Merge pull request #16 from theonemcdonald/v0.0.4_1

Merge v0.0.4_1 into main

Author: rcmcdonald91

README.md

@@ -12,6 +12,7 @@ These changes include:
 2. Because assigned interfaces become a system dependency, this package includes several (clever) tricks to allow the system to be upgraded and rebooted with WireGuard tunnels assigned to pfSense interfaces (e.g. LAN, OPT#, etc...). There are now two `<earlyshellcmds>` that are installed. One is a bootstrapper and one is a reloader. The bootstrapper [here](https://github.com/theonemcdonald/pfSense-pkg-WireGuard/blob/main/src/files/usr/local/pkg/wireguard/etc/rc.bootstrap_wireguard) always runs first and is written to disk by the package internals instead of by `pkg(7)`. This means that this script will remain on your system by default even if the WireGuard package is uninstalled. There will be a configuration setting to change this behavior soon. This bootstrapper protects the system from interface mismatches on startup caused by WireGuard tunnels not being built (even though they are assigned) because the package is being updated or was removed for some reason. This is accomplishd by temporarily creating loopback interfaces of the same names, thus allowing the system to boot. However, if the WireGuard package is installed, the reloader [here](https://github.com/theonemcdonald/pfSense-pkg-WireGuard/blob/main/src/files/usr/local/etc/rc.reload_wireguard) will destroy these temporary loopbacks and replace them with true `wg(8)` tunnels early on system startup.
 3. Assigned interfaces are now configured under the traditional pfSense `interfaces.php` page. Unassigned tunnels are still configured through the WireGuard UI.
 4. Gateways are no longer automatically created for tunnels assigned to pfSense interfaces. Just like any other WAN, you will now be required to create your own gateway entries for the tunnel remote side if you intended to route traffic over the tunnel itself.
+5. There is now a proper status page at Status > WireGuard Status. This page includes various bits from `wg(8)`, `ifconfig(8)`, `pkg(7)`, and `kldstat(8)`. 
 
 Note: I have now moved development to the dev branch. Moving forward main will contain code that has been tested. If you want to run dev branch code, you will need to checkout the branch and `make package` yourself.
 

src/Makefile

@@ -2,7 +2,7 @@
 
 PORTNAME=	pfSense-pkg-WireGuard
 PORTVERSION=	0.0.4
-PORREVISION=	0
+PORREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	# empty
 DISTFILES=	# empty

src/files/usr/local/pkg/wireguard/etc/rc.bootstrap_wireguard

@@ -31,6 +31,7 @@ function print_message($message) {
 
     $message = escapeshellarg($message);
 
+    // printf is a shell builtin 
 	exec("printf {$message} >&2");
 
 }
@@ -46,35 +47,21 @@ if (platform_booting()) {
 
 }
 
-// Iterate through each assigned interface looking for any wg interfaces to bootstrap
-$a_interfaces = $config['interfaces'];
+$verbose_pipe = ($run_verbose ? "" : " > /dev/null 2>&1");
 
-if (is_array($a_interfaces)) {
+$if_list = get_configured_interface_list_by_realif($disabled);
 
-    foreach ($a_interfaces as $interface) {
+foreach ($if_list as $realif => $name) {
 
-        $ifname = $interface['if'];
-        
-        // We found one, create a temporary loopback interface of the same name to allow booting if the package disappears
-        if (substr($ifname, 0, 2) == "wg") {
+    $ifname = escapeshellarg($realif);
 
-            // Create a wgX interface using lo driver, keeping track of any erroneous loifs created
-            exec("ifconfig lo create name {$ifname}" . ($run_verbose ? "" : " > /dev/null 2>&1"), $loifs);
+	if (substr($realif, 0, 2) == "wg") {
 
-        }
+		exec("/sbin/ifconfig {$ifname}" . $verbose_pipe . " || ifconfig lo create name {$ifname}");
 
-    }
+		exec("/sbin/ifconfig {$ifname} group wg");
 
-}
-
-// Need to clean up any erroneous loifs that might have been created
-if (isset($loifs) && is_array($loifs)) {
-
-    foreach ($loifs as $loif) {
-
-        exec("ifconfig {$loif} destroy" . ($run_verbose ? "" : " > /dev/null 2>&1"));
-
-    }
+	}
 
 }
 

src/files/usr/local/pkg/wireguard/wg.inc

@@ -39,8 +39,14 @@ require_once('wg_validate.inc');
 global $wgifgroup;
 $wgifgroup = 'WireGuard';
 
-global $wgearlyshellcmds;
+global $wgearlyshellcmds, $wgearlyshellcmds_pkg;
 $wgearlyshellcmds = array('/usr/local/etc/rc.bootstrap_wireguard', '/usr/local/etc/rc.reload_wireguard');
+$wgearlyshellcmds_pkg = array('/usr/local/etc/rc.reload_wireguard');
+
+// Full source path of extra scripts to install
+global $wg_scripts_to_install;
+$wg_scripts_to_install = array('/usr/local/pkg/wireguard/etc/rc.bootstrap_wireguard');
+
 
 // Setup all WireGuard tunnels
 function wg_configure() {
@@ -88,7 +94,7 @@ function wg_configure_if($tunnel, $destroyfirst = true, $verbose = false) {
 	exec_wg_quick_action($tunnel, "up", $verbose);
 
 	// Attempt to add the interface to interface group (i.e. WireGuard)
-	exec("ifconfig {$tunnel['name']} group {$wgifgroup}");
+	exec("/sbin/ifconfig {$tunnel['name']} group {$wgifgroup}");
 
 }
 
@@ -136,7 +142,7 @@ function deleteTunnel($tunidx) {
 		}
 		// Delete the tunnel configuration entry
 		unset($config['installedpackages']['wireguard']['tunnel'][$tunidx]);
-		write_config("WireGuard tunnel {$index} updated.");
+		write_config("[WireGuard] tunnel {$index} updated.");
 
 		// Delete the wg?.conf file
 		if (isset($conf_path) && is_file($conf_path)) {
@@ -179,69 +185,110 @@ function wg_ifgroup_install() {
 		$a_ifgroups[] = $ifgroupentry;
 	}
 
-	write_config("WireGuard interface group updated.");
+	write_config("[WireGuard] Interface group updated.");
 
 	unlink_if_exists("{$g['tmp_path']}/config.cache");
 
 }
 
-function wg_earlyshellcmd_deinstall($clean = true) {
+function wg_earlyshellcmd_deinstall($cmds_to_remove) {
+	global $config;
+
+	$a_earlyshellcmds = &$config['system']['earlyshellcmd'];
 
-	# TODO
+	$a_earlyshellcmds = array_diff($a_earlyshellcmds, $cmds_to_remove);
 
+	$cmds_to_remove = implode(',', $cmds_to_remove);
+	
+	write_config("[WireGuard] ( {$cmds_to_remove} ) earlyshellcmds deinstalled.");
+	
 }
 
-function wg_earlyshellcmd_install() {
-	global $config, $wgearlyshellcmds;
+function wg_extra_script_install($scripts_to_install, $install_dest = '/usr/local/etc', $verbose = false) {
+
+	foreach ($scripts_to_install as $script) {
 
-	// This ensures we are always starting clean
-	wg_earlyshellcmd_deinstall();
+		$script_name = basename($script);
 
-	// Need to generalize this and clean it up...
-	unlink_if_exists('/usr/local/etc/rc.bootstrap_wireguard');
-	copy('/usr/local/pkg/wireguard/etc/rc.bootstrap_wireguard', '/usr/local/etc/rc.bootstrap_wireguard');
-	chmod('/usr/local/etc/rc.bootstrap_wireguard', 0755);
+		$script_source_path = dirname($script);
 
-	$a_earlyshellcmd = &$config['system']['earlyshellcmd'];
+		update_status("\nInstalling {$script_name} to {$install_dest} ...");
 
-	// Unlikely the user already has earlyshellcmds configured
-	if (!is_array($a_earlyshellcmd)) {
+		unlink_if_exists("{$install_dest}/{$script_name}");
 
-		$a_earlyshellcmd = array();
+		copy("{$script}", "{$install_dest}/{$script_name}");
+
+		chmod("{$install_dest}/{$script_name}", 0755);
+
+		update_status(" done.\n");
 
 	}
 
-	// Make sure our WireGuard scripts always run first
-	$a_earlyshellcmd = array_merge($wgearlyshellcmds, $a_earlyshellcmd);
+}
+
+function wg_earlyshellcmd_install($cmds_to_install) {
+	global $config;
+
+	// Ensures we are always starting clean
+	wg_earlyshellcmd_deinstall($cmds_to_install);
+
+	$a_earlyshellcmds = &$config['system']['earlyshellcmd'];
 
-	write_config("WireGuard earlyshellcmds updated.");
+	// Unlikely the user already has earlyshellcmds configured, but maybe...
+	if (!is_array($a_earlyshellcmds)) {
+
+		$a_earlyshellcmds = array();
+
+	}
+
+	// Make sure our WireGuard scripts always run first, push everything else after us
+	$a_earlyshellcmds = array_merge($cmds_to_install, $a_earlyshellcmds);
+
+	write_config("[WireGuard] Earlyshellcmds installed.");
 
 }
 
 function wg_install() {
+	global $g, $wg_scripts_to_install, $wgearlyshellcmds;
+
+	$g['wireguard_install'] = true;
+
+	update_status("\nInstalling extra scripts... ");
 
-	update_status("Creating earlyshellcmds...\n");
+	// Installs any extra scripts
+	wg_extra_script_install($wg_scripts_to_install);
+
+	update_status("Finished installing extra scripts.\n"); 
+	
+	update_status("Setting up earlyshellcmds... ");
 
 	// Installs the earlyshellcmds
-	wg_earlyshellcmd_install();
+	wg_earlyshellcmd_install($wgearlyshellcmds);
 
-	update_status(" done.\nCreating WireGuard interface group...\n");
+	update_status(" done.\nCreating WireGuard interface group... ");
 
-	// Create the 'WireGuard' interface group
+	// Installs the 'WireGuard' interface group
 	wg_ifgroup_install();
 
-	update_status(" done.\nConfiguring any existing WireGuard interfaces...\n");
+	update_status(" done.\nConfiguring existing WireGuard interfaces... ");
 
 	// Configure any existing interfaces
 	wg_configure();
 
 	update_status(" done.\n");
 
+	unset($g['wireguard_install']);
+
 }
 
 function wg_deinstall() {
+	global $wgearlyshellcmds_pkg;
 
-	# TODO
+	update_status("Removing earlyshellcmds... ");
+
+	wg_earlyshellcmd_deinstall($wgearlyshellcmds_pkg);
+
+	update_status(" done.\n");
 
 }
 
@@ -308,7 +355,7 @@ function wg_do_post($post, $json = false) {
 
 	if (!$input_errors) {
 		$config['installedpackages']['wireguard']['tunnel'][$index] = $pconfig;
-		write_config("WireGuard tunnel {$index} updated.");
+		write_config("[WireGuard] Tunnel {$pconfig['name']} (Index {$index}) updated.");
 	}
 
 	return(array('input_errors' => $input_errors, 'pconfig' => $pconfig));

src/files/usr/local/pkg/wireguard/wg_validate.inc

@@ -173,12 +173,24 @@ function wg_defaultroute_check($peer) {
 
 // Check if wg tunnel is assigned to an interface
 function is_wg_tunnel_assigned($tunnel, $disabled = true) {
+	global $config;
+
+	// Assume we have an interface first
+	$wg_ifname = $tunnel;
 
-	$iflist = get_configured_interface_list_by_realif($disabled);
+	// Looks like we have a tunnel structure
+	if (is_array($tunnel)) {
 
-	$ifassigned = array_key_exists($tunnel['name'], $iflist);
+		$wg_ifname = $tunnel['name'];
+
+	}
 
-	return $ifassigned;
+	$if_list = get_configured_interface_list_by_realif($disabled);
+
+	$if_assigned = array_key_exists($wg_ifname, $if_list);
+
+	return $if_assigned;
+	
 }
 
 // Check if at least one tunnel is enabled

src/files/usr/local/www/shortcuts/pkg_wireguard.inc

@@ -24,7 +24,7 @@
 global $shortcuts;
 
 $shortcuts['wireguard'] = array();
-$shortcuts['wireguard']['main'] = "/wg/vpn_wg.php";
+$shortcuts['wireguard']['main'] = "/wg/vpn_wg_settings.php";
 $shortcuts['wireguard']['status'] = "/wg/status_wireguard.php";
 
 ?>

src/files/usr/local/www/wg/status_wireguard.php

@@ -56,7 +56,7 @@
 	</div>
 	<div class="panel-body">
 		<dl class="dl-horizontal">
-			<pre><?php echo wg_status(); ?></pre>
+			<pre><?=wg_status(); ?></pre>
 		</dl>
     </div>
 </div>
@@ -67,7 +67,7 @@
 	</div>
 	<div class="panel-body">
 		<dl class="dl-horizontal">
-			<pre><?php echo wg_interface_status(); ?></pre>
+			<pre><?=wg_interface_status(); ?></pre>
 		</dl>
     </div>
 </div>
@@ -78,7 +78,7 @@
 	</div>
 	<div class="panel-body">
 		<dl class="dl-horizontal">
-			<pre><?php echo wg_version(); ?></pre>
+			<pre><?=wg_version(); ?></pre>
 		</dl>
     </div>
 </div>
@@ -89,7 +89,7 @@
 	</div>
 	<div class="panel-body">
 		<dl class="dl-horizontal">
-			<pre><?php echo wg_kmod_status(); ?></pre>
+			<pre><?=wg_kmod_status(); ?></pre>
 		</dl>
     </div>
 </div>

src/files/usr/local/www/wg/vpn_wg_edit.php

@@ -131,14 +131,15 @@
 $section->addInput(new Form_Checkbox(
 	'enabled',
 	'Tunnel Enabled',
-	'',
+	gettext('Enable'),
 	$pconfig['enabled'] == 'yes'
-))->setHelp('Note: Tunnel must be enabled for interface assignment');
+))->setHelp('<span class="text-danger">Note: </span>'
+		. 'Tunnel must be enabled for interface assignment');
 
 $section->addInput(new Form_Input(
 	'descr',
 	'Description',
-	'text',
+	gettext('Description'),
 	$pconfig['descr']
 ))->setHelp('Tunnel description for administrative reference (not parsed)');
 
@@ -183,12 +184,12 @@
 
 	$section->addInput(new Form_StaticText(
 		'Assignment',
-		"Leave these fields blank to use <a href='../../interfaces_assign.php'>Interface Assignments</a>"
+		"<a href='../../interfaces_assign.php'>Interface Assignments</a>"
 	));
 
 	$section->addInput(new Form_StaticText(
 		'Firewall Rules',
-		"Configure firewall rules on unassigned tunnels using the <a href='../../firewall_rules.php?if={$wgifgroup}'>WireGuard Interface Group</a>"
+		"<a href='../../firewall_rules.php?if={$wgifgroup}'>WireGuard Interface Group</a>"
 	));
 
 	$section->addInput(new Form_Input(
@@ -349,7 +350,9 @@
 
 			<tbody>
 <?php
+
 				$peer_num = 0;
+
 				if (!empty($pconfig['peers']['wgpeer'])) {
 					foreach ($pconfig['peers']['wgpeer'] as $peer) {
 						print('<tr id="peer_row_' . $peer_num . '" class="peer_group_' . $peer_num . '">');
@@ -366,8 +369,6 @@
 						print("<td style=\"display:none;\">" . htmlspecialchars($peer['peerwgaddr']) . "</td>\n");
 ?>
 						<td style="cursor: pointer;">
-							<a class="fa fa-download" href="https://github.com/theonemcdonald/pfSense-pkg-WireGuard/issues/7" target="_blank" title="<?=gettext("Download Peer Configuration"); ?>"></a>
-							<a class="fa fa-qrcode" href="https://github.com/theonemcdonald/pfSense-pkg-WireGuard/issues/7" target="_blank" title="<?=gettext("View Peer Configuration QR code"); ?>"></a>
 							<a class="fa fa-pencil" href="#" id="editpeer_<?=$peer_num?>"title="<?=gettext("Edit peer"); ?>"></a>
 							<a class="fa fa-trash text-danger no-confirm" href="#" id="killpeer_<?=$peer_num?>" title="<?=gettext('Delete peer');?>"></a>
 						</td>