def create_new_wg_conf(): server_ip = (ipaddress.IPv4Network(wg_subnet).network_address + 1).__str__() server_private_key = wgexec.generate_privatekey() wg_conf = wgconfig.WGConfig('wg0') wg_conf.add_attr(None, 'PrivateKey', server_private_key) wg_conf.add_attr( None, 'Address', server_ip + "/" + str(ipaddress.IPv4Network(wg_subnet).prefixlen)) wg_conf.add_attr(None, 'ListenPort', wg_listen_port) # Construct internal dns server address vpc_dns_address = (ipaddress.IPv4Network('10.11.0.0/16').network_address + 2).__str__() # Following section needed to use internal AWS DNS, # this enable access to AWS resources by the names which doesn't have external resolution/IP wg_conf.add_attr( None, 'PostUp', 'iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; ' 'iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE; ' 'iptables -A PREROUTING -t nat -i %i -p udp --dport 53 -j DNAT --to-destination {0}; ' 'iptables -A PREROUTING -t nat -i %i -p tcp --dport 53 -j DNAT --to-destination {0}' .format(vpc_dns_address)) wg_conf.add_attr( None, 'PostDown', 'iptables -D FORWARD -i %.i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; ' 'iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE; ' 'iptables -D PREROUTING -t nat -i %i -p udp --dport 53 -j DNAT --to-destination {0}; ' 'iptables -D PREROUTING -t nat -i %i -p tcp --dport 53 -j DNAT --to-destination {0}' .format(vpc_dns_address)) return wg_conf
def setup_testconfig1(scope='module'): import wgconfig wc = wgconfig.WGConfig(file=TESTFILE1) wc.read_file() yield wc with contextlib.suppress(FileNotFoundError): os.unlink(TESTFILE1_SAVED)
def setup_testconfig1(scope='module'): import wgconfig wc = wgconfig.WGConfig(file=TESTFILE1) wc.read_file() yield wc #with contextlib.suppress(FileNotFoundError): # not used due to availability in newer Python versions only if os.path.exists(TESTFILE1_SAVED): os.unlink(TESTFILE1_SAVED)
def __init__(self, wg_interface): """Object initialization""" self.wg_interface = wg_interface self._wg_public = None self.wgconfig = wgconfig.WGConfig(self.wg_interface) try: self.wgconfig.read_file() except FileNotFoundError: self.ensure_configuration()
def read_wg_config(): wg_ssm_config = get_ssm_attrs(wg_config_ssm_path) if wg_ssm_config is not None: wc = wgconfig.WGConfig('wg0') wc.lines = wg_ssm_config wc.parse_lines() return wc else: # wg config not found, let create it return None
def add_users(iam_users, ssm_users, users2add, wg_conf): remaining_users = set(ssm_users).intersection(iam_users) available_ips = free_ip(remaining_users) print("Number of available IPs:{}".format(len(available_ips))) if len(available_ips) > 0: for user in users2add: private_key = wgexec.generate_privatekey() address = available_ips.pop() server_public_key = wgexec.get_publickey( wg_conf.interface['PrivateKey']) user_conf = { "address": address.__str__(), "private_key": private_key, "public_key": wgexec.get_publickey(private_key) } wg_conf_user = wgconfig.WGConfig(user) wg_conf_user.add_attr(None, 'PrivateKey', private_key) wg_conf_user.add_attr(None, 'Address', address.__str__() + "/32") wg_conf_user.add_attr( None, 'DNS', (ipaddress.IPv4Network(wg_subnet).network_address + 1).__str__()) wg_conf_user.add_peer(server_public_key) wg_conf_user.add_attr(server_public_key, 'AllowedIPs', "0.0.0.0/0") wg_conf_user.add_attr(server_public_key, 'Endpoint', str(wg_public_ip) + ":" + wg_listen_port) user_conf["ClientConf"] = "{}".format("\n".join( wg_conf_user.lines)) new_ssm_param = aws_ssm.put_parameter( Name=user_ssm_prefix + "/" + user, Description='Wireguard peer conf for user:{}'.format(user), Value=json.dumps(user_conf), Type='SecureString', Overwrite=True, Tier='Standard', DataType='text') if wg_is_send_client_conf: payload = { "user": user, "client_config": user_conf["ClientConf"] } try: aws_lambda.invoke( FunctionName=wg_send_lambda_name, InvocationType='Event', LogType='None', Payload=json.dumps(payload), ) except Exception as e: print("Can't invoke {} lambda function".format( wg_send_lambda_name)) else: return False return True
AllowedIPs = 0.0.0.0/0 Endpoint = {{ endpoint }} PersistentKeepalive = 15 """) return config.render(private=private, public=public, server_public=server_public, endpoint=endpoint, address=address) if __name__ == "__main__": ### Gather user input endpoint_port = sys.argv[1] wireguard_path = sys.argv[2] wireguard_interface = sys.argv[3] wireguard_cidr = sys.argv[4] user_name = sys.argv[5] ### Process information private, public = wgexec.generate_keypair() server_public = open(wireguard_path + "/pubkey", "r").read().strip("\n") wc_server = wgconfig.WGConfig(wireguard_interface) wc_server.read_file() latest_ip = get_latest_available_ip(wc_server, wireguard_cidr) ### Adjust server config wc_server.add_peer(public, '#{}'.format(user_name)) wc_server.add_attr(public, 'AllowedIPs', latest_ip, append_as_line=True) wc_server.write_file() ### Generate client config with open(wireguard_path + "/keys/" + user_name + ".conf", "w") as f: client = generate_client_conf(private, public, server_public, endpoint_port, latest_ip) f.write(client)