diff --git a/includes/wireguard.php b/includes/wireguard.php index 00b4e962..c7f56cdd 100644 --- a/includes/wireguard.php +++ b/includes/wireguard.php @@ -34,7 +34,10 @@ function DisplayWireGuardConfig() $wg_srvport = ($conf['ListenPort'] == '') ? getDefaultNetValue('wireguard','server','ListenPort') : $conf['ListenPort']; $wg_srvipaddress = ($conf['Address'] == '') ? getDefaultNetValue('wireguard','server','Address') : $conf['Address']; $wg_srvdns = ($conf['DNS'] == '') ? getDefaultNetValue('wireguard','server','DNS') : $conf['DNS']; - $wg_peerpubkey = $conf['PublicKey']; + $wg_peerpubkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-peer-public.key', $return); + if (sizeof($conf) >0) { + $wg_senabled = true; + } // todo: iterate multiple peer configs exec('sudo cat '. RASPI_WIREGUARD_PATH.'client.conf', $preturn); @@ -64,6 +67,7 @@ function DisplayWireGuardConfig() "wg_srvport", "wg_srvipaddress", "wg_srvdns", + "wg_senabled", "wg_penabled", "wg_pipaddress", "wg_plistenport", @@ -86,102 +90,120 @@ function SaveWireGuardConfig($status) // Set defaults $good_input = true; $peer_id = 1; - // Validate input - if (isset($_POST['wg_srvport'])) { - if (strlen($_POST['wg_srvport']) > 5 || !is_numeric($_POST['wg_srvport'])) { - $status->addMessage('Invalid value for server local port', 'danger'); - $good_input = false; + // Validate server input + if ($_POST['wg_senabled'] == 1) { + if (isset($_POST['wg_srvport'])) { + if (strlen($_POST['wg_srvport']) > 5 || !is_numeric($_POST['wg_srvport'])) { + $status->addMessage('Invalid value for server local port', 'danger'); + $good_input = false; + } + } + if (isset($_POST['wg_plistenport'])) { + if (strlen($_POST['wg_plistenport']) > 5 || !is_numeric($_POST['wg_plistenport'])) { + $status->addMessage('Invalid value for peer local port', 'danger'); + $good_input = false; + } + } + if (isset($_POST['wg_srvipaddress'])) { + if (!validateCidr($_POST['wg_srvipaddress'])) { + $status->addMessage('Invalid value for server IP address', 'danger'); + $good_input = false; + } + } + if (isset($_POST['wg_srvdns'])) { + if (!filter_var($_POST['wg_srvdns'],FILTER_VALIDATE_IP)) { + $status->addMessage('Invalid value for DNS', 'danger'); + $good_input = false; + } } } - if (isset($_POST['wg_plistenport'])) { - if (strlen($_POST['wg_plistenport']) > 5 || !is_numeric($_POST['wg_plistenport'])) { - $status->addMessage('Invalid value for peer local port', 'danger'); - $good_input = false; + // Validate peer input + if ($_POST['wg_penabled'] == 1) { + if (isset($_POST['wg_pipaddress'])) { + if (!validateCidr($_POST['wg_pipaddress'])) { + $status->addMessage('Invalid value for peer IP address', 'danger'); + $good_input = false; + } } - } - if (isset($_POST['wg_srvipaddress'])) { - if (!validateCidr($_POST['wg_srvipaddress'])) { - $status->addMessage('Invalid value for server IP address', 'danger'); - $good_input = false; + if (isset($_POST['wg_pendpoint']) && strlen(trim($_POST['wg_pendpoint']) >0 )) { + $wg_pendpoint_seg = substr($_POST['wg_pendpoint'],0,strpos($_POST['wg_pendpoint'],':')); + if (!filter_var($wg_pendpoint_seg,FILTER_VALIDATE_IP)) { + $status->addMessage('Invalid value for endpoint address', 'danger'); + $good_input = false; + } } - } - if (isset($_POST['wg_pipaddress'])) { - if (!validateCidr($_POST['wg_pipaddress'])) { - $status->addMessage('Invalid value for peer IP address', 'danger'); - $good_input = false; + if (isset($_POST['wg_pallowedips']) && strlen(trim($_POST['wg_pallowedips']) >0)) { + if (!validateCidr($_POST['wg_pallowedips'])) { + $status->addMessage('Invalid value for allowed IPs', 'danger'); + $good_input = false; + } } - } - if (isset($_POST['wg_srvdns'])) { - if (!filter_var($_POST['wg_srvdns'],FILTER_VALIDATE_IP)) { - $status->addMessage('Invalid value for DNS', 'danger'); - $good_input = false; - } - } - if (isset($_POST['wg_pendpoint']) && strlen(trim($_POST['wg_pendpoint']) >0 )) { - $wg_pendpoint_seg = substr($_POST['wg_pendpoint'],0,strpos($_POST['wg_pendpoint'],':')); - if (!filter_var($wg_pendpoint_seg,FILTER_VALIDATE_IP)) { - $status->addMessage('Invalid value for endpoint address', 'danger'); - $good_input = false; - } - } - if (isset($_POST['wg_pallowedips']) && strlen(trim($_POST['wg_pallowedips']) >0)) { - if (!validateCidr($_POST['wg_pallowedips'])) { - $status->addMessage('Invalid value for allowed IPs', 'danger'); - $good_input = false; - } - } - if (isset($_POST['wg_pkeepalive']) && strlen(trim($_POST['wg_pkeepalive']) >0 )) { - if (strlen($_POST['wg_pkeepalive']) > 4 || !is_numeric($_POST['wg_pkeepalive'])) { - $status->addMessage('Invalid value for persistent keepalive', 'danger'); - $good_input = false; + if (isset($_POST['wg_pkeepalive']) && strlen(trim($_POST['wg_pkeepalive']) >0 )) { + if (strlen($_POST['wg_pkeepalive']) > 4 || !is_numeric($_POST['wg_pkeepalive'])) { + $status->addMessage('Invalid value for persistent keepalive', 'danger'); + $good_input = false; + } } } // Save settings if ($good_input) { - // fetch private keys from filesytem - $wg_srvprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-server-private.key', $return); - $wg_peerprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-peer-private.key', $return); - // server (wg0.conf) - $config[] = '[Interface]'; - $config[] = 'Address = '.$_POST['wg_srvipaddress']; - $config[] = 'ListenPort = '.$_POST['wg_srvport']; - $config[] = 'DNS = '.$_POST['wg_srvdns']; - $config[] = 'PrivateKey = '.$wg_srvprivkey; - $config[] = 'PostUp = '.getDefaultNetValue('wireguard','server','PostUp'); - $config[] = 'PostDown = '.getDefaultNetValue('wireguard','server','PostDown'); - $config[] = ''; - $config[] = '[Peer]'; - $config[] = 'PublicKey = '.$_POST['wg-peer']; - $config[] = 'AllowedIPs = '.$_POST['wg_pallowedips']; - if ($_POST['wg_pkeepalive'] !== '') { - $config[] = 'PersistentKeepalive = '.trim($_POST['wg_pkeepalive']); + if ($_POST['wg_senabled'] == 1) { + // fetch server private key from filesytem + $wg_srvprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-server-private.key', $return); + $config[] = '[Interface]'; + $config[] = 'Address = '.$_POST['wg_srvipaddress']; + $config[] = 'ListenPort = '.$_POST['wg_srvport']; + $config[] = 'DNS = '.$_POST['wg_srvdns']; + $config[] = 'PrivateKey = '.$wg_srvprivkey; + $config[] = 'PostUp = '.getDefaultNetValue('wireguard','server','PostUp'); + $config[] = 'PostDown = '.getDefaultNetValue('wireguard','server','PostDown'); + $config[] = ''; + $config[] = '[Peer]'; + $config[] = 'PublicKey = '.$_POST['wg-peer']; + $config[] = 'AllowedIPs = '.$_POST['wg_pallowedips']; + if ($_POST['wg_pkeepalive'] !== '') { + $config[] = 'PersistentKeepalive = '.trim($_POST['wg_pkeepalive']); + } + $config[] = ''; + $config = join(PHP_EOL, $config); + + file_put_contents("/tmp/wgdata", $config); + system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_CONFIG, $return); + } else { + # remove selected conf + keys + system('sudo rm '. RASPI_WIREGUARD_PATH .'wg-server-private.key', $return); + system('sudo rm '. RASPI_WIREGUARD_PATH .'wg-server-public.key', $return); + system('sudo rm '. RASPI_WIREGUARD_CONFIG, $return); } - $config[] = ''; - $config = join(PHP_EOL, $config); - - file_put_contents("/tmp/wgdata", $config); - system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_CONFIG, $return); - // client1 (client.conf) - $config = []; - $config[] = '[Interface]'; - $config[] = 'Address = '.trim($_POST['wg_pipaddress']); - $config[] = 'PrivateKey = '.$wg_peerprivkey; - $config[] = 'ListenPort = '.$_POST['wg_plistenport']; - $config[] = ''; - $config[] = '[Peer]'; - $config[] = 'PublicKey = '.$_POST['wg-server']; - $config[] = 'AllowedIPs = '.$_POST['wg_pallowedips']; - $config[] = 'Endpoint = '.$_POST['wg_pendpoint']; - if ($_POST['wg_pkeepalive'] !== '') { - $config[] = 'PersistentKeepalive = '.trim($_POST['wg_pkeepalive']); - } - $config[] = ''; - $config = join(PHP_EOL, $config); + if ($_POST['wg_penabled'] == 1) { + // fetch peer private key from filesystem + $wg_peerprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-peer-private.key', $return); + $config = []; + $config[] = '[Interface]'; + $config[] = 'Address = '.trim($_POST['wg_pipaddress']); + $config[] = 'PrivateKey = '.$wg_peerprivkey; + $config[] = 'ListenPort = '.$_POST['wg_plistenport']; + $config[] = ''; + $config[] = '[Peer]'; + $config[] = 'PublicKey = '.$_POST['wg-server']; + $config[] = 'AllowedIPs = '.$_POST['wg_pallowedips']; + $config[] = 'Endpoint = '.$_POST['wg_pendpoint']; + if ($_POST['wg_pkeepalive'] !== '') { + $config[] = 'PersistentKeepalive = '.trim($_POST['wg_pkeepalive']); + } + $config[] = ''; + $config = join(PHP_EOL, $config); - file_put_contents("/tmp/wgdata", $config); - system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_PATH.'client.conf', $return); + file_put_contents("/tmp/wgdata", $config); + system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_PATH.'client.conf', $return); + } else { + # remove selected conf + keys + system('sudo rm '. RASPI_WIREGUARD_PATH .'wg-peer-private.key', $return); + system('sudo rm '. RASPI_WIREGUARD_PATH .'wg-peer-public.key', $return); + system('sudo rm '. RASPI_WIREGUARD_PATH.'client.conf', $return); + } // handle log option if ($_POST['wg_log'] == "1") { diff --git a/installers/raspap.sudoers b/installers/raspap.sudoers index 9aded5a3..18e4ddf8 100644 --- a/installers/raspap.sudoers +++ b/installers/raspap.sudoers @@ -50,4 +50,6 @@ www-data ALL=(ALL) NOPASSWD:/bin/systemctl * wg-quick@wg0 www-data ALL=(ALL) NOPASSWD:/usr/bin/wg www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wireguard/*.conf www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wireguard/wg-*.key +www-data ALL=(ALL) NOPASSWD:/bin/rm /etc/wireguard/*.conf +www-data ALL=(ALL) NOPASSWD:/bin/rm /etc/wireguard/wg-*.key diff --git a/templates/wg/general.php b/templates/wg/general.php index b3235e88..06d09811 100644 --- a/templates/wg/general.php +++ b/templates/wg/general.php @@ -4,13 +4,13 @@
+ wg0.conf to the WireGuard configuration.") ?>
+ + client.conf to the WireGuard configuration.") ?> +