Merge branch 'dev' (version 0.3.0)
* add function to restore default network interface
* restrict default allowed ip to device's own address
droscy committed Jun 1, 2023
2 parents 9b7a576 + 4c232a6 commit f2c116a
Showing 4 changed files with 64 additions and 29 deletions.
7 changes: 5 additions & 2 deletions README.md
Expand Up @@ -69,7 +69,7 @@ wireguard:
peer_preshared_key: shared_key=

# optional keepalive in seconds (disabled by default)
peer_persistent_keepalive: 25
peer_persistent_keepalive: 25s

# optional list of allowed ip/mask (the default is to allow any host if omitted)
peer_allowed_ips:
Expand Down Expand Up @@ -112,10 +112,13 @@ sensor:
For additional information see:

* the original feature-request [esphome/esphome#1444](https://github.com/esphome/feature-requests/issues/1444)
(starting from [my comment](https://github.com/esphome/feature-requests/issues/1444#issuecomment-1502960116))
(starting from [this comment](https://github.com/esphome/feature-requests/issues/1444#issuecomment-1556090095))

* the original component proposed by [@lhoracek](https://github.com/lhoracek) in his PR [esphome/esphome#4256](https://github.com/esphome/esphome/pull/4256)

* the proposed documentation [esphome/esphome-docs#2948](https://github.com/esphome/esphome-docs/pull/2948), here
you can find the link to preview the latest version


## License

30 changes: 21 additions & 9 deletions include/esp_wireguard.h
Expand Up @@ -47,8 +47,8 @@ extern "C" {
.fw_mark = 0, \
.public_key = NULL, \
.preshared_key = NULL, \
.allowed_ip = NULL, \
.allowed_ip_mask = NULL, \
.address = NULL, \
.netmask = NULL, \
.endpoint = NULL, \
.port = 51820, \
.persistent_keepalive = 0, \
Expand All @@ -63,16 +63,16 @@ extern "C" {
typedef struct {
/* interface config */
const char* private_key; /**< a base64 private key generated by wg genkey. Required. */
int listen_port; /**< a 16-bit port for listening */
uint16_t listen_port; /**< a 16-bit port for listening */
uint32_t fw_mark; /**< a 32-bit fwmark for outgoing packets */
/* peer config */
const char* public_key; /**< a base64 public key calculated by wg pubkey from a private key. Required. */
const char* preshared_key; /**< a base64 preshared key generated by wg genpsk. */
const char* allowed_ip; /**< a local IP address. */
const char* allowed_ip_mask; /**< a subnet mask of the local IP address. */
const char* address; /**< a local IP address. */
const char* netmask; /**< a subnet mask of the local IP address. */
const char* endpoint; /**< an endpoint IP address or hostname. */
int port; /**< a port number of remote endpoint. Default is 51820. */
int persistent_keepalive; /**< a seconds interval, between 1 and 65535 inclusive, of how often to send an
uint16_t port; /**< a port number of remote endpoint. Default is 51820. */
uint16_t persistent_keepalive; /**< a seconds interval, between 1 and 65535 inclusive, of how often to send an
authenticated empty packet to the peer for the purpose of keeping a stateful
firewall or NAT mapping valid persistently. Set zero to disable the feature.
Default is zero. */
Expand Down Expand Up @@ -122,12 +122,24 @@ esp_err_t esp_wireguard_init(wireguard_config_t *config, wireguard_ctx_t *ctx);
esp_err_t esp_wireguard_connect(wireguard_ctx_t *ctx);

/**
* @brief Set the default gateway to the peer.
* @brief Set the WireGuard network interface as the default.
* @param ctx Context of WireGuard
* @return
* - ESP_OK on success.
* - ESP_ERR_INVALID_ARG if ctx is NULL
* - ESP_ERR_INVALID_STATE if WireGuard interface is NULL
*/
esp_err_t esp_wireguard_set_default(const wireguard_ctx_t *ctx);

/**
* @brief Restore the default network interface.
* @param ctx Context of WireGuard
* @return
* - ESP_OK on success.
* - ESP_ERR_INVALID_ARG if ctx is NULL
* - ESP_ERR_INVALID_STATE if the previous default interface is NULL
*/
esp_err_t esp_wireguard_set_default(wireguard_ctx_t *ctx);
esp_err_t esp_wireguard_restore_default(const wireguard_ctx_t *ctx);

/**
* @brief Test if the peer is up.
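Review bot: `address` and `netmask` are now mandatory inputs but their field comments in the `typedef struct` hunk still read like optional descriptions, while `private_key` and `public_key` explicitly say "Required."; the src changes in this commit return ESP_ERR_INVALID_ARG from both peer init and netif creation when either fails to parse. Suggest `const char* address; /**< a local IP address. Required; also the default allowed IP (/32). */` and `const char* netmask; /**< a subnet mask of the local IP address. Required. */`. The default initializer in the first hunk leaves both NULL, so a caller who copies it and forgets these fields only learns at init time. The struct and the initializer macro both extend beyond the hunk.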
6 changes: 3 additions & 3 deletions library.json
@@ -1,6 +1,6 @@
{
"name": "esp_wireguard",
"version": "0.2.0",
"version": "0.3.0",
"description": "WireGuard implementation for ESPHome",
"keywords":[
"communication",
Expand Down Expand Up @@ -49,12 +49,12 @@
"headers":[
"esp_wireguard.h"
],
"export":{
"export":{
"include":[
"include/*",
"src/*"
]
},
},
"build":{
"includeDir": "include",
"srcDir": "src"
50 changes: 35 additions & 15 deletions src/esp_wireguard.c
Expand Up @@ -100,21 +100,22 @@ static esp_err_t esp_wireguard_peer_init(const wireguard_config_t *config, struc
}
peer->keep_alive = config->persistent_keepalive;

/* Allow device address/netmask through tunnel */
/* Allow device's own address through tunnel */
{
if(ipaddr_aton(config->allowed_ip, &(peer->allowed_ip)) != 1) {
ESP_LOGE(TAG, "peer_init: invalid allowed_ip: `%s`", config->allowed_ip);
if(ipaddr_aton(config->address, &(peer->allowed_ip)) != 1) {
ESP_LOGE(TAG, "peer_init: invalid address: `%s`", config->address);
err = ESP_ERR_INVALID_ARG;
goto fail;
}

if(ipaddr_aton(config->allowed_ip_mask, &(peer->allowed_mask)) != 1) {
ESP_LOGE(TAG, "peer_init: invalid allowed_ip_mask: `%s`", config->allowed_ip_mask);
err = ESP_ERR_INVALID_ARG;
goto fail;
}
// Only the single IP is allowed, thus /32 netmask, leaving to the user
// the responsibility to set the appropriate list of other allowed IPs.
ip_addr_t allowed_mask = IPADDR4_INIT_BYTES(255, 255, 255, 255);
peer->allowed_mask = allowed_mask;
}

ESP_LOGI(TAG, "default allowed_ip: %s/%s", config->address, ipaddr_ntoa(&(peer->allowed_mask)));

/* resolve peer name or IP address */
{
ip_addr_t endpoint_ip;
Expand Down Expand Up @@ -175,19 +176,17 @@ static esp_err_t esp_wireguard_netif_create(const wireguard_config_t *config)
wg.listen_port = config->listen_port;
wg.bind_netif = NULL;

if (ipaddr_aton(config->allowed_ip, &ip_addr) != 1) {
ESP_LOGE(TAG, "netif_create: invalid allowed_ip: `%s`", config->allowed_ip);
if (ipaddr_aton(config->address, &ip_addr) != 1) {
ESP_LOGE(TAG, "netif_create: invalid address: `%s`", config->address);
err = ESP_ERR_INVALID_ARG;
goto fail;
}
if (ipaddr_aton(config->allowed_ip_mask, &netmask) != 1) {
ESP_LOGE(TAG, "netif_create: invalid allowed_ip_mask: `%s`", config->allowed_ip_mask);
if (ipaddr_aton(config->netmask, &netmask) != 1) {
ESP_LOGE(TAG, "netif_create: invalid netmask: `%s`", config->netmask);
err = ESP_ERR_INVALID_ARG;
goto fail;
}

ESP_LOGI(TAG, "default allowed_ip: %s/%s", config->allowed_ip, config->allowed_ip_mask);

/* Register the new WireGuard network interface with lwIP */
wg_netif = netif_add(
&wg_netif_struct,
Expand Down Expand Up @@ -283,19 +282,40 @@ esp_err_t esp_wireguard_connect(wireguard_ctx_t *ctx)
return err;
}

esp_err_t esp_wireguard_set_default(wireguard_ctx_t *ctx)
esp_err_t esp_wireguard_set_default(const wireguard_ctx_t *ctx)
{
esp_err_t err;
if (!ctx) {
err = ESP_ERR_INVALID_ARG;
goto fail;
}
if(!ctx->netif) {
err = ESP_ERR_INVALID_STATE;
goto fail;
}
netif_set_default(ctx->netif);
err = ESP_OK;
fail:
return err;
}

esp_err_t esp_wireguard_restore_default(const wireguard_ctx_t *ctx)
{
esp_err_t err;
if (!ctx) {
err = ESP_ERR_INVALID_ARG;
goto fail;
}
if(!ctx->netif_default) {
err = ESP_ERR_INVALID_STATE;
goto fail;
}
netif_set_default(ctx->netif_default);
err = ESP_OK;
fail:
return err;
}

esp_err_t esp_wireguard_disconnect(wireguard_ctx_t *ctx)
{
esp_err_t err;
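Review bot: esp_wireguard_set_default now takes a `const` ctx and so cannot record the interface it displaces, which means esp_wireguard_restore_default relies on `ctx->netif_default` having been captured somewhere outside this hunk (presumably at connect time); if that capture were ever taken while the tunnel was already default, restore would re-select the WireGuard netif instead of the original uplink. A one-line comment above esp_wireguard_restore_default would make the contract explicit, e.g. `/* Restores the netif saved in ctx->netif_default; set_default() never updates that field. */`. As a matter of style, both new functions' `goto fail` only reach a bare `return err;`, so `return ESP_ERR_INVALID_ARG;` and `return ESP_ERR_INVALID_STATE;` early returns would read more directly, and `if(!ctx->netif)` versus `if (!ctx)` spacing is inconsistent within the same function. In the peer_init hunk earlier in this file, the hard-coded IPv4 `/32` mask assumes `config->address` parsed as IPv4; if lwIP is built with IPv6 and a v6 address is configured, the mask type would not match the address, which may be worth a guard or a comment.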
