Handle server/peer enable states

billz 2021-03-09 15:35:48 +00:00
parent 6d9eaceef7
commit cb58e31089
4 changed files with 117 additions and 90 deletions


@ -34,7 +34,10 @@ function DisplayWireGuardConfig()
$wg_srvport = ($conf['ListenPort'] == '') ? getDefaultNetValue('wireguard','server','ListenPort') : $conf['ListenPort']; $wg_srvport = ($conf['ListenPort'] == '') ? getDefaultNetValue('wireguard','server','ListenPort') : $conf['ListenPort'];
$wg_srvipaddress = ($conf['Address'] == '') ? getDefaultNetValue('wireguard','server','Address') : $conf['Address']; $wg_srvipaddress = ($conf['Address'] == '') ? getDefaultNetValue('wireguard','server','Address') : $conf['Address'];
$wg_srvdns = ($conf['DNS'] == '') ? getDefaultNetValue('wireguard','server','DNS') : $conf['DNS']; $wg_srvdns = ($conf['DNS'] == '') ? getDefaultNetValue('wireguard','server','DNS') : $conf['DNS'];
$wg_peerpubkey = $conf['PublicKey']; $wg_peerpubkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-peer-public.key', $return);
if (sizeof($conf) >0) {
$wg_senabled = true;
}
// todo: iterate multiple peer configs // todo: iterate multiple peer configs
exec('sudo cat '. RASPI_WIREGUARD_PATH.'client.conf', $preturn); exec('sudo cat '. RASPI_WIREGUARD_PATH.'client.conf', $preturn);
@ -64,6 +67,7 @@ function DisplayWireGuardConfig()
"wg_srvport", "wg_srvport",
"wg_srvipaddress", "wg_srvipaddress",
"wg_srvdns", "wg_srvdns",
"wg_senabled",
"wg_penabled", "wg_penabled",
"wg_pipaddress", "wg_pipaddress",
"wg_plistenport", "wg_plistenport",
@ -86,102 +90,120 @@ function SaveWireGuardConfig($status)
// Set defaults // Set defaults
$good_input = true; $good_input = true;
$peer_id = 1; $peer_id = 1;
// Validate input // Validate server input
if (isset($_POST['wg_srvport'])) { if ($_POST['wg_senabled'] == 1) {
if (strlen($_POST['wg_srvport']) > 5 || !is_numeric($_POST['wg_srvport'])) { if (isset($_POST['wg_srvport'])) {
$status->addMessage('Invalid value for server local port', 'danger'); if (strlen($_POST['wg_srvport']) > 5 || !is_numeric($_POST['wg_srvport'])) {
$good_input = false; $status->addMessage('Invalid value for server local port', 'danger');
$good_input = false;
}
}
if (isset($_POST['wg_plistenport'])) {
if (strlen($_POST['wg_plistenport']) > 5 || !is_numeric($_POST['wg_plistenport'])) {
$status->addMessage('Invalid value for peer local port', 'danger');
$good_input = false;
}
}
if (isset($_POST['wg_srvipaddress'])) {
if (!validateCidr($_POST['wg_srvipaddress'])) {
$status->addMessage('Invalid value for server IP address', 'danger');
$good_input = false;
}
}
if (isset($_POST['wg_srvdns'])) {
if (!filter_var($_POST['wg_srvdns'],FILTER_VALIDATE_IP)) {
$status->addMessage('Invalid value for DNS', 'danger');
$good_input = false;
}
} }
} }
if (isset($_POST['wg_plistenport'])) { // Validate peer input
if (strlen($_POST['wg_plistenport']) > 5 || !is_numeric($_POST['wg_plistenport'])) { if ($_POST['wg_penabled'] == 1) {
$status->addMessage('Invalid value for peer local port', 'danger'); if (isset($_POST['wg_pipaddress'])) {
$good_input = false; if (!validateCidr($_POST['wg_pipaddress'])) {
$status->addMessage('Invalid value for peer IP address', 'danger');
$good_input = false;
}
} }
} if (isset($_POST['wg_pendpoint']) && strlen(trim($_POST['wg_pendpoint']) >0 )) {
if (isset($_POST['wg_srvipaddress'])) { $wg_pendpoint_seg = substr($_POST['wg_pendpoint'],0,strpos($_POST['wg_pendpoint'],':'));
if (!validateCidr($_POST['wg_srvipaddress'])) { if (!filter_var($wg_pendpoint_seg,FILTER_VALIDATE_IP)) {
$status->addMessage('Invalid value for server IP address', 'danger'); $status->addMessage('Invalid value for endpoint address', 'danger');
$good_input = false; $good_input = false;
}
} }
} if (isset($_POST['wg_pallowedips']) && strlen(trim($_POST['wg_pallowedips']) >0)) {
if (isset($_POST['wg_pipaddress'])) { if (!validateCidr($_POST['wg_pallowedips'])) {
if (!validateCidr($_POST['wg_pipaddress'])) { $status->addMessage('Invalid value for allowed IPs', 'danger');
$status->addMessage('Invalid value for peer IP address', 'danger'); $good_input = false;
$good_input = false; }
} }
} if (isset($_POST['wg_pkeepalive']) && strlen(trim($_POST['wg_pkeepalive']) >0 )) {
if (isset($_POST['wg_srvdns'])) { if (strlen($_POST['wg_pkeepalive']) > 4 || !is_numeric($_POST['wg_pkeepalive'])) {
if (!filter_var($_POST['wg_srvdns'],FILTER_VALIDATE_IP)) { $status->addMessage('Invalid value for persistent keepalive', 'danger');
$status->addMessage('Invalid value for DNS', 'danger'); $good_input = false;
$good_input = false; }
}
}
if (isset($_POST['wg_pendpoint']) && strlen(trim($_POST['wg_pendpoint']) >0 )) {
$wg_pendpoint_seg = substr($_POST['wg_pendpoint'],0,strpos($_POST['wg_pendpoint'],':'));
if (!filter_var($wg_pendpoint_seg,FILTER_VALIDATE_IP)) {
$status->addMessage('Invalid value for endpoint address', 'danger');
$good_input = false;
}
}
if (isset($_POST['wg_pallowedips']) && strlen(trim($_POST['wg_pallowedips']) >0)) {
if (!validateCidr($_POST['wg_pallowedips'])) {
$status->addMessage('Invalid value for allowed IPs', 'danger');
$good_input = false;
}
}
if (isset($_POST['wg_pkeepalive']) && strlen(trim($_POST['wg_pkeepalive']) >0 )) {
if (strlen($_POST['wg_pkeepalive']) > 4 || !is_numeric($_POST['wg_pkeepalive'])) {
$status->addMessage('Invalid value for persistent keepalive', 'danger');
$good_input = false;
} }
} }
// Save settings // Save settings
if ($good_input) { if ($good_input) {
// fetch private keys from filesytem
$wg_srvprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-server-private.key', $return);
$wg_peerprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-peer-private.key', $return);
// server (wg0.conf) // server (wg0.conf)
$config[] = '[Interface]'; if ($_POST['wg_senabled'] == 1) {
$config[] = 'Address = '.$_POST['wg_srvipaddress']; // fetch server private key from filesytem
$config[] = 'ListenPort = '.$_POST['wg_srvport']; $wg_srvprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-server-private.key', $return);
$config[] = 'DNS = '.$_POST['wg_srvdns']; $config[] = '[Interface]';
$config[] = 'PrivateKey = '.$wg_srvprivkey; $config[] = 'Address = '.$_POST['wg_srvipaddress'];
$config[] = 'PostUp = '.getDefaultNetValue('wireguard','server','PostUp'); $config[] = 'ListenPort = '.$_POST['wg_srvport'];
$config[] = 'PostDown = '.getDefaultNetValue('wireguard','server','PostDown'); $config[] = 'DNS = '.$_POST['wg_srvdns'];
$config[] = ''; $config[] = 'PrivateKey = '.$wg_srvprivkey;
$config[] = '[Peer]'; $config[] = 'PostUp = '.getDefaultNetValue('wireguard','server','PostUp');
$config[] = 'PublicKey = '.$_POST['wg-peer']; $config[] = 'PostDown = '.getDefaultNetValue('wireguard','server','PostDown');
$config[] = 'AllowedIPs = '.$_POST['wg_pallowedips']; $config[] = '';
if ($_POST['wg_pkeepalive'] !== '') { $config[] = '[Peer]';
$config[] = 'PersistentKeepalive = '.trim($_POST['wg_pkeepalive']); $config[] = 'PublicKey = '.$_POST['wg-peer'];
$config[] = 'AllowedIPs = '.$_POST['wg_pallowedips'];
if ($_POST['wg_pkeepalive'] !== '') {
$config[] = 'PersistentKeepalive = '.trim($_POST['wg_pkeepalive']);
}
$config[] = '';
$config = join(PHP_EOL, $config);
file_put_contents("/tmp/wgdata", $config);
system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_CONFIG, $return);
} else {
# remove selected conf + keys
system('sudo rm '. RASPI_WIREGUARD_PATH .'wg-server-private.key', $return);
system('sudo rm '. RASPI_WIREGUARD_PATH .'wg-server-public.key', $return);
system('sudo rm '. RASPI_WIREGUARD_CONFIG, $return);
} }
$config[] = '';
$config = join(PHP_EOL, $config);
file_put_contents("/tmp/wgdata", $config);
system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_CONFIG, $return);
// client1 (client.conf) // client1 (client.conf)
$config = []; if ($_POST['wg_penabled'] == 1) {
$config[] = '[Interface]'; // fetch peer private key from filesystem
$config[] = 'Address = '.trim($_POST['wg_pipaddress']); $wg_peerprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-peer-private.key', $return);
$config[] = 'PrivateKey = '.$wg_peerprivkey; $config = [];
$config[] = 'ListenPort = '.$_POST['wg_plistenport']; $config[] = '[Interface]';
$config[] = ''; $config[] = 'Address = '.trim($_POST['wg_pipaddress']);
$config[] = '[Peer]'; $config[] = 'PrivateKey = '.$wg_peerprivkey;
$config[] = 'PublicKey = '.$_POST['wg-server']; $config[] = 'ListenPort = '.$_POST['wg_plistenport'];
$config[] = 'AllowedIPs = '.$_POST['wg_pallowedips']; $config[] = '';
$config[] = 'Endpoint = '.$_POST['wg_pendpoint']; $config[] = '[Peer]';
if ($_POST['wg_pkeepalive'] !== '') { $config[] = 'PublicKey = '.$_POST['wg-server'];
$config[] = 'PersistentKeepalive = '.trim($_POST['wg_pkeepalive']); $config[] = 'AllowedIPs = '.$_POST['wg_pallowedips'];
} $config[] = 'Endpoint = '.$_POST['wg_pendpoint'];
$config[] = ''; if ($_POST['wg_pkeepalive'] !== '') {
$config = join(PHP_EOL, $config); $config[] = 'PersistentKeepalive = '.trim($_POST['wg_pkeepalive']);
}
$config[] = '';
$config = join(PHP_EOL, $config);
file_put_contents("/tmp/wgdata", $config); file_put_contents("/tmp/wgdata", $config);
system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_PATH.'client.conf', $return); system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_PATH.'client.conf', $return);
} else {
# remove selected conf + keys
system('sudo rm '. RASPI_WIREGUARD_PATH .'wg-peer-private.key', $return);
system('sudo rm '. RASPI_WIREGUARD_PATH .'wg-peer-public.key', $return);
system('sudo rm '. RASPI_WIREGUARD_PATH.'client.conf', $return);
}
// handle log option // handle log option
if ($_POST['wg_log'] == "1") { if ($_POST['wg_log'] == "1") {
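Review bot: In SaveWireGuardConfig the server branch still writes peer-side fields into wg0.conf (`PublicKey = $_POST['wg-peer']`, `AllowedIPs = $_POST['wg_pallowedips']`, the `wg_pkeepalive` check), but after this change `wg_pallowedips` and `wg_pkeepalive` are only validated inside `if ($_POST['wg_penabled'] == 1)`, so with the server enabled and the peer disabled those values reach the root-installed config unvalidated, and `wg-peer` is not validated on either path. The enable flags are also read as `$_POST['wg_senabled'] == 1` and `$_POST['wg_penabled'] == 1` without isset while the two templates in this commit drop their hidden `value="0"` inputs, so an unchecked switch sends no key at all, which raises an undefined-index notice and silently takes the `sudo rm` branch that deletes the key pair and config. Read each flag once, e.g. `$wg_senabled = isset($_POST['wg_senabled']) && $_POST['wg_senabled'] === '1';` and `$wg_penabled = isset($_POST['wg_penabled']) && $_POST['wg_penabled'] === '1';`, and run the peer-field validation whenever either flag is set. Because wg-quick executes the PostUp/PostDown directives in that file, every value should also be rejected if it contains a line break before it is passed to `join(PHP_EOL, $config)`. SaveWireGuardConfig continues outside the hunk.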


@ -50,4 +50,6 @@ www-data ALL=(ALL) NOPASSWD:/bin/systemctl * wg-quick@wg0
www-data ALL=(ALL) NOPASSWD:/usr/bin/wg www-data ALL=(ALL) NOPASSWD:/usr/bin/wg
www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wireguard/*.conf www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wireguard/*.conf
www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wireguard/wg-*.key www-data ALL=(ALL) NOPASSWD:/bin/cat /etc/wireguard/wg-*.key
www-data ALL=(ALL) NOPASSWD:/bin/rm /etc/wireguard/*.conf
www-data ALL=(ALL) NOPASSWD:/bin/rm /etc/wireguard/wg-*.key
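Review bot: The two new `/bin/rm` rules use a `*` wildcard in the argument position, and sudoers matches command-line arguments as a single space-separated string, so the wildcard matches across argument boundaries and the rule allows extra paths to be handed to rm as root — a much wider grant than the four fixed files the PHP actually removes. List the exact targets instead, e.g. `www-data ALL=(ALL) NOPASSWD:/bin/rm /etc/wireguard/wg0.conf, /bin/rm /etc/wireguard/client.conf` plus one entry each for `wg-server-private.key`, `wg-server-public.key`, `wg-peer-private.key` and `wg-peer-public.key`, or move the cleanup into a small root-owned script and grant only that script. The pre-existing `/bin/cat` globs on the lines above have the same shape, though they are not part of this change.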


@ -4,13 +4,13 @@
<div class="col-md-6"> <div class="col-md-6">
<h4 class="mt-3"><?php echo _("Tunnel settings"); ?></h4> <h4 class="mt-3"><?php echo _("Tunnel settings"); ?></h4>
<div class="input-group"> <div class="input-group">
<input type="hidden" name="tunnel-enable" value="0">
<div class="custom-control custom-switch"> <div class="custom-control custom-switch">
<input class="custom-control-input" id="tunnel-enable" type="checkbox" name="tunnel-enable" value="1" <?php echo $enabled ? ' checked="checked"' : "" ?> aria-describedby="tunnel-description"> <input class="custom-control-input" id="server_enabled" type="checkbox" name="wg_senabled" value="1" <?php echo $wg_senabled ? ' checked="checked"' : "" ?> aria-describedby="server-description">
<label class="custom-control-label" for="tunnel-enable"><?php echo _("Enable tunnel") ?></label> <label class="custom-control-label" for="server_enabled"><?php echo _("Enable server") ?></label>
</div> </div>
<p id="wg-description"> <p id="wg-description">
<small><?php echo _("Enable this option to encrypt traffic by creating a tunnel between RaspAP and configured peers.") ?></small> <small><?php echo _("Enable this option to encrypt traffic by creating a tunnel between RaspAP and configured peers.") ?></small>
<small><?php echo _("This option adds <code>wg0.conf</code> to the WireGuard configuration.") ?></small>
</p> </p>
</div> </div>
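Review bot: The renamed checkbox now carries `aria-describedby="server-description"`, but the description paragraph beneath it keeps `id="wg-description"`, so the reference points at no element. Change the paragraph to `<p id="server-description">`; the peer template in this commit has the same mismatch with `endpoint-description`, and both panels reuse `id="wg-description"`, which duplicates the id when they render on one page.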


@ -4,12 +4,15 @@
<div class="col-md-6"> <div class="col-md-6">
<h4 class="mt-3"><?php echo _("Peer"); ?></h4> <h4 class="mt-3"><?php echo _("Peer"); ?></h4>
<div class="input-group"> <div class="input-group">
<input type="hidden" name="endpoint-enable" value="0">
<input type="hidden" name="peer_id" value="1"> <input type="hidden" name="peer_id" value="1">
<div class="custom-control custom-switch"> <div class="custom-control custom-switch">
<input class="custom-control-input" id="endpoint_enable" type="checkbox" name="endpoint-enable" value="1" <?php echo $enabled ? ' checked="checked"' : "" ?> aria-describedby="endpoint-description"> <input class="custom-control-input" id="peer_enabled" type="checkbox" name="wg_penabled" value="1" <?php echo $wg_penabled ? ' checked="checked"' : "" ?> aria-describedby="endpoint-description">
<label class="custom-control-label" for="endpoint_enable"><?php echo _("Enable endpoint") ?></label> <label class="custom-control-label" for="peer_enabled"><?php echo _("Enable peer") ?></label>
</div> </div>
<p id="wg-description">
<small><?php echo _("Enable this option to encrypt traffic by creating a tunnel between RaspAP and this peer.") ?></small>
<small><?php echo _("This option adds <code>client.conf</code> to the WireGuard configuration.") ?></small>
</p>
</div> </div>
<div class="row"> <div class="row">