core195: Ship WireGuard

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'ms/wg' into next

firewall: Add support for WireGuard peers to groups

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core195: Ship functions.pl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

functions.pl: Fix Bug13842 - Add resolvedeps to pakfire Usage:.

- Add 'resolvedeps' command to pakfire 'Usage:'.

 - Break long lines in 'Usage:' so that they don't wrap.

 - Minor text and punctuation changes.

Signed-off-by: Stephen Cuka <stephen@firemypi.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall: Actually create WireGuard rules

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard-functions.pl: Return subnets as an array reference

I don't know why, but otherwise Perl will try to expand everything
everywhere all of the time.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall-lib.pl: Fix whitespace issues

No functional changes.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard-functions.pl: Return a hash reference instead of a hash when loading a peer

Perl is so absolutely fucking broken and dealing with hashes is such a
massive pain in the rear. I don't want to see this any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall.cgi: Use "peer" for the WireGuard "hosts"

We don't distinguish between N2N and RW and therefore we should not use
the term "hosts" here.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall.cgi: Highlight any deleted WireGuard peers

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall.cgi: Highlight WireGuard rules in the correct colour

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Run "./make.sh lang"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall.cgi: Add dropdown to add WireGuard peers to a firewall rule

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Build wireguard-tools later

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Remove function to show configuration

This code is no longer re-used

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard-functions.pl: Actually generate all configuration types

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: It is no longer possible to download the configuration again

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Merge both functions to generate a peer configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard-functions.pl: Unify fetching the endpoint

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Redirect back to the right place on error

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Bring back the warning about showing config only once

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: No longer store the private keys for RW peers

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Send the N2N peer configuration to the client

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Change generate_peer_configuration to only generate RW stuff

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Don't offer to download the configuration for N2N

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Create a new simplified dialogue to create a new N2N connection

The former process was very complicated and required that many settings
were copied across both sides. It seems to be much more elegant to
generate a new connection in one place and import it on the other side.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard: Accept FQDNs as endpoints

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard: Install wg-dynamic

This is a script that checks if we are connected with the correct peer.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard: Transparently replace 0.0.0.0/0 with 0.0.0.0/1 and 128.0.0.0/1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard-functions.pl: Fix Perl syntax issue

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Fix connection status for RW connections

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Make it clear what peer is being edited

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Suggest a PSK for new N2N peers

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Show our own public key when creating N2N peers

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Don't show the public key

There is very little use now since we don't use this key for N2N
connections any more. RW clients will have the public key in their
configuration files.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Fix fetching connection status with multiple interfaces

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard: Store the connection name as an alias

This way it is easier to find the correct interface on the console.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Allow to edit the port and automatically chose one

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Add controls to download configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Store the private key for RW peers, too

We have so much key material stored that it does not make much sense to
drop a bit of it when it makes life so much harder.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard: Implement creating an extra interface per N2N peer

When importing a configuration, we will receive a new private key which
we cannot apply to the original interface. Therefore we need to create a
new one for each peer. RW peers will remain on wg0 which will always
exist.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard-functions.pl: Store networks in CIDR notation only

wg(8) does not accept anything else.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Implement a way to import a connection

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Rename function to check keys

This function can check all types of keys and not only the public key.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard-functions.pl: Don't send DNS configuration to n2n peers

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Rename "generate_client_configuration" to "generate_peer_configuration"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Normalize filenames

This is because Windows clients won't import any configurations that
have spaces in the filename. Therefore we replace it and remove anything
else unwanted on the way.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard: Select the correct source IP address for N2N peers

This is so that the firewall chooses the correct IP address when trying
to establish connections to the remote networks.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

misc-progs: Fix compiling wireguardctrl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Allow to configure a custom endpoint

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Permit empty client pool

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall: Add WireGuard RW to the UI

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard: Move functions into their own file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall: Allow WG traffic when the firewall is in permissive mode

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Only show the location if we have something

Otherwise the text won't be centered in the box which looks a little bit
wrong.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

services.cgi: Don't always try expand the status column unless asked

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Remove the large box to warn people that the configuration will only be shown once

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Add a button to return after creating a new connection

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

AQM: Ignore WireGuard interfaces

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

web UI: Add a menu entry

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

misc-progs: Update rootfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Don't allow creating RW connections if there is no address space

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Don't show an empty table if there are no peers

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard: Install empty configuration files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall: Fix typo in "iptables"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Rename local subnets to allowed subnets

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

misc-progs: Add wireguardctrl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard-tools: New package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard: Block unauthorized traffic

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard: Rename routes to remote subnets

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

lang: Add translation for "remarks"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Implement toggle enable/disable peers

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Make the client configuration downloadable

I believe this is much better than copy & paste.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Implement DNS configuration for clients

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Correctly compose the FQDN

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

general-functions.pl: Always load the main settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Call start instead of reload

I didn't implement reload in the helper.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Dynamically allocate a pool address for clients

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Ensure that AllowedIPs are in CIDR format

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard: Route the client pool

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Show a QR code that contains the client configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Show client configuration after creating a client

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Check if the client pool is in use and prevent editing

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Add client pool config option

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Implement creating host-to-net connections

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Move creating private keys into a separate function

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Rename editor to edit-net

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Fix typo of %checked

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Fix disabling the service

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Allow the endpoint to be empty

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Fix saving empty PSKs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Implement option to configure keepalive

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Group keys together

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Implement helper functions to read/write subnets

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard: Implement optional PSK for post-quantum stuff

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Implement deleting peers

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Check for duplicate names

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Add helper functions to encode/decode remarks

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard.cgi: Implement launching the editor for editing a connection

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>