From a99e775a1fa207d799212b79733cee0a9a902497 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Mon, 1 Mar 2021 09:45:04 +0100 Subject: [PATCH 01/10] Remove iperf3 to use upstream version --- iperf3/Makefile | 84 ------------------------------------------------- 1 file changed, 84 deletions(-) delete mode 100644 iperf3/Makefile diff --git a/iperf3/Makefile b/iperf3/Makefile deleted file mode 100644 index b1f7dc21d..000000000 --- a/iperf3/Makefile +++ /dev/null 
@@ -1,84 +0,0 @@ -# -# Copyright (C) 2007-2010 OpenWrt.org -# Copyright (C) 2019 Ycarus (Yannick Chabanois) -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# - -include $(TOPDIR)/rules.mk - -PKG_NAME:=iperf -PKG_SOURCE_VERSION:=02a5f4755878b319f0db5ccd490daf61e6d76043 -PKG_VERSION:=3.7-$(PKG_SOURCE_VERSION) -PKG_RELEASE:=2 - -PKG_SOURCE_PROTO:=git -PKG_SOURCE_URL:=https://github.com/esnet/iperf.git - -PKG_MAINTAINER:=Yannick Chabanois -PKG_LICENSE:=BSD-3-Clause - -PKG_BUILD_PARALLEL:=1 -PKG_INSTALL:=1 - -PKG_FIXUP:=autoreconf - -include $(INCLUDE_DIR)/package.mk - -DISABLE_NLS:= - -define Package/iperf3/default - SECTION:=net - CATEGORY:=Network - TITLE:=Internet Protocol bandwidth measuring tool - URL:=https://github.com/esnet/iperf -endef - -define Package/iperf3 -$(call Package/iperf3/default) - VARIANT:=nossl -endef - -define Package/iperf3-ssl -$(call Package/iperf3/default) - TITLE+= with iperf_auth support - VARIANT:=ssl - DEPENDS:= +libopenssl -endef - -TARGET_CFLAGS += -D_GNU_SOURCE -CONFIGURE_ARGS += --disable-shared - -ifeq ($(BUILD_VARIANT),ssl) - CONFIGURE_ARGS += --with-openssl="$(STAGING_DIR)/usr" -else - CONFIGURE_ARGS += --without-openssl -endif - -MAKE_FLAGS += noinst_PROGRAMS= - -define Package/iperf3/description - Iperf is a modern alternative for measuring TCP and UDP bandwidth - performance, allowing the tuning of various parameters and - characteristics. -endef - -# autoreconf fails if the README file isn't present -define Build/Prepare - $(call Build/Prepare/Default) - touch $(PKG_BUILD_DIR)/README -endef - -define Package/iperf3/install - $(INSTALL_DIR) $(1)/usr/bin - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/iperf3 $(1)/usr/bin/ -endef - -define Package/iperf3-ssl/install - $(INSTALL_DIR) $(1)/usr/bin - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/iperf3 $(1)/usr/bin/ -endef - -$(eval $(call BuildPackage,iperf3)) -$(eval $(call BuildPackage,iperf3-ssl)) 
From 0e78dd8e1757555a97045bee3e4723b0f621beaa Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Mon, 1 Mar 2021 14:32:54 +0100 Subject: [PATCH 02/10] Remove whois to use upstream package --- whois/Makefile | 46 ---------------------------------------------- 1 file changed, 46 deletions(-) delete mode 100644 whois/Makefile diff --git a/whois/Makefile b/whois/Makefile deleted file mode 100644 index ae17cb7f7..000000000 --- a/whois/Makefile +++ /dev/null @@ -1,46 +0,0 @@ - -include $(TOPDIR)/rules.mk - -PKG_NAME:=whois -PKG_VERSION:=5.5.7 -PKG_RELEASE:=1 - -PKG_BUILD_DIR:=$(BUILD_DIR)/$(BUILD_VARIANT)/$(PKG_NAME) -PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).tar.xz -PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/main/w/whois -PKG_HASH:=3efa700dbf38d127c31b21af3176cd6e5a69f96a056be60ac1dcd13df7717393 -PKG_CAT:=xzcat - -PKG_INSTALL:=1 -PKG_BUILD_PARALLEL:=1 - -include $(INCLUDE_DIR)/package.mk - -define Package/whois - SECTION:=net - CATEGORY:=Network - TITLE:=WHOIS commandline utility - URL:=http://ftp.debian.org/debian/pool/main/w/whois - MAINTAINER:=Kihamo -endef - -define Package/whois/description - Utility to display information from WHOIS servers -endef - -define Package/whois/conffiles -/etc/whois.conf -endef - -MAKE_FLAGS += \ - prefix=$(PKG_BUILD_DIR) - -define Package/whois/install - $(INSTALL_DIR) $(1)/usr/sbin - $(INSTALL_BIN) $(PKG_BUILD_DIR)/whois $(1)/usr/sbin - $(INSTALL_DIR) $(1)/etc - $(INSTALL_DATA) $(PKG_BUILD_DIR)/whois.conf $(1)/etc/whois.conf -endef - -$(eval $(call BuildPackage,whois)) - From 2045e47c77fe9d009c3a642e2fac843dcc20a3b1 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Wed, 3 Mar 2021 11:12:55 +0100 Subject: [PATCH 03/10] Fix adding interface to bridge --- .../resources/view/network/interfaces.js | 32 +++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) 
diff --git a/luci-mod-network/htdocs/luci-static/resources/view/network/interfaces.js b/luci-mod-network/htdocs/luci-static/resources/view/network/interfaces.js index 5cd091920..9d7a219ca 100644 --- a/luci-mod-network/htdocs/luci-static/resources/view/network/interfaces.js +++ b/luci-mod-network/htdocs/luci-static/resources/view/network/interfaces.js @@ -502,7 +502,35 @@ return view.extend({ ifname_multi.optional = true; ifname_multi.network = ifc.getName(); ifname_multi.display_size = 6; - ifname_multi.write = ifname_multi.remove = function() {}; + ifname_multi.write = ifname_multi.remove = function(section_id, value) { + var old_ifnames = [], + devs = ifc.getDevices() || L.toArray(ifc.getDevice()); + + for (var i = 0; i < devs.length; i++) + old_ifnames.push(devs[i].getName()); + + var new_ifnames = L.toArray(value); + + if (!value) + new_ifnames.length = Math.max(new_ifnames.length, 1); + + old_ifnames.sort(); + new_ifnames.sort(); + + for (var i = 0; i < Math.max(old_ifnames.length, new_ifnames.length); i++) { + if (old_ifnames[i] != new_ifnames[i]) { + // backup_ifnames() + for (var j = 0; j < old_ifnames.length; j++) + ifc.deleteDevice(old_ifnames[j]); + + for (var j = 0; j < new_ifnames.length; j++) + ifc.addDevice(new_ifnames[j]); + + break; + } + } + }; + ifname_single.cfgvalue = ifname_multi.cfgvalue = function(section_id) { var devs = ifc.getDevices() || L.toArray(ifc.getDevice()), @@ -839,7 +867,7 @@ return view.extend({ else if (ifname_master.isActive('_new_')) { uci.set('network', section_id, 'type', 'macvlan'); uci.set('network', section_id, 'ifname', section_id); - uci.set('network', section_id, 'masterintf', L.toArray(ifname_multi.formvalue('_new_')).join(' ')); + uci.set('network', section_id, 'masterintf', L.toArray(ifname_master.formvalue('_new_')).join(' ')); } }).then(L.bind(m.children[0].renderMoreOptionsModal, m.children[0], nameval)); From a33b571d7b80772e5869dfe346f5c4297b6e94f4 Mon Sep 17 00:00:00 2001 
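Review bot: The `!value` branch pads `new_ifnames` to length 1, so when the field is cleared (and whenever this same function runs as `remove`, where `value` is presumably undefined) every old device is deleted and then `ifc.addDevice(undefined)` is called once; that appears to rely on addDevice rejecting a missing name, which is not visible here. A guard `if (new_ifnames[j] != null) ifc.addDevice(new_ifnames[j]);` would make the intent explicit instead. The `// backup_ifnames()` line is a leftover placeholder and should either go or become a comment on why the list is rewritten wholesale, e.g. `// device set differs from the form: drop all old devices and re-add the new list`. `ifname_single.cfgvalue` at the end of the hunk continues outside it.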
From: "Ycarus (Yannick Chabanois)" Date: Wed, 3 Mar 2021 11:27:12 +0100 Subject: [PATCH 04/10] Update Shadowsocks --- shadowsocks-libev/Makefile | 6 +-- shadowsocks-libev/patches/020-NOCRYPTO.patch | 42 ++++++++++---------- 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/shadowsocks-libev/Makefile b/shadowsocks-libev/Makefile index a7b815c4f..25f8e750c 100644 --- a/shadowsocks-libev/Makefile +++ b/shadowsocks-libev/Makefile @@ -14,12 +14,12 @@ include $(TOPDIR)/rules.mk # - check if default mode has changed from being tcp_only # PKG_NAME:=shadowsocks-libev -PKG_VERSION:=3.3.4 -PKG_RELEASE:=1 +PKG_VERSION:=3.3.5 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION) -PKG_HASH:=fce47a956fad0c30def9c71821bcec450a40d3f881548e31e66cedf262b89eb1 +PKG_HASH:=cfc8eded35360f4b67e18dc447b0c00cddb29cc57a3cec48b135e5fb87433488 PKG_MAINTAINER:=Ycarus (Yannick Chabanois) diff --git a/shadowsocks-libev/patches/020-NOCRYPTO.patch b/shadowsocks-libev/patches/020-NOCRYPTO.patch index ae64a50f0..fbe0cc883 100644 --- a/shadowsocks-libev/patches/020-NOCRYPTO.patch +++ b/shadowsocks-libev/patches/020-NOCRYPTO.patch 
@@ -40,8 +40,8 @@ index 0186ccc4..57fa318b 100644 { local cur prev opts ciphers opts='-s -p -l -k -m -a -f -t -c -n -i -b -u -U -v -h --reuse-port --fast-open --acl --mtu --mptcp --no-delay --key --plugin --plugin-opts --help' -- ciphers='rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' -+ ciphers='none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' +- ciphers='rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' ++ ciphers='none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' cur=${COMP_WORDS[COMP_CWORD]} prev="${COMP_WORDS[COMP_CWORD-1]}" case "$prev" in 
@@ -53,8 +53,8 @@ index d3168a3b..de13c9e9 100644 { local cur prev opts ciphers opts='-s -p -l -k -m -a -f -t -c -n -i -b -u -U -v -h --reuse-port --manager-address --executable --mtu --mptcp --plugin --plugin-opts --help' -- ciphers='rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' -+ ciphers='none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' +- ciphers='rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' ++ ciphers='none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' cur=${COMP_WORDS[COMP_CWORD]} prev="${COMP_WORDS[COMP_CWORD-1]}" case "$prev" in @@ -65,9 +65,9 @@ index 9a14efe8..fdc7b21e 100644 
@@ -2,7 +2,7 @@ _ss_redir() { local cur prev opts ciphers - opts='-s -p -l -k -m -a -f -t -c -n -b -u -U -v -h --reuse-port --mtu --mptcp --key --plugin --plugin-opts --help' -- ciphers='rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' -+ ciphers='none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' + opts='-s -p -l -k -m -a -f -t -c -n -b -u -U -T -v -h --reuse-port --mtu --mptcp --key --plugin --plugin-opts --help' +- ciphers='rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' ++ ciphers='none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' cur=${COMP_WORDS[COMP_CWORD]} prev="${COMP_WORDS[COMP_CWORD-1]}" case "$prev" in 
@@ -80,9 +80,9 @@ index cec983ce..d8f3c298 100644 { local cur prev opts ciphers - opts='-s -p -l -k -m -a -f -t -c -n -i -b -u -U -6 -d -v -h --reuse-port --fast-open --acl --manager-address --mtu --mptcp --no-delay --key --plugin --plugin-opts --help' -- ciphers='rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' +- ciphers='rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' + opts='-s -p -l -k -m -a -f -t -c -n -i -b -u -U -6 -d -v -h --reuse-port --fast-open --acl --manager-address --mtu --mptcp --key --plugin --plugin-opts --help' -+ ciphers='none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' ++ ciphers='none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' COMPREPLY=() cur=${COMP_WORDS[COMP_CWORD]} prev="${COMP_WORDS[COMP_CWORD-1]}" 
@@ -94,8 +94,8 @@ index 707dc7a9..2e119098 100644 { local cur prev opts ciphers opts='-s -p -l -k -m -a -f -t -c -n -i -b -u -U -L -v -h --reuse-port --mtu --mptcp --key --plugin --plugin-opts --help' -- ciphers='rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' -+ ciphers='none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' +- ciphers='rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' ++ ciphers='none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf' cur=${COMP_WORDS[COMP_CWORD]} prev="${COMP_WORDS[COMP_CWORD-1]}" compopt +o nospace 
@@ -107,8 +107,8 @@ index c56ed521..8b12b767 100644 #compdef ss-local local ciphers --ciphers='(rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' -+ciphers='(none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' +-ciphers='(rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' ++ciphers='(none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' _arguments "-h::" \ "-s:server host:_hosts" \ 
@@ -120,8 +120,8 @@ index 3e65f6c8..66c101a1 100644 #compdef ss-manager local ciphers --ciphers='(rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' -+ciphers='(none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' +-ciphers='(rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' ++ciphers='(none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' _arguments "-h::" \ "-s:server host:_hosts" \ 
@@ -133,8 +133,8 @@ index 4f3b065e..6ef867f3 100644 #compdef ss-redir local ciphers --ciphers='(rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' -+ciphers='(none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' +-ciphers='(rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' ++ciphers='(none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' _arguments "-h::" \ "-s:server host:_hosts" \ 
@@ -146,8 +146,8 @@ index 8d9f4316..76bae33c 100644 #compdef ss-server local ciphers --ciphers='(rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' -+ciphers='(none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' +-ciphers='(rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' ++ciphers='(none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' _arguments "-h::" \ "-s:server host:_hosts" \ 
@@ -159,8 +159,8 @@ index 5a269900..248451f9 100644 #compdef ss-tunnel local ciphers --ciphers='(rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' -+ciphers='(none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' +-ciphers='(rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' ++ciphers='(none rc4-md5 aes-128-gcm aes-192-gcm aes-256-gcm aes-128-cfb aes-192-cfb aes-256-cfb aes-128-ctr aes-192-ctr aes-256-ctr camellia-128-cfb camellia-192-cfb camellia-256-cfb bf-cfb chacha20-ietf-poly1305 xchacha20-ietf-poly1305 salsa20 chacha20 chacha20-ietf)' _arguments "-h::" \ "-s:server host:_hosts" \ From b18f13c72114b5456159602e8470ea82756577cd Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Wed, 3 Mar 2021 11:28:08 +0100 Subject: [PATCH 05/10] Remove masquerade --- .../files/etc/uci-defaults/1980-omr-firewall | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/openmptcprouter/files/etc/uci-defaults/1980-omr-firewall b/openmptcprouter/files/etc/uci-defaults/1980-omr-firewall index 2bd9ba5d3..a4483f94e 100755 --- a/openmptcprouter/files/etc/uci-defaults/1980-omr-firewall +++ b/openmptcprouter/files/etc/uci-defaults/1980-omr-firewall 
@@ -105,14 +105,14 @@ if [ "$(uci -q show firewall | grep ICMPv6-Lan-to-OMR)" = "" ]; then commit firewall EOF fi -uci -q batch <<-EOF >/dev/null - del_list firewall.zone_wan.masq_dest='!10.0.0.0/8' - del_list firewall.zone_wan.masq_dest='!172.16.0.0/12' - del_list firewall.zone_wan.masq_dest='!192.168.0.0/16' - add_list firewall.zone_wan.masq_dest='!10.0.0.0/8' - add_list firewall.zone_wan.masq_dest='!172.16.0.0/12' - add_list firewall.zone_wan.masq_dest='!192.168.0.0/16' -EOF +#uci -q batch <<-EOF >/dev/null +# del_list firewall.zone_wan.masq_dest='!10.0.0.0/8' +# del_list firewall.zone_wan.masq_dest='!172.16.0.0/12' +# del_list firewall.zone_wan.masq_dest='!192.168.0.0/16' +# add_list firewall.zone_wan.masq_dest='!10.0.0.0/8' +# add_list firewall.zone_wan.masq_dest='!172.16.0.0/12' +# add_list firewall.zone_wan.masq_dest='!192.168.0.0/16' +#EOF if [ "$(ubus call system board | jsonfilter -e '@.board_name')" = "bananapi,bpi-r2" ] || [ "$(ubus call system board | jsonfilter -e '@.board_name' | grep -i wrt)" != "" ]; then uci -q batch <<-EOF >/dev/null set firewall.@defaults[0].flow_offloading='1' From 585a3ccfa73a9b41adb9c1fd900e322dcd4773e0 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Wed, 3 Mar 2021 11:28:36 +0100 Subject: [PATCH 06/10] Enable DNSSEC by default --- openmptcprouter/files/etc/uci-defaults/1940-omr-dns | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openmptcprouter/files/etc/uci-defaults/1940-omr-dns b/openmptcprouter/files/etc/uci-defaults/1940-omr-dns index e66213732..7afa1e92e 100755 --- a/openmptcprouter/files/etc/uci-defaults/1940-omr-dns +++ b/openmptcprouter/files/etc/uci-defaults/1940-omr-dns @@ -6,6 +6,8 @@ if [ "$(uci -q get openmptcprouter.latest_versions)" = "" ]; then set unbound.@unbound[-1].protocol="ip4_only" set unbound.@unbound[-1].enabled=1 set unbound.@unbound[-1].recursion="aggressive" + set unbound.@unbound[-1].validator='1' + set unbound.@unbound[-1].validator_ntp='1' commit unbound EOF fi 
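Review bot: Commenting out the whole block also removes the `del_list firewall.zone_wan.masq_dest=...` lines, so routers provisioned by an earlier version keep the three `!10.0.0.0/8`, `!172.16.0.0/12`, `!192.168.0.0/16` masq_dest entries while fresh installs get none, and the two populations now masquerade differently. If the intent is to stop excluding private destinations everywhere, keep the `del_list` lines active and drop only the `add_list` ones; if the intent is only to stop re-adding them, a one-line comment saying so would help the next reader. In either case deleting the block is preferable to leaving it commented out, since git keeps the history.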
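Review bot: Both unbound settings in this hunk and the `set dhcp.@dnsmasq[-1].dnssec='1'` line in the next hunk sit inside the `if [ "$(uci -q get openmptcprouter.latest_versions)" = "" ]` first-run guard shown in the hunk header, so "enable by default" applies to fresh installs only and upgraded routers keep validation off. If upgrades should also get it, a separate idempotent step keyed on the option being unset is needed, e.g. `[ -z "$(uci -q get unbound.@unbound[-1].validator)" ] && uci -q set unbound.@unbound[-1].validator='1'`. Note also that dnsmasq now validates in front of unbound, which validates as well; `validator_ntp='1'` covers unbound's dependency on a correct clock at boot, and it is worth confirming that the dnsmasq side tolerates an unsynced clock on devices without an RTC before this ships.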
@@ -13,6 +15,7 @@ if [ "$(uci -q get openmptcprouter.latest_versions)" = "" ]; then uci -q batch <<-EOF >/dev/null add_list dhcp.@dnsmasq[-1].server="127.0.0.1#5353" add_list dhcp.@dnsmasq[-1].server="/lan/" + set dhcp.@dnsmasq[-1].dnssec='1' commit dhcp EOF fi From 4949749b557a43ba3b42563e25db39ef077298f6 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Wed, 3 Mar 2021 11:30:23 +0100 Subject: [PATCH 07/10] Add MPTCP over Wireguard VPN support --- .../luasrc/controller/openmptcprouter.lua | 5 + .../luasrc/view/openmptcprouter/wizard.htm | 17 ++ openmptcprouter-full/Makefile | 3 +- openmptcprouter/files/etc/init.d/mptcpovervpn | 148 +++++++++++++----- .../files/etc/init.d/openmptcprouter-vps | 57 ++++++- 5 files changed, 189 insertions(+), 41 deletions(-) diff --git a/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua b/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua index d67470a09..690045e88 100644 --- a/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua +++ b/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua @@ -497,6 +497,11 @@ function wizard_add() ucic:save("openmptcprouter") end + -- Get VPN used for MPTCP over VPN + local mptcpovervpn_vpn = luci.http.formvalue("mptcpovervpn_vpn") or "wireguard" + ucic:set("openmptcprouter","settings","mptcpovervpn",mptcpovervpn_vpn) + ucic:save("openmptcprouter") + -- Get Proxy set by default local default_proxy = luci.http.formvalue("default_proxy") or "shadowsocks" if default_proxy == "shadowsocks" and serversnb > 0 and serversnb > disablednb then diff --git a/luci-app-openmptcprouter/luasrc/view/openmptcprouter/wizard.htm b/luci-app-openmptcprouter/luasrc/view/openmptcprouter/wizard.htm index 02e20ebad..f5f028568 100644 --- a/luci-app-openmptcprouter/luasrc/view/openmptcprouter/wizard.htm +++ b/luci-app-openmptcprouter/luasrc/view/openmptcprouter/wizard.htm @@ -365,6 +365,23 @@ +
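Review bot: `mptcpovervpn_vpn` is taken straight from the HTTP form and written to `openmptcprouter.settings.mptcpovervpn` without being checked against the values the init script understands (`openvpn` and `wireguard`), whereas the lines just below at least compare `default_proxy` against known names before acting on it. Restrict it before saving: `if mptcpovervpn_vpn ~= "openvpn" and mptcpovervpn_vpn ~= "wireguard" then mptcpovervpn_vpn = "wireguard" end`. `wizard_add()` starts and ends outside this hunk.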
+ <%:MPTCP over VPN settings%> +
<%:MPTCP over VPN should be used only when Multipath TCP is blocked on a connection.%>
+
+ +
+ +
+
+ <%:Set VPN to use for MPTCP over VPN.%> +
+
+
+

diff --git a/openmptcprouter-full/Makefile b/openmptcprouter-full/Makefile index f5b008643..2c844f62d 100644 --- a/openmptcprouter-full/Makefile +++ b/openmptcprouter-full/Makefile @@ -81,7 +81,8 @@ MY_DEPENDS := \ !TARGET_mvebu:luci-proto-qmi wpad-basic kmod-mt7601u kmod-rtl8187 \ luci-app-mlvpn mlvpn 464xlat !TARGET_mvebu:kmod-usb-net-smsc75xx kmod-zram kmod-swconfig swconfig kmod-ipt-nat kmod-ipt-nat6 luci-app-https-dns-proxy kmod-tcp-nanqinlang (TARGET_x86_64||aarch64):kmod-tcp-bbr2 iptables-mod-ipopt igmpproxy ss iptraf-ng \ luci-app-acl block-mount blockd fstools luci-app-shutdown libwebp luci-proto-gre tcptraceroute luci-proto-mbim kmod-rtl8xxxu kmod-ath9k-htc luci-app-ttyd luci-mod-dashboard (TARGET_x86||TARGET_x86_64):rtl8192eu-firmware kmod-usb2 libustream-wolfssl (TARGET_x86||TARGET_x86_64):kmod-ixgbevf \ - hwinfo (TARGET_x86||TARGET_x86_64):dmidecode luci-app-packet-capture kmod-bonding luci-proto-bonding luci-app-sysupgrade + hwinfo (TARGET_x86||TARGET_x86_64):dmidecode luci-app-packet-capture kmod-bonding luci-proto-bonding luci-app-sysupgrade \ + luci-theme-openwrt-2020 luci-proto-wireguard luci-app-wireguard # luci-theme-bootstrap luci-theme-openwrt-2020 luci-theme-openwrt luci-app-status # luci-proto-bonding luci-app-statistics luci-proto-gre # softethervpn5-client softethervpn5-server luci-app-nginx-ha diff --git a/openmptcprouter/files/etc/init.d/mptcpovervpn b/openmptcprouter/files/etc/init.d/mptcpovervpn index a2f7d97e4..4f2825e47 100755 --- a/openmptcprouter/files/etc/init.d/mptcpovervpn +++ b/openmptcprouter/files/etc/init.d/mptcpovervpn @@ -9,7 +9,10 @@ } _getremoteip() { - [ "$(uci -q get openmptcprouter.$1.master)" = "1" ] && remoteip=$(uci -q get openmptcprouter.$1.ip | awk '{print $1}') + [ "$(uci -q get openmptcprouter.$1.master)" = "1" ] && { + remoteip=$(uci -q get openmptcprouter.$1.ip | awk '{print $1}') + wg_server_key=$(uci -q get openmptcprouter.$1.wgkey) + } } mptcp_over_vpn() { 
@@ -20,19 +23,22 @@ mptcp_over_vpn() { uci -q batch <<-EOF >/dev/null delete openmptcprouter.${interface} delete network.ovpn${interface} + delete network.wg${interface} delete openvpn.${interface} commit openvpn delete openmptcprouter.${interface} delete openmptcprouter.ovpn${interface} + delete openmptcprouter.wg${interface} commit openmptcprouter commit network del_list firewall.zone_vpn.network="ovpn${interface}" + del_list firewall.zone_vpn.network="wg${interface}" commit firewall EOF return fi nbintfvpn=$(($nbintfvpn+1)) - if [ "$(uci -q get network.ovpn${interface})" = "" ]; then + if [ "$(uci -q get network.ovpn${interface})" = "" ] && [ "$vpn" = "openvpn" ]; then logger -t "MPTCPoverVPN" "Enable MPTCP over VPN for ${interface}" id=$(uci -q get network.${interface}.metric) remoteip="" 
@@ -43,42 +49,108 @@ mptcp_over_vpn() { [ -n "$(uci -q get openmptcprouter.ovpn${interface}.multipath)" ] && multipath=$(uci -q get openmptcprouter.ovpn${interface}.multipath) [ -z "$multipath" ] && multipath="on" uci -q batch <<-EOF >/dev/null - set network.ovpn${interface}=interface - set network.ovpn${interface}.ifname="tun${id}" - set network.ovpn${interface}.defaultroute='0' - set network.ovpn${interface}.peerdns='0' - set network.ovpn${interface}.proto='none' - set network.ovpn${interface}.ip4table='wan' - set network.ovpn${interface}.multipath="${multipath}" - set network.${interface}.multipath='off' - commit network - set openvpn.${interface}=openvpn - set openvpn.${interface}.dev="tun${id}" - set openvpn.${interface}.cipher='AES-256-CBC' - set openvpn.${interface}.port='65301' - set openvpn.${interface}.remote="${remoteip}" - set openvpn.${interface}.local="${localip}" - set openvpn.${interface}.lport='0' - set openvpn.${interface}.ncp_disable='1' - set openvpn.${interface}.auth_nocache='1' - set openvpn.${interface}.proto='udp' - set openvpn.${interface}.client='1' - set openvpn.${interface}.enabled='1' - set openvpn.${interface}.allow_recursive_routing='1' - set openvpn.${interface}.key='/etc/luci-uploads/client.key' - set openvpn.${interface}.cert='/etc/luci-uploads/client.crt' - set openvpn.${interface}.ca='/etc/luci-uploads/ca.crt' - commit openvpn - set openmptcprouter.${interface}.multipath="off" - set openmptcprouter.${interface}.multipathvpn="1" - set openmptcprouter.ovpn${interface}="interface" - set openmptcprouter.ovpn${interface}.multipath="${multipath}" - set openmptcprouter.ovpn${interface}.vpn="1" - set openmptcprouter.ovpn${interface}.baseintf="${interface}" + delete network.wg${interface} + delete openmptcprouter.wg${interface} commit openmptcprouter - add_list firewall.zone_vpn.network="ovpn${interface}" + commit network + del_list firewall.zone_vpn.network="wg${interface}" commit firewall EOF + + uci -q batch <<-EOF >/dev/null + set 
network.ovpn${interface}=interface + set network.ovpn${interface}.ifname="tun${id}" + set network.ovpn${interface}.defaultroute='0' + set network.ovpn${interface}.peerdns='0' + set network.ovpn${interface}.proto='none' + set network.ovpn${interface}.ip4table='wan' + set network.ovpn${interface}.multipath="${multipath}" + set network.${interface}.multipath='off' + commit network + set openvpn.${interface}=openvpn + set openvpn.${interface}.dev="tun${id}" + set openvpn.${interface}.cipher='AES-256-CBC' + set openvpn.${interface}.port='65301' + set openvpn.${interface}.remote="${remoteip}" + set openvpn.${interface}.local="${localip}" + set openvpn.${interface}.lport='0' + set openvpn.${interface}.ncp_disable='1' + set openvpn.${interface}.auth_nocache='1' + set openvpn.${interface}.proto='udp' + set openvpn.${interface}.client='1' + set openvpn.${interface}.enabled='1' + set openvpn.${interface}.allow_recursive_routing='1' + set openvpn.${interface}.key='/etc/luci-uploads/client.key' + set openvpn.${interface}.cert='/etc/luci-uploads/client.crt' + set openvpn.${interface}.ca='/etc/luci-uploads/ca.crt' + commit openvpn + set openmptcprouter.${interface}.multipath="off" + set openmptcprouter.${interface}.multipathvpn="1" + set openmptcprouter.ovpn${interface}="interface" + set openmptcprouter.ovpn${interface}.multipath="${multipath}" + set openmptcprouter.ovpn${interface}.vpn="1" + set openmptcprouter.ovpn${interface}.baseintf="${interface}" + commit openmptcprouter + add_list firewall.zone_vpn.network="ovpn${interface}" + commit firewall + EOF + elif [ "$(uci -q get network.wg${interface})" = "" ] && [ "$vpn" = "wireguard" ]; then + logger -t "MPTCPoverVPN" "Enable MPTCP over VPN for ${interface}" + id=$(uci -q get network.${interface}.metric) + remoteip="" + wg_server_key="" + config_load openmptcprouter + config_foreach _getremoteip server + metric=$(uci -q get network.${interface}.metric) + [ -z "$(uci -q get openmptcprouter.wg${interface}.multipath)" ] && 
multipath=$(uci -q get network.${interface}.multipath) + [ -n "$(uci -q get openmptcprouter.wg${interface}.multipath)" ] && multipath=$(uci -q get openmptcprouter.wg${interface}.multipath) + [ -z "$multipath" ] && multipath="on" + private_key=$(wg genkey | tr -d "\n") + public_key=$(echo $private_key | wg pubkey | tr -d "\n") + uci -q batch <<-EOF >/dev/null + delete network.ovpn${interface} + delete openvpn.${interface} + commit openvpn + delete openmptcprouter.ovpn${interface} + commit openmptcprouter + commit network + del_list firewall.zone_vpn.network="ovpn${interface}" + commit firewall + EOF + + uci -q batch <<-EOF >/dev/null + set network.wg${interface}=interface + set network.wg${interface}.nohostroute='1' + set network.wg${interface}.proto='wireguard' + set network.wg${interface}.fwmark="0x539${metric}" + del_list network.wg${interface}.addresses + add_list network.wg${interface}.addresses='10.255.247.${metric}/24' + set network.wg${interface}.private_key="${private_key}" + set network.wg${interface}.gateway="10.255.247.1" + set network.wg${interface}.public_key="${public_key}" + set network.wg${interface}.multipath="${multipath}" + set network.${interface}.multipath='off' + add network wireguard_wg${interface} + set network.@wireguard_wg${interface}[0]=wireguard_wg${interface} + set network.@wireguard_wg${interface}[0].description="Wireguard on ${interface}" + set network.@wireguard_wg${interface}[0].endpoint_host="${remoteip}" + set network.@wireguard_wg${interface}[0].endpoint_port="65311" + set network.@wireguard_wg${interface}[0].persistent_keepalive="28" + del_list network.@wireguard_wg${interface}[0].allowed_ips + add_list network.@wireguard_wg${interface}[0].allowed_ips="0.0.0.0/0" + set network.@wireguard_wg${interface}[0].public_key="${wg_server_key}" + commit network + set openmptcprouter.${interface}.multipath="off" + set openmptcprouter.${interface}.multipathvpn="1" + set openmptcprouter.wg${interface}="interface" + set 
openmptcprouter.wg${interface}.multipath="${multipath}" + set openmptcprouter.wg${interface}.vpn="1" + set openmptcprouter.wg${interface}.baseintf="${interface}" + commit openmptcprouter + add_list firewall.zone_vpn.network="wg${interface}" + commit firewall + EOF + ubus call network reload 2>&1 >/dev/null else uci -q batch <<-EOF >/dev/null set network.${interface}.multipath='off' @@ -92,6 +164,7 @@ mptcp_over_vpn() { multipath=$(uci -q get openmptcprouter.ovpn${interface}.multipath) [ -z "$multipath" ] && multipath="on" uci -q batch <<-EOF >/dev/null + delete network.wg${interface} delete network.ovpn${interface} delete openvpn.${interface} commit openvpn @@ -99,13 +172,16 @@ mptcp_over_vpn() { set network.${interface}.multipath="${multipath}" set openmptcprouter.${interface}.multipathvpn="0" delete openmptcprouter.ovpn${interface} + delete openmptcprouter.wg${interface} commit openmptcprouter commit network del_list firewall.zone_vpn.network="ovpn${interface}" + del_list firewall.zone_vpn.network="wg${interface}" commit firewall EOF elif [ "$(uci -q get openmptcprouter.${interface}.vpn)" = "1" ]; then intf="$(echo ${interface} | sed 's/ovpn//g')" + [ "$intf" = "$interface" ] && intf="$(echo ${interface} | sed 's/wg//g')" if [ -n "$intf" ] && [ "$intf" != "$interface" ] && [ "$(uci -q get network.${intf})" = "" ]; then uci -q batch <<-EOF >/dev/null delete network.${interface} @@ -126,6 +202,8 @@ start_service() { nbintf=0 nbintfvpn=0 + vpn="$(uci -q get openmptcprouter.settings.mptcpovervpn)" + [ -z "$vpn" ] && vpn="openvpn" config_load openmptcprouter config_foreach mptcp_over_vpn interface if [ "$nbintf" = "$nbintfvpn" ] && [ "$nbintf" != "0" ]; then diff --git a/openmptcprouter/files/etc/init.d/openmptcprouter-vps b/openmptcprouter/files/etc/init.d/openmptcprouter-vps index 265446b56..f5e2c977e 100755 --- a/openmptcprouter/files/etc/init.d/openmptcprouter-vps +++ b/openmptcprouter/files/etc/init.d/openmptcprouter-vps 
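Review bot: The WireGuard branch commits the peer with `public_key="${wg_server_key}"` and `endpoint_host="${remoteip}"` without checking that either is non-empty, and because the branch only runs while `network.wg${interface}` is unset, a first pass before the VPS has reported `wgkey` (stored by `_set_config_from_vps` later in this series) leaves a permanently keyless peer that no later run repairs. Bail out before the second `uci batch`: `if [ -z "$wg_server_key" ] || [ -z "$remoteip" ]; then logger -t "MPTCPoverVPN" "No WireGuard server key or IP for ${interface}"; return; fi`. The `set network.@wireguard_wg${interface}[0]=wireguard_wg${interface}` line right after `add network wireguard_wg${interface}` re-assigns the type that `add` already gave the section and can be dropped. The hunk starts inside `mptcp_over_vpn()`, whose body continues outside it.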
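Review bot: `sed 's/wg//g'` strips every occurrence of `wg` from the section name, not just the prefix, so a base interface whose name happens to contain `wg` (constructed example: `wgwg1`) maps to the wrong `intf`. The existing `s/ovpn//g` line has the same shape, but the new line should anchor to the prefix, `intf="${interface#wg}"`, which still leaves `$intf` equal to `$interface` in the no-prefix case the following `if` relies on. This hunk is inside `mptcp_over_vpn()`, which continues outside it.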
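Review bot: `vpn` only falls back to `openvpn` when the uci option is empty; any other value (the option is written from a web form elsewhere in this series) makes both the `[ "$vpn" = "openvpn" ]` and `[ "$vpn" = "wireguard" ]` tests in `mptcp_over_vpn()` fail, so the `else` branch that sets `network.${interface}.multipath='off'` runs for every interface. Normalise instead of testing for empty: `case "$vpn" in openvpn|wireguard) ;; *) vpn="openvpn" ;; esac`. `start_service()` continues outside this hunk.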
@@ -140,6 +140,29 @@ _set_openvpn_vps() { fi } +_set_wireguard_vps() { + local enabled port key + ipskey="" + _get_wg_ipskey() { + local interface=$1 + proto=$(uci -q get network.${interface}.proto) + if [ "$proto" = "wireguard" ]; then + ip="$(uci -q get network.${interface}.addresses)" + key="$(uci -q get network.${interface}.public_key)" + if [ -z "$ipskey" ]; then + ipskey='{"ip": "'$ip'", "key": "'$key'"}' + else + ipskey=$ipskey',{"ip": "'$ip'", "key": "'$key'"}' + fi + fi + } + config_load network + config_foreach _get_wg_ipskey interface + local settings + settings='{"peers": ['$ipskey']}' + echo $(_set_json "wireguard" "$settings") +} + get_openvpn_key() { servername=$2 [ -z "$vps_config" ] && vps_config=$(_get_json "config") @@ -728,14 +751,28 @@ _set_wan_ip() { fi } +_get_lan_ip() { + local intf=$1 + if [ "$(uci -q get firewall.zone_lan.network | grep $intf)" != "" ]; then + lanip="$(uci -q get network.${intf}.ipaddr)/$(uci -q get network.${intf}.netmask)" + if [ "$lanip" != "/" ]; then + if [ -z "$lanips" ]; then + lanips='"'${lanip}'"' + else + lanips='"'$lanips'" "'${lanip}'"' + fi + fi + fi +} + _set_lan_ip() { local settings [ -z "$vps_config" ] && vps_config=$(_get_json "config") [ -z "$vps_config" ] && return - lanip_current="$(echo "$vps_config" | jsonfilter -q -e '@.lan.ips')" - lanips="$(uci -q get network.lan.ipaddr)/$(uci -q get network.lan.netmask)" - if [ "$lanips" != "/" ] && [ "$lanip_current" != "$lanips" ]; then - settings='{"lanips" : ["'$lanips'"]}' + #lanip_current="$(echo "$vps_config" | jsonfilter -q -e '@.lan.ips')" + #if [ "$lanips" != "" ] && [ "$lanip_current" != "$lanips" ]; then + if [ "$lanips" != "" ]; then + settings='{"lanips" : ['$lanips']}' result=$(_set_json "lan" "$settings") fi } 
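Review bot: `_set_wireguard_vps` builds the peer list by splicing `$ip` and `$key` straight into JSON string literals, so a quote or backslash in either value, or several space-separated entries in `network.<intf>.addresses` (the interface creation code elsewhere in this series populates it with `add_list`, so it is a list), yields a malformed or wrong document pushed to the VPS; building the payload with jshn (`json_init; json_add_array peers; …`) if `/usr/share/libubox/jshn.sh` is sourced by this script, or at least validating the two values against a strict character class before use, keeps it well-formed. `ipskey`, `ip` and `proto` are assigned without `local` while `enabled` and `port` are declared local but never used; `local ipskey ip proto` and dropping the unused names keeps the function's state out of the caller's scope. The final `echo $(_set_json "wireguard" "$settings")` is unquoted and word-splits the result; `_set_json "wireguard" "$settings"` alone returns the same output.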
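Review bot: In `_get_lan_ip` the accumulation branch `lanips='"'$lanips'" "'${lanip}'"'` re-quotes the already quoted `$lanips` and joins with a space, so with two or more LAN interfaces `_set_lan_ip` sends `{"lanips" : [""a"" "b"]}`, which is not valid JSON; the entry should be appended as `lanips=$lanips',"'${lanip}'"'`. `grep $intf` against the zone's network list is an unanchored substring match (`lan` also matches names such as `wlan`), so `grep -w "$intf"` is the safer test. With the `lanip_current` comparison commented out, `_set_lan_ip` now calls `_set_json` on every run whenever any LAN address exists; if that is intended, a one-line comment where the old check stood would stop the next reader from restoring it.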
@@ -814,6 +851,7 @@ _vps_firewall_redirect_port() { EOF src_dport='2-64999' fi + [ -n "$src_dport" ] && src_dport=$(echo $src_dport | sed 's/:/-/') if [ -n "$src_dport" ] && [ "$(echo $src_dport | cut -d'-' -f2)" -ge "65000" ]; then logger -t "OMR-VPS" "You can't redirect ports >= 65000, they are needed by OpenMPTCProuter Server part" enabled="0" @@ -1371,6 +1409,12 @@ _set_config_from_vps() { set openmptcprouter.${servername}.redirect_ports=$redirect EOF + # Wireguard settings + wireguard_key="$(echo "$vps_config" | jsonfilter -q -e '@.wireguard.key')" + uci -q batch <<-EOF >/dev/null + set openmptcprouter.${servername}.wgkey=$wireguard_key + EOF + # MPTCP settings mptcp_path_manager="$(echo "$vps_config" | jsonfilter -q -e '@.mptcp.path_manager')" mptcp_scheduler="$(echo "$vps_config" | jsonfilter -q -e '@.mptcp.scheduler')" @@ -1684,6 +1728,7 @@ _config_service() { [ -z "$(_set_glorytun_vps)" ] && error=1 [ -z "$(_set_openvpn_vps)" ] && error=1 _set_vps_firewall + _set_wireguard_vps fi _backup_list redirect_port="0" @@ -1700,9 +1745,11 @@ _config_service() { #_set_pihole [ -n "$wanips" ] && _set_wan_ip - _set_lan_ip _set_vpn_ip config_load network + lanips="" + config_foreach _get_lan_ip interface + _set_lan_ip config_foreach _delete_client2client route if [ "$(uci -q get openmptcprouter.settings.vpn)" != "openvpn" ] && [ "$(echo "$vps_config" | jsonfilter -q -e '@.client2client.enabled')" == "true" ]; then _set_client2client From 9b71441dfd68b31dd08ffc35d623bff31c1e44e3 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Wed, 3 Mar 2021 11:30:52 +0100 Subject: [PATCH 08/10] Allow wildcard domain in omr-bypass --- .../root/etc/init.d/omr-bypass | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/luci-app-omr-bypass/root/etc/init.d/omr-bypass b/luci-app-omr-bypass/root/etc/init.d/omr-bypass index d1e2d9592..128d42e2b 100755 --- a/luci-app-omr-bypass/root/etc/init.d/omr-bypass 
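Review bot: `wireguard_key` is taken from the VPS-supplied JSON and written into the uci batch unquoted, `set openmptcprouter.${servername}.wgkey=$wireguard_key`, so an empty value (a VPS without a `wireguard` section) silently clears the stored key and a value containing whitespace breaks the batch line; quoting it, `set openmptcprouter.${servername}.wgkey="$wireguard_key"`, and running the batch only under `[ -n "$wireguard_key" ]` keeps a working key in place — assuming an absent key means an older VPS rather than a deliberately revoked one. _set_config_from_vps continues outside this hunk on both sides.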
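Review bot: `_set_wireguard_vps` is called without checking its result, whereas the neighbouring `[ -z "$(_set_openvpn_vps)" ] && error=1` and `_set_glorytun_vps` lines feed a failure into `error`; since `_set_wireguard_vps` echoes the `_set_json` result the same way, `[ -z "$(_set_wireguard_vps)" ] && error=1` would make a failed peer push visible instead of leaving the server with stale peers. If the omission is deliberate (for instance because the VPS may not support wireguard yet), a one-line comment saying so would help. _config_service continues outside this hunk on both sides.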
+++ b/luci-app-omr-bypass/root/etc/init.d/omr-bypass @@ -44,7 +44,34 @@ _bypass_domains() { config_get intf $1 interface config_get enabled $1 enabled [ "$enabled" = "0" ] && return - _bypass_domain $domain $intf + if [ "$(echo $domain | grep '\.$')" != "" ] || [ "$(echo $domain | grep '\.\*$')" != "" ]; then + tlds=`curl --max-time 4 -s -k https://data.iana.org/TLD/tlds-alpha-by-domain.txt` + domain="$(echo '"$domain"' | sed 's:*::')" + domainlist="" + # construct list of domains to query + for tld in $tlds; do + i=$((i+1)) + # trim off header + if [ "$i" -lt "12" ] || [ "$i" -gt "50" ]; then + continue + fi + # add to command + domainlist="${domainlist} ${domain}${tld}" + done + domainlist="$(echo $domainlist `# Get the list of valid domains, pass it to awk` \ + | awk '{print tolower($0)}' `# awk lowercases the whole string and passes it to ` \ + | xargs -n8 -P12 `# xargs sends 8 arguments at a time to` \ + dig a +timeout=1 +tries=1 +retry=1 +nocmd +noall +answer `# dig, which passes results (if any) to` \ + | awk '{print $1}' `# awk, which outputs queried domain to` \ + | sed -e 's/.$//' `# sed, which trims off the trailing dot (google.com. -> google.com)` to \ + | grep $domain `# grep, only keep wanted domain` \ + | awk '{for (i=1;i<=NF;i++) if (!a[$i]++) printf("%s%s",$i,FS)}{printf("\n")}')" # deduplicate + for validdomain in $domainlist; do + _bypass_domain $validdomain $intf + done + else + _bypass_domain $domain $intf + fi } _bypass_domain() { From c3d2e831d672c7b8407ced73ecef57443855cf18 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Wed, 3 Mar 2021 11:31:47 +0100 Subject: [PATCH 09/10] Fix name change of shadowsocks tracker --- .../luasrc/view/openmptcprouter/settings.htm | 4 ++-- .../root/usr/libexec/rpcd/openmptcprouter | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
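Review bot: `domain="$(echo '"$domain"' | sed 's:*::')"` single-quotes the `"$domain"` text, so the variable is replaced by the literal string `"$domain"` and every generated candidate is `"$domain"COM`, `"$domain"NET`, …; it should read `domain="$(echo "$domain" | sed 's:*::')"`. In the same pipeline the stray word `to` after the sed backtick comment is passed to sed as an input file, so that stage reads `./to` instead of stdin, and `i` is never initialised (`i=0` before the `for tld` loop), so a second wildcard entry skips every TLD because the 12–50 window has already been consumed. The TLD list is fetched with `curl -k`, which disables certificate verification for data.iana.org and lets an on-path party substitute the list; where the system ships a CA bundle the `-k` should be dropped, and `grep $domain` should become `grep -F -- "$domain"` so the dots are not treated as regex wildcards. The pipeline also relies on `dig`, which the package's dependencies (not in this diff) would need to declare. _bypass_domains starts before this hunk.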
diff --git a/luci-app-openmptcprouter/luasrc/view/openmptcprouter/settings.htm b/luci-app-openmptcprouter/luasrc/view/openmptcprouter/settings.htm index e9d4f52a8..941890008 100644 --- a/luci-app-openmptcprouter/luasrc/view/openmptcprouter/settings.htm +++ b/luci-app-openmptcprouter/luasrc/view/openmptcprouter/settings.htm @@ -108,8 +108,8 @@
diff --git a/luci-app-openmptcprouter/root/usr/libexec/rpcd/openmptcprouter b/luci-app-openmptcprouter/root/usr/libexec/rpcd/openmptcprouter index 0708e3f03..2a31616dc 100755 --- a/luci-app-openmptcprouter/root/usr/libexec/rpcd/openmptcprouter +++ b/luci-app-openmptcprouter/root/usr/libexec/rpcd/openmptcprouter @@ -810,9 +810,9 @@ function interfaces_status() -- shadowsocksaddr mArray.openmptcprouter["ss_addr"] = uci:get("openmptcprouter","omr","detected_ss_ipv4") or "" if mArray.openmptcprouter["ss_addr"] == "" and mArray.openmptcprouter["service_addr"] ~= "" then - tracker_ip = uci:get("shadowsocks-libev","tracker","local_address") or "" + tracker_ip = uci:get("shadowsocks-libev","tracker_sss0","local_address") or "" if tracker_ip ~= "" then - local tracker_port = uci:get("shadowsocks-libev","tracker","local_port") + local tracker_port = uci:get("shadowsocks-libev","tracker_sss0","local_port") if mArray.openmptcprouter["external_check"] ~= false then mArray.openmptcprouter["ss_addr"] = ut.trim(sys.exec("curl -s -4 --socks5 " .. tracker_ip .. ":" .. tracker_port .. " -m " .. timeout .. " " .. check_ipv4_website)) if mArray.openmptcprouter["ss_addr"] == "" then From c939ab5a24edf51a57a812177e2919af15f272d3 Mon Sep 17 00:00:00 2001 From: "Ycarus (Yannick Chabanois)" Date: Wed, 3 Mar 2021 11:32:42 +0100 Subject: [PATCH 10/10] Update https-dns-proxy --- https-dns-proxy/Makefile | 22 ++++++-- https-dns-proxy/files/https-dns-proxy.init | 66 ++++++++++++++++------ 2 files changed, 66 insertions(+), 22 deletions(-) diff --git a/https-dns-proxy/Makefile b/https-dns-proxy/Makefile index 0fefc7ca5..331318402 100644 --- a/https-dns-proxy/Makefile +++ b/https-dns-proxy/Makefile 
@@ -1,14 +1,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=https-dns-proxy -PKG_VERSION:=2019-12-03 -PKG_RELEASE=5 +PKG_VERSION:=2021-01-17 +PKG_RELEASE=2 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy -PKG_SOURCE_DATE:=2019-12-03 -PKG_SOURCE_VERSION:=2adeafb67cbe8d67148219c48334856ae4f3bd75 -PKG_MIRROR_HASH:=58088baa092cd9634652d65f9b5650db88d2e102cb370710654db7b15f2f0e42 +PKG_SOURCE_DATE:=2021-01-17 +PKG_SOURCE_VERSION:=37511cc08712d7548978a4f6f1cc457b7594fb96 +PKG_MIRROR_HASH:=4e6a7dcb69e350d1df9f17570439b589e031e249da7f91f2ec7600a955e0aaa3 PKG_MAINTAINER:=Stan Grishin PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE @@ -22,14 +22,26 @@ define Package/https-dns-proxy SECTION:=net CATEGORY:=Network TITLE:=DNS Over HTTPS Proxy + URL:=https://docs.openwrt.melmac.net/https-dns-proxy/ DEPENDS:=+libcares +libcurl +libev +ca-bundle CONFLICTS:=https_dns_proxy endef +define Package/https-dns-proxy/description +https-dns-proxy is a light-weight DNS<-->HTTPS, non-caching translation proxy for the RFC 8484 DoH standard. +It receives regular (UDP) DNS requests and issues them via DoH. +Please see https://docs.openwrt.melmac.net/https-dns-proxy/ for more information. +endef + +define Package/https-dns-proxy/conffiles +/etc/config/https-dns-proxy +endef + define Package/https-dns-proxy/install $(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/init.d ${1}/etc/config $(INSTALL_BIN) $(PKG_BUILD_DIR)/https_dns_proxy $(1)/usr/sbin/https-dns-proxy $(INSTALL_BIN) ./files/https-dns-proxy.init $(1)/etc/init.d/https-dns-proxy + $(SED) "s|^\(PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/https-dns-proxy $(INSTALL_CONF) ./files/https-dns-proxy.config $(1)/etc/config/https-dns-proxy endef diff --git a/https-dns-proxy/files/https-dns-proxy.init b/https-dns-proxy/files/https-dns-proxy.init index 5ca0bd133..64bf7eccf 100755 --- a/https-dns-proxy/files/https-dns-proxy.init +++ b/https-dns-proxy/files/https-dns-proxy.init 
@@ -1,13 +1,25 @@ #!/bin/sh /etc/rc.common -# Copyright 2019 Stan Grishin (stangri@melmac.net) +# Copyright 2019-2020 Stan Grishin (stangri@melmac.net) # shellcheck disable=SC2039 +PKG_VERSION='dev-test' -export START=80 -export USE_PROCD=1 +# shellcheck disable=SC2034 +START=80 +# shellcheck disable=SC2034 +USE_PROCD=1 +if type extra_command 1>/dev/null 2>&1; then + extra_command 'version' 'Show version information' +else +# shellcheck disable=SC2034 + EXTRA_COMMANDS='version' +fi + +readonly PROG=/usr/sbin/https-dns-proxy dnsmasqConfig='' +forceDNS='1' -PROG=/usr/sbin/https-dns-proxy +version() { echo "$PKG_VERSION"; } xappend() { param="$param $1"; } @@ -35,27 +47,27 @@ append_parm() { start_instance() { local cfg="$1" param listen_addr listen_port i - + append_parm "$cfg" 'resolver_url' '-r' + append_parm "$cfg" 'polling_interval' '-i' append_parm "$cfg" 'listen_addr' '-a' '127.0.0.1' append_parm "$cfg" 'listen_port' '-p' "$p" + append_parm "$cfg" 'dscp_codepoint' '-c' append_parm "$cfg" 'bootstrap_dns' '-b' - append_parm "$cfg" 'resolver_url' '-r' append_parm "$cfg" 'user' '-u' 'nobody' append_parm "$cfg" 'group' '-g' 'nogroup' - append_parm "$cfg" 'edns_subnet' '-e' append_parm "$cfg" 'proxy_server' '-t' append_parm "$cfg" 'logfile' '-l' append_bool "$cfg" 'use_http1' '-x' config_get_bool ipv6_resolvers_only "$cfg" 'use_ipv6_resolvers_only' '0' - config_get verbosity "$cfg" 'verbosity' "0" + config_get verbosity "$cfg" 'verbosity' '0' # shellcheck disable=SC2086,SC2154 for i in $(seq 1 $verbosity); do - xappend "-v" + xappend '-v' done # shellcheck disable=SC2154 if [ "$ipv6_resolvers_only" = 0 ]; then - xappend "-4" + xappend '-4' fi procd_open_instance 
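Review bot: The `append_parm "$cfg" 'edns_subnet' '-e'` line is dropped without a replacement, so an `option edns_subnet` still present in an existing `/etc/config/https-dns-proxy` is now silently ignored; a comment next to the new `dscp_codepoint` line such as `# edns_subnet/-e is no longer passed; older configs carrying it are ignored` would record the change, assuming the upstream binary removed the flag rather than it being lost in the reorder. `polling_interval` is now passed as `-i`; whether the flag exists at runtime depends on the version pinned in the Makefile hunk of this series, so the two changes should land together. start_instance continues outside this hunk.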
@@ -80,19 +92,36 @@ start_instance() { p="$((p+1))" } -service_triggers() { - procd_add_reload_trigger 'https-dns-proxy' -} +is_force_dns_active() { iptables-save | grep -q -w -- '--dport 53'; } start_service() { local p=5053 config_load 'https-dns-proxy' config_get dnsmasqConfig 'config' 'update_dnsmasq_config' '*' + config_get_bool forceDNS 'config' 'force_dns' '1' dhcp_backup 'create' config_load 'https-dns-proxy' config_foreach start_instance 'https-dns-proxy' - if [ "$p" != "5053" ] && [ "$dnsmasqConfig" = "*" ]; then - uci -q del_list "dhcp.@dnsmasq[0].server=127.0.0.1#5353" + if [ "$forceDNS" -ne 0 ]; then + procd_open_instance 'main' + procd_set_param command /bin/true + procd_set_param stdout 1 + procd_set_param stderr 1 + procd_open_data + json_add_array firewall + json_add_object '' + json_add_string type redirect + json_add_string name https_dns_proxy_dns_redirect + json_add_string target DNAT + json_add_string src lan + json_add_string proto tcpudp + json_add_string src_dport 53 + json_add_string dest_port 53 + json_add_string reflection 0 + json_close_object + json_close_array + procd_close_data + procd_close_instance fi if [ -n "$(uci -q changes dhcp)" ]; then uci -q commit dhcp @@ -102,7 +131,7 @@ start_service() { stop_service() { config_load 'https-dns-proxy' - config_get dnsmasqConfig 'config' 'update_dnsmasq_config' '*' + config_get dnsmasqConfig 'config' 'update_dnsmasq_config' '*' dhcp_backup 'restore' if [ -n "$(uci -q changes dhcp)" ]; then uci -q commit dhcp @@ -111,9 +140,12 @@ stop_service() { } service_triggers() { - procd_add_reload_trigger 'https-dns-proxy' + procd_add_config_trigger "config.change" "https-dns-proxy" /etc/init.d/https-dns-proxy reload } +service_started() { procd_set_config_changed firewall; } +service_stopped() { procd_set_config_changed firewall; } + dnsmasq_add_doh_server() { local cfg="$1" address="$2" port="$3" case $address in
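Review bot: `is_force_dns_active()` is defined in this hunk but not called anywhere in the visible changes, so either it is dead code or the redirect below was meant to be added only when no `--dport 53` rule is already present; if the latter, make the intent explicit with `if [ "$forceDNS" -ne 0 ] && ! is_force_dns_active; then`, otherwise drop the helper. The `main` instance with `procd_set_param command /bin/true` exists only to carry the firewall redirect in its procd data; a comment such as `# dummy instance: procd applies the attached DNAT of LAN port 53 to this host` would stop a reader from treating it as a stuck process. The former `uci -q del_list "dhcp.@dnsmasq[0].server=127.0.0.1#5353"` cleanup is removed; if older installs still carry that entry it will now persist, which looks intentional but is worth a word in the commit message.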