vyatta-wireguard-installer's Introduction

vyatta-wireguard-installer

Install, upgrade or remove WireGuard (WireGuard/wireguard-vyatta-ubnt) on Ubiquiti hardware. By default, the installer caches the deb-package so that the same version of WireGuard can be restored after a firmware upgrade.

Installation

Simply copy the script onto your Ubiquiti router and run it.

Note: By placing this script in /config/scripts/post-config.d, the WireGuard installation will persist across firmware upgrades.

curl -sSL https://github.com/mafredri/vyatta-wireguard-installer/raw/master/wireguard.sh -o /config/scripts/post-config.d/wireguard.sh
chmod +x /config/scripts/post-config.d/wireguard.sh
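A more defensive way to stage the script, as an added example that is not part of the project: `curl -sSL` without `--fail` saves an HTTP error page as if it were the script, and anything in /config/scripts/post-config.d is run automatically, so this checks the download before installing it. The function name `stage_script` and the optional SHA-256 pin argument are assumptions; the pin is a value you record yourself after reviewing a known-good copy.

```bash
#!/bin/bash
# Added example (not from the project): vet a downloaded wireguard.sh before
# it is placed where the router runs it automatically.
# stage_script and the optional SHA-256 pin are hypothetical helpers.

# stage_script <downloaded-file> <destination> [expected-sha256]
# Returns 0 and installs the file only if every check passes.
stage_script() {
  local src=$1 dest=$2 pin=${3:-} first actual tmp

  # An empty file usually means the transfer failed.
  [ -s "$src" ] || { echo "empty download" >&2; return 1; }

  # An HTML error page or a truncated body will not start with a shebang.
  IFS= read -r first < "$src" || true
  case $first in
    '#!'*) ;;
    *) echo "not a script: first line is not a shebang" >&2; return 1 ;;
  esac

  # Parse only (-n): nothing in the file is executed.
  bash -n "$src" 2>/dev/null || { echo "syntax check failed" >&2; return 1; }

  # Optional pin recorded by the operator after reviewing a known-good copy.
  if [ -n "$pin" ]; then
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    [ "$actual" = "$pin" ] || { echo "sha256 mismatch" >&2; return 1; }
  fi

  # Copy next to the destination, then rename, so a half-written file is
  # never the one left executable in post-config.d.
  tmp=$(mktemp "${dest}.XXXXXX") || return 1
  cp "$src" "$tmp" && chmod 0755 "$tmp" && mv -f "$tmp" "$dest" && return 0
  rm -f "$tmp"
  return 1
}

# Usage on the router (URL and path are the ones from the README above):
#   tmp=$(mktemp)
#   curl -fsSL https://github.com/mafredri/vyatta-wireguard-installer/raw/master/wireguard.sh -o "$tmp" \
#     && stage_script "$tmp" /config/scripts/post-config.d/wireguard.sh
```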

Usage

$ ./wireguard.sh help
Install, upgrade or remove WireGuard (github.com/WireGuard/wireguard-vyatta-ubnt) on
Ubiquiti hardware. By default, the installer caches the deb-package so that the
same version of WireGuard can be restored after a firmware upgrade.

Note: This script can be placed in /config/scripts/post-config.d for automatic
installation after firmware upgrades.

Usage:
  ./wireguard.sh [COMMAND] [OPTION]...

Commands:
  check        Check if there's a new version of WireGuard (without installing)
  install      Install the latest version of WireGuard
  upgrade      Upgrade WireGuard to the latest version
  remove       Remove WireGuard
  self-update  Fetch the latest version of this script
  help         Show this help
  version      Show the version of this tool

Options:
      --no-cache  Disable package caching, cache is used during (re)install

Configuration

Automatic upgrade

The script in this repo can be used to perform automatic upgrades via the VyOS task scheduler. See VyOS Wiki: Task scheduler for more configuration options.

WARNING: There is no rollback functionality implemented (yet). If something goes wrong during the auto upgrade you could be left with a non-functioning WireGuard install.

On device configuration

This configuration method can be used on any Ubiquiti device, but will not persist across provisions on the USG.

configure
set system task-scheduler task wireguard_auto_upgrade executable path /config/scripts/post-config.d/wireguard.sh
set system task-scheduler task wireguard_auto_upgrade executable arguments upgrade
set system task-scheduler task wireguard_auto_upgrade interval 14d
commit
save
exit

Ubiquiti Security Gateway

Update your config.gateway.json to include the following:

{
  "system": {
    "task-scheduler": {
      "task": {
        "wireguard_auto_upgrade": {
          "executable": {
            "path": "/config/scripts/post-config.d/wireguard.sh",
            "arguments": "upgrade"
          },
          "interval": "14d"
        }
      }
    }
  }
}

Todo

  • Investigate using /config/scripts/pre-config.d for post-firmware upgrade installation
    • Why? It would make WireGuard available by the time the initial configuration is run
    • Possible, since we cache the installer in /config/user-data/wireguard/cache.
  • Periodically check for new releases via cron (+automatic upgrades)
  • Support rollback if a release doesn't work as expected?
  • Check compatibility with current kernel / firmware version?

vyatta-wireguard-installer's People

Contributors

mafredri, mvn23, ruimarinho

vyatta-wireguard-installer's Issues

ER-12 not supported

Ran script on ER-12 and received the following. Can this script be updated to support ER-12, 12P?

I added a line for e320=e300, and it seemed to work just fine.

xxx@xxx:/config/scripts/post-config.d$ ./wireguard.sh help
Unsupported board e302, aborting.

Allow installation of locally stored wireguard packages

It would be nice to be able to install local wireguard.deb packages. This might help troubleshooting if one wants to go back to an older wireguard version which has been stored locally instead of always installing the latest version.

Thanks

./wireguard.sh install local /PATH/TO/wireguard.deb

It doesn't seem to work for me on my Edgerouter X.

When I try to upgrade the wireguard on my Edgerouter X this is what happens:

admin@ubnt:~$
admin@ubnt:~$
admin@ubnt:~$
admin@ubnt:~$ sudo /config/scripts/post-config.d/wireguard.sh upgrade
Upgrading WireGuard...
Checking latest release for e50-v2...
Downloading e50-v2-v1.0.20200520-v1.0.20200513.deb...
Disabling wg0...
The specified configuration node already exists
[ interfaces wireguard wg0 address 192.168.213.1/24 ]
RTNETLINK answers: Cannot assign requested address

Commit failed
admin@ubnt:~$ show version all
Version:      v2.0.8-hotfix.1
Build ID:     5278088
Build on:     03/05/20 16:41
Copyright:    2012-2019 Ubiquiti Networks, Inc.
HW model:     EdgeRouter X 5-Port
HW S/N:       18E829ADC776
Uptime:       20:41:47 up 1 day, 20:53,  1 user,  load average: 1.21, 1.13, 1.04

Aii wireguard                 1.0.20200506-2
admin@ubnt:~$

Add ID e303 for ER 12P

Hello,

Looks like the board ID e303 for the ER 12P model needs to be added to the installer script, as it's only got e302 for the non-POE ER 12.

Cannot find device "wg0"

I always used the script to update my USG, but today it failed.

marburger@USG:/config/scripts/post-config.d$ ./wireguard.sh self-update
Downloading script...
Checking for changes...

Script is already up to date, nothing to do.
marburger@USG:/config/scripts/post-config.d$ ./wireguard.sh upgrade    
Upgrading WireGuard...
Checking latest release for ugw3...
Downloading ugw3-v1-v1.0.20201221-v1.0.20200827.deb...
Disabling wg0...
Unloading kernel module...
Installing ugw3-v1-v1.0.20201221-v1.0.20200827.deb...
(Reading database ... 33317 files and directories currently installed.)
Preparing to replace wireguard 1.0.20201112-1 (using .../ugw3-v1-v1.0.20201221-v1.0.20200827.deb) ...
Unpacking replacement wireguard ...
Setting up wireguard (1.0.20201221-1) ...
Purging previous cache...
Caching installer to /config/user-data/wireguard/cache...
Reloading configuration...
Loading configuration from '/config/config.boot'...

Load complete.  Use 'commit' to make changes active.
[ interfaces wireguard wg0 description Remote Wireguard VPN ]
Cannot find device "wg0"

Commit failed

ER-X-SFP

Please add the Edgerouter X SFP model to your script. The board identifier is e51.

Module wireguard not found

Hi there 👋,

Thank you for putting this repo together. When trying to run the script for the first time, on an ER-X which has never had Wireguard installed, I ran into the following:

ubnt@ubnt:/config/scripts/post-config.d$ ./wireguard.sh install
Installing WireGuard...
Checking latest release for e50...
Downloading wireguard-e50-0.0.20190406-1.deb...
Installing wireguard-e50-0.0.20190406-1.deb...
Selecting previously unselected package wireguard.
(Reading database ... 37023 files and directories currently installed.)
Preparing to unpack .../wireguard-e50-0.0.20190406-1.deb ...
Adding 'diversion of /opt/vyatta/share/perl5/Vyatta/Interface.pm to /opt/vyatta/share/perl5/Vyatta/Interface.pm.vyatta by wireguard'
Adding 'diversion of /opt/vyatta/share/vyatta-cfg/templates/firewall/options/mss-clamp/interface-type/node.def to /opt/vyatta/share/vyatta-cfg/templates/firewall/options/mss-clamp/interface-type/node.def.vyatta by wireguard'
Unpacking wireguard (0.0.20190406-1) ...
Setting up wireguard (0.0.20190406-1) ...
modprobe: FATAL: Module wireguard not found in directory /lib/modules/4.14.54-UBNT

Which I suspect is coming from this line:

sudo modprobe wireguard

But I'm not sure it's this script or the actual .deb that's not properly installing WireGuard.

And separately, when trying to subsequently remove wireguard, the following is returned:

ubnt@ubnt:/config/scripts/post-config.d$ ./wireguard.sh remove
Removing WireGuard...
Disabling ...
The specified configuration node is not valid
Set failed

Perhaps the order of the remove function should be shuffled around to ensure that wireguard is purged from dpkg so that is_installed returns an appropriate value?

sudo dpkg --purge wireguard

Happy to put together a PR to move those around if you think this is a wise idea.

Unnecessary prompt for "commit" after upgrade script runs

After the upgrade script completes (./wireguard.sh upgrade) there is a prompt to enter "commit" to save changes, but it appears that the commit/save is already completed by the current version of the script. Should that request to enter "commit" be removed?

Upgrade option - unable to resolve host

FYI, tried the script using the upgrade option and it was unable to complete the download. Let me know if you'd like me to test anything! Thanks.

xxx@xxx:/config/scripts/post-config.d$ ./wireguard.sh upgrade
Upgrading WireGuard...
Checking latest release for v2.0-e300...
Downloading null...
curl: (6) Could not resolve host: null
xxx@xxx:/config/scripts/post-config.d$

[v1.2.0] Firewall config error: Rule set LAN_LOCAL is not configured

Upgrading to script v1.2.0 and running an upgrade to the latest wireguard version on ugw3 resulted in an error:

Loading configuration from '/config/config.boot'...
Load complete. Use 'commit' to make changes active.
[ interfaces wireguard wg0 firewall local name LAN_LOCAL ]
Firewall config error: Rule set LAN_LOCAL is not configured
Commit failed

Previous upgrades via script never failed.
My config.gateway.json

{
	"protocols": {
		"static": {
			"arp": {
				"10.0.10.6": {
					"hwaddr": "70XXXX76"
				}
			}
		}
	},
	"firewall": {
		"group": {
			"network-group": {
				"remote_user_vpn_network": {
					"description": "Remote Wireguard VPN subnets",
					"network": [
						"10.0.40.0/24"
					]
				}
			}
		}
	},
	"interfaces": {
		"wireguard": {
			"wg0": {
				"description": "Remote Wireguard VPN",
				"address": [
					"10.0.40.1/24"
				],
				"firewall": {
					"in": {
						"name": "LAN_IN"
					},
					"local": {
						"name": "LAN_LOCAL"
					},
					"out": {
						"name": "LAN_OUT"
					}
				},
				"listen-port": "51820",
				"peer": [{
						"CDklYIxs=": {
							"allowed-ips": [
								"10.0.40.2/32"
							],
							"persistent-keepalive": 25,
							"description": "X230"
						}

					},
					{
						"taMGU=": {
							"allowed-ips": [
								"10.0.40.3/32"
							],
							"persistent-keepalive": 25,
							"description": "Sony XZ1 compact"
						}

					},
					{
						"bAxPG/1mE=": {
							"allowed-ips": [
								"10.0.40.4/32"
							],
							"persistent-keepalive": 25,
							"description": "iPad"
						}

					},
					{
						"diCVw=": {
							"allowed-ips": [
								"10.0.40.5/32"
							],
							"persistent-keepalive": 25,
							"description": "Marie Laptop"
						}
					}
				],
				"private-key": "/config/auth/wireguard/wg_private.key",
				"route-allowed-ips": "true"
			}
		}
	},
	"service": {
		"mdns": {
			"repeater": {
				"interface": [
					"eth1",
					"eth1.10",
					"eth1.99"
				]
			}
		},

		"dns": {
			"dynamic": {
				"interface": {
					"eth0": {
						"web": "dyndns"
					}
				}
			}
		}
	},
	"system": {
		"task-scheduler": {
			"task": {
				"postprovision": {
					"executable": {
						"path": "/config/scripts/freeradius.sh"
					},
					"interval": "1m"
				}
			}
		}
	}
}

Upgrade failed

There seems to be an issue that is causing an upgrade to fail. I receive the following error during ./wireguard.sh upgrade

Upgrading WireGuard...
Checking latest release for e200...
Downloading wireguard-e200-0.0.20190702-1.deb...
Disabling wg0 wg1...
wg must be (wg0-wg999)

Value validation failed
Set failed

wg version 0.0.20180802-1.
EdgeOS 1.10.5
Two interfaces wg0 and wg1

This line:

interfaces=("$(wg show interfaces)")

returns interfaces:
wg0 wg1

This line:

echo "Disabling ${i}..."

shows both interfaces in the output as follows:
Disabling wg0 wg1...

The expected output should be:

Disabling wg0...
Disabling wg1...

so it appears to me that the list of interfaces has not been tokenized?
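The quoting problem reported above, reproduced as an added example that is not the project's code: a quoted command substitution inside `( )` yields a single array element, so the loop runs once with `wg0 wg1`. `fake_wg_show` is a constructed stand-in for `wg show interfaces`, and `read -r -a` is one possible fix, not necessarily the one the project adopted.

```bash
#!/bin/bash
# Added example (not the project's code). fake_wg_show is a constructed
# stand-in for `wg show interfaces`, which prints names on one line.
fake_wg_show() { printf 'wg0 wg1\n'; }

# As quoted in the issue: the double quotes suppress word splitting, so the
# array holds ONE element, "wg0 wg1".
disable_buggy() {
  local interfaces i
  interfaces=("$(fake_wg_show)")
  for i in "${interfaces[@]}"; do
    echo "Disabling ${i}..."
  done
}

# One possible fix: let read split on whitespace into separate elements.
# Unlike an unquoted $(...), this does not glob-expand the names.
disable_fixed() {
  local interfaces i
  read -r -a interfaces <<< "$(fake_wg_show)"
  for i in "${interfaces[@]}"; do
    # Enforce the wg0-wg999 naming rule from the error output before the
    # name is handed to a configuration command.
    if [[ $i =~ ^wg[0-9]{1,3}$ ]]; then
      echo "Disabling ${i}..."
    else
      echo "Skipping unexpected interface name: ${i}" >&2
    fi
  done
}

disable_buggy   # Disabling wg0 wg1...
disable_fixed   # Disabling wg0... / Disabling wg1...
```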

Upgrade from EdgeOS 1.10.5 to 2.0.6 causes problem

I think there may be a problem with the upgrade to v2. I ran the script to upgrade WireGuard when still running EdgeOS 1.10.5. That ran properly after I fixed the interfaces issue and wg came back up. I then did the upgrade to EdgeOS v2.0.6. Now, the WireGuard interfaces do not come up. I think this is because the proper version of WireGuard is not installed. So, I did another upgrade. This time, the upgrade shows:

Upgrading WireGuard...
Checking latest release for v2.0-e200...
WireGuard is already up to date (0.0.20190702-1), nothing to do.

However, when I look in the cache directory, this is what is there:

-rw-r--r--    1 sslupsky vyattacf    198426 Aug  7 09:46 wireguard-e200-0.0.20190702-1.deb

Which is not the correct version.
