Add fff-wireguard package
This package adds gateway.d scripts which create peering interfaces using wireguard. Signed-off-by: Fabian Bläse <fabian@blaese.de> Reviewed-by: Robert Langhammer <rlanghammer@web.de>
parent
104a260843
commit
2978cbeb4e
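--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,41 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-wireguard
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/fff-wireguard
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-wireguard
+SECTION:=base
+CATEGORY:=Freifunk
+TITLE:=Freifunk-Franken wireguard
+URL:=https://www.freifunk-franken.de
+DEPENDS:=+wireguard \
++fff-network \
++fff-babeld
+endef
+
+define Package/fff-wireguard/description
+This is the Freifunk Franken Firmware wireguard package.
+This package provides configuration scripts for wireguard tunnels.
+endef
+
+define Build/Prepare
+echo "all: " > $(PKG_BUILD_DIR)/Makefile
+endef
+
+define Build/Configure
+# nothing
+endef
+
+define Build/Compile
+# nothing
+endef
+
+define Package/fff-wireguard/install
+$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-wireguard))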
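--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,146 @@
+. /lib/functions.sh
+. /lib/functions/fff/network
+. /lib/functions/fff/babel
+
+#load board specific properties
+BOARD="$(uci get board.model.name)"
+. /etc/network.$BOARD
+
+configure() {
+# remove peers missing in gateway config
+remove_wgpeer() {
+local name="$1"
+
+# check prefix
+if [ "$name" = "${name#wg_}" ]; then
+return
+fi
+
+if ! uci -q get gateway.${name#wg_} > /dev/null; then
+# remove interface
+uci -q del network.$name
+# remove wireguard config
+uci -q del network.@wireguard_$name[0]
+
+# remove iif-rules
+babel_delete_iifrules "$name"
+# remove babel interface
+babel_delete_interface "$name"
+fi
+}
+
+config_load babeld
+config_foreach remove_wgpeer interface
+
+
+# add new peers
+add_wgpeer() {
+local name="$1"
+local prefixname="wg_$name"
+
+# ensure name length
+if [ ${#name} -gt 12 ]; then
+echo "ERROR: name $name is too long!"
+exit 1
+fi
+
+# get rxcost
+if rxcost=$(uci -q get gateway.$name.rxcost); then
+rxcost="$rxcost"
+else
+rxcost=16384
+fi
+
+# get wireguard properties
+local privkey
+local pubkey
+local endpoint_host
+local endpoint_port
+local persistent_keepalive
+local mtu
+
+if ! privkey=$(uci -q get gateway.$name.private_key); then
+privkey=$(wg genkey)
+uci set gateway.$name.private_key="$privkey"
+fi
+
+if ! pubkey=$(uci get gateway.$name.public_key); then
+echo "ERROR: publickey for ${name} missing!"
+exit 1
+fi
+
+if ! endpoint_host=$(uci get gateway.$name.endpoint_host); then
+echo "ERROR: endpoint_host for ${name} missing!"
+exit 1
+fi
+
+if ! endpoint_port=$(uci get gateway.$name.endpoint_port); then
+echo "ERROR: endpoint_port for ${name} missing!"
+exit 1
+fi
+
+persistent_keepalive=$(uci -q get gateway.$name.persistent_keepalive)
+mtu=$(uci -q get gateway.$name.mtu)
+
+
+# add interface
+uci set network.$prefixname=interface
+uci set network.$prefixname.proto=wireguard
+uci set network.$prefixname.nohostroute='1'
+uci set network.$prefixname.fwmark='0xc8'
+uci set network.$prefixname.mtu="${mtu:-1420}"
+
+uci set network.$prefixname.private_key="$privkey"
+echo "INFO: publickey for wireguardpeer ${name}: $(uci get gateway.$name.private_key | wg pubkey)"
+
+
+# add wireguard properties
+if uci -q get network.@wireguard_$prefixname[0] > /dev/null; then
+#config already exists
+cfg="@wireguard_$prefixname[0]"
+else
+#create new config
+cfg=$(uci add network wireguard_$prefixname)
+fi
+
+uci set network.$cfg.public_key="$pubkey"
+uci set network.$cfg.endpoint_host="$endpoint_host"
+uci set network.$cfg.endpoint_port="$endpoint_port"
+uci set network.$cfg.persistent_keepalive="$persistent_keepalive"
+uci -q delete network.$cfg.allowed_ips
+uci add_list network.$cfg.allowed_ips='::/0'
+uci add_list network.$cfg.allowed_ips='0.0.0.0/0'
+
+
+# remove old addresses
+uci -q del network.$prefixname.addresses
+
+# add link local address
+uci add_list network.$prefixname.addresses="$(ipEUIAssemble "fe80::/64" "$ROUTERMAC")"
+
+# add peer_ip
+babel_add_peeraddr "network.$prefixname.addresses"
+babel_add_peer6addr "network.$prefixname.addresses"
+
+# add iif-rules
+babel_add_iifrules "$prefixname" || { echo "ERROR: Could not add iif-rules for wgpeer $name"; exit 1; }
+
+# add babel interface
+babel_add_interface "$prefixname" "$prefixname" 'tunnel' "$rxcost" || { echo "ERROR: Could not add babeld interface for wgpeer $name"; exit 1; }
+}
+
+config_load gateway
+config_foreach add_wgpeer wireguardpeer
+}
+
+commit() {
+uci commit network
+uci commit babeld
+uci commit gateway
+}
+
+revert() {
+uci revert network
+uci revert babeld
+uci revert gateway
+}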
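Review bot: In add_wgpeer, `rxcost` and `cfg` are assigned without `local` while every other per-peer variable in the function is declared local, and `rxcost="$rxcost"` on the success branch does nothing; the whole rxcost block reduces to `local rxcost` followed by `rxcost=$(uci -q get gateway.$name.rxcost) || rxcost=16384`. The INFO line derives the public key by re-reading the private key from uci although `$privkey` already holds the same value, so `echo "$privkey" | wg pubkey` avoids the second lookup. The `@wireguard_…[0]` arguments in remove_wgpeer and in the `uci -q get` of add_wgpeer are unquoted, which makes `[0]` a shell glob pattern; quoting the whole argument, as is done for `cfg="@wireguard_$prefixname[0]"`, keeps it literal. The 12-character limit on `name` is presumably chosen so that `wg_` plus the name stays within the 15-character kernel interface-name limit; a comment such as `# "wg_" + 12 chars = 15, the maximum interface name length` would record that.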
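--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+uci batch <<EOF
+set network.wireguard_main=rule6
+set network.wireguard_main.mark='0xc8'
+set network.wireguard_main.lookup='main'
+set network.wireguard_main.priority='5000'
+set network.wireguard_main4=rule
+set network.wireguard_main4.mark='0xc8'
+set network.wireguard_main4.lookup='main'
+set network.wireguard_main4.priority='5000'
+set network.wireguard_blackhole=rule6
+set network.wireguard_blackhole.mark='0xc8'
+set network.wireguard_blackhole.action='blackhole'
+set network.wireguard_blackhole.priority='5001'
+set network.wireguard_blackhole4=rule
+set network.wireguard_blackhole4.mark='0xc8'
+set network.wireguard_blackhole4.action='blackhole'
+set network.wireguard_blackhole4.priority='5001'
+EOF
+
+uci commit network
+
+exit 0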
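Review bot: The script ends with an unconditional `exit 0` although neither `uci batch` nor `uci commit network` is checked, so a failed batch or commit still reports success; as far as I know uci-defaults scripts are only removed after a zero exit, so `uci commit network || exit 1` (or simply dropping the final `exit 0` so the commit's status is returned) would keep the script for a retry instead of silently losing the rules. The mark `0xc8` in all four rules has to agree with the `fwmark='0xc8'` the gateway.d script in this commit sets on the `wg_*` interfaces, and nothing in either file records that coupling; a comment at the top such as `# 0xc8 must match network.wg_*.fwmark set by the wireguard gateway.d script` would make it visible. The main-then-blackhole pair at priorities 5000/5001 presumably keeps marked packets out of any routing tables consulted later; stating that intent in a comment would help the next reader.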
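--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -53,6 +53,7 @@ define Package/fff-layer3
 +fff-dhcp \
 +fff-babeld \
 +fff-ra \
++fff-wireguard \
 +iperf3 \
 +tcpdump \
 +arptables \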