[PATCH] Add fff-wireguard package
Fabian Bläse
fabian at blaese.de
Sa Jul 6 23:52:40 CEST 2019
This package adds gateway.d scripts which create
peering interfaces using wireguard.
Signed-off-by: Fabian Bläse <fabian at blaese.de>
---
This patch has to be applied after the fff-babeld patches currently under review
---
src/packages/fff/fff-wireguard/Makefile | 41 +++++
.../files/etc/gateway.d/50-wireguard | 146 ++++++++++++++++++
.../files/etc/uci-defaults/05-wireguard-rules | 24 +++
src/packages/fff/fff/Makefile | 1 +
4 files changed, 212 insertions(+)
create mode 100644 src/packages/fff/fff-wireguard/Makefile
create mode 100644 src/packages/fff/fff-wireguard/files/etc/gateway.d/50-wireguard
create mode 100644 src/packages/fff/fff-wireguard/files/etc/uci-defaults/05-wireguard-rules
diff --git a/src/packages/fff/fff-wireguard/Makefile b/src/packages/fff/fff-wireguard/Makefile
new file mode 100644
index 0000000..f14373c
--- /dev/null
+++ b/src/packages/fff/fff-wireguard/Makefile
@@ -0,0 +1,41 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-wireguard
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/fff-wireguard
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-wireguard
+ SECTION:=base
+ CATEGORY:=Freifunk
+ TITLE:=Freifunk-Franken wireguard
+ URL:=https://www.freifunk-franken.de
+ DEPENDS:=+wireguard \
+ +fff-network \
+ +fff-babeld
+endef
+
+define Package/fff-wireguard/description
+ This is the Freifunk Franken Firmware wireguard package.
+ This package provides configuration scripts for wireguard tunnels.
+endef
+
+define Build/Prepare
+ echo "all: " > $(PKG_BUILD_DIR)/Makefile
+endef
+
+define Build/Configure
+ # nothing
+endef
+
+define Build/Compile
+ # nothing
+endef
+
+define Package/fff-wireguard/install
+ $(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-wireguard))
diff --git a/src/packages/fff/fff-wireguard/files/etc/gateway.d/50-wireguard b/src/packages/fff/fff-wireguard/files/etc/gateway.d/50-wireguard
new file mode 100644
index 0000000..b2e876d
--- /dev/null
+++ b/src/packages/fff/fff-wireguard/files/etc/gateway.d/50-wireguard
@@ -0,0 +1,146 @@
+. /lib/functions.sh
+. /lib/functions/fff/network
+. /lib/functions/fff/babel
+
+#load board specific properties
+BOARD="$(uci get board.model.name)"
+. /etc/network.$BOARD
+
+configure() {
+ # remove peers missing in gateway config
+ remove_wgpeer() {
+ local name="$1"
+
+ # check prefix
+ if [ "$name" = "${name#wg_}" ]; then
+ return
+ fi
+
+ if ! uci -q get gateway.${name#wg_} > /dev/null; then
+ # remove interface
+ uci -q del network.$name
+ # remove wireguard config
+ uci -q del network. at wireguard_$name[0]
+
+ # remove iif-rules
+ babel_delete_iifrules "$name"
+ # remove babel interface
+ babel_delete_interface "$name"
+ fi
+ }
+
+ config_load babeld
+ config_foreach remove_wgpeer interface
+
+
+ # add new peers
+ add_wgpeer() {
+ local name="$1"
+ local prefixname="wg_$name"
+
+ # ensure name length
+ if [ ${#name} -gt 12 ]; then
+ echo "ERROR: name $name is too long!"
+ exit 1
+ fi
+
+ # get rxcost
+ if rxcost=$(uci -q get gateway.$name.rxcost); then
+ rxcost="$rxcost"
+ else
+ rxcost=16384
+ fi
+
+ # get wireguard properties
+ local privkey
+ local pubkey
+ local endpoint_host
+ local endpoint_port
+ local persistent_keepalive
+ local mtu
+
+ if ! privkey=$(uci -q get gateway.$name.private_key); then
+ privkey=$(wg genkey)
+ uci set gateway.$name.private_key="$privkey"
+ fi
+
+ if ! pubkey=$(uci get gateway.$name.public_key); then
+ echo "ERROR: publickey for ${name} missing!"
+ exit 1
+ fi
+
+ if ! endpoint_host=$(uci get gateway.$name.endpoint_host); then
+ echo "ERROR: endpoint_host for ${name} missing!"
+ exit 1
+ fi
+
+ if ! endpoint_port=$(uci get gateway.$name.endpoint_port); then
+ echo "ERROR: endpoint_port for ${name} missing!"
+ exit 1
+ fi
+
+ persistent_keepalive=$(uci -q get gateway.$name.persistent_keepalive)
+ mtu=$(uci -q get gateway.$name.mtu)
+
+
+ # add interface
+ uci set network.$prefixname=interface
+ uci set network.$prefixname.proto=wireguard
+ uci set network.$prefixname.nohostroute='1'
+ uci set network.$prefixname.fwmark='0xc8'
+ uci set network.$prefixname.mtu="${mtu:-1420}"
+
+ uci set network.$prefixname.private_key="$privkey"
+ echo "INFO: publickey for wireguardpeer ${name}: $(uci get gateway.$name.private_key | wg pubkey)"
+
+
+ # add wireguard properties
+ if uci -q get network. at wireguard_$prefixname[0] > /dev/null; then
+ #config already exists
+ cfg="@wireguard_$prefixname[0]"
+ else
+ #create new config
+ cfg=$(uci add network wireguard_$prefixname)
+ fi
+
+ uci set network.$cfg.public_key="$pubkey"
+ uci set network.$cfg.endpoint_host="$endpoint_host"
+ uci set network.$cfg.endpoint_port="$endpoint_port"
+ uci set network.$cfg.persistent_keepalive="$persistent_keepalive"
+ uci -q delete network.$cfg.allowed_ips
+ uci add_list network.$cfg.allowed_ips='::/0'
+ uci add_list network.$cfg.allowed_ips='0.0.0.0/0'
+
+
+ # remove old addresses
+ uci -q del network.$prefixname.addresses
+
+ # add link local address
+ uci add_list network.$prefixname.addresses="$(ipEUIAssemble "fe80::/64" "$ROUTERMAC")"
+
+ # add peer_ip
+ babel_add_peeraddr "network.$prefixname.addresses"
+ babel_add_peer6addr "network.$prefixname.addresses"
+
+ # add iif-rules
+ babel_add_iifrules "$prefixname" || { echo "ERROR: Could not add iif-rules for wgpeer $name"; exit 1; }
+
+ # add babel interface
+ babel_add_interface "$prefixname" "$prefixname" 'tunnel' "$rxcost" || { echo "ERROR: Could not add babeld interface for wgpeer $name"; exit 1; }
+ }
+
+ config_load gateway
+ config_foreach add_wgpeer wireguardpeer
+}
+
+commit() {
+ uci commit network
+ uci commit babeld
+ uci commit gateway
+}
+
+revert() {
+ uci revert network
+ uci revert babeld
+ uci revert gateway
+}
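Review bot: Line 165 reads the private key back out of uci and pipes it through `wg pubkey` to log the public key, although `$privkey` already holds the same value a few lines earlier; `echo "INFO: publickey for wireguardpeer ${name}: $(printf '%s' "$privkey" | wg pubkey)"` avoids a second read of the secret and, should the uci lookup ever fail, logging a key derived from empty input. `rxcost` and `cfg` are never declared `local`, so they leak out of add_wgpeer into the sourcing script, and `rxcost="$rxcost"` on line 120 is a no-op that can be dropped. persistent_keepalive is written unconditionally on line 180, so a peer without that option stores an empty value; guarding it the way mtu is on line 162 looks like the intended shape. The `network. at wireguard_…` spelling on lines 94 and 169 is presumably the archive's obfuscation of `@` rather than the committed code.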
diff --git a/src/packages/fff/fff-wireguard/files/etc/uci-defaults/05-wireguard-rules b/src/packages/fff/fff-wireguard/files/etc/uci-defaults/05-wireguard-rules
new file mode 100644
index 0000000..4ffce09
--- /dev/null
+++ b/src/packages/fff/fff-wireguard/files/etc/uci-defaults/05-wireguard-rules
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+uci batch <<EOF
+ set network.wireguard_main=rule6
+ set network.wireguard_main.mark='0xc8'
+ set network.wireguard_main.lookup='main'
+ set network.wireguard_main.priority='5000'
+ set network.wireguard_main4=rule
+ set network.wireguard_main4.mark='0xc8'
+ set network.wireguard_main4.lookup='main'
+ set network.wireguard_main4.priority='5000'
+ set network.wireguard_blackhole=rule6
+ set network.wireguard_blackhole.mark='0xc8'
+ set network.wireguard_blackhole.action='blackhole'
+ set network.wireguard_blackhole.priority='5001'
+ set network.wireguard_blackhole4=rule
+ set network.wireguard_blackhole4.mark='0xc8'
+ set network.wireguard_blackhole4.action='blackhole'
+ set network.wireguard_blackhole4.priority='5001'
+EOF
+
+uci commit network
+
+exit 0
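Review bot: The unconditional `exit 0` on line 247 reports success even when `uci batch` or `uci commit network` failed; since uci-defaults scripts are removed once they return zero, the mark-0xc8 rules, which presumably exist to keep the encapsulated wireguard packets (fwmark 0xc8 is set on the interface by the gateway.d script) in the main table and blackhole them otherwise rather than let them be routed back into a tunnel, would then silently never be installed. Dropping `exit 0` so the status of `uci commit network` is returned, or writing `uci commit network || exit 1`, keeps the script in place for a retry on the next boot. A one-line comment above the heredoc, e.g. `# packets marked 0xc8 (wireguard transport) may only use the main table; everything else is blackholed`, would also document why a blackhole rule follows each lookup rule.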
diff --git a/src/packages/fff/fff/Makefile b/src/packages/fff/fff/Makefile
index 8f5ffca..9ed7173 100644
--- a/src/packages/fff/fff/Makefile
+++ b/src/packages/fff/fff/Makefile
@@ -53,6 +53,7 @@ define Package/fff-layer3
+fff-dhcp \
+fff-babeld \
+fff-ra \
+ +fff-wireguard \
+iperf3 \
+tcpdump \
+arptables \
--
2.22.0