bugfix: prevent same PSK for all peers
parent
8fd1114f01
commit
882643185b
@ -179,11 +179,15 @@ func (conf DsnetConfig) GetWgPeerConfigs() []wgtypes.PeerConfig {
|
|||||||
wgPeers := make([]wgtypes.PeerConfig, 0, len(conf.Peers))
|
wgPeers := make([]wgtypes.PeerConfig, 0, len(conf.Peers))
|
||||||
|
|
||||||
for _, peer := range conf.Peers {
|
for _, peer := range conf.Peers {
|
||||||
|
// create a new PSK in memory to avoid passing the same value by
|
||||||
|
// pointer to each peer (d'oh)
|
||||||
|
presharedKey := peer.PresharedKey.Key
|
||||||
|
|
||||||
wgPeers = append(wgPeers, wgtypes.PeerConfig{
|
wgPeers = append(wgPeers, wgtypes.PeerConfig{
|
||||||
PublicKey: peer.PublicKey.Key,
|
PublicKey: peer.PublicKey.Key,
|
||||||
Remove: false,
|
Remove: false,
|
||||||
UpdateOnly: false,
|
UpdateOnly: false,
|
||||||
PresharedKey: &peer.PresharedKey.Key,
|
PresharedKey: &presharedKey,
|
||||||
Endpoint: nil,
|
Endpoint: nil,
|
||||||
ReplaceAllowedIPs: true,
|
ReplaceAllowedIPs: true,
|
||||||
AllowedIPs: []net.IPNet{
|
AllowedIPs: []net.IPNet{
|
||||||
|
39
sync.go
39
sync.go
@ -12,48 +12,19 @@ func Sync() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func ConfigureDevice(conf *DsnetConfig) {
|
func ConfigureDevice(conf *DsnetConfig) {
|
||||||
wg, err := wgctrl.New()
|
|
||||||
check(err)
|
|
||||||
defer wg.Close()
|
|
||||||
|
|
||||||
dev, err := wg.Device(conf.InterfaceName)
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
ExitFail("Could not retrieve device '%s' (%v)", conf.InterfaceName, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
peers := conf.GetWgPeerConfigs()
|
peers := conf.GetWgPeerConfigs()
|
||||||
|
|
||||||
// compare peers to see if any exist on the device and not the config. If
|
|
||||||
// so, they should be removed by appending a dummy peer with Remove:true + pubkey.
|
|
||||||
knownKeys := make(map[wgtypes.Key]bool)
|
|
||||||
|
|
||||||
for _, peer := range peers {
|
|
||||||
knownKeys[peer.PublicKey] = true
|
|
||||||
}
|
|
||||||
|
|
||||||
// find deleted peers, and append dummy "remove" peers
|
|
||||||
for _, peer := range dev.Peers {
|
|
||||||
if !knownKeys[peer.PublicKey] {
|
|
||||||
peers = append(peers, wgtypes.PeerConfig{
|
|
||||||
PublicKey: peer.PublicKey,
|
|
||||||
Remove: true,
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
wgConfig := wgtypes.Config{
|
wgConfig := wgtypes.Config{
|
||||||
PrivateKey: &conf.PrivateKey.Key,
|
PrivateKey: &conf.PrivateKey.Key,
|
||||||
ListenPort: &conf.ListenPort,
|
ListenPort: &conf.ListenPort,
|
||||||
// ReplacePeers with the same peers results in those peers losing
|
ReplacePeers: true,
|
||||||
// connection, so it's not possible to do declarative configuration
|
|
||||||
// idempotently with ReplacePeers like I had assumed. Instead, peers
|
|
||||||
// must be removed imperatively with Remove:true. Peers can still be
|
|
||||||
// added/updated with ConfigureDevice declaratively.
|
|
||||||
ReplacePeers: false,
|
|
||||||
Peers: peers,
|
Peers: peers,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
wg, err := wgctrl.New()
|
||||||
|
check(err)
|
||||||
|
defer wg.Close()
|
||||||
|
|
||||||
err = wg.ConfigureDevice(conf.InterfaceName, wgConfig)
|
err = wg.ConfigureDevice(conf.InterfaceName, wgConfig)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
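Review bot: The reinstated `ReplacePeers: true` in the wgConfig literal drops the old comment's warning that replacing peers made them lose connection, without recording why that no longer applies, so a later reader may re-add the imperative `Remove: true` reconciliation this hunk deletes. If the connection loss was in fact caused by every peer being handed the same PresharedKey pointer (the GetWgPeerConfigs fix this commit is about), record it above the field: `// ReplacePeers makes conf authoritative: peers absent from conf are removed from the device. Earlier connection drops seen with this flag came from all peers sharing one PSK pointer, not from replacement itself.` Dropping the `wg.Device(conf.InterfaceName)` lookup also means a missing interface is now reported only through the ConfigureDevice error path rather than the former ExitFail message, which is acceptable if that branch still names the interface. The assignment and check could be joined as `if err = wg.ConfigureDevice(conf.InterfaceName, wgConfig); err != nil {`. ConfigureDevice's body continues past the end of the hunk.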