Verified
Commit
c66a002d
authored
Jun 26, 2020
by
Sven enniK
add wireguard-backbone sls
parent
8fcdaa2c
Showing
5 changed files
with
219 additions
and
1 deletion
+219
-1
salt/freifunk/base/top.sls
salt/freifunk/base/top.sls
+1
-0
salt/freifunk/base/uci/etc/config/ffdd
salt/freifunk/base/uci/etc/config/ffdd
+2
-1
salt/freifunk/base/wireguard/backbone.sls
salt/freifunk/base/wireguard/backbone.sls
+23
-0
salt/freifunk/base/wireguard/etc/wireguard/wg-backbone.sh
salt/freifunk/base/wireguard/etc/wireguard/wg-backbone.sh
+191
-0
salt/freifunk/base/wireguard/init.sls
salt/freifunk/base/wireguard/init.sls
+2
-0
salt/freifunk/base/top.sls
...
...
@@ -59,6 +59,7 @@ base:
- ntp
- openvpn
- wireguard
- wireguard.backbone
- iperf3
- vnstat
...
...
salt/freifunk/base/uci/etc/config/ffdd
...
...
@@ -31,10 +31,11 @@ config 'ffdd' 'sys'
option 'fastd_secret' '-'
option 'fastd_public' '-'
# to accept all in comming
connection, set this to 0 or remove this line
.
# to accept all in comming
backbone connection, set this to 0
.
# When set to 1, only already known connections are accepted. this may be used
# to prevent overloading a server.
option 'fastd_restrict' '0'
option 'wireguard_restrict' '0'
# SSH Password-Authentification (0=off 1=on)
# To disable tunneled clear text passwords and allow only pub-key auth.
...
...
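Review bot: The new `option 'wireguard_restrict' '0'` is described by the surrounding comment as limiting the backbone to already-known connections, but as far as this commit shows nothing reads `ffdd.sys.wireguard_restrict` — `wg-backbone.sh` never runs `uci get` for it — so the option lands as a no-op. Either wire it into the script or say so in the comment, e.g. `# wireguard_restrict: reserved, not yet evaluated by wg-backbone.sh`. Note that WireGuard only completes a handshake with peers whose public key was added via `wg set … peer`, so the semantics borrowed from `fastd_restrict` may not map one-to-one and deserve a sentence of their own. The comment would also read better as `incoming` than `in comming`.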
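--- /dev/null
+++ b/salt/freifunk/base/wireguard/backbone.sls
+{# Wireguard Backbone #}
+{% from 'config.jinja' import kernel_pkg_check %}
+{# install only than Kernel Package available #}
+{% if kernel_pkg_check == '1' %}
+/etc/wireguard/wg-backbone.sh:
+  file.managed:
+    - source: salt://wireguard/etc/wireguard/wg-backbone.sh
+    - user: root
+    - group: root
+    - mode: 755
+    - require:
+      - pkg: wireguard
+/usr/local/bin/wg-backbone.sh:
+  file.symlink:
+    - target: /etc/wireguard/wg-backbone.sh
+    - force: True
+    - require:
+      - file: /etc/wireguard/wg-backbone.sh
+{% endif %}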
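Review bot: The state only installs and symlinks `wg-backbone.sh`; nothing in this file runs it, so unless a service state elsewhere calls `wg-backbone.sh start`, the `tbb_wg` interface, the 10.203.0.0/16 policy rule and the INPUT ACCEPT rules the script inserts will not be recreated after a reboot, and `/etc/wireguard-backbone/peers` only exists after a manual `start`. The `init.sls` hunks in this same commit show how `wgvpn0_service`/`wgvpn1_service` are tied to `pkg: wireguard`; a matching service or `cmd` state for the backbone, or at least a Jinja comment such as `{# no boot service yet: run "wg-backbone.sh start" by hand after applying #}`, would make the intent explicit. The guard comment also reads better as `{# install only when the kernel package is available #}`.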
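--- /dev/null
+++ b/salt/freifunk/base/wireguard/etc/wireguard/wg-backbone.sh
+#!/bin/bash
+VERSION="uci V1.0"
+wg_ifname=tbb_wg
+port=5003
+peers_dir="/etc/wireguard-backbone/peers"
+if [ -z "$(which uci)" ]; then
+	echo "Error: command 'uci' not found"
+	exit 1
+fi
+local_node=$(uci get ffdd.sys.ddmesh_node)
+eval $(ddmesh-ipcalc.sh -n $local_node)
+echo "DEVEL: manuall calculation of _ddmesh_wireguard_ip"
+local_wireguard_ip=${_ddmesh_ip/10\.200\./10.203.}
+local_wgX_ip="$_ddmesh_nonprimary_ip/$_ddmesh_netpre"
+start_wg()
+{
+	# create config section
+	if [ -z "$(uci -q get ffdd.wireguard)" ]; then
+		uci -q add ffdd wireguard
+		uci -q rename ffdd.@wireguard[-1]='wireguard'
+	fi
+	# create key
+	secret=$(uci -q get ffdd.wireguard.secret)
+	if [ -z "$secret" ]; then
+		echo "create wireguard key"
+		secret=$(wg genkey)
+		uci -q set ffdd.wireguard.secret="$secret"
+	fi
+	# store public
+	public=$(echo $secret | wg pubkey)
+	uci -q set ffdd.wireguard.public="$public"
+	# save config
+	uci commit
+	secret_file=$(tempfile)
+	echo $secret > $secret_file
+	# create interface
+	echo "create wireguard interface [$wg_ifname]"
+	echo ip link add $wg_ifname type wireguard
+	ip link add $wg_ifname type wireguard
+	echo ip addr add "$local_wireguard_ip/32" dev $wg_ifname
+	ip addr add "$local_wireguard_ip/32" dev $wg_ifname
+	echo wg set $wg_ifname private-key $secret_file
+	wg set $wg_ifname private-key $secret_file
+	echo wg set $wg_ifname listen-port $port
+	wg set $wg_ifname listen-port $port
+	echo ip link set $wg_ifname up
+	ip link set $wg_ifname up
+	rm $secret_file
+	ip rule add to 10.203.0.0/16 table main prio 304
+	ip route add 10.203.0.0/16 dev tbb_wg src $local_wireguard_ip
+	WAN_DEV="$(uci get ffdd.sys.ifname)"
+	iptables -w -D INPUT -i $WAN_DEV -p udp --dport $port -j ACCEPT
+	iptables -w -I INPUT -i $WAN_DEV -p udp --dport $port -j ACCEPT
+	iptables -w -D INPUT -i tbb_wg+ -j ACCEPT
+	iptables -w -I INPUT -i tbb_wg+ -j ACCEPT
+}
+stop_wg()
+{
+	LS=$(which ls)
+	IFS='
+'
+	for i in $($LS -1d /sys/class/net/$wg_ifname* 2>/dev/null | sed 's#.*/##')
+	do
+		[ "$i" != "$wg_ifname" ] && bmxd -c dev=-$i
+		ip link del $i 2>/dev/null
+	done
+	unset IFS
+	ip rule del to 10.203.0.0/16 table main prio 304
+}
+accept_peer()
+{
+	node=$1
+	key=$2
+	store=$3	# if 1 it will write config
+	eval $(ddmesh-ipcalc.sh -n $node)
+	echo "DEVEL: manuall calculation of _ddmesh_wireguard_ip"
+	remote_wireguard_ip=${_ddmesh_ip/10\.200\./10.203.}
+	wg set $wg_ifname peer $key persistent-keepalive 25 allowed-ips $remote_wireguard_ip/32
+	# add ipip tunnel
+	sub_ifname="$wg_ifname$node"
+	#ip link add $sub_ifname type ipip remote $remote_wireguard_ip local $local_wireguard_ip
+	ip link add $sub_ifname type ipip remote $remote_wireguard_ip local $local_wireguard_ip
+	ip addr add $local_wgX_ip broadcast $_ddmesh_broadcast dev $sub_ifname
+	ip link set $sub_ifname up
+	bmxd -c dev=$sub_ifname /linklayer 1
+	if [ "$store" = "1" ]; then
+		echo "node $node" > $peers_dir/accept_$node
+		echo "key $key" >> $peers_dir/accept_$node
+	fi
+}
+remove_peer()
+{
+	node=$1
+	key=$2
+	wg set tbb_wg peer "$key" remove
+	rm "$peers_dir/accept_$node"
+}
+load_accept_peers()
+{
+	for peer in $(ls $peers_dir/accept_* 2>/dev/null)
+	do
+		eval "$(awk '/^node/{printf("node=%s\n",$2)} /^key/{printf("key=%s\n",$2)}' $peer)"
+		accept_peer $node $key 0
+	done
+}
+case $1 in
+	start)
+		mkdir -p $peers_dir
+		start_wg
+		load_accept_peers
+		;;
+	stop)
+		stop_wg
+		;;
+	reload)
+		load_accept_peers
+		;;
+	accept)
+		node=$2
+		key=$3
+		if [ -z "$3" ]; then
+			echo "missing parameters"
+			exit 1
+		fi
+		# check if we have already accepted for this node
+		# It prevents accidential overwriting working configs
+		if [ -f "$peers_dir/accept_$node" ]; then
+			echo "Error: node already accepted"
+			exit 1
+		fi
+		accept_peer $node $key 1
+		;;
+	delete)
+		node=$2
+		if [ -z "$2" ]; then
+			echo "missing parameters"
+			exit 1
+		fi
+		eval "$(awk '/^node/{printf("node=%s\n",$2)} /^key/{printf("key=%s\n",$2)}' $peers_dir/accept_$node)"
+		read -s -p "delete $node [y/N]: " -n 1 -a input && echo ${input[0]}
+		if [ "${input[0]}" = "y" ]; then
+			remove_peer $node $key
+			echo "peer $node deleted"
+		else
+			echo "keep peer $node"
+		fi
+		;;
+	status)
+		wg show $wg_ifname
+		;;
+	*)
+		echo "$(basename $0) Version $VERSION"
+		echo "$(basename $0) [start | stop | reload | status | accept <node> <pubkey> | delete <node> ]"
+		echo ""
+		;;
+esac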
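Review bot: `stop_wg` deletes the `tbb_wg*` interfaces and the policy rule but never removes the two INPUT ACCEPT rules `start_wg` inserts (`-i $WAN_DEV -p udp --dport $port` and `-i tbb_wg+`), so after `stop` the UDP/5003 hole on the WAN interface stays in the firewall until the next `start` happens to `-D` it. `remove_peer` is similarly one-sided: it drops the WireGuard peer and the peers file, but the `$wg_ifname$node` ipip interface and the bmxd registration made in `accept_peer` stay up, and it hard-codes `tbb_wg` where every other call uses `$wg_ifname`. `$node` comes from argv (`accept`, `delete`) or from a peers file and is substituted unquoted into `eval $(ddmesh-ipcalc.sh -n $node)`, an interface name and the path `$peers_dir/accept_$node` that `remove_peer` later `rm`s, so rejecting anything non-numeric before use is cheap insurance; the `accept` branch only checks `$3`, and an empty `$2` makes `sub_ifname` collide with `$wg_ifname`. Separately, the private key can be handed to `wg set "$wg_ifname" private-key <(printf '%s\n' "$secret")` instead of round-tripping through `tempfile` (Debian-only, deprecated, and left in /tmp if the script is interrupted before `rm`), and `which uci` is more portably `command -v uci`.
```shell
stop_wg()
{
	# … unchanged: LS/IFS setup and the tbb_wg* teardown loop …
	ip rule del to 10.203.0.0/16 table main prio 304
	WAN_DEV="$(uci get ffdd.sys.ifname)"
	iptables -w -D INPUT -i "$WAN_DEV" -p udp --dport "$port" -j ACCEPT
	iptables -w -D INPUT -i "${wg_ifname}+" -j ACCEPT
}

accept_peer()
{
	node=$1
	key=$2
	store=$3	# if 1 it will write config
	case "$node" in
		''|*[!0-9]*) echo "Error: node must be numeric" >&2; return 1 ;;
	esac
	# … unchanged: ipcalc, wg set peer, ipip tunnel, peers file …
}

remove_peer()
{
	node=$1
	key=$2
	wg set "$wg_ifname" peer "$key" remove
	bmxd -c dev=-"$wg_ifname$node"
	ip link del "$wg_ifname$node" 2>/dev/null
	rm "$peers_dir/accept_$node"
}
```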
salt/freifunk/base/wireguard/init.sls
...
...
@@ -50,6 +50,7 @@ wgvpn0_service:
- service: S40network
- service: S41firewall
- require:
- pkg: wireguard
- service: S40network
- service: S41firewall
- file: /etc/wireguard/vpn0.conf
...
...
@@ -78,6 +79,7 @@ wgvpn1_service:
- service: S40network
- service: S41firewall
- require:
- pkg: wireguard
- service: S40network
- service: S41firewall
- file: /etc/wireguard/vpn1.conf
...
...