Add naive speed test

Without it the WG can not exit from the read loop

client/firewall/nftables/manager_linux.go

@@ -143,7 +143,7 @@ func (m *Manager) AllowNetbird() error {
 	}
 
 	if rule := m.detectAllowNetbirdRule(rules); rule != nil {
-		log.Debugf("allow netbird rule already exists: %v", rule)
+		log.Debugf("allow netbird rule already exists: %#v", rule)
 		return nil
 	}
 

client/internal/engine.go

@@ -138,6 +138,7 @@ type Engine struct {
 	signalProbe *Probe
 	relayProbe  *Probe
 	wgProbe     *Probe
+	turnRelay   *relay.PermanentTurn
 }
 
 // Peer is an instance of the Connection Peer
@@ -199,7 +200,7 @@ func NewEngineWithProbes(
 		networkSerial:  0,
 		sshServerFunc:  nbssh.DefaultSSHServer,
 		statusRecorder: statusRecorder,
-		wgProxyFactory: wgproxy.NewFactory(config.WgPort),
+		wgProxyFactory: &wgproxy.Factory{},
 		mgmProbe:       mgmProbe,
 		signalProbe:    signalProbe,
 		relayProbe:     relayProbe,
@@ -452,10 +453,19 @@ func SignalOfferAnswer(offerAnswer peer.OfferAnswer, myKey wgtypes.Key, remoteKe
 		t = sProto.Body_OFFER
 	}
 
-	msg, err := signal.MarshalCredential(myKey, offerAnswer.WgListenPort, remoteKey, &signal.Credential{
-		UFrag: offerAnswer.IceCredentials.UFrag,
-		Pwd:   offerAnswer.IceCredentials.Pwd,
-	}, t, offerAnswer.RosenpassPubKey, offerAnswer.RosenpassAddr)
+	msg, err := signal.MarshalCredential(
+		myKey,
+		offerAnswer.WgListenPort,
+		remoteKey, &signal.Credential{
+			UFrag: offerAnswer.IceCredentials.UFrag,
+			Pwd:   offerAnswer.IceCredentials.Pwd,
+		},
+		t,
+		offerAnswer.RosenpassPubKey,
+		offerAnswer.RosenpassAddr,
+		offerAnswer.RelayedAddr.String(),
+		offerAnswer.RemoteAddr.String(),
+	)
 	if err != nil {
 		return err
 	}
@@ -483,6 +493,14 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 			return err
 		}
 
+		turnRelay := relay.NewPermanentTurn(e.STUNs[0], e.TURNs[0])
+		err = turnRelay.Open()
+		if err != nil {
+			return fmt.Errorf("faile to open turn relay: %w", err)
+		}
+		e.turnRelay = turnRelay
+		e.wgInterface.SetRelayConn(e.turnRelay.RelayConn())
+
 		// todo update signal
 	}
 
@@ -621,6 +639,7 @@ func (e *Engine) updateTURNs(turns []*mgmProto.ProtectedHostConfig) error {
 	var newTURNs []*stun.URI
 	log.Debugf("got TURNs update from Management Service, updating")
 	for _, turn := range turns {
+		log.Debugf("-----updated Turn %v, %s, %s", turn.HostConfig.Uri, turn.User, turn.Password)
 		url, err := stun.ParseURI(turn.HostConfig.Uri)
 		if err != nil {
 			return err
@@ -630,7 +649,6 @@ func (e *Engine) updateTURNs(turns []*mgmProto.ProtectedHostConfig) error {
 		newTURNs = append(newTURNs, url)
 	}
 	e.TURNs = newTURNs
-
 	return nil
 }
 
@@ -934,7 +952,7 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, e
 		RosenpassAddr:        e.getRosenpassAddr(),
 	}
 
-	peerConn, err := peer.NewConn(config, e.statusRecorder, e.wgProxyFactory, e.mobileDep.TunAdapter, e.mobileDep.IFaceDiscover)
+	peerConn, err := peer.NewConn(config, e.statusRecorder, e.wgProxyFactory, e.mobileDep.TunAdapter, e.mobileDep.IFaceDiscover, e.turnRelay)
 	if err != nil {
 		return nil, err
 	}
@@ -1000,6 +1018,17 @@ func (e *Engine) receiveSignalEvents() {
 					rosenpassPubKey = msg.GetBody().GetRosenpassConfig().GetRosenpassPubKey()
 					rosenpassAddr = msg.GetBody().GetRosenpassConfig().GetRosenpassServerAddr()
 				}
+
+				relayedAddr, err := net.ResolveUDPAddr("udp", msg.GetBody().GetRelay().GetRelayedAddress())
+				if err != nil {
+					return err
+				}
+
+				remoteAddr, err := net.ResolveUDPAddr("udp", msg.GetBody().GetRelay().GetSrvRefAddress())
+				if err != nil {
+					return err
+				}
+
 				conn.OnRemoteOffer(peer.OfferAnswer{
 					IceCredentials: peer.IceCredentials{
 						UFrag: remoteCred.UFrag,
@@ -1009,6 +1038,8 @@ func (e *Engine) receiveSignalEvents() {
 					Version:         msg.GetBody().GetNetBirdVersion(),
 					RosenpassPubKey: rosenpassPubKey,
 					RosenpassAddr:   rosenpassAddr,
+					RelayedAddr:     relayedAddr,
+					RemoteAddr:      remoteAddr,
 				})
 			case sProto.Body_ANSWER:
 				remoteCred, err := signal.UnMarshalCredential(msg)
@@ -1024,6 +1055,17 @@ func (e *Engine) receiveSignalEvents() {
 					rosenpassPubKey = msg.GetBody().GetRosenpassConfig().GetRosenpassPubKey()
 					rosenpassAddr = msg.GetBody().GetRosenpassConfig().GetRosenpassServerAddr()
 				}
+
+				relayedAddr, err := net.ResolveUDPAddr("udp", msg.GetBody().GetRelay().GetRelayedAddress())
+				if err != nil {
+					return err
+				}
+
+				remoteAddr, err := net.ResolveUDPAddr("udp", msg.GetBody().GetRelay().GetSrvRefAddress())
+				if err != nil {
+					return err
+				}
+
 				conn.OnRemoteAnswer(peer.OfferAnswer{
 					IceCredentials: peer.IceCredentials{
 						UFrag: remoteCred.UFrag,
@@ -1033,6 +1075,8 @@ func (e *Engine) receiveSignalEvents() {
 					Version:         msg.GetBody().GetNetBirdVersion(),
 					RosenpassPubKey: rosenpassPubKey,
 					RosenpassAddr:   rosenpassAddr,
+					RelayedAddr:     relayedAddr,
+					RemoteAddr:      remoteAddr,
 				})
 			case sProto.Body_CANDIDATE:
 				candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
@@ -1043,7 +1087,6 @@ func (e *Engine) receiveSignalEvents() {
 				conn.OnRemoteCandidate(candidate)
 			case sProto.Body_MODE:
 			}
-
 			return nil
 		})
 		if err != nil {
@@ -1115,6 +1158,8 @@ func (e *Engine) close() {
 		log.Errorf("failed closing ebpf proxy: %s", err)
 	}
 
+	e.turnRelay.Close()
+
 	// stop/restore DNS first so dbus and friends don't complain because of a missing interface
 	if e.dnsServer != nil {
 		e.dnsServer.Stop()

client/internal/peer/conn.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"runtime"
 	"strings"
 	"sync"
 	"time"
@@ -14,6 +13,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
+	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/internal/wgproxy"
 	"github.com/netbirdio/netbird/iface"
@@ -93,6 +93,10 @@ type OfferAnswer struct {
 	// RosenpassAddr is the Rosenpass server address (IP:port) of the remote peer when receiving this message
 	// This value is the local Rosenpass server address when sending the message
 	RosenpassAddr string
+
+	// Turn Relay
+	RelayedAddr net.Addr
+	RemoteAddr  net.Addr
 }
 
 // IceCredentials ICE protocol credentials struct
@@ -141,11 +145,11 @@ type Conn struct {
 	sentExtraSrflx bool
 
 	remoteEndpoint *net.UDPAddr
-	remoteConn     *ice.Conn
 
 	connID               nbnet.ConnectionID
 	beforeAddPeerHooks   []BeforeAddPeerHookFunc
 	afterRemovePeerHooks []AfterRemovePeerHookFunc
+	turnRelay            *relay.PermanentTurn
 }
 
 // meta holds meta information about a connection
@@ -176,7 +180,7 @@ func (conn *Conn) UpdateStunTurn(turnStun []*stun.URI) {
 
 // NewConn creates a new not opened Conn to the remote peer.
 // To establish a connection run Conn.Open
-func NewConn(config ConnConfig, statusRecorder *Status, wgProxyFactory *wgproxy.Factory, adapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover) (*Conn, error) {
+func NewConn(config ConnConfig, statusRecorder *Status, wgProxyFactory *wgproxy.Factory, adapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover, turnRelay *relay.PermanentTurn) (*Conn, error) {
 	return &Conn{
 		config:         config,
 		mu:             sync.Mutex{},
@@ -189,6 +193,7 @@ func NewConn(config ConnConfig, statusRecorder *Status, wgProxyFactory *wgproxy.
 		wgProxyFactory: wgProxyFactory,
 		adapter:        adapter,
 		iFaceDiscover:  iFaceDiscover,
+		turnRelay:      turnRelay,
 	}, nil
 }
 
@@ -212,7 +217,7 @@ func (conn *Conn) reCreateAgent() error {
 		MulticastDNSMode:       ice.MulticastDNSModeDisabled,
 		NetworkTypes:           []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6},
 		Urls:                   conn.config.StunTurn,
-		CandidateTypes:         conn.candidateTypes(),
+		CandidateTypes:         []ice.CandidateType{},
 		FailedTimeout:          &failedTimeout,
 		InterfaceFilter:        stdnet.InterfaceFilter(conn.config.InterfaceBlackList),
 		UDPMux:                 conn.config.UDPMux,
@@ -262,17 +267,6 @@ func (conn *Conn) reCreateAgent() error {
 	return nil
 }
 
-func (conn *Conn) candidateTypes() []ice.CandidateType {
-	if hasICEForceRelayConn() {
-		return []ice.CandidateType{ice.CandidateTypeRelay}
-	}
-	// TODO: remove this once we have refactored userspace proxy into the bind package
-	if runtime.GOOS == "ios" {
-		return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive}
-	}
-	return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay}
-}
-
 // Open opens connection to the remote peer starting ICE candidate gathering process.
 // Blocks until connection has been closed or connection timeout.
 // ConnStatus will be set accordingly
@@ -351,42 +345,53 @@ func (conn *Conn) Open() error {
 		log.Warnf("error while updating the state of peer %s,err: %v", conn.config.Key, err)
 	}
 
-	err = conn.agent.GatherCandidates()
-	if err != nil {
-		return err
-	}
-
-	// will block until connection succeeded
-	// but it won't release if ICE Agent went into Disconnected or Failed state,
-	// so we have to cancel it with the provided context once agent detected a broken connection
-	isControlling := conn.config.LocalKey > conn.config.Key
-	var remoteConn *ice.Conn
+	isControlling := conn.config.LocalKey < conn.config.Key
 	if isControlling {
-		remoteConn, err = conn.agent.Dial(conn.ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+		log.Debugf("---- use this peer's tunr connection")
+		err = conn.turnRelay.PunchHole(remoteOfferAnswer.RemoteAddr)
+		if err != nil {
+			log.Errorf("failed to punch hole: %v", err)
+		}
+		addr, ok := remoteOfferAnswer.RemoteAddr.(*net.UDPAddr)
+		if !ok {
+			return fmt.Errorf("failed to cast addr to udp addr")
+		}
+		addr.Port = remoteOfferAnswer.WgListenPort
+		err := conn.config.WgConfig.WgInterface.UpdatePeer(conn.config.WgConfig.RemoteKey, conn.config.WgConfig.AllowedIps, defaultWgKeepAlive, addr, conn.config.WgConfig.PreSharedKey)
+		if err != nil {
+			if conn.wgProxy != nil {
+				_ = conn.wgProxy.CloseConn()
+			}
+			// todo close
+			return err
+		}
 	} else {
-		remoteConn, err = conn.agent.Accept(conn.ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
-	}
-	if err != nil {
-		return err
-	}
+		log.Debugf("---- use remote peer tunr connection")
+		addr, ok := remoteOfferAnswer.RelayedAddr.(*net.UDPAddr)
+		if !ok {
+			return fmt.Errorf("failed to cast addr to udp addr")
+		}
+		err := conn.config.WgConfig.WgInterface.UpdatePeer(conn.config.WgConfig.RemoteKey, conn.config.WgConfig.AllowedIps, defaultWgKeepAlive, addr, conn.config.WgConfig.PreSharedKey)
+		if err != nil {
+			if conn.wgProxy != nil {
+				_ = conn.wgProxy.CloseConn()
+			}
+			// todo close
+			return err
+		}
 
-	// dynamically set remote WireGuard port is other side specified a different one from the default one
-	remoteWgPort := iface.DefaultWgPort
-	if remoteOfferAnswer.WgListenPort != 0 {
-		remoteWgPort = remoteOfferAnswer.WgListenPort
+		// the ice connection has been established successfully so we are ready to start the proxy
+		/*
+			remoteAddr, err := conn.configureConnection(remoteOfferAnswer.RelayedAddr, remoteWgPort, remoteOfferAnswer.RosenpassPubKey,
+				remoteOfferAnswer.RosenpassAddr)
+			if err != nil {
+				return err
+			}
+
+		*/
+		log.Infof("connected to peer %s, endpoint address: %s", conn.config.Key, addr.String())
 	}
 
-	conn.remoteConn = remoteConn
-
-	// the ice connection has been established successfully so we are ready to start the proxy
-	remoteAddr, err := conn.configureConnection(remoteConn, remoteWgPort, remoteOfferAnswer.RosenpassPubKey,
-		remoteOfferAnswer.RosenpassAddr)
-	if err != nil {
-		return err
-	}
-
-	log.Infof("connected to peer %s, endpoint address: %s", conn.config.Key, remoteAddr.String())
-
 	// wait until connection disconnected or has been closed externally (upper layer, e.g. engine)
 	select {
 	case <-conn.closeCh:
@@ -415,25 +420,8 @@ func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, rem
 	conn.mu.Lock()
 	defer conn.mu.Unlock()
 
-	pair, err := conn.agent.GetSelectedCandidatePair()
-	if err != nil {
-		return nil, err
-	}
-
 	var endpoint net.Addr
-	if isRelayCandidate(pair.Local) {
-		log.Debugf("setup relay connection")
-		conn.wgProxy = conn.wgProxyFactory.GetProxy()
-		endpoint, err = conn.wgProxy.AddTurnConn(remoteConn)
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		// To support old version's with direct mode we attempt to punch an additional role with the remote WireGuard port
-		go conn.punchRemoteWGPort(pair, remoteWgPort)
-		endpoint = remoteConn.RemoteAddr()
-	}
-
+	endpoint = remoteConn.RemoteAddr()
 	endpointUdpAddr, _ := net.ResolveUDPAddr(endpoint.Network(), endpoint.String())
 	conn.remoteEndpoint = endpointUdpAddr
 	log.Debugf("Conn resolved IP for %s: %s", endpoint, endpointUdpAddr.IP)
@@ -445,7 +433,7 @@ func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, rem
 		}
 	}
 
-	err = conn.config.WgConfig.WgInterface.UpdatePeer(conn.config.WgConfig.RemoteKey, conn.config.WgConfig.AllowedIps, defaultWgKeepAlive, endpointUdpAddr, conn.config.WgConfig.PreSharedKey)
+	err := conn.config.WgConfig.WgInterface.UpdatePeer(conn.config.WgConfig.RemoteKey, conn.config.WgConfig.AllowedIps, defaultWgKeepAlive, endpointUdpAddr, conn.config.WgConfig.PreSharedKey)
 	if err != nil {
 		if conn.wgProxy != nil {
 			_ = conn.wgProxy.CloseConn()
@@ -454,31 +442,33 @@ func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, rem
 	}
 
 	conn.status = StatusConnected
-	rosenpassEnabled := false
-	if remoteRosenpassPubKey != nil {
-		rosenpassEnabled = true
-	}
+	/*
+		rosenpassEnabled := false
+		if remoteRosenpassPubKey != nil {
+			rosenpassEnabled = true
+		}
 
-	peerState := State{
-		PubKey:                     conn.config.Key,
-		ConnStatus:                 conn.status,
-		ConnStatusUpdate:           time.Now(),
-		LocalIceCandidateType:      pair.Local.Type().String(),
-		RemoteIceCandidateType:     pair.Remote.Type().String(),
-		LocalIceCandidateEndpoint:  fmt.Sprintf("%s:%d", pair.Local.Address(), pair.Local.Port()),
-		RemoteIceCandidateEndpoint: fmt.Sprintf("%s:%d", pair.Remote.Address(), pair.Local.Port()),
-		Direct:                     !isRelayCandidate(pair.Local),
-		RosenpassEnabled:           rosenpassEnabled,
-		Mux:                        new(sync.RWMutex),
-	}
-	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
-		peerState.Relayed = true
-	}
+			peerState := State{
+				PubKey:                     conn.config.Key,
+				ConnStatus:                 conn.status,
+				ConnStatusUpdate:           time.Now(),
+				LocalIceCandidateType:      pair.Local.Type().String(),
+				RemoteIceCandidateType:     pair.Remote.Type().String(),
+				LocalIceCandidateEndpoint:  fmt.Sprintf("%s:%d", pair.Local.Address(), pair.Local.Port()),
+				RemoteIceCandidateEndpoint: fmt.Sprintf("%s:%d", pair.Remote.Address(), pair.Local.Port()),
+				Direct:                     !isRelayCandidate(pair.Local),
+				RosenpassEnabled:           rosenpassEnabled,
+				Mux:                        new(sync.RWMutex),
+			}
+			if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
+				peerState.Relayed = true
+			}
 
-	err = conn.statusRecorder.UpdatePeerState(peerState)
-	if err != nil {
-		log.Warnf("unable to save peer's state, got error: %v", err)
-	}
+			err = conn.statusRecorder.UpdatePeerState(peerState)
+			if err != nil {
+				log.Warnf("unable to save peer's state, got error: %v", err)
+			}
+	*/
 
 	_, ipNet, err := net.ParseCIDR(conn.config.WgConfig.AllowedIps)
 	if err != nil {
@@ -680,6 +670,8 @@ func (conn *Conn) sendAnswer() error {
 		Version:         version.NetbirdVersion(),
 		RosenpassPubKey: conn.config.RosenpassPubKey,
 		RosenpassAddr:   conn.config.RosenpassAddr,
+		RelayedAddr:     conn.turnRelay.RelayedAddress(),
+		RemoteAddr:      conn.turnRelay.SrvRefAddr(),
 	})
 	if err != nil {
 		return err
@@ -703,6 +695,8 @@ func (conn *Conn) sendOffer() error {
 		Version:         version.NetbirdVersion(),
 		RosenpassPubKey: conn.config.RosenpassPubKey,
 		RosenpassAddr:   conn.config.RosenpassAddr,
+		RelayedAddr:     conn.turnRelay.RelayedAddress(),
+		RemoteAddr:      conn.turnRelay.SrvRefAddr(),
 	})
 	if err != nil {
 		return err
@@ -742,6 +736,10 @@ func (conn *Conn) Status() ConnStatus {
 	return conn.status
 }
 
+func (conn *Conn) OnRemoteRelayRequest(relayedAddr string, remoteIP string) {
+
+}
+
 // OnRemoteOffer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
 // doesn't block, discards the message if connection wasn't ready
 func (conn *Conn) OnRemoteOffer(offer OfferAnswer) bool {

client/internal/relay/speed.go

@@ -0,0 +1,143 @@
+package relay
+
+import (
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	bufferSize = 800
+	testFile   = "/tmp/1MB"
+)
+
+type Speed struct {
+}
+
+func NewSpeed() *Speed {
+	return &Speed{}
+}
+
+func (s *Speed) ReceiveFileFromAddr(remoteAddr net.Addr) error {
+	pc, err := net.ListenPacket("udp4", "0.0.0.0:0")
+	if err != nil {
+		log.Errorf("failed to lisen: %s", err.Error())
+		return err
+	}
+	defer pc.Close()
+
+	log.Debugf("--- sending initial message to: %s", remoteAddr.String())
+	_, err = pc.WriteTo([]byte("hey, I am the receiver"), remoteAddr)
+	if err != nil {
+		log.Errorf("failed to send initial msg: %s", err.Error())
+		return err
+	}
+
+	return s.receiveFile(pc)
+}
+
+func (s *Speed) ReceiveFileFromPC(pc net.PacketConn) error {
+	return s.receiveFile(pc)
+}
+
+func (s *Speed) receiveFile(pc net.PacketConn) error {
+	log.Debugf("--- start to receive file...")
+	file, err := os.OpenFile(fmt.Sprintf("%s.cp", testFile), os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		log.Errorf("failed to open file: %s", err.Error())
+		return err
+	}
+	_ = file.Truncate(0)
+	defer file.Close()
+
+	buffer := make([]byte, bufferSize)
+	for {
+		n, addr, err := pc.ReadFrom(buffer)
+		if err != nil {
+			log.Errorf("failed to read from connection: %s", err.Error())
+			return err
+		}
+
+		n, err = file.Write(buffer[:n])
+		if err != nil {
+			log.Errorf("failed to write to file: %s", err.Error())
+			return err
+		}
+
+		_, err = pc.WriteTo([]byte("ack"), addr)
+		if err != nil {
+			log.Errorf("failed to send ack: %s", err.Error())
+		}
+
+		log.Debugf("received %d bytes from %s", n, addr)
+	}
+}
+
+func (s *Speed) SendFileToPC(relayConn net.PacketConn) error {
+	buf := make([]byte, bufferSize)
+	log.Debugf("--- wait for initial message")
+	n, rAddr, err := relayConn.ReadFrom(buf)
+	if err != nil {
+		log.Errorf("failed to read from connection: %s", err.Error())
+		return err
+	}
+	log.Errorf("received initial msg %d bytes (%s), addr %s", n, string(buf[:n]), rAddr.String())
+	return s.sendFile(relayConn, rAddr)
+}
+
+func (s *Speed) SendFileToAddr(addr net.Addr) error {
+	pc, err := net.ListenPacket("udp4", "0.0.0.0:0")
+	if err != nil {
+		log.Errorf("failed to lisen: %s", err.Error())
+		return err
+	}
+	defer pc.Close()
+
+	return s.sendFile(pc, addr)
+}
+
+func (s *Speed) sendFile(conn net.PacketConn, rAddr net.Addr) error {
+	log.Debugf("--- start to send file...")
+	file, err := os.Open(testFile)
+	if err != nil {
+		// Handle error
+		return nil
+	}
+	defer file.Close()
+
+	buf := make([]byte, bufferSize)
+	start := time.Now()
+	sent := 0
+
+	for {
+		n, err := file.Read(buf)
+		if err != nil && err != io.EOF {
+			return err
+		}
+		if n == 0 {
+			break
+		}
+
+		n, err = conn.WriteTo(buf[:n], rAddr)
+		if err != nil {
+			log.Errorf("failed to write to connection: %s", err.Error())
+			return err
+		}
+		sent += n
+		log.Debugf("sent %d bytes, (%d) to %s", n, sent, rAddr.String())
+
+		// wait for ack
+		_, _, err = conn.ReadFrom(make([]byte, bufferSize))
+		if err != nil {
+			log.Errorf("failed to read from connection: %s", err.Error())
+			return err
+		}
+	}
+	elapsed := time.Since(start)
+	log.Infof("sent %d bytes, troughtput: %f MB/s", sent, float64(sent)/1024/1024/elapsed.Seconds())
+	return nil
+}

client/internal/relay/turn.go

@@ -0,0 +1,198 @@
+package relay
+
+import (
+	"fmt"
+	"math"
+	"net"
+	"sync"
+
+	"github.com/pion/logging"
+	"github.com/pion/stun/v2"
+	"github.com/pion/turn/v3"
+	log "github.com/sirupsen/logrus"
+)
+
+type PermanentTurn struct {
+	stunURI *stun.URI
+	turnURI *stun.URI
+
+	stunConn             net.PacketConn
+	turnClient           *turn.Client
+	turnClientListenLock sync.Mutex
+	relayConn            net.PacketConn // represents the remote socket.
+	srvReflexiveAddress  *net.UDPAddr
+}
+
+func NewPermanentTurn(stunURL, turnURL *stun.URI) *PermanentTurn {
+	return &PermanentTurn{
+		stunURI: stunURL,
+		turnURI: turnURL,
+	}
+}
+
+func (r *PermanentTurn) Open() error {
+	stunConn, err := net.ListenPacket("udp4", "0.0.0.0:0")
+	if err != nil {
+		return err
+	}
+	r.stunConn = stunConn
+
+	cfg := &turn.ClientConfig{
+		STUNServerAddr: toURL(r.stunURI),
+		TURNServerAddr: toURL(r.turnURI),
+		Conn:           stunConn,
+		Username:       r.turnURI.Username,
+		Password:       r.turnURI.Password,
+		LoggerFactory:  logging.NewDefaultLoggerFactory(),
+	}
+
+	client, err := turn.NewClient(cfg)
+	if err != nil {
+		log.Errorf("failed to create turn client: %v", err)
+		return err
+	}
+	r.turnClient = client
+	err = r.turnClient.Listen()
+	if err != nil {
+		log.Errorf("failed to listen turn client: %v", err)
+		return err
+	}
+
+	relayConn, err := client.Allocate()
+	if err != nil {
+		log.Errorf("failed to allocate relay connection: %v", err)
+		return err
+	}
+	r.relayConn = relayConn
+
+	srvReflexiveAddress, err := r.discoverPublicIPByStun()
+	if err != nil {
+		log.Errorf("failed to discover public IP: %v", err)
+		return err
+	}
+	r.srvReflexiveAddress = srvReflexiveAddress
+	return nil
+}
+
+func (r *PermanentTurn) RelayedAddress() net.Addr {
+	return r.relayConn.LocalAddr()
+}
+
+func (r *PermanentTurn) SrvRefAddr() net.Addr {
+	return r.srvReflexiveAddress
+}
+
+func (r *PermanentTurn) PunchHole(mappedAddr net.Addr) error {
+	/*
+		err := r.turnClient.CreatePermission(mappedAddr)
+		if err != nil {
+			log.Errorf("---- failed to create permission: %v", err)
+			return err
+		}
+
+		msg, err := stun.Build(stun.BindingRequest, stun.TransactionID,
+			stun.Fingerprint,
+		)
+		if err != nil {
+			log.Errorf("--- failed to build stun message: %v", err)
+			return nil
+		}
+		_, err = r.relayConn.WriteTo(msg.Raw, mappedAddr)
+		if err != nil {
+			log.Errorf("failed to write to relay conn: %v", err)
+			return err
+		}
+	*/
+	_, err := r.relayConn.WriteTo([]byte("Hello"), mappedAddr)
+	return err
+}
+
+func (r *PermanentTurn) RelayConn() net.PacketConn {
+	return r.relayConn
+}
+
+func (r *PermanentTurn) Close() {
+	r.turnClient.Close()
+
+	err := r.relayConn.Close()
+	if err != nil {
+		log.Errorf("failed to close relayConn: %s", err.Error())
+	}
+
+	err = r.stunConn.Close()
+	if err != nil {
+		log.Errorf("failed to close stunConn: %s", err.Error())
+	}
+}
+
+func (r *PermanentTurn) discoverPublicIP() (*net.UDPAddr, error) {
+	addr, err := r.turnClient.SendBindingRequest()
+	if err != nil {
+		log.Errorf("failed to send binding request: %v", err)
+		return nil, err
+
+	}
+
+	udpAddr, ok := addr.(*net.UDPAddr)
+	if !ok {
+		return nil, fmt.Errorf("failed to cast addr to udp addr")
+	}
+
+	return udpAddr, nil
+}
+
+func (r *PermanentTurn) discoverPublicIPByStun() (*net.UDPAddr, error) {
+	c, err := stun.DialURI(r.stunURI, &stun.DialConfig{})
+	if err != nil {
+		panic(err)
+	}
+	message := stun.MustBuild(stun.TransactionID, stun.BindingRequest)
+	var addr *net.UDPAddr
+	err = c.Do(message, func(res stun.Event) {
+		if res.Error != nil {
+			panic(res.Error)
+		}
+		var xorAddr stun.XORMappedAddress
+		if err := xorAddr.GetFrom(res.Message); err != nil {
+			log.Errorf("failed to get xor address: %v", err)
+			return
+		}
+		addr = &net.UDPAddr{
+			IP:   xorAddr.IP,
+			Port: xorAddr.Port,
+		}
+	})
+	if err != nil {
+		return nil, err
+	}
+	return addr, nil
+}
+
+func (r *PermanentTurn) listen() {
+	if !r.turnClientListenLock.TryLock() {
+		return
+	}
+
+	go func() {
+		defer r.turnClientListenLock.Unlock()
+
+		buf := make([]byte, math.MaxUint16)
+		for {
+			n, from, err := r.stunConn.ReadFrom(buf)
+			if err != nil {
+				log.Errorf("Failed to read from stun conn. Exiting loop %v", err)
+				break
+			}
+
+			_, err = r.turnClient.HandleInbound(buf[:n], from)
+			if err != nil {
+				log.Errorf("Failed to handle inbound turn message: %s. Exiting loop", err)
+				break
+			}
+		}
+	}()
+}
+
+func toURL(uri *stun.URI) string {
+	return fmt.Sprintf("%s:%d", uri.Host, uri.Port)
+}

client/internal/relay/turn_test.go

@@ -0,0 +1,137 @@
+package relay
+
+import (
+	"os"
+	"sync"
+	"testing"
+
+	"github.com/pion/stun/v2"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/util"
+)
+
+const (
+	userName = "1714092678"
+	password = "8PEprGKo+UARpYpQOulNz3H24dI="
+)
+
+func TestMain(m *testing.M) {
+	_ = util.InitLog("trace", "console")
+	code := m.Run()
+	os.Exit(code)
+}
+
+func TestMyTurnUpload(t *testing.T) {
+	turnURI, err := stun.ParseURI("turn:api.stage.netbird.io:3478?transport=udp")
+	if err != nil {
+		t.Fatalf("failed to parse stun url: %v", err)
+	}
+	turnURI.Username = userName
+	turnURI.Password = password
+
+	stunURI, err := stun.ParseURI("stun:api.stage.netbird.io:3478")
+	if err != nil {
+		t.Fatalf("failed to parse stun url: %v", err)
+	}
+	turnRelayA := NewPermanentTurn(stunURI, turnURI)
+	err = turnRelayA.Open()
+	if err != nil {
+		t.Fatalf("failed to open turn relay: %v", err)
+	}
+	defer turnRelayA.Close()
+
+	turnRelayB := NewPermanentTurn(stunURI, turnURI)
+	peerBAddr, err := turnRelayB.discoverPublicIPByStun()
+	if err != nil {
+		t.Fatalf("failed to discover public ip: %v", err)
+	}
+
+	err = turnRelayA.PunchHole(peerBAddr)
+	if err != nil {
+		t.Fatalf("failed to punch hole: %v", err)
+	}
+
+	// at this point, the relayed side should be established
+
+	wg := sync.WaitGroup{}
+	wg.Add(2)
+
+	speedB := NewSpeed()
+	go func() {
+		err := speedB.ReceiveFileFromAddr(turnRelayA.relayConn.LocalAddr())
+		if err != nil {
+			log.Errorf("failed to receive file: %v", err)
+		}
+		wg.Done()
+	}()
+
+	speedA := NewSpeed()
+	go func() {
+		err := speedA.SendFileToPC(turnRelayA.relayConn)
+		if err != nil {
+			log.Errorf("failed to send file: %v", err)
+		}
+		log.Debugf("file sent")
+		wg.Done()
+	}()
+
+	wg.Wait()
+}
+
+func TestMyTurnDownload(t *testing.T) {
+	turnURI, err := stun.ParseURI("turn:api.stage.netbird.io:3478?transport=udp")
+	if err != nil {
+		t.Fatalf("failed to parse stun url: %v", err)
+	}
+	turnURI.Username = "1714016034"
+	turnURI.Password = "oDpL6tDu0d+xcO3rQnHoEvbcS/Q="
+
+	stunURI, err := stun.ParseURI("stun:api.stage.netbird.io:3478")
+	if err != nil {
+		t.Fatalf("failed to parse stun url: %v", err)
+	}
+	turnRelayA := NewPermanentTurn(stunURI, turnURI)
+	err = turnRelayA.Open()
+	if err != nil {
+		t.Fatalf("failed to open turn relay: %v", err)
+	}
+	defer turnRelayA.Close()
+
+	turnRelayB := NewPermanentTurn(stunURI, turnURI)
+	peerBAddr, err := turnRelayB.discoverPublicIPByStun()
+	if err != nil {
+		t.Fatalf("failed to discover public ip: %v", err)
+	}
+
+	err = turnRelayA.PunchHole(peerBAddr)
+	if err != nil {
+		t.Fatalf("failed to punch hole: %v", err)
+	}
+
+	// at this point, the relayed side should be established
+
+	wg := sync.WaitGroup{}
+	wg.Add(2)
+
+	speedB := NewSpeed()
+	go func() {
+		err := speedB.SendFileToAddr(turnRelayA.relayConn.LocalAddr())
+		if err != nil {
+			log.Errorf("failed to receive file: %v", err)
+		}
+		wg.Done()
+	}()
+
+	speedA := NewSpeed()
+	go func() {
+		err := speedA.ReceiveFileFromPC(turnRelayA.relayConn)
+		if err != nil {
+			log.Errorf("failed to send file: %v", err)
+		}
+		log.Debugf("file sent")
+		wg.Done()
+	}()
+
+	wg.Wait()
+}

go.mod

@@ -172,7 +172,7 @@ replace github.com/kardianos/service => github.com/netbirdio/service v0.0.0-2023
 
 replace github.com/getlantern/systray => github.com/netbirdio/systray v0.0.0-20231030152038-ef1ed2a27949
 
-replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-20240105182236-6c340dd55aed
+replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-20240422165616-c6832bb477d5
 
 replace github.com/cloudflare/circl => github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6
 

go.sum

@@ -389,8 +389,8 @@ github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0 h1:hirFRfx3grVA/
 github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/systray v0.0.0-20231030152038-ef1ed2a27949 h1:xbWM9BU6mwZZLHxEjxIX/V8Hv3HurQt4mReIE4mY4DM=
 github.com/netbirdio/systray v0.0.0-20231030152038-ef1ed2a27949/go.mod h1:AecygODWIsBquJCJFop8MEQcJbWFfw/1yWbVabNgpCM=
-github.com/netbirdio/wireguard-go v0.0.0-20240105182236-6c340dd55aed h1:t0UADZUJDaaZgfKrt8JUPrOLL9Mg/ryjP85RAH53qgs=
-github.com/netbirdio/wireguard-go v0.0.0-20240105182236-6c340dd55aed/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
+github.com/netbirdio/wireguard-go v0.0.0-20240422165616-c6832bb477d5 h1:m48qfB2ILlFx3oZlw7aEeD+V6vXnMb0hNwmDCtdcgv0=
+github.com/netbirdio/wireguard-go v0.0.0-20240422165616-c6832bb477d5/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=

iface/bind/bind.go

@@ -13,14 +13,6 @@ import (
 	wgConn "golang.zx2c4.com/wireguard/conn"
 )
 
-type receiverCreator struct {
-	iceBind *ICEBind
-}
-
-func (rc receiverCreator) CreateIPv4ReceiverFn(msgPool *sync.Pool, pc *ipv4.PacketConn, conn *net.UDPConn) wgConn.ReceiveFunc {
-	return rc.iceBind.createIPv4ReceiverFn(msgPool, pc, conn)
-}
-
 type ICEBind struct {
 	*wgConn.StdNetBind
 
@@ -28,6 +20,8 @@ type ICEBind struct {
 
 	transportNet transport.Net
 	udpMux       *UniversalUDPMuxDefault
+
+	receiverCreator *receiverCreator
 }
 
 func NewICEBind(transportNet transport.Net) *ICEBind {
@@ -35,9 +29,9 @@ func NewICEBind(transportNet transport.Net) *ICEBind {
 		transportNet: transportNet,
 	}
 
-	rc := receiverCreator{
-		ib,
-	}
+	rc := newReceiverCreator(ib)
+	ib.receiverCreator = rc
+
 	ib.StdNetBind = wgConn.NewStdNetBindWithReceiverCreator(rc)
 	return ib
 }
@@ -53,16 +47,22 @@ func (s *ICEBind) GetICEMux() (*UniversalUDPMuxDefault, error) {
 	return s.udpMux, nil
 }
 
-func (s *ICEBind) createIPv4ReceiverFn(ipv4MsgsPool *sync.Pool, pc *ipv4.PacketConn, conn *net.UDPConn) wgConn.ReceiveFunc {
+func (s *ICEBind) SetTurnConn(conn interface{}) {
+	s.receiverCreator.setTurnConn(conn)
+}
+
+func (s *ICEBind) createIPv4ReceiverFn(ipv4MsgsPool *sync.Pool, pc *ipv4.PacketConn, conn *net.UDPConn, netConn net.PacketConn) wgConn.ReceiveFunc {
 	s.muUDPMux.Lock()
 	defer s.muUDPMux.Unlock()
 
-	s.udpMux = NewUniversalUDPMuxDefault(
-		UniversalUDPMuxParams{
-			UDPConn: conn,
-			Net:     s.transportNet,
-		},
-	)
+	if conn != nil {
+		s.udpMux = NewUniversalUDPMuxDefault(
+			UniversalUDPMuxParams{
+				UDPConn: conn,
+				Net:     s.transportNet,
+			},
+		)
+	}
 	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
 		msgs := ipv4MsgsPool.Get().(*[]ipv4.Message)
 		defer ipv4MsgsPool.Put(msgs)
@@ -71,17 +71,40 @@ func (s *ICEBind) createIPv4ReceiverFn(ipv4MsgsPool *sync.Pool, pc *ipv4.PacketC
 		}
 		var numMsgs int
 		if runtime.GOOS == "linux" {
-			numMsgs, err = pc.ReadBatch(*msgs, 0)
-			if err != nil {
-				return 0, err
+			if netConn != nil {
+				log.Debugf("----read from turn conn...")
+				msg := &(*msgs)[0]
+				msg.N, msg.Addr, err = netConn.ReadFrom(msg.Buffers[0])
+				if err != nil {
+					return 0, err
+				}
+				log.Debugf("----msg address is: %s, size: %d", msg.Addr.String(), msg.N)
+				numMsgs = 1
+			} else {
+				log.Debugf("----read from pc...")
+				numMsgs, err = pc.ReadBatch(*msgs, 0)
+				if err != nil {
+					return 0, err
+				}
 			}
 		} else {
-			msg := &(*msgs)[0]
-			msg.N, msg.NN, _, msg.Addr, err = conn.ReadMsgUDP(msg.Buffers[0], msg.OOB)
-			if err != nil {
-				return 0, err
+			if netConn != nil {
+				log.Debugf("----read from turn conn...")
+				msg := &(*msgs)[0]
+				msg.N, msg.Addr, err = netConn.ReadFrom(msg.Buffers[0])
+				if err != nil {
+					return 0, err
+				}
+				log.Debugf("----msg address is: %s, size: %d", msg.Addr.String(), msg.N)
+				numMsgs = 1
+			} else {
+				msg := &(*msgs)[0]
+				msg.N, msg.NN, _, msg.Addr, err = conn.ReadMsgUDP(msg.Buffers[0], msg.OOB)
+				if err != nil {
+					return 0, err
+				}
+				numMsgs = 1
 			}
-			numMsgs = 1
 		}
 		for i := 0; i < numMsgs; i++ {
 			msg := &(*msgs)[i]
@@ -95,7 +118,10 @@ func (s *ICEBind) createIPv4ReceiverFn(ipv4MsgsPool *sync.Pool, pc *ipv4.PacketC
 			}
 
 			addrPort := msg.Addr.(*net.UDPAddr).AddrPort()
-			ep := &wgConn.StdNetEndpoint{AddrPort: addrPort} // TODO: remove allocation
+			ep := &wgConn.StdNetEndpoint{
+				AddrPort: addrPort,
+				Conn:     netConn,
+			}
 			wgConn.GetSrcFromControl(msg.OOB[:msg.NN], ep)
 			eps[i] = ep
 		}

iface/bind/receiver_creator.go

@@ -0,0 +1,38 @@
+package bind
+
+import (
+	"net"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/net/ipv4"
+	wgConn "golang.zx2c4.com/wireguard/conn"
+)
+
+type receiverCreator struct {
+	iceBind   *ICEBind
+	relayConn net.PacketConn
+}
+
+func newReceiverCreator(iceBind *ICEBind) *receiverCreator {
+	return &receiverCreator{
+		iceBind: iceBind,
+	}
+}
+
+func (rc *receiverCreator) CreateIPv4ReceiverFn(msgPool *sync.Pool, pc *ipv4.PacketConn, conn *net.UDPConn) wgConn.ReceiveFunc {
+	return rc.iceBind.createIPv4ReceiverFn(msgPool, pc, conn, nil)
+}
+
+func (rc *receiverCreator) CreateRelayReceiverFn(msgPool *sync.Pool) wgConn.ReceiveFunc {
+	if rc.relayConn == nil {
+		log.Debugf("-------rc.conn is nil")
+		return nil
+	}
+	return rc.iceBind.createIPv4ReceiverFn(msgPool, nil, nil, rc.relayConn)
+}
+
+func (rc *receiverCreator) setTurnConn(relayConn interface{}) {
+	log.Debug("------ SET TURN CONN")
+	rc.relayConn = relayConn.(net.PacketConn)
+}

iface/iface.go

@@ -150,3 +150,10 @@ func (w *WGIface) GetDevice() *DeviceWrapper {
 func (w *WGIface) GetStats(peerKey string) (WGStats, error) {
 	return w.configurer.getStats(peerKey)
 }
+
+func (w *WGIface) SetRelayConn(conn interface{}) {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	w.tun.SetTurnConn(conn)
+}

iface/module_linux.go

@@ -85,23 +85,27 @@ func tunModuleIsLoaded() bool {
 
 // WireGuardModuleIsLoaded check if we can load WireGuard mod (linux only)
 func WireGuardModuleIsLoaded() bool {
+	return false
 
-	if os.Getenv(envDisableWireGuardKernel) == "true" {
-		log.Debugf("WireGuard kernel module disabled because the %s env is set to true", envDisableWireGuardKernel)
-		return false
-	}
+	/*
+		if os.Getenv(envDisableWireGuardKernel) == "true" {
+			log.Debugf("WireGuard kernel module disabled because the %s env is set to true", envDisableWireGuardKernel)
+			return false
+		}
 
-	if canCreateFakeWireGuardInterface() {
-		return true
-	}
+		if canCreateFakeWireGuardInterface() {
+			return true
+		}
 
-	loaded, err := tryToLoadModule("wireguard")
-	if err != nil {
-		log.Info(err)
-		return false
-	}
+		loaded, err := tryToLoadModule("wireguard")
+		if err != nil {
+			log.Info(err)
+			return false
+		}
 
-	return loaded
+		return loaded
+
+	*/
 }
 
 func canCreateFakeWireGuardInterface() bool {

iface/tun.go

@@ -15,4 +15,5 @@ type wgTunDevice interface {
 	DeviceName() string
 	Close() error
 	Wrapper() *DeviceWrapper // todo eliminate this function
+	SetTurnConn(conn interface{})
 }

iface/tun_darwin.go

@@ -28,6 +28,14 @@ type tunDevice struct {
 	configurer wgConfigurer
 }
 
+func (t *tunDevice) SetTurnConn(conn interface{}) {
+	t.iceBind.SetTurnConn(conn)
+	err := t.device.BindUpdate()
+	if err != nil {
+		log.Errorf("failed to update bind: %v", err)
+	}
+}
+
 func newTunDevice(name string, address WGAddress, port int, key string, mtu int, transportNet transport.Net) wgTunDevice {
 	return &tunDevice{
 		name:    name,

iface/tun_kernel_linux.go

@@ -31,6 +31,11 @@ type tunKernelDevice struct {
 	udpMux     *bind.UniversalUDPMuxDefault
 }
 
+func (t *tunKernelDevice) SetTurnConn(interface{}) {
+	//TODO implement me
+	panic("implement me")
+}
+
 func newTunDevice(name string, address WGAddress, wgPort int, key string, mtu int, transportNet transport.Net) wgTunDevice {
 	ctx, cancel := context.WithCancel(context.Background())
 	return &tunKernelDevice{

iface/tun_netstack.go

@@ -30,6 +30,11 @@ type tunNetstackDevice struct {
 	configurer wgConfigurer
 }
 
+func (t *tunNetstackDevice) SetTurnConn(interface{}) {
+	//TODO implement me
+	panic("implement me")
+}
+
 func newTunNetstackDevice(name string, address WGAddress, wgPort int, key string, mtu int, transportNet transport.Net, listenAddress string) wgTunDevice {
 	return &tunNetstackDevice{
 		name:          name,

iface/tun_usp_linux.go

@@ -54,7 +54,7 @@ func (t *tunUSPDevice) Create() (wgConfigurer, error) {
 	t.device = device.NewDevice(
 		t.wrapper,
 		t.iceBind,
-		device.NewLogger(device.LogLevelSilent, "[netbird] "),
+		device.NewLogger(device.LogLevelError, "[netbird] "),
 	)
 
 	err = t.assignAddr()
@@ -70,6 +70,7 @@ func (t *tunUSPDevice) Create() (wgConfigurer, error) {
 		t.configurer.close()
 		return nil, err
 	}
+	log.Debugf("configuration done")
 	return t.configurer, nil
 }
 
@@ -125,6 +126,14 @@ func (t *tunUSPDevice) Wrapper() *DeviceWrapper {
 	return t.wrapper
 }
 
+func (t *tunUSPDevice) SetTurnConn(conn interface{}) {
+	t.iceBind.SetTurnConn(conn)
+	err := t.device.BindUpdate()
+	if err != nil {
+		log.Errorf("failed to update bind: %v", err)
+	}
+}
+
 // assignAddr Adds IP address to the tunnel interface
 func (t *tunUSPDevice) assignAddr() error {
 	link := newWGLink(t.name)

signal/client/client.go

@@ -56,7 +56,7 @@ func UnMarshalCredential(msg *proto.Message) (*Credential, error) {
 
 // MarshalCredential marshal a Credential instance and returns a Message object
 func MarshalCredential(myKey wgtypes.Key, myPort int, remoteKey wgtypes.Key, credential *Credential, t proto.Body_Type,
-	rosenpassPubKey []byte, rosenpassAddr string) (*proto.Message, error) {
+	rosenpassPubKey []byte, rosenpassAddr, relayedAddress, serverRefIP string) (*proto.Message, error) {
 	return &proto.Message{
 		Key:       myKey.PublicKey().String(),
 		RemoteKey: remoteKey.String(),
@@ -69,6 +69,10 @@ func MarshalCredential(myKey wgtypes.Key, myPort int, remoteKey wgtypes.Key, cre
 				RosenpassPubKey:     rosenpassPubKey,
 				RosenpassServerAddr: rosenpassAddr,
 			},
+			Relay: &proto.Relay{
+				RelayedAddress: relayedAddress,
+				SrvRefAddress:  serverRefIP,
+			},
 		},
 	}, nil
 }

signal/proto/signalexchange.pb.go

@@ -215,16 +215,21 @@ type Body struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	Type    Body_Type `protobuf:"varint,1,opt,name=type,proto3,enum=signalexchange.Body_Type" json:"type,omitempty"`
-	Payload string    `protobuf:"bytes,2,opt,name=payload,proto3" json:"payload,omitempty"`
+	Type Body_Type `protobuf:"varint,1,opt,name=type,proto3,enum=signalexchange.Body_Type" json:"type,omitempty"`
+	// these will be set in OFFER, ANSWER, CANDIDATE only
+	Payload string `protobuf:"bytes,2,opt,name=payload,proto3" json:"payload,omitempty"`
 	// wgListenPort is an actual WireGuard listen port
-	WgListenPort   uint32 `protobuf:"varint,3,opt,name=wgListenPort,proto3" json:"wgListenPort,omitempty"`
+	// these will be set in OFFER, ANSWER, CANDIDATE only
+	WgListenPort uint32 `protobuf:"varint,3,opt,name=wgListenPort,proto3" json:"wgListenPort,omitempty"`
+	// these will be set in OFFER, ANSWER, CANDIDATE only
 	NetBirdVersion string `protobuf:"bytes,4,opt,name=netBirdVersion,proto3" json:"netBirdVersion,omitempty"`
 	Mode           *Mode  `protobuf:"bytes,5,opt,name=mode,proto3" json:"mode,omitempty"`
 	// featuresSupported list of supported features by the client of this protocol
 	FeaturesSupported []uint32 `protobuf:"varint,6,rep,packed,name=featuresSupported,proto3" json:"featuresSupported,omitempty"`
 	// RosenpassConfig is a Rosenpass config of the remote peer our peer tries to connect to
+	// is this optional or mandatory?
 	RosenpassConfig *RosenpassConfig `protobuf:"bytes,7,opt,name=rosenpassConfig,proto3" json:"rosenpassConfig,omitempty"`
+	Relay           *Relay           `protobuf:"bytes,8,opt,name=relay,proto3" json:"relay,omitempty"`
 }
 
 func (x *Body) Reset() {
@@ -308,13 +313,18 @@ func (x *Body) GetRosenpassConfig() *RosenpassConfig {
 	return nil
 }
 
+func (x *Body) GetRelay() *Relay {
+	if x != nil {
+		return x.Relay
+	}
+	return nil
+}
+
 // Mode indicates a connection mode
 type Mode struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-
-	Direct *bool `protobuf:"varint,1,opt,name=direct,proto3,oneof" json:"direct,omitempty"`
 }
 
 func (x *Mode) Reset() {
@@ -349,11 +359,59 @@ func (*Mode) Descriptor() ([]byte, []int) {
 	return file_signalexchange_proto_rawDescGZIP(), []int{3}
 }
 
-func (x *Mode) GetDirect() bool {
-	if x != nil && x.Direct != nil {
-		return *x.Direct
+type Relay struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	RelayedAddress string `protobuf:"bytes,1,opt,name=relayedAddress,proto3" json:"relayedAddress,omitempty"`
+	SrvRefAddress  string `protobuf:"bytes,2,opt,name=srvRefAddress,proto3" json:"srvRefAddress,omitempty"`
+}
+
+func (x *Relay) Reset() {
+	*x = Relay{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_signalexchange_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
 	}
-	return false
+}
+
+func (x *Relay) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Relay) ProtoMessage() {}
+
+func (x *Relay) ProtoReflect() protoreflect.Message {
+	mi := &file_signalexchange_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Relay.ProtoReflect.Descriptor instead.
+func (*Relay) Descriptor() ([]byte, []int) {
+	return file_signalexchange_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *Relay) GetRelayedAddress() string {
+	if x != nil {
+		return x.RelayedAddress
+	}
+	return ""
+}
+
+func (x *Relay) GetSrvRefAddress() string {
+	if x != nil {
+		return x.SrvRefAddress
+	}
+	return ""
 }
 
 type RosenpassConfig struct {
@@ -369,7 +427,7 @@ type RosenpassConfig struct {
 func (x *RosenpassConfig) Reset() {
 	*x = RosenpassConfig{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_signalexchange_proto_msgTypes[4]
+		mi := &file_signalexchange_proto_msgTypes[5]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -382,7 +440,7 @@ func (x *RosenpassConfig) String() string {
 func (*RosenpassConfig) ProtoMessage() {}
 
 func (x *RosenpassConfig) ProtoReflect() protoreflect.Message {
-	mi := &file_signalexchange_proto_msgTypes[4]
+	mi := &file_signalexchange_proto_msgTypes[5]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -395,7 +453,7 @@ func (x *RosenpassConfig) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use RosenpassConfig.ProtoReflect.Descriptor instead.
 func (*RosenpassConfig) Descriptor() ([]byte, []int) {
-	return file_signalexchange_proto_rawDescGZIP(), []int{4}
+	return file_signalexchange_proto_rawDescGZIP(), []int{5}
 }
 
 func (x *RosenpassConfig) GetRosenpassPubKey() []byte {
@@ -431,7 +489,7 @@ var file_signalexchange_proto_rawDesc = []byte{
 	0x52, 0x09, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x28, 0x0a, 0x04, 0x62,
 	0x6f, 0x64, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x73, 0x69, 0x67, 0x6e,
 	0x61, 0x6c, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x42, 0x6f, 0x64, 0x79, 0x52,
-	0x04, 0x62, 0x6f, 0x64, 0x79, 0x22, 0xf6, 0x02, 0x0a, 0x04, 0x42, 0x6f, 0x64, 0x79, 0x12, 0x2d,
+	0x04, 0x62, 0x6f, 0x64, 0x79, 0x22, 0xa3, 0x03, 0x0a, 0x04, 0x42, 0x6f, 0x64, 0x79, 0x12, 0x2d,
 	0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x19, 0x2e, 0x73,
 	0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x42, 0x6f,
 	0x64, 0x79, 0x2e, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x18, 0x0a,
@@ -451,33 +509,39 @@ var file_signalexchange_proto_rawDesc = []byte{
 	0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78, 0x63,
 	0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x52, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x43,
 	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0f, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73,
-	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x36, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x09,
-	0x0a, 0x05, 0x4f, 0x46, 0x46, 0x45, 0x52, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x41, 0x4e, 0x53,
-	0x57, 0x45, 0x52, 0x10, 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x43, 0x41, 0x4e, 0x44, 0x49, 0x44, 0x41,
-	0x54, 0x45, 0x10, 0x02, 0x12, 0x08, 0x0a, 0x04, 0x4d, 0x4f, 0x44, 0x45, 0x10, 0x04, 0x22, 0x2e,
-	0x0a, 0x04, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x1b, 0x0a, 0x06, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x48, 0x00, 0x52, 0x06, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74,
-	0x88, 0x01, 0x01, 0x42, 0x09, 0x0a, 0x07, 0x5f, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x22, 0x6d,
-	0x0a, 0x0f, 0x52, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69,
-	0x67, 0x12, 0x28, 0x0a, 0x0f, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x50, 0x75,
-	0x62, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x72, 0x6f, 0x73, 0x65,
-	0x6e, 0x70, 0x61, 0x73, 0x73, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x13, 0x72,
-	0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x64,
-	0x64, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70,
-	0x61, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x32, 0xb9, 0x01,
-	0x0a, 0x0e, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x45, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65,
-	0x12, 0x4c, 0x0a, 0x04, 0x53, 0x65, 0x6e, 0x64, 0x12, 0x20, 0x2e, 0x73, 0x69, 0x67, 0x6e, 0x61,
-	0x6c, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70,
-	0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x20, 0x2e, 0x73, 0x69, 0x67,
-	0x6e, 0x61, 0x6c, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x45, 0x6e, 0x63, 0x72,
-	0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x59,
-	0x0a, 0x0d, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12,
-	0x20, 0x2e, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65,
-	0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x1a, 0x20, 0x2e, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e,
-	0x67, 0x65, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73,
-	0x61, 0x67, 0x65, 0x22, 0x00, 0x28, 0x01, 0x30, 0x01, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x2b, 0x0a, 0x05, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x18,
+	0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78,
+	0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x52, 0x65, 0x6c, 0x61, 0x79, 0x52, 0x05, 0x72, 0x65,
+	0x6c, 0x61, 0x79, 0x22, 0x36, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x09, 0x0a, 0x05, 0x4f,
+	0x46, 0x46, 0x45, 0x52, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x41, 0x4e, 0x53, 0x57, 0x45, 0x52,
+	0x10, 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x43, 0x41, 0x4e, 0x44, 0x49, 0x44, 0x41, 0x54, 0x45, 0x10,
+	0x02, 0x12, 0x08, 0x0a, 0x04, 0x4d, 0x4f, 0x44, 0x45, 0x10, 0x04, 0x22, 0x06, 0x0a, 0x04, 0x4d,
+	0x6f, 0x64, 0x65, 0x22, 0x55, 0x0a, 0x05, 0x52, 0x65, 0x6c, 0x61, 0x79, 0x12, 0x26, 0x0a, 0x0e,
+	0x72, 0x65, 0x6c, 0x61, 0x79, 0x65, 0x64, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x65, 0x64, 0x41, 0x64, 0x64,
+	0x72, 0x65, 0x73, 0x73, 0x12, 0x24, 0x0a, 0x0d, 0x73, 0x72, 0x76, 0x52, 0x65, 0x66, 0x41, 0x64,
+	0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x73, 0x72, 0x76,
+	0x52, 0x65, 0x66, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x22, 0x6d, 0x0a, 0x0f, 0x52, 0x6f,
+	0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x28, 0x0a,
+	0x0f, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73,
+	0x73, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x13, 0x72, 0x6f, 0x73, 0x65, 0x6e,
+	0x70, 0x61, 0x73, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x53,
+	0x65, 0x72, 0x76, 0x65, 0x72, 0x41, 0x64, 0x64, 0x72, 0x32, 0xb9, 0x01, 0x0a, 0x0e, 0x53, 0x69,
+	0x67, 0x6e, 0x61, 0x6c, 0x45, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x4c, 0x0a, 0x04,
+	0x53, 0x65, 0x6e, 0x64, 0x12, 0x20, 0x2e, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78, 0x63,
+	0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d,
+	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x20, 0x2e, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65,
+	0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
+	0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x59, 0x0a, 0x0d, 0x43, 0x6f,
+	0x6e, 0x6e, 0x65, 0x63, 0x74, 0x53, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x12, 0x20, 0x2e, 0x73, 0x69,
+	0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x45, 0x6e, 0x63,
+	0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x20, 0x2e,
+	0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2e, 0x45,
+	0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22,
+	0x00, 0x28, 0x01, 0x30, 0x01, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
+	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -493,29 +557,31 @@ func file_signalexchange_proto_rawDescGZIP() []byte {
 }
 
 var file_signalexchange_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-var file_signalexchange_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
+var file_signalexchange_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
 var file_signalexchange_proto_goTypes = []interface{}{
 	(Body_Type)(0),           // 0: signalexchange.Body.Type
 	(*EncryptedMessage)(nil), // 1: signalexchange.EncryptedMessage
 	(*Message)(nil),          // 2: signalexchange.Message
 	(*Body)(nil),             // 3: signalexchange.Body
 	(*Mode)(nil),             // 4: signalexchange.Mode
-	(*RosenpassConfig)(nil),  // 5: signalexchange.RosenpassConfig
+	(*Relay)(nil),            // 5: signalexchange.Relay
+	(*RosenpassConfig)(nil),  // 6: signalexchange.RosenpassConfig
 }
 var file_signalexchange_proto_depIdxs = []int32{
 	3, // 0: signalexchange.Message.body:type_name -> signalexchange.Body
 	0, // 1: signalexchange.Body.type:type_name -> signalexchange.Body.Type
 	4, // 2: signalexchange.Body.mode:type_name -> signalexchange.Mode
-	5, // 3: signalexchange.Body.rosenpassConfig:type_name -> signalexchange.RosenpassConfig
-	1, // 4: signalexchange.SignalExchange.Send:input_type -> signalexchange.EncryptedMessage
-	1, // 5: signalexchange.SignalExchange.ConnectStream:input_type -> signalexchange.EncryptedMessage
-	1, // 6: signalexchange.SignalExchange.Send:output_type -> signalexchange.EncryptedMessage
-	1, // 7: signalexchange.SignalExchange.ConnectStream:output_type -> signalexchange.EncryptedMessage
-	6, // [6:8] is the sub-list for method output_type
-	4, // [4:6] is the sub-list for method input_type
-	4, // [4:4] is the sub-list for extension type_name
-	4, // [4:4] is the sub-list for extension extendee
-	0, // [0:4] is the sub-list for field type_name
+	6, // 3: signalexchange.Body.rosenpassConfig:type_name -> signalexchange.RosenpassConfig
+	5, // 4: signalexchange.Body.relay:type_name -> signalexchange.Relay
+	1, // 5: signalexchange.SignalExchange.Send:input_type -> signalexchange.EncryptedMessage
+	1, // 6: signalexchange.SignalExchange.ConnectStream:input_type -> signalexchange.EncryptedMessage
+	1, // 7: signalexchange.SignalExchange.Send:output_type -> signalexchange.EncryptedMessage
+	1, // 8: signalexchange.SignalExchange.ConnectStream:output_type -> signalexchange.EncryptedMessage
+	7, // [7:9] is the sub-list for method output_type
+	5, // [5:7] is the sub-list for method input_type
+	5, // [5:5] is the sub-list for extension type_name
+	5, // [5:5] is the sub-list for extension extendee
+	0, // [0:5] is the sub-list for field type_name
 }
 
 func init() { file_signalexchange_proto_init() }
@@ -573,6 +639,18 @@ func file_signalexchange_proto_init() {
 			}
 		}
 		file_signalexchange_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Relay); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_signalexchange_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*RosenpassConfig); i {
 			case 0:
 				return &v.state
@@ -585,14 +663,13 @@ func file_signalexchange_proto_init() {
 			}
 		}
 	}
-	file_signalexchange_proto_msgTypes[3].OneofWrappers = []interface{}{}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_signalexchange_proto_rawDesc,
 			NumEnums:      1,
-			NumMessages:   5,
+			NumMessages:   6,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

signal/proto/signalexchange.proto

@@ -49,22 +49,33 @@ message Body {
     MODE = 4;
   }
   Type type = 1;
+  // these will be set in OFFER, ANSWER, CANDIDATE only
   string payload = 2;
   // wgListenPort is an actual WireGuard listen port
+  // these will be set in OFFER, ANSWER, CANDIDATE only
   uint32 wgListenPort = 3;
+  // these will be set in OFFER, ANSWER, CANDIDATE only
   string netBirdVersion = 4;
+
   Mode mode = 5;
 
   // featuresSupported list of supported features by the client of this protocol
   repeated uint32 featuresSupported = 6;
 
   // RosenpassConfig is a Rosenpass config of the remote peer our peer tries to connect to
+  // is this optional or mandatory?
   RosenpassConfig rosenpassConfig = 7;
+
+  Relay relay = 8;
 }
 
 // Mode indicates a connection mode
 message Mode {
-  optional bool direct = 1;
+}
+
+message Relay {
+  string relayedAddress = 1;
+  string srvRefAddress = 2;
 }
 
 message RosenpassConfig {