To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 43867c1e070fc96420a666b0bb21182eff16787b
X-Git-Refname: refs/heads/next
X-Git-Reftype: branch
X-Git-Oldrev: 569a0a9d33e37c6967c47033bed75cdca8984fd1
X-Git-Newrev: 43867c1e070fc96420a666b0bb21182eff16787b
Message-Id: <4Zlsby6CJQz2xNP@people01.haj.ipfire.org>
Date: Sun, 27 Apr 2025 16:34:22 +0000 (UTC)
From: Michael Tremer
Precedence: list

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".

The branch, next has been updated
       via  43867c1e070fc96420a666b0bb21182eff16787b (commit)
       via  8b7f769451feade69f7a269387f67d3f95dcaa90 (commit)
       via  5c71c87e88446bd42bdc3ec7143b8f032499aa06 (commit)
       via  d365234701bb68bbf8826c7b7b74248021393cfe (commit)
       via  ff566655f74bdbbba135520d7b29633b4d18fa6a (commit)
      from  569a0a9d33e37c6967c47033bed75cdca8984fd1 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -----------------------------------------------------------------
commit 43867c1e070fc96420a666b0bb21182eff16787b
Author: Michael Tremer
Date:   Sun Apr 27 18:30:59 2025 +0200

    wireguard: Add a custom routing table for peers

    This is a dirty hack to make connections to VPN providers actually work.

    We mark all WG packets after encryption and use a secondary routing table to look up any routes to the peers. That way, we can replace the default route in the main routing table without having to care about the special routes there.
    Signed-off-by: Michael Tremer

commit 8b7f769451feade69f7a269387f67d3f95dcaa90
Author: Michael Tremer
Date:   Sun Apr 27 18:01:44 2025 +0200

    wireguard-functions.pl: Tolerate any IP addresses with subnet masks on import

    Signed-off-by: Michael Tremer

commit 5c71c87e88446bd42bdc3ec7143b8f032499aa06
Author: Michael Tremer
Date:   Sun Apr 27 17:50:09 2025 +0200

    wireguard-functions.pl: Don't strictly require a port in imported configurations

    If importing a client configuration, there might not be a port. This is quite likely to happen with VPN providers that don't create a connection but are awaiting incoming connections only.

    Signed-off-by: Michael Tremer

commit d365234701bb68bbf8826c7b7b74248021393cfe
Author: Michael Tremer
Date:   Sun Apr 27 17:48:19 2025 +0200

    wireguard.cgi: Show public key when hovering over a peer name

    This is quite useful when debugging a client.

    Signed-off-by: Michael Tremer

commit ff566655f74bdbbba135520d7b29633b4d18fa6a
Author: Michael Tremer
Date:   Sun Apr 27 17:47:39 2025 +0200

    wireguard-functions.pl: Append /32 subnet mask to client address

    Some clients seem to want this or otherwise refuse the import.

    Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

Summary of changes:
 config/cfgroot/wireguard-functions.pl     | 24 ++++++++++++++++--------
 config/rootfiles/core/195/filelists/files |  1 +
 html/cgi-bin/wireguard.cgi                |  2 +-
 lfs/iproute2                              |  1 +
 src/initscripts/system/wireguard          | 18 ++++++++++++++++++
 5 files changed, 37 insertions(+), 9 deletions(-)

Difference in files:
diff --git a/config/cfgroot/wireguard-functions.pl b/config/cfgroot/wireguard-functions.pl
index 53e8f1a38..11451a615 100644
--- a/config/cfgroot/wireguard-functions.pl
+++ b/config/cfgroot/wireguard-functions.pl
@@ -429,7 +429,7 @@ sub generate_peer_configuration($$) { push(@conf, "[Interface]", "PrivateKey = $private_key", - "Address = @{ $peer->{'CLIENT_ADDRESS'} }", + "Address = @{ $peer->{'CLIENT_ADDRESS'} }/32", ); # Optionally add DNS servers @@ -506,12 +506,24 @@ sub parse_configuration($$) { if ($section eq "Interface") { # Address if ($key eq "Address") { - if (&Network::check_ip_address($val)) { - $peer{'LOCAL_ADDRESS'} = $val; - } else { + my $address = &Network::get_netaddress($val); + my $prefix = &Network::get_prefix($val); + + # There must be an address + unless ($address) { push(@errormessages, $Lang::tr{'invalid ip address'}); } + # If there was a prefix it must be /32 + if (defined $prefix) { + unless ($prefix == 32) { + push(@errormessages, $Lang::tr{'invalid ip address'}); + } + } + + # Store the address + $peer{'LOCAL_ADDRESS'} = ${address}; + # Port } elsif ($key eq "Port") { if (&General::validport($val)) { @@ -613,10 +625,6 @@ sub parse_configuration($$) { push(@errormessages, $Lang::tr{'wg missing allowed ips'}); } - unless (exists $peer{"PORT"}) { - push(@errormessages, $Lang::tr{'wg missing port'}); - } - unless (exists $peer{"ENDPOINT_ADDRESS"}) { push(@errormessages, $Lang::tr{'wg missing endpoint address'}); } diff --git a/config/rootfiles/core/195/filelists/files b/config/rootfiles/core/195/filelists/files index 75d499f35..d8f95ae6c 100644 --- a/config/rootfiles/core/195/filelists/files +++ b/config/rootfiles/core/195/filelists/files @@ -1,4 +1,5 @@ etc/fcron.cyclic/wg-dynamic +etc/iproute2/rt_tables etc/rc.d/init.d/firewall etc/rc.d/init.d/networking/functions.network etc/rc.d/init.d/wireguard diff --git a/html/cgi-bin/wireguard.cgi b/html/cgi-bin/wireguard.cgi index a53016076..6fc01c404 100644 --- a/html/cgi-bin/wireguard.cgi +++ b/html/cgi-bin/wireguard.cgi @@ -944,7 +944,7 @@ EOF print < - + $name diff --git a/lfs/iproute2 b/lfs/iproute2 index 6dd3d4c3b..2c813382d 100644 --- a/lfs/iproute2 +++ b/lfs/iproute2 
@@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Add table for static routing echo "200 static" >> /etc/iproute2/rt_tables + echo "201 wg" >> /etc/iproute2/rt_tables @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/initscripts/system/wireguard b/src/initscripts/system/wireguard index ac7438a24..7decce223 100644 --- a/src/initscripts/system/wireguard +++ b/src/initscripts/system/wireguard @@ -25,6 +25,9 @@ eval $(/usr/local/bin/readhash /var/ipfire/wireguard/settings) +# Mark all packets coming out of the WireGuard interfaces +WG_MARK="0x00800000" + interfaces() { local id local enabled @@ -218,6 +221,7 @@ generate_config() { fi echo "[Interface]" + echo "FwMark = ${WG_MARK}" if [ -n "${privkey}" ]; then echo "PrivateKey = ${privkey}" @@ -267,6 +271,12 @@ generate_config() { ip route add "${args[@]}" done + + # Add a direct host route to the endpoint + if [ -s "/var/ipfire/red/remote-ipaddress" ]; then + ip route add table wg \ + "${endpoint_addr}" via "$(/dev/null + + # Ensure that the table is being looked up + if ! ip rule | grep -q "lookup wg"; then + ip rule add table wg fwmark "${WG_MARK}" + fi } wg_start() { hooks/post-receive -- IPFire 2.x development tree
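Review bot: in the first wireguard-functions.pl hunk (generate_peer_configuration, `"Address = @{ $peer->{'CLIENT_ADDRESS'} }/32"`), CLIENT_ADDRESS is dereferenced as an array, so if it ever holds more than one element only the last one gets the "/32" suffix, and if a stored value already carries a prefix the line comes out as "/32/32" and the client import fails for the opposite reason the commit is fixing. Suggest normalising the stored value to a bare address and mapping the suffix over every element, e.g. `join(", ", map { "$_/32" } @{ $peer->{'CLIENT_ADDRESS'} })`.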
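Review bot: in the parse_configuration hunk (`@@ -506,12 +506,24 @@`), `$peer{'LOCAL_ADDRESS'} = ${address};` now runs unconditionally, so an empty address or one rejected for a wrong prefix is stored next to the error message, whereas the removed code only stored the value after a successful `check_ip_address`. Suggest assigning only on the success path, and folding the two nested prefix checks into one condition (`if (defined $prefix && $prefix != 32)`), ideally with a message more specific than the reused 'invalid ip address' so the user learns that the prefix, not the address, was the problem.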
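Review bot: the hunk at `@@ -613,10 +625,6 @@` drops the `wg missing port` check, so every code path that later builds an endpoint from ENDPOINT_ADDRESS and PORT must now tolerate an undefined PORT (emit the bare address rather than "host:"), and `$Lang::tr{'wg missing port'}` is no longer referenced from this file. Worth confirming that the peer-configuration generator and the initscript handle a peer without a port before this lands, and removing the now-unused translation string if nothing else uses it.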
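Review bot: adding `etc/iproute2/rt_tables` to the core 195 filelist means the update replaces the installed file wholesale, discarding any table names an administrator has added locally. If that is intended it deserves a line in the update notes; otherwise the update script could append the "201 wg" entry only when it is missing, which also keeps the file idempotent across repeated updates.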
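Review bot: the wireguard.cgi hunk cannot be reviewed from this mail because the markup was stripped in rendering (only `print < - + $name` survives), so the title attribute that is supposed to carry the public key is not visible here. Whatever value ends up in that attribute should pass through the same HTML escaping as other interpolated fields; a WireGuard public key is base64 and will not contain quotes, but escaping every attribute uniformly is cheaper than reasoning about it per field.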
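Review bot: `echo "201 wg" >> /etc/iproute2/rt_tables` in lfs/iproute2 is an unconditional append, mirroring the existing "200 static" line, so a re-run of the install step duplicates the entry. Consistent with the surrounding code, so not blocking, but the table name must match the `table wg` used in the initscript exactly; a comment next to the line saying that the initscript depends on this name would stop someone renaming one without the other.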
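Review bot: `WG_MARK="0x00800000"` in the initscript hunk at `@@ -25,6 +25,9 @@` reserves a single mark bit without saying so; please extend the comment to state that this bit is reserved for WireGuard so that other firewall components setting fwmarks do not reuse it, since a collision silently sends unrelated traffic through the wg table.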
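Review bot: in the last initscript hunk (`@@ -267,6 +271,12 @@`), `ip rule add table wg fwmark "${WG_MARK}"` matches the whole mark value with no mask, so if any other component sets additional bits on the same packet the rule no longer matches and the encrypted packets fall through to the main table, whose default route this commit intends to replace; `fwmark ${WG_MARK}/${WG_MARK}` would match on the bit alone. The same fall-through happens when `/var/ipfire/red/remote-ipaddress` is missing or empty, because the host route is then skipped silently, and the trailing `/dev/null` redirection hides any failure of `ip route add`; logging both conditions would make a broken VPN-provider tunnel diagnosable. The `grep -q "lookup wg"` guard would also match a table named e.g. "wg2"; anchoring the pattern (`"lookup wg$"`) avoids that. Note that the `via "$(...)"` part of this hunk is truncated in the mail rendering, so the exact command could not be reviewed here.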