85904d0c36
WireGuard --------- * Migration 0013: wireguard_interfaces (server|client mode, key envelope- encrypted) + wireguard_peers (per-server roster). Drop old empty 0005-Schema (Option-A peer_type, kein Iface-FK), neuer Aufbau mit zwei Tabellen + FK. * internal/services/secrets: Box mit AES-256-GCM, Master-Key in /var/lib/edgeguard/.master_key (lazy-create, 0600). Sealed/Open für PrivateKey + PSK. * internal/services/wireguard: KeyGen (Curve25519 mit clamping), PublicFromPrivate (für Import), InterfacesRepo, PeersRepo, Importer (parst /etc/wireguard/*.conf, server vs. client heuristisch nach ListenPort + Peer-Anzahl). * internal/wireguard: Renderer schreibt /etc/edgeguard/wireguard/<iface>.conf (0600), restartet wg-quick@<iface> via sudo (sudoers im postinst erweitert). Idempotent — re-render nur wenn content geändert. * internal/handlers/wireguard.go: REST CRUD für interfaces+peers, /generate-keypair, /peers/:id/config (text/plain wg-quick conf), /peers/:id/qr (PNG via go-qrcode). Auto-reload nach Mutation. * edgeguard-ctl wg-import [--path /etc/wireguard]: liest existierende conf-Files in die DB. Idempotent (überspringt vorhandene Iface-Namen). Shared UI components (proxy-lb-waf design pattern) -------------------------------------------------- * PageHeader: icon + title + subtitle + extras row, einheitlich oben auf jeder Page. * ActionButtons: Edit + Delete combo mit Popconfirm + Tooltip. * StatusDot: AntD Badge pattern statt "Yes/No" — schneller scanbar in dichten Tabellen. * DataTable: pageSizeOptions [20,50,100,200] + extraActions-Alias + optional renderMobileCard für Card-Liste auf < md Breakpoint. * enterprise.css: .page-header* + .datatable-toolbar Klassen. Frontend WireGuard ------------------ * /vpn/wireguard mit zwei Tabs (Server / Client) im neuen Pattern. * Server-Tab: Modal mit Generate-Keypair-Toggle, Peer-Roster im Drawer per Server. Pro Peer: QR-Code-Modal + .conf-Download. * Client-Tab: Upstream-Card im Modal, full-tunnel-Default (0.0.0.0/0,::/0), Keepalive 25. * i18n DE/EN für wg.* Block + common.* Erweiterung. Misc ---- * Sidebar: WireGuard unter Security-Sektion. * Nav-i18n: "Firewall (v2)" → "Firewall". * Version 1.0.8 → 1.0.11. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
78 lines
2.3 KiB
Go
78 lines
2.3 KiB
Go
// Package wireguard implements the persistence + lifecycle of
|
|
// WireGuard tunnels (server + client mode) and their peer roster.
|
|
// Sub-files split by concern:
|
|
//
|
|
// keys.go — Curve25519 keypair generation + parse helpers
|
|
// interfaces.go — wireguard_interfaces CRUD
|
|
// peers.go — wireguard_peers CRUD
|
|
// import.go — read /etc/wireguard/*.conf into the DB
|
|
package wireguard
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
|
|
"golang.org/x/crypto/curve25519"
|
|
)
|
|
|
|
// Keypair holds a base64-encoded WireGuard keypair (the wire format
|
|
// wg-quick prints — 32 raw bytes, base64 standard padding included).
|
|
type Keypair struct {
|
|
Private string
|
|
Public string
|
|
}
|
|
|
|
// GenerateKeypair returns a fresh Curve25519 keypair, clamped per
|
|
// WireGuard's spec, base64-encoded.
|
|
func GenerateKeypair() (*Keypair, error) {
|
|
priv := make([]byte, 32)
|
|
if _, err := io.ReadFull(rand.Reader, priv); err != nil {
|
|
return nil, fmt.Errorf("rand: %w", err)
|
|
}
|
|
// WireGuard / curve25519 clamping: clear the lowest 3 bits of
|
|
// priv[0], clear the highest bit and set the second-highest of
|
|
// priv[31]. Required to make the scalar a valid Curve25519
|
|
// private key.
|
|
priv[0] &= 248
|
|
priv[31] &= 127
|
|
priv[31] |= 64
|
|
pub, err := curve25519.X25519(priv, curve25519.Basepoint)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("derive pub: %w", err)
|
|
}
|
|
return &Keypair{
|
|
Private: base64.StdEncoding.EncodeToString(priv),
|
|
Public: base64.StdEncoding.EncodeToString(pub),
|
|
}, nil
|
|
}
|
|
|
|
// GeneratePresharedKey returns a fresh 32-byte PSK as base64.
|
|
func GeneratePresharedKey() (string, error) {
|
|
psk := make([]byte, 32)
|
|
if _, err := io.ReadFull(rand.Reader, psk); err != nil {
|
|
return "", err
|
|
}
|
|
return base64.StdEncoding.EncodeToString(psk), nil
|
|
}
|
|
|
|
// PublicFromPrivate derives the matching pubkey for a base64 private
|
|
// key — used by the import path where the operator hands us a
|
|
// private key from an existing wg-quick config.
|
|
func PublicFromPrivate(privB64 string) (string, error) {
|
|
priv, err := base64.StdEncoding.DecodeString(privB64)
|
|
if err != nil {
|
|
return "", fmt.Errorf("decode private key: %w", err)
|
|
}
|
|
if len(priv) != 32 {
|
|
return "", errors.New("private key must be 32 bytes")
|
|
}
|
|
pub, err := curve25519.X25519(priv, curve25519.Basepoint)
|
|
if err != nil {
|
|
return "", fmt.Errorf("derive pub: %w", err)
|
|
}
|
|
return base64.StdEncoding.EncodeToString(pub), nil
|
|
}
|