1 files changed, 43 insertions, 1 deletions

diff --git a/src/services/vyos-domain-resolver b/src/services/vyos-domain-resolver
index bc74a05d1..fe0f40a07 100755
--- a/src/services/vyos-domain-resolver
+++ b/src/services/vyos-domain-resolver
@@ -22,8 +22,10 @@ from vyos.configdict import dict_merge
 from vyos.configquery import ConfigTreeQuery
 from vyos.firewall import fqdn_config_parse
 from vyos.firewall import fqdn_resolve
+from vyos.ifconfig import WireGuardIf
 from vyos.utils.commit import commit_in_progress
 from vyos.utils.dict import dict_search_args
+from vyos.utils.kernel import WIREGUARD_REKEY_AFTER_TIME
 from vyos.utils.process import cmd
 from vyos.utils.process import run
 from vyos.xml_ref import get_defaults
@@ -33,6 +35,7 @@ timeout = 300
 cache = False
 base_firewall = ['firewall']
 base_nat = ['nat']
+base_interfaces = ['interfaces']
 
 domain_state = {}
 
@@ -171,8 +174,45 @@ def update_fqdn(config, node):
 
     logger.info(f'Updated {count} sets in {node} - result: {code}')
 
+def update_interfaces(config, node):
+    if node == 'interfaces':
+        wg_interfaces = dict_search_args(config, 'wireguard')
+
+        peer_public_keys = {}
+        # for each wireguard interfaces
+        for interface, wireguard in wg_interfaces.items():
+            peer_public_keys[interface] = []
+            for peer, peer_config in wireguard['peer'].items():
+                # check peer if peer host-name or address is set
+                if 'host_name' in peer_config or 'address' in peer_config:
+                    # check latest handshake
+                    peer_public_keys[interface].append(
+                        peer_config['public_key']
+                    )
+
+        now_time = time.time()
+        for (interface, check_peer_public_keys) in peer_public_keys.items():
+            if len(check_peer_public_keys) == 0:
+                continue
+
+            intf = WireGuardIf(interface, create=False, debug=False)
+            handshakes = intf.operational.get_latest_handshakes()
+
+            # WireGuard performs a handshake every WIREGUARD_REKEY_AFTER_TIME
+            # if data is being transmitted between the peers. If no data is
+            # transmitted, the handshake will not be initiated unless new
+            # data begins to flow. Each handshake generates a new session
+            # key, and the key is rotated at least every 120 seconds or
+            # upon data transmission after a prolonged silence.
+            for public_key, handshake_time in handshakes.items():
+                if public_key in check_peer_public_keys and (
+                    handshake_time == 0
+                    or (now_time - handshake_time > 3*WIREGUARD_REKEY_AFTER_TIME)
+                ):
+                    intf.operational.reset_peer(public_key=public_key)
+
 if __name__ == '__main__':
-    logger.info(f'VyOS domain resolver')
+    logger.info('VyOS domain resolver')
 
     count = 1
     while commit_in_progress():
@@ -184,10 +224,12 @@ if __name__ == '__main__':
     conf = ConfigTreeQuery()
     firewall = get_config(conf, base_firewall)
     nat = get_config(conf, base_nat)
+    interfaces = get_config(conf, base_interfaces)
 
     logger.info(f'interval: {timeout}s - cache: {cache}')
 
     while True:
         update_fqdn(firewall, 'firewall')
         update_fqdn(nat, 'nat')
+        update_interfaces(interfaces, 'interfaces')
         time.sleep(timeout)