From d099294aea3bada406f59b7463c514e4b0535956 Mon Sep 17 00:00:00 2001
From: Plamen Dimitrov
Date: Tue, 19 Aug 2025 21:36:38 +0800
Subject: [PATCH] extend the dynamic vpnconn cnfvar with proper wireguard support

TODO: From a TODO like:
```
\# TODO: perhaps the dynamic attributes from the template type above can be used to provide better template for WireGuard
if vpnparams["cnf_vpnconn_proto"] == "WIREGUARD":
```
---
 src/cnfvar/templates.py | 68 ++++++++++++++++++++++++++++++++++++++++++++---
 1 files changed, 64 insertions(+), 4 deletions(-)

diff --git a/src/cnfvar/templates.py b/src/cnfvar/templates.py
index 0bad943..d26b7a8 100644
--- a/src/cnfvar/templates.py
+++ b/src/cnfvar/templates.py
@@ -397,10 +397,70 @@ def vpnconn(name, instance=-1, **kwargs):
     log.info(f"Generating a vpn connection {name} cnfvar")
     vpnconn_cnf = template("vpnconn", name, instance=instance, defaults=vpnconn_defaults, **kwargs)
 
-    if vpnconn_cnf.children.single_with_name("vpnconn_lan_type").value not in ["NIC", "CUSTOM"]:
+
+    if vpnconn_cnf.children.single_with_name("vpnconn_proto").value == "IPSEC":
+        if vpnconn_cnf.children.single_with_name("vpnconn_lan_type").value not in ["NIC", "CUSTOM"]:
+            vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_lan_net")
+        if vpnconn_cnf.children.single_with_name("vpnconn_remote_type").value != "CUSTOM":
+            vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_remote_net")
+        if vpnconn_cnf.children.single_with_name("vpnconn_remote_type").value != "MODECONFIG":
+            vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_remote_modeconfig_ip")
+    elif vpnconn_cnf.children.single_with_name("vpnconn_proto").value == "WIREGUARD":
+        vpnconn_cnf.children.remove_where(
+            lambda c: c.name == "vpnconn_encryption_profile_ref"
+        )
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_ike_version")
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_key_own_ref")
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_key_type")
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_lan_nat_ip")
+        vpnconn_cnf.children.remove_where(
+            lambda c: c.name == "vpnconn_lan_nat_mode"
+        )
+        vpnconn_cnf.children.remove_where(
+            lambda c: c.name == "vpnconn_lan_nat_network"
+        )
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_lan_nic_ref")
         vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_lan_net")
-    if vpnconn_cnf.children.single_with_name("vpnconn_remote_type").value != "CUSTOM":
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_lan_netmask")
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_lan_type")
+        vpnconn_cnf.children.remove_where(
+            lambda c: c.name == "vpnconn_lifetime_ike"
+        )
+        vpnconn_cnf.children.remove_where(
+            lambda c: c.name == "vpnconn_lifetime_ipsecsa"
+        )
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_peer_dns")
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_peer_ip")
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_peer_type")
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_psk")
+        vpnconn_cnf.children.remove_where(
+            lambda c: c.name == "vpnconn_psk_foreign_id"
+        )
+        vpnconn_cnf.children.remove_where(
+            lambda c: c.name == "vpnconn_psk_foreign_id_type"
+        )
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_psk_own_id")
+        vpnconn_cnf.children.remove_where(
+            lambda c: c.name == "vpnconn_psk_own_id_type"
+        )
+        vpnconn_cnf.children.remove_where(
+            lambda c: c.name == "vpnconn_remote_inet_nat"
+        )
+        vpnconn_cnf.children.remove_where(
+            lambda c: c.name == "vpnconn_remote_nat_enable"
+        )
+        vpnconn_cnf.children.remove_where(
+            lambda c: c.name == "vpnconn_remote_nat_network"
+        )
         vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_remote_net")
-    if vpnconn_cnf.children.single_with_name("vpnconn_remote_type").value != "MODECONFIG":
-        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_remote_modeconfig_ip")
+        vpnconn_cnf.children.remove_where(
+            lambda c: c.name == "vpnconn_remote_netmask"
+        )
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_remote_type")
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_retries")
+        vpnconn_cnf.children.remove_where(lambda c: c.name == "vpnconn_secured")
+        vpnconn_cnf.children.remove_where(
+            lambda c: c.name == "vpnconn_xauth_server_enable"
+        )
+
     return vpnconn_cnf
-- 
1.7.1
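Review bot: The new `if`/`elif` on `vpnconn_proto` prunes nothing for any value other than `IPSEC` or `WIREGUARD`, whereas the removed lines applied the `vpnconn_lan_net`/`vpnconn_remote_net` pruning unconditionally, so a third protocol value (or a typo such as `"IPsec"` in a caller's kwargs) now silently emits every IPsec-only child, PSK and key references included. Unless the template defaults guarantee one of those two values — they are outside this hunk, as is the `def vpnconn` line shown in the hunk header — an explicit `else: raise ValueError(f"unsupported vpnconn_proto {proto!r} for {name}")` makes that case loud; `log.warning` is the conservative alternative if other protocols are legitimately generated here. The thirty single-name `remove_where` calls in the WIREGUARD branch are also better kept as one module-level tuple of IPsec-only child names with a single `remove_where(lambda c: c.name in ...)`, which reads `vpnconn_proto` once instead of twice and keeps the pruning list reviewable in one place. The rewrite below is constructed from exactly the names the hunk removes.
```python
# IPsec-only children that have no meaning for a WireGuard connection
# (module level, above vpnconn; exactly the names the WIREGUARD branch drops).
_IPSEC_ONLY_CHILDREN = frozenset({
    "vpnconn_encryption_profile_ref", "vpnconn_ike_version", "vpnconn_key_own_ref",
    "vpnconn_key_type", "vpnconn_lan_nat_ip", "vpnconn_lan_nat_mode",
    "vpnconn_lan_nat_network", "vpnconn_lan_nic_ref", "vpnconn_lan_net",
    "vpnconn_lan_netmask", "vpnconn_lan_type", "vpnconn_lifetime_ike",
    "vpnconn_lifetime_ipsecsa", "vpnconn_peer_dns", "vpnconn_peer_ip",
    "vpnconn_peer_type", "vpnconn_psk", "vpnconn_psk_foreign_id",
    "vpnconn_psk_foreign_id_type", "vpnconn_psk_own_id", "vpnconn_psk_own_id_type",
    "vpnconn_remote_inet_nat", "vpnconn_remote_nat_enable", "vpnconn_remote_nat_network",
    "vpnconn_remote_net", "vpnconn_remote_netmask", "vpnconn_remote_type",
    "vpnconn_retries", "vpnconn_secured", "vpnconn_xauth_server_enable",
})

    # … unchanged: log.info and the template(...) call …
    proto = vpnconn_cnf.children.single_with_name("vpnconn_proto").value
    if proto == "IPSEC":
        # … unchanged: the three lan_type / remote_type conditional removals …
    elif proto == "WIREGUARD":
        vpnconn_cnf.children.remove_where(lambda c: c.name in _IPSEC_ONLY_CHILDREN)
    else:
        raise ValueError(f"unsupported vpnconn_proto {proto!r} for {name}")
    return vpnconn_cnf
```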