diff options
author | Christian Poessinger <christian@poessinger.com> | 2021-07-19 19:25:48 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-19 19:25:48 +0200 |
commit | a2e708384f1e1136016ceb7c45494a9a3ddaeb49 (patch) | |
tree | 4ee54246820dacee33eba93504f83ae5f962025a /src | |
parent | 02043297db68d45b2ca398486cc119d1c103e68c (diff) | |
parent | c96c3ea2ed672394b04fcae924d351565ec9dc6c (diff) | |
download | vyos-1x-a2e708384f1e1136016ceb7c45494a9a3ddaeb49.tar.gz vyos-1x-a2e708384f1e1136016ceb7c45494a9a3ddaeb49.zip |
Merge pull request #929 from sarthurdev/pki_wg
pki: wireguard: T3642: Migrate Wireguard private key directly into CLI
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/interfaces-wireguard.py | 16 | ||||
-rwxr-xr-x | src/migration-scripts/interfaces/22-to-23 | 66 | ||||
-rwxr-xr-x | src/op_mode/pki.py | 2 | ||||
-rwxr-xr-x | src/op_mode/wireguard.py | 154 | ||||
-rwxr-xr-x | src/op_mode/wireguard_client.py | 2 |
5 files changed, 115 insertions, 125 deletions
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index 024ab8f59..4c566a5ad 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py @@ -46,17 +46,14 @@ def get_config(config=None): base = ['interfaces', 'wireguard'] wireguard = get_interface_dict(conf, base) - # Mangle private key - it has a default so its always valid - wireguard['private_key'] = '/config/auth/wireguard/{private_key}/private.key'.format(**wireguard) - # Determine which Wireguard peer has been removed. # Peers can only be removed with their public key! dict = {} tmp = node_changed(conf, ['peer'], key_mangling=('-', '_')) for peer in (tmp or []): - pubkey = leaf_node_changed(conf, ['peer', peer, 'pubkey']) - if pubkey: - dict = dict_merge({'peer_remove' : {peer : {'pubkey' : pubkey[0]}}}, dict) + public_key = leaf_node_changed(conf, ['peer', peer, 'public_key']) + if public_key: + dict = dict_merge({'peer_remove' : {peer : {'public_key' : public_key[0]}}}, dict) wireguard.update(dict) return wireguard @@ -70,9 +67,8 @@ def verify(wireguard): verify_address(wireguard) verify_vrf(wireguard) - if not os.path.exists(wireguard['private_key']): - raise ConfigError('Wireguard private-key not found! Execute: ' \ - '"run generate wireguard [default-keypair|named-keypairs]"') + if 'private_key' not in wireguard: + raise ConfigError('Wireguard private-key not defined') if 'peer' not in wireguard: raise ConfigError('At least one Wireguard peer is required!') @@ -84,7 +80,7 @@ def verify(wireguard): if 'allowed_ips' not in peer: raise ConfigError(f'Wireguard allowed-ips required for peer "{tmp}"!') - if 'pubkey' not in peer: + if 'public_key' not in peer: raise ConfigError(f'Wireguard public-key required for peer "{tmp}"!') if ('address' in peer and 'port' not in peer) or ('port' in peer and 'address' not in peer): diff --git a/src/migration-scripts/interfaces/22-to-23 b/src/migration-scripts/interfaces/22-to-23 new file mode 100755 index 000000000..c52a26908 --- /dev/null +++ b/src/migration-scripts/interfaces/22-to-23 @@ -0,0 +1,66 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# A VTI interface also requires an IPSec configuration - VyOS 1.2 supported +# having a VTI interface in the CLI but no IPSec configuration - drop VTI +# configuration if this is the case for VyOS 1.4 + +import os +import sys +from vyos.configtree import ConfigTree + +if __name__ == '__main__': + if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) + + file_name = sys.argv[1] + + with open(file_name, 'r') as f: + config_file = f.read() + + config = ConfigTree(config_file) + base = ['interfaces', 'wireguard'] + if not config.exists(base): + # Nothing to do + sys.exit(0) + + for interface in config.list_nodes(base): + private_key_path = base + [interface, 'private-key'] + + key_file = 'default' + if config.exists(private_key_path): + key_file = config.return_value(private_key_path) + + full_key_path = f'/config/auth/wireguard/{key_file}/private.key' + + if not os.path.exists(full_key_path): + print(f'Could not find wireguard private key for migration on interface "{interface}"') + continue + + with open(full_key_path, 'r') as f: + key_data = f.read().strip() + config.set(private_key_path, value=key_data) + + for peer in config.list_nodes(base + [interface, 'peer']): + config.rename(base + [interface, 'peer', peer, 'pubkey'], 'public-key') + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py index 7dbeb4097..b4a68b31c 100755 --- a/src/op_mode/pki.py +++ b/src/op_mode/pki.py @@ -215,7 +215,7 @@ def install_wireguard_key(name, private_key, public_key): print("") print("Public key for use on peer configuration: " + public_key) else: - print("set interfaces wireguard [INTERFACE] peer %s pubkey '%s'" % (name, public_key)) + print("set interfaces wireguard [INTERFACE] peer %s public-key '%s'" % (name, public_key)) print("") print("Private key for use on peer configuration: " + private_key) diff --git a/src/op_mode/wireguard.py b/src/op_mode/wireguard.py index e08bc983a..3ed8e17ca 100755 --- a/src/op_mode/wireguard.py +++ b/src/op_mode/wireguard.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2020 VyOS maintainers and contributors +# Copyright (C) 2018-2021 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -15,132 +15,65 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import argparse -import os import sys -import shutil -import syslog as sl -import re +import tabulate from vyos.config import Config from vyos.ifconfig import WireGuardIf from vyos.util import cmd -from vyos.util import run -from vyos.util import check_kmod from vyos import ConfigError -dir = r'/config/auth/wireguard' -psk = dir + '/preshared.key' - -k_mod = 'wireguard' - -def generate_keypair(pk, pub): - """ generates a keypair which is stored in /config/auth/wireguard """ - old_umask = os.umask(0o027) - if run(f'wg genkey | tee {pk} | wg pubkey > {pub}') != 0: - raise ConfigError("wireguard key-pair generation failed") - else: - sl.syslog( - sl.LOG_NOTICE, "new keypair wireguard key generated in " + dir) - os.umask(old_umask) - - -def genkey(location): - """ helper function to check, regenerate the keypair """ - pk = "{}/private.key".format(location) - pub = "{}/public.key".format(location) - old_umask = os.umask(0o027) - if os.path.exists(pk) and os.path.exists(pub): - try: - choice = input( - "You already have a wireguard key-pair, do you want to re-generate? [y/n] ") - if choice == 'y' or choice == 'Y': - generate_keypair(pk, pub) - except KeyboardInterrupt: - sys.exit(0) - else: - """ if keypair is bing executed from a running iso """ - if not os.path.exists(location): - run(f'sudo mkdir -p {location}') - run(f'sudo chgrp vyattacfg {location}') - run(f'sudo chmod 750 {location}') - generate_keypair(pk, pub) - os.umask(old_umask) - - -def showkey(key): - """ helper function to show privkey or pubkey """ - if os.path.exists(key): - print (open(key).read().strip()) - else: - print ("{} not found".format(key)) - - -def genpsk(): - """ - generates a preshared key and shows it on stdout, - it's stored only in the cli config - """ - - psk = cmd('wg genpsk') - print(psk) - -def list_key_dirs(): - """ lists all dirs under /config/auth/wireguard """ - if os.path.exists(dir): - nks = next(os.walk(dir))[1] - for nk in nks: - print (nk) - -def del_key_dir(kname): - """ deletes /config/auth/wireguard/<kname> """ - kdir = "{0}/{1}".format(dir,kname) - if not os.path.isdir(kdir): - print ("named keypair {} not found".format(kname)) - return 1 - shutil.rmtree(kdir) - +base = ['interfaces', 'wireguard'] + +def get_public_keys(): + config = Config() + headers = ['Interface', 'Peer', 'Public Key'] + out = [] + if config.exists(base): + wg_interfaces = config.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + + for wg, wg_conf in wg_interfaces.items(): + if 'peer' in wg_conf: + for peer, peer_conf in wg_conf['peer'].items(): + out.append([wg, peer, peer_conf['public_key']]) + + print("Wireguard Public Keys:") + print(tabulate.tabulate(out, headers)) + +def get_private_keys(): + config = Config() + headers = ['Interface', 'Private Key', 'Public Key'] + out = [] + if config.exists(base): + wg_interfaces = config.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + + for wg, wg_conf in wg_interfaces.items(): + private_key = wg_conf['private_key'] + public_key = cmd('wg pubkey', input=private_key) + out.append([wg, private_key, public_key]) + + print("Wireguard Private Keys:") + print(tabulate.tabulate(out, headers)) if __name__ == '__main__': - check_kmod(k_mod) parser = argparse.ArgumentParser(description='wireguard key management') parser.add_argument( - '--genkey', action="store_true", help='generate key-pair') - parser.add_argument( - '--showpub', action="store_true", help='shows public key') - parser.add_argument( - '--showpriv', action="store_true", help='shows private key') - parser.add_argument( - '--genpsk', action="store_true", help='generates preshared-key') - parser.add_argument( - '--location', action="store", help='key location within {}'.format(dir)) - parser.add_argument( - '--listkdir', action="store_true", help='lists named keydirectories') + '--showpub', action="store_true", help='shows public keys') parser.add_argument( - '--delkdir', action="store_true", help='removes named keydirectories') + '--showpriv', action="store_true", help='shows private keys') parser.add_argument( '--showinterface', action="store", help='shows interface details') args = parser.parse_args() try: - if args.genkey: - if args.location: - genkey("{0}/{1}".format(dir, args.location)) - else: - genkey("{}/default".format(dir)) if args.showpub: - if args.location: - showkey("{0}/{1}/public.key".format(dir, args.location)) - else: - showkey("{}/default/public.key".format(dir)) + get_public_keys() if args.showpriv: - if args.location: - showkey("{0}/{1}/private.key".format(dir, args.location)) - else: - showkey("{}/default/private.key".format(dir)) - if args.genpsk: - genpsk() - if args.listkdir: - list_key_dirs() + get_private_keys() if args.showinterface: try: intf = WireGuardIf(args.showinterface, create=False, debug=False) @@ -148,11 +81,6 @@ if __name__ == '__main__': # the interface does not exists except Exception: pass - if args.delkdir: - if args.location: - del_key_dir(args.location) - else: - del_key_dir("default") except ConfigError as e: print(e) diff --git a/src/op_mode/wireguard_client.py b/src/op_mode/wireguard_client.py index 7a620a01e..7661254da 100755 --- a/src/op_mode/wireguard_client.py +++ b/src/op_mode/wireguard_client.py @@ -38,7 +38,7 @@ To enable this configuration on a VyOS router you can use the following commands {% for addr in address if address is defined %} set interfaces wireguard {{ interface }} peer {{ name }} allowed-ips '{{ addr }}' {% endfor %} -set interfaces wireguard {{ interface }} peer {{ name }} pubkey '{{ pubkey }}' +set interfaces wireguard {{ interface }} peer {{ name }} public-key '{{ pubkey }}' """ client_config = """ |