WIP: feat: commands and tools to setup fw and system settings for VPN:

This is scrapped for now. It may be outside the scope of this service to manage the fw... Let that be handled by automations such as Ansible or other tools during deployment-time. Signed-off-by: HeshamTB <hishaminv@gmail.com>
2024-03-31 00:30:33 +03:00
2 changed files with 127 additions and 0 deletions
--- a/cmd/hvpn-node/hvpn-node.go
+++ b/cmd/hvpn-node/hvpn-node.go
@ -20,6 +20,7 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

 	hvpnnode3 "gitea.hbanafa.com/HeshamTB/hvpn-node3"
+	netcmd "gitea.hbanafa.com/HeshamTB/hvpn-node3/net"
 )

 /*
@ -174,6 +175,13 @@ func createCliApp() *cli.App {
    }
    app.Flags = append(app.Flags, &wgInterfaceName)

+    uplinkName := cli.StringFlag{
+        Name: "uplink",
+        Usage: "Name of the interface to be used for Wireguard traffic",
+        Required: true,
+    }
+    app.Flags = append(app.Flags, &uplinkName)
+
    wgEndpoint := cli.StringFlag{
        Name: "endpoint",
        Usage: "Wireguard endpoint domain or address without the port",
@ -276,6 +284,7 @@ func createCliApp() *cli.App {
    app.Flags = append(app.Flags, &TLSCertKey)


+    app.Commands = append(app.Commands, NetSetupCommand())

    app.Action = func(ctx *cli.Context) error {
        err := setup(ctx)
@ -289,6 +298,123 @@ func createCliApp() *cli.App {
    return app
 }

+func NetSetupCommand() *cli.Command {
+    cmd := cli.Command{
+        Name: "nsetup",
+        Usage: "Tools to setup the host for routing VPN traffic\nGlobal flags have an effect on this commands behaviour",
+        Action: func(ctx *cli.Context) error {
+            err := preUpCommands(ctx)
+            if err != nil {
+                return err
+            }
+
+            return nil
+        },
+    }
+
+    return &cmd
+}
+
+func preUpCommands(ctx *cli.Context) error {
+
+    /* Make a Revertable Command Intrface to make this more general */
+    sysProcFile, err := os.OpenFile(
+        hvpnnode3.SYS_PROC_IPV4_IP_FORWARD,
+        os.O_RDWR, 0644,
+    )
+    defer sysProcFile.Close()
+    if err != nil {
+        return err
+    }
+    
+    uplinkIface := ctx.String("uplink")
+    wgIface := ctx.String("interface")
+    wgport := ctx.Int("port")
+    wgportStr := fmt.Sprint(wgport)
+
+    sysCtlAllowForward := netcmd.SysctlIpv4Forward(sysProcFile, true)
+    ipTables1 := netcmd.IptablesForwardWGInAccept(true, uplinkIface, wgIface)
+    ipTables2 := netcmd.IptablesForwardWGOutAccept(true, uplinkIface, wgIface)
+    ipTables3 := netcmd.IptablesNatPostRoutingMasq(true, uplinkIface)
+    ipTablesAllowPort := netcmd.IptablesPort(true, uplinkIface, wgportStr, netcmd.UDP)
+    
+    sysCtlDisAllowForward := netcmd.SysctlIpv4Forward(sysProcFile, false)
+    ipTables4 := netcmd.IptablesForwardWGInAccept(false, uplinkIface, wgIface)
+    ipTables5 := netcmd.IptablesForwardWGOutAccept(false, uplinkIface, wgIface)
+    ipTables6 := netcmd.IptablesNatPostRoutingMasq(false, uplinkIface)
+    ipTablesDisAllow := netcmd.IptablesPort(false, uplinkIface, wgportStr, netcmd.UDP)
+
+    slog.Debug(sysCtlAllowForward.String())
+    err = sysCtlAllowForward.Run()
+    if err != nil {
+        return err
+    }
+
+    slog.Debug(ipTables1.String())
+    err = ipTables1.Run()
+    if err != nil {
+        sysCtlDisAllowForward.Run()
+        return err
+    }
+
+    slog.Debug(ipTables2.String())
+    err = ipTables2.Run()
+    if err != nil {
+        sysCtlDisAllowForward.Run()
+        ipTables4.Run()
+        return err
+    }
+
+    slog.Debug(ipTables3.String())
+    err = ipTables3.Run()
+    if err != nil {
+        sysCtlDisAllowForward.Run()
+        ipTables4.Run()
+        ipTables5.Run()
+        return err
+    }
+
+    slog.Debug(ipTablesAllowPort.String())
+    err = ipTablesAllowPort.Run()
+    if err != nil {
+        sysCtlDisAllowForward.Run()
+        ipTables4.Run()
+        ipTables5.Run()
+        ipTables6.Run()
+        return err
+    }
+    
+    /* At this point all passed. revert.*/
+
+    err = sysCtlDisAllowForward.Run()
+    if err != nil {
+        slog.Debug(err.Error())
+    }
+    err = ipTables4.Run()
+    if err != nil {
+        slog.Debug(err.Error())
+    }
+    err = ipTables5.Run()
+    if err != nil {
+        slog.Debug(err.Error())
+    }
+    err = ipTables6.Run()
+    if err != nil {
+        slog.Debug(err.Error())
+    }
+    err = ipTablesDisAllow.Run()
+    if err != nil {
+        slog.Debug(err.Error())
+    }
+
+    return nil
+
+}
+
+func postDownCommands(ctx *cli.Context) error {
+    return nil
+}
+
 func setup(ctx *cli.Context) error {
    slog.Debug("Starting setup()")
        uid := os.Getuid()
--- a/const.go
+++ b/const.go
@ -7,6 +7,7 @@ const (
    CONTENT_OCTET = "application/octet-stream"
    CONTENT_PLAIN_TEXT = "text/plain"
    WG_CLIENT_MTU = 1380
+    SYS_PROC_IPV4_IP_FORWARD = "/proc/sys/net/ipv4/ip_forward"
 )

 var (