Commit a1ce496d authored by Sven enniK's avatar Sven enniK

move wg-backbone script to separately directory

parent c66a002d
......@@ -4,9 +4,9 @@
{# install only than Kernel Package available #}
{% if kernel_pkg_check == '1' %}
/etc/wireguard/wg-backbone.sh:
/etc/wireguard-backbone/wg-backbone.sh:
file.managed:
- source: salt://wireguard/etc/wireguard/wg-backbone.sh
- source: salt://wireguard/etc/wireguard-backbone/wg-backbone.sh
- user: root
- group: root
- mode: 755
......@@ -15,9 +15,9 @@
/usr/local/bin/wg-backbone.sh:
file.symlink:
- target: /etc/wireguard/wg-backbone.sh
- target: /etc/wireguard-backbone/wg-backbone.sh
- force: True
- require:
- file: /etc/wireguard/wg-backbone.sh
- file: /etc/wireguard-backbone/wg-backbone.sh
{% endif %}
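Review bot: The state now manages the script at /etc/wireguard-backbone/wg-backbone.sh and repoints the /usr/local/bin symlink, but nothing removes the previous copy at /etc/wireguard/wg-backbone.sh, so hosts that applied the old state keep a second root-owned mode-755 copy that will silently drift from the managed one. Add a cleanup state next to the new `file.managed`, e.g. `/etc/wireguard/wg-backbone.sh:` followed by `  file.absent`, either inside the same `kernel_pkg_check` guard or unconditionally, since removing the stale file does not depend on the kernel package. The file header and the lines before the first hunk are outside this view, so I cannot tell whether such a state already exists elsewhere in the file.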
#!/bin/bash
#!/usr/bin/env bash
VERSION="uci V1.0"
VERSION='uci V1.0'
wg_ifname=tbb_wg
port=5003
peers_dir="/etc/wireguard-backbone/peers"
wg_ifname='tbb_wg'
port='5003'
peers_dir='/etc/wireguard-backbone/peers'
if [ -z "$(which uci)" ]; then
echo "Error: command 'uci' not found"
printf "Error: command 'uci' not found\n"
exit 1
fi
local_node=$(uci get ffdd.sys.ddmesh_node)
local_node="$(uci get ffdd.sys.ddmesh_node)"
eval $(ddmesh-ipcalc.sh -n $local_node)
echo "DEVEL: manuall calculation of _ddmesh_wireguard_ip"
local_wireguard_ip=${_ddmesh_ip/10\.200\./10.203.}
printf 'DEVEL: manuall calculation of _ddmesh_wireguard_ip\n'
local_wireguard_ip="${_ddmesh_ip/10\.200\./10.203.}"
local_wgX_ip="$_ddmesh_nonprimary_ip/$_ddmesh_netpre"
start_wg()
......@@ -28,43 +28,43 @@ start_wg()
fi
# create key
secret=$(uci -q get ffdd.wireguard.secret)
secret="$(uci -q get ffdd.wireguard.secret)"
if [ -z "$secret" ]; then
echo "create wireguard key"
secret=$(wg genkey)
printf 'create wireguard key\n'
secret="$(wg genkey)"
uci -q set ffdd.wireguard.secret="$secret"
fi
# store public
public=$(echo $secret | wg pubkey)
public=$(echo "$secret" | wg pubkey)
uci -q set ffdd.wireguard.public="$public"
# save config
uci commit
secret_file=$(tempfile)
echo $secret > $secret_file
secret_file="$(tempfile)"
echo "$secret" > "$secret_file"
# create interface
echo "create wireguard interface [$wg_ifname]"
echo ip link add $wg_ifname type wireguard
ip link add $wg_ifname type wireguard
echo ip addr add "$local_wireguard_ip/32" dev $wg_ifname
ip addr add "$local_wireguard_ip/32" dev $wg_ifname
echo wg set $wg_ifname private-key $secret_file
wg set $wg_ifname private-key $secret_file
echo wg set $wg_ifname listen-port $port
wg set $wg_ifname listen-port $port
echo ip link set $wg_ifname up
ip link set $wg_ifname up
rm $secret_file
printf 'create wireguard interface [%s]\n' "$wg_ifname"
echo ip link add "$wg_ifname" type wireguard
ip link add "$wg_ifname" type wireguard
echo ip addr add "$local_wireguard_ip/32" dev "$wg_ifname"
ip addr add "$local_wireguard_ip/32" dev "$wg_ifname"
echo wg set "$wg_ifname" private-key "$secret_file"
wg set "$wg_ifname" private-key "$secret_file"
echo wg set "$wg_ifname" listen-port "$port"
wg set "$wg_ifname" listen-port "$port"
echo ip link set "$wg_ifname" up
ip link set "$wg_ifname" up
rm "$secret_file"
ip rule add to 10.203.0.0/16 table main prio 304
ip route add 10.203.0.0/16 dev tbb_wg src $local_wireguard_ip
ip route add 10.203.0.0/16 dev tbb_wg src "$local_wireguard_ip"
WAN_DEV="$(uci get ffdd.sys.ifname)"
iptables -w -D INPUT -i $WAN_DEV -p udp --dport $port -j ACCEPT
iptables -w -I INPUT -i $WAN_DEV -p udp --dport $port -j ACCEPT
iptables -w -D INPUT -i "$WAN_DEV" -p udp --dport "$port" -j ACCEPT
iptables -w -I INPUT -i "$WAN_DEV" -p udp --dport "$port" -j ACCEPT
iptables -w -D INPUT -i tbb_wg+ -j ACCEPT
iptables -w -I INPUT -i tbb_wg+ -j ACCEPT
}
......@@ -72,13 +72,13 @@ echo ip link set $wg_ifname up
stop_wg()
{
LS=$(which ls)
LS="$(which ls)"
IFS='
'
for i in $($LS -1d /sys/class/net/$wg_ifname* 2>/dev/null | sed 's#.*/##')
do
[ "$i" != "$wg_ifname" ] && bmxd -c dev=-$i
ip link del $i 2>/dev/null
[ "$i" != "$wg_ifname" ] && bmxd -c dev=-"$i"
ip link del "$i" 2>/dev/null
done
unset IFS
......@@ -87,38 +87,37 @@ stop_wg()
accept_peer()
{
node=$1
key=$2
store=$3 # if 1 it will write config
node="$1"
key="$2"
store="$3" # if 1 it will write config
eval $(ddmesh-ipcalc.sh -n $node)
echo "DEVEL: manuall calculation of _ddmesh_wireguard_ip"
remote_wireguard_ip=${_ddmesh_ip/10\.200\./10.203.}
remote_wireguard_ip="${_ddmesh_ip/10\.200\./10.203.}"
wg set $wg_ifname peer $key persistent-keepalive 25 allowed-ips $remote_wireguard_ip/32
wg set "$wg_ifname" peer "$key" persistent-keepalive 25 allowed-ips "$remote_wireguard_ip"/32
# add ipip tunnel
sub_ifname="$wg_ifname$node"
#ip link add $sub_ifname type ipip remote $remote_wireguard_ip local $local_wireguard_ip
ip link add $sub_ifname type ipip remote $remote_wireguard_ip local $local_wireguard_ip
ip addr add $local_wgX_ip broadcast $_ddmesh_broadcast dev $sub_ifname
ip link set $sub_ifname up
ip link add "$sub_ifname" type ipip remote "$remote_wireguard_ip" local "$local_wireguard_ip"
ip addr add "$local_wgX_ip" broadcast "$_ddmesh_broadcast" dev "$sub_ifname"
ip link set "$sub_ifname" up
bmxd -c dev=$sub_ifname /linklayer 1
bmxd -c dev="$sub_ifname" /linklayer 1
if [ "$store" = "1" ]; then
echo "node $node" > $peers_dir/accept_$node
echo "key $key" >> $peers_dir/accept_$node
echo "node $node" > "$peers_dir"/accept_$node
echo "key $key" >> "$peers_dir"/accept_$node
fi
}
remove_peer()
{
node=$1
key=$2
node="$1"
key="$2"
wg set tbb_wg peer "$key" remove
rm "$peers_dir/accept_$node"
rm "$peers_dir"/accept_"$node"
}
load_accept_peers()
......@@ -126,13 +125,13 @@ load_accept_peers()
for peer in $(ls $peers_dir/accept_* 2>/dev/null)
do
eval "$(awk '/^node/{printf("node=%s\n",$2)} /^key/{printf("key=%s\n",$2)}' $peer)"
accept_peer $node $key 0
accept_peer "$node" "$key" 0
done
}
case $1 in
start)
mkdir -p $peers_dir
test ! -d "$peers_dir" && mkdir -p "$peers_dir"
start_wg
load_accept_peers
;;
......@@ -146,25 +145,25 @@ case $1 in
;;
accept)
node=$2
key=$3
node="$2"
key="$3"
if [ -z "$3" ]; then
echo "missing parameters"
printf 'missing parameters\n'
exit 1
fi
# check if we have already accepted for this node
# It prevents accidential overwriting working configs
if [ -f "$peers_dir/accept_$node" ]; then
echo "Error: node already accepted"
printf 'Error: node already accepted\n'
exit 1
fi
accept_peer $node $key 1
accept_peer "$node" "$key" 1
;;
delete)
node=$2
if [ -z "$2" ]; then
echo "missing parameters"
printf 'missing parameters\n'
exit 1
fi
......@@ -173,19 +172,18 @@ case $1 in
read -s -p "delete $node [y/N]: " -n 1 -a input && echo ${input[0]}
if [ "${input[0]}" = "y" ]; then
remove_peer $node $key
echo "peer $node deleted"
printf 'peer %s deleted\n' "$node"
else
echo "keep peer $node"
printf 'keep peer %s\n' "$node"
fi
;;
status)
wg show $wg_ifname
wg show "$wg_ifname"
;;
*)
echo "$(basename $0) Version $VERSION"
echo "$(basename $0) [start | stop | reload | status | accept <node> <pubkey> | delete <node> ]"
echo ""
printf '%s Version %s\n' "$(basename $0)" "$VERSION"
printf '%s [start | stop | reload | status | accept <node> <pubkey> | delete <node> ]\n\n' "$(basename $0)"
;;
esac
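Review bot: In the start_wg hunk the freshly generated WireGuard private key is still written to a disk-backed temp file (`secret_file="$(tempfile)"`, `echo "$secret" > "$secret_file"`) and removed only by the `rm "$secret_file"` at the end of the function, so an interrupt between those lines, or a later `set -e`, leaves the key on disk (tempfile creates the file 0600 by default, so the exposure is its lifetime rather than its mode), and `tempfile` is Debian-specific and deprecated, which matters if this script is meant for the uci-based hosts it targets; start_wg's opening line is before this hunk. Since the file already declares bash, hand the key to wg without touching the filesystem, `wg set "$wg_ifname" private-key <(printf '%s\n' "$secret")`, and drop the tempfile, echo-to-file and rm lines; if a temp file is kept instead, create it with `mktemp` and register `trap 'rm -f -- "$secret_file"' EXIT` immediately after creating it. As a style point, `ip route add 10.203.0.0/16 dev tbb_wg …` and the `tbb_wg+` iptables rules in the same hunk hardcode the interface name while every surrounding line now uses "$wg_ifname"; using the variable there keeps the quoting pass consistent. Outside this hunk, in accept_peer, the context line `eval $(ddmesh-ipcalc.sh -n $node)` is the one remaining place where an argument taken from the command line reaches eval unquoted and unvalidated, and the same `$node` is spliced into the `accept_$node` file name, so a check such as `case "$node" in ''|*[!0-9]*) printf 'invalid node\n' >&2; return 1;; esac` at the top of accept_peer would close both.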