# WireGuard-tools
Pure Python reimplementation of wireguard-tools with an aim to provide easily
reusable library functions to handle reading and writing of
[WireGuard®](https://www.wireguard.com/) configuration files as well as
interacting with WireGuard devices, both in-kernel through the Netlink API and
userspace implementations through the cross-platform UAPI API.
## Installation/Usage
```sh
pipx install wireguard-tools
wg-py --help
```
Implemented `wg` command line functionality:
- [x] show - Show configuration and device information
- [x] showconf - Dump current device configuration
- [ ] set - Change current configuration, add/remove/change peers
- [x] setconf - Apply configuration to device
- [ ] addconf - Append configuration to device
- [x] syncconf - Synchronizes configuration with device
- [x] genkey, genpsk, pubkey - Key generation
Also includes some `wg-quick` functions:
- [ ] up, down - Create and configure WireGuard device and interface
- [ ] save - Dump device and interface configuration
- [x] strip - Filter wg-quick settings from configuration
Root (sudo) access is needed to query and configure WireGuard devices through
netlink. Because root does not know about the currently active virtualenv, you
may have to pass the full path to the script in the virtualenv, or use
`python3 -m wireguard_tools`:
```sh
sudo `which wg-py` showconf <interface>
sudo /path/to/venv/python3 -m wireguard_tools showconf <interface>
```
## Library usage
### Parsing WireGuard keys
The WireguardKey class parses base64-encoded keys, both the default base64
encoding and the urlsafe base64 variant. It also exposes functions for
generating a private key and deriving a public key. Be sure to pass any base64
or hex encoded keys as `str` and not `bytes`; otherwise it will assume the key
was already decoded to its raw form.
```python
from wireguard_tools import WireguardKey
private_key = WireguardKey.generate()
public_key = private_key.public_key()
# print base64 encoded key
print(public_key)
# print urlsafe encoded key
print(public_key.urlsafe)
# print hexadecimal encoded key
print(public_key.hex())
```
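The `str` versus `bytes` rule above can be illustrated with a stand-alone decoder. This is an added example, not code from wireguard-tools: `decode_key` is a hypothetical helper, the 32-byte length check is this example's own choice, and the sample key is constructed and non-secret.

```python
import base64
import binascii

KEY_LEN = 32  # WireGuard keys are 32 raw bytes


def decode_key(value):
    """Decode a key following the str/bytes rule described above (illustrative)."""
    if isinstance(value, bytes):
        raw = value  # bytes are taken as already-decoded key material
    elif len(value) == 2 * KEY_LEN:
        raw = bytes.fromhex(value)  # 64 characters: hexadecimal encoding
    else:
        # Accept standard and urlsafe base64, with or without '=' padding
        text = value.translate(str.maketrans("+/", "-_"))
        text += "=" * (-len(text) % 4)
        try:
            raw = base64.urlsafe_b64decode(text)
        except binascii.Error as exc:
            raise ValueError("not a valid base64 key") from exc
    if len(raw) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN} key bytes, got {len(raw)}")
    return raw


# Constructed, non-secret sample key: the bytes 0..31
RAW = bytes(range(32))
B64 = base64.b64encode(RAW).decode()
URLSAFE = base64.urlsafe_b64encode(RAW).decode().rstrip("=")
```

Passing `B64.encode()` (the base64 text as `bytes`) is treated as 44 bytes of raw key material, which the length check in this helper rejects.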
### Working with WireGuard configuration files
The WireGuard configuration file is similar to, but not quite, the INI format
because it has duplicate keys for both section names (i.e. [Peer]) as well as
configuration keys within a section. According to the format description,
AllowedIPs, Address, and DNS configuration keys 'may be specified multiple
times'.
```python
from wireguard_tools import WireguardConfig
with open("wg0.conf") as fh:
    config = WireguardConfig.from_wgconfig(fh)
```
Also supported are the "Friendly Tags" comments as introduced by
prometheus-wireguard-exporter, where a `[Peer]` section can contain
comments which add a user friendly description and/or additional attributes.
```
[Peer]
# friendly_name = Peer description for end users
# friendly_json = {"flat"="json", "dictionary"=1, "attribute"=2}
...
```
These will show up as additional `friendly_name` and `friendly_json` attributes
on the WireguardPeer object.
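To show why a stock INI parser cannot read this format, the following added example (not the wireguard-tools parser) runs Python's `configparser` and a small hand-written parser over the same constructed config. The names `ini_rejects` and `parse_wgconfig`, the lower-cased dictionary keys, and the placeholder key values are assumptions of this example; only the `friendly_name` tag is handled.

```python
import configparser

# Constructed sample; the key values are placeholders, not real key material.
SAMPLE = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
[Peer]
# friendly_name = laptop
PublicKey = PLACEHOLDER_PEER_ONE=
AllowedIPs = 10.0.0.2/32
AllowedIPs = 10.0.1.0/24, 10.0.2.0/24
[Peer]
PublicKey = PLACEHOLDER_PEER_TWO=
"""
MULTI = {"allowedips", "address", "dns"}  # keys that may be specified multiple times

def ini_rejects(text):
    try:
        configparser.ConfigParser().read_string(text)
    except configparser.Error:  # DuplicateSectionError / DuplicateOptionError
        return True
    return False

def parse_wgconfig(text):
    """Return {'interface': {...}, 'peers': [...]}, accumulating repeated keys."""
    iface, peers, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if peers and current is peers[-1] and line.startswith("# friendly_name ="):
            current["friendly_name"] = line.split("=", 1)[1].strip()
        line = line.split("#", 1)[0].strip()  # drop ordinary comments
        if not line:
            continue
        if line.lower() == "[interface]":
            current = iface
        elif line.lower() == "[peer]":
            peers.append(current := {})  # every [Peer] header starts a new peer
        elif current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value' inside a section")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in MULTI:  # repeated and comma-separated values both accumulate
                current.setdefault(key, []).extend(v.strip() for v in value.split(","))
            elif key in current:
                raise ValueError(f"line {lineno}: duplicate key {key!r}")
            else:
                current[key] = value
    return {"interface": iface, "peers": peers}
```

Keys outside `MULTI` that repeat within one section raise an error here instead of silently letting the last value win.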
We can also serialize to and deserialize from a simple dict-based format which
uses only basic JSON datatypes and, as such, can be converted to various
formats (e.g. json, yaml, toml, pickle), either to store on disk or to pass
over a network.
```python
from wireguard_tools import WireguardConfig
from pprint import pprint
dict_config = dict(
    private_key="...",
    peers=[
        dict(
            public_key="...",
            preshared_key=None,
            endpoint_host="remote_host",
            endpoint_port=5120,
            persistent_keepalive=30,
            allowed_ips=["0.0.0.0/0"],
            friendly_name="Awesome Peer",
        ),
    ],
)
config = WireguardConfig.from_dict(dict_config)
dict_config = config.asdict()
pprint(dict_config)
```
Finally, there is a `to_qrcode` function that returns a segno.QRCode object
which contains the configuration. This can be printed and scanned with the
wireguard-android application. Be careful with these: the QR code exposes an
easily captured copy of the private key as part of the configuration file, and
the same holds for any image file it is saved to. It is convenient, but
definitely not secure.
```python
from wireguard_tools import WireguardConfig
from pprint import pprint
dict_config = dict(
    private_key="...",
    peers=[
        dict(
            public_key="...",
            preshared_key=None,
            endpoint_host="remote_host",
            endpoint_port=5120,
            persistent_keepalive=30,
            allowed_ips=["0.0.0.0/0"],
        ),
    ],
)
config = WireguardConfig.from_dict(dict_config)
qr = config.to_qrcode()
qr.save("wgconfig.png")
qr.terminal(compact=True)
```
### Working with WireGuard devices
```python
from wireguard_tools import WireguardDevice
ifnames = [device.interface for device in WireguardDevice.list()]
device = WireguardDevice.get("wg0")
wgconfig = device.get_config()
device.set_config(wgconfig)
```
## Bugs
The setconf/syncconf implementation is not quite correct. They currently use
the same underlying set of operations but netlink-api's `set_config`
implementation actually does something closer to syncconf, while the uapi-api
implementation matches setconf.
This implementation has only been tested on Linux where we've only actively
used a subset of the available functionality, i.e. the common scenario is
configuring an interface only once with just a single peer.
## Licenses
wireguard-tools is MIT licensed
Copyright (c) 2022-2024 Carnegie Mellon University
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
`wireguard_tools/curve25519.py` was released in the public domain
Copyright Nicko van Someren, 2021. This code is released into the public domain.
https://gist.github.com/nickovs/cc3c22d15f239a2640c185035c06f8a3
"WireGuard" is a registered trademark of Jason A. Donenfeld.