From 09073df3090189c79240428ba10814a339977550 Mon Sep 17 00:00:00 2001
From: Vincent Li
Date: Tue, 24 Jun 2025 21:37:17 -0700
Subject: [PATCH] wireguard-tools: add wireguard tools backport IPFire wireguard-tools to loongfire
Signed-off-by: Vincent Li
---
 config/rootfiles/common/wireguard-tools | 4 +
 config/wireguard/wg-dynamic | 122 ++++++++++++++++++++++++
 lfs/wireguard-tools | 84 ++++++++++++++++
 make.sh | 1 +
 4 files changed, 211 insertions(+)
 create mode 100644 config/rootfiles/common/wireguard-tools
 create mode 100644 config/wireguard/wg-dynamic
 create mode 100644 lfs/wireguard-tools
diff --git a/config/rootfiles/common/wireguard-tools b/config/rootfiles/common/wireguard-tools
new file mode 100644
index 000000000..46225828d
--- /dev/null
+++ b/config/rootfiles/common/wireguard-tools
@@ -0,0 +1,4 @@
+etc/fcron.cyclic/wg-dynamic
+usr/bin/wg
+#usr/share/bash-completion/completions/wg
+#usr/share/man/man8/wg.8
diff --git a/config/wireguard/wg-dynamic b/config/wireguard/wg-dynamic
new file mode 100644
index 000000000..d67abbca2
--- /dev/null
+++ b/config/wireguard/wg-dynamic
@@ -0,0 +1,122 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2024 Michael Tremer #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+# #
+# This script tries to keep WireGuard connections with dynamic peers alive #
+# #
+# It resolves the endpoint if it is an FQDN, and if so, will check if the #
+# currently connected endpoint matches any of the resolved IP addresses. If #
+# not it will reload the WireGuard configuration in the hope that wg will #
+# update the kernel with the new IP address and the connection comes back up #
+# again. #
+# #
+###############################################################################
+
+. /etc/sysconfig/rc
+. ${rc_functions}
+
+# Fetches the first endpoint that is currently active on the given interface
+current_endpoint() {
+ local intf="${1}"
+
+ local pubkey
+ local endpoint
+
+ # List the first endpoint (are there even more than one?)
+ wg show "${intf}" endpoints | while read -r pubkey endpoint; do
+ echo "${endpoint%:*}"
+ break
+ done
+
+ return 0
+}
+
+# Resolves a hostname
+resolve() {
+ local endpoint="${1}"
+
+ dig +short "A" "${endpoint}" 2>/dev/null
+}
+
+main() {
+ local -A settings=()
+
+ # Read WireGuard settings
+ readhash settings /var/ipfire/wireguard/settings
+
+ # Do nothing if WireGuard is not enabled
+ if [ "${settings[ENABLED]}" != "on" ]; then
+ return 0
+ fi
+
+ local line
+ while IFS=',' read -r -a line; do
+ local id="${line[0]}"
+ local enabled="${line[1]}"
+ local type="${line[2]}"
+ local name="${line[3]}"
+ local endpoint="${line[7]}"
+
+ # Only process enabled net-to-net connections
+ case "${enabled},${type}" in
+ on,net)
+ ;;
+ *)
+ continue
+ ;;
+ esac
+
+ # The endpoint must be an FQDN
+ case "${endpoint}" in
+ # Ignore IP addresses
+ [0-9]*.[0-9]*.[0-9]*.[0-9]*)
+ continue
+ ;;
+
+ # Ignore if we don't know the endpoint
+ "")
+ continue
+ ;;
+ esac
+
+ local address
+ local match=0
+
+ # Fetch the current endpoint address
+ local current_address="$(current_endpoint "wg${id}")"
+
+ # Walk through all IP addresses the FQDN resolves to
+ for address in $(resolve "${endpoint}"); do
+ if [ "${current_address}" = "${address}" ]; then
+ match=1
+ break
+ fi
+ done
+
+ # If there has been no match, we have to reload everything
+ if [ "${match}" -eq 0 ]; then
+ exec /etc/init.d/wireguard reload
+ fi
+ done < /var/ipfire/wireguard/peers
+
+ return 0
+}
+
+main "$@" || exit $?
diff --git a/lfs/wireguard-tools b/lfs/wireguard-tools
new file mode 100644
index 000000000..32c04a45e
--- /dev/null
+++ b/lfs/wireguard-tools
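Review bot: A failed or empty DNS lookup is indistinguishable from a changed endpoint in the `for address in $(resolve "${endpoint}")` loop of main(): `match` stays 0 and the script goes on to `exec /etc/init.d/wireguard reload`. Because the rootfile installs the script under etc/fcron.cyclic, a resolver outage or an unresolvable name would presumably reload every tunnel on each cron run. I would capture the result first and skip the peer when the lookup did not succeed, e.g. `addresses="$(resolve "${endpoint}")" || continue` followed by `[ -n "${addresses}" ] || continue`, and then iterate over `${addresses}` (with `local addresses` declared on its own line so the exit status of dig is not masked). resolve() also asks only for A records and the literal-address pattern only matches IPv4, so a peer reached over IPv6 can never match; a comment next to resolve() stating that limitation would help.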
@@ -0,0 +1,84 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2024 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 1.0.20210914
+
+THISAPP = wireguard-tools-$(VER)
+DL_FILE = $(THISAPP).tar.xz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+# Disable wg-quick
+export WITH_WGQUICK = no
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_BLAKE2 = 89e7d79ae57f26c05b9d56752c4a8e34d2e121f6e9a3b80dace3858f62a130bab5e968e172af2aebdb1dc501dfc6b29eb1c50f728da4fc733a46c473784515b3
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+b2 : $(subst %,%_BLAKE2,$(objects))
+
+###############################################################################
+# Downloading,
checking, b2sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_BLAKE2,$(objects)) :
+ @$(B2SUM)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP)/src && make $(MAKETUNING)
+ cd $(DIR_APP)/src && make install
+
+ # Install wg-dynamic
+ install -v -m 755 $(DIR_SRC)/config/wireguard/wg-dynamic \
+ /etc/fcron.cyclic/wg-dynamic
+
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
diff --git a/make.sh b/make.sh
index 08a428493..46d16ec3f 100755
--- a/make.sh
+++ b/make.sh
@@ -2100,6 +2100,7 @@ build_system() {
 lfsmake2 xdp-tools
 lfsmake2 loxilb
 lfsmake2 loxicmd
+ lfsmake2 wireguard-tools
 lfsmake2 linux
 lfsmake2 yt6801