diff --git a/op-mode-definitions/wireguard.xml.in b/op-mode-definitions/wireguard.xml.in
index a84980b44..ac3daa3b8 100644
--- a/op-mode-definitions/wireguard.xml.in
+++ b/op-mode-definitions/wireguard.xml.in
@@ -1,194 +1,171 @@
 <?xml version="1.0"?>
 <!-- Wireguard key management -->
 <interfaceDefinition>
 <node name="generate">
 <children>
 <node name="wireguard">
 <properties>
 <help>Generate Wireguard keys</help>
 </properties>
 <children>
- <leafNode name="default-keypair">
- <properties>
- <help>Generate the default Wireguard keypair</help>
- </properties>
- <command>sudo ${vyos_op_scripts_dir}/wireguard.py --genkey</command>
- </leafNode>
- <leafNode name="preshared-key">
- <properties>
- <help>Generate a Wireguard preshared key</help>
- </properties>
- <command>${vyos_op_scripts_dir}/wireguard.py --genpsk</command>
- </leafNode>
- <tagNode name="named-keypairs">
- <properties>
- <help>Generate specified Wireguard keypairs</help>
- </properties>
- <command>sudo ${vyos_op_scripts_dir}/wireguard.py --genkey --location "$4"</command>
- </tagNode>
 <tagNode name="client-config">
 <properties>
 <help>Generate Client config QR code</help>
 <completionHelp>
 <list><client-name></list>
 </completionHelp>
 </properties>
 <children>
 <tagNode name="interface">
 <properties>
 <help>Local interface used for connection</help>
 <completionHelp>
 <script>${vyos_completion_dir}/list_interfaces.py --type wireguard</script>
 </completionHelp>
 </properties>
 <children>
 <tagNode name="server">
 <properties>
 <help>IP address/FQDN used for client connection</help>
 <completionHelp>
 <script>${vyos_completion_dir}/list_local_ips.sh --both</script>
 <list><hostname></list>
 </completionHelp>
 </properties>
 <command>sudo ${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8"</command>
 <children>
 <tagNode name="address">
 <properties>
 <help>IPv4/IPv6 address used by client</help>
 <completionHelp>
 <list><x.x.x.x> <h:h:h:h:h:h:h:h></list>
 </completionHelp>
 </properties>
 <command>sudo ${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8" --address "${10}"</command>
 <children>
 <tagNode name="address">
 <properties>
 <help>IPv4/IPv6 address used by client</help>
 <completionHelp>
 <list><x.x.x.x> <h:h:h:h:h:h:h:h></list>
 </completionHelp>
 </properties>
 <command>sudo ${vyos_op_scripts_dir}/wireguard_client.py --name "$4" --interface "$6" --server "$8" --address "${10}" --address "${12}"</command>
 </tagNode>
 </children>
 </tagNode>
 </children>
 </tagNode>
 </children>
 </tagNode>
 </children>
 </tagNode>
 </children>
 </node>
 </children>
 </node>
 <node name="show">
 <children>
 <node name="wireguard">
 <properties>
 <help>Show Wireguard properties</help>
 </properties>
 <children>
 <node name="keypairs">
 <properties>
 <help>Show Wireguard keys</help>
 </properties>
 <children>
- <tagNode name="pubkey">
+ <leafNode name="pubkey">
 <properties>
- <help>Show specified Wireguard public key</help>
- <completionHelp>
- <script>${vyos_op_scripts_dir}/wireguard.py --listkdir</script>
- </completionHelp>
+ <help>Show Wireguard public keys</help>
 </properties>
- <command>${vyos_op_scripts_dir}/wireguard.py --showpub --location "$5"</command>
- </tagNode>
- <tagNode name="privkey">
+ <command>${vyos_op_scripts_dir}/wireguard.py --showpub</command>
+ </leafNode>
+ <leafNode name="privkey">
 <properties>
- <help>Show specified Wireguard private key</help>
- <completionHelp>
- <script>${vyos_op_scripts_dir}/wireguard.py --listkdir</script>
- </completionHelp>
+ <help>Show Wireguard private keys</help>
 </properties>
- <command>${vyos_op_scripts_dir}/wireguard.py --showpriv --location "$5"</command>
- </tagNode>
+ <command>${vyos_op_scripts_dir}/wireguard.py --showpriv</command>
+ </leafNode>
 </children>
+ <command>${vyos_op_scripts_dir}/wireguard.py --showpub --showpriv</command>
 </node>
 </children>
 </node>
 <node name="interfaces">
 <children>
 <tagNode name="wireguard">
 <properties>
 <help>Show Wireguard interface information</help>
 <completionHelp>
 <script>${vyos_completion_dir}/list_interfaces.py --type wireguard</script>
 </completionHelp>
 </properties>
 <command>sudo ${vyos_op_scripts_dir}/wireguard.py --showinterface "$4"</command>
 <children>
 <leafNode name="allowed-ips">
 <properties>
 <help>Show all IP addresses allowed for the specified interface</help>
 </properties>
 <command>sudo wg show "$4" allowed-ips</command>
 </leafNode>
 <leafNode name="endpoints">
 <properties>
 <help>Show all endpoints for the specified interface</help>
 </properties>
 <command>sudo wg show "$4" endpoints</command>
 </leafNode>
 <leafNode name="peers">
 <properties>
 <help>Show all peer IDs for the specified interface</help>
 </properties>
 <command>sudo wg show "$4" peers</command>
 </leafNode>
 <leafNode name="summary">
 <properties>
 <help>Shows current configuration and device information</help>
 </properties>
 <command>sudo wg show "$4"</command>
 </leafNode>
 </children>
 </tagNode>
 <node name="wireguard">
 <properties>
 <help>Show Wireguard interface information</help>
 </properties>
 <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wireguard --action=show-brief</command>
 <children>
 <leafNode name="detail">
 <properties>
 <help>Show detailed Wireguard interface information</help>
 </properties>
 <command>${vyos_op_scripts_dir}/show_interfaces.py --intf-type=wireguard --action=show</command>
 </leafNode>
 </children>
 </node>
 </children>
 </node>
 </children>
 </node>
 <node name="delete">
 <children>
 <node name="wireguard">
 <properties>
 <help>Delete Wireguard properties</help>
 </properties>
 <children>
 <tagNode name="keypair">
 <properties>
 <help>Delete a Wireguard keypair</help>
 <completionHelp>
 <script>${vyos_op_scripts_dir}/wireguard.py --listkdir</script>
 </completionHelp>
 </properties>
 <command>sudo ${vyos_op_scripts_dir}/wireguard.py --delkdir --location "$4"</command>
 </tagNode>
 </children>
 </node>
 </children>
 </node>
 </interfaceDefinition>
diff --git a/src/op_mode/wireguard.py b/src/op_mode/wireguard.py
index e08bc983a..3ed8e17ca 100755
--- a/src/op_mode/wireguard.py
+++ b/src/op_mode/wireguard.py
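Review bot: The unchanged `delete wireguard keypair` tagNode near the end of this file still invokes `sudo ${vyos_op_scripts_dir}/wireguard.py --delkdir --location "$4"` and completes with `wireguard.py --listkdir`, but the Python side of this commit removes the `--delkdir`, `--location` and `--listkdir` arguments from the parser, so the command (and its tab completion) will now fail with an argparse "unrecognized arguments" error. Since the on-disk key directories this node deleted are no longer managed by the script, the whole `<node name="delete">` subtree should be removed in the same commit rather than left as a dead, sudo-wrapped entry point. Separately, the node-level `<command>${vyos_op_scripts_dir}/wireguard.py --showpub --showpriv</command>` added under `keypairs` means a bare `show wireguard keypairs` now prints private key material to the terminal by default; consider whether the default should be `--showpub` only, with `privkey` remaining the explicit opt-in.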
@@ -1,159 +1,87 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018-2020 VyOS maintainers and contributors
+# Copyright (C) 2018-2021 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import argparse
-import os
 import sys
-import shutil
-import syslog as sl
-import re
+import tabulate
 from vyos.config import Config
 from vyos.ifconfig import WireGuardIf
 from vyos.util import cmd
-from vyos.util import run
-from vyos.util import check_kmod
 from vyos import ConfigError
-dir = r'/config/auth/wireguard'
-psk = dir + '/preshared.key'
-
-k_mod = 'wireguard'
-
-def generate_keypair(pk, pub):
- """ generates a keypair which is stored in /config/auth/wireguard """
- old_umask = os.umask(0o027)
- if run(f'wg genkey | tee {pk} | wg pubkey > {pub}') != 0:
- raise ConfigError("wireguard key-pair generation failed")
- else:
- sl.syslog(
- sl.LOG_NOTICE, "new keypair wireguard key generated in " + dir)
- os.umask(old_umask)
-
-
-def genkey(location):
- """ helper function to check, regenerate the keypair """
- pk = "{}/private.key".format(location)
- pub = "{}/public.key".format(location)
- old_umask = os.umask(0o027)
- if os.path.exists(pk) and os.path.exists(pub):
- try:
- choice = input(
- "You already have a wireguard key-pair, do you want to re-generate? [y/n] ")
- if choice == 'y' or choice == 'Y':
- generate_keypair(pk, pub)
- except KeyboardInterrupt:
- sys.exit(0)
- else:
- """ if keypair is bing executed from a running iso """
- if not os.path.exists(location):
- run(f'sudo mkdir -p {location}')
- run(f'sudo chgrp vyattacfg {location}')
- run(f'sudo chmod 750 {location}')
- generate_keypair(pk, pub)
- os.umask(old_umask)
-
-
-def showkey(key):
- """ helper function to show privkey or pubkey """
- if os.path.exists(key):
- print (open(key).read().strip())
- else:
- print ("{} not found".format(key))
-
-
-def genpsk():
- """
- generates a preshared key and shows it on stdout,
- it's stored only in the cli config
- """
-
- psk = cmd('wg genpsk')
- print(psk)
-
-def list_key_dirs():
- """ lists all dirs under /config/auth/wireguard """
- if os.path.exists(dir):
- nks = next(os.walk(dir))[1]
- for nk in nks:
- print (nk)
-
-def del_key_dir(kname):
- """ deletes /config/auth/wireguard/<kname> """
- kdir = "{0}/{1}".format(dir,kname)
- if not os.path.isdir(kdir):
- print ("named keypair {} not found".format(kname))
- return 1
- shutil.rmtree(kdir)
-
+base = ['interfaces', 'wireguard']
+
+def get_public_keys():
+ config = Config()
+ headers = ['Interface', 'Peer', 'Public Key']
+ out = []
+ if config.exists(base):
+ wg_interfaces = config.get_config_dict(base, key_mangling=('-', '_'),
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
+
+ for wg, wg_conf in wg_interfaces.items():
+ if 'peer' in wg_conf:
+ for peer, peer_conf in wg_conf['peer'].items():
+ out.append([wg, peer, peer_conf['public_key']])
+
+ print("Wireguard Public Keys:")
+ print(tabulate.tabulate(out, headers))
+
+def get_private_keys():
+ config = Config()
+ headers = ['Interface', 'Private Key', 'Public Key']
+ out = []
+ if config.exists(base):
+ wg_interfaces = config.get_config_dict(base, key_mangling=('-', '_'),
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
+
+ for wg, wg_conf in wg_interfaces.items():
+ private_key = wg_conf['private_key']
+ public_key = cmd('wg pubkey', input=private_key)
+ out.append([wg, private_key, public_key])
+
+ print("Wireguard Private Keys:")
+ print(tabulate.tabulate(out, headers))
 if __name__ == '__main__':
- check_kmod(k_mod)
 parser = argparse.ArgumentParser(description='wireguard key management')
 parser.add_argument(
- '--genkey', action="store_true", help='generate key-pair')
- parser.add_argument(
- '--showpub', action="store_true", help='shows public key')
- parser.add_argument(
- '--showpriv', action="store_true", help='shows private key')
- parser.add_argument(
- '--genpsk', action="store_true", help='generates preshared-key')
- parser.add_argument(
- '--location', action="store", help='key location within {}'.format(dir))
- parser.add_argument(
- '--listkdir', action="store_true", help='lists named keydirectories')
+ '--showpub', action="store_true", help='shows public keys')
 parser.add_argument(
- '--delkdir', action="store_true", help='removes named keydirectories')
+ '--showpriv', action="store_true", help='shows private keys')
 parser.add_argument(
 '--showinterface', action="store", help='shows interface details')
 args = parser.parse_args()
 try:
- if args.genkey:
- if args.location:
- genkey("{0}/{1}".format(dir, args.location))
- else:
- genkey("{}/default".format(dir))
 if args.showpub:
- if args.location:
- showkey("{0}/{1}/public.key".format(dir, args.location))
- else:
- showkey("{}/default/public.key".format(dir))
+ get_public_keys()
 if args.showpriv:
- if args.location:
- showkey("{0}/{1}/private.key".format(dir, args.location))
- else:
- showkey("{}/default/private.key".format(dir))
- if args.genpsk:
- genpsk()
- if args.listkdir:
- list_key_dirs()
+ get_private_keys()
 if args.showinterface:
 try:
 intf = WireGuardIf(args.showinterface, create=False, debug=False)
 print(intf.operational.show_interface()) # the interface does not exists
 except Exception:
 pass
- if args.delkdir:
- if args.location:
- del_key_dir(args.location)
- else:
- del_key_dir("default")
 except ConfigError as e:
 print(e)
 sys.exit(1)
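Review bot: In `get_private_keys` the new line `private_key = wg_conf['private_key']` indexes the key unconditionally, so an interface whose `private-key` is absent from the running config raises a `KeyError` that the `except ConfigError` at the bottom of `__main__` does not catch, and the user gets a traceback instead of a table; `get_public_keys` has the same exposure on `peer_conf['public_key']`. A two-line guard in the loop keeps the listing robust: `private_key = wg_conf.get('private_key')` followed by `if private_key is None: continue` (or append a placeholder row such as `[wg, '-', '-']` so the interface is still listed). Passing the key to `wg pubkey` via `input=` rather than on the command line is the right choice and worth a comment, e.g. `# key goes over stdin so it never appears in the process list`. Both functions repeat the same `Config()` / `get_config_dict(base, ...)` prologue; a small `_wg_config()` helper would remove the duplication and keep the two mangling options in one place.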