From 8cb56942e141f19af71f97d1093395326c99dbe5 Mon Sep 17 00:00:00 2001 From: hagbard Date: Fri, 17 Aug 2018 16:56:52 +0000 Subject: remove endpoint check, which is optional. server mode find the endpoint from an authenticated package. --- src/conf_mode/wireguard.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 7d52cfe94..3426acbe3 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -135,8 +135,8 @@ def verify(c): for p in c['interfaces'][i]['peer']: if not c['interfaces'][i]['peer'][p]['allowed-ips']: raise ConfigError("allowed-ips required on interface " + i + " for peer " + p) - if not c['interfaces'][i]['peer'][p]['endpoint']: - raise ConfigError("endpoint required on interface " + i + " for peer " + p) +# if not c['interfaces'][i]['peer'][p]['endpoint']: +# raise ConfigError("endpoint required on interface " + i + " for peer " + p) ### eventually check allowed-ips (if it's an ip and valid CIDR or so) ### endpoint needs to be IP:port -- cgit v1.2.3 From 85a80fe59443a91b66185a06e192f99bec30af68 Mon Sep 17 00:00:00 2001 From: hagbard Date: Fri, 17 Aug 2018 18:25:25 +0000 Subject: T427: endpoint is only required for client mode, it's now an optional parameter --- src/conf_mode/wireguard.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 3426acbe3..dda5c4d8a 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -135,8 +135,6 @@ def verify(c): for p in c['interfaces'][i]['peer']: if not c['interfaces'][i]['peer'][p]['allowed-ips']: raise ConfigError("allowed-ips required on interface " + i + " for peer " + p) -# if not c['interfaces'][i]['peer'][p]['endpoint']: -# raise ConfigError("endpoint required on interface " + i + " for peer " + p) ### eventually check allowed-ips (if it's an ip and valid CIDR or so) ### endpoint needs to be IP:port @@ -205,14 +203,19 @@ def configure_interface(c, intf): cmd = "wg set " + intf + \ " listen-port " + c['interfaces'][intf]['lport'] + \ " private-key " + pk + \ - " peer " + p + \ - " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint'] + " peer " + p cmd += " allowed-ips " + for ap in c['interfaces'][intf]['peer'][p]['allowed-ips']: if ap != c['interfaces'][intf]['peer'][p]['allowed-ips'][-1]: cmd += ap + "," else: cmd += ap + + ## endpoint is only required if wg runs as client + if c['interfaces'][intf]['peer'][p]['endpoint']: + cmd += " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint'] + sl.syslog(sl.LOG_NOTICE, "sudo " + cmd) subprocess.call([ 'sudo ' + cmd], shell=True) -- cgit v1.2.3 From f184700bdb0c070be7f3bf9d9b2712581c29e798 Mon Sep 17 00:00:00 2001 From: hagbard Date: Fri, 17 Aug 2018 19:32:47 +0000 Subject: T783: conf mode persistent-keepalive implementation --- interface-definitions/wireguard.xml | 9 +++++++++ src/conf_mode/wireguard.py | 15 +++++++++++++++ 2 files changed, 24 insertions(+) (limited to 'src') diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml index 008f82a0b..eec7a404b 100644 --- a/interface-definitions/wireguard.xml +++ b/interface-definitions/wireguard.xml @@ -68,6 +68,15 @@ Remote endpoint + + + how often send keep alives in seconds + + ^(1|[1-9][0-9]{0,5})$ + + keepliave timer has to be between 1 and 99999 seconds + + diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index dda5c4d8a..94378a6ef 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -116,6 +116,10 @@ def get_config(): if c.exists(cnf + ' peer ' + p + ' endpoint'): config_data['interfaces'][intfc]['peer'][p]['endpoint'] = c.return_value(cnf + ' peer ' + p + ' endpoint') + ### persistent-keepalive + if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'): + config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive') + #print (config_data) return config_data @@ -190,6 +194,14 @@ def apply(c): for addr in addr_add: add_addr(intf, addr) + ### persistent-keepalive + for p in c_eff.list_nodes(intf + ' peer'): + pklv_eff = c_eff.return_effective_value(intf + ' peer ' + p + ' persistent-keepalive') + pklv = c_eff.return_value(intf + ' peer ' + p + ' persistent-keepalive') + if pklv_eff == pklv: + del c['interfaces'][intf]['peer'][p]['persistent-keepalive'] + + ## wg command call configure_interface(c,intf) ### ifalias for snmp from description @@ -216,6 +228,9 @@ def configure_interface(c, intf): if c['interfaces'][intf]['peer'][p]['endpoint']: cmd += " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint'] + if c['interfaces'][intf]['peer'][p]['persistent-keepalive']: + cmd += " persistent-keepalive " + str( c['interfaces'][intf]['peer'][p]['persistent-keepalive']) + sl.syslog(sl.LOG_NOTICE, "sudo " + cmd) subprocess.call([ 'sudo ' + cmd], shell=True) -- cgit v1.2.3 From 14f37d3ecbab133b0259de540ae16bd065494dd7 Mon Sep 17 00:00:00 2001 From: hagbard Date: Fri, 17 Aug 2018 22:38:06 +0000 Subject: T783: to disable keepalive is has to be set to 0. --- src/conf_mode/wireguard.py | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index 94378a6ef..e1c076e2a 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -196,11 +196,27 @@ def apply(c): ### persistent-keepalive for p in c_eff.list_nodes(intf + ' peer'): - pklv_eff = c_eff.return_effective_value(intf + ' peer ' + p + ' persistent-keepalive') - pklv = c_eff.return_value(intf + ' peer ' + p + ' persistent-keepalive') - if pklv_eff == pklv: + val_eff = "" + val = "" + + if c_eff.exists_effective(intf + ' peer ' + p + ' persistent-keepalive'): + val_eff = c_eff.return_effective_value(intf + ' peer ' + p + ' persistent-keepalive') + + if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]: + val = c['interfaces'][intf]['peer'][p]['persistent-keepalive'] + + ### disable keepalive + if val_eff and not val: + c['interfaces'][intf]['peer'][p]['persistent-keepalive'] = 0 + + ### set ne keepalive value + if not val_eff and val: + c['interfaces'][intf]['peer'][p]['persistent-keepalive'] = val + + ## config == effective config, no change + if val_eff == val: del c['interfaces'][intf]['peer'][p]['persistent-keepalive'] - + ## wg command call configure_interface(c,intf) @@ -228,7 +244,7 @@ def configure_interface(c, intf): if c['interfaces'][intf]['peer'][p]['endpoint']: cmd += " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint'] - if c['interfaces'][intf]['peer'][p]['persistent-keepalive']: + if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]: cmd += " persistent-keepalive " + str( c['interfaces'][intf]['peer'][p]['persistent-keepalive']) sl.syslog(sl.LOG_NOTICE, "sudo " + cmd) -- cgit v1.2.3