new file mode 100644
@@ -0,0 +1,41 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-wireguard
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/fff-wireguard
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-wireguard
+ SECTION:=base
+ CATEGORY:=Freifunk
+ TITLE:=Freifunk-Franken wireguard
+ URL:=https://www.freifunk-franken.de
+ DEPENDS:=+wireguard \
+ +fff-network \
+ +fff-babeld
+endef
+
+define Package/fff-wireguard/description
+ This is the Freifunk Franken Firmware wireguard package.
+ This package provides configuration scripts for wireguard tunnels.
+endef
+
+define Build/Prepare
+ echo "all: " > $(PKG_BUILD_DIR)/Makefile
+endef
+
+define Build/Configure
+ # nothing
+endef
+
+define Build/Compile
+ # nothing
+endef
+
+define Package/fff-wireguard/install
+ $(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-wireguard))
new file mode 100644
@@ -0,0 +1,146 @@
+. /lib/functions.sh
+. /lib/functions/fff/network
+. /lib/functions/fff/babel
+
+#load board specific properties
+BOARD="$(uci get board.model.name)"
+. /etc/network.$BOARD
+
+configure() {
+ # remove peers missing in gateway config
+ remove_wgpeer() {
+ local name="$1"
+
+ # check prefix
+ if [ "$name" = "${name#wg_}" ]; then
+ return
+ fi
+
+ if ! uci -q get gateway.${name#wg_} > /dev/null; then
+ # remove interface
+ uci -q del network.$name
+ # remove wireguard config
+ uci -q del network.@wireguard_$name[0]
+
+ # remove iif-rules
+ babel_delete_iifrules "$name"
+ # remove babel interface
+ babel_delete_interface "$name"
+ fi
+ }
+
+ config_load babeld
+ config_foreach remove_wgpeer interface
+
+
+ # add new peers
+ add_wgpeer() {
+ local name="$1"
+ local prefixname="wg_$name"
+
+ # ensure name length
+ if [ ${#name} -gt 12 ]; then
+ echo "ERROR: name $name is too long!"
+ exit 1
+ fi
+
+ # get rxcost
+ if rxcost=$(uci -q get gateway.$name.rxcost); then
+ rxcost="$rxcost"
+ else
+ rxcost=16384
+ fi
+
+ # get wireguard properties
+ local privkey
+ local pubkey
+ local endpoint_host
+ local endpoint_port
+ local persistent_keepalive
+ local mtu
+
+ if ! privkey=$(uci -q get gateway.$name.private_key); then
+ privkey=$(wg genkey)
+ uci set gateway.$name.private_key="$privkey"
+ fi
+
+ if ! pubkey=$(uci get gateway.$name.public_key); then
+ echo "ERROR: publickey for ${name} missing!"
+ exit 1
+ fi
+
+ if ! endpoint_host=$(uci get gateway.$name.endpoint_host); then
+ echo "ERROR: endpoint_host for ${name} missing!"
+ exit 1
+ fi
+
+ if ! endpoint_port=$(uci get gateway.$name.endpoint_port); then
+ echo "ERROR: endpoint_port for ${name} missing!"
+ exit 1
+ fi
+
+ persistent_keepalive=$(uci -q get gateway.$name.persistent_keepalive)
+ mtu=$(uci -q get gateway.$name.mtu)
+
+
+ # add interface
+ uci set network.$prefixname=interface
+ uci set network.$prefixname.proto=wireguard
+ uci set network.$prefixname.nohostroute='1'
+ uci set network.$prefixname.fwmark='0xc8'
+ uci set network.$prefixname.mtu="${mtu:-1420}"
+
+ uci set network.$prefixname.private_key="$privkey"
+ echo "INFO: publickey for wireguardpeer ${name}: $(uci get gateway.$name.private_key | wg pubkey)"
+
+
+ # add wireguard properties
+ if uci -q get network.@wireguard_$prefixname[0] > /dev/null; then
+ #config already exists
+ cfg="@wireguard_$prefixname[0]"
+ else
+ #create new config
+ cfg=$(uci add network wireguard_$prefixname)
+ fi
+
+ uci set network.$cfg.public_key="$pubkey"
+ uci set network.$cfg.endpoint_host="$endpoint_host"
+ uci set network.$cfg.endpoint_port="$endpoint_port"
+ uci set network.$cfg.persistent_keepalive="$persistent_keepalive"
+ uci -q delete network.$cfg.allowed_ips
+ uci add_list network.$cfg.allowed_ips='::/0'
+ uci add_list network.$cfg.allowed_ips='0.0.0.0/0'
+
+
+ # remove old addresses
+ uci -q del network.$prefixname.addresses
+
+ # add link local address
+ uci add_list network.$prefixname.addresses="$(ipEUIAssemble "fe80::/64" "$ROUTERMAC")"
+
+ # add peer_ip
+ babel_add_peeraddr "network.$prefixname.addresses"
+ babel_add_peer6addr "network.$prefixname.addresses"
+
+ # add iif-rules
+ babel_add_iifrules "$prefixname" || { echo "ERROR: Could not add iif-rules for wgpeer $name"; exit 1; }
+
+ # add babel interface
+ babel_add_interface "$prefixname" "$prefixname" 'tunnel' "$rxcost" || { echo "ERROR: Could not add babeld interface for wgpeer $name"; exit 1; }
+ }
+
+ config_load gateway
+ config_foreach add_wgpeer wireguardpeer
+}
+
+commit() {
+ uci commit network
+ uci commit babeld
+ uci commit gateway
+}
+
+revert() {
+ uci revert network
+ uci revert babeld
+ uci revert gateway
+}
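Review bot: In add_wgpeer the fallback `privkey=$(wg genkey)` is not checked, so when `wg` is missing or fails an empty string is written to `gateway.$name.private_key` and then to `network.$prefixname.private_key`, and `commit()` persists that empty key; guard it with `privkey=$(wg genkey) || { echo "ERROR: could not generate private key for ${name}"; exit 1; }` and reject an empty result the same way. The rxcost block is a no-op round trip (`rxcost="$rxcost"`) and can collapse to `rxcost=$(uci -q get gateway.$name.rxcost) || rxcost=16384`; note also that `rxcost` and `cfg` are the only variables in add_wgpeer not declared `local`, so they leak into the sourcing scope. The INFO line re-reads the private key from uci to derive the public key although `$privkey` already holds it; `echo "$privkey" | wg pubkey` avoids the second read and prints the same value. Since the generated key is stored in the gateway UCI config rather than only on the interface, a comment at the generation site such as `# private key is persisted to the gateway config on commit; its file permissions govern who can read it` would make that contract visible to the next maintainer.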
new file mode 100644
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+uci batch <<EOF
+ set network.wireguard_main=rule6
+ set network.wireguard_main.mark='0xc8'
+ set network.wireguard_main.lookup='main'
+ set network.wireguard_main.priority='5000'
+ set network.wireguard_main4=rule
+ set network.wireguard_main4.mark='0xc8'
+ set network.wireguard_main4.lookup='main'
+ set network.wireguard_main4.priority='5000'
+ set network.wireguard_blackhole=rule6
+ set network.wireguard_blackhole.mark='0xc8'
+ set network.wireguard_blackhole.action='blackhole'
+ set network.wireguard_blackhole.priority='5001'
+ set network.wireguard_blackhole4=rule
+ set network.wireguard_blackhole4.mark='0xc8'
+ set network.wireguard_blackhole4.action='blackhole'
+ set network.wireguard_blackhole4.priority='5001'
+EOF
+
+uci commit network
+
+exit 0
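Review bot: The mark value `0xc8` used in all eight rules is the same literal as the `fwmark` set on the `wg_*` interfaces in gateway.d/50-wireguard, but nothing in this file records that coupling, so a change to one side silently breaks the other. A header comment above the `uci batch` would close that gap, e.g. `# 0xc8 must match network.wg_*.fwmark set by /etc/gateway.d/50-wireguard`. It is also worth stating what the rule pair does: marked packets consult only the `main` table (priority 5000) and are otherwise blackholed (priority 5001), which presumably keeps wireguard transport traffic from being routed back into a tunnel — confirm and document that intent rather than leaving it implicit in the priorities.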
@@ -53,6 +53,7 @@ define Package/fff-layer3
+fff-dhcp \
+fff-babeld \
+fff-ra \
+ +fff-wireguard \
+iperf3 \
+tcpdump \
+arptables \
This package adds gateway.d scripts which create peering interfaces using wireguard. Signed-off-by: Fabian Bläse <fabian@blaese.de> --- This patch has to be applied after the fff-babeld patches currently under review --- src/packages/fff/fff-wireguard/Makefile | 41 +++++ .../files/etc/gateway.d/50-wireguard | 146 ++++++++++++++++++ .../files/etc/uci-defaults/05-wireguard-rules | 24 +++ src/packages/fff/fff/Makefile | 1 + 4 files changed, 212 insertions(+) create mode 100644 src/packages/fff/fff-wireguard/Makefile create mode 100644 src/packages/fff/fff-wireguard/files/etc/gateway.d/50-wireguard create mode 100644 src/packages/fff/fff-wireguard/files/etc/uci-defaults/05-wireguard-rules