From e0d649c330362a53a7d08181875e93538470a7c3 Mon Sep 17 00:00:00 2001 
From: Tom Herbers Date: Fri, 5 Jan 2024 02:18:45 +0100 Subject: [PATCH] gluon-mesh-vpn-tunneldigger: drop package (#3109) The Gluon Tunneldigger protocol handler hasn't received the care and attention a core package, especially a VPN protocol, should. Due to the work in #2102 it's no longer required to maintain VPN handlers in the Gluon Core and they can instead be included via a package feed. Users who wish to continue using a supported core Gluon package are encouraged to take a look at fastd in conjunction with its null@l2tp method. It offers roughly the same performance (it's using the same principle of operation) and supports connections via IPv6 as a bonus. In general it should be possible to change the VPN protocol used asynchronously with a normal update. If Gluon users wish to continue using tunneldigger the recommendation is to participate in the development of tunneldigger inside our community-packages. --- .github/labeler.yml | 2 - docs/dev/packages.rst | 4 +- docs/features/multidomain.rst | 1 - docs/features/vpn.rst | 11 +- docs/user/mtu.rst | 124 +++++++++--------- docs/user/site.rst | 14 +- package/features | 1 - .../luasrc/lib/gluon/mesh-vpn/update-config | 5 - package/gluon-mesh-vpn-tunneldigger/Makefile | 12 -- .../check_site.lua | 2 - .../lib/gluon/mesh-vpn/provider/tunneldigger | 0 .../lib/gluon/reload.d/310-tunneldigger-stop | 2 - .../lib/gluon/reload.d/790-tunneldigger-start | 2 - .../usr/lib/micron.d/tunneldigger-watchdog | 1 - .../gluon/upgrade/400-mesh-vpn-tunneldigger | 19 --- .../luasrc/usr/bin/tunneldigger-watchdog | 31 ----- .../gluon/mesh-vpn/provider/tunneldigger.lua | 46 ------- 17 files changed, 66 insertions(+), 211 deletions(-) delete mode 100644 package/gluon-mesh-vpn-tunneldigger/Makefile delete mode 100644 package/gluon-mesh-vpn-tunneldigger/check_site.lua delete mode 100644 package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/mesh-vpn/provider/tunneldigger delete mode 100755 
package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/310-tunneldigger-stop delete mode 100755 package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/790-tunneldigger-start delete mode 100644 package/gluon-mesh-vpn-tunneldigger/files/usr/lib/micron.d/tunneldigger-watchdog delete mode 100755 package/gluon-mesh-vpn-tunneldigger/luasrc/lib/gluon/upgrade/400-mesh-vpn-tunneldigger delete mode 100755 package/gluon-mesh-vpn-tunneldigger/luasrc/usr/bin/tunneldigger-watchdog delete mode 100644 package/gluon-mesh-vpn-tunneldigger/luasrc/usr/lib/lua/gluon/mesh-vpn/provider/tunneldigger.lua diff --git a/.github/labeler.yml b/.github/labeler.yml index f4f706039a..ebe74d062a 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -47,8 +47,6 @@ - package/gluon-status-page/** "3. topic: tests": - tests/** -"3. topic: tunneldigger": - - package/gluon-mesh-vpn-tunneldigger/** "3. topic: wireguard": - package/gluon-mesh-vpn-wireguard/** "3. topic: wireless": diff --git a/docs/dev/packages.rst b/docs/dev/packages.rst index 286a3014ac..2be2dc0051 100644 --- a/docs/dev/packages.rst +++ b/docs/dev/packages.rst @@ -196,7 +196,7 @@ Example:: 'gluon-config-mode-outdoor', }) - when(_'web-wizard' and (_'mesh-vpn-fastd' or _'mesh-vpn-tunneldigger'), { + when(_'web-wizard' and _'mesh-vpn-fastd' or _'mesh-vpn-wireguard'), { 'gluon-config-mode-mesh-vpn', }) @@ -211,5 +211,5 @@ This will corresponding feature flags are evaluated as selected in the image-customization.lua file * enable four additional config mode packages when the *web-wizard* feature is enabled * enable *gluon-config-mode-mesh-vpn* when both *web-wizard* and one - of *mesh-vpn-fastd* and *mesh-vpn-tunneldigger* are enabled + of *mesh-vpn-fastd* and *mesh-vpn-wireguard* are enabled * disable the *gluon-radvd* package when *gluon-no-radvd* is enabled diff --git a/docs/features/multidomain.rst b/docs/features/multidomain.rst index 853949fabf..5d80bdf62c 100644 --- a/docs/features/multidomain.rst 
+++ b/docs/features/multidomain.rst @@ -206,7 +206,6 @@ domain.conf only variables - wifi*.mesh.id - mesh_vpn.fastd.groups.*.peers.remotes - mesh_vpn.fastd.groups.*.peers.key - - mesh_vpn.tunneldigger.brokers - Clients consider WiFi networks sharing the same ESSID as if they were the same L2 network and try to reconfirm and reuse previous diff --git a/docs/features/vpn.rst b/docs/features/vpn.rst index 4636869d65..29be962447 100644 --- a/docs/features/vpn.rst +++ b/docs/features/vpn.rst @@ -7,7 +7,7 @@ allow connections between local meshes through the internet. Protocol handlers ^^^^^^^^^^^^^^^^^ -There are currently three protocol handlers which can be selected +There are currently two protocol handlers which can be selected as a feature: mesh-vpn-fastd @@ -24,15 +24,6 @@ work around the context-switching bottleneck, but it comes at the cost of losing the ability to protect tunnel connections against eavesdropping or manipulation. -mesh-vpn-tunneldigger -""""""""""""""""""""" - -Tunneldigger always uses L2TPv3, generally achieving the same -performance as fastd with the ``null@l2tp`` method, but offering -no security. -Tunneldigger's primary drawback is the lack of IPv6 support. -It also provides less configurability than fastd. - mesh-vpn-wireguard """""""""""""""""" diff --git a/docs/user/mtu.rst b/docs/user/mtu.rst index 1891994ecf..33cf0a8ee8 100644 --- a/docs/user/mtu.rst +++ b/docs/user/mtu.rst 
@@ -84,19 +84,19 @@ VPN Protocol Overhead (IPv4) Overhead of the VPN protocol layers in bytes on top of an Ethernet frame. -+----------+-------+--------------+-----------+ -| | fastd | Tunneldigger | WireGuard | -+==========+=======+==============+===========+ -| IPv4 | 20 | 20 | 20 | -+----------+-------+--------------+-----------+ -| UDP | 8 | 8 | 8 | -+----------+-------+--------------+-----------+ -| Protocol | 24 | 8 | 32 | -+----------+-------+--------------+-----------+ -| TAP | 14 | 14 | / | -+----------+-------+--------------+-----------+ -| Sum | 66 | 50 | 60 | -+----------+-------+--------------+-----------+ ++----------+-------+-----------+ +| | fastd | WireGuard | ++==========+=======+===========+ +| IPv4 | 20 | 20 | ++----------+-------+-----------+ +| UDP | 8 | 8 | ++----------+-------+-----------+ +| Protocol | 24 | 32 | ++----------+-------+-----------+ +| TAP | 14 | / | ++----------+-------+-----------+ +| Sum | 66 | 60 | ++----------+-------+-----------+ Intermediate Layer Overhead ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -104,21 +104,21 @@ Intermediate Layer Overhead Overhead of additional layers on top of the VPN packet needed for different VPN providers. -+------------+-------+--------------+-----------+ -| | fastd | Tunneldigger | WireGuard | -+============+=======+==============+===========+ -| IPv6 | / | / | 40 | -+------------+-------+--------------+-----------+ -| vxlan | / | / | 16 | -+------------+-------+--------------+-----------+ -| Ethernet | / | / | 14 | -+------------+-------+--------------+-----------+ -| Batman v15 | 18 | 18 | 18 | -+------------+-------+--------------+-----------+ -| Ethernet | 14 | 14 | 14 | -+------------+-------+--------------+-----------+ -| Sum | 32 | 32 | 102 | -+------------+-------+--------------+-----------+ ++------------+-------+-----------+ +| | fastd | WireGuard | ++============+=======+===========+ +| IPv6 | / | 40 | ++------------+-------+-----------+ +| vxlan | / | 16 | ++------------+-------+-----------+ +| Ethernet | / | 14 | ++------------+-------+-----------+ +| Batman v15 | 18 | 18 | ++------------+-------+-----------+ +| Ethernet | 14 | 14 | ++------------+-------+-----------+ +| Sum | 32 | 102 | ++------------+-------+-----------+ Minimum MTU ^^^^^^^^^^^ @@ -128,7 +128,7 @@ avoid fragmentation. Suggestions: -- This configuration is only suggested for fastd and Tunneldigger. +- This configuration is only suggested for fastd. - For WireGuard, this configuration is **unsuitable**. To obtain a 1280 byte payload with our protocol stack (see below), the Ethernet frame payload would 
@@ -136,21 +136,21 @@ Suggestions: a (worst case) MTU of only 1436 (with DSLite), this packet would be too long for the WAN network. -+-------------------------------+-------+--------------+-----------+ -| | fastd | Tunneldigger | WireGuard | -+===============================+=======+==============+===========+ -| max unfragmented payload\* | 1280 | 1280 | 1280 | -+-------------------------------+-------+--------------+-----------+ -| intermediate layer overhead | 32 | 32 | 102 | -+-------------------------------+-------+--------------+-----------+ -| VPN MTU\*\* | 1312 | 1312 | 1382 | -+-------------------------------+-------+--------------+-----------+ -| protocol overhead (IPv4) | 66 | 50 | 60 | -+-------------------------------+-------+--------------+-----------+ -| min acceptable WAN MTU (IPv4) | 1378 | 1362 | **1442** | -+-------------------------------+-------+--------------+-----------+ -| min acceptable WAN MTU (IPv6) | 1398 | 1382 | 1462 | -+-------------------------------+-------+--------------+-----------+ ++-------------------------------+-------+-----------+ +| | fastd | WireGuard | ++===============================+=======+===========+ +| max unfragmented payload\* | 1280 | 1280 | ++-------------------------------+-------+-----------+ +| intermediate layer overhead | 32 | 102 | ++-------------------------------+-------+-----------+ +| VPN MTU\*\* | 1312 | 1382 | ++-------------------------------+-------+-----------+ +| protocol overhead (IPv4) | 66 | 60 | ++-------------------------------+-------+-----------+ +| min acceptable WAN MTU (IPv4) | 1378 | **1442** | ++-------------------------------+-------+-----------+ +| min acceptable WAN MTU (IPv6) | 1398 | 1462 | ++-------------------------------+-------+-----------+ \* Maximum size of payload going into the bat0 interface, that will not be fragmented by batman. 
@@ -164,26 +164,26 @@ Calculation of different derived MTUs based on a maximum WAN MTU of 1436. Suggestions: -- This configuration can be used for fastd and Tunneldigger. +- This configuration can be used for fastd. - For WireGuard, this is the recommended configuration. batman-adv will fragment larger packets transparently to avoid packet loss. -+-------------------------------+-------+--------------+-----------+ -| | fastd | Tunneldigger | WireGuard | -+===============================+=======+==============+===========+ -| min acceptable WAN MTU (IPv4) | 1436 | 1436 | 1436 | -+-------------------------------+-------+--------------+-----------+ -| protocol overhead (IPv4) | 66 | 50 | 60 | -+-------------------------------+-------+--------------+-----------+ -| VPN MTU\*\* | 1370 | 1386 | 1376 | -+-------------------------------+-------+--------------+-----------+ -| intermediate layer overhead | 32 | 32 | 102 | -+-------------------------------+-------+--------------+-----------+ -| max unfragmented payload\* | 1338 | 1354 | 1274 | -+-------------------------------+-------+--------------+-----------+ -| min acceptable WAN MTU (IPv6) | 1398 | 1382 | 1462 | -+-------------------------------+-------+--------------+-----------+ ++-------------------------------+-------+-----------+ +| | fastd | WireGuard | ++===============================+=======+===========+ +| min acceptable WAN MTU (IPv4) | 1436 | 1436 | ++-------------------------------+-------+-----------+ +| protocol overhead (IPv4) | 66 | 60 | ++-------------------------------+-------+-----------+ +| VPN MTU\*\* | 1370 | 1376 | ++-------------------------------+-------+-----------+ +| intermediate layer overhead | 32 | 102 | ++-------------------------------+-------+-----------+ +| max unfragmented payload\* | 1338 | 1274 | ++-------------------------------+-------+-----------+ +| min acceptable WAN MTU (IPv6) | 1398 | 1462 | ++-------------------------------+-------+-----------+ \* Maximum size of payload 
going into the bat0 interface, that will not be fragmented by batman. @@ -219,5 +219,5 @@ Conclusion Determining the maximum MTU can be a tedious process, especially since the PMTU of peers could change at any time. The general recommendation for maximized -compatibility is therefore an MTU of 1312 bytes (for fastd and tunneldigger) -and 1376 bytes (for WireGuard). +compatibility is therefore an MTU of 1312 bytes for fastd +and 1376 bytes for WireGuard. diff --git a/docs/user/site.rst b/docs/user/site.rst index a6adbc0040..7f8f544be6 100644 --- a/docs/user/site.rst +++ b/docs/user/site.rst @@ -320,13 +320,6 @@ mesh_vpn to the peer list, removal and modification of peers can be prevented by setting the *preserve* option of a peer to ``1`` in UCI. - The `tunneldigger` section is used to define the *tunneldigger* broker list. - - **Note:** It doesn't make sense to include both `fastd` and `tunneldigger` - sections in the same configuration file, as only one of the packages *gluon-mesh-vpn-fastd* - and *gluon-mesh-vpn-tunneldigger* should be installed with the current - implementation. - **Note:** It may be interesting to include the package *gluon-iptables-clamp-mss-to-pmtu* in the build when using *gluon-mesh-babel* to work around ICMP black holes on the internet. @@ -386,11 +379,6 @@ mesh_vpn }, }, - tunneldigger = { - mtu = 1312, - brokers = {'vpn1.alpha-centauri.freifunk.net'}, - }, - wireguard = { mtu = 1376, peers = { @@ -682,7 +670,7 @@ package: Includes the *gluon-config-mode-...* base packages (hostname, geolocation and contact info), as well as the *gluon-config-mode-autoupdater* (when *autoupdater* is an enabled feature), - and *gluon-config-mode-mesh-vpn* (when *mesh-vpn-fastd* or *mesh-vpn-tunneldigger* are + and *gluon-config-mode-mesh-vpn* (when *mesh-vpn-fastd* or `mesh-vpn-wireguard` are enabled features) * web-advanced diff --git a/package/features b/package/features index 9dad830392..380775c61a 100644 --- a/package/features +++ b/package/features 
@@ -19,7 +19,6 @@ when(_'web-wizard' and _'autoupdater', { when(_'web-wizard' and ( _'mesh-vpn-fastd' or _'mesh-vpn-fastd-l2tp' or - _'mesh-vpn-tunneldigger' or _'mesh-vpn-wireguard' ), { 'gluon-config-mode-mesh-vpn', diff --git a/package/gluon-mesh-vpn-core/luasrc/lib/gluon/mesh-vpn/update-config b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/mesh-vpn/update-config index 935d0b9ad1..f3aeb1d6c0 100755 --- a/package/gluon-mesh-vpn-core/luasrc/lib/gluon/mesh-vpn/update-config +++ b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/mesh-vpn/update-config @@ -15,11 +15,6 @@ if vpn_name ~= 'fastd' then uci:save('fastd') end -if vpn_name ~= 'tunneldigger' then - uci:set('tunneldigger', 'mesh_vpn', 'enabled', false) - uci:save('tunneldigger') -end - vpn.enable(vpn_config.enabled) if vpn_config.limit_enabled then vpn.set_limit(vpn_config.limit_ingress, vpn_config.limit_egress) diff --git a/package/gluon-mesh-vpn-tunneldigger/Makefile b/package/gluon-mesh-vpn-tunneldigger/Makefile deleted file mode 100644 index 65d0af407e..0000000000 --- a/package/gluon-mesh-vpn-tunneldigger/Makefile +++ /dev/null @@ -1,12 +0,0 @@ -include $(TOPDIR)/rules.mk - -PKG_NAME:=gluon-mesh-vpn-tunneldigger - -include ../gluon.mk - -define Package/gluon-mesh-vpn-tunneldigger - TITLE:=Support for connecting meshes via tunneldigger/L2TPv3 pseudowire - DEPENDS:=+gluon-core +gluon-mesh-vpn-core +tunneldigger +simple-tc -endef - -$(eval $(call BuildPackageGluon,gluon-mesh-vpn-tunneldigger)) diff --git a/package/gluon-mesh-vpn-tunneldigger/check_site.lua b/package/gluon-mesh-vpn-tunneldigger/check_site.lua deleted file mode 100644 index 77ea83c5cf..0000000000 --- a/package/gluon-mesh-vpn-tunneldigger/check_site.lua +++ /dev/null @@ -1,2 +0,0 @@ -need_string_array(in_domain({'mesh_vpn', 'tunneldigger', 'brokers'})) -need_number({'mesh_vpn', 'tunneldigger', 'mtu'}) 
diff --git a/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/mesh-vpn/provider/tunneldigger b/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/mesh-vpn/provider/tunneldigger
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/310-tunneldigger-stop b/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/310-tunneldigger-stop
deleted file mode 100755
index 651530b260..0000000000
--- a/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/310-tunneldigger-stop
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-/etc/init.d/tunneldigger stop
diff --git a/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/790-tunneldigger-start b/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/790-tunneldigger-start
deleted file mode 100755
index 9b174f178b..0000000000
--- a/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/790-tunneldigger-start
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-/etc/init.d/tunneldigger start
diff --git a/package/gluon-mesh-vpn-tunneldigger/files/usr/lib/micron.d/tunneldigger-watchdog b/package/gluon-mesh-vpn-tunneldigger/files/usr/lib/micron.d/tunneldigger-watchdog
deleted file mode 100644
index c4ae3bc6c7..0000000000
--- a/package/gluon-mesh-vpn-tunneldigger/files/usr/lib/micron.d/tunneldigger-watchdog
+++ /dev/null
@@ -1 +0,0 @@
-*/5 * * * * /usr/bin/tunneldigger-watchdog
diff --git a/package/gluon-mesh-vpn-tunneldigger/luasrc/lib/gluon/upgrade/400-mesh-vpn-tunneldigger b/package/gluon-mesh-vpn-tunneldigger/luasrc/lib/gluon/upgrade/400-mesh-vpn-tunneldigger
deleted file mode 100755
index 9888d87eb5..0000000000
--- a/package/gluon-mesh-vpn-tunneldigger/luasrc/lib/gluon/upgrade/400-mesh-vpn-tunneldigger
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/usr/bin/lua
-
-local site = require 'gluon.site'
-local util = require 'gluon.util'
-local vpn_core = require 'gluon.mesh-vpn'
-
-local uci = require('simple-uci').cursor()
-
-
-uci:section('tunneldigger', 'broker', 'mesh_vpn', {
- uuid = util.node_id(),
- interface = vpn_core.get_interface(),
- bind_interface = 'br-wan',
- group = 'gluon-mesh-vpn',
- broker_selection = 'usage',
- address = site.mesh_vpn.tunneldigger.brokers(),
-})
-
-uci:save('tunneldigger')
diff --git a/package/gluon-mesh-vpn-tunneldigger/luasrc/usr/bin/tunneldigger-watchdog b/package/gluon-mesh-vpn-tunneldigger/luasrc/usr/bin/tunneldigger-watchdog
deleted file mode 100755
index 0f1e5603c1..0000000000
--- a/package/gluon-mesh-vpn-tunneldigger/luasrc/usr/bin/tunneldigger-watchdog
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/lua
-
-local uci = require('simple-uci').cursor()
-
-local function restart_tunneldigger()
- os.execute('logger -t tunneldigger-watchdog "Restarting Tunneldigger."')
- os.execute('/etc/init.d/tunneldigger restart')
-end
-
-local function has_mesh_vpn_neighbours()
- local handle = io.popen('batctl o', 'r')
- if not handle then
- return false
- end
- for line in handle:lines() do
- if line:find('mesh%-vpn') then
- handle:close()
- return true
- end
- end
- handle:close()
- return false
-end
-
-if uci:get_bool('tunneldigger', 'mesh_vpn', 'enabled') then
- if not has_mesh_vpn_neighbours() then
- os.execute('logger -t tunneldigger-watchdog "No vpn-mesh neighbours found."')
- restart_tunneldigger()
- return
- end
-end
diff --git a/package/gluon-mesh-vpn-tunneldigger/luasrc/usr/lib/lua/gluon/mesh-vpn/provider/tunneldigger.lua b/package/gluon-mesh-vpn-tunneldigger/luasrc/usr/lib/lua/gluon/mesh-vpn/provider/tunneldigger.lua
deleted file mode 100644
index 9ae67539dd..0000000000
--- a/package/gluon-mesh-vpn-tunneldigger/luasrc/usr/lib/lua/gluon/mesh-vpn/provider/tunneldigger.lua
+++ /dev/null
@@ -1,46 +0,0 @@
-local uci = require('simple-uci').cursor()
-
-local site = require 'gluon.site'
-local vpn_core = require 'gluon.mesh-vpn'
-
-local M = {}
-
-function M.public_key()
- return nil
-end
-
-function M.enable(val)
- uci:set('tunneldigger', 'mesh_vpn', 'enabled', val)
- uci:save('tunneldigger')
-end
-
-function M.active()
- return site.mesh_vpn.tunneldigger() ~= nil
-end
-
-function M.set_limit(ingress_limit, egress_limit)
- if ingress_limit ~= nil then
- uci:set('tunneldigger', 'mesh_vpn', 'limit_bw_down', ingress_limit)
- else
- uci:delete('tunneldigger', 'mesh_vpn', 'limit_bw_down')
- end
-
- if egress_limit ~= nil then
- uci:section('simple-tc', 'interface', 'mesh_vpn', {
- ifname = vpn_core.get_interface(),
- enabled = true,
- limit_egress = egress_limit,
- })
- else
- uci:delete('simple-tc', 'mesh_vpn')
- end
-
- uci:save('tunneldigger')
- uci:save('simple-tc')
-end
-
-function M.mtu()
- return site.mesh_vpn.tunneldigger.mtu()
-end
-
-return M