From b78ba3624f0a11c060ad06dbd65741b82684d93e Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 16 Apr 2024 16:17:59 +0200
Subject: [PATCH] wireguard: Add initscript

Signed-off-by: Michael Tremer
---
 config/rootfiles/common/aarch64/initscripts | 4 +
 config/rootfiles/common/riscv64/initscripts | 4 +
 config/rootfiles/common/x86_64/initscripts | 4 +
 lfs/initscripts | 3 +
 src/initscripts/system/wireguard | 137 ++++++++++++++++++++
 5 files changed, 152 insertions(+)
 create mode 100644 src/initscripts/system/wireguard

diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts
index cc7833a18..12898701a 100644
--- a/config/rootfiles/common/aarch64/initscripts
+++ b/config/rootfiles/common/aarch64/initscripts
@@ -92,6 +92,7 @@ etc/rc.d/init.d/udev_retry
 etc/rc.d/init.d/unbound
 etc/rc.d/init.d/vnstat
 etc/rc.d/init.d/waitdrives
+etc/rc.d/init.d/wireguard
 etc/rc.d/init.d/wlanclient
 #etc/rc.d/rc0.d
 etc/rc.d/rc0.d/K01grub-btrfsd
@@ -102,6 +103,7 @@ etc/rc.d/rc0.d/K30sshd
 etc/rc.d/rc0.d/K47setclock
 etc/rc.d/rc0.d/K49cyrus-sasl
 etc/rc.d/rc0.d/K51vnstat
+etc/rc.d/rc0.d/K70wireguard
 etc/rc.d/rc0.d/K77conntrackd
 etc/rc.d/rc0.d/K78suricata
 etc/rc.d/rc0.d/K79leds
@@ -133,6 +135,7 @@ etc/rc.d/rc3.d/S24cyrus-sasl
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
+etc/rc.d/rc3.d/S50wireguard
 etc/rc.d/rc3.d/S98rc.local
 etc/rc.d/rc3.d/S99grub-btrfsd
 #etc/rc.d/rc3.d/S99vdradmin
@@ -145,6 +148,7 @@ etc/rc.d/rc6.d/K30sshd
 etc/rc.d/rc6.d/K47setclock
 etc/rc.d/rc6.d/K49cyrus-sasl
 etc/rc.d/rc6.d/K51vnstat
+etc/rc.d/rc6.d/K70wireguard
 etc/rc.d/rc6.d/K77conntrackd
 etc/rc.d/rc6.d/K78suricata
 etc/rc.d/rc6.d/K79leds
diff --git a/config/rootfiles/common/riscv64/initscripts b/config/rootfiles/common/riscv64/initscripts
index 4ee77ba21..11cfaf2be 100644
--- a/config/rootfiles/common/riscv64/initscripts
+++ b/config/rootfiles/common/riscv64/initscripts
@@ -91,6 +91,7 @@ etc/rc.d/init.d/udev_retry
 etc/rc.d/init.d/unbound
 etc/rc.d/init.d/vnstat
 etc/rc.d/init.d/waitdrives
+etc/rc.d/init.d/wireguard
 etc/rc.d/init.d/wlanclient
 #etc/rc.d/rc0.d
 etc/rc.d/rc0.d/K01grub-btrfsd
@@ -101,6 +102,7 @@ etc/rc.d/rc0.d/K30sshd
 etc/rc.d/rc0.d/K47setclock
 etc/rc.d/rc0.d/K49cyrus-sasl
 etc/rc.d/rc0.d/K51vnstat
+etc/rc.d/rc0.d/K70wireguard
 etc/rc.d/rc0.d/K77conntrackd
 etc/rc.d/rc0.d/K78suricata
 etc/rc.d/rc0.d/K79leds
@@ -132,6 +134,7 @@ etc/rc.d/rc3.d/S24cyrus-sasl
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
+etc/rc.d/rc3.d/S50wireguard
 etc/rc.d/rc3.d/S98rc.local
 etc/rc.d/rc3.d/S99grub-btrfsd
 #etc/rc.d/rc3.d/S99vdradmin
@@ -144,6 +147,7 @@ etc/rc.d/rc6.d/K30sshd
 etc/rc.d/rc6.d/K47setclock
 etc/rc.d/rc6.d/K49cyrus-sasl
 etc/rc.d/rc6.d/K51vnstat
+etc/rc.d/rc6.d/K70wireguard
 etc/rc.d/rc6.d/K77conntrackd
 etc/rc.d/rc6.d/K78suricata
 etc/rc.d/rc6.d/K79leds
diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts
index 4ee77ba21..11cfaf2be 100644
--- a/config/rootfiles/common/x86_64/initscripts
+++ b/config/rootfiles/common/x86_64/initscripts
@@ -91,6 +91,7 @@ etc/rc.d/init.d/udev_retry
 etc/rc.d/init.d/unbound
 etc/rc.d/init.d/vnstat
 etc/rc.d/init.d/waitdrives
+etc/rc.d/init.d/wireguard
 etc/rc.d/init.d/wlanclient
 #etc/rc.d/rc0.d
 etc/rc.d/rc0.d/K01grub-btrfsd
@@ -101,6 +102,7 @@ etc/rc.d/rc0.d/K30sshd
 etc/rc.d/rc0.d/K47setclock
 etc/rc.d/rc0.d/K49cyrus-sasl
 etc/rc.d/rc0.d/K51vnstat
+etc/rc.d/rc0.d/K70wireguard
 etc/rc.d/rc0.d/K77conntrackd
 etc/rc.d/rc0.d/K78suricata
 etc/rc.d/rc0.d/K79leds
@@ -132,6 +134,7 @@ etc/rc.d/rc3.d/S24cyrus-sasl
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron
+etc/rc.d/rc3.d/S50wireguard
 etc/rc.d/rc3.d/S98rc.local
 etc/rc.d/rc3.d/S99grub-btrfsd
 #etc/rc.d/rc3.d/S99vdradmin
@@ -144,6 +147,7 @@ etc/rc.d/rc6.d/K30sshd
 etc/rc.d/rc6.d/K47setclock
 etc/rc.d/rc6.d/K49cyrus-sasl
 etc/rc.d/rc6.d/K51vnstat
+etc/rc.d/rc6.d/K70wireguard
 etc/rc.d/rc6.d/K77conntrackd
 etc/rc.d/rc6.d/K78suricata
 etc/rc.d/rc6.d/K79leds
diff --git a/lfs/initscripts b/lfs/initscripts
index 82e20bfa7..700e91244 100644
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -99,6 +99,7 @@ $(TARGET) :
 ln -sf ../init.d/setclock /etc/rc.d/rc0.d/K47setclock
 ln -sf ../init.d/cyrus-sasl /etc/rc.d/rc0.d/K49cyrus-sasl
 ln -sf ../init.d/vnstat /etc/rc.d/rc0.d/K51vnstat
+ ln -sf ../init.d/wireguard /etc/rc.d/rc0.d/K70wireguard
 ln -sf ../init.d/conntrackd /etc/rc.d/rc0.d/K77conntrackd
 ln -sf ../init.d/suricata /etc/rc.d/rc0.d/K78suricata
 ln -sf ../init.d/leds /etc/rc.d/rc0.d/K79leds
@@ -128,6 +129,7 @@ $(TARGET) :
 ln -sf ../init.d/sshd /etc/rc.d/rc3.d/S30sshd
 ln -sf ../init.d/apache /etc/rc.d/rc3.d/S32apache
 ln -sf ../init.d/fcron /etc/rc.d/rc3.d/S40fcron
+ ln -sf ../init.d/wireguard /etc/rc.d/rc3.d/S50wireguard
 ln -sf ../../sysconfig/rc.local /etc/rc.d/rc3.d/S98rc.local
 ln -sf ../init.d/grub-btrfsd /etc/rc.d/rc3.d/S99grub-btrfsd
 ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin
@@ -140,6 +142,7 @@ $(TARGET) :
 ln -sf ../init.d/setclock /etc/rc.d/rc6.d/K47setclock
 ln -sf ../init.d/cyrus-sasl /etc/rc.d/rc6.d/K49cyrus-sasl
 ln -sf ../init.d/vnstat /etc/rc.d/rc6.d/K51vnstat
+ ln -sf ../init.d/wireguard /etc/rc.d/rc6.d/K70wireguard
 ln -sf ../init.d/conntrackd /etc/rc.d/rc6.d/K77conntrackd
 ln -sf ../init.d/suricata /etc/rc.d/rc6.d/K78suricata
 ln -sf ../init.d/leds /etc/rc.d/rc6.d/K79leds
diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard
new file mode 100644
index 000000000..42428aee0
--- /dev/null
+++ b/src/initscripts/system/wireguard
@@ -0,0 +1,137 @@
+#!/bin/sh
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2024 Michael Tremer #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+. /etc/sysconfig/rc
+. ${rc_functions}
+
+INTF="wg0"
+
+eval $(/usr/local/bin/readhash /var/ipfire/wireguard/settings)
+
+generate_config() {
+ echo "[Interface]"
+ echo "PrivateKey = ${PRIVATE_KEY}"
+
+ # Optionally set the port
+ if [ -n "${PORT}" ]; then
+ echo "ListenPort = ${PORT}"
+ fi
+
+ local IFS=','
+
+ local id
+ local enabled
+ local type
+ local name
+ local pubkey
+ local endpoint
+ local port
+ local routes
+ local _rest
+
+ local route
+
+ # Flush all previously set routes
+ ip route flush dev "${INTF}"
+
+ while read -r id enabled type name pubkey endpoint port routes _rest; do
+ # Skip peers that are not enabled
+ [ "${enabled}" = "on" ] || continue
+
+ echo "[Peer]"
+ echo "PublicKey = ${pubkey}"
+
+ # Set endpoint
+ if [ -n "${endpoint}" ]; then
+ echo "Endpoint = ${endpoint}${port:+:}${port}"
+ fi
+
+ # Set routes
+ if [ -n "${routes}" ]; then
+ echo "AllowedIPs = ${routes//|/, }"
+
+ # Apply the routes
+ if [ "${type}" = "net" ]; then
+ for route in ${routes//|/,}; do
+ ip route add "${route}" dev "${INTF}"
+ done
+ fi
+ fi
+ done < /var/ipfire/wireguard/peers
+}
+
+wg_start() {
+ # Create the interface if it does not exist
+ if [ ! -d "/sys/class/net/${INTF}" ]; then
+ ip link add "${INTF}" type wireguard || return $?
+ fi
+
+ # Set up the interface
+ ip link set "${INTF}" up
+
+ # Set the MTU
+ if [ -n "${MTU}" ]; then
+ ip link set "${INTF}" mtu "${MTU}" || return $?
+ fi
+
+ # Load the configuration into the kernel
+ wg syncconf "${INTF}" <(generate_config) || return $?
+
+ return 0
+}
+
+wg_stop() {
+ if [ -d "/sys/class/net/${INTF}" ]; then
+ ip link del "${INTF}" || return $?
+ fi
+}
+
+case "${1}" in
+ start)
+ if [ "${ENABLED}" != "on" ]; then
+ exit 0
+ fi
+
+ boot_mesg "Starting WireGuard VPN..."
+ wg_start; evaluate_retval
+ ;;
+
+ stop)
+ boot_mesg "Stopping WireGuard VPN..."
+ wg_stop; evaluate_retval
+ ;;
+
+ reload)
+ boot_mesg "Reloading WireGuard VPN..."
+ wg_start; evaluate_retval
+ ;;
+
+ restart)
+ ${0} stop
+ sleep 1
+ ${0} start
+ ;;
+
+ *)
+ echo "Usage: ${0} {start|stop|reload|restart}"
+ exit 1
+ ;;
+esac
--
2.39.5
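Review bot: The `reload)` branch near the end of the hunk calls `wg_start` without looking at `ENABLED`, while `start)` exits early unless it is "on"; a reload issued after WireGuard has been switched off in `/var/ipfire/wireguard/settings` therefore keeps wg0 up (or creates it) with the private key and peers loaded instead of tearing it down. The branch should tear the tunnel down via `wg_stop` when `ENABLED` is not "on", as sketched below. Two smaller points: `wg syncconf "${INTF}" <(generate_config)` and `${routes//|/, }` are bash constructs under a `#!/bin/sh` shebang, which presumably only works because /bin/sh is bash on this system, and `ip link set "${INTF}" up` is the one command in `wg_start` whose failure is not propagated with `|| return $?`. Feeding the private key to `wg syncconf` through a process substitution rather than a temporary file is the right choice, since it never lands on disk.
```shell
	# … unchanged: start/stop branches …
	reload)
		# Settings say disabled: tear the tunnel down instead of re-syncing it
		if [ "${ENABLED}" != "on" ]; then
			boot_mesg "Stopping WireGuard VPN..."
			wg_stop; evaluate_retval
			exit 0
		fi

		boot_mesg "Reloading WireGuard VPN..."
		wg_start; evaluate_retval
		;;
```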