networking: Add wireguard keepalive and preshared-key option in the gui #19521
Conversation
subhoghoshX
force-pushed
the
wireguard-keepalive
branch
6 times, most recently
from
30ae48d
to
e161d67
Compare
|
Finally green! Either the flakes introduced were bad or my brain is dead. It took far too long.. |
|
This flake is too common to ignore.. |
subhoghoshX
force-pushed
the
wireguard-keepalive
branch
4 times, most recently
from
6f34fa7
to
9c11660
Compare
| if (peer.persistentKeepalive.trim()) { | ||
| if (isNaN(Number(peer.persistentKeepalive))) | ||
| throw cockpit.format(_("Peer #$0 has invalid persistent keepalive. It must be a number."), index + 1); |
There was a problem hiding this comment.
Probably it should also check for ≥ 1 and possibly some maximum? Also, can this be a float?
There was a problem hiding this comment.
The dbus type for Keepalive is 'u', so it has to be >=0. Passing negative or float shows an error in the UI. Like below:
I opened an issue for a better error message at #19645.
0 (zero) means "not set" as usual.
I couldn't find a documented maximum value, but little experiment shows it can be in the range 0 to 65535 (i.e. 2^16 possible values).. after that it overflows without any error.
pkg/networkmanager/wireguard.jsx
Outdated
| @@ -324,6 +348,22 @@ export function WireGuardDialog({ settings, connection, dev }) { | |||
| id={idPrefix + '-allowedips-peer-' + i} | |||
| /> | |||
| </FormGroup> | |||
| <FormGroup className='pf-m-6-col-on-md' label={_("Preshared key")} fieldId={idPrefix + '-presharedkey-peer-' + i} labelIcon={ | |||
There was a problem hiding this comment.
I think the usual spelling is "pre-shared key"
pkg/networkmanager/wireguard.jsx
Outdated
| @@ -324,6 +348,22 @@ export function WireGuardDialog({ settings, connection, dev }) { | |||
| id={idPrefix + '-allowedips-peer-' + i} | |||
| /> | |||
| </FormGroup> | |||
| <FormGroup className='pf-m-6-col-on-md' label={_("Preshared key")} fieldId={idPrefix + '-presharedkey-peer-' + i} labelIcon={ | |||
| <Popover | |||
| bodyContent={_("Preshared key should be a random 32 byte bas64 encoded.")} | |||
There was a problem hiding this comment.
| bodyContent={_("Preshared key should be a random 32 byte bas64 encoded.")} | |
| bodyContent={_("A base64 encoded string of 32 random bytes.")} |
pkg/networkmanager/wireguard.jsx
Outdated
| @@ -324,6 +348,22 @@ export function WireGuardDialog({ settings, connection, dev }) { | |||
| id={idPrefix + '-allowedips-peer-' + i} | |||
| /> | |||
| </FormGroup> | |||
| <FormGroup className='pf-m-6-col-on-md' label={_("Preshared key")} fieldId={idPrefix + '-presharedkey-peer-' + i} labelIcon={ | |||
There was a problem hiding this comment.
I think this needs some UI work: I suppose it doesn't make sense to specify both a public/private key pair and a PSK? So perhaps there should either be a "key mode" selector at the top (symmetric or asymmetric), or one field should be disabled if the other has a value.
There was a problem hiding this comment.
Both public/private key pair and PSK is used to make it more secure and quantum computer resistant. It is mentioned here https://www.wireguard.com/papers/wireguard.pdf.
There was a problem hiding this comment.
Found this in the docs (https://www.wireguard.com/protocol/#key-exchange-and-data-packets), I think this is more accessible than the pdf above.
If an additional layer of symmetric-key crypto is required (for, say, post-quantum resistance), WireGuard also supports an optional pre-shared key that is mixed into the public key cryptography. When pre-shared key mode is not in use, the pre-shared key value used below is assumed to be an all-zero string of 32 bytes.
| b.set_input_text("#network-wireguard-settings-keepalive-peer-0", "120") | ||
| psk = m1.execute("head -c 32 /dev/random | base64").strip() | ||
| b.set_input_text("#network-wireguard-settings-presharedkey-peer-0", psk) |
There was a problem hiding this comment.
Please also validate these settings in the API or with nmcli -- the UI doesn't reflect which key mode is being used, and which keepalive time.
There was a problem hiding this comment.
Yes, good idea! Done, thanks!
There was a problem hiding this comment.
I did it with wg because nmcli doesn't show peer information.
subhoghoshX
force-pushed
the
wireguard-keepalive
branch
from
9c11660
to
ede03ff
Compare
|
Removed the pixels to fix branch conflict. I'll get to the reviews tomorrow. |
subhoghoshX
added
the
no-test
subhoghoshX
force-pushed
the
wireguard-keepalive
branch
from
ede03ff
to
a96c1c5
Compare
Update the tests accordingly. fixes cockpit-project#19491
subhoghoshX
force-pushed
the
wireguard-keepalive
branch
from
a96c1c5
to
4a0865b
Compare
It may indeed need some design discussion because adding another row makes it tall too quick and the separation between the peer fields gets confusing:
@garrett any suggestions? |
|
A few thoughts about the latest screenshot:
|
Keepalive and Pre-shared key is completely optional and Endpoint is also (kind of) optional.
No strong reason, it's just Public key is required so it's the first one, and Pre-shared key is optional, so it's one of the last.
The default value is 0, which means "not set". Pre-filling it sounds better!
They're separate. It's just out of the 5 fields these two only take 1/4 of the width. So they're together. Everything else takes 1/2 of the horizontal space.
Yes, that's the issue it looks a little overloaded with the new row. |
fixes #19491