[feature] Added support for WireGuard #225

.env

@@ -5,6 +5,7 @@
 DASHBOARD_DOMAIN=dashboard.openwisp.org
 API_DOMAIN=api.openwisp.org
 VPN_DOMAIN=openvpn.openwisp.org
+WIREGUARD_UPDATER_DOMAIN=wireguard-updater.openwisp.org
 [email protected]
 DB_USER=admin
 DB_PASS=admin
@@ -42,6 +43,11 @@ X509_COMMON_NAME=OpenWISP
 # VPN
 VPN_NAME=default
 VPN_CLIENT_NAME=default-management-vpn
+# WireGuard
+WIREGUARD_UPDATER_PORT=8081
+WIREGUARD_UPDATER_ENDPOINT=/trigger-update
+WIREGUARD_UPDATER_KEY=openwisp-wireguard-updater-auth-key
+WIREGUARD_UPDATER_PUBLIC=False
 # Developer
 DEBUG_MODE=False
 DJANGO_LOG_LEVEL=INFO

.github/workflows/branch.yml

@@ -30,7 +30,8 @@ jobs:
 
       - name: Setup
         run: |
-          echo "127.0.0.1 dashboard.openwisp.org api.openwisp.org" | sudo tee -a /etc/hosts
+          echo "127.0.0.1 dashboard.openwisp.org api.openwisp.org wireguard-updater.openwisp.org" |
+          sudo tee -a /etc/hosts
 
       - name: Build & Publish
         run: make publish TAG=edge || (docker-compose logs && exit 1)

Makefile

@@ -91,7 +91,8 @@ TAG  = latest
 publish: compose-build runtests nfs-build
 	for image in 'openwisp-base' 'openwisp-nfs' 'openwisp-api' 'openwisp-dashboard' \
 				 'openwisp-freeradius' 'openwisp-nginx' 'openwisp-openvpn' 'openwisp-postfix' \
-				 'openwisp-websocket' ; do \
+				 'openwisp-celery' 'openwisp-websocket' 'openwisp-wireguard' \
+				 'openwisp-wireguard-updater' ; do \
 		docker tag openwisp/$${image}:latest $(USER)/$${image}:$(TAG); \
 		docker push $(USER)/$${image}:$(TAG); \
 		docker rmi $(USER)/$${image}:$(TAG); \

README.md

@@ -21,6 +21,7 @@ The sample files for deployment on kubernetes are available in the `deploy/examp
     - [Quick Setup](#quick-setup)
     - [Compose](#compose)
     - [Kubernetes](#kubernetes)
+    - [Deploying WireGuard VPN](#deploying-wireguard-vpn)
   - [Customization](#customization)
     - [Custom Django Settings](#custom-django-settings)
     - [Custom Styles and JavaScript](#custom-styles-and-javascript)
@@ -30,6 +31,7 @@ The sample files for deployment on kubernetes are available in the `deploy/examp
   - [Development](#development)
     - [Workbench setup](#workbench-setup)
     - [Runtests](#runtests)
+    - [Run Quality Assurance Checks](#run-quality-assurance-checks)
   - [Usage](#usage)
     - [Makefile Options](#makefile-options)
 
@@ -112,6 +114,10 @@ by the images:
 - startup probe example: `test $(ps aux | grep -c uwsgi) -ge 2`
 - readiness probe example: `python services.py uwsgi_status "127.0.0.1:8001"`
 
+### Deploying WireGuard VPN
+
+Follow this detailed [step-by-step guide for deploying the WireGuard VPN](docs/tutorials/deploying-wireguard-vpn.md).
+
 ## Customization
 
 The following commands will create the directory structure required for
@@ -244,7 +250,7 @@ If you want to disable a service, you can simply remove the container for that s
 - Default username & password are `admin`.
 - Default domains are: `dashboard.openwisp.org` and `api.openwisp.org`.
 - To reach the dashboard you may need to add the openwisp domains set in your `.env` to your `hosts` file,
-  example: `bash -c 'echo "127.0.0.1 dashboard.openwisp.org api.openwisp.org" >> /etc/hosts'`
+  example: `bash -c 'echo "127.0.0.1 dashboard.openwisp.org api.openwisp.org wireguard-updater.openwisp.org" >> /etc/hosts'`
 - Now you'll need to do steps (2) everytime you make a changes and want to build the images again.
 - If you want to perform actions like cleaning everything produced by `docker-openwisp`,
   please use the [makefile options](#makefile-options).
@@ -257,15 +263,15 @@ You can run tests either with `geckodriver` (firefox) or `chromedriver` (chromiu
 
    - Setup chromedriver
 
-     1. Install chromium: 
-     
+     1. Install chromium:
+
      ```bash
-     # On debian 
+     # On debian
      sudo apt --yes install chromium
-     # On ubuntu 
+     # On ubuntu
      sudo apt --yes install chromium-browser
      ```
-     
+
      3. Check version: `chromium --version`
      4. Install Driver for your version: [`https://chromedriver.chromium.org/downloads`](https://chromedriver.chromium.org/downloads)
      5. Extract chromedriver to one of directories from your `$PATH`. (example: `/usr/bin/`)

docker-compose.yml

@@ -57,8 +57,11 @@ services:
       - dashboard
 
   celery:
-    image: openwisp/openwisp-dashboard:latest
+    image: openwisp/openwisp-celery:latest
     restart: always
+    build:
+      context: images
+      dockerfile: openwisp_celery/Dockerfile
     environment:
       - MODULE_NAME=celery
     volumes:
@@ -72,8 +75,11 @@ services:
       - dashboard
 
   celery_monitoring:
-    image: openwisp/openwisp-dashboard:latest
+    image: openwisp/openwisp-celery:latest
     restart: always
+    build:
+      context: images
+      dockerfile: openwisp_celery/Dockerfile
     environment:
       - MODULE_NAME=celery_monitoring
     volumes:
@@ -87,8 +93,8 @@ services:
       - dashboard
 
   celerybeat:
-    image: openwisp/openwisp-dashboard:latest
     restart: always
+    image: openwisp/openwisp-celery:latest
     environment:
       - MODULE_NAME=celerybeat
     env_file:
@@ -118,13 +124,15 @@ services:
         aliases:
          - dashboard.internal
          - api.internal
+         - wireguard_updater.internal
     ports:
       - "80:80"
       - "443:443"
     depends_on:
       - dashboard
       - api
       - websocket
+      - wireguard_updater
 
   freeradius:
     image: openwisp/openwisp-freeradius:latest
@@ -168,6 +176,47 @@ services:
     cap_add:
       - NET_ADMIN
 
+  wireguard:
+    image: openwisp/openwisp-wireguard:latest
+    build:
+      context: images
+      dockerfile: openwisp_wireguard/Dockerfile
+    env_file:
+      - .env
+    environment:
+      # Substitute the placeholder values with the UUID and Key
+      # of the VPN server.
+      # These variables needs to be configured on individual
+      # container to avoid conflicts between multiple VPN servers.
+      - WIREGUARD_VPN_UUID=ENTER_WIREGUARD_VPN_UUID
+      - WIREGUARD_VPN_KEY=ENTER_WIREGUARD_VPN_KEY
+    # Maps the default UDP port (51820) for WireGuard VPN traffic.
+    # Update this this if you are using different port for WireGuard.
+    ports:
+      - 51820:51820/udp
+    # Following properties allow WireGuard to manage network on the
+    # machine while running in a container.
+    volumes:
+      - /lib/modules:/lib/modules
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+
+  wireguard_updater:
+    image: openwisp/openwisp-wireguard-updater:latest
+    build:
+      context: images
+      dockerfile: openwisp_wireguard_updater/Dockerfile
+      args:
+        WIREGUARD_UPDATER_APP_PORT: 8081
+    env_file:
+      - .env
+    environment:
+      # Create an authentication token consisting alphanumeric
+      # characters. This token will be used by OpenWISP for
+      # triggering configuration updates.
+      - WIREGUARD_UPDATER_KEY=openwisp-wireguard-updater-auth-key
+
   postgres:
     image: mdillon/postgis:11-alpine
     restart: always

docs/ENV.md

@@ -25,6 +25,8 @@ Following are the options that can be changed. The list is divided in following
 - [uWSGI](#uWSGI): uWSGI configurations.
 - [Nginx](#Nginx): Nginx configurations.
 - [VPN](#VPN): Default VPN and VPN template related configurations.
+- [WireGuard](#WireGuard): WireGuard VPN configurations.
+- [WireGuard Updater](#WireGuard-Updater): WireGuard Updater app configurations.
 - [X509](#X509): Default certificate & certicate Authority configuration options.
 - [Host](#Hosts): Want to change the host of a particular service? Like pointing all the containers to a different database service.
 - [Developer](#Developer): DON'T change these values unless you know what you are doing.
@@ -661,6 +663,63 @@ Any OpenWISP Configuration of type `string`. `int`, `bool` or `json` is supporte
 - **Valid Values:** STRING
 - **Default:** default-management-vpn
 
+## WireGuard
+
+**Note:** If you have more that one WireGuard container, then these
+settings should be configured on individual container.
+
+### `WIREGUARD_VPN_UUID`
+
+- **Explanation:** ``UUID`` of the WireGuard VPN server object created on the OpenWISP dashboard.
+- **Valid Values:** STRING
+
+### `WIREGUARD_VPN_KEY`
+
+- **Explanation:** ``Key`` of the WireGuard VPN server object created on the OpenWISP dashboard.
+- **Valid Values:** STRING
+
+## WireGuard Updater
+
+### `WIREGUARD_UPDATER_KEY`
+
+- **Explanation:** The authentication token required to trigger the configuration
+  updater. It is strongly recommended to change this before deploying the container.
+- **Valid Values:** STRING
+- **Default:** openwisp-wireguard-updater-auth-key
+
+### `WIREGUARD_UPDATER_DOMAIN`
+
+- **Explanation:** Valid domain / IP address to reach the WireGuard updater application.
+- **Valid Values:** Domain
+- **Default:** wireguard-updater.openwisp.org
+
+### `WIREGUARD_UPDATER_APP_PORT`
+
+- **Explanation:** Change the port on which NGINX connects to the updater app on the WireGuard updater container. Don't change unless you know what you are doing.
+- **Valid Values:** INTEGER
+- **Default:** 8081
+
+### `WIREGUARD_UPDATER_ENDPOINT`
+
+- **Explanation:** The endpoint used for triggering updates to configuration of
+  WireGuard tunnels. It should lead with a slash (`/`). Don't change unless
+  you know what you are doing.
+- **Valid Values:** STRING
+- **Default:** /trigger-update
+
+### `WIREGUARD_UPDATER_APP_SERVICE`
+
+- **Explanation:** Host to establish WireGuard updater connection.
+- **Valid Values:** Domain | IP address
+- **Default:** wireguard_updater
+
+### `WIREGUARD_UPDATER_PUBLIC`
+
+- **Explanation:** Whether the WireGuard Updater should be exposed to the
+  public traffic on [`WIREGUARD_UPDATER_DOMAIN`](#wireguard_updater_domain).
+- **Valid Values:** True | False
+- **Default:** False
+
 ## X509
 
 ### `X509_NAME_CA`
@@ -788,6 +847,13 @@ Any OpenWISP Configuration of type `string`. `int`, `bool` or `json` is supporte
 - **Valid Values:** STRING
 - **Default:** api.internal
 
+### `WIREGUARD_UPDATER_INTERNAL`
+
+- **Explanation:** Internal domain to reach the WireGuard updater app
+  from other containers.
+- **Valid Values:** STRING
+- **Default:** wireguard_updater.internal
+
 ### `POSTFIX_DEBUG_MYNETWORKS`
 
 - **Explanation:** Set debug_peer_list for given list of networks.