Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

networking: Add wireguard keepalive and preshared-key option in the gui #19521

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

networking: Add wireguard keepalive and preshared-key option in the gui #19521

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 23 additions & 2 deletions pkg/networkmanager/interfaces.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -591,7 +591,8 @@ export function NetworkManagerModel() {
peers: get("wireguard", "peers", []).map(peer => ({
publicKey: peer['public-key'].v,
endpoint: peer.endpoint?.v, // enpoint of a peer is optional
allowedIps: peer['allowed-ips']?.v
allowedIps: peer['allowed-ips']?.v,
persistentKeepalive: peer['persistent-keepalive']?.v,
})),
};
}
Expand Down Expand Up @@ -730,7 +731,27 @@ export function NetworkManagerModel() {
"allowed-ips": {
t: "as",
v: peer.allowedIps
}
},
...peer.persistentKeepalive
? {
"persistent-keepalive": {
t: "u",
v: peer.persistentKeepalive
}
}
: {},
...peer.presharedKey
? {
"preshared-key": {
t: "s",
v: peer.presharedKey
},
'preshared-key-flags': {
t: "u",
v: 0
}
}
: {}
};
}));
} else {
Expand Down
50 changes: 45 additions & 5 deletions pkg/networkmanager/wireguard.jsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ import { FormGroup, FormFieldGroup, FormFieldGroupHeader, FormHelperText } from
import { Flex, FlexItem } from "@patternfly/react-core/dist/esm/layouts/Flex/index.js";
import { Grid } from '@patternfly/react-core/dist/esm/layouts/Grid/index.js';
import { HelperText, HelperTextItem } from '@patternfly/react-core/dist/esm/components/HelperText/index';
import { InputGroup } from '@patternfly/react-core/dist/esm/components/InputGroup/index.js';
import { InputGroup, InputGroupItem, InputGroupText } from '@patternfly/react-core/dist/esm/components/InputGroup/index.js';
import { Popover } from '@patternfly/react-core/dist/esm/components/Popover/index.js';
import { Radio } from '@patternfly/react-core/dist/esm/components/Radio/index.js';
import { Text } from "@patternfly/react-core/dist/esm/components/Text/index.js";
Expand Down Expand Up @@ -73,7 +73,12 @@ export function WireGuardDialog({ settings, connection, dev }) {
const [listenPort, setListenPort] = useState(settings.wireguard.listen_port);
const [addresses, setAddresses] = useState(addressesToString(settings.ipv4.addresses));
const [dialogError, setDialogError] = useState("");
const [peers, setPeers] = useState(settings.wireguard.peers.map(peer => ({ ...peer, allowedIps: peer.allowedIps?.join(",") ?? '' })));
const [peers, setPeers] = useState(settings.wireguard.peers.map(peer => ({
...peer,
allowedIps: peer.allowedIps?.join(",") ?? '',
persistentKeepalive: peer.persistentKeepalive?.toString() ?? '',
presharedKey: peer.presharedKey ?? ''
})));

// Additional check for `wg` after install_dialog for non-packagekit and el8 environments
useEffect(() => {
Expand All @@ -98,6 +103,7 @@ export function WireGuardDialog({ settings, connection, dev }) {
const objpath = connection[" priv"].path;
const [result] = await model.client.call(objpath, "org.freedesktop.NetworkManager.Settings.Connection", "GetSecrets", ["wireguard"]);
setGeneratedPrivateKey(result.wireguard["private-key"].v);
setPeers(oldPeers => oldPeers.map((oldPeer, index) => ({ ...oldPeer, presharedKey: result.wireguard.peers?.v[index]["preshared-key"]?.v ?? '' })));
}

if (connection?.[" priv"].path) {
Expand Down Expand Up @@ -160,7 +166,11 @@ export function WireGuardDialog({ settings, connection, dev }) {
throw cockpit.format(_("Peer #$0 has invalid endpoint port. Port must be a number."), index + 1);
}
}
return ({ ...peer, allowedIps: peer.allowedIps.trim().split(',') });
if (peer.persistentKeepalive.trim()) {
if (isNaN(Number(peer.persistentKeepalive)))
throw cockpit.format(_("Peer #$0 has invalid persistent keepalive. It must be a number."), index + 1);
Comment on lines +169 to +171
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably it should also check for ≥ 1 and possibly some maximum? Also, can this be a float?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The dbus type for Keepalive is 'u', so it has to be >=0. Passing negative or float shows an error in the UI. Like below:

image

I opened an issue for a better error message at #19645.

0 (zero) means "not set" as usual.

I couldn't find a documented maximum value, but little experiment shows it can be in the range 0 to 65535 (i.e. 2^16 possible values).. after that it overflows without any error.

}
return ({ ...peer, allowedIps: peer.allowedIps.trim().split(','), persistentKeepalive: Number(peer.persistentKeepalive) });
});
} catch (e) {
setDialogError(typeof e === 'string' ? e : e.message);
Expand Down Expand Up @@ -285,7 +295,7 @@ export function WireGuardDialog({ settings, connection, dev }) {
actions={
<Button
variant='secondary'
onClick={() => setPeers(peers => [...peers, { publicKey: '', endpoint: '', allowedIps: '' }])}
onClick={() => setPeers(peers => [...peers, { publicKey: '', endpoint: '', allowedIps: '', persistentKeepalive: '', presharedKey: '' }])}
>
{_("Add peer")}
</Button>
Expand Down Expand Up @@ -315,7 +325,21 @@ export function WireGuardDialog({ settings, connection, dev }) {
id={idPrefix + '-endpoint-peer-' + i}
/>
</FormGroup>
<FormGroup className='pf-m-3-col-on-md' label={_("Allowed IPs")} fieldId={idPrefix + '-allowedips-peer-' + i}>
<FormGroup className='pf-m-3-col-on-md' label={_("Keepalive")} fieldId={idPrefix + '-keepalive-peer-' + i}>
<InputGroup>
<InputGroupItem isFill>
<TextInput
value={peer.persistentKeepalive}
onChange={(_, val) => {
setPeers(peers => peers.map((peer, index) => i === index ? { ...peer, persistentKeepalive: val } : peer));
}}
id={idPrefix + '-keepalive-peer-' + i}
/>
</InputGroupItem>
<InputGroupText className='pf-v5-u-text-nowrap'>{_("seconds")}</InputGroupText>
</InputGroup>
</FormGroup>
<FormGroup className='pf-m-6-col-on-md' label={_("Allowed IPs")} fieldId={idPrefix + '-allowedips-peer-' + i}>
<TextInput
value={peer.allowedIps}
onChange={(_, val) => {
Expand All @@ -324,6 +348,22 @@ export function WireGuardDialog({ settings, connection, dev }) {
id={idPrefix + '-allowedips-peer-' + i}
/>
</FormGroup>
<FormGroup className='pf-m-6-col-on-md' label={_("Pre-shared key")} fieldId={idPrefix + '-presharedkey-peer-' + i} labelIcon={
<Popover
bodyContent={_("A base64 encoded string of 32 random bytes.")}
>
<Button variant='link' isInline><HelpIcon /></Button>
</Popover>
}>
<TextInput
value={peer.presharedKey}
onChange={(_, val) => {
setPeers(peers => peers.map((peer, index) => i === index ? { ...peer, presharedKey: val } : peer));
}}
placeholder={_("optional")}
id={idPrefix + '-presharedkey-peer-' + i}
/>
</FormGroup>
<FormGroup className='pf-m-1-col-on-md remove-button-group'>
<Button
variant='plain'
Expand Down
36 changes: 30 additions & 6 deletions test/verify/check-networkmanager-wireguard
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -104,19 +104,29 @@ class TestWireGuard(packagelib.PackageCase, netlib.NetworkCase):
# peer
b.click("button:contains('Add peer')")
b.wait_visible("#network-wireguard-settings-peer-0")
b.set_input_text("#network-wireguard-settings-publickey-peer-0", m2_pubkey)
b.click("button:contains('Add peer')")
b.wait_visible("#network-wireguard-settings-peer-1")
b.set_input_text("#network-wireguard-settings-publickey-peer-1", m2_pubkey)
b.set_input_text("#network-wireguard-settings-endpoint-peer-1", f"192.168.100.12:{m2_port}")
b.set_input_text("#network-wireguard-settings-allowedips-peer-1", m2_ip4)

test_pubkey = m1.execute("head -c 32 /dev/random | base64").strip()
b.set_input_text("#network-wireguard-settings-publickey-peer-0", test_pubkey)
b.set_input_text("#network-wireguard-settings-endpoint-peer-0", " 192.168.100.12 ") # test that the extra spaces are trimmed
b.set_input_text("#network-wireguard-settings-allowedips-peer-0", f" {m2_ip4} ") # test that the extra spaces are trimmed
b.click("#network-wireguard-settings-save")
b.wait_visible(".pf-v5-c-alert:contains('Peer #1 has invalid endpoint. It must be specified as host:port, e.g. 1.2.3.4:51820 or example.com:51820')")
b.set_input_text("#network-wireguard-settings-endpoint-peer-0", "192.168.100.12:somestring")
b.click("#network-wireguard-settings-save")
b.wait_visible(".pf-v5-c-alert:contains('Peer #1 has invalid endpoint port. Port must be a number.')")
b.click("button:contains('Add peer')")
b.wait_visible("#network-wireguard-settings-peer-1")
b.set_input_text("#network-wireguard-settings-publickey-peer-1", m2_pubkey)
b.set_input_text("#network-wireguard-settings-endpoint-peer-1", f"192.168.100.12:{m2_port}")
b.set_input_text("#network-wireguard-settings-allowedips-peer-1", m2_ip4)
b.set_input_text("#network-wireguard-settings-endpoint-peer-0", "192.168.100.12:51820")
b.set_input_text("#network-wireguard-settings-keepalive-peer-0", "asdf")
b.click("#network-wireguard-settings-save")
b.wait_visible(".pf-v5-c-alert:contains('Peer #1 has invalid persistent keepalive. It must be a number.')")
b.set_input_text("#network-wireguard-settings-keepalive-peer-0", "60")
b.set_input_text("#network-wireguard-settings-presharedkey-peer-0", "invalidpsk")
b.click("#network-wireguard-settings-save")
b.wait_visible(".pf-v5-c-alert:contains('invalid preshared-key for peer')")
b.click("button#network-wireguard-settings-btn-close-peer-0")
b.wait_not_present("#network-wireguard-settings-peer-1")
b.assert_pixels("#network-wireguard-settings-dialog", "networking-wireguard-add-generated",
Expand All @@ -127,10 +137,23 @@ class TestWireGuard(packagelib.PackageCase, netlib.NetworkCase):
b.wait_not_present("#network-wireguard-settings-dialog")
b.wait_in_text(f"#networking-interfaces th:contains('{iface_name}') + td", f"1.2.3.4/32, {m1_ip4}/24")

b.click(f"#networking-interfaces button:contains('{iface_name}')")
b.wait_visible("#network-interface")
b.click("#networking-edit-wg")
b.wait_visible("#network-wireguard-settings-dialog")
b.set_input_text("#network-wireguard-settings-keepalive-peer-0", "120")
psk = m1.execute("head -c 32 /dev/random | base64").strip()
b.set_input_text("#network-wireguard-settings-presharedkey-peer-0", psk)
Comment on lines +144 to +146
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please also validate these settings in the API or with nmcli -- the UI doesn't reflect which key mode is being used, and which keepalive time.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, good idea! Done, thanks!

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did it with wg because nmcli doesn't show peer information.

b.click("#network-wireguard-settings-save")
b.wait_not_present("#network-wireguard-settings-dialog")
m1.execute(f"until wg showconf wg0 | grep -q 'PresharedKey.*{psk}'; do sleep 1; done")
m1.execute("until wg showconf wg0 | grep -q 'PersistentKeepalive.*120'; do sleep 1; done")

# if some wg properties are not valid, for example, if it was changed by some external tool, don't crash
m1.execute("sed -i '/allowed-ips/d' /etc/NetworkManager/system-connections/con-wg0.nmconnection")
m1.execute("systemctl restart NetworkManager")
b.reload()
b.go("/network")
b.enter_page("/network")
b.wait_visible("#networking")
b.click(f"#networking-interfaces button:contains('{iface_name}')")
Expand All @@ -149,6 +172,7 @@ class TestWireGuard(packagelib.PackageCase, netlib.NetworkCase):
b2.click("button:contains('Add peer')")
b2.set_input_text("#network-wireguard-settings-publickey-peer-0", m1_pubkey)
b2.set_input_text("#network-wireguard-settings-allowedips-peer-0", f"{m1_ip4}/32")
b2.set_input_text("#network-wireguard-settings-presharedkey-peer-0", psk)
b2.click("#network-wireguard-settings-save")
b2.wait_not_present("#network-wireguard-settings-dialog")
b2.wait_in_text(f"#networking-interfaces th:contains('{m2_iface_name}') + td", f"{m2_ip4}/24")
Expand Down