From 07545a94d5d2cb2f4473f63008a1328cbe0c104e Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Tue, 31 Oct 2023 11:23:08 +0100 Subject: [PATCH] wireguard: use syncconf in newwanip event setconf can fail for DNS resolution reasons. It is being considered a configuration parsing error so nothing gets set on the instance. However, our code remembers that the instance was fully set up although that is not the case. The newwanip event was handling DNS renew but does not understand that the configuration is not complete. Replacing reresolve-dns.py by doing syncconf works, but this is used as a cron-based script and likely does the job it is intended for. Instead rehook the newwanip event into a simple syncconf invoke which takes "more" time (according to the man page) but won't touch existing peers being connected while still fixing any configuration mismatch in the (possibly stale) instance.
---
 src/etc/inc/plugins.inc.d/wireguard.inc | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/src/etc/inc/plugins.inc.d/wireguard.inc b/src/etc/inc/plugins.inc.d/wireguard.inc
index 69ce633e8..5021101d5 100644
--- a/src/etc/inc/plugins.inc.d/wireguard.inc
+++ b/src/etc/inc/plugins.inc.d/wireguard.inc
@@ -144,7 +144,7 @@ function wireguard_prepare($device)
 function wireguard_configure()
 {
 return [
- 'newwanip' => ['wireguard_renew:2'],
+ 'newwanip' => ['wireguard_sync:2'],
 'vpn' => ['wireguard_configure_do:2'],
 ];
 }
@@ -162,15 +162,32 @@ function wireguard_configure_do($verbose = false, $unused = '')
 service_log("done.\n", $verbose);
 }
-function wireguard_renew($verbose = false, $unused = '')
+function wireguard_sync($verbose = false, $unused = '')
 {
 if (!wireguard_enabled()) {
 return;
 }
- service_log('Renewing WireGuard VPN...', $verbose);
+ $instances = [];
+ foreach ((new OPNsense\Wireguard\Server())->servers->server->iterateItems() as $node) {
+ if (!empty((string)$node->enabled)) {
+ $instances[(string)$node->interface] = (string)$node->cnfFilename;
+ }
+ }
- configd_run('wireguard renew');
+ if (!count($instances)) {
+ return;
+ }
+
+ service_log('Synchronizing WireGuard VPN...', $verbose);
+
+ openlog('wireguard', LOG_ODELAY, LOG_AUTH);
+
+ foreach ($instances as $device => $config) {
+ mwexecf('/usr/bin/wg syncconf %s %s', [$device, $config]);
+ }
+
+ reopenlog();
 service_log("done.\n", $verbose);
 }
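Review bot: The exit status of `mwexecf('/usr/bin/wg syncconf %s %s', [$device, $config])` in the new loop is discarded, so when syncconf fails for the very reason the commit message gives for setconf (an endpoint name that still does not resolve) the instance stays stale and the only trace is whatever mwexecf logs on its own; the handle opened with `openlog('wireguard', LOG_ODELAY, LOG_AUTH)` is otherwise unused by this function. I would check the result per instance, e.g. `if (mwexecf('/usr/bin/wg syncconf %s %s', [$device, $config]) != 0) { syslog(LOG_ERR, sprintf('wg syncconf failed for %s', $device)); }`, so the newwanip path records which device is still misconfigured instead of reporting "done.". The map is keyed by `(string)$node->interface`, so two enabled servers that resolve to the same interface name would silently collapse to one entry — presumably the model enforces uniqueness, but that is worth confirming. The interface name and config path reach the shell as mwexecf format arguments, so safe quoting relies on mwexecf escaping each argument; if it does not, these model-derived values should go through escapeshellarg before the call.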