OPNsense plugin for Gateway 2.0 (#290)

Author: moubctez

Cargo.lock

@@ -7,9 +7,9 @@ edition = "2024"
 axum = "0.8"
 base64 = "0.22"
 chrono = "0.4"
-clap = { version = "4.5", features = ["derive", "env"] }
-defguard_certs = { git = "https://github.com/DefGuard/defguard.git", rev = "9c6cbd5108470f9c8dc9b4ee740a9a08f071468c" }
-defguard_version = { git = "https://github.com/DefGuard/defguard.git", rev = "9c6cbd5108470f9c8dc9b4ee740a9a08f071468c" }
+clap = { version = "4.6", features = ["derive", "env"] }
+defguard_certs = { git = "https://github.com/DefGuard/defguard.git", rev = "b6921e0f510eae1114844c3df5f5a74c23a75e46" }
+defguard_version = { git = "https://github.com/DefGuard/defguard.git", rev = "b6921e0f510eae1114844c3df5f5a74c23a75e46" }
 defguard_wireguard_rs = "0.9"
 env_logger = "0.11"
 gethostname = "1.0"
@@ -56,7 +56,7 @@ x25519-dalek = { version = "2.0", features = ["getrandom", "static_secrets"] }
 
 [build-dependencies]
 tonic-prost-build = "0.14"
-vergen-git2 = { version = "9.1", features = ["build"] }
+vergen-git2 = "9.1"
 
 [profile.release]
 codegen-units = 1

Cargo.toml

@@ -2,7 +2,7 @@ use vergen_git2::{Emitter, Git2Builder};
 
 fn main() -> Result<(), Box<dyn std::error::Error>> {
     // set VERGEN_GIT_SHA env variable based on git commit hash
-    let git2 = Git2Builder::default().branch(true).sha(true).build()?;
+    let git2 = Git2Builder::default().sha(true).build()?;
     Emitter::default().add_instructions(&git2)?.emit()?;
 
     tonic_prost_build::configure()

build.rs

@@ -1,5 +1,5 @@
 PLUGIN_NAME=		defguard-gateway
-PLUGIN_VERSION=		1.0.1
+PLUGIN_VERSION=		2.0.0
 PLUGIN_COMMENT=		Gateway service for Defguard
 PLUGIN_MAINTAINER=	defguard@community.net
 

opnsense/Makefile

@@ -7,7 +7,7 @@ function defguardgateway_services()
 
     $pidfile = (string) (new OPNsense\DefguardGateway\DefguardGateway())->general->PidFile;
 
-    if (isset($config['OPNsense']['defguardgateway']['general']['enabled']) && $config['OPNsense']['defguardgateway']['general']['enabled'] == 1) {
+    if (isset($config['OPNsense']['defguardgateway']['general']['Enabled']) && $config['OPNsense']['defguardgateway']['general']['Enabled'] == 1) {
         $services[] = [
             "description" => "Defguard Gateway",
             "configd" => [
@@ -41,24 +41,23 @@ function defguardgateway_interfaces()
 
 function defguardgateway_devices()
 {
-    $names = [];
-
     $interface = (new OPNsense\DefguardGateway\DefguardGateway())->general
         ->IfName;
+    $interface = empty((string) $interface) ? 'wg0' : (string) $interface;
 
     $devices[] = [
         "configurable" => false,
-        "pattern" => "^wg",
+        "pattern" => sprintf("^%s$", preg_quote($interface, '/')),
         "type" => "wireguard",
         "volatile" => true,
         "names" => [
-            (string) $interface => [
+            $interface => [
                 "descr" => sprintf(
                     "%s (Defguard Gateway)",
-                    (string) $interface
+                    $interface
                 ),
                 "ifdescr" => "WireGuard interface used by Defguard Gateway",
-                "name" => (string) $interface,
+                "name" => $interface,
             ],
         ],
     ];

opnsense/src/etc/inc/plugins.inc.d/defguardgateway.inc

@@ -6,30 +6,26 @@
     <help>Check to enable Defguard Gateway service.</help>
   </field>
   <field>
-    <id>defguardgateway.general.Token</id>
-    <label>Defguard VPN Location Auth Token</label>
+    <id>defguardgateway.general.LogLevel</id>
+    <label>Log level</label>
     <type>text</type>
-    <help>Required: Token obtained from Defguard Core after network creation.</help>
-  </field>
-  <field>
-    <id>defguardgateway.general.GrpcUrl</id>
-    <label>Defguard Core gRPC URL</label>
-    <type>text</type>
-    <help>Required: URL of Defguard Core's gRPC service.</help>
-  </field>
-  <field>
-    <id>defguardgateway.general.GrpcCertPath</id>
-    <label>Path to custom SSL CA cerficiate</label>
-    <type>text</type>
-    <help>Required if custom SSL CA has been enabled in Defguard Core; more details here: https://docs.defguard.net/admin-and-features/setting-up-your-instance/grpc-ssl-communication#custom-ssl-ca-and-certificates.</help>
+    <help>Set the application log level used when syslog is disabled.</help>
+    <hint>Default value: info</hint>
   </field>
   <field>
     <id>defguardgateway.general.Name</id>
     <label>Gateway name</label>
     <type>text</type>
-    <help>Name that will be displayed in Defguard</help>
+    <help>Name that will be displayed in Defguard.</help>
     <hint>Gateway OPNsense</hint>
   </field>
+  <field>
+    <id>defguardgateway.general.GrpcPort</id>
+    <label>Gateway gRPC port</label>
+    <type>text</type>
+    <help>Port used by the gateway gRPC server.</help>
+    <hint>Default value: 50066</hint>
+  </field>
   <field>
     <id>defguardgateway.general.UseSyslog</id>
     <label>Use syslog</label>
@@ -61,15 +57,15 @@
     <id>defguardgateway.general.IfName</id>
     <label>Network interface</label>
     <type>text</type>
-    <help>Specify the WireGuard interface name</help>
+    <help>Specify the WireGuard interface name. It must start with wg.</help>
     <hint>Default value: wg0</hint>
   </field>
   <field>
     <id>defguardgateway.general.StatsPeriod</id>
     <label>Stats gathering period</label>
     <type>text</type>
-    <help>Specify the stats period in seconds</help>
-    <hint>Default value: 60.</hint>
+    <help>Specify how often interface statistics are sent, in seconds.</help>
+    <hint>Default value: 30</hint>
   </field>
   <field>
     <id>defguardgateway.general.Userspace</id>
@@ -101,4 +97,41 @@
     <type>text</type>
     <help>Command to run after bringing down the interface.</help>
   </field>
+  <field>
+    <id>defguardgateway.general.HealthPort</id>
+    <label>Health port</label>
+    <type>text</type>
+    <help>Optional HTTP port exposing the gateway health endpoint.</help>
+  </field>
+  <field>
+    <id>defguardgateway.general.Masquerade</id>
+    <label>Enable masquerade</label>
+    <type>checkbox</type>
+    <help>Automatically apply outbound masquerading rules in the firewall.</help>
+  </field>
+  <field>
+    <id>defguardgateway.general.FwPriority</id>
+    <label>Firewall priority</label>
+    <type>text</type>
+    <help>Optional priority for the Defguard forward chain.</help>
+  </field>
+  <field>
+    <id>defguardgateway.general.DisableFirewallManagement</id>
+    <label>Disable firewall management</label>
+    <type>checkbox</type>
+    <help>Disable Defguard-managed firewall changes for incompatible hardware or custom setups.</help>
+  </field>
+  <field>
+    <id>defguardgateway.general.HttpBindAddress</id>
+    <label>HTTP bind address</label>
+    <type>text</type>
+    <help>Optional IPv4 or IPv6 address used by the health endpoint.</help>
+  </field>
+  <field>
+    <id>defguardgateway.general.CertDir</id>
+    <label>Certificate directory</label>
+    <type>text</type>
+    <help>Directory where the gateway stores generated gRPC certificates.</help>
+    <hint>Default value: /etc/defguard/certs</hint>
+  </field>
 </form>

opnsense/src/opnsense/mvc/app/controllers/OPNsense/DefguardGateway/forms/general.xml

@@ -11,20 +11,20 @@
         <default>0</default>
         <Required>Y</Required>
       </Userspace>
-      <Token type="TextField">
+      <LogLevel type="TextField">
+        <default>info</default>
         <Required>Y</Required>
-        <ValidationMessage>please add authorization token</ValidationMessage>
-      </Token>
-      <GrpcUrl type="TextField">
-        <Required>Y</Required>
-        <ValidationMessage>please specify Defguard Core gRPC URL</ValidationMessage>
-      </GrpcUrl>
-      <GrpcCertPath type="TextField">
-        <Required>N</Required>
-      </GrpcCertPath>
+      </LogLevel>
       <Name type="TextField">
         <Required>N</Required>
       </Name>
+      <GrpcPort type="IntegerField">
+        <default>50066</default>
+        <Required>Y</Required>
+        <MinimumValue>1</MinimumValue>
+        <MaximumValue>65535</MaximumValue>
+        <ValidationMessage>please specify a valid TCP/UDP port between 1 and 65535</ValidationMessage>
+      </GrpcPort>
       <UseSyslog type="BooleanField">
         <default>0</default>
         <Required>Y</Required>
@@ -44,10 +44,12 @@
       <IfName type="TextField">
         <Required>Y</Required>
         <default>wg0</default>
+        <Mask>/^wg[0-9]*$/</Mask>
+        <ValidationMessage>please specify a valid interface name starting with wg</ValidationMessage>
       </IfName>
       <StatsPeriod type="IntegerField">
         <Required>Y</Required>
-        <default>60</default>
+        <default>30</default>
       </StatsPeriod>
       <PreUp type="TextField">
         <Required>N</Required>
@@ -61,6 +63,33 @@
       <PostDown type="TextField">
         <Required>N</Required>
       </PostDown>
+      <HealthPort type="IntegerField">
+        <Required>N</Required>
+        <MinimumValue>1</MinimumValue>
+        <MaximumValue>65535</MaximumValue>
+        <ValidationMessage>please specify a valid port number (1-65535)</ValidationMessage>
+      </HealthPort>
+      <Masquerade type="BooleanField">
+        <default>0</default>
+        <Required>Y</Required>
+      </Masquerade>
+      <FwPriority type="IntegerField">
+        <Required>N</Required>
+      </FwPriority>
+      <DisableFirewallManagement type="BooleanField">
+        <default>0</default>
+        <Required>Y</Required>
+      </DisableFirewallManagement>
+      <HttpBindAddress type="NetworkField">
+        <Required>N</Required>
+        <NetMaskAllowed>N</NetMaskAllowed>
+        <NetMaskRequired>N</NetMaskRequired>
+        <ValidationMessage>please specify a valid IP address</ValidationMessage>
+      </HttpBindAddress>
+      <CertDir type="TextField">
+        <default>/etc/defguard/certs</default>
+        <Required>Y</Required>
+      </CertDir>
     </general>
   </items>
 </model>