diff options
author | hagbard <vyosdev@derith.de> | 2018-09-02 09:23:11 -0700 |
---|---|---|
committer | hagbard <vyosdev@derith.de> | 2018-09-02 09:23:11 -0700 |
commit | 228a3beec9d1fadd91b73b8547caec93c8e009f1 (patch) | |
tree | 29e4878b34e9c7e4fddcf9a9e8d8e55b77744579 | |
parent | 737afd170b0b2dfbb86514e0fcf4959794064632 (diff) | |
download | vyos-1x-228a3beec9d1fadd91b73b8547caec93c8e009f1.tar.gz vyos-1x-228a3beec9d1fadd91b73b8547caec93c8e009f1.zip |
T793: wireguard preshared-key implementation
- the psk is only read from a file, due to sudo it's redirection doesn't work
file is created in /tmp (it's tmpfs), wg comand executed and the psk file
is deleted again, to avoid leakage of the psk. It's create umaks(077) and root:root
-rwxr-xr-x | src/conf_mode/wireguard.py | 37 |
1 files changed, 25 insertions, 12 deletions
diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 9848914e3..c6440ad81 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -28,6 +28,7 @@ from vyos import ConfigError dir = r'/config/auth/wireguard' pk = dir + '/private.key' pub = dir + '/public.key' +psk_file = r'/tmp/psk' def check_kmod(): if not os.path.exists('/sys/module/wireguard'): @@ -117,7 +118,9 @@ def get_config(): config_data['interfaces'][intfc]['peer'][p]['endpoint'] = c.return_value(cnf + ' peer ' + p + ' endpoint') if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'): config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive') - + if c.exists(cnf + ' peer ' + p + ' preshared-key'): + config_data['interfaces'][intfc]['peer'][p]['psk'] = c.return_value(cnf + ' peer ' + p + ' preshared-key') + return config_data def verify(c): @@ -225,24 +228,22 @@ def apply(c): fh.write(str(cnf_descr)) def configure_interface(c, intf): - wg_config = { + for p in c['interfaces'][intf]['peer']: + ## config init for wg call + wg_config = { 'interface' : intf, - 'port' : 0, - 'private-key' : '/config/auth/wireguard/private.key', - 'peer' : - { - 'pubkey' : '' - }, + 'port' : 0, + 'private-key' : pk, + 'pubkey' : '', + 'psk' : '/dev/null', 'allowed-ips' : [], 'fwmark' : 0x00, 'endpoint' : None, 'keepalive' : 0 - } - for p in c['interfaces'][intf]['peer']: ## mandatory settings - wg_config['peer']['pubkey'] = c['interfaces'][intf]['peer'][p]['pubkey'] + wg_config['pubkey'] = c['interfaces'][intf]['peer'][p]['pubkey'] wg_config['allowed-ips'] = c['interfaces'][intf]['peer'][p]['allowed-ips'] ## optional settings @@ -258,11 +259,19 @@ def configure_interface(c, intf): if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]: wg_config['keepalive'] = c['interfaces'][intf]['peer'][p]['persistent-keepalive'] + ## preshared-key - is only read from a file, it's called via sudo redirection doesn't work either + if 'psk' in c['interfaces'][intf]['peer'][p]: + old_umask = os.umask(0o077) + open(psk_file, 'w').write(str(c['interfaces'][intf]['peer'][p]['psk'])) + os.umask(old_umask) + wg_config['psk'] = psk_file + ### assemble wg command cmd = "sudo wg set " + intf cmd += " listen-port " + str(wg_config['port']) cmd += " private-key " + wg_config['private-key'] - cmd += " peer " + wg_config['peer']['pubkey'] + cmd += " peer " + wg_config['pubkey'] + cmd += " preshared-key " + wg_config['psk'] cmd += " allowed-ips " for ap in wg_config['allowed-ips']: if ap != wg_config['allowed-ips'][-1]: @@ -279,7 +288,11 @@ def configure_interface(c, intf): cmd += " persistent-keepalive 0" sl.syslog(sl.LOG_NOTICE, cmd) + #print (cmd) subprocess.call([cmd], shell=True) + """ remove psk_file """ + if os.path.exists(psk_file): + os.remove(psk_file) def add_addr(intf, addr): ret = subprocess.call(['ip a a dev ' + intf + ' ' + addr + ' &>/dev/null'], shell=True) |