Gateway probe localnet mode #6274
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add CLI args for localnet testing (no HTTP API needed): --entry-gateway-identity, --exit-gateway-identity --entry-lp-address, --exit-lp-address, --lp-port - Add TestMode enum (Mixnet, SingleHop, TwoHop, LpOnly) with --mode CLI arg and auto-inference from legacy flags - Add TestedNodeDetails::from_cli() for localnet mode - Add Probe::new_localnet() constructor - Fix LpRegistrationClient API calls for packet-per-connection model
The mode_to_flags() function was discarding the original only_wireguard flag. Now we preserve args.only_wireguard since it's orthogonal to the test mode (it means "skip ping tests" in mixnet mode).
- Extract TestMode enum to mode/mod.rs for cleaner organization - Add common/wireguard.rs with shared WireGuard tunnel testing - Deduplicate netstack code from wg_probe() and wg_probe_lp() - Net reduction of 174 lines in lib.rs
- from_flags() tests for all flag combinations - Helper method tests (needs_mixnet, uses_lp, tests_wireguard, needs_exit_gateway) - Display and FromStr tests with alternate formats - Roundtrip test ensuring Display/FromStr consistency Closes: nym-39mt
- Replace only_lp_registration and test_lp_wg boolean params with TestMode - Keep only_wireguard separate (controls ping behavior in Mixnet mode) - Use TestMode helper methods for cleaner control flow: - needs_mixnet() && !only_wireguard → run ping tests - tests_wireguard() → run WG tests - uses_lp() → use LP path instead of authenticator - Convert legacy flags to TestMode at call sites for backward compatibility Closes: nym-dd70
- Add early validation for --mode two-hop without exit gateway (nym-c0hl) Clear error message instead of silent failure deep in probe - Add safe_ratio() helper for division by zero protection (nym-ktvz) Returns 0.0 when sent_hosts/sent_ips is 0 instead of NaN/Inf - Refactor run_tunnel_tests to take &mut WgProbeResults (nym-4v1p) Eliminates 40+ lines of field-by-field copying at call sites Closes: nym-c0hl, nym-ktvz, nym-4v1p
- Remove unused _storage parameter from wg_probe_lp (nym-r3w9) - Fix common/mod.rs docs to match implemented features (nym-1nsv) Closes: nym-r3w9, nym-1nsv, nym-inol (epic)
- Add Test Modes section explaining mixnet/single-hop/two-hop/lp-only - Add Localnet Mode (run-local) usage examples - Add Split Network Configuration for docker setups - Add CLI Reference with all new flags - Add Output section with JSON example Closes: nym-mj2q
Key changes: - Add outer_aead_key_for_sending() to gate outer encryption on PSQ completion (fixes bug where initiator encrypted msg 1 before responder could decrypt) - Add handshake_and_register_with_credential() to NestedLpSession for mock ecash - Update PSQState::InitiatorWaiting to store PSK instead of ciphertext - Add probe-localnet.sh script for two-hop localnet testing - Update gateway handler with connection lifecycle statistics The PSK timing fix ensures the first Noise message is sent in cleartext because the responder hasn't derived the PSK yet from the PSQ payload.
Add UDP forwarder pattern (copied from VPN client) to enable proper two-hop tunneling where traffic flows: Client → Entry Gateway → Exit Gateway → Internet. Key changes: - Add udp_forwarder.go for tunnel-in-tunnel traffic forwarding - Add wgPingTwoHop() Go function and Rust FFI bindings - Configure NAT/iptables in localnet for gateway routing - Remove unnecessary PSK from gateway LP registration (was breaking handshakes) - Document known container networking instability issue (nym-vbdo) The probe now correctly uses the entry tunnel to reach the exit gateway's WireGuard endpoint, rather than trying to connect directly to unreachable container-internal IPs.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
2 Skipped Deployments
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add gateway-probe localnet mode with LP-based two-hop WireGuard testing
Summary
Key Changes
Gateway Probe Localnet Mode (nym-gateway-probe/)
Localnet Infrastructure (docker/localnet/)
Gateway LP Registration (gateway/src/node/lp_listener/)
Known Issues
This change is