hassio-addons/addon-wireguard
1
0
Fork 0
mirror of https://github.com/hassio-addons/addon-wireguard.git synced 2025-05-05 03:11:22 +00:00
Code Issues Projects Releases Packages Wiki Activity

🔨 Refactor + better server/peer separation

Browse source
This commit is contained in:
Franck Nijhof 2019-08-28 01:18:50 +02:00
parent d10123b040
commit edceaa6186
No known key found for this signature in database
GPG key ID: D62583BA8AB11CA3
2 changed files with 103 additions and 81 deletions
Download patch file Download diff file Expand all files Collapse all files

6
wireguard/config.json
View file

@ -42,7 +42,8 @@
"addresses": [ "addresses": [
"172.244.66.2" "172.244.66.2"
], ],
"allowed_ips": [] "allowed_ips": [],
"client_allowed_ips": []
} }
] ]
}, },
@ -53,15 +54,18 @@
"addresses": ["str"], "addresses": ["str"],
"dns": ["str"], "dns": ["str"],
"private_key": "str?", "private_key": "str?",
"public_key": "str?",
"post_up": "str?", "post_up": "str?",
"post_down": "str?" "post_down": "str?"
}, },
"peers": [ "peers": [
{ {
"name": "match(^!secret [a-zA-Z0-9_\\-]+$|^[a-zA-Z0-9\\d](?:[a-zA-Z0-9\\d]|-(?=[a-zA-Z0-9\\d])){0,32}$)", "name": "match(^!secret [a-zA-Z0-9_\\-]+$|^[a-zA-Z0-9\\d](?:[a-zA-Z0-9\\d]|-(?=[a-zA-Z0-9\\d])){0,32}$)",
"private_key": "str?",
"public_key": "str?", "public_key": "str?",
"addresses": ["str"], "addresses": ["str"],
"allowed_ips": ["str"], "allowed_ips": ["str"],
"client_allowed_ips": ["str"],
"persistent_keep_alive": "int?", "persistent_keep_alive": "int?",
"endpoint": "str?", "endpoint": "str?",
"pre_shared_key": "str?" "pre_shared_key": "str?"

172
wireguard/rootfs/etc/cont-init.d/config.sh
View file

@ -13,18 +13,21 @@ declare endpoint
declare host declare host
declare keep_alive declare keep_alive
declare name declare name
declare peer_private_key
declare peer_public_key
declare port declare port
declare post_down declare post_down
declare post_up declare post_up
declare pre_shared_key declare pre_shared_key
declare private_key declare server_private_key
declare public_key declare server_public_key
if ! bashio::fs.directory_exists '/ssl/wireguard'; then if ! bashio::fs.directory_exists '/ssl/wireguard'; then
mkdir -p /ssl/wireguard || mkdir -p /ssl/wireguard ||
bashio::exit.nok "Could create wireguard storage folder!" bashio::exit.nok "Could create wireguard storage folder!"
fi fi
# Start creation of configuration
echo "[Interface]" > "${CONFIG}" echo "[Interface]" > "${CONFIG}"
# Check if at least 1 address is specified # Check if at least 1 address is specified
@ -48,16 +51,23 @@ else
echo "DNS = ${dns}" >> ${CONFIG} echo "DNS = ${dns}" >> ${CONFIG}
fi fi
# Add the server's private key to the configuration # Get the server's private key
if bashio::config.has_value 'server.private_key'; then if bashio::config.has_value 'server.private_key'; then
private_key=$(bashio::config 'server.private_key') server_private_key=$(bashio::config 'server.private_key')
else else
if ! bashio::fs.file_exists '/ssl/wireguard/private_key'; then if ! bashio::fs.file_exists '/ssl/wireguard/private_key'; then
umask 077 || bashio::exit.nok "Could not set a proper umask" umask 077 || bashio::exit.nok "Could not set a proper umask"
wg genkey > /ssl/wireguard/private_key || wg genkey > /ssl/wireguard/private_key ||
bashio::exit.nok "Could not generate private key!" bashio::exit.nok "Could not generate private key!"
fi fi
private_key=$(</ssl/wireguard/private_key) server_private_key=$(</ssl/wireguard/private_key)
fi
# Get the server pubic key
if bashio::config.has_value 'server.public_key'; then
server_public_key=$(bashio::config 'server.public_key')
else
server_public_key=$(wg pubkey <<< "${server_private_key}")
fi fi
# Post Up & Down defaults # Post Up & Down defaults
@ -75,8 +85,8 @@ if [[ $(</proc/sys/net/ipv4/ip_forward) -eq 0 ]]; then
bashio::log.warning bashio::log.warning
# Set fake placeholders for Up & Down commands # Set fake placeholders for Up & Down commands
post_up="true" post_up=""
post_down="true" post_down=""
fi fi
# Load custom PostUp setting if provided # Load custom PostUp setting if provided
@ -89,21 +99,26 @@ if bashio::config.has_value 'server.post_down'; then
post_down=$(bashio::config 'server.post_down') post_down=$(bashio::config 'server.post_down')
fi fi
# Finish up the configuration # Finish up the main server configuration
{ {
echo "PrivateKey = ${private_key}"; echo "PrivateKey = ${server_private_key}"
# Adds server port to the configuration # Adds server port to the configuration
echo "ListenPort = 51820"; echo "ListenPort = 51820"
# Post up & down # Post up & down
echo "PostUp = ${post_up}"; bashio::var.has_value "${post_up}" && echo "PostUp = ${post_up}"
echo "PostDown = ${post_down}"; bashio::var.has_value "${post_down}" && echo "PostDown = ${post_down}"
# End configuration file with an empty line # End configuration file with an empty line
echo ""; echo ""
} >> "${CONFIG}" } >> "${CONFIG}"
# Get DNS for client configurations
if bashio::config.has_value 'server.dns'; then
dns=$(bashio::config "server.dns | join(\", \")")
fi
# Fetch all the peers # Fetch all the peers
for peer in $(bashio::config 'peers|keys'); do for peer in $(bashio::config 'peers|keys'); do
@ -114,94 +129,97 @@ for peer in $(bashio::config 'peers|keys'); do
name=$(bashio::config "peers[${peer}].name") name=$(bashio::config "peers[${peer}].name")
config_dir="/ssl/wireguard/${name}" config_dir="/ssl/wireguard/${name}"
host=$(bashio::config 'server.host')
port=$(bashio::addon.port "51820/udp")
keep_alive=$(bashio::config "peers[${peer}].persistent_keep_alive")
pre_shared_key=$(bashio::config "peers[${peer}].pre_shared_key")
endpoint=$(bashio::config "peers[${peer}].endpoint")
mkdir -p "${config_dir}" || # Get the private key
bashio::exit.nok "Failed creating client folder for ${name}" peer_private_key=""
if bashio::config.has_value "peers[${peer}].private_key"; then
# Write peer header peer_private_key=$(bashio::config "peers[${peer}].private_key")
echo "[Peer]" >> "${CONFIG}" elif ! basio::config.has_value "peers[${peer}].public_key"; then
# If a public key is not provided, try get a private key from disk
# Get the public key # or generate one if needed.
if bashio::config.has_value "peers[${peer}].public_key"; then if ! bashio::fs.file_exists '/ssl/wireguard/private_key'; then
public_key=$(bashio::config "peers[${peer}].public_key")
elif bashio::fs.file_exists "${config_dir}/public_key"; then
public_key=$(<"${config_dir}/public_key")
else
umask 077 || bashio::exit.nok "Could not set a proper umask" umask 077 || bashio::exit.nok "Could not set a proper umask"
wg genkey > "${config_dir}/private_key" || wg genkey > "${config_dir}/private_key" ||
bashio::exit.nok "Could not generate private key for ${name}!" bashio::exit.nok "Could not generate private key for ${name}!"
fi
wg pubkey < "${config_dir}/private_key" > "${config_dir}/public_key" || peer_private_key=$(<"${config_dir}/private_key")
bashio::exit.nok "Could not get public key for ${name}!"
public_key=$(<"${config_dir}/public_key")
fi fi
echo "PublicKey = ${public_key}" >> "${CONFIG}" # Get the public key
peer_public_key=""
if bashio::config.has_value "peers[${peer}].public_key"; then
peer_public_key=$(bashio::config "peers[${peer}].public_key")
elif bashio::var.has_value "${peer_private_key}"; then
peer_public_key=$(wg pubkey <<< "${peer_private_key}")
fi
# Addresses in peer configuration become AllowedIPS from server side. # Get peer addresses
list=() list=()
for address in $(bashio::config "peers[${peer}].addresses"); do for address in $(bashio::config "peers[${peer}].addresses"); do
[[ "${address}" == *"/"* ]] || address="${address}/24" [[ "${address}" == *"/"* ]] || address="${address}/24"
list+=("${address}") list+=("${address}")
done done
allowed_ips=$(IFS=", "; echo "${list[*]}") addresses=$(IFS=", "; echo "${list[*]}")
echo "AllowedIPs = ${allowed_ips}" >> "${CONFIG}"
if bashio::config.has_value "peers[${peer}].persistent_keep_alive"; then
keep_alive=$(bashio::config "peers[${peer}].persistent_keep_alive")
echo "PersistentKeepalive = ${keep_alive}" >> "${CONFIG}"
fi
if bashio::config.has_value "peers[${peer}].pre_shared_key"; then
pre_shared_key=$(bashio::config "peers[${peer}].pre_shared_key")
echo "PreSharedKey = ${pre_shared_key}" >> "${CONFIG}"
fi
if bashio::config.has_value "peers[${peer}].endpoint"; then
endpoint=$(bashio::config "peers[${peer}].endpoint")
echo "Endpoint = ${endpoint}" >> "${CONFIG}"
fi
# End file with an empty line
echo "" >> "${CONFIG}"
# Generate client config
echo "[Interface]" > "${config_dir}/client.conf"
if bashio::fs.file_exists "${config_dir}/private_key"; then
private_key=$(<"${config_dir}/private_key")
echo "PrivateKey = ${private_key}" >> "${config_dir}/client.conf"
fi
if bashio::config.has_value 'server.dns'; then
dns=$(bashio::config "server.dns | join(\", \")")
else
dns=$(bashio::dns.host)
fi
# Determine allowed IPs for server side config, by default use
# peer defined addresses.
allowed_ips="${addresses}"
if bashio::config.has_value "peers[${peer}].allowed_ips"; then if bashio::config.has_value "peers[${peer}].allowed_ips"; then
allowed_ips=$(bashio::config "peers[${peer}].allowed_ips | join(\", \")") # Use allowed IP's defined by the user.
else list=()
allowed_ips="0.0.0.0/0" for address in $(bashio::config "peers[${peer}].allowed_ips"); do
[[ "${address}" == *"/"* ]] || address="${address}/24"
list+=("${address}")
done
allowed_ips=$(IFS=", "; echo "${list[*]}")
fi fi
addresses=$(bashio::config "peers[${peer}].addresses | join(\", \")") # Start writing peer information in server config
public_key=$(wg pubkey < /ssl/wireguard/private_key)
host=$(bashio::config 'server.host')
port=$(bashio::addon.port "51820/udp")
{ {
echo "[Peer]"
echo "PublicKey = ${peer_public_key}"
echo "AllowedIPs = ${allowed_ips}"
bashio::config.has_value "peers[${peer}].persistent_keep_alive" \
&& echo "PersistentKeepalive = ${keep_alive}"
bashio::config.has_value "peers[${peer}].pre_shared_key" \
&& echo "PreSharedKey = ${pre_shared_key}"
bashio::config.has_value "peers[${peer}].endpoint" \
&& echo "Endpoint = ${endpoint}"
echo ""
} >> "${CONFIG}"
# Generate client configuration
mkdir -p "${config_dir}" ||
bashio::exit.nok "Failed creating client folder for ${name}"
# Determine allowed IPs for client configuration
allowed_ips="0.0.0.0/0"
if bashio::config.has_value "peers[${peer}].client_allowed_ips"; then
allowed_ips=$(
bashio::config "peers[${peer}].client_allowed_ips | join(\", \")"
)
fi
# Write client configuration file
{
echo "[Interface]"
bashio::fs.file_exists "${config_dir}/private_key" \
&& echo "PrivateKey = ${peer_private_key}"
echo "Address = ${addresses}" echo "Address = ${addresses}"
echo "DNS = ${dns}" echo "DNS = ${dns}"
echo "" echo ""
echo "[Peer]" echo "[Peer]"
echo "PublicKey = ${public_key}" echo "PublicKey = ${server_public_key}"
echo "Endpoint = ${host}:${port}" echo "Endpoint = ${host}:${port}"
echo "AllowedIPs = ${allowed_ips}" echo "AllowedIPs = ${allowed_ips}"
echo "" echo ""
} >> "${config_dir}/client.conf" } > "${config_dir}/client.conf"
# Generate QR code with client configuration
qrencode -t PNG -o "${config_dir}/qrcode.png" < "${config_dir}/client.conf" qrencode -t PNG -o "${config_dir}/qrcode.png" < "${config_dir}/client.conf"
done done