wireguard: bump to 20191219
#!/bin/sh
# Copyright 2016-2017 Dan Luedtke <mail@danrl.com>
# Licensed to the public under the Apache License 2.0.

# Absolute path of the wg(8) tool; every later call that applies or reads the
# tunnel configuration depends on it.
WG=/usr/bin/wg

# Without the tool nothing below can work: log the problem and stop, but with
# status 0 as the original does.
[ -x "${WG}" ] || {
	logger -t "wireguard" "error: missing wireguard-tools (${WG})"
	exit 0
}
# Load the helper libraries and initialise the protocol handler unless the
# file is only being included (INCLUDE_ONLY set by whoever sources it).
if [ -z "$INCLUDE_ONLY" ]; then
	. /lib/functions.sh
	. ../netifd-proto.sh
	init_proto "$@"
fi
# Declare the interface-level options of the "wireguard" protocol.
#
# Registers two string options (private_key, fwmark) and two integer options
# (listen_port, mtu) through the proto_config_add_* helpers, then sets the
# two handler flags.
# Globals: available, no_proto_task (written)
proto_wireguard_init_config() {
	# Option declarations, kept in their original order.
	proto_config_add_string private_key
	proto_config_add_int listen_port
	proto_config_add_int mtu
	proto_config_add_string fwmark

	# Handler flags; presumably consumed by netifd-proto.sh (not shown here).
	no_proto_task=1
	available=1
}
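# Append one [Peer] section to the temporary wg(8) configuration and, when
# requested, add a route for every allowed IP of that peer.
#
# Arguments: $1 - UCI section name of the peer
# Globals:   wg_cfg (read) - path of the configuration file being built; it
#            is not set here and must be provided by the caller.
#
# The section may contain the peer's preshared key, so the file behind
# ${wg_cfg} has to stay readable by root only; this function relies on the
# caller having created it that way.
proto_wireguard_setup_peer() {
	local peer_config="$1"

	local public_key
	local preshared_key
	local allowed_ips
	local route_allowed_ips
	local endpoint_host
	local endpoint_port
	local persistent_keepalive
	# Scratch variables; declared local so they no longer leak into the
	# namespace shared with the sourced helper libraries.
	local endpoint
	local allowed_ip

	config_get public_key "${peer_config}" "public_key"
	config_get preshared_key "${peer_config}" "preshared_key"
	config_get allowed_ips "${peer_config}" "allowed_ips"
	config_get_bool route_allowed_ips "${peer_config}" "route_allowed_ips" 0
	config_get endpoint_host "${peer_config}" "endpoint_host"
	config_get endpoint_port "${peer_config}" "endpoint_port"
	config_get persistent_keepalive "${peer_config}" "persistent_keepalive"

	# One redirection for the whole section instead of reopening the file for
	# every line. printf '%s' writes the values verbatim.
	{
		printf '%s\n' "[Peer]"
		printf 'PublicKey=%s\n' "${public_key}"
		if [ -n "${preshared_key}" ]; then
			printf 'PresharedKey=%s\n' "${preshared_key}"
		fi
		# allowed_ips is a whitespace-separated list: the expansion is left
		# unquoted on purpose so that it splits into one entry per word.
		for allowed_ip in ${allowed_ips}; do
			printf 'AllowedIPs=%s\n' "${allowed_ip}"
		done
		if [ -n "${endpoint_host}" ]; then
			case "${endpoint_host}" in
				*:*)
					# A colon in the host is taken to mean an IPv6
					# literal, which is bracketed before the port is
					# appended.
					endpoint="[${endpoint_host}]"
					;;
				*)
					endpoint="${endpoint_host}"
					;;
			esac
			# 51820 is used when no endpoint_port is configured.
			printf 'Endpoint=%s:%s\n' "${endpoint}" "${endpoint_port:-51820}"
		fi
		if [ -n "${persistent_keepalive}" ]; then
			printf 'PersistentKeepalive=%s\n' "${persistent_keepalive}"
		fi
	} >> "${wg_cfg}"

	if [ "${route_allowed_ips}" -ne 0 ]; then
		for allowed_ip in ${allowed_ips}; do
			# Pattern order matters: entries with a prefix length are
			# matched first, bare addresses get a host route (/128, /32).
			case "${allowed_ip}" in
				*:*/*)
					proto_add_ipv6_route "${allowed_ip%%/*}" "${allowed_ip##*/}"
					;;
				*.*/*)
					proto_add_ipv4_route "${allowed_ip%%/*}" "${allowed_ip##*/}"
					;;
				*:*)
					proto_add_ipv6_route "${allowed_ip%%/*}" "128"
					;;
				*.*)
					proto_add_ipv4_route "${allowed_ip%%/*}" "32"
					;;
			esac
		done
	fi
}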
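# Setup handler: create and configure the WireGuard interface named by $1.
#
# Reads the interface options from the "network" configuration, recreates the
# link, writes a temporary wg(8) configuration (the [Interface] section here,
# the peers through proto_wireguard_setup_peer), applies it with "wg setconf"
# and then reports addresses, IPv6 prefixes and endpoint host dependencies.
#
# Arguments: $1 - interface / configuration section name
# Globals:   WG (read), WG_RETURN (written)
# Exits:     1, after proto_setup_failed, when "wg setconf" fails
#
# wg_cfg is a local of this function, yet proto_wireguard_setup_peer appends
# to "${wg_cfg}": that works only because the peer function runs while this
# one is still active (config_foreach is expected to call it once per peer
# section).
#
# The temporary file holds the private key and any preshared keys. It is
# created after "umask 077" and removed as soon as "wg setconf" has returned,
# whatever the result.
# NOTE(review): the umask only affects what this run creates; a ${wg_dir}
# that already exists keeps the mode and owner it had. Confirm that nothing
# else on the system creates /tmp/wireguard. The umask is not restored
# afterwards either.
proto_wireguard_setup() {
	local config="$1"
	local wg_dir="/tmp/wireguard"
	local wg_cfg="${wg_dir}/${config}"

	local private_key
	local listen_port
	local mtu
	# The remaining option and loop variables are declared local as well so
	# that they do not leak into the shared shell namespace.
	local fwmark
	local addresses
	local ip6prefix
	local nohostroute
	local address
	local prefix
	local key
	local port

	config_load network
	config_get private_key "${config}" "private_key"
	config_get listen_port "${config}" "listen_port"
	config_get addresses "${config}" "addresses"
	config_get mtu "${config}" "mtu"
	config_get fwmark "${config}" "fwmark"
	config_get ip6prefix "${config}" "ip6prefix"
	config_get nohostroute "${config}" "nohostroute"

	# Start from a clean link; the delete fails harmlessly when the
	# interface does not exist yet, hence the discarded error output.
	ip link del dev "${config}" 2>/dev/null
	ip link add dev "${config}" type wireguard

	if [ "${mtu}" ]; then
		ip link set mtu "${mtu}" dev "${config}"
	fi

	proto_init_update "${config}" 1

	# Key material follows: restrict permissions before anything is created.
	umask 077
	mkdir -p "${wg_dir}"
	echo "[Interface]" > "${wg_cfg}"
	echo "PrivateKey=${private_key}" >> "${wg_cfg}"
	if [ "${listen_port}" ]; then
		echo "ListenPort=${listen_port}" >> "${wg_cfg}"
	fi
	if [ "${fwmark}" ]; then
		echo "FwMark=${fwmark}" >> "${wg_cfg}"
	fi
	config_foreach proto_wireguard_setup_peer "wireguard_${config}"

	# apply configuration file (arguments quoted so that each one is passed
	# as a single word)
	"${WG}" setconf "${config}" "${wg_cfg}"
	WG_RETURN=$?

	# Remove the keys from disk before acting on the result.
	rm -f "${wg_cfg}"

	if [ "${WG_RETURN}" -ne 0 ]; then
		# Pause before reporting the failure (presumably to slow down
		# retries; confirm against netifd behaviour).
		sleep 5
		proto_setup_failed "${config}"
		exit 1
	fi

	# addresses is a whitespace-separated list; unquoted on purpose.
	for address in ${addresses}; do
		case "${address}" in
			*:*/*)
				proto_add_ipv6_address "${address%%/*}" "${address##*/}"
				;;
			*.*/*)
				proto_add_ipv4_address "${address%%/*}" "${address##*/}"
				;;
			*:*)
				proto_add_ipv6_address "${address%%/*}" "128"
				;;
			*.*)
				proto_add_ipv4_address "${address%%/*}" "32"
				;;
		esac
	done

	for prefix in ${ip6prefix}; do
		proto_add_ipv6_prefix "$prefix"
	done

	# endpoint dependency
	# The endpoints are read back through ${WG}, the binary that was checked
	# at load time, instead of whatever "wg" resolves to in PATH. sed turns
	# "addr:port" / "[addr]:port" into "addr port"; lines that yield no port
	# are skipped. Kept as a pipeline, as in the original.
	# NOTE(review): $'\t ' is not POSIX sh syntax; it relies on the shell
	# that runs this script supporting it.
	if [ "${nohostroute}" != "1" ]; then
		"${WG}" show "${config}" endpoints | \
		sed -E 's/\[?([0-9.:a-f]+)\]?:([0-9]+)/\1 \2/' | \
		while IFS=$'\t ' read -r key address port; do
			[ -n "${port}" ] || continue
			proto_add_host_dependency "${config}" "${address}"
		done
	fi

	proto_send_update "${config}"
}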
# Teardown handler: delete the WireGuard link named by $1.
#
# Arguments: $1 - interface name
# Returns:   the exit status of "ip link del"; its output is discarded.
proto_wireguard_teardown() {
	local iface="${1}"

	ip link del dev "${iface}" >/dev/null 2>/dev/null
}
# Register the "wireguard" protocol handler unless the file is only being
# included (INCLUDE_ONLY set).
if [ -z "$INCLUDE_ONLY" ]; then
	add_protocol wireguard
fi