mirror of https://github.com/Kiritow/wg-ops
1123 lines
50 KiB
Python
1123 lines
50 KiB
Python
import os
|
|
import copy
|
|
import sys
|
|
import time
|
|
import uuid
|
|
import json
|
|
import base64
|
|
import traceback
|
|
import subprocess
|
|
from hashlib import sha256
|
|
|
|
import requests
|
|
from cryptography import x509
|
|
from cryptography.hazmat.primitives import serialization, hashes
|
|
from cryptography.hazmat.primitives.asymmetric import rsa, padding
|
|
|
|
|
|
def errprint(msg):
|
|
sys.stderr.write("{}\n".format(msg))
|
|
|
|
|
|
def get_subject_name_from_cert(cert_path):
|
|
try:
|
|
with open(cert_path, 'rb') as f:
|
|
cert = x509.load_pem_x509_certificate(f.read())
|
|
return cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value
|
|
except Exception:
|
|
errprint(traceback.format_exc())
|
|
return ""
|
|
|
|
|
|
def generate_rsa_keypair():
|
|
private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
|
|
public_key = private_key.public_key()
|
|
return private_key, public_key
|
|
|
|
|
|
def get_pem_from_rsa_keypair(private_key, public_key):
|
|
if private_key:
|
|
pripem = private_key.private_bytes(
|
|
encoding=serialization.Encoding.PEM,
|
|
format=serialization.PrivateFormat.PKCS8,
|
|
encryption_algorithm=serialization.NoEncryption()).decode()
|
|
else:
|
|
pripem = None
|
|
|
|
if public_key:
|
|
pubpem = public_key.public_bytes(
|
|
encoding=serialization.Encoding.PEM,
|
|
format=serialization.PublicFormat.SubjectPublicKeyInfo,
|
|
).decode()
|
|
else:
|
|
pubpem = private_key.public_key().public_bytes(
|
|
encoding=serialization.Encoding.PEM,
|
|
format=serialization.PublicFormat.SubjectPublicKeyInfo,
|
|
).decode()
|
|
|
|
return pripem, pubpem
|
|
|
|
|
|
def get_rsa_keypair_from_private_pem(private_pem):
|
|
private_key = serialization.load_pem_private_key(private_pem.encode(), password=None)
|
|
public_key = private_key.public_key()
|
|
return private_key, public_key
|
|
|
|
|
|
def get_rsa_pubkey_from_public_pem(public_pem):
|
|
public_key = serialization.load_pem_public_key(public_pem.encode())
|
|
return public_key
|
|
|
|
|
|
def rsa_sign_base64(private_key, bytes_data):
|
|
signature = private_key.sign(bytes_data, padding.PSS(
|
|
mgf=padding.MGF1(hashes.SHA256()),
|
|
salt_length=padding.PSS.MAX_LENGTH,
|
|
), hashes.SHA256())
|
|
|
|
return base64.b64encode(signature).decode()
|
|
|
|
|
|
def rsa_encrypt_base64(public_key, bytes_data):
|
|
return base64.b64encode(public_key.encrypt(bytes_data, padding.OAEP(
|
|
mgf=padding.MGF1(algorithm=hashes.SHA256()),
|
|
algorithm=hashes.SHA256(),
|
|
label=None
|
|
))).decode()
|
|
|
|
|
|
def rsa_decrypt_base64(private_key, str_data):
|
|
return private_key.decrypt(base64.b64decode(str_data), padding.OAEP(
|
|
mgf=padding.MGF1(algorithm=hashes.SHA256()),
|
|
algorithm=hashes.SHA256(),
|
|
label=None
|
|
))
|
|
|
|
|
|
class Parser:
|
|
def __init__(self, wgop_basepath):
|
|
# paths
|
|
self._path_base = wgop_basepath
|
|
self.path_get_gateway = os.path.join(wgop_basepath, 'tools/get-gateway.py')
|
|
self.path_get_ip = os.path.join(wgop_basepath, 'tools/get-ip.py')
|
|
self.path_get_lan_ip = os.path.join(wgop_basepath, 'tools/get-lan-ip.py')
|
|
self.path_reload_dns = os.path.join(wgop_basepath, 'tools/reload-dns.py')
|
|
self.path_collect_metrics = os.path.join(wgop_basepath, 'tools/collect-metrics.py')
|
|
self.path_bin_dir = os.path.join(wgop_basepath, 'bin')
|
|
self.path_app_dir = os.path.join(wgop_basepath, 'app')
|
|
self.path_bin_mux = os.path.join(wgop_basepath, 'bin/mux')
|
|
self.path_bin_udp2raw = os.path.join(wgop_basepath, 'bin/udp2raw_amd64')
|
|
self.path_bin_gost = os.path.join(wgop_basepath, 'bin/gost')
|
|
self.path_bin_trojan = os.path.join(wgop_basepath, 'bin/trojan-go')
|
|
|
|
# opts
|
|
self.opt_source_path = ''
|
|
self.opt_allow_modify = False
|
|
self.opt_use_tmux = False
|
|
self.opt_use_systemd = False
|
|
|
|
# input parts
|
|
self.input_interface = []
|
|
self.input_peer = []
|
|
|
|
# output
|
|
self.result_interface = []
|
|
self.result_postup = []
|
|
self.result_postdown = []
|
|
self.result_peers = []
|
|
|
|
# container related output
|
|
self.result_container_prebootstrap = []
|
|
self.result_container_postbootstrap = []
|
|
|
|
# flags
|
|
self.flag_is_route_forward = False
|
|
self.flag_is_route_lookup = False
|
|
self.flag_container_must_host = False
|
|
self.flag_require_registry = False
|
|
self.flag_enable_dns_reload = False
|
|
self.flag_require_systemd_clean = False
|
|
self.flag_require_tmpfile_clean = False
|
|
self.flag_has_open_tmux = False
|
|
|
|
# vars
|
|
self.wg_name = '%i'
|
|
self.wg_port = 0
|
|
self.wg_mtu = 0
|
|
self.wg_pubkey = ''
|
|
self.wg_hash = ''
|
|
self.registry_domain = ''
|
|
self.registry_client_name = ''
|
|
self.local_private_key = None
|
|
self.local_public_key = None
|
|
self.local_autogen_nextport = 29100
|
|
self.pending_accepts = []
|
|
self.tunnel_local_endpoint = {}
|
|
self.tunnel_server_reports = {}
|
|
self.lookup_table = ''
|
|
self.container_expose_port = []
|
|
self.container_bootstrap = []
|
|
self.podman_user = ''
|
|
self.systemd_user = ''
|
|
|
|
def get_container_network_name(self):
|
|
if self.flag_container_must_host:
|
|
return "host"
|
|
else:
|
|
return "wgop-net-{}".format(self.wg_name)
|
|
|
|
def get_container_name(self):
|
|
return "wgop-runner-{}".format(self.wg_name)
|
|
|
|
def get_podman_cmd_with(self, command):
|
|
if self.podman_user:
|
|
return "su - {} -c '{}'".format(self.podman_user, command)
|
|
else:
|
|
return command
|
|
|
|
def get_systemd_run_cmd_with(self, command):
|
|
if self.systemd_user:
|
|
return command.replace('systemd-run', 'systemd-run --property User={}'.format(self.systemd_user), 1)
|
|
else:
|
|
return command
|
|
|
|
def get_metrics_db_filepath(self):
|
|
return os.path.join(self._path_base, 'local/{}.db'.format(self.wg_name))
|
|
|
|
def new_systemd_task_name(self, task_type='general'):
|
|
self.flag_require_systemd_clean = True
|
|
return "wg-ops-task-{}-{}-{}".format(self.wg_name, task_type, str(uuid.uuid4()))
|
|
|
|
def new_tmp_filepath(self, suffix=None):
|
|
self.flag_require_tmpfile_clean = True
|
|
return "/tmp/wg-ops-tmpfile-{}-{}{}".format(self.wg_name, str(uuid.uuid4()), suffix if suffix else "")
|
|
|
|
def add_write_tmpfile_bytes(self, data_bytes, suffix=None):
|
|
raw_code_str = base64.b64encode(data_bytes).decode()
|
|
raw_parts = []
|
|
|
|
while len(raw_code_str) > 1024:
|
|
raw_parts.append(raw_code_str[:1024])
|
|
raw_code_str = raw_code_str[1024:]
|
|
|
|
if raw_code_str:
|
|
raw_parts.append(raw_code_str)
|
|
|
|
temp_data_path = self.new_tmp_filepath('.data')
|
|
temp_output_path = self.new_tmp_filepath(suffix)
|
|
|
|
for this_line in raw_parts:
|
|
self.result_postup.append('echo {} >> {}'.format(this_line, temp_data_path))
|
|
self.result_postup.append('base64 -d {} > {}'.format(temp_data_path, temp_output_path))
|
|
|
|
return temp_output_path
|
|
|
|
def registry_resolve(self, client_name):
|
|
if not self.registry_domain:
|
|
errprint('[ERROR] Cannot query from registry, domain not specified')
|
|
exit(1)
|
|
if not self.registry_client_name:
|
|
errprint('[ERROR] No registry client name found.')
|
|
exit(1)
|
|
|
|
errprint('[REGISTRY] Resolving client {} from registry ({})...'.format(client_name, self.registry_domain))
|
|
try:
|
|
res = requests.get('{}/query'.format(self.registry_domain), params={
|
|
"name": client_name,
|
|
})
|
|
res = res.json()
|
|
errprint('[REGISTRY-SERVER] {}'.format(res['message']))
|
|
|
|
if res['code'] < 0:
|
|
return {}
|
|
|
|
remote_result = res['data']
|
|
remote_peers = remote_result['peers']
|
|
if self.registry_client_name not in remote_peers:
|
|
errprint('[REGISTRY-REMOTE] This client ({}) is not accepted by {}'.format(self.registry_client_name, client_name))
|
|
return {}
|
|
|
|
remote_config = rsa_decrypt_base64(self.local_private_key, remote_peers[self.registry_client_name])
|
|
remote_config = json.loads(remote_config)
|
|
|
|
remote_peers[self.registry_client_name] = remote_config
|
|
|
|
return remote_result
|
|
except Exception:
|
|
errprint(traceback.format_exc())
|
|
errprint('[REGISTRY] Exception happened during registry client resolve')
|
|
return {}
|
|
|
|
def registry_query(self, client_name):
|
|
if not self.registry_domain:
|
|
errprint('[ERROR] Cannot query from registry, domain not specified')
|
|
exit(1)
|
|
if not self.registry_client_name:
|
|
errprint('[ERROR] No registry client name found.')
|
|
exit(1)
|
|
|
|
errprint('[REGISTRY] Querying client {}...'.format(client_name))
|
|
try:
|
|
res = requests.get('{}/query'.format(self.registry_domain), params={
|
|
"name": client_name,
|
|
})
|
|
res = res.json()
|
|
errprint('[REGISTRY-SERVER] {}'.format(res['message']))
|
|
|
|
if res['code'] < 0:
|
|
return {}
|
|
|
|
remote_result = res['data']
|
|
return remote_result
|
|
except Exception:
|
|
errprint(traceback.format_exc())
|
|
errprint('[REGISTRY] Exception happened during registry client query')
|
|
return {}
|
|
|
|
def registry_upload(self, content):
|
|
if not self.registry_domain:
|
|
errprint('[ERROR] Cannot query from registry, domain not specified')
|
|
exit(1)
|
|
if not self.registry_client_name:
|
|
errprint('[ERROR] No registry client name found.')
|
|
exit(1)
|
|
|
|
errprint('[REGISTRY] Registering this client ({}) with registry ({})...'.format(self.registry_client_name, self.registry_domain))
|
|
try:
|
|
res = requests.post('{}/register'.format(self.registry_domain), json=content)
|
|
res = res.json()
|
|
|
|
errprint('[REGISTRY-SERVER] {}'.format(res['message']))
|
|
if res['code'] < 0:
|
|
return False
|
|
else:
|
|
return True
|
|
except Exception:
|
|
errprint(traceback.format_exc())
|
|
errprint('[REGISTRY] Exception happened during registry register')
|
|
return False
|
|
|
|
def registry_ensure(self, peers=None):
|
|
_, public_pem = get_pem_from_rsa_keypair(None, self.local_public_key)
|
|
can_ensure = self.registry_upload({
|
|
"name": self.registry_client_name,
|
|
"pubkey": public_pem,
|
|
"wgkey": self.wg_pubkey,
|
|
"peers": peers or {},
|
|
"sig": rsa_sign_base64(self.local_private_key, self.wg_pubkey.encode())
|
|
})
|
|
if not can_ensure:
|
|
errprint('[ERROR] registry ensure failed, please check your network.')
|
|
exit(1)
|
|
|
|
def add_expose(self, expose_port, mode='udp'):
|
|
self.container_expose_port.append({
|
|
"port": int(expose_port),
|
|
"mode": mode,
|
|
})
|
|
|
|
def append_input_peer_clientside(self, peer_wgkey, allowed_ip, tunnel_name):
|
|
this_peer = []
|
|
this_peer.append("PublicKey = {}".format(peer_wgkey))
|
|
this_peer.append("AllowedIPs = {}".format(allowed_ip))
|
|
this_peer.append("PersistentKeepalive = 5")
|
|
this_peer.append("#use-tunnel {}".format(tunnel_name))
|
|
self.input_peer.append(this_peer)
|
|
|
|
def append_input_peer_serverside(self, peer_wgkey, allowed_ip):
|
|
this_peer = []
|
|
this_peer.append("PublicKey = {}".format(peer_wgkey))
|
|
this_peer.append("AllowedIPs = {}".format(allowed_ip))
|
|
self.input_peer.append(this_peer)
|
|
|
|
def _ensure_open_tmux(self):
|
|
if not self.flag_has_open_tmux:
|
|
self.flag_has_open_tmux = True
|
|
self.result_postup.append('''tmux new-session -s tunnel-{} -d 'watch -n 1 --color WG_COLOR_MODE=always wg show {}' '''.format(self.wg_name, self.wg_name))
|
|
|
|
def _add_tunnel_local_endpoint(self, tunnel_name, listen_port):
|
|
if self.opt_use_tmux or self.opt_use_systemd:
|
|
self.tunnel_local_endpoint[tunnel_name] = "127.0.0.1:{}".format(listen_port)
|
|
elif self.podman_user:
|
|
self.add_expose(listen_port)
|
|
self.tunnel_local_endpoint[tunnel_name] = "127.0.0.1:{}".format(listen_port)
|
|
else:
|
|
self.tunnel_local_endpoint[tunnel_name] = "gateway:{}".format(listen_port)
|
|
|
|
def add_muxer(self, listen_port, forward_start, forward_size):
|
|
if self.opt_use_tmux:
|
|
self._ensure_open_tmux()
|
|
self.result_postup.append('''tmux new-window -t tunnel-{} -d '{} -l {} -t {} -s {}' '''.format(
|
|
self.wg_name, self.path_bin_mux, listen_port, forward_start, forward_size,
|
|
))
|
|
return
|
|
|
|
if self.opt_use_systemd:
|
|
self.result_postup.append('systemd-run --unit {} --collect --property Restart=always {} -l {} -t {} -s {}'.format(
|
|
self.new_systemd_task_name('muxer'), self.path_bin_mux, listen_port, forward_start, forward_size,
|
|
))
|
|
return
|
|
|
|
self.container_bootstrap.append({
|
|
"type": "mux",
|
|
"listen": int(listen_port),
|
|
"forward": int(forward_start),
|
|
"size": int(forward_size),
|
|
})
|
|
|
|
def add_gost_server(self, tunnel_name, listen_port):
|
|
self.tunnel_server_reports[tunnel_name] = {
|
|
"type": "gost",
|
|
"listen": int(listen_port),
|
|
}
|
|
|
|
if self.opt_use_tmux:
|
|
self._ensure_open_tmux()
|
|
self.result_postup.append('''tmux new-window -t tunnel-{} -d '{} -L=relay+tls://:{}/127.0.0.1:{}' '''.format(
|
|
self.wg_name, self.path_bin_gost, listen_port, self.wg_port,
|
|
))
|
|
return
|
|
|
|
if self.opt_use_systemd:
|
|
self.result_postup.append('systemd-run --unit {} --collect --property Restart=always {} -L=relay+tls://:{}/127.0.0.1:{}'.format(
|
|
self.new_systemd_task_name('gost-server'), self.path_bin_gost, listen_port, self.wg_port,
|
|
))
|
|
return
|
|
|
|
self.container_bootstrap.append({
|
|
"type": "gost-server",
|
|
"listen": int(listen_port),
|
|
})
|
|
|
|
def add_gost_client_with(self, remote_config, remote_peer_config):
|
|
self.local_autogen_nextport += 1
|
|
tunnel_name = "gen{}{}".format(self.wg_hash[:8], self.local_autogen_nextport)
|
|
self.add_gost_client(tunnel_name, self.local_autogen_nextport, "{}:{}".format(remote_config['ip'], remote_peer_config['listen']))
|
|
self.append_input_peer_clientside(remote_config["wgkey"], remote_peer_config["allowed"], tunnel_name)
|
|
|
|
def add_gost_client_mux(self, tunnel_name, mux_size, listen_port, tunnel_remote):
|
|
self._add_tunnel_local_endpoint(tunnel_name, listen_port)
|
|
|
|
self.add_muxer(listen_port, listen_port + 1, mux_size)
|
|
for mux_idx in range(mux_size):
|
|
self._do_add_gost_client(listen_port + 1 + mux_idx, tunnel_remote)
|
|
|
|
def add_gost_client(self, tunnel_name, listen_port, tunnel_remote):
|
|
self._add_tunnel_local_endpoint(tunnel_name, listen_port)
|
|
self._do_add_gost_client(listen_port, tunnel_remote)
|
|
|
|
def _do_add_gost_client(self, listen_port, tunnel_remote):
|
|
if self.opt_use_tmux:
|
|
self._ensure_open_tmux()
|
|
self.result_postup.append('''tmux new -t tunnel-{} -d '{} -L udp://:{} -F relay+tls://{}' '''.format(
|
|
self.wg_name, self.path_bin_gost, listen_port, tunnel_remote,
|
|
))
|
|
return
|
|
|
|
if self.opt_use_systemd:
|
|
self.result_postup.append('systemd-run --unit {} --collect --property Restart=always {} -L udp://:{} -F relay+tls://{}'.format(
|
|
self.new_systemd_task_name('gost-client'), self.path_bin_gost, listen_port, tunnel_remote,
|
|
))
|
|
return
|
|
|
|
self.container_bootstrap.append({
|
|
"type": "gost-client",
|
|
"listen": int(listen_port),
|
|
"remote": tunnel_remote,
|
|
})
|
|
|
|
def add_udp2raw_server(self, tunnel_name, listen_port, tunnel_password):
|
|
self.tunnel_server_reports[tunnel_name] = {
|
|
"type": "udp2raw",
|
|
"listen": int(listen_port),
|
|
"password": tunnel_password,
|
|
}
|
|
|
|
if self.opt_use_tmux or self.opt_use_systemd:
|
|
temp_config_path = self.new_tmp_filepath('.conf')
|
|
self.result_postup.append('''echo -e '-s\\n-l 0.0.0.0:{}\\n-r 127.0.0.1:{}\\n-k {}\\n--raw-mode faketcp\\n-a' > {}'''.format(
|
|
listen_port, self.wg_port, tunnel_password, temp_config_path
|
|
))
|
|
|
|
if self.opt_use_tmux:
|
|
self._ensure_open_tmux()
|
|
self.result_postup.append('''tmux new-window -t tunnel-{} -n win-{} -d '{} --conf-file {}'; sleep 2 '''.format(
|
|
self.wg_name, tunnel_name, self.path_bin_udp2raw, temp_config_path,
|
|
))
|
|
self.result_postdown.append('''sleep 1; tmux send-keys -t tunnel-{}:win-{} C-c'''.format(self.wg_name, tunnel_name))
|
|
return
|
|
|
|
if self.opt_use_systemd:
|
|
self.result_postup.append('systemd-run --unit {} --collect --property Restart=always --property KillSignal=SIGINT {} --conf-file {}; sleep 2'.format(
|
|
self.new_systemd_task_name('udp2raw-server'), self.path_bin_udp2raw, temp_config_path,
|
|
))
|
|
return
|
|
|
|
conf_uuid = str(uuid.uuid4())
|
|
self.container_bootstrap.append({
|
|
"type": "udp2raw-server",
|
|
"listen": int(listen_port),
|
|
"password": tunnel_password,
|
|
"id": conf_uuid,
|
|
})
|
|
|
|
ipt_filename_inside = "/root/conf/{}-ipt.conf".format(conf_uuid)
|
|
self.result_container_postbootstrap.append('IPT_COMMANDS=$({}); echo $IPT_COMMANDS; $IPT_COMMANDS'.format(
|
|
self.get_podman_cmd_with("podman exec {} /root/bin/udp2raw_amd64 --conf-file {} | grep ^iptables".format(self.get_container_name(), ipt_filename_inside))
|
|
))
|
|
self.result_postdown.append("IPT_COMMANDS=$({}); IPT_COMMANDS=$(echo $IPT_COMMANDS | sed -e 's/-I /-D /g'); echo $IPT_COMMANDS; $IPT_COMMANDS".format(
|
|
self.get_podman_cmd_with("podman exec {} /root/bin/udp2raw_amd64 --conf-file {} | grep ^iptables".format(self.get_container_name(), ipt_filename_inside))
|
|
))
|
|
|
|
def add_udp2raw_client_with(self, remote_config, remote_peer_config):
|
|
self.local_autogen_nextport += 1
|
|
tunnel_name = "gen{}{}".format(self.wg_hash[:8], self.local_autogen_nextport)
|
|
self.add_udp2raw_client(tunnel_name, self.local_autogen_nextport, remote_peer_config["password"], "{}:{}".format(remote_config['ip'], remote_peer_config['listen']))
|
|
self.append_input_peer_clientside(remote_config["wgkey"], remote_peer_config["allowed"], tunnel_name)
|
|
|
|
def add_udp2raw_client_mux(self, tunnel_name, mux_size, listen_port, tunnel_password, remote_addr):
|
|
self.tunnel_local_endpoint[tunnel_name] = "127.0.0.1:{}".format(listen_port)
|
|
self.flag_container_must_host = True
|
|
|
|
self.add_muxer(listen_port, listen_port+1, mux_size)
|
|
for mux_idx in range(mux_size):
|
|
self._do_add_udp2raw_client(tunnel_name, listen_port + 1 + mux_idx, tunnel_password, remote_addr)
|
|
|
|
def add_udp2raw_client(self, tunnel_name, listen_port, tunnel_password, remote_addr):
|
|
self.tunnel_local_endpoint[tunnel_name] = "127.0.0.1:{}".format(listen_port)
|
|
self.flag_container_must_host = True
|
|
|
|
self._do_add_udp2raw_client(tunnel_name, listen_port, tunnel_password, remote_addr)
|
|
|
|
def _do_add_udp2raw_client(self, tunnel_name, listen_port, tunnel_password, remote_addr):
|
|
if self.opt_use_tmux or self.opt_use_systemd:
|
|
temp_config_path = self.new_tmp_filepath('.conf')
|
|
self.result_postup.append('''echo -e '-c\\n-l 127.0.0.1:{}\\n-r {}\\n-k {}\\n--raw-mode faketcp\\n-a' > {}'''.format(
|
|
listen_port, remote_addr, tunnel_password, temp_config_path,
|
|
))
|
|
|
|
if self.opt_use_tmux:
|
|
self._ensure_open_tmux()
|
|
self.result_postup.append('''tmux new-window -t tunnel-{} -n win-{} -d '{} --conf-file {}'; sleep 2 '''.format(
|
|
self.wg_name, tunnel_name, self.path_bin_udp2raw, temp_config_path,
|
|
))
|
|
self.result_postdown.append('''sleep 1; tmux send-keys -t tunnel-{}:win-{} C-c'''.format(self.wg_name, tunnel_name))
|
|
return
|
|
|
|
if self.opt_use_systemd:
|
|
self.result_postup.append('systemd-run --unit {} --collect --property Restart=always --property KillSignal=SIGINT {} --conf-file {}; sleep 2'.format(
|
|
self.new_systemd_task_name('udp2raw-client'), self.path_bin_udp2raw, temp_config_path,
|
|
))
|
|
return
|
|
|
|
conf_uuid = str(uuid.uuid4())
|
|
self.container_bootstrap.append({
|
|
"type": "udp2raw-client",
|
|
"listen": int(listen_port),
|
|
"password": tunnel_password,
|
|
"remote": remote_addr,
|
|
"id": conf_uuid,
|
|
})
|
|
|
|
ipt_filename_inside = "/root/conf/{}-ipt.conf".format(conf_uuid)
|
|
self.result_container_postbootstrap.append('IPT_COMMANDS=$({}); echo $IPT_COMMANDS; $IPT_COMMANDS'.format(
|
|
self.get_podman_cmd_with("podman exec {} /root/bin/udp2raw_amd64 --conf-file {} | grep ^iptables".format(self.get_container_name(), ipt_filename_inside))
|
|
))
|
|
self.result_postdown.append("IPT_COMMANDS=$({}); IPT_COMMANDS=$(echo $IPT_COMMANDS | sed -e 's/-I /-D /g'); echo $IPT_COMMANDS; $IPT_COMMANDS".format(
|
|
self.get_podman_cmd_with("podman exec {} /root/bin/udp2raw_amd64 --conf-file {} | grep ^iptables".format(self.get_container_name(), ipt_filename_inside))
|
|
))
|
|
|
|
def add_trojan_server(self, tunnel_name, listen_port, tunnel_password, ssl_cert_path, ssl_key_path):
|
|
self.tunnel_server_reports[tunnel_name] = {
|
|
"type": "trojan",
|
|
"listen": int(listen_port),
|
|
"password": tunnel_password,
|
|
"target": int(self.wg_port),
|
|
"sni": get_subject_name_from_cert(ssl_cert_path),
|
|
}
|
|
|
|
if self.opt_use_tmux or self.opt_use_systemd:
|
|
errprint('[ERROR] Unable to create trojan-go server in tmux or systemd mode. Please use container mode.')
|
|
exit(1)
|
|
|
|
cert_uuid = str(uuid.uuid4())
|
|
cert_filepath = "/root/ssl/{}.cert".format(cert_uuid)
|
|
key_filepath = "/root/ssl/{}.key".format(cert_uuid)
|
|
|
|
self.result_container_prebootstrap.append(self.get_podman_cmd_with(
|
|
'podman cp {} {}:{}'.format(ssl_cert_path, self.get_container_name(), cert_filepath)
|
|
))
|
|
self.result_container_prebootstrap.append(self.get_podman_cmd_with(
|
|
'podman cp {} {}:{}'.format(ssl_key_path, self.get_container_name(), key_filepath)
|
|
))
|
|
|
|
self.container_bootstrap.append({
|
|
"type": "trojan-server",
|
|
"listen": int(listen_port),
|
|
"password": tunnel_password,
|
|
"cert": cert_uuid,
|
|
})
|
|
|
|
|
|
def add_trojan_client_with(self, remote_config, remote_peer_config):
|
|
self.local_autogen_nextport += 1
|
|
tunnel_name = "gen{}{}".format(self.wg_hash[:8], self.local_autogen_nextport)
|
|
self.add_trojan_client(tunnel_name, self.local_autogen_nextport, remote_peer_config["password"],
|
|
"{}:{}".format(remote_config["ip"], remote_peer_config["listen"]), remote_peer_config["target"], ssl_sni=remote_peer_config["sni"])
|
|
self.append_input_peer_clientside(remote_config["wgkey"], remote_peer_config["allowed"], tunnel_name)
|
|
|
|
def add_trojan_client_mux(self, tunnel_name, mux_size, listen_port, tunnel_password, remote_addr, target_port, ssl_sni=None):
|
|
self._add_tunnel_local_endpoint(tunnel_name, listen_port)
|
|
self.add_muxer(listen_port, listen_port+1, mux_size)
|
|
for mux_idx in range(mux_size):
|
|
self._do_add_trojan_client(tunnel_name, listen_port + 1 + mux_idx, tunnel_password, remote_addr, target_port, ssl_sni)
|
|
|
|
def add_trojan_client(self, tunnel_name, listen_port, tunnel_password, remote_addr, target_port, ssl_sni=None):
|
|
self._add_tunnel_local_endpoint(tunnel_name, listen_port)
|
|
self._do_add_trojan_client(tunnel_name, listen_port, tunnel_password, remote_addr, target_port, ssl_sni)
|
|
|
|
def _do_add_trojan_client(self, tunnel_name, listen_port, tunnel_password, remote_addr, target_port, ssl_sni):
|
|
if self.opt_use_tmux or self.opt_use_systemd:
|
|
if ':' in remote_addr:
|
|
remote_parts = remote_addr.split(':')
|
|
remote_host = remote_parts[0]
|
|
remote_port = int(remote_parts[1])
|
|
else:
|
|
remote_host = remote_addr
|
|
remote_port = 443
|
|
|
|
troj_config = {
|
|
"run_type": "forward",
|
|
"local_addr": "0.0.0.0",
|
|
"local_port": int(listen_port),
|
|
"remote_addr": remote_host,
|
|
"remote_port": remote_port,
|
|
"target_addr": "127.0.0.1",
|
|
"target_port": target_port,
|
|
"password": [tunnel_password],
|
|
"ssl": {
|
|
"sni": ssl_sni if ssl_sni else remote_host,
|
|
}
|
|
}
|
|
|
|
temp_config_path = self.add_write_tmpfile_bytes(json.dumps(troj_config, ensure_ascii=False).encode(), '.json')
|
|
|
|
if self.opt_use_tmux:
|
|
self.result_postup.append('''tmux new-window -t tunnel-{} -d '{} -config {}' '''.format(
|
|
self.wg_name, self.path_bin_trojan, temp_config_path,
|
|
))
|
|
return
|
|
|
|
if self.opt_use_systemd:
|
|
self.result_postup.append('systemd-run --unit {} --collect --property Restart=always {} -config {}'.format(
|
|
self.new_systemd_task_name('trojan-client'), self.path_bin_trojan, temp_config_path,
|
|
))
|
|
return
|
|
|
|
self.container_bootstrap.append({
|
|
"type": "trojan-client",
|
|
"listen": int(listen_port),
|
|
"password": tunnel_password,
|
|
"remote": remote_addr,
|
|
"target": int(target_port),
|
|
"sni": ssl_sni,
|
|
})
|
|
|
|
def parse(self, content):
|
|
self.wg_hash = sha256(content.encode()).hexdigest()
|
|
errprint('[INFO] config hash: {}'.format(self.wg_hash))
|
|
|
|
# parse input
|
|
input_mode = ''
|
|
current_peer = []
|
|
for line in content.split('\n'):
|
|
# tags to filter out (never enter compile module)
|
|
if line.startswith('#store:key'):
|
|
parts = line.split(' ')[1:]
|
|
private_pem = parts[0]
|
|
private_pem = base64.b64decode(private_pem).decode()
|
|
|
|
self.local_private_key, self.local_public_key = get_rsa_keypair_from_private_pem(private_pem)
|
|
errprint('Loaded 1 PEM private key')
|
|
continue
|
|
|
|
if line.startswith('[Interface]'):
|
|
input_mode = 'interface'
|
|
continue
|
|
|
|
if line.startswith('[Peer]'):
|
|
input_mode = 'peer'
|
|
if current_peer:
|
|
self.input_peer.append(current_peer)
|
|
current_peer = []
|
|
continue
|
|
|
|
if input_mode == 'interface':
|
|
self.input_interface.append(line)
|
|
elif input_mode == 'peer':
|
|
current_peer.append(line)
|
|
else:
|
|
errprint('[WARN] Unexpected line: {}'.format(line))
|
|
|
|
if current_peer:
|
|
self.input_peer.append(current_peer)
|
|
|
|
def compile_interface(self):
|
|
self.result_interface.append('[Interface]')
|
|
|
|
filtered_input_interface = []
|
|
unresolved_peers = []
|
|
|
|
# pre-compile registry-related
|
|
for line in self.input_interface:
|
|
if line.startswith('ListenPort'):
|
|
self.wg_port = int(line.split('=')[1])
|
|
if line.startswith('MTU'):
|
|
self.wg_mtu = int(line.split('=')[1])
|
|
if line.startswith('PrivateKey'):
|
|
wg_private_key = '='.join(line.split('=')[1:]).strip()
|
|
self.wg_pubkey = subprocess.check_output(["wg", "pubkey"], input=wg_private_key.encode()).decode().strip()
|
|
|
|
if line.startswith('#registry '):
|
|
parts = line.split(' ')[1:]
|
|
reg_name = parts[0]
|
|
|
|
self.registry_domain = "https://{}".format(reg_name)
|
|
elif line.startswith('#registry-insecure'):
|
|
parts = line.split(' ')[1:]
|
|
reg_name = parts[0]
|
|
|
|
self.registry_domain = "http://{}".format(reg_name)
|
|
errprint('[WARN] Insecure registry may have potential danger, only use for test purpose.')
|
|
elif line.startswith('#name'):
|
|
parts = line.split(' ')[1:]
|
|
client_name = parts[0]
|
|
|
|
self.registry_client_name = client_name
|
|
self.flag_require_registry = True
|
|
elif line.startswith('#connect-to'):
|
|
parts = line.split(' ')[1:]
|
|
target_name = parts[0]
|
|
|
|
unresolved_peers.append(target_name)
|
|
self.flag_require_registry = True
|
|
elif line.startswith('#accept-client'):
|
|
parts = line.split(' ')[1:]
|
|
tunnel_name = parts[0]
|
|
client_name = parts[1]
|
|
client_ip = parts[2]
|
|
client_allowed = parts[3]
|
|
peer_allowed = parts[4]
|
|
|
|
self.pending_accepts.append({
|
|
"tunnel": tunnel_name,
|
|
"client": client_name,
|
|
"client_ip": client_ip,
|
|
"allowed": client_allowed,
|
|
"peer_allowed": peer_allowed,
|
|
})
|
|
self.flag_require_registry = True
|
|
else:
|
|
filtered_input_interface.append(line)
|
|
|
|
# registry init
|
|
if self.flag_require_registry:
|
|
if not self.local_private_key:
|
|
errprint('registry required but no existing private key found, generating new...')
|
|
|
|
self.local_private_key, self.local_public_key = generate_rsa_keypair()
|
|
private_pem, _ = get_pem_from_rsa_keypair(self.local_private_key, self.local_public_key)
|
|
|
|
if self.opt_allow_modify:
|
|
errprint('[MODIFY] appending to {}...'.format(self.opt_source_path))
|
|
with open(self.opt_source_path, 'a') as f:
|
|
f.write('\n#store:key {}\n'.format(base64.b64encode(private_pem.encode()).decode()))
|
|
errprint('[MODIFY] source file modifed, please re-run to continue.')
|
|
else:
|
|
errprint('[ERROR] cannot modify source file, please re-run with -i option.')
|
|
exit(1)
|
|
|
|
self.registry_ensure()
|
|
|
|
# registry fetch connect-to
|
|
for peer_client_name in unresolved_peers:
|
|
errprint('[REGISTRY-RESOLVE] Resolving connect-to {}...'.format(peer_client_name))
|
|
peer_client_config = self.registry_resolve(peer_client_name)
|
|
if not peer_client_config:
|
|
errprint('[WARN] Unable to resolve client: {}'.format(peer_client_name))
|
|
continue
|
|
|
|
peer_config = peer_client_config["peers"][self.registry_client_name]
|
|
{
|
|
"udp2raw": self.add_udp2raw_client_with,
|
|
"gost": self.add_gost_client_with,
|
|
"trojan": self.add_trojan_client_with,
|
|
}.get(peer_config["type"], lambda x, y: False)(peer_client_config, peer_config)
|
|
|
|
# compile interface
|
|
for line in filtered_input_interface:
|
|
if line.startswith('PostUp'):
|
|
self.result_postup.append(','.join(line.split('=')[1:]).strip())
|
|
continue
|
|
if line.startswith('PostDown'):
|
|
self.result_postdown.append(','.join(line.split('=')[1:]).strip())
|
|
continue
|
|
|
|
if not line.startswith('#'):
|
|
self.result_interface.append(line)
|
|
continue
|
|
|
|
elif line.startswith('#enable-bbr'):
|
|
self.result_postup.append('sysctl net.core.default_qdisc=fq')
|
|
self.result_postup.append('sysctl net.ipv4.tcp_congestion_control=bbr')
|
|
elif line.startswith('#enable-forward'):
|
|
self.result_postup.append('sysctl net.ipv4.ip_forward=1')
|
|
elif line.startswith('#iptables-forward'):
|
|
self.result_postup.append('iptables -A FORWARD -i {} -j ACCEPT'.format(self.wg_name))
|
|
self.result_postdown.append('iptables -D FORWARD -i {} -j ACCEPT'.format(self.wg_name))
|
|
elif line.startswith('#iptables-gateway'):
|
|
self.result_postup.append('iptables -t nat -A POSTROUTING -o {} -j MASQUERADE'.format(self.wg_name))
|
|
self.result_postdown.append('iptables -t nat -D POSTROUTING -o {} -j MASQUERADE'.format(self.wg_name))
|
|
elif line.startswith('#enable-dns-reload'):
|
|
self.flag_enable_dns_reload = True
|
|
elif line.startswith('#enable-collect-metrics'):
|
|
self.result_postup.append('systemd-run --unit {} --collect --timer-property AccuracySec=10 --on-calendar *:*:0/30 /usr/bin/python3 {} {} {}'.format(
|
|
self.new_systemd_task_name('metrics'), self.path_collect_metrics, self.wg_name, self.get_metrics_db_filepath()
|
|
))
|
|
elif line.startswith('#route-to'):
|
|
self.flag_is_route_forward = True
|
|
|
|
parts = line.split(' ')[1:]
|
|
table_name = parts[0]
|
|
|
|
self.result_postup.append('ip route add 0.0.0.0/0 dev {} table {}'.format(self.wg_name, table_name))
|
|
errprint('[WARN] Please ensure custom route table {} exists.'.format(table_name))
|
|
elif line.startswith('#route-from'):
|
|
self.flag_is_route_lookup = True
|
|
|
|
parts = line.split(' ')[1:]
|
|
table_name = parts[0]
|
|
|
|
self.lookup_table = table_name
|
|
errprint('[WARN] Please ensure custom route table {} exists.'.format(table_name))
|
|
elif line.startswith('#podman-user'):
|
|
parts = line.split(' ')[1:]
|
|
user_name = parts[0]
|
|
|
|
if user_name == "root":
|
|
errprint('[WARN] ignoring root as podman user.')
|
|
else:
|
|
self.podman_user = user_name
|
|
elif line.startswith('#systemd-user'):
|
|
parts = line.split(' ')[1:]
|
|
user_name = parts[0]
|
|
|
|
if user_name == "root":
|
|
errprint('[WARN] ignoring root as systemd-run user.')
|
|
else:
|
|
self.systemd_user = user_name
|
|
elif line.startswith('#udp2raw-server'):
|
|
parts = line.split(' ')[1:]
|
|
tunnel_name = parts[0]
|
|
tunnel_port = int(parts[1])
|
|
tunnel_passwd = parts[2]
|
|
|
|
if self.podman_user:
|
|
errprint('[Error] udp2raw tunnel need root as podman user, got {}'.format(self.podman_user))
|
|
exit(1)
|
|
|
|
self.add_udp2raw_server(tunnel_name, tunnel_port, tunnel_passwd)
|
|
self.flag_container_must_host = True
|
|
elif line.startswith('#udp2raw-client '):
|
|
parts = line.split(' ')[1:]
|
|
tunnel_name = parts[0]
|
|
tunnel_port = int(parts[1])
|
|
tunnel_remote = parts[2]
|
|
tunnel_passwd = parts[3]
|
|
|
|
if self.podman_user:
|
|
errprint('[Error] udp2raw tunnel need root as podman user, got {}'.format(self.podman_user))
|
|
exit(1)
|
|
|
|
self.add_udp2raw_client(tunnel_name, tunnel_port, tunnel_passwd, tunnel_remote)
|
|
elif line.startswith('#udp2raw-client-mux '):
|
|
parts = line.split(' ')[1:]
|
|
tunnel_name = parts[0]
|
|
tunnel_mux = int(parts[1])
|
|
tunnel_port = int(parts[2])
|
|
tunnel_remote = parts[3]
|
|
tunnel_passwd = parts[4]
|
|
|
|
if self.podman_user:
|
|
errprint('[Error] udp2raw tunnel need root as podman user, got {}'.format(self.podman_user))
|
|
exit(1)
|
|
|
|
self.add_udp2raw_client_mux(tunnel_name, tunnel_mux, tunnel_port + 1 + mux_idx, tunnel_passwd, tunnel_remote)
|
|
elif line.startswith('#gost-server '):
|
|
parts = line.split(' ')[1:]
|
|
tunnel_name = parts[0]
|
|
tunnel_port = int(parts[1])
|
|
|
|
self.add_gost_server(tunnel_name, tunnel_port)
|
|
self.add_expose(tunnel_port, mode='tcp')
|
|
elif line.startswith('#gost-client '):
|
|
parts = line.split(' ')[1:]
|
|
tunnel_name = parts[0]
|
|
tunnel_port = int(parts[1])
|
|
tunnel_remote = parts[2]
|
|
|
|
self.add_gost_client(tunnel_name, tunnel_port, tunnel_remote)
|
|
elif line.startswith('#gost-client-mux '):
|
|
parts = line.split(' ')[1:]
|
|
tunnel_name = parts[0]
|
|
tunnel_mux = int(parts[1])
|
|
tunnel_port = int(parts[2])
|
|
tunnel_remote = parts[3]
|
|
|
|
self.add_gost_client_mux(tunnel_name, tunnel_mux, tunnel_port, tunnel_remote)
|
|
elif line.startswith('#trojan-server'):
|
|
parts = line.split(' ')[1:]
|
|
tunnel_name = parts[0]
|
|
tunnel_port = int(parts[1])
|
|
tunnel_passwd = parts[2]
|
|
tunnel_cert = parts[3]
|
|
tunnel_key = parts[4]
|
|
|
|
self.add_trojan_server(tunnel_name, tunnel_port, tunnel_passwd, tunnel_cert, tunnel_key)
|
|
self.add_expose(tunnel_port, mode='tcp')
|
|
elif line.startswith('#trojan-client '):
|
|
parts = line.split(' ')[1:]
|
|
tunnel_name = parts[0]
|
|
tunnel_port = int(parts[1])
|
|
tunnel_passwd = parts[2]
|
|
tunnel_remote = parts[3]
|
|
tunnel_target = int(parts[4])
|
|
|
|
self.add_trojan_client(tunnel_name, tunnel_port, tunnel_passwd, tunnel_remote, tunnel_target)
|
|
elif line.startswith('#trojan-client-mux '):
|
|
parts = line.split(' ')[1:]
|
|
tunnel_name = parts[0]
|
|
tunnel_mux = int(parts[1])
|
|
tunnel_port = int(parts[2])
|
|
tunnel_passwd = parts[3]
|
|
tunnel_remote = parts[4]
|
|
tunnel_target = int(parts[5])
|
|
|
|
self.tunnel_local_endpoint[tunnel_name] = "gateway:{}".format(tunnel_port)
|
|
self.add_muxer(tunnel_port, tunnel_port+1, tunnel_mux)
|
|
for mux_idx in range(tunnel_mux):
|
|
self.add_trojan_client(tunnel_port + 1 + mux_idx, tunnel_passwd, tunnel_remote, tunnel_target)
|
|
|
|
if self.podman_user:
|
|
self.add_expose(tunnel_port)
|
|
self.tunnel_local_endpoint[tunnel_name] = "127.0.0.1:{}".format(tunnel_port)
|
|
else:
|
|
errprint('[WARN] comment or unknown hint: {}'.format(line))
|
|
|
|
if not self.wg_mtu and self.container_bootstrap:
|
|
errprint('[WARN] MTU not detected, using suggested mtu value (1280).')
|
|
self.result_interface.append('MTU=1280')
|
|
|
|
if self.opt_use_tmux:
|
|
self.result_postdown.append('''sleep 1; tmux kill-session -t tunnel-{}'''.format(self.wg_name))
|
|
|
|
if self.opt_use_tmux or self.opt_use_systemd:
|
|
self.container_bootstrap.clear()
|
|
self.result_container_prebootstrap.clear()
|
|
self.result_container_postbootstrap.clear()
|
|
|
|
if self.container_bootstrap:
|
|
tmp_filepath = self.add_write_tmpfile_bytes(json.dumps(self.container_bootstrap, ensure_ascii=False).encode(), '.json')
|
|
self.result_container_prebootstrap.append(self.get_podman_cmd_with(
|
|
'podman cp {} {}:/root/conf/bootstrap.json'.format(tmp_filepath, self.get_container_name())
|
|
))
|
|
|
|
if self.result_container_prebootstrap or self.result_container_postbootstrap:
|
|
self.result_postup.append(self.get_podman_cmd_with(
|
|
'podman container exists {} && podman stop {} && podman rm {}; $(exit 0)'.format(self.get_container_name(), self.get_container_name(), self.get_container_name())
|
|
))
|
|
|
|
self.result_postup.append(self.get_podman_cmd_with(
|
|
'podman network exists {} && podman network rm {}; $(exit 0)'.format(self.get_container_network_name(), self.get_container_network_name())
|
|
))
|
|
|
|
if not self.flag_container_must_host:
|
|
self.result_postup.append(self.get_podman_cmd_with(
|
|
'podman network create {}'.format(self.get_container_network_name())
|
|
))
|
|
|
|
if not self.flag_container_must_host and self.container_expose_port:
|
|
cmd_ports = ["-p {}:{}/{}".format(this_port['port'], this_port['port'], this_port['mode']) for this_port in self.container_expose_port]
|
|
cmd_ports = ' '.join(cmd_ports)
|
|
else:
|
|
cmd_ports = ''
|
|
|
|
self.result_postup.append(self.get_podman_cmd_with(
|
|
'podman run --cap-add NET_RAW -v {}:/root/bin -v {}:/root/app {} --name {} --network {} -d wg-ops-runenv'.format(
|
|
self.path_bin_dir, self.path_app_dir, cmd_ports, self.get_container_name(), self.get_container_network_name())
|
|
))
|
|
self.result_postup.append(self.get_podman_cmd_with(
|
|
'podman exec {} mkdir -p /root/ssl /root/runner /root/conf'.format(self.get_container_name())
|
|
))
|
|
|
|
if not self.flag_container_must_host and not self.podman_user:
|
|
self.result_postup.append("CT_IP=$({}); iptables -A FORWARD -d $CT_IP -j ACCEPT; iptables -A INPUT -s $CT_IP -j ACCEPT".format(
|
|
self.get_podman_cmd_with('/usr/bin/python3 {} {} {}'.format(self.path_get_ip, self.get_container_network_name(), self.get_container_name()))))
|
|
self.result_postdown.append("CT_IP=$({}); iptables -D FORWARD -d $CT_IP -j ACCEPT; iptables -D INPUT -s $CT_IP -j ACCEPT".format(
|
|
self.get_podman_cmd_with('/usr/bin/python3 {} {} {}'.format(self.path_get_ip, self.get_container_network_name(), self.get_container_name()))))
|
|
|
|
self.result_postdown.append(self.get_podman_cmd_with('podman stop {}'.format(self.get_container_name())))
|
|
self.result_postdown.append(self.get_podman_cmd_with('podman rm {}'.format(self.get_container_name())))
|
|
|
|
if not self.flag_container_must_host:
|
|
self.result_postdown.append(self.get_podman_cmd_with('podman network rm {}'.format(self.get_container_network_name())))
|
|
|
|
self.result_postup.extend(self.result_container_prebootstrap)
|
|
|
|
if self.flag_container_must_host:
|
|
self.result_postup.append(self.get_podman_cmd_with(
|
|
'podman exec -t -e GATEWAY_IP=127.0.0.1 -e WG_PORT={} {} /usr/bin/python3 /root/app/bootstrap.py'.format(self.wg_port, self.get_container_name())
|
|
))
|
|
elif self.podman_user:
|
|
self.result_postup.append(self.get_podman_cmd_with(
|
|
'CT_GATEWAY=$(/usr/bin/python3 {}); podman exec -t -e GATEWAY_IP=$CT_GATEWAY -e WG_PORT={} {} /usr/bin/python3 /root/app/bootstrap.py'.format(
|
|
self.path_get_lan_ip, self.wg_port, self.get_container_name())
|
|
))
|
|
else:
|
|
self.result_postup.append(self.get_podman_cmd_with(
|
|
'CT_GATEWAY=$(/usr/bin/python3 {} {}); podman exec -t -e GATEWAY_IP=$CT_GATEWAY -e WG_PORT={} {} /usr/bin/python3 /root/app/bootstrap.py'.format(
|
|
self.path_get_gateway, self.get_container_network_name(), self.wg_port, self.get_container_name())
|
|
))
|
|
|
|
self.result_postup.extend(self.result_container_postbootstrap)
|
|
|
|
# registry fetch accept-client
|
|
if self.flag_require_registry and self.pending_accepts:
|
|
resolved_upload_arr = {}
|
|
|
|
for accept_info in self.pending_accepts:
|
|
peer_client_name = accept_info["client"]
|
|
errprint('[REGISTRY-RESOLVE] Resolving accept-client {}...'.format(peer_client_name))
|
|
peer_client_config = self.registry_query(peer_client_name)
|
|
if not peer_client_config:
|
|
errprint('[WARN] Unable to resolve client: {}'.format(peer_client_name))
|
|
continue
|
|
|
|
self.append_input_peer_serverside(peer_client_config["wgkey"], accept_info["allowed"])
|
|
|
|
peer_tunnel_info = copy.copy(self.tunnel_server_reports[accept_info['tunnel']])
|
|
peer_tunnel_info["allowed"] = accept_info["peer_allowed"]
|
|
|
|
public_key = get_rsa_pubkey_from_public_pem(peer_client_config["pubkey"])
|
|
resolved_upload_arr[peer_client_name] = rsa_encrypt_base64(public_key, json.dumps(peer_tunnel_info, ensure_ascii=False).encode())
|
|
|
|
if resolved_upload_arr:
|
|
self.registry_ensure(peers=resolved_upload_arr)
|
|
|
|
def compile_peers(self):
|
|
if self.flag_is_route_forward and len(self.input_peer) > 1:
|
|
errprint('[WARN] route-forward should used with ONLY one peer.')
|
|
|
|
for this_peer_idx, this_peer_lines in enumerate(self.input_peer):
|
|
current_pubkey = ''
|
|
current_allowed = ''
|
|
current_endpoint = ''
|
|
if self.flag_is_route_lookup:
|
|
current_lookup = self.lookup_table
|
|
else:
|
|
current_lookup = ''
|
|
|
|
# pre-scan
|
|
for line in this_peer_lines:
|
|
if line.startswith('PublicKey'):
|
|
current_pubkey = '='.join(line.split('=')[1:]).strip()
|
|
if line.startswith('AllowedIPs'):
|
|
current_allowed = line.split('=')[1].strip().split(',')
|
|
if line.startswith('Endpoint'):
|
|
current_endpoint = line.split('=')[1].strip()
|
|
|
|
self.result_peers.append('[Peer]')
|
|
|
|
# compile peer
|
|
for line in this_peer_lines:
|
|
if not line.startswith('#'):
|
|
self.result_peers.append(line)
|
|
continue
|
|
|
|
if line.startswith('#use-tunnel'):
|
|
current_endpoint = ''
|
|
|
|
parts = line.split(' ')[1:]
|
|
tunnel_name = parts[0]
|
|
|
|
tunnel_addr = self.tunnel_local_endpoint[tunnel_name]
|
|
if ":" in tunnel_addr:
|
|
addr_parts = tunnel_addr.split(':')
|
|
addr_host = addr_parts[0]
|
|
addr_port = int(addr_parts[1])
|
|
|
|
if addr_host == "gateway":
|
|
tunnel_addr = ""
|
|
if self.flag_container_must_host or self.podman_user:
|
|
self.result_postup.append("wg set {} peer {} endpoint 127.0.0.1:{}".format(
|
|
self.wg_name, current_pubkey, addr_port))
|
|
else:
|
|
self.result_postup.append("CT_IP=$({}); wg set {} peer {} endpoint $CT_IP:{}".format(
|
|
self.get_podman_cmd_with('/usr/bin/python3 {} {} {}'.format(self.path_get_ip, self.get_container_network_name(), self.get_container_name())),
|
|
self.wg_name, current_pubkey, addr_port))
|
|
elif tunnel_addr:
|
|
tunnel_addr = "127.0.0.1:{}".format(tunnel_addr)
|
|
|
|
if tunnel_addr:
|
|
self.result_peers.append('Endpoint={}'.format(tunnel_addr))
|
|
elif line.startswith('#route-from'):
|
|
parts = line.split(' ')[1:]
|
|
table_name = parts[0]
|
|
|
|
if table_name != self.lookup_table:
|
|
current_lookup = table_name
|
|
errprint('[WARN] Please ensure custom route table {} exists.'.format(table_name))
|
|
elif line.startswith('#iptables-gateway'):
|
|
parts = line.split(' ')[1:]
|
|
interface_name = parts[0]
|
|
|
|
for ip_cidr in current_allowed:
|
|
self.result_postup.append('iptables -t nat -A POSTROUTING -s {} -o {} -j MASQUERADE'.format(ip_cidr, interface_name))
|
|
self.result_postdown.append('iptables -t nat -D POSTROUTING -s {} -o {} -j MASQUERADE'.format(ip_cidr, interface_name))
|
|
else:
|
|
errprint('[WARN] comment or unknown hint: {}'.format(line))
|
|
|
|
if self.flag_enable_dns_reload and current_endpoint:
|
|
self.result_postup.append('systemd-run --unit {} --collect --timer-property AccuracySec=10 --on-calendar *:*:0/30 /usr/bin/python3 {} {} {} {}'.format(
|
|
self.new_systemd_task_name('dnsreload'), self.path_reload_dns, self.wg_name, current_pubkey, current_endpoint))
|
|
self.flag_require_systemd_clean = True
|
|
|
|
if self.flag_is_route_forward and this_peer_idx == 0:
|
|
self.result_postup.insert(0, 'wg set {} peer {} allowed-ips 0.0.0.0/0'.format(self.wg_name, current_pubkey))
|
|
|
|
if current_lookup:
|
|
for ip_cidr in current_allowed:
|
|
self.result_postup.append('ip rule add from {} lookup {}'.format(ip_cidr, current_lookup))
|
|
self.result_postdown.append('ip rule del from {} lookup {}'.format(ip_cidr, current_lookup))
|
|
|
|
def compile_final(self):
|
|
if self.flag_require_tmpfile_clean:
|
|
self.result_postup.insert(0, 'rm -f /tmp/wg-ops-tmpfile-{}-*'.format(self.wg_name))
|
|
self.result_postup.append('rm -f /tmp/wg-ops-tmpfile-{}-*'.format(self.wg_name))
|
|
|
|
if self.flag_require_systemd_clean or self.opt_use_systemd:
|
|
self.result_postup.insert(0, 'systemctl stop wg-ops-task-{}-*'.format(self.wg_name))
|
|
self.result_postdown.insert(0, 'systemctl stop wg-ops-task-{}-*'.format(self.wg_name))
|
|
|
|
def get_result(self):
|
|
current_time = time.strftime("%Y-%m-%d %H:%M:%S")
|
|
gen_result_postup = ["PostUp={}".format(line) for line in self.result_postup]
|
|
gen_result_postdown = ["PostDown={}".format(line) for line in self.result_postdown]
|
|
|
|
return '''# Generated by wg-ops at {}. DO NOT EDIT.
|
|
{}
|
|
{}
|
|
{}
|
|
{}
|
|
'''.format(current_time, '\n'.join(self.result_interface), '\n'.join(gen_result_postup), '\n'.join(gen_result_postdown), '\n'.join(self.result_peers))
|