Merge branch 'master' into add_mqtt_broker

Author: awlx

README.md

@@ -28,3 +28,7 @@ $ wget -q  -O- --post-data='{"domain": "ffmuc_welt","public_key": "o52Ge+Rpj4CUS
   "Message": "OK"
 }
 ```
+
+## Contact
+
+#wgkex - IRCNet

pyproject.toml

@@ -15,6 +15,7 @@ python = "^3.6"
 PyYAML = "^5.3.1"
 Flask = "^1.1.2"
 flask-mqtt = "^1.1.1"
+pyroute2 = "^0.5.14"
 voluptuous = "^0.12.0"
 
 [tool.poetry.dev-dependencies]

wgkex/worker/__init__.py

@@ -0,0 +1,16 @@
+#!/usr/bin/env python3
+
+
+from wgkex.config import load_config
+from wgkex.worker.mqtt import connect as mqtt
+
+config = load_config()
+
+
+def main():
+
+    mqtt(config.get("domains"))
+
+
+if __name__ == "__main__":
+    main()

wgkex/worker/app.py

@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+import paho.mqtt.client as mqtt
+import socket
+import time
+import re
+from wgkex.worker.netlink import (
+    find_stale_wireguard_clients,
+    link_handler,
+    WireGuardClient,
+    generate_lladdr,
+    generate_interface_names,
+)
+
+
+def connect(domains: str):
+    broker_address = "broker.ov.ffmuc.net"
+    client = mqtt.Client(socket.gethostname())
+    client.on_message = on_message
+    print("connecting to broker " + broker_address)
+    client.connect(broker_address)
+    for domain in domains:
+        print("Subscribing to topic", "wireguard/" + domain + "/+")
+        client.subscribe("wireguard/" + domain + "/+")
+    client.loop_forever()
+
+
+def on_message(client, userdata, message):
+
+    domain = re.search("/.*ffmuc_(\w+)/", message.topic).group(1)
+
+    client = WireGuardClient(
+        public_key=str(message.payload.decode("utf-8")),
+        lladdr=b"",
+        domain=domain,
+        wg_interface="",
+        vx_interface="",
+        remove=False,
+    )
+
+    client.lladdr = generate_lladdr(client.public_key)
+
+    client = generate_interface_names(client)
+
+    print("Received node create message for key " + client.public_key)
+
+    print(link_handler(client))

wgkex/worker/mqtt.py

@@ -0,0 +1,137 @@
+#!/usr/bin/env python3
+import re
+import hashlib
+
+from salt.utils.network import mac2eui64
+from textwrap import wrap
+from typing import Dict, List
+from pyroute2 import WireGuard, IPRoute
+from pyroute2.netlink.rtnl import ndmsg
+from typing import Dict, List
+from dataclasses import dataclass
+from datetime import datetime, timedelta
+
+
+@dataclass
+class WireGuardClient:
+    """WireGuardClient describes complete configuration for a specific WireGuard client
+
+    Attributes:
+        public_key: WireGuard Public key
+        domain: Domain Name of the WireGuard peer
+        lladdr: IPv6 lladdr of the WireGuard peer
+        wg_interface: Name of the WireGuard interface this peer will use
+        vx_interface: Name of the VXLAN interface we set a route for the lladdr to
+        remove: Are we removing this peer or not?
+    """
+
+    public_key: str
+    domain: str
+    lladdr: str
+    wg_interface: str
+    vx_interface: str
+    remove: bool
+
+
+# we receive stuff from wgkex-broker
+def generate_lladdr(public_key: str) -> str:
+    m = hashlib.md5()
+
+    m.update(public_key.encode("ascii") + b"\n")
+    hashed_key = m.hexdigest()
+    hash_as_list = wrap(hashed_key, 2)
+    temp_mac = ":".join(["02"] + hash_as_list[:5])
+
+    lladdr = re.sub(r"/\d+$", "/128", mac2eui64(mac=temp_mac, prefix="fe80::/10"))
+    return lladdr
+
+
+def generate_ifname(peer: WireGuardClient) -> WireGuardClient:
+    peer.wg_interface = "wg-" + peer.domain
+    peer.vx_interface = "vx-" + peer.domain
+
+    return peer
+
+
+def wg_flush_stale_peers(domain: str) -> List[Dict]:
+    stale_clients = find_stale_wireguard_clients("wg-" + domain)
+    result = []
+    for stale_client in stale_clients:
+        stale_wireguard_client = WireGuardClient(
+            public_key=stale_client,
+            lladdr=generate_lladdr(stale_client),
+            domain=domain,
+            wg_interface="",
+            vx_interface="",
+            remove=True,
+        )
+        stale_wireguard_client = generate_ifname(stale_wireguard_client)
+        result = link_handler(stale_wireguard_client)
+    return result
+
+
+# pyroute2 stuff
+def link_handler(client: WireGuardClient) -> Dict:
+    results = {}
+
+    results.update({"Wireguard": wireguard_handler(client)})
+    try:
+        results.update({"Route": route_handler(client)})
+    except Exception as e:
+        results.update({"Route": e})
+    results.update({"Bridge FDB": bridge_fdb_handler(client)})
+
+    return results
+
+
+def bridge_fdb_handler(client: WireGuardClient) -> Dict:
+
+    action = "append"
+    if client.remove:
+        action = "del"
+
+    with IPRoute() as ip:
+        return ip.fdb(
+            action,
+            ifindex=ip.link_lookup(ifname=client.vx_interface)[0],
+            lladdr="00:00:00:00:00:00",
+            dst=re.sub("\/\d+$", "", client.lladdr),
+        )
+
+
+def wireguard_handler(client: WireGuardClient) -> Dict:
+    wg = WireGuard()
+
+    wg_peer = {
+        "public_key": client.public_key,
+        "persistent_keepalive": 15,
+        "allowed_ips": [client.lladdr],
+        "remove": client.remove,
+    }
+
+    return wg.set(client.wg_interface, peer=wg_peer)
+
+
+def route_handler(client: WireGuardClient) -> Dict:
+    with IPRoute() as ip:
+        return ip.route(
+            "del" if client.remove else "add",
+            dst=client.lladdr,
+            oif=ip.link_lookup(ifname=client.wg_interface)[0],
+        )
+
+
+def find_stale_wireguard_clients(wg_interface: str) -> List:
+    wg = WireGuard()
+
+    clients = wg.info(wg_interface)[0].WGDEVICE_A_PEERS.value
+
+    three_hours_ago = (datetime.now() - timedelta(hours=3)).timestamp()
+
+    stale_clients = []
+    for client in clients:
+        latest_handshake = client.WGPEER_A_LAST_HANDSHAKE_TIME["tv_sec"]
+        if latest_handshake < int(three_hours_ago):
+            stale_clients.append(client.WGPEER_A_PUBLIC_KEY["value"].decode("utf-8"))
+
+    return stale_clients