add asterisk to required fields, allow editing of device keys

fix default mtu handling
update raspi readme
2025-10-05 07:56:17 +00:00 · 2020-12-18 22:26:36 +01:00 · 2020-12-18 22:07:55 +01:00 · 2020-12-18 22:00:01 +01:00 · 2020-12-18 21:56:54 +01:00 · 2020-12-18 21:54:57 +01:00
13 changed files with 217 additions and 31 deletions
--- a/2
+++ b/2
@@ -37,7 +37,7 @@ RUN apt-get update && apt-get upgrade -y && \
        chmod +rx /usr/local/bin/goss && \
        goss --version

-COPY --from=builder /build/dist/wg-portal /app/wgportal
+COPY --from=builder /build/dist/wg-portal-amd64 /app/wgportal
 COPY --from=builder /build/dist/assets /app/assets
 COPY --from=builder /build/scripts /app/

--- a/README-RASPBERRYPI.md
+++ b/README-RASPBERRYPI.md
@@ -31,6 +31,8 @@ The compiled binary and all necessary assets will be located in the dist folder.
     - ExecStart
     - EnvironmentFile
   - Update environment variables in the `wg-portal.env` file to fit your needs
+ - Make sure that the binary application file is executable
+   - `sudo chmod +x /opt/wg-portal/wg-portal-*`
 - Link the system service file to the correct folder:
   - `sudo ln -s /opt/wg-portal/wg-portal.service /etc/systemd/system/wg-portal.service`
 - Reload the systemctl daemon:
--- a/README.md
+++ b/README.md
@@ -85,7 +85,7 @@ A detailed description for using this software with a raspberry pi can be found
 ## What is out of scope

 * Generation or application of any `iptables` or `nftables` rules
- * Setting up or changing IP-addresses of the WireGuard interface
+ * Setting up or changing IP-addresses of the WireGuard interface on operating systems other than linux
 
 ## Application stack

--- a/assets/css/custom.css
+++ b/assets/css/custom.css
@@ -65,4 +65,9 @@ pre{background:#f7f7f9}iframe{overflow:hidden;border:none}@media (min-width: 768
    background-color: #f7f7f9;
    margin: -4px 5px 5px 0;
    height: 22px;
+}
+
+.form-group.required label:after {
+    content:"*";
+    color:red;
 }
--- a/assets/tpl/admin_create_clients.html
+++ b/assets/tpl/admin_create_clients.html
@@ -21,13 +21,13 @@
        {{template "prt_flashes.html" .}}
        <form method="post" enctype="multipart/form-data">
            <div class="form-row">
-                <div class="form-group col-md-12">
+                <div class="form-group required col-md-12">
                    <label for="inputEmail">Email Addresses</label>
                    <input type="text" name="email" class="form-control" id="inputEmail" value="{{.FormData.Emails}}">
                </div>
            </div>
            <div class="form-row">
-                <div class="form-group col-md-12">
+                <div class="form-group required col-md-12">
                    <label for="inputIdentifier">Client Friendly Name (will be added as suffix to the name of the user)</label>
                    <input type="text" name="identifier" class="form-control" id="inputIdentifier" value="{{.FormData.Identifier}}">
                </div>
--- a/assets/tpl/admin_edit_client.html
+++ b/assets/tpl/admin_edit_client.html
@@ -31,7 +31,7 @@
                    </div>
                </div>
                <div class="form-row">
-                    <div class="form-group col-md-12">
+                    <div class="form-group required col-md-12">
                        <label for="inputServerPublicKey">Public Key</label>
                        <input type="text" name="pubkey" class="form-control" id="inputServerPublicKey" value="{{.Peer.PublicKey}}">
                    </div>
@@ -53,25 +53,25 @@
                </div>
            {{end}}
            <div class="form-row">
-                <div class="form-group col-md-12">
+                <div class="form-group required col-md-12">
                    <label for="inputIdentifier">Client Friendly Name</label>
                    <input type="text" name="identifier" class="form-control" id="inputIdentifier" value="{{.Peer.Identifier}}">
                </div>
            </div>
            <div class="form-row">
-                <div class="form-group col-md-12">
+                <div class="form-group required col-md-12">
                    <label for="inputEmail">Client Email Address</label>
                    <input type="email" name="mail" class="form-control" id="inputEmail" value="{{.Peer.Email}}">
                </div>
            </div>
            <div class="form-row">
-                <div class="form-group col-md-12">
+                <div class="form-group required col-md-12">
                    <label for="inputIP">Client IP Address</label>
                    <input type="text" name="ip" class="form-control" id="inputIP" value="{{.Peer.IPsStr}}">
                </div>
            </div>
            <div class="form-row">
-                <div class="form-group col-md-12">
+                <div class="form-group required col-md-12">
                    <label for="inputAllowedIP">Allowed IPs</label>
                    <input type="text" name="allowedip" class="form-control" id="inputAllowedIP" value="{{.Peer.AllowedIPsStr}}">
                </div>
--- a/assets/tpl/admin_edit_interface.html
+++ b/assets/tpl/admin_edit_interface.html
@@ -18,27 +18,42 @@

        <form method="post" enctype="multipart/form-data">
            <input type="hidden" name="device" value="{{.Device.DeviceName}}">
-            <input type="hidden" name="privkey" value="{{.Device.PrivateKey}}">
            <h3>Server's interface configuration</h3>
+            {{if .EditableKeys}}
+            <div class="form-row">
+                <div class="form-group required col-md-12">
+                    <label for="inputServerPrivateKey">Private Key</label>
+                    <input type="text" name="privkey" class="form-control" id="inputServerPrivateKey" value="{{.Device.PrivateKey}}">
+                </div>
+            </div>
+            <div class="form-row">
+                <div class="form-group required col-md-12">
+                    <label for="inputServerPublicKey">Public Key</label>
+                    <input type="text" name="pubkey" class="form-control" id="inputServerPublicKey" value="{{.Device.PublicKey}}">
+                </div>
+            </div>
+            {{else}}
+            <input type="hidden" name="privkey" value="{{.Device.PrivateKey}}">
            <div class="form-row">
                <div class="form-group col-md-12">
                    <label for="inputServerPublicKey">Public Key</label>
                    <input type="text" name="pubkey" readonly class="form-control" id="inputServerPublicKey" value="{{.Device.PublicKey}}">
                </div>
            </div>
+            {{end}}
            <div class="form-row">
-                <div class="form-group col-md-6">
+                <div class="form-group required col-md-6">
                    <label for="inputListenPort">Listen port</label>
                    <input type="number" name="port" class="form-control" id="inputListenPort" placeholder="51820" value="{{.Device.ListenPort}}">
                </div>
-                <div class="form-group col-md-6">
+                <div class="form-group required col-md-6">
                    <label for="inputIPs">Server IP address</label>
                    <input type="text" name="ip" class="form-control" id="inputIPs" placeholder="10.6.6.1/24" value="{{.Device.IPsStr}}">
                </div>
            </div>
            <h3>Client's global configuration</h3>
            <div class="form-row">
-                <div class="form-group col-md-12">
+                <div class="form-group required col-md-12">
                    <label for="inputPublicEndpoint">Public Enpoint for Clients</label>
                    <input type="text" name="endpoint" class="form-control" id="inputPublicEndpoint" placeholder="vpn.company.com:51820" value="{{.Device.Endpoint}}">
                </div>
--- a/go.mod
+++ b/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/gorilla/sessions v1.2.1 // indirect
 	github.com/jordan-wright/email v4.0.1-0.20200917010138-e1c00e156980+incompatible
 	github.com/kelseyhightower/envconfig v1.4.0
+	github.com/milosgajdos/tenus v0.0.3
 	github.com/sirupsen/logrus v1.7.0
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/tatsushid/go-fastping v0.0.0-20160109021039-d7bb493dee3e
--- a/internal/common/configuration.go
+++ b/internal/common/configuration.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"os"
 	"reflect"
+	"runtime"

 	"github.com/h44z/wg-portal/internal/wireguard"

@@ -91,6 +92,7 @@ func NewConfig() *Config {
 	cfg.LDAP.BindPass = "SuperSecret"
 	cfg.WG.DeviceName = "wg0"
 	cfg.WG.WireGuardConfig = "/etc/wireguard/wg0.conf"
+	cfg.WG.ManageIPAddresses = true
 	cfg.AdminLdapGroup = "CN=WireGuardAdmins,OU=_O_IT,DC=COMPANY,DC=LOCAL"
 	cfg.Email.Host = "127.0.0.1"
 	cfg.Email.Port = 25
@@ -109,5 +111,10 @@ func NewConfig() *Config {
 		log.Warnf("unable to load environment config: %v", err)
 	}

+	if cfg.WG.ManageIPAddresses && runtime.GOOS != "linux" {
+		log.Warnf("Managing IP addresses only works on linux! Feature disabled.")
+		cfg.WG.ManageIPAddresses = false
+	}
+
 	return cfg
 }
--- a/internal/server/handlers_interface.go
+++ b/internal/server/handlers_interface.go
@@ -19,19 +19,21 @@ func (s *Server) GetAdminEditInterface(c *gin.Context) {
 	}

 	c.HTML(http.StatusOK, "admin_edit_interface.html", struct {
-		Route   string
-		Alerts  []FlashData
-		Session SessionData
-		Static  StaticData
-		Peers   []User
-		Device  Device
+		Route        string
+		Alerts       []FlashData
+		Session      SessionData
+		Static       StaticData
+		Peers        []User
+		Device       Device
+		EditableKeys bool
 	}{
-		Route:   c.Request.URL.Path,
-		Alerts:  s.getFlashes(c),
-		Session: currentSession,
-		Static:  s.getStaticData(),
-		Peers:   users,
-		Device:  currentSession.FormData.(Device),
+		Route:        c.Request.URL.Path,
+		Alerts:       s.getFlashes(c),
+		Session:      currentSession,
+		Static:       s.getStaticData(),
+		Peers:        users,
+		Device:       currentSession.FormData.(Device),
+		EditableKeys: s.config.Core.EditableKeys,
 	})
 }

@@ -82,8 +84,24 @@ func (s *Server) PostAdminEditInterface(c *gin.Context) {
 		return
 	}

+	// Update interface IP address
+	if s.config.WG.ManageIPAddresses {
+		if err := s.wg.SetIPAddress(formDevice.IPs); err != nil {
+			_ = s.updateFormInSession(c, formDevice)
+			s.setFlashMessage(c, "Failed to update ip address: "+err.Error(), "danger")
+			c.Redirect(http.StatusSeeOther, "/admin/device/edit?formerr=update")
+		}
+		if err := s.wg.SetMTU(formDevice.Mtu); err != nil {
+			_ = s.updateFormInSession(c, formDevice)
+			s.setFlashMessage(c, "Failed to update MTU: "+err.Error(), "danger")
+			c.Redirect(http.StatusSeeOther, "/admin/device/edit?formerr=update")
+		}
+	}
+
 	s.setFlashMessage(c, "Changes applied successfully!", "success")
-	s.setFlashMessage(c, "WireGuard must be restarted to apply ip changes.", "warning")
+	if !s.config.WG.ManageIPAddresses {
+		s.setFlashMessage(c, "WireGuard must be restarted to apply ip changes.", "warning")
+	}
 	c.Redirect(http.StatusSeeOther, "/admin/device/edit")
 }

--- a/internal/server/usermanager.go
+++ b/internal/server/usermanager.go
@@ -202,7 +202,7 @@ type Device struct {
 	Interface *wgtypes.Device `gorm:"-"`

 	DeviceName          string   `form:"device" gorm:"primaryKey" binding:"required,alphanum"`
-	PrivateKey          string   `form:"privkey" binding:"base64"`
+	PrivateKey          string   `form:"privkey" binding:"required,base64"`
 	PublicKey           string   `form:"pubkey" binding:"required,base64"`
 	PersistentKeepalive int      `form:"keepalive" binding:"gte=0"`
 	ListenPort          int      `form:"port" binding:"required,gt=0"`
@@ -319,6 +319,18 @@ func (u *UserManager) InitFromCurrentInterface() error {
 		log.Errorf("failed to init user-manager from device: %v", err)
 		return err
 	}
+	var ipAddresses []string
+	var mtu int
+	if u.wg.Cfg.ManageIPAddresses {
+		if ipAddresses, err = u.wg.GetIPAddress(); err != nil {
+			log.Errorf("failed to init user-manager from device: %v", err)
+			return err
+		}
+		if mtu, err = u.wg.GetMTU(); err != nil {
+			log.Errorf("failed to init user-manager from device: %v", err)
+			return err
+		}
+	}

 	// Check if entries already exist in database, if not create them
 	for _, peer := range peers {
@@ -326,7 +338,7 @@ func (u *UserManager) InitFromCurrentInterface() error {
 			return err
 		}
 	}
-	if err := u.validateOrCreateDevice(*device); err != nil {
+	if err := u.validateOrCreateDevice(*device, ipAddresses, mtu); err != nil {
 		return err
 	}

@@ -366,7 +378,7 @@ func (u *UserManager) validateOrCreateUserForPeer(peer wgtypes.Peer) error {
 	return nil
 }

-func (u *UserManager) validateOrCreateDevice(dev wgtypes.Device) error {
+func (u *UserManager) validateOrCreateDevice(dev wgtypes.Device, ipAddresses []string, mtu int) error {
 	device := Device{}
 	u.db.Where("device_name = ?", dev.Name).FirstOrInit(&device)

@@ -377,6 +389,11 @@ func (u *UserManager) validateOrCreateDevice(dev wgtypes.Device) error {
 		device.ListenPort = dev.ListenPort
 		device.Mtu = 0
 		device.PersistentKeepalive = 16 // Default
+		device.IPsStr = strings.Join(ipAddresses, ", ")
+		if mtu == wireguard.WireGuardDefaultMTU {
+			mtu = 0
+		}
+		device.Mtu = mtu

 		res := u.db.Create(&device)
 		if res.Error != nil {
--- a/internal/wireguard/config.go
+++ b/internal/wireguard/config.go
@@ -1,6 +1,7 @@
 package wireguard

 type Config struct {
-	DeviceName      string `yaml:"device" envconfig:"WG_DEVICE"`
-	WireGuardConfig string `yaml:"configFile" envconfig:"WG_CONFIG_FILE"` // optional, if set, updates will be written to this file
+	DeviceName        string `yaml:"device" envconfig:"WG_DEVICE"`
+	WireGuardConfig   string `yaml:"configFile" envconfig:"WG_CONFIG_FILE"`    // optional, if set, updates will be written to this file
+	ManageIPAddresses bool   `yaml:"manageIPAddresses" envconfig:"MANAGE_IPS"` // handle ip-address setup of interface
 }
--- a/internal/wireguard/net.go
+++ b/internal/wireguard/net.go
@@ -0,0 +1,120 @@
+package wireguard
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/milosgajdos/tenus"
+)
+
+const WireGuardDefaultMTU = 1420
+
+func (m *Manager) GetIPAddress() ([]string, error) {
+	wgInterface, err := tenus.NewLinkFrom(m.Cfg.DeviceName)
+	if err != nil {
+		return nil, fmt.Errorf("could not retrieve WireGuard interface %s: %w", m.Cfg.DeviceName, err)
+	}
+
+	// Get golang net.interface
+	iface := wgInterface.NetInterface()
+	if iface == nil { // Not sure if this check is really necessary
+		return nil, fmt.Errorf("could not retrieve WireGuard net.interface: %w", err)
+	}
+
+	addrs, err := iface.Addrs()
+	if err != nil {
+		return nil, fmt.Errorf("could not retrieve WireGuard ip addresses: %w", err)
+	}
+
+	ipAddresses := make([]string, 0, len(addrs))
+	for _, addr := range addrs {
+		var ip net.IP
+		var mask net.IPMask
+		switch v := addr.(type) {
+		case *net.IPNet:
+			ip = v.IP
+			mask = v.Mask
+		case *net.IPAddr:
+			ip = v.IP
+			mask = ip.DefaultMask()
+		}
+		if ip == nil {
+			continue // something is wrong?
+		}
+
+		maskSize, _ := mask.Size()
+		cidr := fmt.Sprintf("%s/%d", ip.String(), maskSize)
+		ipAddresses = append(ipAddresses, cidr)
+	}
+
+	return ipAddresses, nil
+}
+
+func (m *Manager) SetIPAddress(cidrs []string) error {
+	wgInterface, err := tenus.NewLinkFrom(m.Cfg.DeviceName)
+	if err != nil {
+		return fmt.Errorf("could not retrieve WireGuard interface %s: %w", m.Cfg.DeviceName, err)
+	}
+
+	// First remove existing IP addresses
+	existingIPs, err := m.GetIPAddress()
+	if err != nil {
+		return err
+	}
+	for _, cidr := range existingIPs {
+		wgIp, wgIpNet, err := net.ParseCIDR(cidr)
+		if err != nil {
+			return fmt.Errorf("unable to parse cidr %s: %w", cidr, err)
+		}
+
+		if err := wgInterface.UnsetLinkIp(wgIp, wgIpNet); err != nil {
+			return fmt.Errorf("failed to unset ip %s: %w", cidr, err)
+		}
+	}
+
+	// Next set new IP adrresses
+	for _, cidr := range cidrs {
+		wgIp, wgIpNet, err := net.ParseCIDR(cidr)
+		if err != nil {
+			return fmt.Errorf("unable to parse cidr %s: %w", cidr, err)
+		}
+
+		if err := wgInterface.SetLinkIp(wgIp, wgIpNet); err != nil {
+			return fmt.Errorf("failed to set ip %s: %w", cidr, err)
+		}
+	}
+
+	return nil
+}
+
+func (m *Manager) GetMTU() (int, error) {
+	wgInterface, err := tenus.NewLinkFrom(m.Cfg.DeviceName)
+	if err != nil {
+		return 0, fmt.Errorf("could not retrieve WireGuard interface %s: %w", m.Cfg.DeviceName, err)
+	}
+
+	// Get golang net.interface
+	iface := wgInterface.NetInterface()
+	if iface == nil { // Not sure if this check is really necessary
+		return 0, fmt.Errorf("could not retrieve WireGuard net.interface: %w", err)
+	}
+
+	return iface.MTU, nil
+}
+
+func (m *Manager) SetMTU(mtu int) error {
+	wgInterface, err := tenus.NewLinkFrom(m.Cfg.DeviceName)
+	if err != nil {
+		return fmt.Errorf("could not retrieve WireGuard interface %s: %w", m.Cfg.DeviceName, err)
+	}
+
+	if mtu == 0 {
+		mtu = WireGuardDefaultMTU
+	}
+
+	if err := wgInterface.SetLinkMTU(mtu); err != nil {
+		return fmt.Errorf("could not set MTU on interface %s: %w", m.Cfg.DeviceName, err)
+	}
+
+	return nil
+}
Author	SHA1	Message	Date
Christoph Haas	d978fd560d	add asterisk to required fields, allow editing of device keys	2020-12-18 22:26:36 +01:00
Christoph Haas	ec60dd136a	fix default mtu handling	2020-12-18 22:07:55 +01:00
Christoph Haas	6fd4089766	update raspi readme	2020-12-18 22:00:01 +01:00
Christoph Haas	4dd7f7b14b	fix Dockerfile	2020-12-18 21:56:54 +01:00
Christoph Haas	10defaa2ba	ip and mtu updates (linux only)	2020-12-18 21:54:57 +01:00