net/wireguard - remove wg-quick dependency and drop go support (#3556)

net/wireguard - removing wg-quick and go support.

This commits adds the following:

* Remove wireguard-go support and cleanup some go specific code as it's not being used anymore anyway
* Service control handler similar to OpenVPN, which offers control per instance/interface and keeps track of changed interfaces (configure only restarts the changed ones).
* Add some basic logging for the service handling and a view to inspect it.
* Configuration logs are being flushed to the correct log automatically as mwexecf() sends errors to syslog (which in this scope sends to wireguard)
* Reimplement https://github.com/WireGuard/wireguard-tools/tree/master/contrib/reresolve-dns using Python in reresolve-dns.py
* Enforce wireguard-tools rc script to be disabled when still installed, this should prevent bootup issues
* Move 'interface' calculated field to model for easy reusability
* Change plugin maintainer


---------

Co-authored-by: Franco Fichtner <franco@opnsense.org>

net/wireguard/Makefile

@@ -1,9 +1,8 @@
 PLUGIN_NAME=		wireguard
-PLUGIN_VERSION=		1.13
-PLUGIN_REVISION=	7
+PLUGIN_VERSION=		2.0.d
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
-PLUGIN_DEPENDS=		wireguard-kmod wireguard-tools
+PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
-PLUGIN_MAINTAINER=	m.muenz@gmail.com
+PLUGIN_MAINTAINER=	ad@opnsense.org
 
 .include "../../Mk/plugins.mk"

net/wireguard/pkg-descr

@@ -16,6 +16,17 @@ WWW: https://www.wireguard.com/
 Changelog
 ---------
 
+2.0
+
+* Remove wireguard-go support and cleanup some go specific code as it's not being used anymore anyway
+* Service control handler similar to OpenVPN, which offers control per instance/interface and keeps track of changed interfaces (configure only restarts the changed ones).
+* Add some basic logging for the service handling and a view to inspect it.
+* Configuration logs are being flushed to the correct log automatically as mwexecf() sends errors to syslog (which in this scope sends to wireguard)
+* Reimplement https://github.com/WireGuard/wireguard-tools/tree/master/contrib/reresolve-dns using Python in reresolve-dns.py
+* Enforce wireguard-tools rc script to be disabled when still installed, this should prevent bootup issues
+* Move 'interface' calculated field to model for easy reusability
+* Change plugin maintainer
+
 1.13
 
 * Reworked widget and assorted cleanups (contributed by Patrik Kernstock)

net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc

@@ -1,6 +1,7 @@
 <?php
 
 /*
+ * Copyright (C) 2023 Deciso B.V.
  * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
  * All rights reserved.
  *
@@ -28,8 +29,7 @@
 
 function wireguard_enabled()
 {
-    $model = new \OPNsense\Wireguard\General();
-    return (string)$model->enabled == '1';
+    return (string)(new \OPNsense\Wireguard\General())->enabled == '1';
 }
 
 function wireguard_services()
@@ -40,26 +40,32 @@ function wireguard_services()
         return $services;
     }
 
-    $service = [
-        'description' => gettext('WireGuard VPN'),
-        'configd' => [
-            'restart' => ['wireguard restart'],
-            'start' => ['wireguard start'],
-            'stop' => ['wireguard stop'],
-        ],
-        'name' => 'wireguard-go',
-    ];
-
-    if (file_exists('/boot/modules/if_wg.ko') || file_exists('/boot/kernel/if_wg.ko')) {
-        $service['name'] = 'wireguard';
-        $service['nocheck'] = true;
+    foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $key => $node) {
+        if (!empty((string)$node->enabled)) {
+            $services[] = [
+                'description' => "Wireguard " . htmlspecialchars($node->name),
+                'configd' => [
+                    'start' => ["wireguard start {$key}"],
+                    'restart' => ["wireguard restart {$key}"],
+                    'stop' => ["wireguard stop {$key}"],
+                ],
+                'nocheck' => true, /* no daemon to check */
+                'id' => $key,
+                'name' => "wireguard"
+            ];
+        }
     }
 
-    $services[] = $service;
-
     return $services;
 }
 
+function wireguard_syslog()
+{
+    return [
+        'wireguard' => ['facility' => ['wireguard']]
+    ];
+}
+
 function wireguard_interfaces()
 {
     $interfaces = [];
@@ -87,11 +93,7 @@ function wireguard_xmlrpc_sync()
     $result['id'] = 'wireguard';
     $result['section'] = 'OPNsense.wireguard';
     $result['description'] = gettext('WireGuard');
-    $result['services'] = ['wireguard-go'];
-
-    if (file_exists('/boot/modules/if_wg.ko') || file_exists('/boot/kernel/if_wg.ko')) {
-        $result['services'] = ['wireguard'];
-    }
+    $result['services'] = ['wireguard'];
 
     return [$result];
 }

net/wireguard/src/etc/rc.syshook.d/start/50-wireguard

@@ -1,4 +1,2 @@
 #!/bin/sh
-
-# start again to fix problems with failed name resolution (no need to restart)
-configctl -dq wireguard start
+configctl -dq wireguard configure

net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ClientController.php

@@ -1,6 +1,7 @@
 <?php
 
 /**
+ *    Copyright (C) 2023 Deciso B.V.
  *    Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
  *
  *    All rights reserved.
@@ -39,12 +40,14 @@ class ClientController extends ApiMutableModelControllerBase
 
     public function searchClientAction()
     {
-        return $this->searchBase('clients.client', array("enabled", "name", "pubkey", "tunneladdress", "serveraddress", "serverport"));
+        return $this->searchBase(
+            'clients.client',
+            ["enabled", "name", "pubkey", "tunneladdress", "serveraddress", "serverport"]
+        );
     }
 
     public function getClientAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('client', 'clients.client', $uuid);
     }
 

net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServerController.php

@@ -1,6 +1,7 @@
 <?php
 
 /*
+ * Copyright (C) 2023 Deciso B.V.
  * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
  * All rights reserved.
  *
@@ -38,17 +39,15 @@ class ServerController extends ApiMutableModelControllerBase
 
     public function searchServerAction()
     {
-        $search = $this->searchBase('servers.server', array("enabled", "instance", "peers", "name", "networks", "pubkey", "port", "tunneladdress"));
-        // prepend "wg" to all instance IDs to use as interface name
-        foreach ($search["rows"] as $key => $server) {
-            $search["rows"][$key]["interface"] = "wg" . $server["instance"];
-        }
+        $search = $this->searchBase(
+            'servers.server',
+            ["enabled", "instance", "peers", "name", "networks", "pubkey", "port", "tunneladdress", 'interface']
+        );
         return $search;
     }
 
     public function getServerAction($uuid = null)
     {
-        $this->sessionClose();
         return $this->getBase('server', 'servers.server', $uuid);
     }
 

net/wireguard/src/opnsense/mvc/app/controllers/OPNsense/Wireguard/Api/ServiceController.php

@@ -1,6 +1,7 @@
 <?php
 
 /*
+ * Copyright (C) 2023 Deciso B.V.
  * Copyright (C) 2018 Michael Muenz <m.muenz@gmail.com>
  * All rights reserved.
  *
@@ -52,14 +53,30 @@ protected function invokeInterfaceRegistration()
         return true;
     }
 
+    /**
+     * @return array
+     */
+    public function reconfigureAction()
+    {
+        if (!$this->request->isPost()) {
+            return ['result' => 'failed'];
+        }
+
+        $this->sessionClose();
+        $backend = new Backend();
+        $backend->configdRun('template reload ' . escapeshellarg(static::$internalServiceTemplate));
+        $backend->configdpRun('wireguard configure');
+
+        return ['result' => 'ok'];
+    }
+
     /**
      * show wireguard config
      * @return array
      */
     public function showconfAction()
     {
-        $backend = new Backend();
-        $response = $backend->configdRun("wireguard showconf");
+        $response = (new Backend())->configdRun("wireguard showconf");
         return array("response" => $response);
     }
 
@@ -69,8 +86,7 @@ public function showconfAction()
      */
     public function showhandshakeAction()
     {
-        $backend = new Backend();
-        $response = $backend->configdRun("wireguard showhandshake");
+        $response = (new Backend())->configdRun("wireguard showhandshake");
         return array("response" => $response);
     }
 }

net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/FieldTypes/ServerField.php

@@ -0,0 +1,58 @@
+<?php
+
+/*
+ * Copyright (C) 2023 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Wireguard\FieldTypes;
+
+use OPNsense\Base\FieldTypes\ArrayField;
+use OPNsense\Base\FieldTypes\TextField;
+
+class ServerField extends ArrayField
+{
+    /**
+     * push internal reusable properties as virtuals
+     */
+    protected function actionPostLoadingEvent()
+    {
+        foreach ($this->internalChildnodes as $node) {
+            if (!$node->getInternalIsVirtual()) {
+                $files = [
+                    'cnfFilename' => "/usr/local/etc/wireguard/wg{$node->instance}.conf",
+                    'statFilename' => "/usr/local/etc/wireguard/wg{$node->instance}.stat",
+                    'interface' => "wg{$node->instance}",
+                ];
+                foreach ($files as $name => $payload) {
+                    $new_item = new TextField();
+                    $new_item->setInternalIsVirtual();
+                    $new_item->setValue($payload);
+                    $node->addChildNode($name, $new_item);
+                }
+            }
+        }
+        return parent::actionPostLoadingEvent();
+    }
+}

net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Menu/Menu.xml

@@ -1,5 +1,8 @@
 <menu>
     <VPN>
-      <WireGuard cssClass="fa fa-lock fa-fw" url="/ui/wireguard/general/index" order="150" />
+      <WireGuard cssClass="fa fa-lock fa-fw" order="150">
+          <Settings order="10" url="/ui/wireguard/general/index"/>
+          <LogFile order="70" VisibleName="Log File" url="/ui/diagnostics/log/core/wireguard"/>
+      </WireGuard>
     </VPN>
 </menu>

net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/Server.xml

@@ -4,7 +4,7 @@
     <version>0.0.4</version>
     <items>
         <servers>
-            <server type="ArrayField">
+            <server type=".\ServerField">
                 <enabled type="BooleanField">
                     <default>1</default>
                     <Required>Y</Required>