fwmark is used internally during firewall processing, and no mark
remains on egress. Yes, the fwmark is to identify egress encrypted
packets, but no egress packet itself contains this value, and
this metadata disappears once the packet leaves the firewall.
The current wording is ambiguous, since "for" does a lot of lifting.
"during" helps limit the scope of this definition.
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
If for some reason luci-lib-uqr is absent, the GUI shows that the proto
handler needs installing (since it now has a dep which is missing).
Suitable action is to install the lib or remove/install wireguard again.
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
The config generation code was referencing a not existing `dns_servers`
input field.
Fixes: #6921
Fixes: 5b26887c52 ("Adding a DNS option to the wireguard peer config ...")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Some clients like iOS require this explicitly, and so this change
adds the appropriate config with some sensible defaults.
Closes#6351
Signed-off-by: Nicholaos Mouzourakis <nevumx@gmail.com>
Signed-off-by: Paul Donald <newtwen@gmail.com>
Tested-by: Paul Donald <newtwen@gmail.com>
(cherry picked from commit 990696d73f982de015df7c7d552daef1a03f50c5)
Quality of life improvements. Reduce click amounts.
LuCI batches all changes for user-review anyway.
Tested on 23.05.0
Signed-off-by: Paul Donald <newtwen@gmail.com>
Some clients like iOS require this explicitly, and so this change
adds the appropriate config with some sensible defaults.
Addresses issue #6050
Signed-off-by: Nicholaos Mouzourakis <nevumx@gmail.com>
The `domain` option of a DDNS service entry may contain non-hostname values,
use the `lookup_hostname` option instead.
Fixes: #6289
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This corrects the option `AllowedIPs` in generated peer configurations,
and allows to customize it via a dropdown list.
Fixes: #5956
Signed-off-by: Julien Cassette <julien.cassette@gmail.com>
[correct fixes tag, slightly adjust option description]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
When importing a fully configuration, import all peer entries from it
instead of non-deterministically merging all peer keys into one.
When importing a remote configuration as peer, only use the setting from
the peer section matching our local interface pubkey.
Also relabel the `Import peer configuration` button to
`Import configuration as peer` in order to be more explicit.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- Reword texts in import dialogs for better clarity, use different
descriptions for full import and peer import
- Allow importing configurations without [Peer] section
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The /etc/config/ddns in particular might not be present on the system,
don't fail if it is absent.
Fixes: #5838
Fixes: 9ba20645b0 ("luci-proto-wireguard: rewrite protocol handler")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This commit rewrites large chunks of the WireGuard protocol handler in order
to simplify the process of importing and exporting configuration. The major
changes are:
1) The wireguard interface configuration tab (General Settings) gained an
import assistant which allows dragging or pasting a native WireGuard
configuration file in order to import required settrings into uci
2) The peer configuration tab gained a similar import assistant which allows
importing the settings for a WireGuard peer from an existing native
WireGuard configuration file
3) The QR code export feature has been rewritten to make the resulting codes
actually useful for importing into a WireGuard client application.
Additionally the plaintext native WireGuard configuration is displayed
to allow copy-pasting it for use on a Linux or OS X system
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Turn the list of configured peers into a grid section in order to improve
the overview of the configuration form.
Fixes: #5489
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The iptables mark field is 32 bits wide, which is 4 bytes and so 8 hex
characters. Fix the fwmark validation to allow 8 characters in the hex
string.
Fixes: #5098
Suggested-by: Robert <32970961+differentblue@users.noreply.github.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The introduction of network device configuration support also implemented
all common, protocol-independent interface options directly in the
interface config view, so drop the redundant option definitions.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This change allows to configure `nohostroute` option for wireguard to explicitely prevent creation
of host routes to endpoints.
By default without `option nohostroute '1'`, an explicite route to the peer's endpoint will be created in the main routing table with the next hop to the gateway. However, it causes issues with some setup. Enabling this option will inhibit this behavior. See discussions at http://lists.openwrt.org/pipermail/openwrt-devel/2019-March/016329.html.
Signed-off-by: Yuxiang Zhu <vfreex@gmail.com>
Jan Pazdziora
Paul Donald
Bryan Roessler
Jo-Philipp Wich
Nicholaos Mouzourakis
Paul Donald
Jonathan Duncan
Paul Dee
Julien Cassette
Florian Eckert
Lukas Voegl
Robert Walli
Keith Irwin
Wojciech Jowsa
Yuxiang Zhu