bundles/wireguard: use one wireguard connection per peer instead of one for all

2021-09-29 19:27:13 +02:00 · 2021-09-29 19:27:13 +02:00 · 902840ee7f
commit 902840ee7f
parent 8110ec508e
5 changed files with 110 additions and 94 deletions
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -102,22 +102,56 @@ def peer_pubkeys(metadata):
@metadata_reactor.provides(
    'wireguard/peers',
 )
-def peer_ips_and_endpoints(metadata):
+def peer_ips_and_ports(metadata):
    peers = {}
+    base_port = 51820

-    for peer_name in metadata.get('wireguard/peers', {}):
+    for number, peer_name in enumerate(sorted(metadata.get('wireguard/peers', {}).keys())):
        try:
            rnode = repo.get_node(peer_name)
        except NoSuchNode:
            continue

-        ips = rnode.metadata.get('wireguard/subnets', set())
-        ips.add(rnode.metadata.get('wireguard/my_ip').split('/')[0])
-        ips = repo.libs.tools.remove_more_specific_subnets(ips)
+        ip_a, ip_b = repo.libs.s2s.get_subnet_for_connection(repo, *sorted({node.name, peer_name}))
+
+        if peer_name < node.name:
+            my_ip = ip_a
+            their_ip = ip_b
+        else:
+            my_ip = ip_b
+            their_ip = ip_a

        peers[rnode.name] = {
-            'endpoint': '{}:51820'.format(rnode.metadata.get('wireguard/external_hostname', rnode.hostname)),
-            'ips': ips,
+            'my_ip': str(my_ip),
+            'my_port': base_port + number,
+            'their_ip': str(their_ip)
+        }
+
+    return {
+        'wireguard': {
+            'peers': peers,
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'wireguard/peers',
+)
+def peer_endpoints(metadata):
+    peers = {}
+
+    for name, config in metadata.get('wireguard/peers', {}).items():
+        try:
+            rnode = repo.get_node(name)
+        except NoSuchNode:
+            continue
+
+
+        peers[rnode.name] = {
+            'endpoint': '{}:{}'.format(
+                rnode.metadata.get('wireguard/external_hostname', rnode.hostname),
+                rnode.metadata.get(f'wireguard/peers/{node.name}/my_port', 51820),
+            ),
        }

    return {
@ -133,12 +167,12 @@ def peer_ips_and_endpoints(metadata):
 def icinga2(metadata):
    services = {}

-    for peer, config in metadata.get('wireguard/peers', {}).items():
+    for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())):
        if config.get('exclude_from_monitoring', False):
            continue

        services[f'WIREGUARD CONNECTION {peer}'] = {
-            'command_on_monitored_host': config['pubkey'].format_into('sudo /usr/local/share/icinga/plugins/check_wireguard_connected wg0 {}'),
+            'command_on_monitored_host': config['pubkey'].format_into(f'sudo /usr/local/share/icinga/plugins/check_wireguard_connected wg{number} {{}}'),
        }

    return {
@ -154,63 +188,33 @@ def icinga2(metadata):
    'firewall/port_rules',
 )
 def firewall(metadata):
-    sources = set(metadata.get('wireguard/restrict-to', set()))
-    for peer_name in metadata.get('wireguard/peers'):
+    ports = {}
+    for name, config in metadata.get('wireguard/peers').items():
        try:
-            rnode = repo.get_node(peer_name)
+            rnode = repo.get_node(name)
        except NoSuchNode:  # roadwarrior
-            continue
+            ports['{}/udp'.format(config['my_port'])] = atomic(set(metadata.get('wireguard/restrict-to', set())))
        else:
-            sources.add(peer_name)
+            ports['{}/udp'.format(config['my_port'])] = atomic({name})

    return {
        'firewall': {
-            'port_rules': {
-                '51820/udp': atomic(sources),
-            },
+            'port_rules': ports,
        },
    }


@metadata_reactor.provides(
-    'interfaces/wg0/ips',
+    'interfaces',
 )
 def interface_ips(metadata):
-    return {
-        'interfaces': {
-            'wg0': {
-                'ips': {
-                    metadata.get('wireguard/my_ip'),
-                },
+    interfaces = {}
+    for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())):
+        interfaces[f'wg{number}'] = {
+            'ips': {
+                '{}/31'.format(config['my_ip']),
            },
-        },
-    }
-
-
-@metadata_reactor.provides(
-    'interfaces/wg0/routes',
-)
-def routes(metadata):
-    network = ip_network(metadata.get('wireguard/my_ip'), strict=False)
-    ips = {
-        f'{network.network_address}/{network.prefixlen}',
-    }
-    routes = {}
-
-    for _, peer_config in metadata.get('wireguard/peers', {}).items():
-        for ip in peer_config['ips']:
-            ips.add(ip)
-
-    if '0.0.0.0/0' in ips:
-        ips.remove('0.0.0.0/0')
-
-    for ip in repo.libs.tools.remove_more_specific_subnets(ips):
-        routes[ip] = {}
-
+        }
    return {
-        'interfaces': {
-            'wg0': {
-                'routes': routes,
-            },
-        },
+        'interfaces': interfaces,
    }