#!/usr/bin/env python3 # # Copyright (C) 2018 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. # # import sys import os import re import syslog as sl import subprocess from vyos.config import Config from vyos import ConfigError from vyos.ifconfig import WireGuardIf ifname = str(os.environ['VYOS_TAGNODE_VALUE']) intfc = WireGuardIf(ifname) dir = r'/config/auth/wireguard' pk = dir + '/private.key' pub = dir + '/public.key' psk_file = dir + '/psk' def check_kmod(): if not os.path.exists('/sys/module/wireguard'): sl.syslog(sl.LOG_NOTICE, "loading wirguard kmod") if os.system('sudo modprobe wireguard') != 0: sl.syslog(sl.LOG_NOTICE, "modprobe wireguard failed") raise ConfigError("modprobe wireguard failed") def get_config(): c = Config() if not c.exists('interfaces wireguard'): return None config_data = { ifname: { 'addr': '', 'descr': ifname, 'lport': None, 'status': 'exists', 'state': 'enabled', 'fwmark': 0x00, 'mtu': 1420, 'peer': {} } } c.set_level('interfaces wireguard') if not c.exists_effective(ifname): config_data[ifname]['status'] = 'create' if not c.exists(ifname) and c.exists_effective(ifname): config_data[ifname]['status'] = 'delete' if config_data[ifname]['status'] != 'delete': if c.exists(ifname + ' address'): config_data[ifname]['addr'] = c.return_values(ifname + ' address') if c.exists(ifname + ' disable'): config_data[ifname]['state'] = 'disable' if c.exists(ifname + ' port'): config_data[ifname]['lport'] = c.return_value(ifname + ' port') if c.exists(ifname + ' fwmark'): config_data[ifname]['fwmark'] = c.return_value(ifname + ' fwmark') if c.exists(ifname + ' description'): config_data[ifname]['descr'] = c.return_value( ifname + ' description') if c.exists(ifname + ' mtu'): config_data[ifname]['mtu'] = c.return_value(ifname + ' mtu') if c.exists(ifname + ' peer'): for p in c.list_nodes(ifname + ' peer'): if not c.exists(ifname + ' peer ' + p + ' disable'): config_data[ifname]['peer'].update( { p: { 'allowed-ips': [], 'endpoint': '', 'pubkey': '' } } ) if c.exists(ifname + ' peer ' + p + ' pubkey'): config_data[ifname]['peer'][p]['pubkey'] = c.return_value( ifname + ' peer ' + p + ' pubkey') if c.exists(ifname + ' peer ' + p + ' allowed-ips'): config_data[ifname]['peer'][p]['allowed-ips'] = c.return_values( ifname + ' peer ' + p + ' allowed-ips') if c.exists(ifname + ' peer ' + p + ' endpoint'): config_data[ifname]['peer'][p]['endpoint'] = c.return_value( ifname + ' peer ' + p + ' endpoint') if c.exists(ifname + ' peer ' + p + ' persistent-keepalive'): config_data[ifname]['peer'][p]['persistent-keepalive'] = c.return_value( ifname + ' peer ' + p + ' persistent-keepalive') if c.exists(ifname + ' peer ' + p + ' preshared-key'): config_data[ifname]['peer'][p]['psk'] = c.return_value( ifname + ' peer ' + p + ' preshared-key') return config_data def verify(c): if not c: return None if not os.path.exists(pk): raise ConfigError( "No keys found, generate them by executing: \'run generate wireguard keypair\'") if c[ifname]['status'] != 'delete': if not c[ifname]['addr']: raise ConfigError("ERROR: IP address required") if not c[ifname]['peer']: raise ConfigError("ERROR: peer required") for p in c[ifname]['peer']: if not c[ifname]['peer'][p]['allowed-ips']: raise ConfigError("ERROR: allowed-ips required for peer " + p) if not c[ifname]['peer'][p]['pubkey']: raise ConfigError("peer pubkey required for peer " + p) def apply(c): # no wg config left, delete all wireguard devices, if any if not c: net_devs = os.listdir('/sys/class/net/') for dev in net_devs: if os.path.isdir('/sys/class/net/' + dev): buf = open('/sys/class/net/' + dev + '/uevent', 'r').read() if re.search("DEVTYPE=wireguard", buf, re.I | re.M): wg_intf = re.sub("INTERFACE=", "", re.search( "INTERFACE=.*", buf, re.I | re.M).group(0)) sl.syslog(sl.LOG_NOTICE, "removing interface " + wg_intf) subprocess.call( ['ip l d dev ' + wg_intf + ' >/dev/null'], shell=True) return None # interface removal if c[ifname]['status'] == 'delete': sl.syslog(sl.LOG_NOTICE, "removing interface " + ifname) intfc.remove() return None c_eff = Config() c_eff.set_level('interfaces wireguard') # interface state if c[ifname]['state'] == 'disable': sl.syslog(sl.LOG_NOTICE, "disable interface " + ifname) intfc.state = 'down' else: if not intfc.state == 'up': sl.syslog(sl.LOG_NOTICE, "enable interface " + ifname) intfc.state = 'up' # IP address if not c_eff.exists_effective(ifname + ' address'): for ip in c[ifname]['addr']: intfc.add_addr(ip) else: addr_eff = c_eff.return_effective_values(ifname + ' address') addr_rem = list(set(addr_eff) - set(c[ifname]['addr'])) addr_add = list(set(c[ifname]['addr']) - set(addr_eff)) if len(addr_rem) != 0: for ip in addr_rem: sl.syslog( sl.LOG_NOTICE, "remove IP address {0} from {1}".format(ip, ifname)) intfc.del_addr(ip) if len(addr_add) != 0: for ip in addr_add: sl.syslog( sl.LOG_NOTICE, "add IP address {0} to {1}".format(ip, ifname)) intfc.add_addr(ip) # interface MTU if c[ifname]['mtu'] != 1420: intfc.mtu = int(c[ifname]['mtu']) else: # default is set to 1420 in config_data intfc.mtu = int(c[ifname]['mtu']) # ifalias for snmp from description descr_eff = c_eff.return_effective_value(ifname + ' description') if descr_eff != c[ifname]['descr']: intfc.ifalias = str(c[ifname]['descr']) # peer deletion peer_eff = c_eff.list_effective_nodes(ifname + ' peer') peer_cnf = [] try: for p in c[ifname]['peer']: peer_cnf.append(p) except KeyError: pass peer_rem = list(set(peer_eff) - set(peer_cnf)) for p in peer_rem: pkey = c_eff.return_effective_value(ifname + ' peer ' + p + ' pubkey') intfc.remove_peer(pkey) # peer key update for p in peer_eff: if p in peer_cnf: ekey = c_eff.return_effective_value( ifname + ' peer ' + p + ' pubkey') nkey = c[ifname]['peer'][p]['pubkey'] if nkey != ekey: sl.syslog( sl.LOG_NOTICE, "peer {0} pubkey changed from {1} to {2} on interface {3}".format(p, ekey, nkey, ifname)) print ( "peer {0} pubkey changed from {1} to {2} on interface {3}".format(p, ekey, nkey, ifname)) intfc.remove_peer(ekey) intfc.config['private-key'] = pk for p in c[ifname]['peer']: intfc.config['pubkey'] = str(c[ifname]['peer'][p]['pubkey']) intfc.config['allowed-ips'] = (c[ifname]['peer'][p]['allowed-ips']) # listen-port if c[ifname]['lport']: intfc.config['port'] = c[ifname]['lport'] # fwmark if c[ifname]['fwmark']: intfc.config['fwmark'] = c[ifname]['fwmark'] # endpoint if c[ifname]['peer'][p]['endpoint']: intfc.config['endpoint'] = c[ifname]['peer'][p]['endpoint'] # persistent-keepalive if 'persistent-keepalive' in c[ifname]['peer'][p]: intfc.config['keepalive'] = c[ifname][ 'peer'][p]['persistent-keepalive'] # preshared-key - needs to be read from a file if 'psk' in c[ifname]['peer'][p]: old_umask = os.umask(0o077) open(psk_file, 'w').write(str(c[ifname]['peer'][p]['psk'])) os.umask(old_umask) intfc.config['psk'] = psk_file intfc.update() if __name__ == '__main__': try: check_kmod() c = get_config() verify(c) apply(c) except ConfigError as e: print(e) sys.exit(1)