ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2025-01-04 21:14:21 +00:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity
6ba3d70c95
openwrt/package/network/services/wireguard/Makefile

117 lines
3.4 KiB
Makefile
Raw Normal View History

wireguard: add wireguard to base packages Move wireguard from openwrt/packages to base a package. This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving experimental kernel module that many find essential and useful. The other is a VPN client. Both are inside of core. When you combine the two characteristics, you get WireGuard. Generally speaking, because of the extremely lightweight nature and "stateless" configuration of WireGuard, many view it as a core and essential utility, initiated at boot time and immediately configured by netifd, much like the use of things like GRE tunnels. WireGuard has a backwards and forwards compatible Netlink API, which means the userspace tools should work with both newer and older kernels as things change. There should be no versioning requirements, therefore, between kernel bumps and userspace package bumps. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Acked-by: Jo-Philipp Wich <jo@mein.io> Acked-by: Felix Fietkau <nbd@nbd.name>
2017-10-13 15:05:18 +00:00
#
wireguard: bump to 0.0.20180531 to fix flow offloading This version bump was made upstream mostly for OpenWRT, and should fix an issue with a null dst when on the flow offloading path. While we're at it, Kevin and I are the only people actually taking care of this package, so trim the maintainer list a bit. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-31 01:05:51 +00:00
# Copyright (C) 2016-2018 Jason A. Donenfeld <Jason@zx2c4.com>
wireguard: add wireguard to base packages Move wireguard from openwrt/packages to base a package. This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving experimental kernel module that many find essential and useful. The other is a VPN client. Both are inside of core. When you combine the two characteristics, you get WireGuard. Generally speaking, because of the extremely lightweight nature and "stateless" configuration of WireGuard, many view it as a core and essential utility, initiated at boot time and immediately configured by netifd, much like the use of things like GRE tunnels. WireGuard has a backwards and forwards compatible Netlink API, which means the userspace tools should work with both newer and older kernels as things change. There should be no versioning requirements, therefore, between kernel bumps and userspace package bumps. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Acked-by: Jo-Philipp Wich <jo@mein.io> Acked-by: Felix Fietkau <nbd@nbd.name>
2017-10-13 15:05:18 +00:00
# Copyright (C) 2016 Baptiste Jonglez <openwrt@bitsofnetworks.org>
# Copyright (C) 2016-2017 Dan Luedtke <mail@danrl.com>
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=wireguard
wireguard: bump to 0.0.20190227 * wg-quick: freebsd: allow loopback to work FreeBSD adds a route for point-to-point destination addresses. We don't really want to specify any destination address, but unfortunately we have to. Before we tried to cheat by giving our own address as the destination, but this had the unfortunate effect of preventing loopback from working on our local ip address. We work around this with yet another kludge: we set the destination address to 127.0.0.1. Since 127.0.0.1 is already assigned to an interface, this has the same effect of not specifying a destination address, and therefore we accomplish the intended behavior. Note that the bad behavior is still present in Darwin, where such workaround does not exist. * tools: remove unused check phony declaration * highlighter: when subtracting char, cast to unsigned * chacha20: name enums * tools: fight compiler slightly harder * tools: c_acc doesn't need to be initialized * queueing: more reasonable allocator function convention Usual nits. * systemd: wg-quick should depend on nss-lookup.target Since wg-quick(8) calls wg(8) which does hostname lookups, we should probably only run this after we're allowed to look up hostnames. * compat: backport ALIGN_DOWN * noise: whiten the nanoseconds portion of the timestamp This mitigates unrelated sidechannel attacks that think they can turn WireGuard into a useful time oracle. * hashtables: decouple hashtable allocations from the main device allocation The hashtable allocations are quite large, and cause the device allocation in the net framework to stall sometimes while it tries to find a contiguous region that can fit the device struct. To fix the allocation stalls, decouple the hashtable allocations from the device allocation and allocate the hashtables with kvmalloc's implicit __GFP_NORETRY so that the allocations fall back to vmalloc with little resistance. * chacha20poly1305: permit unaligned strides on certain platforms The map allocations required to fix this are mostly slower than unaligned paths. * noise: store clamped key instead of raw key This causes `wg show` to now show the right thing. Useful for doing comparisons. * compat: ipv6_stub is sometimes null On ancient kernels, ipv6_stub is sometimes null in cases where IPv6 has been disabled with a command line flag or other failures. * Makefile: don't duplicate code in install and modules-install * Makefile: make the depmod path configurable * queueing: net-next has changed signature of skb_probe_transport_header A 5.1 change. This could change again, but for now it allows us to keep this snapshot aligned with our upstream submissions. * netlink: don't remove allowed ips for new peers * peer: only synchronize_rcu_bh and traverse trie once when removing all peers * allowedips: maintain per-peer list of allowedips This is a rather big and important change that makes it much much faster to do operations involving thousands of peers. Batch peer/allowedip addition and clearing is several orders of magnitude faster now. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-27 23:36:49 +00:00
PKG_VERSION:=0.0.20190227
wireguard: bump to 0.0.20180802 Changelog taken from the version announcement > == Changes == > > * chacha20poly1305: selftest: split up test vector constants > > The test vectors are encoded as long strings -- really long strings -- and > apparently RFC821 doesn't like lines longer than 998. > https://cr.yp.to/smtp/message.html > > * queueing: keep reference to peer after setting atomic state bit > > This fixes a regression introduced when preparing the LKML submission. > > * allowedips: prevent double read in kref > * allowedips: avoid window of disappeared peer > * hashtables: document immediate zeroing semantics > * peer: ensure resources are freed when creation fails > * queueing: document double-adding and reference conditions > * queueing: ensure strictly ordered loads and stores > * cookie: returned keypair might disappear if rcu lock not held > * noise: free peer references on failure > * peer: ensure destruction doesn't race > > Various fixes, as well as lots of code comment documentation, for a > small variety of the less obvious aspects of object lifecycles, > focused on correctness. > > * allowedips: free root inside of RCU callback > * allowedips: use different macro names so as to avoid confusion > > These incorporate two suggestions from LKML. > > This snapshot contains commits from: Jason A. Donenfeld and Jann Horn. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2018-08-03 20:13:13 +00:00
PKG_RELEASE:=1
wireguard: add wireguard to base packages Move wireguard from openwrt/packages to base a package. This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving experimental kernel module that many find essential and useful. The other is a VPN client. Both are inside of core. When you combine the two characteristics, you get WireGuard. Generally speaking, because of the extremely lightweight nature and "stateless" configuration of WireGuard, many view it as a core and essential utility, initiated at boot time and immediately configured by netifd, much like the use of things like GRE tunnels. WireGuard has a backwards and forwards compatible Netlink API, which means the userspace tools should work with both newer and older kernels as things change. There should be no versioning requirements, therefore, between kernel bumps and userspace package bumps. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Acked-by: Jo-Philipp Wich <jo@mein.io> Acked-by: Felix Fietkau <nbd@nbd.name>
2017-10-13 15:05:18 +00:00
PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
wireguard: bump to 0.0.20190227 * wg-quick: freebsd: allow loopback to work FreeBSD adds a route for point-to-point destination addresses. We don't really want to specify any destination address, but unfortunately we have to. Before we tried to cheat by giving our own address as the destination, but this had the unfortunate effect of preventing loopback from working on our local ip address. We work around this with yet another kludge: we set the destination address to 127.0.0.1. Since 127.0.0.1 is already assigned to an interface, this has the same effect of not specifying a destination address, and therefore we accomplish the intended behavior. Note that the bad behavior is still present in Darwin, where such workaround does not exist. * tools: remove unused check phony declaration * highlighter: when subtracting char, cast to unsigned * chacha20: name enums * tools: fight compiler slightly harder * tools: c_acc doesn't need to be initialized * queueing: more reasonable allocator function convention Usual nits. * systemd: wg-quick should depend on nss-lookup.target Since wg-quick(8) calls wg(8) which does hostname lookups, we should probably only run this after we're allowed to look up hostnames. * compat: backport ALIGN_DOWN * noise: whiten the nanoseconds portion of the timestamp This mitigates unrelated sidechannel attacks that think they can turn WireGuard into a useful time oracle. * hashtables: decouple hashtable allocations from the main device allocation The hashtable allocations are quite large, and cause the device allocation in the net framework to stall sometimes while it tries to find a contiguous region that can fit the device struct. To fix the allocation stalls, decouple the hashtable allocations from the device allocation and allocate the hashtables with kvmalloc's implicit __GFP_NORETRY so that the allocations fall back to vmalloc with little resistance. * chacha20poly1305: permit unaligned strides on certain platforms The map allocations required to fix this are mostly slower than unaligned paths. * noise: store clamped key instead of raw key This causes `wg show` to now show the right thing. Useful for doing comparisons. * compat: ipv6_stub is sometimes null On ancient kernels, ipv6_stub is sometimes null in cases where IPv6 has been disabled with a command line flag or other failures. * Makefile: don't duplicate code in install and modules-install * Makefile: make the depmod path configurable * queueing: net-next has changed signature of skb_probe_transport_header A 5.1 change. This could change again, but for now it allows us to keep this snapshot aligned with our upstream submissions. * netlink: don't remove allowed ips for new peers * peer: only synchronize_rcu_bh and traverse trie once when removing all peers * allowedips: maintain per-peer list of allowedips This is a rather big and important change that makes it much much faster to do operations involving thousands of peers. Batch peer/allowedip addition and clearing is several orders of magnitude faster now. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-02-27 23:36:49 +00:00
PKG_HASH:=fcdb26fd2692d9e1dee54d14418603c38fbb973a06ce89d08fbe45292ff37f79
wireguard: add wireguard to base packages Move wireguard from openwrt/packages to base a package. This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving experimental kernel module that many find essential and useful. The other is a VPN client. Both are inside of core. When you combine the two characteristics, you get WireGuard. Generally speaking, because of the extremely lightweight nature and "stateless" configuration of WireGuard, many view it as a core and essential utility, initiated at boot time and immediately configured by netifd, much like the use of things like GRE tunnels. WireGuard has a backwards and forwards compatible Netlink API, which means the userspace tools should work with both newer and older kernels as things change. There should be no versioning requirements, therefore, between kernel bumps and userspace package bumps. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Acked-by: Jo-Philipp Wich <jo@mein.io> Acked-by: Felix Fietkau <nbd@nbd.name>
2017-10-13 15:05:18 +00:00
PKG_LICENSE:=GPL-2.0 Apache-2.0
PKG_LICENSE_FILES:=COPYING
wireguard: move to kernel build directory It builds a kernel module, so its build dir should be target specific Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-11-11 12:01:50 +00:00
PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/WireGuard-$(PKG_VERSION)
wireguard: add wireguard to base packages Move wireguard from openwrt/packages to base a package. This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving experimental kernel module that many find essential and useful. The other is a VPN client. Both are inside of core. When you combine the two characteristics, you get WireGuard. Generally speaking, because of the extremely lightweight nature and "stateless" configuration of WireGuard, many view it as a core and essential utility, initiated at boot time and immediately configured by netifd, much like the use of things like GRE tunnels. WireGuard has a backwards and forwards compatible Netlink API, which means the userspace tools should work with both newer and older kernels as things change. There should be no versioning requirements, therefore, between kernel bumps and userspace package bumps. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Acked-by: Jo-Philipp Wich <jo@mein.io> Acked-by: Felix Fietkau <nbd@nbd.name>
2017-10-13 15:05:18 +00:00
PKG_BUILD_PARALLEL:=1
PKG_USE_MIPS16:=0
# WireGuard's makefile needs this to know where to build the kernel module
export KERNELDIR:=$(LINUX_DIR)
include $(INCLUDE_DIR)/package.mk
define Package/wireguard/Default
SECTION:=net
CATEGORY:=Network
SUBMENU:=VPN
URL:=https://www.wireguard.com
wireguard: bump to 0.0.20180531 to fix flow offloading This version bump was made upstream mostly for OpenWRT, and should fix an issue with a null dst when on the flow offloading path. While we're at it, Kevin and I are the only people actually taking care of this package, so trim the maintainer list a bit. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2018-05-31 01:05:51 +00:00
MAINTAINER:=Jason A. Donenfeld <Jason@zx2c4.com> \
Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
wireguard: add wireguard to base packages Move wireguard from openwrt/packages to base a package. This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving experimental kernel module that many find essential and useful. The other is a VPN client. Both are inside of core. When you combine the two characteristics, you get WireGuard. Generally speaking, because of the extremely lightweight nature and "stateless" configuration of WireGuard, many view it as a core and essential utility, initiated at boot time and immediately configured by netifd, much like the use of things like GRE tunnels. WireGuard has a backwards and forwards compatible Netlink API, which means the userspace tools should work with both newer and older kernels as things change. There should be no versioning requirements, therefore, between kernel bumps and userspace package bumps. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Acked-by: Jo-Philipp Wich <jo@mein.io> Acked-by: Felix Fietkau <nbd@nbd.name>
2017-10-13 15:05:18 +00:00
endef
define Package/wireguard/Default/description
WireGuard is a novel VPN that runs inside the Linux Kernel and utilizes
state-of-the-art cryptography. It aims to be faster, simpler, leaner, and
more useful than IPSec, while avoiding the massive headache. It intends to
be considerably more performant than OpenVPN. WireGuard is designed as a
general purpose VPN for running on embedded interfaces and super computers
alike, fit for many different circumstances. It uses UDP.
endef
define Package/wireguard
$(call Package/wireguard/Default)
TITLE:=WireGuard meta-package
DEPENDS:=+wireguard-tools +kmod-wireguard
endef
include $(INCLUDE_DIR)/kernel-defaults.mk
include $(INCLUDE_DIR)/package-defaults.mk
# Used by Build/Compile/Default
MAKE_PATH:=src/tools
wireguard: no longer need portability patch Drop package/network/services/wireguard/patches/100-portability.patch Instead pass 'PLATFORM=linux' to make since we are always building FOR linux. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-05-17 22:08:21 +00:00
MAKE_VARS += PLATFORM=linux
wireguard: add wireguard to base packages Move wireguard from openwrt/packages to base a package. This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving experimental kernel module that many find essential and useful. The other is a VPN client. Both are inside of core. When you combine the two characteristics, you get WireGuard. Generally speaking, because of the extremely lightweight nature and "stateless" configuration of WireGuard, many view it as a core and essential utility, initiated at boot time and immediately configured by netifd, much like the use of things like GRE tunnels. WireGuard has a backwards and forwards compatible Netlink API, which means the userspace tools should work with both newer and older kernels as things change. There should be no versioning requirements, therefore, between kernel bumps and userspace package bumps. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Acked-by: Jo-Philipp Wich <jo@mein.io> Acked-by: Felix Fietkau <nbd@nbd.name>
2017-10-13 15:05:18 +00:00
define Build/Compile
$(MAKE) $(KERNEL_MAKEOPTS) M="$(PKG_BUILD_DIR)/src" modules
$(call Build/Compile/Default)
endef
define Package/wireguard/install
true
endef
define Package/wireguard/description
$(call Package/wireguard/Default/description)
endef
define Package/wireguard-tools
$(call Package/wireguard/Default)
TITLE:=WireGuard userspace control program (wg)
DEPENDS:=+libmnl +ip
endef
define Package/wireguard-tools/description
$(call Package/wireguard/Default/description)
This package provides the userspace control program for WireGuard,
wireguard-tools: add wireguard_watchdog script This watchdog script tries to re-resolve hostnames for inactive WireGuard peers. Use it for peers with a frequently changing dynamic IP. persistent_keepalive must be set, recommended value is 25 seconds. Run this script from cron every minute: echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root Signed-off-by: Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com> [bump the package release] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-01 12:40:31 +00:00
`wg(8)`, a netifd protocol helper, and a re-resolve watchdog script.
wireguard: add wireguard to base packages Move wireguard from openwrt/packages to base a package. This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving experimental kernel module that many find essential and useful. The other is a VPN client. Both are inside of core. When you combine the two characteristics, you get WireGuard. Generally speaking, because of the extremely lightweight nature and "stateless" configuration of WireGuard, many view it as a core and essential utility, initiated at boot time and immediately configured by netifd, much like the use of things like GRE tunnels. WireGuard has a backwards and forwards compatible Netlink API, which means the userspace tools should work with both newer and older kernels as things change. There should be no versioning requirements, therefore, between kernel bumps and userspace package bumps. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Acked-by: Jo-Philipp Wich <jo@mein.io> Acked-by: Felix Fietkau <nbd@nbd.name>
2017-10-13 15:05:18 +00:00
endef
define Package/wireguard-tools/install
$(INSTALL_DIR) $(1)/usr/bin/
$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/tools/wg $(1)/usr/bin/
wireguard-tools: add wireguard_watchdog script This watchdog script tries to re-resolve hostnames for inactive WireGuard peers. Use it for peers with a frequently changing dynamic IP. persistent_keepalive must be set, recommended value is 25 seconds. Run this script from cron every minute: echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root Signed-off-by: Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com> [bump the package release] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-07-01 12:40:31 +00:00
$(INSTALL_BIN) ./files/wireguard_watchdog $(1)/usr/bin/
wireguard: add wireguard to base packages Move wireguard from openwrt/packages to base a package. This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving experimental kernel module that many find essential and useful. The other is a VPN client. Both are inside of core. When you combine the two characteristics, you get WireGuard. Generally speaking, because of the extremely lightweight nature and "stateless" configuration of WireGuard, many view it as a core and essential utility, initiated at boot time and immediately configured by netifd, much like the use of things like GRE tunnels. WireGuard has a backwards and forwards compatible Netlink API, which means the userspace tools should work with both newer and older kernels as things change. There should be no versioning requirements, therefore, between kernel bumps and userspace package bumps. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Acked-by: Jo-Philipp Wich <jo@mein.io> Acked-by: Felix Fietkau <nbd@nbd.name>
2017-10-13 15:05:18 +00:00
$(INSTALL_DIR) $(1)/lib/netifd/proto/
$(INSTALL_BIN) ./files/wireguard.sh $(1)/lib/netifd/proto/
endef
define KernelPackage/wireguard
SECTION:=kernel
CATEGORY:=Kernel modules
SUBMENU:=Network Support
TITLE:=WireGuard kernel module
DEPENDS:=+IPV6:kmod-udptunnel6 +kmod-udptunnel4
FILES:= $(PKG_BUILD_DIR)/src/wireguard.$(LINUX_KMOD_SUFFIX)
AUTOLOAD:=$(call AutoProbe,wireguard)
endef
define KernelPackage/wireguard/description
$(call Package/wireguard/Default/description)
This package provides the kernel module for WireGuard.
endef
$(eval $(call BuildPackage,wireguard))
$(eval $(call BuildPackage,wireguard-tools))
$(eval $(call KernelPackage,wireguard))
Reference in New Issue Copy Permalink