CaZzzer/vpgen
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

opnsense: add initial api to create new clients

Browse Source
This commit is contained in:
Yuri Tatishchev 2024-12-22 19:45:03 -08:00
parent 5015246a24
commit 3909281bc7
Signed by: CaZzzer
GPG Key ID: E0EBF441EA424369
5 changed files with 176 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.env.example
View File

@ -8,3 +8,9 @@ OPNSENSE_API_URL=https://opnsense.home
OPNSENSE_API_KEY= OPNSENSE_API_KEY=
OPNSENSE_API_SECRET= OPNSENSE_API_SECRET=
OPNSENSE_WG_IFNAME=wg2 OPNSENSE_WG_IFNAME=wg2
IPV4_STARTING_ADDR=10.18.11.100
IPV6_STARTING_ADDR=fd00:10:18:11::100:0
IPV6_CLIENT_PREFIX_SIZE=112
IP_MAX_INDEX=100
VPN_ENDPOINT=vpn.lab.cazzzer.com:51820

3
bruno/opnsense-api/Add Client Builder.bru
View File

@ -22,7 +22,6 @@ body:json {
"pubkey": "{{clientPubkey}}", "pubkey": "{{clientPubkey}}",
"psk": "{{psk}}", "psk": "{{psk}}",
"tunneladdress": "{{clientTunnelAddress}}", "tunneladdress": "{{clientTunnelAddress}}",
"keepalive": "",
"server": "{{serverUuid}}", "server": "{{serverUuid}}",
"endpoint": "{{vpn_endpoint}}" "endpoint": "{{vpn_endpoint}}"
} }
@ -30,7 +29,7 @@ body:json {
} }
vars:pre-request { vars:pre-request {
clientName: vpgen-test clientName: vpgen-CaZzzer
clientPubkey: BJ5faPVJsDP4CCxNYilmKnwlQXOtXEOJjqIwb4U/CgM= clientPubkey: BJ5faPVJsDP4CCxNYilmKnwlQXOtXEOJjqIwb4U/CgM=
psk: 0LWopbrISXBNHUxr+WOhCSAg+0hD8j3TLmpyzHkBHCQ= psk: 0LWopbrISXBNHUxr+WOhCSAg+0hD8j3TLmpyzHkBHCQ=
clientTunnelAddress: 10.18.11.101/32,fd00::1/128 clientTunnelAddress: 10.18.11.101/32,fd00::1/128

BIN
bun.lockb
View File

Binary file not shown.

1
package.json
View File

@ -51,6 +51,7 @@
"@oslojs/encoding": "^1.1.0", "@oslojs/encoding": "^1.1.0",
"arctic": "^2.2.1", "arctic": "^2.2.1",
"drizzle-orm": "^0.38.2", "drizzle-orm": "^0.38.2",
"ip-address": "^10.0.1",
"lucide-svelte": "^0.454.0" "lucide-svelte": "^0.454.0"
} }
} }

174
src/routes/api/clients/+server.ts
View File

@ -1,7 +1,17 @@
import { error, type RequestHandler } from '@sveltejs/kit'; import { error } from '@sveltejs/kit';
import { wgClients } from '$lib/server/db/schema'; import { ipAllocations, wgClients } from '$lib/server/db/schema';
import { db } from '$lib/server/db'; import { db } from '$lib/server/db';
import { eq } from 'drizzle-orm'; import { eq, isNull } from 'drizzle-orm';
import {
IP_MAX_INDEX,
IPV4_STARTING_ADDR,
IPV6_CLIENT_PREFIX_SIZE,
IPV6_STARTING_ADDR,
VPN_ENDPOINT,
} from '$env/static/private';
import { opnsenseAuth, opnsenseUrl, serverUuid } from '$lib/server/opnsense';
import type { RequestHandler } from './$types';
import { Address4, Address6 } from 'ip-address';
export const GET: RequestHandler = async (event) => { export const GET: RequestHandler = async (event) => {
if (!event.locals.user) { if (!event.locals.user) {
@ -12,7 +22,7 @@ export const GET: RequestHandler = async (event) => {
return new Response( return new Response(
JSON.stringify({ JSON.stringify({
clients, clients,
}) }),
); );
}; };
@ -20,9 +30,161 @@ async function findClients(userId: string) {
return db.query.wgClients.findMany({ return db.query.wgClients.findMany({
where: eq(wgClients.userId, userId), where: eq(wgClients.userId, userId),
with: { with: {
ipAllocation: true ipAllocation: true,
} },
}); });
} }
export type Clients = Awaited<ReturnType<typeof findClients>>; export type Clients = Awaited<ReturnType<typeof findClients>>;
export const POST: RequestHandler = async (event) => {
if (!event.locals.user) {
return error(401, 'Unauthorized');
}
// this is going to be quite long
// 1. fetch params for new client from opnsense api
// 2.1 get an allocation for the client
// 2.2. insert new client into db
// 2.3. update the allocation with the client id
// 3. create the client in opnsense
// 4. reconfigure opnsense to enable the new client
const err: ReturnType<typeof error> | undefined = await db.transaction(async (tx) => {
// fetch params for new client from opnsense api
const keys = await getKeys();
// find first unallocated IP
const availableAllocation = await tx.query.ipAllocations.findFirst({
columns: {
id: true,
},
where: isNull(ipAllocations.clientId),
});
// find last allocation to check if we have any IPs left
const lastAllocation = await tx.query.ipAllocations.findFirst({
columns: {
id: true,
},
orderBy: (ipAllocations, { desc }) => desc(ipAllocations.id),
});
// check for existing allocation or if we have any IPs left
if (!availableAllocation && lastAllocation && lastAllocation.id >= parseInt(IP_MAX_INDEX)) {
return error(500, 'No more IP addresses available');
}
// use existing allocation or create a new one
const ipAllocationId =
availableAllocation?.id ??
(await tx.insert(ipAllocations).values({}).returning({ id: ipAllocations.id }))[0].id;
// transaction savepoint after creating a new IP allocation
// TODO: not sure if this is needed
return await tx.transaction(async (tx2) => {
// create client in opnsense
const opnsenseRes = await opnsenseCreateClient({
// @ts-expect-error event.locals.user is checked at the beginning of the function
username: event.locals.user.username,
pubkey: keys.pubkey,
psk: keys.psk,
allowedIps: getAllowedIps(ipAllocationId - 1),
});
const opnsenseResJson = await opnsenseRes.json();
if (opnsenseResJson['result'] !== 'saved') {
tx2.rollback();
console.error(`Error creating client in OPNsense: \n${opnsenseResJson}`);
return error(500, 'Error creating client in OPNsense');
}
// create new client in db
const [newClient] = await tx2
.insert(wgClients)
.values({
// @ts-expect-error event.locals.user is checked at the beginning of the function
userId: event.locals.user.id,
name: 'New Client',
publicKey: keys.pubkey,
privateKey: keys.privkey,
preSharedKey: keys.psk,
})
.returning({ id: wgClients.id });
// update IP allocation with client ID
await tx2
.update(ipAllocations)
.set({ clientId: newClient.id })
.where(eq(ipAllocations.id, ipAllocationId));
// reconfigure opnsense
await opnsenseReconfigure();
});
});
return err?? new Response(null, { status: 201 });
};
async function getKeys() {
// fetch key pair from opnsense
const options: RequestInit = {
method: 'GET',
headers: {
Authorization: opnsenseAuth,
Accept: 'application/json',
},
};
const resKeyPair = await fetch(`${opnsenseUrl}/api/wireguard/server/key_pair`, options);
const resPsk = await fetch(`${opnsenseUrl}/api/wireguard/client/psk`, options);
const keyPair = await resKeyPair.json();
const psk = await resPsk.json();
return {
pubkey: keyPair['pubkey'] as string,
privkey: keyPair['privkey'] as string,
psk: psk['psk'] as string,
};
}
function getAllowedIps(ipIndex: number) {
const v4StartingAddr = new Address4(IPV4_STARTING_ADDR);
const v6StartingAddr = new Address6(IPV6_STARTING_ADDR);
const v4Allowed = Address4.fromBigInt(v4StartingAddr.bigInt() + BigInt(ipIndex));
const v6Offset = BigInt(ipIndex) << (128n - BigInt(IPV6_CLIENT_PREFIX_SIZE));
const v6Allowed = Address6.fromBigInt(v6StartingAddr.bigInt() + v6Offset);
const v6AllowedShort = v6Allowed.parsedAddress.join(':');
return `${v4Allowed.address}/32,${v6AllowedShort}/${IPV6_CLIENT_PREFIX_SIZE}`;
}
async function opnsenseCreateClient(params: {
username: string;
pubkey: string;
psk: string;
allowedIps: string;
}) {
return fetch(`${opnsenseUrl}/api/wireguard/client/addClientBuilder`, {
method: 'POST',
headers: {
Authorization: opnsenseAuth,
Accept: 'application/json',
'Content-Type': 'application/json',
},
body: JSON.stringify({
configbuilder: {
enabled: '1',
name: `vpgen-${params.username}`,
pubkey: params.pubkey,
psk: params.psk,
tunneladdress: params.allowedIps,
server: serverUuid,
endpoint: VPN_ENDPOINT,
},
}),
});
}
async function opnsenseReconfigure() {
return fetch(`${opnsenseUrl}/api/wireguard/service/reconfigure`, {
method: 'POST',
headers: {
Authorization: opnsenseAuth,
Accept: 'application/json',
},
});
}