-rw-r--r-- | interface-definitions/wireguard.xml | 10 | ||||
-rwxr-xr-x | src/conf_mode/wireguard.py | 100 |
2 files changed, 77 insertions, 33 deletions
diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml
index 7d1bb1b31..21656e3d8 100644
--- a/interface-definitions/wireguard.xml
+++ b/interface-definitions/wireguard.xml
@@ -16,6 +16,12 @@
 </valueHelp>
 </properties>
 <children>
+ <!--
+ <leafNode name="mtu">
+ <properties>
+ <help>set interface mtu (default: 1420)</help>
+ </leafNode>
+ -->
 <leafNode name="address">
 <properties>
 <help>IP address</help>
@@ -51,9 +57,9 @@
 <properties>
 <help>peer alias</help>
 <constraint>
- <regex>^[0-9a-zA-Z]{1,100}</regex>
+ <regex>.[^ ]{1,100}$</regex>
 </constraint>
- <constraintErrorMessage>input limited to 100 alphanumerical characters</constraintErrorMessage>
+ <constraintErrorMessage>peer alias too long (limit 100 characters)</constraintErrorMessage>
 </properties>
 <children>
 <leafNode name="pubkey">
diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index a4f876397..1df7bcdf8 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
@@ -15,6 +15,11 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 #
+#### TODO: # fwmark # preshared key ####
+
 import sys
 import os
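Review bot: The commented-out `mtu` leafNode in the first hunk of interface-definitions/wireguard.xml is missing its `</properties>` closing tag, so un-commenting it as-is will yield malformed XML. Either complete the placeholder — `</help>` followed by `</properties>` before `</leafNode>` — or drop it and keep the item in the TODO list this commit adds to wireguard.py.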
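Review bot: The new peer-alias regex `.[^ ]{1,100}$` in the second hunk has no leading anchor, so it accepts aliases longer than 100 characters and aliases containing spaces or shell metacharacters as long as the last character is not a space, which contradicts the new constraintErrorMessage; the old pattern was at least anchored at the start. Unless the validator anchors patterns implicitly — not visible in this diff — the `{1,100}` bound is not enforced without the `^`. Since the alias is a node name that apply() later feeds into `c_eff.list_nodes(intf + ' peer')` and this script assembles `wg` commands as shell strings, a tight pattern is worth keeping: `<regex>^[^\s]{1,100}$</regex>`.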
@@ -107,20 +112,20 @@ def get_config():
 { p : {
 'allowed-ips' : [],
- 'endpoint' : ''
+ 'endpoint' : '',
+ 'pubkey' : ''
 }
 }
 )
+ if c.exists(cnf + ' peer ' + p + ' pubkey'):
+ config_data['interfaces'][intfc]['peer'][p]['pubkey'] = c.return_value(cnf + ' peer ' + p + ' pubkey')
 if c.exists(cnf + ' peer ' + p + ' allowed-ips'):
 config_data['interfaces'][intfc]['peer'][p]['allowed-ips'] = c.return_values(cnf + ' peer ' + p + ' allowed-ips')
 if c.exists(cnf + ' peer ' + p + ' endpoint'):
 config_data['interfaces'][intfc]['peer'][p]['endpoint'] = c.return_value(cnf + ' peer ' + p + ' endpoint')
-
- ### persistent-keepalive
- if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'):
- config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive')
+ if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'):
+ config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive')
- #print (config_data)
 return config_data
 def verify(c):
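Review bot: Style: every new line in get_config() rebuilds the peer path with `cnf + ' peer ' + p` — six copies in this hunk — so a typo in any one copy would silently read a different node. Bind it once at the top of the peer loop, `peer_path = cnf + ' peer ' + p`, and use `c.exists(peer_path + ' pubkey')` / `c.return_value(peer_path + ' pubkey')` below. get_config()'s body starts before and ends after this hunk.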
@@ -131,17 +136,16 @@ def verify(c):
 if c['interfaces'][i]['status'] != 'delete':
 if not c['interfaces'][i]['addr']:
 raise ConfigError("address required for interface " + i)
- if not c['interfaces'][i]['lport']:
- raise ConfigError("listen-port required for interface " + i)
 if not c['interfaces'][i]['peer']:
 raise ConfigError("peer required on interface " + i)
 else:
 for p in c['interfaces'][i]['peer']:
 if not c['interfaces'][i]['peer'][p]['allowed-ips']:
 raise ConfigError("allowed-ips required on interface " + i + " for peer " + p)
+ if not c['interfaces'][i]['peer'][p]['pubkey']:
+ raise ConfigError("pubkey from your peer is mandatory on " + i + " for peer " + p)
- ### eventually check allowed-ips (if it's an ip and valid CIDR or so)
- ### endpoint needs to be IP:port
+ ### endpoint needs to be IP:port, mabey verify it here, but consider IPv6 in the pattern :)
 def apply(c):
 ### no wg config left, delete all wireguard devices on the os
@@ -175,9 +179,9 @@ def apply(c):
 subprocess.call(['ip l a dev ' + intf + ' type wireguard 2>/dev/null'], shell=True)
 for addr in c['interfaces'][intf]['addr']:
- add_addr(intf, addr)
- configure_interface(c,intf)
+ add_addr(intf, addr)
 subprocess.call(['ip l set up dev ' + intf + ' &>/dev/null'], shell=True)
+ configure_interface(c,intf)
 ### config updates
 if c['interfaces'][intf]['status'] == 'exists':
@@ -194,7 +198,7 @@ def apply(c):
 for addr in addr_add:
 add_addr(intf, addr)
- ### persistent-keepalive
+ ### persistent-keepalive
 for p in c_eff.list_nodes(intf + ' peer'):
 val_eff = ""
 val = ""
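Review bot: The new pubkey check in verify() only rejects an empty value, yet configure_interface() concatenates that value straight into a `sudo wg set …` string executed with `shell=True`, so any character the CLI's pubkey constraint does not exclude (that constraint is not visible in this diff) reaches a root shell unescaped. A WireGuard public key is 32 bytes base64-encoded — exactly 44 characters ending in `=` — so verify() can pin the format: `if not re.fullmatch(r'[A-Za-z0-9+/]{43}=', c['interfaces'][i]['peer'][p]['pubkey']): raise ConfigError("invalid pubkey on " + i + " for peer " + p)` (add `import re` to the import block if it is not already there; that block is outside this hunk). The same applies to endpoint and allowed-ips, which the hunk's trailing comment defers; verify()'s body begins before this hunk.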
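Review bot: configure_interface(c,intf) is moved to run after `subprocess.call(['ip l set up dev ' + intf + ' &>/dev/null'], shell=True)`, but `&>` is a bash-ism; if `shell=True` resolves to dash (Debian's /bin/sh), that line parses as `ip l set up dev <intf> &` followed by an empty `>/dev/null`, so the link-up runs in the background, its exit status is lost, and the ordering this reorder intends is not guaranteed. Use POSIX redirection, `' >/dev/null 2>&1'`, or better an argv list with no shell, `subprocess.call(['ip', 'link', 'set', 'up', 'dev', intf])`, and check the return code. The same `&>/dev/null` form appears in add_addr() in the next hunk's context; apply()'s body continues outside this hunk.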
@@ -223,28 +227,63 @@ def apply(c):
 open('/sys/class/net/' + str(intf) + '/ifalias','w').write(str(cnf_descr))
 def configure_interface(c, intf):
+ wg_config = {
+ 'interface' : intf,
+ 'listen-port' : 0,
+ 'private-key' : '/config/auth/wireguard/private.key',
+ 'peer' :
+ {
+ 'pubkey' : ''
+ },
+ 'allowed-ips' : [],
+ 'fwmark' : 0x00,
+ 'endpoint' : None,
+ 'keepalive' : 0
+
+ }
+
 for p in c['interfaces'][intf]['peer']:
- cmd = "wg set " + intf + \
- " listen-port " + c['interfaces'][intf]['lport'] + \
- " private-key " + pk + \
- " peer " + p
+ ## mandatory settings
+ wg_config['peer']['pubkey'] = c['interfaces'][intf]['peer'][p]['pubkey']
+ wg_config['allowed-ips'] = c['interfaces'][intf]['peer'][p]['allowed-ips']
+
+ ## optional settings
+ # listen-port
+ if c['interfaces'][intf]['lport']:
+ wg_config['listen-port'] = c['interfaces'][intf]['lport']
+
+ ## endpoint
+ if c['interfaces'][intf]['peer'][p]['endpoint']:
+ wg_config['endpoint'] = c['interfaces'][intf]['peer'][p]['endpoint']
+
+ ## persistent-keepalive
+ if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]:
+ wg_config['keepalive'] = c['interfaces'][intf]['peer'][p]['persistent-keepalive']
+
+ ### assemble wg command
+ cmd = "sudo wg set " + intf
+ if wg_config['listen-port'] !=0:
+ cmd += " listen-port " + str(wg_config['listen-port'])
+
+ cmd += " private-key " + wg_config['private-key']
+ cmd += " peer " + wg_config['peer']['pubkey']
 cmd += " allowed-ips "
+ for ap in wg_config['allowed-ips']:
+ if ap != wg_config['allowed-ips'][-1]:
+ cmd += ap + ","
+ else:
+ cmd += ap
-
- for ap in c['interfaces'][intf]['peer'][p]['allowed-ips']:
- if ap != c['interfaces'][intf]['peer'][p]['allowed-ips'][-1]:
- cmd += ap + ","
- else:
- cmd += ap
-
- ## endpoint is only required if wg runs as client
- if c['interfaces'][intf]['peer'][p]['endpoint']:
- cmd += " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint']
+ if wg_config['endpoint']:
+ cmd += " endpoint " + wg_config['endpoint']
-
- if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]:
- cmd += " persistent-keepalive " + str( c['interfaces'][intf]['peer'][p]['persistent-keepalive'])
+ if wg_config['keepalive'] !=0:
+ cmd += " persistent-keepalive " + wg_config['keepalive']
+ else:
+ cmd += " persistent-keepalive 0"
-
- sl.syslog(sl.LOG_NOTICE, "sudo " + cmd)
- subprocess.call([ 'sudo ' + cmd], shell=True)
+ sl.syslog(sl.LOG_NOTICE, cmd)
+ subprocess.call([cmd], shell=True)
 def add_addr(intf, addr):
 ret = subprocess.call(['ip a a dev ' + intf + ' ' + addr + ' &>/dev/null'], shell=True)
@@ -265,7 +304,6 @@ if __name__ == '__main__':
 check_kmod()
 c = get_config()
 verify(c)
- #generate(c)
 apply(c)
 except ConfigError as e:
 print(e) |
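Review bot: `wg_config` is built once before the peer loop but mutated on every iteration, so a peer without an endpoint or persistent-keepalive inherits the previous peer's values — `wg_config['endpoint']` and `wg_config['keepalive']` are never reset to their defaults between peers. The larger problem is that pubkey, allowed-ips, endpoint and keepalive are spliced unescaped into one string run as `subprocess.call([cmd], shell=True)` under sudo, while verify() only checks them for presence, so a config value containing shell metacharacters is executed as root. Building an argument list and dropping `shell=True` removes the shell entirely, lets `','.join()` replace the `[-1]` comparison (which omits the comma when a duplicate of the last entry occurs earlier in the list), and keeps per-peer state local to the iteration; the unused `'fwmark'` and `'interface'` keys go with it. The `persistent-keepalive 0` default mirrors the hunk's `else` branch.
```python
def configure_interface(c, intf):
    for p in c['interfaces'][intf]['peer']:
        peer = c['interfaces'][intf]['peer'][p]
        # argv form: no shell, so key, endpoint and prefixes are passed literally
        cmd = ['sudo', 'wg', 'set', intf]
        if c['interfaces'][intf]['lport']:
            cmd += ['listen-port', str(c['interfaces'][intf]['lport'])]
        cmd += ['private-key', '/config/auth/wireguard/private.key']
        cmd += ['peer', peer['pubkey'], 'allowed-ips', ','.join(peer['allowed-ips'])]
        if peer['endpoint']:
            cmd += ['endpoint', peer['endpoint']]
        # per-peer default, rebuilt each iteration instead of carried over
        cmd += ['persistent-keepalive', str(peer.get('persistent-keepalive', 0))]
        sl.syslog(sl.LOG_NOTICE, ' '.join(cmd))
        subprocess.call(cmd)
```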