85904d0c36
WireGuard --------- * Migration 0013: wireguard_interfaces (server|client mode, key envelope- encrypted) + wireguard_peers (per-server roster). Drop old empty 0005-Schema (Option-A peer_type, kein Iface-FK), neuer Aufbau mit zwei Tabellen + FK. * internal/services/secrets: Box mit AES-256-GCM, Master-Key in /var/lib/edgeguard/.master_key (lazy-create, 0600). Sealed/Open für PrivateKey + PSK. * internal/services/wireguard: KeyGen (Curve25519 mit clamping), PublicFromPrivate (für Import), InterfacesRepo, PeersRepo, Importer (parst /etc/wireguard/*.conf, server vs. client heuristisch nach ListenPort + Peer-Anzahl). * internal/wireguard: Renderer schreibt /etc/edgeguard/wireguard/<iface>.conf (0600), restartet wg-quick@<iface> via sudo (sudoers im postinst erweitert). Idempotent — re-render nur wenn content geändert. * internal/handlers/wireguard.go: REST CRUD für interfaces+peers, /generate-keypair, /peers/:id/config (text/plain wg-quick conf), /peers/:id/qr (PNG via go-qrcode). Auto-reload nach Mutation. * edgeguard-ctl wg-import [--path /etc/wireguard]: liest existierende conf-Files in die DB. Idempotent (überspringt vorhandene Iface-Namen). Shared UI components (proxy-lb-waf design pattern) -------------------------------------------------- * PageHeader: icon + title + subtitle + extras row, einheitlich oben auf jeder Page. * ActionButtons: Edit + Delete combo mit Popconfirm + Tooltip. * StatusDot: AntD Badge pattern statt "Yes/No" — schneller scanbar in dichten Tabellen. * DataTable: pageSizeOptions [20,50,100,200] + extraActions-Alias + optional renderMobileCard für Card-Liste auf < md Breakpoint. * enterprise.css: .page-header* + .datatable-toolbar Klassen. Frontend WireGuard ------------------ * /vpn/wireguard mit zwei Tabs (Server / Client) im neuen Pattern. * Server-Tab: Modal mit Generate-Keypair-Toggle, Peer-Roster im Drawer per Server. Pro Peer: QR-Code-Modal + .conf-Download. * Client-Tab: Upstream-Card im Modal, full-tunnel-Default (0.0.0.0/0,::/0), Keepalive 25. * i18n DE/EN für wg.* Block + common.* Erweiterung. Misc ---- * Sidebar: WireGuard unter Security-Sektion. * Nav-i18n: "Firewall (v2)" → "Firewall". * Version 1.0.8 → 1.0.11. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
646 lines
18 KiB
Go
646 lines
18 KiB
Go
package handlers
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"log/slog"
|
|
"net/http"
|
|
"strconv"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
qrcode "github.com/skip2/go-qrcode"
|
|
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/handlers/response"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/models"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/audit"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/secrets"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard"
|
|
)
|
|
|
|
// WireguardHandler exposes /api/v1/wireguard/* — interfaces, peers,
|
|
// per-peer config download (wg-quick text + QR PNG) and a one-shot
|
|
// keypair generator. Mutations trigger Reloader so the kernel state
|
|
// stays in sync.
|
|
type WireguardHandler struct {
|
|
Ifaces *wireguard.InterfacesRepo
|
|
Peers *wireguard.PeersRepo
|
|
Box *secrets.Box
|
|
Audit *audit.Repo
|
|
NodeID string
|
|
Reloader func(ctx context.Context) error
|
|
}
|
|
|
|
func NewWireguardHandler(
|
|
ifaces *wireguard.InterfacesRepo,
|
|
peers *wireguard.PeersRepo,
|
|
box *secrets.Box,
|
|
a *audit.Repo,
|
|
nodeID string,
|
|
reloader func(context.Context) error,
|
|
) *WireguardHandler {
|
|
return &WireguardHandler{Ifaces: ifaces, Peers: peers, Box: box, Audit: a, NodeID: nodeID, Reloader: reloader}
|
|
}
|
|
|
|
func (h *WireguardHandler) reload(ctx context.Context, op string) {
|
|
if h.Reloader == nil {
|
|
return
|
|
}
|
|
if err := h.Reloader(ctx); err != nil {
|
|
slog.Warn("wireguard: render after mutation failed", "op", op, "error", err)
|
|
}
|
|
}
|
|
|
|
func (h *WireguardHandler) Register(rg *gin.RouterGroup) {
|
|
g := rg.Group("/wireguard")
|
|
|
|
// Standalone keygen — no DB write. Frontend uses this to fill
|
|
// the form when the operator wants a fresh keypair without
|
|
// committing.
|
|
g.POST("/generate-keypair", h.GenerateKeypair)
|
|
|
|
g.GET("/interfaces", h.ListIfaces)
|
|
g.POST("/interfaces", h.CreateIface)
|
|
g.GET("/interfaces/:id", h.GetIface)
|
|
g.PUT("/interfaces/:id", h.UpdateIface)
|
|
g.DELETE("/interfaces/:id", h.DeleteIface)
|
|
|
|
g.GET("/interfaces/:id/peers", h.ListPeers)
|
|
g.POST("/interfaces/:id/peers", h.CreatePeer)
|
|
g.GET("/peers/:pid", h.GetPeer)
|
|
g.PUT("/peers/:pid", h.UpdatePeer)
|
|
g.DELETE("/peers/:pid", h.DeletePeer)
|
|
|
|
// Per-peer config download — wg-quick text and QR PNG. The QR
|
|
// embeds the same text so mobile apps can import directly.
|
|
g.GET("/peers/:pid/config", h.PeerConfig)
|
|
g.GET("/peers/:pid/qr", h.PeerQR)
|
|
}
|
|
|
|
// ── Keygen ────────────────────────────────────────────────────────
|
|
|
|
func (h *WireguardHandler) GenerateKeypair(c *gin.Context) {
|
|
kp, err := wireguard.GenerateKeypair()
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
response.OK(c, gin.H{
|
|
"private_key": kp.Private,
|
|
"public_key": kp.Public,
|
|
})
|
|
}
|
|
|
|
// ── Interfaces ────────────────────────────────────────────────────
|
|
|
|
// ifaceCreateReq splits the wire shape from the model so we can
|
|
// accept a private key by value (operator paste) or auto-generate
|
|
// (operator ticked "generate keypair") without leaking the
|
|
// encrypted-bytes field into the JSON contract.
|
|
type ifaceCreateReq struct {
|
|
Name string `json:"name"`
|
|
Mode string `json:"mode"`
|
|
AddressCIDR string `json:"address_cidr"`
|
|
ListenPort *int `json:"listen_port,omitempty"`
|
|
PeerEndpoint *string `json:"peer_endpoint,omitempty"`
|
|
PeerPublicKey *string `json:"peer_public_key,omitempty"`
|
|
PeerPSK *string `json:"peer_psk,omitempty"`
|
|
AllowedIPs *string `json:"allowed_ips,omitempty"`
|
|
PersistentKeepalive *int `json:"persistent_keepalive,omitempty"`
|
|
MTU *int `json:"mtu,omitempty"`
|
|
Role string `json:"role"`
|
|
Active bool `json:"active"`
|
|
Description *string `json:"description,omitempty"`
|
|
|
|
// Either GenerateKeypair=true (server picks one) or PrivateKey
|
|
// is filled in by the operator. PublicKey is always derived.
|
|
GenerateKeypair bool `json:"generate_keypair,omitempty"`
|
|
PrivateKey string `json:"private_key,omitempty"`
|
|
}
|
|
|
|
func (h *WireguardHandler) CreateIface(c *gin.Context) {
|
|
var req ifaceCreateReq
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, err)
|
|
return
|
|
}
|
|
priv := req.PrivateKey
|
|
if req.GenerateKeypair || priv == "" {
|
|
kp, err := wireguard.GenerateKeypair()
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
priv = kp.Private
|
|
}
|
|
pub, err := wireguard.PublicFromPrivate(priv)
|
|
if err != nil {
|
|
response.BadRequest(c, fmt.Errorf("private_key: %w", err))
|
|
return
|
|
}
|
|
encPriv, err := h.Box.Seal([]byte(priv))
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
var encPSK []byte
|
|
if req.PeerPSK != nil && *req.PeerPSK != "" {
|
|
encPSK, err = h.Box.Seal([]byte(*req.PeerPSK))
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
}
|
|
ifc := models.WireguardInterface{
|
|
Name: req.Name, Mode: req.Mode, AddressCIDR: req.AddressCIDR,
|
|
ListenPort: req.ListenPort, PublicKey: pub, PrivateKeyEnc: encPriv,
|
|
PeerEndpoint: req.PeerEndpoint, PeerPublicKey: req.PeerPublicKey,
|
|
PeerPSKEnc: encPSK, AllowedIPs: req.AllowedIPs,
|
|
PersistentKeepalive: req.PersistentKeepalive, MTU: req.MTU,
|
|
Role: req.Role, Active: req.Active, Description: req.Description,
|
|
}
|
|
if ifc.Role == "" {
|
|
ifc.Role = "wan"
|
|
}
|
|
out, err := h.Ifaces.Create(c.Request.Context(), ifc)
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
_ = h.Audit.Log(c.Request.Context(), actorOf(c), "wireguard.iface.create", out.Name, out, h.NodeID)
|
|
response.Created(c, out)
|
|
h.reload(c.Request.Context(), "iface.create")
|
|
}
|
|
|
|
// ifaceUpdateReq mirrors ifaceCreateReq but PrivateKey is optional
|
|
// — an empty PrivateKey + GenerateKeypair=false leaves the existing
|
|
// key untouched. This lets the operator edit metadata (description,
|
|
// allowed_ips, etc.) without re-rolling the tunnel keypair.
|
|
type ifaceUpdateReq struct {
|
|
ifaceCreateReq
|
|
}
|
|
|
|
func (h *WireguardHandler) UpdateIface(c *gin.Context) {
|
|
id, ok := parseID(c)
|
|
if !ok {
|
|
return
|
|
}
|
|
var req ifaceUpdateReq
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, err)
|
|
return
|
|
}
|
|
cur, err := h.Ifaces.Get(c.Request.Context(), id)
|
|
if err != nil {
|
|
if errors.Is(err, wireguard.ErrIfaceNotFound) {
|
|
response.NotFound(c, err)
|
|
return
|
|
}
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
|
|
encPriv := cur.PrivateKeyEnc
|
|
pub := cur.PublicKey
|
|
if req.GenerateKeypair {
|
|
kp, err := wireguard.GenerateKeypair()
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
encPriv, err = h.Box.Seal([]byte(kp.Private))
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
pub = kp.Public
|
|
} else if req.PrivateKey != "" {
|
|
p, err := wireguard.PublicFromPrivate(req.PrivateKey)
|
|
if err != nil {
|
|
response.BadRequest(c, fmt.Errorf("private_key: %w", err))
|
|
return
|
|
}
|
|
encPriv, err = h.Box.Seal([]byte(req.PrivateKey))
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
pub = p
|
|
}
|
|
encPSK := cur.PeerPSKEnc
|
|
if req.PeerPSK != nil {
|
|
if *req.PeerPSK == "" {
|
|
encPSK = nil
|
|
} else {
|
|
encPSK, err = h.Box.Seal([]byte(*req.PeerPSK))
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
ifc := models.WireguardInterface{
|
|
Name: req.Name, Mode: req.Mode, AddressCIDR: req.AddressCIDR,
|
|
ListenPort: req.ListenPort, PublicKey: pub, PrivateKeyEnc: encPriv,
|
|
PeerEndpoint: req.PeerEndpoint, PeerPublicKey: req.PeerPublicKey,
|
|
PeerPSKEnc: encPSK, AllowedIPs: req.AllowedIPs,
|
|
PersistentKeepalive: req.PersistentKeepalive, MTU: req.MTU,
|
|
Role: req.Role, Active: req.Active, Description: req.Description,
|
|
}
|
|
if ifc.Role == "" {
|
|
ifc.Role = cur.Role
|
|
}
|
|
out, err := h.Ifaces.Update(c.Request.Context(), id, ifc)
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
_ = h.Audit.Log(c.Request.Context(), actorOf(c), "wireguard.iface.update", out.Name, out, h.NodeID)
|
|
response.OK(c, out)
|
|
h.reload(c.Request.Context(), "iface.update")
|
|
}
|
|
|
|
func (h *WireguardHandler) ListIfaces(c *gin.Context) {
|
|
out, err := h.Ifaces.List(c.Request.Context())
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
response.OK(c, gin.H{"interfaces": out})
|
|
}
|
|
|
|
func (h *WireguardHandler) GetIface(c *gin.Context) {
|
|
id, ok := parseID(c)
|
|
if !ok {
|
|
return
|
|
}
|
|
x, err := h.Ifaces.Get(c.Request.Context(), id)
|
|
if err != nil {
|
|
if errors.Is(err, wireguard.ErrIfaceNotFound) {
|
|
response.NotFound(c, err)
|
|
return
|
|
}
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
response.OK(c, x)
|
|
}
|
|
|
|
func (h *WireguardHandler) DeleteIface(c *gin.Context) {
|
|
id, ok := parseID(c)
|
|
if !ok {
|
|
return
|
|
}
|
|
if err := h.Ifaces.Delete(c.Request.Context(), id); err != nil {
|
|
if errors.Is(err, wireguard.ErrIfaceNotFound) {
|
|
response.NotFound(c, err)
|
|
return
|
|
}
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
_ = h.Audit.Log(c.Request.Context(), actorOf(c), "wireguard.iface.delete", strconv.FormatInt(id, 10), gin.H{"id": id}, h.NodeID)
|
|
response.NoContent(c)
|
|
h.reload(c.Request.Context(), "iface.delete")
|
|
}
|
|
|
|
// ── Peers ─────────────────────────────────────────────────────────
|
|
|
|
func (h *WireguardHandler) ListPeers(c *gin.Context) {
|
|
id, ok := parseID(c)
|
|
if !ok {
|
|
return
|
|
}
|
|
out, err := h.Peers.ListForInterface(c.Request.Context(), id)
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
response.OK(c, gin.H{"peers": out})
|
|
}
|
|
|
|
type peerReq struct {
|
|
Name string `json:"name"`
|
|
PublicKey string `json:"public_key,omitempty"`
|
|
PrivateKey string `json:"private_key,omitempty"`
|
|
PSK *string `json:"psk,omitempty"`
|
|
AllowedIPs string `json:"allowed_ips"`
|
|
Keepalive *int `json:"keepalive,omitempty"`
|
|
Enabled bool `json:"enabled"`
|
|
Description *string `json:"description,omitempty"`
|
|
|
|
GenerateKeypair bool `json:"generate_keypair,omitempty"`
|
|
GeneratePSK bool `json:"generate_psk,omitempty"`
|
|
}
|
|
|
|
func (h *WireguardHandler) CreatePeer(c *gin.Context) {
|
|
ifaceID, ok := parseID(c)
|
|
if !ok {
|
|
return
|
|
}
|
|
var req peerReq
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, err)
|
|
return
|
|
}
|
|
pub := req.PublicKey
|
|
var encPriv []byte
|
|
if req.GenerateKeypair || (req.PublicKey == "" && req.PrivateKey == "") {
|
|
kp, err := wireguard.GenerateKeypair()
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
pub = kp.Public
|
|
encPriv, err = h.Box.Seal([]byte(kp.Private))
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
} else if req.PrivateKey != "" {
|
|
p, err := wireguard.PublicFromPrivate(req.PrivateKey)
|
|
if err != nil {
|
|
response.BadRequest(c, fmt.Errorf("private_key: %w", err))
|
|
return
|
|
}
|
|
pub = p
|
|
encPriv, err = h.Box.Seal([]byte(req.PrivateKey))
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
}
|
|
var encPSK []byte
|
|
switch {
|
|
case req.GeneratePSK:
|
|
psk, err := wireguard.GeneratePresharedKey()
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
encPSK, err = h.Box.Seal([]byte(psk))
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
case req.PSK != nil && *req.PSK != "":
|
|
var err error
|
|
encPSK, err = h.Box.Seal([]byte(*req.PSK))
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
}
|
|
|
|
p := models.WireguardPeer{
|
|
InterfaceID: ifaceID,
|
|
Name: req.Name,
|
|
PublicKey: pub,
|
|
PrivateKeyEnc: encPriv,
|
|
PSKEnc: encPSK,
|
|
AllowedIPs: req.AllowedIPs,
|
|
Keepalive: req.Keepalive,
|
|
Enabled: req.Enabled,
|
|
Description: req.Description,
|
|
}
|
|
out, err := h.Peers.Create(c.Request.Context(), p)
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
_ = h.Audit.Log(c.Request.Context(), actorOf(c), "wireguard.peer.create", out.Name, out, h.NodeID)
|
|
response.Created(c, out)
|
|
h.reload(c.Request.Context(), "peer.create")
|
|
}
|
|
|
|
func (h *WireguardHandler) UpdatePeer(c *gin.Context) {
|
|
id := parsePeerID(c)
|
|
if id == 0 {
|
|
return
|
|
}
|
|
var req peerReq
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, err)
|
|
return
|
|
}
|
|
cur, err := h.Peers.Get(c.Request.Context(), id)
|
|
if err != nil {
|
|
if errors.Is(err, wireguard.ErrPeerNotFound) {
|
|
response.NotFound(c, err)
|
|
return
|
|
}
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
pub := cur.PublicKey
|
|
encPriv := cur.PrivateKeyEnc
|
|
if req.GenerateKeypair {
|
|
kp, err := wireguard.GenerateKeypair()
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
pub = kp.Public
|
|
encPriv, err = h.Box.Seal([]byte(kp.Private))
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
} else if req.PrivateKey != "" {
|
|
p, err := wireguard.PublicFromPrivate(req.PrivateKey)
|
|
if err != nil {
|
|
response.BadRequest(c, fmt.Errorf("private_key: %w", err))
|
|
return
|
|
}
|
|
pub = p
|
|
encPriv, err = h.Box.Seal([]byte(req.PrivateKey))
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
} else if req.PublicKey != "" {
|
|
pub = req.PublicKey
|
|
encPriv = nil
|
|
}
|
|
encPSK := cur.PSKEnc
|
|
if req.GeneratePSK {
|
|
psk, err := wireguard.GeneratePresharedKey()
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
encPSK, err = h.Box.Seal([]byte(psk))
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
} else if req.PSK != nil {
|
|
if *req.PSK == "" {
|
|
encPSK = nil
|
|
} else {
|
|
var err error
|
|
encPSK, err = h.Box.Seal([]byte(*req.PSK))
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
p := models.WireguardPeer{
|
|
Name: req.Name, PublicKey: pub, PrivateKeyEnc: encPriv, PSKEnc: encPSK,
|
|
AllowedIPs: req.AllowedIPs, Keepalive: req.Keepalive,
|
|
Enabled: req.Enabled, Description: req.Description,
|
|
}
|
|
out, err := h.Peers.Update(c.Request.Context(), id, p)
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
_ = h.Audit.Log(c.Request.Context(), actorOf(c), "wireguard.peer.update", out.Name, out, h.NodeID)
|
|
response.OK(c, out)
|
|
h.reload(c.Request.Context(), "peer.update")
|
|
}
|
|
|
|
func (h *WireguardHandler) GetPeer(c *gin.Context) {
|
|
id := parsePeerID(c)
|
|
if id == 0 {
|
|
return
|
|
}
|
|
x, err := h.Peers.Get(c.Request.Context(), id)
|
|
if err != nil {
|
|
if errors.Is(err, wireguard.ErrPeerNotFound) {
|
|
response.NotFound(c, err)
|
|
return
|
|
}
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
response.OK(c, x)
|
|
}
|
|
|
|
func (h *WireguardHandler) DeletePeer(c *gin.Context) {
|
|
id := parsePeerID(c)
|
|
if id == 0 {
|
|
return
|
|
}
|
|
if err := h.Peers.Delete(c.Request.Context(), id); err != nil {
|
|
if errors.Is(err, wireguard.ErrPeerNotFound) {
|
|
response.NotFound(c, err)
|
|
return
|
|
}
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
_ = h.Audit.Log(c.Request.Context(), actorOf(c), "wireguard.peer.delete", strconv.FormatInt(id, 10), gin.H{"id": id}, h.NodeID)
|
|
response.NoContent(c)
|
|
h.reload(c.Request.Context(), "peer.delete")
|
|
}
|
|
|
|
// ── Per-peer config download ──────────────────────────────────────
|
|
|
|
// peerConfigText assembles a wg-quick-style client config from a
|
|
// peer row + its parent interface. Requires the peer to have a
|
|
// stored private key (generated server-side); manual-pubkey rows
|
|
// can't have a config because we never knew their private half.
|
|
func (h *WireguardHandler) peerConfigText(ctx context.Context, peerID int64) (string, error) {
|
|
p, err := h.Peers.Get(ctx, peerID)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
if len(p.PrivateKeyEnc) == 0 {
|
|
return "", errors.New("no private key stored for this peer — config download only works for peers whose keypair was generated by edgeguard")
|
|
}
|
|
priv, err := h.Box.Open(p.PrivateKeyEnc)
|
|
if err != nil {
|
|
return "", fmt.Errorf("decrypt: %w", err)
|
|
}
|
|
ifc, err := h.Ifaces.Get(ctx, p.InterfaceID)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
if ifc.Mode != "server" {
|
|
return "", errors.New("config download only available for server-mode interfaces")
|
|
}
|
|
var b bytes.Buffer
|
|
b.WriteString("[Interface]\n")
|
|
fmt.Fprintf(&b, "PrivateKey = %s\n", string(priv))
|
|
fmt.Fprintf(&b, "Address = %s\n", p.AllowedIPs)
|
|
if p.Keepalive == nil || *p.Keepalive == 0 {
|
|
// PersistentKeepalive defaults to 25s for client side so
|
|
// NAT traversal stays alive.
|
|
b.WriteString("\n")
|
|
}
|
|
b.WriteString("\n[Peer]\n")
|
|
fmt.Fprintf(&b, "PublicKey = %s\n", ifc.PublicKey)
|
|
if len(p.PSKEnc) > 0 {
|
|
psk, err := h.Box.Open(p.PSKEnc)
|
|
if err != nil {
|
|
return "", fmt.Errorf("decrypt psk: %w", err)
|
|
}
|
|
fmt.Fprintf(&b, "PresharedKey = %s\n", string(psk))
|
|
}
|
|
// AllowedIPs on the client side is "everything that should go
|
|
// through the tunnel". For a server hosting an internal LAN
|
|
// this is typically 10.x/8 or the server's address range. We
|
|
// default to the iface address (so the client can at least
|
|
// reach the gateway) — operator can edit downloaded conf.
|
|
fmt.Fprintf(&b, "AllowedIPs = %s\n", ifc.AddressCIDR)
|
|
// Endpoint — the operator's public host:port that peers dial.
|
|
// We don't know this here (could be a CNAME or behind a load
|
|
// balancer); leave a placeholder the operator must fill in.
|
|
if ifc.ListenPort != nil {
|
|
fmt.Fprintf(&b, "Endpoint = REPLACE_WITH_PUBLIC_HOST:%d\n", *ifc.ListenPort)
|
|
}
|
|
if p.Keepalive != nil && *p.Keepalive > 0 {
|
|
fmt.Fprintf(&b, "PersistentKeepalive = %d\n", *p.Keepalive)
|
|
} else {
|
|
b.WriteString("PersistentKeepalive = 25\n")
|
|
}
|
|
return b.String(), nil
|
|
}
|
|
|
|
func (h *WireguardHandler) PeerConfig(c *gin.Context) {
|
|
id := parsePeerID(c)
|
|
if id == 0 {
|
|
return
|
|
}
|
|
conf, err := h.peerConfigText(c.Request.Context(), id)
|
|
if err != nil {
|
|
response.BadRequest(c, err)
|
|
return
|
|
}
|
|
c.Header("Content-Disposition", `attachment; filename="peer-`+strconv.FormatInt(id, 10)+`.conf"`)
|
|
c.Data(http.StatusOK, "text/plain; charset=utf-8", []byte(conf))
|
|
}
|
|
|
|
func (h *WireguardHandler) PeerQR(c *gin.Context) {
|
|
id := parsePeerID(c)
|
|
if id == 0 {
|
|
return
|
|
}
|
|
conf, err := h.peerConfigText(c.Request.Context(), id)
|
|
if err != nil {
|
|
response.BadRequest(c, err)
|
|
return
|
|
}
|
|
png, err := qrcode.Encode(conf, qrcode.Medium, 512)
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
c.Data(http.StatusOK, "image/png", png)
|
|
}
|
|
|
|
// parsePeerID parses the :pid path param. Returns 0 on parse error
|
|
// after writing a 400 response.
|
|
func parsePeerID(c *gin.Context) int64 {
|
|
id, err := strconv.ParseInt(c.Param("pid"), 10, 64)
|
|
if err != nil {
|
|
response.BadRequest(c, errors.New("invalid peer id"))
|
|
return 0
|
|
}
|
|
return id
|
|
}
|