sync up with the upstream

This commit is contained in:
Yury Sannikov
2024-02-19 00:20:35 +03:00
parent 9bbfb83ea4
commit 616b574f6b
5 changed files with 83 additions and 43 deletions


@@ -8,14 +8,14 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=amneziawg-tools PKG_NAME:=amnezia-wg-tools
PKG_VERSION:=0.0.1-kmod PKG_VERSION:=0.0.1-kmod
PKG_RELEASE:=$(AUTORELEASE) PKG_RELEASE:=$(AUTORELEASE)
PKG_SOURCE:=v$(PKG_VERSION).tar.gz PKG_SOURCE:=v$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/amnezia-vpn/amneziawg-tools/archive/refs/tags/ PKG_SOURCE_URL:=https://github.com/amnezia-vpn/amnezia-wg-tools/archive/refs/tags/
PKG_HASH:=cc4f523f7ec171b7bb3bdd1bcf4ff2f6833364fab6cad309310a84f33eeafa9b PKG_HASH:=0d8cdf6d767700cb6d2cc895d45b1f94668663b00138627329766bb9e36d894e
PKG_LICENSE:=GPL-2.0 PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING PKG_LICENSE_FILES:=COPYING
@@ -26,7 +26,7 @@ include $(INCLUDE_DIR)/package.mk
MAKE_PATH:=src MAKE_PATH:=src
MAKE_VARS += PLATFORM=linux MAKE_VARS += PLATFORM=linux
define Package/amneziawg-tools define Package/amnezia-wg-tools
CATEGORY:=Network CATEGORY:=Network
URL:=https://www.wireguard.com URL:=https://www.wireguard.com
MAINTAINER:=Jason A. Donenfeld <Jason@zx2c4.com> MAINTAINER:=Jason A. Donenfeld <Jason@zx2c4.com>
@@ -36,7 +36,7 @@ define Package/amneziawg-tools
+@BUSYBOX_CONFIG_FEATURE_IP_LINK +@BUSYBOX_CONFIG_FEATURE_IP_LINK
endef endef
define Package/amneziawg-tools/description define Package/amnezia-wg-tools/description
WireGuard is a novel VPN that runs inside the Linux Kernel and utilizes WireGuard is a novel VPN that runs inside the Linux Kernel and utilizes
state-of-the-art cryptography. It aims to be faster, simpler, leaner, and state-of-the-art cryptography. It aims to be faster, simpler, leaner, and
more useful than IPSec, while avoiding the massive headache. It intends to more useful than IPSec, while avoiding the massive headache. It intends to
@@ -48,7 +48,7 @@ define Package/amneziawg-tools/description
`wg(8)`, a netifd protocol helper, and a re-resolve watchdog script. `wg(8)`, a netifd protocol helper, and a re-resolve watchdog script.
endef endef
define Package/amneziawg-tools/install define Package/amnezia-wg-tools/install
$(INSTALL_DIR) $(1)/usr/bin/ $(INSTALL_DIR) $(1)/usr/bin/
$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/wg $(1)/usr/bin/amneziawg $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/wg $(1)/usr/bin/amneziawg
$(INSTALL_BIN) ./files/amneziawg_watchdog $(1)/usr/bin/ $(INSTALL_BIN) ./files/amneziawg_watchdog $(1)/usr/bin/
@@ -56,4 +56,4 @@ define Package/amneziawg-tools/install
$(INSTALL_BIN) ./files/amneziawg.sh $(1)/lib/netifd/proto/ $(INSTALL_BIN) ./files/amneziawg.sh $(1)/lib/netifd/proto/
endef endef
$(eval $(call BuildPackage,amneziawg-tools)) $(eval $(call BuildPackage,amnezia-wg-tools))


@@ -33,23 +33,23 @@ proto_amneziawg_init_config() {
} }
proto_amneziawg_is_kernel_mode() { proto_amneziawg_is_kernel_mode() {
if [ ! -e /sys/module/amneziawg ]; then if [ ! -e /sys/module/amneziawg ]; then
modprobe amneziawg > /dev/null 2&>1 || true modprobe amneziawg > /dev/null 2&>1 || true
if [ -e /sys/module/amneziawg ]; then if [ -e /sys/module/amneziawg ]; then
return 0 return 0
else else
if [ ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION:-amneziawg-go}" >/dev/null ]; then if [ ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION:-amneziawg-go}" >/dev/null ]; then
ret=$? ret=$?
echo "Please install either kernel module (kmod-amneziawg package) or user-space implementation in /usr/bin/amneziawg-go." echo "Please install either kernel module (kmod-amneziawg package) or user-space implementation in /usr/bin/amneziawg-go."
exit $? exit $?
else else
return 1 return 1
fi fi
fi fi
else else
return 0 return 0
fi fi
} }
proto_amneziawg_setup_peer() { proto_amneziawg_setup_peer() {
@@ -190,13 +190,13 @@ proto_amneziawg_setup() {
config_get awg_h3 "${config}" "awg_h3" config_get awg_h3 "${config}" "awg_h3"
config_get awg_h4 "${config}" "awg_h4" config_get awg_h4 "${config}" "awg_h4"
ip link del dev "${config}" 2>/dev/null
if proto_amneziawg_is_kernel_mode; then if proto_amneziawg_is_kernel_mode; then
logger -t "amneziawg" "info: using kernel-space kmod-amneziawg for ${WG}" logger -t "amneziawg" "info: using kernel-space kmod-amneziawg for ${WG}"
ip link del dev "${config}" 2>/dev/null
ip link add dev "${config}" type amneziawg ip link add dev "${config}" type amneziawg
else else
logger -t "amneziawg" "info: using user-space amneziawg-go for ${WG}" logger -t "amneziawg" "info: using user-space amneziawg-go for ${WG}"
rm -f "/var/run/wireguard/${config}.sock"
amneziawg-go "${config}" amneziawg-go "${config}"
fi fi
@@ -245,7 +245,7 @@ proto_amneziawg_setup() {
echo "H4 = ${awg_h4}" >> "${wg_cfg}" echo "H4 = ${awg_h4}" >> "${wg_cfg}"
fi fi
config_foreach proto_amneziawg_setup_peer "wireguard_${config}" config_foreach proto_amneziawg_setup_peer "amneziawg_${config}"
# apply configuration file # apply configuration file
${WG} setconf ${config} "${wg_cfg}" ${WG} setconf ${config} "${wg_cfg}"
@@ -297,10 +297,10 @@ proto_amneziawg_teardown() {
local config="$1" local config="$1"
proto_amneziawg_check_installed proto_amneziawg_check_installed
if proto_amneziawg_is_kernel_mode; then if proto_amneziawg_is_kernel_mode; then
ip link del dev "${config}" >/dev/null 2>&1 ip link del dev "${config}" >/dev/null 2>&1
else else
rm -f /var/run/wireguard/${config}.sock rm -f /var/run/wireguard/${config}.sock
fi fi
} }
[ -n "$INCLUDE_ONLY" ] || { [ -n "$INCLUDE_ONLY" ] || {
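Review bot: proto_amneziawg_is_kernel_mode never actually probes for the userspace binary: `if [ ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION:-amneziawg-go}" >/dev/null ]` hands the words `! command -v <name>` to `[` instead of running `command -v`, and the `exit $?` two lines later reports the status of the preceding `echo`, so the function cannot fail with a non-zero code as the message implies. The modprobe line above it uses `2&>1`, which is not the stderr redirect `2>&1`; depending on the shell it either backgrounds modprobe or passes `2` as an extra argument, and in both cases creates a file named `1` in the working directory. I would write `modprobe amneziawg >/dev/null 2>&1 || true`, `if ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION:-amneziawg-go}" >/dev/null 2>&1; then` and `exit 1`, dropping the unused `ret=$?`. This hunk shows no textual difference between its old and new sides, so these lines may be carried over unchanged, but they are what runs on the new side.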


@@ -44,22 +44,24 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
pr_debug("%s: Interface created\n", dev->name); pr_debug("%s: Interface created\n", dev->name);
return ret; return ret;
@@ -475,4 +480,79 @@ @@ -475,4 +480,118 @@
unregister_random_vmfork_notifier(&vm_notifier); unregister_random_vmfork_notifier(&vm_notifier);
unregister_pm_notifier(&pm_notifier); unregister_pm_notifier(&pm_notifier);
rcu_barrier(); rcu_barrier();
+} +}
+ +
+void wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc) +int wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc)
+{ +{
+ struct wg_device *wg = netdev_priv(dev); + struct wg_device *wg = netdev_priv(dev);
+ bool a_sec_on = false; + bool a_sec_on = false;
+ int ret = 0;
+ +
+ if (!asc->advanced_security_enabled) + if (!asc->advanced_security_enabled)
+ return; + goto out;
+ +
+ if (asc->junk_packet_count < 0) { + if (asc->junk_packet_count < 0) {
+ // TODO error + net_dbg_ratelimited("%s: JunkPacketCount should be non negative\n", dev->name);
+ ret = -EINVAL;
+ } + }
+ +
+ wg->advanced_security_config.junk_packet_count = asc->junk_packet_count; + wg->advanced_security_config.junk_packet_count = asc->junk_packet_count;
@@ -77,9 +79,15 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
+ wg->advanced_security_config.junk_packet_min_size = 0; + wg->advanced_security_config.junk_packet_min_size = 0;
+ wg->advanced_security_config.junk_packet_max_size = 1; + wg->advanced_security_config.junk_packet_max_size = 1;
+ +
+ // TODO error + net_dbg_ratelimited("%s: JunkPacketMaxSize: %d; should be smaller than maxSegmentSize: %d\n",
+ dev->name, asc->junk_packet_max_size,
+ MESSAGE_MAX_SIZE);
+ ret = -EINVAL;
+ } else if (asc->junk_packet_max_size < asc->junk_packet_min_size) { + } else if (asc->junk_packet_max_size < asc->junk_packet_min_size) {
+ // TODO error + net_dbg_ratelimited("%s: maxSize: %d; should be greater than minSize: %d\n",
+ dev->name, asc->junk_packet_max_size,
+ asc->junk_packet_min_size);
+ ret = -EINVAL;
+ } else + } else
+ wg->advanced_security_config.junk_packet_max_size = asc->junk_packet_max_size; + wg->advanced_security_config.junk_packet_max_size = asc->junk_packet_max_size;
+ +
@@ -87,7 +95,10 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
+ a_sec_on = true; + a_sec_on = true;
+ +
+ if (asc->init_packet_junk_size + MESSAGE_INITIATION_SIZE >= MESSAGE_MAX_SIZE) { + if (asc->init_packet_junk_size + MESSAGE_INITIATION_SIZE >= MESSAGE_MAX_SIZE) {
+ // TODO error + net_dbg_ratelimited("%s: init header size (%d) + junkSize (%d) should be smaller than maxSegmentSize: %d\n",
+ dev->name, MESSAGE_INITIATION_SIZE,
+ asc->init_packet_junk_size, MESSAGE_MAX_SIZE);
+ ret = -EINVAL;
+ } else + } else
+ wg->advanced_security_config.init_packet_junk_size = asc->init_packet_junk_size; + wg->advanced_security_config.init_packet_junk_size = asc->init_packet_junk_size;
+ +
@@ -95,7 +106,10 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
+ a_sec_on = true; + a_sec_on = true;
+ +
+ if (asc->response_packet_junk_size + MESSAGE_RESPONSE_SIZE >= MESSAGE_MAX_SIZE) { + if (asc->response_packet_junk_size + MESSAGE_RESPONSE_SIZE >= MESSAGE_MAX_SIZE) {
+ // TODO error + net_dbg_ratelimited("%s: response header size (%d) + junkSize (%d) should be smaller than maxSegmentSize: %d\n",
+ dev->name, MESSAGE_RESPONSE_SIZE,
+ asc->response_packet_junk_size, MESSAGE_MAX_SIZE);
+ ret = -EINVAL;
+ } else + } else
+ wg->advanced_security_config.response_packet_junk_size = asc->response_packet_junk_size; + wg->advanced_security_config.response_packet_junk_size = asc->response_packet_junk_size;
+ +
@@ -122,7 +136,32 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
+ wg->advanced_security_config.transport_packet_magic_header = asc->transport_packet_magic_header; + wg->advanced_security_config.transport_packet_magic_header = asc->transport_packet_magic_header;
+ } + }
+ +
+ if (asc->init_packet_magic_header == asc->response_packet_magic_header ||
+ asc->init_packet_magic_header == asc->cookie_packet_magic_header ||
+ asc->init_packet_magic_header == asc->transport_packet_magic_header ||
+ asc->response_packet_magic_header == asc->cookie_packet_magic_header ||
+ asc->response_packet_magic_header == asc->transport_packet_magic_header ||
+ asc->cookie_packet_magic_header == asc->transport_packet_magic_header) {
+ net_dbg_ratelimited("%s: magic headers should differ; got: init:%d; recv:%d; unde:%d; tran:%d\n",
+ dev->name,
+ asc->init_packet_magic_header,
+ asc->response_packet_magic_header,
+ asc->cookie_packet_magic_header,
+ asc->transport_packet_magic_header);
+ ret = -EINVAL;
+ }
+
+ if (MESSAGE_INITIATION_SIZE + asc->init_packet_junk_size == MESSAGE_RESPONSE_SIZE + asc->response_packet_junk_size) {
+ net_dbg_ratelimited("%s: new init size:%d; and new response size:%d; should differ\n",
+ dev->name,
+ MESSAGE_INITIATION_SIZE + asc->init_packet_junk_size,
+ MESSAGE_RESPONSE_SIZE + asc->response_packet_junk_size);
+ ret = -EINVAL;
+ }
+
+ wg->advanced_security_config.advanced_security_enabled = a_sec_on; + wg->advanced_security_config.advanced_security_enabled = a_sec_on;
+out:
+ return ret;
} }
diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kconfig -x Makefile -x dkms.conf ../../linux-source-6.2.0/drivers/net/wireguard/device.h ./device.h diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kconfig -x Makefile -x dkms.conf ../../linux-source-6.2.0/drivers/net/wireguard/device.h ./device.h
--- ../../linux-source-6.2.0/drivers/net/wireguard/device.h 2023-11-10 18:10:29 --- ../../linux-source-6.2.0/drivers/net/wireguard/device.h 2023-11-10 18:10:29
@@ -159,7 +198,7 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
int wg_device_init(void); int wg_device_init(void);
void wg_device_uninit(void); void wg_device_uninit(void);
+void wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc); +int wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc);
#endif /* _WG_DEVICE_H */ #endif /* _WG_DEVICE_H */
diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kconfig -x Makefile -x dkms.conf ../../linux-source-6.2.0/drivers/net/wireguard/main.c ./main.c diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kconfig -x Makefile -x dkms.conf ../../linux-source-6.2.0/drivers/net/wireguard/main.c ./main.c
@@ -334,11 +373,13 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
if (flags & WGDEVICE_F_REPLACE_PEERS) if (flags & WGDEVICE_F_REPLACE_PEERS)
wg_peer_remove_all(wg); wg_peer_remove_all(wg);
@@ -597,10 +670,12 @@ @@ -597,10 +670,14 @@
ret = 0; ret = 0;
out: out:
+ wg_device_handle_post_config(wg->dev, asc); + if (!ret)
+ ret = wg_device_handle_post_config(wg->dev, asc);
+
mutex_unlock(&wg->device_update_lock); mutex_unlock(&wg->device_update_lock);
rtnl_unlock(); rtnl_unlock();
dev_put(wg->dev); dev_put(wg->dev);
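Review bot: wg_device_handle_post_config writes each field into wg->advanced_security_config before validation has finished, so a configuration it rejects with -EINVAL is still partly applied: junk_packet_count is stored on the line after the `junk_packet_count < 0` check sets ret, the junk sizes are reset to 0/1 when the max-size check fails, and advanced_security_enabled is assigned from a_sec_on immediately before `out:` regardless of ret. With the main.c change the error reaches userspace only after the rest of the device update has been committed, so the caller sees a failure while the device keeps running with a mixed configuration. I would stage the values in a local copy (if wg->advanced_security_config is a struct amnezia_config, as the matching field names suggest), keep the checks as written but assign into the copy, and publish it only once all checks pass, as sketched below. Minor: the labels in the magic-header message (`recv`, `unde`) do not match the field names; `init:%d; response:%d; cookie:%d; transport:%d` would read better. Parts of the function body fall between the hunks and are not visible here.
```c
int wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc)
{
	struct wg_device *wg = netdev_priv(dev);
	/* staged copy: nothing reaches wg until every check has passed */
	struct amnezia_config cfg = wg->advanced_security_config;
	bool a_sec_on = false;
	int ret = 0;

	/* … unchanged: the existing checks and messages, with each assignment
	 * targeting cfg.<field> instead of wg->advanced_security_config.<field> … */

	if (ret)
		goto out;
	cfg.advanced_security_enabled = a_sec_on;
	wg->advanced_security_config = cfg;
out:
	return ret;
}
```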


@@ -385,8 +385,6 @@ return network.registerProtocol('amneziawg', {
cancel = nodes.nextElementSibling.querySelector('.btn'), cancel = nodes.nextElementSibling.querySelector('.btn'),
config = this.parseConfig(input); config = this.parseConfig(input);
console.log(input);
if (typeof(config) == 'string') { if (typeof(config) == 'string') {
error.firstChild.data = _('Cannot parse configuration: %s').format(config); error.firstChild.data = _('Cannot parse configuration: %s').format(config);
error.style.display = 'block'; error.style.display = 'block';
@@ -748,6 +746,7 @@ return network.registerProtocol('amneziawg', {
o.createPeerConfig = function(section_id, endpoint, ips) { o.createPeerConfig = function(section_id, endpoint, ips) {
var pub = s.formvalue(s.section, 'public_key'), var pub = s.formvalue(s.section, 'public_key'),
port = s.formvalue(s.section, 'listen_port') || '51820', port = s.formvalue(s.section, 'listen_port') || '51820',
jc = s.formvalue
prv = this.section.formvalue(section_id, 'private_key'), prv = this.section.formvalue(section_id, 'private_key'),
psk = this.section.formvalue(section_id, 'preshared_key'), psk = this.section.formvalue(section_id, 'preshared_key'),
eport = this.section.formvalue(section_id, 'endpoint_port'), eport = this.section.formvalue(section_id, 'endpoint_port'),
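Review bot: The added declarator `jc = s.formvalue` in createPeerConfig is unfinished: it has neither call arguments nor the trailing comma, so jc is bound to the formvalue function itself, and because a line terminator follows, automatic semicolon insertion ends the `var` statement there and the remaining `prv = …, psk = …, eport = …` initializers become assignments to undeclared names (a ReferenceError if the file is in strict mode, implicit globals otherwise). It should read `jc = s.formvalue(s.section, '<jc option name>'),` with the option name matching the form field, which is not visible in this hunk. createPeerConfig continues past the end of the hunk and nothing shown here consumes jc, so the value also needs to be emitted into the generated peer config or the declarator dropped.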