summaryrefslogtreecommitdiff
path: root/python/vyos/ifconfig.py
diff options
context:
space:
mode:
authorhagbard <vyosdev@derith.de>2019-09-04 12:50:43 -0700
committerhagbard <vyosdev@derith.de>2019-09-04 12:50:43 -0700
commitff34756f534bfc0f09a5ab6db0d36e1bf43546a8 (patch)
treeff68412937229b787b4eb63b115133adec2706bd /python/vyos/ifconfig.py
parent8257a5e67679fe6b7b74e8ba4b57547209a281d2 (diff)
downloadvyos-1x-ff34756f534bfc0f09a5ab6db0d36e1bf43546a8.tar.gz
vyos-1x-ff34756f534bfc0f09a5ab6db0d36e1bf43546a8.zip
[wireguard] - T1628: Adopt WireGuard configuration script to new vyos.ifconfig class
Diffstat (limited to 'python/vyos/ifconfig.py')
-rw-r--r--python/vyos/ifconfig.py70
1 files changed, 70 insertions, 0 deletions
diff --git a/python/vyos/ifconfig.py b/python/vyos/ifconfig.py
index 449923f09..ad3a066a8 100644
--- a/python/vyos/ifconfig.py
+++ b/python/vyos/ifconfig.py
@@ -1273,3 +1273,73 @@ class BondIf(EthernetIf):
return self._write_sysfs('/sys/class/net/{}/bonding/mode'
.format(self._ifname), mode)
+
+class WireGuardIf(Interface):
+ """
+ Wireguard interface class, contains a comnfig dictionary since
+ wireguard VPN is being comnfigured via the wg command rather than
+ writing the config into a file. Otherwise if a pre-shared key is used
+ (symetric enryption key), it would we exposed within multiple files.
+ Currently it's only within the config.boot if the config was saved.
+
+ Example:
+ >>> from vyos.ifconfig import WireGuardIf as wg_if
+ >>> wg_intfc = wg_if("wg01")
+ >>> print (wg_intfc.wg_config)
+ {'private-key': None, 'keepalive': 0, 'endpoint': None, 'port': 0, 'allowed-ips': [], 'pubkey': None, 'fwmark': 0, 'psk': '/dev/null'}
+ >>> wg_intfc.wg_config['keepalive'] = 100
+ >>> print (wg_intfc.wg_config)
+ {'private-key': None, 'keepalive': 100, 'endpoint': None, 'port': 0, 'allowed-ips': [], 'pubkey': None, 'fwmark': 0, 'psk': '/dev/null'}
+ """
+ def __init__(self, ifname):
+ super().__init__(ifname, type='wireguard')
+ self.wg_config = {
+ 'port' : 0,
+ 'private-key' : None,
+ 'pubkey' : None,
+ 'psk' : '/dev/null',
+ 'allowed-ips' : [],
+ 'fwmark' : 0x00,
+ 'endpoint' : None,
+ 'keepalive' : 0
+ }
+
+ def wg_update(self):
+ if not self.wg_config['private-key']:
+ raise ValueError("private key required")
+ else:
+ ### fmask permission check?
+ pass
+
+ cmd = "wg set {} ".format(self._ifname)
+ cmd += "listen-port {} ".format(self.wg_config['port'])
+ cmd += "fwmark {} ".format(str(self.wg_config['fwmark']))
+ cmd += "private-key {} ".format(self.wg_config['private-key'])
+ cmd += "peer {} ".format(self.wg_config['pubkey'])
+ cmd += " preshared-key {} ".format(self.wg_config['psk'])
+ cmd += " allowed-ips "
+ for aip in self.wg_config['allowed-ips']:
+ if aip != self.wg_config['allowed-ips'][-1]:
+ cmd += aip + ","
+ else:
+ cmd += aip
+ if self.wg_config['endpoint']:
+ cmd += " endpoint {}".format(self.wg_config['endpoint'])
+ cmd += " persistent-keepalive {}".format(self.wg_config['keepalive'])
+
+ self._cmd(cmd)
+
+ ### remove psk since it isn't required anymore and is saved in the cli config only !!
+ if self.wg_config['psk'] != '/dev/null':
+ if os.path.exists(self.wg_config['psk']):
+ os.remove(self.wg_config['psk'])
+
+ """
+ Remove a peer of an interface, peers are identified by their public key.
+ Giving it a readable name is a vyos feature, to remove a peer the pubkey
+ and the interface is needed, to remove the entry.
+ """
+ def wg_remove_peer(self, peerkey):
+ cmd = "sudo wg set {0} peer {1} remove".format(self._ifname, str(peerkey))
+ self._cmd(cmd)
+