From f7456361b5b94f3c69f8fa0f34f8bff0ef68f9aa Mon Sep 17 00:00:00 2001
From: hagbard
Date: Mon, 9 Sep 2019 09:32:57 -0700
Subject: [wireguard] - T1639: wireguard pubkey change error
- removed sudo as is already runs as root
- set privte key as variable in preparation to support multiple pk's
---
python/vyos/ifconfig.py | 4 ++--
src/conf_mode/interface-wireguard.py | 15 +++++----------
2 files changed, 7 insertions(+), 12 deletions(-)
diff --git a/python/vyos/ifconfig.py b/python/vyos/ifconfig.py
index 5b1c11a47..62bf94d79 100644
--- a/python/vyos/ifconfig.py
+++ b/python/vyos/ifconfig.py
@@ -1349,7 +1349,7 @@ class WireGuardIf(Interface):
 # fmask permission check?
 pass
- cmd = "sudo wg set {} ".format(self._ifname)
+ cmd = "wg set {} ".format(self._ifname)
 cmd += "listen-port {} ".format(self.config['port'])
 cmd += "fwmark {} ".format(str(self.config['fwmark']))
 cmd += "private-key {} ".format(self.config['private-key'])
@@ -1380,7 +1380,7 @@ class WireGuardIf(Interface):
 Giving it a readable name is a vyos feature, to remove a peer the pubkey and the interface is needed, to remove the entry.
 """
- cmd = "sudo wg set {0} peer {1} remove".format(
+ cmd = "wg set {0} peer {1} remove".format(
 self._ifname, str(peerkey))
 self._cmd(cmd)
diff --git a/src/conf_mode/interface-wireguard.py b/src/conf_mode/interface-wireguard.py
index e7b9a267f..4c0e90ca6 100755
--- a/src/conf_mode/interface-wireguard.py
+++ b/src/conf_mode/interface-wireguard.py
@@ -29,12 +29,6 @@ from vyos.ifconfig import WireGuardIf
 ifname = str(os.environ['VYOS_TAGNODE_VALUE'])
 intfc = WireGuardIf(ifname)
-dir = r'/config/auth/wireguard'
-pk = dir + '/private.key'
-pub = dir + '/public.key'
-psk_file = dir + '/psk'
-
-
 def check_kmod():
 if not os.path.exists('/sys/module/wireguard'):
 sl.syslog(sl.LOG_NOTICE, "loading wirguard kmod")
@@ -57,7 +51,8 @@ def get_config():
 'state': 'enabled',
 'fwmark': 0x00,
 'mtu': 1420,
- 'peer': {}
+ 'peer': {},
+ 'pk' : '/config/auth/wireguard/private.key'
 }
 }
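Review bot: The command at `+ cmd = "wg set {} ".format(self._ifname)` is still assembled by string concatenation from `self.config['port']`, `self.config['fwmark']` and `self.config['private-key']` and handed to `self._cmd(cmd)` as one string; whether `_cmd` interprets that through a shell is not visible here, but if it does, an unquoted config value becomes part of the command line rather than a single argument. Passing an argument list such as `['wg', 'set', self._ifname, 'listen-port', str(self.config['port']), ...]` to a non-shell runner removes the ambiguity; the same applies to the `peer {1} remove` command in the hunk at 1380. Dropping `sudo` relies on the caller already running as root, as the commit message states, and a one-line comment `# conf_mode scripts already run as root; no sudo needed` above the assignment would record that assumption where the next reader looks. The enclosing methods start and end outside both hunks.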
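Review bot: `'pk' : '/config/auth/wireguard/private.key'` puts a space before the colon, unlike every other key in this literal; `'pk': '/config/auth/wireguard/private.key'` matches the surrounding style. Because the key path now sits in the same per-interface dict as user-supplied values, a short comment stating whether `'pk'` is a fixed default or can later be overridden from the config tree would help, since that decides whether `verify()` must validate the path as well as its existence. `get_config()` continues past the hunk, so whether the value is overwritten later cannot be seen here.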
@@ -112,12 +107,11 @@ def get_config():
 return config_data
-
 def verify(c):
 if not c:
 return None
- if not os.path.exists(pk):
+ if not os.path.exists(c[ifname]['pk']):
 raise ConfigError(
 "No keys found, generate them by executing: \'run generate wireguard keypair\'")
@@ -225,7 +219,7 @@ def apply(c):
 sl.LOG_NOTICE, "peer {0} pubkey changed from {1} to {2} on interface {3}".format(p, ekey, nkey, ifname))
 intfc.remove_peer(ekey)
- intfc.config['private-key'] = pk
+ intfc.config['private-key'] = c[ifname]['pk']
 for p in c[ifname]['peer']:
 intfc.config['pubkey'] = str(c[ifname]['peer'][p]['pubkey'])
 intfc.config['allowed-ips'] = (c[ifname]['peer'][p]['allowed-ips'])
@@ -249,6 +243,7 @@ def apply(c):
 # preshared-key - needs to be read from a file
 if 'psk' in c[ifname]['peer'][p]:
+ psk_file = '/config/auth/wireguard/psk'
 old_umask = os.umask(0o077)
 open(psk_file, 'w').write(str(c[ifname]['peer'][p]['psk']))
 os.umask(old_umask)
--
cgit v1.2.3
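Review bot: `if not os.path.exists(c[ifname]['pk']):` only confirms that the private key file exists; nothing in verify() rejects a key file that is group- or world-readable, and the ifconfig.py hunk at 1349 still carries the `# fmask permission check?` TODO for exactly that. verify() is the natural place for the check, e.g. `if os.stat(c[ifname]['pk']).st_mode & 0o077:` followed by `raise ConfigError("private key {} must be readable by owner only".format(c[ifname]['pk']))`. If the pk path is meant to become user-settable later, as the commit message suggests, verify() should also confine it to the expected key directory. verify()'s body continues outside the hunk.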
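Review bot: `os.umask(0o077)` only governs the mode of a newly created file, so if `/config/auth/wireguard/psk` already exists with a wider mode the `open(psk_file, 'w')` on the next line keeps that mode and writes the preshared key into it; the handle is also never closed explicitly. Creating the file with an explicit mode under a context manager and forcing the mode afterwards closes both gaps, and the umask save/restore then becomes unnecessary. The literal path also repeats the directory already used for `'pk'` in get_config(), so the two could share one definition. apply()'s body continues outside the hunk.
```python
        if 'psk' in c[ifname]['peer'][p]:
            psk_file = '/config/auth/wireguard/psk'
            # explicit mode on create, chmod for a pre-existing file
            fd = os.open(psk_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, 'w') as f:
                f.write(str(c[ifname]['peer'][p]['psk']))
            os.chmod(psk_file, 0o600)
            # … unchanged: remainder of the psk handling …
```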