Added Gluon tunneldigger/L2TP related packages #978
Conversation
| local fastd_enabled = uci:get('fastd', 'mesh_vpn', 'enabled') | ||
|
|
||
| local tunneldigger_installed = util.exec('sh' , '-c', 'opkg list-installed | grep -e \'^tunneldigger\'') | ||
| local fastd_installed = util.exec('sh' , '-c', 'opkg list-installed | grep -e \'^fastd\'') |
There was a problem hiding this comment.
This will break on systems without opkg (for example the ar71xx-tiny target of the Gluon lede branch). I think testing for the existence of /usr/bin/fastd and /usr/bin/tunneldigger would be more robust.
| uci:section('network', 'interface', 'mesh_vpn', | ||
| { | ||
| ifname = 'mesh-vpn', | ||
| proto = 'batadv', |
There was a problem hiding this comment.
This is outdated, see https://github.com/freifunk-gluon/gluon/blob/master/package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd#L124 for the new mesh protocol agnostic configuration using proto gluon_mesh.
There was a problem hiding this comment.
Does this also support setting the MTU of the underlying Interface manually?
e.g.:
uci:section('network', 'interface', 'mesh_vpn',
{
ifname = 'mesh-vpn',
proto = 'gluon_mesh',
transitive = 1,
fixed_mtu = 1,
mtu = site.tunneldigger_mesh_vpn.mtu,
}
)
We set the MTU when creating the initial interface configuration and not by using the daemon.
Otherwise we would either need a patch for gluon to support this or patch tunneldigger to set the MTU based on opkg settings.
| proto = 'batadv', | ||
| mesh = 'bat0', | ||
| mesh_no_rebroadcast = 1, | ||
| mtu = site.tunneldigger_mesh_vpn.mtu, |
There was a problem hiding this comment.
How is the MAC address assigned for the tunneldigger interface?
As it can't be enabled at the same time as the fastd mesh VPN (as both use the interface name mesh-vpn), it could use the same MAC address, I think.
There was a problem hiding this comment.
L2TP uses random MAC adresses with each connection. The MAC can be changed manually but only with kernel version 3.18 and up as the support is missing in earlier kernel versions.
There is however a kernel patch which I didn't bother adding at the time:
https://www.mail-archive.com/openl2tp-users@lists.sourceforge.net/msg00060.html
| #!/bin/sh | ||
| PIDFILE=/var/run/tunneldigger.mesh-vpn.pid | ||
|
|
||
| if [ "$(uci get tunneldigger.@broker[0].enabled)" == "1" ]; then |
There was a problem hiding this comment.
== is invalid in [] expressions (but accepted by many implementations, sometimes with a warning), this should be =.
| if [ "$(pgrep tunneldigger | head -n 1)" != "$(cat $PIDFILE)" ]; then | ||
| /etc/init.d/tunneldigger restart | ||
| logger -t tunneldiger-watchdog "Daemon not running, restarted tunneldigger." | ||
| elif [ "$(batctl o |grep mesh-vpn |wc -l)" == "0" ]; then |
There was a problem hiding this comment.
Quite ugly, I wonder if we can find a nicer solution...
|
|
||
| section = uci:add('tunneldigger', 'broker') | ||
|
|
||
| uci:section('tunneldigger', 'broker', section, |
There was a problem hiding this comment.
It would be nicer to use a static section name like mesh_vpn for the broker instead of referring to it using @broker[0], so this can't collide with other tunneldigger configurations (that is, if the tunneldigger init script can handle multiple instances, which I didn't check)
There was a problem hiding this comment.
The init script only supports one instance at the time, I guess we could add the support later on but at the time I didn't want to derive too far from the original package.
| PIDFILE=/var/run/tunneldigger.mesh-vpn.pid | ||
|
|
||
| if [ "$(uci get tunneldigger.@broker[0].enabled)" == "1" ]; then | ||
| if [ "$(pgrep tunneldigger | head -n 1)" != "$(cat $PIDFILE)" ]; then |
There was a problem hiding this comment.
I guess this could be pidof tunneldigger? Again, this should probably learn to cope with multiple instances (but this can be done later).
| @@ -0,0 +1,61 @@ | |||
| #!/usr/bin/lua | |||
There was a problem hiding this comment.
All Lua scripts should be moved from files to luasrc, and GluonSrcDiet (and luadest CP) calls be added to the corresponding Makefiles, as seen in most Gluon packages.
|
I commented on a few items, I will fix the rest of the issues as soon as possible. |
|
I've updated the commit to address some of the issues. |
|
I probably missed something, but why do we need a watchdog? Is Tunneldigger that unstable? |
|
@jplitza Regarding the remaing issues:
|
|
@lcb01a Just use procd, which is able to restart a died process. |
|
@corny |
|
Hi, The PR has been updated:
I guess this should address all issues that have emerged. |
|
Hi, any update on this? :) |
| end | ||
| end | ||
|
|
||
| return M |
There was a problem hiding this comment.
This file will need to be updated for gluon-web. Doing so should be straightforward, as it is very similar to the fastd-mesh-vpn one.
|
|
||
| function M.section(form) | ||
| local msg = i18n.translate('Your internet connection can be used to establish a ' .. | ||
| 'L2TP VPN connection with other nodes. ' .. |
There was a problem hiding this comment.
I'm not sure if we want to explicitly mention "L2TP" here, as we're trying to avoid technical terms in the wizard. Unfortunately, I have no idea how to distinguish this from the fastd mesh VPN otherwise...
There was a problem hiding this comment.
I guess everyone in the freifunk community knows it by the term L2TP so sticking with it for now should be the best way. We could also use the daemon name instead but I don't know if that is any more meaningful
There was a problem hiding this comment.
i'm not sure whether there will be two vpn options or if it's even possible to build with both (fastd/l2tp)
if not, we gain nothing from mentioning the technical term L2TP (or fastd)
There was a problem hiding this comment.
thats true, but I rather not use the term "unencrypted" VPN since people falsely assume this means they are not safe from the receiving a law suit.
I can leave out the term completely and just call it VPN :)
| SECTION:=gluon | ||
| CATEGORY:=Gluon | ||
| TITLE:=Support for connecting batman-adv meshes via tunneltigger/l2tpv3 pseudowire | ||
| DEPENDS:=+gluon-core gluon-mesh-batman-adv +gluon-wan-dnsmasq +tunneldigger +iptables-mod-extra +simple-tc |
There was a problem hiding this comment.
Remove gluon-mesh-batman-adv from the depends, so the package is usable with Babel as well (as soon as we merge that).
| if need_table('tunneldigger_mesh_vpn.bandwidth_limit', nil, false) then | ||
| need_boolean('tunneldigger_mesh_vpn.bandwidth_limit.enabled', false) | ||
| need_number('tunneldigger_mesh_vpn.bandwidth_limit.ingress', false) | ||
| need_number('tunneldigger_mesh_vpn.bandwidth_limit.egress', false) |
There was a problem hiding this comment.
Please always use tabs for indentation (in the other files as well).
|
|
||
| section = uci:add('tunneldigger', 'broker') | ||
|
|
||
| uci:section('tunneldigger', 'broker', section, |
There was a problem hiding this comment.
It would be nicer to just explicitly name the section instead of using an anonymous section. You could just
uci:delete('tunneldigger', 'mesh_vpn')
uci:section('tunneldigger', 'broker', 'mesh_vpn', ...)instead of deleting all broker sections. Instead of uci:get_first you could use uci:get_bool, like we to in other scripts.
For migration from an older configuration using an anonymous section, you could use:
if not uci:get('tunneldigger', 'mesh_vpn') then
uci:delete_all('tunneldigger', 'broker')
end| ) | ||
|
|
||
| uci:save('firewall') | ||
| uci:commit('firewall') |
There was a problem hiding this comment.
Never commit UCI config in upgrade scripts, the last upgrade script will commit everything.
| if not uci:get('simple-tc', 'mesh_vpn') then | ||
| local config = { | ||
| ifname = 'mesh-vpn', | ||
| enabled = 0, |
There was a problem hiding this comment.
These 0 and 1 can be changed to false and true as well with simple-uci.
| local uci = require("simple-uci").cursor() | ||
|
|
||
|
|
||
| function file_exists(name) |
There was a problem hiding this comment.
Please use nixio.fs.access as in the other files instead of defining your own function.
| uci:set("fastd", "mesh_vpn", "enabled", enabled) | ||
| uci:save("fastd") | ||
| uci:commit("fastd") | ||
| end |
There was a problem hiding this comment.
Again, you can change enabled to use booleans, and don't commit UCI here.
| uci:save("fastd") | ||
| uci:commit("fastd") | ||
| end | ||
|
|
There was a problem hiding this comment.
One empty line too much here.
|
Hi The issues you mentioned have been adressed and verified by me. Only the terminology for the config mode isn't clear (Whether to use L2TP in the text or not). Cheers |
|
As we don't plan to support fastd and L2TP VPN in the same image (yet?), I think it's preferable to keep the texts the same and not to mention L2TP explcitly. |
|
I removed the mentioning of L2TP from the config mode package and updated the commit :) |
*gluon-config-mode-tunneldigger *gluon-mesh-vpn-tunneldigger *gluon-migrate-vpn
|
Thanks, I've just merged your changes. I ended up doing some refactoring to decrease duplication in the fastd and tunneldigger mesh VPN packages, and added the new site.conf options to the docs. I integerated the migrate-vpn script into a new gluon-mesh-vpn-core package and added support for tunneldigger to the existing gluon-config-mode-mesh-vpn package after adding your translation updates. It would be great if you could check that I didn't break anything when refactoring. |
Hi,
Recreated the PR as there were issues with empty commits.
To answer a previous question:
Tunneldigger is an alternative for Fastd without any encryption which uses Kernelspace L2TP and thus is way faster than Fastd.
gluon-config-mode-tunneldigger
gluon-mesh-vpn-tunneldigger
gluon-migrate-vpn
gluon-tunneldigger-watchdog
Cheers
Cyrus