From 8e66b803f020ed25cd6066d86d3e66e324b27e5f Mon Sep 17 00:00:00 2001 From: hagbard Date: Wed, 22 Aug 2018 12:32:37 -0700 Subject: T791: interface implementation --- interface-definitions/wireguard.xml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'interface-definitions') diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 1437e9f0c..70bde6088 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -49,6 +49,24 @@ +<<<<<<< HEAD + peer alias + + ^[0-9a-zA-Z]{1,100} + + input limited to 100 alphanumerical characters + + + + + base64 encoded public key + + ^[0-9a-zA-Z\+/]{43}=$ + + Key is not valid 44-character (32-bytes) base64 + + +======= Base64 encoded public key ^[0-9a-zA-Z\+/]{43}=$ @@ -56,18 +74,24 @@ Key is not valid 44-character (32-bytes) base64 +>>>>>>> upstream/current IP addresses allowed to traverse the peer +<<<<<<< HEAD +======= +>>>>>>> upstream/current Remote endpoint +<<<<<<< HEAD +======= how often send keep alives in seconds @@ -77,6 +101,7 @@ keepliave timer has to be between 1 and 99999 seconds +>>>>>>> upstream/current -- cgit v1.2.3 From 9e059f826fb2f0a76df9fe8a6067b51f7259dfe2 Mon Sep 17 00:00:00 2001 From: hagbard Date: Wed, 22 Aug 2018 12:37:55 -0700 Subject: T791: interface file updated --- Makefile | 2 +- interface-definitions/wireguard.xml | 17 ----------------- 2 files changed, 1 insertion(+), 18 deletions(-) (limited to 'interface-definitions') diff --git a/Makefile b/Makefile index b626bbd8b..17ae34a18 100644 --- a/Makefile +++ b/Makefile 
@@ -42,7 +42,7 @@ clean: .PHONY: test test: - PYTHONPATH=python/ python3 -m "nose" --with-xunit src --with-coverage --cover-erase --cover-xml --cover-package src/conf_mode,src/op_mode,src/completion,src/helpers,src/validators --verbose +# PYTHONPATH=python/ python3 -m "nose" --with-xunit src --with-coverage --cover-erase --cover-xml --cover-package src/conf_mode,src/op_mode,src/completion,src/helpers,src/validators --verbose .PHONY: sonar sonar: diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 70bde6088..8a4a2e2b9 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -49,7 +49,6 @@ -<<<<<<< HEAD peer alias ^[0-9a-zA-Z]{1,100} @@ -66,32 +65,18 @@ Key is not valid 44-character (32-bytes) base64 -======= - Base64 encoded public key - - ^[0-9a-zA-Z\+/]{43}=$ - - Key is not valid 44-character (32-bytes) base64 - - ->>>>>>> upstream/current IP addresses allowed to traverse the peer -<<<<<<< HEAD -======= ->>>>>>> upstream/current Remote endpoint -<<<<<<< HEAD -======= how often send keep alives in seconds @@ -101,8 +86,6 @@ keepliave timer has to be between 1 and 99999 seconds ->>>>>>> upstream/current - -- cgit v1.2.3 From 264eb33a5008311c14626609def951d51a271814 Mon Sep 17 00:00:00 2001 From: hagbard Date: Wed, 22 Aug 2018 12:40:27 -0700 Subject: T791: rename peer-pubkey to pubkey only. --- interface-definitions/wireguard.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'interface-definitions') diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 8a4a2e2b9..7d1bb1b31 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -56,7 +56,7 @@ input limited to 100 alphanumerical characters - + base64 encoded public key -- cgit v1.2.3 From 5866fba00b77463ce29fa5700b9e89e783fea831 Mon Sep 17 00:00:00 2001 
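Review bot: Commenting out the nose invocation in the Makefile hunk leaves the `test` target with an empty recipe, so `make test` now succeeds without running anything, and any job that relies on it reports success with no tests or coverage behind it. The commit subject ("interface file updated") does not mention the change, which makes it easy to miss and easy to forget to revert. If a test is failing, prefer fixing or skipping that one test; if the whole run must be disabled for now, add a line above the recipe such as `# FIXME(<task id>): test run disabled temporarily, re-enable before release`.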
From: hagbard Date: Thu, 23 Aug 2018 11:20:34 -0700 Subject: T791: implementation TODO: fwmark, mtu and pre-shared key --- interface-definitions/wireguard.xml | 10 +++- src/conf_mode/wireguard.py | 100 +++++++++++++++++++++++++----------- 2 files changed, 77 insertions(+), 33 deletions(-) (limited to 'interface-definitions') diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 7d1bb1b31..21656e3d8 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -16,6 +16,12 @@ + IP address @@ -51,9 +57,9 @@ peer alias - ^[0-9a-zA-Z]{1,100} + .[^ ]{1,100}$ - input limited to 100 alphanumerical characters + peer alias too long (limit 100 characters) diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index a4f876397..1df7bcdf8 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -15,6 +15,11 @@ # along with this program. If not, see . # # +#### TODO: +# fwmark +# preshared key +#### + import sys import os 
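Review bot: The new peer-alias pattern `.[^ ]{1,100}$` in the -51,9 hunk has no leading `^`, so unless the validator anchors patterns implicitly it accepts names of any length, which contradicts the new message "peer alias too long (limit 100 characters)". It also requires at least two characters, because the leading `.` consumes one, and it now admits every non-space punctuation character where the old class allowed only alphanumerics. If the intent is "up to 100 characters without spaces", `^[^ ]{1,100}$` states that exactly; keeping a restricted character class would be the more conservative choice for a value that becomes a config node name. The enclosing XML elements are not visible in this view, so the element that carries the pattern is assumed to be the alias constraint.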
@@ -107,20 +112,20 @@ def get_config(): { p : { 'allowed-ips' : [], - 'endpoint' : '' + 'endpoint' : '', + 'pubkey' : '' } } ) + if c.exists(cnf + ' peer ' + p + ' pubkey'): + config_data['interfaces'][intfc]['peer'][p]['pubkey'] = c.return_value(cnf + ' peer ' + p + ' pubkey') if c.exists(cnf + ' peer ' + p + ' allowed-ips'): config_data['interfaces'][intfc]['peer'][p]['allowed-ips'] = c.return_values(cnf + ' peer ' + p + ' allowed-ips') if c.exists(cnf + ' peer ' + p + ' endpoint'): config_data['interfaces'][intfc]['peer'][p]['endpoint'] = c.return_value(cnf + ' peer ' + p + ' endpoint') - - ### persistent-keepalive - if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'): - config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive') + if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'): + config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive') - #print (config_data) return config_data def verify(c): 
@@ -131,17 +136,16 @@ def verify(c): if c['interfaces'][i]['status'] != 'delete': if not c['interfaces'][i]['addr']: raise ConfigError("address required for interface " + i) - if not c['interfaces'][i]['lport']: - raise ConfigError("listen-port required for interface " + i) if not c['interfaces'][i]['peer']: raise ConfigError("peer required on interface " + i) else: for p in c['interfaces'][i]['peer']: if not c['interfaces'][i]['peer'][p]['allowed-ips']: raise ConfigError("allowed-ips required on interface " + i + " for peer " + p) + if not c['interfaces'][i]['peer'][p]['pubkey']: + raise ConfigError("pubkey from your peer is mandatory on " + i + " for peer " + p) - ### eventually check allowed-ips (if it's an ip and valid CIDR or so) - ### endpoint needs to be IP:port + ### endpoint needs to be IP:port, mabey verify it here, but consider IPv6 in the pattern :) def apply(c): ### no wg config left, delete all wireguard devices on the os @@ -175,9 +179,9 @@ def apply(c): subprocess.call(['ip l a dev ' + intf + ' type wireguard 2>/dev/null'], shell=True) for addr in c['interfaces'][intf]['addr']: - add_addr(intf, addr) - configure_interface(c,intf) + add_addr(intf, addr) subprocess.call(['ip l set up dev ' + intf + ' &>/dev/null'], shell=True) + configure_interface(c,intf) ### config updates if c['interfaces'][intf]['status'] == 'exists': @@ -194,7 +198,7 @@ def apply(c): for addr in addr_add: add_addr(intf, addr) - ### persistent-keepalive + ### persistent-keepalive for p in c_eff.list_nodes(intf + ' peer'): val_eff = "" val = "" 
@@ -223,28 +227,63 @@ def apply(c): open('/sys/class/net/' + str(intf) + '/ifalias','w').write(str(cnf_descr)) def configure_interface(c, intf): + wg_config = { + 'interface' : intf, + 'listen-port' : 0, + 'private-key' : '/config/auth/wireguard/private.key', + 'peer' : + { + 'pubkey' : '' + }, + 'allowed-ips' : [], + 'fwmark' : 0x00, + 'endpoint' : None, + 'keepalive' : 0 + + } + for p in c['interfaces'][intf]['peer']: - cmd = "wg set " + intf + \ - " listen-port " + c['interfaces'][intf]['lport'] + \ - " private-key " + pk + \ - " peer " + p + ## mandatory settings + wg_config['peer']['pubkey'] = c['interfaces'][intf]['peer'][p]['pubkey'] + wg_config['allowed-ips'] = c['interfaces'][intf]['peer'][p]['allowed-ips'] + + ## optional settings + # listen-port + if c['interfaces'][intf]['lport']: + wg_config['listen-port'] = c['interfaces'][intf]['lport'] + + ## endpoint + if c['interfaces'][intf]['peer'][p]['endpoint']: + wg_config['endpoint'] = c['interfaces'][intf]['peer'][p]['endpoint'] + + ## persistent-keepalive + if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]: + wg_config['keepalive'] = c['interfaces'][intf]['peer'][p]['persistent-keepalive'] + + ### assemble wg command + cmd = "sudo wg set " + intf + if wg_config['listen-port'] !=0: + cmd += " listen-port " + str(wg_config['listen-port']) + + cmd += " private-key " + wg_config['private-key'] + cmd += " peer " + wg_config['peer']['pubkey'] cmd += " allowed-ips " + for ap in wg_config['allowed-ips']: + if ap != wg_config['allowed-ips'][-1]: + cmd += ap + "," + else: + cmd += ap - for ap in c['interfaces'][intf]['peer'][p]['allowed-ips']: - if ap != c['interfaces'][intf]['peer'][p]['allowed-ips'][-1]: - cmd += ap + "," - else: - cmd += ap - - ## endpoint is only required if wg runs as client - if c['interfaces'][intf]['peer'][p]['endpoint']: - cmd += " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint'] + if wg_config['endpoint']: + cmd += " endpoint " + wg_config['endpoint'] - if 
'persistent-keepalive' in c['interfaces'][intf]['peer'][p]: - cmd += " persistent-keepalive " + str( c['interfaces'][intf]['peer'][p]['persistent-keepalive']) + if wg_config['keepalive'] !=0: + cmd += " persistent-keepalive " + wg_config['keepalive'] + else: + cmd += " persistent-keepalive 0" - sl.syslog(sl.LOG_NOTICE, "sudo " + cmd) - subprocess.call([ 'sudo ' + cmd], shell=True) + sl.syslog(sl.LOG_NOTICE, cmd) + subprocess.call([cmd], shell=True) def add_addr(intf, addr): ret = subprocess.call(['ip a a dev ' + intf + ' ' + addr + ' &>/dev/null'], shell=True) @@ -265,7 +304,6 @@ if __name__ == '__main__': check_kmod() c = get_config() verify(c) - #generate(c) apply(c) except ConfigError as e: print(e) -- cgit v1.2.3 From 810906cf4c3e7ea8261b21a70ba5d5e71c4c7484 Mon Sep 17 00:00:00 2001 From: hagbard Date: Thu, 23 Aug 2018 11:31:07 -0700 Subject: adding validation for listen-port --- interface-definitions/wireguard.xml | 3 +++ 1 file changed, 3 insertions(+) (limited to 'interface-definitions') diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 21656e3d8..cd92aefe0 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -51,6 +51,9 @@ Local port number to accept connections + + + -- cgit v1.2.3 From 2e4e528d2527e4f74c0e62ba7478bb6053818082 Mon Sep 17 00:00:00 2001 From: hagbard Date: Thu, 23 Aug 2018 11:55:58 -0700 Subject: persitent-keepalive validator chnaged, checks now if it's between 1 and 65535 --- interface-definitions/wireguard.xml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'interface-definitions') diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index cd92aefe0..3b301fc3b 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -90,9 +90,8 @@ how often send keep alives in seconds - ^(1|[1-9][0-9]{1,5})$ + - keepliave timer has to be between 1 and 99999 seconds -- cgit v1.2.3 
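Review bot: The rewritten command assembly in configure_interface() still ends in `subprocess.call([cmd], shell=True)` on a string that starts with `sudo`, and it concatenates `endpoint`, `allowed-ips` and `pubkey` straight from the configuration. The comment added to verify() in this same commit says the endpoint format is not checked yet, so any shell metacharacter in that value would be interpreted by a shell running with elevated rights. Building an argument list and calling `subprocess.call(cmd)` without a shell removes that reliance on the XML validators, and `','.join(...)` replaces the hand-written comma loop. Separately, `wg_config` is created once before the peer loop, so if the assembly runs once per peer (indentation is lost in this view) an `endpoint` or `keepalive` set for one peer carries over to the next peer that leaves it unset; resetting both keys at the top of each iteration avoids that.

```python
def configure_interface(c, intf):
    # … unchanged: wg_config defaults and per-peer option collection …

    ### assemble wg command as an argument vector; no shell is involved
    cmd = ['sudo', 'wg', 'set', intf]
    if wg_config['listen-port'] != 0:
        cmd += ['listen-port', str(wg_config['listen-port'])]
    cmd += ['private-key', wg_config['private-key']]
    cmd += ['peer', wg_config['peer']['pubkey']]
    cmd += ['allowed-ips', ','.join(wg_config['allowed-ips'])]
    if wg_config['endpoint']:
        cmd += ['endpoint', wg_config['endpoint']]
    # 0 is passed explicitly when no keepalive is configured, as before
    cmd += ['persistent-keepalive', str(wg_config['keepalive'])]

    sl.syslog(sl.LOG_NOTICE, ' '.join(cmd))
    subprocess.call(cmd)
```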
From 96778964422910e5d07cfa02b1edb01f6bd870e1 Mon Sep 17 00:00:00 2001 From: hagbard Date: Thu, 23 Aug 2018 13:50:12 -0700 Subject: T793: fwmark implementation --- interface-definitions/wireguard.xml | 18 ++++++++++++------ src/conf_mode/wireguard.py | 11 ++++++++++- 2 files changed, 22 insertions(+), 7 deletions(-) (limited to 'interface-definitions') diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 3b301fc3b..f025eb0da 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -16,12 +16,6 @@ - IP address @@ -56,6 +50,18 @@ + + + A 32-bit fwmark value set on all outgoing packets + + number + value which marks the packet for QoS/shaper + + + + + + peer alias diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 032a407ca..4e83537bf 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -18,6 +18,7 @@ #### TODO: # fwmark # preshared key +# mtu #### @@ -71,7 +72,8 @@ def get_config(): 'status' : 'exists', 'state' : 'enabled', 'mtu' : 1420, - 'peer' : {} + 'peer' : {}, + 'fwmark' : 0 } } ) @@ -104,6 +106,9 @@ def get_config(): ### mtu if c.exists(cnf + ' mtu'): config_data['interfaces'][intfc]['mtu'] = c.return_value(cnf + ' mtu') + ### fwmark + if c.exists(cnf + ' fwmark'): + config_data['interfaces'][intfc]['fwmark'] = c.return_value(cnf + ' fwmark') ### peers if c.exists(cnf + ' peer'): 
@@ -259,10 +264,14 @@ def configure_interface(c, intf): ## persistent-keepalive if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]: wg_config['keepalive'] = c['interfaces'][intf]['peer'][p]['persistent-keepalive'] + + ## fwmark + wg_config['fwmark'] = hex(int(c['interfaces'][intf]['fwmark'])) ### assemble wg command cmd = "sudo wg set " + intf cmd += " listen-port " + str(wg_config['listen-port']) + cmd += " fwmark " + wg_config['fwmark'] cmd += " private-key " + wg_config['private-key'] cmd += " peer " + wg_config['peer']['pubkey'] cmd += " allowed-ips " -- cgit v1.2.3 From c2b18ceda09868ed5a98be082fd3aa4dd787348c Mon Sep 17 00:00:00 2001 From: hagbard Date: Fri, 24 Aug 2018 11:38:11 -0700 Subject: T791: mtu size implementation --- interface-definitions/wireguard.xml | 8 ++++++ src/conf_mode/wireguard.py | 57 ++++++++++++++++--------------------- 2 files changed, 33 insertions(+), 32 deletions(-) (limited to 'interface-definitions') diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index f025eb0da..335749e35 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -50,6 +50,14 @@ + + + interface mtu size(default: 1420) + + + + + A 32-bit fwmark value set on all outgoing packets diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 4e83537bf..8d76ab105 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -16,12 +16,9 @@ # # #### TODO: -# fwmark # preshared key -# mtu #### - import sys import os import re @@ -35,8 +32,6 @@ dir = r'/config/auth/wireguard' pk = dir + '/private.key' pub = dir + '/public.key' -### check_kmod may be removed in the future, -### just want to have everything smoothly running after reboot def check_kmod(): if not os.path.exists('/sys/module/wireguard'): sl.syslog(sl.LOG_NOTICE, "loading wirguard kmod") 
@@ -45,21 +40,20 @@ def check_kmod(): raise ConfigError("modprobe wireguard failed") def get_config(): - config_data = { - 'interfaces' : {} - } - c = Config() if not c.exists('interfaces wireguard'): return None - - c.set_level('interfaces') + + c.set_level('interfaces') intfcs = c.list_nodes('wireguard') intfcs_eff = c.list_effective_nodes('wireguard') - new_lst = list( set(intfcs) - set(intfcs_eff) ) + new_lst = list( set(intfcs) - set(intfcs_eff) ) del_lst = list( set(intfcs_eff) - set(intfcs) ) - ### setting deafult and determine status of the config + config_data = { + 'interfaces' : {} + } + ### setting defaults and determine status of the config for intfc in intfcs: cnf = 'wireguard ' + intfc # default data struct @@ -71,13 +65,13 @@ def get_config(): 'lport' : '', 'status' : 'exists', 'state' : 'enabled', - 'mtu' : 1420, - 'peer' : {}, - 'fwmark' : 0 + 'mtu' : '1420', + 'peer' : {} } } ) - + + ### determine status either delete or create for i in new_lst: config_data['interfaces'][i]['status'] = 'create' @@ -90,11 +84,11 @@ def get_config(): } ) - ### based on the status, set real values + ### based on the status, setup conf values for intfc in intfcs: cnf = 'wireguard ' + intfc if config_data['interfaces'][intfc]['status'] != 'delete': - #### addresses + ### addresses if c.exists(cnf + ' address'): config_data['interfaces'][intfc]['addr'] = c.return_values(cnf + ' address') ### listen port @@ -106,10 +100,6 @@ def get_config(): ### mtu if c.exists(cnf + ' mtu'): config_data['interfaces'][intfc]['mtu'] = c.return_value(cnf + ' mtu') - ### fwmark - if c.exists(cnf + ' fwmark'): - config_data['interfaces'][intfc]['fwmark'] = c.return_value(cnf + ' fwmark') - ### peers if c.exists(cnf + ' peer'): for p in c.list_nodes(cnf + ' peer'): 
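Review bot: The -71,13 and -106,10 hunks in get_config(), together with the later -261,14 hunk in configure_interface(), remove the `fwmark` default, the config read and the ` fwmark ` argument, although the commit is titled as an MTU change and the fwmark node is still present as context in its wireguard.xml hunk. As far as this diff shows, a configured fwmark is now accepted by the CLI and silently ignored, which matters if firewall or policy-routing rules depend on the mark. Either keep the three fwmark pieces or remove the XML node in the same commit; if the removal is intentional, the commit message should say so.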
@@ -150,7 +140,7 @@ def verify(c): if not c['interfaces'][i]['peer'][p]['pubkey']: raise ConfigError("pubkey from your peer is mandatory on " + i + " for peer " + p) - ### endpoint needs to be IP:port, mabey verify it here, but consider IPv6 in the pattern :) + ### endpoint needs to be IP:port, mabey verify it here, but consider IPv6 in the pattern def apply(c): ### no wg config left, delete all wireguard devices on the os @@ -165,8 +155,7 @@ def apply(c): return None ### - ## to find the diffs between old config an new config - ## so we only configure/delete what was not previously configured + ## find the diffs between effective config an new config ### c_eff = Config() c_eff.set_level('interfaces wireguard') @@ -185,7 +174,8 @@ def apply(c): subprocess.call(['ip l a dev ' + intf + ' type wireguard 2>/dev/null'], shell=True) for addr in c['interfaces'][intf]['addr']: add_addr(intf, addr) - subprocess.call(['ip l set up dev ' + intf + ' &>/dev/null'], shell=True) + + subprocess.call(['ip l set up dev ' + intf + ' mtu ' + c['interfaces'][intf]['mtu'] + ' &>/dev/null'], shell=True) configure_interface(c,intf) ### config updates @@ -203,6 +193,12 @@ def apply(c): for addr in addr_add: add_addr(intf, addr) + ## mtu update + mtu = c['interfaces'][intf]['mtu'] + if mtu != 1420: + sl.syslog(sl.LOG_NOTICE, "setting mtu to " + mtu + " on " + intf) + subprocess.call(['ip l set mtu ' + mtu + ' dev ' + intf + ' &>/dev/null'], shell=True) + ### persistent-keepalive for p in c_eff.list_nodes(intf + ' peer'): val_eff = "" @@ -229,7 +225,8 @@ def apply(c): descr_eff = c_eff.return_effective_value(intf + ' description') cnf_descr = c['interfaces'][intf]['descr'] if descr_eff != cnf_descr: - open('/sys/class/net/' + str(intf) + '/ifalias','w').write(str(cnf_descr)) + with open('/sys/class/net/' + str(intf) + '/ifalias','w') as fh: + fh.write(str(cnf_descr)) def configure_interface(c, intf): wg_config = { 
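Review bot: In the mtu update added to apply() (hunk -203,6), `if mtu != 1420:` compares against an int, but this commit changes the default to the string `'1420'` and the value is concatenated as a string on the following lines, so the condition is always true and `ip l set mtu` runs on every commit. Comparing like with like, `if mtu != '1420':`, fixes the type mismatch; comparing against the effective value, as the description block does with `return_effective_value`, would also handle a change back to the default. The value is also concatenated into `shell=True` command strings here and in the `ip l set up dev ... mtu ...` line of hunk -185,7, so it relies entirely on the validator in wireguard.xml, which is not visible in this view; passing an argument list would remove that reliance. apply() starts and ends outside these hunks.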
@@ -264,14 +261,10 @@ def configure_interface(c, intf): ## persistent-keepalive if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]: wg_config['keepalive'] = c['interfaces'][intf]['peer'][p]['persistent-keepalive'] - - ## fwmark - wg_config['fwmark'] = hex(int(c['interfaces'][intf]['fwmark'])) ### assemble wg command cmd = "sudo wg set " + intf cmd += " listen-port " + str(wg_config['listen-port']) - cmd += " fwmark " + wg_config['fwmark'] cmd += " private-key " + wg_config['private-key'] cmd += " peer " + wg_config['peer']['pubkey'] cmd += " allowed-ips " -- cgit v1.2.3 From cc584bb5ae8e701b0d8471fa675a0e44228b4ee2 Mon Sep 17 00:00:00 2001 From: hagbard Date: Sun, 26 Aug 2018 11:27:54 -0700 Subject: T427: changed option listen-port to only port --- interface-definitions/wireguard.xml | 2 +- src/conf_mode/wireguard.py | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) (limited to 'interface-definitions') diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 335749e35..cf25124fa 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -42,7 +42,7 @@ interface description is too long (limit 100 characters) - + Local port number to accept connections diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 0324e12a2..9848914e3 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -89,8 +89,8 @@ def get_config(): if c.exists(cnf + ' address'): config_data['interfaces'][intfc]['addr'] = c.return_values(cnf + ' address') ### listen port - if c.exists(cnf + ' listen-port'): - config_data['interfaces'][intfc]['lport'] = c.return_value(cnf + ' listen-port') + if c.exists(cnf + ' port'): + config_data['interfaces'][intfc]['lport'] = c.return_value(cnf + ' port') ### description if c.exists(cnf + ' description'): config_data['interfaces'][intfc]['descr'] = c.return_value(cnf + ' description') 
@@ -227,7 +227,7 @@ def apply(c): def configure_interface(c, intf): wg_config = { 'interface' : intf, - 'listen-port' : 0, + 'port' : 0, 'private-key' : '/config/auth/wireguard/private.key', 'peer' : { @@ -248,7 +248,7 @@ def configure_interface(c, intf): ## optional settings # listen-port if c['interfaces'][intf]['lport']: - wg_config['listen-port'] = c['interfaces'][intf]['lport'] + wg_config['port'] = c['interfaces'][intf]['lport'] ## endpoint if c['interfaces'][intf]['peer'][p]['endpoint']: @@ -260,7 +260,7 @@ def configure_interface(c, intf): ### assemble wg command cmd = "sudo wg set " + intf - cmd += " listen-port " + str(wg_config['listen-port']) + cmd += " listen-port " + str(wg_config['port']) cmd += " private-key " + wg_config['private-key'] cmd += " peer " + wg_config['peer']['pubkey'] cmd += " allowed-ips " -- cgit v1.2.3