diff --git a/includes/wireguard.php b/includes/wireguard.php index 34d56ce2..d2ec1088 100644 --- a/includes/wireguard.php +++ b/includes/wireguard.php @@ -11,25 +11,47 @@ function DisplayWireGuardConfig() $status = new StatusMessages(); if (!RASPI_MONITOR_ENABLED) { if (isset($_POST['savewgettings'])) { - # Todo: validate input - if (isset($_POST['authUser'])) { - $peer_id = strip_tags(trim($_POST'peer_id'])); + // Validate input + $good_input = true; + $peer_id = 1; + if (isset($_POST['peer_id'])) { + $peer_id = escapeshellarg($_POST['peer_id']); } if (isset($_POST['wg_endpoint'])) { - $wg_endpoint = strip_tags(trim($_POST['wg_endpoint'])); + if (!filter_var($_POST['wg_endpoint'], FILTER_VALIDATE_IP)) { + $status->addMessage('Invalid value for endpoint address', 'danger'); + $good_input = false; + } else { + $wg_endpoint = escapeshellarg($_POST['wg_endpoint']); + } } if (isset($_POST['wg_allowedips'])) { - $wg_allowedips = strip_tags(trim($_POST['wg_allowedips'])); + if (!filter_var($_POST['wg_allowedips'], FILTER_VALIDATE_IP)) { + $status->addMessage('Invalid value for allowed IPs', 'danger'); + $good_input = false; + } else { + $wg_allowedips = escapeshellarg($_POST['wg_allowedips']); + } } if (isset($_POST['wg_pkeepalive'])) { - $wg_pkeepalive = strip_tags(trim($_POST['wg_pkeepalive'])); + if (strlen($_POST['wg_pkeepalive']) > 4 || !is_numeric($_POST['wg_pkeepalive'])) { + $status->addMessage('Invalid value for persistent keepalive', 'danger'); + $good_input = false; + } else { + $wg_pkeepalive = escapeshellarg($_POST['wg_pkeepalive']); + } } if (isset($_POST['wg_peerpubkey'])) { $wg_endpoint = strip_tags(trim($_POST['wg_peerpubkey'])); } - file_put_contents("/tmp/wgdata", $config); - system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_CONFIG, $return); - + // Save settings + if ($good_input) { + file_put_contents("/tmp/wgdata", $config); + system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_CONFIG, $return); + foreach ($return as $line) { + $status->addMessage($line, 'info'); + } + } if ($return == 0) { $status->addMessage('Wireguard configuration updated successfully', 'success'); } else { @@ -51,8 +73,18 @@ function DisplayWireGuardConfig() } } - exec('pidof wg-crypt-wg0 | wc -l', $wgstatus); + // fetch wg config + exec('sudo cat '. RASPI_WIREGUARD_CONFIG, $return); + $conf = ParseConfig($return); + $wg_port = $conf['ListenPort']; + $wg_ipaddress = $conf['Address']; + $wg_pubkey = $conf['PublicKey']; + $wg_endpoint = $conf['Endpoint']; + $wg_allowedips = $conf['AllowedIPs']; + $wg_pkeepalive = $conf['PersistentKeepalive']; + // fetch service status + exec('pidof wg-crypt-wg0 | wc -l', $wgstatus); $serviceStatus = $wgstatus[0] == 0 ? "down" : "up"; $wg_state = ($wgstatus[0] > 0); @@ -63,10 +95,12 @@ function DisplayWireGuardConfig() "serviceStatus", "endpoint_enable", "peer_id", + "wg_port", + "wg_ipaddress", + "wg_pubkey", "wg_endpoint", "wg_allowedips", - "wg_pkeepalive", - "wg_peerpubkey" + "wg_pkeepalive" ) ); } diff --git a/installers/raspap.sudoers b/installers/raspap.sudoers index 2d6ed495..517b6233 100644 --- a/installers/raspap.sudoers +++ b/installers/raspap.sudoers @@ -41,5 +41,7 @@ www-data ALL=(ALL) NOPASSWD:/etc/raspap/adblock/update_blocklist.sh www-data ALL=(ALL) NOPASSWD:/usr/bin/wg-quick up wg0 www-data ALL=(ALL) NOPASSWD:/usr/bin/wg-quick down wg0 www-data ALL=(ALL) NOPASSWD:/usr/bin/wg +www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wireguard/wg0.conf + diff --git a/templates/wg/general.php b/templates/wg/general.php index 686949bb..b9763555 100644 --- a/templates/wg/general.php +++ b/templates/wg/general.php @@ -36,7 +36,7 @@
- +