diff -Nur --no-dereference smeserver-wireguard-1.0.old/createlink smeserver-wireguard-1.0/createlink
--- smeserver-wireguard-1.0.old/createlink 2022-05-29 02:43:17.319000000 -0400
+++ smeserver-wireguard-1.0/createlink 2022-05-29 02:46:12.907000000 -0400
@@ -24,7 +24,7 @@
 masq restart
 wg-quick@wg0 restart
 ));
-event_link("wireguard-network", $event, "30");
+event_link("wireguard-network", $event, "04");
 templates2events("/etc/systemd/system-preset/49-koozali.preset", $event);
 event_link("systemd-reload", $event, "89");
 event_link("systemd-default", $event, "88");
@@ -41,7 +41,7 @@
 masq restart
 wg-quick@wg0 restart
 ));
-event_link("wireguard-network", $event, "30");
+event_link("wireguard-network", $event, "04");
 
 #wireguard-user-modify
 $event="wireguard-user-modify";
diff -Nur --no-dereference smeserver-wireguard-1.0.old/root/etc/e-smith/events/actions/wireguard-network smeserver-wireguard-1.0/root/etc/e-smith/events/actions/wireguard-network
--- smeserver-wireguard-1.0.old/root/etc/e-smith/events/actions/wireguard-network 2022-05-29 02:43:17.315000000 -0400
+++ smeserver-wireguard-1.0/root/etc/e-smith/events/actions/wireguard-network 2022-05-29 02:44:49.245000000 -0400
@@ -8,8 +8,9 @@
 use esmith::AccountsDB;
 use NetAddr::IP;
 use Net::Netmask;
+use NetAddr::IP;
 
-my $conf = esmith::ConfigDB->open_ro;
+my $conf = esmith::ConfigDB->open;
 my $netdb = esmith::ConfigDB->open('networks');
 my $accounts = esmith::AccountsDB->open;
 esmith::ConfigDB->create('/home/e-smith/db/wireguard') unless (-f '/home/e-smith/db/wireguard');
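Review bot: The new priority `"04"` is a bare magic number in both createlink hunks (`@@ -24,7 +24,7 @@` and `@@ -41,7 +41,7 @@`) and nothing records why wireguard-network must now run that early instead of at 30. The companion wireguard-network change lets the action rewrite the wg-quick@wg0 ip/mask, so presumably it has to finish before the template expansion that templates2events registers, otherwise the expanded wg0 config would still carry the rejected address. A comment next to each call would stop the next maintainer from "tidying" it back: `# 04: must run before template expansion, wireguard-network may rewrite wg-quick@wg0 ip/mask`.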
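Review bot: The added `use NetAddr::IP;` duplicates the identical line two lines above it in the same hunk, so it is dead noise; drop the added line rather than importing the same module twice. The `open_ro` to `open` switch is the meaningful part, since the action presumably writes wg-quick@wg0 props through `$conf` further down, and a one-line comment would make that intent explicit: `# read-write: this action may reset ip/mask/status on wg-quick@wg0`.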
@@ -24,14 +25,50 @@
 my $ip = $block->base;
 my $mask = $block->mask;
+#count clients
+my @client = $wg->get_all_by_prop(type=>"wg0");
+my $clients = scalar @client;
+
+#check is_rfc1918
+#if yes proceed
+my $skipme = 0;
+my $rfc=NetAddr::IP->new($wgip,$wgmask);
+unless ( $rfc->is_rfc1918() ) {
+ if ($clients == 0 ) {
+ #if not and no clients make it compliant 172.16.0.1/22 as default
+ my $minimum=16;
+ my $maximum=32;
+ my $x = $minimum + int(rand($maximum - $minimum));
+ warn("$wgip/$wgmask is not considered as a LAN addressing, set default to 172.$x.0.1/22");
+ $wgip="172.$x.0.1";$wgmask="22";
+ $wg0->set_prop('ip',$wgip); $wg0->set_prop('mask',$wgmask);
+ $block = Net::Netmask->new("$wgip/$wgmask", shortnet => 1);
+ $ip = $block->base;
+ $mask = $block->mask;
+ }
+ else {
+ #if not and clients configured, disable service delete network
+ warn("$wgip/$wgmask is not considered as a LAN addressing, adding this network to SME trusted network could allow email relaying. Disabling service.");
+ warn("Please remove configured client and start your configuration from scratch");
+ $wg0->set_prop('status','disabled');
+ $skipme=1; $ip="nop";
+ }
+}
+
+#if yes proceed
+#if not and no clients make it compliant 172.16.0.1/22 as default
+#if not and clients configured, disable service delete network
+
 #First delete any already there.
 my @wg = $netdb->get_all_by_prop(Wireguard=>"wg0");
 foreach my $netwg (@wg) {
+ next if ($netwg->key eq $ip and $netwg->prop('Mask') eq $mask);
+ print "delete " . $netwg->key;
 $netwg->delete();
 }
 # and then create one from the wireguard server ip
 my $iswg=$netdb->get($ip);
-unless ($iswg) {
+unless ($iswg or $skipme == 1) {
 $netdb->new_record("$ip",{
 type => "network",
 Mask => "$mask",
 Wireguard => "wg0",
diff -Nur --no-dereference smeserver-wireguard-1.0.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm smeserver-wireguard-1.0/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm
--- smeserver-wireguard-1.0.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm 2022-05-29 02:43:17.320000000 -0400
+++ smeserver-wireguard-1.0/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/wireguard.pm 2022-05-29 02:44:49.471000000 -0400
@@ -447,14 +447,18 @@
 ,'status' => $status );
+ # Test Ip is inside CIDR
+ if (!test_for_private_ip($ip,$mask)) {
+ $msg = "IP must be in private range";
+ $fm->error($msg);return;
+ }
+
+
 $cdb->get('wg-quick@wg0')->merge_props(%props) or $msg = "Error occurred while modifying server details.";
- # Test Ip is inside CIDR
- if (!test_for_private_ip($ip,$mask)) {$msg = "IP must be in private range";}
- #else {$msg = "Ip is inside range $ip / $mask";}
- unless ($msg eq "OK"){
+ if ($msg eq "OK"){
 # Untaint before use in system()
 ($ip) = ($ip =~ /(\d+\.+\d+\.+\d+\.+\d+\.+\/\d+\.+)/); system( "/sbin/e-smith/signal-event", "wireguard-conf-modify", "$ip",)
diff -Nur --no-dereference smeserver-wireguard-1.0.old/root/usr/share/smanager/lib/SrvMngr/Controller/Wireguard.pm smeserver-wireguard-1.0/root/usr/share/smanager/lib/SrvMngr/Controller/Wireguard.pm
--- smeserver-wireguard-1.0.old/root/usr/share/smanager/lib/SrvMngr/Controller/Wireguard.pm 2022-05-29 02:43:17.321000000 -0400
+++ smeserver-wireguard-1.0/root/usr/share/smanager/lib/SrvMngr/Controller/Wireguard.pm 2022-05-29 02:51:31.997000000 -0400
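Review bot: `NetAddr::IP->new($wgip,$wgmask)` returns undef for a malformed db value, so the very next line, `$rfc->is_rfc1918()`, dies on an undefined invocant and the whole event aborts before any network record is touched; guard it, e.g. `my $rfc = NetAddr::IP->new($wgip,$wgmask) or die "wg0 ip/mask '$wgip/$wgmask' is not a valid address\n";`. The fallback `172.$x.0.1/22` is picked with `rand` and is never compared with the records already in `$netdb` or with the server's own LAN, so it can land on a range that is already a trusted network and the wg0 record created below would then overlap it; retry with another `$x` while the candidate `Net::Netmask` contains, or is contained by, an existing network key. `$wgip`, `$wgmask` and `$wg0` are assigned before the hunk starts, and in the `else` branch only the db `status` is flipped while the explanation lives in two `warn` calls, which is worth stating in the block comment so a reader knows where the service actually gets stopped.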
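Review bot: Now that the `if ($msg eq "OK")` inversion makes the `system()` path reachable on success, the untaint two lines below it, `/(\d+\.+\d+\.+\d+\.+\d+\.+\/\d+\.+)/`, deserves a second look: it demands a dot after the fourth octet and another after the prefix length, so unless `$ip` is formatted like `a.b.c.d./nn.` (unlikely, given `$mask` is passed separately to test_for_private_ip) it never matches, `$ip` becomes undef and signal-event is invoked with an empty argument. An anchored pattern with an explicit bail-out is the safer shape: `($ip) = ($ip =~ m{\A(\d{1,3}(?:\.\d{1,3}){3})\z}) or do { $fm->error("invalid IP"); return };`. The early `$fm->error($msg);return;` also assumes `$fm` is in scope in this sub, whose opening is outside the hunk, so confirm that for both files. The same points apply to the Wireguard.pm hunk (`@@ -345,14 +345,17 @@`).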
@@ -345,14 +345,17 @@
 ,'status' => $status );
+ # Test Ip is inside CIDR
+ if (!test_for_private_ip($ip,$mask)) {
+ $msg = "IP must be in private range";
+ $fm->error($msg);return;
+ }
+
 $cdb->get('wg-quick@wg0')->merge_props(%props) or $msg = "Error occurred while modifying server details.";
- # Test Ip is inside CIDR
- if ( ! test_for_private_ip( $ip,$mask ) ) { $msg = "IP must be in private range"; }
- #else {$msg = "Ip is inside range $ip / $mask";}
- unless ($msg eq "OK"){
+ if ($msg eq "OK"){
 # Untaint before use in system()
 ($ip) = ($ip =~ /(\d+\.+\d+\.+\d+\.+\d+\.+\/\d+\.+)/); system( "/sbin/e-smith/signal-event", "wireguard-conf-modify", "$ip",)