~arx10/procustodibus-agent

1.7.0 3 months ago

procustodibus-agent-1.7.0.tar.gz.sha256
sha256:169dfd43fe8b2c18ad4f3190194d58e1940888bc1cf931eadb593fe95c8f3ea2
procustodibus-agent-1.7.0.tar.gz.sig
sha256:af6dbb8ee9d309182fb9bfe5afd6bb4d0ecf813bb053aa74fbed82f24920b52e
Pro Custodibus Agent 1.7.0

Added
-----

* Additional helper scripts for Windows.

Changed
-------

* Use external DNS resolver by default (see below).
* Apply packet mark (aka fwmark) to agent connections on Linux
  when wg-quick will use the mark to override the default gateway
  (see below).
* Installer automatically installs wireguard-tools package.

New DNS Settings
----------------

Previously, the agent would use the host operating system's own DNS
resolver. Now, by default, the agent will use the
[Quad9](https://www.quad9.net/) resolvers via DoH (DNS over HTTPS)
to resolve the IP address of the Pro Custodibus API, as well as any
WireGuard endpoint addresses specified by DNS name.

This is particularly useful when a WireGuard interface is itself used
for the host's default route, to ensure that the agent can resolve the
IP address needed to connect to the API even when the WireGuard tunnel
is not working.

To revert to the previous behavior, and use the host operating system's
DNS resolver, add the following setting to the procustodibus.conf file:

    Dns = off

To use a custom DoH resolver (such as
[Cloudflare's](https://1.1.1.1/dns/)), add the following settings
to the procustodibus.conf file, customizing the `Dns` setting to
specify the DNS servers to contact, and the `Doh` setting to specify
the hostname that the servers' TLS certificate must match:

    Dns = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
    Doh = cloudflare-dns.com

To use a custom UDP resolver, add the following settings to the
procustodibus.conf file, customizing the `Dns` setting to specify the
DNS servers to contact:

    Dns = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
    DnsProtocol = udp

To use a custom TCP resolver, add the following settings to the
procustodibus.conf file, customizing the `Dns` setting to specify the
DNS servers to contact:

    Dns = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
    DnsProtocol = tcp

The agent will automatically attempt to detect whether to use IPv4 or
IPv6 addresses. To force the agent to always prefer IPv4 addresses,
add the following setting to the procustodibus.conf file:

    ResolveHostnames = ipv4

To force the agent to always prefer IPv6 addresses, add the following
setting to the procustodibus.conf file:

    ResolveHostnames = ipv6

New FwMark Setting
------------------

When a `/0` network prefix (aka the default route) is used on Linux
for the `AllowedIPs` setting of a WireGuard peer, WireGuard's
`wg-quick` helper script will set up some policy routing rules to
ensure that the WireGuard interface's own traffic is not recursively
routed through the interface's tunnel; these rules rely on the
interface emitting packets with a specific mark (configurable via the
`FwMark` setting on the interface).

Now when the agent detects this scenario, it will also mark its own
packets with the same mark, ensuring that its connections to the
Pro Custodibus API (and the agent's DNS resolver) do not go through the
WireGuard tunnel (and so the agent will still work even if the tunnel
does not).

To prevent the agent from doing this, add the following setting to the
procustodibus.conf file:

    FwMark = off

To force the agent to always mark its packets with a specific mark
(such as 123), add the following setting to the procustodibus.conf file:

    FwMark = 123
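As an added example (not the agent's own code), a small Python checker that parses the procustodibus.conf settings described in the DNS section above together with a wg-quick interface config, validates the `Dns`/`Doh`/`DnsProtocol` combination, and applies the fwmark decision rule from the FwMark section. The sample configs are constructed, and the interface's mark is assumed to be set explicitly via its `FwMark` setting rather than auto-assigned by wg-quick.

```python
import ipaddress

# Constructed sample configs (not the real agent's files): a custom DoH
# resolver, and a tunnel whose peer carries the default route.
AGENT_CONF = "Dns = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111\nDoh = cloudflare-dns.com\n"
WG_CONF = "[Interface]\nFwMark = 0xca6c\n[Peer]\nAllowedIPs = 0.0.0.0/0, ::/0\n"

def parse_sections(text):
    """'Key = value' lines grouped by [Section] headers (wg-quick style); repeated [Peer]s stay separate."""
    sections = [current := {"_name": ""}]  # lines before any header land here
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = {"_name": line[1:-1]}
            sections.append(current)
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return sections

def resolver_settings(conf):
    """Normalise Dns/Doh/DnsProtocol into (protocol, servers, doh_hostname)."""
    dns = conf.get("Dns", "")
    if dns.lower() == "off":
        return ("system", [], None)  # host OS resolver, the pre-1.7.0 behaviour
    protocol = conf.get("DnsProtocol", "doh").lower()  # 'doh' label is this example's own
    if protocol not in ("doh", "udp", "tcp"):
        raise ValueError(f"unsupported DnsProtocol: {protocol}")
    servers = [str(ipaddress.ip_address(s)) for s in dns.replace(" ", "").split(",") if s]
    if protocol == "doh" and servers and not conf.get("Doh"):
        raise ValueError("Doh must name the host the resolver's TLS certificate is checked against")
    return (protocol, servers, conf.get("Doh"))

def has_default_route(wg_sections):
    # True when any [Peer]'s AllowedIPs contains a /0 network (0.0.0.0/0 or ::/0).
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0
               for s in wg_sections if s["_name"] == "Peer"
               for c in s.get("AllowedIPs", "").replace(" ", "").split(",") if c)

def effective_fwmark(conf, wg_text):
    """Mark for the agent's own sockets (None = unmarked): an explicit number wins, 'off'
    disables marking, otherwise the interface's FwMark is reused only for a default-route peer."""
    setting = conf.get("FwMark", "").lower()
    if setting == "off":
        return None
    if setting.isdigit():
        return int(setting)
    wg = parse_sections(wg_text)
    mark = next((s.get("FwMark") for s in wg if s["_name"] == "Interface"), None)
    return int(mark, 0) if mark and mark != "off" and has_default_route(wg) else None
```

With the sample configs, `effective_fwmark` yields 51820 (the interface's `0xca6c`), and switching the peer to a non-default route yields no mark at all.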