From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH proxmox-ve-rs v4 13/31] ve-config: fabrics: implement wireguard config generation
Date: Thu, 7 May 2026 14:39:48 +0200 [thread overview]
Message-ID: <20260507124008.417223-14-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20260507124008.417223-1-s.hanreich@proxmox.com>
Introduce a ConfigBuilder for WireGuard, analogous to the existing
configuration builder for FRR. It uses the proxmox-wireguard crate for
generating WireGuard configuration files, compatible with the `wg(8)`
tool contained in the wireguard-tools package. The
WireGuardConfigBuilder utilizes a loader callback for tests, so the
private key loading can be mocked by test functions.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
proxmox-ve-config/Cargo.toml | 1 +
proxmox-ve-config/debian/control | 2 +
proxmox-ve-config/src/sdn/mod.rs | 1 +
proxmox-ve-config/src/sdn/wireguard.rs | 309 +++++++++++++++++++++++++
4 files changed, 313 insertions(+)
create mode 100644 proxmox-ve-config/src/sdn/wireguard.rs
diff --git a/proxmox-ve-config/Cargo.toml b/proxmox-ve-config/Cargo.toml
index 8485a0f..8e5e333 100644
--- a/proxmox-ve-config/Cargo.toml
+++ b/proxmox-ve-config/Cargo.toml
@@ -18,6 +18,7 @@ tracing = "0.1.37"
serde = { workspace = true, features = [ "derive" ] }
serde_json = "1"
+proxmox-base64 = "1"
proxmox-frr = { workspace = true, optional = true }
proxmox-network-types = { workspace = true, features = [ "api-types" ] }
proxmox-schema = { workspace = true, features = [ "api-types" ] }
diff --git a/proxmox-ve-config/debian/control b/proxmox-ve-config/debian/control
index d86c79e..eae7fcd 100644
--- a/proxmox-ve-config/debian/control
+++ b/proxmox-ve-config/debian/control
@@ -10,6 +10,7 @@ Build-Depends-Arch: cargo:native <!nocheck>,
librust-const-format-0.2+default-dev <!nocheck>,
librust-log-0.4+default-dev <!nocheck>,
librust-nix-0.29+default-dev <!nocheck>,
+ librust-proxmox-base64-1+default-dev <!nocheck>,
librust-proxmox-network-types-1+api-types-dev (>= 1.0.1-~~) <!nocheck>,
librust-proxmox-network-types-1+default-dev (>= 1.0.1-~~) <!nocheck>,
librust-proxmox-schema-5+api-types-dev <!nocheck>,
@@ -43,6 +44,7 @@ Depends:
librust-const-format-0.2+default-dev,
librust-log-0.4+default-dev,
librust-nix-0.29+default-dev,
+ librust-proxmox-base64-1+default-dev,
librust-proxmox-network-types-1+api-types-dev (>= 1.0.1-~~),
librust-proxmox-network-types-1+default-dev (>= 1.0.1-~~),
librust-proxmox-schema-5+api-types-dev,
diff --git a/proxmox-ve-config/src/sdn/mod.rs b/proxmox-ve-config/src/sdn/mod.rs
index 24069ad..2133396 100644
--- a/proxmox-ve-config/src/sdn/mod.rs
+++ b/proxmox-ve-config/src/sdn/mod.rs
@@ -3,6 +3,7 @@ pub mod fabric;
pub mod ipam;
pub mod prefix_list;
pub mod route_map;
+pub mod wireguard;
use std::{error::Error, fmt::Display, str::FromStr};
diff --git a/proxmox-ve-config/src/sdn/wireguard.rs b/proxmox-ve-config/src/sdn/wireguard.rs
new file mode 100644
index 0000000..61be336
--- /dev/null
+++ b/proxmox-ve-config/src/sdn/wireguard.rs
@@ -0,0 +1,309 @@
+use std::collections::HashMap;
+use std::ops::Deref;
+
+use anyhow::bail;
+
+use proxmox_network_types::endpoint::ServiceEndpoint;
+use proxmox_network_types::ip_address::{Ipv4Cidr, Ipv6Cidr};
+use proxmox_sdn_types::wireguard::PersistentKeepalive;
+use proxmox_wireguard::{WireGuardConfig, WireGuardInterface, WireGuardPeer};
+
+use crate::common::valid::Valid;
+use crate::sdn::fabric::section_config::fabric::Fabric;
+use crate::sdn::fabric::section_config::node::Node;
+use crate::sdn::fabric::section_config::protocol::wireguard::private_keys::WireGuardPrivateKeys;
+use crate::sdn::fabric::section_config::protocol::wireguard::{WireGuardNode, WireGuardNodePeer};
+use crate::sdn::fabric::{section_config::node::NodeId, FabricConfig};
+
+pub struct WireGuardConfigBuilder {
+ fabrics: Valid<FabricConfig>,
+ private_keys: WireGuardPrivateKeys,
+}
+
+impl WireGuardConfigBuilder {
+ pub fn new(fabrics: Valid<FabricConfig>, private_keys: WireGuardPrivateKeys) -> Self {
+ Self {
+ fabrics,
+ private_keys,
+ }
+ }
+
+ pub fn build(
+ self,
+ current_node: NodeId,
+ ) -> Result<HashMap<String, WireGuardConfig>, anyhow::Error> {
+ let mut wireguard_config = HashMap::new();
+
+ for fabric_entry in self.fabrics.values() {
+ let Fabric::WireGuard(fabric_config) = fabric_entry.fabric() else {
+ continue;
+ };
+
+ let Ok(Node::WireGuard(node_config)) = fabric_entry.get_node(¤t_node) else {
+ continue;
+ };
+
+ let WireGuardNode::Internal(node_properties) = node_config.properties() else {
+ continue;
+ };
+
+ for interface in node_properties.interfaces() {
+ let private_key = self
+ .private_keys
+ .get(¤t_node, interface.name())
+ .ok_or_else(|| anyhow::anyhow!("could not find private key for node"))?;
+
+ let wireguard_interface = WireGuardInterface {
+ private_key: *private_key,
+ listen_port: Some(interface.listen_port),
+ fw_mark: None,
+ };
+
+ let mut wireguard_peers = Vec::new();
+
+ for peer in &node_properties.peers {
+ let peer = peer.deref();
+
+ let Ok(Node::WireGuard(referenced_node)) = fabric_entry.get_node(peer.node())
+ else {
+ bail!(
+ "could not find node referenced in peer definition: {}",
+ peer.node()
+ )
+ };
+
+ let peer_config = match (referenced_node.properties(), peer) {
+ (
+ WireGuardNode::Internal(wireguard_node),
+ WireGuardNodePeer::Internal(peer),
+ ) => {
+ if peer.iface != interface.name {
+ continue;
+ }
+
+ let peer_interface = wireguard_node
+ .interfaces()
+ .find(|interface| interface.name == peer.node_iface)
+ .ok_or_else(|| {
+ anyhow::format_err!("could not find referenced iface")
+ })?;
+
+ let endpoint = peer
+ .endpoint
+ .as_ref()
+ .or(wireguard_node.endpoint.as_ref())
+ .map(|endpoint| {
+ ServiceEndpoint::new(
+ endpoint.to_string(),
+ peer_interface.listen_port,
+ )
+ });
+
+ let mut allowed_ips = Vec::new();
+
+ if let Some(ip) = referenced_node.ip() {
+ allowed_ips.push(Ipv4Cidr::from(ip).into())
+ }
+
+ if let Some(ip) = peer_interface.ip() {
+ allowed_ips.push(Ipv4Cidr::new(*ip.address(), 32)?.into())
+ }
+
+ if let Some(ip) = peer_interface.ip6() {
+ allowed_ips.push(Ipv6Cidr::new(*ip.address(), 128)?.into())
+ }
+
+ allowed_ips.extend(&wireguard_node.allowed_ips);
+ allowed_ips.extend(&peer.allowed_ips);
+
+ WireGuardPeer {
+ public_key: peer_interface.public_key,
+ preshared_key: None,
+ allowed_ips,
+ endpoint,
+ persistent_keepalive: fabric_config
+ .properties()
+ .persistent_keepalive
+ .as_ref()
+ .map(PersistentKeepalive::raw),
+ }
+ }
+ (
+ WireGuardNode::External(referenced_node),
+ WireGuardNodePeer::External(peer),
+ ) => {
+ if peer.iface != interface.name {
+ continue;
+ }
+
+ let mut allowed_ips = Vec::new();
+ allowed_ips.extend(&referenced_node.allowed_ips);
+ allowed_ips.extend(&peer.allowed_ips);
+
+ let endpoint = peer
+ .endpoint
+ .clone()
+ .unwrap_or_else(|| referenced_node.endpoint.clone());
+
+ WireGuardPeer {
+ public_key: referenced_node.public_key,
+ preshared_key: None,
+ allowed_ips,
+ endpoint: Some(endpoint),
+ persistent_keepalive: fabric_config
+ .properties()
+ .persistent_keepalive
+ .as_ref()
+ .map(PersistentKeepalive::raw),
+ }
+ }
+ _ => {
+ bail!("invalid combination of peer / node types")
+ }
+ };
+
+ wireguard_peers.push(peer_config);
+ }
+
+ wireguard_config.insert(
+ interface.name.to_string(),
+ WireGuardConfig {
+ interface: wireguard_interface,
+ peers: wireguard_peers,
+ },
+ );
+ }
+ }
+
+ Ok(wireguard_config)
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use std::{collections::BTreeMap, str::FromStr};
+
+ use proxmox_section_config::typed::ApiSectionDataEntry;
+ use proxmox_wireguard::PrivateKey;
+
+ use crate::sdn::fabric::{
+ section_config::{protocol::wireguard::WireGuardInterfaceName, Section},
+ FabricConfig,
+ };
+
+ use super::*;
+
+ fn mock_private_key() -> PrivateKey {
+ let bytes: [u8; 32] =
+ proxmox_base64::decode("qGXl+84iE1teMyQeL1DgkuLivKKYasx6fOYqBfr3QEI=")
+ .expect("valid base64")
+ .try_into()
+ .expect("is 32 byte array");
+
+ PrivateKey::from(bytes)
+ }
+
+ fn mock_private_key_data(interfaces: &[&(&str, &str)]) -> WireGuardPrivateKeys {
+ let mut private_keys = BTreeMap::new();
+
+ for (node_id, interface_name) in interfaces {
+ let interfaces: &mut BTreeMap<WireGuardInterfaceName, PrivateKey> = private_keys
+ .entry(NodeId::from_str(node_id).unwrap())
+ .or_default();
+
+ interfaces.insert(
+ WireGuardInterfaceName::from_str(interface_name).unwrap(),
+ mock_private_key(),
+ );
+ }
+
+ WireGuardPrivateKeys(private_keys)
+ }
+
+ #[test]
+ fn test_wireguard_config_generation() -> Result<(), anyhow::Error> {
+ let section_config = r#"
+wireguard_fabric: wireg
+
+wireguard_node: wireg_external
+ role external
+ endpoint 192.0.2.1:123
+ allowed_ips 198.51.0.123/32
+ public_key O+Kzrochm6klMILjSKVw83xb3YyXXLpmZj9n/ICM5xE=
+
+wireguard_node: wireg_pve1
+ role internal
+ endpoint 192.0.2.2
+ allowed_ips 203.0.113.0/25
+ interfaces name=wg0,listen_port=51111,public_key=GDPUAnPOY5xGIjYXmcGyXZXbocjBr21dGQ5vwnjmdzA=,ip=198.51.100.1/24
+ peers type=internal,node=pve2,node_iface=wg0,iface=wg0
+
+wireguard_node: wireg_pve2
+ role internal
+ endpoint 192.0.2.3
+ interfaces name=wg0,listen_port=51111,public_key=y0kOpXfo9ff4KoUwO3H1cRuwObbKwsK8mAkwXxNvKUc=
+ peers type=internal,node=pve1,node_iface=wg0,iface=wg0
+ peers type=external,node=external,iface=wg0
+"#;
+ let mut parsed_config = Section::parse_section_config("fabrics.cfg", section_config)?;
+
+ let mut fabric_config = FabricConfig::from_section_config(parsed_config)
+ .expect("valid wireguard configuration");
+
+ let private_keys = mock_private_key_data(&[&("pve1", "wg0"), &("pve2", "wg0")]);
+
+ let mut builder = WireGuardConfigBuilder::new(fabric_config, private_keys.clone());
+
+ let pve1_wg0_config = r#"[Interface]
+PrivateKey = qGXl+84iE1teMyQeL1DgkuLivKKYasx6fOYqBfr3QEI=
+ListenPort = 51111
+
+[Peer]
+PublicKey = y0kOpXfo9ff4KoUwO3H1cRuwObbKwsK8mAkwXxNvKUc=
+Endpoint = 192.0.2.3:51111
+"#;
+
+ pretty_assertions::assert_eq!(
+ pve1_wg0_config,
+ builder
+ .build("pve1".parse()?)?
+ .remove("wg0")
+ .expect("wg0 config has been generated")
+ .to_raw_config()
+ .expect("wireguard config can be serialized")
+ );
+
+ parsed_config = Section::parse_section_config("fabrics.cfg", section_config)?;
+ fabric_config = FabricConfig::from_section_config(parsed_config)
+ .expect("valid wireguard configuration");
+
+ builder = WireGuardConfigBuilder::new(fabric_config, private_keys);
+
+ let pve2_wg0_config = r#"[Interface]
+PrivateKey = qGXl+84iE1teMyQeL1DgkuLivKKYasx6fOYqBfr3QEI=
+ListenPort = 51111
+
+[Peer]
+PublicKey = GDPUAnPOY5xGIjYXmcGyXZXbocjBr21dGQ5vwnjmdzA=
+AllowedIPs = 198.51.100.1/32, 203.0.113.0/25
+Endpoint = 192.0.2.2:51111
+
+[Peer]
+PublicKey = O+Kzrochm6klMILjSKVw83xb3YyXXLpmZj9n/ICM5xE=
+AllowedIPs = 198.51.0.123/32
+Endpoint = 192.0.2.1:123
+"#;
+
+ pretty_assertions::assert_eq!(
+ pve2_wg0_config,
+ builder
+ .build("pve2".parse()?)?
+ .remove("wg0")
+ .expect("wg0 config has been generated")
+ .to_raw_config()
+ .expect("wireguard config can be serialized")
+ );
+
+ Ok(())
+ }
+}
--
2.47.3
next prev parent reply other threads:[~2026-05-07 12:41 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-07 12:39 [PATCH cluster/manager/network/proxmox{,-ve-rs,-perl-rs} v4 00/31] Add WireGuard as protocol to SDN fabrics Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-cluster v4 01/31] cfs: add 'priv/wg-keys.cfg' to observed files Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox v4 02/31] wireguard: utilize x25519 for public key generation Stefan Hanreich
2026-05-07 12:40 ` Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox v4 03/31] wireguard: skip serializing preshared_key if unset Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox v4 04/31] wireguard: implement ApiType for private key Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox v4 05/31] network-types: implement ApiType for endpoints and hostnames Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 06/31] sdn-types: add wireguard-specific PersistentKeepalive api type Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 07/31] ve-config: fabrics: split interface name regex into two parts Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 08/31] ve-config: fabric: refactor fabric config entry impl using macro Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 09/31] ve-config: fabrics: add protocol-specific properties for wireguard Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 10/31] ve-config: wireguard: add private keys section config Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 11/31] ve-config: sdn: fabrics: add wireguard to the fabric config Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-ve-rs v4 12/31] ve-config: fabrics: wireguard add validation for wireguard config Stefan Hanreich
2026-05-07 12:39 ` Stefan Hanreich [this message]
2026-05-07 12:39 ` [PATCH proxmox-perl-rs v4 14/31] pve-rs: fabrics: wireguard: generate ifupdown2 configuration Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-perl-rs v4 15/31] pve-rs: fabrics: add helpers for parsing interface property strings Stefan Hanreich
2026-05-07 12:39 ` [PATCH proxmox-perl-rs v4 16/31] pve-rs: sdn: wireguard: add private keys module Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-network v4 17/31] sdn: add wireguard helper module Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-network v4 18/31] fabrics: wireguard: add schema definitions for wireguard Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-network v4 19/31] fabrics: wireguard: implement wireguard key auto-generation Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 20/31] network: sdn: generate wireguard configuration on apply Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 21/31] ui: fix parsing of property-strings when values contain = Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 22/31] ui: fabrics: i18n: make node loading string translatable Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 23/31] ui: fabrics: split node selector creation and config Stefan Hanreich
2026-05-07 12:39 ` [PATCH pve-manager v4 24/31] ui: fabrics: edit: make ipv4/6 support generic over fabric panels Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 25/31] ui: fabrics: node: make ipv4/6 support generic over edit panels Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 26/31] ui: fabrics: interface: " Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 27/31] ui: fabrics: wireguard: add interface edit panel Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 28/31] ui: fabrics: wireguard: add node " Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 29/31] ui: fabrics: wireguard: add fabric " Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 30/31] ui: fabrics: hook up wireguard components Stefan Hanreich
2026-05-07 12:40 ` [PATCH pve-manager v4 31/31] fabrics: node edit: add option to include wireguard interfaces Stefan Hanreich
2026-05-07 14:08 ` partially-applied: [PATCH cluster/manager/network/proxmox{,-ve-rs,-perl-rs} v4 00/31] Add WireGuard as protocol to SDN fabrics Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260507124008.417223-14-s.hanreich@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.