From 6ce2ff8c55f0164c5c36b3c10c104e07fa70a0e0 Mon Sep 17 00:00:00 2001 
From: MartineauUK Date: Sat, 16 Oct 2021 10:45:48 +0100 Subject: [PATCH] Update wg_manager.sh Commits on May 4, 2021 FIX: Suppress 'wg not installed' message when wg_manager 'init' function executes. Thanks SNB Forum member @Ubimo FIX: Don't append '/32' for 'peer ip=' command - user must now explicitly specify CIDR format either '/32' or '/24' etc. NEW: 'peer allowedips=' command CHANGE: when using 'peer ip=' or peer allowedips='command to alter the IP address, restart 'client' Peer if it is UP, or for a 'device' Peer, update its owner 'server' Peer 'wg2X.conf' and restart it if UP. FIX: Detection of Entware compatibility Thanks SNB Forums member @Torson Commits on May 17, 2021 FIX: Do not allow 'device' Road-Warrior Peers 'auto=X' to be changed. FIX: 'peer wgxx dump' command selection typo to use correct SQL table 'client' rather than 'clients'. FIX: Incorrect reporting of RPDB rules for 'client' Peers, and highlight situation where RPDB rules exist but are not currently ENABLED for Peer. CHANGE: to DISABLE RT-AX86U flow control if ENABLED - Thanks SNB Forum member @Torson Commits on May 19, 2021 CHANGE: wg_client and wg_sever will ignore IPv6 if 'NOPIPV6' is defined in '/jffs/addons/wireguard/WireguardVPN.conf' CHANGE: wg_client tag Selective IPSET firewall rule with comment, so 'wgm diag' will automatically include it in the firewall rule display. Commits on May 21, 2021 FIX: Creation of a new Road-Warrior 'device' may assign an existing VPN Pool IP already allocated to another Road-Warrior device. CHANGE: Display Road-Warrior 'device' SQL table by ascending IP address CHANGE: Creation of Road-Warrior LAN only 'device' Peer using 'createsplit xxxx' command now recognises 'peers' directive to explicitly allow any 'device' Peer to access ALL others. Commits on Jun 07, 2021 FIX: Suppress redundant 'Unable to access interface: No such device' when attempting to stop invalid Peer or category e.g.
'stop lients' FIX: 'wgm restart [Peer]' incorrectly calls 'wg_firewall' causing unnecessary connection disruption. Thanks SNB Forum member @Torson Commits on Jun 15, 2021 [Test Fix: To prevent negative traffics stats, write "0,0" to SQL table 'traffic' when the 'client' Peer is terminated. (This is currently performed ONLY when the 'client' Peer is started) SNB Forum member @Zebm] Commits on Jun 16, 2021 FIX: To prevent negative traffics stats, use expr to perform the maths operation. @ZebMcKayhan Commits on Jun 22, 2021 FIX: Incorrect metrics, i.e. wg_manager now creates/stores two additional values (rxtotal and txtotal) in the 'traffic' SQL table wg_client script now sets the rxtotal/txtotal values to '0' each time the 'client' Peer is initialised, and for temporary debugging now sets all 'traffic' table values to '*' when the client' Peer is terminated NEW: When using 'generatestats' command, rather than only silently writing the results to Syslog, also display direct to console for GUI feedback Commits on Jun 25, 2021 CHANGE: If Road-Warrior 'client' Peer has been dormant for more than 30mins then don't needlessly report obviously redundant RX=0/RX=0 metrics Commits on Jul 25, 2021 If a 'client' Peer is terminated before it has transferred any data, then the reported Period metrics produces errors expr: non-numeric argument [: 0: unknown operand - Thanks SNB Forum member @Torson Commits on Aug 15, 2021 FIX: Screen-scraping www.snbforums.com [Experimental WireGuard] thread to retrieve the WireGuard Kernel/Userspace files created by odkrys now returns error curl: (22) The requested URL returned error: 403 Forbidden As @odkrys now hosts the files on Github, it is appropriate to retrieve the file list direct from his current GitHub repository using @defung's pull request see https://github.com/MartineauUK/wireguard/pull/3 CHANGE: Rather than identify the WireGuard Kernel files by position in the retrieved list (e.g. RT-AC86U assumed to be the first etc.) 
search retrieved list for exact router match. Commits on Oct 9, 2021 FIX: Allow 'auto=p' to be applied to a client if there are no Policy rules defined, but IPSET is defined - Thanks SNB Forum member @ZebMcKayhan/@The Chief CHANGE: Rather than rely on nat-start to globally set Selective Routing fwmarks (see WiKi), dynamically set them via wg_client start/stop request to preempt existing OpenVPN priority. Commits on Oct 16, 2021 FIX: Move call to 'wg_firewall' from nat-start and move to firewall-start, as 3rd Party script destroys the firewall rules after boot. CHANGE: Retrieve RT-AC86U Wireguard modules from @ZebMcKayhan's Github repository rather than from @odkrys
---
 wg_manager.sh | 80 ++++++++++++++++++++++++++++++---------------------
 1 file changed, 48 insertions(+), 32 deletions(-)
diff --git a/wg_manager.sh b/wg_manager.sh
index f27e1dc..6b4fad9 100644
--- a/wg_manager.sh
+++ b/wg_manager.sh
@@ -24,7 +24,7 @@ VERSION="v4.11"
 #
 # Maintainer: Martineau
-# Last Updated Date: 09-Oct-2021
+# Last Updated Date: 16-Oct-2021
 #
 # Description:
 #
@@ -35,6 +35,7 @@ VERSION="v4.11"
 GIT_REPO="wireguard"
 GITHUB_MARTINEAU="https://raw.githubusercontent.com/MartineauUK/$GIT_REPO/main"
 GITHUB_MARTINEAU_DEV="https://raw.githubusercontent.com/MartineauUK/$GIT_REPO/dev"
+GITHUB_ZEBMCKAYHAN="https://raw.githubusercontent.com/ZebMcKayhan/Wireguard/master" # v4.11
 GITHUB_DIR=$GITHUB_MARTINEAU # default for script
 CONFIG_DIR="/opt/etc/wireguard.d/" # Conform to "standards" # v2.03 @elorimer
 IMPORT_DIR=$CONFIG_DIR # Allow custom Peer .config import directory v4.01
@@ -327,11 +328,16 @@ download_file() {
 _Get_File() {
 local WEBFILE=$1
+ local REPOSITORY_OWNER=$2
+ local REPOSITORY="https://github.com/odkrys/entware-makefile-for-merlin/raw/main/" # v4.11
+
+ [ "$REPOSITORY_OWNER" != "odkrys" ] && local REPOSITORY="https://github.com/ZebMcKayhan/Wireguard/raw/main/" # v4.11
+
+ [ -z "$(echo "$@" | grep "NOMSG")" ] && echo -e $cBCYA"\n\tDownloading WireGuard Kernel module ${cBWHT}'$WEBFILE'$cBCYA for $ROUTER (v$BUILDNO) @$REPOSITORY_OWNER"$cRESET
- [ -z "$2" ] && echo -e $cBCYA"\n\tDownloading WireGuard Kernel module ${cBWHT}'$WEBFILE'$cBCYA for $ROUTER (v$BUILDNO)..."$cRESET
 echo -e $cBGRA
- curl -# -fL --retry 3 https://github.com/odkrys/entware-makefile-for-merlin/raw/main/${WEBFILE} -o ${INSTALL_DIR}${WEBFILE}
+ curl -# -fL --retry 3 ${REPOSITORY}${WEBFILE} -o ${INSTALL_DIR}${WEBFILE} # v4.11
 return $?
 }
@@ -339,23 +345,28 @@ Download_Modules() {
 local ROUTER=$1
+ local REPOSITORY_OWNER="odkrys" # v4.11
 #[ ! -d "${INSTALL_DIR}" ] && mkdir -p "${INSTALL_DIR}"
+ rm ${INSTALL_DIR}/*.ipk
+ #local WEBFILE_NAMES=$(curl -${SILENT}fL https://www.snbforums.com/threads/experimental-wireguard-for-hnd-platform-4-1-x-kernels.46164/ | grep " /jffs/scripts/nat-start; chmod +x /jffs/scripts/nat-start; }
- if [ -z "$(grep "WireGuard" /jffs/scripts/nat-start)" ];then
- echo -e "/jffs/addons/wireguard/wg_firewall # WireGuard" >> /jffs/scripts/nat-start
+ [ ! -f /jffs/scripts/firewall-start ] && { echo -e "#!/bin/sh\n\n" > /jffs/scripts/firewall-start; chmod +x /jffs/scripts/firewall-start; }
+ if [ -z "$(grep "WireGuard" /jffs/scripts/firewall-start)" ];then
+ echo -e "/jffs/addons/wireguard/wg_firewall # WireGuard" >> /jffs/scripts/firewall-start
 cat > /jffs/addons/wireguard/wg_firewall << EOF # v2.04
 #!/bin/sh
 VERSION="$TS"
-# Reinstate WireGuard firewall rules by restarting WireGuard as nat-start has executed
+# Reinstate WireGuard firewall rules by restarting WireGuard as firewall-start has executed
 #
 Get_WAN_IF_Name() {
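Review bot: The repository selection in `_Get_File` treats every owner other than "odkrys" as ZebMcKayhan, so any caller that still passes the old positional `NOMSG` flag as `$2` (the removed `[ -z "$2" ]` test suggests callers did) would silently fetch the module from the other repository; selecting the alternate explicitly, `[ "$REPOSITORY_OWNER" == "ZebMcKayhan" ] && local REPOSITORY="https://github.com/ZebMcKayhan/Wireguard/raw/main/"`, keeps odkrys as the default for any unexpected value. The new `REPOSITORY` hardcodes branch `main`, while `GITHUB_ZEBMCKAYHAN` added earlier in this patch points at `master` for the same repository, so one of the two is presumably wrong or unused. The downloaded `.ipk` is a kernel module that is installed without any checksum or signature check, a gap that predates this change but becomes more visible now that the source repository is switchable; pinning `REPOSITORY` to a commit or tag rather than a branch name would at least stop a later push to that branch from changing what gets installed. `${REPOSITORY}${WEBFILE}` and `${INSTALL_DIR}${WEBFILE}` are unquoted on the curl line.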
@@ -1901,10 +1913,12 @@ Get_WAN_IF_Name() {
 echo \$IF_NAME
 }
+WAN_IF=\$(Get_WAN_IF_Name)
+
 logger -st "(\$(basename "\$0"))" \$\$ "Checking if WireGuard VPN Peer KILL-Switch is required....."
 if [ -n "\$(grep -E "^KILLSWITCH" /jffs/addons/wireguard/WireguardVPN.conf)" ];then
- iptables -D FORWARD -i br0 -o \$(nvram get wan0_ifname) -j REJECT -m comment --comment "WireGuard KILL-Switch" 2>/dev/null
- iptables -I FORWARD -i br0 -o \$(nvram get wan0_ifname) -j REJECT -m comment --comment "WireGuard KILL-Switch" 2>/dev/null
+ iptables -D FORWARD -i br0 -o \$WAN_IF -j REJECT -m comment --comment "WireGuard KILL-Switch" 2>/dev/null
+ iptables -I FORWARD -i br0 -o \$WAN_IF -j REJECT -m comment --comment "WireGuard KILL-Switch" 2>/dev/null
 logger -st "(\$(basename "\$0"))" \$\$ "WireGuard VPN Peer KILL-Switch ENABLED"
 fi
@@ -1918,12 +1932,12 @@ EOF
 chmod +x /jffs/addons/wireguard/wg_firewall
 fi
- echo -e $cBCYA"\n\tnat-start updated to protect WireGuard firewall rules"$cRESET
- SayT "nat-start updated to protect WireGuard firewall rules"
+ echo -e $cBCYA"\n\tfirewall-start updated to protect WireGuard firewall rules"$cRESET
+ SayT "firewall-start updated to protect WireGuard firewall rules"
 else
- sed -i '/WireGuard/d' /jffs/scripts/nat-start
- echo -e $cBCYA"\n\tnat-start updated - no longer protecting WireGuard firewall rules"$cRESET
- SayT "nat-start updated - no longer protecting WireGuard firewall rules"
+ sed -i '/WireGuard/d' /jffs/scripts/firewall-start # v4.11
+ echo -e $cBCYA"\n\tfirewall-start updated - no longer protecting WireGuard firewall rules"$cRESET
+ SayT "firewall-start updated - no longer protecting WireGuard firewall rules"
 fi
 }
@@ -2362,7 +2376,7 @@ EOF
 echo -e $cBRED"\a\n\t***ERROR: WireGuard install FAILED!\n"$cRESETd
 fi
- Edit_nat_start # v1.07
+ Edit_firewall_start # v1.07
 Edit_DNSMasq # v1.12
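Review bot: The `WAN_IF=\$(Get_WAN_IF_Name)` assignment in the generated wg_firewall script is used unchecked, so if the lookup yields an empty string both iptables commands fail on a bad `-o` argument, the failure is hidden by `2>/dev/null`, and the script still logs "KILL-Switch ENABLED" while no REJECT rule exists. Because this rule is the fail-closed guarantee for the VPN, the ENABLED message should depend on the insert actually succeeding, and an empty interface name should be reported rather than passed on. Get_WAN_IF_Name's body starts before this hunk, so whether it can return empty is not visible here. The rewrite below keeps the heredoc escaping of the original.
```shell
WAN_IF=\$(Get_WAN_IF_Name)

# … unchanged: "Checking if WireGuard VPN Peer KILL-Switch is required" logger line …
if [ -n "\$(grep -E "^KILLSWITCH" /jffs/addons/wireguard/WireguardVPN.conf)" ];then
    if [ -z "\$WAN_IF" ];then
        logger -st "(\$(basename "\$0"))" \$\$ "WireGuard VPN Peer KILL-Switch NOT applied - WAN interface name not found"
    else
        iptables -D FORWARD -i br0 -o "\$WAN_IF" -j REJECT -m comment --comment "WireGuard KILL-Switch" 2>/dev/null
        if iptables -I FORWARD -i br0 -o "\$WAN_IF" -j REJECT -m comment --comment "WireGuard KILL-Switch";then
            logger -st "(\$(basename "\$0"))" \$\$ "WireGuard VPN Peer KILL-Switch ENABLED"
        else
            logger -st "(\$(basename "\$0"))" \$\$ "WireGuard VPN Peer KILL-Switch FAILED to install"
        fi
    fi
fi
```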
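Review bot: `sed -i '/WireGuard/d' /jffs/scripts/firewall-start` in the `else` branch removes every line of the user's firewall-start that mentions WireGuard, not only the `/jffs/addons/wireguard/wg_firewall # WireGuard` entry this function appends, so unrelated user lines that happen to contain the word are deleted as well; the same pattern is applied to nat-start by the legacy clean-up lines in `Uninstall_WireGuard` and the `firewallstart*)` menu case later in this patch. Matching the exact entry, `sed -i '\|/jffs/addons/wireguard/wg_firewall # WireGuard|d' /jffs/scripts/firewall-start`, limits the deletion to what was added. The `grep "WireGuard"` test that decides whether to append, earlier in the same function, has the mirror problem: any other mention of the word suppresses the append, so it would be more reliable with the same literal. The enclosing function starts before this hunk.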
@@ -2429,7 +2443,8 @@ Uninstall_WireGuard() {
 Manage_Stats "DISABLE" "disable"
- Edit_nat_start "del"
+ [ -n "$(grep -o "WireGuard" /jffs/scripts/nat-start)" ] && sed -i '/WireGuard/d' /jffs/scripts/nat-start # v4.11 Legacy use of nat-start
+ Edit_firewall_start "del"
 Manage_alias "del" # v1.11
@@ -3020,7 +3035,7 @@ Display_SplashBox() {
 printf '| 1 = Install WireGuard |\n'
 fi
 local YES_NO=" " # v2.07
- [ "$EASYMENU" == "Y" ] && local YES_NO="${cBGRE} "; printf '| o1. Enable nat-start protection for Firewall rules %b %b |\n' "$YES_NO" "$cRESET"
+ [ "$EASYMENU" == "Y" ] && local YES_NO="${cBGRE} "; printf '| o1. Enable firewall-start protection for Firewall rules %b %b |\n' "$YES_NO" "$cRESET"
 [ "$EASYMENU" == "Y" ] && local YES_NO="${cBGRE} "; printf '| o2. Enable DNS %b %b |\n' "$YES_NO" "$cRESET"
 printf '| |\n'
@@ -3344,7 +3359,7 @@ Validate_User_Choice() {
 getmod*) ;;
 loadmod*) ;;
 dns*) ;; # v2.01
- natstart*) ;;
+ firewallstart*) ;; # v4.11
 alias*) ;;
 diag*) ;;
 debug) ;;
@@ -3501,10 +3516,10 @@ Process_User_Choice() {
 echo -e $cRESET
 DNSmasq_Listening_WireGuard_Status
- if [ -z "$(grep -i "wireguard" /jffs/scripts/nat-start)" ];then # v1.11
- echo -e $cBRED"\t[✖]${cBWHT} nat-start$${cBRED} is NOT monitoring WireGuard Firewall rules - ${cBWHT}use 'wgm natstart' to ENABLE\n"$cRESET
+ if [ -z "$(grep -i "wireguard" /jffs/scripts/firewall-start)" ];then # v1.11
+ echo -e $cBRED"\t[✖]${cBWHT} firewall-start$${cBRED} is NOT monitoring WireGuard Firewall rules - ${cBWHT}use 'wgm natstart' to ENABLE\n"$cRESET
 else
- echo -e $cBGRE"\t[✔]${cBWHT} nat-start ${cBGRE}is monitoring WireGuard Firewall rules\n"$cRESET
+ echo -e $cBGRE"\t[✔]${cBWHT} firewall-start ${cBGRE}is monitoring WireGuard Firewall rules\n"$cRESET
 fi
 if [ "$(Manage_KILL_Switch)" == "Y" ];then
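Review bot: The new legacy clean-up line `[ -n "$(grep -o "WireGuard" /jffs/scripts/nat-start)" ] && sed -i ...` in `Uninstall_WireGuard` runs `grep` against a file that no longer has to exist now that firewall-start is the hook, so on an installation that never had a nat-start it prints "No such file or directory" to the console during uninstall; `grep -q "WireGuard" /jffs/scripts/nat-start 2>/dev/null && sed -i '/WireGuard/d' /jffs/scripts/nat-start` avoids both the noise and the unnecessary subshell. The identical line is added again in the `firewallstart*)` case of `Process_User_Choice` in the last hunk of this patch, so a small helper such as `Remove_Legacy_nat_start` would keep the two copies in step. The `# v4.11 Legacy use of nat-start` comment could also say why nat-start is still touched, e.g. `# v4.11 remove the hook left by pre-v4.11 installs, which used nat-start`.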
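Review bot: The warning text on the new `echo -e $cBRED...` line in `Process_User_Choice` still tells the user to run `'wgm natstart'` to enable protection, but this patch replaces the `natstart*)` case with `firewallstart*)` in `Validate_User_Choice` and `Process_User_Choice`, so the hint presumably names a command that is no longer accepted; it should read `use 'wgm firewallstart' to ENABLE`. The same line carries `firewall-start$${cBRED}`, where `$$` inside double quotes expands to the shell's PID rather than the colour code that was presumably intended; `firewall-start${cBRED}` fixes it. Both were carried over from the removed nat-start line, so they are pre-existing problems the rewording did not pick up.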
@@ -3557,14 +3572,15 @@ Process_User_Choice() {
 ;;
 esac
 ;;
- natstart*)
+ firewallstart*)
 local ARG=
 if [ "$(echo "$menu1" | wc -w)" -ge 2 ];then
 local ARG="$(printf "%s" "$menu1" | cut -d' ' -f2)"
 fi
- Edit_nat_start "$ARG"
+ [ -n "$(grep -o "WireGuard" /jffs/scripts/nat-start)" ] && sed -i '/WireGuard/d' /jffs/scripts/nat-start # v4.11 Legacy use of nat-start
+ Edit_firewall_start "$ARG" # v4.11
 ;;
 "-h"|help)