Commit Graph

18 Commits

Author SHA1 Message Date
Maciej Krüger
4318048aed
firewall: switch to nftables 2023-05-01 19:47:41 +02:00
lemoer
7c81897b4c gluon-mesh-vpn-*: make vpn MTU provider specific
If a community uses different vpn providers, they typically
assume the same MTU for the wan device underneath the VPN. As
different VPN providers however have different overhead, the MTU
of the VPN device differs for each provider. Therefore this
commit makes the MTU of the VPN device provider specific.

This has two advantages:
1. The same site.conf can used to bake firmwares for different
   VPN providers (only by selecting a diferent vpn feature in the
   site.mk).
2. We are coming closer to the option of integrating multiple VPN
   providers into one firmware.
2022-05-21 18:12:49 +02:00
lemoer
3f7c0b3ae8
gluon-mesh-vpn-wireguard: add package (#2168)
The address of the vpn interface is calculated in the style of
modified EUI-64, based on a virtual mac address. This virtual mac
address consists of 0x00 as first byte and the other five bytes
are taken from the first bytes of md5sum(base64 encoded public key).

The algorithm was taken by the ffmuc, with a slight difference. ffmuc
calculated the result of md5sum(base64 encoded public key + '\n')
which was interpreted as accidential fault and therefore dropped.

Example:
- Public-Key: "gP3VJnTTvnQut+z4O+m0N9RgMyXbgyUbUkF3E3TKX2w="
- Address: "fe80::02ca:b8ff:fedc:2eb3"

The following interfaces are used for wireguard:
- wg_mesh  -> wireguard interface
- mesh-vpn -> vxlan iface on top of wg_mesh

If you use this new feature, make sure the NTP servers in your site
config are publicly reachable. This is necessary, since wireguard
requires correct time before the vpn connection is established.
Therefore gluon performs ntp time synchronisation via WAN before it
establishes the vpn connection. Therefore the NTP servers have to
be publicly reachable (and not only via mesh).
2021-09-15 01:25:59 +02:00
David Bauer
98a1c196ed mesh-vpn: fully abstract VPN methods
This fully abstracts VPN methods, making gluon-mesh-vpn-fastd and
gluon-mesh-vpn-tunneldigger completely self-contained.

Provide a LUA interface for generic interacting with VPN methods in
gluon-mesh-vpn-core and web packages.

This also adds the ability to install tunneldigger and fastd to the same
image, selecting the VPN method based on the selected domain.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-05-22 06:54:23 +02:00
Matthias Schiffer
fc7c8cb086
gluon-mesh-vpn-core: remove obsolete migration code
/etc/config/gluon-simple-tc was removed with Gluon 2016.1.
2019-06-16 18:40:10 +02:00
Matthias Schiffer
818c31afdd
gluon-mesh-vpn-core: move common VPN config to gluon UCI package
We now keep the VPN enable state, bandwidth limit enable and actual limits
in the core config to avoid having to recover "user intent" from different
config files when the used VPN packages change.

Fixes #1736
2019-06-16 18:40:10 +02:00
Matthias Schiffer
f6df3b0541
gluon-mesh-vpn-core: don't consider tunneldigger when fastd is installed
None of our scripts can handle fastd and tunneldigger running at the same
time. When both are installed, ignore tunneldigger.
2019-06-16 17:56:18 +02:00
bobcanthelpyou
9f4c393295 gluon-mesh-vpn-core: fix luacheck warnings
./gluon-wan:25:1: (W122) setting read-only field ? of global arg
./gluon-wan:29:1: (W311) value assigned to variable ok is unused
2019-06-16 17:31:53 +02:00
Matthias Schiffer
eda3aa3333
gluon-mesh-vpn-core: add gluon-wan exec wrapper
gluon-wan is a sudo-like exec wrapper that switches the process group to
gluon-mesh-vpn, making it use the WAN dnsmasq rather than resolving over
the mesh.

Note that this only affects DNS at the moment. Processes running under
gluon-wan will still use the regular mesh IPv6 routing table, and not the
WAN routing table. This is not a problem for IPv4, as there is only one
IPv4 routing table.

Fixes #1575
2018-11-21 12:09:10 +01:00
Tata
20d22f66dd gluon-mesh-vpn-core: add abstraction layer for VPN interface name (#1518) 2018-08-24 23:21:43 +02:00
Felix Kaechele
d87c4b521b gluon-mesh-vpn: support ingress bandwidth shaping with tunneldigger (#1460)
Signed-off-by: Felix Kaechele <felix@kaechele.ca>
2018-07-26 01:26:00 +02:00
Matthias Schiffer
32394dc694
gluon-mesh-vpn-core: replace nixio with luaposix 2018-07-17 20:08:15 +02:00
Matthias Schiffer
6ae1af9694
gluon-mesh-vpn-core: use OpenWrt's user/group management 2018-02-25 17:13:30 +01:00
Matthias Schiffer
ee6afaced9
treewide: use new gluon.site Lua library
Some files have received some additional refactoring.
2017-08-11 22:07:34 +02:00
Matthias Schiffer
952439885e
gluon-mesh-vpn: fix fastd <-> tunneldigger migration
The generic upgrade script is moved to run after the more specific scripts.
In addition, the script will now remove the configuration sections of
uninstalled VPN packages, so both positive and negative changes of the
default enable state can be migrated correctly.

Based-on-patch-by: Cyrus Fox <cyrus@lambdacore.de>
Fixes: #1187
2017-08-08 01:39:29 +02:00
Cyrus
540d0ff0a3 gluon-mesh-vpn-core: Fixed conditions for migration code (#1080)
VPN daemons were always disabled
2017-03-26 10:26:33 +02:00
Matthias Schiffer
b016cf18b4
gluon-mesh-vpn-core: add code for migration of enabled state between fastd and tunneldigger
Based-on-patch-by: Cyrus Fox <cyrus@lambdacore.de>
2017-03-10 19:45:35 +01:00
Matthias Schiffer
be88eba07f
Refactor common parts of gluon-mesh-vpn-fastd into a gluon-mesh-vpn-core package
The fastd_mesh_vpn site.conf section is renamed to mesh_vpn.fastd.
2017-03-10 19:45:34 +01:00