-rw-r--r--interface-definitions/wireguard.xml9
-rw-r--r--op-mode-definitions/wireguard.xml (renamed from op-mode-definitions/wireguard-keys.xml)0
-rwxr-xr-xsrc/conf_mode/wireguard.py42
3 files changed, 47 insertions, 4 deletions
diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml
index 008f82a0b..eec7a404b 100644
--- a/interface-definitions/wireguard.xml
+++ b/interface-definitions/wireguard.xml
@@ -68,6 +68,15 @@
<help>Remote endpoint</help>
</properties>
</leafNode>
+ <leafNode name="persistent-keepalive">
+ <properties>
+ <help>how often send keep alives in seconds</help>
+ <constraint>
+ <regex>^(1|[1-9][0-9]{0,5})$</regex>
+ </constraint>
+ <constraintErrorMessage>keepliave timer has to be between 1 and 99999 seconds</constraintErrorMessage>
+ </properties>
+ </leafNode>
</children>
</tagNode>
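Review bot: The regex on the new persistent-keepalive leaf does not match its own error message: `^(1|[1-9][0-9]{0,5})$` accepts up to six digits (999999) while the message says 1 to 99999, and the leading `1|` alternative is redundant because `[1-9][0-9]{0,5}` already matches "1". If 99999 is the intended ceiling, `<regex>^([1-9][0-9]{0,4})$</regex>` is the matching constraint; wg(8) itself documents the interval as 1-65535 seconds, so a tighter bound may be preferable, worth confirming against the wg version shipped. The message also has a typo (`keepliave`) and the help text reads better as `Interval in seconds between keepalive packets`.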
diff --git a/op-mode-definitions/wireguard-keys.xml b/op-mode-definitions/wireguard.xml
index 29fce33b6..29fce33b6 100644
--- a/op-mode-definitions/wireguard-keys.xml
+++ b/op-mode-definitions/wireguard.xml
diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index 7d52cfe94..e1c076e2a 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
@@ -116,6 +116,10 @@ def get_config():
if c.exists(cnf + ' peer ' + p + ' endpoint'):
config_data['interfaces'][intfc]['peer'][p]['endpoint'] = c.return_value(cnf + ' peer ' + p + ' endpoint')
+ ### persistent-keepalive
+ if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'):
+ config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive')
+
#print (config_data)
return config_data
@@ -135,8 +139,6 @@ def verify(c):
for p in c['interfaces'][i]['peer']:
if not c['interfaces'][i]['peer'][p]['allowed-ips']:
raise ConfigError("allowed-ips required on interface " + i + " for peer " + p)
- if not c['interfaces'][i]['peer'][p]['endpoint']:
- raise ConfigError("endpoint required on interface " + i + " for peer " + p)
### eventually check allowed-ips (if it's an ip and valid CIDR or so)
### endpoint needs to be IP:port
@@ -192,6 +194,30 @@ def apply(c):
for addr in addr_add:
add_addr(intf, addr)
+ ### persistent-keepalive
+ for p in c_eff.list_nodes(intf + ' peer'):
+ val_eff = ""
+ val = ""
+
+ if c_eff.exists_effective(intf + ' peer ' + p + ' persistent-keepalive'):
+ val_eff = c_eff.return_effective_value(intf + ' peer ' + p + ' persistent-keepalive')
+
+ if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]:
+ val = c['interfaces'][intf]['peer'][p]['persistent-keepalive']
+
+ ### disable keepalive
+ if val_eff and not val:
+ c['interfaces'][intf]['peer'][p]['persistent-keepalive'] = 0
+
+ ### set ne keepalive value
+ if not val_eff and val:
+ c['interfaces'][intf]['peer'][p]['persistent-keepalive'] = val
+
+ ## config == effective config, no change
+ if val_eff == val:
+ del c['interfaces'][intf]['peer'][p]['persistent-keepalive']
+
+ ## wg command call
configure_interface(c,intf)
### ifalias for snmp from description
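Review bot: A peer that has no persistent-keepalive in either the effective or the new config lands in the `val_eff == val` branch (both are `""`), and the `del` that follows raises KeyError, because get_config only stores the key when it exists; `c['interfaces'][intf]['peer'][p].pop('persistent-keepalive', None)` removes the key without that failure. The `not val_eff and val` branch is a no-op, since get_config has already stored exactly that value, and could be dropped. The loop iterates peers of the effective config but indexes `c['interfaces'][intf]['peer'][p]`; if a peer can be deleted between the two configs that lookup needs a guard too, which cannot be confirmed from the hunk. The enclosing apply() body continues outside the hunk.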
@@ -205,14 +231,22 @@ def configure_interface(c, intf):
cmd = "wg set " + intf + \
" listen-port " + c['interfaces'][intf]['lport'] + \
" private-key " + pk + \
- " peer " + p + \
- " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint']
+ " peer " + p
cmd += " allowed-ips "
+
for ap in c['interfaces'][intf]['peer'][p]['allowed-ips']:
if ap != c['interfaces'][intf]['peer'][p]['allowed-ips'][-1]:
cmd += ap + ","
else:
cmd += ap
+
+ ## endpoint is only required if wg runs as client
+ if c['interfaces'][intf]['peer'][p]['endpoint']:
+ cmd += " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint']
+
+ if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]:
+ cmd += " persistent-keepalive " + str( c['interfaces'][intf]['peer'][p]['persistent-keepalive'])
+
sl.syslog(sl.LOG_NOTICE, "sudo " + cmd)
subprocess.call([ 'sudo ' + cmd], shell=True)
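Review bot: The new lines append `endpoint` and `persistent-keepalive` to a command string that the existing last line runs with `shell=True`; keepalive is digit-only under the new constraint, but the endpoint format is still only a TODO in verify (`### endpoint needs to be IP:port`), so any character the CLI accepts in an endpoint reaches the shell unquoted. Building the command as an argument list and dropping `shell=True` removes the interpolation entirely, and `','.join` replaces the allowed-ips loop, whose `ap != last` comparison also mis-joins a duplicated last entry. The `.get('endpoint')` form avoids a KeyError now that the endpoint requirement has been removed from verify, assuming get_config does not always seed the key (not visible here). The enclosing `for p in ...` loop and the `pk` assignment begin before the hunk.
```python
# … unchanged: loop over peers, pk lookup …
cmd = ['wg', 'set', intf,
       'listen-port', c['interfaces'][intf]['lport'],
       'private-key', pk,
       'peer', p,
       'allowed-ips', ','.join(c['interfaces'][intf]['peer'][p]['allowed-ips'])]

## endpoint is only required if wg runs as client
if c['interfaces'][intf]['peer'][p].get('endpoint'):
    cmd += ['endpoint', c['interfaces'][intf]['peer'][p]['endpoint']]

if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]:
    cmd += ['persistent-keepalive',
            str(c['interfaces'][intf]['peer'][p]['persistent-keepalive'])]

sl.syslog(sl.LOG_NOTICE, 'sudo ' + ' '.join(cmd))
subprocess.call(['sudo'] + cmd)
```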