summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorhagbard <vyosdev@derith.de>2018-09-02 09:23:11 -0700
committerhagbard <vyosdev@derith.de>2018-09-02 09:23:11 -0700
commit228a3beec9d1fadd91b73b8547caec93c8e009f1 (patch)
tree29e4878b34e9c7e4fddcf9a9e8d8e55b77744579
parent737afd170b0b2dfbb86514e0fcf4959794064632 (diff)
downloadvyos-1x-228a3beec9d1fadd91b73b8547caec93c8e009f1.tar.gz
vyos-1x-228a3beec9d1fadd91b73b8547caec93c8e009f1.zip
T793: wireguard preshared-key implementation
- the psk is only read from a file, due to sudo it's redirection doesn't work file is created in /tmp (it's tmpfs), wg comand executed and the psk file is deleted again, to avoid leakage of the psk. It's create umaks(077) and root:root
-rwxr-xr-xsrc/conf_mode/wireguard.py37
1 files changed, 25 insertions, 12 deletions
diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index 9848914e3..c6440ad81 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
@@ -28,6 +28,7 @@ from vyos import ConfigError
dir = r'/config/auth/wireguard'
pk = dir + '/private.key'
pub = dir + '/public.key'
+psk_file = r'/tmp/psk'
def check_kmod():
if not os.path.exists('/sys/module/wireguard'):
@@ -117,7 +118,9 @@ def get_config():
config_data['interfaces'][intfc]['peer'][p]['endpoint'] = c.return_value(cnf + ' peer ' + p + ' endpoint')
if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'):
config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive')
-
+ if c.exists(cnf + ' peer ' + p + ' preshared-key'):
+ config_data['interfaces'][intfc]['peer'][p]['psk'] = c.return_value(cnf + ' peer ' + p + ' preshared-key')
+
return config_data
def verify(c):
@@ -225,24 +228,22 @@ def apply(c):
fh.write(str(cnf_descr))
def configure_interface(c, intf):
- wg_config = {
+ for p in c['interfaces'][intf]['peer']:
+ ## config init for wg call
+ wg_config = {
'interface' : intf,
- 'port' : 0,
- 'private-key' : '/config/auth/wireguard/private.key',
- 'peer' :
- {
- 'pubkey' : ''
- },
+ 'port' : 0,
+ 'private-key' : pk,
+ 'pubkey' : '',
+ 'psk' : '/dev/null',
'allowed-ips' : [],
'fwmark' : 0x00,
'endpoint' : None,
'keepalive' : 0
-
}
- for p in c['interfaces'][intf]['peer']:
## mandatory settings
- wg_config['peer']['pubkey'] = c['interfaces'][intf]['peer'][p]['pubkey']
+ wg_config['pubkey'] = c['interfaces'][intf]['peer'][p]['pubkey']
wg_config['allowed-ips'] = c['interfaces'][intf]['peer'][p]['allowed-ips']
## optional settings
@@ -258,11 +259,19 @@ def configure_interface(c, intf):
if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]:
wg_config['keepalive'] = c['interfaces'][intf]['peer'][p]['persistent-keepalive']
+ ## preshared-key - is only read from a file, it's called via sudo redirection doesn't work either
+ if 'psk' in c['interfaces'][intf]['peer'][p]:
+ old_umask = os.umask(0o077)
+ open(psk_file, 'w').write(str(c['interfaces'][intf]['peer'][p]['psk']))
+ os.umask(old_umask)
+ wg_config['psk'] = psk_file
+
### assemble wg command
cmd = "sudo wg set " + intf
cmd += " listen-port " + str(wg_config['port'])
cmd += " private-key " + wg_config['private-key']
- cmd += " peer " + wg_config['peer']['pubkey']
+ cmd += " peer " + wg_config['pubkey']
+ cmd += " preshared-key " + wg_config['psk']
cmd += " allowed-ips "
for ap in wg_config['allowed-ips']:
if ap != wg_config['allowed-ips'][-1]:
@@ -279,7 +288,11 @@ def configure_interface(c, intf):
cmd += " persistent-keepalive 0"
sl.syslog(sl.LOG_NOTICE, cmd)
+ #print (cmd)
subprocess.call([cmd], shell=True)
+ """ remove psk_file """
+ if os.path.exists(psk_file):
+ os.remove(psk_file)
def add_addr(intf, addr):
ret = subprocess.call(['ip a a dev ' + intf + ' ' + addr + ' &>/dev/null'], shell=True)