diff --git a/docs/user/site.rst b/docs/user/site.rst
index 45f7d7ed..19d4fb3f 100644
--- a/docs/user/site.rst
+++ b/docs/user/site.rst
@@ -198,6 +198,12 @@ mesh_vpn
 defines the MTU of the VPN interface, determining a proper MTU value is described in the :ref:`FAQ `.
+ By default information that could be used to associate client traffic with a nodes
+ IP address is not advertised to protect the nodes privacy. This usually requires
+ the attacker to be able to observe the link over which the tunnel flows.
+ If this is of no concern in your threat-model this behaviour can be disabled by
+ setting *pubkey_privacy* to `false`.
+
 The `fastd` section configures settings specific to the *fastd* VPN implementation.
diff --git a/package/gluon-mesh-vpn-core/check_site.lua b/package/gluon-mesh-vpn-core/check_site.lua
index 6cead517..04ff3c84 100644
--- a/package/gluon-mesh-vpn-core/check_site.lua
+++ b/package/gluon-mesh-vpn-core/check_site.lua
@@ -1,5 +1,6 @@
 need_boolean(in_site({'mesh_vpn', 'enabled'}), false)
 need_number({'mesh_vpn', 'mtu'})
+need_boolean(in_site({'mesh_vpn', 'pubkey_privacy'}), false)
 need_boolean(in_site({'mesh_vpn', 'bandwidth_limit', 'enabled'}), false)
 need_number(in_site({'mesh_vpn', 'bandwidth_limit', 'ingress'}), false)
diff --git a/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd b/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd
index 83eff0c7..1d791f35 100755
--- a/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd
+++ b/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd
@@ -44,6 +44,7 @@ uci:section('fastd', 'fastd', 'mesh_vpn', {
 method = methods,
 packet_mark = 1,
 status_socket = '/var/run/fastd.mesh_vpn.socket',
+ pubkey_privacy = site.mesh_vpn.pubkey_privacy(true),
 })
 uci:delete('fastd', 'mesh_vpn', 'user')
diff --git a/package/gluon-mesh-vpn-fastd/src/respondd.c b/package/gluon-mesh-vpn-fastd/src/respondd.c
index a2d87b3a..544187c0 100644
--- a/package/gluon-mesh-vpn-fastd/src/respondd.c
+++ b/package/gluon-mesh-vpn-fastd/src/respondd.c
@@ -73,8 +73,37 @@ static struct json_object * get_fastd_version(void) {
 return ret;
 }
+static struct json_object * get_fastd_public_key(void) {
+ FILE *f = popen("/etc/init.d/fastd show_key mesh_vpn", "r");
+ if (!f)
+ return NULL;
+
+ char *line = NULL;
+ size_t len = 0;
+
+ ssize_t r= getline(&line, &len, f);
+
+ pclose(f);
+
+ if (r >= 0) {
+ len = strlen(line); /* The len given by getline is the buffer size, not the string length */
+
+ if (len && line[len-1] == '\n')
+ line[len-1] = 0;
+ }
+ else {
+ free(line);
+ line = NULL;
+ }
+
+ struct json_objcet *ret = gluonutil_wrap_string(line);
+ free(line);
+ return ret;
+}
+
 static struct json_object * get_fastd(void) {
 bool enabled = false;
+ bool pubkey_privacy = true;
 struct json_object *ret = json_object_new_object();
 struct uci_context *ctx = uci_alloc_context();
@@ -94,12 +123,18 @@ static struct json_object * get_fastd(void) {
 if (!enabled_str || !strcmp(enabled_str, "1"))
 enabled = true;
+ const char *pubkey_privacy_str = uci_lookup_option_string(ctx, s, "pubkey_privacy");
+ if (pubkey_privacy_str && !strcmp(pubkey_privacy_str, "0"))
+ pubkey_privacy = false;
+
 disabled:
 uci_free_context(ctx);
 disabled_nofree:
 json_object_object_add(ret, "version", get_fastd_version());
 json_object_object_add(ret, "enabled", json_object_new_boolean(enabled));
+ if (enabled && !pubkey_privacy)
+ json_object_object_add(ret, "public_key", get_fastd_public_key());
 return ret;
 }
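Review bot: `struct json_objcet *ret = gluonutil_wrap_string(line);` in get_fastd_public_key misspells the json-c struct tag, so it declares a pointer to a fresh incomplete type and both the assignment and the `return ret` convert between incompatible pointer types (a warning on older GCC, an error under stricter settings). It should read `struct json_object *ret = gluonutil_wrap_string(line);`. The exit status of `pclose(f)` is also discarded, so if the init script fails but still prints a line, that line is published as the node's public key; keeping the status and widening the check, `int status = pclose(f);` and `if (r >= 0 && status == 0) {`, drops the output on failure (assuming the script exits non-zero and writes diagnostics to stderr, which this hunk does not show). Minor style: `ssize_t r= getline(...)` is missing the space before `=`. get_fastd_public_key is complete within the hunk; get_fastd, whose first lines close the hunk, continues outside it.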
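Review bot: The new `pubkey_privacy` lookup recognizes only the literal string "0" as disabling privacy, whereas UCI booleans are conventionally also written as `no`, `off` or `false`; any other spelling leaves `pubkey_privacy` true, which fails safe (the key stays hidden) but silently ignores the operator's intent. This mirrors the inverse quirk of the `enabled` check two lines above, where only "1" counts as enabled, so the two options parse different spellings of the same boolean. The Lua upgrade script in this commit writes `site.mesh_vpn.pubkey_privacy(true)` into the same uci option, so this check relies on a Lua `false` being serialised as "0" — worth confirming against the uci wrapper used there. Either normalise the value through a shared boolean parser if the code base has one, or document the contract on the new line: `/* Only a literal "0" reveals the key; any other value, or an absent option, keeps privacy on */`. get_fastd starts outside the hunk.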