package main
import (
	"log"
	"net"
	"os"
	"path/filepath"
	"strings"

	"golang.zx2c4.com/wireguard/wgctrl"
	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

	"novit.tech/direktil/pkg/config"
)
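// setupVPN creates and configures the WireGuard interface described by vpn.
//
// Key material lives under localGenDir/<vpn.Name>: the interface private key
// in "key" and the pre-shared key in "pskey". Each file is generated on first
// use and persisted with mode 0600; later runs reuse the stored value so the
// interface keeps a stable identity. Only the public key is written to the
// log — the private key and the pre-shared key are secrets and never logged.
//
// Every failure is reported through fatalf (defined elsewhere in this
// package): a VPN that cannot be set up aborts the program rather than
// leaving a half-configured interface behind.
func setupVPN(vpn config.VPNDef, localGenDir string) {
	log.Printf("setting up VPN %s", vpn.Name)

	vpnDir := filepath.Join(localGenDir, vpn.Name)
	// 0750: the directory holds secrets, so no world access. A failure here
	// used to be ignored and would only surface later as an unreadable key.
	if err := os.MkdirAll(vpnDir, 0750); err != nil {
		fatalf("failed to create VPN dir %s: %v", vpnDir, err)
	}

	// public/private key
	key := loadOrCreateKey(filepath.Join(vpnDir, "key"), wgtypes.GeneratePrivateKey, "VPN key")
	log.Printf("VPN %s public key is %s", vpn.Name, key.PublicKey().String())

	// pre-shared key
	pskey := loadOrCreateKey(filepath.Join(vpnDir, "pskey"), wgtypes.GenerateKey, "VPN pre-shared key")
	// The previous log line printed key.String() — the interface PRIVATE key —
	// under a "pre-shared key" label. Neither secret belongs in the log.
	log.Printf("VPN %s pre-shared key loaded", vpn.Name)

	// setup interface
	cfg := wgtypes.Config{
		PrivateKey: &key,
		ListenPort: vpn.ListenPort,
		Peers:      make([]wgtypes.PeerConfig, 0, len(vpn.Peers)),
	}

	for idx, vpnPeer := range vpn.Peers {
		// Per-iteration copy: &vpnPeer.KeepAlive below must not alias the
		// shared loop variable on pre-1.22 toolchains.
		vpnPeer := vpnPeer

		wgPeer := wgtypes.PeerConfig{
			Endpoint:                    vpnPeer.Endpoint,
			AllowedIPs:                  make([]net.IPNet, 0, len(vpnPeer.AllowedIPs)),
			PersistentKeepaliveInterval: &vpnPeer.KeepAlive,
		}

		// The pre-shared key is only attached to peers that opt in; the
		// remote side must be configured with the same key.
		if vpnPeer.WithPreSharedKey {
			wgPeer.PresharedKey = &pskey
		}

		pubkey, err := wgtypes.ParseKey(vpnPeer.PublicKey)
		if err != nil {
			fatalf("bad VPN peer[%d] public key: %v", idx, err)
		}
		wgPeer.PublicKey = pubkey

		for _, ipnetStr := range vpnPeer.AllowedIPs {
			// Only the network part matters for AllowedIPs; the host address
			// returned by ParseCIDR is discarded.
			_, ipnet, err := net.ParseCIDR(ipnetStr)
			if err != nil {
				fatalf("bad IP/net: %q: %v", ipnetStr, err)
			}
			wgPeer.AllowedIPs = append(wgPeer.AllowedIPs, *ipnet)
		}

		cfg.Peers = append(cfg.Peers, wgPeer)
	}

	wg, err := wgctrl.New()
	if err != nil {
		fatalf("failed to setup WireGuard client: %v", err)
	}
	defer wg.Close()

	run("ip", "link", "add", vpn.Name, "type", "wireguard")

	for _, ip := range vpn.IPs {
		run("ip", "addr", "add", ip, "dev", vpn.Name)
	}

	// Keys and peers are applied before the link comes up so the interface
	// is never up without its configuration.
	if err := wg.ConfigureDevice(vpn.Name, cfg); err != nil {
		fatalf("failed to setup VPN %s: %v", vpn.Name, err)
	}

	run("ip", "link", "set", vpn.Name, "up")
}

// loadOrCreateKey returns the WireGuard key stored at path. When the file does
// not exist yet, a new key is produced by gen and persisted with mode 0600 so
// the same key is reused on later runs. what names the key in error messages
// (e.g. "VPN key"). Any read, generate, write or parse failure is fatal.
func loadOrCreateKey(path string, gen func() (wgtypes.Key, error), what string) wgtypes.Key {
	keyBytes, err := os.ReadFile(path)
	switch {
	case os.IsNotExist(err):
		newKey, err := gen()
		if err != nil {
			fatalf("failed to generate %s: %v", what, err)
		}
		keyBytes = []byte(newKey.String())
		// A key that cannot be persisted would be regenerated on the next run,
		// silently changing the interface identity; that write error used to
		// be ignored.
		if err := os.WriteFile(path, keyBytes, 0600); err != nil {
			fatalf("failed to write %s to %s: %v", what, path, err)
		}
	case err != nil:
		fatalf("failed to read %s: %v", what, err)
	}

	// Tolerate surrounding whitespace, e.g. the trailing newline left by a
	// hand-provisioned `wg genkey > key`; the strict parser rejects it.
	key, err := wgtypes.ParseKey(strings.TrimSpace(string(keyBytes)))
	if err != nil {
		fatalf("bad %s: %v", what, err)
	}
	return key
}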