add wireguard-backbone sls

salt/freifunk/base/top.sls

@@ -59,6 +59,7 @@ base:
     - ntp
     - openvpn
     - wireguard
+    - wireguard.backbone
 
     - iperf3
     - vnstat

salt/freifunk/base/uci/etc/config/ffdd

@@ -31,10 +31,11 @@ config 'ffdd' 'sys'
 	option 'fastd_secret' '-'
 	option 'fastd_public' '-'
 
-	# to accept all in comming connection, set this to 0 or remove this line.
+	# to accept all in comming backbone connection, set this to 0.
 	# When set to 1, only already known connections are accepted. this may be used
 	# to prevent overloading a server.
 	option 'fastd_restrict' '0'
+	option 'wireguard_restrict' '0'
 
 	# SSH Password-Authentification (0=off 1=on)
 	# To disable tunneled clear text passwords and allow only pub-key auth.

salt/freifunk/base/wireguard/backbone.sls

+{# Wireguard Backbone #}
+{% from 'config.jinja' import kernel_pkg_check %}
+
+{# install only than Kernel Package available #}
+{% if kernel_pkg_check == '1' %}
+
+/etc/wireguard/wg-backbone.sh:
+  file.managed:
+    - source: salt://wireguard/etc/wireguard/wg-backbone.sh
+    - user: root
+    - group: root
+    - mode: 755
+    - require:
+      - pkg: wireguard
+
+/usr/local/bin/wg-backbone.sh:
+  file.symlink:
+    - target: /etc/wireguard/wg-backbone.sh
+    - force: True
+    - require:
+      - file: /etc/wireguard/wg-backbone.sh
+
+{% endif %}

salt/freifunk/base/wireguard/etc/wireguard/wg-backbone.sh

+#!/bin/bash
+
+VERSION="uci V1.0"
+
+wg_ifname=tbb_wg
+port=5003
+peers_dir="/etc/wireguard-backbone/peers"
+
+if [ -z "$(which uci)" ]; then
+	echo "Error: command 'uci' not found"
+	exit 1
+fi
+
+
+local_node=$(uci get ffdd.sys.ddmesh_node)
+eval $(ddmesh-ipcalc.sh -n $local_node)
+
+echo "DEVEL: manuall calculation of _ddmesh_wireguard_ip"
+local_wireguard_ip=${_ddmesh_ip/10\.200\./10.203.}
+local_wgX_ip="$_ddmesh_nonprimary_ip/$_ddmesh_netpre"
+
+start_wg()
+{
+	# create config section
+	if [ -z "$(uci -q get ffdd.wireguard)" ]; then
+		uci -q add ffdd wireguard
+		uci -q rename ffdd.@wireguard[-1]='wireguard'
+	fi
+
+	# create key
+	secret=$(uci -q get ffdd.wireguard.secret)
+	if [ -z "$secret" ]; then
+		echo "create wireguard key"
+		secret=$(wg genkey)
+		uci -q set ffdd.wireguard.secret="$secret"
+	fi
+
+	# store public
+	public=$(echo $secret | wg pubkey)
+	uci -q set ffdd.wireguard.public="$public"
+
+	# save config
+	uci commit
+
+	secret_file=$(tempfile)
+	echo $secret > $secret_file
+
+	# create interface
+	echo "create wireguard interface [$wg_ifname]"
+
+echo	ip link add $wg_ifname type wireguard
+	ip link add $wg_ifname type wireguard
+echo	ip addr add "$local_wireguard_ip/32" dev $wg_ifname
+	ip addr add "$local_wireguard_ip/32" dev $wg_ifname
+echo	wg set $wg_ifname private-key $secret_file
+	wg set $wg_ifname private-key $secret_file
+echo	wg set $wg_ifname listen-port $port
+	wg set $wg_ifname listen-port $port
+echo	ip link set $wg_ifname up
+	ip link set $wg_ifname up
+	rm $secret_file
+
+	ip rule add to 10.203.0.0/16 table main prio 304
+	ip route add 10.203.0.0/16 dev tbb_wg src $local_wireguard_ip
+	WAN_DEV="$(uci get ffdd.sys.ifname)"
+	iptables -w -D INPUT -i $WAN_DEV -p udp --dport $port -j ACCEPT
+	iptables -w -I INPUT -i $WAN_DEV -p udp --dport $port -j ACCEPT
+	iptables -w -D INPUT -i tbb_wg+ -j ACCEPT
+	iptables -w -I INPUT -i tbb_wg+ -j ACCEPT
+}
+
+
+stop_wg()
+{
+	LS=$(which ls)
+	IFS='
+'
+	for i in $($LS -1d  /sys/class/net/$wg_ifname* 2>/dev/null | sed 's#.*/##')
+	do
+		[ "$i" != "$wg_ifname" ] && bmxd -c dev=-$i
+		ip link del $i 2>/dev/null
+	done
+	unset IFS
+
+	ip rule del to 10.203.0.0/16 table main prio 304
+}
+
+accept_peer()
+{
+	node=$1
+	key=$2
+	store=$3	# if 1 it will write config
+
+
+	eval $(ddmesh-ipcalc.sh -n $node)
+	echo "DEVEL: manuall calculation of _ddmesh_wireguard_ip"
+	remote_wireguard_ip=${_ddmesh_ip/10\.200\./10.203.}
+
+	wg set $wg_ifname  peer $key persistent-keepalive 25 allowed-ips $remote_wireguard_ip/32
+
+	# add ipip tunnel
+	sub_ifname="$wg_ifname$node"
+	#ip link add $sub_ifname type ipip remote $remote_wireguard_ip local $local_wireguard_ip
+	ip link add $sub_ifname type ipip remote $remote_wireguard_ip local $local_wireguard_ip
+	ip addr add $local_wgX_ip broadcast $_ddmesh_broadcast dev $sub_ifname
+	ip link set $sub_ifname up
+
+	bmxd -c dev=$sub_ifname /linklayer 1
+
+	if [ "$store" = "1" ]; then
+		echo "node $node" > $peers_dir/accept_$node
+		echo "key $key" >> $peers_dir/accept_$node
+	fi
+}
+
+remove_peer()
+{
+	node=$1
+	key=$2
+	wg set tbb_wg peer "$key" remove
+	rm "$peers_dir/accept_$node"
+}
+
+load_accept_peers()
+{
+	for peer in $(ls $peers_dir/accept_* 2>/dev/null)
+	do
+		eval "$(awk '/^node/{printf("node=%s\n",$2)} /^key/{printf("key=%s\n",$2)}' $peer)"
+		accept_peer $node $key 0
+	done
+}
+
+case $1 in
+	start)
+		mkdir -p $peers_dir
+		start_wg
+		load_accept_peers
+		;;
+
+	stop)
+		stop_wg
+		;;
+
+	reload)
+		load_accept_peers
+		;;
+
+	accept)
+		node=$2
+		key=$3
+		if [ -z "$3" ]; then
+			echo "missing parameters"
+			exit 1
+		fi
+		# check if we have already accepted for this node
+		# It prevents accidential overwriting working configs
+		if [ -f "$peers_dir/accept_$node" ]; then
+			echo "Error: node already accepted"
+			exit 1
+		fi
+		accept_peer $node $key 1
+		;;
+
+	delete)
+		node=$2
+		if [ -z "$2" ]; then
+			echo "missing parameters"
+			exit 1
+		fi
+
+		eval "$(awk '/^node/{printf("node=%s\n",$2)} /^key/{printf("key=%s\n",$2)}' $peers_dir/accept_$node )"
+
+		read -s -p "delete $node [y/N]: " -n 1 -a input && echo ${input[0]}
+		if [ "${input[0]}" = "y" ]; then
+			remove_peer $node $key
+			echo "peer $node deleted"
+		else
+			echo "keep peer $node"
+		fi
+		;;
+
+	status)
+		wg show $wg_ifname
+		;;
+
+	*)
+		echo "$(basename $0) Version $VERSION"
+		echo "$(basename $0) [start | stop | reload | status | accept <node> <pubkey> | delete <node> ]"
+		echo ""
+		;;
+esac

salt/freifunk/base/wireguard/init.sls

@@ -50,6 +50,7 @@ wgvpn0_service:
       - service: S40network
       - service: S41firewall
     - require:
+      - pkg: wireguard
       - service: S40network
       - service: S41firewall
       - file: /etc/wireguard/vpn0.conf
@@ -78,6 +79,7 @@ wgvpn1_service:
       - service: S40network
       - service: S41firewall
     - require:
+      - pkg: wireguard
       - service: S40network
       - service: S41firewall
       - file: /etc/wireguard/vpn1.conf