From patchwork Tue May 16 04:09:06 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Maxim Cournoyer X-Patchwork-Id: 50033 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id A351127BBE9; Tue, 16 May 2023 05:11:27 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI, RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id ABDFE27BBE2 for ; Tue, 16 May 2023 05:11:22 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pym1l-0008KP-3w; Tue, 16 May 2023 00:11:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pym1g-0008Iz-2d for guix-patches@gnu.org; Tue, 16 May 2023 00:11:04 -0400 Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pym1f-0002pd-4r for guix-patches@gnu.org; Tue, 16 May 2023 00:11:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1pym1f-00023D-0K for guix-patches@gnu.org; Tue, 16 May 2023 00:11:03 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#63402] [PATCH v3 1/3] services: wireguard: Implement a dynamic IP monitoring feature. 
From: Maxim Cournoyer Date: Tue, 16 May 2023 00:09:06 -0400 Message-Id: <76b34e5229e0e97068cb3bd42152f29630a8dbfc.1684210148.git.maxim.cournoyer@gmail.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/services/vpn.scm () [monitor-ips?, monitor-ips-internal]: New fields. * gnu/services/vpn.scm (define-with-source): New syntax. (wireguard-service-name, strip-port/maybe) (ipv4-address?, ipv6-address?, host-name?) (peers->endpoint-host-names) (wireguard-monitoring-jobs): New procedures. (wireguard-service-type): Register it. * tests/services/vpn.scm: New file. * Makefile.am (SCM_TESTS): Register it. * doc/guix.texi (VPN Services): Update doc. --- Makefile.am | 1 + doc/guix.texi | 18 +++++- gnu/services/vpn.scm | 123 +++++++++++++++++++++++++++++++++++++++-- tests/services/vpn.scm | 80 +++++++++++++++++++++++++++ 4 files changed, 216 insertions(+), 6 deletions(-) create mode 100644 tests/services/vpn.scm base-commit: 242cc93438d67f5b35602d5add02e230850b0b43 diff --git a/Makefile.am b/Makefile.am index 13718e4353..fb6e4f57cd 100644 --- a/Makefile.am +++ b/Makefile.am @@ -553,6 +553,7 @@ SCM_TESTS = \ tests/services/lightdm.scm \ tests/services/linux.scm \ tests/services/telephony.scm \ + tests/services/vpn.scm \ tests/sets.scm \ tests/size.scm \ tests/status.scm \ diff --git a/doc/guix.texi b/doc/guix.texi index 60972f408d..4499a911d6 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -32591,9 +32591,23 @@ VPN Services @item @code{dns} (default: @code{#f}) The DNS server(s) to announce to VPN clients via DHCP. +@item @code{monitor-ips?} (default: @code{#f}) +@cindex Dynamic IP, with Wireguard +@cindex dyndns, usage with Wireguard +Whether to monitor the resolved Internet addresses (IPs) of the +endpoints of the configured peers, restarting the service when there is +a mismatch between the endpoint IPs in actual use versus those freshly +resolved from their host names. Set this to @code{#t} if one or more +endpoints use host names provided by a dynamic DNS service to keep +connections working. + +@item @code{monitor-ips-internal} (default: @code{'(next-minute (range 0 60 5))}) +The time interval at which the IP monitoring job should run, provided as +an mcron time specification (@pxref{Guile Syntax,,,mcron}). + @item @code{private-key} (default: @code{"/etc/wireguard/private.key"}) -The private key file for the interface. It is automatically generated if -the file does not exist. +The private key file for the interface. It is automatically generated +if the file does not exist. @item @code{peers} (default: @code{'()}) The authorized peers on this interface. This is a list of diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index a884d71eb2..e21f999bc0 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -11,6 +11,7 @@ ;;; Copyright © 2021 Nathan Dehnel ;;; Copyright © 2022 Cameron V Chaparro ;;; Copyright © 2022 Timo Wilken +;;; Copyright © 2023 Maxim Cournoyer ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -31,10 +32,12 @@ (define-module (gnu services vpn) #:use-module (gnu services) #:use-module (gnu services configuration) #:use-module (gnu services dbus) + #:use-module (gnu services mcron) #:use-module (gnu services shepherd) #:use-module (gnu system shadow) #:use-module (gnu packages admin) #:use-module (gnu packages vpn) + #:use-module (guix modules) #:use-module (guix packages) #:use-module (guix records) #:use-module (guix gexp) @@ -73,6 +76,8 @@ (define-module (gnu services vpn) wireguard-configuration-addresses wireguard-configuration-port wireguard-configuration-dns + wireguard-configuration-monitor-ips? + wireguard-configuration-monitor-ips-interval wireguard-configuration-private-key wireguard-configuration-peers wireguard-configuration-pre-up @@ -741,6 +746,10 @@ (define-record-type* (default '())) (dns wireguard-configuration-dns ;list of strings (default #f)) + (monitor-ips? wireguard-configuration-monitor-ips? ;boolean + (default #f)) + (monitor-ips-interval wireguard-configuration-monitor-ips-interval + (default '(next-minute (range 0 60 5)))) ;string | list (pre-up wireguard-configuration-pre-up ;list of strings (default '())) (post-up wireguard-configuration-post-up ;list of strings 
@@ -871,6 +880,49 @@ (define (wireguard-activation config) (chmod #$private-key #o400) (close-pipe pipe)))))) +;;; XXX: Copied from (guix scripts pack), changing define to define*. +(define-syntax-rule (define-with-source (variable args ...) body body* ...) + "Bind VARIABLE to a procedure accepting ARGS defined as BODY, also setting +its source property." + (begin + (define* (variable args ...) + body body* ...) + (eval-when (load eval) + (set-procedure-property! variable 'source + '(define* (variable args ...) body body* ...))))) + +(define (wireguard-service-name interface) + "Return the WireGuard service name (a symbol) configured to use INTERFACE." + (symbol-append 'wireguard- (string->symbol interface))) + +(define-with-source (strip-port/maybe endpoint #:key ipv6?) + "Strip the colon and port, if present in ENDPOINT, a string." + (if ipv6? + (if (string-prefix? "[" endpoint) + (first (string-split (string-drop endpoint 1) #\])) ;ipv6 + endpoint) + (first (string-split endpoint #\:)))) ;ipv4 + +(define (ipv4-address? str) + "Return true if STR denotes an IPv4 address." + (false-if-exception + (->bool (inet-pton AF_INET (strip-port/maybe str))))) + +(define (ipv6-address? str) + "Return true if STR denotes an IPv6 address." + (false-if-exception + (->bool (inet-pton AF_INET6 (strip-port/maybe str #:ipv6? #t))))) + +(define (host-name? name) + "Predicate to check whether NAME is a host name, i.e. not an IP address." + (not (or (ipv6-address? name) (ipv4-address? name)))) + +(define (peers->endpoint-host-names peers) + "Return host names used as the endpoints of PEERS, if any. Any \":PORT\" +suffixes are stripped." + (map strip-port/maybe + (filter host-name? (filter-map wireguard-peer-endpoint peers)))) + (define (wireguard-shepherd-service config) (match-record config (wireguard interface) 
@@ -878,9 +930,7 @@ (define (wireguard-shepherd-service config) (config (wireguard-configuration-file config))) (list (shepherd-service (requirement '(networking)) - (provision (list - (symbol-append 'wireguard- - (string->symbol interface)))) + (provision (list (wireguard-service-name interface))) (start #~(lambda _ (invoke #$wg-quick "up" #$config))) (stop #~(lambda _ 
@@ -888,6 +938,69 @@ (define (wireguard-shepherd-service config) #f)) ;stopped! (documentation "Run the Wireguard VPN tunnel")))))) +(define (wireguard-monitoring-jobs config) + (match-record config + (interface monitor-ips? monitor-ips-interval peers) + (let ((host-names (peers->endpoint-host-names peers))) + (if monitor-ips? + (if (null? host-names) + (begin + (warn "monitor-ips? is #t but no host name to monitor") + '()) + ;; The mcron monitor job may be a string or a list; ungexp strips + ;; one quote level, which must be added back when a list is + ;; provided. + (list + #~(job + (if (string? #$monitor-ips-interval) + #$monitor-ips-interval + '#$monitor-ips-interval) + #$(program-file + (format #f "wireguard-~a-monitoring" interface) + (with-imported-modules (source-module-closure + '((gnu services herd))) + #~(begin + (use-modules (gnu services herd) + (ice-9 popen) + (ice-9 textual-ports) + (srfi srfi-1) + (srfi srfi-26)) + + (define (host-name->ip name) + "Return the IP address resolved from NAME." + (let* ((ai (car (getaddrinfo name))) + (sa (addrinfo:addr ai))) + (inet-ntop (sockaddr:fam sa) + (sockaddr:addr sa)))) + + #$(procedure-source strip-port/maybe) + + (define service-name '#$(wireguard-service-name + interface)) + + (when (start-service service-name) + (let* ((resolved-ips (map host-name->ip + '#$host-names)) + (pipe (open-pipe* + OPEN_READ + #$(file-append wireguard-tools + "/bin/wg") + "show" #$interface "endpoints")) + (lines (string-split (get-string-all pipe) + #\newline)) + (used-ips (map (compose + strip-port/maybe + last + (cut string-split <> #\tab)) + lines))) + (close-pipe pipe) + (unless (every (cut member <> used-ips) + resolved-ips) + (format #t "restarting ~a service due to \ +stale endpoint IPs~%" service-name) + (restart-service service-name)))))))))) + '())))) ;monitor-ips? is #f + (define wireguard-service-type (service-type (name 'wireguard) 
@@ -898,6 +1011,8 @@ (define wireguard-service-type wireguard-activation) (service-extension profile-service-type (compose list - wireguard-configuration-wireguard)))) + wireguard-configuration-wireguard)) + (service-extension mcron-service-type + wireguard-monitoring-jobs))) (description "Set up Wireguard @acronym{VPN, Virtual Private Network} tunnels."))) diff --git a/tests/services/vpn.scm b/tests/services/vpn.scm new file mode 100644 index 0000000000..9c6fa65df6 --- /dev/null +++ b/tests/services/vpn.scm 
@@ -0,0 +1,80 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2023 Maxim Cournoyer +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (tests services vpn) + #:use-module (gnu packages vpn) + #:use-module (gnu services vpn) + #:use-module (guix gexp) + #:use-module (ice-9 match) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-64)) + +;;; Commentary: +;;; +;;; Unit tests for the (gnu services vpn) module. +;;; +;;; Code: + +;;; Access some internals for whitebox testing. +(define ipv4-address? (@@ (gnu services vpn) ipv4-address?)) +(define ipv6-address? (@@ (gnu services vpn) ipv6-address?)) +(define host-name? (@@ (gnu services vpn) host-name?)) +(define peers->endpoint-host-names + (@@ (gnu services vpn) peers->endpoint-host-names)) + +(test-begin "vpn-services") + +(test-assert "ipv4-address?" + (every ipv4-address? + (list "192.95.5.67:1234" + "10.0.0.1"))) + +(test-assert "ipv6-address?" + (every ipv6-address? 
+ (list "[2607:5300:60:6b0::c05f:543]:2468" + "2607:5300:60:6b0::c05f:543" + "2345:0425:2CA1:0000:0000:0567:5673:23b5" + "2345:0425:2CA1::0567:5673:23b5"))) + +(define %wireguard-peers + (list (wireguard-peer + (name "dummy1") + (public-key "VlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XjoalC8=") + (endpoint "some.dynamic-dns.service:53281") + (allowed-ips '())) + (wireguard-peer + (name "dummy2") + (public-key "AlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC9=") + (endpoint "example.org") + (allowed-ips '())) + (wireguard-peer + (name "dummy3") + (public-key "BlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC7=") + (endpoint "10.0.0.7:7777") + (allowed-ips '())) + (wireguard-peer + (name "dummy4") + (public-key "ClesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC6=") + (endpoint "[2345:0425:2CA1::0567:5673:23b5]:44444") + (allowed-ips '())))) + +(test-equal "peers->endpoint-host-names" + '("some.dynamic-dns.service" "example.org") + (peers->endpoint-host-names %wireguard-peers)) + +(test-end "vpn-services") From patchwork Tue May 16 04:09:07 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maxim Cournoyer X-Patchwork-Id: 50034 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id A818627BBEA; Tue, 16 May 2023 05:11:43 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI, RCVD_IN_MSPIKE_H2,SPF_HELO_PASS autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 5A96227BBE2 for ; Tue, 16 May 2023 05:11:42 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pym1i-0008JV-5E; 
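Review bot: the doc/guix.texi hunk documents the new field as `@code{monitor-ips-internal}`, but the record field added in gnu/services/vpn.scm is `monitor-ips-interval` (exported as `wireguard-configuration-monitor-ips-interval`), so the manual would describe a field that does not exist; rename the `@item` to `monitor-ips-interval`. The commit message's "[monitor-ips?, monitor-ips-internal]" carries the same typo.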
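Review bot: `define-with-source` is a verbatim copy of the macro in (guix scripts pack), as the "XXX: Copied from" comment admits; rather than maintaining two copies, move it to a shared module (for instance (guix utils)) and import it from both places. It also only works for `strip-port/maybe` because that procedure is defined through the macro; a short comment next to `strip-port/maybe` saying that its source is inlined into the monitoring program (so it must stay self-contained apart from srfi-1) would save the next editor from breaking it.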
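Review bot: in the `wireguard-monitoring-jobs` hunk, `used-ips` is built with `strip-port/maybe` called without `#:ipv6?`, so an IPv6 endpoint that `wg show <iface> endpoints` reports as `[2607:5300:60:6b0::c05f:543]:2468` is reduced to `[2607` and can never equal the bare `inet-ntop` string in `resolved-ips`; for an IPv6 endpoint the job would therefore restart the tunnel at every interval. Make `strip-port/maybe` dispatch on `(string-prefix? "[" endpoint)` itself (or pass `#:ipv6? #t` when the string starts with `[`), and add a bracketed-IPv6 case to tests/services/vpn.scm. Relatedly, `host-name->ip` keeps only `(car (getaddrinfo name))` and lets a lookup failure propagate: a name with both A and AAAA records may yield the family that is not in use, and a transient DNS outage turns into an mcron job error rather than a skipped check; resolving all addresses, treating any match as fresh, and skipping the run when resolution fails would make the restart decision more robust. Finally, `(when (start-service service-name) ...)` starts a tunnel that an administrator has deliberately stopped as a side effect of the periodic check; if that is intended, a comment saying so would help.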
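Review bot: tests/services/vpn.scm exercises only positive cases for `ipv4-address?` and `ipv6-address?`; add negative cases (for example that `(ipv4-address? "example.org:51820")` and `(ipv6-address? "10.0.0.1")` return `#f`) and a direct `host-name?` check, since `host-name?` is defined purely as the negation of the two predicates and is otherwise only covered indirectly through `peers->endpoint-host-names`. The `(gnu packages vpn)`, `(guix gexp)` and `(ice-9 match)` imports are unused in this file.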
Subject: [bug#63402] [PATCH v3 2/3] services: wireguard: Clean-up configuration file serializer.
From: Maxim Cournoyer Date: Tue, 16 May 2023 00:09:07 -0400 Message-Id: X-Mailer: git-send-email 2.39.2 In-Reply-To: <76b34e5229e0e97068cb3bd42152f29630a8dbfc.1684210148.git.maxim.cournoyer@gmail.com> References: <76b34e5229e0e97068cb3bd42152f29630a8dbfc.1684210148.git.maxim.cournoyer@gmail.com> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches Previously, the generated config file would contain arbitrary whitespace that made it look ugly. * gnu/services/vpn.scm () [dns]: Change default value from #f to '(). (wireguard-configuration-file): Use match-record. Format each line individually, assembling the lines at the end to avoid extraneous white space. * doc/guix.texi (VPN Services): Update doc. --- doc/guix.texi | 2 +- gnu/services/vpn.scm | 119 ++++++++++++++++--------------------------- 2 files changed, 46 insertions(+), 75 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 4499a911d6..51c75a7dfc 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -32588,7 +32588,7 @@ VPN Services @item @code{port} (default: @code{51820}) The port on which to listen for incoming connections. -@item @code{dns} (default: @code{#f}) +@item @code{dns} (default: @code{'())}) The DNS server(s) to announce to VPN clients via DHCP. @item @code{monitor-ips?} (default: @code{#f}) diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index e21f999bc0..3f66db79de 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm 
@@ -44,6 +44,7 @@ (define-module (gnu services vpn) #:use-module (guix i18n) #:use-module (guix deprecation) #:use-module (srfi srfi-1) + #:use-module (ice-9 format) #:use-module (ice-9 match) #:use-module (ice-9 regex) #:export (openvpn-client-service ; deprecated @@ -745,7 +746,7 @@ (define-record-type* (peers wireguard-configuration-peers ;list of (default '())) (dns wireguard-configuration-dns ;list of strings - (default #f)) + (default '())) (monitor-ips? wireguard-configuration-monitor-ips? ;boolean (default #f)) (monitor-ips-interval wireguard-configuration-monitor-ips-interval @@ -763,24 +764,15 @@ (define-record-type* (define (wireguard-configuration-file config) (define (peer->config peer) - (let ((name (wireguard-peer-name peer)) - (public-key (wireguard-peer-public-key peer)) - (endpoint (wireguard-peer-endpoint peer)) - (allowed-ips (wireguard-peer-allowed-ips peer)) - (keep-alive (wireguard-peer-keep-alive peer))) - (format #f "[Peer] #~a -PublicKey = ~a -AllowedIPs = ~a -~a~a" - name - public-key - (string-join allowed-ips ",") - (if endpoint - (format #f "Endpoint = ~a\n" endpoint) - "") - (if keep-alive - (format #f "PersistentKeepalive = ~a\n" keep-alive) - "\n")))) + (match-record peer + (name public-key endpoint allowed-ips keep-alive) + (let ((lines (list + (format #f "[Peer] #~a" name) + (format #f "PublicKey = ~a" public-key) + (format #f "AllowedIPs = ~{~a~^, ~}" allowed-ips) + (format #f "~@[Endpoint = ~a~]" endpoint) + (format #f "~@[PersistentKeepalive = ~a~]" keep-alive)))) + (string-join (remove string-null? lines) "\n")))) (define (peers->preshared-keys peer keys) (let ((public-key (wireguard-peer-public-key peer)) 
@@ -799,65 +791,44 @@ (define (wireguard-configuration-file config) (computed-file "wireguard-config" #~(begin + (use-modules (ice-9 format) + (srfi srfi-1)) + + (define lines + (list + "[Interface]" + #$@(if (null? addresses) + '() + (list (format #f "Address = ~{~a~^, ~}" + addresses))) + (format #f "~@[Table = ~a~]" #$table) + #$@(if (null? pre-up) + '() + (list (format #f "~{PreUp = ~a~%~}" pre-up))) + (format #f "PostUp = ~a set %i private-key ~a\ +~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg") +#$private-key '#$peer-keys) + #$@(if (null? post-up) + '() + (list (format #f "~{PostUp = ~a~%~}" post-up))) + #$@(if (null? pre-down) + '() + (list (format #f "~{PreDown = ~a~%~}" pre-down))) + #$@(if (null? post-down) + '() + (list (format #f "~{PostDown = ~a~%~}" post-down))) + (format #f "~@[ListenPort = ~a~]" #$port) + #$@(if (null? dns) + '() + (list (format #f "~{DNS = ~{~a~^, ~}" dns))))) + (mkdir #$output) (chdir #$output) (call-with-output-file #$config-file (lambda (port) - (let ((format (@ (ice-9 format) format))) - (format port "[Interface] -Address = ~a -~a -~a -PostUp = ~a set %i private-key ~a~{ peer ~a preshared-key ~a~} -~a -~a -~a -~a -~a -~{~a~^~%~}" - #$(string-join addresses ",") - #$(if table - (format #f "Table = ~a" table) - "") - #$(if (null? pre-up) - "" - (string-join - (map (lambda (command) - (format #f "PreUp = ~a" command)) - pre-up) - "\n")) - #$(file-append wireguard "/bin/wg") - #$private-key - '#$peer-keys - #$(if (null? post-up) - "" - (string-join - (map (lambda (command) - (format #f "PostUp = ~a" command)) - post-up) - "\n")) - #$(if (null? pre-down) - "" - (string-join - (map (lambda (command) - (format #f "PreDown = ~a" command)) - pre-down) - "\n")) - #$(if (null? 
post-down) - "" - (string-join - (map (lambda (command) - (format #f "PostDown = ~a" command)) - post-down) - "\n")) - #$(if port - (format #f "ListenPort = ~a" port) - "") - #$(if dns - (format #f "DNS = ~a" - (string-join dns ",")) - "") - (list #$@peers))))))))) + (format port "~a~%~%~{~a~%~^~%~}" + (string-join (remove string-null? lines) "\n") + '#$peers))))))) (file-append config "/" config-file)))) (define (wireguard-activation config) From patchwork Tue May 16 04:09:08 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maxim Cournoyer X-Patchwork-Id: 50035 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id C384027BBE9; Tue, 16 May 2023 05:11:47 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI, RCVD_IN_MSPIKE_H2,SPF_HELO_PASS autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id F41A327BBE2 for ; Tue, 16 May 2023 05:11:46 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pym1j-0008KK-Mm; Tue, 16 May 2023 00:11:07 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pym1g-0008JJ-UU for guix-patches@gnu.org; Tue, 16 May 2023 00:11:05 -0400 Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pym1g-0002pu-13 for guix-patches@gnu.org; Tue, 16 May 2023 00:11:04 -0400 Received: from Debian-debbugs by debbugs.gnu.org 
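Review bot: in the doc/guix.texi hunk, `@code{'())}` has a stray closing parenthesis and renders as `'())`; it should read `@code{'()}`.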
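Review bot: the record hunk changes the `dns` default from `#f` to `'()` and the serializer now tests `(null? dns)`, so an existing configuration that explicitly sets `(dns #f)` (the documented default until this patch) reaches `(format #f "~{DNS = ..." #f)` and fails at build time. Accept `#f` as an alias for the empty list (or normalize it before serializing) so existing system configurations keep working.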
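Review bot: in the computed-file hunk the DNS line is produced by `(format #f "~{DNS = ~{~a~^, ~}" dns)`, which opens two `~{` iterations and closes only one: the outer `~{` is unbalanced and treats `dns` as a list of lists. It should be `(format #f "DNS = ~{~a~^, ~}" dns)`, matching the `Address = ~{~a~^, ~}` line above it. Also, `~{PreUp = ~a~%~}` and the matching PostUp/PreDown/PostDown directives leave a trailing newline after the last command, so the later `string-join ... "\n"` emits a blank line after each of these blocks, which is exactly the stray whitespace this commit sets out to remove; `~{PreUp = ~a~^~%~}` (and likewise for the others) avoids it.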
Subject: [bug#63402] [PATCH v3 3/3] services: wireguard: Workaround keep-alives bug.
From: Maxim Cournoyer Date: Tue, 16 May 2023 00:09:08 -0400 Message-Id: <7ae336651ea9af2aa191e99b8f046bfbc24a1335.1684210148.git.maxim.cournoyer@gmail.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <76b34e5229e0e97068cb3bd42152f29630a8dbfc.1684210148.git.maxim.cournoyer@gmail.com> References: <76b34e5229e0e97068cb3bd42152f29630a8dbfc.1684210148.git.maxim.cournoyer@gmail.com> MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/services/vpn.scm (wireguard-configuration-file): Add the 'persistent-keepalive' option to the PostUp script to workaround a bug. --- gnu/services/vpn.scm | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index 3f66db79de..587bfcfc0e 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm 
@@ -774,18 +774,19 @@ (define (wireguard-configuration-file config) (format #f "~@[PersistentKeepalive = ~a~]" keep-alive)))) (string-join (remove string-null? lines) "\n")))) - (define (peers->preshared-keys peer keys) - (let ((public-key (wireguard-peer-public-key peer)) - (preshared-key (wireguard-peer-preshared-key peer))) - (if preshared-key - (cons* public-key preshared-key keys) - keys))) + (define (peers->preshared-keys+keep-alive peer data) + (match-record peer + (public-key preshared-key keep-alive) + (if (or preshared-key keep-alive) + (cons* public-key preshared-key keep-alive data) + data))) (match-record config (wireguard interface addresses port private-key peers dns pre-up post-up pre-down post-down table) (let* ((config-file (string-append interface ".conf")) - (peer-keys (fold peers->preshared-keys (list) peers)) + (peer-keys+keep-alive (fold peers->preshared-keys+keep-alive + '() peers)) (peers (map peer->config peers)) (config (computed-file @@ -805,9 +806,14 @@ (define (wireguard-configuration-file config) #$@(if (null? pre-up) '() (list (format #f "~{PreUp = ~a~%~}" pre-up))) + ;; Duplicate the persistent-keepalive setting here, to + ;; workaround a bug in WireGuard where keep-alives are not + ;; sent when an interface is initially brought up without + ;; a private key. (format #f "PostUp = ~a set %i private-key ~a\ -~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg") -#$private-key '#$peer-keys) +~{ peer ~a~@[ preshared-key ~a~]~@[ persistent-keepalive ~a~]~}" + #$(file-append wireguard "/bin/wg") + #$private-key '#$peer-keys+keep-alive) #$@(if (null? post-up) '() (list (format #f "~{PostUp = ~a~%~}" post-up)))
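Review bot: the comment added to the PostUp hunk describes a WireGuard bug ("keep-alives are not sent when an interface is initially brought up without a private key") but cites no upstream report; add a link or issue reference so the workaround can be removed once it is fixed. The layout is consistent: `peers->preshared-keys+keep-alive` pushes three items per peer and the format string `~{ peer ~a~@[ preshared-key ~a~]~@[ persistent-keepalive ~a~]~}` consumes three per iteration, with `~@[` skipping `#f` values. Since the helper is applied to one peer at a time, the rename is also a chance to drop the plural `peers->` prefix.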