Update wg_manager.sh
Commits on May 4, 2021

    FIX: Suppress 'wg not installed' message when wg_manager 'init' function executes. Thanks SNB Forum member @Ubimo
    FIX: Don't append '/32' for 'peer ip=' command - user must now explicitly specify CIDR format either '/32' or '/24' etc.
    NEW: 'peer allowedips=' command 
    CHANGE: when using 'peer ip=' or 'peer allowedips=' command to alter the IP address, restart 'client' Peer if it is UP, or for a 'device' Peer, update its owner 'server' Peer 'wg2X.conf' and restart it if UP.
    FIX: Detection of Entware compatibility Thanks SNB Forums member @torson
    
Commits on May 17, 2021

    FIX: Do not allow 'device' Road-Warrior Peers 'auto=X' to be changed.
    FIX: 'peer wgxx dump' command selection typo to use correct SQL table 'client' rather than 'clients'.
    FIX: Incorrect reporting of RPDB rules for 'client' Peers, and highlight situation where RPDB rules exist but are not currently ENABLED for Peer.
    CHANGE: to DISABLE RT-AX86U flow control if ENABLED - Thanks SNB Forum member @torson
    
Commits on May 19, 2021 

    CHANGE: wg_client and wg_server will ignore IPv6 if 'NOPIPV6' is defined in '/jffs/addons/wireguard/WireguardVPN.conf'
    CHANGE: wg_client tag Selective IPSET firewall rule with comment, so 'wgm diag' will automatically include it in the firewall rule display. 
    
Commits on May 21, 2021 

    FIX: Creation of a new Road-Warrior 'device' may assign an existing VPN Pool IP already allocated to another Road-Warrior device.
    CHANGE: Display Road-Warrior 'device' SQL table by ascending IP address
    CHANGE: Creation of Road-Warrior LAN only 'device' Peer using 'createsplit xxxx' command now recognises 'peers' directive to explicitly allow any 'device' Peer to access ALL others. 

Commits on Jun 07, 2021 

    FIX: Suppress redundant 'Unable to access interface: No such device' when attempting to stop invalid Peer or category e.g. 'stop lients'
    FIX: 'wgm restart [Peer]' incorrectly calls 'wg_firewall' causing unnecessary connection disruption. Thanks SNB Forum member @torson
    
Commits on Jun 15, 2021
    
    [Test Fix: To prevent negative traffic stats, write "0,0" to SQL table 'traffic' when the 'client' Peer is terminated. (This is currently performed ONLY when the 'client' Peer is started) SNB Forum member @zebm]

Commits on Jun 16, 2021

    FIX: To prevent negative traffic stats, use expr to perform the maths operation. @ZebMcKayhan
    
Commits on Jun 22, 2021
    
    FIX: Incorrect metrics, i.e. wg_manager now creates/stores two additional values (rxtotal and txtotal) in the 'traffic' SQL table
         wg_client script now sets the rxtotal/txtotal values to '0' each time the 'client' Peer is initialised, and for temporary debugging now sets all 'traffic' table values to '*' when the 'client' Peer is terminated
    NEW: When using 'generatestats' command, rather than only silently writing the results to Syslog, also display direct to console for GUI feedback
    
Commits on Jun 25, 2021

    CHANGE: If Road-Warrior 'client' Peer has been dormant for more than 30mins then don't needlessly report obviously redundant RX=0/RX=0 metrics

Commits on Jul 25, 2021

    If a 'client' Peer is terminated before it has transferred any data, then the reported Period metrics produce errors
            expr: non-numeric argument
            [: 0: unknown operand
    - Thanks SNB Forum member @torson
Commits on Aug 15, 2021

	FIX: Screen-scraping www.snbforums.com [Experimental WireGuard] thread to retrieve the WireGuard Kernel/Userspace files created by odkrys now returns error 
		 curl: (22) The requested URL returned error: 403 Forbidden

		 As @odkrys now hosts the files on Github, it is appropriate to retrieve the file list direct from his current GitHub repository using @defung's pull request
	     see #3
		 
	CHANGE: Rather than identify the WireGuard Kernel files by position in the retrieved list (e.g. RT-AC86U assumed to be the first etc.) search retrieved list for exact router match.

Commits on Oct 9, 2021

	FIX: Allow 'auto=p' to be applied to a client if there are no Policy rules defined, but IPSET is defined - Thanks SNB Forum member @ZebMcKayhan/@the Chief
	
	CHANGE: Rather than rely on nat-start to globally set Selective Routing fwmarks (see WiKi), dynamically set them via wg_client start/stop request to preempt existing OpenVPN priority.
	
Commits on Oct 16, 2021	

	FIX: Move call to 'wg_firewall' from nat-start to firewall-start, as 3rd Party script destroys the firewall rules after boot.
	CHANGE: Retrieve RT-AC86U Wireguard modules from @ZebMcKayhan's Github repository rather than from @odkrys
MartineauUK authored Oct 16, 2021
1 parent 689d6f1 commit 6ce2ff8
Showing 1 changed file with 48 additions and 32 deletions.
80 changes: 48 additions & 32 deletions wg_manager.sh
@@ -24,7 +24,7 @@ VERSION="v4.11"
#

# Maintainer: Martineau
# Last Updated Date: 09-Oct-2021
# Last Updated Date: 16-Oct-2021
#
# Description:
#
@@ -35,6 +35,7 @@ VERSION="v4.11"
GIT_REPO="wireguard"
GITHUB_MARTINEAU="https://raw.githubusercontent.com/MartineauUK/$GIT_REPO/main"
GITHUB_MARTINEAU_DEV="https://raw.githubusercontent.com/MartineauUK/$GIT_REPO/dev"
GITHUB_ZEBMCKAYHAN="https://raw.githubusercontent.com/ZebMcKayhan/Wireguard/master" # v4.11
GITHUB_DIR=$GITHUB_MARTINEAU # default for script
CONFIG_DIR="/opt/etc/wireguard.d/" # Conform to "standards" # v2.03 @elorimer
IMPORT_DIR=$CONFIG_DIR # Allow custom Peer .config import directory v4.01
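Review bot: the new `GITHUB_ZEBMCKAYHAN="https://raw.githubusercontent.com/ZebMcKayhan/Wireguard/master"` points at branch `master`, yet every other reference to that repository in this commit fetches from `main` (`.../Wireguard/raw/main/` in `_Get_File`, `.../git/trees/main` in `Download_Modules`), and the variable itself is not used anywhere in the diff. Either reference it from those two places or drop it, and settle on a single branch name so a branch rename upstream cannot break one download path while the other keeps working.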
@@ -327,35 +328,45 @@ download_file() {
_Get_File() {

local WEBFILE=$1
local REPOSITORY_OWNER=$2
local REPOSITORY="https://github.com/odkrys/entware-makefile-for-merlin/raw/main/" # v4.11

[ "$REPOSITORY_OWNER" != "odkrys" ] && local REPOSITORY="https://github.com/ZebMcKayhan/Wireguard/raw/main/" # v4.11

[ -z "$(echo "$@" | grep "NOMSG")" ] && echo -e $cBCYA"\n\tDownloading WireGuard Kernel module ${cBWHT}'$WEBFILE'$cBCYA for $ROUTER (v$BUILDNO) @$REPOSITORY_OWNER"$cRESET

[ -z "$2" ] && echo -e $cBCYA"\n\tDownloading WireGuard Kernel module ${cBWHT}'$WEBFILE'$cBCYA for $ROUTER (v$BUILDNO)..."$cRESET
echo -e $cBGRA

curl -# -fL --retry 3 https://github.com/odkrys/entware-makefile-for-merlin/raw/main/${WEBFILE} -o ${INSTALL_DIR}${WEBFILE}
curl -# -fL --retry 3 ${REPOSITORY}${WEBFILE} -o ${INSTALL_DIR}${WEBFILE} # v4.11

return $?
}
Download_Modules() {


local ROUTER=$1
local REPOSITORY_OWNER="odkrys" # v4.11

#[ ! -d "${INSTALL_DIR}" ] && mkdir -p "${INSTALL_DIR}"

rm ${INSTALL_DIR}/*.ipk

#local WEBFILE_NAMES=$(curl -${SILENT}fL https://www.snbforums.com/threads/experimental-wireguard-for-hnd-platform-4-1-x-kernels.46164/ | grep "<a href=.*odkrys.*wireguard" | grep -oE "wireguard.*" | sed 's/\"//g' | tr '\n' ' ')
local WEBFILE_NAMES=$(curl -${SILENT}fL https://api.github.com/repos/odkrys/entware-makefile-for-merlin/git/trees/main | grep "\"path\": \"wireguard-.*\.ipk\"," | cut -d'"' -f 4 | tr '\r\n' ' ') # v4.11 @defung pull request https://github.com/MartineauUK/wireguard/pull/3

# The file list MAY NOT ALWAYS be in the correct Router Model order for the following 'case' statement?
case "$ROUTER" in

RT-AC86U|GT-AC2900) # RT-AC86U, GT-AC2900 - 4.1.27 e.g. wireguard-kernel_1.0.20210219-k27_1_aarch64-3.10.ipk
_Get_File "$(echo "$WEBFILE_NAMES" | awk '{print $1}')" # k27_1
RT-AC86U|GT-AC2900) # RT-AC86U, GT-AC2900 - 4.1.27 e.g. wireguard-kernel_1.0.20210606-k27_1_aarch64-3.10.ipk
local WEBFILE_NAMES=$(curl -${SILENT}fL https://api.github.com/repos/ZebMcKayhan/Wireguard/git/trees/main | grep "\"path\": \"wireguard-.*\.ipk\"," | cut -d'"' -f 4 | tr '\r\n' ' ') # v4.11
local REPOSITORY_OWNER="ZebMcKayhan"
_Get_File "$(echo "$WEBFILE_NAMES" | awk '{print $1}')" "$REPOSITORY_OWNER" # k27_1
;;
RT-AX88U|GT-AX11000) # RT-AX88U, GT-AX11000 - 4.1.51 e.g. wireguard-kernel_1.0.20210219-k52_1_aarch64-3.10.ipk
_Get_File "$(echo "$WEBFILE_NAMES" | awk '{print $2}')" # k51_1
_Get_File "$(echo "$WEBFILE_NAMES" | awk '{print $2}')" "$REPOSITORY_OWNER" # k51_1
;;
RT-AX68U|RT-AX86U) # RT-AX68U, RT-AX86U - 4.1.52 e.g. wireguard-kernel_1.0.20210219-k52_1_aarch64-3.10.ipk
_Get_File "$(echo "$WEBFILE_NAMES" | awk '{print $3}')" # k52_1
_Get_File "$(echo "$WEBFILE_NAMES" | awk '{print $3}')" "$REPOSITORY_OWNER" # k52_1
;;
*)
echo -e $cBRED"\a\n\t***ERROR: Unable to find WireGuard Kernel module for $ROUTER (v$BUILDNO)\n"$cRESET
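Review bot: the kernel module is still chosen by position (`awk '{print $1}'`, `$2`, `$3`) from whatever the GitHub tree API returns, even though the comment directly above the `case` admits the order is not guaranteed, and this commit now feeds the same positions from two different repositories with different file lists. Since the selected .ipk is installed as a kernel module, match on the kernel tag that the comments show in the filename (e.g. `k27_1` for RT-AC86U/GT-AC2900) rather than on position, and consider verifying a published checksum of the download: `curl -fL` only fails on an HTTP error and will otherwise hand over whatever file sits at that position. Separately, `[ "$REPOSITORY_OWNER" != "odkrys" ] && local REPOSITORY=...` silently maps every owner other than odkrys to ZebMcKayhan's repository; an explicit `case "$REPOSITORY_OWNER"` with an error branch for unknown owners is safer.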
@@ -367,16 +378,16 @@ Download_Modules() {
# * opkg_install_cmd: Cannot install package wireguard-kernel.
#
#
_Get_File "$(echo "$WEBFILE_NAMES" | awk '{print $1}')"
_Get_File "$(echo "$WEBFILE_NAMES" | awk '{print $1}')" "$REPOSITORY_OWNER"

ROUTER_COMPATIBLE="N"
;;
esac

# User Space Tools
WEBFILE=$(echo "$WEBFILE_NAMES" | awk '{print $4}')
echo -e $cBCYA"\n\tDownloading WireGuard User space Tool$cBWHT '$WEBFILE'$cBCYA for $ROUTER (v$BUILDNO)"$cRESET
_Get_File "$WEBFILE" "NOMSG"
WEBFILE=$(echo "$WEBFILE_NAMES" | awk '{print $NF}')
echo -e $cBCYA"\n\tDownloading WireGuard User space Tool$cBWHT '$WEBFILE'$cBCYA for $ROUTER (v$BUILDNO) @$REPOSITORY_OWNER"$cRESET # v4.11
_Get_File "$WEBFILE" "$REPOSITORY_OWNER" "NOMSG" # v4.11

}
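Review bot: taking the user-space tool as the last field (`$NF`) of the list has the same ordering assumption as the `$4` it replaces, and the RT-AC86U branch now swaps `WEBFILE_NAMES` for the ZebMcKayhan list, so the tool comes from a different repository on that model than on the others without any check that the file exists. Also, `_Get_File` detects the flag with `echo "$@" | grep "NOMSG"`, so a filename containing that string would silence the message; now that the flag is always the third argument, test `[ "$3" = "NOMSG" ]` instead.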
Load_UserspaceTool() {
@@ -1873,17 +1884,18 @@ Display_QRCode() {
[ "$ANS" == "y" ] && { clear; qrencode -t ANSIUTF8 < $FN; } # v1.05
fi
}
Edit_nat_start() {
# v4.11 'nat'-start references changed to 'firewall'-start
Edit_firewall_start() {

if [ "$1" != "del" ];then

[ ! -f /jffs/scripts/nat-start ] && { echo -e "#!/bin/sh\n\n" > /jffs/scripts/nat-start; chmod +x /jffs/scripts/nat-start; }
if [ -z "$(grep "WireGuard" /jffs/scripts/nat-start)" ];then
echo -e "/jffs/addons/wireguard/wg_firewall # WireGuard" >> /jffs/scripts/nat-start
[ ! -f /jffs/scripts/firewall-start ] && { echo -e "#!/bin/sh\n\n" > /jffs/scripts/firewall-start; chmod +x /jffs/scripts/firewall-start; }
if [ -z "$(grep "WireGuard" /jffs/scripts/firewall-start)" ];then
echo -e "/jffs/addons/wireguard/wg_firewall # WireGuard" >> /jffs/scripts/firewall-start
cat > /jffs/addons/wireguard/wg_firewall << EOF # v2.04
#!/bin/sh
VERSION="$TS"
# Reinstate WireGuard firewall rules by restarting WireGuard as nat-start has executed
# Reinstate WireGuard firewall rules by restarting WireGuard as firewall-start has executed
#
Get_WAN_IF_Name() {
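Review bot: the idempotency check `grep "WireGuard" /jffs/scripts/firewall-start` matches any line containing that word, including a user's own comment, which would suppress adding the hook, while the status check later in this commit uses `grep -i "wireguard"`, so the two can disagree about whether the hook is present. Match on the literal hook line `/jffs/addons/wireguard/wg_firewall` in both places. Note also that the `wg_firewall` heredoc is unquoted (`<< EOF`), so only `$TS` is meant to expand at generation time and every other `$` must stay backslash-escaped, as the edited `\$WAN_IF` lines do.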
@@ -1901,10 +1913,12 @@ Get_WAN_IF_Name() {
echo \$IF_NAME
}
WAN_IF=\$(Get_WAN_IF_Name)
logger -st "(\$(basename "\$0"))" \$\$ "Checking if WireGuard VPN Peer KILL-Switch is required....."
if [ -n "\$(grep -E "^KILLSWITCH" /jffs/addons/wireguard/WireguardVPN.conf)" ];then
iptables -D FORWARD -i br0 -o \$(nvram get wan0_ifname) -j REJECT -m comment --comment "WireGuard KILL-Switch" 2>/dev/null
iptables -I FORWARD -i br0 -o \$(nvram get wan0_ifname) -j REJECT -m comment --comment "WireGuard KILL-Switch" 2>/dev/null
iptables -D FORWARD -i br0 -o \$WAN_IF -j REJECT -m comment --comment "WireGuard KILL-Switch" 2>/dev/null
iptables -I FORWARD -i br0 -o \$WAN_IF -j REJECT -m comment --comment "WireGuard KILL-Switch" 2>/dev/null
logger -st "(\$(basename "\$0"))" \$\$ "WireGuard VPN Peer KILL-Switch ENABLED"
fi
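Review bot: `iptables -D FORWARD -i br0 -o \$WAN_IF ... 2>/dev/null` only removes a rule whose interface matches the current value, so a KILL-Switch rule inserted earlier against a different name (the previous `\$(nvram get wan0_ifname)` form on upgrade, or a changed WAN interface after failover) is left in place next to the new one and the stale one is never cleaned up. Delete by the rule comment instead, e.g. iterate over `iptables -S FORWARD | grep "WireGuard KILL-Switch"` and `-D` each match before the `-I`. The KILL-Switch is also IPv4-only; there is no `ip6tables` counterpart, so IPv6 forward traffic is not blocked when the tunnel is down.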
@@ -1918,12 +1932,12 @@ EOF

chmod +x /jffs/addons/wireguard/wg_firewall
fi
echo -e $cBCYA"\n\tnat-start updated to protect WireGuard firewall rules"$cRESET
SayT "nat-start updated to protect WireGuard firewall rules"
echo -e $cBCYA"\n\tfirewall-start updated to protect WireGuard firewall rules"$cRESET
SayT "firewall-start updated to protect WireGuard firewall rules"
else
sed -i '/WireGuard/d' /jffs/scripts/nat-start
echo -e $cBCYA"\n\tnat-start updated - no longer protecting WireGuard firewall rules"$cRESET
SayT "nat-start updated - no longer protecting WireGuard firewall rules"
sed -i '/WireGuard/d' /jffs/scripts/firewall-start # v4.11
echo -e $cBCYA"\n\tfirewall-start updated - no longer protecting WireGuard firewall rules"$cRESET
SayT "firewall-start updated - no longer protecting WireGuard firewall rules"
fi

}
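Review bot: the `del` branch runs `sed -i '/WireGuard/d' /jffs/scripts/firewall-start` unguarded, so it errors if the file does not exist and it removes every line containing `WireGuard`, not only the hook inserted by the add branch. Guard with `[ -f /jffs/scripts/firewall-start ]` and delete by the exact hook line `/jffs/addons/wireguard/wg_firewall`.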
@@ -2362,7 +2376,7 @@ EOF
echo -e $cBRED"\a\n\t***ERROR: WireGuard install FAILED!\n"$cRESETd
fi

Edit_nat_start # v1.07
Edit_firewall_start # v1.07

Edit_DNSMasq # v1.12

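Review bot: the install path now calls `Edit_firewall_start` but, unlike `Uninstall_WireGuard` and the `firewallstart` menu handler in this same commit, does not strip the legacy `WireGuard` line from `/jffs/scripts/nat-start`, so an existing installation upgraded to v4.11 keeps both hooks and `wg_firewall` runs from nat-start as well as firewall-start. Move the legacy cleanup into `Edit_firewall_start` so every caller gets it. The trailing `# v1.07` comment no longer describes this line.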
@@ -2429,7 +2443,8 @@ Uninstall_WireGuard() {

Manage_Stats "DISABLE" "disable"

Edit_nat_start "del"
[ -n "$(grep -o "WireGuard" /jffs/scripts/nat-start)" ] && sed -i '/WireGuard/d' /jffs/scripts/nat-start # v4.11 Legacy use of nat-start
Edit_firewall_start "del"

Manage_alias "del" # v1.11

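Review bot: `[ -n "$(grep -o "WireGuard" /jffs/scripts/nat-start)" ]` has no `[ -f ]` guard and no `2>/dev/null`, so on a router that never had a nat-start script the uninstall prints a grep error, and the same line is duplicated verbatim in the `firewallstart` handler below. Keep it in one place (ideally inside `Edit_firewall_start`) behind a file-existence check, and match the exact hook line rather than any line containing `WireGuard`.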
@@ -3020,7 +3035,7 @@ Display_SplashBox() {
printf '| 1 = Install WireGuard |\n'
fi
local YES_NO=" " # v2.07
[ "$EASYMENU" == "Y" ] && local YES_NO="${cBGRE} "; printf '| o1. Enable nat-start protection for Firewall rules %b %b |\n' "$YES_NO" "$cRESET"
[ "$EASYMENU" == "Y" ] && local YES_NO="${cBGRE} "; printf '| o1. Enable firewall-start protection for Firewall rules %b %b |\n' "$YES_NO" "$cRESET"
[ "$EASYMENU" == "Y" ] && local YES_NO="${cBGRE} "; printf '| o2. Enable DNS %b %b |\n' "$YES_NO" "$cRESET"
printf '| |\n'

@@ -3344,7 +3359,7 @@ Validate_User_Choice() {
getmod*) ;;
loadmod*) ;;
dns*) ;; # v2.01
natstart*) ;;
firewallstart*) ;; # v4.11
alias*) ;;
diag*) ;;
debug) ;;
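Review bot: replacing `natstart*` with `firewallstart*` means the old command is now rejected by `Validate_User_Choice`, but the status message changed later in this commit still tells the user to `use 'wgm natstart' to ENABLE`. Either keep `natstart*` as an alias of `firewallstart*` or update that message to the new command name.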
@@ -3501,10 +3516,10 @@ Process_User_Choice() {
echo -e $cRESET
DNSmasq_Listening_WireGuard_Status

if [ -z "$(grep -i "wireguard" /jffs/scripts/nat-start)" ];then # v1.11
echo -e $cBRED"\t[✖]${cBWHT} nat-start$${cBRED} is NOT monitoring WireGuard Firewall rules - ${cBWHT}use 'wgm natstart' to ENABLE\n"$cRESET
if [ -z "$(grep -i "wireguard" /jffs/scripts/firewall-start)" ];then # v1.11
echo -e $cBRED"\t[✖]${cBWHT} firewall-start$${cBRED} is NOT monitoring WireGuard Firewall rules - ${cBWHT}use 'wgm natstart' to ENABLE\n"$cRESET
else
echo -e $cBGRE"\t[✔]${cBWHT} nat-start ${cBGRE}is monitoring WireGuard Firewall rules\n"$cRESET
echo -e $cBGRE"\t[✔]${cBWHT} firewall-start ${cBGRE}is monitoring WireGuard Firewall rules\n"$cRESET
fi

if [ "$(Manage_KILL_Switch)" == "Y" ];then
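Review bot: the renamed error line keeps `firewall-start$${cBRED}`; inside double quotes `$$` expands to the shell's PID, so the console shows something like `firewall-start12345` instead of switching colour. This was already present in the nat-start version, but the rename is the moment to fix it to `firewall-start${cBRED}`.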
@@ -3557,14 +3572,15 @@ Process_User_Choice() {
;;
esac
;;
natstart*)
firewallstart*)

local ARG=
if [ "$(echo "$menu1" | wc -w)" -ge 2 ];then
local ARG="$(printf "%s" "$menu1" | cut -d' ' -f2)"
fi

Edit_nat_start "$ARG"
[ -n "$(grep -o "WireGuard" /jffs/scripts/nat-start)" ] && sed -i '/WireGuard/d' /jffs/scripts/nat-start # v4.11 Legacy use of nat-start
Edit_firewall_start "$ARG" # v4.11

;;
"-h"|help)