil, err
+	}
+	cbi, err := winipcfg.RegisterInterfaceChangeCallback(func(notificationType winipcfg.MibNotificationType, iface *winipcfg.MibIPInterfaceRow) {
+		if notificationType == winipcfg.MibParameterNotification {
+			bump()
+		}
+	})
+	if err != nil {
+		cbr.Unregister()
+		return nil, err
+	}
+	return []winipcfg.ChangeCallback{cbr, cbi}, nil
+}

tunnel/deterministicguid.go

@@ -15,7 +15,7 @@ import (
 	"golang.org/x/sys/windows"
 	"golang.org/x/text/unicode/norm"
 
-	"golang.zx2c4.com/wireguard/windows/conf"
+	"github.com/amnezia-vpn/awg-windows/conf"
 )
 
 const (

tunnel/interfacewatcher.go

@@ -12,12 +12,12 @@ import (
 	"sync"
 	"time"
 
+	"github.com/amnezia-vpn/awg-windows/conf"
+	"github.com/amnezia-vpn/awg-windows/driver"
+	"github.com/amnezia-vpn/awg-windows/services"
+	"github.com/amnezia-vpn/awg-windows/tunnel/firewall"
+	"github.com/amnezia-vpn/awg-windows/tunnel/winipcfg"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/windows/conf"
-	"golang.zx2c4.com/wireguard/windows/driver"
-	"golang.zx2c4.com/wireguard/windows/services"
-	"golang.zx2c4.com/wireguard/windows/tunnel/firewall"
-	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )
 
 type interfaceWatcherError struct {

tunnel/ipcpermissions.go

@@ -0,0 +1,63 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2021 WireGuard LLC. All Rights Reserved.
+ */
+
+package tunnel
+
+import (
+	"golang.org/x/sys/windows"
+
+	"golang.zx2c4.com/wireguard/ipc"
+
+	"github.com/amnezia-vpn/awg-windows/conf"
+)
+
+func CopyConfigOwnerToIPCSecurityDescriptor(filename string) error {
+	if conf.PathIsEncrypted(filename) {
+		return nil
+	}
+
+	fileSd, err := windows.GetNamedSecurityInfo(filename, windows.SE_FILE_OBJECT, windows.OWNER_SECURITY_INFORMATION)
+	if err != nil {
+		return err
+	}
+	fileOwner, _, err := fileSd.Owner()
+	if err != nil {
+		return err
+	}
+	if fileOwner.IsWellKnown(windows.WinLocalSystemSid) {
+		return nil
+	}
+	additionalEntries := []windows.EXPLICIT_ACCESS{{
+		AccessPermissions: windows.GENERIC_ALL,
+		AccessMode:        windows.GRANT_ACCESS,
+		Trustee: windows.TRUSTEE{
+			TrusteeForm:  windows.TRUSTEE_IS_SID,
+			TrusteeType:  windows.TRUSTEE_IS_USER,
+			TrusteeValue: windows.TrusteeValueFromSID(fileOwner),
+		},
+	}}
+
+	sd, err := ipc.UAPISecurityDescriptor.ToAbsolute()
+	if err != nil {
+		return err
+	}
+	dacl, defaulted, _ := sd.DACL()
+
+	newDacl, err := windows.ACLFromEntries(additionalEntries, dacl)
+	if err != nil {
+		return err
+	}
+	err = sd.SetDACL(newDacl, true, defaulted)
+	if err != nil {
+		return err
+	}
+	sd, err = sd.ToSelfRelative()
+	if err != nil {
+		return err
+	}
+	ipc.UAPISecurityDescriptor = sd
+
+	return nil
+}

tunnel/mtumonitor.go

@@ -6,8 +6,8 @@
 package tunnel
 
 import (
+	"github.com/amnezia-vpn/awg-windows/tunnel/winipcfg"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )
 
 func findDefaultLUID(family winipcfg.AddressFamily, ourLUID winipcfg.LUID, lastLUID *winipcfg.LUID, lastIndex *uint32) error {

tunnel/pitfalls.go

@@ -11,10 +11,10 @@ import (
 	"strings"
 	"unsafe"
 
+	"github.com/amnezia-vpn/awg-windows/conf"
+	"github.com/amnezia-vpn/awg-windows/tunnel/winipcfg"
 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/svc/mgr"
-	"golang.zx2c4.com/wireguard/windows/conf"
-	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )
 
 func evaluateStaticPitfalls() {

tunnel/scriptrunner.go

@@ -15,7 +15,7 @@ import (
 
 	"golang.org/x/sys/windows"
 
-	"golang.zx2c4.com/wireguard/windows/conf"
+	"github.com/amnezia-vpn/awg-windows/conf"
 )
 
 func runScriptCommand(command, interfaceName string) error {

tunnel/service.go

@@ -13,15 +13,15 @@ import (
 	"runtime"
 	"time"
 
+	"github.com/amnezia-vpn/awg-windows/conf"
+	"github.com/amnezia-vpn/awg-windows/driver"
+	"github.com/amnezia-vpn/awg-windows/elevate"
+	"github.com/amnezia-vpn/awg-windows/ringlogger"
+	"github.com/amnezia-vpn/awg-windows/services"
+	"github.com/amnezia-vpn/awg-windows/tunnel/winipcfg"
 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/svc"
 	"golang.org/x/sys/windows/svc/mgr"
-	"golang.zx2c4.com/wireguard/windows/conf"
-	"golang.zx2c4.com/wireguard/windows/driver"
-	"golang.zx2c4.com/wireguard/windows/elevate"
-	"golang.zx2c4.com/wireguard/windows/ringlogger"
-	"golang.zx2c4.com/wireguard/windows/services"
-	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 )
 
 type tunnelService struct {

ui/aboutdialog.go

@@ -9,13 +9,13 @@ import (
 	"runtime"
 	"strings"
 
+	"github.com/amnezia-vpn/awg-windows/driver"
 	"github.com/lxn/walk"
 	"github.com/lxn/win"
 	"golang.org/x/sys/windows"
-	"golang.zx2c4.com/wireguard/windows/driver"
 
-	"golang.zx2c4.com/wireguard/windows/l18n"
-	"golang.zx2c4.com/wireguard/windows/version"
+	"github.com/amnezia-vpn/awg-windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/version"
 )
 
 var (

ui/confview.go

@@ -13,8 +13,8 @@ import (
 	"github.com/lxn/walk"
 	"github.com/lxn/win"
 
-	"golang.zx2c4.com/wireguard/windows/conf"
-	"golang.zx2c4.com/wireguard/windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/conf"
+	"github.com/amnezia-vpn/awg-windows/l18n"
 	"golang.zx2c4.com/wireguard/windows/manager"
 )
 
@@ -47,6 +47,17 @@ type interfaceView struct {
 	status       *labelStatusLine
 	publicKey    *labelTextLine
 	listenPort   *labelTextLine
+
+	junkPacketCount 			*labelTextLine
+	junkPacketMinSize 			*labelTextLine
+	junkPacketMaxSize 			*labelTextLine
+	initPacketJunkSize 			*labelTextLine
+	responsePacketJunkSize 		*labelTextLine
+	initPacketMagicHeader 		*labelTextLine
+	responsePacketMagicHeader 	*labelTextLine
+	underloadPacketMagicHeader 	*labelTextLine
+	transportPacketMagicHeader 	*labelTextLine
+	
 	mtu          *labelTextLine
 	addresses    *labelTextLine
 	dns          *labelTextLine
@@ -304,6 +315,15 @@ func newInterfaceView(parent walk.Container) (*interfaceView, error) {
 	items := []labelTextLineItem{
 		{l18n.Sprintf("Public key:"), &iv.publicKey},
 		{l18n.Sprintf("Listen port:"), &iv.listenPort},
+		{l18n.Sprintf("Jc:"), &iv.junkPacketCount},
+		{l18n.Sprintf("Jmin:"), &iv.junkPacketMinSize},
+		{l18n.Sprintf("Jmax:"), &iv.junkPacketMaxSize},
+		{l18n.Sprintf("S1:"), &iv.initPacketJunkSize},
+		{l18n.Sprintf("S2:"), &iv.responsePacketJunkSize},
+		{l18n.Sprintf("H1:"), &iv.initPacketMagicHeader},
+		{l18n.Sprintf("H2:"), &iv.responsePacketMagicHeader},
+		{l18n.Sprintf("H3:"), &iv.underloadPacketMagicHeader},
+		{l18n.Sprintf("H4:"), &iv.transportPacketMagicHeader},
 		{l18n.Sprintf("MTU:"), &iv.mtu},
 		{l18n.Sprintf("Addresses:"), &iv.addresses},
 		{l18n.Sprintf("DNS servers:"), &iv.dns},
@@ -380,6 +400,60 @@ func (iv *interfaceView) apply(c *conf.Interface) {
 		iv.listenPort.hide()
 	}
 
+	if c.JunkPacketCount > 0 {
+		iv.junkPacketCount.show(strconv.Itoa(int(c.JunkPacketCount)))
+	} else {
+		iv.junkPacketCount.hide()
+	}
+
+	if c.JunkPacketMinSize > 0 {
+		iv.junkPacketMinSize.show(strconv.Itoa(int(c.JunkPacketMinSize)))
+	} else {
+		iv.junkPacketMinSize.hide()
+	}
+
+	if c.JunkPacketMaxSize > 0 {
+		iv.junkPacketMaxSize.show(strconv.Itoa(int(c.JunkPacketMaxSize)))
+	} else {
+		iv.junkPacketMaxSize.hide()
+	}
+
+	if c.InitPacketJunkSize > 0 {
+		iv.initPacketJunkSize.show(strconv.Itoa(int(c.InitPacketJunkSize)))
+	} else {
+		iv.initPacketJunkSize.hide()
+	}
+
+	if c.ResponsePacketJunkSize > 0 {
+		iv.responsePacketJunkSize.show(strconv.Itoa(int(c.ResponsePacketJunkSize)))
+	} else {
+		iv.responsePacketJunkSize.hide()
+	}
+
+	if c.InitPacketMagicHeader > 0 {
+		iv.initPacketMagicHeader.show(strconv.FormatUint(uint64(c.InitPacketMagicHeader), 10))
+	} else {
+		iv.initPacketMagicHeader.hide()
+	}
+
+	if c.ResponsePacketMagicHeader > 0 {
+		iv.responsePacketMagicHeader.show(strconv.FormatUint(uint64(c.ResponsePacketMagicHeader), 10))
+	} else {
+		iv.responsePacketMagicHeader.hide()
+	}
+
+	if c.UnderloadPacketMagicHeader > 0 {
+		iv.underloadPacketMagicHeader.show(strconv.FormatUint(uint64(c.UnderloadPacketMagicHeader), 10))
+	} else {
+		iv.underloadPacketMagicHeader.hide()
+	}
+
+	if c.TransportPacketMagicHeader > 0 {
+		iv.transportPacketMagicHeader.show(strconv.FormatUint(uint64(c.TransportPacketMagicHeader), 10))
+	} else {
+		iv.transportPacketMagicHeader.hide()
+	}
+
 	if c.MTU > 0 {
 		iv.mtu.show(strconv.Itoa(int(c.MTU)))
 	} else {

ui/editdialog.go

@@ -13,10 +13,10 @@ import (
 	"github.com/lxn/win"
 	"golang.org/x/sys/windows"
 
-	"golang.zx2c4.com/wireguard/windows/conf"
-	"golang.zx2c4.com/wireguard/windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/conf"
+	"github.com/amnezia-vpn/awg-windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/ui/syntax"
 	"golang.zx2c4.com/wireguard/windows/manager"
-	"golang.zx2c4.com/wireguard/windows/ui/syntax"
 )
 
 type EditDialog struct {

ui/filesave.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/lxn/walk"
 
-	"golang.zx2c4.com/wireguard/windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/l18n"
 )
 
 func writeFileWithOverwriteHandling(owner walk.Form, filePath string, write func(file *os.File) error) bool {

ui/iconprovider.go

@@ -8,7 +8,7 @@ package ui
 import (
 	"github.com/lxn/walk"
 
-	"golang.zx2c4.com/wireguard/windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/l18n"
 	"golang.zx2c4.com/wireguard/windows/manager"
 )
 

ui/listview.go

@@ -11,7 +11,7 @@ import (
 
 	"github.com/lxn/win"
 
-	"golang.zx2c4.com/wireguard/windows/conf"
+	"github.com/amnezia-vpn/awg-windows/conf"
 	"golang.zx2c4.com/wireguard/windows/manager"
 
 	"github.com/lxn/walk"

ui/logpage.go

@@ -11,9 +11,9 @@ import (
 	"strings"
 	"time"
 
+	"github.com/amnezia-vpn/awg-windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/ringlogger"
 	"github.com/lxn/walk"
-	"golang.zx2c4.com/wireguard/windows/l18n"
-	"golang.zx2c4.com/wireguard/windows/ringlogger"
 )
 
 const (

ui/managewindow.go

@@ -13,7 +13,7 @@ import (
 	"github.com/lxn/win"
 	"golang.org/x/sys/windows"
 
-	"golang.zx2c4.com/wireguard/windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/l18n"
 	"golang.zx2c4.com/wireguard/windows/manager"
 )
 

ui/raise.go

@@ -12,7 +12,7 @@ import (
 	"github.com/lxn/win"
 	"golang.org/x/sys/windows"
 
-	"golang.zx2c4.com/wireguard/windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/l18n"
 )
 
 func raise(hwnd win.HWND) {

ui/syntax/highlighter.go

@@ -8,7 +8,10 @@
 
 package syntax
 
-import "unsafe"
+import (
+	"math"
+	"unsafe"
+)
 
 type highlight int
 
@@ -28,6 +31,15 @@ const (
 	highlightDelimiter
 	highlightTable
 	highlightCmd
+	highlightJc
+	highlightJmin
+	highlightJmax
+	highlightS1
+	highlightS2
+	highlightH1
+	highlightH2
+	highlightH3
+	highlightH4
 	highlightError
 )
 
@@ -253,6 +265,14 @@ func (s stringSpan) isValidPort() bool {
 	return s.isValidUint(false, 0, 65535)
 }
 
+func (s stringSpan) isValidUint16() bool {
+	return s.isValidUint(false, 0, math.MaxUint16)
+}
+
+func (s stringSpan) isValidUint32() bool {
+	return s.isValidUint(false, 0, math.MaxUint32)
+}
+
 func (s stringSpan) isValidMTU() bool {
 	return s.isValidUint(false, 576, 65535)
 }
@@ -376,6 +396,15 @@ const (
 	fieldAllowedIPs
 	fieldEndpoint
 	fieldPersistentKeepalive
+	fieldJc
+	fieldJmin
+	fieldJmax
+	fieldS1
+	fieldS2
+	fieldH1
+	fieldH2
+	fieldH3
+	fieldH4
 	fieldInvalid
 )
 
@@ -395,6 +424,24 @@ func (s stringSpan) field() field {
 		return fieldPrivateKey
 	case s.isCaselessSame("ListenPort"):
 		return fieldListenPort
+	case s.isCaselessSame("Jc"):
+		return fieldJc
+	case s.isCaselessSame("Jmin"):
+		return fieldJmin
+	case s.isCaselessSame("Jmax"):
+		return fieldJmax
+	case s.isCaselessSame("S1"):
+		return fieldS1
+	case s.isCaselessSame("S2"):
+		return fieldS2
+	case s.isCaselessSame("H1"):
+		return fieldH1
+	case s.isCaselessSame("H2"):
+		return fieldH2
+	case s.isCaselessSame("H3"):
+		return fieldH3
+	case s.isCaselessSame("H4"):
+		return fieldH4
 	case s.isCaselessSame("Address"):
 		return fieldAddress
 	case s.isCaselessSame("DNS"):
@@ -512,6 +559,24 @@ func (hsa *highlightSpanArray) highlightValue(parent, s stringSpan, section fiel
 		hsa.append(parent.s, s, validateHighlight(s.isValidKey(), highlightPrivateKey))
 	case fieldPublicKey:
 		hsa.append(parent.s, s, validateHighlight(s.isValidKey(), highlightPublicKey))
+	case fieldJc:
+		hsa.append(parent.s, s, validateHighlight(s.isValidUint16(), highlightJc))
+	case fieldJmin:
+		hsa.append(parent.s, s, validateHighlight(s.isValidUint16(), highlightJmin))
+	case fieldJmax:
+		hsa.append(parent.s, s, validateHighlight(s.isValidUint16(), highlightJmax))
+	case fieldS1:
+		hsa.append(parent.s, s, validateHighlight(s.isValidUint16(), highlightS1))
+	case fieldS2:
+		hsa.append(parent.s, s, validateHighlight(s.isValidUint16(), highlightS2))
+	case fieldH1:
+		hsa.append(parent.s, s, validateHighlight(s.isValidUint32(), highlightH1))
+	case fieldH2:
+		hsa.append(parent.s, s, validateHighlight(s.isValidUint32(), highlightH2))
+	case fieldH3:
+		hsa.append(parent.s, s, validateHighlight(s.isValidUint32(), highlightH3))
+	case fieldH4:
+		hsa.append(parent.s, s, validateHighlight(s.isValidUint32(), highlightH4))
 	case fieldPresharedKey:
 		hsa.append(parent.s, s, validateHighlight(s.isValidKey(), highlightPresharedKey))
 	case fieldMTU:

ui/syntax/syntaxedit.go

@@ -99,6 +99,15 @@ var stylemap = map[highlight]spanStyle{
 	highlightCidr:         {color: win.RGB(0x81, 0x5F, 0x03)},
 	highlightHost:         {color: win.RGB(0x0E, 0x0E, 0xFF)},
 	highlightPort:         {color: win.RGB(0x81, 0x5F, 0x03)},
+	highlightJc: 		   {color:win.RGB(0x81, 0x5F, 0x03)},
+	highlightJmin: 		   {color:win.RGB(0x81, 0x5F, 0x03)},
+	highlightJmax: 		   {color:win.RGB(0x81, 0x5F, 0x03)},
+	highlightS1: 		   {color:win.RGB(0x81, 0x5F, 0x03)},
+	highlightS2: 		   {color:win.RGB(0x81, 0x5F, 0x03)},
+	highlightH1: 		   {color:win.RGB(0x81, 0x5F, 0x03)},
+	highlightH2: 		   {color:win.RGB(0x81, 0x5F, 0x03)},
+	highlightH3: 		   {color:win.RGB(0x81, 0x5F, 0x03)},
+	highlightH4: 		   {color:win.RGB(0x81, 0x5F, 0x03)},
 	highlightMTU:          {color: win.RGB(0x1C, 0x00, 0xCF)},
 	highlightTable:        {color: win.RGB(0x1C, 0x00, 0xCF)},
 	highlightKeepalive:    {color: win.RGB(0x1C, 0x00, 0xCF)},

ui/tray.go

@@ -10,8 +10,8 @@ import (
 	"strings"
 	"time"
 
-	"golang.zx2c4.com/wireguard/windows/conf"
-	"golang.zx2c4.com/wireguard/windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/conf"
+	"github.com/amnezia-vpn/awg-windows/l18n"
 	"golang.zx2c4.com/wireguard/windows/manager"
 
 	"github.com/lxn/walk"

ui/tunnelspage.go

@@ -17,8 +17,8 @@ import (
 
 	"github.com/lxn/walk"
 
-	"golang.zx2c4.com/wireguard/windows/conf"
-	"golang.zx2c4.com/wireguard/windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/conf"
+	"github.com/amnezia-vpn/awg-windows/l18n"
 	"golang.zx2c4.com/wireguard/windows/manager"
 )
 

ui/ui.go

@@ -15,9 +15,9 @@ import (
 	"github.com/lxn/win"
 	"golang.org/x/sys/windows"
 
-	"golang.zx2c4.com/wireguard/windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/version"
 	"golang.zx2c4.com/wireguard/windows/manager"
-	"golang.zx2c4.com/wireguard/windows/version"
 )
 
 var (

ui/updatepage.go

@@ -8,7 +8,7 @@ package ui
 import (
 	"github.com/lxn/walk"
 
-	"golang.zx2c4.com/wireguard/windows/l18n"
+	"github.com/amnezia-vpn/awg-windows/l18n"
 	"golang.zx2c4.com/wireguard/windows/manager"
 	"golang.zx2c4.com/wireguard/windows/updater"
 )