wireguard: use syncconf in newwanip event

fichtner · fichtner · commit 07545a94d5d2 · 2023-10-31T11:27:45.000+01:00
setconf can fail for DNS resolution reasons.  It is being considered
a configuration parsing error so nothing gets set on the instance.
However, our code remembers that the instance was fully set up although
that is not the case.  The newwanip event was handling DNS renew but
does not understand that the configuration is not complete.

Replacing reresolve-dns.py by doing syncconf works, but this is used
as a cron-based script and likely does the job it is intended for.

Instead rehook the newwanip event into a simple syncconf invoke which
takes "more" time (according to the man page) but won't touch existing
peers being connected while still fixing any configuration mismatch
in the (possibly stale) instance.
diff --git a/src/etc/inc/plugins.inc.d/wireguard.inc b/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -144,7 +144,7 @@ function wireguard_prepare($device)
 function wireguard_configure()
 {
     return [
-        'newwanip' => ['wireguard_renew:2'],
+        'newwanip' => ['wireguard_sync:2'],
         'vpn' => ['wireguard_configure_do:2'],
     ];
 }
@@ -162,15 +162,32 @@ function wireguard_configure_do($verbose = false, $unused = '')
     service_log("done.\n", $verbose);
 }
 
-function wireguard_renew($verbose = false, $unused = '')
+function wireguard_sync($verbose = false, $unused = '')
 {
     if (!wireguard_enabled()) {
         return;
     }
 
-    service_log('Renewing WireGuard VPN...', $verbose);
+    $instances = [];
+    foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $node) {
+        if (!empty((string)$node->enabled)) {
+            $instances[(string)$node->interface] = (string)$node->cnfFilename;
+        }
+    }
+
+    if (!count($instances)) {
+        return;
+    }
+
+    service_log('Synchronizing WireGuard VPN...', $verbose);
+
+    openlog('wireguard', LOG_ODELAY, LOG_AUTH);
+
+    foreach ($instances as $device => $config) {
+        mwexecf('/usr/bin/wg syncconf %s %s', [$device, $config]);
+    }
 
-    configd_run('wireguard renew');
+    reopenlog();
 
     service_log("done.\n", $verbose);
 }
