From 8cb56942e141f19af71f97d1093395326c99dbe5 Mon Sep 17 00:00:00 2001
From: hagbard
Date: Fri, 17 Aug 2018 16:56:52 +0000
Subject: remove endpoint check, which is optional. server mode find the endpoint from an authenticated package.

---
 src/conf_mode/wireguard.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index 7d52cfe94..3426acbe3 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
@@ -135,8 +135,8 @@ def verify(c):
         for p in c['interfaces'][i]['peer']:
             if not c['interfaces'][i]['peer'][p]['allowed-ips']:
                 raise ConfigError("allowed-ips required on interface " + i + " for peer " + p)
-            if not c['interfaces'][i]['peer'][p]['endpoint']:
-                raise ConfigError("endpoint required on interface " + i + " for peer " + p)
+#            if not c['interfaces'][i]['peer'][p]['endpoint']:
+#                raise ConfigError("endpoint required on interface " + i + " for peer " + p)
             ### eventually check allowed-ips (if it's an ip and valid CIDR or so)
             ### endpoint needs to be IP:port
-- 
cgit v1.2.3

From aa5f4da1a18eeec1dba9bed3c1d7896605ac51ee Mon Sep 17 00:00:00 2001
From: hagbard
Date: Fri, 17 Aug 2018 17:51:56 +0000
Subject: change xml name for op mode, since it will support non key-management related commands in the future as well

---
 op-mode-definitions/wireguard-keys.xml | 42 ----------------------------------
 op-mode-definitions/wireguard.xml | 42 ++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 42 deletions(-)
 delete mode 100644 op-mode-definitions/wireguard-keys.xml
 create mode 100644 op-mode-definitions/wireguard.xml

diff --git a/op-mode-definitions/wireguard-keys.xml b/op-mode-definitions/wireguard-keys.xml
deleted file mode 100644
index 29fce33b6..000000000
--- a/op-mode-definitions/wireguard-keys.xml
+++ /dev/null
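Review bot: With the requirement dropped, verify() still performs no format check on an endpoint that is present, and the `### endpoint needs to be IP:port` note right below the removed lines stays a TODO even though configure_interface (outside this hunk) concatenates the value into a shell command line. A check that belongs here would read the value with `c['interfaces'][i]['peer'][p].get('endpoint')` (get_config appears to store the key only when the node exists), split host and port on the last `:`, and raise ConfigError unless the port is an integer in 1–65535 and the host parses as an address or hostname. Keeping the old check as `#`-prefixed code rather than deleting it leaves dead text in verify(); a later commit in this series removes it, which is the better form. verify()'s body starts before this hunk.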
@@ -1,42 +0,0 @@ - - - - - - - - wireguard key generation utility - - - - - generate a wireguard keypair - - ${vyos_op_scripts_dir}/wireguard_key.py --genkey - - - - - - - - - - - - show wireguard public key - - ${vyos_op_scripts_dir}/wireguard_key.py --showpub - - - - show wireguard private key - - ${vyos_op_scripts_dir}/wireguard_key.py --showpriv - - - - - - - diff --git a/op-mode-definitions/wireguard.xml b/op-mode-definitions/wireguard.xml new file mode 100644 index 000000000..29fce33b6 --- /dev/null +++ b/op-mode-definitions/wireguard.xml @@ -0,0 +1,42 @@ + + + + + + + + wireguard key generation utility + + + + + generate a wireguard keypair + + ${vyos_op_scripts_dir}/wireguard_key.py --genkey + + + + + + + + + + + + show wireguard public key + + ${vyos_op_scripts_dir}/wireguard_key.py --showpub + + + + show wireguard private key + + ${vyos_op_scripts_dir}/wireguard_key.py --showpriv + + + + + + + -- cgit v1.2.3 From 85a80fe59443a91b66185a06e192f99bec30af68 Mon Sep 17 00:00:00 2001 From: hagbard Date: Fri, 17 Aug 2018 18:25:25 +0000 Subject: T427: endpoint is only required for client mode, it's now an optional parameter --- src/conf_mode/wireguard.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 3426acbe3..dda5c4d8a 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -135,8 +135,6 @@ def verify(c): for p in c['interfaces'][i]['peer']: if not c['interfaces'][i]['peer'][p]['allowed-ips']: raise ConfigError("allowed-ips required on interface " + i + " for peer " + p) -# if not c['interfaces'][i]['peer'][p]['endpoint']: -# raise ConfigError("endpoint required on interface " + i + " for peer " + p) ### eventually check allowed-ips (if it's an ip and valid CIDR or so) ### endpoint needs to be IP:port 
@@ -205,14 +203,19 @@ def configure_interface(c, intf): cmd = "wg set " + intf + \ " listen-port " + c['interfaces'][intf]['lport'] + \ " private-key " + pk + \ - " peer " + p + \ - " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint'] + " peer " + p cmd += " allowed-ips " + for ap in c['interfaces'][intf]['peer'][p]['allowed-ips']: if ap != c['interfaces'][intf]['peer'][p]['allowed-ips'][-1]: cmd += ap + "," else: cmd += ap + + ## endpoint is only required if wg runs as client + if c['interfaces'][intf]['peer'][p]['endpoint']: + cmd += " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint'] + sl.syslog(sl.LOG_NOTICE, "sudo " + cmd) subprocess.call([ 'sudo ' + cmd], shell=True) -- cgit v1.2.3 From f184700bdb0c070be7f3bf9d9b2712581c29e798 Mon Sep 17 00:00:00 2001 From: hagbard Date: Fri, 17 Aug 2018 19:32:47 +0000 Subject: T783: conf mode persistent-keepalive implementation --- interface-definitions/wireguard.xml | 9 +++++++++ src/conf_mode/wireguard.py | 15 +++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 008f82a0b..eec7a404b 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -68,6 +68,15 @@ Remote endpoint + + + how often send keep alives in seconds + + ^(1|[1-9][0-9]{0,5})$ + + keepliave timer has to be between 1 and 99999 seconds + + diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index dda5c4d8a..94378a6ef 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py 
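Review bot: The new guard `if c['interfaces'][intf]['peer'][p]['endpoint']:` indexes the key directly, yet get_config (visible as context in a later hunk of this series) appears to store `endpoint` only when the node exists, so a peer configured without an endpoint — exactly the case this commit enables — would raise KeyError before wg is called; `if c['interfaces'][intf]['peer'][p].get('endpoint'):` avoids that. The appended endpoint string also joins `cmd`, which is handed to `subprocess.call([ 'sudo ' + cmd], shell=True)` below, so every peer value (public key, allowed-ips, endpoint) is interpreted by a shell; building an argv list and dropping `shell=True` removes that interpretation step while the syslog line can still record the same command text. The re-added `for ap` loop compares each entry with the last one by value, so a repeated address is joined without its comma; `','.join(...)` does the same job positionally. configure_interface's body begins before this hunk.

```python
    args = ['sudo', 'wg', 'set', intf,
            'listen-port', c['interfaces'][intf]['lport'],
            'private-key', pk,
            'peer', p,
            'allowed-ips', ','.join(c['interfaces'][intf]['peer'][p]['allowed-ips'])]

    ## endpoint is only required if wg runs as client
    endpoint = c['interfaces'][intf]['peer'][p].get('endpoint')
    if endpoint:
        args += ['endpoint', endpoint]

    sl.syslog(sl.LOG_NOTICE, ' '.join(args))
    subprocess.call(args)
```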
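Review bot: The constraint `^(1|[1-9][0-9]{0,5})$` on the new persistent-keepalive node admits one to six digits, i.e. values up to 999999, while the error text promises a range of 1 to 99999; one of the two must change, and `^[1-9][0-9]{0,4}$` matches the message (the `1|` alternative is already covered by `[1-9]`). wg itself stores the keepalive interval as a 16-bit value, so aligning both the pattern and the message with an upper bound of 65535 would avoid accepting a value the backend later rejects. The message also misspells keepalive as "keepliave". The XML tags did not survive in this rendering, so the node layout itself cannot be checked from here.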
@@ -116,6 +116,10 @@ def get_config():
                 if c.exists(cnf + ' peer ' + p + ' endpoint'):
                     config_data['interfaces'][intfc]['peer'][p]['endpoint'] = c.return_value(cnf + ' peer ' + p + ' endpoint')
 
+                ### persistent-keepalive
+                if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'):
+                    config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive')
+
     #print (config_data)
     return config_data
 
@@ -190,6 +194,14 @@ def apply(c):
             for addr in addr_add:
                 add_addr(intf, addr)
 
+            ### persistent-keepalive
+            for p in c_eff.list_nodes(intf + ' peer'):
+                pklv_eff = c_eff.return_effective_value(intf + ' peer ' + p + ' persistent-keepalive')
+                pklv = c_eff.return_value(intf + ' peer ' + p + ' persistent-keepalive')
+                if pklv_eff == pklv:
+                    del c['interfaces'][intf]['peer'][p]['persistent-keepalive']
+
+
             ## wg command call
             configure_interface(c,intf)
             ### ifalias for snmp from description
@@ -216,6 +228,9 @@ def configure_interface(c, intf):
             if c['interfaces'][intf]['peer'][p]['endpoint']:
                 cmd += " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint']
 
+            if c['interfaces'][intf]['peer'][p]['persistent-keepalive']:
+                cmd += " persistent-keepalive " + str( c['interfaces'][intf]['peer'][p]['persistent-keepalive'])
+
             sl.syslog(sl.LOG_NOTICE, "sudo " + cmd)
             subprocess.call([ 'sudo ' + cmd], shell=True)
 
-- 
cgit v1.2.3

From 14f37d3ecbab133b0259de540ae16bd065494dd7 Mon Sep 17 00:00:00 2001
From: hagbard
Date: Fri, 17 Aug 2018 22:38:06 +0000
Subject: T783: to disable keepalive is has to be set to 0.

---
 src/conf_mode/wireguard.py | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index 94378a6ef..e1c076e2a 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
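Review bot: In the apply() hunk the new loop walks `c_eff.list_nodes(intf + ' peer')` but deletes from `c['interfaces'][intf]['peer'][p]`, so a peer present on one side only would raise KeyError; whether list_nodes on c_eff reads the effective or the candidate tree is not visible here and needs confirming. Independently, `del c['interfaces'][intf]['peer'][p]['persistent-keepalive']` runs whenever the two readings compare equal, which presumably includes a peer with no keepalive on either side, and for such a peer the key was never stored (the get_config hunk above sets it only under `c.exists`), so the `del` itself raises; `c['interfaces'][intf]['peer'][p].pop('persistent-keepalive', None)` covers that. The reworked loop in the next commit of this series keeps both behaviours. apply()'s body starts before this hunk.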
@@ -196,11 +196,27 @@ def apply(c):
 
             ### persistent-keepalive
             for p in c_eff.list_nodes(intf + ' peer'):
-                pklv_eff = c_eff.return_effective_value(intf + ' peer ' + p + ' persistent-keepalive')
-                pklv = c_eff.return_value(intf + ' peer ' + p + ' persistent-keepalive')
-                if pklv_eff == pklv:
+                val_eff = ""
+                val = ""
+
+                if c_eff.exists_effective(intf + ' peer ' + p + ' persistent-keepalive'):
+                    val_eff = c_eff.return_effective_value(intf + ' peer ' + p + ' persistent-keepalive')
+
+                if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]:
+                    val = c['interfaces'][intf]['peer'][p]['persistent-keepalive']
+
+                ### disable keepalive
+                if val_eff and not val:
+                    c['interfaces'][intf]['peer'][p]['persistent-keepalive'] = 0
+
+                ### set ne keepalive value
+                if not val_eff and val:
+                    c['interfaces'][intf]['peer'][p]['persistent-keepalive'] = val
+
+                ## config == effective config, no change
+                if val_eff == val:
                     del c['interfaces'][intf]['peer'][p]['persistent-keepalive']
-
+
 
             ## wg command call
             configure_interface(c,intf)
 
@@ -228,7 +244,7 @@ def configure_interface(c, intf):
             if c['interfaces'][intf]['peer'][p]['endpoint']:
                 cmd += " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint']
 
-            if c['interfaces'][intf]['peer'][p]['persistent-keepalive']:
+            if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]:
                 cmd += " persistent-keepalive " + str( c['interfaces'][intf]['peer'][p]['persistent-keepalive'])
 
             sl.syslog(sl.LOG_NOTICE, "sudo " + cmd)
-- 
cgit v1.2.3
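Review bot: The final `if val_eff == val:` branch still executes `del c['interfaces'][intf]['peer'][p]['persistent-keepalive']` when both readings are the empty default, i.e. for any peer with no keepalive configured on either side, and in that case the key was never stored (the `'persistent-keepalive' in ...` test a few lines up acknowledges it may be absent), so the `del` raises KeyError and apply() aborts for the whole interface; `c['interfaces'][intf]['peer'][p].pop('persistent-keepalive', None)` handles both the configured-and-unchanged and the never-configured case. The three `if` blocks are exclusive in effect but written as independent statements; an `if`/`elif`/`else` chain would make the disable/set/unchanged decision read as one. `### set ne keepalive value` presumably means `### set new keepalive value`. apply()'s body starts before this hunk.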