From 487d312d256a7a53f4cc56e3f20b814c82c2aaea Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Sun, 7 Mar 2021 13:29:44 +0100 Subject: [PATCH 1/4] fastd: update and add L2TP variant This also drops the GMAC-based methods from gluon-mesh-vpn-fastd's check_site.lua, as they are not supported anymore. --- package/gluon-mesh-vpn-fastd/check_site.lua | 2 +- .../0001-fastd-simplify-Config.in.patch | 124 ++++++++++++++++++ ...isable-GMAC-based-methods-by-default.patch | 32 +++++ .../packages/0003-fastd-update-to-v22.patch | 59 +++++++++ .../0004-fastd-add-L2TP-variant.patch | 88 +++++++++++++ ...-fastd-fix-start-of-non-L2TP-variant.patch | 63 +++++++++ ...a-config-option-instead-of-a-variant.patch | 112 ++++++++++++++++ 7 files changed, 479 insertions(+), 1 deletion(-) create mode 100644 patches/packages/packages/0001-fastd-simplify-Config.in.patch create mode 100644 patches/packages/packages/0002-fastd-disable-GMAC-based-methods-by-default.patch create mode 100644 patches/packages/packages/0003-fastd-update-to-v22.patch create mode 100644 patches/packages/packages/0004-fastd-add-L2TP-variant.patch create mode 100644 patches/packages/packages/0005-fastd-fix-start-of-non-L2TP-variant.patch create mode 100644 patches/packages/packages/0006-fastd-make-L2TP-support-a-config-option-instead-of-a-variant.patch diff --git a/package/gluon-mesh-vpn-fastd/check_site.lua b/package/gluon-mesh-vpn-fastd/check_site.lua index 70c0d079..57cc7bb1 100644 --- a/package/gluon-mesh-vpn-fastd/check_site.lua +++ b/package/gluon-mesh-vpn-fastd/check_site.lua @@ -1,4 +1,4 @@ -local fastd_methods = {'salsa2012+gmac', 'salsa2012+umac', 'null+salsa2012+gmac', 'null+salsa2012+umac', 'null'} +local fastd_methods = {'salsa2012+umac', 'null+salsa2012+umac', 'null'} need_array_of({'mesh_vpn', 'fastd', 'methods'}, fastd_methods) need_boolean(in_site({'mesh_vpn', 'fastd', 'configurable'}), false) 
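Review bot: The new `fastd_methods` allow-list carries no comment tying it to the fastd build configuration, so a maintainer who later re-enables a method in the packages feed (the GMAC defaults are switched off by the 0002 patch this same commit adds) has nothing pointing them at this validator. A one-line comment above it such as `-- methods compiled into Gluon's fastd build; keep in sync with the fastd Config.in patches under patches/packages/packages/` would make the coupling visible. The same applies to the later edit of this list in patch 2/4.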
diff --git a/patches/packages/packages/0001-fastd-simplify-Config.in.patch b/patches/packages/packages/0001-fastd-simplify-Config.in.patch new file mode 100644 index 00000000..973342cf --- /dev/null +++ b/patches/packages/packages/0001-fastd-simplify-Config.in.patch 
@@ -0,0 +1,124 @@ +From: Matthias Schiffer +Date: Sun, 7 Mar 2021 11:48:32 +0100 +Subject: fastd: simplify Config.in + +Signed-off-by: Matthias Schiffer +(cherry picked from commit 45976ff31a9894dec35fc4a077c9652f6cb59a54) + +diff --git a/net/fastd/Config.in b/net/fastd/Config.in +index 8302f7ee4dac874b1303ebeeb836551ef202c261..89ff6850aa5ab4ad0e762d8fb9473d5e5c820089 100644 +--- a/net/fastd/Config.in ++++ b/net/fastd/Config.in +@@ -1,102 +1,79 @@ ++if PACKAGE_fastd ++ + menu "Configuration" +- depends on PACKAGE_fastd + + config FASTD_ENABLE_METHOD_CIPHER_TEST + bool "Enable cipher-test method provider" +- depends on PACKAGE_fastd +- default n + + config FASTD_ENABLE_METHOD_COMPOSED_GMAC + bool "Enable composed-gmac method provider" +- depends on PACKAGE_fastd ++ select FASTD_ENABLE_MAC_GHASH + default y + + config FASTD_ENABLE_METHOD_COMPOSED_UMAC + bool "Enable composed-umac method provider" +- depends on PACKAGE_fastd ++ select FASTD_ENABLE_MAC_UHASH + default y + + config FASTD_ENABLE_METHOD_GENERIC_GMAC + bool "Enable generic-gmac method provider" +- depends on PACKAGE_fastd ++ select FASTD_ENABLE_MAC_GHASH + default y + + config FASTD_ENABLE_METHOD_GENERIC_POLY1305 + bool "Enable generic-poly1305 method provider" +- depends on PACKAGE_fastd +- default n + + config FASTD_ENABLE_METHOD_GENERIC_UMAC + bool "Enable generic-umac method provider" +- depends on PACKAGE_fastd ++ select FASTD_ENABLE_MAC_UHASH + default y + + config FASTD_ENABLE_METHOD_NULL + bool "Enable null method" +- depends on PACKAGE_fastd + default y + + + config FASTD_ENABLE_CIPHER_NULL + bool "Enable the null cipher" +- depends on PACKAGE_fastd + default y + + config FASTD_ENABLE_CIPHER_SALSA20 + bool "Enable the Salsa20 cipher" +- depends on PACKAGE_fastd +- default n + + config FASTD_ENABLE_CIPHER_SALSA2012 + bool "Enable the Salsa20/12 cipher" +- depends on PACKAGE_fastd + default y + + + config FASTD_ENABLE_MAC_GHASH +- bool "Enable the GHASH message authentication code" +- depends on 
PACKAGE_fastd +- default y ++ bool + + config FASTD_ENABLE_MAC_UHASH +- bool "Enable the UHASH message authentication code" +- depends on PACKAGE_fastd +- default y ++ bool + + + config FASTD_WITH_CAPABILITIES + bool "Enable POSIX capability support" +- depends on PACKAGE_fastd +- default n + + config FASTD_WITH_CMDLINE_USER + bool "Include support for setting user/group related options on the command line" +- depends on PACKAGE_fastd +- default n + + config FASTD_WITH_CMDLINE_LOGGING + bool "Include support for setting logging related options on the command line" +- depends on PACKAGE_fastd +- default n + + config FASTD_WITH_CMDLINE_OPERATION + bool "Include support for setting options related to the VPN operation (like mode, interface, encryption method) on the command line" +- depends on PACKAGE_fastd +- default n + + config FASTD_WITH_CMDLINE_COMMANDS + bool "Include support for setting handler scripts (e.g. --on-up) on the command line" +- depends on PACKAGE_fastd +- default n + + config FASTD_WITH_DYNAMIC_PEERS + bool "Include support for dynamic peers (using on-verify handlers)" +- depends on PACKAGE_fastd +- default n + + config FASTD_WITH_STATUS_SOCKET + bool "Include support for status sockets" +- depends on PACKAGE_fastd + default y + + endmenu ++ ++endif diff --git a/patches/packages/packages/0002-fastd-disable-GMAC-based-methods-by-default.patch b/patches/packages/packages/0002-fastd-disable-GMAC-based-methods-by-default.patch new file mode 100644 index 00000000..a0075a0b --- /dev/null +++ b/patches/packages/packages/0002-fastd-disable-GMAC-based-methods-by-default.patch 
@@ -0,0 +1,32 @@ +From: Matthias Schiffer +Date: Sun, 7 Mar 2021 11:50:04 +0100 +Subject: fastd: disable GMAC-based methods by default + +The UMAC-based methods provide higher performance than GMAC and aren't +suspectible to timing attacks when implemented in software (which is +always the case on OpenWrt, as OpenSSL support is disabled). Disable +GMAC by default to save a few KiB. + +Signed-off-by: Matthias Schiffer +(cherry picked from commit 916a65781829d93856bfb82cf78ba333b8fbc973) + +diff --git a/net/fastd/Config.in b/net/fastd/Config.in +index 89ff6850aa5ab4ad0e762d8fb9473d5e5c820089..b6d46246e53516cdb7fc6e4857ea62481b4e8276 100644 +--- a/net/fastd/Config.in ++++ b/net/fastd/Config.in +@@ -8,7 +8,6 @@ config FASTD_ENABLE_METHOD_CIPHER_TEST + config FASTD_ENABLE_METHOD_COMPOSED_GMAC + bool "Enable composed-gmac method provider" + select FASTD_ENABLE_MAC_GHASH +- default y + + config FASTD_ENABLE_METHOD_COMPOSED_UMAC + bool "Enable composed-umac method provider" +@@ -18,7 +17,6 @@ config FASTD_ENABLE_METHOD_COMPOSED_UMAC + config FASTD_ENABLE_METHOD_GENERIC_GMAC + bool "Enable generic-gmac method provider" + select FASTD_ENABLE_MAC_GHASH +- default y + + config FASTD_ENABLE_METHOD_GENERIC_POLY1305 + bool "Enable generic-poly1305 method provider" diff --git a/patches/packages/packages/0003-fastd-update-to-v22.patch b/patches/packages/packages/0003-fastd-update-to-v22.patch new file mode 100644 index 00000000..4c1f8016 --- /dev/null +++ b/patches/packages/packages/0003-fastd-update-to-v22.patch 
@@ -0,0 +1,59 @@ +From: Matthias Schiffer +Date: Sun, 27 Jun 2021 13:07:49 +0200 +Subject: fastd: update to v22 + +Signed-off-by: Matthias Schiffer +(cherry picked from commit c8ca43865dcc7be0e3193f9b7d12f40d3441c258) + +diff --git a/net/fastd/Config.in b/net/fastd/Config.in +index b6d46246e53516cdb7fc6e4857ea62481b4e8276..157d1e39931cc0163785212cb5eea7d8af4f46f2 100644 +--- a/net/fastd/Config.in ++++ b/net/fastd/Config.in +@@ -30,6 +30,10 @@ config FASTD_ENABLE_METHOD_NULL + bool "Enable null method" + default y + ++config FASTD_ENABLE_METHOD_NULL_L2TP ++ bool "Enable null@l2tp method" ++ default y ++ + + config FASTD_ENABLE_CIPHER_NULL + bool "Enable the null cipher" +diff --git a/net/fastd/Makefile b/net/fastd/Makefile +index c7ab056a9ae005a75a75911658607e64d6228aac..d1ed4cf9afbe2faf11a0fa3b7b4d281848a8df2d 100644 +--- a/net/fastd/Makefile ++++ b/net/fastd/Makefile +@@ -8,12 +8,12 @@ + include $(TOPDIR)/rules.mk + + PKG_NAME:=fastd +-PKG_VERSION:=21 ++PKG_VERSION:=22 + + PKG_MAINTAINER:=Matthias Schiffer + PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz + PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd/releases/download/v$(PKG_VERSION) +-PKG_HASH:=942f33bcd794bcb8e19da4c30c875bdfd4d0f1c24ec4dcdf51237791bbfb0d4c ++PKG_HASH:=19750b88705d66811b7c21b672537909c19ae6b21350688cbd1a3a54d08a8951 + + PKG_LICENSE:=BSD-2-Clause + PKG_LICENSE_FILES:=COPYRIGHT +@@ -26,6 +26,7 @@ PKG_CONFIG_DEPENDS:=\ + CONFIG_FASTD_ENABLE_METHOD_GENERIC_POLY1305 \ + CONFIG_FASTD_ENABLE_METHOD_GENERIC_UMAC \ + CONFIG_FASTD_ENABLE_METHOD_NULL \ ++ CONFIG_FASTD_ENABLE_METHOD_NULL_L2TP \ + CONFIG_FASTD_ENABLE_CIPHER_NULL \ + CONFIG_FASTD_ENABLE_CIPHER_SALSA20 \ + CONFIG_FASTD_ENABLE_CIPHER_SALSA2012 \ +@@ -81,7 +82,9 @@ MESON_ARGS += \ + -Dmethod_generic-poly1305=$(call feature,ENABLE_METHOD_GENERIC_POLY1305) \ + -Dmethod_generic-umac=$(call feature,ENABLE_METHOD_GENERIC_UMAC) \ + -Dmethod_null=$(call feature,ENABLE_METHOD_NULL) \ ++ -Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \ + 
-Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \ ++ -Doffload_l2tp=disabled \ + -Dsystemd=disabled \ + -Duse_nacl=true \ + -Db_lto=true \ diff --git a/patches/packages/packages/0004-fastd-add-L2TP-variant.patch b/patches/packages/packages/0004-fastd-add-L2TP-variant.patch new file mode 100644 index 00000000..61948e3c --- /dev/null +++ b/patches/packages/packages/0004-fastd-add-L2TP-variant.patch 
@@ -0,0 +1,88 @@ +From: Matthias Schiffer +Date: Sun, 27 Jun 2021 13:26:26 +0200 +Subject: fastd: add L2TP variant + +Signed-off-by: Matthias Schiffer +(cherry picked from commit 7b9c04f95b5202d5eb75e4bf1c6831a667ac3d0f) + +diff --git a/net/fastd/Config.in b/net/fastd/Config.in +index 157d1e39931cc0163785212cb5eea7d8af4f46f2..3da5e1f183c5400cc38650efad39edf31c6f18d0 100644 +--- a/net/fastd/Config.in ++++ b/net/fastd/Config.in +@@ -1,4 +1,4 @@ +-if PACKAGE_fastd ++if PACKAGE_fastd || PACKAGE_fastd-l2tp + + menu "Configuration" + +diff --git a/net/fastd/Makefile b/net/fastd/Makefile +index d1ed4cf9afbe2faf11a0fa3b7b4d281848a8df2d..58255cb0ba1a3b00fbca7cfdd44abd3a923603f3 100644 +--- a/net/fastd/Makefile ++++ b/net/fastd/Makefile +@@ -15,8 +15,8 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz + PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd/releases/download/v$(PKG_VERSION) + PKG_HASH:=19750b88705d66811b7c21b672537909c19ae6b21350688cbd1a3a54d08a8951 + +-PKG_LICENSE:=BSD-2-Clause +-PKG_LICENSE_FILES:=COPYRIGHT ++PKG_LICENSE:=BSD-2-Clause LGPL-2.1-or-later ++PKG_LICENSE_FILES:=COPYRIGHT src/dep/libmnl/COPYING + + PKG_CONFIG_DEPENDS:=\ + CONFIG_FASTD_ENABLE_METHOD_CIPHER_TEST \ +@@ -54,6 +54,14 @@ define Package/fastd + TITLE:=Fast and Secure Tunneling Daemon + URL:=https://github.com/NeoRaider/fastd/ + SUBMENU:=VPN ++ VARIANT:=default ++endef ++define Package/fastd-l2tp ++$(Package/fastd) ++ DEPENDS+=+kmod-l2tp +kmod-l2tp-eth ++ TITLE+=(L2TP kernel offloading) ++ VARIANT:=l2tp ++ PROVIDES:=fastd + endef + + define Package/fastd/config +@@ -85,18 +93,31 @@ MESON_ARGS += \ + -Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \ + -Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \ + -Doffload_l2tp=disabled \ ++ -Dlibmnl_builtin=true \ + -Dsystemd=disabled \ + -Duse_nacl=true \ + -Db_lto=true \ + -Dprefix=/usr + ++ifeq ($(BUILD_VARIANT),l2tp) ++ MESON_ARGS += \ ++ -Dmethod_null_l2tp=enabled \ ++ -Doffload_l2tp=enabled ++endif ++ + define 
Package/fastd/description +- Fast and secure tunneling daemon, which is optimized on small code size and few dependencies ++Fast and secure tunneling daemon, which is optimized on small code size and few dependencies ++endef ++define Package/fastd-l2tp/description ++$(Package/fastd/description) ++ ++This variant enables L2TP kernel offloadig support. + endef + + define Package/fastd/conffiles + /etc/config/fastd + endef ++Package/fastd-l2tp/conffiles = $(Package/fastd/conffiles) + + define Package/fastd/install + $(INSTALL_DIR) $(1)/usr/bin +@@ -110,5 +131,7 @@ define Package/fastd/install + $(INSTALL_DIR) $(1)/lib/upgrade/keep.d + $(INSTALL_DATA) files/fastd.upgrade $(1)/lib/upgrade/keep.d/fastd + endef ++Package/fastd-l2tp/install = $(Package/fastd/install) + + $(eval $(call BuildPackage,fastd)) ++$(eval $(call BuildPackage,fastd-l2tp)) diff --git a/patches/packages/packages/0005-fastd-fix-start-of-non-L2TP-variant.patch b/patches/packages/packages/0005-fastd-fix-start-of-non-L2TP-variant.patch new file mode 100644 index 00000000..a34ce851 --- /dev/null +++ b/patches/packages/packages/0005-fastd-fix-start-of-non-L2TP-variant.patch 
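Review bot: `-Dlibmnl_builtin=true` is added to the shared `MESON_ARGS` block rather than inside the `ifeq ($(BUILD_VARIANT),l2tp)` block, so both variants are configured to compile in fastd's bundled libmnl (the new `PKG_LICENSE_FILES` entry `src/dep/libmnl/COPYING` shows it is an in-tree copy). A bundled copy does not receive fixes shipped through the feed's own libmnl package, which is worth a conscious decision for the L2TP offload path, and the later 0006 patch keeps the line unchanged. If fastd's meson build can link the system library, `-Dlibmnl_builtin=false` together with a `+libmnl` dependency would be preferable; otherwise a comment next to the option explaining why the bundled copy is used would help. Whether the non-offload build links libmnl at all is not visible from this diff.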
@@ -0,0 +1,63 @@ +From: Matthias Schiffer +Date: Sun, 27 Jun 2021 14:48:48 +0200 +Subject: fastd: fix start of non-L2TP variant + +Signed-off-by: Matthias Schiffer +(cherry picked from commit 62742985d7cf15029b4d6027a7ccfa0e480278ca) + +diff --git a/net/fastd/Makefile b/net/fastd/Makefile +index 58255cb0ba1a3b00fbca7cfdd44abd3a923603f3..6fd316374d876834995f696fc63e7fbb98fb437c 100644 +--- a/net/fastd/Makefile ++++ b/net/fastd/Makefile +@@ -9,6 +9,7 @@ include $(TOPDIR)/rules.mk + + PKG_NAME:=fastd + PKG_VERSION:=22 ++PKG_RELEASE=2 + + PKG_MAINTAINER:=Matthias Schiffer + PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz +diff --git a/net/fastd/patches/0001-config-allow-disabling-L2TP-offload-when-fastd-doesn.patch b/net/fastd/patches/0001-config-allow-disabling-L2TP-offload-when-fastd-doesn.patch +new file mode 100644 +index 0000000000000000000000000000000000000000..f2eabc95d61abf070907239b9d5d5935bd82966c +--- /dev/null ++++ b/net/fastd/patches/0001-config-allow-disabling-L2TP-offload-when-fastd-doesn.patch +@@ -0,0 +1,38 @@ ++From d95ae843845760aecbbc62a734c2b93b401b1834 Mon Sep 17 00:00:00 2001 ++Message-Id: ++From: Matthias Schiffer ++Date: Sun, 27 Jun 2021 14:45:46 +0200 ++Subject: [PATCH] config: allow disabling L2TP offload when fastd doesn't ++ support it ++ ++Only attempting to enable the offloading should raise an error when it ++is not supported. 
++--- ++ src/config.y | 8 +++++--- ++ 1 file changed, 5 insertions(+), 3 deletions(-) ++ ++diff --git a/src/config.y b/src/config.y ++index a107d7b9fda7..7a3ec6a32649 100644 ++--- a/src/config.y +++++ b/src/config.y ++@@ -282,12 +282,14 @@ offload: TOK_L2TP boolean { ++ #ifdef WITH_OFFLOAD_L2TP ++ conf.offload_l2tp = $2; ++ #else +++ if ($2) { ++ # ifdef __linux__ ++- fastd_config_error(&@$, state, "L2TP offload is not supported by this build of fastd"); +++ fastd_config_error(&@$, state, "L2TP offload is not supported by this build of fastd"); ++ # else ++- fastd_config_error(&@$, state, "L2TP offload is not supported on this platform"); +++ fastd_config_error(&@$, state, "L2TP offload is not supported on this platform"); ++ # endif ++- YYERROR; +++ YYERROR; +++ } ++ #endif ++ } ++ ; ++-- ++2.32.0 ++ diff --git a/patches/packages/packages/0006-fastd-make-L2TP-support-a-config-option-instead-of-a-variant.patch b/patches/packages/packages/0006-fastd-make-L2TP-support-a-config-option-instead-of-a-variant.patch new file mode 100644 index 00000000..7759d711 --- /dev/null +++ b/patches/packages/packages/0006-fastd-make-L2TP-support-a-config-option-instead-of-a-variant.patch 
@@ -0,0 +1,112 @@ +From: Matthias Schiffer +Date: Sun, 27 Jun 2021 16:46:38 +0200 +Subject: fastd: make L2TP support a config option instead of a variant + +We enable the option by default, but do not depend on the kernel modules +required for L2TP offloading to avoid wasting space when the feature is +not needed. To use offloading, kmod-l2tp-eth must be installed. + +Signed-off-by: Matthias Schiffer +(cherry picked from commit 03ff71d5ba955ad2d3f23de30e526ab6452297d4) + +diff --git a/net/fastd/Config.in b/net/fastd/Config.in +index 3da5e1f183c5400cc38650efad39edf31c6f18d0..67ae7c6b1390632735c5d26bade2cb2c570a9a43 100644 +--- a/net/fastd/Config.in ++++ b/net/fastd/Config.in +@@ -1,4 +1,4 @@ +-if PACKAGE_fastd || PACKAGE_fastd-l2tp ++if PACKAGE_fastd + + menu "Configuration" + +@@ -76,6 +76,10 @@ config FASTD_WITH_STATUS_SOCKET + bool "Include support for status sockets" + default y + ++config FASTD_WITH_OFFLOAD_L2TP ++ bool "Enable L2TP offloading" ++ default y ++ + endmenu + + endif +diff --git a/net/fastd/Makefile b/net/fastd/Makefile +index 6fd316374d876834995f696fc63e7fbb98fb437c..9175227a5fe179bdb9d38d5e173f84908fb216ef 100644 +--- a/net/fastd/Makefile ++++ b/net/fastd/Makefile +@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk + + PKG_NAME:=fastd + PKG_VERSION:=22 +-PKG_RELEASE=2 ++PKG_RELEASE=3 + + PKG_MAINTAINER:=Matthias Schiffer + PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz +@@ -39,7 +39,8 @@ PKG_CONFIG_DEPENDS:=\ + CONFIG_FASTD_WITH_CMDLINE_OPERATION \ + CONFIG_FASTD_WITH_CMDLINE_COMMANDS \ + CONFIG_FASTD_WITH_DYNAMIC_PEERS \ +- CONFIG_FASTD_WITH_STATUS_SOCKET ++ CONFIG_FASTD_WITH_STATUS_SOCKET \ ++ CONFIG_FASTD_WITH_OFFLOAD_L2TP + + + PKG_BUILD_DEPENDS:=meson/host nacl +@@ -55,14 +56,6 @@ define Package/fastd + TITLE:=Fast and Secure Tunneling Daemon + URL:=https://github.com/NeoRaider/fastd/ + SUBMENU:=VPN +- VARIANT:=default +-endef +-define Package/fastd-l2tp +-$(Package/fastd) +- DEPENDS+=+kmod-l2tp +kmod-l2tp-eth +- TITLE+=(L2TP kernel offloading) +- 
VARIANT:=l2tp +- PROVIDES:=fastd + endef + + define Package/fastd/config +@@ -93,32 +86,20 @@ MESON_ARGS += \ + -Dmethod_null=$(call feature,ENABLE_METHOD_NULL) \ + -Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \ + -Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \ +- -Doffload_l2tp=disabled \ ++ -Doffload_l2tp=$(call feature,WITH_OFFLOAD_L2TP) \ + -Dlibmnl_builtin=true \ + -Dsystemd=disabled \ + -Duse_nacl=true \ + -Db_lto=true \ + -Dprefix=/usr + +-ifeq ($(BUILD_VARIANT),l2tp) +- MESON_ARGS += \ +- -Dmethod_null_l2tp=enabled \ +- -Doffload_l2tp=enabled +-endif +- + define Package/fastd/description + Fast and secure tunneling daemon, which is optimized on small code size and few dependencies + endef +-define Package/fastd-l2tp/description +-$(Package/fastd/description) +- +-This variant enables L2TP kernel offloadig support. +-endef + + define Package/fastd/conffiles + /etc/config/fastd + endef +-Package/fastd-l2tp/conffiles = $(Package/fastd/conffiles) + + define Package/fastd/install + $(INSTALL_DIR) $(1)/usr/bin +@@ -132,7 +113,5 @@ define Package/fastd/install + $(INSTALL_DIR) $(1)/lib/upgrade/keep.d + $(INSTALL_DATA) files/fastd.upgrade $(1)/lib/upgrade/keep.d/fastd + endef +-Package/fastd-l2tp/install = $(Package/fastd/install) + + $(eval $(call BuildPackage,fastd)) +-$(eval $(call BuildPackage,fastd-l2tp)) From 15eeb86f426c7d171f2a5f80c9ea8f50ee17fadd Mon Sep 17 00:00:00 2001 
From: Matthias Schiffer Date: Sun, 7 Mar 2021 20:13:41 +0100 Subject: [PATCH 2/4] gluon-{,web-}mesh-vpn-fastd: add support for null@l2tp method THe "null" and "null@l2tp" methods are considered equivalent and always added and removed together when the method list is "configurable". "null@l2tp" is added before "null", so it is preferred when the peer supports both. --- package/gluon-mesh-vpn-fastd/check_site.lua | 2 +- .../luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd | 10 ++++++---- .../gluon/config-mode/model/admin/mesh_vpn_fastd.lua | 5 +++-- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/package/gluon-mesh-vpn-fastd/check_site.lua b/package/gluon-mesh-vpn-fastd/check_site.lua index 57cc7bb1..6f3c0832 100644 --- a/package/gluon-mesh-vpn-fastd/check_site.lua +++ b/package/gluon-mesh-vpn-fastd/check_site.lua @@ -1,4 +1,4 @@ -local fastd_methods = {'salsa2012+umac', 'null+salsa2012+umac', 'null'} +local fastd_methods = {'salsa2012+umac', 'null+salsa2012+umac', 'null@l2tp', 'null'} need_array_of({'mesh_vpn', 'fastd', 'methods'}, fastd_methods) need_boolean(in_site({'mesh_vpn', 'fastd', 'configurable'}), false) diff --git a/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd b/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd index 5fed1e8c..1af8218e 100755 --- a/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd +++ b/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd 
@@ -17,20 +17,22 @@ end local methods if site.mesh_vpn.fastd.configurable(false) then - local has_null = util.contains(site.mesh_vpn.fastd.methods(), 'null') + local site_methods = site.mesh_vpn.fastd.methods() + local has_null = util.contains(site_methods, 'null@l2tp') or util.contains(site_methods, 'null') local old_methods = uci:get('fastd', 'mesh_vpn', 'method') if old_methods then - has_null = util.contains(old_methods, 'null') + has_null = util.contains(old_methods, 'null@l2tp') or util.contains(old_methods, 'null') end methods = {} if has_null then + table.insert(methods, 'null@l2tp') table.insert(methods, 'null') end - for _, method in ipairs(site.mesh_vpn.fastd.methods()) do - if method ~= 'null' then + for _, method in ipairs(site_methods) do + if method ~= 'null@l2tp' and method ~= 'null' then table.insert(methods, method) end end diff --git a/package/gluon-web-mesh-vpn-fastd/luasrc/lib/gluon/config-mode/model/admin/mesh_vpn_fastd.lua b/package/gluon-web-mesh-vpn-fastd/luasrc/lib/gluon/config-mode/model/admin/mesh_vpn_fastd.lua index ad890c31..9243ec92 100644 --- a/package/gluon-web-mesh-vpn-fastd/luasrc/lib/gluon/config-mode/model/admin/mesh_vpn_fastd.lua +++ b/package/gluon-web-mesh-vpn-fastd/luasrc/lib/gluon/config-mode/model/admin/mesh_vpn_fastd.lua @@ -10,7 +10,7 @@ mode.package = "gluon-web-mesh-vpn-fastd" mode.template = "mesh-vpn-fastd" local methods = uci:get('fastd', 'mesh_vpn', 'method') -if util.contains(methods, 'null') then +if util.contains(methods, 'null@l2tp') or util.contains(methods, 'null') then -- performance mode will only be used as default, if it is present in site.mesh_vpn.fastd.methods mode.default = 'performance' else 
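Review bot: The pair of "null-like" method names is spelled out four times in this hunk (`util.contains(site_methods, 'null@l2tp') or util.contains(site_methods, 'null')`, the same again on `old_methods`, the two `table.insert` calls and the `method ~= 'null@l2tp' and method ~= 'null'` filter), and the two `mesh_vpn_fastd.lua` hunks repeat the same idioms in the web model; adding another equivalent method later means touching all of them. Naming the list once and deriving the membership checks from it keeps the ordering rule ("null@l2tp before null") in one place, and the web model, which lives in a different package, could adopt the same shape. The `if site.mesh_vpn.fastd.configurable(false) then` block continues past the end of the hunk.
```lua
local null_methods = {'null@l2tp', 'null'}

-- true if `list` contains any of the null-like methods
local function has_null_method(list)
	for _, m in ipairs(null_methods) do
		if util.contains(list, m) then return true end
	end
	return false
end

local methods
if site.mesh_vpn.fastd.configurable(false) then
	local site_methods = site.mesh_vpn.fastd.methods()
	local has_null = has_null_method(site_methods)
	-- … unchanged: old_methods lookup, now using has_null_method(old_methods) …
	methods = {}
	if has_null then
		-- null@l2tp first, so it is preferred when the peer supports both
		for _, m in ipairs(null_methods) do
			table.insert(methods, m)
		end
	end

	for _, method in ipairs(site_methods) do
		if not util.contains(null_methods, method) then
			table.insert(methods, method)
		end
	end
```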
@@ -24,11 +24,12 @@ function mode:write(data) -- if performance mode was selected, and the method 'null' was not present in the original table, it will be added local site_methods = {} if data == 'performance' then + table.insert(site_methods, 'null@l2tp') table.insert(site_methods, 'null') end for _, method in ipairs(site.mesh_vpn.fastd.methods()) do - if method ~= 'null' then + if method ~= 'null@l2tp' and method ~= 'null' then table.insert(site_methods, method) end end From 7c6befc7c3cae040c58f7d5d19b0276ec3d4e0cb Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Sun, 7 Mar 2021 20:47:27 +0100 Subject: [PATCH 3/4] gluon-mesh-vpn-fastd: add L2TP offload support --- package/features | 7 ++++++- package/gluon-mesh-vpn-fastd-l2tp/Makefile | 13 +++++++++++++ .../files/lib/gluon/mesh-vpn/fastd/l2tp | 0 .../files/lib/gluon/mesh-vpn/fastd/.keep | 0 .../lib/gluon/upgrade/400-mesh-vpn-fastd | 18 ++++++++++++++++++ 5 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 package/gluon-mesh-vpn-fastd-l2tp/Makefile create mode 100644 package/gluon-mesh-vpn-fastd-l2tp/files/lib/gluon/mesh-vpn/fastd/l2tp create mode 100644 package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn/fastd/.keep diff --git a/package/features b/package/features index c6e94a1a..da68b369 100644 --- a/package/features +++ b/package/features @@ -16,7 +16,12 @@ when(_'web-wizard' and _'autoupdater', { 'gluon-config-mode-autoupdater', }) -when(_'web-wizard' and (_'mesh-vpn-fastd' or _'mesh-vpn-tunneldigger' or _'mesh-vpn-wireguard'), { +when(_'web-wizard' and ( + _'mesh-vpn-fastd' or + _'mesh-vpn-fastd-l2tp' or + _'mesh-vpn-tunneldigger' or + _'mesh-vpn-wireguard' +), { 'gluon-config-mode-mesh-vpn', }) diff --git a/package/gluon-mesh-vpn-fastd-l2tp/Makefile b/package/gluon-mesh-vpn-fastd-l2tp/Makefile new file mode 100644 index 00000000..8eb5f6ec --- /dev/null +++ b/package/gluon-mesh-vpn-fastd-l2tp/Makefile 
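Review bot: The context comment `-- if performance mode was selected, and the method 'null' was not present in the original table, it will be added` directly above the changed lines still names only `'null'`, while the new code now inserts `null@l2tp` ahead of `null` and the loop below strips both names from the site list. Suggest rewording it to `-- if performance mode was selected, prepend 'null@l2tp' and 'null' (in that order, so null@l2tp is preferred) and drop both from the site list to avoid duplicates`. `mode:write` starts before the hunk and ends outside it as well.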
@@ -0,0 +1,13 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=gluon-mesh-vpn-fastd-l2tp +PKG_VERSION:=1 + +include ../gluon.mk + +define Package/gluon-mesh-vpn-fastd-l2tp + TITLE:=Support for connecting meshes via fastd (with L2TP kernel offloading) + DEPENDS:=+gluon-core +gluon-mesh-vpn-fastd +kmod-l2tp-eth +@GLUON_SPECIALIZE_KERNEL:KERNEL_L2TP +endef + +$(eval $(call BuildPackageGluon,gluon-mesh-vpn-fastd-l2tp)) diff --git a/package/gluon-mesh-vpn-fastd-l2tp/files/lib/gluon/mesh-vpn/fastd/l2tp b/package/gluon-mesh-vpn-fastd-l2tp/files/lib/gluon/mesh-vpn/fastd/l2tp new file mode 100644 index 00000000..e69de29b diff --git a/package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn/fastd/.keep b/package/gluon-mesh-vpn-fastd/files/lib/gluon/mesh-vpn/fastd/.keep new file mode 100644 index 00000000..e69de29b diff --git a/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd b/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd index 1af8218e..c8898755 100755 --- a/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd +++ b/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd @@ -5,6 +5,7 @@ local util = require 'gluon.util' local vpn_core = require 'gluon.mesh-vpn' local uci = require('simple-uci').cursor() +local unistd = require 'posix.unistd' local syslog_level = uci:get('fastd', 'mesh_vpn', 'syslog_level') or 'verbose' 
@@ -52,9 +53,19 @@ uci:section('fastd', 'fastd', 'mesh_vpn', { secure_handshakes = true, method = methods, packet_mark = 1, + persist_interface = true, + offload_l2tp = false, status_socket = '/var/run/fastd.mesh_vpn.socket', }) +uci:delete('fastd', 'mesh_vpn', 'peer_limit') +-- L2TP offload support +if unistd.access('/lib/gluon/mesh-vpn/fastd/l2tp') then + uci:set('fastd', 'mesh_vpn', 'mode', 'multitap') + uci:set('fastd', 'mesh_vpn', 'persist_interface', false) + uci:set('fastd', 'mesh_vpn', 'offload_l2tp', true) + uci:set('fastd', 'mesh_vpn', 'peer_limit', 1) +end -- Collect list of groups that have peers with 'preserve' flag local preserve_groups = {} @@ -96,6 +107,7 @@ local function add_peer(group, name, config) enabled = true, net = 'mesh_vpn', group = group, + interface = 'mesh-vpn', key = config.key, remote = config.remotes, }) @@ -125,5 +137,11 @@ end add_groups('mesh_vpn', site.mesh_vpn.fastd.groups()) +-- Update preserved peers as well +uci:foreach('fastd', 'peer', function(peer) + if peer.net == 'mesh_vpn' then + uci:set('fastd', peer['.name'], 'interface', 'mesh-vpn') + end +end) uci:save('fastd') From a8c767621543c1277fe730095668a0c5a9b3215f Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Fri, 24 Dec 2021 17:50:26 +0100 Subject: [PATCH 4/4] docs: update Mesh VPN documentation - Restructure page - Add information on how to add L2TPv3 offloading support to a build using configurable ciphers. The null method is not reocmmended anymore. - Add notes and pointers regarding the gateway configuration to provide gateway admins with hints on how to modify their configuration to accommodate this new feature. - Mention wireguard support Based-on-patch-by: Felix Kaechele --- docs/features/vpn.rst | 132 +++++++++++++++++++++++++++++++----------- 1 file changed, 98 insertions(+), 34 deletions(-) diff --git a/docs/features/vpn.rst b/docs/features/vpn.rst index c1ed9336..bc2bf733 100644 --- a/docs/features/vpn.rst +++ b/docs/features/vpn.rst 
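Review bot: `uci:set('fastd', 'mesh_vpn', 'peer_limit', 1)` in the offload branch has no comment explaining why the limit is needed, and its reason only becomes visible in the other two hunks of this file (`interface = 'mesh-vpn'` in `add_peer` and the `uci:foreach` fix-up of preserved peers): in `multitap` mode fastd creates one interface per peer, and since every peer is given the same interface name, only one may be connected at a time, as far as I can tell from this diff. A comment on that line such as `-- multitap creates one interface per peer and all peers share the name 'mesh-vpn', so allow a single connection` would keep the three hunks understandable on their own. The marker check also switches on `offload_l2tp` regardless of whether the `methods` list built earlier in this script contains `null@l2tp`; if fastd rejects or silently ignores offloading without that method, a comment or a guard would help — confirm against fastd's behaviour. `unistd.access` is called without a mode argument; presumably the luaposix default (existence check) is what is intended.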
@@ -1,57 +1,121 @@ -Mesh-VPN +Mesh VPN ======== -Gluon integrates several OSI-Layer 2 tunneling protocols to -enable interconnects between local meshes and provide -internetwork access. Available protocols currently are: +Gluon integrates several layer 2 tunneling protocols to +allow connections between local meshes through the internet. -- fastd -- L2TPv3 (via tunneldigger) +Protocol handlers +^^^^^^^^^^^^^^^^^ -fastd is a lightweight userspace tunneling daemon, that +There are currently three protocol handlers which can be selected +via ``GLUON_FEATURES`` in ``site.mk``: + +mesh-vpn-fastd +~~~~~~~~~~~~~~ + +fastd is a lightweight userspace tunneling daemon that implements cipher suites that are specifically designed to work well on embedded devices. It offers encryption -and authentication. Its primary drawback are the necessary -context-switches when forwarding packets. +and authentication. +The primary drawback of fastd's encrypted connection modes +is the necessary context switches when forwarding packets. +A kernel-supported L2TPv3 offloading option is available to +work around the context-switching bottleneck, but it comes +at the cost of losing the ability to protect tunnel connections +against eavesdropping or manipulation. -L2TPv3 is an in-kernel tunneling protocol that performs well, -but offers no security properties by itself. -The brokering of the tunnel happens through tunneldigger, -its primary drawback being the lack of IPv6 support. +mesh-vpn-tunneldigger +~~~~~~~~~~~~~~~~~~~~~ + +Tunneldigger always uses L2TPv3, generally achieving the same +performance as fastd with the ``null@l2tp`` method, but offering +no security. +Tunneldigger's primary drawback is the lack of IPv6 support. +It also provides less configurability than fastd. + +mesh-vpn-wireguard (experimental) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Wireguard is a new tunneling software that offers modern encryption +methods and is implemented in the kernel, resulting in high throughput. 
+It is implemented in Gluon using the *wgpeerselector* tool. fastd ------ +^^^^^ -Configurable Cipher -^^^^^^^^^^^^^^^^^^^ +Methods +~~~~~~~ +fastd offers various different connection "methods" with different +security properties that can be configured in the site configuration. -From the site configuration fastd can be allowed to offer +The following methods are currently recommended: + +- ``salsa2012+umac``: Encrypted + authenticated +- ``null+salsa2012+umac``: Unencrypted, authenticated +- ``null@l2tp``: Unencrypted, unauthenticated + +Multiple methods can be listed in ``site.conf``. The first listed method +supported by both the node and its peer will be used. + +The use of the ``null@l2tp`` method with offloading enabled can provide a +considerable performance gain, especially on weaker embedded hardware. +For L2TP offloading, the ``mesh-vpn-fastd-l2tp`` feature needs to be enabled in +``site.mk``. + +Configurable Method +~~~~~~~~~~~~~~~~~~~ + +From the site configuration, fastd can be allowed to offer toggleable encryption in the config mode with the intent to -increase throughput, although in practice the gain is minimal. +increase throughput. -**Site configuration:** +There is also an older unprotected method ``null``. Use of the newer +``null@l2tp`` method is generally recommended over ``null``, as the +performance gains provided by the latter (compared to the encrypted +and authenticated methods) are very small. 
-1) Add the feature ``web-mesh-vpn-fastd`` in ``site.mk`` -2) Set ``mesh_vpn.fastd.configurable = true`` in ``site.conf`` -3) Optionally add ``null`` to the ``mesh_vpn.fastd.methods`` table if you want "Performance mode" as default (not recommended) +Site configuration +------------------ -**Gateway configuration:** +1) + Add the feature ``web-mesh-vpn-fastd`` in ``site.mk`` +2) + Set ``mesh_vpn.fastd.configurable = true`` in ``site.conf`` +3) + Optionally, add ``null@l2tp`` to the ``mesh_vpn.fastd.methods`` table if you want + "Performance mode" as default (not recommended) -1) Prepend the ``null`` cipher in fastd's method list +Gateway / Supernode Configuration +--------------------------------- +When only using the ``null`` or ``null@l2tp`` methods without offloading, +simply add these methods to the front of the method list. ``null@l2tp`` +should always appear before ``null`` in the configuration when both are enabled. +fastd v22 or newer is needed for the ``null@l2tp`` method. + +It is often not necessary to enable L2TP offloading on supernodes for +performance reasons. Nodes using offloading can communicate with supornodes that +don't use offloading as long as both use the ``null@l2tp`` method. + +To enable L2TP offloading on the supornodes as well, it is recommended to study +the fastd documentation section pertaining to the `offload configuration option +`_. + +Note that in ``multitap`` mode, which is required when using +L2TP offloading, fastd will create one interface per peer +on the supernode's side and it is the administrator's +responsibility to ensure that these interfaces are handled correctly. +In batman-adv-based setups this involves adding the dynamically created +interfaces to an batadv interface using fastd's ``on up`` scripts or some +network configuration daemon like systemd-networkd. + +Config Mode +----------- -**Config Mode:** The resulting firmware will allow users to choose between secure (encrypted) and fast (unencrypted) transport. .. 
image:: fastd_mode.gif -**Unix socket:** -To confirm whether the correct cipher is being used, fastd's unix -socket can be interrogated, after installing for example `socat`. - -:: - - opkg update - opkg install socat - socat - UNIX-CONNECT:/var/run/fastd.mesh_vpn.socket +To confirm whether the correct cipher is being used, the log output +of fastd can be checked using ``logread``.