authorChristian Poessinger <christian@poessinger.com>2021-07-19 19:25:48 +0200
committerGitHub <noreply@github.com>2021-07-19 19:25:48 +0200
commita2e708384f1e1136016ceb7c45494a9a3ddaeb49 (patch)
tree4ee54246820dacee33eba93504f83ae5f962025a /src/op_mode
parent02043297db68d45b2ca398486cc119d1c103e68c (diff)
parentc96c3ea2ed672394b04fcae924d351565ec9dc6c (diff)
Merge pull request #929 from sarthurdev/pki_wg
pki: wireguard: T3642: Migrate Wireguard private key directly into CLI
Diffstat (limited to 'src/op_mode')
-rwxr-xr-xsrc/op_mode/pki.py2
-rwxr-xr-xsrc/op_mode/wireguard.py154
-rwxr-xr-xsrc/op_mode/wireguard_client.py2
3 files changed, 43 insertions, 115 deletions
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
index 7dbeb4097..b4a68b31c 100755
--- a/src/op_mode/pki.py
+++ b/src/op_mode/pki.py
@@ -215,7 +215,7 @@ def install_wireguard_key(name, private_key, public_key):
print("")
print("Public key for use on peer configuration: " + public_key)
else:
- print("set interfaces wireguard [INTERFACE] peer %s pubkey '%s'" % (name, public_key))
+ print("set interfaces wireguard [INTERFACE] peer %s public-key '%s'" % (name, public_key))
print("")
print("Private key for use on peer configuration: " + private_key)
diff --git a/src/op_mode/wireguard.py b/src/op_mode/wireguard.py
index e08bc983a..3ed8e17ca 100755
--- a/src/op_mode/wireguard.py
+++ b/src/op_mode/wireguard.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2018-2020 VyOS maintainers and contributors
+# Copyright (C) 2018-2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -15,132 +15,65 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import argparse
-import os
import sys
-import shutil
-import syslog as sl
-import re
+import tabulate
from vyos.config import Config
from vyos.ifconfig import WireGuardIf
from vyos.util import cmd
-from vyos.util import run
-from vyos.util import check_kmod
from vyos import ConfigError
-dir = r'/config/auth/wireguard'
-psk = dir + '/preshared.key'
-
-k_mod = 'wireguard'
-
-def generate_keypair(pk, pub):
- """ generates a keypair which is stored in /config/auth/wireguard """
- old_umask = os.umask(0o027)
- if run(f'wg genkey | tee {pk} | wg pubkey > {pub}') != 0:
- raise ConfigError("wireguard key-pair generation failed")
- else:
- sl.syslog(
- sl.LOG_NOTICE, "new keypair wireguard key generated in " + dir)
- os.umask(old_umask)
-
-
-def genkey(location):
- """ helper function to check, regenerate the keypair """
- pk = "{}/private.key".format(location)
- pub = "{}/public.key".format(location)
- old_umask = os.umask(0o027)
- if os.path.exists(pk) and os.path.exists(pub):
- try:
- choice = input(
- "You already have a wireguard key-pair, do you want to re-generate? [y/n] ")
- if choice == 'y' or choice == 'Y':
- generate_keypair(pk, pub)
- except KeyboardInterrupt:
- sys.exit(0)
- else:
- """ if keypair is bing executed from a running iso """
- if not os.path.exists(location):
- run(f'sudo mkdir -p {location}')
- run(f'sudo chgrp vyattacfg {location}')
- run(f'sudo chmod 750 {location}')
- generate_keypair(pk, pub)
- os.umask(old_umask)
-
-
-def showkey(key):
- """ helper function to show privkey or pubkey """
- if os.path.exists(key):
- print (open(key).read().strip())
- else:
- print ("{} not found".format(key))
-
-
-def genpsk():
- """
- generates a preshared key and shows it on stdout,
- it's stored only in the cli config
- """
-
- psk = cmd('wg genpsk')
- print(psk)
-
-def list_key_dirs():
- """ lists all dirs under /config/auth/wireguard """
- if os.path.exists(dir):
- nks = next(os.walk(dir))[1]
- for nk in nks:
- print (nk)
-
-def del_key_dir(kname):
- """ deletes /config/auth/wireguard/<kname> """
- kdir = "{0}/{1}".format(dir,kname)
- if not os.path.isdir(kdir):
- print ("named keypair {} not found".format(kname))
- return 1
- shutil.rmtree(kdir)
-
+base = ['interfaces', 'wireguard']
+
+def get_public_keys():
+ config = Config()
+ headers = ['Interface', 'Peer', 'Public Key']
+ out = []
+ if config.exists(base):
+ wg_interfaces = config.get_config_dict(base, key_mangling=('-', '_'),
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
+
+ for wg, wg_conf in wg_interfaces.items():
+ if 'peer' in wg_conf:
+ for peer, peer_conf in wg_conf['peer'].items():
+ out.append([wg, peer, peer_conf['public_key']])
+
+ print("Wireguard Public Keys:")
+ print(tabulate.tabulate(out, headers))
+
+def get_private_keys():
+ config = Config()
+ headers = ['Interface', 'Private Key', 'Public Key']
+ out = []
+ if config.exists(base):
+ wg_interfaces = config.get_config_dict(base, key_mangling=('-', '_'),
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
+
+ for wg, wg_conf in wg_interfaces.items():
+ private_key = wg_conf['private_key']
+ public_key = cmd('wg pubkey', input=private_key)
+ out.append([wg, private_key, public_key])
+
+ print("Wireguard Private Keys:")
+ print(tabulate.tabulate(out, headers))
if __name__ == '__main__':
- check_kmod(k_mod)
parser = argparse.ArgumentParser(description='wireguard key management')
parser.add_argument(
- '--genkey', action="store_true", help='generate key-pair')
- parser.add_argument(
- '--showpub', action="store_true", help='shows public key')
- parser.add_argument(
- '--showpriv', action="store_true", help='shows private key')
- parser.add_argument(
- '--genpsk', action="store_true", help='generates preshared-key')
- parser.add_argument(
- '--location', action="store", help='key location within {}'.format(dir))
- parser.add_argument(
- '--listkdir', action="store_true", help='lists named keydirectories')
+ '--showpub', action="store_true", help='shows public keys')
parser.add_argument(
- '--delkdir', action="store_true", help='removes named keydirectories')
+ '--showpriv', action="store_true", help='shows private keys')
parser.add_argument(
'--showinterface', action="store", help='shows interface details')
args = parser.parse_args()
try:
- if args.genkey:
- if args.location:
- genkey("{0}/{1}".format(dir, args.location))
- else:
- genkey("{}/default".format(dir))
if args.showpub:
- if args.location:
- showkey("{0}/{1}/public.key".format(dir, args.location))
- else:
- showkey("{}/default/public.key".format(dir))
+ get_public_keys()
if args.showpriv:
- if args.location:
- showkey("{0}/{1}/private.key".format(dir, args.location))
- else:
- showkey("{}/default/private.key".format(dir))
- if args.genpsk:
- genpsk()
- if args.listkdir:
- list_key_dirs()
+ get_private_keys()
if args.showinterface:
try:
intf = WireGuardIf(args.showinterface, create=False, debug=False)
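Review bot: `get_private_keys` indexes `wg_conf['private_key']` unconditionally, so one wireguard interface whose private-key node is absent raises KeyError and aborts the whole listing; `get_public_keys` has the same exposure on `peer_conf['public_key']`, and whether the validator guarantees these nodes always exist is not visible in this diff. Guard the lookup and skip incomplete entries, e.g. `private_key = wg_conf.get('private_key')` followed by `if not private_key: continue`, and likewise `peer_conf.get('public_key')`. Note also that `cmd('wg pubkey', input=private_key)` raises if the stored value is not a valid key, and only `ConfigError` is caught at the bottom of the script, so a corrupt value ends the command with a traceback instead of a message. Since `--showpriv` now prints every interface's private key to stdout in one table, the op-mode definition that exposes it should be limited to administrator-level users; that definition is outside this diff, and the `__main__` block continues past the end of this hunk.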
@@ -148,11 +81,6 @@ if __name__ == '__main__':
# the interface does not exists
except Exception:
pass
- if args.delkdir:
- if args.location:
- del_key_dir(args.location)
- else:
- del_key_dir("default")
except ConfigError as e:
print(e)
diff --git a/src/op_mode/wireguard_client.py b/src/op_mode/wireguard_client.py
index 7a620a01e..7661254da 100755
--- a/src/op_mode/wireguard_client.py
+++ b/src/op_mode/wireguard_client.py
@@ -38,7 +38,7 @@ To enable this configuration on a VyOS router you can use the following commands
{% for addr in address if address is defined %}
set interfaces wireguard {{ interface }} peer {{ name }} allowed-ips '{{ addr }}'
{% endfor %}
-set interfaces wireguard {{ interface }} peer {{ name }} pubkey '{{ pubkey }}'
+set interfaces wireguard {{ interface }} peer {{ name }} public-key '{{ pubkey }}'
"""
client_config = """