diff --git a/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua b/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua
index d67470a09..690045e88 100644
--- a/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua
+++ b/luci-app-openmptcprouter/luasrc/controller/openmptcprouter.lua
@@ -497,6 +497,11 @@ function wizard_add()
ucic:save("openmptcprouter")
end
+ -- Get VPN used for MPTCP over VPN
+ local mptcpovervpn_vpn = luci.http.formvalue("mptcpovervpn_vpn") or "wireguard"
+ ucic:set("openmptcprouter","settings","mptcpovervpn",mptcpovervpn_vpn)
+ ucic:save("openmptcprouter")
+
-- Get Proxy set by default
local default_proxy = luci.http.formvalue("default_proxy") or "shadowsocks"
if default_proxy == "shadowsocks" and serversnb > 0 and serversnb > disablednb then
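Review bot: The form value `mptcpovervpn_vpn` is persisted to `openmptcprouter.settings.mptcpovervpn` without being checked against the two values the init script understands, so any other string reaches `/etc/init.d/mptcpovervpn`, where `vpn` is only defaulted when empty and neither the openvpn nor the wireguard branch then configures a tunnel. Validate before the `ucic:set`: `if mptcpovervpn_vpn ~= "openvpn" and mptcpovervpn_vpn ~= "wireguard" then mptcpovervpn_vpn = "wireguard" end`. The `or "wireguard"` fallback here also differs from the `openvpn` fallback used in `start_service` of the init script in this same commit; the two should agree so a wizard run without the field and a fresh install behave the same. wizard_add starts before and continues after this hunk.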
diff --git a/luci-app-openmptcprouter/luasrc/view/openmptcprouter/wizard.htm b/luci-app-openmptcprouter/luasrc/view/openmptcprouter/wizard.htm
index 02e20ebad..f5f028568 100644
--- a/luci-app-openmptcprouter/luasrc/view/openmptcprouter/wizard.htm
+++ b/luci-app-openmptcprouter/luasrc/view/openmptcprouter/wizard.htm
@@ -365,6 +365,23 @@
+
+ <%:MPTCP over VPN settings%>
+ <%:MPTCP over VPN should be used only when Multipath TCP is blocked on a connection.%>
+
+
<%:MPTCP over VPN%>
+
+
+ <% if nixio.fs.access("/etc/init.d/openvpn") then %>selected="selected"<% end %>>OpenVPN <% end %>
+ <% if nixio.fs.access("/usr/bin/wg") then %>selected="selected"<% end %>>WireGuard <% end %>
+
+
+
+ <%:Set VPN to use for MPTCP over VPN.%>
+
+
+
+
diff --git a/openmptcprouter-full/Makefile b/openmptcprouter-full/Makefile
index f5b008643..2c844f62d 100644
--- a/openmptcprouter-full/Makefile
+++ b/openmptcprouter-full/Makefile
@@ -81,7 +81,8 @@ MY_DEPENDS := \
!TARGET_mvebu:luci-proto-qmi wpad-basic kmod-mt7601u kmod-rtl8187 \
luci-app-mlvpn mlvpn 464xlat !TARGET_mvebu:kmod-usb-net-smsc75xx kmod-zram kmod-swconfig swconfig kmod-ipt-nat kmod-ipt-nat6 luci-app-https-dns-proxy kmod-tcp-nanqinlang (TARGET_x86_64||aarch64):kmod-tcp-bbr2 iptables-mod-ipopt igmpproxy ss iptraf-ng \
luci-app-acl block-mount blockd fstools luci-app-shutdown libwebp luci-proto-gre tcptraceroute luci-proto-mbim kmod-rtl8xxxu kmod-ath9k-htc luci-app-ttyd luci-mod-dashboard (TARGET_x86||TARGET_x86_64):rtl8192eu-firmware kmod-usb2 libustream-wolfssl (TARGET_x86||TARGET_x86_64):kmod-ixgbevf \
- hwinfo (TARGET_x86||TARGET_x86_64):dmidecode luci-app-packet-capture kmod-bonding luci-proto-bonding luci-app-sysupgrade
+ hwinfo (TARGET_x86||TARGET_x86_64):dmidecode luci-app-packet-capture kmod-bonding luci-proto-bonding luci-app-sysupgrade \
+ luci-theme-openwrt-2020 luci-proto-wireguard luci-app-wireguard
# luci-theme-bootstrap luci-theme-openwrt-2020 luci-theme-openwrt luci-app-status
# luci-proto-bonding luci-app-statistics luci-proto-gre
# softethervpn5-client softethervpn5-server luci-app-nginx-ha
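Review bot: `luci-theme-openwrt-2020` on the added dependency line is still listed in the commented-out candidate list directly below, so that comment is now stale and should lose the name. `luci-proto-wireguard` presumably brings in `wireguard-tools`, which the updated mptcpovervpn init script relies on for `wg genkey`/`wg pubkey`; if the kernel module is not pulled in transitively on the targets built here, `kmod-wireguard` would need to be listed explicitly as well.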
diff --git a/openmptcprouter/files/etc/init.d/mptcpovervpn b/openmptcprouter/files/etc/init.d/mptcpovervpn
index a2f7d97e4..4f2825e47 100755
--- a/openmptcprouter/files/etc/init.d/mptcpovervpn
+++ b/openmptcprouter/files/etc/init.d/mptcpovervpn
@@ -9,7 +9,10 @@
}
_getremoteip() {
- [ "$(uci -q get openmptcprouter.$1.master)" = "1" ] && remoteip=$(uci -q get openmptcprouter.$1.ip | awk '{print $1}')
+ [ "$(uci -q get openmptcprouter.$1.master)" = "1" ] && {
+ remoteip=$(uci -q get openmptcprouter.$1.ip | awk '{print $1}')
+ wg_server_key=$(uci -q get openmptcprouter.$1.wgkey)
+ }
}
mptcp_over_vpn() {
@@ -20,19 +23,22 @@ mptcp_over_vpn() {
uci -q batch <<-EOF >/dev/null
delete openmptcprouter.${interface}
delete network.ovpn${interface}
+ delete network.wg${interface}
delete openvpn.${interface}
commit openvpn
delete openmptcprouter.${interface}
delete openmptcprouter.ovpn${interface}
+ delete openmptcprouter.wg${interface}
commit openmptcprouter
commit network
del_list firewall.zone_vpn.network="ovpn${interface}"
+ del_list firewall.zone_vpn.network="wg${interface}"
commit firewall
EOF
return
fi
nbintfvpn=$(($nbintfvpn+1))
- if [ "$(uci -q get network.ovpn${interface})" = "" ]; then
+ if [ "$(uci -q get network.ovpn${interface})" = "" ] && [ "$vpn" = "openvpn" ]; then
logger -t "MPTCPoverVPN" "Enable MPTCP over VPN for ${interface}"
id=$(uci -q get network.${interface}.metric)
remoteip=""
@@ -43,42 +49,108 @@ mptcp_over_vpn() {
[ -n "$(uci -q get openmptcprouter.ovpn${interface}.multipath)" ] && multipath=$(uci -q get openmptcprouter.ovpn${interface}.multipath)
[ -z "$multipath" ] && multipath="on"
uci -q batch <<-EOF >/dev/null
- set network.ovpn${interface}=interface
- set network.ovpn${interface}.ifname="tun${id}"
- set network.ovpn${interface}.defaultroute='0'
- set network.ovpn${interface}.peerdns='0'
- set network.ovpn${interface}.proto='none'
- set network.ovpn${interface}.ip4table='wan'
- set network.ovpn${interface}.multipath="${multipath}"
- set network.${interface}.multipath='off'
- commit network
- set openvpn.${interface}=openvpn
- set openvpn.${interface}.dev="tun${id}"
- set openvpn.${interface}.cipher='AES-256-CBC'
- set openvpn.${interface}.port='65301'
- set openvpn.${interface}.remote="${remoteip}"
- set openvpn.${interface}.local="${localip}"
- set openvpn.${interface}.lport='0'
- set openvpn.${interface}.ncp_disable='1'
- set openvpn.${interface}.auth_nocache='1'
- set openvpn.${interface}.proto='udp'
- set openvpn.${interface}.client='1'
- set openvpn.${interface}.enabled='1'
- set openvpn.${interface}.allow_recursive_routing='1'
- set openvpn.${interface}.key='/etc/luci-uploads/client.key'
- set openvpn.${interface}.cert='/etc/luci-uploads/client.crt'
- set openvpn.${interface}.ca='/etc/luci-uploads/ca.crt'
- commit openvpn
- set openmptcprouter.${interface}.multipath="off"
- set openmptcprouter.${interface}.multipathvpn="1"
- set openmptcprouter.ovpn${interface}="interface"
- set openmptcprouter.ovpn${interface}.multipath="${multipath}"
- set openmptcprouter.ovpn${interface}.vpn="1"
- set openmptcprouter.ovpn${interface}.baseintf="${interface}"
+ delete network.wg${interface}
+ delete openmptcprouter.wg${interface}
commit openmptcprouter
- add_list firewall.zone_vpn.network="ovpn${interface}"
+ commit network
+ del_list firewall.zone_vpn.network="wg${interface}"
commit firewall
EOF
+
+ uci -q batch <<-EOF >/dev/null
+ set network.ovpn${interface}=interface
+ set network.ovpn${interface}.ifname="tun${id}"
+ set network.ovpn${interface}.defaultroute='0'
+ set network.ovpn${interface}.peerdns='0'
+ set network.ovpn${interface}.proto='none'
+ set network.ovpn${interface}.ip4table='wan'
+ set network.ovpn${interface}.multipath="${multipath}"
+ set network.${interface}.multipath='off'
+ commit network
+ set openvpn.${interface}=openvpn
+ set openvpn.${interface}.dev="tun${id}"
+ set openvpn.${interface}.cipher='AES-256-CBC'
+ set openvpn.${interface}.port='65301'
+ set openvpn.${interface}.remote="${remoteip}"
+ set openvpn.${interface}.local="${localip}"
+ set openvpn.${interface}.lport='0'
+ set openvpn.${interface}.ncp_disable='1'
+ set openvpn.${interface}.auth_nocache='1'
+ set openvpn.${interface}.proto='udp'
+ set openvpn.${interface}.client='1'
+ set openvpn.${interface}.enabled='1'
+ set openvpn.${interface}.allow_recursive_routing='1'
+ set openvpn.${interface}.key='/etc/luci-uploads/client.key'
+ set openvpn.${interface}.cert='/etc/luci-uploads/client.crt'
+ set openvpn.${interface}.ca='/etc/luci-uploads/ca.crt'
+ commit openvpn
+ set openmptcprouter.${interface}.multipath="off"
+ set openmptcprouter.${interface}.multipathvpn="1"
+ set openmptcprouter.ovpn${interface}="interface"
+ set openmptcprouter.ovpn${interface}.multipath="${multipath}"
+ set openmptcprouter.ovpn${interface}.vpn="1"
+ set openmptcprouter.ovpn${interface}.baseintf="${interface}"
+ commit openmptcprouter
+ add_list firewall.zone_vpn.network="ovpn${interface}"
+ commit firewall
+ EOF
+ elif [ "$(uci -q get network.wg${interface})" = "" ] && [ "$vpn" = "wireguard" ]; then
+ logger -t "MPTCPoverVPN" "Enable MPTCP over VPN for ${interface}"
+ id=$(uci -q get network.${interface}.metric)
+ remoteip=""
+ wg_server_key=""
+ config_load openmptcprouter
+ config_foreach _getremoteip server
+ metric=$(uci -q get network.${interface}.metric)
+ [ -z "$(uci -q get openmptcprouter.wg${interface}.multipath)" ] && multipath=$(uci -q get network.${interface}.multipath)
+ [ -n "$(uci -q get openmptcprouter.wg${interface}.multipath)" ] && multipath=$(uci -q get openmptcprouter.wg${interface}.multipath)
+ [ -z "$multipath" ] && multipath="on"
+ private_key=$(wg genkey | tr -d "\n")
+ public_key=$(echo $private_key | wg pubkey | tr -d "\n")
+ uci -q batch <<-EOF >/dev/null
+ delete network.ovpn${interface}
+ delete openvpn.${interface}
+ commit openvpn
+ delete openmptcprouter.ovpn${interface}
+ commit openmptcprouter
+ commit network
+ del_list firewall.zone_vpn.network="ovpn${interface}"
+ commit firewall
+ EOF
+
+ uci -q batch <<-EOF >/dev/null
+ set network.wg${interface}=interface
+ set network.wg${interface}.nohostroute='1'
+ set network.wg${interface}.proto='wireguard'
+ set network.wg${interface}.fwmark="0x539${metric}"
+ del_list network.wg${interface}.addresses
+ add_list network.wg${interface}.addresses='10.255.247.${metric}/24'
+ set network.wg${interface}.private_key="${private_key}"
+ set network.wg${interface}.gateway="10.255.247.1"
+ set network.wg${interface}.public_key="${public_key}"
+ set network.wg${interface}.multipath="${multipath}"
+ set network.${interface}.multipath='off'
+ add network wireguard_wg${interface}
+ set network.@wireguard_wg${interface}[0]=wireguard_wg${interface}
+ set network.@wireguard_wg${interface}[0].description="Wireguard on ${interface}"
+ set network.@wireguard_wg${interface}[0].endpoint_host="${remoteip}"
+ set network.@wireguard_wg${interface}[0].endpoint_port="65311"
+ set network.@wireguard_wg${interface}[0].persistent_keepalive="28"
+ del_list network.@wireguard_wg${interface}[0].allowed_ips
+ add_list network.@wireguard_wg${interface}[0].allowed_ips="0.0.0.0/0"
+ set network.@wireguard_wg${interface}[0].public_key="${wg_server_key}"
+ commit network
+ set openmptcprouter.${interface}.multipath="off"
+ set openmptcprouter.${interface}.multipathvpn="1"
+ set openmptcprouter.wg${interface}="interface"
+ set openmptcprouter.wg${interface}.multipath="${multipath}"
+ set openmptcprouter.wg${interface}.vpn="1"
+ set openmptcprouter.wg${interface}.baseintf="${interface}"
+ commit openmptcprouter
+ add_list firewall.zone_vpn.network="wg${interface}"
+ commit firewall
+ EOF
+ ubus call network reload 2>&1 >/dev/null
else
uci -q batch <<-EOF >/dev/null
set network.${interface}.multipath='off'
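Review bot: The WireGuard branch writes `wg_server_key` and `remoteip` straight into the peer section (`public_key="${wg_server_key}"`, `endpoint_host="${remoteip}"`) without checking that `_getremoteip` found anything, so a router whose VPS config has not yet delivered a `wgkey` gets a peer with an empty public key and `network reload` brings up a tunnel that can never handshake. Guard before the key generation: `{ [ -z "$wg_server_key" ] || [ -z "$remoteip" ]; } && { logger -t "MPTCPoverVPN" "No WireGuard server key or IP for ${interface}, skipping"; return; }`. Two smaller points in the same branch: `ubus call network reload 2>&1 >/dev/null` sends stderr to the original stdout before stdout is discarded, so `>/dev/null 2>&1` is presumably what was meant, and the tunnel address `10.255.247.${metric}/24` reuses the interface metric as the last octet, which collides with the `10.255.247.1` gateway when the metric is 1 and is not a valid address when it is empty or above 254. mptcp_over_vpn starts before and ends after this hunk.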
@@ -92,6 +164,7 @@ mptcp_over_vpn() {
multipath=$(uci -q get openmptcprouter.ovpn${interface}.multipath)
[ -z "$multipath" ] && multipath="on"
uci -q batch <<-EOF >/dev/null
+ delete network.wg${interface}
delete network.ovpn${interface}
delete openvpn.${interface}
commit openvpn
@@ -99,13 +172,16 @@ mptcp_over_vpn() {
set network.${interface}.multipath="${multipath}"
set openmptcprouter.${interface}.multipathvpn="0"
delete openmptcprouter.ovpn${interface}
+ delete openmptcprouter.wg${interface}
commit openmptcprouter
commit network
del_list firewall.zone_vpn.network="ovpn${interface}"
+ del_list firewall.zone_vpn.network="wg${interface}"
commit firewall
EOF
elif [ "$(uci -q get openmptcprouter.${interface}.vpn)" = "1" ]; then
intf="$(echo ${interface} | sed 's/ovpn//g')"
+ [ "$intf" = "$interface" ] && intf="$(echo ${interface} | sed 's/wg//g')"
if [ -n "$intf" ] && [ "$intf" != "$interface" ] && [ "$(uci -q get network.${intf})" = "" ]; then
uci -q batch <<-EOF >/dev/null
delete network.${interface}
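Review bot: `sed 's/wg//g'` on the added line strips every `wg` substring from the interface name rather than a leading prefix, so a base interface whose own name contains `wg` is mangled and the following `uci -q get network.${intf}` lookup targets the wrong section (the pre-existing `ovpn` line has the same shape). Use a prefix strip instead: `[ "$intf" = "$interface" ] && intf="${interface#wg}"`. The `-n "$intf"` and `"$intf" != "$interface"` tests on the next line still cover the no-prefix case. mptcp_over_vpn continues outside the hunk.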
@@ -126,6 +202,8 @@ start_service()
{
nbintf=0
nbintfvpn=0
+ vpn="$(uci -q get openmptcprouter.settings.mptcpovervpn)"
+ [ -z "$vpn" ] && vpn="openvpn"
config_load openmptcprouter
config_foreach mptcp_over_vpn interface
if [ "$nbintf" = "$nbintfvpn" ] && [ "$nbintf" != "0" ]; then
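Review bot: `vpn` is only defaulted when empty, so any value other than `openvpn` or `wireguard` stored in `openmptcprouter.settings.mptcpovervpn` (the wizard in this commit writes the form value unvalidated) makes both `$vpn` tests in mptcp_over_vpn fail and drops every interface onto the plain `else` path with no tunnel. Normalize it here instead: `case "$vpn" in openvpn|wireguard) ;; *) vpn="openvpn" ;; esac`. The fallback here is `openvpn` while the wizard defaults to `wireguard`; the two should agree. start_service continues outside the hunk.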
diff --git a/openmptcprouter/files/etc/init.d/openmptcprouter-vps b/openmptcprouter/files/etc/init.d/openmptcprouter-vps
index 265446b56..f5e2c977e 100755
--- a/openmptcprouter/files/etc/init.d/openmptcprouter-vps
+++ b/openmptcprouter/files/etc/init.d/openmptcprouter-vps
@@ -140,6 +140,29 @@ _set_openvpn_vps() {
fi
}
+_set_wireguard_vps() {
+ local enabled port key
+ ipskey=""
+ _get_wg_ipskey() {
+ local interface=$1
+ proto=$(uci -q get network.${interface}.proto)
+ if [ "$proto" = "wireguard" ]; then
+ ip="$(uci -q get network.${interface}.addresses)"
+ key="$(uci -q get network.${interface}.public_key)"
+ if [ -z "$ipskey" ]; then
+ ipskey='{"ip": "'$ip'", "key": "'$key'"}'
+ else
+ ipskey=$ipskey',{"ip": "'$ip'", "key": "'$key'"}'
+ fi
+ fi
+ }
+ config_load network
+ config_foreach _get_wg_ipskey interface
+ local settings
+ settings='{"peers": ['$ipskey']}'
+ echo $(_set_json "wireguard" "$settings")
+}
+
get_openvpn_key() {
servername=$2
[ -z "$vps_config" ] && vps_config=$(_get_json "config")
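Review bot: `_get_wg_ipskey` registers every interface with `proto=wireguard`, not only the `wg${interface}` tunnels that mptcpovervpn creates, so a user-configured WireGuard interface on the router would be sent to the VPS as a peer too; if that is unintended, add `&& [ "$(uci -q get openmptcprouter.${interface}.vpn)" = "1" ]` to the `proto` test, which is the marker mptcpovervpn sets on its own sections. The `local enabled port key` line declares `enabled` and `port` that are never used while `ipskey`, `proto` and `ip` are left global; `local ipskey proto ip key` would match the rest of the file. Building the peers JSON by string concatenation also produces a single `ip` string containing several addresses if `addresses` ever holds more than one entry (`uci get` returns them space-separated); if jshn is sourced elsewhere in this file, `json_add_array`/`json_add_object` would be the safer way to build it.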
@@ -728,14 +751,28 @@ _set_wan_ip() {
fi
}
+_get_lan_ip() {
+ local intf=$1
+ if [ "$(uci -q get firewall.zone_lan.network | grep $intf)" != "" ]; then
+ lanip="$(uci -q get network.${intf}.ipaddr)/$(uci -q get network.${intf}.netmask)"
+ if [ "$lanip" != "/" ]; then
+ if [ -z "$lanips" ]; then
+ lanips='"'${lanip}'"'
+ else
+ lanips='"'$lanips'" "'${lanip}'"'
+ fi
+ fi
+ fi
+}
+
_set_lan_ip() {
local settings
[ -z "$vps_config" ] && vps_config=$(_get_json "config")
[ -z "$vps_config" ] && return
- lanip_current="$(echo "$vps_config" | jsonfilter -q -e '@.lan.ips')"
- lanips="$(uci -q get network.lan.ipaddr)/$(uci -q get network.lan.netmask)"
- if [ "$lanips" != "/" ] && [ "$lanip_current" != "$lanips" ]; then
- settings='{"lanips" : ["'$lanips'"]}'
+ #lanip_current="$(echo "$vps_config" | jsonfilter -q -e '@.lan.ips')"
+ #if [ "$lanips" != "" ] && [ "$lanip_current" != "$lanips" ]; then
+ if [ "$lanips" != "" ]; then
+ settings='{"lanips" : ['$lanips']}'
result=$(_set_json "lan" "$settings")
fi
}
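Review bot: The accumulator in `_get_lan_ip` produces invalid JSON once a second LAN interface matches: after the first pass `lanips` already carries its quotes, so `lanips='"'$lanips'" "'${lanip}'"'` wraps it in a second pair and separates the entries with a space instead of a comma, and `{"lanips" : ['$lanips']}` is then rejected by the receiver. Append with `lanips=$lanips',"'${lanip}'"'` instead. The membership test `grep $intf` on `firewall.zone_lan.network` is an unanchored substring match, so `lan` also matches `lan2` or `wlan`; `grep -w` or a `case " $list " in *" $intf "*)` test is exact. With the comparison against `@.lan.ips` commented out the LAN list is now pushed to the VPS on every `_config_service` run; a one-line comment saying that is deliberate would help the next reader.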
@@ -814,6 +851,7 @@ _vps_firewall_redirect_port() {
EOF
src_dport='2-64999'
fi
+ [ -n "$src_dport" ] && src_dport=$(echo $src_dport | sed 's/:/-/')
if [ -n "$src_dport" ] && [ "$(echo $src_dport | cut -d'-' -f2)" -ge "65000" ]; then
logger -t "OMR-VPS" "You can't redirect ports >= 65000, they are needed by OpenMPTCProuter Server part"
enabled="0"
@@ -1371,6 +1409,12 @@ _set_config_from_vps() {
set openmptcprouter.${servername}.redirect_ports=$redirect
EOF
+ # Wireguard settings
+ wireguard_key="$(echo "$vps_config" | jsonfilter -q -e '@.wireguard.key')"
+ uci -q batch <<-EOF >/dev/null
+ set openmptcprouter.${servername}.wgkey=$wireguard_key
+ EOF
+
# MPTCP settings
mptcp_path_manager="$(echo "$vps_config" | jsonfilter -q -e '@.mptcp.path_manager')"
mptcp_scheduler="$(echo "$vps_config" | jsonfilter -q -e '@.mptcp.scheduler')"
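Review bot: `set openmptcprouter.${servername}.wgkey=$wireguard_key` is written even when `jsonfilter` returns nothing (a VPS that does not yet report `@.wireguard.key`), which leaves an empty `wgkey` that mptcpovervpn later copies into the peer's `public_key`. Guard it and quote the value like the other `set` lines in this file: `[ -n "$wireguard_key" ] && uci -q set openmptcprouter.${servername}.wgkey="$wireguard_key"`, dropping the one-line batch. _set_config_from_vps continues outside the hunk.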
@@ -1684,6 +1728,7 @@ _config_service() {
[ -z "$(_set_glorytun_vps)" ] && error=1
[ -z "$(_set_openvpn_vps)" ] && error=1
_set_vps_firewall
+ _set_wireguard_vps
fi
_backup_list
redirect_port="0"
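Review bot: Unlike the `_set_glorytun_vps` and `_set_openvpn_vps` calls two lines above, the result of `_set_wireguard_vps` is neither captured nor checked, so a failed WireGuard peer upload does not set `error=1` and the response it `echo`s goes to the service's stdout. Make it `[ -z "$(_set_wireguard_vps)" ] && error=1` for consistency with its siblings. _config_service continues outside the hunk.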
@@ -1700,9 +1745,11 @@ _config_service() {
#_set_pihole
[ -n "$wanips" ] && _set_wan_ip
- _set_lan_ip
_set_vpn_ip
config_load network
+ lanips=""
+ config_foreach _get_lan_ip interface
+ _set_lan_ip
config_foreach _delete_client2client route
if [ "$(uci -q get openmptcprouter.settings.vpn)" != "openvpn" ] && [ "$(echo "$vps_config" | jsonfilter -q -e '@.client2client.enabled')" == "true" ]; then
_set_client2client