luci-proto-wireguard: WireGuard VPN Protocol (New)

WireGuard is a novel VPN that runs inside the Linux Kernel and utilizes
state-of-the-art cryptography. It aims to be faster, simpler, leaner, and
more useful than IPSec, while avoiding the massive headache. It intends to
be considerably more performant than OpenVPN.  WireGuard is designed as a
general purpose VPN for running on embedded interfaces and super computers
alike, fit for many different circumstances.
It runs over UDP.

Signed-off-by: Dan Lüdtke mail@danrl.com

protocols/luci-proto-wireguard/Makefile

@@ -0,0 +1,15 @@
+#
+# Copyright (C) 2008-2014 The LuCI Team <luci@lists.subsignal.org>
+#
+# This is free software, licensed under the Apache License, Version 2.0 .
+#
+
+include $(TOPDIR)/rules.mk
+
+LUCI_TITLE:=Support for WireGuard VPN
+LUCI_DEPENDS:=+wireguard
+
+include ../../luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
+

protocols/luci-proto-wireguard/luasrc/model/cbi/admin_network/proto_wireguard.lua

@@ -0,0 +1,147 @@
+-- Copyright 2016 Dan Luedtke <mail@danrl.com>
+-- Licensed to the public under the Apache License 2.0.
+
+
+local map, section, net = ...
+local ifname = net:get_interface():name()
+local private_key, listen_port
+local metric, mtu, preshared_key
+local peers, public_key, allowed_ips, endpoint, persistent_keepalive
+
+
+-- general ---------------------------------------------------------------------
+
+private_key = section:taboption(
+  "general",
+  Value,
+  "private_key",
+  translate("Private Key"),
+  translate("Required. Base64-encoded private key for this interface.")
+)
+private_key.password = true
+private_key.datatype = "and(minlength(44),maxlength(44))"
+private_key.optional = false
+
+
+listen_port = section:taboption(
+  "general",
+  Value,
+  "listen_port",
+  translate("Listen Port"),
+  translate("Optional. UDP port used for outgoing and incoming packets.")
+)
+listen_port.datatype = "port"
+listen_port.placeholder = "51820"
+listen_port.optional = true
+
+
+-- advanced --------------------------------------------------------------------
+
+metric = section:taboption(
+  "advanced",
+  Value,
+  "metric",
+  translate("Metric"),
+  translate("Optional.")
+)
+metric.datatype = "uinteger"
+metric.placeholder = "0"
+metric.optional = true
+
+
+mtu = section:taboption(
+  "advanced",
+  Value,
+  "mtu",
+  translate("MTU"),
+  translate("Optional. Maximum Transmission Unit of tunnel interface.")
+)
+mtu.datatype = "range(1280,1423)"
+mtu.placeholder = "1423"
+mtu.optional = true
+
+
+preshared_key = section:taboption(
+  "advanced",
+  Value,
+  "preshared_key",
+  translate("Preshared Key"),
+  translate("Optional. Adds in an additional layer of symmetric-key " ..
+            "cryptography for post-quantum resistance.")
+)
+preshared_key.password = true
+preshared_key.datatype = "and(minlength(44),maxlength(44))"
+preshared_key.optional = true
+
+
+-- peers -----------------------------------------------------------------------
+
+peers = map:section(
+  TypedSection,
+  "wireguard_" .. ifname,
+  translate("Peers"),
+  translate("Further information about WireGuard interfaces and peers " ..
+            "at <a href=\"http://wireguard.io\">wireguard.io</a>.")
+)
+peers.template = "cbi/tsection"
+peers.anonymous = true
+peers.addremove = true
+
+
+public_key = peers:option(
+  Value,
+  "public_key",
+  translate("Public Key"),
+  translate("Required. Public key of peer.")
+)
+public_key.datatype = "and(minlength(44),maxlength(44))"
+public_key.optional = false
+
+
+allowed_ips = peers:option(
+  DynamicList,
+  "allowed_ips",
+  translate("Allowed IPs"),
+  translate("Required. IP addresses and prefixes that this peer is allowed " ..
+            "to use inside the tunnel. Routes will be added accordingly.")
+)
+allowed_ips.datatype = "or(ip6addr, ip4addr)"
+allowed_ips.optional = false
+
+
+route_allowed_ips = peers:option(
+  Flag,
+  "route_allowed_ips",
+  translate("Route Allowed IPs"),
+  translate("Optional. Create routes for Allowed IPs for this peer.")
+)
+
+
+endpoint_host = peers:option(
+  Value,
+  "endpoint_host",
+  translate("Endpoint Host"),
+  translate("Optional. Host of peer. Names are resolved " ..
+            "prior to bringing up the interface."))
+endpoint_host.placeholder = "vpn.example.com"
+endpoint_host.datatype = "host"
+
+
+endpoint_port = peers:option(
+  Value,
+  "endpoint_port",
+  translate("Endpoint Port"),
+  translate("Optional. Port of peer."))
+endpoint_port.placeholder = "51820"
+endpoint_port.datatype = "port"
+
+
+persistent_keepalive = peers:option(
+  Value,
+  "persistent_keepalive",
+  translate("Persistent Keep Alive"),
+  translate("Optional. Seconds between keep alive messages. " ..
+            "Default is 0 (disabled). Recommended value if " ..
+            "this device is behind a NAT is 25."))
+persistent_keepalive.datatype = "range(0, 65535)"
+persistent_keepalive.placeholder = "0"

protocols/luci-proto-wireguard/luasrc/model/network/proto_wireguard.lua

@@ -0,0 +1,42 @@
+-- Copyright 2016 Dan Luedtke <mail@danrl.com>
+-- Licensed to the public under the Apache License 2.0.
+
+local netmod = luci.model.network
+local interface = luci.model.network.interface
+local proto = netmod:register_protocol("wireguard")
+
+function proto.get_i18n(self)
+  return luci.i18n.translate("WireGuard VPN")
+end
+
+function proto.ifname(self)
+  return self.sid
+end
+
+function proto.get_interface(self)
+  return interface(self:ifname(), self)
+end
+
+function proto.opkg_package(self)
+  return "wireguard-tools"
+end
+
+function proto.is_installed(self)
+  return nixio.fs.access("/lib/netifd/proto/wireguard.sh")
+end
+
+function proto.is_floating(self)
+  return true
+end
+
+function proto.is_virtual(self)
+  return true
+end
+
+function proto.get_interfaces(self)
+  return nil
+end
+
+function proto.contains_interface(self, ifc)
+   return (netmod:ifnameof(ifc) == self:ifname())
+end