Last active
March 26, 2024 19:40
-
-
Save T0biii/a5171e0f9ce584851490bd6255ecd341 to your computer and use it in GitHub Desktop.
checkuplink and parse-wgkex-response.lua
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/busybox sh | |
# fail fast and abort early | |
set -eu | |
# set -o pipefail # TODO: pipefail needs more rework in the script | |
if { set -C; true 2>/dev/null >/var/lock/checkuplink.lock; }; then | |
trap "rm -f /var/lock/checkuplink.lock" EXIT | |
else | |
echo "Lock file exists... exiting" | |
exit | |
fi | |
get_site_string() { | |
local path="$1" | |
lua <<EOF | |
local site = require 'gluon.site' | |
print(site.${path}()) | |
EOF | |
} | |
get_site_bool() { | |
local path="$1" | |
lua <<EOF | |
local site = require 'gluon.site' | |
if site.${path}() then | |
print("true") | |
else | |
print("false") | |
end | |
EOF | |
} | |
interface_linklocal() { | |
# We generate a predictable v6 address | |
local macaddr oldIFS | |
macaddr="$(uci get wireguard.mesh_vpn.privatekey | wg pubkey | md5sum | sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/')" | |
oldIFS="$IFS" | |
IFS=':' | |
# shellcheck disable=SC2086 # we need to split macaddr here using IFS | |
set -- $macaddr | |
IFS="$oldIFS" | |
echo "fe80::${1}${2}:${3}ff:fe${4}:${5}${6}" | |
} | |
clean_port() { | |
echo "$1" | sed -r 's/:[0-9]+$|\[|\]//g' | |
} | |
extract_port() { | |
echo "$1" | awk -F: '{print $NF}' | |
} | |
combine_ip_port() { | |
local ip="$1" | |
local port="$2" | |
# Add brackets in case the IP is an IPv6 | |
case $ip in | |
*":"*) | |
ip="[${ip}]" | |
;; | |
esac | |
echo "$ip:$port" | |
} | |
resolve_host() { | |
local gateway="$1" | |
# Check if we have a default route for v6 if not fallback to v4 | |
if ip -6 route show table 1 | grep -q 'default via' | |
then | |
local ipv6 | |
ipv6="$(gluon-wan nslookup "$gateway" | grep 'Address:\? [0-9]' | grep -oE '([a-f0-9:]+:+)+[a-f0-9]+')" | |
echo "$ipv6" | |
else | |
local ipv4 | |
ipv4="$(gluon-wan nslookup "$gateway" | grep 'Address:\? [0-9]' | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b')" | |
echo "$ipv4" | |
fi | |
} | |
force_wan_connection() { | |
LD_PRELOAD=libpacketmark.so LIBPACKETMARK_MARK=1 gluon-wan "$@" | |
} | |
is_loadbalancing_enabled() { | |
local lb_default | |
local lb_overwrite | |
lb_default=$(get_site_string mesh_vpn.wireguard.loadbalancing) | |
if [[ $lb_default == "on" ]]; then | |
return 0 # true | |
elif [[ $lb_default == "off" ]]; then | |
return 1 # false | |
fi | |
# check if an overwrite was specified | |
if lb_overwrite=$(uci -q get wireguard.mesh_vpn.loadbalancing); then | |
logger -p info -t checkuplink "Loadbalancing overwrite detected: ${lb_overwrite}" | |
if [[ $lb_overwrite == "1" ]]; then | |
return 0 # true | |
elif [[ $lb_overwrite == "0" ]]; then | |
return 1 # false | |
fi | |
fi | |
if [[ $lb_default == "on-by-default" ]]; then | |
return 0 # true | |
elif [[ $lb_default == "off-by-default" ]]; then | |
return 1 # false | |
fi | |
logger -p err -t checkuplink "Invalid loadbalancing parameter '${lb_default}', assuming 'off'" | |
return 0 | |
} | |
get_wgkex_data(){ | |
local version="$1" | |
WGKEX_BROKER="$PROTO://$WGKEX_BROKER_BASE_PATH/api/$version/wg/key/exchange" | |
logger -p info -t checkuplink "Contacting wgkex broker $WGKEX_BROKER" | |
if ! WGKEX_DATA=$(force_wan_connection wget -q -O- --post-data='{"domain": "'"$SEGMENT"'","public_key": "'"$PUBLICKEY"'"}' "$WGKEX_BROKER"); then | |
logger -p err -t checkuplink "Contacting wgkex broker failed, response: $WGKEX_DATA" | |
else | |
logger -p info -t checkuplink "Got data from wgkex broker: $WGKEX_DATA" | |
echo "$WGKEX_DATA" | |
fi | |
} | |
use_api_v1(){ | |
WGKEX_DATA=$(get_wgkex_data v1) | |
# Parse the returned JSON in a Lua script | |
if ! data=$(lua /lib/gluon/gluon-mesh-wireguard-vxlan/parse-wgkex-response.lua "$WGKEX_DATA"); then | |
logger -p err -t checkuplink "Parsing wgkex broker data failed" | |
return 1 | |
fi | |
# Get the number of configured peers and randomly select one | |
NUMBER_OF_PEERS=$(uci -q show wireguard | grep -E -ce "peer_[0-9]+.endpoint") | |
PEER="$(awk -v min=1 -v max="$NUMBER_OF_PEERS" 'BEGIN{srand(); print int(min+rand()*(max-min+1))}')" | |
logger -p info -t checkuplink "Selected peer $PEER" | |
PEER_HOSTPORT="$(uci get wireguard.peer_"$PEER".endpoint)" | |
PEER_HOST="$(clean_port "$PEER_HOSTPORT")" | |
PEER_ADDRESS="$(resolve_host "$PEER_HOST")" | |
PEER_PORT="$(extract_port "$PEER_HOSTPORT")" | |
PEER_ENDPOINT="$(combine_ip_port "$PEER_ADDRESS" "$PEER_PORT")" | |
PEER_PUBLICKEY="$(uci get wireguard.peer_"$PEER".publickey)" | |
PEER_LINKADDRESS="$(uci get wireguard.peer_"$PEER".link_address)" | |
} | |
use_api_v2() { | |
WGKEX_DATA=$(get_wgkex_data v2) | |
# Parse the returned JSON in a Lua script, returning the endpoint address, port, pubkey and first allowed IP, separated by newlines | |
if ! data=$(lua /lib/gluon/gluon-mesh-wireguard-vxlan/parse-wgkex-response.lua "$WGKEX_DATA"); then | |
logger -p err -t checkuplink "Parsing wgkex broker data failed" | |
logger -p info -t checkuplink "Falling back to API v1" | |
use_api_v1 | |
return 1 | |
fi | |
logger -p debug -t checkuplink "Successfully parsed wgkex broker data" | |
PEER_HOST="$(echo "$data" | sed -n 1p)" | |
PEER_PORT="$(echo "$data" | sed -n 2p)" | |
PEER_PUBLICKEY="$(echo "$data" | sed -n 3p)" | |
PEER_LINKADDRESS=$(echo "$data" | sed -n 4p) | |
PEER_ADDRESS="$(resolve_host "$PEER_HOST")" | |
PEER_ENDPOINT="$(combine_ip_port "$PEER_ADDRESS" "$PEER_PORT")" | |
} | |
mesh_vpn_enabled="$(uci get wireguard.mesh_vpn.enabled)" | |
# Some legacy code seem to have used "true" instead of the canonical "1". | |
# This should be overwritten by a gluon-reconfigure (see 400-mesh-vpn-wireguard) | |
if [[ "${mesh_vpn_enabled}" != "0" ]] && [[ "${mesh_vpn_enabled}" != "1" ]]; then | |
logger -p warn -t checkuplink "Invalid value for wireguard.mesh_vpn.enabled detected: '${mesh_vpn_enabled}'. Assuming enabled." | |
mesh_vpn_enabled="1" | |
fi | |
if [[ "${mesh_vpn_enabled}" == "0" ]]; then | |
# Stop the script if mesh_vpn is disabled | |
exit 0 | |
fi | |
# Do we already have a private-key? If not generate one | |
if ! uci -q get wireguard.mesh_vpn.privatekey > /dev/null | |
then | |
uci set wireguard.mesh_vpn.privatekey="$(wg genkey)" | |
uci commit wireguard | |
fi | |
#We assume we are not connected by default | |
CONNECTED=0 | |
MESH_VPN_IFACE=$(get_site_string mesh_vpn.wireguard.iface) | |
# Check connectivity to supernode | |
if wget "http://[$(wg | grep fe80 | awk '{split($3,A,"/")};{print A[1]}')%$MESH_VPN_IFACE]/" --timeout=5 -O/dev/null -q | |
then | |
GWMAC=$(batctl gwl | awk '/[*]/{print $2}') | |
if batctl ping -c 5 "$GWMAC" > /dev/null 2>&1 | |
then | |
CONNECTED=1 | |
fi | |
fi | |
if [[ "$CONNECTED" == 1 ]]; then | |
# We have a connection, we are done | |
exit 0 | |
fi | |
logger -t checkuplink "Reconnecting ..." | |
NTP_SERVERS=$(uci get system.ntp.server) | |
NTP_SERVERS_ADDRS="" | |
set -o pipefail # Enable pipefail: this script does not fully support pipefail yet, but required below | |
for NTP_SERVER in $NTP_SERVERS; do | |
all_ntp_ips="$(gluon-wan nslookup "$NTP_SERVER" | grep '^Address:\? ' | sed 's/^Address:\? //')" | |
if ip -6 route show table 1 | grep -q 'default via' | |
then | |
# We need to match a few special cases for IPv6 here: | |
# - IPs with trailing "::", like 2003:a:87f:c37c:: | |
# - IPs with leading "::", like ::1 | |
# - IPs not starting with a digit, like fd62:f45c:4d09:180:22b3:ff:: | |
# - IPs containing a zone identifier ("%"), like fe80::abcd%enp5s0 | |
# As all incoming IPs are already valid IPs, we just grep for all not-IPv4s | |
selected_ntp_ips="$(echo "${all_ntp_ips}" | grep -vE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b')" | |
else | |
# We want to match IPv4s and not match RFC2765 2.1) IPs like "::ffff:255.255.255.255" | |
selected_ntp_ips="$(echo "${all_ntp_ips}" | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b')" | |
fi | |
NTP_SERVERS_ADDRS="$(for ip in $selected_ntp_ips; do echo -n "-p $ip "; done)${NTP_SERVERS_ADDRS}" | |
done | |
set +o pipefail # Disable pipefail: this script does not fully support pipefail yet | |
# shellcheck disable=SC2086 # otherwise ntpd cries | |
if ! force_wan_connection /usr/sbin/ntpd -n -N -S /usr/sbin/ntpd-hotplug ${NTP_SERVERS_ADDRS} -q | |
then | |
logger -p err -t checkuplink "Unable to establish NTP connection to ${NTP_SERVERS}." | |
exit 3 | |
fi | |
# Delete Interfaces | |
{ | |
ip link set nomaster dev mesh-vpn >/dev/null 2>&1 | |
ip link delete dev mesh-vpn >/dev/null 2>&1 | |
} || true | |
ip link delete dev "${MESH_VPN_IFACE}" >/dev/null 2>&1 || true | |
PUBLICKEY=$(uci get wireguard.mesh_vpn.privatekey | wg pubkey) | |
SEGMENT=$(uci get gluon.core.domain) | |
# Push public key to broker and receive gateway data, test for https and use if supported | |
ret=0 | |
wget -q "https://[::1]" || ret=$? | |
# returns Network Failure =4 if https exists | |
# and Generic Error =1 if no ssl lib available | |
if [ "$ret" -eq 1 ]; then | |
PROTO=http | |
else | |
PROTO=https | |
fi | |
# Remove API path suffix if still present in config | |
WGKEX_BROKER_BASE_PATH="$(get_site_string mesh_vpn.wireguard.broker | sed 's|/api/v1/wg/key/exchange||')" | |
if is_loadbalancing_enabled; then | |
# Use /api/v2, get gateway peer details from broker response | |
logger -p info -t checkuplink "Loadbalancing enabled." | |
use_api_v2 | |
else | |
# Use /api/v1, get gateway peer details from config | |
logger -p info -t checkuplink "Loadbalancing disabled." | |
use_api_v1 | |
fi | |
logger -p info -t checkuplink "Connecting to $PEER_HOST($PEER_ENDPOINT)" | |
# Bring up the wireguard interface | |
ip link add dev "$MESH_VPN_IFACE" type wireguard | |
wg set "$MESH_VPN_IFACE" fwmark 1 | |
uci get wireguard.mesh_vpn.privatekey | wg set "$MESH_VPN_IFACE" private-key /proc/self/fd/0 | |
ip link set up dev "$MESH_VPN_IFACE" | |
LINKLOCAL="$(interface_linklocal)" | |
# Add link-address and Peer | |
ip address add "${LINKLOCAL}"/64 dev "$MESH_VPN_IFACE" | |
gluon-wan wg set "$MESH_VPN_IFACE" peer "$PEER_PUBLICKEY" persistent-keepalive 25 allowed-ips "$PEER_LINKADDRESS/128" endpoint "$PEER_ENDPOINT" | |
# We need to allow incoming vxlan traffic on mesh iface | |
sleep 10 | |
RULE="-i $MESH_VPN_IFACE -m udp -p udp --dport 8472 -j ACCEPT" | |
# shellcheck disable=SC2086 # we need to split RULE here twice | |
if ! ip6tables -C INPUT $RULE | |
then | |
ip6tables -I INPUT 1 $RULE | |
fi | |
# Bring up VXLAN | |
if ! ip link add mesh-vpn type vxlan id "$(lua -e 'print(tonumber(require("gluon.util").domain_seed_bytes("gluon-mesh-vpn-vxlan", 3), 16))')" local "${LINKLOCAL}" remote "$PEER_LINKADDRESS" dstport 8472 dev "$MESH_VPN_IFACE" | |
then | |
logger -p err -t checkuplink "Unable to create mesh-vpn interface" | |
exit 2 | |
fi | |
ip link set up dev mesh-vpn | |
sleep 5 | |
# If we have a BATMAN_V env we need to correct the throughput value now | |
batctl hardif mesh-vpn throughput_override 1000mbit; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
local json = require 'jsonc' | |
local input = assert(arg[1]) | |
local data = assert(json.parse(input)) | |
-- v1 | |
if data.Message == "OK" then | |
return | |
end | |
-- v2 | |
if not data.Endpoint or not data.Endpoint.Address or not data.Endpoint.Port | |
or not data.Endpoint.PublicKey or not data.Endpoint.AllowedIPs or not data.Endpoint.AllowedIPs[1] then | |
error("Malformed JSON response, missing required value") | |
end | |
print(data.Endpoint.Address) | |
print(data.Endpoint.Port) | |
print(data.Endpoint.PublicKey) | |
print(data.Endpoint.AllowedIPs[1]) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment