forked from Tunnelsats/tunnelsats
-
Notifications
You must be signed in to change notification settings - Fork 0
/
setupv2.sh
1369 lines (1182 loc) · 43.9 KB
/
setupv2.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
#!/bin/bash
# This script setup the environment needed for VPN usage on lightning network nodes
# Use with care
#
# Usage: sudo bash setup.sh
#VERSION NUMBER of setupv2.sh
#Update if your make a significant change
##########UPDATE IF YOU MAKE A NEW RELEASE#############
major=0
minor=1
patch=32
#Helper
function valid_ipv4() {
local ip=$1
local stat=1
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
OIFS=$IFS
IFS='.'
ip=($ip)
IFS=$OIFS
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 &&
${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
stat=$?
fi
return $stat
}
# check if sudo
if [ "$EUID" -ne 0 ]; then
echo "Please run as root (with sudo)"
exit 1
fi
# intro
echo -e "
###############################
TunnelSats v2
Setup Script
Version:
v$major.$minor.$patch
###############################"
echo
# Check if docker / non-docker
isDocker=0
killswitchRaspi=0
while true; do
read -p "What lightning node package are you running?:
1) RaspiBlitz
2) Umbrel
3) myNode
4) RaspiBolt / Bare Metal
> " answer
case $answer in
1)
echo "> RaspiBlitz"
echo
killswitchRaspi=1
isDocker=0
break
;;
2)
echo "> Umbrel"
echo
isDocker=1
isUmbrel=1
break
;;
3)
echo "> myNode"
echo
isDocker=0
break
;;
4)
echo "> RaspiBolt / Bare Metal"
echo
isDocker=0
break
;;
*) echo "Please enter a number from 1 to 4." ;;
esac
done
# Check which implementation the user wants to tunnel
lnImplementation=""
while true; do
read -p "Which lightning implementation do you want to tunnel?:
1) LND
2) CLN
> " answer
case $answer in
1)
echo "> Setting up Tunneling for LND on port 9735"
echo
lnImplementation="lnd"
break
;;
2)
echo "> Setting up Tunneling for CLN on port 9735"
echo
lnImplementation="cln"
break
;;
*) echo "Please choose by entering a number either 1 or 2." ;;
esac
done
# check for downloaded tunnelsatsv2.conf, exit if not available
# get current directory
directory=$(dirname -- "$(readlink -fn -- "$0")")
echo "Looking for WireGuard config file..."
if [ ! -f "$directory"/tunnelsatsv2.conf ] || [ $(grep -c "Endpoint" "$directory"/tunnelsatsv2.conf) -eq 0 ]; then
echo "> ERR: tunnelsatsv2.conf not found or missing Endpoint."
echo "> Please place it in this script's location and check original tunnelsatsv2.conf for \"Endpoint\" entry"
echo
exit 1
else
echo "> tunnelsatsv2.conf found, proceeding."
echo
fi
# security check - exit if nonDocker and no systemd service found
if [ $isDocker -eq 0 ]; then
echo "Looking for systemd service..."
if [ "$lnImplementation" == "lnd" ] && [ ! -f /etc/systemd/system/lnd.service ]; then
echo "> /etc/systemd/system/lnd.service not found. Setup aborted."
echo
exit 1
fi
if [ "$lnImplementation" == "cln" ] && [ ! -f /etc/systemd/system/lightningd.service ]; then
echo "> /etc/systemd/system/lightningd.service not found. Setup aborted."
echo
exit 1
fi
fi
# RaspiBlitz: deactivate config checks
if [ "$lnImplementation" == "lnd" ]; then
if [ -f /home/admin/config.scripts/lnd.check.sh ]; then
mv /home/admin/config.scripts/lnd.check.sh /home/admin/config.scripts/lnd.check.bak
echo "RaspiBlitz detected, lnd conf safety check removed"
echo
fi
elif [ "$lnImplementation" == "cln" ]; then
if [ -f /home/admin/config.scripts/cl.check.sh ]; then
mv /home/admin/config.scripts/cl.check.sh /home/admin/config.scripts/cl.check.bak
echo "RaspiBlitz detected, cln conf safety check removed"
echo
fi
fi
# check requirements and update repos
echo "Checking and installing requirements..."
echo "Updating the package repositories..."
apt-get update >/dev/null
echo
# only non-docker
if [ $isDocker -eq 0 ]; then
# check cgroup-tools only necessary when lightning runs as systemd service
if [ -f /etc/systemd/system/lnd.service ] ||
[ -f /etc/systemd/system/lightningd.service ]; then
echo "Checking cgroup-tools..."
checkcgroup=$(cgcreate -h 2>/dev/null | grep -c "Usage")
if [ $checkcgroup -eq 0 ]; then
echo "Installing cgroup-tools..."
if apt-get install -y cgroup-tools >/dev/null; then
echo "> cgroup-tools installed"
echo
else
echo "> failed to install cgroup-tools"
echo
exit 1
fi
else
echo "> cgroup-tools found"
echo
fi
fi
fi
sleep 2
# check nftables
echo "Checking nftables installation..."
checknft=$(nft -v 2>/dev/null | grep -c "nftables")
if [ $checknft -eq 0 ]; then
echo "Installing nftables..."
if apt-get install -y nftables >/dev/null; then
echo "> nftables installed"
echo
else
echo "> failed to install nftables"
echo
exit 1
fi
else
echo "> nftables found"
echo
fi
sleep 2
#Check if system is virtualized
virtualized=0
#Only modprobe in unvirtualized system
modprobe=""
systemd-detect-virt -c --quiet
if [ $? -eq 0 ]; then
echo "> Virtualized setup"
virtualized=1
echo
fi
echo "Checking wireguard installation..."
checkwg=$(wg -v 2>/dev/null | grep -c "wireguard-tools")
if [ $checkwg -eq 0 ]; then
echo "Installing wireguard..."
if apt-get install -y wireguard >/dev/null; then
echo "> wireguard installed"
echo
else
# try Debian 10 Buster workaround / myNode
codename=$(lsb_release -c 2>/dev/null | awk '{print $2}')
if [ "$codename" == "buster" ] && [ "$(hostname)" != "umbrel" ]; then
if apt-get install -y -t buster-backports wireguard >/dev/null; then
echo "> wireguard installed"
echo
else
echo "> failed to install wireguard"
echo
exit 1
fi
fi
fi
else
echo "> wireguard found"
echo
fi
# Install wireguard-go because we need a wireguard which runs in userspace
# because we are virtualized
# Check for a go installation first
if [ $virtualized -eq 1 ]; then
echo "> Your system is virtualized, you need to download userspace wireguard implementation"
echo "> wireguard-go is such a userspace wireguard implementation, therefore we check in the"
echo "> following whether its installed on your system."
echo
goinstalled=$(go version 2>/dev/null | grep -c "go version")
if [ $goinstalled -eq 0 ]; then
echo "> failed to find golang on your system (go version)"
echo
exit 1
fi
wireguard-go --version 2>/dev/null
if [ $? -ne 0 ]; then
echo "> failed to find wireguard-go on your system (wireguard-go --version)"
echo "> make sure you install wireguard-go on your system"
echo "> see https://github.com/WireGuard/wireguard-go"
echo "> make sure you edit the following line after installing wireguard-go"
echo "> in /lib/systemd/system/wg-quick@.service edit"
echo "> Environment=WG_I_PREFER_BUGGY_USERSPACE_TO_POLISHED_KMOD=1 below the entry"
echo "> Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity"
echo
exit 1
fi
else
modprobe="modprobe cls_cgroup"
fi
sleep 2
# add resolvconf package to docker systems for DNS resolving
if [ $isDocker -eq 1 ]; then
echo "Checking resolvconf installation..."
checkResolv=$(resolvconf 2>/dev/null | grep -c "^Usage")
if [ $checkResolv -eq 0 ]; then
echo "Installing resolvconf..."
if apt-get install -y resolvconf >/dev/null; then
echo "> resolvconf installed"
echo
else
echo "> failed to install resolvconf"
echo
exit 1
fi
else
echo "> resolvconf found"
echo
fi
sleep 2
fi
#Create Docker Tunnelsat Network
if [ $isDocker -eq 1 ]; then
echo "Creating TunnelSats Docker Network..."
checkdockernetwork=$(docker network ls 2>/dev/null | grep -c "docker-tunnelsats")
#the subnet needs a bigger subnetmask (25) than the normal umbrel_mainet subnetmask of 24
#otherwise the network will not be chosen as the gateway for outside connection
dockersubnet="10.9.9.0/25"
if [ $checkdockernetwork -eq 0 ]; then
docker network create "docker-tunnelsats" --subnet $dockersubnet -o "com.docker.network.driver.mtu"="1420" &>/dev/null
if [ $? -eq 0 ]; then
echo "> docker-tunnelsats created successfully"
echo
else
echo "> failed to create docker-tunnelsats network"
echo
exit 1
fi
else
echo "> docker-tunnelsats already created"
echo
fi
#Clean Routing Tables from prior failed wg-quick starts
delrule1=$(ip rule | grep -c "from all lookup main suppress_prefixlength 0")
delrule2=$(ip rule | grep -c "from $dockersubnet lookup 51820")
for i in $(seq 1 $delrule1); do
ip rule del from all table main suppress_prefixlength 0
done
for i in $(seq 1 $delrule2); do
ip rule del from $dockersubnet table 51820
done
#Flush any rules which are still present from failed interface starts
ip route flush table 51820 &>/dev/null
else
#Delete Rules for non-docker setup
#Clean Routing Tables from prior failed wg-quick starts
delrule1=$(ip rule | grep -c "from all lookup main suppress_prefixlength 0")
delrule2=$(ip rule | grep -c "from all fwmark 0x1000000/0xff000000 lookup 51820")
for i in $(seq 1 $delrule1); do
ip rule del from all table main suppress_prefixlength 0
done
for i in $(seq 1 $delrule2); do
ip rule del from all fwmark 0x1000000/0xff000000 table 51820
done
#Flush any rules which are still present from failed interface starts
ip route flush table 51820 &>/dev/null
fi
sleep 2
# Fetch all local networks and exclude them from kill switch
localNetworks=$(ip route | awk '{print $1}' | grep -v default | sed -z 's/\n/, /g')
if [ -z "$localNetworks" ]; then
# add default networks according to RFC 1918
localNetworks="10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"
fi
if [ $killswitchRaspi -eq 1 ]; then
killswitchNonDocker="PostUp = nft insert rule ip %i nat skuid bitcoin fib daddr type != local ip daddr != {$localNetworks} meta oifname != %i meta l4proto { tcp, udp } th dport != { 51820 } counter drop\n"
else
# only implemented for RaspiBlitz
killswitchNonDocker=""
fi
# edit tunnelsats.conf, add PostUp/Down rules
# and copy to destination folder
echo "Copy wireguard conf file to /etc/wireguard and apply network rules..."
inputDocker="\n
#Tunnelsats-Setupv2-Docker\n
[Interface]\n
DNS = 8.8.8.8\n
Table = off\n
\n
PostUp = while [ \$(ip rule | grep -c suppress_prefixlength) -gt 0 ]; do ip rule del from all table main suppress_prefixlength 0;done\n
PostUp = while [ \$(ip rule | grep -c 0x1000000) -gt 0 ]; do ip rule del from all fwmark 0x1000000/0xff000000 table 51820;done\n
PostUp = if [ \$(ip route show table 51820 2>/dev/null | grep -c blackhole) -gt 0 ]; then echo \$?; ip route del blackhole default metric 3 table 51820; ip rule flush table 51820 ;fi\n
PostUp = ip rule add from \$(docker network inspect \"docker-tunnelsats\" | grep Subnet | awk '{print \$2}' | sed 's/[\",]//g') table 51820\n
PostUp = ip rule add from all table main suppress_prefixlength 0\n
PostUp = ip route add blackhole default metric 3 table 51820\n
PostUp = ip route add default dev %i metric 2 table 51820\n
PostUp = ip route add 10.9.0.0/24 dev %i proto kernel scope link; ping -c1 10.9.0.1\n
\n
PostUp = sysctl -w net.ipv4.conf.all.rp_filter=0\n
PostUp = sysctl -w net.ipv6.conf.all.disable_ipv6=1\n
PostUp = sysctl -w net.ipv6.conf.default.disable_ipv6=1\n
\n
PostDown = ip rule del from \$(docker network inspect \"docker-tunnelsats\" | grep Subnet | awk '{print \$2}' | sed 's/[\",]//g') table 51820\n
PostDown = ip rule del from all table main suppress_prefixlength 0\n
PostDown = ip route flush table 51820\n
PostDown = sysctl -w net.ipv4.conf.all.rp_filter=1\n
"
inputNonDocker="\n
#Tunnelsats-Setupv2-Non-Docker\n
[Interface]\n
FwMark = 0x2000000\n
Table = off\n
\n
PostUp = while [ \$(ip rule | grep -c suppress_prefixlength) -gt 0 ]; do ip rule del from all table main suppress_prefixlength 0;done\n
PostUp = while [ \$(ip rule | grep -c 0x1000000) -gt 0 ]; do ip rule del from all fwmark 0x1000000/0xff000000 table 51820;done\n
PostUp = ip rule add from all fwmark 0x1000000/0xff000000 table 51820;ip rule add from all table main suppress_prefixlength 0\n
PostUp = ip route add default dev %i table 51820;\n
PostUp = ip route add 10.9.0.0/24 dev %i proto kernel scope link; ping -c1 10.9.0.1\n
PostUp = sysctl -w net.ipv4.conf.all.rp_filter=0\n
PostUp = sysctl -w net.ipv6.conf.all.disable_ipv6=1\n
PostUp = sysctl -w net.ipv6.conf.default.disable_ipv6=1\n
\n
PostUp = nft add table ip %i\n
PostUp = nft add chain ip %i prerouting '{type filter hook prerouting priority mangle -1; policy accept;}'; nft add rule ip %i prerouting meta mark set ct mark\n
PostUp = nft add chain ip %i mangle '{type route hook output priority mangle -1; policy accept;}'; nft add rule ip %i mangle tcp sport != { 8080, 10009 } meta mark and 0xff000000 != 0x2000000 meta cgroup 1118498 meta mark set mark and 0x00ffffff xor 0x1000000\n
PostUp = nft add chain ip %i nat'{type nat hook postrouting priority srcnat -1; policy accept;}'; nft insert rule ip %i nat fib daddr type != local ip daddr != {$localNetworks} oifname != %i ct mark and 0xff000000 == 0x1000000 drop;nft add rule ip %i nat oifname %i ct mark and 0xff000000 == 0x1000000 masquerade\n
$killswitchNonDocker
PostUp = nft add chain ip %i postroutingmangle'{type filter hook postrouting priority mangle -1; policy accept;}'; nft add rule ip %i postroutingmangle meta mark and 0xff000000 == 0x1000000 ct mark set meta mark and 0x00ffffff xor 0x1000000 \n
PostUp = nft add chain ip %i input'{type filter hook input priority filter -1; policy accept;}'; nft add rule ip %i input iifname %i ct state established,related counter accept; nft add rule ip %i input iifname %i tcp dport != 9735 counter drop; nft add rule ip %i input iifname %i udp dport != 9735 counter drop\n
\n
PostDown = nft delete table ip %i\n
PostDown = ip rule del from all table main suppress_prefixlength 0; ip rule del from all fwmark 0x1000000/0xff000000 table 51820\n
PostDown = ip route flush table 51820\n
PostDown = sysctl -w net.ipv4.conf.all.rp_filter=1\n
"
directory=$(dirname -- "$(readlink -fn -- "$0")")
if [ -f "$directory"/tunnelsatsv2.conf ]; then
cp "$directory"/tunnelsatsv2.conf /etc/wireguard/
if [ -f /etc/wireguard/tunnelsatsv2.conf ]; then
echo "> tunnelsatsv2.conf copied to /etc/wireguard/"
else
echo "> ERR: tunnelsatsv2.conf not found in /etc/wireguard/. Please check for errors."
echo
fi
# Don't paste content if user already has something in there
check=$(grep -c "Tunnelsats-Setupv2" /etc/wireguard/tunnelsatsv2.conf)
if [ $isDocker -eq 1 ] && [ $check -eq 0 ]; then
echo -e $inputDocker 2>/dev/null >>/etc/wireguard/tunnelsatsv2.conf
elif [ $isDocker -eq 0 ] && [ $check -eq 0 ]; then
echo -e $inputNonDocker 2>/dev/null >>/etc/wireguard/tunnelsatsv2.conf
fi
# check after pasting in the content
check=$(grep -c "Tunnelsats-Setupv2" /etc/wireguard/tunnelsatsv2.conf)
if [ $check -eq 1 ]; then
echo "> network rules applied"
echo
else
echo "> ERR: network rules not applied"
echo
exit 1
fi
fi
sleep 2
if [ $isDocker -eq 0 ]; then
# setup for cgroup
# create file
echo "Creating cgroup tunnelsats-create-cgroup.sh file in /etc/wireguard/..."
echo "#!/bin/sh
set -e
dir_netcls=\"/sys/fs/cgroup/net_cls\"
splitted_processes=\"/sys/fs/cgroup/net_cls/splitted_processes\"
$modprobe
if [ ! -d \"\$dir_netcls\" ]; then
mkdir \$dir_netcls
mount -t cgroup -o net_cls none \$dir_netcls
echo \"> Successfully added cgroup net_cls subsystem\"
fi
if [ ! -d \"\$splitted_processes\" ]; then
mkdir /sys/fs/cgroup/net_cls/splitted_processes
echo 1118498 > /sys/fs/cgroup/net_cls/splitted_processes/net_cls.classid
chmod 666 /sys/fs/cgroup/net_cls/splitted_processes/tasks
echo \"> Successfully added Mark for net_cls subsystem\"
else
echo \"> Mark for net_cls subsystem already present\"
fi
" >/etc/wireguard/tunnelsats-create-cgroup.sh
chmod +x /etc/wireguard/tunnelsats-create-cgroup.sh
if [ -f /etc/wireguard/tunnelsats-create-cgroup.sh ]; then
echo "> /etc/wireguard/tunnelsats-create-cgroup.sh created."
echo
else
echo "> ERR: /etc/wireguard/tunnelsats-create-cgroup.sh was not created. Please check for errors."
exit 1
fi
# run it once
if [ -f /etc/wireguard/tunnelsats-create-cgroup.sh ]; then
echo "> tunnelsats-create-cgroup.sh created, executing..."
# run
if /etc/wireguard/tunnelsats-create-cgroup.sh; then
echo "> Created tunnelsats cgroup successfully"
echo
else
echo "> ERR: tunnelsats-create-cgroup.sh execution failed. Please check for errors."
echo
exit 1
fi
fi
# enable systemd service
# create systemd file
echo "Creating cgroup systemd service..."
echo "[Unit]
Description=Creating cgroup for Splitting lightning traffic
StartLimitInterval=200
StartLimitBurst=5
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/wireguard/tunnelsats-create-cgroup.sh
[Install]
WantedBy=multi-user.target
" >/etc/systemd/system/tunnelsats-create-cgroup.service
# enable and start tunnelsats-create-cgroup.service
if [ -f /etc/systemd/system/tunnelsats-create-cgroup.service ]; then
systemctl daemon-reload >/dev/null
if systemctl enable tunnelsats-create-cgroup.service >/dev/null &&
systemctl start tunnelsats-create-cgroup.service >/dev/null; then
echo "> tunnelsats-create-cgroup.service: systemd service enabled and started"
echo
else
echo "> ERR: tunnelsats-create-cgroup.service could not be enabled or started. Please check for errors."
echo
fi
else
echo "> ERR: tunnelsats-create-cgroup.service was not created. Please check for errors."
echo
exit 1
fi
#Adding tunnelsats-create-cgroup requirement to lnd/cln
if [ "$lnImplementation" == "lnd" ]; then
if [ ! -d /etc/systemd/system/lnd.service.d ]; then
mkdir /etc/systemd/system/lnd.service.d >/dev/null
fi
echo "#Don't edit this file its generated by tunnelsats scripts
[Unit]
Description=lnd service - powered by tunnelsats
Requires=tunnelsats-create-cgroup.service
After=tunnelsats-create-cgroup.service
Requires=wg-quick@tunnelsatsv2.service
After=wg-quick@tunnelsatsv2.service
" >/etc/systemd/system/lnd.service.d/tunnelsats-cgroup.conf
systemctl daemon-reload >/dev/null
elif [ "$lnImplementation" == "cln" ]; then
if [ ! -d /etc/systemd/system/lightningd.service.d ]; then
mkdir /etc/systemd/system/lightningd.service.d >/dev/null
fi
echo "#Don't edit this file its generated by tunnelsats scripts
[Unit]
Description=lightningd needs cgroup before it can start
Requires=tunnelsats-create-cgroup.service
After=tunnelsats-create-cgroup.service
Requires=wg-quick@tunnelsatsv2.service
After=wg-quick@tunnelsatsv2.service
" >/etc/systemd/system/lightningd.service.d/tunnelsats-cgroup.conf
systemctl daemon-reload >/dev/null
fi
#Create lightning splitting.service
# create file
echo "Creating tunnelsats-splitting-processes.sh file in /etc/wireguard/..."
echo "#!/bin/sh
# add Lightning pid(s) to cgroup
pgrep -x lnd | xargs -I % sh -c 'echo % >> /sys/fs/cgroup/net_cls/splitted_processes/tasks' &> /dev/null
pgrep -x lightningd | xargs -I % sh -c 'echo % >> /sys/fs/cgroup/net_cls/splitted_processes/tasks' &> /dev/null
count=\$(cat /sys/fs/cgroup/net_cls/splitted_processes/tasks | wc -l)
if [ \$count -eq 0 ];then
echo \"> no available lightning processes available for tunneling\"
else
echo \"> \${count} Process(es) successfully excluded\"
fi
" >/etc/wireguard/tunnelsats-splitting-processes.sh
if [ -f /etc/wireguard/tunnelsats-splitting-processes.sh ]; then
echo "> /etc/wireguard/tunnelsats-splitting-processes.sh created"
chmod +x /etc/wireguard/tunnelsats-splitting-processes.sh
else
echo "> ERR: /etc/wireguard/tunnelsats-splitting-processes.sh was not created. Please check for errors."
exit 1
fi
# run it once
if [ -f /etc/wireguard/tunnelsats-splitting-processes.sh ]; then
echo "> tunnelsats-splitting-processes.sh created, executing..."
# run
bash /etc/wireguard/tunnelsats-splitting-processes.sh
echo "> tunnelsats-splitting-processes.sh successfully executed"
echo
else
echo "> ERR: tunnelsats-splitting-processes.sh execution failed"
echo
exit 1
fi
# enable systemd service
# create systemd file
echo "Creating tunnelsats-splitting-processes systemd service..."
if [ ! -f /etc/systemd/system/tunnelsats-splitting-processes.sh ]; then
echo "[Unit]
Description=Adding Lightning Process to the tunnel
[Service]
Type=oneshot
ExecStart=/bin/bash /etc/wireguard/tunnelsats-splitting-processes.sh
[Install]
WantedBy=multi-user.target
" >/etc/systemd/system/tunnelsats-splitting-processes.service
echo "[Unit]
Description=1min timer for tunnelsats-splitting-processes.service
[Timer]
OnBootSec=10
OnUnitActiveSec=10
Persistent=true
[Install]
WantedBy=timers.target
" >/etc/systemd/system/tunnelsats-splitting-processes.timer
if [ -f /etc/systemd/system/tunnelsats-splitting-processes.service ]; then
echo "> tunnelsats-splitting-processes.service created"
else
echo "> ERR: tunnelsats-splitting-processes.service not created. Please check for errors."
echo
exit 1
fi
if [ -f /etc/systemd/system/tunnelsats-splitting-processes.timer ]; then
echo "> tunnelsats-splitting-processes.timer created"
else
echo "> ERR: tunnelsats-splitting-processes.timer not created. Please check for errors."
echo
exit 1
fi
fi
# enable and start tunnelsats-splitting-processes.service
if [ -f /etc/systemd/system/tunnelsats-splitting-processes.service ]; then
systemctl daemon-reload >/dev/null
if systemctl enable tunnelsats-splitting-processes.service >/dev/null &&
systemctl start tunnelsats-splitting-processes.service >/dev/null; then
echo "> tunnelsats-splitting-processes.service: systemd service enabled and started"
else
echo "> ERR: tunnelsats-splitting-processes.service could not be enabled or started. Please check for errors."
echo
exit 1
fi
# enable timer
if [ -f /etc/systemd/system/tunnelsats-splitting-processes.timer ]; then
if systemctl enable tunnelsats-splitting-processes.timer >/dev/null &&
systemctl start tunnelsats-splitting-processes.timer >/dev/null; then
echo "> tunnelsats-splitting-processes.timer: systemd timer enabled and started"
echo
else
echo "> ERR: tunnelsats-splitting-processes.timer: systemd timer could not be enabled or started. Please check for errors."
echo
exit 1
fi
fi
else
echo "> ERR: tunnelsats-splitting-processes.service was not created. Please check for errors."
echo
exit 1
fi
# Raspiblitz new API breaks with tunnelsats and needs a new dependency to the wg tunnelsats interface
if [ -f /etc/systemd/system/blitzapi.service ]; then
if [ ! -d /etc/systemd/system/blitzapi.service.d ]; then
mkdir /etc/systemd/system/blitzapi.service.d >/dev/null
fi
echo "#Don't edit this file its generated by tunnelsats scripts
[Unit]
Description=blitzapi needs the wg service before it can start successfully
Requires=wg-quick@tunnelsatsv2.service
After=wg-quick@tunnelsatsv2.service
" >/etc/systemd/system/blitzapi.service.d/tunnelsats-wg.conf
systemctl daemon-reload >/dev/null
fi
fi
sleep 2
#Start lightning implementation in cggroup when non docker
#changing respective .service file
if [ $isDocker -eq 0 ]; then
if [ "$lnImplementation" == "lnd" ]; then
if [ ! -f /etc/systemd/system/lnd.service.bak ]; then
cp /etc/systemd/system/lnd.service /etc/systemd/system/lnd.service.bak
fi
#Check if lnd.service already has cgexec command included
check=$(grep -c "cgexec" /etc/systemd/system/lnd.service)
if [ $check -eq 0 ]; then
if sed -i 's/ExecStart=/ExecStart=\/usr\/bin\/cgexec -g net_cls:splitted_processes /g' /etc/systemd/system/lnd.service; then
echo "> lnd.service updated now starts in cgroup tunnelsats"
echo
echo "> backup saved under /etc/systemd/system/lnd.service.bak"
echo
systemctl daemon-reload >/dev/null
else
echo "> ERR: not able to change /etc/systemd/system/lnd.service. Please check for errors."
echo
fi
else
echo "> /etc/systemd/system/lnd.service already starts in cgroup tunnelsats"
echo
fi
elif [ "$lnImplementation" == "cln" ]; then
if [ ! -f /etc/systemd/system/lightningd.service.bak ]; then
cp /etc/systemd/system/lightningd.service /etc/systemd/system/lightningd.service.bak
fi
#Check if lightningd.service already has cgexec command included
check=$(grep -c "cgexec" /etc/systemd/system/lightningd.service)
if [ $check -eq 0 ]; then
if sed -i 's/ExecStart=/ExecStart=\/usr\/bin\/cgexec -g net_cls:splitted_processes /g' /etc/systemd/system/lightningd.service; then
echo "> lightningd.service updated now starts in cgroup tunnelsats"
echo
echo "> backup saved under /etc/systemd/system/lightningd.service.bak"
echo
systemctl daemon-reload >/dev/null
else
echo "> ERR: not able to change /etc/systemd/system/lightningd.service. Please check for errors."
echo
fi
else
echo "> /etc/systemd/system/lightningd.service already starts in cgroup tunnelsats"
echo
fi
fi
fi
sleep 2
#Creating Killswitch to prevent any leakage
if [ $isDocker -eq 1 ]; then
echo "Applying KillSwitch to Docker setup..."
#Get main interface
mainif=$(ip route | grep default | cut -d' ' -f5)
localsubnet="$(hostname -I | awk '{print $1}' | cut -d"." -f1-3)".0/24
#Get docker umbrel lnd/cln ip address
dockerlndip=$(grep LND_IP "$HOME"/umbrel/.env 2>/dev/null | cut -d= -f2)
dockerlndip=${dockerlndip:-"10.21.21.9"}
if [ -d "$HOME"/umbrel/app-data/core-lightning ]; then
dockerclnip=$(grep APP_CORE_LIGHTNING_DAEMON_IP "$HOME"/umbrel/app-data/core-lightning/exports.sh | cut -d "\"" -f2)
else
dockerclnip=""
fi
result=""
dockertunnelsatsip="10.9.9.9"
if [ -z "$dockerclnip" ]; then
result="$dockerlndip"
else
result="${dockerlndip}, ${dockerclnip}"
fi
if [ -n "$mainif" ]; then
if [ -f /etc/nftables.conf ] && [ ! -f /etc/nftablespriortunnelsats.backup ]; then
echo "> Info: tunnelsats replaces the whole /etc/nftables.conf, backup was saved to /etc/nftablespriortunnelsats.backup"
mv /etc/nftables.conf /etc/nftablespriortunnelsats.backup
fi
#Flush table if exist to avoid redundant rules
if nft list table ip tunnelsatsv2 &>/dev/null; then
nft flush table ip tunnelsatsv2
fi
echo "#!/sbin/nft -f
table ip tunnelsatsv2 {
set killswitch_tunnelsats {
type ipv4_addr
elements = { ${dockertunnelsatsip}, ${result} }
}
#block traffic from lighting containers
chain forward {
type filter hook forward priority filter -1; policy accept;
oifname ${mainif} ip daddr != ${localsubnet} ip saddr @killswitch_tunnelsats meta mark != 0x00001111 counter drop
}
#restrict traffic from the tunnelsats network other than the lightning traffic
chain input {
type filter hook input priority filter - 1; policy accept;
iifname tunnelsatsv2 ct state established,related counter accept
iifname tunnelsatsv2 tcp dport != 9735 counter drop
iifname tunnelsatsv2 udp dport != 9735 counter drop
}
#Allow Access via tailscale/zerotier
chain prerouting {
type filter hook prerouting priority dstnat - 10; policy accept;
ip saddr ${dockertunnelsatsip} tcp sport { 8080, 10009 } fib daddr type != local meta mark set 0x00001111 counter
}
}" >/etc/nftables.conf
# check application
check=$(grep -c "tunnelsatsv2" /etc/nftables.conf)
if [ $check -ne 0 ]; then
echo "> KillSwitch applied"
echo
else
echo "> ERR: KillSwitch not applied. Please check /etc/nftables.conf"
echo
exit 1
fi
else
echo "> ERR: not able to get default routing interface. Please check for errors."
echo
exit 1
fi
## create and enable nftables service
echo "Initializing nftables..."
systemctl daemon-reload >/dev/null
if systemctl enable nftables >/dev/null && systemctl start nftables >/dev/null; then
if [ -f /etc/systemd/system/umbrel.service ]; then
if [ ! -d /etc/systemd/system/umbrel.service.d ]; then
mkdir /etc/systemd/system/umbrel.service.d >/dev/null
fi
echo "[Unit]
Description=Forcing wg-quick to start after umbrel startup scripts
# Make sure kill switch is in place before starting umbrel containers
Requires=nftables.service
After=nftables.service
" >/etc/systemd/system/umbrel.service.d/tunnelsats_killswitch.conf
fi
if [ -f /etc/systemd/system/umbrel-startup.service ]; then
if [ ! -d /etc/systemd/system/umbrel-startup.service.d ]; then
mkdir /etc/systemd/system/umbrel-startup.service.d >/dev/null
fi
echo "[Unit]
Description=Forcing wg-quick to start after umbrel startup scripts
# Make sure kill switch is in place before starting umbrel containers
Requires=nftables.service
After=nftables.service
" >/etc/systemd/system/umbrel-startup.service.d/tunnelsats_killswitch.conf
fi
#Start nftables service
systemctl daemon-reload >/dev/null
systemctl reload nftables >/dev/null
if [ $? -eq 0 ]; then
echo "> nftables systemd service started"
else
echo "> ERR: nftables service could not be started. Please check for errors."
echo
#We exit here to prevent potential ip leakage
exit 1
fi
else
echo "> ERR: nftables service could not be enabled. Please check for errors."
echo
exit 1
fi
#Check if kill switch is in place
checkKillSwitch=$(nft list chain ip tunnelsatsv2 forward | grep -c "oifname")
if [ $checkKillSwitch -eq 0 ]; then
echo "> ERR: Killswitch failed to activate. Please check for errors."
echo
exit 1
else
echo "> Killswitch successfully activated"
echo
fi
fi
sleep 2
#Add Monitor which connects the docker-tunnelsats network to the lightning container
if [ $isDocker -eq 1 ]; then
# create file
echo "Creating tunnelsats-docker-network.sh file in /etc/wireguard/..."
echo "#!/bin/sh
#set -e
lightningcontainer=\$(docker ps --format 'table {{.Image}} {{.Names}} {{.Ports}}' | grep 0.0.0.0:9735 | awk '{print \$2}')
checkdockernetwork=\$(docker network ls 2> /dev/null | grep -c \"docker-tunnelsats\")
if [ \$checkdockernetwork -eq 0 ]; then
if ! docker network create \"docker-tunnelsats\" --subnet \"10.9.9.0/25\" -o \"com.docker.network.driver.mtu\"=\"1420\" >/dev/null; then
exit 1
fi
fi
if [ ! -z \$lightningcontainer ]; then
inspectlncontainer=\$(docker inspect \$lightningcontainer | grep -c \"tunnelsats\")
if [ \$inspectlncontainer -eq 0 ]; then
if ! docker network connect --ip 10.9.9.9 docker-tunnelsats \$lightningcontainer >/dev/null; then
exit 1
fi
fi
fi
exit 0" >/etc/wireguard/tunnelsats-docker-network.sh
if [ -f /etc/wireguard/tunnelsats-docker-network.sh ]; then
echo "> /etc/wireguard/tunnelsats-docker-network.sh created"
chmod +x /etc/wireguard/tunnelsats-docker-network.sh
else
echo "> ERR: /etc/wireguard/tunnelsats-docker-network.sh was not created. Please check for errors."
exit 1
fi
# run it once
if [ -f /etc/wireguard/tunnelsats-docker-network.sh ]; then
echo "> tunnelsats-docker-network.sh created, executing..."
# run
bash /etc/wireguard/tunnelsats-docker-network.sh
echo "> tunnelsats-docker-network.sh successfully executed"
echo
else
echo "> ERR: tunnelsats-docker-network.sh execution failed"
echo
exit 1
fi
# enable systemd service
# create systemd file
echo "Creating tunnelsats-docker-network.sh systemd service..."
if [ ! -f /etc/systemd/system/tunnelsats-docker-network.sh ]; then
echo "[Unit]
Description=Adding Lightning Container to the tunnel
StartLimitInterval=200
StartLimitBurst=5
[Service]
Type=oneshot
ExecStart=/bin/bash /etc/wireguard/tunnelsats-docker-network.sh
[Install]
WantedBy=multi-user.target
" >/etc/systemd/system/tunnelsats-docker-network.service
echo "[Unit]
Description=5min timer for tunnelsats-docker-network.service
[Timer]
OnBootSec=60
OnUnitActiveSec=60
Persistent=true
[Install]