openwisp
diff --git a/‎README.rst‎
Lines changed: 2 additions & 1 deletion b/‎README.rst‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/source/backends/openwrt.rst‎
Lines changed: 283 additions & 0 deletions b/‎docs/source/backends/openwrt.rst‎
Lines changed: 283 additions & 0 deletions
diff --git a/‎docs/source/backends/vpn.rst‎
Lines changed: 14 additions & 0 deletions b/‎docs/source/backends/vpn.rst‎
Lines changed: 14 additions & 0 deletions
@@ -16,7 +16,7 @@ netjsonconfig
 
 .. image:: https://badge.fury.io/py/netjsonconfig.svg
    :target: http://badge.fury.io/py/netjsonconfig
-   
+
 .. image:: https://pepy.tech/badge/netjsonconfig
    :target: https://pepy.tech/project/netjsonconfig
    :alt: downloads
@@ -43,6 +43,7 @@ Its main features are listed below for your reference:
 * `OpenWRT <http://openwrt.org>`_ / `LEDE <https://www.lede-project.org/>`_ support
 * `OpenWisp Firmware <https://github.com/openwisp/OpenWISP-Firmware>`_ support
 * `OpenVPN <https://openvpn.net>`_ support
+* `WireGuard <https://www.wireguard.com/>`_ support
 * Possibility to support more firmwares via custom backends
 * Based on the `NetJSON RFC <http://netjson.org/rfc.html>`_
 * **Validation** based on `JSON-Schema <http://json-schema.org/>`_
 
@@ -2285,6 +2285,289 @@ Will be rendered as follows::
             option proto 'udp'
             option tls_server '1'
 
+WireGuard
+---------
+
+This backend includes the schema of the ``Wireguard`` backend, inheriting its features.
+
+For details regarding the **WireGuard** schema please see :ref:`wireguard_backend_schema`.
+
+Schema additions
+~~~~~~~~~~~~~~~~
+
+The ``OpenWrt`` backend adds a few properties to the WireGuard schema, see below.
+
++-----------------+---------+--------------+-------------------------------------------------------------+
+| key name        | type    | default      | description                                                 |
++=================+=========+==============+=============================================================+
+| ``network``     | string  | ``None``     | logical interface name (UCI specific),                      |
+|                 |         |              |                                                             |
+|                 |         |              | 2 to 15 alphanumeric characters, dashes and underscores     |
++-----------------+---------+--------------+-------------------------------------------------------------+
+| ``nohostroute`` | boolean | ``False``    | do not add routes to ensure the tunnel endpoints are routed |
+|                 |         |              | via non-tunnel device                                       |
++-----------------+---------+--------------+-------------------------------------------------------------+
+| ``fwmark``      | string  | ``None``     | firewall mark to apply to tunnel endpoint packets           |
++-----------------+---------+--------------+-------------------------------------------------------------+
+| ``ip6prefix``   | list    | ``[]``       | IPv6 prefixes to delegate to other interfaces               |
++-----------------+---------+--------------+-------------------------------------------------------------+
+| ``addresses``   | list    | ``[]``       | list of unique IPv4 or IPv6 addresses                       |
++-----------------+---------+--------------+-------------------------------------------------------------+
+
+The ``OpenWrt`` backend also adds ``wireguard_peers`` option for sepecifying a list of
+WireGuard Peers. It add the following properties to the ``wireguard_peers`` property of
+WireGuard schema.
+
++-----------------------+---------+-----------+------------------------------------------------------------------------+
+| key name              | type    | default   | description                                                            |
++=======================+=========+===========+========================================================================+
+| ``interface``         | string  | ``None``  | name of the wireguard interface,                                       |
+|                       |         |           |                                                                        |
+|                       |         |           | 2 to 15 alphanumeric characters, dashes and underscores                |
++-----------------------+---------+-----------+------------------------------------------------------------------------+
+| ``route_allowed_ips`` | boolean | ``False`` | automatically create a route for each of the Allowed IPs for this peer |
++-----------------------+---------+-----------+------------------------------------------------------------------------+
+
+WireGuard example
+~~~~~~~~~~~~~~~~~
+
+The following *configuration dictionary*:
+
+.. code-block:: python
+
+    {
+        "interfaces": [
+            {
+                "name": "wg",
+                "type": "wireguard",
+                "private_key": "QFdbnuYr7rrF4eONCAs7FhZwP7BXX/jD/jq2LXCpaXI=",
+                "port": 51820,
+                "mtu": 1420,
+                "nohostroute": False,
+                "fwmark": "",
+                "ip6prefix": [],
+                "addresses": [
+                    {
+                        "proto": "static",
+                        "family": "ipv4",
+                        "address": "10.0.0.5/32",
+                        "mask": 32,
+                    }
+                ],
+                "network": "",
+            }
+        ],
+        "wireguard_peers": [
+            {
+                "interface": "wg",
+                "public_key": "94a+MnZSdzHCzOy5y2K+0+Xe7lQzaa4v7lEiBZ7elVE=",
+                "allowed_ips": ["10.0.0.1/32"],
+                "endpoint_host": "wireguard.test.com",
+                "endpoint_port": 51820,
+                "preshared_key": "",
+                "persistent_keepalive": 60,
+                "route_allowed_ips": True,
+            }
+        ]
+    }
+
+Will be rendered as follows:
+
+.. code-block:: text
+
+    package network
+
+    config interface 'wg'
+            list addresses '10.0.0.5/32/32'
+            option listen_port '51820'
+            option mtu '1420'
+            option nohostroute '0'
+            option private_key 'QFdbnuYr7rrF4eONCAs7FhZwP7BXX/jD/jq2LXCpaXI='
+            option proto 'wireguard'
+
+    config wireguard_wg 'wgpeer'
+            list allowed_ips '10.0.0.1/32'
+            option endpoint_host 'wireguard.test.com'
+            option endpoint_port '51820'
+            option persistent_keepalive '60'
+            option public_key '94a+MnZSdzHCzOy5y2K+0+Xe7lQzaa4v7lEiBZ7elVE='
+            option route_allowed_ips '1'
+
+VXLAN
+-----
+
+``OpenWrt`` backend includes the schema requied for generating VXLAN
+interface configouration. This is useful of setting up layer 2 tunnels.
+
+
+VXLAN Settings
+~~~~~~~~~~~~~~
+
++-------------+-------------------+--------------+-------------------------------------------------------------+
+| key name    | type              | default      | description                                                 |
++=============+===================+==============+=============================================================+
+| ``network`` | string            |  ``None``    | name of interface,                                          |
+|             |                   |              |                                                             |
+|             |                   |              | 2 to 15 alphanumeric characters, dashes and underscores     |
++-------------+-------------------+--------------+-------------------------------------------------------------+
+| ``vtep``    | string            | ``False``    | VXLAN tunnel endpoint                                       |
++-------------+-------------------+--------------+-------------------------------------------------------------+
+| ``port``    | integer           | ``4789``     | port for VXLAN connection                                   |
++-------------+-------------------+--------------+-------------------------------------------------------------+
+| ``vni``     | integer or string |  ``None``    | VXLAN Network Identifier                                    |
++-------------+-------------------+--------------+-------------------------------------------------------------+
+| ``tunlink`` | list              | ``[]``       | interface to which the VXLAN tunnel will be bound           |
++-------------+-------------------+--------------+-------------------------------------------------------------+
+| ``rxcsum``  | boolean           | ``True``     | use checksum validation in RX direction                     |
++-------------+-------------------+--------------+-------------------------------------------------------------+
+| ``txcsum``  | boolean           | ``True``     | use checksum validation in TX direction                     |
++-------------+-------------------+--------------+-------------------------------------------------------------+
+| ``mtu``     | integer           | ``1280``     | MTU for route, only numbers are allowed                     |
++-------------+-------------------+--------------+-------------------------------------------------------------+
+| ``ttl``     | integer           | ``64``       | TTL of the encapsulation packets                            |
++-------------+-------------------+--------------+-------------------------------------------------------------+
+
+VXLAN example
+~~~~~~~~~~~~~
+
+The following *configuration dictionary*:
+
+.. code-block:: python
+
+    {
+        "interfaces": [
+            {
+                "name": "vxlan",
+                "type": "vxlan",
+                "vtep": "10.0.0.1",
+                "port": 4789,
+                "vni": 1,
+                "tunlink": "",
+                "rxcsum": True,
+                "txcsum": True,
+                "mtu": 1280,
+                "ttl": 64,
+                "mac": "",
+                "disabled": False,
+                "network": "",
+            },
+        ]
+    }
+
+Will be rendered as follows:
+
+.. code-block:: text
+
+    package network
+
+    config interface 'vxlan'
+            option enabled '0'
+            option ifname 'vxlan'
+            option mtu '1280'
+            option peeraddr '10.0.0.1'
+            option port '4789'
+            option proto 'vxlan'
+            option rxcsum '1'
+            option ttl '64'
+            option txcsum '1'
+            option vid '1'
+
+VXLAN over WireGuard example
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Since a layer 2 tunnel can be encapsulated in a layer 3 tunnel, here is an
+example configuration for setting up a VXLAN tunnel over WireGuard.
+
+The following *configuration dictionary*:
+
+.. code-block:: python
+
+    {
+        "interfaces": [
+            {
+                "name": "wgvxlan",
+                "type": "wireguard",
+                "private_key": "QFdbnuYr7rrF4eONCAs7FhZwP7BXX/jD/jq2LXCpaXI=",
+                "port": 51820,
+                "mtu": 1420,
+                "nohostroute": False,
+                "fwmark": "",
+                "ip6prefix": [],
+                "addresses": [
+                    {
+                        "proto": "static",
+                        "family": "ipv4",
+                        "address": "10.0.0.5/32",
+                        "mask": 32,
+                    }
+                ],
+                "network": "",
+            },
+            {
+                "name": "vxlan",
+                "type": "vxlan",
+                "vtep": "10.0.0.1",
+                "port": 4789,
+                "vni": 1,
+                "tunlink": "wgvxlan",
+                "rxcsum": True,
+                "txcsum": True,
+                "mtu": 1280,
+                "ttl": 64,
+                "mac": "",
+                "disabled": False,
+                "network": "",
+            },
+        ],
+        "wireguard_peers": [
+            {
+                "interface": "wgvxlan",
+                "public_key": "94a+MnZSdzHCzOy5y2K+0+Xe7lQzaa4v7lEiBZ7elVE=",
+                "allowed_ips": ["10.0.0.1/32"],
+                "endpoint_host": "wireguard.test.com",
+                "endpoint_port": 51820,
+                "preshared_key": "",
+                "persistent_keepalive": 60,
+                "route_allowed_ips": True,
+            }
+        ]
+    }
+
+Will be rendered as follows:
+
+.. code-block:: text
+
+    package network
+
+    config interface 'wgvxlan'
+            list addresses '10.0.0.5/32/32'
+            option listen_port '51820'
+            option mtu '1420'
+            option nohostroute '0'
+            option private_key 'QFdbnuYr7rrF4eONCAs7FhZwP7BXX/jD/jq2LXCpaXI='
+            option proto 'wireguard'
+
+    config interface 'vxlan'
+            option enabled '1'
+            option ifname 'vxlan'
+            option mtu '1280'
+            option peeraddr '10.0.0.1'
+            option port '4789'
+            option proto 'vxlan'
+            option rxcsum '1'
+            option ttl '64'
+            option tunlink 'wgvxlan'
+            option txcsum '1'
+            option vid '1'
+
+    config wireguard_wgvxlan 'wgpeer'
+            list allowed_ips '10.0.0.1/32'
+            option endpoint_host 'wireguard.test.com'
+            option endpoint_port '51820'
+            option persistent_keepalive '60'
+            option public_key '94a+MnZSdzHCzOy5y2K+0+Xe7lQzaa4v7lEiBZ7elVE='
+            option route_allowed_ips '1'
+
 All the other settings
 ----------------------
 
 
@@ -0,0 +1,14 @@
+============
+VPN Backends
+============
+
+.. include:: ../_github.rst
+
+``netjsonconfig`` currently supports three VPN backends:
+
+.. toctree::
+    :maxdepth: 2
+
+    /backends/openvpn
+    /backends/wireguard
+    /backends/vxlan_over_wireguard