From a7bef1c0567b65abab8992c20701a7014a65daab Mon Sep 17 00:00:00 2001 
From: Tom Herbers
Date: Mon, 11 Sep 2023 23:54:12 +0200
Subject: [PATCH] gluon-mesh-vpn-tunneldigger: drop package

Tunneldigger has quite a few drawbacks in comparison to fastd with L2TP:
- no IPv6 Support
- less testing
- watchdog required

The recomended way forward is to migrate to fastd with the null@l2tp method. On the Node side this can be simply done via a firmware update. On the Gateway side it's required to install and configure fastd.
---
 .github/labeler.yml | 2 -
 docs/dev/packages.rst | 4 +-
 docs/features/multidomain.rst | 1 -
 docs/features/vpn.rst | 9 --
 docs/user/mtu.rst | 124 +++++++++---------
 docs/user/site.rst | 15 +--
 package/features | 1 -
 .../luasrc/lib/gluon/mesh-vpn/update-config | 5 -
 .../luasrc/lib/gluon/upgrade/500-mesh-vpn | 7 -
 package/gluon-mesh-vpn-tunneldigger/Makefile | 12 --
 .../check_site.lua | 2 -
 .../lib/gluon/mesh-vpn/provider/tunneldigger | 0
 .../lib/gluon/reload.d/310-tunneldigger-stop | 2 -
 .../lib/gluon/reload.d/790-tunneldigger-start | 2 -
 .../usr/lib/micron.d/tunneldigger-watchdog | 1 -
 .../gluon/upgrade/400-mesh-vpn-tunneldigger | 19 ---
 .../luasrc/usr/bin/tunneldigger-watchdog | 31 -----
 .../gluon/mesh-vpn/provider/tunneldigger.lua | 46 -------
 18 files changed, 65 insertions(+), 218 deletions(-)
 delete mode 100644 package/gluon-mesh-vpn-tunneldigger/Makefile
 delete mode 100644 package/gluon-mesh-vpn-tunneldigger/check_site.lua
 delete mode 100644 package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/mesh-vpn/provider/tunneldigger
 delete mode 100755 package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/310-tunneldigger-stop
 delete mode 100755 package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/790-tunneldigger-start
 delete mode 100644 package/gluon-mesh-vpn-tunneldigger/files/usr/lib/micron.d/tunneldigger-watchdog
 delete mode 100755 package/gluon-mesh-vpn-tunneldigger/luasrc/lib/gluon/upgrade/400-mesh-vpn-tunneldigger
 delete mode 100755 package/gluon-mesh-vpn-tunneldigger/luasrc/usr/bin/tunneldigger-watchdog
delete mode 100644 package/gluon-mesh-vpn-tunneldigger/luasrc/usr/lib/lua/gluon/mesh-vpn/provider/tunneldigger.lua diff --git a/.github/labeler.yml b/.github/labeler.yml index b1efaf70cfe..6373cd4efa0 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -47,8 +47,6 @@ - package/gluon-status-page/** "3. topic: tests": - tests/** -"3. topic: tunneldigger": - - package/gluon-mesh-vpn-tunneldigger/** "3. topic: wireguard": - package/gluon-mesh-vpn-wireguard/** "3. topic: wireless": diff --git a/docs/dev/packages.rst b/docs/dev/packages.rst index 7c239675bdf..005a2a2c813 100644 --- a/docs/dev/packages.rst +++ b/docs/dev/packages.rst @@ -195,7 +195,7 @@ Example:: 'gluon-config-mode-outdoor', }) - when(_'web-wizard' and (_'mesh-vpn-fastd' or _'mesh-vpn-tunneldigger'), { + when(_'web-wizard' and _'mesh-vpn-fastd' or _'mesh-vpn-wireguard'), { 'gluon-config-mode-mesh-vpn', }) @@ -210,5 +210,5 @@ This will corresponding feature flags appear in *GLUON_FEATURES* * enable four additional config mode packages when the *web-wizard* feature is enabled * enable *gluon-config-mode-mesh-vpn* when both *web-wizard* and one - of *mesh-vpn-fastd* and *mesh-vpn-tunneldigger* are enabled + of *mesh-vpn-fastd* and *mesh-vpn-wireguard* are enabled * disable the *gluon-radvd* package when *gluon-no-radvd* is enabled diff --git a/docs/features/multidomain.rst b/docs/features/multidomain.rst index 43f343bbb60..63a13c9d623 100644 --- a/docs/features/multidomain.rst +++ b/docs/features/multidomain.rst @@ -206,7 +206,6 @@ domain.conf only variables - wifi*.mesh.id - mesh_vpn.fastd.groups.*.peers.remotes - mesh_vpn.fastd.groups.*.peers.key - - mesh_vpn.tunneldigger.brokers - Clients consider WiFi networks sharing the same ESSID as if they were the same L2 network and try to reconfirm and reuse previous diff --git a/docs/features/vpn.rst b/docs/features/vpn.rst index 52bb65fcf2f..3abf80742e7 100644 --- a/docs/features/vpn.rst +++ b/docs/features/vpn.rst 
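Review bot: The rewritten example line in docs/dev/packages.rst, `when(_'web-wizard' and _'mesh-vpn-fastd' or _'mesh-vpn-wireguard'), {`, is no longer valid Lua: the inner opening parenthesis was dropped but its closing one kept, so the `)` now closes `when(` and the trailing `, {` is a syntax error. Even with the parenthesis removed on both sides the meaning would change, because `and` binds tighter than `or`, so the web-wizard condition would only apply to fastd. It should read `when(_'web-wizard' and (_'mesh-vpn-fastd' or _'mesh-vpn-wireguard'), {`, which also matches the prose in the second packages.rst hunk ("both *web-wizard* and one of …") and the structure of the real package/features hunk below.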
@@ -24,15 +24,6 @@ work around the context-switching bottleneck, but it comes at the cost of losing the ability to protect tunnel connections against eavesdropping or manipulation. -mesh-vpn-tunneldigger -""""""""""""""""""""" - -Tunneldigger always uses L2TPv3, generally achieving the same -performance as fastd with the ``null@l2tp`` method, but offering -no security. -Tunneldigger's primary drawback is the lack of IPv6 support. -It also provides less configurability than fastd. - mesh-vpn-wireguard """""""""""""""""" diff --git a/docs/user/mtu.rst b/docs/user/mtu.rst index 29e09353924..c58a01c4092 100644 --- a/docs/user/mtu.rst +++ b/docs/user/mtu.rst @@ -84,19 +84,19 @@ VPN Protocol Overhead (IPv4) Overhead of the VPN protocol layers in bytes on top of an Ethernet frame. -+----------+-------+--------------+-----------+ -| | fastd | Tunneldigger | Wireguard | -+==========+=======+==============+===========+ -| IPv4 | 20 | 20 | 20 | -+----------+-------+--------------+-----------+ -| UDP | 8 | 8 | 8 | -+----------+-------+--------------+-----------+ -| Protocol | 24 | 8 | 32 | -+----------+-------+--------------+-----------+ -| TAP | 14 | 14 | / | -+----------+-------+--------------+-----------+ -| Sum | 66 | 50 | 60 | -+----------+-------+--------------+-----------+ ++----------+-------+-----------+ +| | fastd | Wireguard | ++==========+=======+===========+ +| IPv4 | 20 | 20 | ++----------+-------+-----------+ +| UDP | 8 | 8 | ++----------+-------+-----------+ +| Protocol | 24 | 32 | ++----------+-------+-----------+ +| TAP | 14 | / | ++----------+-------+-----------+ +| Sum | 66 | 60 | ++----------+-------+-----------+ Intermediate Layer Overhead ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -104,21 +104,21 @@ Intermediate Layer Overhead Overhead of additional layers on top of the VPN packet needed for different VPN providers. -+------------+-------+--------------+-----------+ -| | fastd | Tunneldigger | Wireguard | -+============+=======+==============+===========+ -| IPv6 | / | / | 40 | -+------------+-------+--------------+-----------+ -| vxlan | / | / | 16 | -+------------+-------+--------------+-----------+ -| Ethernet | / | / | 14 | -+------------+-------+--------------+-----------+ -| Batman v15 | 18 | 18 | 18 | -+------------+-------+--------------+-----------+ -| Ethernet | 14 | 14 | 14 | -+------------+-------+--------------+-----------+ -| Sum | 32 | 32 | 102 | -+------------+-------+--------------+-----------+ ++------------+-------+-----------+ +| | fastd | Wireguard | ++============+=======+===========+ +| IPv6 | / | 40 | ++------------+-------+-----------+ +| vxlan | / | 16 | ++------------+-------+-----------+ +| Ethernet | / | 14 | ++------------+-------+-----------+ +| Batman v15 | 18 | 18 | ++------------+-------+-----------+ +| Ethernet | 14 | 14 | ++------------+-------+-----------+ +| Sum | 32 | 102 | ++------------+-------+-----------+ Minimum MTU ^^^^^^^^^^^ @@ -128,7 +128,7 @@ avoid fragmentation. Suggestions: -- This configuration is only suggested for fastd and Tunneldigger. +- This configuration is only suggested for fastd. - For WireGuard, this configuration is **unsuitable**. To obtain a 1280 byte payload with our protocol stack (see below), the Ethernet frame payload would 
@@ -136,21 +136,21 @@ Suggestions: a (worst case) MTU of only 1436 (with DSLite), this packet would be too long for the WAN network. -+-------------------------------+-------+--------------+-----------+ -| | fastd | Tunneldigger | Wireguard | -+===============================+=======+==============+===========+ -| max unfragmented payload\* | 1280 | 1280 | 1280 | -+-------------------------------+-------+--------------+-----------+ -| intermed layer overhead | 32 | 32 | 102 | -+-------------------------------+-------+--------------+-----------+ -| VPN MTU\*\* | 1312 | 1312 | 1382 | -+-------------------------------+-------+--------------+-----------+ -| protocol overhead (IPv4) | 66 | 50 | 60 | -+-------------------------------+-------+--------------+-----------+ -| min acceptable WAN MTU (IPv4) | 1378 | 1362 | **1442** | -+-------------------------------+-------+--------------+-----------+ -| min acceptable WAN MTU (IPv6) | 1398 | 1382 | 1462 | -+-------------------------------+-------+--------------+-----------+ ++-------------------------------+-------+-----------+ +| | fastd | Wireguard | ++===============================+=======+===========+ +| max unfragmented payload\* | 1280 | 1280 | ++-------------------------------+-------+-----------+ +| intermed layer overhead | 32 | 102 | ++-------------------------------+-------+-----------+ +| VPN MTU\*\* | 1312 | 1382 | ++-------------------------------+-------+-----------+ +| protocol overhead (IPv4) | 66 | 60 | ++-------------------------------+-------+-----------+ +| min acceptable WAN MTU (IPv4) | 1378 | **1442** | ++-------------------------------+-------+-----------+ +| min acceptable WAN MTU (IPv6) | 1398 | 1462 | ++-------------------------------+-------+-----------+ \* Maximum size of payload going into the bat0 interface, that will not be fragmented by batman. 
@@ -164,26 +164,26 @@ Calculation of different derived MTUs based on a maximum WAN MTU of 1436. Suggestions: -- This configuration can be used for fastd and Tunneldigger. +- This configuration can be used for fastd. - For WireGuard, this is the recommended configuration. batman-adv will fragment larger packets transparently to avoid packet loss. -+-------------------------------+-------+--------------+-----------+ -| | fastd | Tunneldigger | Wireguard | -+===============================+=======+==============+===========+ -| min acceptable WAN MTU (IPv4) | 1436 | 1436 | 1436 | -+-------------------------------+-------+--------------+-----------+ -| protocol overhead (IPv4) | 66 | 50 | 60 | -+-------------------------------+-------+--------------+-----------+ -| VPN MTU\*\* | 1370 | 1386 | 1376 | -+-------------------------------+-------+--------------+-----------+ -| intermed layer overhead | 32 | 32 | 102 | -+-------------------------------+-------+--------------+-----------+ -| max unfragmented payload\* | 1338 | 1354 | 1274 | -+-------------------------------+-------+--------------+-----------+ -| min acceptable WAN MTU (IPv6) | 1398 | 1382 | 1462 | -+-------------------------------+-------+--------------+-----------+ ++-------------------------------+-------+-----------+ +| | fastd | Wireguard | ++===============================+=======+===========+ +| min acceptable WAN MTU (IPv4) | 1436 | 1436 | ++-------------------------------+-------+-----------+ +| protocol overhead (IPv4) | 66 | 60 | ++-------------------------------+-------+-----------+ +| VPN MTU\*\* | 1370 | 1376 | ++-------------------------------+-------+-----------+ +| intermed layer overhead | 32 | 102 | ++-------------------------------+-------+-----------+ +| max unfragmented payload\* | 1338 | 1274 | ++-------------------------------+-------+-----------+ +| min acceptable WAN MTU (IPv6) | 1398 | 1462 | ++-------------------------------+-------+-----------+ \* Maximum size of payload going into 
the bat0 interface, that will not be fragmented by batman. @@ -219,5 +219,5 @@ Conclusion Determining the maximum MTU can be a tedious process, especially since the PMTU of peers could change at any time. The general recommendation for maximized -compatibility is therefore an MTU of 1312 bytes (for fastd and tunneldigger) -and 1376 bytes (for WireGuard). +compatibility is therefore an MTU of 1312 bytes for fastd +and 1376 bytes for WireGuard. diff --git a/docs/user/site.rst b/docs/user/site.rst index 96bb5eacffd..624e5e9ad9c 100644 --- a/docs/user/site.rst +++ b/docs/user/site.rst @@ -320,13 +320,6 @@ mesh_vpn to the peer list, removal and modification of peers can be prevented by setting the *preserve* option of a peer to ``1`` in UCI. - The `tunneldigger` section is used to define the *tunneldigger* broker list. - - **Note:** It doesn't make sense to include both `fastd` and `tunneldigger` - sections in the same configuration file, as only one of the packages *gluon-mesh-vpn-fastd* - and *gluon-mesh-vpn-tunneldigger* should be installed with the current - implementation. - **Note:** It may be interesting to include the package *gluon-iptables-clamp-mss-to-pmtu* in the build when using *gluon-mesh-babel* to work around ICMP blackholes on the internet. @@ -386,11 +379,6 @@ mesh_vpn }, }, - tunneldigger = { - mtu = 1312, - brokers = {'vpn1.alpha-centauri.freifunk.net'}, - }, - wireguard = { mtu = 1376, peers = { @@ -708,8 +696,7 @@ package: Includes the *gluon-config-mode-...* base packages (hostname, geolocation and contact info), as well as the *gluon-config-mode-autoupdater* (when *autoupdater* is in *GLUON_FEATURES*), - and *gluon-config-mode-mesh-vpn* (when *mesh-vpn-fastd* or *mesh-vpn-tunneldigger* are in - *GLUON_FEATURES*) + and *gluon-config-mode-mesh-vpn* when *mesh-vpn-fastd* is in *GLUON_FEATURES*) * web-advanced diff --git a/package/features b/package/features index fdc492faaaa..b90fb54c2ff 100644 --- a/package/features +++ b/package/features 
@@ -19,7 +19,6 @@ when(_'web-wizard' and _'autoupdater', {
 when(_'web-wizard' and (
 _'mesh-vpn-fastd' or
 _'mesh-vpn-fastd-l2tp' or
- _'mesh-vpn-tunneldigger' or
 _'mesh-vpn-wireguard'
 ), {
 'gluon-config-mode-mesh-vpn',
diff --git a/package/gluon-mesh-vpn-core/luasrc/lib/gluon/mesh-vpn/update-config b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/mesh-vpn/update-config
index 935d0b9ad1f..f3aeb1d6c0f 100755
--- a/package/gluon-mesh-vpn-core/luasrc/lib/gluon/mesh-vpn/update-config
+++ b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/mesh-vpn/update-config
@@ -15,11 +15,6 @@ if vpn_name ~= 'fastd' then
 uci:save('fastd')
 end
 
-if vpn_name ~= 'tunneldigger' then
- uci:set('tunneldigger', 'mesh_vpn', 'enabled', false)
- uci:save('tunneldigger')
-end
-
 vpn.enable(vpn_config.enabled)
 if vpn_config.limit_enabled then
 vpn.set_limit(vpn_config.limit_ingress, vpn_config.limit_egress)
diff --git a/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn
index b14952552da..4f880c67584 100755
--- a/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn
+++ b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn
@@ -39,18 +39,12 @@ if not uci:get('gluon', 'mesh_vpn') then
 local vpn, _ = vpn_core.get_active_provider()
 local fastd_enabled = uci:get('fastd', 'mesh_vpn', 'enabled')
- local tunneldigger_enabled = uci:get('tunneldigger', 'mesh_vpn', 'enabled')
 
 local enabled
 -- If the installed VPN package has its enabled state set, keep the value
 if vpn == 'fastd' and fastd_enabled then
 enabled = fastd_enabled == '1'
- elseif vpn == 'tunneldigger' and tunneldigger_enabled then
- enabled = tunneldigger_enabled == '1'
- -- Otherwise, migrate the other package's value if any is set
- elseif fastd_enabled or tunneldigger_enabled then
- enabled = fastd_enabled == '1' or tunneldigger_enabled == '1'
 -- If nothing is set, use the default
 else
 enabled = site.mesh_vpn.enabled(false)
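Review bot: Removing the whole `elseif fastd_enabled or tunneldigger_enabled` branch in 500-mesh-vpn drops more than tunneldigger support: a node that has no `gluon.mesh_vpn` section yet and whose previous firmware stored its choice only in `tunneldigger.mesh_vpn.enabled` (or in `fastd.mesh_vpn.enabled` while the active provider is not fastd) now falls through to `site.mesh_vpn.enabled(false)` instead of inheriting the stored value, which somewhat weakens the commit message's claim that the node side migrates via a plain firmware update. If that is acceptable, a sentence saying so in the commit message would help; otherwise keep reading the old tunneldigger value for one release and restore the migration branch as `elseif fastd_enabled or tunneldigger_enabled then` / `enabled = fastd_enabled == '1' or tunneldigger_enabled == '1'`. The enclosing `if not uci:get('gluon', 'mesh_vpn') then` block starts before this hunk and the if-chain's closing `end` is not visible here.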
@@ -64,7 +58,6 @@ if not uci:get('gluon', 'mesh_vpn') then
 limit_enabled = site.mesh_vpn.bandwidth_limit.enabled(false)
 end
 
- local limit_ingress = tonumber((uci:get('tunneldigger', 'mesh_vpn', 'limit_bw_down')))
 if limit_ingress == nil then
 limit_ingress = tonumber((uci:get('simple-tc', 'mesh_vpn', 'limit_ingress')))
 end
diff --git a/package/gluon-mesh-vpn-tunneldigger/Makefile b/package/gluon-mesh-vpn-tunneldigger/Makefile
deleted file mode 100644
index 3a206e81610..00000000000
--- a/package/gluon-mesh-vpn-tunneldigger/Makefile
+++ /dev/null
@@ -1,12 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-mesh-vpn-tunneldigger
-
-include ../gluon.mk
-
-define Package/gluon-mesh-vpn-tunneldigger
- TITLE:=Support for connecting meshes via tunneldigger/L2TPv3 pseudowire
- DEPENDS:=+gluon-core +gluon-mesh-vpn-core +tunneldigger
-endef
-
-$(eval $(call BuildPackageGluon,gluon-mesh-vpn-tunneldigger))
diff --git a/package/gluon-mesh-vpn-tunneldigger/check_site.lua b/package/gluon-mesh-vpn-tunneldigger/check_site.lua
deleted file mode 100644
index 77ea83c5cf3..00000000000
--- a/package/gluon-mesh-vpn-tunneldigger/check_site.lua
+++ /dev/null
@@ -1,2 +0,0 @@
-need_string_array(in_domain({'mesh_vpn', 'tunneldigger', 'brokers'}))
-need_number({'mesh_vpn', 'tunneldigger', 'mtu'})
diff --git a/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/mesh-vpn/provider/tunneldigger b/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/mesh-vpn/provider/tunneldigger
deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/310-tunneldigger-stop b/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/310-tunneldigger-stop
deleted file mode 100755
index 651530b2604..00000000000
--- a/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/310-tunneldigger-stop
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-/etc/init.d/tunneldigger stop
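Review bot: The removed `local limit_ingress = tonumber((uci:get('tunneldigger', ...)))` line was the only declaration of `limit_ingress` in this hunk of 500-mesh-vpn, so on the new side `if limit_ingress == nil then limit_ingress = tonumber(...) end` reads an undeclared name (always nil, unless it is declared earlier in the enclosing `if not uci:get('gluon', 'mesh_vpn') then` block, which starts outside the hunk) and then assigns an accidental global, which luacheck will flag. With only one source left the conditional is dead anyway; replace the three lines with `local limit_ingress = tonumber((uci:get('simple-tc', 'mesh_vpn', 'limit_ingress')))`. If `limit_egress` is derived the same way further down the file, it presumably needs the same treatment.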
diff --git a/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/790-tunneldigger-start b/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/790-tunneldigger-start
deleted file mode 100755
index 9b174f178b5..00000000000
--- a/package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/790-tunneldigger-start
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-/etc/init.d/tunneldigger start
diff --git a/package/gluon-mesh-vpn-tunneldigger/files/usr/lib/micron.d/tunneldigger-watchdog b/package/gluon-mesh-vpn-tunneldigger/files/usr/lib/micron.d/tunneldigger-watchdog
deleted file mode 100644
index c4ae3bc6c7b..00000000000
--- a/package/gluon-mesh-vpn-tunneldigger/files/usr/lib/micron.d/tunneldigger-watchdog
+++ /dev/null
@@ -1 +0,0 @@
-*/5 * * * * /usr/bin/tunneldigger-watchdog
diff --git a/package/gluon-mesh-vpn-tunneldigger/luasrc/lib/gluon/upgrade/400-mesh-vpn-tunneldigger b/package/gluon-mesh-vpn-tunneldigger/luasrc/lib/gluon/upgrade/400-mesh-vpn-tunneldigger
deleted file mode 100755
index 9888d87eb5c..00000000000
--- a/package/gluon-mesh-vpn-tunneldigger/luasrc/lib/gluon/upgrade/400-mesh-vpn-tunneldigger
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/usr/bin/lua
-
-local site = require 'gluon.site'
-local util = require 'gluon.util'
-local vpn_core = require 'gluon.mesh-vpn'
-
-local uci = require('simple-uci').cursor()
-
-
-uci:section('tunneldigger', 'broker', 'mesh_vpn', {
- uuid = util.node_id(),
- interface = vpn_core.get_interface(),
- bind_interface = 'br-wan',
- group = 'gluon-mesh-vpn',
- broker_selection = 'usage',
- address = site.mesh_vpn.tunneldigger.brokers(),
-})
-
-uci:save('tunneldigger')
diff --git a/package/gluon-mesh-vpn-tunneldigger/luasrc/usr/bin/tunneldigger-watchdog b/package/gluon-mesh-vpn-tunneldigger/luasrc/usr/bin/tunneldigger-watchdog
deleted file mode 100755
index 0f1e5603c13..00000000000
--- a/package/gluon-mesh-vpn-tunneldigger/luasrc/usr/bin/tunneldigger-watchdog
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/usr/bin/lua
-
-local uci = require('simple-uci').cursor()
-
-local function restart_tunneldigger()
- os.execute('logger -t tunneldigger-watchdog "Restarting Tunneldigger."')
- os.execute('/etc/init.d/tunneldigger restart')
-end
-
-local function has_mesh_vpn_neighbours()
- local handle = io.popen('batctl o', 'r')
- if not handle then
- return false
- end
- for line in handle:lines() do
- if line:find('mesh%-vpn') then
- handle:close()
- return true
- end
- end
- handle:close()
- return false
-end
-
-if uci:get_bool('tunneldigger', 'mesh_vpn', 'enabled') then
- if not has_mesh_vpn_neighbours() then
- os.execute('logger -t tunneldigger-watchdog "No vpn-mesh neighbours found."')
- restart_tunneldigger()
- return
- end
-end
diff --git a/package/gluon-mesh-vpn-tunneldigger/luasrc/usr/lib/lua/gluon/mesh-vpn/provider/tunneldigger.lua b/package/gluon-mesh-vpn-tunneldigger/luasrc/usr/lib/lua/gluon/mesh-vpn/provider/tunneldigger.lua
deleted file mode 100644
index 9ae67539ddf..00000000000
--- a/package/gluon-mesh-vpn-tunneldigger/luasrc/usr/lib/lua/gluon/mesh-vpn/provider/tunneldigger.lua
+++ /dev/null
@@ -1,46 +0,0 @@
-local uci = require('simple-uci').cursor()
-
-local site = require 'gluon.site'
-local vpn_core = require 'gluon.mesh-vpn'
-
-local M = {}
-
-function M.public_key()
- return nil
-end
-
-function M.enable(val)
- uci:set('tunneldigger', 'mesh_vpn', 'enabled', val)
- uci:save('tunneldigger')
-end
-
-function M.active()
- return site.mesh_vpn.tunneldigger() ~= nil
-end
-
-function M.set_limit(ingress_limit, egress_limit)
- if ingress_limit ~= nil then
- uci:set('tunneldigger', 'mesh_vpn', 'limit_bw_down', ingress_limit)
- else
- uci:delete('tunneldigger', 'mesh_vpn', 'limit_bw_down')
- end
-
- if egress_limit ~= nil then
- uci:section('simple-tc', 'interface', 'mesh_vpn', {
- ifname = vpn_core.get_interface(),
- enabled = true,
- limit_egress = egress_limit,
- })
- else
- uci:delete('simple-tc', 'mesh_vpn')
- end
-
- uci:save('tunneldigger')
- uci:save('simple-tc')
-end
-
-function M.mtu()
- return site.mesh_vpn.tunneldigger.mtu()
-end
-
-return M