Interval for WireGuard
- persistent keepalives. A value of 0 disables this. Leave this disabled
+ persistent keepalive. A value of 0 disables this. Leave this disabled
unless you're experiencing NAT or firewall traversal problems.
- <%= if @persistent_keepalives == 0 do %>
+ <%= if @persistent_keepalive == 0 do %>
Disabled
<% else %>
- Every <%= @persistent_keepalives %> seconds
+ Every <%= @persistent_keepalive %> seconds
<% end %>
diff --git a/apps/fz_http/lib/fz_http_web/live/device_live/show_live.ex b/apps/fz_http/lib/fz_http_web/live/device_live/show_live.ex
index 36eb51faf..d719cad29 100644
--- a/apps/fz_http/lib/fz_http_web/live/device_live/show_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/device_live/show_live.ex
@@ -88,7 +88,7 @@ defmodule FzHttpWeb.DeviceLive.Show do
dns_servers: Devices.dns_servers(device),
endpoint: Devices.endpoint(device),
mtu: Devices.mtu(device),
- persistent_keepalives: Devices.persistent_keepalives(device),
+ persistent_keepalive: Devices.persistent_keepalive(device),
config: Devices.as_config(device)
)
else
diff --git a/apps/fz_http/lib/fz_http_web/live/setting_live/default.html.heex b/apps/fz_http/lib/fz_http_web/live/setting_live/default.html.heex
index 84bf80b42..5b3f319be 100644
--- a/apps/fz_http/lib/fz_http_web/live/setting_live/default.html.heex
+++ b/apps/fz_http/lib/fz_http_web/live/setting_live/default.html.heex
@@ -38,11 +38,11 @@
<%= live_component(
FzHttpWeb.SettingLive.DefaultFormComponent,
- label_text: "Persistent Keepalives",
+ label_text: "Persistent Keepalive",
placeholder: "0",
- changeset: @changesets["default.device.persistent_keepalives"],
- help_text: @help_texts.persistent_keepalives,
- id: :persistent_keepalives_form_component) %>
+ changeset: @changesets["default.device.persistent_keepalive"],
+ help_text: @help_texts.persistent_keepalive,
+ id: :persistent_keepalive_form_component) %>
<%= live_component(
FzHttpWeb.SettingLive.DefaultFormComponent,
diff --git a/apps/fz_http/lib/fz_http_web/live/setting_live/default_live.ex b/apps/fz_http/lib/fz_http_web/live/setting_live/default_live.ex
index e6468134b..bd73855d6 100644
--- a/apps/fz_http/lib/fz_http_web/live/setting_live/default_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/setting_live/default_live.ex
@@ -22,7 +22,7 @@ defmodule FzHttpWeb.SettingLive.Default do
IPv4 or IPv6 address that devices will be configured to connect
to. Defaults to this server's public IP if not set.
""",
- persistent_keepalives: """
+ persistent_keepalive: """
Interval in seconds to send persistent keepalive packets. Most users won't need to change
this. Set to 0 or leave blank to disable. Leave this blank if you're unsure what this means.
""",
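Review bot: The help text kept under the renamed `persistent_keepalive:` key still says `Set to 0 or leave blank to disable`, but after this change a blank setting appears to fall back to the `:wireguard_persistent_keepalive` application value (the placeholder helper added further down this file reads it), and that value is 0 only by default. On an install where `WIREGUARD_PERSISTENT_KEEPALIVE` is set to a non-zero value, leaving the field blank would enable keepalives rather than disable them, so the text would mislead the operator. Suggest `this. Set to 0 to disable, or leave blank to use the server default shown in the placeholder.`, assuming the fallback works the way the placeholder implies. The `@help_texts` attribute begins outside the hunk.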
@@ -47,6 +47,18 @@ defmodule FzHttpWeb.SettingLive.Default do
Application.fetch_env!(:fz_http, :wireguard_mtu)
end
+ defp dns_placeholder do
+ Application.fetch_env!(:fz_http, :wireguard_dns)
+ end
+
+ defp allowed_ips_placeholder do
+ Application.fetch_env!(:fz_http, :wireguard_allowed_ips)
+ end
+
+ defp persistent_keepalive_placeholder do
+ Application.fetch_env!(:fz_http, :wireguard_persistent_keepalive)
+ end
+
defp load_changesets do
Settings.to_list("default.")
|> Map.new(fn setting -> {setting.key, Settings.change_setting(setting)} end)
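Review bot: The three new private functions `dns_placeholder/0`, `allowed_ips_placeholder/0` and `persistent_keepalive_placeholder/0` are identical apart from the config key, and they follow two existing wrappers of the same shape, so the module now has five one-line copies of `Application.fetch_env!(:fz_http, …)`. A single `defp placeholder(key), do: Application.fetch_env!(:fz_http, key)` called as `placeholder(:wireguard_dns)` from the assign pipeline would read the same and keep the key list in one place. This is a style point only; behaviour is unchanged either way.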
@@ -61,6 +73,9 @@ defmodule FzHttpWeb.SettingLive.Default do
|> assign(:help_texts, @help_texts)
|> assign(:endpoint_placeholder, endpoint_placeholder())
|> assign(:mtu_placeholder, mtu_placeholder())
+ |> assign(:dns_placeholder, dns_placeholder())
+ |> assign(:allowed_ips_placeholder, allowed_ips_placeholder())
+ |> assign(:persistent_keepalive_placeholder, persistent_keepalive_placeholder())
|> assign(:page_title, "Default Settings")
else
not_authorized(socket)
diff --git a/apps/fz_http/priv/repo/migrations/20211116173236_create_settings.exs b/apps/fz_http/priv/repo/migrations/20211116173236_create_settings.exs
index b3c06bb3b..a6be559d7 100644
--- a/apps/fz_http/priv/repo/migrations/20211116173236_create_settings.exs
+++ b/apps/fz_http/priv/repo/migrations/20211116173236_create_settings.exs
@@ -17,8 +17,8 @@ defmodule FzHttp.Repo.Migrations.CreateSettings do
execute """
INSERT INTO settings (key, value, inserted_at, updated_at) VALUES \
- ('default.device.dns_servers', '1.1.1.1, 1.0.0.1', '#{now}', '#{now}'),
- ('default.device.allowed_ips', '0.0.0.0/0, ::/0', '#{now}', '#{now}'),
+ ('default.device.dns_servers', null, '#{now}', '#{now}'),
+ ('default.device.allowed_ips', null, '#{now}', '#{now}'),
('default.device.endpoint', null, '#{now}', '#{now}')
"""
end
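Review bot: Changing the seed values in this already-shipped migration (and the `0` → `null` change in `20211217003247_add_persistent_keepalives.exs` in the next hunk) only affects fresh databases; an installation that has already run these migrations keeps `'1.1.1.1, 1.0.0.1'`, `'0.0.0.0/0, ::/0'` and `0` stored as explicit settings. On those installs the new config-driven defaults (`wireguard_dns`, `wireguard_allowed_ips`, `wireguard_persistent_keepalive`) would presumably never be consulted, and their behaviour silently diverges from a new install. If the intent is for the application config to become the source of defaults everywhere, a forward data migration that nulls a row whose value still equals the old seed literal would be needed — with the caveat that an operator who deliberately typed the same value cannot be told apart from the seed, so that decision should be stated in the migration's comment.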
diff --git a/apps/fz_http/priv/repo/migrations/20211217003247_add_persistent_keepalives.exs b/apps/fz_http/priv/repo/migrations/20211217003247_add_persistent_keepalives.exs
index 909e7a122..bcb9b4a84 100644
--- a/apps/fz_http/priv/repo/migrations/20211217003247_add_persistent_keepalives.exs
+++ b/apps/fz_http/priv/repo/migrations/20211217003247_add_persistent_keepalives.exs
@@ -11,7 +11,7 @@ defmodule FzHttp.Repo.Migrations.AddPersistentKeepalives do
execute """
INSERT INTO settings (key, value, inserted_at, updated_at) VALUES \
- ('default.device.persistent_keepalives', 0, '#{now}', '#{now}')
+ ('default.device.persistent_keepalives', null, '#{now}', '#{now}')
"""
end
end
diff --git a/apps/fz_http/priv/repo/migrations/20220127021835_rename_persistent_keepalives.exs b/apps/fz_http/priv/repo/migrations/20220127021835_rename_persistent_keepalives.exs
new file mode 100644
index 000000000..9c116badd
--- /dev/null
+++ b/apps/fz_http/priv/repo/migrations/20220127021835_rename_persistent_keepalives.exs
@@ -0,0 +1,23 @@
+defmodule FzHttp.Repo.Migrations.RenamePersistentKeepalives do
+ use Ecto.Migration
+
+ def change do
+ execute(
+ """
+ UPDATE settings
+ SET key = 'default.device.persistent_keepalive'
+ WHERE key = 'default.device.persistent_keepalives'
+ """,
+ """
+ UPDATE settings
+ SET key = 'default.device.persistent_keepalives'
+ WHERE key = 'default.device.persistent_keepalive'
+ """
+ )
+
+ rename table(:devices), :persistent_keepalives, to: :persistent_keepalive
+
+ rename table(:devices), :use_default_persistent_keepalives,
+ to: :use_default_persistent_keepalive
+ end
+end
diff --git a/apps/fz_http/test/fz_http/settings_test.exs b/apps/fz_http/test/fz_http/settings_test.exs
index 630c89f3d..40dae5ef4 100644
--- a/apps/fz_http/test/fz_http/settings_test.exs
+++ b/apps/fz_http/test/fz_http/settings_test.exs
@@ -20,14 +20,14 @@ defmodule FzHttp.SettingsTest do
"default.device.dns_servers" => "8.8.8.8",
"default.device.allowed_ips" => "::/0",
"default.device.endpoint" => "172.10.10.10",
- "default.device.persistent_keepalives" => "20",
+ "default.device.persistent_keepalive" => "20",
"default.device.mtu" => "1280"
},
%{
"default.device.dns_servers" => "8.8.8.8",
"default.device.allowed_ips" => "::/0",
"default.device.endpoint" => "foobar.example.com",
- "default.device.persistent_keepalives" => "15",
+ "default.device.persistent_keepalive" => "15",
"default.device.mtu" => "1420"
}
]
@@ -35,7 +35,7 @@ defmodule FzHttp.SettingsTest do
"default.device.dns_servers" => "foobar",
"default.device.allowed_ips" => nil,
"default.device.endpoint" => "foobar",
- "default.device.persistent_keepalives" => "-120",
+ "default.device.persistent_keepalive" => "-120",
"default.device.mtu" => "1501"
}
diff --git a/apps/fz_http/test/fz_http_web/live/device_live/show_test.exs b/apps/fz_http/test/fz_http_web/live/device_live/show_test.exs
index 0a0c01e53..558705838 100644
--- a/apps/fz_http/test/fz_http_web/live/device_live/show_test.exs
+++ b/apps/fz_http/test/fz_http_web/live/device_live/show_test.exs
@@ -33,14 +33,14 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
@mtu_unchanged %{
"device" => %{"use_default_mtu" => "true", "mtu" => "1280"}
}
- @persistent_keepalives_change %{
+ @persistent_keepalive_change %{
"device" => %{
- "use_default_persistent_keepalives" => "false",
- "persistent_keepalives" => "120"
+ "use_default_persistent_keepalive" => "false",
+ "persistent_keepalive" => "120"
}
}
- @persistent_keepalives_unchanged %{
- "device" => %{"use_default_persistent_keepalives" => "true", "persistent_keepalives" => "5"}
+ @persistent_keepalive_unchanged %{
+ "device" => %{"use_default_persistent_keepalive" => "true", "persistent_keepalive" => "5"}
}
@default_allowed_ips_change %{
"device" => %{"use_default_allowed_ips" => "false"}
@@ -54,8 +54,8 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
@default_mtu_change %{
"device" => %{"use_default_mtu" => "false"}
}
- @default_persistent_keepalives_change %{
- "device" => %{"use_default_persistent_keepalives" => "false"}
+ @default_persistent_keepalive_change %{
+ "device" => %{"use_default_persistent_keepalive" => "false"}
}
test "shows device details", %{authed_conn: conn, device: device} do
@@ -148,7 +148,7 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
assert test_view =~ "must not be present"
end
- test "prevents persistent_keepalives changes when use_default_persistent_keepalives is true",
+ test "prevents persistent_keepalive changes when use_default_persistent_keepalive is true",
%{
authed_conn: conn,
device: device
@@ -159,7 +159,7 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
test_view =
view
|> form("#edit-device")
- |> render_submit(@persistent_keepalives_unchanged)
+ |> render_submit(@persistent_keepalive_unchanged)
assert test_view =~ "must not be present"
end
@@ -224,13 +224,13 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
assert html =~ "MTU = 1280"
end
- test "allows persistent_keepalives changes", %{authed_conn: conn, device: device} do
+ test "allows persistent_keepalive changes", %{authed_conn: conn, device: device} do
path = Routes.device_show_path(conn, :edit, device)
{:ok, view, _html} = live(conn, path)
view
|> form("#edit-device")
- |> render_submit(@persistent_keepalives_change)
+ |> render_submit(@persistent_keepalive_change)
flash = assert_redirected(view, Routes.device_show_path(conn, :show, device))
assert flash["info"] == "Device updated successfully."
@@ -307,17 +307,17 @@ defmodule FzHttpWeb.DeviceLive.ShowTest do
"""
end
- test "on use_default_persistent_keepalives change", %{authed_conn: conn, device: device} do
+ test "on use_default_persistent_keepalive change", %{authed_conn: conn, device: device} do
path = Routes.device_show_path(conn, :edit, device)
{:ok, view, _html} = live(conn, path)
test_view =
view
|> form("#edit-device")
- |> render_change(@default_persistent_keepalives_change)
+ |> render_change(@default_persistent_keepalive_change)
assert test_view =~ """
- \
+ \
"""
end
end
diff --git a/apps/fz_http/test/fz_http_web/live/setting_live/default_test.exs b/apps/fz_http/test/fz_http_web/live/setting_live/default_test.exs
index dc9fb6755..10ce46909 100644
--- a/apps/fz_http/test/fz_http_web/live/setting_live/default_test.exs
+++ b/apps/fz_http/test/fz_http_web/live/setting_live/default_test.exs
@@ -40,7 +40,7 @@ defmodule FzHttpWeb.SettingLive.DefaultTest do
"""
assert html =~ """
- id="persistent_keepalives_form_component"\
+ id="persistent_keepalive_form_component"\
"""
end
diff --git a/apps/fz_vpn/lib/fz_vpn/cli/live.ex b/apps/fz_vpn/lib/fz_vpn/cli/live.ex
index 4c56591c0..3fc8cd460 100644
--- a/apps/fz_vpn/lib/fz_vpn/cli/live.ex
+++ b/apps/fz_vpn/lib/fz_vpn/cli/live.ex
@@ -63,8 +63,8 @@ defmodule FzVpn.CLI.Live do
show("latest-handshakes")
end
- def show_persistent_keepalives do
- show("persistent-keepalives")
+ def show_persistent_keepalive do
+ show("persistent-keepalive")
end
def show_transfer do
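Review bot: The renamed `show_persistent_keepalive/0` now passes `"persistent-keepalive"` to `show/1`, which is the singular subcommand name wg(8) actually accepts for `wg show`, so this hunk corrects a wrong argument rather than just renaming. Because `show/1` and its error handling are outside the hunk I cannot say what the old invalid subcommand returned, but a short comment would stop a future "consistency" rename from reintroducing it: `# "persistent-keepalive" (singular) is the wg(8) show subcommand name; do not pluralise.`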
diff --git a/apps/fz_vpn/lib/fz_vpn/cli/sandbox.ex b/apps/fz_vpn/lib/fz_vpn/cli/sandbox.ex
index 3516214b9..ca57d9d95 100644
--- a/apps/fz_vpn/lib/fz_vpn/cli/sandbox.ex
+++ b/apps/fz_vpn/lib/fz_vpn/cli/sandbox.ex
@@ -18,7 +18,7 @@ defmodule FzVpn.CLI.Sandbox do
transfer: 1.21 MiB received, 39.30 MiB sent
"""
@show_latest_handshakes "4 seconds ago"
- @show_persistent_keepalives "every 25 seconds"
+ @show_persistent_keepalive "every 25 seconds"
@show_transfer "4.60 MiB received, 59.21 MiB sent"
@default_returned ""
@@ -63,7 +63,7 @@ defmodule FzVpn.CLI.Sandbox do
end
def show_latest_handshakes, do: @show_latest_handshakes
- def show_persistent_keepalives, do: @show_persistent_keepalives
+ def show_persistent_keepalive, do: @show_persistent_keepalive
def show_transfer, do: @show_transfer
# Generate extremely fake keys in Sandbox mode
diff --git a/apps/fz_vpn/test/fz_vpn/cli/sandbox_test.exs b/apps/fz_vpn/test/fz_vpn/cli/sandbox_test.exs
index 33f49589c..d50fd91c9 100644
--- a/apps/fz_vpn/test/fz_vpn/cli/sandbox_test.exs
+++ b/apps/fz_vpn/test/fz_vpn/cli/sandbox_test.exs
@@ -40,8 +40,8 @@ defmodule FzVpn.CLI.SandboxTest do
assert cli().show_latest_handshakes() == "4 seconds ago"
end
- test "show_persistent_keepalives" do
- assert cli().show_persistent_keepalives() == "every 25 seconds"
+ test "show_persistent_keepalive" do
+ assert cli().show_persistent_keepalive() == "every 25 seconds"
end
test "show_transfer" do
diff --git a/config/config.exs b/config/config.exs
index 4ef37fe23..dab7ccffe 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -43,6 +43,9 @@ config :posthog,
config :fz_http,
url_host: "firezone.dev",
+ wireguard_dns: "1.1.1.1, 1.0.0.1",
+ wireguard_allowed_ips: "0.0.0.0/0, ::/0",
+ wireguard_persistent_keepalive: 0,
wireguard_ipv4_enabled: true,
wireguard_ipv4_network: "10.3.2.0/24",
wireguard_ipv4_address: "10.3.2.1",
diff --git a/config/releases.exs b/config/releases.exs
index 94f05ea9f..6050600da 100644
--- a/config/releases.exs
+++ b/config/releases.exs
@@ -21,6 +21,9 @@ nft_path = System.fetch_env!("NFT_PATH")
wg_path = System.fetch_env!("WG_PATH")
egress_interface = System.fetch_env!("EGRESS_INTERFACE")
wireguard_public_key = System.fetch_env!("WIREGUARD_PUBLIC_KEY")
+wireguard_dns = System.fetch_env!("WIREGUARD_DNS")
+wireguard_allowed_ips = System.fetch_env!("WIREGUARD_ALLOWED_IPS")
+wireguard_persistent_keepalive = System.fetch_env!("WIREGUARD_PERSISTENT_KEEPALIVE")
wireguard_ipv4_enabled = FzString.to_boolean(System.fetch_env!("WIREGUARD_IPV4_ENABLED"))
wireguard_ipv4_network = System.fetch_env!("WIREGUARD_IPV4_NETWORK")
wireguard_ipv4_address = System.fetch_env!("WIREGUARD_IPV4_ADDRESS")
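Review bot: `wireguard_persistent_keepalive` is bound to the raw `System.fetch_env!("WIREGUARD_PERSISTENT_KEEPALIVE")` string, whereas `config/config.exs` in this same change sets `wireguard_persistent_keepalive: 0` as an integer, so the application value has a different type in a release than in dev/test. The neighbouring `WIREGUARD_IPV4_ENABLED` line already converts with `FzString.to_boolean/1`; the integer case should do the same, e.g. `wireguard_persistent_keepalive = String.to_integer(System.fetch_env!("WIREGUARD_PERSISTENT_KEEPALIVE"))`, so a non-numeric value fails at boot rather than wherever the setting is later compared or rendered. Note also that a value arriving through the environment bypasses the settings validation the test suite exercises for `"-120"`, so the intended range should be enforced here or at the point of use — I cannot see that consumer from this hunk.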
@@ -107,6 +110,9 @@ config :fz_vpn,
cli: FzVpn.CLI.Live
config :fz_http,
+ wireguard_dns: wireguard_dns,
+ wireguard_allowed_ips: wireguard_allowed_ips,
+ wireguard_persistent_keepalive: wireguard_persistent_keepalive,
wireguard_ipv4_enabled: wireguard_ipv4_enabled,
wireguard_ipv4_network: wireguard_ipv4_network,
wireguard_ipv4_address: wireguard_ipv4_address,
diff --git a/docs/docs/reference/configuration-file.md b/docs/docs/reference/configuration-file.md
index 026f1738f..024f9f59f 100644
--- a/docs/docs/reference/configuration-file.md
+++ b/docs/docs/reference/configuration-file.md
@@ -113,6 +113,9 @@ Shown below is a complete listing of the configuration options available in
| `default['firezone']['wireguard']['interface_name']` | WireGuard interface name. | `'wg-firezone'` |
| `default['firezone']['wireguard']['port']` | WireGuard listen port. | `51820` |
| `default['firezone']['wireguard']['mtu']` | WireGuard interface MTU. | `1420` |
+| `default['firezone']['wireguard']['dns']` | Default DNS servers to use for generated device configurations. | `'1.1.1.1, 1.0.0.1'` |
+| `default['firezone']['wireguard']['allowed_ips']` | Default AllowedIPs to use for generated device configurations. | `'0.0.0.0/0, ::/0'` |
+| `default['firezone']['wireguard']['persistent_keepalive']` | Default PersistentKeepalive setting for generated device configurations. A value of 0 disables. | `0` |
| `default['firezone']['wireguard']['ipv4']['enabled']` | Enable or disable IPv4 for WireGuard network. | `true` |
| `default['firezone']['wireguard']['ipv4']['network']` | WireGuard network IPv4 address pool. | `'10.3.2.0/24'` |
| `default['firezone']['wireguard']['ipv4']['address']` | WireGuard interface IPv4 address. Must be within WireGuard address pool. | `'10.3.2.1'` |
diff --git a/omnibus/cookbooks/firezone/attributes/default.rb b/omnibus/cookbooks/firezone/attributes/default.rb
index 293bfaad6..112c6ae21 100644
--- a/omnibus/cookbooks/firezone/attributes/default.rb
+++ b/omnibus/cookbooks/firezone/attributes/default.rb
@@ -214,6 +214,19 @@ default['firezone']['wireguard']['port'] = 51820
# WireGuard interface MTU
default['firezone']['wireguard']['mtu'] = 1420
+# Default AllowedIPs to use for generated device configs. Default is to
+# route all traffic through the tunnel: '0.0.0.0/0, ::/0'
+default['firezone']['wireguard']['allowed_ips'] = '0.0.0.0/0, ::/0'
+
+# Default DNS servers to use for generated device configs. Default is
+# CloudFlare DNS, '1.1.1.1, 1.0.0.1'
+default['firezone']['wireguard']['dns'] = '1.1.1.1, 1.0.0.1'
+
+# Default PersistentKeepalive setting to use for generated device configs.
+# See https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
+# Default is 0 which disables PersistentKeepalive.
+default['firezone']['wireguard']['persistent_keepalive'] = 0
+
# Enable or disable IPv4 connectivity in your WireGuard network. Default enabled.
default['firezone']['wireguard']['ipv4']['enabled'] = true
diff --git a/omnibus/cookbooks/firezone/libraries/config.rb b/omnibus/cookbooks/firezone/libraries/config.rb
index 85acd3f65..be7867adf 100644
--- a/omnibus/cookbooks/firezone/libraries/config.rb
+++ b/omnibus/cookbooks/firezone/libraries/config.rb
@@ -238,6 +238,9 @@ class Firezone
'WIREGUARD_INTERFACE_NAME' => attributes['wireguard']['interface_name'],
'WIREGUARD_PORT' => attributes['wireguard']['port'].to_s,
'WIREGUARD_MTU' => attributes['wireguard']['mtu'].to_s,
+ 'WIREGUARD_DNS' => attributes['wireguard']['dns'].to_s,
+ 'WIREGUARD_ALLOWED_IPS' => attributes['wireguard']['allowed_ips'].to_s,
+ 'WIREGUARD_PERSISTENT_KEEPALIVE' => attributes['wireguard']['persistent_keepalive'].to_s,
'WIREGUARD_PUBLIC_KEY' => attributes['wireguard_public_key'],
'WIREGUARD_IPV4_ENABLED' => attributes['wireguard']['ipv4']['enabled'].to_s,
'WIREGUARD_IPV4_NETWORK' => attributes['wireguard']['ipv4']['network'],