From 32d90b67ce80f418082c8bccb6a6770d73da4de3 Mon Sep 17 00:00:00 2001
From: HeshamTB
Date: Sun, 31 Mar 2024 00:30:33 +0300
Subject: [PATCH] WIP: feat: commands and tools to setup fw and system settings for VPN: This is scrapped for now. It may be outside the scope of this service to manage the fw... Let that be handled by automations such as Ansible or other tools during deployment-time.
Signed-off-by: HeshamTB
---
 cmd/hvpn-node/hvpn-node.go | 126 +++++++++++++++++++++++++++++++++++++
 const.go | 1 +
 2 files changed, 127 insertions(+)
diff --git a/cmd/hvpn-node/hvpn-node.go b/cmd/hvpn-node/hvpn-node.go
index c02eeeb..732b4e5 100644
--- a/cmd/hvpn-node/hvpn-node.go
+++ b/cmd/hvpn-node/hvpn-node.go
@@ -20,6 +20,7 @@ import (
 "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 hvpnnode3 "gitea.hbanafa.com/HeshamTB/hvpn-node3"
+ netcmd "gitea.hbanafa.com/HeshamTB/hvpn-node3/net"
 )
 /*
@@ -174,6 +175,13 @@ func createCliApp() *cli.App {
 }
 app.Flags = append(app.Flags, &wgInterfaceName)
+ uplinkName := cli.StringFlag{
+ Name: "uplink",
+ Usage: "Name of the interface to be used for Wireguard traffic",
+ Required: true,
+ }
+ app.Flags = append(app.Flags, &uplinkName)
+
 wgEndpoint := cli.StringFlag{
 Name: "endpoint",
 Usage: "Wireguard endpoint domain or address without the port",
@@ -276,6 +284,7 @@ func createCliApp() *cli.App {
 app.Flags = append(app.Flags, &TLSCertKey)
+ app.Commands = append(app.Commands, NetSetupCommand())
 app.Action = func(ctx *cli.Context) error {
 err := setup(ctx)
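Review bot: `Required: true` on the new global `uplink` flag makes every invocation of the server fail flag validation unless `--uplink` is supplied, yet within this patch the only reader of `ctx.String("uplink")` is `preUpCommands` behind the `nsetup` subcommand — the existing `setup` action is untouched, and the commit message says the firewall work is being scrapped (urfave/cli checks required global flags before dispatching to any subcommand, unless I misread its behaviour). Either drop the `Required: true,` line or move the flag into the `nsetup` command's own `Flags` so the main action is unaffected. The Usage text is also easy to confuse with the existing `interface` flag (the WireGuard device); `Usage: "Name of the uplink (WAN) interface that VPN traffic is forwarded and NATed through",` would disambiguate. `createCliApp` starts and ends outside this hunk.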
@@ -289,6 +298,123 @@ func createCliApp() *cli.App {
 return app
 }
+func NetSetupCommand() *cli.Command {
+ cmd := cli.Command{
+ Name: "nsetup",
+ Usage: "Tools to setup the host for routing VPN traffic\nGlobal flags have an effect on this commands behaviour",
+ Action: func(ctx *cli.Context) error {
+ err := preUpCommands(ctx)
+ if err != nil {
+ return err
+ }
+
+ return nil
+ },
+ }
+
+ return &cmd
+}
+
+func preUpCommands(ctx *cli.Context) error {
+
+ /* Make a Revertable Command Intrface to make this more general */
+ sysProcFile, err := os.OpenFile(
+ hvpnnode3.SYS_PROC_IPV4_IP_FORWARD,
+ os.O_RDWR, 0644,
+ )
+ defer sysProcFile.Close()
+ if err != nil {
+ return err
+ }
+
+ uplinkIface := ctx.String("uplink")
+ wgIface := ctx.String("interface")
+ wgport := ctx.Int("port")
+ wgportStr := fmt.Sprint(wgport)
+
+ sysCtlAllowForward := netcmd.SysctlIpv4Forward(sysProcFile, true)
+ ipTables1 := netcmd.IptablesForwardWGInAccept(true, uplinkIface, wgIface)
+ ipTables2 := netcmd.IptablesForwardWGOutAccept(true, uplinkIface, wgIface)
+ ipTables3 := netcmd.IptablesNatPostRoutingMasq(true, uplinkIface)
+ ipTablesAllowPort := netcmd.IptablesPort(true, uplinkIface, wgportStr, netcmd.UDP)
+
+ sysCtlDisAllowForward := netcmd.SysctlIpv4Forward(sysProcFile, false)
+ ipTables4 := netcmd.IptablesForwardWGInAccept(false, uplinkIface, wgIface)
+ ipTables5 := netcmd.IptablesForwardWGOutAccept(false, uplinkIface, wgIface)
+ ipTables6 := netcmd.IptablesNatPostRoutingMasq(false, uplinkIface)
+ ipTablesDisAllow := netcmd.IptablesPort(false, uplinkIface, wgportStr, netcmd.UDP)
+
+ slog.Debug(sysCtlAllowForward.String())
+ err = sysCtlAllowForward.Run()
+ if err != nil {
+ return err
+ }
+
+ slog.Debug(ipTables1.String())
+ err = ipTables1.Run()
+ if err != nil {
+ sysCtlDisAllowForward.Run()
+ return err
+ }
+
+ slog.Debug(ipTables2.String())
+ err = ipTables2.Run()
+ if err != nil {
+ sysCtlDisAllowForward.Run()
+ ipTables4.Run()
+ return err
+ }
+
+ slog.Debug(ipTables3.String())
+ err = ipTables3.Run()
+ if err != nil {
+ sysCtlDisAllowForward.Run()
+ ipTables4.Run()
+ ipTables5.Run()
+ return err
+ }
+
+ slog.Debug(ipTablesAllowPort.String())
+ err = ipTablesAllowPort.Run()
+ if err != nil {
+ sysCtlDisAllowForward.Run()
+ ipTables4.Run()
+ ipTables5.Run()
+ ipTables6.Run()
+ return err
+ }
+
+ /* At this point all passed. revert.*/
+
+ err = sysCtlDisAllowForward.Run()
+ if err != nil {
+ slog.Debug(err.Error())
+ }
+ err = ipTables4.Run()
+ if err != nil {
+ slog.Debug(err.Error())
+ }
+ err = ipTables5.Run()
+ if err != nil {
+ slog.Debug(err.Error())
+ }
+ err = ipTables6.Run()
+ if err != nil {
+ slog.Debug(err.Error())
+ }
+ err = ipTablesDisAllow.Run()
+ if err != nil {
+ slog.Debug(err.Error())
+ }
+
+ return nil
+
+}
+
+func postDownCommands(ctx *cli.Context) error {
+ return nil
+}
+
 func setup(ctx *cli.Context) error {
 slog.Debug("Starting setup()")
 uid := os.Getuid()
diff --git a/const.go b/const.go
index e7da1a2..47821bb 100644
--- a/const.go
+++ b/const.go
@@ -7,6 +7,7 @@ const (
 CONTENT_OCTET = "application/octet-stream"
 CONTENT_PLAIN_TEXT = "text/plain"
 WG_CLIENT_MTU = 1380
+ SYS_PROC_IPV4_IP_FORWARD = "/proc/sys/net/ipv4/ip_forward"
 )
 var (
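Review bot: `preUpCommands` hands the same `sysProcFile` handle to both the enable and the disable `SysctlIpv4Forward` commands, so unless that helper rewinds before writing (its code is not in this patch) the revert write lands at a non-zero file offset, which the kernel silently ignores for numeric sysctls under the default `kernel.sysctl_writes_strict=1` — `ip_forward` would stay at 1 while `Run()` reports success, and the only trace would be at Debug level. Call `sysProcFile.Seek(0, io.SeekStart)` before each write (or open a fresh handle per write), read the value back to confirm the revert, and report rollback failures with `slog.Warn` or return them via `errors.Join` instead of `slog.Debug(err.Error())`. The `defer sysProcFile.Close()` also runs before the `os.OpenFile` error is checked; move it below the `if err != nil { return err }`. Note too that the function applies ip_forward, the FORWARD accepts, MASQUERADE and the UDP port rule and then immediately reverts them all, so as wired into `nsetup` it is a dry-run that briefly turns the host into a forwarding NAT gateway; if that is intended for this WIP, say so in a comment on the `/* At this point all passed. revert.*/` line, otherwise split the revert into `postDownCommands`, which is currently an empty stub.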