CN117834753A - System and method for supporting port sharing and IP binding of WireGuard device - Google Patents


Info

Publication number: CN117834753A
Authority: CN (China)
Prior art keywords: WireGuard, message, UDP socket, WNI, socket
Legal status: Pending
Application number: CN202311712699.XA
Other languages: Chinese (zh)
Inventors: 吴建国, 洪钧煌, 李永隆, 郑国勇, 卢畅
Current assignee: Tianyi Cloud Technology Co Ltd
Original assignee: Tianyi Cloud Technology Co Ltd
Abstract

The invention relates to the technical field of computer network security and network communication, in particular to a system and a method for supporting port sharing and IP binding of a WireGuard device. The method comprises the following steps: S1: a WireGuard driver provides a Netlink interface to a management tool or application for configuring an IP address and SO_REUSEPORT; S2: a UDP socket is created according to the configured listening port, a unique identifier WNI is configured for the WireGuard device, and a plurality of WireGuard devices are associated with the UDP socket; S3: the sender sends the encrypted and encapsulated message to the peer through the UDP socket; S4: on receiving a message, the receiver obtains the WireGuard device from the UDP socket and delivers the message to the WireGuard device for decapsulation and decryption. The invention solves the problems of port waste and easy conflict with other applications or services in the prior art.

Description

System and method for supporting port sharing and IP binding of WireGuard device
Technical Field
The invention relates to the technical fields of computer network security and network communication, in particular to a system and a method for supporting port sharing and IP binding of a WireGuard device.
Background
WireGuard is a modern, high-performance, secure VPN protocol. Compared with traditional VPN protocols (e.g. OpenVPN, IPsec), WireGuard has the following advantages. High performance: WireGuard uses the latest encryption algorithms and a lighter-weight protocol design, so it achieves higher performance and lower latency and performs well on both high-speed networks and low-power devices. Security: WireGuard uses state-of-the-art cryptographic algorithms (such as ChaCha20, Poly1305, Curve25519, etc.) together with various security measures (such as integrity checking and key rotation) to ensure the security and reliability of the VPN connection; in addition, the simple design of the WireGuard protocol avoids many security vulnerabilities. Simple and easy to use: the WireGuard protocol has a simple design and a small code base, and is easy to deploy and maintain; WireGuard also provides a set of easy-to-use command-line tools and APIs that allow users to create and manage VPN connections easily. Cross-platform support: WireGuard supports a variety of operating systems (Linux, Windows, macOS, iOS, Android, etc.) and can run on various types of devices, including embedded devices, routers and servers.
In the prior art, the patent with application publication number CN114285697A discloses a multi-network single-entry VPN system based on WireGuard and OpenVPN, in which the user performs single-entry access through OpenVPN, tunnels are established at the network layer (layer 3) through WireGuard to reach different networks, user traffic is transmitted to a VPN gateway through an SSL secure tunnel via the tun0 network interface of OpenVPN, data packets are filtered by nftables and forwarded to the WireGuard network interface, data is sent to the target network through the tunnel, and authentication and access control of enterprise users are carried out through the Lightweight Directory Access Protocol (LDAP).
As another example, patent application publication No. CN115225493A discloses configuration generation for networking nodes based on WireGuard: the UI platform in the WireGuard network responds to an operation by maintenance personnel on the operation interface that changes the topology of the networking nodes, obtains the change result, and sends a change request carrying the change result to the central control server; the central control server invokes the target configuration generation strategy corresponding to the change type, determines at least one target networking node in the WireGuard network associated with the change result, generates the latest WireGuard configuration information and sends it to each target networking node, so that each target networking node updates its own WireGuard configuration according to the latest configuration information.
The WireGuard protocol in the above patents is an end-to-end connection implemented over UDP: one WireGuard device creates two UDP sockets (IPv4 and IPv6), whose listening port may be designated or may be an available port chosen at random by the kernel, and whose listening address (IP address) is the any-address (i.e. the all-zero address, 0.0.0.0 for IPv4 and :: for IPv6). This has the problems described below.
Disclosure of Invention
This section is intended to outline some aspects of embodiments of the invention and to briefly introduce some preferred embodiments. Some simplifications or omissions may be made in this section as well as in the description summary and in the title of the application, to avoid obscuring the purpose of this section, the description summary and the title of the invention, which should not be used to limit the scope of the invention.
The current WireGuard protocol is an end-to-end connection implemented over UDP: one WireGuard device creates two UDP sockets (IPv4 and IPv6), the listening port of the UDP socket may be designated or an available port may be chosen at random by the kernel, and the listening address (IP address) is the any-address (i.e. the all-zero address, 0.0.0.0 for IPv4 and :: for IPv6). This brings about two problems:
1. As more and more WireGuard devices are created on one server, more and more UDP ports are occupied; since there are at most 65535 UDP ports, at most 65535 WireGuard devices can be created on one server (disregarding the network namespace scenario). Meanwhile, each WireGuard device needs to monopolize one UDP port, so the UDP ports must be managed carefully to prevent devices from failing to work because of UDP port collisions, which increases the complexity of the management plane. On the other hand, too many ports make security policies hard to set, since a security policy must be configured for each port.
2. The WireGuard device listens on the any-address and does not enable port reuse (SO_REUSEPORT), so the port the WireGuard device listens on cannot be listened on by any other application; for example, if the listening port configured for the WireGuard device is 12345, no other application can listen on UDP port 12345 on any IP address. This can affect the availability of other applications or services.
The invention aims at solving the following 3 problems in the prior art:
1. Port sharing of WireGuard devices is supported: a plurality of WireGuard devices share the same listening port, i.e. the plurality of WireGuard devices together create only two UDP sockets (IPv4 and IPv6), which saves ports.
2. IP binding of the WireGuard device is supported: the WireGuard device can listen on a specific IP address other than the any-address, such as 127.0.0.1 (IPv4) or 2001::1 (IPv6), so that collisions with other applications or services are avoided.
3. Enabling SO_REUSEPORT on the UDP socket created by the WireGuard device is supported, i.e. the WireGuard device and another application or service may listen on the same port at the same time with SO_REUSEPORT enabled on both, one party listening on the any-address and the other on a specific IP address, e.g. WireGuard listening on 127.0.0.1:12345 and a gateway service listening on 0.0.0.0:12345.
In order to achieve the above purpose, the method for supporting port sharing and IP binding of a WireGuard device according to the present invention comprises the following steps:
S1: a WireGuard driver provides a Netlink interface to a management tool or application for configuring an IP address and SO_REUSEPORT;
S2: a UDP socket is created according to the configured listening port, a unique identifier WNI is configured for the WireGuard device, and a plurality of WireGuard devices are associated with the UDP socket;
S3: the sender sends the encrypted and encapsulated message to the peer through the UDP socket;
S4: on receiving a message, the receiver obtains the WireGuard device from the UDP socket and delivers the message to the WireGuard device for decapsulation and decryption.
Specifically, in S1, the IP address includes specific IPv4 and IPv6 listening addresses, which are combined with port sharing so that a plurality of WireGuard devices can use the same UDP socket.
Specifically, S1 includes the following specific steps:
S11: performing a uniqueness check to ensure that the WNI of each WireGuard device under the same IP address is unique;
S12: when creating the UDP socket, the WireGuard driver uses the configured IP address;
S13: determining the device state, and having the WireGuard driver provide a Netlink interface to the management tool or application for configuring whether SO_REUSEPORT is enabled on the WireGuard device.
Specifically, in S13, the device state is the DOWN state.
Specifically, in S13, determining whether to enable SO_REUSEPORT includes: when the WireGuard driver creates the UDP socket, it checks whether SO_REUSEPORT is configured as enabled, and if so calls the setsockopt interface to set SO_REUSEPORT.
Specifically, in S2, the UDP socket may be bound to specific IPv4 and IPv6 addresses.
Specifically, in S2, the unique identifier of the WireGuard device is the WireGuard Network Identifier (WNI), and the configuration steps of the WNI are as follows:
S21: adding a structure, wg_sock, in which wg_socket points to the UDP socket and a hash table holds the WireGuard devices (wg_device) sharing the same port, i.e. the same socket;
S22: with wg_sock as a bridge, pointing wg_device and sock at wg_sock;
S23: the device can be found through the socket or the socket through the device, which realizes the association between a plurality of WireGuard devices and the UDP socket.
Specifically, in S3, the sender encapsulates the WNI in the header of the WireGuard message, carrying it in the low 16 bits of the Reserved field of the WireGuard protocol header.
Specifically, the receiver parses the low 16 bits of the Reserved field of the WireGuard protocol header to obtain the WNI, and obtains the corresponding WireGuard device according to the WNI.
In addition, the system supporting port sharing and IP binding of the WireGuard device comprises the following modules:
a configuration module, an association module, a message sending module and a message receiving module;
the configuration module, in which a WireGuard driver provides a Netlink interface to a management tool or application for configuring an IP address and SO_REUSEPORT;
the association module, which creates a UDP socket according to the configured listening port, configures a unique identifier WNI for the WireGuard device, and associates a plurality of WireGuard devices with the UDP socket;
the message sending module, which is used by the sender to send the encrypted and encapsulated message to the peer through the UDP socket;
the message receiving module, which, when the receiver receives a message on the UDP socket, obtains the WireGuard device from the UDP socket and delivers the message to the WireGuard device for decapsulation and decryption.
Compared with the prior art, the invention has the following technical effects:
1. The invention supports a plurality of WireGuard devices using the same listening port, which saves a large number of UDP ports, avoids making other applications or services unavailable, and reduces the complexity of the management plane. It also reduces the complexity of configuring security policies for open ports.
2. The invention supports binding the WireGuard device to a specific IP address, avoiding the situation where other applications or services cannot listen on the same port on a specific IP address because the WireGuard device is bound to the any-address.
3. The invention supports setting the SO_REUSEPORT attribute on the WireGuard device, which allows the WireGuard device and other applications or services to listen on the same port, one party using the any-address and the other a specific address, thereby meeting the service requirement.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Wherein:
FIG. 1 is a flow chart of a method for supporting port sharing and IP binding of a WireGuard device according to the present invention;
FIG. 2 is a schematic diagram of the first 4 bytes of a WireGuard protocol message header according to the present invention;
FIG. 3 is a schematic diagram of the relationship between a socket and a WireGuard device according to the present invention;
FIG. 4 is a schematic diagram of a system architecture supporting port sharing and IP binding of a WireGuard device according to the present invention.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present invention is not limited to the specific embodiments disclosed below.
Further, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic can be included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
Embodiment one:
As shown in FIG. 1, a method for supporting port sharing and IP binding of a WireGuard device according to an embodiment of the present invention includes the following specific steps:
S1: a WireGuard driver provides a Netlink interface to a management tool or application for configuring an IP address and SO_REUSEPORT;
in S1, the IP address includes specific IPv4 and IPv6 listening addresses, which are combined with port sharing so that a plurality of WireGuard devices can use the same UDP socket.
S1 comprises the following specific steps:
S11: performing a uniqueness check to ensure that the WNI of each WireGuard device under the same IP address is unique;
S12: when creating the UDP socket, the WireGuard driver uses the configured IP address;
S13: determining the device state, and having the WireGuard driver provide a Netlink interface to the management tool or application for configuring whether SO_REUSEPORT is enabled on the WireGuard device.
In S13, the device state is the DOWN state;
in S13, determining whether to enable SO_REUSEPORT includes: when the WireGuard driver creates the UDP socket, it checks whether SO_REUSEPORT is configured as enabled, and if so calls the setsockopt interface to set SO_REUSEPORT.
S2: a UDP socket is created according to the configured listening port, a unique identifier WNI is configured for the WireGuard device, and a plurality of WireGuard devices are associated with the UDP socket;
in S2, the UDP socket may be bound to specific IPv4 and IPv6 addresses.
In S2, the unique identifier of the WireGuard device is the WireGuard Network Identifier (WNI), and the configuration steps of the WNI are as follows:
S21: adding a structure, wg_sock, in which wg_socket points to the UDP socket and a hash table holds the WireGuard devices (wg_device) sharing the same port, i.e. the same socket;
S22: with wg_sock as a bridge, pointing wg_device and sock at wg_sock;
S23: the device can be found through the socket or the socket through the device, which realizes the association between a plurality of WireGuard devices and the UDP socket.
S3: the sender sends the encrypted and encapsulated message to the peer through the UDP socket;
as shown in FIG. 4, in S3 the sender encapsulates the WNI in the header of the WireGuard message, carrying it in the low 16 bits of the Reserved field of the WireGuard protocol header.
S4: on receiving a message, the receiver obtains the WireGuard device from the UDP socket and delivers the message to the WireGuard device for decapsulation and decryption.
The receiver parses the low 16 bits of the Reserved field of the WireGuard protocol header to obtain the WNI, and obtains the corresponding WireGuard device according to the WNI.
Embodiment two:
As shown in FIGS. 2, 3 and 4, a system supporting port sharing and IP binding of a WireGuard device according to an embodiment of the present invention is described below.
The following is a specific embodiment of the present invention, in which the application scenario is a secure acceleration scenario (e.g. zero trust combined with CDN acceleration), described taking FIG. 4 as an exemplary diagram:
1. In this embodiment, multiple tenants are supported. The tenants are distinguished by WNI, and the WireGuard interfaces of different tenants are configured with different WNIs; for example, the WNI of tenant 1 is 1 and the WNI of tenant 2 is 2, so that multiple tenants can access through the same port, for example port 6666 in the figure. A tenant may be placed in a Network Namespace.
2. The edge node may be interconnected with a plurality of back-source nodes, i.e. different back-source nodes may be selected for a tenant according to the service quality of the link and of the back-source nodes. There may also be acceleration nodes (or relay nodes) between the edge nodes and the back-source nodes.
3. Each tenant of the edge node creates a plurality of WireGuard interfaces (the number depends on the number of back-source nodes). Taking 2 back-source nodes as an example, 3 WireGuard interfaces are created (for example, wg1-0, wg1-1 and wg1-2 for tenant 1): one interface serves as the client access interface, and different tenants configure the same listening port on it (for example, 6666); the other two interfaces serve as interfaces for interconnection with the back-source nodes, and different interfaces configure different listening ports (e.g. 8888 and 9999). Thus the number of UDP ports is independent of the number of tenants, and the number of ports is greatly reduced.
4. The back-source node is similar to the edge node: the tenants are distinguished by WNI, and different tenants use the same UDP port to communicate with the edge node.
5. Taking tenant 1 as an example, a complete user access procedure is as follows:
(1) The client initiates the request; when the client encapsulates the WireGuard message, it carries WNI = 1, and the UDP destination port is 6666.
(2) After the message reaches the edge node and is processed by the kernel protocol stack, the UDP socket with port number 6666 processes it, parses WNI = 1, looks up wg1-0 according to the WNI (see FIG. 2) and hands the message to wg1-0; the WireGuard driver decapsulates and decrypts the message and passes it to the kernel protocol stack; the application (such as a security gateway or a CDN gateway) then performs the relevant security or data processing, and the message is routed to the WireGuard interface corresponding to the selected back-source node, for example the wg1-1 interface.
(3) After the message is routed to the wg1-1 interface, the wg1-1 interface encrypts and encapsulates it, setting WNI = 1 and an outer UDP destination port of 8888, and sends it to the back-source node using the UDP socket with port 8888.
(4) After the back-source node receives the message, the UDP socket with port 8888 processes it, parses the WNI, looks up the WireGuard interface according to the WNI and delivers the message to the corresponding interface; the WireGuard driver then decapsulates and decrypts the message and delivers it to the kernel protocol stack for further processing; finally, the application receives the data and forwards it to the source station for processing.
(5) The response message from the source station likewise passes through the back-source node, then the edge node, and finally reaches the client.
6. As required, a listening address can be configured for the WireGuard interface; interfaces configured with the same listening address can use the same socket, and SO_REUSEPORT can be enabled at the same time.
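The WNI demultiplexing walked through in items 1 to 5 above, as an added example in C that is not the patent's or the WireGuard project's code: a shared-socket structure (the wg_sock of S21, here a small chained hash table) registers devices by WNI and rejects duplicates (S11), the sender writes the WNI into the low 16 bits of the header's Reserved field (S3), and the receiver reads it back to select the device or drops the datagram when no device owns that WNI (S4). Assumptions: the Reserved field is little-endian like the rest of the WireGuard header, so its low 16 bits are header bytes 1 and 2; the tenant 2 interface name wg2-0 and the packets are constructed for the example.

```c
/* Added example (not the patent's code): carrying the WireGuard Network
 * Identifier (WNI) in the low 16 bits of the 3-byte Reserved field of the
 * 4-byte WireGuard message header, and demultiplexing datagrams arriving on
 * one shared UDP socket to the device registered under that WNI.
 * Assumption: Reserved is little-endian like the header's type field, so its
 * low 16 bits are header bytes 1 and 2; byte 3 stays zero. */
#include <stddef.h>
#include <stdint.h>

#define WG_HDR_LEN  4
#define WNI_BUCKETS 16        /* toy table size; a driver would size this larger */

struct wg_device {
    const char *name;
    uint16_t wni;
    struct wg_device *next;    /* chain link inside the shared socket's hash table */
};

/* The wg_sock of step S21: one shared UDP socket plus the devices hung under it. */
struct wg_sock {
    uint16_t listen_port;
    struct wg_device *bucket[WNI_BUCKETS];
};

static unsigned wni_hash(uint16_t wni) { return wni % WNI_BUCKETS; }

/* Register a device under the socket. Returns -1 if the WNI is already taken
 * on this socket (the S11 uniqueness check), 0 otherwise. */
int wg_sock_add_device(struct wg_sock *s, struct wg_device *dev)
{
    unsigned h = wni_hash(dev->wni);
    for (struct wg_device *d = s->bucket[h]; d; d = d->next)
        if (d->wni == dev->wni)
            return -1;
    dev->next = s->bucket[h];
    s->bucket[h] = dev;
    return 0;
}

struct wg_device *wg_sock_lookup(const struct wg_sock *s, uint16_t wni)
{
    for (struct wg_device *d = s->bucket[wni_hash(wni)]; d; d = d->next)
        if (d->wni == wni)
            return d;
    return NULL;
}

/* Sender side (S3): message type in byte 0, WNI in the low 16 bits of Reserved. */
void wg_header_encode(uint8_t hdr[WG_HDR_LEN], uint8_t type, uint16_t wni)
{
    hdr[0] = type;
    hdr[1] = (uint8_t)(wni & 0xff);
    hdr[2] = (uint8_t)(wni >> 8);
    hdr[3] = 0;
}

/* Receiver side (S4): read the WNI back out of the Reserved field. */
uint16_t wg_header_wni(const uint8_t hdr[WG_HDR_LEN])
{
    return (uint16_t)(hdr[1] | (hdr[2] << 8));
}

uint16_t wni_roundtrip(uint16_t wni)
{
    uint8_t hdr[WG_HDR_LEN];
    wg_header_encode(hdr, 4 /* transport data */, wni);
    return wg_header_wni(hdr);
}

/* Pick the device owning a datagram received on shared socket `s`.
 * NULL means drop: datagram shorter than a header, or a WNI nobody owns. */
struct wg_device *wg_sock_deliver(const struct wg_sock *s, const uint8_t *pkt, size_t len)
{
    if (len < WG_HDR_LEN)
        return NULL;
    return wg_sock_lookup(s, wg_header_wni(pkt));
}

/* Edge node from the embodiment: port 6666 shared by tenant 1 (WNI 1, wg1-0)
 * and tenant 2 (WNI 2; the name wg2-0 is constructed). Returns 0 when every
 * check passes, otherwise the number of the first failing check. */
int edge_node_demo(void)
{
    struct wg_sock edge = { .listen_port = 6666 };
    struct wg_device wg1_0 = { .name = "wg1-0", .wni = 1 };
    struct wg_device wg2_0 = { .name = "wg2-0", .wni = 2 };
    struct wg_device clash = { .name = "wgX",   .wni = 1 };   /* duplicate WNI */
    uint8_t pkt[WG_HDR_LEN + 4] = { 0 };                      /* constructed datagram */

    if (wg_sock_add_device(&edge, &wg1_0) || wg_sock_add_device(&edge, &wg2_0)) return 1;
    if (wg_sock_add_device(&edge, &clash) != -1) return 2;   /* S11 rejects duplicate */
    wg_header_encode(pkt, 1 /* handshake initiation */, 1);
    if (wg_sock_deliver(&edge, pkt, sizeof pkt) != &wg1_0) return 3;
    wg_header_encode(pkt, 1, 2);
    if (wg_sock_deliver(&edge, pkt, sizeof pkt) != &wg2_0) return 4;
    wg_header_encode(pkt, 1, 3);                   /* no tenant owns WNI 3: drop */
    if (wg_sock_deliver(&edge, pkt, sizeof pkt) != NULL) return 5;
    if (wg_sock_deliver(&edge, pkt, 2) != NULL) return 6;   /* truncated header: drop */
    return 0;
}
```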
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
It should be understood that determining B from A does not mean determining B from A alone; B may also be determined from A and/or other information.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any other combination. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. When the computer instructions or computer program are loaded or executed on a computer, the processes or functions in accordance with embodiments of the present invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in or transmitted from one computer-readable storage medium to another, for example, by way of wired or/and wireless networks from one website site, computer, server, or data center to another. Computer readable storage media can be any available media that can be accessed by a computer or data storage devices, such as servers, data centers, etc. that contain one or more collections of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided by the present invention, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the partitioning of units is merely one, and there may be additional partitioning in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
In the description of the present specification, the descriptions of the terms "one embodiment," "example," "specific example," and the like, mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
In summary, compared with the prior art, the technical effects of the invention are as follows:
1. The invention supports a plurality of WireGuard devices using the same listening port, which saves a large number of UDP ports, avoids making other applications or services unavailable, and reduces the complexity of the management plane. It also reduces the complexity of configuring security policies for open ports.
2. The invention supports binding the WireGuard device to a specific IP address, avoiding the situation where other applications or services cannot listen on the same port on a specific IP address because the WireGuard device is bound to the any-address.
3. The invention supports setting the SO_REUSEPORT attribute on the WireGuard device, which allows the WireGuard device and other applications or services to listen on the same port, one party using the any-address and the other a specific address, thereby meeting the service requirement.
The foregoing has shown and described the basic principles and main features of the present invention and the advantages of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present invention, and various changes and modifications may be made without departing from the spirit and scope of the invention, which is defined in the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (10)

1. A method for supporting port sharing and IP binding of a WireGuard device, characterized in that the method comprises the following specific steps:
S1: a WireGuard driver provides a Netlink interface to a management tool or application for configuring an IP address and SO_REUSEPORT;
S2: a UDP socket is created according to the configured listening port, a unique identifier WNI is configured for the WireGuard device, and a plurality of WireGuard devices are associated with the UDP socket;
S3: the sender sends the encrypted and encapsulated message to the peer through the UDP socket;
S4: on receiving a message, the receiver obtains the WireGuard device from the UDP socket and delivers the message to the WireGuard device for decapsulation and decryption.
2. The method for supporting port sharing and IP binding of a WireGuard device according to claim 1, wherein in S1 the IP address comprises specific IPv4 and IPv6 listening addresses, combined with port sharing.
3. The method for supporting port sharing and IP binding of a WireGuard device according to claim 1, wherein S1 comprises the following specific steps:
S11: performing a uniqueness check to ensure that the WNI of each WireGuard device under the same IP address is unique;
S12: when creating the UDP socket, the WireGuard driver uses the configured IP address;
S13: determining the device state, and having the WireGuard driver provide a Netlink interface to the management tool or application for configuring whether SO_REUSEPORT is enabled on the WireGuard device.
4. The method for supporting port sharing and IP binding of a WireGuard device according to claim 3, wherein in S13 the device state is the DOWN state.
5. The method for supporting port sharing and IP binding of a WireGuard device according to claim 1, wherein determining whether to enable SO_REUSEPORT in S13 comprises: when the WireGuard driver creates the UDP socket, it checks whether SO_REUSEPORT is configured as enabled, and if so calls the setsockopt interface to set SO_REUSEPORT.
6. The method for supporting port sharing and IP binding of wireless guard device according to claim 1, wherein in S2, the UDP socket may be bound to specific IPv4 and IPv6 addresses.
7. The method for supporting port sharing and IP binding of a WireGuard device according to claim 1, wherein in S2 the unique identifier of the WireGuard device comprises a WireGuard Network Identifier, WNI, and the configuration steps of the WNI are as follows:
S21: adding a structure in which wg_socket points to the UDP socket and which holds a hash table, under which the WireGuard devices sharing the same port are hung;
S22: using wg_sock as a bridge, pointing both wg_device and sock to wg_sock;
S23: finding the device through the socket or the socket through the device, thereby associating the plurality of WireGuard devices with the UDP socket.
8. The method for supporting port sharing and IP binding of a WireGuard device according to claim 1, wherein in S3 the sender encapsulates the WNI in the header of the WireGuard message, carried in the low 16 bits of the Reserved field of the WireGuard protocol header.
9. The method for supporting port sharing and IP binding of a WireGuard device according to claim 1, wherein the receiver parses the low 16 bits of the Reserved field of the WireGuard protocol header, obtains the WNI, and obtains the corresponding WireGuard device according to the WNI.
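As an added illustration of claims 7 to 9 (example code written here, not the patent's or the WireGuard project's code), the following C shows the WNI being written into the Reserved field on send and parsed back and resolved to a device on receive. It assumes the WireGuard header is a 4-byte word whose byte 0 is the message type and bytes 1 to 3 are the Reserved field, that the WNI sits in the low 16 bits of that field (bytes 1 and 2), and uses a hypothetical wg_sock structure with a fixed-size table standing in for the driver's hash table.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumption: byte 0 = message type, bytes 1..3 = Reserved; the WNI
 * occupies the low 16 bits of the 24-bit Reserved field (bytes 1, 2). */
#define WG_HDR_LEN 4
#define WNI_TABLE_SIZE 64   /* hypothetical size of the per-socket WNI table */

struct wg_device {          /* hypothetical stand-in for the driver's device */
    uint16_t wni;
    const char *name;
};

/* Hypothetical wg_sock: one shared UDP socket plus devices keyed by WNI. */
struct wg_sock {
    struct wg_device *table[WNI_TABLE_SIZE];
};

static unsigned wni_hash(uint16_t wni) { return wni % WNI_TABLE_SIZE; }

/* Hang a device under the socket; -1 if the bucket is already taken
 * (this toy table has no chaining, unlike a real hash table). */
int wg_sock_add_device(struct wg_sock *ws, struct wg_device *dev)
{
    unsigned h = wni_hash(dev->wni);
    if (ws->table[h]) return -1;
    ws->table[h] = dev;
    return 0;
}

/* Sender side (S3): write type and WNI into the 4-byte header. */
void wg_header_encode(uint8_t hdr[WG_HDR_LEN], uint8_t type, uint16_t wni)
{
    hdr[0] = type;
    hdr[1] = (uint8_t)(wni & 0xff);   /* low byte of the WNI */
    hdr[2] = (uint8_t)(wni >> 8);     /* high byte of the WNI */
    hdr[3] = 0;                       /* top Reserved byte stays zero */
}

/* Receiver side (S4): parse the WNI and resolve the device; NULL means the
 * packet should be dropped (short header, non-zero top byte, unknown WNI). */
struct wg_device *wg_sock_lookup(struct wg_sock *ws, const uint8_t *pkt, size_t len)
{
    if (len < WG_HDR_LEN || pkt[3] != 0) return NULL;
    uint16_t wni = (uint16_t)(pkt[1] | (pkt[2] << 8));
    struct wg_device *dev = ws->table[wni_hash(wni)];
    return (dev && dev->wni == wni) ? dev : NULL;  /* compare, not just hash */
}
```

A peer that leaves the Reserved field zero (standard WireGuard) yields WNI 0, so unless a device is registered under WNI 0 its packets are dropped; both ends must agree on the scheme.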
10. A system supporting port sharing and IP binding of a WireGuard device, implemented on the basis of the method supporting port sharing and IP binding of a WireGuard device according to any one of claims 1 to 9, characterized in that the system comprises the following modules:
a configuration module, an association module, a message sending module and a message receiving module;
the configuration module, in which the WireGuard driver provides a Netlink interface to a management tool or application to configure an IP address and SO_REUSEPORT;
the association module, which creates a UDP socket according to the configured listening port, configures a unique identifier WNI for the WireGuard device, and associates a plurality of WireGuard devices with the UDP socket;
the message sending module, through which the sender sends the encrypted and encapsulated message to the peer via the UDP socket;
the message receiving module, which, when the receiver receives a message on the UDP socket, obtains the WireGuard device from the UDP socket and delivers the message to that WireGuard device for decapsulation and decryption.
CN202311712699.XA 2023-12-13 2023-12-13 System and method for supporting port sharing and IP binding of WireGuard device Pending CN117834753A (en)

Publications (1)

Publication Number Publication Date
CN117834753A true CN117834753A (en) 2024-04-05

Family

ID=90506820

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination