From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 43867c1e070fc96420a666b0bb21182eff16787b
Date: Sun, 27 Apr 2025 16:34:22 +0000 (UTC)
Message-ID: <4Zlsby6CJQz2xNP@people01.haj.ipfire.org>
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 43867c1e070fc96420a666b0bb21182eff16787b (commit)
via 8b7f769451feade69f7a269387f67d3f95dcaa90 (commit)
via 5c71c87e88446bd42bdc3ec7143b8f032499aa06 (commit)
via d365234701bb68bbf8826c7b7b74248021393cfe (commit)
via ff566655f74bdbbba135520d7b29633b4d18fa6a (commit)
from 569a0a9d33e37c6967c47033bed75cdca8984fd1 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 43867c1e070fc96420a666b0bb21182eff16787b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun Apr 27 18:30:59 2025 +0200
wireguard: Add a custom routing table for peers
This is a dirty hack to make connections to VPN providers actually work.
We mark all WG packets after encryption and use a secondary routing
table to look up any routes to the peers. That way, we can replace the
default route in the main routing table without having to care about the
special routes there.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 8b7f769451feade69f7a269387f67d3f95dcaa90
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun Apr 27 18:01:44 2025 +0200
wireguard-functions.pl: Tolerate any IP addresses with subnet masks on import
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5c71c87e88446bd42bdc3ec7143b8f032499aa06
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun Apr 27 17:50:09 2025 +0200
wireguard-functions.pl: Don't strictly require a port in imported configurations
If importing a client configuration, there might not be a port. This is
quite likely to happen with VPN providers that don't create a connection
but are awaiting incoming connections only.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit d365234701bb68bbf8826c7b7b74248021393cfe
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun Apr 27 17:48:19 2025 +0200
wireguard.cgi: Show public key when hovering over a peer name
This is quite useful when debugging a client.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ff566655f74bdbbba135520d7b29633b4d18fa6a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun Apr 27 17:47:39 2025 +0200
wireguard-functions.pl: Append /32 subnet mask to client address
Some clients seem to want this or otherwise refuse the import.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/cfgroot/wireguard-functions.pl | 24 ++++++++++++++++--------
config/rootfiles/core/195/filelists/files | 1 +
html/cgi-bin/wireguard.cgi | 2 +-
lfs/iproute2 | 1 +
src/initscripts/system/wireguard | 18 ++++++++++++++++++
5 files changed, 37 insertions(+), 9 deletions(-)
Difference in files:
diff --git a/config/cfgroot/wireguard-functions.pl b/config/cfgroot/wireguard-functions.pl
index 53e8f1a38..11451a615 100644
--- a/config/cfgroot/wireguard-functions.pl
+++ b/config/cfgroot/wireguard-functions.pl
@@ -429,7 +429,7 @@ sub generate_peer_configuration($$) {
push(@conf,
"[Interface]",
"PrivateKey = $private_key",
- "Address = @{ $peer->{'CLIENT_ADDRESS'} }",
+ "Address = @{ $peer->{'CLIENT_ADDRESS'} }/32",
);
# Optionally add DNS servers
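Review bot: the `/32` in `"Address = @{ $peer->{'CLIENT_ADDRESS'} }/32"` is appended only to the last element if `CLIENT_ADDRESS` ever holds more than one address, because the array interpolates as a space-joined list. If several addresses are possible, build the value with `join(", ", map { "$_/32" } @{ $peer->{'CLIENT_ADDRESS'} })` so every entry gets its mask; if it is always a single address, a comment saying so would settle the question.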
@@ -506,12 +506,24 @@ sub parse_configuration($$) {
if ($section eq "Interface") {
# Address
if ($key eq "Address") {
- if (&Network::check_ip_address($val)) {
- $peer{'LOCAL_ADDRESS'} = $val;
- } else {
+ my $address = &Network::get_netaddress($val);
+ my $prefix = &Network::get_prefix($val);
+
+ # There must be an address
+ unless ($address) {
push(@errormessages, $Lang::tr{'invalid ip address'});
}
+ # If there was a prefix it must be /32
+ if (defined $prefix) {
+ unless ($prefix == 32) {
+ push(@errormessages, $Lang::tr{'invalid ip address'});
+ }
+ }
+
+ # Store the address
+ $peer{'LOCAL_ADDRESS'} = ${address};
+
# Port
} elsif ($key eq "Port") {
if (&General::validport($val)) {
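Review bot: `$peer{'LOCAL_ADDRESS'} = ${address};` now runs unconditionally, so an unparseable value stores `undef` where the removed code only assigned a validated address; move the assignment into an `else` branch of `unless ($address)` (or skip it once an error has been pushed) so later code never sees an empty LOCAL_ADDRESS. Also, `${address}` is just `$address` in Perl; the braces read like a leftover and should be dropped to match the rest of the file. Minor: a prefix other than 32 is reported with the generic `'invalid ip address'` string, which hides the real reason from the user; a dedicated message would help.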
@@ -613,10 +625,6 @@ sub parse_configuration($$) {
push(@errormessages, $Lang::tr{'wg missing allowed ips'});
}
- unless (exists $peer{"PORT"}) {
- push(@errormessages, $Lang::tr{'wg missing port'});
- }
-
unless (exists $peer{"ENDPOINT_ADDRESS"}) {
push(@errormessages, $Lang::tr{'wg missing endpoint address'});
}
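Review bot: dropping the `wg missing port` check makes `$peer{"PORT"}` optional, but this hunk does not show the consumers of that key; please confirm that every later use of it (for example when the listen port is written into the generated configuration) tolerates its absence, and check whether the `'wg missing port'` language string is now unused. A short comment above the remaining checks saying that the port is optional for imported client configurations would document the new contract.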
diff --git a/config/rootfiles/core/195/filelists/files b/config/rootfiles/core/195/filelists/files
index 75d499f35..d8f95ae6c 100644
--- a/config/rootfiles/core/195/filelists/files
+++ b/config/rootfiles/core/195/filelists/files
@@ -1,4 +1,5 @@
etc/fcron.cyclic/wg-dynamic
+etc/iproute2/rt_tables
etc/rc.d/init.d/firewall
etc/rc.d/init.d/networking/functions.network
etc/rc.d/init.d/wireguard
diff --git a/html/cgi-bin/wireguard.cgi b/html/cgi-bin/wireguard.cgi
index a53016076..6fc01c404 100644
--- a/html/cgi-bin/wireguard.cgi
+++ b/html/cgi-bin/wireguard.cgi
@@ -944,7 +944,7 @@ EOF
print <<END;
<tr>
- <th scope="row">
+ <th scope="row" title="${pubkey}">
$name
</th>
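Review bot: `${pubkey}` is interpolated into an HTML attribute without escaping. A valid WireGuard public key is base64 and contains no characters that need quoting, so this is fine as long as `$pubkey` has been validated before it reaches this template; if it is read straight from the stored configuration, passing it through the same HTML escaping used for other stored values would make the output safe independently of earlier validation.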
diff --git a/lfs/iproute2 b/lfs/iproute2
index 6dd3d4c3b..2c813382d 100644
--- a/lfs/iproute2
+++ b/lfs/iproute2
@@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# Add table for static routing
echo "200 static" >> /etc/iproute2/rt_tables
+ echo "201 wg" >> /etc/iproute2/rt_tables
@rm -rf $(DIR_APP)
@$(POSTBUILD)
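Review bot: the new table is appended with `>>` at build time in the same style as the existing `200 static` line, but nothing documents that the name `wg` is referenced by name from `src/initscripts/system/wireguard` (`ip route add table wg`, `ip rule add table wg`); a one-line comment here, or in the initscript, stating that the two must stay in sync would help the next person who renumbers this file.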
diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard
index ac7438a24..7decce223 100644
--- a/src/initscripts/system/wireguard
+++ b/src/initscripts/system/wireguard
@@ -25,6 +25,9 @@
eval $(/usr/local/bin/readhash /var/ipfire/wireguard/settings)
+# Mark all packets coming out of the WireGuard interfaces
+WG_MARK="0x00800000"
+
interfaces() {
local id
local enabled
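Review bot: the comment `# Mark all packets coming out of the WireGuard interfaces` describes the wrong packets: WireGuard's `FwMark` is applied to the encrypted UDP packets it sends towards a peer's endpoint, not to the decrypted traffic leaving the `wg*` interfaces. Suggest `# Mark the encrypted packets WireGuard sends to its peers (used for policy routing)` so readers do not expect the mark on tunnelled traffic. It would also help to note where `0x00800000` sits among the mark bits the firewall already uses, so a later change does not reuse the bit.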
@@ -218,6 +221,7 @@ generate_config() {
fi
echo "[Interface]"
+ echo "FwMark = ${WG_MARK}"
if [ -n "${privkey}" ]; then
echo "PrivateKey = ${privkey}"
@@ -267,6 +271,12 @@ generate_config() {
ip route add "${args[@]}"
done
+
+ # Add a direct host route to the endpoint
+ if [ -s "/var/ipfire/red/remote-ipaddress" ]; then
+ ip route add table wg \
+ "${endpoint_addr}" via "$(</var/ipfire/red/remote-ipaddress)"
+ fi
fi
# Set keepalive
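Review bot: `ip route add table wg` fails with "File exists" when two peers share the same endpoint address (or when the route survived from an earlier run), and the error is neither handled nor silenced; `ip route replace` is idempotent and avoids the noise. The hunk also assumes `${endpoint_addr}` is set earlier in `generate_config` and that `/var/ipfire/red/remote-ipaddress` contains exactly one address; `-s` only checks for non-zero size, so unexpected content would be passed straight to `ip`, and a comment stating what the file is expected to hold would make the assumption explicit.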
@@ -306,6 +316,14 @@ reload_firewall() {
# Block all other traffic
iptables -A WGBLOCK -j REJECT --reject-with icmp-admin-prohibited
+
+ # Flush any custom routes
+ ip route flush table wg 2>/dev/null
+
+ # Ensure that the table is being looked up
+ if ! ip rule | grep -q "lookup wg"; then
+ ip rule add table wg fwmark "${WG_MARK}"
+ fi
}
wg_start() {
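Review bot: `ip rule add table wg fwmark "${WG_MARK}"` matches only packets whose whole mark equals 0x00800000, so if any other mangle rule sets additional mark bits on the same packet the lookup is skipped; `fwmark ${WG_MARK}/${WG_MARK}` matches on the bit alone and is the safer form. Second, `ip route flush table wg` in `reload_firewall` discards the endpoint routes that `generate_config` adds; if `reload_firewall` can run after the interfaces are up (a firewall restart), those routes are gone until the next WireGuard restart, so the flush belongs in the stop/start path or the routes need to be re-added here.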
hooks/post-receive
--
IPFire 2.x development tree