Add Wireguard VPN integration

[Dav-11]

Description

This PR adds the possibility to create wireguard VPNs as an alternative to the currently available L2TP-IPsec tunnels.

Changes in details:

• System VM template changes:
  • Install Wireguard (leave it disabled)
  • Add placeholder file /etc/wireguard/wg0.conf
  • Add systemd service to restart wg-quick@wg0 if /etc/wireguard/wg0.conf is edited

• DB changes: 2 new tables are introduced

  • wireguard_vpn-> contains details on each tunnel (similar to the remote_access_vpn table)
  • wireguard_vpn_peer -> contains details on each peer for the tunnel (similar to vpn_users table)
  • Preliminary DBML for the database:

    
    Table wireguard_vpn {
    id bigint [primary key]
    uuid varchar(40)
    domain_id bigint [Ref: > domain.id]
    account_id bigint [Ref: > account.id]
    display boolean
    state varchar(32)
    vpn_server_addr_ip bigint [Ref: > user_ip_address.id]
    vpn_server_addr_port bigint
    ip4_enabled boolean
    ip4_int_address varchar
    ip4_range varchar
    ip6_enabled boolean
    ip6_int_address varchar
    ip6_range varchar
    public_key varchar
    private_key varchar
    conf_file_name varchar
    }

  Table wireguard_vpn_peer { id bigint [primary key] vpn_id bigint [Ref: > wireguard_vpn.id] domain_id bigint [Ref: > domain.id] account_id bigint [Ref: > account.id] name string display boolean state varchar(32) uuid bigint ip4_address varchar ip6_address varchar public_key varchar allowed_ips text split_tunnel boolean }

  - API changes
  - Add {Create|List|Update|Delete}WgVpn
    - **CreateWgVpn**
      - params:
        - publicipid (required|int64):
        - ip4enable (bool): default is true
        - ip4range (string): IPv4 network to use internally for the vpn (CIDR notation)
        - ip6enable (bool): default is false
        - ip6range (string): IPv6 network to use internally for the vpn (CIDR notation)
        - openfirewall (bool): If firewall rule for source/end public port is automatically created , default= true
        - fordisplay (bool): default is true
        - accountid (int64):
        - domainid (int64):
      - flow:
      ```mermaid
      sequenceDiagram
  
        actor user
  
        participant mgmt as management server
  
        box VR
        participant uc as update_config.py
        participant conf as /etc/wireguard/wg0.conf
        participant iptables as /etc/iptables/rules.vX
        participant wg_srv as wg-quick@wg0.service
  
        end
  
        user ->> mgmt : (1) CreateWgVpn
        activate mgmt
        mgmt ->> mgmt: (2) gen server keys
        mgmt ->> mgmt: (3) save to DB
        mgmt ->> uc: (4) enable_wg(wg0.json)
        activate uc
        uc ->> conf: (5) generate
        uc ->> iptables: (6) regen
        uc ->> wg_srv: (7) systemctl start
        uc -->>- mgmt: (8) ok
        mgmt -->>- user: (9) ok

  • ListWgVpn:
    • params:
      • id (int64)
      • networkid (int64)
      • page (int)
      • pagesize (int)
      • publicipid (int64)
      • domainid (int64)
      • accountid (int64)
      • listall (bool): If set to false, list only resources belonging to the command's caller, default= false
    • response element values:
      • id (int64)
      • networkid (int64)
      • publicipid (int64)
      • publicip (int64)
      • publicport (int)
      • accountid (int64)
      • domainid (int64)
      • fordisplay (bool)
      • ip4enable (bool)
      • ip4range (bool)
      • ip6enable (bool)
      • ip6range (string)
      • state (string)
      • publickey (string)
  • DeleteWgVpn
    • params:
      • id (required|int64)
    • Add {Create|List|Update|Delete}WgPeer

  • CreateWgPeer

    • params:
      • wgvpnid (required|int64):
      • publickey (string): if not provided, the server will generate the keys for the user, but save only the public one in the DB
      • domainid (int64):
      • accountid (int64):
      • fordisplay (bool):
      • splittunnel (bool): if false, the config file will be generated to pass all the peer traffic (0.0.0.0/0) through the vpn

    • flow:

      sequenceDiagram
      
      actor user
      
      participant mgmt as management server
      
      box VR
      participant uc as update_config.py
      participant conf as /etc/wireguard/wg0.conf
      participant wg_srv as wg-quick@wg0.service
      
      end
      
      user ->> mgmt : (1) CreateWgPeer
      activate mgmt
      mgmt ->> mgmt: (2) [OPT] gen keys
      mgmt ->> mgmt: (3) gen addresses 
      mgmt ->> mgmt: (4) save to DB 
      mgmt ->> uc: (5) add_wg_user(wg0_user.json)
      activate uc
      uc ->> conf: (6) regenerate 
      uc ->> wg_srv: (7) systemctl restart 
      uc -->>- mgmt: (8) ok
      mgmt -->>- user: (9) wg0.conf

  • ListWgPeer
    • params:
      • id (int64)
      • vpnid (int64)
      • page (int)
      • pagesize (int)
      • domainid (int64)
      • accountid (int64)
      • listall (bool): If set to false, list only resources belonging to the command's caller, default=false
    • response element values:
      • id (int64)
      • vpnid (int64)
      • state (string)
      • publickey (string)
      • splittunnel(bool)
      • accountid (int64)
      • domainid (int64)
      • fordisplay (bool)
      • ip4address (string)
      • ip6address (string)
  • DeleteWgPeer
    • params:
      • id (required|int64)
  • GetWgConfigForPeer
    • params:
      • peerid (required|int64)
    • response values:
      • configfile (string): file .config for the peer (private key is omitted)
      • qrcode
• UI changes
  • Add "Enable Wireguard VPN" button in VPN tab of IP address
  • Add peer management page.

Types of changes

• [ ] Breaking change (fix or feature that would cause existing functionality to change)
• [x] New feature (non-breaking change which adds functionality)
• [ ] Bug fix (non-breaking change which fixes an issue)
• [ ] Enhancement (improves an existing feature and functionality)
• [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
• [ ] build/CI
• [ ] test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• [ ] Major
• [x] Minor

Bug Severity

• [ ] BLOCKER
• [ ] Critical
• [ ] Major
• [ ] Minor
• [x] Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[boring-cyborg[bot]]

Congratulations on your first Pull Request and welcome to the Apache CloudStack community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/cloudstack/blob/main/CONTRIBUTING.md) Here are some useful points:

• In case of a new feature add useful documentation (raise doc PR at https://github.com/apache/cloudstack-documentation)
• Be patient and persistent. It might take some time to get a review or get the final approval from the committers.
• Pay attention to the quality of your code, ensure tests are passing and your PR doesn't have conflicts.
• Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Issues, Mailing list and Slack.
• Be sure to read the CloudStack Coding Conventions. Apache CloudStack is a community-driven project and together we are making it better 🚀. In case of doubts contact the developers at: Mailing List: dev@cloudstack.apache.org (https://cloudstack.apache.org/mailing-lists.html) Slack: https://apachecloudstack.slack.com/

[weizhouapache]

added to 4.21.0 milestone

@Dav-11 please let us know when it is ready for review

[Dav-11]

Ok thank you

[GutoVeronezi]

@Dav-11 Thanks for the PR

We already have APIs to manage VPN and introducing more APIs would increase the complexity of the system. Have you checked/considered the existent APIs?