From 8cb56942e141f19af71f97d1093395326c99dbe5 Mon Sep 17 00:00:00 2001
From: hagbard <vyosdev@derith.de>
Date: Fri, 17 Aug 2018 16:56:52 +0000
Subject: remove endpoint check, which is optional. server mode finds the
 endpoint from an authenticated packet.

---
 src/conf_mode/wireguard.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index 7d52cfe94..3426acbe3 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
@@ -135,8 +135,8 @@ def verify(c):
         for p in c['interfaces'][i]['peer']:
           if not c['interfaces'][i]['peer'][p]['allowed-ips']:
             raise ConfigError("allowed-ips required on interface " + i + " for peer " + p)
-      if not c['interfaces'][i]['peer'][p]['endpoint']:
-        raise ConfigError("endpoint required on interface " + i + " for peer " + p)
+#      if not c['interfaces'][i]['peer'][p]['endpoint']:
+#        raise ConfigError("endpoint required on interface " + i + " for peer " + p)
 
     ### eventually check allowed-ips (if it's an ip and valid CIDR or so)
     ### endpoint needs to be IP:port
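Review bot: The two added lines are commented-out code rather than a deletion; git already keeps the history, so the check should be removed outright and the `### endpoint needs to be IP:port` note left as the only reminder that endpoint validation is still open. Leaving it under `#` also preserves a misleading shape: the check sat two columns shallower than the `for p` loop above it, so it was only ever applied to the last peer. The body of verify() begins above this hunk.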
-- 
cgit v1.2.3


From 85a80fe59443a91b66185a06e192f99bec30af68 Mon Sep 17 00:00:00 2001
From: hagbard <vyosdev@derith.de>
Date: Fri, 17 Aug 2018 18:25:25 +0000
Subject: T427: endpoint is only required for client mode, it's now an optional
 parameter

---
 src/conf_mode/wireguard.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index 3426acbe3..dda5c4d8a 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
@@ -135,8 +135,6 @@ def verify(c):
         for p in c['interfaces'][i]['peer']:
           if not c['interfaces'][i]['peer'][p]['allowed-ips']:
             raise ConfigError("allowed-ips required on interface " + i + " for peer " + p)
-#      if not c['interfaces'][i]['peer'][p]['endpoint']:
-#        raise ConfigError("endpoint required on interface " + i + " for peer " + p)
 
     ### eventually check allowed-ips (if it's an ip and valid CIDR or so)
     ### endpoint needs to be IP:port
@@ -205,14 +203,19 @@ def configure_interface(c, intf):
     cmd = "wg set " + intf + \
           " listen-port " + c['interfaces'][intf]['lport'] + \
           " private-key " + pk + \
-          " peer " + p + \
-          " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint'] 
+          " peer " + p 
     cmd += " allowed-ips "
+
   for ap in c['interfaces'][intf]['peer'][p]['allowed-ips']:
     if ap != c['interfaces'][intf]['peer'][p]['allowed-ips'][-1]:
       cmd += ap + ","
     else:
       cmd += ap
+
+  ## endpoint is only required if wg runs as client
+  if c['interfaces'][intf]['peer'][p]['endpoint']:
+    cmd += " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint']
+
   sl.syslog(sl.LOG_NOTICE, "sudo " + cmd)
   subprocess.call([ 'sudo ' + cmd], shell=True)
 
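Review bot: The added `cmd += " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint']` feeds a config value that verify() now deliberately leaves unvalidated (the `### endpoint needs to be IP:port` note is still a TODO) into a string executed with `subprocess.call([ 'sudo ' + cmd], shell=True)` two lines below, so any shell metacharacter in the value reaches a root shell; building an argv list and dropping `shell=True` removes the shell from the path and keeps the syslog line identical. The `for ap` loop and the new endpoint block also sit at two-space indent while `cmd =` is at four, so if the loop binding `p` starts above the hunk (its header is not visible), only the last peer's allowed-ips and endpoint are applied. If get_config only stores `endpoint` when it exists, the direct lookup should be `.get('endpoint')` to avoid a KeyError for server-mode peers.
```python
    cmd = ["wg", "set", intf,
           "listen-port", c['interfaces'][intf]['lport'],
           "private-key", pk,
           "peer", p,
           "allowed-ips", ",".join(c['interfaces'][intf]['peer'][p]['allowed-ips'])]

  ## endpoint is only required if wg runs as client
  if c['interfaces'][intf]['peer'][p].get('endpoint'):
    cmd += ["endpoint", c['interfaces'][intf]['peer'][p]['endpoint']]

  sl.syslog(sl.LOG_NOTICE, " ".join(["sudo"] + cmd))
  subprocess.call(["sudo"] + cmd)
```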
-- 
cgit v1.2.3


From f184700bdb0c070be7f3bf9d9b2712581c29e798 Mon Sep 17 00:00:00 2001
From: hagbard <vyosdev@derith.de>
Date: Fri, 17 Aug 2018 19:32:47 +0000
Subject: T783: conf mode persistent-keepalive implementation

---
 interface-definitions/wireguard.xml |  9 +++++++++
 src/conf_mode/wireguard.py          | 15 +++++++++++++++
 2 files changed, 24 insertions(+)

(limited to 'src')

diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml
index 008f82a0b..eec7a404b 100644
--- a/interface-definitions/wireguard.xml
+++ b/interface-definitions/wireguard.xml
@@ -68,6 +68,15 @@
                   <help>Remote endpoint</help>
                 </properties>
               </leafNode>
+              <leafNode name="persistent-keepalive">
+                <properties>
+                  <help>how often send keep alives in seconds</help>
+                  <constraint>
+                    <regex>^(1|[1-9][0-9]{0,5})$</regex>
+                  </constraint>
+                  <constraintErrorMessage>keepliave timer has to be between 1 and 99999 seconds</constraintErrorMessage>
+                </properties>
+              </leafNode>
 
             </children>
           </tagNode>
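Review bot: The constraint `^(1|[1-9][0-9]{0,5})$` accepts up to six digits (1–999999), but the error message promises 1–99999, so values 100000–999999 pass validation while the message says they must not; the `1|` alternative is also redundant because `[1-9][0-9]{0,5}` already matches "1". Aligning the regex with the message gives `<regex>^([1-9][0-9]{0,4})$</regex>`; note that wg(8) itself only accepts persistent-keepalive values up to 65535, so the message and pattern may both want that tighter bound. The message text also has a typo: `keepliave` should read `keepalive`.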
diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index dda5c4d8a..94378a6ef 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
@@ -116,6 +116,10 @@ def get_config():
           if c.exists(cnf + ' peer ' + p + ' endpoint'):
             config_data['interfaces'][intfc]['peer'][p]['endpoint'] = c.return_value(cnf + ' peer ' + p + ' endpoint')
   
+      ### persistent-keepalive
+      if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'):
+        config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive')
+
   #print (config_data)
   return config_data
 
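Review bot: The added `if c.exists(cnf + ' peer ' + p + ' persistent-keepalive'):` block is indented at six spaces while the endpoint read directly above it is at ten, so it appears to run after the loop that binds `p` has finished and would read persistent-keepalive for the last peer only. That loop's header is outside the hunk, so the inference should be confirmed, but the fix is to indent the four new lines to match the `endpoint` check so each peer is handled in turn.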
@@ -190,6 +194,14 @@ def apply(c):
         for addr in addr_add:
           add_addr(intf, addr)
 
+      ### persistent-keepalive 
+      for p in c_eff.list_nodes(intf + ' peer'):
+        pklv_eff = c_eff.return_effective_value(intf + ' peer ' + p + ' persistent-keepalive') 
+        pklv = c_eff.return_value(intf + ' peer ' + p + ' persistent-keepalive')
+        if pklv_eff == pklv:
+          del c['interfaces'][intf]['peer'][p]['persistent-keepalive']
+      
+      ## wg command call
       configure_interface(c,intf)
 
     ### ifalias for snmp from description   
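Review bot: The `del c['interfaces'][intf]['peer'][p]['persistent-keepalive']` removes the key that the configure_interface hunk in this same commit then reads unconditionally via `if c['interfaces'][intf]['peer'][p]['persistent-keepalive']:`, so an unchanged keepalive raises KeyError on every commit. For a peer that has never had the option, `return_effective_value` and `return_value` presumably agree as well, and the `del` itself hits a key get_config never stored. Using `c['interfaces'][intf]['peer'][p].pop('persistent-keepalive', None)` here and `.get('persistent-keepalive')` in configure_interface tolerates both cases. The enclosing `for intf` loop starts above the hunk.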
@@ -216,6 +228,9 @@ def configure_interface(c, intf):
   if c['interfaces'][intf]['peer'][p]['endpoint']:
     cmd += " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint']
 
+  if c['interfaces'][intf]['peer'][p]['persistent-keepalive']:
+    cmd += " persistent-keepalive " + str( c['interfaces'][intf]['peer'][p]['persistent-keepalive'])
+
   sl.syslog(sl.LOG_NOTICE, "sudo " + cmd)
   subprocess.call([ 'sudo ' + cmd], shell=True)
 
-- 
cgit v1.2.3


From 14f37d3ecbab133b0259de540ae16bd065494dd7 Mon Sep 17 00:00:00 2001
From: hagbard <vyosdev@derith.de>
Date: Fri, 17 Aug 2018 22:38:06 +0000
Subject: T783: to disable keepalive it has to be set to 0.

---
 src/conf_mode/wireguard.py | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py
index 94378a6ef..e1c076e2a 100755
--- a/src/conf_mode/wireguard.py
+++ b/src/conf_mode/wireguard.py
@@ -196,11 +196,27 @@ def apply(c):
 
       ### persistent-keepalive 
       for p in c_eff.list_nodes(intf + ' peer'):
-        pklv_eff = c_eff.return_effective_value(intf + ' peer ' + p + ' persistent-keepalive') 
-        pklv = c_eff.return_value(intf + ' peer ' + p + ' persistent-keepalive')
-        if pklv_eff == pklv:
+        val_eff = ""
+        val = "" 
+
+        if c_eff.exists_effective(intf + ' peer ' + p + ' persistent-keepalive'):
+          val_eff = c_eff.return_effective_value(intf + ' peer ' + p + ' persistent-keepalive')
+
+        if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]:
+          val = c['interfaces'][intf]['peer'][p]['persistent-keepalive']
+        
+        ### disable keepalive
+        if val_eff and not val:
+          c['interfaces'][intf]['peer'][p]['persistent-keepalive'] = 0 
+        
+        ### set ne keepalive value
+        if not val_eff and val:
+          c['interfaces'][intf]['peer'][p]['persistent-keepalive'] = val
+  
+        ## config == effective config, no change
+        if val_eff == val:
           del c['interfaces'][intf]['peer'][p]['persistent-keepalive']
-      
+
       ## wg command call
       configure_interface(c,intf)
 
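Review bot: The final `if val_eff == val:` branch also fires when neither side has a value — both default to `""` — and then `del c['interfaces'][intf]['peer'][p]['persistent-keepalive']` raises KeyError because the `'persistent-keepalive' in c[...]` test just above was false and nothing stored the key; guarding with `if val_eff == val and val:` or using `.pop('persistent-keepalive', None)` avoids that. The "set ne keepalive value" branch assigns `val` back to the key it was just read from, so it is a no-op and can be dropped (the comment also misspells "new"). Since the loop iterates `c_eff.list_nodes(intf + ' peer')` while indexing the candidate config, a peer deleted in the candidate would presumably raise KeyError on `c['interfaces'][intf]['peer'][p]` — worth confirming what list_nodes returns.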
@@ -228,7 +244,7 @@ def configure_interface(c, intf):
   if c['interfaces'][intf]['peer'][p]['endpoint']:
     cmd += " endpoint " + c['interfaces'][intf]['peer'][p]['endpoint']
 
-  if c['interfaces'][intf]['peer'][p]['persistent-keepalive']:
+  if 'persistent-keepalive' in c['interfaces'][intf]['peer'][p]:
     cmd += " persistent-keepalive " + str( c['interfaces'][intf]['peer'][p]['persistent-keepalive'])
 
   sl.syslog(sl.LOG_NOTICE, "sudo " + cmd)
-- 
cgit v1.2.3