--- rpms/smeserver-wireguard/contribs10/smeserver-wireguard-1.0-bz11721-init.patch 2021/10/28 01:34:43 1.3
+++ rpms/smeserver-wireguard/contribs10/smeserver-wireguard-1.0-bz11721-init.patch 2021/11/03 18:19:58 1.10
@@ -64,3 +64,379 @@ diff -Nur --no-dereference smeserver-wir - -} - +diff -Nur --no-dereference smeserver-wireguard-1.0.old/createlink smeserver-wireguard-1.0/createlink +--- smeserver-wireguard-1.0.old/createlink 2021-10-27 21:37:41.284000000 -0400 ++++ smeserver-wireguard-1.0/createlink 2021-10-27 21:38:21.164000000 -0400 +@@ -33,7 +33,7 @@ + )); + event_services($event, qw( + masq restart +- 'wg-quick@wg0' restart ++ wg-quick@wg0 restart + )); + event_link("wireguard-network", $event, "30"); + +@@ -44,7 +44,7 @@ + /etc/wireguard/server_public.key + )); + event_services($event, qw( +- 'wg-quick@wg0' restart ++ wg-quick@wg0 restart + )); + + #wireguard-user-create +@@ -65,7 +65,7 @@ + /etc/wireguard/server_public.key + )); + event_services($event, qw( +- 'wg-quick@wg0' restart ++ wg-quick@wg0 restart + )); + + +diff -Nur --no-dereference smeserver-wireguard-1.0.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/wireguard smeserver-wireguard-1.0/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/wireguard +--- smeserver-wireguard-1.0.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/wireguard 2021-10-26 23:15:11.000000000 -0400 ++++ smeserver-wireguard-1.0/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/wireguard 2021-10-27 21:41:45.296000000 -0400 +@@ -239,6 +239,10 @@ + You can not alter the server ip, mask, private and public key as there are already some clients configured. 
+ + ++ ++ NO_CONF ++ No configured client ++ + + + +diff -Nur --no-dereference smeserver-wireguard-1.0.old/root/etc/e-smith/templates/etc/wireguard/wg0.conf/10interface smeserver-wireguard-1.0/root/etc/e-smith/templates/etc/wireguard/wg0.conf/10interface +--- smeserver-wireguard-1.0.old/root/etc/e-smith/templates/etc/wireguard/wg0.conf/10interface 2021-06-28 04:41:57.000000000 -0400 ++++ smeserver-wireguard-1.0/root/etc/e-smith/templates/etc/wireguard/wg0.conf/10interface 2021-10-27 17:41:12.223000000 -0400 +@@ -4,7 +4,6 @@ + PrivateKey = {${'wg-quick@wg0'}{private}} + + # this should be added to masq with correct interfaces +-#eth0 should be rempalced by external interface if available or internal +-#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE +-#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE ++PostUp = iptables -I FORWARD -i %i -j ACCEPT; iptables -I FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {$outernet = ($SystemMode eq "serveronly") ? $InternalInterface{Name} : $ExternalInterface{Name}; return $InternalInterface{Name} } -j MASQUERADE ++PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {$outernet = ($SystemMode eq "serveronly") ? 
$InternalInterface{Name} : $ExternalInterface{Name}; return $InternalInterface{Name} } -j MASQUERADE + +diff -Nur --no-dereference smeserver-wireguard-1.0.old/root/etc/e-smith/templates/etc/wireguard/wg0.conf/50usersPeers smeserver-wireguard-1.0/root/etc/e-smith/templates/etc/wireguard/wg0.conf/50usersPeers +--- smeserver-wireguard-1.0.old/root/etc/e-smith/templates/etc/wireguard/wg0.conf/50usersPeers 2021-06-28 04:46:01.000000000 -0400 ++++ smeserver-wireguard-1.0/root/etc/e-smith/templates/etc/wireguard/wg0.conf/50usersPeers 2021-10-27 17:41:12.429000000 -0400 +@@ -1,33 +1,36 @@ + { +-$OUT = ""; ++use esmith::AccountsDB; + +-return; +-my $wg = esmith::ConfigDB->open_ro('/etc/e-smith/db/wireguard') or return "#no peers"; +-# for each user ++my $wg = esmith::ConfigDB->open_ro('/home/e-smith/db/wireguard'); + my $accounts = esmith::AccountsDB->open_ro; +-for my $user ( $accounts->get_all_by_prop(type => 'wg0') ) { ++ ++# for each user ++my @users = ( $accounts->users ); ++push(@users, $accounts->get('admin')); ++for my $user ( @users ) { + my $username = $user->key; ++ my $count = 0; + for my $cnx ( $wg->get_all_by_prop(user => $username) ) { ++ $count++; + my $public = $cnx->prop('public'); +- my $ip = $cnx->prop('ip'); ++ my $ip = $cnx->key; + my $info = $cnx->prop('info'); ++ my $status = $cnx->prop('status') || "enabled"; ++ if ( $status eq "disabled" ) { ++ $OUT .= "\n# $username : $info DISABLED (PublicKey = $public ; AllowedIPs = $ip)\n"; ++ next; ++ } + +-# wireguard +-#private;public;ips;info#private;public;ips;info +-#private and public is base64 : +/= could be in it +-#ips can be v4 or v6 with subnet ./:, +-#info could have letters, digit and space +-# to separate multiple # +- +- $OUT .= " ++ $OUT .= " + [Peer] + # $username : $info + PublicKey = $public + AllowedIPs = $ip\n"; +- } + ++ ++ } ++ $OUT .= "# no entry for user $username\n" if $count <1; + } + + + } +- +diff -Nur --no-dereference 
smeserver-wireguard-1.0.old/root/etc/e-smith/templates/etc/wireguard/wg0.conf/60serversPeers smeserver-wireguard-1.0/root/etc/e-smith/templates/etc/wireguard/wg0.conf/60serversPeers +--- smeserver-wireguard-1.0.old/root/etc/e-smith/templates/etc/wireguard/wg0.conf/60serversPeers 2021-06-08 03:56:43.000000000 -0400 ++++ smeserver-wireguard-1.0/root/etc/e-smith/templates/etc/wireguard/wg0.conf/60serversPeers 1969-12-31 19:00:00.000000000 -0500 +@@ -1,3 +0,0 @@ +- +-#TODO +- +diff -Nur --no-dereference smeserver-wireguard-1.0.old/createlink smeserver-wireguard-1.0/createlink +--- smeserver-wireguard-1.0.old/createlink 2021-10-27 23:25:06.319000000 -0400 ++++ smeserver-wireguard-1.0/createlink 2021-10-27 23:33:11.426000000 -0400 +@@ -16,7 +16,7 @@ + + event_services($event, qw( + masq restart +- 'wg-quick@wg0' restart ++ wg-quick@wg0 restart + )); + event_link("wireguard-network", $event, "30"); + templates2events("/etc/systemd/system-preset/49-koozali.preset", $event); +@@ -54,7 +54,7 @@ + /etc/wireguard/server_public.key + )); + event_services($event, qw( +- 'wg-quick@wg0' restart ++ wg-quick@wg0 restart + )); + event_link("wireguard-user-create", $event, "03"); + +@@ -67,6 +67,11 @@ + event_services($event, qw( + wg-quick@wg0 restart + )); ++ ++$event="remoteaccess-update"; ++event_services($event, qw( ++ wg-quick@wg0 restart ++)); + + + panel_link("wireguard", "manager"); +diff -Nur --no-dereference smeserver-wireguard-1.0.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm smeserver-wireguard-1.0/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm +--- smeserver-wireguard-1.0.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm 2021-10-26 23:15:10.000000000 -0400 ++++ smeserver-wireguard-1.0/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm 2021-10-31 22:37:41.238000000 -0400 +@@ -224,6 +224,7 @@ + my $wg0 = $cdb->get('wg-quick@wg0'); + my $ServPublic = $wg0->prop('public'); + my 
$Port = $wg0->prop('UDPPort'); ++my $allowedips = $wg0->prop('allowedips') || "0.0.0.0/0"; + + #here we guess wan IP + # are we server-gateway mode ? so external lan, should do +@@ -233,15 +234,20 @@ + # dig @resolver4.opendns.com myip.opendns.com +short -4 + # dig @resolver1.ipv6-sandbox.opendns.com AAAA myip.opendns.com +short -6 + ++#DNS ++my $IPAddress = $cdb->get('InternalInterface')->prop('IPAddress'); ++my $dns = ($allowedips =~ /0.0.0.0\/0/)? "DNS = $IPAddress" : "" ; ++ + + my $fulltext ="#configuration for $key $info + [Interface] + PrivateKey = $private + Address = $key ++$dns + + [Peer] + PublicKey = $ServPublic +-AllowedIPs = 0.0.0.0/0 ++AllowedIPs = $allowedips + Endpoint = $ExternalIP:$Port + "; + # we could add a DNS field in [Interface] +diff -Nur --no-dereference smeserver-wireguard-1.0.old/root/etc/e-smith/db/configuration/migrate/wireguard smeserver-wireguard-1.0/root/etc/e-smith/db/configuration/migrate/wireguard +--- smeserver-wireguard-1.0.old/root/etc/e-smith/db/configuration/migrate/wireguard 2021-11-01 21:46:45.647000000 -0400 ++++ smeserver-wireguard-1.0/root/etc/e-smith/db/configuration/migrate/wireguard 2021-11-01 21:50:17.661000000 -0400 +@@ -1,4 +1,6 @@ + { ++my $wireguard = $DB->get('wg-quick@wg0') || $DB->new_record('wg-quick@wg0', {type => 'service'}); ++ + # add private and public key if not present + unless (defined ${'wg-quick@wg0'}{'private'}) { + $value= `/usr/bin/wg genkey`; +diff -Nur --no-dereference smeserver-wireguard-1.0.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/wireguard smeserver-wireguard-1.0/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/wireguard +--- smeserver-wireguard-1.0.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/wireguard 2021-11-03 00:04:00.688000000 -0400 ++++ smeserver-wireguard-1.0/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/wireguard 2021-11-03 00:24:10.217000000 -0400 +@@ -244,5 +244,10 @@ + No configured client + + ++ ++ INTERFACE ++ Interface ++ ++ 
+ + +diff -Nur --no-dereference smeserver-wireguard-1.0.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm smeserver-wireguard-1.0/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm +--- smeserver-wireguard-1.0.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm 2021-11-03 00:04:00.691000000 -0400 ++++ smeserver-wireguard-1.0/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm 2021-11-03 00:06:45.195000000 -0400 +@@ -82,7 +82,7 @@ + esmith::cgi::genSmallCell($q, $fm->localise('CONF_NAME'),"header"), + esmith::cgi::genSmallCell($q, $fm->localise('USER'),"header"), + esmith::cgi::genSmallCell($q, $fm->localise('INFO'),"header"), +- esmith::cgi::genSmallCell($q, $fm->localise('STATUS'),"header"), ++ esmith::cgi::genSmallCell($q, $fm->localise('LABEL_STATUS'),"header"), + esmith::cgi::genSmallCell($q, $fm->localise('ACTION'),"header", 3), + ), + "\n"; +@@ -131,7 +131,12 @@ + my $wgip = $wg->prop('ip'); + my $wgmask = $wg->prop('mask'); + my $wgport = $wg->prop('UDPPort'); ++ my $sstatus = $wg->prop('status'); + ++ print $q->Tr (esmith::cgi::genSmallCell($q,$fm->localise('INTERFACE'),"header"), ++ esmith::cgi::genSmallCell($q, "wg0"),); ++ print $q->Tr (esmith::cgi::genSmallCell($q,$fm->localise('LABEL_STATUS'),"header"), ++ esmith::cgi::genSmallCell($q, $sstatus),); + print $q->Tr (esmith::cgi::genSmallCell($q,$fm->localise('PUBLIC_KEY'),"header"), + esmith::cgi::genSmallCell($q, $wgpub),); + print $q->Tr (esmith::cgi::genSmallCell($q,$fm->localise('IP'),"header"), +@@ -228,11 +233,10 @@ + + #here we guess wan IP + # are we server-gateway mode ? 
so external lan, should do +-my $ExternalIP = $cdb->get('ExternalInterface')->prop('IPAddress'); + # else we should guess from an external service +-# dig @resolver4.opendns.com myip.opendns.com +short +-# dig @resolver4.opendns.com myip.opendns.com +short -4 +-# dig @resolver1.ipv6-sandbox.opendns.com AAAA myip.opendns.com +short -6 ++#my $internet_ip_address = get_internet_ip_address(); ++my $ExternalIP = $cdb->get('ExternalInterface')->prop('IPAddress'); ++$ExternalIP=get_internet_ip_address() unless defined $ExternalIP; + + #DNS + my $IPAddress = $cdb->get('InternalInterface')->prop('IPAddress'); +@@ -250,8 +254,6 @@ + AllowedIPs = $allowedips + Endpoint = $ExternalIP:$Port + "; +-# we could add a DNS field in [Interface] +-# DNS = 1.1.1.1, 1.0.0.1 + + print "
"; + +@@ -476,7 +478,7 @@ + $fm->error('ERROR_OCCURED','FIRST_PAGE'); + return undef; + } +- unless (system ("/sbin/e-smith/signal-event", "wireguard-client-remove") == 0 ){ ++ unless (system ("/sbin/e-smith/signal-event", "wireguard-user-delete") == 0 ){ + $fm->error('ERROR_OCCURED','FIRST_PAGE'); + return undef; + } +@@ -539,4 +541,73 @@ + } + + ++ ++sub get_internet_ip_address { ++ #we could use DNS to do this faster but some provider will block DNS ++ #dig +short myip.opendns.com @resolver1.opendns.com ++ #also resolver1.opendns.com resolver2.opendns.com resolver3.opendns.com ++ #here a list of available site with https ++ use Net::DNS; ++ use LWP::Simple; ++ my $timeout=1; ++ ++ my @httpslist=qw( ++checkip.amazonaws.com ++myexternalip.com/raw ++ifconfig.me/ ++icanhazip.com/ ++ident.me/ ++tnx.nl/ip ++ipecho.net/plain ++wgetip.com/ ++ip.tyk.nu/ ++bot.whatismyipaddress.com/ ++ipof.in/txt ++l2.io/ip ++eth0.me/ ); ++ my @dns = ( ++ ['myip.opendns.com', 'resolver1.opendns.com', 'A'], ++ ['myip.opendns.com', 'resolver2.opendns.com', 'A'], ++ ['myip.opendns.com', 'resolver3.opendns.com', 'A'], ++ ['myip.opendns.com', 'resolver4.opendns.com', 'A'], ++ ['whoami.akamai.net', 'ns1-1.akamaitech.net', 'A'], ++ ['o-o.myaddr.l.google.com', 'ns1.google.com', 'TXT'] ++ ++ ); ++ my $ip; ++ ++ #foreach my $i ( 0 .. $#dns) { ++ # dns calls; test only one random... 
++ my $i = rand(@httpslist); ++ my $res = Net::DNS::Resolver->new( ++ nameservers => [ $dns[$i][1] ], ++ udp_timeout => $timeout, ++ tcp_timeout => $timeout ++ ); ++ my $reply = $res->search($dns[$i][0], $dns[$i][2]); ++ if ($reply) { ++ foreach my $rr ($reply->answer) { ++ $ip= $rr->txtdata if $rr->can("txtdata"); ++ $ip= $rr->address if $rr->can("address"); ++ return $ip if $ip =~ /(\d+\.\d+\.\d+\.\d+)/; ++ } ++ } else { ++ warn "query failed: ", $res->errorstring, "\n"; ++ } ++ #} ++ ++ # https calls ++ my $ii=0; ++ my $service; ++ while ( $ii <5 ) { ++ $service=$httpslist[rand(@httpslist)]; ++ $ip = (get "https://$service" ); ++ chomp $ip; ++ $ii++; ++ last if $ip =~ /(\d+\.\d+\.\d+\.\d+)/; ++ } ++ return $ip; ++} ++ ++ + 1; +diff -Nur --no-dereference smeserver-wireguard-1.0.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm smeserver-wireguard-1.0/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm +--- smeserver-wireguard-1.0.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm 2021-11-03 14:18:15.780000000 -0400 ++++ smeserver-wireguard-1.0/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm 2021-11-03 14:18:39.640000000 -0400 +@@ -234,9 +234,8 @@ + #here we guess wan IP + # are we server-gateway mode ? 
so external lan, should do + # else we should guess from an external service +-#my $internet_ip_address = get_internet_ip_address(); + my $ExternalIP = $cdb->get('ExternalInterface')->prop('IPAddress'); +-$ExternalIP=get_internet_ip_address() unless defined $ExternalIP; ++$ExternalIP = get_internet_ip_address() unless defined $ExternalIP; + + #DNS + my $IPAddress = $cdb->get('InternalInterface')->prop('IPAddress'); +@@ -589,6 +588,8 @@ + foreach my $rr ($reply->answer) { + $ip= $rr->txtdata if $rr->can("txtdata"); + $ip= $rr->address if $rr->can("address"); ++ # untaint, dns output is tainted ++ ($ip) = $ip =~ /(\d+\.\d+\.\d+\.\d+)/; + return $ip if $ip =~ /(\d+\.\d+\.\d+\.\d+)/; + } + } else { +@@ -606,8 +607,9 @@ + $ii++; + last if $ip =~ /(\d+\.\d+\.\d+\.\d+)/; + } ++ # not needed but in case, untaint ++ ($ip) = $ip =~ /(\d+\.\d+\.\d+\.\d+)/; + return $ip; + } + +- + 1;
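Review bot: In get_internet_ip_address the DNS probe index is drawn from the wrong array: `my $i = rand(@httpslist);` ranges over the 13 HTTPS entries while `@dns` has only 6, so more than half the calls dereference an undef `$dns[$i]` and hand an undef nameserver to Net::DNS::Resolver; it should read `my $i = int rand @dns;`. When every probe fails `$ip` stays undef, the trailing untaint `($ip) = $ip =~ /(\d+\.\d+\.\d+\.\d+)/;` keeps it undef (with a warning from `chomp`), and the caller interpolates it into the client file as `Endpoint = $ExternalIP:$Port`, so the function should end with `return $ip if defined $ip and $ip =~ /\A\d+\.\d+\.\d+\.\d+\z/; return;` and the caller should refuse to emit a config with no endpoint rather than a malformed one. It is also worth a comment at the top of the sub that the address is accepted on trust from whichever third-party service answers first and is written straight into the peer's Endpoint, since a wrong answer silently misdirects every generated client. In 10interface the template block `{$outernet = ($SystemMode eq "serveronly") ? ... : ...; return $InternalInterface{Name} }` computes the interface choice and then discards it, so the MASQUERADE rule always names the internal interface even in gateway mode; if that is not deliberate the block should end with `return $outernet;`. Finally, `iptables -I FORWARD -i %i -j ACCEPT` in PostUp inserts ahead of every existing FORWARD rule, so wg0 peers bypass whatever the masq-generated chain would otherwise apply; either append with `-A` as the removed comment did, or add a comment stating why head-of-chain position is required.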