diff options
author | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2023-05-09 16:52:22 -0400 |
---|---|---|
committer | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2023-07-21 11:58:44 -0400 |
commit | 8d785c43bad05546cfe8e08a1bbe065a63215f9d (patch) | |
tree | 2542fdc0be99d94a4b54cd9bd5d3ccfc4e4e7e64 /gnu | |
parent | f15c5edb1a2423402b32a5262627eb2141becf65 (diff) |
services: wireguard: Implement a dynamic IP monitoring feature.
* gnu/services/vpn.scm (<wireguard-configuration>)
[monitor-ips?, monitor-ips-internal]: New fields.
* gnu/services/vpn.scm (define-with-source): New syntax.
(wireguard-service-name, strip-port/maybe)
(ipv4-address?, ipv6-address?, host-name?)
(endpoint-host-names): New procedure.
(wireguard-monitoring-jobs): Likewise.
(wireguard-service-type): Register it.
* tests/services/vpn.scm: New file.
* Makefile.am (SCM_TESTS): Register it.
* doc/guix.texi (VPN Services): Update doc.
Reviewed-by: Bruno Victal <mirai@makinata.eu>
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/services/vpn.scm | 150 |
1 files changed, 146 insertions, 4 deletions
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index a884d71eb2..17aed8b3b2 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -11,6 +11,7 @@ ;;; Copyright © 2021 Nathan Dehnel <ncdehnel@gmail.com> ;;; Copyright © 2022 Cameron V Chaparro <cameron@cameronchaparro.com> ;;; Copyright © 2022 Timo Wilken <guix@twilken.net> +;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -31,10 +32,12 @@ #:use-module (gnu services) #:use-module (gnu services configuration) #:use-module (gnu services dbus) + #:use-module (gnu services mcron) #:use-module (gnu services shepherd) #:use-module (gnu system shadow) #:use-module (gnu packages admin) #:use-module (gnu packages vpn) + #:use-module (guix modules) #:use-module (guix packages) #:use-module (guix records) #:use-module (guix gexp) @@ -73,6 +76,8 @@ wireguard-configuration-addresses wireguard-configuration-port wireguard-configuration-dns + wireguard-configuration-monitor-ips? + wireguard-configuration-monitor-ips-interval wireguard-configuration-private-key wireguard-configuration-peers wireguard-configuration-pre-up @@ -741,6 +746,10 @@ strongSwan."))) (default '())) (dns wireguard-configuration-dns ;list of strings (default #f)) + (monitor-ips? wireguard-configuration-monitor-ips? ;boolean + (default #f)) + (monitor-ips-interval wireguard-configuration-monitor-ips-interval + (default '(next-minute (range 0 60 5)))) ;string | list (pre-up wireguard-configuration-pre-up ;list of strings (default '())) (post-up wireguard-configuration-post-up ;list of strings @@ -871,6 +880,58 @@ PostUp = ~a set %i private-key ~a~{ peer ~a preshared-key ~a~} (chmod #$private-key #o400) (close-pipe pipe)))))) +;;; XXX: Copied from (guix scripts pack), changing define to define*. +(define-syntax-rule (define-with-source (variable args ...) body body* ...) + "Bind VARIABLE to a procedure accepting ARGS defined as BODY, also setting +its source property." + (begin + (define* (variable args ...) + body body* ...) + (eval-when (load eval) + (set-procedure-property! variable 'source + '(define* (variable args ...) body body* ...))))) + +(define (wireguard-service-name interface) + "Return the WireGuard service name (a symbol) configured to use INTERFACE." + (symbol-append 'wireguard- (string->symbol interface))) + +(define-with-source (strip-port/maybe endpoint #:key ipv6?) + "Strip the colon and port, if present in ENDPOINT, a string." + (if ipv6? + (if (string-prefix? "[" endpoint) + (first (string-split (string-drop endpoint 1) #\])) ;ipv6 + endpoint) + (first (string-split endpoint #\:)))) ;ipv4 + +(define* (ipv4-address? address) + "Predicate to check whether ADDRESS is a valid IPv4 address." + (let ((address (strip-port/maybe address))) + (false-if-exception + (->bool (getaddrinfo address #f AI_NUMERICHOST AF_INET))))) + +(define* (ipv6-address? address) + "Predicate to check whether ADDRESS is a valid IPv6 address." + (let ((address (strip-port/maybe address #:ipv6? #t))) + (false-if-exception + (->bool (getaddrinfo address #f AI_NUMERICHOST AF_INET6))))) + +(define (host-name? name) + "Predicate to check whether NAME is a host name, i.e. not an IP address." + (not (or (ipv6-address? name) (ipv4-address? name)))) + +(define (endpoint-host-names peers) + "Return an association list of endpoint host names keyed by their peer +public key, if any." + (reverse + (fold (lambda (peer host-names) + (let ((public-key (wireguard-peer-public-key peer)) + (endpoint (wireguard-peer-endpoint peer))) + (if (and endpoint (host-name? endpoint)) + (cons (cons public-key endpoint) host-names) + host-names))) + '() + peers))) + (define (wireguard-shepherd-service config) (match-record config <wireguard-configuration> (wireguard interface) @@ -878,9 +939,7 @@ PostUp = ~a set %i private-key ~a~{ peer ~a preshared-key ~a~} (config (wireguard-configuration-file config))) (list (shepherd-service (requirement '(networking)) - (provision (list - (symbol-append 'wireguard- - (string->symbol interface)))) + (provision (list (wireguard-service-name interface))) (start #~(lambda _ (invoke #$wg-quick "up" #$config))) (stop #~(lambda _ @@ -888,6 +947,87 @@ PostUp = ~a set %i private-key ~a~{ peer ~a preshared-key ~a~} #f)) ;stopped! (documentation "Run the Wireguard VPN tunnel")))))) +(define (wireguard-monitoring-jobs config) + ;; Loosely based on WireGuard's own 'reresolve-dns.sh' shell script (see: + ;; https://raw.githubusercontent.com/WireGuard/wireguard-tools/ + ;; master/contrib/reresolve-dns/reresolve-dns.sh). + (match-record config <wireguard-configuration> + (interface monitor-ips? monitor-ips-interval peers) + (let ((host-names (endpoint-host-names peers))) + (if monitor-ips? + (if (null? host-names) + (begin + (warn "monitor-ips? is #t but no host name to monitor") + '()) + ;; The mcron monitor job may be a string or a list; ungexp strips + ;; one quote level, which must be added back when a list is + ;; provided. + (list + #~(job + (if (string? #$monitor-ips-interval) + #$monitor-ips-interval + '#$monitor-ips-interval) + #$(program-file + (format #f "wireguard-~a-monitoring" interface) + (with-imported-modules (source-module-closure + '((gnu services herd) + (guix build utils))) + #~(begin + (use-modules (gnu services herd) + (guix build utils) + (ice-9 popen) + (ice-9 match) + (ice-9 textual-ports) + (srfi srfi-1) + (srfi srfi-26)) + + (define (resolve-host name) + "Return the IP address resolved from NAME." + (let* ((ai (car (getaddrinfo name))) + (sa (addrinfo:addr ai))) + (inet-ntop (sockaddr:fam sa) + (sockaddr:addr sa)))) + + (define wg #$(file-append wireguard-tools "/bin/wg")) + + #$(procedure-source strip-port/maybe) + + (define service-name '#$(wireguard-service-name + interface)) + + (when (live-service-running + (current-service service-name)) + (let* ((pipe (open-pipe* OPEN_READ wg "show" + #$interface "endpoints")) + (lines (string-split (get-string-all pipe) + #\newline)) + ;; IPS is an association list mapping + ;; public keys to IP addresses. + (ips (map (match-lambda + ((public-key ip) + (cons public-key + (strip-port/maybe ip)))) + (map (cut string-split <> #\tab) + (remove string-null? + lines))))) + (close-pipe pipe) + (for-each + (match-lambda + ((key . host-name) + (let ((resolved-ip (resolve-host + (strip-port/maybe + host-name))) + (current-ip (assoc-ref ips key))) + (unless (string=? resolved-ip current-ip) + (format #t "resetting `~a' peer \ +endpoint to `~a' due to stale IP (`~a' instead of `~a')~%" + key host-name + current-ip resolved-ip) + (invoke wg "set" #$interface "peer" key + "endpoint" host-name))))) + '#$host-names))))))))) + '())))) ;monitor-ips? is #f + (define wireguard-service-type (service-type (name 'wireguard) @@ -898,6 +1038,8 @@ PostUp = ~a set %i private-key ~a~{ peer ~a preshared-key ~a~} wireguard-activation) (service-extension profile-service-type (compose list - wireguard-configuration-wireguard)))) + wireguard-configuration-wireguard)) + (service-extension mcron-service-type + wireguard-monitoring-jobs))) (description "Set up Wireguard @acronym{VPN, Virtual Private Network} tunnels."))) |