yggdrasil IP Tunnel (#305)

Initial yggdrasill iptunnel script
Update install
added jq to install
Remove sleep
Added documentation and install and uninstall

docs/MODULES.md

@@ -25,6 +25,8 @@ A short summary of each module is directly below. Documentation for specific abi
 | `WITH_WATCHDOG`                 | None                                           | Set to `true` if you want to enable hardware watchdog that will reset the device when the operating system becomes unresponsive. |
 | `WITH_YRD`                      | None                                           | Set to `true` if you want to enable [yrd](https://github.com/kpcyrd/yrd), a helpful command-line tool for cjdns. |
 | `WITH_YGGDRASIL`                | None                                           | Set to `true` if you want to install [Yggdrasil](https://yggdrasil-network.github.io/), an alternate and possibly more efficient mesh routing software than CJDNS. |
+| `WITH_YGGDRASIL_IPTUNNEL`       | None                                           | Set to `true` if you want to use the yggdrasil iptunnel feature to set up an Internet gateway for your node. To configure as a server (exit Internet traffic for other nodes), create **/etc/yggdrasil.iptunnel.server** containing a newline-separated list of yggdrasil public keys of allowed clients and an ipaddress for that client. To configure as a client (use an exit server to access the Internet), create **/etc/yggdrasil.iptunnel.client** containing a newline-separated list of yggdrasil public keys of the gateway servers followed by the IP address set on the server. You can only configure as one or the other, not both and you can only have one entry on the client. |
+
 
 To install all optional modules (not recommended), run the following command:
 
@@ -50,6 +52,38 @@ Yggdrasil will give each node (like your Pi, for example) an IPv6 address, but i
 
 However, the Pi does have a firewall, so various commands need be run to allow access to clients. By default all Yggdrasil client access is blocked. See [**Firewall/IPv6/Yggdrasil Clients**](#yggdrasil-clients) to learn how to change that.
 
+### Yggdrasil IPTunnel
+
+This module will allow you to tunnel internet from an EXIT node (server) that has Internet to another node that does not. To do this you must exchange public keys.  The public key can be found in /etc/yggdrasil.conf
+
+#### Server
+ To configure as a server (exit Internet traffic for other nodes), 
+ 1. create **/etc/yggdrasil.iptunnel.server**
+ 1. fill it with newline-separated list of:
+   - public key of the clients
+   - single white space
+   - IP Address in the 10.10.0.0/24 range that will be assigned to the client
+
+Example
+```
+1234567890123456789012345678901234567890123456789012345678901234 10.10.0.1
+2345678901234567890123456789012345678901234567890123456789012345 10.10.0.2
+3456789012345678901234567890123456789012345678901234567890123467 10.10.0.3
+```
+
+#### Client
+To configure as a client (use an exit server to access the Internet), 
+1. create **/etc/yggdrasil.iptunnel.client** 
+1. place a single line containing
+   - public key of the server
+   - single space
+   - IP Address assigned to you by the server
+
+Example
+```
+4567890123456789012345678901234567890123456789012345678901234567 10.10.0.4
+```
+
 ## IPFS
 IPFS stands for Interplanetary File System. It is an open-source, peer-to-peer distributed hypermedia protocol that aims to function as a ubiquitous file system for all computing devices. 
 

scripts/cjdns-iptunnel/uninstall

@@ -3,5 +3,10 @@
 set -e
 
 # Uninstall scripts that configure cjdns iptunnel
-sudo rm /etc/udev/rules.d/50-cjdns.rules
 sudo rm /usr/local/sbin/cjdns-setup
+if [ -f /lib/systemd/system/cjdns.service ]; then
+    sudo sed -i /ExecStartPost/d /lib/systemd/system/cjdns.service
+fi
+if [ -f /etc/systemd/system/cjdns.service ]; then
+    sudo sed -i /ExecStartPost/d /etc/systemd/system/cjdns.service
+fi

scripts/install

@@ -41,6 +41,7 @@ git checkout $TAG_PROTOTYPE_CJDNS_PI
 
 # Export environment variables
 export WITH_YGGDRASIL
+export WITH_YGGDRASIL_IPTUNNEL
 export WITH_MESH_POINT
 export WITH_AD_HOC
 export WITH_WIFI_AP

scripts/install2

@@ -90,12 +90,12 @@ else
     if [[ $BOARD_REVISION == *"900092"* || $BOARD_REVISION == *"900093"* || $BOARD_REVISION == *"9000c1"* ]]; then
         BOARD_NAME="Zero"
         CJDNS_BUILD_CMD="sudo Seccomp_NO=1 NO_NEON=1 NO_TEST=1 CFLAGS=\"-s -mfpu=vfp -O2\" ./do"
-	SUPPORT_HOSTAP=true
-	CJDNS_PACKAGE="cjdns-no-neon-v4.deb"
+	      SUPPORT_HOSTAP=true
+	      CJDNS_PACKAGE="cjdns-no-neon-v4.deb"
     elif [[ $BOARD_REVISION == *"00"* ]]; then
         BOARD_NAME="1"
         CJDNS_BUILD_CMD="sudo Seccomp_NO=1 NO_NEON=1 NO_TEST=1 CFLAGS=\"-s -static -Wall\" ./do"
-	CJDNS_PACKAGE="cjdns-no-neon-v4.deb"
+	      CJDNS_PACKAGE="cjdns-no-neon-v4.deb"
     elif [[ $BOARD_REVISION == *"a01041"* || $BOARD_REVISION == *"a21041"* ]]; then
         BOARD_NAME="2"
         CJDNS_BUILD_CMD="sudo NO_TEST=1 CFLAGS=\"-mfpu=neon-vfpv4 -O2\" ./do"
@@ -164,14 +164,15 @@ if [ "$(checkModule 'WITH_DIALOG')" ]; then
 fi
 
 
-askSelection "A Basic node\nB IPFS Node\nC Monitor Node\nD SSB Node\nE Camera Node\nF Raspberry Pi Adhoc (Experimental) \nZ Custom" "Select node install type" Z
+askSelection "A Basic node\nB IPFS Node\nC Monitor Node\nD SSB Node\nE Camera Node\nZ Custom" "Select node install type" Z
 
 case "$dialogREPLY" in
     "A")
         echo "Basic node"
-	WITH_YGGDRASIL=true
-	WITH_MESH_POINT=""
-	WITH_WIFI_AP=""
+        WITH_YGGDRASIL=true
+        WITH_YGGDRASIL_IPTUNNEL=true
+        WITH_MESH_POINT=""
+        WITH_WIFI_AP=""
         WITH_FIREWALL=true
         WITH_CJDNS_IPTUNNEL=true
         WITH_IPFS=false
@@ -187,7 +188,8 @@ case "$dialogREPLY" in
     ;;
     "B")
         echo "Basic IPFS node"
-	WITH_YGGDRASIL=true
+        WITH_YGGDRASIL=true
+        WITH_YGGDRASIL_IPTUNNEL=true
         WITH_MESH_POINT=""
         WITH_WIFI_AP=""
         WITH_FIREWALL=true
@@ -205,7 +207,8 @@ case "$dialogREPLY" in
     ;;
     "C")
         echo "Monitor Node"
-	WITH_YGGDRASIL=true
+        WITH_YGGDRASIL=true
+        WITH_YGGDRASIL_IPTUNNEL=true
         WITH_MESH_POINT=""
         WITH_WIFI_AP=""
         WITH_FIREWALL=true
@@ -223,7 +226,8 @@ case "$dialogREPLY" in
     ;;
     "D")
         echo "SSB Node"
-	WITH_YGGDRASIL=true
+        WITH_YGGDRASIL=true
+        WITH_YGGDRASIL_IPTUNNEL=true
         WITH_MESH_POINT=""
         WITH_WIFI_AP=""
         WITH_FIREWALL=true
@@ -241,7 +245,8 @@ case "$dialogREPLY" in
     ;;
     "E")
         echo "IPFS Camera Node"
-	WITH_YGGDRASIL=true
+        WITH_YGGDRASIL=true
+        WITH_YGGDRASIL_IPTUNNEL=true
         WITH_MESH_POINT=""
         WITH_WIFI_AP=""
         WITH_FIREWALL=true
@@ -257,25 +262,6 @@ case "$dialogREPLY" in
         WITH_SSB_PATCHFOO=false
         WITH_IPFS_PI_STREAM=true
     ;;
-    "F")
-        echo "Raspberry Pi Ad-Hoc"
-	WITH_YGGDRASIL=true
-        WITH_MESH_POINT=false
-	WITH_AD_HOC=true
-        WITH_WIFI_AP=false
-        WITH_FIREWALL=true
-        WITH_CJDNS_IPTUNNEL=true
-        WITH_IPFS=false
-        WITH_PROMETHEUS_NODE_EXPORTER=true
-        WITH_EXTRA_TOOLS=true
-        WITH_WATCHDOG=true
-        WITH_YRD=true
-        WITH_PROMETHEUS_SERVER=false
-        WITH_GRAFANA=false
-        WITH_SSB=false
-        WITH_SSB_PATCHFOO=false
-        WITH_IPFS_PI_STREAM=false
-    ;;
     "Z")
     ;;
     *)
@@ -296,7 +282,9 @@ fi
 export MESH_NAME
 
 askModule "WITH_YGGDRASIL" "Yggdrasil routing engine"
-
+if [ "$WITH_YGGDRASIL" == "true" ]; then
+    askModule "WITH_YGGDRASIL_IPTUNNEL" "Internet Gateway over Yggdrasil"
+fi
 askModule "WITH_MESH_POINT" "Mesh Point Interface"
 if [ "$WITH_MESH_POINT" == false ]; then
     askModule "WITH_AD_HOC" "Ad-Hoc Interface"
@@ -305,7 +293,7 @@ if [ "$SUPPORT_HOSTAP" == "true" ]; then
     askModule "WITH_WIFI_AP" "WiFi Access Point"
 fi
 askModule "WITH_FIREWALL" "Basic Firewall"
-askModule "WITH_CJDNS_IPTUNNEL" "Internet Gateway"
+askModule "WITH_CJDNS_IPTUNNEL" "Internet Gateway over CJDNS"
 askModule "WITH_IPFS" "IPFS"
 if [ "$WITH_IPFS" == true ] && [ "$BOARD_FAMILY" == "Raspberry Pi" ]; then
     askModule "WITH_IPFS_PI_STREAM" "IPFS Pi Stream" "n"
@@ -443,7 +431,10 @@ fi
 if [ "$(checkModule 'WITH_CJDNS_IPTUNNEL')" ]; then
     source cjdns-iptunnel/install
 fi
-
+# Configure Internet gateway using yggdrasil  iptunnel
+if [ "$(checkModule 'WITH_YGGDRASIL_IPTUNNEL')" ]; then
+    source cjdns-iptunnel/install
+fi
 # IPFS
 if [ ! -x "$(command -v ipfs)" ] && [ "$(checkModule 'WITH_IPFS')" ]; then
     source ipfs/install

scripts/uninstall

@@ -25,6 +25,7 @@ if [ -f "/etc/cjdroute.conf" ]; then
 fi
 
 # Uninstall optional modules
+source "$BASE_DIR/cjdns-iptunnel/uninstall"
 source "$BASE_DIR/ssb/uninstall"
 source "$BASE_DIR/mesh-point/uninstall"
 source "$BASE_DIR/mesh-adhoc/uninstall"
@@ -40,10 +41,11 @@ source "$BASE_DIR/yrd/uninstall"
 source "$BASE_DIR/shared/nodeinfo/uninstall"
 source "$BASE_DIR/nginx/uninstall"
 source "$BASE_DIR/yggdrasil/uninstall"
+source "$BASE_DIR/yggdrasil-iptunnel/uninstall"
 
 sudo systemctl daemon-reload
 
-sudo sed -i 's/service dnsmasq restart//' /etc/rc.local 
+sudo sed -i 's/service dnsmasq restart//' /etc/rc.local
 
 # Uninstall status script
 sudo rm -f /usr/local/bin/status

scripts/yggdrasil-iptunnel/install

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -e
+
+BASE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+sudo apt-get -y install jq
+
+sudo cp "$BASE_DIR/yggdrasil-setup" "/usr/local/sbin/yggdrasil-setup"
+sudo cp "$BASE_DIR/yggdrasil-pre-setup" "/usr/local/sbin/yggdrasil-pre-setup"
+
+sudo chmod a+x /usr/local/sbin/yggdrasil-pre-setup
+sudo chmod a+x /usr/local/sbin/yggdrasil-setup
+
+# Update service to start script on cjdns start
+if [ -f /etc/systemd/system/yggdrasil.service ]; then
+    sudo sed -i /ExecStartPost/d /etc/systemd/system/yggdrasil.service
+    sudo sed -i s#Restart=always#Restart=always\\nExecStartPost=/usr/local/sbin/yggdrasil-setup# /etc/systemd/system/yggdrasil.service
+    sudo sed -i "s#fi\"#fi; /usr/local/sbin/yggdrasil-pre-setup\"#" /etc/systemd/system/yggdrasil.service
+fi
+
+sudo systemctl daemon-reload

scripts/yggdrasil-iptunnel/uninstall

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Uninstall scripts that configure yggdrasil iptunnel
+sudo rm /usr/local/sbin/yggdrasil-setup
+sudo rm /usr/local/sbin/yggdrasil-pre-setup
+if [ -f /lib/systemd/system/yggdrasil.service ]; then
+    sudo sed -i /ExecStartPost/d /lib/systemd/system/yggdrasil.service
+fi
+if [ -f /etc/systemd/system/yggdrasil.service ]; then
+    sudo sed -i /ExecStartPost/d /etc/systemd/system/yggdrasil.service
+fi

scripts/yggdrasil-iptunnel/yggdrasil-pre-setup

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# Convert existing yggdrasil config to json from hjson
+   
+# Detect if there is a # as a first character of the file.
+# If it is then its proably a hjson and needs to be converted into json
+if [ ! -z "$(tr -d ' \t\r\f' < /etc/yggdrasil.conf   | grep -i "^[#]")"  ]; then
+    sudo mv /etc/yggdrasil.conf /etc/yggdrasil.conf.orig
+    sudo yggdrasil -useconffile /etc/yggdrasil.conf.orig -normaliseconf -json | sudo tee /etc/yggdrasil.conf > /dev/null
+fi
+
+if [ -e /etc/yggdrasil.iptunnel.server ]; then
+    # Add each client to yggdrasil iptunnel allowed connections
+    while read -r PUBLIC_KEY IP_ADDR; do
+        if [[ "${PUBLIC_KEY}" =~ ^[0-z]{64}]]; then
+            IPv4Destinations="${IPv4Destinations} \"${IP_ADDR}/32\": \"${PUBLIC_KEY}\","
+        fi
+    done < /etc/yggdrasil.iptunnel.server
+
+    # Trim last ,
+    IPv4Destinations="${IPv4Destinations%?}"
+    IPv4Sources="0.0.0.0/0"
+elif [ -e /etc/yggdrasil.iptunnel.client ]; then
+    # Add each server to yggdrasil iptunnel connect-to's
+    while read -r PUBLIC_KEY IP_ADDR; do
+        if [[ "${PUBLIC_KEY}" =~ ^[0-z]{64} ]]; then
+            IPv4Destinations="\"0.0.0.0/0\": \"${PUBLIC_KEY}\""
+            IPv4Sources="${IP_ADDR}/32"
+        fi
+    done < /etc/yggdrasil.iptunnel.client
+ fi
+
+# Check if there are values to set in the new config file
+if [ ! -z "$IPv4Sources" ];then
+    # Re-write tunnel routing
+    sudo jq 'del(.TunnelRouting)' /etc/yggdrasil.conf > /tmp/yggdrasil.conf
+    sudo jq '.TunnelRouting.Enable = true' /tmp/yggdrasil.conf > /tmp/yggdrasil-edit.conf && sudo mv /tmp/yggdrasil-edit.conf /tmp/yggdrasil.conf
+    sudo jq '.TunnelRouting.IPv4Sources = "__IPv4Sources__"' /tmp/yggdrasil.conf > /tmp/yggdrasil-edit.conf && sudo mv /tmp/yggdrasil-edit.conf /tmp/yggdrasil.conf
+    sudo jq '.TunnelRouting.IPv4Destinations = "__IPv4Destinations__"' /tmp/yggdrasil.conf > /tmp/yggdrasil-edit.conf && sudo mv /tmp/yggdrasil-edit.conf /tmp/yggdrasil.conf
+    sudo sed -i "s#\"__IPv4Sources__\"#[\"$IPv4Sources\"]#" /tmp/yggdrasil.conf
+    sudo sed -i "s#\"__IPv4Destinations__\"#\{$IPv4Destinations\}#" /tmp/yggdrasil.conf
+    sudo mv /tmp/yggdrasil.conf /etc/yggdrasil.conf
+fi

scripts/yggdrasil-iptunnel/yggdrasil-setup

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+
+# Enable forwarding for ipv4 and ipv6
+echo 1 > /proc/sys/net/ipv4/ip_forward
+echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+SUBNET4="10.10.0."
+
+# Give yggdrasil enough time to create an ygg0 interface before we start adding routes
+sleep 5
+
+if [ -e /etc/yggdrasil.iptunnel.server ]; then
+    # Add route for cjdns ygg0 interface
+    sudo route add -net "${SUBNET4}0/24" ygg0 || true
+
+    # If no NAT (masquarading) being done, start doing it
+    if [ -z "$(sudo iptables -L POSTROUTING -v -n -t nat  | grep MASQUERADE)" ]; then
+        sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+    fi
+# Configure as yggdrasil iptunnel client if client file is present (this is simply a newline-separated list
+# of cjdns public keys in /etc/yggdrasil.iptunnel.client, each key indicating an iptunnel exit server)
+elif [ -e /etc/yggdrasil.iptunnel.client ]; then
+
+    # Add each server to yggdrasil iptunnel connect-to's
+    while read -r PUBLIC_KEY ASSIGNED_IP; do
+        if [[ "${PUBLIC_KEY}" =~ ^[0-z]{64} ]]; then
+            sudo ip addr add dev ygg0 ${ASSIGNED_IP}/32
+        fi
+    done < /etc/yggdrasil.iptunnel.client
+
+    # Remove NAT from eth0 if it exists
+    sudo iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE || true
+
+    # Route NAT traffic through to yggdrasil ygg0 interface to use iptunnel exit server
+    sudo iptables -t nat -A POSTROUTING -o ygg0 -j MASQUERADE
+
+    # Special hack to change default route without removing original one
+    sudo route add  -net 0.0.0.0/1 ygg0
+    sudo route add  -net 128.0.0.0/1 ygg0
+fi