2025-08-10 14:42:02 +02:00
|
|
|
package config
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"time"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const LocalBackendName = "local"
|
|
|
|
|
|
|
|
|
|
type Backend struct {
|
|
|
|
|
Default string `yaml:"default"` // The default backend to use (defaults to the internal backend)
|
|
|
|
|
|
2025-09-09 21:43:16 +02:00
|
|
|
// Local Backend-specific configuration
|
|
|
|
|
|
|
|
|
|
IgnoredLocalInterfaces []string `yaml:"ignored_local_interfaces"` // A list of interface names that should be ignored by this backend (e.g., "wg0")
|
2025-10-12 14:31:19 +02:00
|
|
|
LocalResolvconfPrefix string `yaml:"local_resolvconf_prefix"` // The prefix to use for interface names when passing them to resolvconf.
|
2025-09-09 21:43:16 +02:00
|
|
|
|
|
|
|
|
// External Backend-specific configuration
|
|
|
|
|
|
2025-08-10 14:42:02 +02:00
|
|
|
Mikrotik []BackendMikrotik `yaml:"mikrotik"`
|
Add Pfsense backend (ALPHA) (#585)
* Add pfSense backend domain types and configuration
This adds the necessary domain types and configuration structures
for the pfSense backend support. Includes PfsenseInterfaceExtras and
PfsensePeerExtras structs, and the BackendPfsense configuration
with API URL, key, and timeout settings.
* Add low-level pfSense REST API client
Implements the HTTP client for interacting with the pfSense REST API.
Handles authentication via X-API-Key header, request/response parsing,
and error handling. Uses the pfSense REST API v2 endpoints as documented
at https://pfrest.org/.
* Implement pfSense WireGuard controller
This implements the InterfaceController interface for pfSense firewalls.
Handles WireGuard tunnel and peer management through the pfSense REST API.
Includes proper filtering of peers by interface (since API filtering doesn't
work) and parsing of the allowedips array structure with address/mask fields.
* Register pfSense controllers and update configuration
Registers the pfSense backend controllers in the controller manager
and adds example configuration to config.yml.sample. Also updates
README to mention pfSense backend support.
* Fix peer filtering and allowedips parsing for pfSense backend
The pfSense REST API doesn't support filtering peers by interface
via query parameters, so all peers are returned regardless of the
filter. This caused peers from all interfaces to be randomly assigned
to a single interface in wg-portal.
Additionally, the API returns allowedips as an array of objects with
"address" and "mask" fields instead of a comma-separated string,
which caused parsing failures.
Changes:
- Remove API filter from GetPeers() since it doesn't work
- Add client-side filtering by checking the "tun" field in peer responses
- Update convertWireGuardPeer() to parse allowedips array structure
- Add parseAddressArray() helper for parsing address objects
- Attempt to fetch interface addresses from /tunnel/{id}/address endpoint
(endpoint may not be available in all pfSense versions)
- Add debug logging for peer filtering and address loading operations
Note: Interface addresses may still be empty if the address endpoint
is not available. Public Endpoint and Default DNS Servers are typically
configured manually in wg-portal as the pfSense API doesn't provide
this information.
* Extract endpoint, DNS, and peer names from pfSense peer data
The pfSense API provides endpoint, port, and description (descr) fields
in peer responses that can be used to populate interface defaults and
peer display names.
Changes:
- Extract endpoint and port from peers and combine them properly
- Fix peer name/description extraction to check "descr" field first
(pfSense API uses "descr" instead of "description" or "comment")
- Add extractPfsenseDefaultsFromPeers() helper to extract common
endpoint and DNS from peers during interface import
- Set PeerDefEndpoint and PeerDefDnsStr from peer data for pfSense
backends during interface import
- Use most common endpoint/DNS values when multiple peers are present
* Fix interface display name to use descr field from pfSense API
The pfSense API uses "descr" field for tunnel descriptions, not
"description" or "comment". Updated convertWireGuardInterface()
to check "descr" first so that tunnel descriptions (e.g., "HQ VPN")
are displayed in the UI instead of just the tunnel name (e.g., "tun_wg0").
* Remove calls to non-working tunnel and peer detail endpoints
The pfSense REST API endpoints /api/v2/vpn/wireguard/tunnel/{id}
and /api/v2/vpn/wireguard/tunnel/{id}/address don't work and were
causing log spam. Removed these calls and use only the data from
the tunnel/peer list responses.
Also removed the peer detail endpoint call that was added for
statistics collection, as it likely doesn't work either.
* Fix unused variable compilation error
Removed unused deviceId variable that was causing build failure.
* Optimize tunnel address fetching to use /tunnel?id endpoint
Instead of using the separate /tunnel/address endpoint, now query
the specific tunnel endpoint /tunnel?id={id} which includes the
addresses array in the response. This avoids unnecessary API calls
and simplifies the code.
- GetInterface() now queries /tunnel?id={id} after getting tunnel ID
- loadInterfaceData() queries /tunnel?id={id} as fallback if addresses missing
- extractAddresses() properly parses addresses array from tunnel response
- Removed /tunnel/address endpoint calls
Signed-off-by: rwjack <jack@foss.family>
* Fix URL encoding issue in tunnel endpoint queries
Use Filters in PfsenseRequestOptions instead of passing query strings
directly in the path. This prevents the ? character from being encoded
as %3F, which was causing 404 errors.
- GetInterface() now uses Filters map for id parameter
- loadInterfaceData() now uses Filters map for id parameter
Signed-off-by: rwjack <jack@foss.family>
* update backend docs for pfsense
---------
Signed-off-by: rwjack <jack@foss.family>
2025-12-09 22:33:12 +01:00
|
|
|
Pfsense []BackendPfsense `yaml:"pfsense"`
|
2025-08-10 14:42:02 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Validate checks the backend configuration for errors.
|
|
|
|
|
func (b *Backend) Validate() error {
|
|
|
|
|
if b.Default == "" {
|
|
|
|
|
b.Default = LocalBackendName
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
uniqueMap := make(map[string]struct{})
|
|
|
|
|
for _, backend := range b.Mikrotik {
|
|
|
|
|
if backend.Id == LocalBackendName {
|
|
|
|
|
return fmt.Errorf("backend ID %q is a reserved keyword", LocalBackendName)
|
|
|
|
|
}
|
|
|
|
|
if _, exists := uniqueMap[backend.Id]; exists {
|
|
|
|
|
return fmt.Errorf("backend ID %q is not unique", backend.Id)
|
|
|
|
|
}
|
|
|
|
|
uniqueMap[backend.Id] = struct{}{}
|
|
|
|
|
}
|
Add Pfsense backend (ALPHA) (#585)
* Add pfSense backend domain types and configuration
This adds the necessary domain types and configuration structures
for the pfSense backend support. Includes PfsenseInterfaceExtras and
PfsensePeerExtras structs, and the BackendPfsense configuration
with API URL, key, and timeout settings.
* Add low-level pfSense REST API client
Implements the HTTP client for interacting with the pfSense REST API.
Handles authentication via X-API-Key header, request/response parsing,
and error handling. Uses the pfSense REST API v2 endpoints as documented
at https://pfrest.org/.
* Implement pfSense WireGuard controller
This implements the InterfaceController interface for pfSense firewalls.
Handles WireGuard tunnel and peer management through the pfSense REST API.
Includes proper filtering of peers by interface (since API filtering doesn't
work) and parsing of the allowedips array structure with address/mask fields.
* Register pfSense controllers and update configuration
Registers the pfSense backend controllers in the controller manager
and adds example configuration to config.yml.sample. Also updates
README to mention pfSense backend support.
* Fix peer filtering and allowedips parsing for pfSense backend
The pfSense REST API doesn't support filtering peers by interface
via query parameters, so all peers are returned regardless of the
filter. This caused peers from all interfaces to be randomly assigned
to a single interface in wg-portal.
Additionally, the API returns allowedips as an array of objects with
"address" and "mask" fields instead of a comma-separated string,
which caused parsing failures.
Changes:
- Remove API filter from GetPeers() since it doesn't work
- Add client-side filtering by checking the "tun" field in peer responses
- Update convertWireGuardPeer() to parse allowedips array structure
- Add parseAddressArray() helper for parsing address objects
- Attempt to fetch interface addresses from /tunnel/{id}/address endpoint
(endpoint may not be available in all pfSense versions)
- Add debug logging for peer filtering and address loading operations
Note: Interface addresses may still be empty if the address endpoint
is not available. Public Endpoint and Default DNS Servers are typically
configured manually in wg-portal as the pfSense API doesn't provide
this information.
* Extract endpoint, DNS, and peer names from pfSense peer data
The pfSense API provides endpoint, port, and description (descr) fields
in peer responses that can be used to populate interface defaults and
peer display names.
Changes:
- Extract endpoint and port from peers and combine them properly
- Fix peer name/description extraction to check "descr" field first
(pfSense API uses "descr" instead of "description" or "comment")
- Add extractPfsenseDefaultsFromPeers() helper to extract common
endpoint and DNS from peers during interface import
- Set PeerDefEndpoint and PeerDefDnsStr from peer data for pfSense
backends during interface import
- Use most common endpoint/DNS values when multiple peers are present
* Fix interface display name to use descr field from pfSense API
The pfSense API uses "descr" field for tunnel descriptions, not
"description" or "comment". Updated convertWireGuardInterface()
to check "descr" first so that tunnel descriptions (e.g., "HQ VPN")
are displayed in the UI instead of just the tunnel name (e.g., "tun_wg0").
* Remove calls to non-working tunnel and peer detail endpoints
The pfSense REST API endpoints /api/v2/vpn/wireguard/tunnel/{id}
and /api/v2/vpn/wireguard/tunnel/{id}/address don't work and were
causing log spam. Removed these calls and use only the data from
the tunnel/peer list responses.
Also removed the peer detail endpoint call that was added for
statistics collection, as it likely doesn't work either.
* Fix unused variable compilation error
Removed unused deviceId variable that was causing build failure.
* Optimize tunnel address fetching to use /tunnel?id endpoint
Instead of using the separate /tunnel/address endpoint, now query
the specific tunnel endpoint /tunnel?id={id} which includes the
addresses array in the response. This avoids unnecessary API calls
and simplifies the code.
- GetInterface() now queries /tunnel?id={id} after getting tunnel ID
- loadInterfaceData() queries /tunnel?id={id} as fallback if addresses missing
- extractAddresses() properly parses addresses array from tunnel response
- Removed /tunnel/address endpoint calls
Signed-off-by: rwjack <jack@foss.family>
* Fix URL encoding issue in tunnel endpoint queries
Use Filters in PfsenseRequestOptions instead of passing query strings
directly in the path. This prevents the ? character from being encoded
as %3F, which was causing 404 errors.
- GetInterface() now uses Filters map for id parameter
- loadInterfaceData() now uses Filters map for id parameter
Signed-off-by: rwjack <jack@foss.family>
* update backend docs for pfsense
---------
Signed-off-by: rwjack <jack@foss.family>
2025-12-09 22:33:12 +01:00
|
|
|
for _, backend := range b.Pfsense {
|
|
|
|
|
if backend.Id == LocalBackendName {
|
|
|
|
|
return fmt.Errorf("backend ID %q is a reserved keyword", LocalBackendName)
|
|
|
|
|
}
|
|
|
|
|
if _, exists := uniqueMap[backend.Id]; exists {
|
|
|
|
|
return fmt.Errorf("backend ID %q is not unique", backend.Id)
|
|
|
|
|
}
|
|
|
|
|
uniqueMap[backend.Id] = struct{}{}
|
|
|
|
|
}
|
2025-08-10 14:42:02 +02:00
|
|
|
|
|
|
|
|
if b.Default != LocalBackendName {
|
|
|
|
|
if _, ok := uniqueMap[b.Default]; !ok {
|
|
|
|
|
return fmt.Errorf("default backend %q is not defined in the configuration", b.Default)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type BackendBase struct {
|
|
|
|
|
Id string `yaml:"id"` // A unique id for the backend
|
|
|
|
|
DisplayName string `yaml:"display_name"` // A display name for the backend
|
2025-09-09 21:43:16 +02:00
|
|
|
|
|
|
|
|
IgnoredInterfaces []string `yaml:"ignored_interfaces"` // A list of interface names that should be ignored by this backend (e.g., "wg0")
|
2025-08-10 14:42:02 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GetDisplayName returns the display name of the backend.
|
|
|
|
|
// If no display name is set, it falls back to the ID.
|
|
|
|
|
func (b BackendBase) GetDisplayName() string {
|
|
|
|
|
if b.DisplayName == "" {
|
|
|
|
|
return b.Id // Fallback to ID if no display name is set
|
|
|
|
|
}
|
|
|
|
|
return b.DisplayName
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type BackendMikrotik struct {
|
|
|
|
|
BackendBase `yaml:",inline"` // Embed the base fields
|
|
|
|
|
|
|
|
|
|
ApiUrl string `yaml:"api_url"` // The base URL of the Mikrotik API (e.g., "https://10.10.10.10:8729/rest")
|
|
|
|
|
ApiUser string `yaml:"api_user"`
|
|
|
|
|
ApiPassword string `yaml:"api_password"`
|
|
|
|
|
ApiVerifyTls bool `yaml:"api_verify_tls"` // Whether to verify the TLS certificate of the Mikrotik API
|
|
|
|
|
ApiTimeout time.Duration `yaml:"api_timeout"` // Timeout for API requests (default: 30 seconds)
|
|
|
|
|
|
|
|
|
|
// Concurrency controls the maximum number of concurrent API requests that this backend will issue
|
|
|
|
|
// when enumerating interfaces and their details. If 0 or negative, a default of 5 is used.
|
|
|
|
|
Concurrency int `yaml:"concurrency"`
|
|
|
|
|
|
|
|
|
|
Debug bool `yaml:"debug"` // Enable debug logging for the Mikrotik backend
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GetConcurrency returns the configured concurrency for this backend or a sane default (5)
|
|
|
|
|
// when the configured value is zero or negative.
|
|
|
|
|
func (b *BackendMikrotik) GetConcurrency() int {
|
|
|
|
|
if b == nil {
|
|
|
|
|
return 5
|
|
|
|
|
}
|
|
|
|
|
if b.Concurrency <= 0 {
|
|
|
|
|
return 5
|
|
|
|
|
}
|
|
|
|
|
return b.Concurrency
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GetApiTimeout returns the configured API timeout or a sane default (30 seconds)
|
|
|
|
|
// when the configured value is zero or negative.
|
|
|
|
|
func (b *BackendMikrotik) GetApiTimeout() time.Duration {
|
|
|
|
|
if b == nil {
|
|
|
|
|
return 30 * time.Second
|
|
|
|
|
}
|
|
|
|
|
if b.ApiTimeout <= 0 {
|
|
|
|
|
return 30 * time.Second
|
|
|
|
|
}
|
|
|
|
|
return b.ApiTimeout
|
|
|
|
|
}
|
Add Pfsense backend (ALPHA) (#585)
* Add pfSense backend domain types and configuration
This adds the necessary domain types and configuration structures
for the pfSense backend support. Includes PfsenseInterfaceExtras and
PfsensePeerExtras structs, and the BackendPfsense configuration
with API URL, key, and timeout settings.
* Add low-level pfSense REST API client
Implements the HTTP client for interacting with the pfSense REST API.
Handles authentication via X-API-Key header, request/response parsing,
and error handling. Uses the pfSense REST API v2 endpoints as documented
at https://pfrest.org/.
* Implement pfSense WireGuard controller
This implements the InterfaceController interface for pfSense firewalls.
Handles WireGuard tunnel and peer management through the pfSense REST API.
Includes proper filtering of peers by interface (since API filtering doesn't
work) and parsing of the allowedips array structure with address/mask fields.
* Register pfSense controllers and update configuration
Registers the pfSense backend controllers in the controller manager
and adds example configuration to config.yml.sample. Also updates
README to mention pfSense backend support.
* Fix peer filtering and allowedips parsing for pfSense backend
The pfSense REST API doesn't support filtering peers by interface
via query parameters, so all peers are returned regardless of the
filter. This caused peers from all interfaces to be randomly assigned
to a single interface in wg-portal.
Additionally, the API returns allowedips as an array of objects with
"address" and "mask" fields instead of a comma-separated string,
which caused parsing failures.
Changes:
- Remove API filter from GetPeers() since it doesn't work
- Add client-side filtering by checking the "tun" field in peer responses
- Update convertWireGuardPeer() to parse allowedips array structure
- Add parseAddressArray() helper for parsing address objects
- Attempt to fetch interface addresses from /tunnel/{id}/address endpoint
(endpoint may not be available in all pfSense versions)
- Add debug logging for peer filtering and address loading operations
Note: Interface addresses may still be empty if the address endpoint
is not available. Public Endpoint and Default DNS Servers are typically
configured manually in wg-portal as the pfSense API doesn't provide
this information.
* Extract endpoint, DNS, and peer names from pfSense peer data
The pfSense API provides endpoint, port, and description (descr) fields
in peer responses that can be used to populate interface defaults and
peer display names.
Changes:
- Extract endpoint and port from peers and combine them properly
- Fix peer name/description extraction to check "descr" field first
(pfSense API uses "descr" instead of "description" or "comment")
- Add extractPfsenseDefaultsFromPeers() helper to extract common
endpoint and DNS from peers during interface import
- Set PeerDefEndpoint and PeerDefDnsStr from peer data for pfSense
backends during interface import
- Use most common endpoint/DNS values when multiple peers are present
* Fix interface display name to use descr field from pfSense API
The pfSense API uses "descr" field for tunnel descriptions, not
"description" or "comment". Updated convertWireGuardInterface()
to check "descr" first so that tunnel descriptions (e.g., "HQ VPN")
are displayed in the UI instead of just the tunnel name (e.g., "tun_wg0").
* Remove calls to non-working tunnel and peer detail endpoints
The pfSense REST API endpoints /api/v2/vpn/wireguard/tunnel/{id}
and /api/v2/vpn/wireguard/tunnel/{id}/address don't work and were
causing log spam. Removed these calls and use only the data from
the tunnel/peer list responses.
Also removed the peer detail endpoint call that was added for
statistics collection, as it likely doesn't work either.
* Fix unused variable compilation error
Removed unused deviceId variable that was causing build failure.
* Optimize tunnel address fetching to use /tunnel?id endpoint
Instead of using the separate /tunnel/address endpoint, now query
the specific tunnel endpoint /tunnel?id={id} which includes the
addresses array in the response. This avoids unnecessary API calls
and simplifies the code.
- GetInterface() now queries /tunnel?id={id} after getting tunnel ID
- loadInterfaceData() queries /tunnel?id={id} as fallback if addresses missing
- extractAddresses() properly parses addresses array from tunnel response
- Removed /tunnel/address endpoint calls
Signed-off-by: rwjack <jack@foss.family>
* Fix URL encoding issue in tunnel endpoint queries
Use Filters in PfsenseRequestOptions instead of passing query strings
directly in the path. This prevents the ? character from being encoded
as %3F, which was causing 404 errors.
- GetInterface() now uses Filters map for id parameter
- loadInterfaceData() now uses Filters map for id parameter
Signed-off-by: rwjack <jack@foss.family>
* update backend docs for pfsense
---------
Signed-off-by: rwjack <jack@foss.family>
2025-12-09 22:33:12 +01:00
|
|
|
|
|
|
|
|
type BackendPfsense struct {
|
|
|
|
|
BackendBase `yaml:",inline"` // Embed the base fields
|
|
|
|
|
|
|
|
|
|
ApiUrl string `yaml:"api_url"` // The base URL of the pfSense REST API (e.g., "https://pfsense.example.com/api/v2")
|
|
|
|
|
ApiKey string `yaml:"api_key"` // API key for authentication (generated in pfSense under 'System' -> 'REST API' -> 'Keys')
|
|
|
|
|
ApiVerifyTls bool `yaml:"api_verify_tls"` // Whether to verify the TLS certificate of the pfSense API
|
|
|
|
|
ApiTimeout time.Duration `yaml:"api_timeout"` // Timeout for API requests (default: 30 seconds)
|
|
|
|
|
|
|
|
|
|
// Concurrency controls the maximum number of concurrent API requests that this backend will issue
|
|
|
|
|
// when enumerating interfaces and their details. If 0 or negative, a default of 5 is used.
|
|
|
|
|
Concurrency int `yaml:"concurrency"`
|
|
|
|
|
|
|
|
|
|
Debug bool `yaml:"debug"` // Enable debug logging for the pfSense backend
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GetConcurrency returns the configured concurrency for this backend or a sane default (5)
|
|
|
|
|
// when the configured value is zero or negative.
|
|
|
|
|
func (b *BackendPfsense) GetConcurrency() int {
|
|
|
|
|
if b == nil {
|
|
|
|
|
return 5
|
|
|
|
|
}
|
|
|
|
|
if b.Concurrency <= 0 {
|
|
|
|
|
return 5
|
|
|
|
|
}
|
|
|
|
|
return b.Concurrency
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GetApiTimeout returns the configured API timeout or a sane default (30 seconds)
|
|
|
|
|
// when the configured value is zero or negative.
|
|
|
|
|
func (b *BackendPfsense) GetApiTimeout() time.Duration {
|
|
|
|
|
if b == nil {
|
|
|
|
|
return 30 * time.Second
|
|
|
|
|
}
|
|
|
|
|
if b.ApiTimeout <= 0 {
|
|
|
|
|
return 30 * time.Second
|
|
|
|
|
}
|
|
|
|
|
return b.ApiTimeout
|
|
|
|
|
}
|