[feature] Adding Wireguard and VXLAN support #187

Merged
merged 9 commits into from
Aug 20, 2021
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Expand Up @@ -37,7 +37,7 @@ jobs:
pip install -U -r requirements-test.txt

- name: Install netjsonconfig
run: python setup.py -q develop
run: pip install -U -e .

- name: QA checks
run: ./run-qa-checks
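Review bot: `pip install -U -e .` in the "Install netjsonconfig" step re-resolves the package's own `install_requires` and upgrades those dependencies to their latest releases, which can silently replace the versions installed one step earlier by `pip install -U -r requirements-test.txt` and makes the CI run non-reproducible. Consider dropping `-U` here (`run: pip install -e .`) so the editable install reuses what the requirements step already put in place, and keep upgrading confined to that one step.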
3 changes: 2 additions & 1 deletion README.rst
Expand Up @@ -16,7 +16,7 @@ netjsonconfig

.. image:: https://badge.fury.io/py/netjsonconfig.svg
:target: http://badge.fury.io/py/netjsonconfig

.. image:: https://pepy.tech/badge/netjsonconfig
:target: https://pepy.tech/project/netjsonconfig
:alt: downloads
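Review bot: the badge.fury.io `:target:` still points at plain `http://badge.fury.io/py/netjsonconfig` while the badge image itself is fetched over https. Since this hunk already touches the badge block, switch the target to `https://badge.fury.io/py/netjsonconfig` so the README does not send readers to an unencrypted URL.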
Expand All @@ -43,6 +43,7 @@ Its main features are listed below for your reference:
* `OpenWRT <http://openwrt.org>`_ / `LEDE <https://www.lede-project.org/>`_ support
* `OpenWisp Firmware <https://github.com/openwisp/OpenWISP-Firmware>`_ support
* `OpenVPN <https://openvpn.net>`_ support
* `WireGuard <https://www.wireguard.com/>`_ support
* Possibility to support more firmwares via custom backends
* Based on the `NetJSON RFC <http://netjson.org/rfc.html>`_
* **Validation** based on `JSON-Schema <http://json-schema.org/>`_
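Review bot: the feature list gains a `WireGuard support` bullet but says nothing about VXLAN, even though the PR title is "Adding Wireguard and VXLAN support" and the OpenWrt backend docs in this PR add a full VXLAN section. Add a matching bullet (for example `* VXLAN over WireGuard support`) so the README reflects everything the change delivers.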
283 changes: 283 additions & 0 deletions docs/source/backends/openwrt.rst
Expand Up @@ -2285,6 +2285,289 @@ Will be rendered as follows::
option proto 'udp'
option tls_server '1'

WireGuard
---------

This backend includes the schema of the ``Wireguard`` backend, inheriting its features.

For details regarding the **WireGuard** schema please see :ref:`wireguard_backend_schema`.

Schema additions
~~~~~~~~~~~~~~~~

The ``OpenWrt`` backend adds a few properties to the WireGuard schema, see below.

+-----------------+---------+--------------+-------------------------------------------------------------+
| key name | type | default | description |
+=================+=========+==============+=============================================================+
| ``network`` | string | ``None`` | logical interface name (UCI specific), |
| | | | |
| | | | 2 to 15 alphanumeric characters, dashes and underscores |
+-----------------+---------+--------------+-------------------------------------------------------------+
| ``nohostroute`` | boolean | ``False`` | do not add routes to ensure the tunnel endpoints are routed |
| | | | via non-tunnel device |
+-----------------+---------+--------------+-------------------------------------------------------------+
| ``fwmark`` | string | ``None`` | firewall mark to apply to tunnel endpoint packets |
+-----------------+---------+--------------+-------------------------------------------------------------+
| ``ip6prefix`` | list | ``[]`` | IPv6 prefixes to delegate to other interfaces |
+-----------------+---------+--------------+-------------------------------------------------------------+
| ``addresses`` | list | ``[]`` | list of unique IPv4 or IPv6 addresses |
+-----------------+---------+--------------+-------------------------------------------------------------+

The ``OpenWrt`` backend also adds ``wireguard_peers`` option for sepecifying a list of
WireGuard Peers. It add the following properties to the ``wireguard_peers`` property of
WireGuard schema.

+-----------------------+---------+-----------+------------------------------------------------------------------------+
| key name | type | default | description |
+=======================+=========+===========+========================================================================+
| ``interface`` | string | ``None`` | name of the wireguard interface, |
| | | | |
| | | | 2 to 15 alphanumeric characters, dashes and underscores |
+-----------------------+---------+-----------+------------------------------------------------------------------------+
| ``route_allowed_ips`` | boolean | ``False`` | automatically create a route for each of the Allowed IPs for this peer |
+-----------------------+---------+-----------+------------------------------------------------------------------------+

WireGuard example
~~~~~~~~~~~~~~~~~

The following *configuration dictionary*:

.. code-block:: python

{
"interfaces": [
{
"name": "wg",
"type": "wireguard",
"private_key": "QFdbnuYr7rrF4eONCAs7FhZwP7BXX/jD/jq2LXCpaXI=",
"port": 51820,
"mtu": 1420,
"nohostroute": False,
"fwmark": "",
"ip6prefix": [],
"addresses": [
{
"proto": "static",
"family": "ipv4",
"address": "10.0.0.5/32",
"mask": 32,
}
],
"network": "",
}
],
"wireguard_peers": [
{
"interface": "wg",
"public_key": "94a+MnZSdzHCzOy5y2K+0+Xe7lQzaa4v7lEiBZ7elVE=",
"allowed_ips": ["10.0.0.1/32"],
"endpoint_host": "wireguard.test.com",
"endpoint_port": 51820,
"preshared_key": "",
"persistent_keepalive": 60,
"route_allowed_ips": True,
}
]
}

Will be rendered as follows:

.. code-block:: text

package network

config interface 'wg'
list addresses '10.0.0.5/32/32'
option listen_port '51820'
option mtu '1420'
option nohostroute '0'
option private_key 'QFdbnuYr7rrF4eONCAs7FhZwP7BXX/jD/jq2LXCpaXI='
option proto 'wireguard'

config wireguard_wg 'wgpeer'
list allowed_ips '10.0.0.1/32'
option endpoint_host 'wireguard.test.com'
option endpoint_port '51820'
option persistent_keepalive '60'
option public_key '94a+MnZSdzHCzOy5y2K+0+Xe7lQzaa4v7lEiBZ7elVE='
option route_allowed_ips '1'

VXLAN
-----

``OpenWrt`` backend includes the schema requied for generating VXLAN
interface configouration. This is useful of setting up layer 2 tunnels.


VXLAN Settings
~~~~~~~~~~~~~~

+-------------+-------------------+--------------+-------------------------------------------------------------+
| key name | type | default | description |
+=============+===================+==============+=============================================================+
| ``network`` | string | ``None`` | name of interface, |
| | | | |
| | | | 2 to 15 alphanumeric characters, dashes and underscores |
+-------------+-------------------+--------------+-------------------------------------------------------------+
| ``vtep`` | string | ``False`` | VXLAN tunnel endpoint |
+-------------+-------------------+--------------+-------------------------------------------------------------+
| ``port`` | integer | ``4789`` | port for VXLAN connection |
+-------------+-------------------+--------------+-------------------------------------------------------------+
| ``vni`` | integer or string | ``None`` | VXLAN Network Identifier |
+-------------+-------------------+--------------+-------------------------------------------------------------+
| ``tunlink`` | list | ``[]`` | interface to which the VXLAN tunnel will be bound |
+-------------+-------------------+--------------+-------------------------------------------------------------+
| ``rxcsum`` | boolean | ``True`` | use checksum validation in RX direction |
+-------------+-------------------+--------------+-------------------------------------------------------------+
| ``txcsum`` | boolean | ``True`` | use checksum validation in TX direction |
+-------------+-------------------+--------------+-------------------------------------------------------------+
| ``mtu`` | integer | ``1280`` | MTU for route, only numbers are allowed |
+-------------+-------------------+--------------+-------------------------------------------------------------+
| ``ttl`` | integer | ``64`` | TTL of the encapsulation packets |
+-------------+-------------------+--------------+-------------------------------------------------------------+

VXLAN example
~~~~~~~~~~~~~

The following *configuration dictionary*:

.. code-block:: python

{
"interfaces": [
{
"name": "vxlan",
"type": "vxlan",
"vtep": "10.0.0.1",
"port": 4789,
"vni": 1,
"tunlink": "",
"rxcsum": True,
"txcsum": True,
"mtu": 1280,
"ttl": 64,
"mac": "",
"disabled": False,
"network": "",
},
]
}

Will be rendered as follows:

.. code-block:: text

package network

config interface 'vxlan'
option enabled '0'
option ifname 'vxlan'
option mtu '1280'
option peeraddr '10.0.0.1'
option port '4789'
option proto 'vxlan'
option rxcsum '1'
option ttl '64'
option txcsum '1'
option vid '1'

VXLAN over WireGuard example
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Since a layer 2 tunnel can be encapsulated in a layer 3 tunnel, here is an
example configuration for setting up a VXLAN tunnel over WireGuard.

The following *configuration dictionary*:

.. code-block:: python

{
"interfaces": [
{
"name": "wgvxlan",
"type": "wireguard",
"private_key": "QFdbnuYr7rrF4eONCAs7FhZwP7BXX/jD/jq2LXCpaXI=",
"port": 51820,
"mtu": 1420,
"nohostroute": False,
"fwmark": "",
"ip6prefix": [],
"addresses": [
{
"proto": "static",
"family": "ipv4",
"address": "10.0.0.5/32",
"mask": 32,
}
],
"network": "",
},
{
"name": "vxlan",
"type": "vxlan",
"vtep": "10.0.0.1",
"port": 4789,
"vni": 1,
"tunlink": "wgvxlan",
"rxcsum": True,
"txcsum": True,
"mtu": 1280,
"ttl": 64,
"mac": "",
"disabled": False,
"network": "",
},
],
"wireguard_peers": [
{
"interface": "wgvxlan",
"public_key": "94a+MnZSdzHCzOy5y2K+0+Xe7lQzaa4v7lEiBZ7elVE=",
"allowed_ips": ["10.0.0.1/32"],
"endpoint_host": "wireguard.test.com",
"endpoint_port": 51820,
"preshared_key": "",
"persistent_keepalive": 60,
"route_allowed_ips": True,
}
]
}

Will be rendered as follows:

.. code-block:: text

package network

config interface 'wgvxlan'
list addresses '10.0.0.5/32/32'
option listen_port '51820'
option mtu '1420'
option nohostroute '0'
option private_key 'QFdbnuYr7rrF4eONCAs7FhZwP7BXX/jD/jq2LXCpaXI='
option proto 'wireguard'

config interface 'vxlan'
option enabled '1'
option ifname 'vxlan'
option mtu '1280'
option peeraddr '10.0.0.1'
option port '4789'
option proto 'vxlan'
option rxcsum '1'
option ttl '64'
option tunlink 'wgvxlan'
option txcsum '1'
option vid '1'

config wireguard_wgvxlan 'wgpeer'
list allowed_ips '10.0.0.1/32'
option endpoint_host 'wireguard.test.com'
option endpoint_port '51820'
option persistent_keepalive '60'
option public_key '94a+MnZSdzHCzOy5y2K+0+Xe7lQzaa4v7lEiBZ7elVE='
option route_allowed_ips '1'

All the other settings
----------------------

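Review bot: both WireGuard renderings show `list addresses '10.0.0.5/32/32'`, an invalid UCI value: the example address already carries `/32` and the separate `"mask": 32` is appended again. Either the example dictionary should use a bare address (or omit `mask`), or the renderer is emitting a doubled prefix length, and the docs should not ship showing broken output until that is settled. The two VXLAN examples also disagree: both pass `"disabled": False`, yet the first renders `option enabled '0'` and the second `option enabled '1'`; only `'1'` matches the input. In the VXLAN settings table, `vtep` is typed string but defaults to ``False``, and `tunlink` is typed list while both examples pass a string (`""`, `"wgvxlan"`) and the output is `option tunlink 'wgvxlan'`; align the table with the schema, and reword `MTU for route` since this is the interface MTU. Wording fixes while here: "requied", "configouration", "useful of setting up", "sepecifying", "It add", and `Wireguard` versus WireGuard; the `:ref:`wireguard_backend_schema`` target must exist in the WireGuard backend page. Finally, the sample `private_key` looks like a real key; say in the text that it is a placeholder so nobody copies it into a live configuration.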
14 changes: 14 additions & 0 deletions docs/source/backends/vpn.rst
@@ -0,0 +1,14 @@
============
VPN Backends
============

.. include:: ../_github.rst

``netjsonconfig`` currently supports three VPN backends:

.. toctree::
:maxdepth: 2

/backends/openvpn
/backends/wireguard
/backends/vxlan_over_wireguard
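Review bot: the intro counts "three VPN backends" and the toctree lists `/backends/wireguard` and `/backends/vxlan_over_wireguard`, but neither document is visible in this part of the diff; confirm both are added in this PR (and that the `wireguard_backend_schema` label referenced from openwrt.rst lives in the former), otherwise Sphinx will warn about missing toctree targets and the OpenWrt docs will carry a dangling cross-reference. VXLAN over WireGuard is also a layer 2 tunnel carried inside the WireGuard VPN rather than a VPN backend in its own right, so consider wording the introduction accordingly.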