diff options
-rw-r--r-- | Makefile | 4 | ||||
-rw-r--r-- | data/interface-types.json | 1 | ||||
-rw-r--r-- | debian/changelog | 6 | ||||
-rw-r--r-- | debian/control | 1 | ||||
-rw-r--r-- | interface-definitions/ssh.xml | 22 | ||||
-rw-r--r-- | interface-definitions/wireguard.xml | 78 | ||||
-rw-r--r-- | op-mode-definitions/wireguard-keys.xml | 42 | ||||
-rwxr-xr-x | src/conf_mode/wireguard.py | 243 | ||||
-rwxr-xr-x | src/op_mode/wireguard_key.py | 92 |
9 files changed, 480 insertions, 9 deletions
@@ -9,9 +9,10 @@ interface_definitions: find $(CURDIR)/interface-definitions/ -type f -name "*.xml" | xargs -I {} $(CURDIR)/scripts/build-command-templates {} $(CURDIR)/schema/interface_definition.rng $(TMPL_DIR) || exit 1 # XXX: delete top level node.def's that now live in other packages + rm -f $(TMPL_DIR)/interfaces/node.def + rm -f $(TMPL_DIR)/protocols/node.def rm -f $(TMPL_DIR)/system/node.def rm -f $(TMPL_DIR)/system/options/node.def - rm -f $(TMPL_DIR)/protocols/node.def rm -f $(TMPL_DIR)/vpn/node.def rm -f $(TMPL_DIR)/vpn/ipsec/node.def @@ -28,6 +29,7 @@ op_mode_definitions: rm -f $(OP_TMPL_DIR)/reset/node.def rm -f $(OP_TMPL_DIR)/restart/node.def rm -f $(OP_TMPL_DIR)/monitor/node.def + rm -f $(OP_TMPL_DIR)/generate/node.def .PHONY: all all: clean interface_definitions op_mode_definitions diff --git a/data/interface-types.json b/data/interface-types.json index c452122af..f5820f403 100644 --- a/data/interface-types.json +++ b/data/interface-types.json @@ -10,6 +10,7 @@ "vti": "vti", "l2tpv3": "l2tpeth", "vxlan": "vxlan", + "wireguard": "wg", "wireless": "wireless", "wirelessmodem": "wlm", "input": "ifb", diff --git a/debian/changelog b/debian/changelog index e8519e87a..a7c428cda 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyos-1x (1.2.0-2) unstable; urgency=medium + + * T773: adding wireguard support + + -- hagbard <vyosdev@derith.de> Sat, 11 Aug 2018 15:51:34 -0700 + vyos-1x (1.2.0-1) unstable; urgency=medium * T666, T616: new implementation of the VRRP CLI. diff --git a/debian/control b/debian/control index c87e7452c..ce9d925d3 100644 --- a/debian/control +++ b/debian/control @@ -36,6 +36,7 @@ Depends: python3, libvyosconfig0, beep, keepalived (>=2.0.5), + wireguard, ${shlibs:Depends}, ${misc:Depends} Description: VyOS configuration scripts and data diff --git a/interface-definitions/ssh.xml b/interface-definitions/ssh.xml index e8786d202..35fe79214 100644 --- a/interface-definitions/ssh.xml +++ b/interface-definitions/ssh.xml @@ -1,7 +1,5 @@ <?xml version="1.0"?> - <!--SSH configuration --> - <interfaceDefinition> <node name="service"> <children> @@ -13,18 +11,23 @@ <children> <node name="access-control"> <properties> - <help>SSH user/group access controls. Directives are processed in this order: deny-users, allow-users, deny-groups and allow-groups</help> + <help>SSH user/group access controls. Directives are processed + in the following order: deny-users, allow-users, deny-groups and + allow-groups.</help> </properties> <children> <node name="allow"> + <properties> + <help>Allow user/group SSH access</help> + </properties> <children> <leafNode name="group"> <properties> <help>Allow members of a group to login</help> - <constraint> - <regex>^[a-z_][a-z0-9_-]{1,31}[$]?</regex> - </constraint> - <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage> + <constraint> + <regex>^[a-z_][a-z0-9_-]{1,31}[$]?</regex> + </constraint> + <constraintErrorMessage>illegal characters or more than 32 characters</constraintErrorMessage> <multi/> </properties> </leafNode> @@ -41,6 +44,9 @@ </children> </node> <node name="deny"> + <properties> + <help>Deny user/group SSH access</help> + </properties> <children> <leafNode name="group"> <properties> @@ -147,7 +153,7 @@ </leafNode> <leafNode name="mac"> <properties> - <help>Allowed message authentication code (MAC) algorithms</help> + <help>Allowed message authentication code (MAC) algorithms</help> <completionHelp> <script>ssh -Q mac | tr '\n' ' '</script> </completionHelp> diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml new file mode 100644 index 000000000..008f82a0b --- /dev/null +++ b/interface-definitions/wireguard.xml @@ -0,0 +1,78 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="interfaces"> + <children> + <tagNode name="wireguard" owner="${vyos_conf_scripts_dir}/wireguard.py"> + <properties> + <help>WireGuard interface name</help> + <priority>459</priority> <!-- subsequent ones may be removed, just make sure ethernet ifs are present --> + <constraint> + <regex>^wg[0-9]{1,4}</regex> + </constraint> + <constraintErrorMessage>illegal interface name</constraintErrorMessage> + <valueHelp> + <format>wgN</format> + <description>WireGuard interface name</description> + </valueHelp> + </properties> + <children> + <leafNode name="address"> + <properties> + <help>IP address</help> + <valueHelp> + <format>ipv4net</format> + <description>IPv4 address and prefix length</description> + </valueHelp> + <valueHelp> + <format>ipv6net</format> + <description>IPv6 address and prefix length</description> + </valueHelp> + <multi/> + <constraint> + <validator name="interface-address"/> + </constraint> + </properties> + </leafNode> + <leafNode name="description"> + <properties> + <help>description</help> + <constraint> + <regex>.[^ ]{1,100}$</regex> + </constraint> + <constraintErrorMessage>interface description is too long (limit 100 characters)</constraintErrorMessage> + </properties> + </leafNode> + <leafNode name="listen-port"> + <properties> + <help>Local port number to accept connections</help> + </properties> + </leafNode> + <tagNode name="peer"> + <properties> + <help>Base64 encoded public key</help> + <constraint> + <regex>^[0-9a-zA-Z\+/]{43}=$</regex> + </constraint> + <constraintErrorMessage>Key is not valid 44-character (32-bytes) base64</constraintErrorMessage> + </properties> + <children> + <leafNode name="allowed-ips"> + <properties> + <help>IP addresses allowed to traverse the peer</help> + <multi/> + </properties> + </leafNode> + <!-- check format IP:port --> + <leafNode name="endpoint"> + <properties> + <help>Remote endpoint</help> + </properties> + </leafNode> + + </children> + </tagNode> + </children> + </tagNode> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/wireguard-keys.xml b/op-mode-definitions/wireguard-keys.xml new file mode 100644 index 000000000..29fce33b6 --- /dev/null +++ b/op-mode-definitions/wireguard-keys.xml @@ -0,0 +1,42 @@ +<?xml version="1.0"?> +<!-- wireguard key management --> +<interfaceDefinition> + <node name="generate"> + <children> + <node name="wireguard"> + <properties> + <help>wireguard key generation utility</help> + </properties> + <children> + <leafNode name="keypair"> + <properties> + <help>generate a wireguard keypair</help> + </properties> + <command>${vyos_op_scripts_dir}/wireguard_key.py --genkey</command> + </leafNode> + </children> + </node> + </children> + </node> + <node name="show"> + <children> + <node name="wireguard"> + <children> + <leafNode name="pubkey"> + <properties> + <help>show wireguard public key</help> + </properties> + <command>${vyos_op_scripts_dir}/wireguard_key.py --showpub</command> + </leafNode> + <leafNode name="privkey"> + <properties> + <help>show wireguard private key</help> + </properties> + <command>${vyos_op_scripts_dir}/wireguard_key.py --showpriv</command> + </leafNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> + diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py new file mode 100755 index 000000000..7d52cfe94 --- /dev/null +++ b/src/conf_mode/wireguard.py @@ -0,0 +1,243 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +# + +import sys +import os +import re +import syslog as sl +import subprocess + +from vyos.config import Config +from vyos import ConfigError + +dir = r'/config/auth/wireguard' +pk = dir + '/private.key' +pub = dir + '/public.key' + +### check_kmod may be removed in the future, +### just want to have everything smoothly running after reboot +def check_kmod(): + if not os.path.exists('/sys/module/wireguard'): + sl.syslog(sl.LOG_NOTICE, "loading wirguard kmod") + if os.system('sudo modprobe wireguard') != 0: + sl.syslog(sl.LOG_NOTICE, "modprobe wireguard failed") + raise ConfigError("modprobe wireguard failed") + +def get_config(): + config_data = { + 'interfaces' : {} + } + + c = Config() + if not c.exists('interfaces wireguard'): + return None + + c.set_level('interfaces') + intfcs = c.list_nodes('wireguard') + intfcs_eff = c.list_effective_nodes('wireguard') + new_lst = list( set(intfcs) - set(intfcs_eff) ) + del_lst = list( set(intfcs_eff) - set(intfcs) ) + + ### setting deafult and determine status of the config + for intfc in intfcs: + cnf = 'wireguard ' + intfc + # default data struct + config_data['interfaces'].update ( + { + intfc : { + 'addr' : '', + 'descr' : intfc, ## snmp ifAlias + 'lport' : '', + 'status' : 'exists', + 'state' : 'enabled', + 'mtu' : 1420, + 'peer' : {} + } + } + ) + + for i in new_lst: + config_data['interfaces'][i]['status'] = 'create' + + for i in del_lst: + config_data['interfaces'].update ( + { + i : { + 'status': 'delete' + } + } + ) + + ### based on the status, set real values + for intfc in intfcs: + cnf = 'wireguard ' + intfc + if config_data['interfaces'][intfc]['status'] != 'delete': + #### addresses + if c.exists(cnf + ' address'): + config_data['interfaces'][intfc]['addr'] = c.return_values(cnf + ' address') + ### listen port + if c.exists(cnf + ' listen-port'): + config_data['interfaces'][intfc]['lport'] = c.return_value(cnf + ' listen-port') + ### description + if c.exists(cnf + ' description'): + config_data['interfaces'][intfc]['descr'] = c.return_value(cnf + ' description') + ### mtu + if c.exists(cnf + ' mtu'): + config_data['interfaces'][intfc]['mtu'] = c.return_value(cnf + ' mtu') + + ### peers + if c.exists(cnf + ' peer'): + for p in c.list_nodes(cnf + ' peer'): + config_data['interfaces'][intfc]['peer'].update ( + { + p : { + 'allowed-ips' : [], + 'endpoint' : '' + } + } + ) + if c.exists(cnf + ' peer ' + p + ' allowed-ips'): + config_data['interfaces'][intfc]['peer'][p]['allowed-ips'] = c.return_values(cnf + ' peer ' + p + ' allowed-ips') + if c.exists(cnf + ' peer ' + p + ' endpoint'): + config_data['interfaces'][intfc]['peer'][p]['endpoint'] = c.return_value(cnf + ' peer ' + p + ' endpoint') + + #print (config_data) + return config_data + +def verify(c): + if not c: + return None + + for i in c['interfaces']: + if c['interfaces'][i]['status'] != 'delete': + if not c['interfaces'][i]['addr']: + raise ConfigError("address required for interface " + i) + if not c['interfaces'][i]['lport']: + raise ConfigError("listen-port required for interface " + i) + if not c['interfaces'][i]['peer']: + raise ConfigError("peer required on interface " + i) + else: + for p in c['interfaces'][i]['peer']: + if not c['interfaces'][i]['peer'][p]['allowed-ips']: + raise ConfigError("allowed-ips required on interface " + i + " for peer " + p) + if not c['interfaces'][i]['peer'][p]['endpoint']: + raise ConfigError("endpoint required on interface " + i + " for peer " + p) + + ### eventually check allowed-ips (if it's an ip and valid CIDR or so) + ### endpoint needs to be IP:port + +def apply(c): + ### no wg config left, delete all wireguard devices on the os + if not c: + net_devs = os.listdir('/sys/class/net/') + for dev in net_devs: + buf = open('/sys/class/net/' + dev + '/uevent','r').read() + if re.search("DEVTYPE=wireguard", buf, re.I|re.M): + wg_intf = re.sub("INTERFACE=","", re.search("INTERFACE=.*", buf, re.I|re.M).group(0) ) + sl.syslog(sl.LOG_NOTICE, "removing interface " + wg_intf) + subprocess.call(['ip l d dev ' + wg_intf + ' >/dev/null'], shell=True) + return None + + ### + ## to find the diffs between old config an new config + ## so we only configure/delete what was not previously configured + ### + c_eff = Config() + c_eff.set_level('interfaces wireguard') + + ### deletion of specific interface + for intf in c['interfaces']: + if c['interfaces'][intf]['status'] == 'delete': + sl.syslog(sl.LOG_NOTICE, "removing interface " + intf) + subprocess.call(['ip l d dev ' + intf + ' &>/dev/null'], shell=True) + + ### new config + if c['interfaces'][intf]['status'] == 'create': + if not os.path.exists(pk): + raise ConfigError("No keys found, generate them by executing: \'run generate wireguard keypair\'") + + subprocess.call(['ip l a dev ' + intf + ' type wireguard 2>/dev/null'], shell=True) + for addr in c['interfaces'][intf]['addr']: + add_addr(intf, addr) + configure_interface(c,intf) + subprocess.call(['ip l set up dev ' + intf + ' &>/dev/null'], shell=True) + + ### config updates + if c['interfaces'][intf]['status'] == 'exists': + ### IP address change + addr_eff = re.sub("\'", "", c_eff.return_effective_values(intf + ' address')).split() + addr_rem = list( set(addr_eff) - set(c['interfaces'][intf]['addr']) ) + addr_add = list( set(c['interfaces'][intf]['addr']) - set(addr_eff) ) + + if len(addr_rem) !=0: + for addr in addr_rem: + del_addr(intf, addr) + + if len(addr_add) !=0: + for addr in addr_add: + add_addr(intf, addr) + + configure_interface(c,intf) + + ### ifalias for snmp from description + descr_eff = c_eff.return_effective_value(intf + ' description') + cnf_descr = c['interfaces'][intf]['descr'] + if descr_eff != cnf_descr: + open('/sys/class/net/' + str(intf) + '/ifalias','w').write(str(cnf_descr)) + +def configure_interface(c, intf): + for p in c['interfaces'][intf]['peer']: + cmd = "wg set " + intf + \ + " listen-port " + c['interfaces'][intf]['lport'] + \ + " private-key " + pk + \ + " peer " + p + \ + " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint'] + cmd += " allowed-ips " + for ap in c['interfaces'][intf]['peer'][p]['allowed-ips']: + if ap != c['interfaces'][intf]['peer'][p]['allowed-ips'][-1]: + cmd += ap + "," + else: + cmd += ap + sl.syslog(sl.LOG_NOTICE, "sudo " + cmd) + subprocess.call([ 'sudo ' + cmd], shell=True) + +def add_addr(intf, addr): + ret = subprocess.call(['ip a a dev ' + intf + ' ' + addr + ' &>/dev/null'], shell=True) + if ret != 0: + raise ConfigError('Can\'t set IP ' + addr + ' on ' + intf ) + else: + sl.syslog(sl.LOG_NOTICE, "ip a a dev " + intf + " " + addr) + +def del_addr(intf, addr): + ret = subprocess.call(['ip a d dev ' + intf + ' ' + addr + ' &>/dev/null'], shell=True) + if ret != 0: + raise ConfigError('Can\'t delete IP ' + addr + ' on ' + intf ) + else: + sl.syslog(sl.LOG_NOTICE, "ip a d dev " + intf + " " + addr) + +if __name__ == '__main__': + try: + check_kmod() + c = get_config() + verify(c) + #generate(c) + apply(c) + except ConfigError as e: + print(e) + sys.exit(1) + diff --git a/src/op_mode/wireguard_key.py b/src/op_mode/wireguard_key.py new file mode 100755 index 000000000..811cff1ca --- /dev/null +++ b/src/op_mode/wireguard_key.py @@ -0,0 +1,92 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +# + +import argparse +import os +import sys +import syslog as sl +import subprocess + +from vyos import ConfigError + +dir = r'/config/auth/wireguard' +pk = dir + '/private.key' +pub = dir + '/public.key' + +### check_kmod may be removed in the future, +### once it's loaded automatically +def check_kmod(): + if not os.path.exists('/sys/module/wireguard'): + sl.syslog(sl.LOG_NOTICE, "loading wirguard kmod") + if os.system('sudo modprobe wireguard') != 0: + sl.syslog(sl.LOG_ERR, "modprobe wireguard failed") + raise ConfigError("modprobe wireguard failed") + +def generate_keypair(): + ret = subprocess.call(['wg genkey | tee ' + pk + '|wg pubkey > ' + pub], shell=True) + if ret != 0: + raise ConfigError("wireguard key-pair generation failed") + else: + sl.syslog(sl.LOG_NOTICE, "new keypair wireguard key generated in " + dir) + +def genkey(): + ### if umask 077 makes trouble, 027 will work + old_umask = os.umask(0o077) + if os.path.exists(pk) and os.path.exists(pub): + choice = input("You have a wireguard key-pair already, do you want to re-generate? [y/n] ") + if choice == 'y' or choice == 'Y': + generate_keypair() + else: + os.mkdir(dir) + generate_keypair() + os.umask(old_umask) + +def showkey(key): + if key == "pub": + if os.path.exists(pub): + print ( open(pub).read().strip() ) + else: + print("no public key found") + + if key == "pk": + if os.path.exists(pk): + print ( open(pk).read().strip() ) + else: + print("no private key found") + +if __name__ == '__main__': + check_kmod() + + parser = argparse.ArgumentParser(description='wireguard key management') + parser.add_argument('--genkey', action="store_true", help='generate key-pair') + parser.add_argument('--showpub', action="store_true", help='shows public key') + parser.add_argument('--showpriv', action="store_true", help='shows private key') + args = parser.parse_args() + + try: + if args.genkey: + genkey() + if args.showpub: + showkey("pub") + if args.showpriv: + showkey("pk") + + except ConfigError as e: + print(e) + sys.exit(1) + |