WIP: feat: commands and tools to setup fw and system settings for VPN:

This is scrapped for now. It may be outside the scope of
    this service to manage the fw...

    Let that be handled by automations such as Ansible or other tools
    during deployment-time.

Signed-off-by: HeshamTB <hishaminv@gmail.com>
This commit is contained in:
HeshamTB 2024-03-31 00:30:33 +03:00
parent 489ecd65fb
commit 32d90b67ce
Signed by: Hesham
GPG Key ID: 74876157D199B09E
2 changed files with 127 additions and 0 deletions


@ -20,6 +20,7 @@ import (
"golang.zx2c4.com/wireguard/wgctrl/wgtypes" "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
hvpnnode3 "gitea.hbanafa.com/HeshamTB/hvpn-node3" hvpnnode3 "gitea.hbanafa.com/HeshamTB/hvpn-node3"
netcmd "gitea.hbanafa.com/HeshamTB/hvpn-node3/net"
) )
/* /*
@ -174,6 +175,13 @@ func createCliApp() *cli.App {
} }
app.Flags = append(app.Flags, &wgInterfaceName) app.Flags = append(app.Flags, &wgInterfaceName)
uplinkName := cli.StringFlag{
Name: "uplink",
Usage: "Name of the interface to be used for Wireguard traffic",
Required: true,
}
app.Flags = append(app.Flags, &uplinkName)
wgEndpoint := cli.StringFlag{ wgEndpoint := cli.StringFlag{
Name: "endpoint", Name: "endpoint",
Usage: "Wireguard endpoint domain or address without the port", Usage: "Wireguard endpoint domain or address without the port",
@ -276,6 +284,7 @@ func createCliApp() *cli.App {
app.Flags = append(app.Flags, &TLSCertKey) app.Flags = append(app.Flags, &TLSCertKey)
app.Commands = append(app.Commands, NetSetupCommand())
app.Action = func(ctx *cli.Context) error { app.Action = func(ctx *cli.Context) error {
err := setup(ctx) err := setup(ctx)
@ -289,6 +298,123 @@ func createCliApp() *cli.App {
return app return app
} }
func NetSetupCommand() *cli.Command {
cmd := cli.Command{
Name: "nsetup",
Usage: "Tools to setup the host for routing VPN traffic\nGlobal flags have an effect on this commands behaviour",
Action: func(ctx *cli.Context) error {
err := preUpCommands(ctx)
if err != nil {
return err
}
return nil
},
}
return &cmd
}
func preUpCommands(ctx *cli.Context) error {
/* Make a Revertable Command Intrface to make this more general */
sysProcFile, err := os.OpenFile(
hvpnnode3.SYS_PROC_IPV4_IP_FORWARD,
os.O_RDWR, 0644,
)
defer sysProcFile.Close()
if err != nil {
return err
}
uplinkIface := ctx.String("uplink")
wgIface := ctx.String("interface")
wgport := ctx.Int("port")
wgportStr := fmt.Sprint(wgport)
sysCtlAllowForward := netcmd.SysctlIpv4Forward(sysProcFile, true)
ipTables1 := netcmd.IptablesForwardWGInAccept(true, uplinkIface, wgIface)
ipTables2 := netcmd.IptablesForwardWGOutAccept(true, uplinkIface, wgIface)
ipTables3 := netcmd.IptablesNatPostRoutingMasq(true, uplinkIface)
ipTablesAllowPort := netcmd.IptablesPort(true, uplinkIface, wgportStr, netcmd.UDP)
sysCtlDisAllowForward := netcmd.SysctlIpv4Forward(sysProcFile, false)
ipTables4 := netcmd.IptablesForwardWGInAccept(false, uplinkIface, wgIface)
ipTables5 := netcmd.IptablesForwardWGOutAccept(false, uplinkIface, wgIface)
ipTables6 := netcmd.IptablesNatPostRoutingMasq(false, uplinkIface)
ipTablesDisAllow := netcmd.IptablesPort(false, uplinkIface, wgportStr, netcmd.UDP)
slog.Debug(sysCtlAllowForward.String())
err = sysCtlAllowForward.Run()
if err != nil {
return err
}
slog.Debug(ipTables1.String())
err = ipTables1.Run()
if err != nil {
sysCtlDisAllowForward.Run()
return err
}
slog.Debug(ipTables2.String())
err = ipTables2.Run()
if err != nil {
sysCtlDisAllowForward.Run()
ipTables4.Run()
return err
}
slog.Debug(ipTables3.String())
err = ipTables3.Run()
if err != nil {
sysCtlDisAllowForward.Run()
ipTables4.Run()
ipTables5.Run()
return err
}
slog.Debug(ipTablesAllowPort.String())
err = ipTablesAllowPort.Run()
if err != nil {
sysCtlDisAllowForward.Run()
ipTables4.Run()
ipTables5.Run()
ipTables6.Run()
return err
}
/* At this point all passed. revert.*/
err = sysCtlDisAllowForward.Run()
if err != nil {
slog.Debug(err.Error())
}
err = ipTables4.Run()
if err != nil {
slog.Debug(err.Error())
}
err = ipTables5.Run()
if err != nil {
slog.Debug(err.Error())
}
err = ipTables6.Run()
if err != nil {
slog.Debug(err.Error())
}
err = ipTablesDisAllow.Run()
if err != nil {
slog.Debug(err.Error())
}
return nil
}
func postDownCommands(ctx *cli.Context) error {
return nil
}
func setup(ctx *cli.Context) error { func setup(ctx *cli.Context) error {
slog.Debug("Starting setup()") slog.Debug("Starting setup()")
uid := os.Getuid() uid := os.Getuid()
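Review bot: In preUpCommands the undo commands run in the failure branches (`sysCtlDisAllowForward.Run()`, `ipTables4.Run()`, `ipTables5.Run()`, `ipTables6.Run()` after each failed step) have their errors discarded, so a half-applied setup can leave ip_forward enabled and the FORWARD/MASQUERADE rules in place while the caller only sees the first error; the final revert block does check them, but only logs at Debug. Each undo step should be checked, logged at Error and folded into the returned error with errors.Join (this needs an `errors` import in the file's import block), as sketched below. Separately, `defer sysProcFile.Close()` is placed before the OpenFile error check; moving it after `if err != nil { return err }` avoids deferring Close on a nil handle. Whether the second SysctlIpv4Forward write through the same open handle lands at the intended offset depends on netcmd, which is not visible here.
```go
// revert runs the already-built undo commands in order and reports every
// failure, so a partially applied forwarding/NAT setup is never silently left in place.
revert := func(cmds ...interface {
	Run() error
	String() string
}) error {
	var errs []error
	for _, c := range cmds {
		if rerr := c.Run(); rerr != nil {
			slog.Error("reverting network setup step", "cmd", c.String(), "err", rerr)
			errs = append(errs, rerr)
		}
	}
	return errors.Join(errs...)
}
// … unchanged: sysctl and iptables apply steps …
err = ipTables2.Run()
if err != nil {
	return errors.Join(err, revert(sysCtlDisAllowForward, ipTables4))
}
// … unchanged: remaining apply steps use revert(...) the same way …
```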


@ -7,6 +7,7 @@ const (
CONTENT_OCTET = "application/octet-stream" CONTENT_OCTET = "application/octet-stream"
CONTENT_PLAIN_TEXT = "text/plain" CONTENT_PLAIN_TEXT = "text/plain"
WG_CLIENT_MTU = 1380 WG_CLIENT_MTU = 1380
SYS_PROC_IPV4_IP_FORWARD = "/proc/sys/net/ipv4/ip_forward"
) )
var ( var (