Upstream vpn package again (#38)

* Updated: checkout action

* Update Makefile

* Updated: checkout action

ffka-gluon-web-usb-wan-hotplug: i18n/de.po: fix typo (#13)

ffmuc-gluon-mesh-vpn-wireguard-vxlan: add package (#6)

Co-authored-by: Annika Wickert <[email protected]>
Co-authored-by: krombel <[email protected]>
Co-authored-by: Martin Weinelt <[email protected]>
Co-authored-by: lqb <[email protected]>
Co-authored-by: lqb <[email protected]>
Co-authored-by: Julian Labus <[email protected]>
Co-authored-by: Tristan Helmich <[email protected]>
Co-authored-by: goligo <[email protected]>

Update Makefile

* Wonder how that worked

* Remove reverse synchronization of gluon.mesh_vpn.enabled

* Renamed ffmuc-gluon-mesh-vpn-wireguard-vxlan to ffmuc-mesh-vpn-wireguard-vxlan

* Only add ip6tables rule, if not set already

For each reconnection checkuplink was adding an additional entry to the INPUT chain in ip6tables. In case a node does not have WAN connection, but accidentally enabled mesh over VPN, this adding 1440 rules per day or about 40k rules within a month.

* Adapted checkuplink for changes nslookup output in OpenWrt 22.03

In OpenWrt 22.03 the output of nslookup as a colon after "Address", so it was not matched correctly by our regular expression.

* Add mesh-vpn to BATMAN, as Gluon does not do it anymore

Gluon v2022.1 has been refactored in a way, that a mesh-vpn interface is no longer in the network configuration and no longer added to BATMAN automatically, so we now add it explicitly in our script.

* Revert "Add mesh-vpn to BATMAN, as Gluon does not do it anymore"

This reverts commit fd5f1c7.

* Add mtu() to wireguard provider API

Required by recent upstream changes:
freifunk-gluon/gluon@7c81897

* Add compatibility variable for enabling mesh vpn

* Add wireguard_pubkey.sh to be more compatible

Required as part of gluon-mesh-vpn-core:
https://github.com/freifunk-gluon/gluon/blob/v2022.1/package/gluon-mesh-vpn-core/files/lib/netifd/proto/gluon_wireguard.sh#L32

* Fix broken grep

This fixes the broken grep to find the batctl gw

---------

Co-authored-by: Felix Golatofski <[email protected]>
Co-authored-by: goligo <[email protected]>
Co-authored-by: Grische <[email protected]>

Author: 4 people

.github/workflows/lint.yml

@@ -8,7 +8,7 @@ jobs:
     name: Lua
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
       - name: Install Dependencies
         run: sudo apt-get install lua-check
       - name: Lint Lua

ffmuc-mesh-vpn-wireguard-vxlan/files/lib/gluon/gluon-mesh-wireguard-vxlan/checkuplink

@@ -25,10 +25,10 @@ check_address_family() {
 	# Check if we have a default route for v6 if not fallback to v4
 	defgw=$(ip -6 route show table 1 | grep 'default via')
 	if [ "$?" -eq "0" ]; then
-		local ipv6="$(gluon-wan nslookup $gateway | grep 'Address [0-9]' | egrep -o '([a-f0-9:]+:+)+[a-f0-9]+')"
+		local ipv6="$(gluon-wan nslookup $gateway | grep 'Address:\? [0-9]' | egrep -o '([a-f0-9:]+:+)+[a-f0-9]+')"
 		echo [$ipv6]$(echo $peer_endpoint | egrep -oe :[0-9]+$)
 	else
-		local ipv4="$(gluon-wan nslookup $gateway | grep 'Address [0-9]' | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b")"
+		local ipv4="$(gluon-wan nslookup $gateway | grep 'Address:\? [0-9]' | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b")"
 		echo $ipv4$(echo $peer_endpoint | egrep -oe :[0-9]+$)
 	fi
 
@@ -52,7 +52,7 @@ if [ "$(uci get wireguard.mesh_vpn.enabled)" == "true" ] || [ "$(uci get wiregua
 	# Check connectivity to supernode
 	wget http://[$(wg  | grep fe80 | awk '{split($3,A,"/")};{print A[1]}')%$MESH_VPN_IFACE]/  --timeout=5 -O/dev/null -q
 	if [ "$?" -eq "0" ]; then
-		GWMAC=$(batctl gwl | grep \* | awk '{print $2}')
+		GWMAC=$(batctl gwl | awk '/[*]/{print $2}')
 		batctl ping -c 5 $GWMAC &> /dev/null
 		if [ "$?" -eq "0" ]; then
 			CONNECTED=1
@@ -107,7 +107,11 @@ if [ "$(uci get wireguard.mesh_vpn.enabled)" == "true" ] || [ "$(uci get wiregua
 
 		# We need to allow incoming vxlan traffic on mesh iface
 		sleep 10
-		ip6tables -I INPUT 1 -i $MESH_VPN_IFACE -m udp -p udp --dport 8472 -j ACCEPT
+                RULE="-i $MESH_VPN_IFACE -m udp -p udp --dport 8472 -j ACCEPT"
+                ip6tables -C INPUT $RULE                                                                                
+                if [ $? -ne 0 ]; then                                  
+                        ip6tables -I INPUT 1 $RULE
+                fi                                                                                                             
 
 		# Bring up VXLAN
 		ip link add mesh-vpn type vxlan id "$(lua -e 'print(tonumber(require("gluon.util").domain_seed_bytes("gluon-mesh-vpn-vxlan", 3), 16))')" local $(interface_linklocal "$MESH_VPN_IFACE") remote $(uci get wireguard.peer_$PEER.link_address) dstport 8472 dev $MESH_VPN_IFACE

ffmuc-mesh-vpn-wireguard-vxlan/files/lib/gluon/mesh-vpn/wireguard_pubkey.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/bin/wg show wg_mesh_vpn public-key

ffmuc-mesh-vpn-wireguard-vxlan/luasrc/lib/gluon/upgrade/400-mesh-vpn-wireguard

@@ -17,6 +17,7 @@ end)
 
 local mesh_enabled = uci:get_bool('gluon', 'mesh_vpn', 'enabled') -- default
 	or uci:get_bool('fastd', 'mesh_vpn', 'enabled') --migration
+	or not uci:get_bool('network', 'wg_mesh', 'disabled') --compatiblity with upstream
 	or wg_enabled -- specific config
 
 uci:section("wireguard", "wireguard", "mesh_vpn", {

ffmuc-mesh-vpn-wireguard-vxlan/luasrc/usr/lib/lua/gluon/mesh-vpn/provider/wireguard.lua

@@ -7,7 +7,13 @@ local vpn_core = require 'gluon.mesh-vpn'
 local M = {}
 
 function M.public_key()
-        return util.trim(util.exec('/usr/bin/wg show wg_mesh_vpn public-key'))
+        local key = util.trim(util.exec("/lib/gluon/mesh-vpn/wireguard_pubkey.sh"))
+
+        if key == '' then
+                key = nil
+        end
+
+        return key
 end
 
 function M.enable(val)
@@ -33,4 +39,8 @@ function M.set_limit(ingress_limit, egress_limit)
         uci:save('simple-tc')
 end
 
+function M.mtu()
+        return site.mesh_vpn.wireguard.mtu()
+end
+
 return M