gluon-mesh-vpn-tunneldigger: drop package

Tunneldigger has quite a few drawbacks in comparison to fastd with L2TP:
 - no IPv6 Support
 - less testing
 - watchdog required

The recomended way forward is to migrate to fastd with the null@l2tp method.

On the Node side this can be simply done via a firmware update.
On the Gateway side it's required to install and configure fastd.

.github/labeler.yml

@@ -47,8 +47,6 @@
   - package/gluon-status-page/**
 "3. topic: tests":
   - tests/**
-"3. topic: tunneldigger":
-  - package/gluon-mesh-vpn-tunneldigger/**
 "3. topic: wireguard":
   - package/gluon-mesh-vpn-wireguard/**
 "3. topic: wireless":

docs/dev/packages.rst

@@ -195,7 +195,7 @@ Example::
       'gluon-config-mode-outdoor',
     })
 
-    when(_'web-wizard' and (_'mesh-vpn-fastd' or _'mesh-vpn-tunneldigger'), {
+    when(_'web-wizard' and _'mesh-vpn-fastd' or _'mesh-vpn-wireguard'), {
       'gluon-config-mode-mesh-vpn',
     })
 
@@ -210,5 +210,5 @@ This will
   corresponding feature flags appear in *GLUON_FEATURES*
 * enable four additional config mode packages when the *web-wizard* feature is enabled
 * enable *gluon-config-mode-mesh-vpn* when both *web-wizard* and one
-  of *mesh-vpn-fastd* and *mesh-vpn-tunneldigger* are enabled
+  of *mesh-vpn-fastd* and *mesh-vpn-wireguard* are enabled
 * disable the *gluon-radvd* package when *gluon-no-radvd* is enabled

docs/features/multidomain.rst

@@ -206,7 +206,6 @@ domain.conf only variables
   - wifi*.mesh.id
   - mesh_vpn.fastd.groups.*.peers.remotes
   - mesh_vpn.fastd.groups.*.peers.key
-  - mesh_vpn.tunneldigger.brokers
 
 - Clients consider WiFi networks sharing the same ESSID as if they were
   the same L2 network and try to reconfirm and reuse previous

docs/features/vpn.rst

@@ -24,15 +24,6 @@ work around the context-switching bottleneck, but it comes
 at the cost of losing the ability to protect tunnel connections
 against eavesdropping or manipulation.
 
-mesh-vpn-tunneldigger
-"""""""""""""""""""""
-
-Tunneldigger always uses L2TPv3, generally achieving the same
-performance as fastd with the ``null@l2tp`` method, but offering
-no security.
-Tunneldigger's primary drawback is the lack of IPv6 support.
-It also provides less configurability than fastd.
-
 mesh-vpn-wireguard
 """"""""""""""""""
 

docs/user/mtu.rst

@@ -84,41 +84,41 @@ VPN Protocol Overhead (IPv4)
 
 Overhead of the VPN protocol layers in bytes on top of an Ethernet frame.
 
-+----------+-------+--------------+-----------+
-|          | fastd | Tunneldigger | Wireguard |
-+==========+=======+==============+===========+
-| IPv4     | 20    | 20           | 20        |
-+----------+-------+--------------+-----------+
-| UDP      | 8     | 8            | 8         |
-+----------+-------+--------------+-----------+
-| Protocol | 24    | 8            | 32        |
-+----------+-------+--------------+-----------+
-| TAP      | 14    | 14           | /         |
-+----------+-------+--------------+-----------+
-| Sum      | 66    | 50           | 60        |
-+----------+-------+--------------+-----------+
++----------+-------+-----------+
+|          | fastd | Wireguard |
++==========+=======+===========+
+| IPv4     | 20    | 20        |
++----------+-------+-----------+
+| UDP      | 8     | 8         |
++----------+-------+-----------+
+| Protocol | 24    | 32        |
++----------+-------+-----------+
+| TAP      | 14    | /         |
++----------+-------+-----------+
+| Sum      | 66    | 60        |
++----------+-------+-----------+
 
 Intermediate Layer Overhead
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Overhead of additional layers on top of the VPN packet needed for different VPN
 providers.
 
-+------------+-------+--------------+-----------+
-|            | fastd | Tunneldigger | Wireguard |
-+============+=======+==============+===========+
-| IPv6       | /     | /            | 40        |
-+------------+-------+--------------+-----------+
-| vxlan      | /     | /            | 16        |
-+------------+-------+--------------+-----------+
-| Ethernet   | /     | /            | 14        |
-+------------+-------+--------------+-----------+
-| Batman v15 | 18    | 18           | 18        |
-+------------+-------+--------------+-----------+
-| Ethernet   | 14    | 14           | 14        |
-+------------+-------+--------------+-----------+
-| Sum        | 32    | 32           | 102       |
-+------------+-------+--------------+-----------+
++------------+-------+-----------+
+|            | fastd | Wireguard |
++============+=======+===========+
+| IPv6       | /     | 40        |
++------------+-------+-----------+
+| vxlan      | /     | 16        |
++------------+-------+-----------+
+| Ethernet   | /     | 14        |
++------------+-------+-----------+
+| Batman v15 | 18    | 18        |
++------------+-------+-----------+
+| Ethernet   | 14    | 14        |
++------------+-------+-----------+
+| Sum        | 32    | 102       |
++------------+-------+-----------+
 
 Minimum MTU
 ^^^^^^^^^^^
@@ -128,29 +128,29 @@ avoid fragmentation.
 
 Suggestions:
 
-- This configuration is only suggested for fastd and Tunneldigger.
+- This configuration is only suggested for fastd.
 
 - For WireGuard, this configuration is **unsuitable**. To obtain a 1280 byte
   payload with our protocol stack (see below), the Ethernet frame payload would
   be 1442 bytes long (for IPv4). As we assume that the WAN network might have
   a (worst case) MTU of only 1436 (with DSLite), this packet would be too long
   for the WAN network.
 
-+-------------------------------+-------+--------------+-----------+
-|                               | fastd | Tunneldigger | Wireguard |
-+===============================+=======+==============+===========+
-| max unfragmented payload\*    | 1280  | 1280         | 1280      |
-+-------------------------------+-------+--------------+-----------+
-| intermed layer overhead       | 32    | 32           | 102       |
-+-------------------------------+-------+--------------+-----------+
-| VPN MTU\*\*                   | 1312  | 1312         | 1382      |
-+-------------------------------+-------+--------------+-----------+
-| protocol overhead (IPv4)      | 66    | 50           | 60        |
-+-------------------------------+-------+--------------+-----------+
-| min acceptable WAN MTU (IPv4) | 1378  | 1362         | **1442**  |
-+-------------------------------+-------+--------------+-----------+
-| min acceptable WAN MTU (IPv6) | 1398  | 1382         | 1462      |
-+-------------------------------+-------+--------------+-----------+
++-------------------------------+-------+-----------+
+|                               | fastd | Wireguard |
++===============================+=======+===========+
+| max unfragmented payload\*    | 1280  | 1280      |
++-------------------------------+-------+-----------+
+| intermed layer overhead       | 32    | 102       |
++-------------------------------+-------+-----------+
+| VPN MTU\*\*                   | 1312  | 1382      |
++-------------------------------+-------+-----------+
+| protocol overhead (IPv4)      | 66    | 60        |
++-------------------------------+-------+-----------+
+| min acceptable WAN MTU (IPv4) | 1378  | **1442**  |
++-------------------------------+-------+-----------+
+| min acceptable WAN MTU (IPv6) | 1398  | 1462      |
++-------------------------------+-------+-----------+
 
 \* Maximum size of payload going into the bat0 interface, that will not be
 fragmented by batman.
@@ -164,26 +164,26 @@ Calculation of different derived MTUs based on a maximum WAN MTU of 1436.
 
 Suggestions:
 
-- This configuration can be used for fastd and Tunneldigger.
+- This configuration can be used for fastd.
 
 - For WireGuard, this is the recommended configuration. batman-adv will
   fragment larger packets transparently to avoid packet loss.
 
-+-------------------------------+-------+--------------+-----------+
-|                               | fastd | Tunneldigger | Wireguard |
-+===============================+=======+==============+===========+
-| min acceptable WAN MTU (IPv4) | 1436  | 1436         | 1436      |
-+-------------------------------+-------+--------------+-----------+
-| protocol overhead (IPv4)      | 66    | 50           | 60        |
-+-------------------------------+-------+--------------+-----------+
-| VPN MTU\*\*                   | 1370  | 1386         | 1376      |
-+-------------------------------+-------+--------------+-----------+
-| intermed layer overhead       | 32    | 32           | 102       |
-+-------------------------------+-------+--------------+-----------+
-| max unfragmented payload\*    | 1338  | 1354         | 1274      |
-+-------------------------------+-------+--------------+-----------+
-| min acceptable WAN MTU (IPv6) | 1398  | 1382         | 1462      |
-+-------------------------------+-------+--------------+-----------+
++-------------------------------+-------+-----------+
+|                               | fastd | Wireguard |
++===============================+=======+===========+
+| min acceptable WAN MTU (IPv4) | 1436  | 1436      |
++-------------------------------+-------+-----------+
+| protocol overhead (IPv4)      | 66    | 60        |
++-------------------------------+-------+-----------+
+| VPN MTU\*\*                   | 1370  | 1376      |
++-------------------------------+-------+-----------+
+| intermed layer overhead       | 32    | 102       |
++-------------------------------+-------+-----------+
+| max unfragmented payload\*    | 1338  | 1274      |
++-------------------------------+-------+-----------+
+| min acceptable WAN MTU (IPv6) | 1398  | 1462      |
++-------------------------------+-------+-----------+
 
 \* Maximum size of payload going into the bat0 interface, that will not be
 fragmented by batman.
@@ -219,5 +219,5 @@ Conclusion
 
 Determining the maximum MTU can be a tedious process, especially since the PMTU
 of peers could change at any time. The general recommendation for maximized
-compatibility is therefore an MTU of 1312 bytes (for fastd and tunneldigger)
-and 1376 bytes (for WireGuard).
+compatibility is therefore an MTU of 1312 bytes for fastd
+and 1376 bytes for WireGuard.

docs/user/site.rst

@@ -320,13 +320,6 @@ mesh_vpn
   to the peer list, removal and modification of peers can be prevented by
   setting the *preserve* option of a peer to ``1`` in UCI.
 
-  The `tunneldigger` section is used to define the *tunneldigger* broker list.
-
-  **Note:** It doesn't make sense to include both `fastd` and `tunneldigger`
-  sections in the same configuration file, as only one of the packages *gluon-mesh-vpn-fastd*
-  and *gluon-mesh-vpn-tunneldigger* should be installed with the current
-  implementation.
-
   **Note:** It may be interesting to include the package *gluon-iptables-clamp-mss-to-pmtu*
   in the build when using *gluon-mesh-babel* to work around ICMP blackholes on the internet.
 
@@ -386,11 +379,6 @@ mesh_vpn
         },
       },
 
-      tunneldigger = {
-        mtu = 1312,
-        brokers = {'vpn1.alpha-centauri.freifunk.net'},
-      },
-
       wireguard = {
         mtu = 1376,
         peers = {
@@ -708,8 +696,7 @@ package:
 
   Includes the *gluon-config-mode-...* base packages (hostname, geolocation and contact info),
   as well as the *gluon-config-mode-autoupdater* (when *autoupdater* is in *GLUON_FEATURES*),
-  and *gluon-config-mode-mesh-vpn* (when *mesh-vpn-fastd* or *mesh-vpn-tunneldigger* are in
-  *GLUON_FEATURES*)
+  and *gluon-config-mode-mesh-vpn* when *mesh-vpn-fastd* is in *GLUON_FEATURES*)
 
 * web-advanced
 

package/features

@@ -19,7 +19,6 @@ when(_'web-wizard' and _'autoupdater', {
 when(_'web-wizard' and (
 	_'mesh-vpn-fastd' or
 	_'mesh-vpn-fastd-l2tp' or
-	_'mesh-vpn-tunneldigger' or
 	_'mesh-vpn-wireguard'
 ), {
 	'gluon-config-mode-mesh-vpn',

package/gluon-mesh-vpn-core/luasrc/lib/gluon/mesh-vpn/update-config

@@ -15,11 +15,6 @@ if vpn_name ~= 'fastd' then
 	uci:save('fastd')
 end
 
-if vpn_name ~= 'tunneldigger' then
-	uci:set('tunneldigger', 'mesh_vpn', 'enabled', false)
-	uci:save('tunneldigger')
-end
-
 vpn.enable(vpn_config.enabled)
 if vpn_config.limit_enabled then
 	vpn.set_limit(vpn_config.limit_ingress, vpn_config.limit_egress)

package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn

@@ -39,18 +39,12 @@ if not uci:get('gluon', 'mesh_vpn') then
 	local vpn, _ = vpn_core.get_active_provider()
 
 	local fastd_enabled = uci:get('fastd', 'mesh_vpn', 'enabled')
-	local tunneldigger_enabled = uci:get('tunneldigger', 'mesh_vpn', 'enabled')
 
 	local enabled
 
 	-- If the installed VPN package has its enabled state set, keep the value
 	if vpn == 'fastd' and fastd_enabled then
 		enabled = fastd_enabled == '1'
-	elseif vpn == 'tunneldigger' and tunneldigger_enabled then
-		enabled = tunneldigger_enabled == '1'
-	-- Otherwise, migrate the other package's value if any is set
-	elseif fastd_enabled or tunneldigger_enabled then
-		enabled = fastd_enabled == '1' or tunneldigger_enabled == '1'
 	-- If nothing is set, use the default
 	else
 		enabled = site.mesh_vpn.enabled(false)
@@ -64,10 +58,7 @@ if not uci:get('gluon', 'mesh_vpn') then
 		limit_enabled = site.mesh_vpn.bandwidth_limit.enabled(false)
 	end
 
-	local limit_ingress = tonumber((uci:get('tunneldigger', 'mesh_vpn', 'limit_bw_down')))
-	if limit_ingress == nil then
-		limit_ingress = tonumber((uci:get('simple-tc', 'mesh_vpn', 'limit_ingress')))
-	end
+	local limit_ingress = tonumber((uci:get('simple-tc', 'mesh_vpn', 'limit_ingress')))
 	if limit_ingress == nil then
 		limit_ingress = site.mesh_vpn.bandwidth_limit.ingress()
 	end