Merge pull request #422 from firezone/391/device_default_config

Expose more device defaults in config file

apps/fz_http/lib/fz_http/devices.ex

@@ -136,57 +136,63 @@ defmodule FzHttp.Devices do
     end)
   end
 
-  def allowed_ips(device) do
-    if device.use_default_allowed_ips do
-      Settings.default_device_allowed_ips()
-    else
-      device.allowed_ips
-    end
-  end
-
-  def dns_servers(device) do
-    if device.use_default_dns_servers do
-      Settings.default_device_dns_servers()
-    else
-      device.dns_servers
-    end
-  end
-
   def new_device do
     change_device(%Device{})
   end
 
   def endpoint(device) do
     if device.use_default_endpoint do
-      Settings.default_device_endpoint() || ConnectivityChecks.endpoint()
+      Settings.default_device_endpoint() ||
+        Application.fetch_env!(:fz_http, :wireguard_endpoint) ||
+        ConnectivityChecks.endpoint()
     else
       device.endpoint
     end
   end
 
+  def allowed_ips(device) do
+    if device.use_default_allowed_ips do
+      Settings.default_device_allowed_ips() ||
+        Application.fetch_env!(:fz_http, :wireguard_allowed_ips)
+    else
+      device.allowed_ips
+    end
+  end
+
+  def dns(device) do
+    if device.use_default_dns do
+      Settings.default_device_dns() ||
+        Application.fetch_env!(:fz_http, :wireguard_dns)
+    else
+      device.dns
+    end
+  end
+
   def mtu(device) do
     if device.use_default_mtu do
-      Settings.default_device_mtu()
+      Settings.default_device_mtu() ||
+        Application.fetch_env!(:fz_http, :wireguard_mtu)
     else
       device.mtu
     end
   end
 
-  def persistent_keepalives(device) do
-    if device.use_default_persistent_keepalives do
-      Settings.default_device_persistent_keepalives()
+  def persistent_keepalive(device) do
+    if device.use_default_persistent_keepalive do
+      Settings.default_device_persistent_keepalive() ||
+        Application.fetch_env!(:fz_http, :wireguard_persistent_keepalive)
     else
-      device.persistent_keepalives
+      device.persistent_keepalive
     end
   end
 
   def defaults(changeset) do
     ~w(
       use_default_allowed_ips
-      use_default_dns_servers
+      use_default_dns
       use_default_endpoint
       use_default_mtu
-      use_default_persistent_keepalives
+      use_default_persistent_keepalive
     )a
     |> Enum.map(fn field -> {field, Device.field(changeset, field)} end)
     |> Map.new()
@@ -200,13 +206,13 @@ defmodule FzHttp.Devices do
     PrivateKey = #{device.private_key}
     Address = #{inet(device)}
     #{mtu_config(device)}
-    #{dns_servers_config(device)}
+    #{dns_config(device)}
 
     [Peer]
     PublicKey = #{device.server_public_key}
-    AllowedIPs = #{allowed_ips(device)}
+    #{allowed_ips_config(device)}
     Endpoint = #{endpoint(device)}:#{wireguard_port}
-    #{persistent_keepalives_config(device)}
+    #{persistent_keepalive_config(device)}
     """
   end
 
@@ -224,44 +230,58 @@ defmodule FzHttp.Devices do
   defp mtu_config(device) do
     m = mtu(device)
 
-    if is_nil(m) do
+    if field_empty?(m) do
       ""
     else
       "MTU = #{m}"
     end
   end
 
-  defp persistent_keepalives_config(device) do
-    pk = persistent_keepalives(device)
+  defp allowed_ips_config(device) do
+    a = allowed_ips(device)
 
-    if is_nil(pk) do
+    if field_empty?(a) do
+      ""
+    else
+      "AllowedIPs = #{a}"
+    end
+  end
+
+  defp persistent_keepalive_config(device) do
+    pk = persistent_keepalive(device)
+
+    if field_empty?(pk) do
       ""
     else
       "PersistentKeepalive = #{pk}"
     end
   end
 
-  defp dns_servers_config(device) when is_struct(device) do
-    dns_servers = dns_servers(device)
+  defp dns_config(device) when is_struct(device) do
+    dns = dns(device)
 
-    if dns_servers_empty?(dns_servers) do
+    if field_empty?(dns) do
       ""
     else
-      "DNS = #{dns_servers}"
+      "DNS = #{dns}"
     end
   end
 
-  defp dns_servers_empty?(nil), do: true
+  defp field_empty?(nil), do: true
 
-  defp dns_servers_empty?(dns_servers) when is_binary(dns_servers) do
+  defp field_empty?(0), do: true
+
+  defp field_empty?(field) when is_binary(field) do
     len =
-      dns_servers
+      field
       |> String.trim()
       |> String.length()
 
     len == 0
   end
 
+  defp field_empty?(_), do: false
+
   defp ipv4? do
     Application.fetch_env!(:fz_http, :wireguard_ipv4_enabled)
   end

apps/fz_http/lib/fz_http/devices/device.ex

@@ -25,15 +25,15 @@ defmodule FzHttp.Devices.Device do
     field :name, :string
     field :public_key, :string
     field :use_default_allowed_ips, :boolean, read_after_writes: true, default: true
-    field :use_default_dns_servers, :boolean, read_after_writes: true, default: true
+    field :use_default_dns, :boolean, read_after_writes: true, default: true
     field :use_default_endpoint, :boolean, read_after_writes: true, default: true
     field :use_default_mtu, :boolean, read_after_writes: true, default: true
-    field :use_default_persistent_keepalives, :boolean, read_after_writes: true, default: true
+    field :use_default_persistent_keepalive, :boolean, read_after_writes: true, default: true
     field :endpoint, :string
     field :mtu, :integer
-    field :persistent_keepalives, :integer
+    field :persistent_keepalive, :integer
     field :allowed_ips, :string
-    field :dns_servers, :string
+    field :dns, :string
     field :private_key, FzHttp.Encrypted.Binary
     field :server_public_key, :string
     field :remote_ip, EctoNetwork.INET
@@ -70,15 +70,15 @@ defmodule FzHttp.Devices.Device do
     device
     |> cast(attrs, [
       :use_default_allowed_ips,
-      :use_default_dns_servers,
+      :use_default_dns,
       :use_default_endpoint,
       :use_default_mtu,
-      :use_default_persistent_keepalives,
+      :use_default_persistent_keepalive,
       :allowed_ips,
-      :dns_servers,
+      :dns,
       :endpoint,
       :mtu,
-      :persistent_keepalives,
+      :persistent_keepalive,
       :remote_ip,
       :ipv4,
       :ipv6,
@@ -103,23 +103,23 @@ defmodule FzHttp.Devices.Device do
     ])
     |> validate_required_unless_default([
       :allowed_ips,
-      :dns_servers,
+      :dns,
       :endpoint,
       :mtu,
-      :persistent_keepalives
+      :persistent_keepalive
     ])
     |> validate_omitted_if_default([
       :allowed_ips,
-      :dns_servers,
+      :dns,
       :endpoint,
-      :persistent_keepalives,
+      :persistent_keepalive,
       :mtu
     ])
     |> validate_list_of_ips_or_cidrs(:allowed_ips)
-    |> validate_list_of_ips(:dns_servers)
-    |> validate_no_duplicates(:dns_servers)
+    |> validate_list_of_ips(:dns)
+    |> validate_no_duplicates(:dns)
     |> validate_fqdn_or_ip(:endpoint)
-    |> validate_number(:persistent_keepalives,
+    |> validate_number(:persistent_keepalive,
       greater_than_or_equal_to: 0,
       less_than_or_equal_to: 120
     )

apps/fz_http/lib/fz_http/settings.ex

@@ -12,10 +12,10 @@ defmodule FzHttp.Settings do
 
   def_settings(~w(
     default.device.allowed_ips
-    default.device.dns_servers
+    default.device.dns
     default.device.endpoint
     default.device.mtu
-    default.device.persistent_keepalives
+    default.device.persistent_keepalive
     security.require_auth_for_vpn_frequency
   ))
 

apps/fz_http/lib/fz_http/settings/setting.ex

@@ -23,7 +23,7 @@ defmodule FzHttp.Settings.Setting do
     ]
 
   @mtu_range 576..1500
-  @persistent_keepalives_range 0..120
+  @persistent_keepalive_range 0..120
 
   schema "settings" do
     field :key, :string
@@ -47,7 +47,7 @@ defmodule FzHttp.Settings.Setting do
 
   defp validate_setting(changeset), do: changeset
 
-  defp validate_kv_pair(changeset, "default.device.dns_servers") do
+  defp validate_kv_pair(changeset, "default.device.dns") do
     changeset
     |> validate_list_of_ips(:value)
     |> validate_no_duplicates(:value)
@@ -55,7 +55,6 @@ defmodule FzHttp.Settings.Setting do
 
   defp validate_kv_pair(changeset, "default.device.allowed_ips") do
     changeset
-    |> validate_required(:value)
     |> validate_list_of_ips_or_cidrs(:value)
     |> validate_no_duplicates(:value)
   end
@@ -69,8 +68,8 @@ defmodule FzHttp.Settings.Setting do
     validate_range(changeset, @mtu_range)
   end
 
-  defp validate_kv_pair(changeset, "default.device.persistent_keepalives") do
-    validate_range(changeset, @persistent_keepalives_range)
+  defp validate_kv_pair(changeset, "default.device.persistent_keepalive") do
+    validate_range(changeset, @persistent_keepalive_range)
   end
 
   defp validate_kv_pair(changeset, "security.require_auth_for_vpn_frequency") do

apps/fz_http/lib/fz_http_web/live/device_live/form_component.ex

@@ -19,12 +19,12 @@ defmodule FzHttpWeb.DeviceLive.FormComponent do
      |> assign(assigns)
      |> assign(Devices.defaults(changeset))
      |> assign(:default_device_allowed_ips, Settings.default_device_allowed_ips())
-     |> assign(:default_device_dns_servers, Settings.default_device_dns_servers())
+     |> assign(:default_device_dns, Settings.default_device_dns())
      |> assign(:default_device_endpoint, default_device_endpoint)
      |> assign(:default_device_mtu, default_device_mtu)
      |> assign(
-       :default_device_persistent_keepalives,
-       Settings.default_device_persistent_keepalives()
+       :default_device_persistent_keepalive,
+       Settings.default_device_persistent_keepalive()
      )
      |> assign(:changeset, changeset)}
   end

apps/fz_http/lib/fz_http_web/live/device_live/form_component.html.heex

@@ -38,29 +38,29 @@
     </div>
 
     <div class="field">
-      <%= label f, :use_default_dns_servers, "Use Default DNS Servers", class: "label" %>
+      <%= label f, :use_default_dns, "Use Default DNS Servers", class: "label" %>
       <div class="control">
         <label class="radio">
-          <%= radio_button f, :use_default_dns_servers, true %>
+          <%= radio_button f, :use_default_dns, true %>
           Yes
         </label>
         <label class="radio">
-          <%= radio_button f, :use_default_dns_servers, false %>
+          <%= radio_button f, :use_default_dns, false %>
           No
         </label>
       </div>
       <p class="help">
-        Default: <%= @default_device_dns_servers %>
+        Default: <%= @default_device_dns %>
       </p>
     </div>
 
     <div class="field">
-      <%= label f, :dns_servers, "DNS Servers", class: "label" %>
+      <%= label f, :dns, "DNS Servers", class: "label" %>
       <div class="control">
-        <%= text_input f, :dns_servers, class: "input", disabled: @use_default_dns_servers %>
+        <%= text_input f, :dns, class: "input", disabled: @use_default_dns %>
       </div>
       <p class="help is-danger">
-        <%= error_tag f, :dns_servers %>
+        <%= error_tag f, :dns %>
       </p>
     </div>
 
@@ -121,35 +121,35 @@
     </div>
 
     <div class="field">
-      <%= label f, :use_default_persistent_keepalives, "Use Default Persistent Keepalives", class: "label" %>
+      <%= label f, :use_default_persistent_keepalive, "Use Default Persistent Keepalive", class: "label" %>
       <div class="control">
         <label class="radio">
-          <%= radio_button f, :use_default_persistent_keepalives, true %>
+          <%= radio_button f, :use_default_persistent_keepalive, true %>
           Yes
         </label>
         <label class="radio">
-          <%= radio_button f, :use_default_persistent_keepalives, false %>
+          <%= radio_button f, :use_default_persistent_keepalive, false %>
           No
         </label>
       </div>
       <p class="help">
-        Default: <%= @default_device_persistent_keepalives %>
+        Default: <%= @default_device_persistent_keepalive %>
       </p>
     </div>
 
     <div class="field">
-      <%= label f, :persistent_keepalives, "Persistent Keepalives", class: "label" %>
+      <%= label f, :persistent_keepalive, "Persistent Keepalive", class: "label" %>
       <p>
         Interval for WireGuard
         <a href="https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence">
-          persistent keepalives</a>. A value of 0 disables this. Leave this disabled
+          persistent keepalive</a>. A value of 0 disables this. Leave this disabled
           unless you're experiencing NAT or firewall traversal problems.
       </p>
       <div class="control">
-        <%= text_input f, :persistent_keepalives, class: "input", disabled: @use_default_persistent_keepalives %>
+        <%= text_input f, :persistent_keepalive, class: "input", disabled: @use_default_persistent_keepalive %>
       </div>
       <p class="help is-danger">
-        <%= error_tag f, :persistent_keepalives %>
+        <%= error_tag f, :persistent_keepalive %>
       </p>
     </div>
 

apps/fz_http/lib/fz_http_web/live/device_live/show.html.heex

@@ -60,7 +60,7 @@
 
       <tr>
         <td><strong>DNS Servers</strong></td>
-        <td><%= @dns_servers || "None" %></td>
+        <td><%= @dns || "None" %></td>
       </tr>
 
       <tr>
@@ -69,12 +69,12 @@
       </tr>
 
       <tr>
-        <td><strong>Persistent Keepalives</strong></td>
+        <td><strong>Persistent Keepalive</strong></td>
         <td>
-          <%= if @persistent_keepalives == 0 do %>
+          <%= if @persistent_keepalive == 0 do %>
             Disabled
           <% else %>
-            Every <%= @persistent_keepalives %> seconds
+            Every <%= @persistent_keepalive %> seconds
           <% end %>
         </td>
       </tr>

apps/fz_http/lib/fz_http_web/live/device_live/show_live.ex

@@ -85,10 +85,10 @@ defmodule FzHttpWeb.DeviceLive.Show do
         user: Users.get_user!(device.user_id),
         page_title: device.name,
         allowed_ips: Devices.allowed_ips(device),
-        dns_servers: Devices.dns_servers(device),
+        dns: Devices.dns(device),
         endpoint: Devices.endpoint(device),
         mtu: Devices.mtu(device),
-        persistent_keepalives: Devices.persistent_keepalives(device),
+        persistent_keepalive: Devices.persistent_keepalive(device),
         config: Devices.as_config(device)
       )
     else

apps/fz_http/lib/fz_http_web/live/setting_live/default.html.heex

@@ -15,7 +15,7 @@
     <%= live_component(
         FzHttpWeb.SettingLive.DefaultFormComponent,
         label_text: "Allowed IPs",
-        placeholder: nil,
+        placeholder: @allowed_ips_placeholder,
         changeset: @changesets["default.device.allowed_ips"],
         help_text: @help_texts.allowed_ips,
         id: :allowed_ips_form_component) %>
@@ -23,10 +23,10 @@
     <%= live_component(
         FzHttpWeb.SettingLive.DefaultFormComponent,
         label_text: "DNS Servers",
-        placeholder: nil,
-        changeset: @changesets["default.device.dns_servers"],
-        help_text: @help_texts.dns_servers,
-        id: :dns_servers_form_component) %>
+        placeholder: @dns_placeholder,
+        changeset: @changesets["default.device.dns"],
+        help_text: @help_texts.dns,
+        id: :dns_form_component) %>
 
     <%= live_component(
         FzHttpWeb.SettingLive.DefaultFormComponent,
@@ -38,11 +38,11 @@
 
     <%= live_component(
         FzHttpWeb.SettingLive.DefaultFormComponent,
-        label_text: "Persistent Keepalives",
-        placeholder: "0",
-        changeset: @changesets["default.device.persistent_keepalives"],
-        help_text: @help_texts.persistent_keepalives,
-        id: :persistent_keepalives_form_component) %>
+        label_text: "Persistent Keepalive",
+        placeholder: @persistent_keepalive_placeholder,
+        changeset: @changesets["default.device.persistent_keepalive"],
+        help_text: @help_texts.persistent_keepalive,
+        id: :persistent_keepalive_form_component) %>
 
     <%= live_component(
         FzHttpWeb.SettingLive.DefaultFormComponent,

apps/fz_http/lib/fz_http_web/live/setting_live/default_live.ex

@@ -13,7 +13,7 @@ defmodule FzHttpWeb.SettingLive.Default do
       Firezone. Specify a comma-separated list of IPs or CIDRs here to achieve split tunneling, or use
       <code>0.0.0.0/0, ::/0</code> to route all device traffic through this Firezone server.
     """,
-    dns_servers: """
+    dns: """
       Comma-separated list of DNS servers to use for devices.
       Leaving this blank will omit the <code>DNS</code> section in
       generated device configs.
@@ -22,7 +22,7 @@ defmodule FzHttpWeb.SettingLive.Default do
       IPv4 or IPv6 address that devices will be configured to connect
       to. Defaults to this server's public IP if not set.
     """,
-    persistent_keepalives: """
+    persistent_keepalive: """
       Interval in seconds to send persistent keepalive packets. Most users won't need to change
       this. Set to 0 or leave blank to disable. Leave this blank if you're unsure what this means.
     """,
@@ -47,6 +47,18 @@ defmodule FzHttpWeb.SettingLive.Default do
     Application.fetch_env!(:fz_http, :wireguard_mtu)
   end
 
+  defp dns_placeholder do
+    Application.fetch_env!(:fz_http, :wireguard_dns)
+  end
+
+  defp allowed_ips_placeholder do
+    Application.fetch_env!(:fz_http, :wireguard_allowed_ips)
+  end
+
+  defp persistent_keepalive_placeholder do
+    Application.fetch_env!(:fz_http, :wireguard_persistent_keepalive)
+  end
+
   defp load_changesets do
     Settings.to_list("default.")
     |> Map.new(fn setting -> {setting.key, Settings.change_setting(setting)} end)
@@ -61,6 +73,9 @@ defmodule FzHttpWeb.SettingLive.Default do
       |> assign(:help_texts, @help_texts)
       |> assign(:endpoint_placeholder, endpoint_placeholder())
       |> assign(:mtu_placeholder, mtu_placeholder())
+      |> assign(:dns_placeholder, dns_placeholder())
+      |> assign(:allowed_ips_placeholder, allowed_ips_placeholder())
+      |> assign(:persistent_keepalive_placeholder, persistent_keepalive_placeholder())
       |> assign(:page_title, "Default Settings")
     else
       not_authorized(socket)

apps/fz_http/priv/repo/migrations/20211116173236_create_settings.exs

@@ -15,11 +15,20 @@ defmodule FzHttp.Repo.Migrations.CreateSettings do
 
     now = DateTime.utc_now()
 
-    execute """
-    INSERT INTO settings (key, value, inserted_at, updated_at) VALUES \
-    ('default.device.dns_servers', '1.1.1.1, 1.0.0.1', '#{now}', '#{now}'),
-    ('default.device.allowed_ips', '0.0.0.0/0, ::/0', '#{now}', '#{now}'),
-    ('default.device.endpoint', null, '#{now}', '#{now}')
-    """
+    execute(
+      """
+      INSERT INTO settings (key, value, inserted_at, updated_at) VALUES \
+      ('default.device.dns_servers', null, '#{now}', '#{now}'),
+      ('default.device.allowed_ips', null, '#{now}', '#{now}'),
+      ('default.device.endpoint', null, '#{now}', '#{now}')
+      """,
+      """
+      DELETE FROM settings WHERE key IN (
+        'default.device.dns_servers',
+        'default.device.allowed_ips',
+        'default.device.endpoint'
+      )
+      """
+    )
   end
 end

apps/fz_http/priv/repo/migrations/20211217003247_add_persistent_keepalives.exs

@@ -9,9 +9,14 @@ defmodule FzHttp.Repo.Migrations.AddPersistentKeepalives do
 
     now = DateTime.utc_now()
 
-    execute """
-    INSERT INTO settings (key, value, inserted_at, updated_at) VALUES \
-    ('default.device.persistent_keepalives', 0, '#{now}', '#{now}')
-    """
+    execute(
+      """
+      INSERT INTO settings (key, value, inserted_at, updated_at) VALUES \
+      ('default.device.persistent_keepalives', null, '#{now}', '#{now}')
+      """,
+      """
+      DELETE FROM settings WHERE key = 'default.device.persistent_keepalives'
+      """
+    )
   end
 end

apps/fz_http/priv/repo/migrations/20220111004847_add_mtu_to_devices.exs

@@ -9,9 +9,14 @@ defmodule FzHttp.Repo.Migrations.AddMtuToDevices do
 
     now = DateTime.utc_now()
 
-    execute """
-    INSERT INTO settings (key, value, inserted_at, updated_at) VALUES \
-    ('default.device.mtu', null, '#{now}', '#{now}')
-    """
+    execute(
+      """
+      INSERT INTO settings (key, value, inserted_at, updated_at) VALUES \
+      ('default.device.mtu', null, '#{now}', '#{now}')
+      """,
+      """
+      DELETE FROM settings WHERE key = 'default.device.mtu'
+      """
+    )
   end
 end

apps/fz_http/priv/repo/migrations/20220127021835_rename_persistent_keepalives.exs

@@ -0,0 +1,23 @@
+defmodule FzHttp.Repo.Migrations.RenamePersistentKeepalives do
+  use Ecto.Migration
+
+  def change do
+    execute(
+      """
+      UPDATE settings
+      SET key = 'default.device.persistent_keepalive'
+      WHERE key = 'default.device.persistent_keepalives'
+      """,
+      """
+      UPDATE settings
+      SET key = 'default.device.persistent_keepalives'
+      WHERE key = 'default.device.persistent_keepalive'
+      """
+    )
+
+    rename table(:devices), :persistent_keepalives, to: :persistent_keepalive
+
+    rename table(:devices), :use_default_persistent_keepalives,
+      to: :use_default_persistent_keepalive
+  end
+end

apps/fz_http/priv/repo/migrations/20220127191440_rename_dns_servers_to_dns.exs

@@ -0,0 +1,21 @@
+defmodule FzHttp.Repo.Migrations.RenameDnsServersToDns do
+  use Ecto.Migration
+
+  def change do
+    execute(
+      """
+      UPDATE settings
+      SET key = 'default.device.dns'
+      WHERE key = 'default.device.dns_servers'
+      """,
+      """
+      UPDATE settings
+      SET key = 'default.device.dns_servers'
+      WHERE key = 'default.device.dns'
+      """
+    )
+
+    rename table(:devices), :dns_servers, to: :dns
+    rename table(:devices), :use_default_dns_servers, to: :use_default_dns
+  end
+end

apps/fz_http/test/fz_http/devices_test.exs

@@ -110,17 +110,17 @@ defmodule FzHttp.DevicesTest do
       use_default_allowed_ips: false
     }
 
-    @valid_dns_servers_attrs %{
-      use_default_dns_servers: false,
-      dns_servers: "1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001"
+    @valid_dns_attrs %{
+      use_default_dns: false,
+      dns: "1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001"
     }
 
-    @invalid_dns_servers_attrs %{
-      dns_servers: "8.8.8.8, 1.1.1, 1.0.0, 1.1.1."
+    @invalid_dns_attrs %{
+      dns: "8.8.8.8, 1.1.1, 1.0.0, 1.1.1."
     }
 
-    @duplicate_dns_servers_attrs %{
-      dns_servers: "8.8.8.8, 1.1.1.1, 1.1.1.1, ::1, ::1, ::1, ::1, ::1, 8.8.8.8"
+    @duplicate_dns_attrs %{
+      dns: "8.8.8.8, 1.1.1.1, 1.1.1.1, ::1, ::1, ::1, ::1, ::1, 8.8.8.8"
     }
 
     @valid_allowed_ips_attrs %{
@@ -167,9 +167,9 @@ defmodule FzHttp.DevicesTest do
       assert @attrs = test_device
     end
 
-    test "updates device with valid dns_servers", %{device: device} do
-      {:ok, test_device} = Devices.update_device(device, @valid_dns_servers_attrs)
-      assert @valid_dns_servers_attrs = test_device
+    test "updates device with valid dns", %{device: device} do
+      {:ok, test_device} = Devices.update_device(device, @valid_dns_attrs)
+      assert @valid_dns_attrs = test_device
     end
 
     test "updates device with valid ipv4 endpoint", %{device: device} do
@@ -214,19 +214,19 @@ defmodule FzHttp.DevicesTest do
              }
     end
 
-    test "prevents updating device with invalid dns_servers", %{device: device} do
-      {:error, changeset} = Devices.update_device(device, @invalid_dns_servers_attrs)
+    test "prevents updating device with invalid dns", %{device: device} do
+      {:error, changeset} = Devices.update_device(device, @invalid_dns_attrs)
 
-      assert changeset.errors[:dns_servers] == {
+      assert changeset.errors[:dns] == {
                "is invalid: 1.1.1 is not a valid IPv4 / IPv6 address",
                []
              }
     end
 
     test "prevents assigning duplicate DNS servers", %{device: device} do
-      {:error, changeset} = Devices.update_device(device, @duplicate_dns_servers_attrs)
+      {:error, changeset} = Devices.update_device(device, @duplicate_dns_attrs)
 
-      assert changeset.errors[:dns_servers] == {
+      assert changeset.errors[:dns] == {
                "is invalid: duplicate DNS servers are not allowed: 1.1.1.1, ::1, 8.8.8.8",
                []
              }

apps/fz_http/test/fz_http/settings_test.exs

@@ -4,7 +4,7 @@ defmodule FzHttp.SettingsTest do
   alias FzHttp.Settings
 
   @setting_keys ~w(
-    default.device.dns_servers
+    default.device.dns
     default.device.allowed_ips
     default.device.endpoint
     default.device.mtu
@@ -17,25 +17,25 @@ defmodule FzHttp.SettingsTest do
 
     @valid_settings [
       %{
-        "default.device.dns_servers" => "8.8.8.8",
+        "default.device.dns" => "8.8.8.8",
         "default.device.allowed_ips" => "::/0",
         "default.device.endpoint" => "172.10.10.10",
-        "default.device.persistent_keepalives" => "20",
+        "default.device.persistent_keepalive" => "20",
         "default.device.mtu" => "1280"
       },
       %{
-        "default.device.dns_servers" => "8.8.8.8",
+        "default.device.dns" => "8.8.8.8",
         "default.device.allowed_ips" => "::/0",
         "default.device.endpoint" => "foobar.example.com",
-        "default.device.persistent_keepalives" => "15",
+        "default.device.persistent_keepalive" => "15",
         "default.device.mtu" => "1420"
       }
     ]
     @invalid_settings %{
-      "default.device.dns_servers" => "foobar",
-      "default.device.allowed_ips" => nil,
+      "default.device.dns" => "foobar",
+      "default.device.allowed_ips" => "foobar",
       "default.device.endpoint" => "foobar",
-      "default.device.persistent_keepalives" => "-120",
+      "default.device.persistent_keepalive" => "-120",
       "default.device.mtu" => "1501"
     }
 

apps/fz_http/test/fz_http_web/live/device_live/show_test.exs

@@ -13,12 +13,12 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
     @allowed_ips_unchanged %{
       "device" => %{"use_default_allowed_ips" => "true", "allowed_ips" => @allowed_ips}
     }
-    @dns_servers "8.8.8.8, 8.8.4.4"
-    @dns_servers_change %{
-      "device" => %{"use_default_dns_servers" => "false", "dns_servers" => @dns_servers}
+    @dns "8.8.8.8, 8.8.4.4"
+    @dns_change %{
+      "device" => %{"use_default_dns" => "false", "dns" => @dns}
     }
-    @dns_servers_unchanged %{
-      "device" => %{"use_default_dns_servers" => "true", "dns_servers" => @dns_servers}
+    @dns_unchanged %{
+      "device" => %{"use_default_dns" => "true", "dns" => @dns}
     }
     @wireguard_endpoint "6.6.6.6"
     @endpoint_change %{
@@ -33,20 +33,20 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
     @mtu_unchanged %{
       "device" => %{"use_default_mtu" => "true", "mtu" => "1280"}
     }
-    @persistent_keepalives_change %{
+    @persistent_keepalive_change %{
       "device" => %{
-        "use_default_persistent_keepalives" => "false",
-        "persistent_keepalives" => "120"
+        "use_default_persistent_keepalive" => "false",
+        "persistent_keepalive" => "120"
       }
     }
-    @persistent_keepalives_unchanged %{
-      "device" => %{"use_default_persistent_keepalives" => "true", "persistent_keepalives" => "5"}
+    @persistent_keepalive_unchanged %{
+      "device" => %{"use_default_persistent_keepalive" => "true", "persistent_keepalive" => "5"}
     }
     @default_allowed_ips_change %{
       "device" => %{"use_default_allowed_ips" => "false"}
     }
-    @default_dns_servers_change %{
-      "device" => %{"use_default_dns_servers" => "false"}
+    @default_dns_change %{
+      "device" => %{"use_default_dns" => "false"}
     }
     @default_endpoint_change %{
       "device" => %{"use_default_endpoint" => "false"}
@@ -54,8 +54,8 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
     @default_mtu_change %{
       "device" => %{"use_default_mtu" => "false"}
     }
-    @default_persistent_keepalives_change %{
-      "device" => %{"use_default_persistent_keepalives" => "false"}
+    @default_persistent_keepalive_change %{
+      "device" => %{"use_default_persistent_keepalive" => "false"}
     }
 
     test "shows device details", %{authed_conn: conn, device: device} do
@@ -103,7 +103,7 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
       assert test_view =~ "must not be present"
     end
 
-    test "prevents dns_servers changes when use_default_dns_servers is true", %{
+    test "prevents dns changes when use_default_dns is true", %{
       authed_conn: conn,
       device: device
     } do
@@ -113,7 +113,7 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
       test_view =
         view
         |> form("#edit-device")
-        |> render_submit(@dns_servers_unchanged)
+        |> render_submit(@dns_unchanged)
 
       assert test_view =~ "must not be present"
     end
@@ -148,7 +148,7 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
       assert test_view =~ "must not be present"
     end
 
-    test "prevents persistent_keepalives changes when use_default_persistent_keepalives is true",
+    test "prevents persistent_keepalive changes when use_default_persistent_keepalive is true",
          %{
            authed_conn: conn,
            device: device
@@ -159,7 +159,7 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
       test_view =
         view
         |> form("#edit-device")
-        |> render_submit(@persistent_keepalives_unchanged)
+        |> render_submit(@persistent_keepalive_unchanged)
 
       assert test_view =~ "must not be present"
     end
@@ -179,19 +179,19 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
       assert html =~ "AllowedIPs = #{@allowed_ips}"
     end
 
-    test "allows dns_servers changes", %{authed_conn: conn, device: device} do
+    test "allows dns changes", %{authed_conn: conn, device: device} do
       path = Routes.device_show_path(conn, :edit, device)
       {:ok, view, _html} = live(conn, path)
 
       view
       |> form("#edit-device")
-      |> render_submit(@dns_servers_change)
+      |> render_submit(@dns_change)
 
       flash = assert_redirected(view, Routes.device_show_path(conn, :show, device))
       assert flash["info"] == "Device updated successfully."
 
       {:ok, _view, html} = live(conn, path)
-      assert html =~ "DNS = #{@dns_servers}"
+      assert html =~ "DNS = #{@dns}"
     end
 
     test "allows endpoint changes", %{authed_conn: conn, device: device} do
@@ -224,13 +224,13 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
       assert html =~ "MTU = 1280"
     end
 
-    test "allows persistent_keepalives changes", %{authed_conn: conn, device: device} do
+    test "allows persistent_keepalive changes", %{authed_conn: conn, device: device} do
       path = Routes.device_show_path(conn, :edit, device)
       {:ok, view, _html} = live(conn, path)
 
       view
       |> form("#edit-device")
-      |> render_submit(@persistent_keepalives_change)
+      |> render_submit(@persistent_keepalive_change)
 
       flash = assert_redirected(view, Routes.device_show_path(conn, :show, device))
       assert flash["info"] == "Device updated successfully."
@@ -265,17 +265,17 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
              """
     end
 
-    test "on use_default_dns_servers change", %{authed_conn: conn, device: device} do
+    test "on use_default_dns change", %{authed_conn: conn, device: device} do
       path = Routes.device_show_path(conn, :edit, device)
       {:ok, view, _html} = live(conn, path)
 
       test_view =
         view
         |> form("#edit-device")
-        |> render_change(@default_dns_servers_change)
+        |> render_change(@default_dns_change)
 
       assert test_view =~ """
-             <input class="input" id="edit-device_dns_servers" name="device[dns_servers]" type="text"/>\
+             <input class="input" id="edit-device_dns" name="device[dns]" type="text"/>\
              """
     end
 
@@ -307,17 +307,17 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
              """
     end
 
-    test "on use_default_persistent_keepalives change", %{authed_conn: conn, device: device} do
+    test "on use_default_persistent_keepalive change", %{authed_conn: conn, device: device} do
       path = Routes.device_show_path(conn, :edit, device)
       {:ok, view, _html} = live(conn, path)
 
       test_view =
         view
         |> form("#edit-device")
-        |> render_change(@default_persistent_keepalives_change)
+        |> render_change(@default_persistent_keepalive_change)
 
       assert test_view =~ """
-             <input class="input" id="edit-device_persistent_keepalives" name="device[persistent_keepalives]" type="text"/>\
+             <input class="input" id="edit-device_persistent_keepalive" name="device[persistent_keepalive]" type="text"/>\
              """
     end
   end

apps/fz_http/test/fz_http_web/live/setting_live/default_test.exs

@@ -7,7 +7,7 @@ defmodule FzHttpWeb.SettingLive.DefaultTest do
     @valid_allowed_ips %{
       "setting" => %{"value" => "1.1.1.1"}
     }
-    @valid_dns_servers %{
+    @valid_dns %{
       "setting" => %{"value" => "1.1.1.1"}
     }
     @valid_endpoint %{
@@ -17,7 +17,7 @@ defmodule FzHttpWeb.SettingLive.DefaultTest do
     @invalid_allowed_ips %{
       "setting" => %{"value" => "foobar"}
     }
-    @invalid_dns_servers %{
+    @invalid_dns %{
       "setting" => %{"value" => "foobar"}
     }
     @invalid_endpoint %{
@@ -32,15 +32,19 @@ defmodule FzHttpWeb.SettingLive.DefaultTest do
     end
 
     test "renders current settings", %{html: html} do
-      assert html =~ Settings.default_device_allowed_ips()
-      assert html =~ Settings.default_device_dns_servers()
+      assert html =~
+               (Settings.default_device_allowed_ips() ||
+                  Application.fetch_env!(:fz_http, :wireguard_allowed_ips))
+
+      assert html =~
+               (Settings.default_device_dns() || Application.fetch_env!(:fz_http, :wireguard_dns))
 
       assert html =~ """
              id="endpoint_form_component"\
              """
 
       assert html =~ """
-             id="persistent_keepalives_form_component"\
+             id="persistent_keepalive_form_component"\
              """
     end
 
@@ -61,11 +65,11 @@ defmodule FzHttpWeb.SettingLive.DefaultTest do
              """
     end
 
-    test "shows Save button after dns_servers form is changed", %{view: view} do
+    test "shows Save button after dns form is changed", %{view: view} do
       test_view =
         view
-        |> element("#dns_servers_form_component")
-        |> render_change(@valid_dns_servers)
+        |> element("#dns_form_component")
+        |> render_change(@valid_dns)
 
       assert test_view =~ """
              <button class="button is-primary" type="submit">Save</button>\
@@ -92,20 +96,20 @@ defmodule FzHttpWeb.SettingLive.DefaultTest do
       refute test_view =~ "is invalid"
 
       assert test_view =~ """
-             <input class="input is-success" id="allowed_ips_form_component_value" name="setting[value]" type="text" value="1.1.1.1"/>\
+             <input class="input is-success" id="allowed_ips_form_component_value" name="setting[value]" placeholder="0.0.0.0/0, ::/0" type="text" value="1.1.1.1"/>\
              """
     end
 
-    test "updates default dns_servers", %{view: view} do
+    test "updates default dns", %{view: view} do
       test_view =
         view
-        |> element("#dns_servers_form_component")
-        |> render_submit(@valid_dns_servers)
+        |> element("#dns_form_component")
+        |> render_submit(@valid_dns)
 
       refute test_view =~ "is invalid"
 
       assert test_view =~ """
-             <input class="input is-success" id="dns_servers_form_component_value" name="setting[value]" type="text" value="1.1.1.1"/>\
+             <input class="input is-success" id="dns_form_component_value" name="setting[value]" placeholder="1.1.1.1, 1.0.0.1" type="text" value="1.1.1.1"/>\
              """
     end
 
@@ -135,16 +139,16 @@ defmodule FzHttpWeb.SettingLive.DefaultTest do
              """
     end
 
-    test "prevents invalid dns_servers", %{view: view} do
+    test "prevents invalid dns", %{view: view} do
       test_view =
         view
-        |> element("#dns_servers_form_component")
-        |> render_submit(@invalid_dns_servers)
+        |> element("#dns_form_component")
+        |> render_submit(@invalid_dns)
 
       assert test_view =~ "is invalid"
 
       refute test_view =~ """
-             <input id="dns_servers_form_component" class="input is-success"\
+             <input id="dns_form_component" class="input is-success"\
              """
     end
 

apps/fz_http/test/support/fixtures/settings_fixtures.ex

@@ -9,7 +9,7 @@ defmodule FzHttp.SettingsFixtures do
   @doc """
   Generate a setting.
   """
-  def setting_fixture(key \\ "default.device.dns_servers") do
+  def setting_fixture(key \\ "default.device.dns") do
     Settings.get_setting!(key: key)
   end
 end

apps/fz_vpn/lib/fz_vpn/cli/live.ex

@@ -63,8 +63,8 @@ defmodule FzVpn.CLI.Live do
     show("latest-handshakes")
   end
 
-  def show_persistent_keepalives do
-    show("persistent-keepalives")
+  def show_persistent_keepalive do
+    show("persistent-keepalive")
   end
 
   def show_transfer do

apps/fz_vpn/lib/fz_vpn/cli/sandbox.ex

@@ -18,7 +18,7 @@ defmodule FzVpn.CLI.Sandbox do
     transfer: 1.21 MiB received, 39.30 MiB sent
   """
   @show_latest_handshakes "4 seconds ago"
-  @show_persistent_keepalives "every 25 seconds"
+  @show_persistent_keepalive "every 25 seconds"
   @show_transfer "4.60 MiB received, 59.21 MiB sent"
   @default_returned ""
 
@@ -63,7 +63,7 @@ defmodule FzVpn.CLI.Sandbox do
   end
 
   def show_latest_handshakes, do: @show_latest_handshakes
-  def show_persistent_keepalives, do: @show_persistent_keepalives
+  def show_persistent_keepalive, do: @show_persistent_keepalive
   def show_transfer, do: @show_transfer
 
   # Generate extremely fake keys in Sandbox mode

apps/fz_vpn/test/fz_vpn/cli/sandbox_test.exs

@@ -40,8 +40,8 @@ defmodule FzVpn.CLI.SandboxTest do
     assert cli().show_latest_handshakes() == "4 seconds ago"
   end
 
-  test "show_persistent_keepalives" do
-    assert cli().show_persistent_keepalives() == "every 25 seconds"
+  test "show_persistent_keepalive" do
+    assert cli().show_persistent_keepalive() == "every 25 seconds"
   end
 
   test "show_transfer" do

config/config.exs

@@ -43,6 +43,10 @@ config :posthog,
 
 config :fz_http,
   url_host: "firezone.dev",
+  wireguard_endpoint: nil,
+  wireguard_dns: "1.1.1.1, 1.0.0.1",
+  wireguard_allowed_ips: "0.0.0.0/0, ::/0",
+  wireguard_persistent_keepalive: 0,
   wireguard_ipv4_enabled: true,
   wireguard_ipv4_network: "10.3.2.0/24",
   wireguard_ipv4_address: "10.3.2.1",

config/releases.exs

@@ -24,6 +24,9 @@ nft_path = System.fetch_env!("NFT_PATH")
 wg_path = System.fetch_env!("WG_PATH")
 egress_interface = System.fetch_env!("EGRESS_INTERFACE")
 wireguard_public_key = System.fetch_env!("WIREGUARD_PUBLIC_KEY")
+wireguard_dns = System.fetch_env!("WIREGUARD_DNS")
+wireguard_allowed_ips = System.fetch_env!("WIREGUARD_ALLOWED_IPS")
+wireguard_persistent_keepalive = System.fetch_env!("WIREGUARD_PERSISTENT_KEEPALIVE")
 wireguard_ipv4_enabled = FzString.to_boolean(System.fetch_env!("WIREGUARD_IPV4_ENABLED"))
 wireguard_ipv4_network = System.fetch_env!("WIREGUARD_IPV4_NETWORK")
 wireguard_ipv4_address = System.fetch_env!("WIREGUARD_IPV4_ADDRESS")
@@ -31,6 +34,7 @@ wireguard_ipv6_enabled = FzString.to_boolean(System.fetch_env!("WIREGUARD_IPV6_E
 wireguard_ipv6_network = System.fetch_env!("WIREGUARD_IPV6_NETWORK")
 wireguard_ipv6_address = System.fetch_env!("WIREGUARD_IPV6_ADDRESS")
 wireguard_mtu = System.fetch_env!("WIREGUARD_MTU")
+wireguard_endpoint = System.fetch_env!("WIREGUARD_ENDPOINT")
 telemetry_enabled = FzString.to_boolean(System.fetch_env!("TELEMETRY_ENABLED"))
 
 telemetry_module =
@@ -118,6 +122,9 @@ config :fz_vpn,
   cli: FzVpn.CLI.Live
 
 config :fz_http,
+  wireguard_dns: wireguard_dns,
+  wireguard_allowed_ips: wireguard_allowed_ips,
+  wireguard_persistent_keepalive: wireguard_persistent_keepalive,
   wireguard_ipv4_enabled: wireguard_ipv4_enabled,
   wireguard_ipv4_network: wireguard_ipv4_network,
   wireguard_ipv4_address: wireguard_ipv4_address,

docs/docs/reference/configuration-file.md

@@ -115,7 +115,11 @@ Shown below is a complete listing of the configuration options available in
 | `default['firezone']['wireguard']['log_rotation']['num_to_keep']`             | Number of WireGuard log files to keep.                                                                       | `10`                                                                   |
 | `default['firezone']['wireguard']['interface_name']`                          | WireGuard interface name.                                                                                    | `'wg-firezone'`                                                        |
 | `default['firezone']['wireguard']['port']`                                    | WireGuard listen port.                                                                                       | `51820`                                                                |
-| `default['firezone']['wireguard']['mtu']`                                     | WireGuard interface MTU.                                                                                     | `1420`                                                                 |
+| `default['firezone']['wireguard']['mtu']`                                     | WireGuard interface MTU for this server and for device configurations.                                       | `1420`                                                                 |
+| `default['firezone']['wireguard']['endpoint']`                                | WireGuard `Endpoint` to use for generating device configurations. If `nil`, defaults to the server's public IP address. | `nil`                                                       |
+| `default['firezone']['wireguard']['dns']`                                     | WireGuard `DNS` to use for generated device configurations.                                                  | `'1.1.1.1, 1.0.0.1'`                                                   |
+| `default['firezone']['wireguard']['allowed_ips']`                             | WireGuard `AllowedIPs` to use for generated device configurations.                                           | `'0.0.0.0/0, ::/0'`                                                    |
+| `default['firezone']['wireguard']['persistent_keepalive']`                    | Default PersistentKeepalive setting for generated device configurations. A value of 0 disables.              | `0`                                                                    |
 | `default['firezone']['wireguard']['ipv4']['enabled']`                         | Enable or disable IPv4 for WireGuard network.                                                                | `true`                                                                 |
 | `default['firezone']['wireguard']['ipv4']['network']`                         | WireGuard network IPv4 address pool.                                                                         | `'10.3.2.0/24'`                                                        |
 | `default['firezone']['wireguard']['ipv4']['address']`                         | WireGuard interface IPv4 address. Must be within WireGuard address pool.                                     | `'10.3.2.1'`                                                           |

omnibus/cookbooks/firezone/attributes/default.rb

@@ -216,11 +216,33 @@ default['firezone']['wireguard']['log_rotation']['num_to_keep'] = 10
 
 # The WireGuard interface name Firezone will apply configuration settings to.
 default['firezone']['wireguard']['interface_name'] = 'wg-firezone'
+
 # WireGuard listen port
 default['firezone']['wireguard']['port'] = 51820
+
 # WireGuard interface MTU
 default['firezone']['wireguard']['mtu'] = 1420
 
+# WireGuard endpoint
+# By default, the public IP address of this server is used as the Endpoint
+# field for generating Device configs. Override this if you wish to change.
+default['firezone']['wireguard']['endpoint'] = nil
+
+# Default AllowedIPs to use for generated device configs specified as a comma-separated
+# list of IPv4 / IPv6 CIDRs.
+# Default is to tunnel all IPv4 and IPv6 traffic with '0.0.0.0/0, ::/0'
+default['firezone']['wireguard']['allowed_ips'] = '0.0.0.0/0, ::/0'
+
+# Default DNS servers to use for generated device configs.
+# Defaults to CloudFlare's public DNS. Set to nil to omit DNS from  generated
+# device configurations.
+default['firezone']['wireguard']['dns'] = '1.1.1.1, 1.0.0.1'
+
+# Default PersistentKeepalive setting to use for generated device configs.
+# See https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
+# Set to 0 or nil to disable. Default 0.
+default['firezone']['wireguard']['persistent_keepalive'] = 0
+
 # Enable or disable IPv4 connectivity in your WireGuard network. Default enabled.
 default['firezone']['wireguard']['ipv4']['enabled'] = true
 

omnibus/cookbooks/firezone/libraries/config.rb

@@ -242,6 +242,10 @@ class Firezone
         'WIREGUARD_INTERFACE_NAME' => attributes['wireguard']['interface_name'],
         'WIREGUARD_PORT' => attributes['wireguard']['port'].to_s,
         'WIREGUARD_MTU' => attributes['wireguard']['mtu'].to_s,
+        'WIREGUARD_ENDPOINT' => attributes['wireguard']['endpoint'].to_s,
+        'WIREGUARD_DNS' => attributes['wireguard']['dns'].to_s,
+        'WIREGUARD_ALLOWED_IPS' => attributes['wireguard']['allowed_ips'].to_s,
+        'WIREGUARD_PERSISTENT_KEEPALIVE' => attributes['wireguard']['persistent_keepalive'].to_s,
         'WIREGUARD_PUBLIC_KEY' => attributes['wireguard_public_key'],
         'WIREGUARD_IPV4_ENABLED' => attributes['wireguard']['ipv4']['enabled'].to_s,
         'WIREGUARD_IPV4_NETWORK' => attributes['wireguard']['ipv4']['network'],