3f7c0b3ae8
The address of the vpn interface is calculated in the style of modified EUI-64, based on a virtual mac address. This virtual mac address consists of 0x00 as the first byte and the other five bytes are taken from the first bytes of md5sum(base64 encoded public key). The algorithm was taken from ffmuc, with a slight difference. ffmuc calculated the result of md5sum(base64 encoded public key + '\n'), which was interpreted as an accidental fault and therefore dropped.

Example:
- Public-Key: "gP3VJnTTvnQut+z4O+m0N9RgMyXbgyUbUkF3E3TKX2w="
- Address: "fe80::02ca:b8ff:fedc:2eb3"

The following interfaces are used for wireguard:
- wg_mesh -> wireguard interface
- mesh-vpn -> vxlan iface on top of wg_mesh

If you use this new feature, make sure the NTP servers in your site config are publicly reachable. This is necessary, since wireguard requires correct time before the vpn connection is established. Therefore gluon performs ntp time synchronisation via WAN before it establishes the vpn connection. Therefore the NTP servers have to be publicly reachable (and not only via mesh).
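As an added illustration (not code from gluon or from this commit), the address derivation described above in Python, run on the public key quoted in the message; the `ffmuc_newline` switch is an addition that reproduces the dropped ffmuc variant so the two results can be compared.

```python
import hashlib

# Public key quoted in the commit message above; the message gives its
# address as fe80::02ca:b8ff:fedc:2eb3.
EXAMPLE_PUBKEY = "gP3VJnTTvnQut+z4O+m0N9RgMyXbgyUbUkF3E3TKX2w="


def virtual_mac(pubkey_b64: str, ffmuc_newline: bool = False) -> bytes:
    """Virtual MAC: 0x00 followed by the first five bytes of
    md5(base64 public key). ffmuc hashed the key plus a trailing '\\n';
    gluon treats that as an accident and hashes the bare text."""
    text = pubkey_b64 + ("\n" if ffmuc_newline else "")
    digest = hashlib.md5(text.encode("ascii")).digest()
    return b"\x00" + digest[:5]


def modified_eui64(mac: bytes) -> bytes:
    """RFC 4291 modified EUI-64: flip the universal/local bit (0x02) of the
    first octet and insert ff:fe between the two halves of the MAC."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 octets")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def link_local_from_mac(mac: bytes) -> str:
    """fe80::/64 plus the interface identifier, printed with the full
    four-digit groups used in the commit message."""
    iid = modified_eui64(mac)
    groups = [iid[i:i + 2].hex() for i in range(0, 8, 2)]
    return "fe80::" + ":".join(groups)


def link_local_address(pubkey_b64: str, ffmuc_newline: bool = False) -> str:
    """Derive the wg_mesh link-local address for a peer's public key."""
    return link_local_from_mac(virtual_mac(pubkey_b64, ffmuc_newline))


if __name__ == "__main__":
    print(link_local_address(EXAMPLE_PUBKEY))
    # The ffmuc variant yields a different address for the same key:
    print(link_local_address(EXAMPLE_PUBKEY, ffmuc_newline=True))
```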
54 lines
1.9 KiB
Diff
From: lemoer <git@irrelefant.net>
Date: Sat, 3 Jul 2021 22:50:29 +0200
Subject: wireguard-tools: allow generating private_key (v3)

When the uci configuration is created automatically during a very early
stage, where no entropy daemon is set up, generating the key directly is
not an option. Therefore we allow setting the private_key to "generate"
and generate the private key directly before the interface is taken up.

v3: Somebody has implemented another uci cli flag '-t' upstream to handle
this, before my patch to implement the new uci flag '-x' syntax was
accepted. So I dropped my suggestion of '-x'.

v2: We now use a new uci cli flag to commit only the private_key and do
not commit uncommitted user changes. This is not yet upstream as of
now.
diff --git a/package/network/utils/wireguard-tools/files/wireguard.sh b/package/network/utils/wireguard-tools/files/wireguard.sh
index 63261aea71daa058bf37014ba7d670a5e74a2e04..845f9eb902bf3655b631d52aa3ee69231366f657 100644
--- a/package/network/utils/wireguard-tools/files/wireguard.sh
+++ b/package/network/utils/wireguard-tools/files/wireguard.sh
@@ -95,6 +95,23 @@ proto_wireguard_setup_peer() {
fi
}
+ensure_key_is_generated() {
+ local private_key
+ private_key="$(uci get network."$1".private_key)"
+
+ if [ "$private_key" == "generate" ]; then
+ local ucitmp
+ oldmask="$(umask)"
+ umask 077
+ ucitmp="$(mktemp -d)"
+ private_key="$("${WG}" genkey)"
+ uci -q -t "$ucitmp" set network."$1".private_key="$private_key" && \
+ uci -q -t "$ucitmp" commit network
+ rm -rf "$ucitmp"
+ umask "$oldmask"
+ fi
+}
+
proto_wireguard_setup() {
local config="$1"
local wg_dir="/tmp/wireguard"
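Review bot: `private_key="$("${WG}" genkey)"` in ensure_key_is_generated is used unchecked, so if `wg genkey` fails (WG unset, binary missing) the empty string is committed in place of the "generate" sentinel, the interface comes up without a usable key, and the generation is never retried; guard it, e.g. `private_key="$("${WG}" genkey)" || return 1` followed by `[ -n "$private_key" ] || return 1`, before the `uci set`. Two smaller points in the same block: `oldmask` is not declared `local` alongside `private_key` and `ucitmp`, so it leaks into the caller's scope, and `[ "$private_key" == "generate" ]` relies on the non-POSIX `==`, where `=` is the portable spelling for `/bin/sh`.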
@@ -104,6 +121,8 @@ proto_wireguard_setup() {
local listen_port
local mtu
+ ensure_key_is_generated "${config}"
+
config_load network
config_get private_key "${config}" "private_key"
config_get listen_port "${config}" "listen_port"
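Review bot: The ordering here is load-bearing but undocumented: `ensure_key_is_generated "${config}"` must run before `config_load network`, otherwise the `config_get private_key` below would still return the literal "generate" instead of the freshly committed key. A one-line comment above the call stating that dependency would keep a later cleanup from moving it, and since the call's exit status is not checked, a failed key generation inside it cannot abort the setup; consider `ensure_key_is_generated "${config}" || return 1` once the function reports failure.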