Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add ffuplink-package to use the routers-wan connection #125

Merged
merged 13 commits into from
Jan 30, 2018
Merged

add ffuplink-package to use the routers-wan connection #125

merged 13 commits into from
Jan 30, 2018

Conversation

SvenRoederer
Copy link
Contributor

add a package to use the wan-connection directly (w/o VPN)

This was referenced Oct 29, 2017
Closed
Closed
@bobster-galore
Copy link
Contributor

It would be nice to have an underhood construction which can be used by any wizard or sthg. to configure the system. Much more which kind of connection could be used.

@SvenRoederer
Copy link
Contributor Author

at the moment branch "packages/notunnel" of the firmware gets build an can then be tested.

@SvenRoederer
Copy link
Contributor Author

one issue with this code is, that the veth-link to the ffuplink interface is setup via a hotplugscript. this should be converted to a uci-setting, as we have patched the lede-17.01 netifd to support this.

@SvenRoederer SvenRoederer force-pushed the feature/notunnel branch 2 times, most recently from 56466b2 to f363ea3 Compare November 8, 2017 14:10
@SvenRoederer SvenRoederer force-pushed the feature/notunnel branch 3 times, most recently from 95a577d to 55aa54a Compare December 17, 2017 21:12
@SvenRoederer SvenRoederer added this to the Hedy 1.0.0 milestone Dec 17, 2017
@SvenRoederer
Copy link
Contributor Author

This code has been tested and verified to work with

Probably it's morre elegant to put the uci-setting ffberlin-uplink.uplink.auth directly into network.ffuplink.authtype.

@SvenRoederer SvenRoederer mentioned this pull request Dec 21, 2017
Merged
@SvenRoederer
Copy link
Contributor Author

merged into Hedy-1.0.0-rc1

@SvenRoederer
uplink-notunnel: initial commit
6916fe2 
this is some uplink-type to directly route the freifunk-
traffic via the uplink on the wan-interface. So there
will be no tunnel at all.

include both setup-stages inside the hotplug-script
stage 1: WAN
* setup up veth-pair
* add one end of veth-pair to br-wan
* enable interface "ffuplink"

stage 2: ffuplink
* set default-route for ff-clients via gateway over
  "ffuplink"-device
* via policy-routing in table "olsr-tunnel"
@SvenRoederer
wizard, uplink-files: add uci-setting to request different auth-types
6398ab9 
add uci "ffberlin-uplink.uplink.auth"to give each uplink-provider
a way to have the assistent asking for different kinds of
authentication. Following types are supported:
- none: the uplink-type don't need additional parameters
- x509: the uplink-type requires a set of X.509 certificate
        (stored in /etc/openvpn/, as for VPN03 and tunnel-berlin)
- pass: todo - just ask for a simple password / psk
- userpass: todo - ask for username and password
@SvenRoederer
uplink-notunnel: setup masquerading
0279ec3
@SvenRoederer
openvpn: recreate OpenVPN settings everytime
733a56c 
to ensure current settings and do not interfer with any previous setup
or tunnel-type of ffuplink
@SvenRoederer
uplink-notunnel: configure veth-dev via uci network
fa29877 
- this requires a recent enough netifd (was implemented in 2017-02-11)
- also take care of reconfiguring alternative uplink-types and
  don't have them relying on any assumption of "ffuplink"
@SvenRoederer
uplink: prepare routing to deny access to uplink-lan
09b2227 
implement dedicated ip-rule to manage traffic for ffuplink-interface
@SvenRoederer
network-defaults: prohibit traffic to net on ffuplink
8416296 
this hotplug-script probibits all traffic to nodes on the
upstream-network of ffuplink-interface. Only traffic to not
directly attached networks is accepted.
This script also sets up the default route for all traffic
reaching the "ffuplink" routing-table.

this all honors the settings of
* ffwizard.sharenet
* freifunk-policyrouting.enable
@SvenRoederer
network-defaults: setup the ip rules at runtime
a0e442b 
On every setup of ffuplink add some ip-rules to route
all traffic received on interfaces of zone freifunk
out via ffuplink.
When shutting down the interface we remove the manually
created rules, to not create the same rules over and
over again.
@SvenRoederer
network-defaults: removing setup of default-gw for ffuplink
86abd65 
as this is done by the tunnel-provider scripts
@SvenRoederer
network-defaults: blocking of ffuplink-net needs to be before default…
d38589b 
…-route

so add prohibit with prio 19989
@SvenRoederer
openvpn-defaults: also put default-route in ip-rule "ffuplink"
1795512 
to keep it in sync with a "no-tunnel" uplink.
As we had no separate ip-rules for ffuplink before, it was
put into "olsr-tunnel", which did not made sense at all.
@SvenRoederer
network-defaults: adapt ffuplink-policyrouting for OpenVPN
96f5897 
As OpenVPN networkparameters are not configured via UCI,
"network_get_subnet" returns noting. In this case we query
the IP-config directly.
If this also returns nothing valid, we will not setup a
policy to protect the uplink-lan and give an error-log.
@SvenRoederer
network-defaults: quieten grep
e7c0f03
@SvenRoederer SvenRoederer merged commit 8664d2c into master Jan 30, 2018
@SvenRoederer SvenRoederer deleted the feature/notunnel branch March 12, 2018 17:45
@SvenRoederer
Copy link
Contributor Author

btw: a similar feature seems to be on the way for gluon (freifunk-gluon/gluon#1094)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
Hedy 1.0.0
Development

Successfully merging this pull request may close these issues.
2 participants
@SvenRoederer @bobster-galore