From: Christoph Heiss <[email protected]> A new module that contains helper functions for dealing with WireGuard config and key generation. They are later used in the API methods, as well as the SDN commit_config.
Co-authored-by: Stefan Hanreich <[email protected]> Signed-off-by: Christoph Heiss <[email protected]> --- src/PVE/Network/SDN/Makefile | 15 ++- src/PVE/Network/SDN/WireGuard.pm | 163 +++++++++++++++++++++++++++++++ 2 files changed, 177 insertions(+), 1 deletion(-) create mode 100644 src/PVE/Network/SDN/WireGuard.pm diff --git a/src/PVE/Network/SDN/Makefile b/src/PVE/Network/SDN/Makefile index d1ffef9..90bfffa 100644 --- a/src/PVE/Network/SDN/Makefile +++ b/src/PVE/Network/SDN/Makefile @@ -1,4 +1,17 @@ -SOURCES=Vnets.pm VnetPlugin.pm Zones.pm Controllers.pm Subnets.pm SubnetPlugin.pm Ipams.pm Dns.pm Dhcp.pm Fabrics.pm Frr.pm +SOURCES=\ + Controllers.pm \ + Dhcp.pm \ + Dns.pm \ + Fabrics.pm \ + Frr.pm \ + Ipams.pm \ + RouteMap.pm \ + SubnetPlugin.pm \ + Subnets.pm \ + VnetPlugin.pm \ + Vnets.pm \ + WireGuard.pm \ + Zones.pm PERL5DIR=${DESTDIR}/usr/share/perl5 diff --git a/src/PVE/Network/SDN/WireGuard.pm b/src/PVE/Network/SDN/WireGuard.pm new file mode 100644 index 0000000..1db44db --- /dev/null +++ b/src/PVE/Network/SDN/WireGuard.pm @@ -0,0 +1,163 @@ +package PVE::Network::SDN::WireGuard; + +use strict; +use warnings; + +=head1 NAME + +C<PVE::Network::SDN::WireGuard> - Helper module for WireGuard + +=head1 DESCRIPTION + +This module contains helpers for handling and applying WireGuard configuration. + +=cut + +use File::Basename; + +use PVE::File; +use PVE::INotify; +use PVE::RESTEnvironment qw(log_warn); +use PVE::Tools qw(file_get_contents file_set_contents run_command); + +use PVE::Network::SDN::Fabrics; + +my $local_wireguard_lock = "/var/lock/proxmox_wg.lock"; +my $wireguard_config_folder = "/etc/wireguard/proxmox"; + +=head3 create_wireguard_keypair($interface_name) + +Creates a new WireGuard keypair on the current node. The keys are stored in the +$wireguard_config_folder path as '${interface_name}.key' and +'${interface_name}.key.pub' respectively. + +If the private key file already exists, then a warning is printed and the +existing corresponding public key returned. + +=cut + +sub create_wireguard_keypair { + my ($interface_name) = @_; + + my $code = sub { + mkdir("/etc/wireguard") if !-d '/etc/wireguard'; + mkdir($wireguard_config_folder) if !-d $wireguard_config_folder; + + my $private_key_file = "$wireguard_config_folder/${interface_name}.key"; + my $public_key_file = "$wireguard_config_folder/${interface_name}.key.pub"; + + if (-e $private_key_file) { + warn + "trying to create keypair for interface $interface_name, but file already exists!\n"; + return PVE::File::file_get_contents($public_key_file); + } + + my $private_key = undef; + PVE::Tools::run_command( + ['wg', 'genkey'], + outfunc => sub { + $private_key = shift; + }, + ); + + my $public_key = undef; + PVE::Tools::run_command( + ['wg', 'pubkey'], + input => $private_key, + outfunc => sub { + $public_key = shift; + }, + ); + + PVE::File::file_set_contents($private_key_file, $private_key, 400); + PVE::File::file_set_contents($public_key_file, $public_key, 400); + + return $public_key; + }; + + my $public_key = PVE::Tools::lock_file($local_wireguard_lock, 10, $code); + die $@ if $@; + + return $public_key; +} + +=head3 delete_wireguard_keypair($interface_name) + +Deletes the public / private key files for a given WireGuard interface with name +$interface_name, if they exist in the filesystem. Otherwise a warning is printed +and nothing deleted. + +=cut + +sub delete_wireguard_keypair { + my ($interface_name) = @_; + + my $code = sub { + unlink "$wireguard_config_folder/${interface_name}.key" + if -e "$wireguard_config_folder/${interface_name}.key"; + + unlink "$wireguard_config_folder/${interface_name}.key.pub" + if -e "$wireguard_config_folder/${interface_name}.key.pub"; + }; + + PVE::Tools::lock_file($local_wireguard_lock, 10, $code); + warn $@ if $@; +} + +=head3 generate_wireguard_config($apply) + +Generates the WireGuard configuration files on the current node, based on the +current running SDN configuration. If $apply is passed, then the WireGuard +configuration will be applied via the syncconf command of wg(8). + +=cut + +sub generate_wireguard_config { + my ($apply) = @_; + + my $fabric_config = PVE::Network::SDN::Fabrics::config(1); + + my $nodename = PVE::INotify::nodename(); + my $raw_config = $fabric_config->get_wireguard_raw_config($nodename); + + if (!-e "/usr/bin/wg") { + warn + "In order to apply the generated WireGuard configuration the package 'wg-tools' needs to be installed.\n"; + } + + write_wireguard_config($raw_config, $apply); +} + +=head3 write_wireguard_config($raw_config) + +Takes a raw_config of the following format: + + interface_name => "<configuration>" + +and generates the respective configuration files in $wireguard_config_folder. If +$apply is set, then the configuration will be synced via the syncconf command of +wg(8). This requires the interfaces to exist on the node, otherwise the wg +command will fail. A warning is emitted in that case. + +=cut + +sub write_wireguard_config { + my ($raw_config, $apply) = @_; + + for my $interface (keys $raw_config->%*) { + PVE::File::file_set_contents( + "$wireguard_config_folder/$interface.conf", + $raw_config->{$interface}, + 400, + ); + + if ($apply) { + eval { + PVE::Tools::run_command( + ['wg', 'syncconf', $interface, "/etc/wireguard/proxmox/$interface.conf"]); + }; + warn $@ if $@; + } + } +} + -- 2.47.3
