11 var generateKey
= rpc
.declare({
12 object
: 'luci.wireguard',
13 method
: 'generateKeyPair',
17 var getPublicAndPrivateKeyFromPrivate
= rpc
.declare({
18 object
: 'luci.wireguard',
19 method
: 'getPublicAndPrivateKeyFromPrivate',
24 var generatePsk
= rpc
.declare({
25 object
: 'luci.wireguard',
26 method
: 'generatePsk',
30 var qrIcon
= '<svg viewBox="0 0 29 29" xmlns="http://www.w3.org/2000/svg"><path fill="#fff" d="M0 0h29v29H0z"/><path d="M4 4h1v1H4zM5 4h1v1H5zM6 4h1v1H6zM7 4h1v1H7zM8 4h1v1H8zM9 4h1v1H9zM10 4h1v1h-1zM12 4h1v1h-1zM13 4h1v1h-1zM14 4h1v1h-1zM15 4h1v1h-1zM16 4h1v1h-1zM18 4h1v1h-1zM19 4h1v1h-1zM20 4h1v1h-1zM21 4h1v1h-1zM22 4h1v1h-1zM23 4h1v1h-1zM24 4h1v1h-1zM4 5h1v1H4zM10 5h1v1h-1zM12 5h1v1h-1zM14 5h1v1h-1zM16 5h1v1h-1zM18 5h1v1h-1zM24 5h1v1h-1zM4 6h1v1H4zM6 6h1v1H6zM7 6h1v1H7zM8 6h1v1H8zM10 6h1v1h-1zM12 6h1v1h-1zM18 6h1v1h-1zM20 6h1v1h-1zM21 6h1v1h-1zM22 6h1v1h-1zM24 6h1v1h-1zM4 7h1v1H4zM6 7h1v1H6zM7 7h1v1H7zM8 7h1v1H8zM10 7h1v1h-1zM12 7h1v1h-1zM13 7h1v1h-1zM14 7h1v1h-1zM15 7h1v1h-1zM18 7h1v1h-1zM20 7h1v1h-1zM21 7h1v1h-1zM22 7h1v1h-1zM24 7h1v1h-1zM4 8h1v1H4zM6 8h1v1H6zM7 8h1v1H7zM8 8h1v1H8zM10 8h1v1h-1zM16 8h1v1h-1zM18 8h1v1h-1zM20 8h1v1h-1zM21 8h1v1h-1zM22 8h1v1h-1zM24 8h1v1h-1zM4 9h1v1H4zM10 9h1v1h-1zM12 9h1v1h-1zM13 9h1v1h-1zM15 9h1v1h-1zM18 9h1v1h-1zM24 9h1v1h-1zM4 10h1v1H4zM5 10h1v1H5zM6 10h1v1H6zM7 10h1v1H7zM8 10h1v1H8zM9 10h1v1H9zM10 10h1v1h-1zM12 10h1v1h-1zM14 10h1v1h-1zM16 10h1v1h-1zM18 10h1v1h-1zM19 10h1v1h-1zM20 10h1v1h-1zM21 10h1v1h-1zM22 10h1v1h-1zM23 10h1v1h-1zM24 10h1v1h-1zM13 11h1v1h-1zM14 11h1v1h-1zM15 11h1v1h-1zM16 11h1v1h-1zM4 12h1v1H4zM5 12h1v1H5zM8 12h1v1H8zM9 12h1v1H9zM10 12h1v1h-1zM13 12h1v1h-1zM15 12h1v1h-1zM19 12h1v1h-1zM21 12h1v1h-1zM22 12h1v1h-1zM23 12h1v1h-1zM24 12h1v1h-1zM5 13h1v1H5zM6 13h1v1H6zM8 13h1v1H8zM11 13h1v1h-1zM13 13h1v1h-1zM14 13h1v1h-1zM15 13h1v1h-1zM16 13h1v1h-1zM19 13h1v1h-1zM22 13h1v1h-1zM4 14h1v1H4zM5 14h1v1H5zM9 14h1v1H9zM10 14h1v1h-1zM11 14h1v1h-1zM15 14h1v1h-1zM18 14h1v1h-1zM19 14h1v1h-1zM20 14h1v1h-1zM21 14h1v1h-1zM22 14h1v1h-1zM23 14h1v1h-1zM7 15h1v1H7zM8 15h1v1H8zM9 15h1v1H9zM11 15h1v1h-1zM12 15h1v1h-1zM13 15h1v1h-1zM17 15h1v1h-1zM18 15h1v1h-1zM20 15h1v1h-1zM21 15h1v1h-1zM23 15h1v1h-1zM4 16h1v1H4zM6 16h1v1H6zM10 16h1v1h-1zM11 16h1v1h-1zM13 16h1v1h-1zM14 16h1v1h-1zM16 16h1v1h-1zM17 16h1v1h-1zM18 16h1v1h-1zM22 16h1v1h-1zM23 16h1v1h-1zM24 16h1v1h-1zM12 17h1v1h-1zM16 17h1v1h-1zM17 17h1v1h-1zM18 17h1v1h-1zM4 18h1v1H4zM5 18h1v1H5zM6 18h1v1H6zM7 18h1v1H7zM8 18h1v1H8zM9 18h1v1H9zM10 18h1v1h-1zM14 18h1v1h-1zM16 18h1v1h-1zM17 18h1v1h-1zM21 18h1v1h-1zM22 18h1v1h-1zM23 18h1v1h-1zM4 19h1v1H4zM10 19h1v1h-1zM12 19h1v1h-1zM13 19h1v1h-1zM15 19h1v1h-1zM16 19h1v1h-1zM19 19h1v1h-1zM21 19h1v1h-1zM23 19h1v1h-1zM24 19h1v1h-1zM4 20h1v1H4zM6 20h1v1H6zM7 20h1v1H7zM8 20h1v1H8zM10 20h1v1h-1zM12 20h1v1h-1zM13 20h1v1h-1zM15 20h1v1h-1zM18 20h1v1h-1zM19 20h1v1h-1zM20 20h1v1h-1zM22 20h1v1h-1zM23 20h1v1h-1zM24 20h1v1h-1zM4 21h1v1H4zM6 21h1v1H6zM7 21h1v1H7zM8 21h1v1H8zM10 21h1v1h-1zM13 21h1v1h-1zM15 21h1v1h-1zM16 21h1v1h-1zM19 21h1v1h-1zM21 21h1v1h-1zM23 21h1v1h-1zM24 21h1v1h-1zM4 22h1v1H4zM6 22h1v1H6zM7 22h1v1H7zM8 22h1v1H8zM10 22h1v1h-1zM13 22h1v1h-1zM15 22h1v1h-1zM18 22h1v1h-1zM19 22h1v1h-1zM20 22h1v1h-1zM21 22h1v1h-1zM22 22h1v1h-1zM4 23h1v1H4zM10 23h1v1h-1zM12 23h1v1h-1zM13 23h1v1h-1zM14 23h1v1h-1zM17 23h1v1h-1zM18 23h1v1h-1zM20 23h1v1h-1zM22 23h1v1h-1zM4 24h1v1H4zM5 24h1v1H5zM6 24h1v1H6zM7 24h1v1H7zM8 24h1v1H8zM9 24h1v1H9zM10 24h1v1h-1zM12 24h1v1h-1zM13 24h1v1h-1zM14 24h1v1h-1zM16 24h1v1h-1zM17 24h1v1h-1zM18 24h1v1h-1zM22 24h1v1h-1zM24 24h1v1h-1z"/></svg>';
32 function validateBase64(section_id
, value
) {
33 if (value
.length
== 0)
36 if (value
.length
!= 44 || !value
.match(/^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$/))
37 return _('Invalid Base64 key string');
39 if (value
[43] != "=" )
40 return _('Invalid Base64 key string');
47 apply: function(type
, value
, args
) {
51 return validation
.types
[type
].apply(this, args
);
53 assert: function(condition
) {
58 function generateDescription(name
, texts
) {
59 return E('li', { 'style': 'color: inherit;' }, [
61 E('ul', texts
.map(function (text
) {
62 return E('li', { 'style': 'color: inherit;' }, text
);
67 function invokeQREncode(data
, code
) {
68 return fs
.exec_direct('/usr/bin/qrencode', [
69 '--inline', '--8bit', '--type=SVG',
70 '--output=-', '--', data
71 ]).then(function(svg
) {
72 code
.style
.opacity
= '';
73 dom
.content(code
, Object
.assign(E(svg
), { style
: 'width:100%;height:auto' }));
74 }).catch(function(error
) {
75 code
.style
.opacity
= '';
77 if (L
.isObject(error
) && error
.name
== 'NotFoundError') {
79 Object
.assign(E(qrIcon
), { style
: 'width:32px;height:32px;opacity:.2' }),
80 E('p', _('The <em>qrencode</em> package is required for generating an QR code image of the configuration.'))
85 _('Unable to generate QR code: %s').format(L
.isObject(error
) ? error
.message
: error
)
91 var cbiKeyPairGenerate
= form
.DummyValue
.extend({
92 cfgvalue: function(section_id
, value
) {
95 'click': ui
.createHandlerFn(this, function(section_id
, ev
) {
96 var prv
= this.section
.getUIElement(section_id
, 'private_key'),
97 pub
= this.section
.getUIElement(section_id
, 'public_key'),
100 if ((prv
.getValue() || pub
.getValue()) && !confirm(_('Do you want to replace the current keys?')))
103 return generateKey().then(function(keypair
) {
104 prv
.setValue(keypair
.priv
);
105 pub
.setValue(keypair
.pub
);
106 map
.save(null, true);
109 }, [ _('Generate new key pair') ]);
113 function handleWindowDragDropIgnore(ev
) {
117 return network
.registerProtocol('wireguard', {
118 getI18n: function() {
119 return _('WireGuard VPN');
122 getIfname: function() {
123 return this._ubus('l3_device') || this.sid
;
126 getOpkgPackage: function() {
127 return 'wireguard-tools';
130 isFloating: function() {
134 isVirtual: function() {
138 getDevices: function() {
142 containsDevice: function(ifname
) {
143 return (network
.getIfnameOf(ifname
) == this.getIfname());
146 renderFormOptions: function(s
) {
149 // -- general ---------------------------------------------------------------------
151 o
= s
.taboption('general', form
.Value
, 'private_key', _('Private Key'), _('Required. Base64-encoded private key for this interface.'));
153 o
.validate
= validateBase64
;
156 var serverName
= this.getIfname();
158 o
= s
.taboption('general', form
.Value
, 'public_key', _('Public Key'), _('Base64-encoded public key of this interface for sharing.'));
160 o
.write = function() {/* write nothing */};
162 o
.load = function(section_id
) {
163 var privKey
= s
.formvalue(section_id
, 'private_key') || uci
.get('network', section_id
, 'private_key');
165 return getPublicAndPrivateKeyFromPrivate(privKey
).then(
167 return keypair
.pub
|| '';
170 return _('Error getting PublicKey');
174 s
.taboption('general', cbiKeyPairGenerate
, '_gen_server_keypair', ' ');
176 o
= s
.taboption('general', form
.Value
, 'listen_port', _('Listen Port'), _('Optional. UDP port used for outgoing and incoming packets.'));
178 o
.placeholder
= _('random');
181 o
= s
.taboption('general', form
.DynamicList
, 'addresses', _('IP Addresses'), _('Recommended. IP addresses of the WireGuard interface.'));
182 o
.datatype
= 'ipaddr';
185 o
= s
.taboption('general', form
.Flag
, 'nohostroute', _('No Host Routes'), _('Optional. Do not create host routes to peers.'));
188 o
= s
.taboption('general', form
.Button
, '_import', _('Import configuration'), _('Imports settings from an existing WireGuard configuration file'));
189 o
.inputtitle
= _('Load configuration…');
190 o
.onclick = function() {
191 return ss
.handleConfigImport('full');
194 // -- advanced --------------------------------------------------------------------
196 o
= s
.taboption('advanced', form
.Value
, 'mtu', _('MTU'), _('Optional. Maximum Transmission Unit of tunnel interface.'));
197 o
.datatype
= 'range(0,8940)';
198 o
.placeholder
= '1420';
201 o
= s
.taboption('advanced', form
.Value
, 'fwmark', _('Firewall Mark'), _('Optional. 32-bit mark for outgoing encrypted packets. Enter value in hex, starting with <code>0x</code>.'));
203 o
.validate = function(section_id
, value
) {
204 if (value
.length
> 0 && !value
.match(/^0x[a-fA-F0-9]{1,8}$/))
205 return _('Invalid hexadecimal value');
211 // -- peers -----------------------------------------------------------------------
214 s
.tab('peers', _('Peers'), _('Further information about WireGuard interfaces and peers at <a href=\'http://wireguard.com\'>wireguard.com</a>.'));
218 o
= s
.taboption('peers', form
.SectionValue
, '_peers', form
.GridSection
, 'wireguard_%s'.format(s
.section
));
219 o
.depends('proto', 'wireguard');
224 ss
.addbtntitle
= _('Add peer');
225 ss
.nodescriptions
= true;
226 ss
.modaltitle
= _('Edit peer');
228 ss
.handleDragConfig = function(ev
) {
229 ev
.stopPropagation();
231 ev
.dataTransfer
.dropEffect
= 'copy';
234 ss
.handleDropConfig = function(mode
, ev
) {
235 var file
= ev
.dataTransfer
.files
[0],
236 nodes
= ev
.currentTarget
,
237 input
= nodes
.querySelector('textarea'),
238 reader
= new FileReader();
241 reader
.onload = function(rev
) {
242 input
.value
= rev
.target
.result
.trim();
243 ss
.handleApplyConfig(mode
, nodes
, file
.name
, ev
);
246 reader
.readAsText(file
);
249 ev
.stopPropagation();
253 ss
.parseConfig = function(data
) {
254 var lines
= String(data
).split(/(\r?\n)+/),
256 config
= { peers
: [] },
259 for (var i
= 0; i
< lines
.length
; i
++) {
260 var line
= lines
[i
].replace(/#.*$/, '').trim();
262 if (line
.match(/^\[(\w+)\]$/)) {
263 section
= RegExp
.$1.toLowerCase();
265 if (section
== 'peer')
266 config
.peers
.push(s
= {});
270 else if (section
&& line
.match(/^(\w+)\s*=\s*(.+)$/)) {
272 val
= RegExp
.$2.trim();
275 s
[section
+ '_' + key
.toLowerCase()] = val
;
279 if (config
.interface_address
) {
280 config
.interface_address
= config
.interface_address
.split(/[, ]+/);
282 for (var i
= 0; i
< config
.interface_address
.length
; i
++)
283 if (!stubValidator
.apply('ipaddr', config
.interface_address
[i
]))
284 return _('Address setting is invalid');
287 if (config
.interface_dns
) {
288 config
.interface_dns
= config
.interface_dns
.split(/[, ]+/);
290 for (var i
= 0; i
< config
.interface_dns
.length
; i
++)
291 if (!stubValidator
.apply('ipaddr', config
.interface_dns
[i
], ['nomask']))
292 return _('DNS setting is invalid');
295 if (!config
.interface_privatekey
|| validateBase64(null, config
.interface_privatekey
) !== true)
296 return _('PrivateKey setting is missing or invalid');
298 if (!stubValidator
.apply('port', config
.interface_listenport
|| '0'))
299 return _('ListenPort setting is invalid');
301 for (var i
= 0; i
< config
.peers
.length
; i
++) {
302 var pconf
= config
.peers
[i
];
304 if (pconf
.peer_publickey
!= null && validateBase64(null, pconf
.peer_publickey
) !== true)
305 return _('PublicKey setting is invalid');
307 if (pconf
.peer_presharedkey
!= null && validateBase64(null, pconf
.peer_presharedkey
) !== true)
308 return _('PresharedKey setting is invalid');
310 if (pconf
.peer_allowedips
) {
311 pconf
.peer_allowedips
= pconf
.peer_allowedips
.split(/[, ]+/);
313 for (var j
= 0; j
< pconf
.peer_allowedips
.length
; j
++)
314 if (!stubValidator
.apply('ipaddr', pconf
.peer_allowedips
[j
]))
315 return _('AllowedIPs setting is invalid');
318 pconf
.peer_allowedips
= [ '0.0.0.0/0', '::/0' ];
321 if (pconf
.peer_endpoint
) {
322 var host_port
= pconf
.peer_endpoint
.match(/^\[([a-fA-F0-9:]+)\]:(\d+)$/) || pconf
.peer_endpoint
.match(/^(.+):(\d+)$/);
324 if (!host_port
|| !stubValidator
.apply('host', host_port
[1]) || !stubValidator
.apply('port', host_port
[2]))
325 return _('Endpoint setting is invalid');
327 pconf
.peer_endpoint
= [ host_port
[1], host_port
[2] ];
330 if (pconf
.peer_persistentkeepalive
== 'off' || pconf
.peer_persistentkeepalive
== '0')
331 delete pconf
.peer_persistentkeepalive
;
333 if (!stubValidator
.apply('port', pconf
.peer_persistentkeepalive
|| '0'))
334 return _('PersistentKeepAlive setting is invalid');
340 ss
.handleApplyConfig = function(mode
, nodes
, comment
, ev
) {
341 var input
= nodes
.querySelector('textarea').value
,
342 error
= nodes
.querySelector('.alert-message'),
343 cancel
= nodes
.nextElementSibling
.querySelector('.btn'),
344 config
= this.parseConfig(input
);
346 if (typeof(config
) == 'string') {
347 error
.firstChild
.data
= _('Cannot parse configuration: %s').format(config
);
348 error
.style
.display
= 'block';
352 if (mode
== 'full') {
353 var prv
= s
.formvalue(s
.section
, 'private_key');
355 if (prv
&& prv
!= config
.interface_privatekey
&& !confirm(_('Overwrite the current settings with the imported configuration?')))
358 return getPublicAndPrivateKeyFromPrivate(config
.interface_privatekey
).then(function(keypair
) {
359 s
.getOption('private_key').getUIElement(s
.section
).setValue(keypair
.priv
);
360 s
.getOption('public_key').getUIElement(s
.section
).setValue(keypair
.pub
);
361 s
.getOption('listen_port').getUIElement(s
.section
).setValue(config
.interface_listenport
|| '');
362 s
.getOption('addresses').getUIElement(s
.section
).setValue(config
.interface_address
);
364 if (config
.interface_dns
)
365 s
.getOption('dns').getUIElement(s
.section
).setValue(config
.interface_dns
);
367 for (var i
= 0; i
< config
.peers
.length
; i
++) {
368 var pconf
= config
.peers
[i
];
369 var sid
= uci
.add('network', 'wireguard_' + s
.section
);
371 uci
.sections('network', 'wireguard_' + s
.section
, function(peer
) {
372 if (peer
.public_key
== pconf
.peer_publickey
)
373 uci
.remove('network', peer
['.name']);
376 uci
.set('network', sid
, 'description', comment
|| _('Imported peer configuration'));
377 uci
.set('network', sid
, 'public_key', pconf
.peer_publickey
);
378 uci
.set('network', sid
, 'preshared_key', pconf
.peer_presharedkey
);
379 uci
.set('network', sid
, 'allowed_ips', pconf
.peer_allowedips
);
380 uci
.set('network', sid
, 'persistent_keepalive', pconf
.peer_persistentkeepalive
);
382 if (pconf
.peer_endpoint
) {
383 uci
.set('network', sid
, 'endpoint_host', pconf
.peer_endpoint
[0]);
384 uci
.set('network', sid
, 'endpoint_port', pconf
.peer_endpoint
[1]);
388 return s
.map
.save(null, true);
394 return getPublicAndPrivateKeyFromPrivate(config
.interface_privatekey
).then(function(keypair
) {
395 var sid
= uci
.add('network', 'wireguard_' + s
.section
);
396 var pub
= s
.formvalue(s
.section
, 'public_key');
398 uci
.sections('network', 'wireguard_' + s
.section
, function(peer
) {
399 if (peer
.public_key
== keypair
.pub
)
400 uci
.remove('network', peer
['.name']);
403 uci
.set('network', sid
, 'description', comment
|| _('Imported peer configuration'));
404 uci
.set('network', sid
, 'public_key', keypair
.pub
);
405 uci
.set('network', sid
, 'private_key', keypair
.priv
);
407 for (var i
= 0; i
< config
.peers
.length
; i
++) {
408 var pconf
= config
.peers
[i
];
410 if (pconf
.peer_publickey
== pub
) {
411 uci
.set('network', sid
, 'preshared_key', pconf
.peer_presharedkey
);
412 uci
.set('network', sid
, 'allowed_ips', pconf
.peer_allowedips
);
413 uci
.set('network', sid
, 'persistent_keepalive', pconf
.peer_persistentkeepalive
);
418 return s
.map
.save(null, true);
425 ss
.handleConfigImport = function(mode
) {
426 var mapNode
= ss
.getActiveModalMap(),
427 headNode
= mapNode
.parentNode
.querySelector('h4'),
430 var nodes
= E('div', {
431 'dragover': this.handleDragConfig
,
432 'drop': this.handleDropConfig
.bind(this, mode
)
434 E([], (mode
== 'full') ? [
435 E('p', _('Drag or paste a valid <em>*.conf</em> file below to configure the local WireGuard interface.'))
437 E('p', _('Paste or drag a WireGuard configuration (commonly <em>wg0.conf</em>) from another system below to create a matching peer entry allowing that system to connect to the local WireGuard interface.')),
438 E('p', _('To fully configure the local WireGuard interface from an existing (e.g. provider supplied) configuration file, use the <strong><a class="full-import" href="#">configuration import</a></strong> instead.'))
442 'placeholder': (mode
== 'full')
443 ? _('Paste or drag supplied WireGuard configuration file…')
444 : _('Paste or drag WireGuard peer configuration (wg0.conf) file…'),
445 'style': 'height:5em;width:100%; white-space:pre'
449 'class': 'alert-message',
450 'style': 'display:none'
454 var cancelFn = function() {
455 nodes
.parentNode
.removeChild(nodes
.nextSibling
);
456 nodes
.parentNode
.removeChild(nodes
);
457 mapNode
.classList
.remove('hidden');
458 mapNode
.nextSibling
.classList
.remove('hidden');
459 headNode
.removeChild(headNode
.lastChild
);
460 window
.removeEventListener('dragover', handleWindowDragDropIgnore
);
461 window
.removeEventListener('drop', handleWindowDragDropIgnore
);
464 var a
= nodes
.querySelector('a.full-import');
467 a
.addEventListener('click', ui
.createHandlerFn(this, function(mode
) {
469 this.handleConfigImport('full');
473 mapNode
.classList
.add('hidden');
474 mapNode
.nextElementSibling
.classList
.add('hidden');
476 headNode
.appendChild(E('span', [ ' » ', (mode
== 'full') ? _('Import configuration') : _('Import as peer') ]));
477 mapNode
.parentNode
.appendChild(E([], [
488 'class': 'btn primary',
489 'click': ui
.createHandlerFn(this, 'handleApplyConfig', mode
, nodes
, null)
490 }, [ _('Import settings') ])
494 window
.addEventListener('dragover', handleWindowDragDropIgnore
);
495 window
.addEventListener('drop', handleWindowDragDropIgnore
);
498 ss
.renderSectionAdd = function(/* ... */) {
499 var nodes
= this.super('renderSectionAdd', arguments
);
501 nodes
.appendChild(E('button', {
503 'click': ui
.createHandlerFn(this, 'handleConfigImport', 'peer')
504 }, [ _('Import configuration as peer…') ]));
509 ss
.renderSectionPlaceholder = function() {
510 return E('em', _('No peers defined yet.'));
513 o
= ss
.option(form
.Flag
, 'disabled', _('Peer disabled'), _('Enable / Disable peer. Restart wireguard interface to apply changes.'));
517 o
= ss
.option(form
.Value
, 'description', _('Description'), _('Optional. Description of peer.'));
518 o
.placeholder
= 'My Peer';
519 o
.datatype
= 'string';
522 o
.textvalue = function(section_id
) {
523 var dis
= ss
.getOption('disabled'),
524 pub
= ss
.getOption('public_key'),
525 prv
= ss
.getOption('private_key'),
526 psk
= ss
.getOption('preshared_key'),
527 name
= this.cfgvalue(section_id
),
528 key
= pub
.cfgvalue(section_id
);
532 name
? E('span', [ name
]) : E('em', [ _('Untitled peer') ])
536 if (dis
.cfgvalue(section_id
) == '1')
537 desc
.push(E('span', {
538 'class': 'ifacebadge',
539 'data-tooltip': _('WireGuard peer is disabled')
541 E('em', [ _('Disabled', 'Label indicating that WireGuard peer is disabled') ])
544 if (!key
|| !pub
.isValid(section_id
)) {
545 desc
.push(E('span', {
546 'class': 'ifacebadge',
547 'data-tooltip': _('Public key is missing')
549 E('em', [ _('Key missing', 'Label indicating that WireGuard peer lacks public key') ])
555 'class': 'ifacebadge',
556 'data-tooltip': _('Public key: %h', 'Tooltip displaying full WireGuard peer public key').format(key
)
558 E('code', [ key
.replace(/^(.{5}).+(.{6})$/, '$1…$2') ])
561 (prv
.cfgvalue(section_id
) && prv
.isValid(section_id
))
563 'class': 'ifacebadge',
564 'data-tooltip': _('Private key present')
565 }, [ _('Private', 'Label indicating that WireGuard peer private key is stored') ]) : '',
567 (psk
.cfgvalue(section_id
) && psk
.isValid(section_id
))
569 'class': 'ifacebadge',
570 'data-tooltip': _('Preshared key in use')
571 }, [ _('PSK', 'Label indicating that WireGuard peer uses a PSK') ]) : ''
578 function handleKeyChange(ev
, section_id
, value
) {
579 var prv
= this.section
.getUIElement(section_id
, 'private_key'),
580 btn
= this.map
.findElement('.btn.qr-code');
582 btn
.disabled
= (!prv
.isValid() || !prv
.getValue());
585 o
= ss
.option(form
.Value
, 'public_key', _('Public Key'), _('Required. Public key of the WireGuard peer.'));
587 o
.validate
= validateBase64
;
588 o
.onchange
= handleKeyChange
;
590 o
= ss
.option(form
.Value
, 'private_key', _('Private Key'), _('Optional. Private key of the WireGuard peer. The key is not required for establishing a connection but allows generating a peer configuration or QR code if available. It can be removed after the configuration has been exported.'));
592 o
.validate
= validateBase64
;
593 o
.onchange
= handleKeyChange
;
596 o
= ss
.option(cbiKeyPairGenerate
, '_gen_peer_keypair', ' ');
599 o
= ss
.option(form
.Value
, 'preshared_key', _('Preshared Key'), _('Optional. Base64-encoded preshared key. Adds in an additional layer of symmetric-key cryptography for post-quantum resistance.'));
601 o
.validate
= validateBase64
;
604 o
= ss
.option(form
.DummyValue
, '_gen_psk', ' ');
606 o
.cfgvalue = function(section_id
, value
) {
609 'click': ui
.createHandlerFn(this, function(section_id
, ev
) {
610 var psk
= this.section
.getUIElement(section_id
, 'preshared_key'),
613 if (psk
.getValue() && !confirm(_('Do you want to replace the current PSK?')))
616 return generatePsk().then(function(key
) {
618 map
.save(null, true);
621 }, [ _('Generate preshared key') ]);
624 o
= ss
.option(form
.DynamicList
, 'allowed_ips', _('Allowed IPs'), _("Optional. IP addresses and prefixes that this peer is allowed to use inside the tunnel. Usually the peer's tunnel IP addresses and the networks the peer routes through the tunnel."));
625 o
.datatype
= 'ipaddr';
626 o
.textvalue = function(section_id
) {
627 var ips
= L
.toArray(this.cfgvalue(section_id
)),
630 for (var i
= 0; i
< ips
.length
; i
++) {
633 'class': 'ifacebadge cbi-tooltip-container'
635 _('+ %d more', 'Label indicating further amount of allowed ips').format(ips
.length
- i
),
637 'class': 'cbi-tooltip'
639 E('ul', ips
.map(function(ip
) {
641 E('span', { 'class': 'ifacebadge' }, [ ip
])
650 list
.push(E('span', { 'class': 'ifacebadge' }, [ ips
[i
] ]));
656 return E('span', { 'style': 'display:inline-flex;flex-wrap:wrap;gap:.125em' }, list
);
659 o
= ss
.option(form
.Flag
, 'route_allowed_ips', _('Route Allowed IPs'), _('Optional. Create routes for Allowed IPs for this peer.'));
662 o
= ss
.option(form
.Value
, 'endpoint_host', _('Endpoint Host'), _('Optional. Host of peer. Names are resolved prior to bringing up the interface.'));
663 o
.placeholder
= 'vpn.example.com';
665 o
.textvalue = function(section_id
) {
666 var host
= this.cfgvalue(section_id
),
667 port
= this.section
.cfgvalue(section_id
, 'endpoint_port');
669 return (host
&& port
)
670 ? '%h:%d'.format(host
, port
)
672 ? '%h:*'.format(host
)
674 ? '*:%d'.format(port
)
678 o
= ss
.option(form
.Value
, 'endpoint_port', _('Endpoint Port'), _('Optional. Port of peer.'));
680 o
.placeholder
= '51820';
683 o
= ss
.option(form
.Value
, 'persistent_keepalive', _('Persistent Keep Alive'), _('Optional. Seconds between keep alive messages. Default is 0 (disabled). Recommended value if this device is behind a NAT is 25.'));
685 o
.datatype
= 'range(0,65535)';
690 o
= ss
.option(form
.DummyValue
, '_keyops', _('Configuration Export'),
691 _('Generates a configuration suitable for import on a WireGuard peer'));
695 o
.createPeerConfig = function(section_id
, endpoint
, ips
) {
696 var pub
= s
.formvalue(s
.section
, 'public_key'),
697 port
= s
.formvalue(s
.section
, 'listen_port') || '51820',
698 prv
= this.section
.formvalue(section_id
, 'private_key'),
699 psk
= this.section
.formvalue(section_id
, 'preshared_key'),
700 eport
= this.section
.formvalue(section_id
, 'endpoint_port'),
701 keep
= this.section
.formvalue(section_id
, 'persistent_keepalive');
705 'PrivateKey = ' + prv
,
706 eport
? 'ListenPort = ' + eport
: '# ListenPort not defined',
709 'PublicKey = ' + pub
,
710 psk
? 'PresharedKey = ' + psk
: '# PresharedKey not used',
711 ips
&& ips
.length
? 'AllowedIPs = ' + ips
.join(', ') : '# AllowedIPs not defined',
712 endpoint
? 'Endpoint = ' + endpoint
+ ':' + port
: '# Endpoint not defined',
713 keep
? 'PersistentKeepAlive = ' + keep
: '# PersistentKeepAlive not defined'
717 o
.handleGenerateQR = function(section_id
, ev
) {
718 var mapNode
= ss
.getActiveModalMap(),
719 headNode
= mapNode
.parentNode
.querySelector('h4'),
720 configGenerator
= this.createPeerConfig
.bind(this, section_id
),
724 network
.getWANNetworks(),
725 network
.getWAN6Networks(),
726 L
.resolveDefault(uci
.load('ddns')),
727 L
.resolveDefault(uci
.load('system')),
728 parent
.save(null, true)
729 ]).then(function(data
) {
732 uci
.sections('ddns', 'service', function(s
) {
733 if (typeof(s
.lookup_host
) == 'string' && s
.enabled
== '1')
734 hostnames
.push(s
.lookup_host
);
737 uci
.sections('system', 'system', function(s
) {
738 if (typeof(s
.hostname
) == 'string' && s
.hostname
.indexOf('.') > 0)
739 hostnames
.push(s
.hostname
);
742 for (var i
= 0; i
< data
[0].length
; i
++)
743 hostnames
.push
.apply(hostnames
, data
[0][i
].getIPAddrs().map(function(ip
) { return ip
.split('/')[0] }));
745 for (var i
= 0; i
< data
[1].length
; i
++)
746 hostnames
.push
.apply(hostnames
, data
[1][i
].getIP6Addrs().map(function(ip
) { return ip
.split('/')[0] }));
748 var ips
= [ '0.0.0.0/0', '::/0' ];
752 qrm
= new form
.JSONMap({ config
: { endpoint
: hostnames
[0], allowed_ips
: ips
} }, null, _('The generated configuration can be imported into a WireGuard client application to set up a connection towards this device.'));
755 qrs
= qrm
.section(form
.NamedSection
, 'config');
757 function handleConfigChange(ev
, section_id
, value
) {
758 var code
= this.map
.findElement('.qr-code'),
759 conf
= this.map
.findElement('.client-config'),
760 endpoint
= this.section
.getUIElement(section_id
, 'endpoint'),
761 ips
= this.section
.getUIElement(section_id
, 'allowed_ips');
763 if (this.isValid(section_id
)) {
764 conf
.firstChild
.data
= configGenerator(endpoint
.getValue(), ips
.getValue());
765 code
.style
.opacity
= '.5';
767 invokeQREncode(conf
.firstChild
.data
, code
);
771 qro
= qrs
.option(form
.Value
, 'endpoint', _('Connection endpoint'), _('The public hostname or IP address of this system the peer should connect to. This usually is a static public IP address, a static hostname or a DDNS domain.'));
772 qro
.datatype
= 'or(ipaddr,hostname)';
773 hostnames
.forEach(function(hostname
) { qro
.value(hostname
) });
774 qro
.onchange
= handleConfigChange
;
776 qro
= qrs
.option(form
.DynamicList
, 'allowed_ips', _('Allowed IPs'), _('IP addresses that are allowed inside the tunnel. The peer will accept tunnelled packets with source IP addresses matching this list and route back packets with matching destination IP.'));
777 qro
.datatype
= 'ipaddr';
779 ips
.forEach(function(ip
) { qro
.value(ip
) });
780 qro
.onchange
= handleConfigChange
;
782 qro
= qrs
.option(form
.DummyValue
, 'output');
783 qro
.renderWidget = function() {
784 var peer_config
= configGenerator(hostnames
[0], ips
);
786 var node
= E('div', {
787 'style': 'display:flex;flex-wrap:wrap;align-items:center;gap:.5em;width:100%'
791 'style': 'width:320px;flex:0 1 320px;text-align:center'
793 E('em', { 'class': 'spinning' }, [ _('Generating QR code…') ])
796 'class': 'client-config',
797 'style': 'flex:1;white-space:pre;overflow:auto',
798 'click': function(ev
) {
799 var sel
= window
.getSelection(),
800 range
= document
.createRange();
802 range
.selectNodeContents(ev
.currentTarget
);
804 sel
.removeAllRanges();
810 invokeQREncode(peer_config
, node
.firstChild
);
815 return qrm
.render().then(function(nodes
) {
816 mapNode
.classList
.add('hidden');
817 mapNode
.nextElementSibling
.classList
.add('hidden');
819 headNode
.appendChild(E('span', [ ' » ', _('Generate configuration') ]));
820 mapNode
.parentNode
.appendChild(E([], [
827 'click': function() {
828 nodes
.parentNode
.removeChild(nodes
.nextSibling
);
829 nodes
.parentNode
.removeChild(nodes
);
830 mapNode
.classList
.remove('hidden');
831 mapNode
.nextSibling
.classList
.remove('hidden');
832 headNode
.removeChild(headNode
.lastChild
);
834 }, [ _('Back to peer configuration') ])
838 if (!s
.formvalue(s
.section
, 'listen_port')) {
839 nodes
.appendChild(E('div', { 'class': 'alert-message' }, [
841 _('No fixed interface listening port defined, peers might not be able to initiate connections to this WireGuard instance!')
849 o
.cfgvalue = function(section_id
, value
) {
850 var privkey
= this.section
.cfgvalue(section_id
, 'private_key');
853 'class': 'btn qr-code',
854 'style': 'display:inline-flex;align-items:center;gap:.5em',
855 'click': ui
.createHandlerFn(this, 'handleGenerateQR', section_id
),
856 'disabled': privkey
? null : ''
858 Object
.assign(E(qrIcon
), { style
: 'width:22px;height:22px' }),
859 _('Generate configuration…')
864 deleteConfiguration: function() {
865 uci
.sections('network', 'wireguard_%s'.format(this.sid
), function(s
) {
866 uci
.remove('network', s
['.name']);