raspap-webgui-mirror/includes/wireguard.php

314 lines
12 KiB
PHP
Raw Normal View History

2020-04-20 11:53:46 +00:00
<?php
require_once 'config.php';
/**
2021-03-04 23:06:27 +00:00
* Displays wireguard server & peer configuration
2020-04-20 11:53:46 +00:00
*/
function DisplayWireGuardConfig()
{
$status = new \RaspAP\Messages\StatusMessage;
2023-11-09 15:39:43 +00:00
$parseFlag = true;
2020-04-20 11:53:46 +00:00
if (!RASPI_MONITOR_ENABLED) {
2021-07-08 10:22:17 +00:00
$optRules = $_POST['wgRules'];
$optConf = $_POST['wgCnfOpt'];
$optSrvEnable = $_POST['wgSrvEnable'];
2021-12-31 13:10:27 +00:00
$optLogEnable = $_POST['wgLogEnable'];
2021-07-08 10:22:17 +00:00
if (isset($_POST['savewgsettings']) && $optConf == 'manual' && $optSrvEnable == 1 ) {
2021-03-04 23:06:27 +00:00
SaveWireGuardConfig($status);
2021-07-08 10:22:17 +00:00
} elseif (isset($_POST['savewgsettings']) && $optConf == 'upload' && is_uploaded_file($_FILES["wgFile"]["tmp_name"])) {
SaveWireGuardUpload($status, $_FILES['wgFile'], $optRules);
2022-01-25 08:36:14 +00:00
} elseif (isset($_POST['savewgsettings']) && isset($_POST['wg_penabled']) ) {
SaveWireGuardConfig($status);
2020-04-20 11:53:46 +00:00
} elseif (isset($_POST['startwg'])) {
$status->addMessage('Attempting to start WireGuard', 'info');
2021-03-07 13:22:26 +00:00
exec('sudo /bin/systemctl start wg-quick@wg0', $return);
2020-04-20 11:53:46 +00:00
foreach ($return as $line) {
$status->addMessage($line, 'info');
}
} elseif (isset($_POST['stopwg'])) {
$status->addMessage('Attempting to stop WireGuard', 'info');
2021-03-07 13:22:26 +00:00
exec('sudo /bin/systemctl stop wg-quick@wg0', $return);
2020-04-20 11:53:46 +00:00
foreach ($return as $line) {
$status->addMessage($line, 'info');
}
}
2021-12-31 13:10:27 +00:00
CheckWireGuardLog( $optLogEnable, $status );
2020-04-20 11:53:46 +00:00
}
2021-07-08 10:22:17 +00:00
// fetch server config
2020-08-26 22:54:49 +00:00
exec('sudo cat '. RASPI_WIREGUARD_CONFIG, $return);
2023-11-09 15:39:43 +00:00
$conf = ParseConfig($return, $parseFlag);
2021-02-24 18:07:19 +00:00
$wg_srvpubkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-server-public.key', $return);
2021-02-24 08:48:07 +00:00
$wg_srvport = ($conf['ListenPort'] == '') ? getDefaultNetValue('wireguard','server','ListenPort') : $conf['ListenPort'];
$wg_srvipaddress = ($conf['Address'] == '') ? getDefaultNetValue('wireguard','server','Address') : $conf['Address'];
$wg_srvdns = ($conf['DNS'] == '') ? getDefaultNetValue('wireguard','server','DNS') : $conf['DNS'];
if (is_array($wg_srvdns)) {
$wg_srvdns = implode(', ', $wg_srvdns);
}
2021-03-09 15:35:48 +00:00
$wg_peerpubkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-peer-public.key', $return);
if (sizeof($conf) >0) {
$wg_senabled = true;
}
2021-07-08 10:22:17 +00:00
// fetch client config
exec('sudo cat '. RASPI_WIREGUARD_PATH.'client.conf', $preturn);
2023-11-09 15:39:43 +00:00
$conf = ParseConfig($preturn, $parseFlag);
$wg_pipaddress = ($conf['Address'] == '') ? getDefaultNetValue('wireguard','peer','Address') : $conf['Address'];
$wg_plistenport = ($conf['ListenPort'] == '') ? getDefaultNetValue('wireguard','peer','ListenPort') : $conf['ListenPort'];
2021-02-24 09:12:31 +00:00
$wg_pendpoint = ($conf['Endpoint'] == '') ? getDefaultNetValue('wireguard','peer','Endpoint') : $conf['Endpoint'];
$wg_pallowedips = ($conf['AllowedIPs'] == '') ? getDefaultNetValue('wireguard','peer','AllowedIPs') : $conf['AllowedIPs'];
$wg_pkeepalive = ($conf['PersistentKeepalive'] == '') ? getDefaultNetValue('wireguard','peer','PersistentKeepalive') : $conf['PersistentKeepalive'];
if (sizeof($conf) >0) {
$wg_penabled = true;
}
2020-08-26 22:54:49 +00:00
// fetch service status
exec('systemctl is-active wg-quick@wg0', $wgstatus);
$serviceStatus = $wgstatus[0] == 'inactive' ? "down" : "up";
$wg_state = ($wgstatus[0] == 'active' ? true : false );
2021-07-07 22:25:23 +00:00
$public_ip = get_public_ip();
2020-04-20 11:53:46 +00:00
echo renderTemplate(
"wireguard", compact(
"status",
2020-04-22 09:01:31 +00:00
"wg_state",
2020-08-25 21:11:27 +00:00
"serviceStatus",
2021-07-07 22:25:23 +00:00
"public_ip",
"optRules",
2021-12-31 13:10:27 +00:00
"optLogEnable",
2020-08-25 21:11:27 +00:00
"peer_id",
2021-02-24 18:07:19 +00:00
"wg_srvpubkey",
2021-02-24 08:48:07 +00:00
"wg_srvport",
"wg_srvipaddress",
"wg_srvdns",
2021-03-09 15:35:48 +00:00
"wg_senabled",
"wg_penabled",
"wg_pipaddress",
"wg_plistenport",
2021-02-24 18:07:19 +00:00
"wg_peerpubkey",
2021-02-24 09:12:31 +00:00
"wg_pendpoint",
"wg_pallowedips",
2020-08-26 22:54:49 +00:00
"wg_pkeepalive"
2020-04-20 11:53:46 +00:00
)
);
}
/**
* Validates uploaded .conf file, adds iptables post-up and
* post-down rules.
*
* @param object $status
* @param object $file
* @param boolean $optRules
* @return object $status
*/
function SaveWireGuardUpload($status, $file, $optRules)
{
define('KB', 1024);
$tmp_destdir = '/tmp/';
$auth_flag = 0;
try {
// If undefined or multiple files, treat as invalid
if (!isset($file['error']) || is_array($file['error'])) {
throw new RuntimeException('Invalid parameters');
}
$upload = \RaspAP\Uploader\FileUpload::factory('wg',$tmp_destdir);
$upload->set_max_file_size(64*KB);
$upload->set_allowed_mime_types(array('text/plain'));
$upload->file($file);
$validation = new validation;
$upload->callbacks($validation, array('check_name_length'));
$results = $upload->upload();
if (!empty($results['errors'])) {
throw new RuntimeException($results['errors'][0]);
}
// Valid upload, get file contents
$tmp_wgconfig = $results['full_path'];
$tmp_contents = file_get_contents($tmp_wgconfig);
// Set iptables rules
if (isset($optRules) && !preg_match('/PostUp|PostDown/m',$tmp_contents)) {
$rules[] = 'PostUp = '.getDefaultNetValue('wireguard','server','PostUp');
$rules[] = 'PostDown = '.getDefaultNetValue('wireguard','server','PostDown');
$rules[] = '';
$rules = join(PHP_EOL, $rules);
$rules = preg_replace('/wlan0/m', $_SESSION['ap_interface'], $rules);
$tmp_contents = preg_replace('/^\s*$/ms', $rules, $tmp_contents, 1);
file_put_contents($tmp_wgconfig, $tmp_contents);
}
2021-07-07 22:25:23 +00:00
// Move processed file from tmp to destination
system("sudo mv $tmp_wgconfig ". RASPI_WIREGUARD_CONFIG, $return);
if ($return ==0) {
$status->addMessage('WireGuard configuration uploaded successfully', 'info');
} else {
$status->addMessage('Unable to save WireGuard configuration', 'danger');
}
return $status;
} catch (RuntimeException $e) {
$status->addMessage($e->getMessage(), 'danger');
return $status;
}
}
2021-03-04 23:06:27 +00:00
/**
* Validate user input, save wireguard configuration
*
* @param object $status
* @return boolean
*/
function SaveWireGuardConfig($status)
{
// Set defaults
$good_input = true;
$peer_id = 1;
2021-03-09 15:35:48 +00:00
// Validate server input
2022-01-25 08:36:14 +00:00
if ($_POST['wgSrvEnable'] == 1) {
2021-03-09 15:35:48 +00:00
if (isset($_POST['wg_srvport'])) {
if (strlen($_POST['wg_srvport']) > 5 || !is_numeric($_POST['wg_srvport'])) {
$status->addMessage('Invalid value for server local port', 'danger');
$good_input = false;
}
}
2021-03-09 15:35:48 +00:00
if (isset($_POST['wg_plistenport'])) {
if (strlen($_POST['wg_plistenport']) > 5 || !is_numeric($_POST['wg_plistenport'])) {
$status->addMessage('Invalid value for peer local port', 'danger');
$good_input = false;
}
2021-03-04 23:06:27 +00:00
}
2021-03-09 15:35:48 +00:00
if (isset($_POST['wg_srvipaddress'])) {
if (!validateCidr($_POST['wg_srvipaddress'])) {
$status->addMessage('Invalid value for server IP address', 'danger');
$good_input = false;
}
}
2021-03-09 15:35:48 +00:00
if (isset($_POST['wg_srvdns'])) {
if (!filter_var($_POST['wg_srvdns'],FILTER_VALIDATE_IP)) {
$status->addMessage('Invalid value for DNS', 'danger');
$good_input = false;
}
}
}
2021-03-09 15:35:48 +00:00
// Validate peer input
if ($_POST['wg_penabled'] == 1) {
if (isset($_POST['wg_pipaddress'])) {
if (!validateCidr($_POST['wg_pipaddress'])) {
$status->addMessage('Invalid value for peer IP address', 'danger');
$good_input = false;
}
2021-03-04 23:06:27 +00:00
}
2021-03-09 15:35:48 +00:00
if (isset($_POST['wg_pendpoint']) && strlen(trim($_POST['wg_pendpoint']) >0 )) {
$wg_pendpoint_seg = substr($_POST['wg_pendpoint'],0,strpos($_POST['wg_pendpoint'],':'));
if (!filter_var($wg_pendpoint_seg,FILTER_VALIDATE_IP)) {
$status->addMessage('Invalid value for endpoint address', 'danger');
$good_input = false;
}
2021-03-04 23:06:27 +00:00
}
2021-03-09 15:35:48 +00:00
if (isset($_POST['wg_pallowedips']) && strlen(trim($_POST['wg_pallowedips']) >0)) {
if (!validateCidr($_POST['wg_pallowedips'])) {
$status->addMessage('Invalid value for allowed IPs', 'danger');
$good_input = false;
}
2021-03-04 23:06:27 +00:00
}
2021-03-09 15:35:48 +00:00
if (isset($_POST['wg_pkeepalive']) && strlen(trim($_POST['wg_pkeepalive']) >0 )) {
if (strlen($_POST['wg_pkeepalive']) > 4 || !is_numeric($_POST['wg_pkeepalive'])) {
$status->addMessage('Invalid value for persistent keepalive', 'danger');
$good_input = false;
}
2021-03-04 23:06:27 +00:00
}
}
2021-12-31 13:10:27 +00:00
2021-03-04 23:06:27 +00:00
// Save settings
if ($good_input) {
// server (wg0.conf)
2022-01-25 08:36:14 +00:00
if ($_POST['wgSrvEnable'] == 1) {
2021-03-09 15:35:48 +00:00
// fetch server private key from filesytem
$wg_srvprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-server-private.key', $return);
$config[] = '[Interface]';
$config[] = 'Address = '.$_POST['wg_srvipaddress'];
$config[] = 'ListenPort = '.$_POST['wg_srvport'];
$config[] = 'DNS = '.$_POST['wg_srvdns'];
$config[] = 'PrivateKey = '.$wg_srvprivkey;
$config[] = 'PostUp = '.getDefaultNetValue('wireguard','server','PostUp');
$config[] = 'PostDown = '.getDefaultNetValue('wireguard','server','PostDown');
$config[] = '';
$config[] = '[Peer]';
$config[] = 'PublicKey = '.$_POST['wg-peer'];
$config[] = 'AllowedIPs = '.$_POST['wg_pallowedips'];
if ($_POST['wg_pkeepalive'] !== '') {
$config[] = 'PersistentKeepalive = '.trim($_POST['wg_pkeepalive']);
}
$config[] = '';
$config = join(PHP_EOL, $config);
2021-03-04 23:06:27 +00:00
2021-03-09 15:35:48 +00:00
file_put_contents("/tmp/wgdata", $config);
system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_CONFIG, $return);
} else {
# remove selected conf + keys
system('sudo rm '. RASPI_WIREGUARD_PATH .'wg-server-private.key', $return);
system('sudo rm '. RASPI_WIREGUARD_PATH .'wg-server-public.key', $return);
system('sudo rm '. RASPI_WIREGUARD_CONFIG, $return);
}
2021-03-09 15:35:48 +00:00
// client1 (client.conf)
if ($_POST['wg_penabled'] == 1) {
// fetch peer private key from filesystem
$wg_peerprivkey = exec('sudo cat '. RASPI_WIREGUARD_PATH .'wg-peer-private.key', $return);
$config = [];
$config[] = '[Interface]';
$config[] = 'Address = '.trim($_POST['wg_pipaddress']);
$config[] = 'PrivateKey = '.$wg_peerprivkey;
$config[] = 'ListenPort = '.$_POST['wg_plistenport'];
$config[] = '';
$config[] = '[Peer]';
$config[] = 'PublicKey = '.$_POST['wg-server'];
$config[] = 'AllowedIPs = '.$_POST['wg_pallowedips'];
$config[] = 'Endpoint = '.$_POST['wg_pendpoint'];
if ($_POST['wg_pkeepalive'] !== '') {
$config[] = 'PersistentKeepalive = '.trim($_POST['wg_pkeepalive']);
}
$config[] = '';
$config = join(PHP_EOL, $config);
2021-03-04 23:06:27 +00:00
2021-03-09 15:35:48 +00:00
file_put_contents("/tmp/wgdata", $config);
system('sudo cp /tmp/wgdata '.RASPI_WIREGUARD_PATH.'client.conf', $return);
} else {
# remove selected conf + keys
system('sudo rm '. RASPI_WIREGUARD_PATH .'wg-peer-private.key', $return);
system('sudo rm '. RASPI_WIREGUARD_PATH .'wg-peer-public.key', $return);
system('sudo rm '. RASPI_WIREGUARD_PATH.'client.conf', $return);
}
2021-03-04 23:06:27 +00:00
foreach ($return as $line) {
$status->addMessage($line, 'info');
}
if ($return == 0) {
2021-03-08 08:44:17 +00:00
$status->addMessage('WireGuard configuration updated successfully', 'success');
2021-03-04 23:06:27 +00:00
} else {
2021-03-08 08:44:17 +00:00
$status->addMessage('WireGuard configuration failed to be updated', 'danger');
2021-03-04 23:06:27 +00:00
}
}
}
2021-12-31 13:10:27 +00:00
/**
*
* @return object $status
*/
function CheckWireGuardLog( $opt, $status )
{
// handle log option
if ( $opt == "1") {
exec("sudo journalctl --identifier wg-quick > /tmp/wireguard.log");
$status->addMessage('WireGuard debug log updated', 'success');
}
return $status;
}