Merge with devel branch (#110)
* back merge main onto devel (#94)

* Update main to latest (#77)

* Updated pkg-plist

* Makefile fix

* Experimenting with wireguard service

* Update README.md

Co-authored-by: vajonam <152501+vajonam@users.noreply.github.com>
Co-authored-by: Manojav Sridhar <manojav@manojav.com>

* docs: add theonemcdonald as a contributor (#84)

* docs: update README.md [skip ci]

* docs: create .all-contributorsrc [skip ci]

Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com>

* Update README.md

* Update README.md

* Update .all-contributorsrc

* Update .all-contributorsrc

* Update README.md

* Update README.md

* Update Makefile

* Cleanup

* Cleanup

* Clean upload of v0.1.2

* Create FUNDING.yml

* Add files via upload

Co-authored-by: vajonam <152501+vajonam@users.noreply.github.com>
Co-authored-by: Manojav Sridhar <manojav@manojav.com>
Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com>

* Clean ups

* Syntax

* Updated README

* Improve input error clarity

* Syntax

* More syntax

* Fix missing address, allowedip fields after tunnel or peer input errors

* Reorganized peer post validation

* Reorder all input errors to be consistent with UI order

* Fix input being flushed on peer validation error

* Fix

* Test

* Fix #98

* Also Fix #98

* v0.1.3 will be reserved for the next PR with Netgate

* Further fixes #98

* More fixes for #98...

* Removed exit() while working on #98

* Refactor wg_generate_tunnel_address_popover_link for readability

* Working on guiconfig cleaning

* Should fix #99

* Fix variable #99

* Fix re-saving unchanged tunnel or peer

* Fix broken status icon

* Back out some boilerplate code

* Relocate pf reload trigger on tunnel sync

* Test

* Fixes some php errors on newer PHP versions

* this has to be absolute apparently

* Can't redeclare this

* wg_clamp_key and wg_is_key_clamped functions

* wg_gen_publickey now detects if a privkey was clamped or not

* fix wg_gen_keypair to correctly consume new gen_publickey

* Bump net/wireguard-kmod to 0.0.20210606

* Fix some logic in new functions

* syntax

* Clamp private keys on UI

* Don't block unclamped private keys in the UI

* Validate pre-shared key

* Missed a call that needs tweaking

* Slight cleanup

* Candidate 0.1.3 build for Netgate PR

* Small bump

* Tweak subsystem names

* Testing

* Add some comments to .conf files for the curious

* Add some useful debug bits to .conf files

* Testing extra services restart on apply

* We are now going to restart extra services (currently dpinger and unbound) on config apply (in addition to service restart)

* Bump v0.1.2_5

* Enable data-sortable on relevant tables

* Missed a table

* Peers should become unassigned when their tunnel is deleted

* allowedips needs to be an array even when empty

* Implement package apply conf on tunnels_edit.php

* Tweaks to form post handling

* Syntax

* Private and PSKs are now hidden by default

* Syntax

* sortable tables doesn't play nicely with popovers, will revisit in the future

* Slight UI tweaks

* syntax

* Improve sync logic

* Test

* Testing

* Implement conf file downloads from UI

* Fixed incorrect tunnel name variable

* Bump 0.1.2_6

Co-authored-by: vajonam <152501+vajonam@users.noreply.github.com>
Co-authored-by: Manojav Sridhar <manojav@manojav.com>
Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com>
4 people authored Jun 10, 2021
1 parent 7a5948b commit 2a9b08f
Showing 17 changed files with 547 additions and 283 deletions.
2 changes: 1 addition & 1 deletion net/pfSense-pkg-WireGuard/Makefile
@@ -1,6 +1,6 @@
PORTNAME= pfSense-pkg-WireGuard
PORTVERSION= 0.1.2
PORTREVISION= 1
PORTREVISION= 6
CATEGORIES= net
MASTER_SITES= # empty
DISTFILES= # empty
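Review bot: PORTREVISION jumps from 1 to 6 while PORTVERSION stays at 0.1.2, which matches the "Bump 0.1.2_6" entries in the commit message, but the message also says net/wireguard-kmod was bumped to 0.0.20210606 and no dependency line is visible in this hunk; confirm that the kmod version bump landed in a part of the Makefile not shown here, otherwise the package will keep pulling the previously pinned kmod.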
@@ -10,7 +10,7 @@
* part of pfSense (https://www.pfsense.org)
* Copyright (c) 2015-2021 Rubicon Communications, LLC (Netgate)
* Copyright (c) 2021 R. Christian McDonald
* Copyright (2) 2020 Ascord
* Copyright (2) 2020 Ascrod
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
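Review bot: the name fix (Ascord to Ascrod) is right, but the same line still reads "Copyright (2) 2020" where the two lines above use "(c)"; while touching this line, change "(2)" to "(c)" so the notice is consistent.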
134 changes: 94 additions & 40 deletions net/pfSense-pkg-WireGuard/files/usr/local/pkg/wireguard/wg.inc
@@ -79,14 +79,14 @@ function wg_toggle_tunnel($tunnel_name) {
// We've got meaningful changes...
$changes = true;

// Add tunnel to the list to apply
wg_apply_list_add($tunnel['name'], 'tunnels');
// What tunnel would we need to sync to apply these changes?
$tun_to_sync = $tunnel['name'];

}

}

return array('input_errors' => $input_errors, 'changes' => $changes);
return array('input_errors' => $input_errors, 'changes' => $changes, 'tun_to_sync' => $tun_to_sync);

}
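Review bot: $tun_to_sync is assigned only inside the "meaningful changes" branch, yet the return statement always reads it, so a call that produces no change returns an undefined-variable notice (null) under 'tun_to_sync' unless the variable is initialised above this hunk. Initialise it next to $changes (e.g. `$tun_to_sync = null;`) and have callers test 'changes' before syncing. Note also that the side effect is gone: wg_toggle_tunnel() no longer adds to the apply list, so every caller must now perform the sync itself.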

@@ -130,16 +130,16 @@ function wg_toggle_peer($peer_idx) {
// We've got meaningful changes...
$changes = true;

// Add peer's tunnel to the list to apply
wg_apply_list_add($peer['tun'], 'tunnels');
// What tunnel would we need to sync to apply these changes?
$tun_to_sync = $peer['tun'];

}

}

}

return array('input_errors' => $input_errors, 'changes' => $changes);
return array('input_errors' => $input_errors, 'changes' => $changes, 'tun_to_sync' => $tun_to_sync);

}
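Review bot: same initialisation question as wg_toggle_tunnel(): `$tun_to_sync = $peer['tun'];` is set only when a change is detected but 'tun_to_sync' is always returned, so make sure the variable is initialised before the nested ifs. Four functions in this file now return the identical {input_errors, changes, tun_to_sync} shape; a small helper that builds that array would keep them from drifting apart.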

@@ -178,16 +178,16 @@ function wg_delete_peer($peer_idx) {
// We've got meaningful changes...
$changes = true;

// Add peer's tunnel to the list to apply
wg_apply_list_add($peer['tun'], 'tunnels');
// What tunnel would we need to sync to apply these changes?
$tun_to_sync = $peer['tun'];

}

}

}

return array('input_errors' => $input_errors, 'changes' => $changes);
return array('input_errors' => $input_errors, 'changes' => $changes, 'tun_to_sync' => $tun_to_sync);

}
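Review bot: the tunnel recorded for sync is whatever $peer['tun'] holds, and the commit message says peers become unassigned when their tunnel is deleted; for such a peer $tun_to_sync will carry the unassigned placeholder rather than a tunnel name. Callers should skip the sync when the returned value is not a configured tunnel, or this function should return null in that case, rather than handing the placeholder to wg_tunnel_sync().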

@@ -232,14 +232,14 @@ function wg_delete_tunnel($tunnel_name) {
// We've got meaningful changes...
$changes = true;

// Add tunnel to the list to apply
wg_apply_list_add($tunnel['name'], 'tunnels');
// What tunnel would we need to sync to apply these changes?
$tun_to_sync = $tunnel['name'];

}

}

return array('input_errors' => $input_errors, 'changes' => $changes);
return array('input_errors' => $input_errors, 'changes' => $changes, 'tun_to_sync' => $tun_to_sync);

}
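Review bot: after a delete, the name placed in $tun_to_sync refers to a tunnel that is no longer in the configuration, so the caller's sync has to take the destroy path that the wg_tunnel_sync() comment describes ("builds, rebuilds, or destroys") rather than a rebuild; a one-line comment here saying the returned name is of a tunnel that no longer exists would save the next reader a trip through the sync code. The prior wg_apply_list_add() call had the same shape, so this is not a regression.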

@@ -402,24 +402,26 @@ function wg_do_peer_post($post) {

// We've got meaningful changes...
$changes = true;

// What tunnel would we need to sync to apply these changes?
$tun_to_sync = $pconfig['tun'];

wg_apply_list_add($pconfig['tun'], 'tunnels');

// Now try the old_config tunnel...
// Now try the old_config tunnel?
} elseif (in_array($old_config['tun'], $tunnel_names)) {

// We've got meaningful changes...
$changes = true;

wg_apply_list_add($old_config['tun'], 'tunnels');
// What tunnel would we need to sync to apply these changes?
$tun_to_sync = $old_config['tun'];

}

}

}

return array('input_errors' => $input_errors, 'changes' => $changes, 'pconfig' => $pconfig);
return array('input_errors' => $input_errors, 'changes' => $changes, 'tun_to_sync' => $tun_to_sync, 'pconfig' => $pconfig);

}
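Review bot: when a peer is moved from one tunnel to another only the destination ($pconfig['tun']) is recorded, because the $old_config['tun'] branch is an elseif; the old tunnel keeps the stale peer in its running config until something else syncs it. The previous wg_apply_list_add() code had the same if/elseif shape, but returning a single $tun_to_sync string now bakes the limitation into the return type. Consider returning an array of tunnel names, or syncing $old_config['tun'] as well whenever it differs from $pconfig['tun'].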

@@ -443,23 +445,25 @@ function wg_do_tunnel_post($post) {
// We need to save the "old config" to compare against later...
$pconfig = $old_config = $wgg['tunnels'][$tun_idx];

$key = wg_gen_publickey($post['privatekey']);

$pconfig['name'] = empty($pconfig['name']) ? next_wg_if() : $pconfig['name'];

$pconfig['enabled'] = empty($post['enabled']) ? 'no' : $post['enabled'];
$pconfig['enabled'] = empty($post['enabled']) ? 'no' : $post['enabled'];

$pconfig['descr'] = $post['descr'];
$pconfig['descr'] = $post['descr'];

$pconfig['listenport'] = empty($post['listenport']) ? next_wg_port() : $post['listenport'];
$pconfig['listenport'] = empty($post['listenport']) ? next_wg_port() : $post['listenport'];

$pconfig['privatekey'] = $post['privatekey'];
$pconfig['privatekey'] = $key['privkey'];

$pconfig['publickey'] = wg_gen_publickey($post['privatekey']);
$pconfig['publickey'] = $key['pubkey'];

$pconfig['mtu'] = empty($post['mtu']) ? $wgg['default_mtu'] : $post['mtu'];
$pconfig['mtu'] = empty($post['mtu']) ? $wgg['default_mtu'] : $post['mtu'];

$pconfig['addresses']['row'] = wg_tunnel_addresses($post);

$input_errors = wg_validate_tunnel_post($pconfig, $tun_idx);
$input_errors = wg_validate_tunnel_post($pconfig, $tun_idx);

if (empty($input_errors)) {

@@ -474,14 +478,14 @@ function wg_do_tunnel_post($post) {
// We've got meaningful changes...
$changes = true;

// Add tunnel to the list to apply
wg_apply_list_add($pconfig['name'], 'tunnels');
// What tunnel would we need to sync to apply these changes?
$tun_to_sync = $pconfig['name'];

}

}

return array('input_errors' => $input_errors, 'changes' => $changes, 'pconfig' => $pconfig);
return array('input_errors' => $input_errors, 'changes' => $changes, 'tun_to_sync' => $tun_to_sync, 'pconfig' => $pconfig);

}
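Review bot: same initialisation point as the other functions in this commit: $tun_to_sync is assigned only on meaningful changes but 'tun_to_sync' is always returned; initialise it before the conditional block so the no-change path returns a defined value.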

@@ -535,15 +539,19 @@ function wg_apply_list_add($entry, $list) {

file_put_contents($listpath, serialize($toapplylist));

$toapplylist = unserialize(file_get_contents($listpath));

}

return $toapplylist;

}

/*
* This builds, rebuilds, or destroys tunnel interfaces
* If $tunnels is empty, this will apply to all configured tunnel interfaces
*/
function wg_tunnel_sync($tunnel_names = null) {
function wg_tunnel_sync($tunnel_names = null, $restart_services = false) {
global $wgg;

$tunnels = array();
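Review bot: the added `$toapplylist = unserialize(file_get_contents($listpath));` re-reads the data this function wrote on the line before it, so it costs an unserialize() of a file for no gain; the array is already in $toapplylist. If the round trip is meant to confirm the write, check the return value of file_put_contents() instead, and if this list has to persist on disk, prefer json_encode()/json_decode() over serialize()/unserialize() so a corrupted or tampered list file cannot drive PHP object instantiation. The new $restart_services parameter on wg_tunnel_sync() defaults to false; the doc comment above the function should say when callers are expected to set it.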
@@ -595,6 +603,12 @@ function wg_tunnel_sync($tunnel_names = null) {
// Reload the filter
filter_configure();

if ($restart_services) {

wg_restart_extra_services();

}

}

return array('ret_code' => $ret_code, 'tunnels' => $tunnels);
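Review bot: wg_restart_extra_services() (per the commit message, dpinger and unbound) runs on the same path as filter_configure() whenever $restart_services is true; restarting unbound flushes its cache and briefly stops resolution for every client, so limit this to applies where tunnel addresses or the Unbound ACL actually changed, or at least document it as a visible side effect of "apply". The call has no return check, so a failed restart is invisible: $ret_code still reports only the tunnel sync result.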
@@ -702,27 +716,37 @@ function wg_tunnel_sync_by_name($tunnel_name) {
* This performs some routine checks just to make sure everything is still in order
*/
function wg_resync() {
global $wgg;
global $g, $wgg;

// Create WireGuard configuration files
wg_create_config_files();

// Reinstall earlyshellcmd in case it was accidently deleted
wg_earlyshellcmd_install();
// Not really important if we are installing...
if (!$g['wireguard_installing']) {

// Recreate interface group in case it was accidently deleted
wg_ifgroup_install();
// Reinstall earlyshellcmd in case it was accidently deleted
wg_earlyshellcmd_install();

// Update Unbound ACL by recreating it
wg_unbound_acl_install();
// Recreate interface group in case it was accidently deleted
wg_ifgroup_install();

// Update Unbound ACL by recreating it
wg_unbound_acl_install();

}

// We don't want active tunnels when the service isn't running
if (is_module_loaded($wgg['kmod']) && !wg_is_service_running()) {
if (!wg_is_service_running() &&
is_module_loaded($wgg['kmod']) &&
!is_subsystem_dirty($wgg['subsystems']['postboot'])) {

wg_destroy_tunnels();

}

// We definitely aren't installing at this point...
unset($g['wireguard_installing']);

}
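Review bot: unset($g['wireguard_installing']) runs unconditionally at the end, so the install guard skips the earlyshellcmd/ifgroup/Unbound ACL reinstall only on the first wg_resync() after the flag is set; if that is intended, the comment "We definitely aren't installing at this point..." should say that this call is what clears the flag. The guard around wg_destroy_tunnels() now spans three lines with `&&` at line ends while the rest of the file keeps conditions on one line; style nit, but a short comment on why a dirty postboot subsystem should keep tunnels alive while the service is not running would help the next reader more than the reformat.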

/*
@@ -889,16 +913,28 @@ function wg_remove_config_settings() {
function make_wg_conf($tunnel) {
global $wgg;

$txt = "# This WireGuard config file has been created automatically. Do not edit!\n";
$txt = "# This WireGuard config file has been created automatically. Do not edit!\n\n";

$txt .= "# Description: {$tunnel['descr']}\n\n";
$txt .= "# Description: {$tunnel['descr']}\n";

// Process Interfaces section
$txt .= "[Interface]\n";

if (!empty($tunnel['privatekey'])) {

$txt .= "PrivateKey = {$tunnel['privatekey']}\n";
$key = wg_gen_publickey($tunnel['privatekey']);

if (!$key['was_clamped']) {

$txt .= "# The provided PrivateKey was not pre-clamped by the key generator.\n";

$txt .= "# PrivateKey = {$key['privkey']}\n";

$txt .= "# PublicKey = {$key['pubkey']}\n";

}

$txt .= "PrivateKey = {$key['privkey_clamped']}\n";

}

@@ -935,7 +971,6 @@ function make_wg_conf($tunnel) {

}


if (is_array($peer['allowedips']['row'])) {

$allowedips = implode(',', array_map(fn($x) => "{$x['address']}/{$x['mask']}", $peer['allowedips']['row']));
@@ -977,4 +1012,23 @@ function make_wg_conf($tunnel) {

}

function wg_download_tunnel($tunnel_name, $failure_redirect) {
global $wgg;

// Make sure conf files are current
wg_resync();

$conf_path = "{$wgg['conf_path']}/{$tunnel_name}.conf";

if (file_exists($conf_path)) {

send_user_download('file', $conf_path);

}

// If something goes wrong, bail out to the failure redirect location
header("Location: {$failure_redirect}");

}

?>
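Review bot: $tunnel_name is interpolated straight into "{$wgg['conf_path']}/{$tunnel_name}.conf" with no validation visible in this function; if the calling page passes request input, a name containing "../" selects any readable .conf on the system. Resolve the name against the configured tunnels (the rest of this file works from $wgg['tunnels']) or at least basename() it before building the path. There is no exit after send_user_download(), so the Location header is emitted after the file body (or a "headers already sent" warning is logged); add `exit;` after the download and after the redirect. wg_resync() is also a heavy call for a download: it rewrites every config file and may destroy tunnels, whereas wg_create_config_files() alone would make the file current. Since the .conf contains PrivateKey, the calling page also needs to sit behind the package's privilege so only administrators can fetch it (not visible here).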