friwall/web/vpn.py

import datetime
import ipaddress
import json
import re
import subprocess

import flask
import flask_login

from . import db
from . import ipsets
from . import system

blueprint = flask.Blueprint('vpn', __name__)
wgkey_regex = re.compile(r'^[A-Za-z0-9/+=]{44}$')

@blueprint.route('/')
@flask_login.login_required
def index():
    return flask.render_template('vpn/index.html')

@blueprint.route('/custom')
@flask_login.login_required
def custom():
    if not flask_login.current_user.is_admin:
        return flask.Response('forbidden', status=403, mimetype='text/plain')
    with db.locked():
        keys = {ip: data for ip, data in db.read('wireguard').items() if data.get('networks') and not data.get('user')}
        return flask.render_template('vpn/custom.html', keys=keys, ipsets=ipsets.read().keys())

@blueprint.route('/list')
@flask_login.login_required
def list():
    # Return logged-in user’s keys, marking the key used for current connection (if any).
    user = flask_login.current_user.get_id()
    return flask.jsonify([
        data | {'ip': ip, 'active': flask.request.remote_addr in (ip, data.get('ip6'))}
            for ip, data in db.load('wireguard').items() if data.get('user') == user
    ])

@blueprint.route('/list-custom')
@flask_login.login_required
def list_custom():
    # Return all custom keys.
    if not flask_login.current_user.is_admin:
        return flask.Response('forbidden', status=403, mimetype='text/plain')
    return flask.jsonify([
        data | {'ip': ip, 'active': flask.request.remote_addr in (ip, data.get('ip6'))}
            for ip, data in db.load('wireguard').items() if data.get('networks') and not data.get('user')
    ])

@blueprint.route('/new', methods=('POST',))
@flask_login.login_required
def new():
    # Each key is assigned a new IPv4 address from the pool settings['wg_net'].
    # Each key is then assigned a corresponding IPv6 subnet, depending on the amount of surplus addresses available.
    # For wg_net 10.10.0.0/18 and wg_net6 1234:5678:90ab:cdef::/64,
    # the key for 10.10.0.10/32 would get 1234:5678:90ab:cdef:a::/80.
    def ipv4to6(net4, ip4, net6):
        # Calculate the address and prefix length for the IPv6 network that can be assigned to this key.
        len4 = (net4.max_prefixlen - net4.prefixlen)
        len6 = (net6.max_prefixlen - net6.prefixlen)
        # Make sure the network address ends at a colon. Wastes some addresses but IPv6.
        assigned = (len6 - len4) - (len6 - len4) % 16
        ip6 = (net6.network_address + (index<<assigned)).compressed
        return ip6 + '/' + str(net6.max_prefixlen - assigned)

    pubkey = flask.request.json.get('pubkey', '')
    options = flask.request.json.get('options', {})
    if not re.match(wgkey_regex, pubkey):
        return flask.Response('invalid key', status=400, mimetype='text/plain')

    # Read server’s private key and find the corresponding public key.
    settings = db.load('settings')
    server_pubkey = subprocess.run([f'wg pubkey'], input=settings.get('wg_key'),
            text=True, capture_output=True, shell=True).stdout.strip()

    now = datetime.datetime.utcnow()
    key = {
        'key': pubkey,
        'time': now.timestamp(),
        'name': re.sub('[^-._A-Za-z0-9]', '', options.get('name', '')),
    }

    # Determine IPv4 and IPv6 addresses for the new key.
    host = ipaddress.ip_interface(settings.get('wg_net') or '10.0.0.1/24')
    key['ip6'] = None
    with db.locked():
        # Find a free address for the new key.
        keys = db.read('wireguard')
        for index, ip in enumerate(host.network.hosts(), start=1):
            if ip != host.ip and str(ip) not in keys:
                if wg_net6 := settings.get('wg_net6'):
                    key['ip6'] = ipv4to6(host.network, ip, ipaddress.ip_interface(wg_net6).network)
                break
        else:
            return flask.Response('no more available IP addresses', status=500, mimetype='text/plain')

        # Add remaining attributes to new key and update key database.
        if flask_login.current_user.is_admin and flask.request.json.get('networks'):
            key['networks'] = flask.request.json.get('networks')
        else:
            key['user'] = flask_login.current_user.get_id()
        keys[str(ip)] = key
        db.write('wireguard', keys)

    # Generate a new config archive for firewall nodes.
    system.run(system.save_config)

    # Template arguments.
    args = {
        'server': settings.get('wg_endpoint'),
        'port': settings.get('wg_port') or '51820',
        'server_key': server_pubkey,
        'pubkey': pubkey,
        'timestamp': now,
        'ip': str(ip),
        'ip6': key['ip6'],
        'name': key['name'],
        'user': key.get('user', 'custom'),
        'dns': settings.get('wg_dns', '') if options.get('use-dns', True) else False,
        'allowed_nets': settings.get('wg_allowed_nets', ''),
        'add_default': options.get('add-default', False),
    }
    return flask.render_template('vpn/wg-fri.conf', **args)

@blueprint.route('/del', methods=('POST',))
@flask_login.login_required
def delete():
    pubkey = flask.request.json.get('pubkey', '')
    if not wgkey_regex.match(pubkey):
        return flask.Response('invalid key', status=400, mimetype='text/plain')

    with db.locked():
        user = flask_login.current_user.get_id()
        keys = {
            ip: data for ip, data in db.read('wireguard').items()
                if not (data.get('key') == pubkey and (data.get('user') == user or flask_login.current_user.is_admin))
        }
        db.write('wireguard', keys)

    system.run(system.save_config)

    return flask.Response(f'deleted key {pubkey}', status=200, mimetype='text/plain')
Make a squash 2022-01-03 10:33:02 +00:00			`import datetime`
			`import ipaddress`
			`import json`
			`import re`
			`import subprocess`

			`import flask`
			`import flask_login`

			`from . import db`
Always combine IP set data with static network definitions from NetBox Before we relied on the combined data being present in ipsets.json when generating a new config, but ipsets.json is only updated through the form at /ipsets. So submitting any other form after changing NetBox definitions might crash when trying to find an entry from networks.json in ipsets.json. Now we introduce a helper functon to always read both files and combine the prefixes fron networks.json with ipsets.json. This way it is not necessary to save a new ipsets.json before other changes. Also don’t crash when enumerating networks for each VPN group. 2024-08-14 09:25:07 +00:00			`from . import ipsets`
Clean up imports 2023-01-26 15:22:05 +00:00			`from . import system`
Make a squash 2022-01-03 10:33:02 +00:00
Set blueprint paths in main app Make blueprints more self-contained for no apparent reason. 2023-12-04 08:46:37 +00:00			`blueprint = flask.Blueprint('vpn', __name__)`
Make a squash 2022-01-03 10:33:02 +00:00			`wgkey_regex = re.compile(r'^[A-Za-z0-9/+=]{44}$')`

			`@blueprint.route('/')`
			`@flask_login.login_required`
			`def index():`
			`return flask.render_template('vpn/index.html')`

vpn: add support for custom keys Custom keys are created by admin and specify networks directly, bypassing AD permissions. They are intended to join managed devices into networks where users are not allowed to create keys themselves. Also comprehend a set directly. 2024-07-30 08:53:57 +00:00			`@blueprint.route('/custom')`
			`@flask_login.login_required`
			`def custom():`
			`if not flask_login.current_user.is_admin:`
			`return flask.Response('forbidden', status=403, mimetype='text/plain')`
			`with db.locked():`
			`keys = {ip: data for ip, data in db.read('wireguard').items() if data.get('networks') and not data.get('user')}`
Always combine IP set data with static network definitions from NetBox Before we relied on the combined data being present in ipsets.json when generating a new config, but ipsets.json is only updated through the form at /ipsets. So submitting any other form after changing NetBox definitions might crash when trying to find an entry from networks.json in ipsets.json. Now we introduce a helper functon to always read both files and combine the prefixes fron networks.json with ipsets.json. This way it is not necessary to save a new ipsets.json before other changes. Also don’t crash when enumerating networks for each VPN group. 2024-08-14 09:25:07 +00:00			`return flask.render_template('vpn/custom.html', keys=keys, ipsets=ipsets.read().keys())`
vpn: add support for custom keys Custom keys are created by admin and specify networks directly, bypassing AD permissions. They are intended to join managed devices into networks where users are not allowed to create keys themselves. Also comprehend a set directly. 2024-07-30 08:53:57 +00:00
Make a squash 2022-01-03 10:33:02 +00:00			`@blueprint.route('/list')`
			`@flask_login.login_required`
			`def list():`
vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00			`# Return logged-in user’s keys, marking the key used for current connection (if any).`
Consolidate error handling Do or do not; there is no try. With some exceptions. 2023-07-12 12:18:31 +00:00			`user = flask_login.current_user.get_id()`
vpn: add support for custom keys Custom keys are created by admin and specify networks directly, bypassing AD permissions. They are intended to join managed devices into networks where users are not allowed to create keys themselves. Also comprehend a set directly. 2024-07-30 08:53:57 +00:00			`return flask.jsonify([`
			`data \| {'ip': ip, 'active': flask.request.remote_addr in (ip, data.get('ip6'))}`
vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00			`for ip, data in db.load('wireguard').items() if data.get('user') == user`
vpn: add support for custom keys Custom keys are created by admin and specify networks directly, bypassing AD permissions. They are intended to join managed devices into networks where users are not allowed to create keys themselves. Also comprehend a set directly. 2024-07-30 08:53:57 +00:00			`])`

			`@blueprint.route('/list-custom')`
			`@flask_login.login_required`
			`def list_custom():`
			`# Return all custom keys.`
			`if not flask_login.current_user.is_admin:`
			`return flask.Response('forbidden', status=403, mimetype='text/plain')`
			`return flask.jsonify([`
			`data \| {'ip': ip, 'active': flask.request.remote_addr in (ip, data.get('ip6'))}`
			`for ip, data in db.load('wireguard').items() if data.get('networks') and not data.get('user')`
			`])`
Make a squash 2022-01-03 10:33:02 +00:00
			`@blueprint.route('/new', methods=('POST',))`
			`@flask_login.login_required`
			`def new():`
vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00			`# Each key is assigned a new IPv4 address from the pool settings['wg_net'].`
			`# Each key is then assigned a corresponding IPv6 subnet, depending on the amount of surplus addresses available.`
vpn: assign an IPv6 subnet instead of a single address We are limited by the size of IPv4 pool (/18), so why not give everyone an IPv4-internetful of IPv6 addresses. 2023-12-12 18:26:55 +00:00			`# For wg_net 10.10.0.0/18 and wg_net6 1234:5678:90ab:cdef::/64,`
			`# the key for 10.10.0.10/32 would get 1234:5678:90ab:cdef:a::/80.`
			`def ipv4to6(net4, ip4, net6):`
vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00			`# Calculate the address and prefix length for the IPv6 network that can be assigned to this key.`
vpn: assign an IPv6 subnet instead of a single address We are limited by the size of IPv4 pool (/18), so why not give everyone an IPv4-internetful of IPv6 addresses. 2023-12-12 18:26:55 +00:00			`len4 = (net4.max_prefixlen - net4.prefixlen)`
			`len6 = (net6.max_prefixlen - net6.prefixlen)`
			`# Make sure the network address ends at a colon. Wastes some addresses but IPv6.`
			`assigned = (len6 - len4) - (len6 - len4) % 16`
			`ip6 = (net6.network_address + (index<<assigned)).compressed`
			`return ip6 + '/' + str(net6.max_prefixlen - assigned)`

Make a squash 2022-01-03 10:33:02 +00:00			`pubkey = flask.request.json.get('pubkey', '')`
vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00			`options = flask.request.json.get('options', {})`
Make a squash 2022-01-03 10:33:02 +00:00			`if not re.match(wgkey_regex, pubkey):`
			`return flask.Response('invalid key', status=400, mimetype='text/plain')`

vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00			`# Read server’s private key and find the corresponding public key.`
Consolidate error handling Do or do not; there is no try. With some exceptions. 2023-07-12 12:18:31 +00:00			`settings = db.load('settings')`
			`server_pubkey = subprocess.run([f'wg pubkey'], input=settings.get('wg_key'),`
			`text=True, capture_output=True, shell=True).stdout.strip()`
Make a squash 2022-01-03 10:33:02 +00:00
vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00			`now = datetime.datetime.utcnow()`
			`key = {`
			`'key': pubkey,`
			`'time': now.timestamp(),`
			`'name': re.sub('[^-._A-Za-z0-9]', '', options.get('name', '')),`
			`}`

			`# Determine IPv4 and IPv6 addresses for the new key.`
Fix handling default settings If a setting has ben set to empty string, dict.get will return it and not default argument. This is wrong when default is something else. 2024-04-30 07:38:14 +00:00			`host = ipaddress.ip_interface(settings.get('wg_net') or '10.0.0.1/24')`
vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00			`key['ip6'] = None`
Consolidate error handling Do or do not; there is no try. With some exceptions. 2023-07-12 12:18:31 +00:00			`with db.locked():`
			`# Find a free address for the new key.`
Rename a variable 2023-09-15 11:58:21 +00:00			`keys = db.read('wireguard')`
vpn: configure IPv6 addresses for WG clients 2023-12-04 09:23:41 +00:00			`for index, ip in enumerate(host.network.hosts(), start=1):`
Rename a variable 2023-09-15 11:58:21 +00:00			`if ip != host.ip and str(ip) not in keys:`
vpn: configure IPv6 addresses for WG clients 2023-12-04 09:23:41 +00:00			`if wg_net6 := settings.get('wg_net6'):`
vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00			`key['ip6'] = ipv4to6(host.network, ip, ipaddress.ip_interface(wg_net6).network)`
Consolidate error handling Do or do not; there is no try. With some exceptions. 2023-07-12 12:18:31 +00:00			`break`
			`else:`
			`return flask.Response('no more available IP addresses', status=500, mimetype='text/plain')`
vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00
			`# Add remaining attributes to new key and update key database.`
vpn: add support for custom keys Custom keys are created by admin and specify networks directly, bypassing AD permissions. They are intended to join managed devices into networks where users are not allowed to create keys themselves. Also comprehend a set directly. 2024-07-30 08:53:57 +00:00			`if flask_login.current_user.is_admin and flask.request.json.get('networks'):`
			`key['networks'] = flask.request.json.get('networks')`
			`else:`
			`key['user'] = flask_login.current_user.get_id()`
vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00			`keys[str(ip)] = key`
Rename a variable 2023-09-15 11:58:21 +00:00			`db.write('wireguard', keys)`
Consolidate error handling Do or do not; there is no try. With some exceptions. 2023-07-12 12:18:31 +00:00
			`# Generate a new config archive for firewall nodes.`
			`system.run(system.save_config)`

			`# Template arguments.`
			`args = {`
Simplify 2023-09-15 12:26:11 +00:00			`'server': settings.get('wg_endpoint'),`
Fix handling default settings If a setting has ben set to empty string, dict.get will return it and not default argument. This is wrong when default is something else. 2024-04-30 07:38:14 +00:00			`'port': settings.get('wg_port') or '51820',`
Consolidate error handling Do or do not; there is no try. With some exceptions. 2023-07-12 12:18:31 +00:00			`'server_key': server_pubkey,`
			`'pubkey': pubkey,`
			`'timestamp': now,`
vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00			`'ip': str(ip),`
			`'ip6': key['ip6'],`
			`'name': key['name'],`
vpn: add support for custom keys Custom keys are created by admin and specify networks directly, bypassing AD permissions. They are intended to join managed devices into networks where users are not allowed to create keys themselves. Also comprehend a set directly. 2024-07-30 08:53:57 +00:00			`'user': key.get('user', 'custom'),`
vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00			`'dns': settings.get('wg_dns', '') if options.get('use-dns', True) else False,`
Fix handling default settings If a setting has ben set to empty string, dict.get will return it and not default argument. This is wrong when default is something else. 2024-04-30 07:38:14 +00:00			`'allowed_nets': settings.get('wg_allowed_nets', ''),`
vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00			`'add_default': options.get('add-default', False),`
Consolidate error handling Do or do not; there is no try. With some exceptions. 2023-07-12 12:18:31 +00:00			`}`
			`return flask.render_template('vpn/wg-fri.conf', **args)`
Make a squash 2022-01-03 10:33:02 +00:00
			`@blueprint.route('/del', methods=('POST',))`
			`@flask_login.login_required`
			`def delete():`
			`pubkey = flask.request.json.get('pubkey', '')`
			`if not wgkey_regex.match(pubkey):`
			`return flask.Response('invalid key', status=400, mimetype='text/plain')`

Consolidate error handling Do or do not; there is no try. With some exceptions. 2023-07-12 12:18:31 +00:00			`with db.locked():`
			`user = flask_login.current_user.get_id()`
vpn: refactor key handling code Move JS code for listing, creating and deleting WG keys into a separate file and improve it somewhat. Also the related Python code. 2024-07-27 11:40:02 +00:00			`keys = {`
			`ip: data for ip, data in db.read('wireguard').items()`
			`if not (data.get('key') == pubkey and (data.get('user') == user or flask_login.current_user.is_admin))`
			`}`
Rename a variable 2023-09-15 11:58:21 +00:00			`db.write('wireguard', keys)`
Make a squash 2022-01-03 10:33:02 +00:00
Consolidate error handling Do or do not; there is no try. With some exceptions. 2023-07-12 12:18:31 +00:00			`system.run(system.save_config)`
Make a squash 2022-01-03 10:33:02 +00:00
Consolidate error handling Do or do not; there is no try. With some exceptions. 2023-07-12 12:18:31 +00:00			`return flask.Response(f'deleted key {pubkey}', status=200, mimetype='text/plain')`