Implementation of wgsd on OpenWRT's ucode.
The goal of this implementation is to support AmneziaWG, a variation of WireGuard. It has a slightly different netlink protocol, so the usual Go wireguard control module would not work. Instead of forking all the required parts, I decided to script it in the language already present on the system. That also makes the whole thing much smaller, as you don't have to carry the Go runtime.
This version has two parts:
- wgsd-registry - the registry-side part, which generates a zone file for a DNS server
- wgsd-client-ucode - the client, which resolves endpoints and updates WG/AWG peer endpoints
This repository is an OpenWRT feed with extra packages.
- Add this line to `feeds.conf`:
  ```
  src-git wgsduc https://github.com/vooon/wgsd-ucode.git
  ```
- Run feeds update & install:
  ```
  ./scripts/feeds update -a
  ./scripts/feeds install -a
  ```
- Then in `menuconfig` select:
  - Network -> VPN -> wgsd-registry (and wgsd-registry-awg for AmneziaWG)
  - Network -> VPN -> wgsd-client-ucode (and wgsd-client-ucode-awg for AmneziaWG)
Note: the `*-awg` packages are metapackages that select the additional dependencies needed for AmneziaWG support.
This service periodically regenerates RFC1035 DNS zone files.
The generated file is located at `/tmp/wgsd/<zone>.zone`.
Configuration is done through the UCI interface. The service can run multiple instances, one per interface.
Instances are defined by config sections of type `registry`. See the example file.
Option | Req | Description |
---|---|---|
disabled | No | Disable registry instance. Default 0. |
interface | Yes | Network interface, must be of wireguard or amneziawg protocol |
zone | Yes | Base domain zone. Must end with dot. |
ttl | No | Time to live for records and the file regeneration interval. Default 60 seconds. |
Note: in contrast to the original `wgsd` plugin, this one does not provide a DNS server.
That gives you the flexibility to choose whatever NS server you want.
The only requirement for the server is that it can automatically reload the zone file on change or on a timer.
Discovery client that sets up the endpoints published by the registry.
```
wgsd-client-ucode -i <INTERFACE> -s <DNS-SERVER> -z <ZONE> [-a]
```
Option | Req | Description |
---|---|---|
`-i <INTERFACE>` | Yes | Interface name. |
`-s <DNS-SERVER>` | Yes | DNS server that serves the registry zone(s), `<host-or-ip>[:<port>]` |
`-z <ZONE>` | Yes | Registry zone name. |
`-a` | No | Assign Allowed IPs from the registry. |
Add a line like this to the crontab:
```
1,6,11,16,21,26,31,36,41,46,51,56 * * * * wgsd-client-ucode -i vpn_wg -s ns.example.com:5353 -z wg.example.com
```
Note: the `-a` option merges the existing Allowed IPs with the ones exposed by the registry TXT records.
Please note that if you change this list on the registry, the peer keeps the old IPs until the interface is restarted.
Note: by default the firewall accepts incoming packets on WAN only from known destinations, i.e. from your registry node, so mesh peers cannot establish connections to each other. To overcome that, set a static listen port on the WG/AWG interface and then add a firewall rule allowing incoming UDP on that port.
Note: if you don't want to expose your public keys and IPs to the internet, simply serve the zone over your registry connection.
Suppose you use 10.0.0.0/24 for your VPN network and `10.0.0.1` for the registry:
```
wg.example.com.:5353 {
bind 10.0.0.1
# ...
}
```
Then use `-s 10.0.0.1:5353` on the client side.
The module provides Base32 encoding/decoding functions to ucode; unfortunately the base language has only Base64.
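As an added example (not part of this repository), here is how the registry's zone file can be assembled in Python, showing why Base32 is needed: a peer's base64 public key contains `+`, `/` and mixed case, which are not usable as a DNS label, while its Base32 form is. The record layout (PTR/SRV/A or AAAA/TXT under `_wireguard._udp`, the `txtvers`/`pub`/`allowed-ips` TXT fields, padded Base32 labels) is modelled on the upstream wgsd plugin and is an assumption here; compare against a file in `/tmp/wgsd/` before relying on it. The peer keys are constructed sample bytes, not real keys.

```python
import base64
import ipaddress

# Constructed sample peers (NOT real keys): 32 bytes each, base64 like `wg show` prints.
SAMPLE_PEERS = [
    {"public_key": base64.b64encode(bytes(range(32))).decode(),
     "endpoint": ("203.0.113.10", 51820),
     "allowed_ips": ["10.0.0.2/32"]},
    {"public_key": base64.b64encode(bytes(range(32, 64))).decode(),
     "endpoint": ("2001:db8::10", 51820),          # IPv6 endpoint -> AAAA record
     "allowed_ips": ["10.0.0.3/32", "fd00::3/128"]},
]

SERVICE = "_wireguard._udp"  # DNS-SD service label assumed from upstream wgsd


def key_label(public_key_b64: str) -> str:
    """Turn a base64 WireGuard key into a DNS label.
    Base64 uses '+' and '/' and is case-sensitive, so it cannot be a hostname label;
    Base32 (what ucode-mod-base32 provides on OpenWRT) is label-safe. Padding is kept,
    giving a fixed 56-character label for a 32-byte key."""
    raw = base64.b64decode(public_key_b64, validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard public keys are exactly 32 bytes")
    return base64.b32encode(raw).decode()


def build_zone(zone: str, peers, ttl: int = 60) -> str:
    """Render an RFC1035 zone with one PTR/SRV/A|AAAA/TXT set per peer."""
    if not zone.endswith("."):
        raise ValueError("zone must be fully qualified (end with a dot)")
    service = f"{SERVICE}.{zone}"
    lines = [
        f"$ORIGIN {zone}",
        f"$TTL {ttl}",
        # Minimal SOA/NS so a file-serving DNS server accepts the zone (serial fixed at 1 here).
        f"@ IN SOA ns.{zone} hostmaster.{zone} 1 {ttl} {ttl} {ttl * 24} {ttl}",
        f"@ IN NS ns.{zone}",
    ]
    for p in peers:
        name = f"{key_label(p['public_key'])}.{service}"
        host, port = p["endpoint"]
        rtype = "AAAA" if ipaddress.ip_address(host).version == 6 else "A"
        lines.append(f"{service} IN PTR {name}")          # enumerate peers
        lines.append(f"{name} IN SRV 0 0 {port} {name}")  # endpoint port
        lines.append(f"{name} IN {rtype} {host}")         # endpoint address
        txt = ['"txtvers=1"', f'"pub={p["public_key"]}"']
        if p.get("allowed_ips"):                          # what `-a` on the client consumes
            txt.append(f'"allowed-ips={",".join(p["allowed_ips"])}"')
        lines.append(f"{name} IN TXT {' '.join(txt)}")
    return "\n".join(lines) + "\n"
```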
Plugin for rpcd to support AmneziaWG calls.
It's a copy of `rpcd-mod-wireguard` modified for `proto=amneziawg`.
A collector plugin for `prometheus-node-exporter-ucode`.
Modified version of `prometheus-node-exporter-ucode-wireguard`.
A copy of the package I sent to packages#26900.
It contains the original `wgsd` plugin (optional), but I use it to serve zones generated by `wgsd-registry`, like this:
```
wg.example.com.:5353 {
log
file /tmp/wgsd/wg.example.com.zone {
reload 60s
}
}
```
WireGuard is a registered trademark of Jason A. Donenfeld.