diff --git a/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua b/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua index d67470a09..690045e88 100644 --- a/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua +++ b/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua @@ -497,6 +497,11 @@ function wizard_add() ucic:save("openmptcprouter") end + -- Get VPN used for MPTCP over VPN + local mptcpovervpn_vpn = luci.http.formvalue("mptcpovervpn_vpn") or "wireguard" + ucic:set("openmptcprouter","settings","mptcpovervpn",mptcpovervpn_vpn) + ucic:save("openmptcprouter") + -- Get Proxy set by default local default_proxy = luci.http.formvalue("default_proxy") or "shadowsocks" if default_proxy == "shadowsocks" and serversnb > 0 and serversnb > disablednb then diff --git a/luci-app-openmptcprouter/luasrc/view/openmptcprouter/wizard.htm b/luci-app-openmptcprouter/luasrc/view/openmptcprouter/wizard.htm index 02e20ebad..f5f028568 100644 --- a/luci-app-openmptcprouter/luasrc/view/openmptcprouter/wizard.htm +++ b/luci-app-openmptcprouter/luasrc/view/openmptcprouter/wizard.htm @@ -365,6 +365,23 @@ +
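Review bot: The value of `mptcpovervpn_vpn` is taken from the form and stored in UCI without being checked against the two names the service understands, so any other string is saved and later falls through both the `openvpn` and `wireguard` branches of `mptcp_over_vpn` in openmptcprouter/files/etc/init.d/mptcpovervpn, leaving MPTCP over VPN silently unconfigured. The default chosen here (`"wireguard"`) also disagrees with the `[ -z "$vpn" ] && vpn="openvpn"` default added in the `start_service` hunk of that same init script, so an unset option means one thing in the wizard and another at runtime. Suggest normalising before the `ucic:set`: `if mptcpovervpn_vpn ~= "openvpn" and mptcpovervpn_vpn ~= "wireguard" then mptcpovervpn_vpn = "wireguard" end`, and aligning the two defaults. `wizard_add` starts before and continues after this hunk.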
+ <%:MPTCP over VPN settings%> +
<%:MPTCP over VPN should be used only when Multipath TCP is blocked on a connection.%>
+
+ +
+ +
+
+ <%:Set VPN to use for MPTCP over VPN.%> +
+
+
+

diff --git a/openmptcprouter-full/Makefile b/openmptcprouter-full/Makefile index f5b008643..2c844f62d 100644 --- a/openmptcprouter-full/Makefile +++ b/openmptcprouter-full/Makefile @@ -81,7 +81,8 @@ MY_DEPENDS := \ !TARGET_mvebu:luci-proto-qmi wpad-basic kmod-mt7601u kmod-rtl8187 \ luci-app-mlvpn mlvpn 464xlat !TARGET_mvebu:kmod-usb-net-smsc75xx kmod-zram kmod-swconfig swconfig kmod-ipt-nat kmod-ipt-nat6 luci-app-https-dns-proxy kmod-tcp-nanqinlang (TARGET_x86_64||aarch64):kmod-tcp-bbr2 iptables-mod-ipopt igmpproxy ss iptraf-ng \ luci-app-acl block-mount blockd fstools luci-app-shutdown libwebp luci-proto-gre tcptraceroute luci-proto-mbim kmod-rtl8xxxu kmod-ath9k-htc luci-app-ttyd luci-mod-dashboard (TARGET_x86||TARGET_x86_64):rtl8192eu-firmware kmod-usb2 libustream-wolfssl (TARGET_x86||TARGET_x86_64):kmod-ixgbevf \ - hwinfo (TARGET_x86||TARGET_x86_64):dmidecode luci-app-packet-capture kmod-bonding luci-proto-bonding luci-app-sysupgrade + hwinfo (TARGET_x86||TARGET_x86_64):dmidecode luci-app-packet-capture kmod-bonding luci-proto-bonding luci-app-sysupgrade \ + luci-theme-openwrt-2020 luci-proto-wireguard luci-app-wireguard # luci-theme-bootstrap luci-theme-openwrt-2020 luci-theme-openwrt luci-app-status # luci-proto-bonding luci-app-statistics luci-proto-gre # softethervpn5-client softethervpn5-server luci-app-nginx-ha diff --git a/openmptcprouter/files/etc/init.d/mptcpovervpn b/openmptcprouter/files/etc/init.d/mptcpovervpn index a2f7d97e4..4f2825e47 100755 --- a/openmptcprouter/files/etc/init.d/mptcpovervpn +++ b/openmptcprouter/files/etc/init.d/mptcpovervpn @@ -9,7 +9,10 @@ } _getremoteip() { - [ "$(uci -q get openmptcprouter.$1.master)" = "1" ] && remoteip=$(uci -q get openmptcprouter.$1.ip | awk '{print $1}') + [ "$(uci -q get openmptcprouter.$1.master)" = "1" ] && { + remoteip=$(uci -q get openmptcprouter.$1.ip | awk '{print $1}') + wg_server_key=$(uci -q get openmptcprouter.$1.wgkey) + } } mptcp_over_vpn() { 
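Review bot: `_getremoteip` now stores `wg_server_key` from the master server's `wgkey`, but a master entry that has no key yet (the key is only learned from the VPS in `_set_config_from_vps`) leaves it empty, and nothing in this callback records that, so the caller in `mptcp_over_vpn` later writes an empty `public_key` into the WireGuard peer section. Consider logging at the point the value is read, e.g. `[ -z "$wg_server_key" ] && logger -t "MPTCPoverVPN" "No WireGuard server key for $1"`, so a missing key shows up in the log instead of as a tunnel that never handshakes. Both assignments are deliberately non-local because this runs as a `config_foreach` callback; a short comment saying so would help, e.g. `# sets remoteip/wg_server_key for the caller (config_foreach callback)`.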
@@ -20,19 +23,22 @@ mptcp_over_vpn() { uci -q batch <<-EOF >/dev/null delete openmptcprouter.${interface} delete network.ovpn${interface} + delete network.wg${interface} delete openvpn.${interface} commit openvpn delete openmptcprouter.${interface} delete openmptcprouter.ovpn${interface} + delete openmptcprouter.wg${interface} commit openmptcprouter commit network del_list firewall.zone_vpn.network="ovpn${interface}" + del_list firewall.zone_vpn.network="wg${interface}" commit firewall EOF return fi nbintfvpn=$(($nbintfvpn+1)) - if [ "$(uci -q get network.ovpn${interface})" = "" ]; then + if [ "$(uci -q get network.ovpn${interface})" = "" ] && [ "$vpn" = "openvpn" ]; then logger -t "MPTCPoverVPN" "Enable MPTCP over VPN for ${interface}" id=$(uci -q get network.${interface}.metric) remoteip="" 
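Review bot: The new `delete network.wg${interface}` removes the interface section but not the peer section the enable path creates with `add network wireguard_wg${interface}`, so disabling leaves an orphan `wireguard_wg${interface}` entry in /etc/config/network; on the next enable the `@wireguard_wg${interface}[0]` selector then addresses the stale section while the freshly added one stays without endpoint, key or `allowed_ips`. The same gap is in the `delete network.wg${interface}` lines of the `@@ -92` and `@@ -99` hunks of this file. Each of those batches should also drop the peer section, e.g. `delete network.@wireguard_wg${interface}[0]` (repeated, or a small loop, if more than one can exist). `mptcp_over_vpn` starts before and continues after this hunk.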
@@ -43,42 +49,108 @@ mptcp_over_vpn() { [ -n "$(uci -q get openmptcprouter.ovpn${interface}.multipath)" ] && multipath=$(uci -q get openmptcprouter.ovpn${interface}.multipath) [ -z "$multipath" ] && multipath="on" uci -q batch <<-EOF >/dev/null - set network.ovpn${interface}=interface - set network.ovpn${interface}.ifname="tun${id}" - set network.ovpn${interface}.defaultroute='0' - set network.ovpn${interface}.peerdns='0' - set network.ovpn${interface}.proto='none' - set network.ovpn${interface}.ip4table='wan' - set network.ovpn${interface}.multipath="${multipath}" - set network.${interface}.multipath='off' - commit network - set openvpn.${interface}=openvpn - set openvpn.${interface}.dev="tun${id}" - set openvpn.${interface}.cipher='AES-256-CBC' - set openvpn.${interface}.port='65301' - set openvpn.${interface}.remote="${remoteip}" - set openvpn.${interface}.local="${localip}" - set openvpn.${interface}.lport='0' - set openvpn.${interface}.ncp_disable='1' - set openvpn.${interface}.auth_nocache='1' - set openvpn.${interface}.proto='udp' - set openvpn.${interface}.client='1' - set openvpn.${interface}.enabled='1' - set openvpn.${interface}.allow_recursive_routing='1' - set openvpn.${interface}.key='/etc/luci-uploads/client.key' - set openvpn.${interface}.cert='/etc/luci-uploads/client.crt' - set openvpn.${interface}.ca='/etc/luci-uploads/ca.crt' - commit openvpn - set openmptcprouter.${interface}.multipath="off" - set openmptcprouter.${interface}.multipathvpn="1" - set openmptcprouter.ovpn${interface}="interface" - set openmptcprouter.ovpn${interface}.multipath="${multipath}" - set openmptcprouter.ovpn${interface}.vpn="1" - set openmptcprouter.ovpn${interface}.baseintf="${interface}" + delete network.wg${interface} + delete openmptcprouter.wg${interface} commit openmptcprouter - add_list firewall.zone_vpn.network="ovpn${interface}" + commit network + del_list firewall.zone_vpn.network="wg${interface}" commit firewall EOF + + uci -q batch <<-EOF >/dev/null + set 
network.ovpn${interface}=interface + set network.ovpn${interface}.ifname="tun${id}" + set network.ovpn${interface}.defaultroute='0' + set network.ovpn${interface}.peerdns='0' + set network.ovpn${interface}.proto='none' + set network.ovpn${interface}.ip4table='wan' + set network.ovpn${interface}.multipath="${multipath}" + set network.${interface}.multipath='off' + commit network + set openvpn.${interface}=openvpn + set openvpn.${interface}.dev="tun${id}" + set openvpn.${interface}.cipher='AES-256-CBC' + set openvpn.${interface}.port='65301' + set openvpn.${interface}.remote="${remoteip}" + set openvpn.${interface}.local="${localip}" + set openvpn.${interface}.lport='0' + set openvpn.${interface}.ncp_disable='1' + set openvpn.${interface}.auth_nocache='1' + set openvpn.${interface}.proto='udp' + set openvpn.${interface}.client='1' + set openvpn.${interface}.enabled='1' + set openvpn.${interface}.allow_recursive_routing='1' + set openvpn.${interface}.key='/etc/luci-uploads/client.key' + set openvpn.${interface}.cert='/etc/luci-uploads/client.crt' + set openvpn.${interface}.ca='/etc/luci-uploads/ca.crt' + commit openvpn + set openmptcprouter.${interface}.multipath="off" + set openmptcprouter.${interface}.multipathvpn="1" + set openmptcprouter.ovpn${interface}="interface" + set openmptcprouter.ovpn${interface}.multipath="${multipath}" + set openmptcprouter.ovpn${interface}.vpn="1" + set openmptcprouter.ovpn${interface}.baseintf="${interface}" + commit openmptcprouter + add_list firewall.zone_vpn.network="ovpn${interface}" + commit firewall + EOF + elif [ "$(uci -q get network.wg${interface})" = "" ] && [ "$vpn" = "wireguard" ]; then + logger -t "MPTCPoverVPN" "Enable MPTCP over VPN for ${interface}" + id=$(uci -q get network.${interface}.metric) + remoteip="" + wg_server_key="" + config_load openmptcprouter + config_foreach _getremoteip server + metric=$(uci -q get network.${interface}.metric) + [ -z "$(uci -q get openmptcprouter.wg${interface}.multipath)" ] && 
multipath=$(uci -q get network.${interface}.multipath) + [ -n "$(uci -q get openmptcprouter.wg${interface}.multipath)" ] && multipath=$(uci -q get openmptcprouter.wg${interface}.multipath) + [ -z "$multipath" ] && multipath="on" + private_key=$(wg genkey | tr -d "\n") + public_key=$(echo $private_key | wg pubkey | tr -d "\n") + uci -q batch <<-EOF >/dev/null + delete network.ovpn${interface} + delete openvpn.${interface} + commit openvpn + delete openmptcprouter.ovpn${interface} + commit openmptcprouter + commit network + del_list firewall.zone_vpn.network="ovpn${interface}" + commit firewall + EOF + + uci -q batch <<-EOF >/dev/null + set network.wg${interface}=interface + set network.wg${interface}.nohostroute='1' + set network.wg${interface}.proto='wireguard' + set network.wg${interface}.fwmark="0x539${metric}" + del_list network.wg${interface}.addresses + add_list network.wg${interface}.addresses='10.255.247.${metric}/24' + set network.wg${interface}.private_key="${private_key}" + set network.wg${interface}.gateway="10.255.247.1" + set network.wg${interface}.public_key="${public_key}" + set network.wg${interface}.multipath="${multipath}" + set network.${interface}.multipath='off' + add network wireguard_wg${interface} + set network.@wireguard_wg${interface}[0]=wireguard_wg${interface} + set network.@wireguard_wg${interface}[0].description="Wireguard on ${interface}" + set network.@wireguard_wg${interface}[0].endpoint_host="${remoteip}" + set network.@wireguard_wg${interface}[0].endpoint_port="65311" + set network.@wireguard_wg${interface}[0].persistent_keepalive="28" + del_list network.@wireguard_wg${interface}[0].allowed_ips + add_list network.@wireguard_wg${interface}[0].allowed_ips="0.0.0.0/0" + set network.@wireguard_wg${interface}[0].public_key="${wg_server_key}" + commit network + set openmptcprouter.${interface}.multipath="off" + set openmptcprouter.${interface}.multipathvpn="1" + set openmptcprouter.wg${interface}="interface" + set 
openmptcprouter.wg${interface}.multipath="${multipath}" + set openmptcprouter.wg${interface}.vpn="1" + set openmptcprouter.wg${interface}.baseintf="${interface}" + commit openmptcprouter + add_list firewall.zone_vpn.network="wg${interface}" + commit firewall + EOF + ubus call network reload 2>&1 >/dev/null else uci -q batch <<-EOF >/dev/null set network.${interface}.multipath='off' @@ -92,6 +164,7 @@ mptcp_over_vpn() { multipath=$(uci -q get openmptcprouter.ovpn${interface}.multipath) [ -z "$multipath" ] && multipath="on" uci -q batch <<-EOF >/dev/null + delete network.wg${interface} delete network.ovpn${interface} delete openvpn.${interface} commit openvpn @@ -99,13 +172,16 @@ mptcp_over_vpn() { set network.${interface}.multipath="${multipath}" set openmptcprouter.${interface}.multipathvpn="0" delete openmptcprouter.ovpn${interface} + delete openmptcprouter.wg${interface} commit openmptcprouter commit network del_list firewall.zone_vpn.network="ovpn${interface}" + del_list firewall.zone_vpn.network="wg${interface}" commit firewall EOF elif [ "$(uci -q get openmptcprouter.${interface}.vpn)" = "1" ]; then intf="$(echo ${interface} | sed 's/ovpn//g')" + [ "$intf" = "$interface" ] && intf="$(echo ${interface} | sed 's/wg//g')" if [ -n "$intf" ] && [ "$intf" != "$interface" ] && [ "$(uci -q get network.${intf})" = "" ]; then uci -q batch <<-EOF >/dev/null delete network.${interface} @@ -126,6 +202,8 @@ start_service() { nbintf=0 nbintfvpn=0 + vpn="$(uci -q get openmptcprouter.settings.mptcpovervpn)" + [ -z "$vpn" ] && vpn="openvpn" config_load openmptcprouter config_foreach mptcp_over_vpn interface if [ "$nbintf" = "$nbintfvpn" ] && [ "$nbintf" != "0" ]; then diff --git a/openmptcprouter/files/etc/init.d/openmptcprouter-vps b/openmptcprouter/files/etc/init.d/openmptcprouter-vps index 265446b56..f5e2c977e 100755 --- a/openmptcprouter/files/etc/init.d/openmptcprouter-vps +++ b/openmptcprouter/files/etc/init.d/openmptcprouter-vps 
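Review bot: In the new `wireguard` branch the peer is written with `public_key="${wg_server_key}"` and `endpoint_host="${remoteip}"` without checking either, so when no master server or no `wgkey` is known the batch still creates a tunnel with an empty peer key and `allowed_ips="0.0.0.0/0"`, which fails quietly at handshake time. A guard right after the `config_foreach _getremoteip server` line, `[ -z "$wg_server_key" ] && { logger -t "MPTCPoverVPN" "No WireGuard key for ${interface}, skipping"; return; }`, leaves the interface untouched instead (note `nbintfvpn` has already been incremented above). The added `ubus call network reload 2>&1 >/dev/null` sends stderr to the original stdout and only stdout to /dev/null; `>/dev/null 2>&1` is presumably what was meant. The address `10.255.247.${metric}/24` and mark `0x539${metric}` assume the interface metric is small enough to be a valid host octet, which is worth confirming against how metrics are assigned. `mptcp_over_vpn` starts before and continues after this hunk.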
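Review bot: The fallback `intf="$(echo ${interface} | sed 's/wg//g')"` removes every `wg` in the name rather than the leading one, so a base interface whose own name contains `wg` would be mangled and the following `uci -q get network.${intf}` check would look up the wrong section (the pre-existing `ovpn` line has the same shape). A parameter expansion avoids both the subshell and the global substitution: `[ "$intf" = "$interface" ] && intf="${interface#wg}"`. `mptcp_over_vpn` starts before and continues after this hunk.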
@@ -140,6 +140,29 @@ _set_openvpn_vps() { fi } +_set_wireguard_vps() { + local enabled port key + ipskey="" + _get_wg_ipskey() { + local interface=$1 + proto=$(uci -q get network.${interface}.proto) + if [ "$proto" = "wireguard" ]; then + ip="$(uci -q get network.${interface}.addresses)" + key="$(uci -q get network.${interface}.public_key)" + if [ -z "$ipskey" ]; then + ipskey='{"ip": "'$ip'", "key": "'$key'"}' + else + ipskey=$ipskey',{"ip": "'$ip'", "key": "'$key'"}' + fi + fi + } + config_load network + config_foreach _get_wg_ipskey interface + local settings + settings='{"peers": ['$ipskey']}' + echo $(_set_json "wireguard" "$settings") +} + get_openvpn_key() { servername=$2 [ -z "$vps_config" ] && vps_config=$(_get_json "config") @@ -728,14 +751,28 @@ _set_wan_ip() { fi } +_get_lan_ip() { + local intf=$1 + if [ "$(uci -q get firewall.zone_lan.network | grep $intf)" != "" ]; then + lanip="$(uci -q get network.${intf}.ipaddr)/$(uci -q get network.${intf}.netmask)" + if [ "$lanip" != "/" ]; then + if [ -z "$lanips" ]; then + lanips='"'${lanip}'"' + else + lanips='"'$lanips'" "'${lanip}'"' + fi + fi + fi +} + _set_lan_ip() { local settings [ -z "$vps_config" ] && vps_config=$(_get_json "config") [ -z "$vps_config" ] && return - lanip_current="$(echo "$vps_config" | jsonfilter -q -e '@.lan.ips')" - lanips="$(uci -q get network.lan.ipaddr)/$(uci -q get network.lan.netmask)" - if [ "$lanips" != "/" ] && [ "$lanip_current" != "$lanips" ]; then - settings='{"lanips" : ["'$lanips'"]}' + #lanip_current="$(echo "$vps_config" | jsonfilter -q -e '@.lan.ips')" + #if [ "$lanips" != "" ] && [ "$lanip_current" != "$lanips" ]; then + if [ "$lanips" != "" ]; then + settings='{"lanips" : ['$lanips']}' result=$(_set_json "lan" "$settings") fi } 
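Review bot: `_set_wireguard_vps` builds the peer list by string concatenation, so `ip` and `key` go into the JSON unescaped, and `uci -q get network.<intf>.addresses` returns a whitespace-joined list when an interface has more than one address, which then lands as a single `"ip"` value; every `proto='wireguard'` interface on the router is also reported, not only the `wg*` ones this feature creates, which may or may not be intended. The locals `enabled port key` are mostly unused (`key` is reassigned by the nested callback as a global anyway), `ip` and `ipskey` are globals, and `echo $(_set_json ...)` can simply be `_set_json ...`. If the script sources `/usr/share/libubox/jshn.sh`, the jshn helpers produce properly quoted output; a version on those lines is sketched below, keeping only the first address since the shape the VPS expects for a list is not visible here.
```shell
_set_wireguard_vps() {
	json_init
	json_add_array "peers"
	_get_wg_ipskey() {
		local interface=$1
		[ "$(uci -q get network.${interface}.proto)" = "wireguard" ] || return
		# only the wg* interfaces managed by mptcpovervpn; drop this line if all tunnels are wanted
		[ "${interface#wg}" = "$interface" ] && return
		local ip="$(uci -q get network.${interface}.addresses)"
		ip="${ip%% *}"   # first address only; confirm what the VPS expects when several are set
		json_add_object
		json_add_string "ip" "$ip"
		json_add_string "key" "$(uci -q get network.${interface}.public_key)"
		json_close_object
	}
	config_load network
	config_foreach _get_wg_ipskey interface
	json_close_array
	_set_json "wireguard" "$(json_dump)"
}
```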
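Review bot: In `_get_lan_ip` the accumulating branch `lanips='"'$lanips'" "'${lanip}'"'` re-quotes the already quoted first entry and joins with a space, so with two LAN interfaces `_set_lan_ip` sends `{"lanips" : [""a"" "b"]}`, which is not valid JSON; the line should be `lanips=$lanips',"'${lanip}'"'`. The membership test `grep $intf` on `firewall.zone_lan.network` is unanchored, so `lan` also matches names such as `lan2` or `vlan`; a word match, `grep -w "$intf"`, is closer to the intent. Since the comparison with `@.lan.ips` is now commented out, `_set_lan_ip` pushes the list on every run; if that is deliberate a one-line comment saying so would save the next reader from restoring the check. `_set_lan_ip` is fully inside the hunk; `_set_wan_ip` above it starts before the hunk.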
@@ -814,6 +851,7 @@ _vps_firewall_redirect_port() { EOF src_dport='2-64999' fi + [ -n "$src_dport" ] && src_dport=$(echo $src_dport | sed 's/:/-/') if [ -n "$src_dport" ] && [ "$(echo $src_dport | cut -d'-' -f2)" -ge "65000" ]; then logger -t "OMR-VPS" "You can't redirect ports >= 65000, they are needed by OpenMPTCProuter Server part" enabled="0" @@ -1371,6 +1409,12 @@ _set_config_from_vps() { set openmptcprouter.${servername}.redirect_ports=$redirect EOF + # Wireguard settings + wireguard_key="$(echo "$vps_config" | jsonfilter -q -e '@.wireguard.key')" + uci -q batch <<-EOF >/dev/null + set openmptcprouter.${servername}.wgkey=$wireguard_key + EOF + # MPTCP settings mptcp_path_manager="$(echo "$vps_config" | jsonfilter -q -e '@.mptcp.path_manager')" mptcp_scheduler="$(echo "$vps_config" | jsonfilter -q -e '@.mptcp.scheduler')" @@ -1684,6 +1728,7 @@ _config_service() { [ -z "$(_set_glorytun_vps)" ] && error=1 [ -z "$(_set_openvpn_vps)" ] && error=1 _set_vps_firewall + _set_wireguard_vps fi _backup_list redirect_port="0" @@ -1700,9 +1745,11 @@ _config_service() { #_set_pihole [ -n "$wanips" ] && _set_wan_ip - _set_lan_ip _set_vpn_ip config_load network + lanips="" + config_foreach _get_lan_ip interface + _set_lan_ip config_foreach _delete_client2client route if [ "$(uci -q get openmptcprouter.settings.vpn)" != "openvpn" ] && [ "$(echo "$vps_config" | jsonfilter -q -e '@.client2client.enabled')" == "true" ]; then _set_client2client
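Review bot: `wireguard_key` comes straight from the VPS JSON and is expanded unquoted inside the `uci -q batch` heredoc (`set openmptcprouter.${servername}.wgkey=$wireguard_key`), so a value containing whitespace, a quote or a line break is no longer a single `set` argument, whereas the neighbouring sets on this page quote their values (`remote="${remoteip}"`). A WireGuard public key is base64, so the cheapest defence is a character-class test before the batch, e.g. `case "$wireguard_key" in ""|*[!A-Za-z0-9+/=]*) logger -t "OMR-VPS" "Invalid wireguard key from server"; wireguard_key="";; esac`, followed by `set openmptcprouter.${servername}.wgkey="$wireguard_key"`. An empty value should also be handled explicitly rather than stored, since `_getremoteip` in init.d/mptcpovervpn copies whatever is in `wgkey` into the peer configuration. `_set_config_from_vps` starts before and continues after this hunk.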
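Review bot: `_set_wireguard_vps` is called bare, without the `[ -z "$(...)" ] && error=1` wrapper that `_set_glorytun_vps` and `_set_openvpn_vps` get on the lines just above, so a failed push of the WireGuard peers is not reflected in `error` and the caller treats the configuration as successful. For consistency with its siblings: `[ -z "$(_set_wireguard_vps)" ] && error=1`. `_config_service` starts before and continues after this hunk.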