unetd: add WireGuard based VPN connection manager for OpenWrt

This package simplifies setting up wireguard networks on OpenWrt by a wireguard network as a JSON file, which can be shared across all participating nodes. It can be signed with an authentication key and automatically kept in sync. unetd also supports deterministically generating ipv6 addresses for each host based on the public key and storing those in a hosts file that can be used with dnsmasq. It also supports automatically creating VXLAN tunnels between multiple endpoints. Signed-off-by: Felix Fietkau <nbd@nbd.name>
2025-01-12 18:00:55 +00:00 · 2022-08-23 23:29:52 +02:00 · 2022-08-23 23:29:52 +02:00 · 104de8abe4
commit 104de8abe4
parent 09b086eeca
3 changed files with 187 additions and 0 deletions
--- a/package/network/services/unetd/Makefile
+++ b/package/network/services/unetd/Makefile
@ -0,0 +1,83 @@
+#
+# Copyright (C) 2022 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=unetd
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/unetd.git
+PKG_SOURCE_DATE:=2022-08-25
+PKG_SOURCE_VERSION:=d8220b098010041232374761fee258a8deff0865
+PKG_MIRROR_HASH:=6efced0eb451f6ac5d7facec3f45ce7f6928fae4481650ffcebf3b6434478550
+
+PKG_LICENSE:=GPL-2.0
+PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
+
+PKG_BUILD_DEPENDS:=bpf-headers
+
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+include $(INCLUDE_DIR)/bpf.mk
+include $(INCLUDE_DIR)/nls.mk
+
+define Package/unetd
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=WireGuard based VPN connection manager for OpenWrt
+  DEPENDS:=+libubox +libubus +libblobmsg-json +libnl-tiny +kmod-wireguard +libbpf $(BPF_DEPENDS)
+endef
+
+define Package/unet-cli
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=unetd +ucode +ucode-mod-fs
+  TITLE:=unetd administration command line utility
+endef
+
+TARGET_CFLAGS += \
+	-I$(STAGING_DIR)/usr/include/libnl-tiny \
+	-I$(STAGING_DIR)/usr/include
+
+CMAKE_OPTIONS += \
+	-DLIBNL_LIBS=-lnl-tiny
+
+define Build/Compile
+	$(call CompileBPF,$(PKG_BUILD_DIR)/mss-bpf.c)
+	$(call Build/Compile/Default,)
+endef
+
+define Package/unetd/conffiles
+/etc/unetd
+endef
+
+define Package/unetd/install
+	$(INSTALL_DIR) \
+		$(1)/etc/unetd \
+		$(1)/lib/bpf \
+		$(1)/etc/init.d \
+		$(1)/lib/netifd/proto \
+		$(1)/usr/sbin \
+		$(1)/usr/lib
+	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libunet.so* $(1)/usr/lib/
+	$(INSTALL_BIN) \
+		$(PKG_INSTALL_DIR)/usr/sbin/unetd \
+		$(PKG_INSTALL_DIR)/usr/sbin/unet-tool \
+		$(1)/usr/sbin/
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/mss-bpf.o $(1)/lib/bpf/mss.o
+	$(INSTALL_BIN) ./files/unetd.init $(1)/etc/init.d/unetd
+	$(INSTALL_BIN) ./files/unetd.sh $(1)/lib/netifd/proto
+endef
+
+define Package/unet-cli/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/scripts/unet-cli $(1)/usr/sbin
+endef
+
+$(eval $(call BuildPackage,unetd))
+$(eval $(call BuildPackage,unet-cli))
--- a/package/network/services/unetd/files/unetd.init
+++ b/package/network/services/unetd/files/unetd.init
@ -0,0 +1,17 @@
+#!/bin/sh /etc/rc.common
+# Copyright (c) 2022 OpenWrt.org
+
+START=19
+
+USE_PROCD=1
+PROG=/usr/sbin/unetd
+
+start_service() {
+	mkdir -p /var/run/unetd /etc/unetd
+
+	procd_open_instance
+	procd_set_param command "$PROG" -h /var/run/unetd/hosts
+	procd_set_param respawn
+	procd_set_param limits core="unlimited"
+	procd_close_instance
+}
--- a/package/network/services/unetd/files/unetd.sh
+++ b/package/network/services/unetd/files/unetd.sh
@ -0,0 +1,87 @@
+#!/bin/sh
+
+[ -x /usr/sbin/unetd ] || exit 0
+
+. /lib/functions.sh
+. /lib/functions/network.sh
+. ../netifd-proto.sh
+
+init_proto "$@"
+
+proto_unet_init_config() {
+	proto_config_add_string device
+	proto_config_add_string type
+	proto_config_add_string auth_key
+	proto_config_add_string key
+	proto_config_add_string file
+	proto_config_add_int keepalive
+	proto_config_add_string domain
+	proto_config_add_string "tunnels:list(string)"
+	proto_config_add_string "connect:list(string)"
+	no_device=1
+	available=1
+	no_proto_task=1
+}
+
+proto_unet_setup() {
+	local config="$1"
+
+	local device type key file keepalive domain tunnels
+	json_get_vars device type auth_key key file keepalive domain tunnels connect
+	device="${device:-$config}"
+
+	[ -n "$auth_key" ] && type="${type:-dynamic}"
+	[ -n "$file" ] && type="${type:-file}"
+
+	json_init
+	json_add_string name "$device"
+	json_add_string type "$type"
+	json_add_string interface "$config"
+	json_add_string auth_key "$auth_key"
+	json_add_string key "$key"
+	json_add_string file "$file"
+	[ -n "$keepalive" ] && json_add_int keepalive "$keepalive"
+	json_add_string domain "$domain"
+
+	json_add_object tunnels
+	for t in $tunnels; do
+		local ifname="${t%%=*}"
+		local service="${t#*=}"
+		[ -n "$ifname" -a -n "$service" -a "$ifname" != "$t" ] || continue
+		json_add_string "$ifname" "$service"
+	done
+	json_close_object
+
+	json_add_array auth_connect
+	for c in $connect; do
+		json_add_string "" "$c"
+	done
+	json_close_array
+
+	ip link del dev "$device" >/dev/null 2>&1
+	ip link add dev "$device" type wireguard || {
+		echo "Could not create wireguard device $device"
+		proto_setup_failed "$config"
+		exit 1
+	}
+
+	ubus call unetd network_add "$(json_dump)"
+}
+
+proto_unet_teardown() {
+	local config="$1"
+	local iface="$2"
+
+	local device
+	json_get_vars device
+	device="${device:-$iface}"
+
+	json_init
+	json_add_string name "$device"
+
+	ip link del dev "$device"
+
+	ubus call unetd network_del "$(json_dump)"
+}
+
+add_protocol unet