e782db30e9
This introduces PostUp and PostDown in dsnet. PostUp and PostDown allow
the user to run arbitrary commands after the device is up or down. These
are typically used to change the firewall rules via iptables. A working
example would be
...
"PostUp" : "iptables -A FORWARD -i dsnet -j ACCEPT; iptables -A FORWARD -o dsnet -j ACCEPT; iptables -t nat -A POSTROUTING -o ens2 -j MASQUERADE ",
"PostDown" : "iptables -D FORWARD -i dsnet -j ACCEPT; iptables -D FORWARD -o dsnet -j ACCEPT; iptables -t nat -D POSTROUTING -o ens2 -j MASQUERADE ",
...
All commands are executed by `/bin/sh` and no filtering or sandboxing is
applied. Users of this should know what they are doing.
Fixes https://github.com/naggie/dsnet/issues/16
4.5 KiB
Explanation of each field:
{
"ExternalIP": "198.51.100.2",
"ExternalIP6": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
This is the external IP that will be the value of Endpoint for the server peer in client configs. It is automatically detected by opening a socket or using an external IP discovery service -- the first to give a valid public IP will win.
"ListenPort": 51820,
The port wiregard should listen on.
"Domain": "dsnet",
The domain to copy to the report file. Not used for anything else; it's useful for DNS integration. At one site I have a script to add hosts to a zone upon connection by polling the report file.
"InterfaceName": "dsnet",
The wireguard interface name.
"Network": "10.164.236.0/22",
"Network6": "fd00:7b31:106a:ae00::/64",
The CIDR network to use when allocating IPs to peers. This subnet, a /22 in
the 10.0.0.0/16 block is generated randomly to (probably) avoid collisions
with other networks. There are 1022 addresses available. Addresses are
allocated to peers when peers are added with dsnet add using the lowest
available address.
A random ULA network with a subnet of 0 is generated for IPv6.
"IP": "10.164.236.1",
"IP6": "fd00:7b31:106a:ae00:44c3:29c3:53b1:a6f9",
This is the private VPN IP of the server peer. It is the first address in the above pool.
"DNS": "",
If defined, this IP address will be set in the generated peer wg-quick config files.
"Networks": [],
This is a list of additional CIDR-notated networks that can be routed through
the server peer. They will be added under the server peer under AllowedIPs in
addition to the private network defined in Network above. If you want to
route the whole internet through the server peer, add 0.0.0.0/0 to the list
before adding peers. For more advanced options and theory, see
https://www.wireguard.com/netns/.
"ReportFile": "/var/lib/dsnetreport.json",
This is the location of the report file generated with dsnet report. It is
suggested that this command is run via a cron job; the report can be safely
consumed by a web service or DNS integration script, for instance.
The report contains no sensitive information. At one site I use it together
with hugo
shortcodes to generate a
network overview page. The shortcode file is included in this repository under
etc/.
"PostUp": ""
"PostDown": ""
Allows a user to specify commands to run after the device is up or down. This is
typcially a collection of iptables invocations. The commands are executed by
/bin/sh. NOTE These commands run as root, so make sure you check that they
are secure.
"PrivateKey": "uC+xz3v1mfjWBHepwiCgAmPebZcY+EdhaHAvqX2r7U8=",
The server private key, automatically generated and very sensitive!
"Peers": []
The list of peers managed by dsnet add and dsnet remove. See below for format.
}
The configuration file can be manually/programatically managed outside of dsnet
if desired; dsnet sync will update wireguard.
Peer configuration, Peers: [] in dsnetconfig.json:
{
"Hostname": "test",
The hostname given via dsnet add <hostname>. It is used to identify the peer
in the report and for peer removal via dsnet remove <hostname>. It can also
be used to update a DNS zone via a custom script that operates on the report
file as mentioned above.
"Owner": "naggie",
The owner of the peer, copied to the report file.
"Description": "Home server",
A description of the peer, copied to the report file; the lack of which in
wq-quick is what inspired me to write dsnet in the first place.
"IP": "10.164.236.2",
The private VPN IP allocated by dsnet for this peer. It is the lowest available
IP in the pool from Network, above.
"Added": "2020-05-07T10:04:46.336286992+01:00",
The timestamp of when the peer was added by dsnet.
"Networks": [],
Any other CIDR networks that can be routed through this peer.
"PublicKey": "altJeQ/V52JZQrGcA9RiKcpZusYU6zMUJhl7Wbd9rX0=",
The public key derived from the private key generated by dsnet when the peer was added.
"PresharedKey": "GcUtlze0BMuxo3iVEjpOahKdTf8xVfF8hDW3Ylw5az0="
The pre-shared key for this peer. The peer has the same key defined as the pre-shared key for the server peer. This is optional in wireguard but not for dsnet due to the extra (post quantum!) security it provides.
}