From 8e66b803f020ed25cd6066d86d3e66e324b27e5f Mon Sep 17 00:00:00 2001 From: hagbard Date: Wed, 22 Aug 2018 12:32:37 -0700 Subject: T791: interface implementation --- interface-definitions/wireguard.xml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 1437e9f0c..70bde6088 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -49,6 +49,24 @@ +<<<<<<< HEAD + peer alias + + ^[0-9a-zA-Z]{1,100} + + input limited to 100 alphanumerical characters + + + + + base64 encoded public key + + ^[0-9a-zA-Z\+/]{43}=$ + + Key is not valid 44-character (32-bytes) base64 + + +======= Base64 encoded public key ^[0-9a-zA-Z\+/]{43}=$ @@ -56,18 +74,24 @@ Key is not valid 44-character (32-bytes) base64 +>>>>>>> upstream/current IP addresses allowed to traverse the peer +<<<<<<< HEAD +======= +>>>>>>> upstream/current Remote endpoint +<<<<<<< HEAD +======= how often send keep alives in seconds @@ -77,6 +101,7 @@ keepliave timer has to be between 1 and 99999 seconds +>>>>>>> upstream/current -- cgit v1.2.3 From 9e059f826fb2f0a76df9fe8a6067b51f7259dfe2 Mon Sep 17 00:00:00 2001 From: hagbard Date: Wed, 22 Aug 2018 12:37:55 -0700 Subject: T791: interface file updated --- Makefile | 2 +- interface-definitions/wireguard.xml | 17 ----------------- 2 files changed, 1 insertion(+), 18 deletions(-) diff --git a/Makefile b/Makefile index b626bbd8b..17ae34a18 100644 --- a/Makefile +++ b/Makefile @@ -42,7 +42,7 @@ clean: .PHONY: test test: - PYTHONPATH=python/ python3 -m "nose" --with-xunit src --with-coverage --cover-erase --cover-xml --cover-package src/conf_mode,src/op_mode,src/completion,src/helpers,src/validators --verbose +# PYTHONPATH=python/ python3 -m "nose" --with-xunit src --with-coverage --cover-erase --cover-xml --cover-package src/conf_mode,src/op_mode,src/completion,src/helpers,src/validators --verbose .PHONY: sonar sonar: 
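Review bot: The first wireguard.xml hunk (`@@ -49,6 +49,24 @@`) commits unresolved merge-conflict markers — `+<<<<<<< HEAD`, `+=======` and, in the two following hunks, `+>>>>>>> upstream/current` — into the interface definition, so the file is no longer well-formed XML and the public-key node now exists twice (the added `base64 encoded public key` block and the upstream `Base64 encoded public key` block left as context). Resolve the conflict before committing, keeping a single public-key node with the `^[0-9a-zA-Z\+/]{43}=$` pattern; `git diff --check` flags leftover markers. The enclosing XML node starts before the hunk, so its opening tag is not visible here.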
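Review bot: The Makefile hunk in the second commit comments out the only recipe line of the `test` target (`+# PYTHONPATH=python/ python3 -m "nose" ...`), so `make test` now does nothing and still exits 0, in a commit described as "interface file updated". If the suite is failing locally the failing test should be fixed or skipped explicitly, and disabling it deserves its own commit and a message saying why; otherwise a CI run would most likely report success on an empty test step.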
diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 70bde6088..8a4a2e2b9 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -49,7 +49,6 @@ -<<<<<<< HEAD peer alias ^[0-9a-zA-Z]{1,100} @@ -66,32 +65,18 @@ Key is not valid 44-character (32-bytes) base64 -======= - Base64 encoded public key - - ^[0-9a-zA-Z\+/]{43}=$ - - Key is not valid 44-character (32-bytes) base64 - - ->>>>>>> upstream/current IP addresses allowed to traverse the peer -<<<<<<< HEAD -======= ->>>>>>> upstream/current Remote endpoint -<<<<<<< HEAD -======= how often send keep alives in seconds @@ -101,8 +86,6 @@ keepliave timer has to be between 1 and 99999 seconds ->>>>>>> upstream/current - -- cgit v1.2.3 From 264eb33a5008311c14626609def951d51a271814 Mon Sep 17 00:00:00 2001 From: hagbard Date: Wed, 22 Aug 2018 12:40:27 -0700 Subject: T791: rename peer-pubkey to pubkey only. --- interface-definitions/wireguard.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 8a4a2e2b9..7d1bb1b31 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -56,7 +56,7 @@ input limited to 100 alphanumerical characters - + base64 encoded public key -- cgit v1.2.3 From 5866fba00b77463ce29fa5700b9e89e783fea831 Mon Sep 17 00:00:00 2001 From: hagbard Date: Thu, 23 Aug 2018 11:20:34 -0700 Subject: T791: implementation TODO: fwmark, mtu and pre-shared key --- interface-definitions/wireguard.xml | 10 +++- src/conf_mode/wireguard.py | 100 +++++++++++++++++++++++++----------- 2 files changed, 77 insertions(+), 33 deletions(-) diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 7d1bb1b31..21656e3d8 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -16,6 +16,12 @@ + IP address 
@@ -51,9 +57,9 @@ peer alias - ^[0-9a-zA-Z]{1,100} + .[^ ]{1,100}$ - input limited to 100 alphanumerical characters + peer alias too long (limit 100 characters) diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index a4f876397..1df7bcdf8 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -15,6 +15,11 @@ # along with this program. If not, see . # # +#### TODO: +# fwmark +# preshared key +#### + import sys import os @@ -107,20 +112,20 @@ def get_config(): { p : { 'allowed-ips' : [], - 'endpoint' : '' + 'endpoint' : '', + 'pubkey' : '' } } ) + if c.exists(cnf + ' peer ' + p + ' pubkey'): + config_data['interfaces'][intfc]['peer'][p]['pubkey'] = c.return_value(cnf + ' peer ' + p + ' pubkey') if c.exists(cnf + ' peer ' + p + ' allowed-ips'): config_data['interfaces'][intfc]['peer'][p]['allowed-ips'] = c.return_values(cnf + ' peer ' + p + ' allowed-ips') if c.exists(cnf + ' peer ' + p + ' endpoint'): config_data['interfaces'][intfc]['peer'][p]['endpoint'] = c.return_value(cnf + ' peer ' + p + ' endpoint') - - ### persistent-keepalive - if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'): - config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive') + if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'): + config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive') - #print (config_data) return config_data def verify(c): 
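Review bot: The new peer-alias pattern `+ .[^ ]{1,100}$` in the wireguard.xml hunk (`@@ -51,9 +57,9 @@`) is not anchored at the start, so unless the validator anchors patterns implicitly it only requires that the trailing 1–100 characters contain no space and accepts aliases of any length, contradicting the new error text `peer alias too long (limit 100 characters)`. The removed pattern was anchored with `^`; keep that: `^[^ ]{1,100}$`. Dropping the alphanumeric restriction also lets any non-space character into the node name, which the Python side splices into config paths such as `c.exists(cnf + ' peer ' + p + ' pubkey')`, so a narrower class like `^[0-9a-zA-Z_-]{1,100}$` (constructed example) is the safer default. The node's surrounding tags lie outside what this hunk shows.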
@@ -131,17 +136,16 @@ def verify(c): if c['interfaces'][i]['status'] != 'delete': if not c['interfaces'][i]['addr']: raise ConfigError("address required for interface " + i) - if not c['interfaces'][i]['lport']: - raise ConfigError("listen-port required for interface " + i) if not c['interfaces'][i]['peer']: raise ConfigError("peer required on interface " + i) else: for p in c['interfaces'][i]['peer']: if not c['interfaces'][i]['peer'][p]['allowed-ips']: raise ConfigError("allowed-ips required on interface " + i + " for peer " + p) + if not c['interfaces'][i]['peer'][p]['pubkey']: + raise ConfigError("pubkey from your peer is mandatory on " + i + " for peer " + p) - ### eventually check allowed-ips (if it's an ip and valid CIDR or so) - ### endpoint needs to be IP:port + ### endpoint needs to be IP:port, mabey verify it here, but consider IPv6 in the pattern :) def apply(c): ### no wg config left, delete all wireguard devices on the os @@ -175,9 +179,9 @@ def apply(c): subprocess.call(['ip l a dev ' + intf + ' type wireguard 2>/dev/null'], shell=True) for addr in c['interfaces'][intf]['addr']: - add_addr(intf, addr) - configure_interface(c,intf) + add_addr(intf, addr) subprocess.call(['ip l set up dev ' + intf + ' &>/dev/null'], shell=True) + configure_interface(c,intf) ### config updates if c['interfaces'][intf]['status'] == 'exists': @@ -194,7 +198,7 @@ def apply(c): for addr in addr_add: add_addr(intf, addr) - ### persistent-keepalive + ### persistent-keepalive for p in c_eff.list_nodes(intf + ' peer'): val_eff = "" val = "" 
@@ -223,28 +227,63 @@ def apply(c): open('/sys/class/net/' + str(intf) + '/ifalias','w').write(str(cnf_descr)) def configure_interface(c, intf): + wg_config = { + 'interface' : intf, + 'listen-port' : 0, + 'private-key' : '/config/auth/wireguard/private.key', + 'peer' : + { + 'pubkey' : '' + }, + 'allowed-ips' : [], + 'fwmark' : 0x00, + 'endpoint' : None, + 'keepalive' : 0 + + } + for p in c['interfaces'][intf]['peer']: - cmd = "wg set " + intf + \ - " listen-port " + c['interfaces'][intf]['lport'] + \ - " private-key " + pk + \ - " peer " + p + ## mandatory settings + wg_config['peer']['pubkey'] = c['interfaces'][intf]['peer'][p]['pubkey'] + wg_config['allowed-ips'] = c['interfaces'][intf]['peer'][p]['allowed-ips'] + + ## optional settings + # listen-port + if c['interfaces'][intf]['lport']: + wg_config['listen-port'] = c['interfaces'][intf]['lport'] + + ## endpoint + if c['interfaces'][intf]['peer'][p]['endpoint']: + wg_config['endpoint'] = c['interfaces'][intf]['peer'][p]['endpoint'] + + ## persistent-keepalive + if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]: + wg_config['keepalive'] = c['interfaces'][intf]['peer'][p]['persistent-keepalive'] + + ### assemble wg command + cmd = "sudo wg set " + intf + if wg_config['listen-port'] !=0: + cmd += " listen-port " + str(wg_config['listen-port']) + + cmd += " private-key " + wg_config['private-key'] + cmd += " peer " + wg_config['peer']['pubkey'] cmd += " allowed-ips " + for ap in wg_config['allowed-ips']: + if ap != wg_config['allowed-ips'][-1]: + cmd += ap + "," + else: + cmd += ap - for ap in c['interfaces'][intf]['peer'][p]['allowed-ips']: - if ap != c['interfaces'][intf]['peer'][p]['allowed-ips'][-1]: - cmd += ap + "," - else: - cmd += ap - - ## endpoint is only required if wg runs as client - if c['interfaces'][intf]['peer'][p]['endpoint']: - cmd += " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint'] + if wg_config['endpoint']: + cmd += " endpoint " + wg_config['endpoint'] - if 
'persistent-keepalive' in c['interfaces'][intf]['peer'][p]: - cmd += " persistent-keepalive " + str( c['interfaces'][intf]['peer'][p]['persistent-keepalive']) + if wg_config['keepalive'] !=0: + cmd += " persistent-keepalive " + wg_config['keepalive'] + else: + cmd += " persistent-keepalive 0" - sl.syslog(sl.LOG_NOTICE, "sudo " + cmd) - subprocess.call([ 'sudo ' + cmd], shell=True) + sl.syslog(sl.LOG_NOTICE, cmd) + subprocess.call([cmd], shell=True) def add_addr(intf, addr): ret = subprocess.call(['ip a a dev ' + intf + ' ' + addr + ' &>/dev/null'], shell=True) @@ -265,7 +304,6 @@ if __name__ == '__main__': check_kmod() c = get_config() verify(c) - #generate(c) apply(c) except ConfigError as e: print(e) -- cgit v1.2.3 From 810906cf4c3e7ea8261b21a70ba5d5e71c4c7484 Mon Sep 17 00:00:00 2001 From: hagbard Date: Thu, 23 Aug 2018 11:31:07 -0700 Subject: adding validation for listen-port --- interface-definitions/wireguard.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 21656e3d8..cd92aefe0 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -51,6 +51,9 @@ Local port number to accept connections + + + -- cgit v1.2.3 From dc7bd3227dfea462d1ecd7d285972a61b267cfae Mon Sep 17 00:00:00 2001 From: hagbard Date: Thu, 23 Aug 2018 11:46:15 -0700 Subject: listen-port for update mode needs to be 0 to switch back to randomly chosen if previously configured --- src/conf_mode/wireguard.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 1df7bcdf8..032a407ca 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py 
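Review bot: In the `configure_interface` hunk (`@@ -223,28 +227,63 @@`), `wg_config` is built once before `for p in c['interfaces'][intf]['peer']:` but `endpoint` and `keepalive` are only assigned when the current peer has them and are never reset, so a later peer without an endpoint or keepalive inherits the previous peer's values in its `wg set` call; assign the per-peer fields unconditionally at the top of the loop body. The command is also assembled as one string and run with `subprocess.call([cmd], shell=True)`, which hands `pubkey`, `allowed-ips`, `endpoint` and the keepalive value to a shell as text; building an argument list and calling `subprocess.call(cmd)` without a shell keeps config values from ever being parsed as shell syntax and lets `','.join(...)` replace the manual comma loop. The return value of `subprocess.call` is still discarded, so a failing `wg set` is logged to stderr but does not fail the commit. The sketch below assumes the command assembly sits inside the per-peer loop, as the per-peer `wg set ... peer <pubkey>` implies; indentation is illustrative.
```python
    for p in c['interfaces'][intf]['peer']:
        peer = c['interfaces'][intf]['peer'][p]
        wg_config['peer']['pubkey'] = peer['pubkey']
        wg_config['allowed-ips'] = peer['allowed-ips']
        # per-peer optionals are set on every iteration so nothing carries over
        wg_config['endpoint'] = peer['endpoint']
        wg_config['keepalive'] = peer.get('persistent-keepalive', 0)
        # … unchanged: listen-port …

        ### assemble wg command as an argument list; no shell sees the values
        cmd = ['sudo', 'wg', 'set', intf]
        if wg_config['listen-port'] != 0:
            cmd += ['listen-port', str(wg_config['listen-port'])]
        cmd += ['private-key', wg_config['private-key'],
                'peer', wg_config['peer']['pubkey'],
                'allowed-ips', ','.join(wg_config['allowed-ips'])]
        if wg_config['endpoint']:
            cmd += ['endpoint', wg_config['endpoint']]
        cmd += ['persistent-keepalive', str(wg_config['keepalive'])]

        sl.syslog(sl.LOG_NOTICE, ' '.join(cmd))
        if subprocess.call(cmd) != 0:
            raise ConfigError('wg set failed on ' + intf + ' for peer ' + p)
```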
@@ -262,9 +262,7 @@ def configure_interface(c, intf): ### assemble wg command cmd = "sudo wg set " + intf - if wg_config['listen-port'] !=0: - cmd += " listen-port " + str(wg_config['listen-port']) - + cmd += " listen-port " + str(wg_config['listen-port']) cmd += " private-key " + wg_config['private-key'] cmd += " peer " + wg_config['peer']['pubkey'] cmd += " allowed-ips " -- cgit v1.2.3 From 2e4e528d2527e4f74c0e62ba7478bb6053818082 Mon Sep 17 00:00:00 2001 From: hagbard Date: Thu, 23 Aug 2018 11:55:58 -0700 Subject: persitent-keepalive validator chnaged, checks now if it's between 1 and 65535 --- interface-definitions/wireguard.xml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index cd92aefe0..3b301fc3b 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -90,9 +90,8 @@ how often send keep alives in seconds - ^(1|[1-9][0-9]{1,5})$ + - keepliave timer has to be between 1 and 99999 seconds -- cgit v1.2.3 From 8e685a16a1a478a7aead5b655dac99c3987af35c Mon Sep 17 00:00:00 2001 From: hagbard Date: Thu, 23 Aug 2018 11:58:57 -0700 Subject: changed back Makefile and enabled test again. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 17ae34a18..b626bbd8b 100644 --- a/Makefile +++ b/Makefile @@ -42,7 +42,7 @@ clean: .PHONY: test test: -# PYTHONPATH=python/ python3 -m "nose" --with-xunit src --with-coverage --cover-erase --cover-xml --cover-package src/conf_mode,src/op_mode,src/completion,src/helpers,src/validators --verbose + PYTHONPATH=python/ python3 -m "nose" --with-xunit src --with-coverage --cover-erase --cover-xml --cover-package src/conf_mode,src/op_mode,src/completion,src/helpers,src/validators --verbose .PHONY: sonar sonar: -- cgit v1.2.3 From 96778964422910e5d07cfa02b1edb01f6bd870e1 Mon Sep 17 00:00:00 2001 
From: hagbard Date: Thu, 23 Aug 2018 13:50:12 -0700 Subject: T793: fwmark implementation --- interface-definitions/wireguard.xml | 18 ++++++++++++------ src/conf_mode/wireguard.py | 11 ++++++++++- 2 files changed, 22 insertions(+), 7 deletions(-) diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 3b301fc3b..f025eb0da 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -16,12 +16,6 @@ - IP address @@ -56,6 +50,18 @@ + + + A 32-bit fwmark value set on all outgoing packets + + number + value which marks the packet for QoS/shaper + + + + + + peer alias diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 032a407ca..4e83537bf 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -18,6 +18,7 @@ #### TODO: # fwmark # preshared key +# mtu #### @@ -71,7 +72,8 @@ def get_config(): 'status' : 'exists', 'state' : 'enabled', 'mtu' : 1420, - 'peer' : {} + 'peer' : {}, + 'fwmark' : 0 } } ) @@ -104,6 +106,9 @@ def get_config(): ### mtu if c.exists(cnf + ' mtu'): config_data['interfaces'][intfc]['mtu'] = c.return_value(cnf + ' mtu') + ### fwmark + if c.exists(cnf + ' fwmark'): + config_data['interfaces'][intfc]['fwmark'] = c.return_value(cnf + ' fwmark') ### peers if c.exists(cnf + ' peer'): @@ -259,10 +264,14 @@ def configure_interface(c, intf): ## persistent-keepalive if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]: wg_config['keepalive'] = c['interfaces'][intf]['peer'][p]['persistent-keepalive'] + + ## fwmark + wg_config['fwmark'] = hex(int(c['interfaces'][intf]['fwmark'])) ### assemble wg command cmd = "sudo wg set " + intf cmd += " listen-port " + str(wg_config['listen-port']) + cmd += " fwmark " + wg_config['fwmark'] cmd += " private-key " + wg_config['private-key'] cmd += " peer " + wg_config['peer']['pubkey'] cmd += " allowed-ips " -- cgit v1.2.3 From c2b18ceda09868ed5a98be082fd3aa4dd787348c Mon Sep 17 00:00:00 2001 
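Review bot: `wg_config['fwmark'] = hex(int(c['interfaces'][intf]['fwmark']))` in the `configure_interface` hunk (`@@ -259,10 +264,14 @@`) raises `ValueError` rather than `ConfigError` when the value is not an integer, so it escapes the `except ConfigError` handler in `__main__` and surfaces as a traceback instead of a config error; validate it in `verify()` with `int(...)` inside a `try` that re-raises `ConfigError`, or state in a comment that the XML validator guarantees a number. The assignment is also placed inside the per-peer loop although fwmark is an interface-level setting, so it is recomputed for every peer and belongs before the loop. The loop header itself is outside this hunk.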
From: hagbard Date: Fri, 24 Aug 2018 11:38:11 -0700 Subject: T791: mtu size implementation --- interface-definitions/wireguard.xml | 8 ++++++ src/conf_mode/wireguard.py | 57 ++++++++++++++++--------------------- 2 files changed, 33 insertions(+), 32 deletions(-) diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index f025eb0da..335749e35 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -50,6 +50,14 @@ + + + interface mtu size(default: 1420) + + + + + A 32-bit fwmark value set on all outgoing packets diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 4e83537bf..8d76ab105 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -16,12 +16,9 @@ # # #### TODO: -# fwmark # preshared key -# mtu #### - import sys import os import re @@ -35,8 +32,6 @@ dir = r'/config/auth/wireguard' pk = dir + '/private.key' pub = dir + '/public.key' -### check_kmod may be removed in the future, -### just want to have everything smoothly running after reboot def check_kmod(): if not os.path.exists('/sys/module/wireguard'): sl.syslog(sl.LOG_NOTICE, "loading wirguard kmod") @@ -45,21 +40,20 @@ def check_kmod(): raise ConfigError("modprobe wireguard failed") def get_config(): - config_data = { - 'interfaces' : {} - } - c = Config() if not c.exists('interfaces wireguard'): return None - - c.set_level('interfaces') + + c.set_level('interfaces') intfcs = c.list_nodes('wireguard') intfcs_eff = c.list_effective_nodes('wireguard') - new_lst = list( set(intfcs) - set(intfcs_eff) ) + new_lst = list( set(intfcs) - set(intfcs_eff) ) del_lst = list( set(intfcs_eff) - set(intfcs) ) - ### setting deafult and determine status of the config + config_data = { + 'interfaces' : {} + } + ### setting defaults and determine status of the config for intfc in intfcs: cnf = 'wireguard ' + intfc # default data struct 
@@ -71,13 +65,13 @@ def get_config(): 'lport' : '', 'status' : 'exists', 'state' : 'enabled', - 'mtu' : 1420, - 'peer' : {}, - 'fwmark' : 0 + 'mtu' : '1420', + 'peer' : {} } } ) - + + ### determine status either delete or create for i in new_lst: config_data['interfaces'][i]['status'] = 'create' @@ -90,11 +84,11 @@ def get_config(): } ) - ### based on the status, set real values + ### based on the status, setup conf values for intfc in intfcs: cnf = 'wireguard ' + intfc if config_data['interfaces'][intfc]['status'] != 'delete': - #### addresses + ### addresses if c.exists(cnf + ' address'): config_data['interfaces'][intfc]['addr'] = c.return_values(cnf + ' address') ### listen port @@ -106,10 +100,6 @@ def get_config(): ### mtu if c.exists(cnf + ' mtu'): config_data['interfaces'][intfc]['mtu'] = c.return_value(cnf + ' mtu') - ### fwmark - if c.exists(cnf + ' fwmark'): - config_data['interfaces'][intfc]['fwmark'] = c.return_value(cnf + ' fwmark') - ### peers if c.exists(cnf + ' peer'): for p in c.list_nodes(cnf + ' peer'): @@ -150,7 +140,7 @@ def verify(c): if not c['interfaces'][i]['peer'][p]['pubkey']: raise ConfigError("pubkey from your peer is mandatory on " + i + " for peer " + p) - ### endpoint needs to be IP:port, mabey verify it here, but consider IPv6 in the pattern :) + ### endpoint needs to be IP:port, mabey verify it here, but consider IPv6 in the pattern def apply(c): ### no wg config left, delete all wireguard devices on the os @@ -165,8 +155,7 @@ def apply(c): return None ### - ## to find the diffs between old config an new config - ## so we only configure/delete what was not previously configured + ## find the diffs between effective config an new config ### c_eff = Config() c_eff.set_level('interfaces wireguard') 
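Review bot: The `get_config` hunks `@@ -71,13 +65,13 @@` and `@@ -106,10 +100,6 @@` remove the `fwmark` default and the `c.exists(cnf + ' fwmark')` read, and `@@ -264,14 +261,10 @@` in the next chunk drops it from the `wg set` command, while this commit's wireguard.xml hunk leaves the `A 32-bit fwmark value` leaf in place; as a result `set ... fwmark` is accepted by the CLI and silently ignored. Either remove the leaf from the interface definition in the same commit or keep the three lines, and say so in the message — a commit titled "mtu size implementation" should not quietly drop an unrelated feature. If the removal is deliberate, a `# NOTE: fwmark is not implemented yet` comment next to the remaining `'fwmark' : 0x00` entry in `wg_config` would stop the next reader from assuming it works.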
@@ -185,7 +174,8 @@ def apply(c): subprocess.call(['ip l a dev ' + intf + ' type wireguard 2>/dev/null'], shell=True) for addr in c['interfaces'][intf]['addr']: add_addr(intf, addr) - subprocess.call(['ip l set up dev ' + intf + ' &>/dev/null'], shell=True) + + subprocess.call(['ip l set up dev ' + intf + ' mtu ' + c['interfaces'][intf]['mtu'] + ' &>/dev/null'], shell=True) configure_interface(c,intf) ### config updates @@ -203,6 +193,12 @@ def apply(c): for addr in addr_add: add_addr(intf, addr) + ## mtu update + mtu = c['interfaces'][intf]['mtu'] + if mtu != 1420: + sl.syslog(sl.LOG_NOTICE, "setting mtu to " + mtu + " on " + intf) + subprocess.call(['ip l set mtu ' + mtu + ' dev ' + intf + ' &>/dev/null'], shell=True) + ### persistent-keepalive for p in c_eff.list_nodes(intf + ' peer'): val_eff = "" @@ -229,7 +225,8 @@ def apply(c): descr_eff = c_eff.return_effective_value(intf + ' description') cnf_descr = c['interfaces'][intf]['descr'] if descr_eff != cnf_descr: - open('/sys/class/net/' + str(intf) + '/ifalias','w').write(str(cnf_descr)) + with open('/sys/class/net/' + str(intf) + '/ifalias','w') as fh: + fh.write(str(cnf_descr)) def configure_interface(c, intf): wg_config = { @@ -264,14 +261,10 @@ def configure_interface(c, intf): ## persistent-keepalive if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]: wg_config['keepalive'] = c['interfaces'][intf]['peer'][p]['persistent-keepalive'] - - ## fwmark - wg_config['fwmark'] = hex(int(c['interfaces'][intf]['fwmark'])) ### assemble wg command cmd = "sudo wg set " + intf cmd += " listen-port " + str(wg_config['listen-port']) - cmd += " fwmark " + wg_config['fwmark'] cmd += " private-key " + wg_config['private-key'] cmd += " peer " + wg_config['peer']['pubkey'] cmd += " allowed-ips " -- cgit v1.2.3 From a81104c11d5f14e9cb2c0eaf2a75eaf86f667ce7 Mon Sep 17 00:00:00 2001 
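Review bot: `if mtu != 1420:` in the `apply` hunk (`@@ -203,6 +193,12 @@`) compares a string to an integer — the same commit sets the default to `'mtu' : '1420'` and concatenates the value into the `ip l set up` string, so it is text — hence the condition is always true and `ip l set mtu` runs on every commit; compare against `'1420'` or convert both sides with `int()`. The new `... + ' &>/dev/null'` commands here and in the previous hunk use the bash-only `&>` redirection, but `subprocess.call(..., shell=True)` runs `/bin/sh`, which on Debian-based systems is typically dash; there `&` backgrounds the `ip` command and its exit status is lost, so use `2>/dev/null` (plus `>/dev/null` if stdout is unwanted). The same applies to the `&>/dev/null` commands in `add_addr`/`del_addr` (chunk L17), whose `ret != 0` check can never fire under dash.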
From: hagbard Date: Fri, 24 Aug 2018 16:17:27 -0700 Subject: T791: endpoint pattern doesn't need to be checked, wg returns an error message if it's not IP:port --- src/conf_mode/wireguard.py | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 8d76ab105..f90379f53 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -133,14 +133,13 @@ def verify(c): raise ConfigError("address required for interface " + i) if not c['interfaces'][i]['peer']: raise ConfigError("peer required on interface " + i) - else: - for p in c['interfaces'][i]['peer']: - if not c['interfaces'][i]['peer'][p]['allowed-ips']: - raise ConfigError("allowed-ips required on interface " + i + " for peer " + p) - if not c['interfaces'][i]['peer'][p]['pubkey']: - raise ConfigError("pubkey from your peer is mandatory on " + i + " for peer " + p) - ### endpoint needs to be IP:port, mabey verify it here, but consider IPv6 in the pattern + for p in c['interfaces'][i]['peer']: + if not c['interfaces'][i]['peer'][p]['allowed-ips']: + raise ConfigError("allowed-ips required on interface " + i + " for peer " + p) + if not c['interfaces'][i]['peer'][p]['pubkey']: + raise ConfigError("pubkey from your peer is mandatory on " + i + " for peer " + p) + def apply(c): ### no wg config left, delete all wireguard devices on the os -- cgit v1.2.3 From 81aaced26db8becb1ced9610b7399d870af70f2f Mon Sep 17 00:00:00 2001 From: hagbard Date: Sat, 25 Aug 2018 10:04:27 -0700 Subject: idents fixed (sonarcloud complains) --- src/conf_mode/wireguard.py | 132 ++++++++++++++++++++++----------------------- 1 file changed, 64 insertions(+), 68 deletions(-) diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index f90379f53..0324e12a2 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py 
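Review bot: The commit message relies on `wg` rejecting a malformed endpoint, but `configure_interface` (outside this hunk) discards the return value of `subprocess.call([cmd], shell=True)`, so a rejected endpoint is only printed to stderr and the commit still succeeds with a half-configured peer. Either check the return code there and raise `ConfigError('wg set failed on ' + intf + ' for peer ' + p)`, or keep a format check in this `verify` loop. The endpoint string is also still spliced into a shell command line, so validating it here (IPv4/IPv6 address plus port) is defence in depth rather than redundant work.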
@@ -15,9 +15,6 @@ # along with this program. If not, see . # # -#### TODO: -# preshared key -#### import sys import os @@ -29,12 +26,12 @@ from vyos.config import Config from vyos import ConfigError dir = r'/config/auth/wireguard' -pk = dir + '/private.key' +pk = dir + '/private.key' pub = dir + '/public.key' def check_kmod(): if not os.path.exists('/sys/module/wireguard'): - sl.syslog(sl.LOG_NOTICE, "loading wirguard kmod") + sl.syslog(sl.LOG_NOTICE, "loading wirguard kmod") if os.system('sudo modprobe wireguard') != 0: sl.syslog(sl.LOG_NOTICE, "modprobe wireguard failed") raise ConfigError("modprobe wireguard failed") 
@@ -47,41 +44,41 @@ def get_config(): c.set_level('interfaces') intfcs = c.list_nodes('wireguard') intfcs_eff = c.list_effective_nodes('wireguard') - new_lst = list( set(intfcs) - set(intfcs_eff) ) - del_lst = list( set(intfcs_eff) - set(intfcs) ) + new_lst = list(set(intfcs) - set(intfcs_eff)) + del_lst = list(set(intfcs_eff) - set(intfcs)) config_data = { - 'interfaces' : {} + 'interfaces' : {} } - ### setting defaults and determine status of the config + ### setting defaults and determine status of the config for intfc in intfcs: cnf = 'wireguard ' + intfc # default data struct - config_data['interfaces'].update ( - { - intfc : { - 'addr' : '', - 'descr' : intfc, ## snmp ifAlias - 'lport' : '', - 'status' : 'exists', - 'state' : 'enabled', - 'mtu' : '1420', - 'peer' : {} - } + config_data['interfaces'].update( + { + intfc : { + 'addr' : '', + 'descr' : intfc, ## snmp ifAlias + 'lport' : '', + 'status' : 'exists', + 'state' : 'enabled', + 'mtu' : '1420', + 'peer' : {} + } } - ) - + ) + ### determine status either delete or create for i in new_lst: - config_data['interfaces'][i]['status'] = 'create' + config_data['interfaces'][i]['status'] = 'create' for i in del_lst: - config_data['interfaces'].update ( - { - i : { - 'status': 'delete' + config_data['interfaces'].update( + { + i : { + 'status': 'delete' + } } - } ) ### based on the status, setup conf values @@ -103,14 +100,14 @@ def get_config(): ### peers if c.exists(cnf + ' peer'): for p in c.list_nodes(cnf + ' peer'): - config_data['interfaces'][intfc]['peer'].update ( - { - p : { - 'allowed-ips' : [], - 'endpoint' : '', - 'pubkey' : '' + config_data['interfaces'][intfc]['peer'].update( + { + p : { + 'allowed-ips' : [], + 'endpoint' : '', + 'pubkey' : '' + } } - } ) if c.exists(cnf + ' peer ' + p + ' pubkey'): config_data['interfaces'][intfc]['peer'][p]['pubkey'] = c.return_value(cnf + ' peer ' + p + ' pubkey') 
@@ -130,7 +127,7 @@ def verify(c): for i in c['interfaces']: if c['interfaces'][i]['status'] != 'delete': if not c['interfaces'][i]['addr']: - raise ConfigError("address required for interface " + i) + raise ConfigError("address required for interface " + i) if not c['interfaces'][i]['peer']: raise ConfigError("peer required on interface " + i) @@ -146,13 +143,13 @@ def apply(c): if not c: net_devs = os.listdir('/sys/class/net/') for dev in net_devs: - buf = open('/sys/class/net/' + dev + '/uevent','r').read() + buf = open('/sys/class/net/' + dev + '/uevent', 'r').read() if re.search("DEVTYPE=wireguard", buf, re.I|re.M): - wg_intf = re.sub("INTERFACE=","", re.search("INTERFACE=.*", buf, re.I|re.M).group(0) ) + wg_intf = re.sub("INTERFACE=", "", re.search("INTERFACE=.*", buf, re.I|re.M).group(0)) sl.syslog(sl.LOG_NOTICE, "removing interface " + wg_intf) subprocess.call(['ip l d dev ' + wg_intf + ' >/dev/null'], shell=True) return None - + ### ## find the diffs between effective config an new config ### @@ -175,20 +172,20 @@ def apply(c): add_addr(intf, addr) subprocess.call(['ip l set up dev ' + intf + ' mtu ' + c['interfaces'][intf]['mtu'] + ' &>/dev/null'], shell=True) - configure_interface(c,intf) + configure_interface(c, intf) ### config updates if c['interfaces'][intf]['status'] == 'exists': ### IP address change - addr_eff = re.sub("\'", "", c_eff.return_effective_values(intf + ' address')).split() - addr_rem = list( set(addr_eff) - set(c['interfaces'][intf]['addr']) ) - addr_add = list( set(c['interfaces'][intf]['addr']) - set(addr_eff) ) + addr_eff = re.sub("\'", "", c_eff.return_effective_values(intf + ' address')).split() + addr_rem = list(set(addr_eff) - set(c['interfaces'][intf]['addr'])) + addr_add = list(set(c['interfaces'][intf]['addr']) - set(addr_eff)) - if len(addr_rem) !=0: + if len(addr_rem) != 0: for addr in addr_rem: del_addr(intf, addr) - if len(addr_add) !=0: + if len(addr_add) != 0: for addr in addr_add: add_addr(intf, addr) 
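Review bot: `buf = open('/sys/class/net/' + dev + '/uevent', 'r').read()` in the `apply` hunk (`@@ -146,13 +143,13 @@`) is reformatted but still leaves the file object for the garbage collector, while the `ifalias` write later in the same function already uses `with open(...)`; make it consistent: `with open('/sys/class/net/' + dev + '/uevent', 'r') as fh: buf = fh.read()`. The loop runs once per entry of `/sys/class/net/`, so the unclosed handles pile up until collected. The rest of `apply` continues past this hunk.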
@@ -201,45 +198,45 @@ def apply(c): ### persistent-keepalive for p in c_eff.list_nodes(intf + ' peer'): val_eff = "" - val = "" + val = "" if c_eff.exists_effective(intf + ' peer ' + p + ' persistent-keepalive'): val_eff = c_eff.return_effective_value(intf + ' peer ' + p + ' persistent-keepalive') if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]: val = c['interfaces'][intf]['peer'][p]['persistent-keepalive'] - + ### disable keepalive if val_eff and not val: - c['interfaces'][intf]['peer'][p]['persistent-keepalive'] = 0 - + c['interfaces'][intf]['peer'][p]['persistent-keepalive'] = 0 + ### set new keepalive value if not val_eff and val: c['interfaces'][intf]['peer'][p]['persistent-keepalive'] = val ## wg command call - configure_interface(c,intf) + configure_interface(c, intf) - ### ifalias for snmp from description + ### ifalias for snmp from description descr_eff = c_eff.return_effective_value(intf + ' description') cnf_descr = c['interfaces'][intf]['descr'] if descr_eff != cnf_descr: - with open('/sys/class/net/' + str(intf) + '/ifalias','w') as fh: + with open('/sys/class/net/' + str(intf) + '/ifalias', 'w') as fh: fh.write(str(cnf_descr)) def configure_interface(c, intf): wg_config = { - 'interface' : intf, - 'listen-port' : 0, - 'private-key' : '/config/auth/wireguard/private.key', - 'peer' : - { - 'pubkey' : '' - }, - 'allowed-ips' : [], - 'fwmark' : 0x00, - 'endpoint' : None, - 'keepalive' : 0 + 'interface' : intf, + 'listen-port' : 0, + 'private-key' : '/config/auth/wireguard/private.key', + 'peer' : + { + 'pubkey' : '' + }, + 'allowed-ips' : [], + 'fwmark' : 0x00, + 'endpoint' : None, + 'keepalive' : 0 } 
@@ -259,7 +256,7 @@ def configure_interface(c, intf): ## persistent-keepalive if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]: - wg_config['keepalive'] = c['interfaces'][intf]['peer'][p]['persistent-keepalive'] + wg_config['keepalive'] = c['interfaces'][intf]['peer'][p]['persistent-keepalive'] ### assemble wg command cmd = "sudo wg set " + intf @@ -276,7 +273,7 @@ def configure_interface(c, intf): if wg_config['endpoint']: cmd += " endpoint " + wg_config['endpoint'] - if wg_config['keepalive'] !=0: + if wg_config['keepalive'] != 0: cmd += " persistent-keepalive " + wg_config['keepalive'] else: cmd += " persistent-keepalive 0" @@ -287,14 +284,14 @@ def configure_interface(c, intf): def add_addr(intf, addr): ret = subprocess.call(['ip a a dev ' + intf + ' ' + addr + ' &>/dev/null'], shell=True) if ret != 0: - raise ConfigError('Can\'t set IP ' + addr + ' on ' + intf ) + raise ConfigError('Can\'t set IP ' + addr + ' on ' + intf) else: sl.syslog(sl.LOG_NOTICE, "ip a a dev " + intf + " " + addr) def del_addr(intf, addr): ret = subprocess.call(['ip a d dev ' + intf + ' ' + addr + ' &>/dev/null'], shell=True) if ret != 0: - raise ConfigError('Can\'t delete IP ' + addr + ' on ' + intf ) + raise ConfigError('Can\'t delete IP ' + addr + ' on ' + intf) else: sl.syslog(sl.LOG_NOTICE, "ip a d dev " + intf + " " + addr) @@ -307,4 +304,3 @@ if __name__ == '__main__': except ConfigError as e: print(e) sys.exit(1) - -- cgit v1.2.3 From cc584bb5ae8e701b0d8471fa675a0e44228b4ee2 Mon Sep 17 00:00:00 2001 From: hagbard Date: Sun, 26 Aug 2018 11:27:54 -0700 Subject: T427: changed option listen-port to only port --- interface-definitions/wireguard.xml | 2 +- src/conf_mode/wireguard.py | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 335749e35..cf25124fa 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml 
@@ -42,7 +42,7 @@ interface description is too long (limit 100 characters) - + Local port number to accept connections diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 0324e12a2..9848914e3 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -89,8 +89,8 @@ def get_config(): if c.exists(cnf + ' address'): config_data['interfaces'][intfc]['addr'] = c.return_values(cnf + ' address') ### listen port - if c.exists(cnf + ' listen-port'): - config_data['interfaces'][intfc]['lport'] = c.return_value(cnf + ' listen-port') + if c.exists(cnf + ' port'): + config_data['interfaces'][intfc]['lport'] = c.return_value(cnf + ' port') ### description if c.exists(cnf + ' description'): config_data['interfaces'][intfc]['descr'] = c.return_value(cnf + ' description') @@ -227,7 +227,7 @@ def apply(c): def configure_interface(c, intf): wg_config = { 'interface' : intf, - 'listen-port' : 0, + 'port' : 0, 'private-key' : '/config/auth/wireguard/private.key', 'peer' : { @@ -248,7 +248,7 @@ def configure_interface(c, intf): ## optional settings # listen-port if c['interfaces'][intf]['lport']: - wg_config['listen-port'] = c['interfaces'][intf]['lport'] + wg_config['port'] = c['interfaces'][intf]['lport'] ## endpoint if c['interfaces'][intf]['peer'][p]['endpoint']: @@ -260,7 +260,7 @@ def configure_interface(c, intf): ### assemble wg command cmd = "sudo wg set " + intf - cmd += " listen-port " + str(wg_config['listen-port']) + cmd += " listen-port " + str(wg_config['port']) cmd += " private-key " + wg_config['private-key'] cmd += " peer " + wg_config['peer']['pubkey'] cmd += " allowed-ips " -- cgit v1.2.3