wg-config: use ip rules instead of tungate

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2016-12-30 17:50:19 +01:00 · 2016-12-30 17:50:19 +01:00 · 87abf354f1
commit 87abf354f1
parent 09c726a72f
4 changed files with 58 additions and 108 deletions
--- a/contrib/wg-config/Makefile
+++ b/contrib/wg-config/Makefile
@ -2,12 +2,10 @@ PREFIX ?= /usr
 DESTDIR ?=
 SBINDIR ?= $(PREFIX)/sbin
 SCRIPTS := wg-config tungate
 all:
-	@echo "These are shell scripts, so there is nothing to do. Try \"make install\" instead."
+	@echo "This is a shell script, so there is nothing to do. Try \"make install\" instead."
 install:
-	@install -v -m0755 -D -t$(DESTDIR)$(SBINDIR) $(SCRIPTS)
+	@install -v -m0755 -D -t$(DESTDIR)$(SBINDIR) wg-config
 .PHONY: all install
--- a/contrib/wg-config/README
+++ b/contrib/wg-config/README
@ -43,17 +43,9 @@ options described above, and variables that may be declared in ENV_FILE:
 Additionally, ENV_FILE may define the bash functions pre_add, post_add,
 pre_del, and post_del, which will be called at their respective times.
 == Basic Example ==
-== Helper Tool ==
+This basic example might be used by a server.
 tungate is a separate utility, developed originally not explicitly for
 WireGuard, which acts as a poor man's way of ensuring 0/1 and 128/1 default
 route overrides still work with an endpoint going over the original default
 route. It's quite handy, and wg-config makes use of it for dealing with
 0.0.0.0/0 routes. At the moment it only supports IPv4, but adding IPv6
 should be pretty easy.
 == Example ==
 /etc/wireguard/wg-server.conf:
@ -83,36 +75,11 @@ Run at startup:
 Run at shutdown:
 # wg-config del wgserver0 --env-file=/etc/wireguard/wg-server.env
 == Advanced Example ==
 /etc/wireguard/wg-vpn-gateway.conf:
 	[Interface]
 	PrivateKey = 6JiA3fa+NG+x5m6aq7+lxlVaVqVf1mxK6/pDOZdNuXc=
 	[Peer]
 	PublicKey = 6NagfTu+s8+TkEKpxX7pNjJuTf4zYtoJme7iQFYIw0A=
 	AllowedIPs = 0.0.0.0/0
 	Endpoint = demo.wireguard.io:29912
 /etc/wireguard/wg-vpn-gateway.env:
 	[[ $SUBCOMMAND == add ]] && CONFIG_FILE="$(dirname "${BASH_SOURCE[0]}")/demo-vpn.conf" || true
 	ADDRESSES=( 10.200.100.2/32 )
 	post_add() {
 		printf 'nameserver 10.200.100.1' | cmd resolvconf -a "$INTERFACE" -m 0
 	}
 	post_del() {
 		cmd resolvconf -d "$INTERFACE"
 	}
 Run to flip on the VPN:
 # wg-config add wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
 The config file is not overwritten on shutdown, due to the conditional in the env file:
 # wg-config del wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
 == Single File Advanced Example ==
 This type of configuration might be desirable for a personal access gateway
 VPN, connecting to a server like in the example above.
 /etc/wireguard/wg-vpn-gateway.env:
 	CONFIG_FILE_CONTENTS="
@ -138,3 +105,36 @@ Run to flip on the VPN:
 # wg-config add wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
 Run to flip off the VPN:
 # wg-config del wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
 == Advanced Example ==
 This achieves the same as the above, but with an external file. It only sets the
 configuration file when the subcommand is add, to prevent it from being overwritten.
 The above is much simpler and probably preferred, but this example shows how powerful
 the tool can be.
 /etc/wireguard/wg-vpn-gateway.conf:
 	[Interface]
 	PrivateKey = 6JiA3fa+NG+x5m6aq7+lxlVaVqVf1mxK6/pDOZdNuXc=
 	[Peer]
 	PublicKey = 6NagfTu+s8+TkEKpxX7pNjJuTf4zYtoJme7iQFYIw0A=
 	AllowedIPs = 0.0.0.0/0
 	Endpoint = demo.wireguard.io:29912
 /etc/wireguard/wg-vpn-gateway.env:
 	[[ $SUBCOMMAND == add ]] && CONFIG_FILE="$(dirname "${BASH_SOURCE[0]}")/demo-vpn.conf" || true
 	ADDRESSES=( 10.200.100.2/32 )
 	post_add() {
 		printf 'nameserver 10.200.100.1' | cmd resolvconf -a "$INTERFACE" -m 0
 	}
 	post_del() {
 		cmd resolvconf -d "$INTERFACE"
 	}
 Run to flip on the VPN:
 # wg-config add wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
 The config file is not overwritten on shutdown, due to the conditional in the env file:
 # wg-config del wgvpn0 --env-file=/etc/wireguard/wg-vpn-gateway.env
--- a/contrib/wg-config/tungate
+++ b/contrib/wg-config/tungate
@ -1,43 +0,0 @@
 #!/bin/bash
 unwind() {
 	ip route del "$1/32" 2>/dev/null
 	exit
 }
 short_route() {
 	ip route | sed -n "s/$1 \\(.* dev [^ ]\\+\\).*/\\1/p" | head -n 1
 }
 resolve_ip() {
 	local filter='/^[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$/{p;q;}'
 	[[ $(sed -n "$filter" <<<"$1") == "$1" ]] && echo "$1" ||
 		host -t a "$1" | cut -d ' ' -f 4 | sed -n "$filter"
 }
 set_route() {
 	local default_route="$(short_route default)"
 	[[ -n $default_route ]] || { echo "[-] Could not determine default route"; return; }
 	echo "[+] Adding route for $1 to be $default_route"
 	ip route del "$1/32" 2>/dev/null
 	ip route add "$1/32" $default_route
 }
 check_loop() {
 	local ip="$(resolve_ip "$1")"
 	[[ -n $ip ]] || { echo "[-] Could not determine IP of '$1'" && return 1; }
 	echo "[+] Making sure $ip goes over the default (non-0/1,128/1) route"
 	set_route "$ip"
 	trap unwind INT TERM EXIT
 	while read -r; do
 		[[ $(short_route "$ip") != "$(short_route default)" ]] && set_route "$ip"
 	done < <(exec ip monitor route)
 }
 [[ $# -ne 1 ]] && { echo "Usage: $0 IP|HOST" >&2; exit 1; }
 [[ $UID -ne 0 ]] && exec sudo "$(readlink -f "$0")" "$@"
 check_loop "$1"
 exit $?
--- a/contrib/wg-config/wg-config
+++ b/contrib/wg-config/wg-config
@ -15,7 +15,7 @@ auto_su() {
 unwind() {
 	set +e
-	[[ -n $INTERFACE && -n $(ip link show dev "$INTERFACE" type wireguard 2>/dev/null) ]] && cmd ip link delete dev "$INTERFACE"
+	[[ -n $INTERFACE && -n $(ip link show dev "$INTERFACE" type wireguard 2>/dev/null) ]] && del_if
 	exit
 }
@ -26,6 +26,9 @@ add_if() {
 del_if() {
 	[[ -n $(ip link show dev "$INTERFACE" type wireguard 2>/dev/null) ]] || { echo "$PROGRAM: \`$INTERFACE' is not a WireGuard interface" >&2; exit 1; }
 	if [[ $(ip route show table all) =~ .*\ dev\ $INTERFACE\ table\ ([0-9]+)\ .* ]]; then
 		cmd ip rule delete table ${BASH_REMATCH[1]}
 	fi
 	cmd ip link delete dev "$INTERFACE"
 }
@ -38,23 +41,20 @@ add_addr() {
 }
 add_route() {
-	cmd ip route add "$1" dev "$INTERFACE"
+	if [[ $1 == 0.0.0.0/0 || $1 == ::/0 ]]; then
 		add_default "$1"
 	else
 		cmd ip route add "$1" dev "$INTERFACE"
 	fi
 }
 add_default() {
-	if [[ $1 == ::/0 ]]; then
+	[[ $(join <(wg show "$INTERFACE" allowed-ips) <(wg show "$INTERFACE" endpoints)) =~ .*\ ${1//./\\.}\ ([0-9.:a-f]+):[0-9]+$ ]] && local endpoint="${BASH_REMATCH[1]}"
-		echo "tungate: does not yet support IPv6, skipping ::/0" >&2
+	[[ -n $endpoint ]] || return 0
-		return 0
+	local table=51820
-	elif [[ $1 == 0.0.0.0/0 ]]; then
+	while [[ -n $(ip route show table $table) ]]; do ((table++)); done
-		local endpoint="$(join <(wg show "$INTERFACE" allowed-ips) <(wg show "$INTERFACE" endpoints) | sed -n 's/.* 0\.0\.0\.0\/0.* \([0-9.:\/a-z]\+\):[0-9]\+$/\1/p')"
+	cmd ip route add "$1" dev "$INTERFACE" table $table
-		add_route 0/1
+	cmd ip rule add not to "$endpoint" table $table
 		add_route 128/1
 		killall tungate 2>/dev/null || true
 		echo "[&] Forking \`tungate' for $endpoint to background" >&2
 		tungate "$endpoint" >/dev/null 2>&1 & disown
 		return 0
 	fi
 	return 1
 }
 set_config() {
@ -130,16 +130,12 @@ cmd_add() {
 	done
 	up_if
 	if [[ $AUTO_ROUTE -eq 1 ]]; then
-		for i in $(wg show "$INTERFACE" allowed-ips | grep -Po '(?<=[\t ])[0-9.:/a-z]+' | sort -nr -k 2 -t /); do
+		for i in $(wg show "$INTERFACE" allowed-ips | grep -Po '(?<=[\t ])[0-9.:/a-f]+' | sort -nr -k 2 -t /); do
-			if ! add_default "$i" && [[ $(ip route get "$i") != *dev\ $INTERFACE\ * ]]; then
+			[[ $(ip route get "$i" 2>/dev/null) == *dev\ $INTERFACE\ * ]] || add_route "$i"
 				add_route "$i"
 			fi
 		done
 	fi
 	for i in "${ADDITIONAL_ROUTES[@]}"; do
-		if ! add_default "$i"; then
+		add_route "$i"
 			add_route "$i"
 		fi
 	done
 	[[ $(type -t post_add) != function ]] || post_add
 	trap - INT TERM EXIT
@ -148,7 +144,6 @@ cmd_add() {
 cmd_del() {
 	auto_su
 	[[ $(type -t pre_del) != function ]] || pre_del
 	killall tungate 2>/dev/null || true
 	[[ -n $CONFIG_FILE ]] && save_config
 	del_if
        [[ $(type -t post_del) != function ]] || post_del