package/gluon-mesh-olsrd/files/usr/lib/autoupdater/upgrade.d/10olsrd

+#!/bin/sh
+
+# shellcheck source=package/gluon-autoupdater/files/lib/gluon/autoupdater/lib.sh
+. /lib/gluon/autoupdater/lib.sh
+
+
+stop olsrd2
+wifi down

package/gluon-mesh-olsrd/luasrc/lib/gluon/upgrade/360-gluon-mesh-olsrd-setup-intf

+#!/usr/bin/lua
+
+local uci = require('simple-uci').cursor()
+local site = require 'gluon.site'
+local util = require 'gluon.util'
+local wireless = require 'gluon.wireless'
+local l3 = require 'gluon.l3'
+
+local mesh_interfaces = util.get_role_interfaces(uci, 'mesh')
+local uplink_interfaces = util.get_role_interfaces(uci, 'uplink')
+local client_interfaces = util.get_role_interfaces(uci, 'client')
+
+local mesh_interfaces_uplink = {}
+local mesh_interfaces_client = {}
+local mesh_interfaces_other = {}
+for _, iface in ipairs(mesh_interfaces) do
+	if util.contains(uplink_interfaces, iface) then
+		table.insert(mesh_interfaces_uplink, iface)
+	elseif util.contains(client_interfaces, iface) then
+		table.insert(mesh_interfaces_client, iface)
+	else
+		table.insert(mesh_interfaces_other, iface)
+	end
+end
+
+local intf = {
+	wired_mesh = {},
+	vpn_mesh = {},
+	radio_mesh = {},
+}
+
+intf.all_intfs = {}
+
+for _, l in ipairs({ intf.wired_mesh, intf.vpn_mesh, intf.radio_mesh }) do
+	for _, n in ipairs(l) do
+		table.insert(intf.all_intfs, n)
+	end
+end
+
+-- get all mesh radios and mesh lans and then add them to olsrd
+wireless.foreach_radio(uci, function(radio, _, _)
+	local radio_name = radio['.name']
+	table.insert(intf.radio_mesh, 'mesh_' .. radio_name)
+end)
+
+if pcall(function() require 'gluon.mesh-vpn' end) then
+	local vpn_core = require 'gluon.mesh-vpn'
+
+	if vpn_core.enabled() then
+		-- mesh_vpn is a interface that has the right ifname
+		-- we can't use mesh-vpn (dash instead of underscore) since it's not a uci interface
+		table.insert(intf.vpn_mesh, 'mesh_vpn')
+	end
+end
+
+
+local has_uplink_mesh = false
+local has_other_mesh = false
+
+for _,i in pairs(mesh_interfaces) do
+	if util.contains(uplink_interfaces, i) then
+		has_uplink_mesh = true
+	else
+		has_other_mesh = true
+	end
+end
+
+if has_uplink_mesh then
+	table.insert(intf.wired_mesh, 'mesh_uplink')
+end
+
+if has_other_mesh then
+	table.insert(intf.wired_mesh, 'mesh_other')
+end
+
+uci:delete_all('olsrd2', 'interface')
+uci:delete_all('olsrd2', 'lan_import')
+
+if site.mesh.olsrd.v2.enable(true) then
+	os.execute('/etc/init.d/olsrd2 enable')
+
+	local addrs = { }
+	local lan = nil
+	local orig = { }
+	local cfg = site.mesh.olsrd.v2
+
+	-- set global config
+	local olsr2Config = {
+		failfast = 'no',
+		pidfile = '/var/run/olsrd2.pid',
+		lockfile = '/var/lock/olsrd2'
+	}
+
+	local extraConf = cfg.config()
+	if extraConf then
+		for k, _ in pairs(extraConf) do
+			olsr2Config[k] = extraConf[k]
+		end
+	end
+
+	uci:delete_all('olsrd2', 'global')
+	uci:section('olsrd2', 'global', 'global', olsr2Config)
+
+	uci:delete_all('olsrd2', 'telnet')
+	uci:section('olsrd2', 'telnet', 'telnet', {
+
+	})
+
+	uci:delete_all('olsrd2', 'http')
+	uci:section('olsrd2', 'http', 'http', {
+
+	})
+
+	if cfg.lan() then
+		lan = cfg.lan()
+	end
+
+	table.insert(addrs, '-127.0.0.1/8')
+	table.insert(addrs, '-::1/128')
+	local addr = uci:get('network', 'loopback', 'ip6addr')
+	table.insert(orig, addr)
+
+	table.insert(addrs, 'default_accept')
+	table.insert(orig, 'default_reject')
+
+	local client_ranges_v6 = {}
+	local l3roamd_ranges = {}
+
+	table.insert(client_ranges_v6, site.prefix6())
+	table.insert(client_ranges_v6, 'default_reject')
+
+	table.insert(l3roamd_ranges, l3.node_client_prefix6())
+	table.insert(l3roamd_ranges, 'default_reject')
+
+	uci:delete_all('olsrd2', 'olsrv2')
+	uci:section('olsrd2', 'olsrv2', nil, {
+		originator = orig,
+		lan = lan,
+	})
+
+	if #intf.wired_mesh then
+		uci:section('olsrd2', 'interface', 'wired_mesh', {
+			ifname = intf.wired_mesh,
+			bindto = addrs,
+		})
+	end
+
+	if #intf.vpn_mesh then
+		uci:section('olsrd2', 'interface', 'vpn_mesh', {
+			ifname = intf.vpn_mesh,
+			bindto = addrs,
+		})
+	end
+
+	if #intf.radio_mesh then
+		uci:section('olsrd2', 'interface', 'radio_mesh', {
+			ifname = intf.radio_mesh,
+			bindto = addrs,
+		})
+	end
+
+	local loopback_addrs = {
+		uci:get('network', 'loopback', 'ip6addr'),
+		'default_reject',
+	}
+
+	uci:section('olsrd2', 'interface', 'loopback', {
+		ifname = { 'loopback' },
+		routeable = loopback_addrs,
+		bindto = loopback_addrs,
+	})
+
+	uci:section('olsrd2', 'lan_import', 'l3roamd_clients_v6', {
+		name = 'l3roamd_clients_v6',
+		matches = client_ranges_v6,
+		prefix_length = 128,
+		protocol = 158, -- l3roamd
+	})
+
+	-- This does not work as olsrv2 rejects any addresses from loopback
+	-- as that is already a mesh interface
+	-- l3roamd works fine without, as wifi disassociation events still notify
+	-- the daemon and remove the routes
+	--uci:section('olsrd2', 'lan_import', 'l3roamd_prefix', {
+	--	name = 'l3roamd_ranges',
+	--	matches = l3roamd_ranges,
+	--})
+
+	uci:section('firewall', 'rule', 'allow_olsr2_mesh', {
+		src = 'mesh',
+		dest_port = '269',
+		proto = 'udp',
+		target = 'ACCEPT',
+	})
+else
+	-- site.mesh.olsrd.v2.enable false
+	os.execute('/etc/init.d/olsrd2 disable')
+	uci:delete('firewall', 'allow_olsr2_mesh')
+end
+uci:save('olsrd2')
+uci:save('firewall')
+uci:save('network')

package/gluon-mesh-olsrd/luasrc/lib/gluon/upgrade/370-gluon-mesh-olsrd-setup-fw

+#!/usr/bin/lua
+
+local uci = require('simple-uci').cursor()
+local util = require 'gluon.util'
+
+local networks = uci:get_list('firewall', 'drop', 'network')
+util.remove_from_set(networks, 'client')
+uci:set_list('firewall', 'drop', 'network', networks)
+
+uci:save('firewall')

package/gluon-mesh-vpn-core/Makefile

 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-mesh-vpn-core
-PKG_VERSION:=1
 
 include ../gluon.mk
 
 define Package/gluon-mesh-vpn-core
   TITLE:=Basic support for connecting meshes via VPN tunnels
-  DEPENDS:=+gluon-core +gluon-wan-dnsmasq +iptables +iptables-mod-extra +simple-tc \
-	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NETFILTER_XT_MATCH_ADDRTYPE \
-	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NETFILTER_XT_MATCH_OWNER \
-	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NETFILTER_XT_MATCH_PKTTYPE \
-	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NETFILTER_XT_MATCH_QUOTA \
-	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NET_CLS_BASIC \
-	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NET_SCH_TBF \
-	+@GLUON_SPECIALIZE_KERNEL:KERNEL_NET_SCH_INGRESS
+  DEPENDS:=+gluon-core +gluon-wan-dnsmasq +iptables-zz-legacy +iptables-mod-extra
   USERID:=:gluon-mesh-vpn=800
 endef
 

package/gluon-mesh-vpn-core/check_site.lua

 need_boolean(in_site({'mesh_vpn', 'enabled'}), false)
-need_number({'mesh_vpn', 'mtu'})
 need_boolean(in_site({'mesh_vpn', 'pubkey_privacy'}), false)
 
 need_boolean(in_site({'mesh_vpn', 'bandwidth_limit', 'enabled'}), false)

package/gluon-mesh-vpn-core/luasrc/lib/gluon/mesh-vpn/update-config

 #!/usr/bin/lua
 
 local uci = require('simple-uci').cursor()
-local unistd = require 'posix.unistd'
-
-local vpn
-if unistd.access('/lib/gluon/mesh-vpn/fastd') then
-	vpn = 'fastd'
-elseif unistd.access('/lib/gluon/mesh-vpn/tunneldigger') then
-	vpn = 'tunneldigger'
-end
+local vpn_name, vpn = require('gluon.mesh-vpn').get_active_provider()
 
 local vpn_config = {
 	enabled = uci:get_bool('gluon', 'mesh_vpn', 'enabled'),
@@ -17,32 +10,15 @@ local vpn_config = {
 	limit_ingress = uci:get('gluon', 'mesh_vpn', 'limit_ingress'),
 }
 
-uci:delete('simple-tc', 'mesh_vpn')
-uci:section('simple-tc', 'interface', 'mesh_vpn', {
-	ifname = 'mesh-vpn',
-	enabled = vpn_config.limit_enabled,
-	limit_egress = vpn_config.limit_egress,
-})
-
-if vpn == 'fastd' then
-	uci:set('fastd', 'mesh_vpn', 'enabled', vpn_config.enabled)
-	uci:set('simple-tc', 'mesh_vpn', 'limit_ingress', vpn_config.limit_ingress)
-else
+if vpn_name ~= 'fastd' then
 	uci:set('fastd', 'mesh_vpn', 'enabled', false)
-end
 	uci:save('fastd')
+end
 
-if vpn == 'tunneldigger' then
-	uci:set('tunneldigger', 'mesh_vpn', 'enabled', vpn_config.enabled)
-
+vpn.enable(vpn_config.enabled)
 if vpn_config.limit_enabled then
-		uci:set('tunneldigger', 'mesh_vpn', 'limit_bw_down', vpn_config.limit_ingress)
-	else
-		uci:delete('tunneldigger', 'mesh_vpn', 'limit_bw_down')
-	end
+	vpn.set_limit(vpn_config.limit_ingress, vpn_config.limit_egress)
 else
-	uci:set('tunneldigger', 'mesh_vpn', 'enabled', false)
+	vpn.set_limit(nil, nil)
 end
-uci:save('tunneldigger')
 
-uci:save('simple-tc')

package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn

 #!/usr/bin/lua
 
 local site = require 'gluon.site'
-local users = require 'gluon.users'
 local util = require 'gluon.util'
 
 local uci = require('simple-uci').cursor()
-local unistd = require 'posix.unistd'
 
+local vpn_core = require 'gluon.mesh-vpn'
+local _, active_vpn = vpn_core.get_active_provider()
 
 uci:section('network', 'interface', 'mesh_vpn', {
-	ifname = 'mesh-vpn',
+	ifname = vpn_core.get_interface(),
 	proto = 'gluon_mesh',
-	transitive = true,
 	fixed_mtu = true,
-	macaddr = util.generate_mac(7),
-	mtu = site.mesh_vpn.mtu(),
+	hop_penalty = uci:get('gluon', 'mesh_vpn', 'batadv_hop_penalty'),
+	macaddr = util.generate_mac_by_name('mesh_vpn'),
+	mtu = active_vpn.mtu(),
 })
 
 uci:save('network')
 
 
--- The previously used user and group are removed, we now have a generic group
-users.remove_user('gluon-fastd')
-users.remove_group('gluon-fastd')
-
 uci:section('firewall', 'include', 'mesh_vpn_dns', {
 	type = 'restore',
 	path = '/lib/gluon/mesh-vpn/iptables.rules',
@@ -32,53 +28,13 @@ uci:section('firewall', 'include', 'mesh_vpn_dns', {
 
 uci:save('firewall')
 
-
--- VPN migration
+-- Inital VPN setup
 if not uci:get('gluon', 'mesh_vpn') then
-	local vpn
-	if unistd.access('/lib/gluon/mesh-vpn/fastd') then
-		vpn = 'fastd'
-	elseif unistd.access('/lib/gluon/mesh-vpn/tunneldigger') then
-		vpn = 'tunneldigger'
-	end
-
-	local fastd_enabled = uci:get('fastd', 'mesh_vpn', 'enabled')
-	local tunneldigger_enabled = uci:get('tunneldigger', 'mesh_vpn', 'enabled')
-
-	local enabled
-
-	-- If the installed VPN package has its enabled state set, keep the value
-	if vpn == 'fastd' and fastd_enabled then
-		enabled = fastd_enabled == '1'
-	elseif vpn == 'tunneldigger' and tunneldigger_enabled then
-		enabled = tunneldigger_enabled == '1'
-	-- Otherwise, migrate the other package's value if any is set
-	elseif fastd_enabled or tunneldigger_enabled then
-		enabled = fastd_enabled == '1' or tunneldigger_enabled == '1'
-	-- If nothing is set, use the default
-	else
-		enabled = site.mesh_vpn.enabled(false)
-	end
-
-
-	local limit_enabled = tonumber((uci:get('simple-tc', 'mesh_vpn', 'enabled')))
-	if limit_enabled == nil then
-		limit_enabled = site.mesh_vpn.bandwidth_limit.enabled(false)
-	end
-
-	local limit_ingress = tonumber((uci:get('tunneldigger', 'mesh_vpn', 'limit_bw_down')))
-	if limit_ingress == nil then
-		limit_ingress = tonumber((uci:get('simple-tc', 'mesh_vpn', 'limit_ingress')))
-	end
-	if limit_ingress == nil then
-		limit_ingress = site.mesh_vpn.bandwidth_limit.ingress()
-	end
-
-	local limit_egress = tonumber((uci:get('simple-tc', 'mesh_vpn', 'limit_egress')))
-	if limit_egress == nil then
-		limit_egress = site.mesh_vpn.bandwidth_limit.egress()
-	end
+	local enabled = site.mesh_vpn.enabled(false)
 
+	local limit_enabled = site.mesh_vpn.bandwidth_limit.enabled(false)
+	local limit_ingress = site.mesh_vpn.bandwidth_limit.ingress()
+	local limit_egress = site.mesh_vpn.bandwidth_limit.egress()
 
 	uci:section('gluon', 'mesh_vpn', 'mesh_vpn', {
 		enabled = enabled,

package/gluon-mesh-vpn-core/luasrc/usr/bin/gluon-wan → package/gluon-mesh-vpn-core/luasrc/usr/bin/gluon-wan-dns

@@ -6,19 +6,19 @@ local grp = require 'posix.grp'
 local unistd = require 'posix.unistd'
 
 if #arg < 1 then
-	io.stderr:write('Usage: gluon-wan <command> ...\n')
+	io.stderr:write('Usage: gluon-wan-dns <command> ...\n')
 	os.exit(1)
 end
 
 local g = grp.getgrnam(GROUP)
 if not g then
-	io.stderr:write(string.format("gluon-wan: unable to find group '%s'\n", GROUP))
+	io.stderr:write(string.format("gluon-wan-dns: unable to find group '%s'\n", GROUP))
 	os.exit(1)
 end
 
 local ok, err = unistd.setpid('g', g.gr_gid)
 if ok ~= 0 then
-	io.stderr:write(string.format("gluon-wan: unable to change to group: %s\n", err))
+	io.stderr:write(string.format("gluon-wan-dns: unable to change to group: %s\n", err))
 	os.exit(1)
 end
 local args = {[0] = arg[1], unpack(arg)}
@@ -27,5 +27,5 @@ table.remove(args, 1)
 local _
 _, err = unistd.execp(args[0], args)
 
-io.stderr:write(string.format("gluon-wan: exec failed: %s\n", err))
+io.stderr:write(string.format("gluon-wan-dns: exec failed: %s\n", err))
 os.exit(1)

package/gluon-mesh-vpn-core/luasrc/usr/lib/lua/gluon/mesh-vpn.lua

+local uci = require('simple-uci').cursor()
+
+local util = require 'gluon.util'
+
 local M = {}
 
-function M.get_mesh_vpn_interface()
+function M.enabled()
+	return uci:get_bool('gluon', 'mesh_vpn', 'enabled')
+end
+
+function M.enable(val)
+	return uci:set('gluon', 'mesh_vpn', 'enabled', val)
+end
+
+function M.get_interface()
 	return 'mesh-vpn'
 end
 
+function M.get_provider(name)
+	return require('gluon.mesh-vpn.provider.' .. name)
+end
+
+function M.get_provider_names()
+	local out = {}
+
+	for _, v in ipairs(util.glob('/lib/gluon/mesh-vpn/provider/*')) do
+		table.insert(out, v:match('([^/]+)$'))
+	end
+
+	return out
+end
+
+function M.get_active_provider()
+	-- Active provider is the provider in use
+	-- by the currently active site / domain
+
+	for _, name in ipairs(M.get_provider_names()) do
+		local provider = M.get_provider(name)
+		if provider.active() then
+			return name, provider
+		end
+	end
+
+	return nil, nil
+end
+
 return M

package/gluon-mesh-vpn-core/src/Makefile

+all: respondd.so
+
+CFLAGS += -Wall -Werror-implicit-function-declaration
+
+respondd.so: respondd.c
+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -shared -fPIC -D_GNU_SOURCE -o $@ $^ $(LDLIBS) -lgluonutil -luci

package/gluon-mesh-vpn-core/src/respondd.c

+/* SPDX-FileCopyrightText: 2021, Aiyion <gluon@aiyionpri.me> */
+/* SPDX-FileCopyrightText: 2016, Matthias Schiffer <mschiffer@universe-factory.net> */
+/* SPDX-License-Identifier: BSD-2-Clause */
+
+#include <respondd.h>
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <json-c/json.h>
+#include <libgluonutil.h>
+#include <uci.h>
+
+
+static struct json_object * get_bandwidth_limit(void) {
+	bool enabled = false;
+	int egress = -1;
+	int ingress = -1;
+
+	struct json_object *ret = json_object_new_object();
+
+	struct uci_context *ctx = uci_alloc_context();
+	if (!ctx)
+		goto disabled;
+	ctx->flags &= ~UCI_FLAG_STRICT;
+
+	struct uci_package *p;
+	if (uci_load(ctx, "gluon", &p))
+		goto disabled;
+
+	struct uci_section *s = uci_lookup_section(ctx, p, "mesh_vpn");
+	if (!s)
+		goto disabled;
+
+	const char *enabled_str = uci_lookup_option_string(ctx, s, "limit_enabled");
+	if (enabled_str && strcmp(enabled_str, "1"))
+		goto disabled;
+
+	enabled = true;
+
+	const char *egress_str = uci_lookup_option_string(ctx, s, "limit_egress");
+	if (egress_str && strcmp(egress_str, "-"))
+		egress = atoi(egress_str);
+
+	const char *ingress_str = uci_lookup_option_string(ctx, s, "limit_ingress");
+	if (ingress_str && strcmp(ingress_str, "-"))
+		ingress = atoi(ingress_str);
+
+	if (egress >= 0)
+		json_object_object_add(ret, "egress", json_object_new_int(egress));
+	if (ingress >= 0)
+		json_object_object_add(ret, "ingress", json_object_new_int(ingress));
+
+disabled:
+	if (ctx)
+		uci_free_context(ctx);
+
+	json_object_object_add(ret, "enabled", json_object_new_boolean(enabled));
+	return ret;
+}
+
+char * read_stdout(const char *command) {
+	FILE *f = popen(command, "r");
+	if (!f)
+		return NULL;
+
+	char *line = NULL;
+	size_t len = 0;
+
+	ssize_t r = getline(&line, &len, f);
+
+	pclose(f);
+
+	if (r < 0) {
+		free(line);
+		return NULL;
+	}
+
+	/* The len given by getline is the buffer size, not the string length */
+	len = strlen(line);
+
+	if (len && line[len-1] == '\n')
+		line[len-1] = 0;
+
+	return line;
+}
+
+static struct json_object * get_mesh_vpn_enabled() {
+	int enabled = -1;
+	char *line = read_stdout("exec lua -e 'print(require(\"gluon.mesh-vpn\").enabled())'");
+
+	if (!line)
+		return NULL;
+
+	if (!strcmp(line, "true"))
+		enabled = 1;
+	if (!strcmp(line, "false"))
+		enabled = 0;
+	free(line);
+
+	if (enabled < 0)
+		return NULL;
+
+	struct json_object *ret = json_object_new_boolean((json_bool)enabled);
+	return ret;
+}
+
+static struct json_object * get_active_vpn_provider() {
+	char *line = read_stdout("exec lua -e 'name, _ = require(\"gluon.mesh-vpn\").get_active_provider(); print(name)'");
+
+	if (line && !strcmp(line, "nil")) {
+		free(line);
+		return NULL;
+	}
+
+	return gluonutil_wrap_and_free_string(line);
+}
+
+static struct json_object * respondd_provider_nodeinfo(void) {
+	struct json_object *ret = json_object_new_object();
+	struct json_object *network = json_object_new_object();
+	struct json_object *mesh_vpn = json_object_new_object();
+
+	json_object_object_add(mesh_vpn, "bandwidth_limit", get_bandwidth_limit());
+	json_object_object_add(mesh_vpn, "provider", get_active_vpn_provider());
+	json_object_object_add(mesh_vpn, "enabled", get_mesh_vpn_enabled());
+	json_object_object_add(network, "mesh_vpn", mesh_vpn);
+	json_object_object_add(ret, "network", network);
+
+	return ret;
+}
+
+const struct respondd_provider_info respondd_providers[] = {
+	{"nodeinfo", respondd_provider_nodeinfo},
+	{},
+	{}
+};

package/gluon-mesh-vpn-fastd-l2tp/Makefile

+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-mesh-vpn-fastd-l2tp
+PKG_VERSION:=1
+
+include ../gluon.mk
+
+define Package/gluon-mesh-vpn-fastd-l2tp
+  TITLE:=Support for connecting meshes via fastd (with L2TP kernel offloading)
+  DEPENDS:=+gluon-core +gluon-mesh-vpn-fastd +kmod-l2tp-eth
+endef
+
+$(eval $(call BuildPackageGluon,gluon-mesh-vpn-fastd-l2tp))

package/gluon-mesh-vpn-fastd/Makefile

 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gluon-mesh-vpn-fastd
-PKG_VERSION:=3
 
 include ../gluon.mk
 
 define Package/gluon-mesh-vpn-fastd
   TITLE:=Support for connecting meshes via fastd
-  DEPENDS:=+gluon-core +libgluonutil +gluon-mesh-vpn-core +fastd +@GLUON_SPECIALIZE_KERNEL:KERNEL_TUN
+  DEPENDS:=+gluon-core +libgluonutil +gluon-mesh-vpn-core +fastd +simple-tc
 endef
 
 $(eval $(call BuildPackageGluon,gluon-mesh-vpn-fastd))

package/gluon-mesh-vpn-fastd/check_site.lua

-local fastd_methods = {'salsa2012+gmac', 'salsa2012+umac', 'null+salsa2012+gmac', 'null+salsa2012+umac', 'null'}
+local fastd_methods = {'salsa2012+umac', 'null+salsa2012+umac', 'null@l2tp', 'null'}
 need_array_of({'mesh_vpn', 'fastd', 'methods'}, fastd_methods)
 need_boolean(in_site({'mesh_vpn', 'fastd', 'configurable'}), false)
+need_number({'mesh_vpn', 'fastd', 'mtu'})
 
 need_one_of(in_site({'mesh_vpn', 'fastd', 'syslog_level'}),
 	{'error', 'warn', 'info', 'verbose', 'debug', 'debug2'}, false)

package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd

@@ -2,29 +2,39 @@
 
 local site = require 'gluon.site'
 local util = require 'gluon.util'
+local vpn_core = require 'gluon.mesh-vpn'
+local _, active_vpn = vpn_core.get_active_provider()
 
 local uci = require('simple-uci').cursor()
+local unistd = require 'posix.unistd'
 
 
 local syslog_level = uci:get('fastd', 'mesh_vpn', 'syslog_level') or 'verbose'
 
+local secret = uci:get('fastd', 'mesh_vpn', 'secret')
+if not secret or not secret:match(('%x'):rep(64)) then
+	secret = 'generate'
+end
+
 local methods
 
 if site.mesh_vpn.fastd.configurable(false) then
-	local has_null = util.contains(site.mesh_vpn.fastd.methods(), 'null')
+	local site_methods = site.mesh_vpn.fastd.methods()
+	local has_null = util.contains(site_methods, 'null@l2tp') or util.contains(site_methods, 'null')
 
 	local old_methods = uci:get('fastd', 'mesh_vpn', 'method')
 	if old_methods then
-		has_null = util.contains(old_methods, 'null')
+		has_null = util.contains(old_methods, 'null@l2tp') or util.contains(old_methods, 'null')
 	end
 
 	methods = {}
 	if has_null then
+		table.insert(methods, 'null@l2tp')
 		table.insert(methods, 'null')
 	end
 
-	for _, method in ipairs(site.mesh_vpn.fastd.methods()) do
-		if method ~= 'null' then
+	for _, method in ipairs(site_methods) do
+		if method ~= 'null@l2tp' and method ~= 'null' then
 			table.insert(methods, method)
 		end
 	end
@@ -37,36 +47,74 @@ end
 uci:section('fastd', 'fastd', 'mesh_vpn', {
 	group = 'gluon-mesh-vpn',
 	syslog_level = syslog_level,
-	interface = 'mesh-vpn',
+	secret = secret,
+	interface = vpn_core.get_interface(),
 	mode = 'tap',
-	mtu = site.mesh_vpn.mtu(),
+	mtu = active_vpn.mtu(),
 	secure_handshakes = true,
 	method = methods,
 	packet_mark = 1,
+	persist_interface = true,
+	offload_l2tp = false,
 	status_socket = '/var/run/fastd.mesh_vpn.socket',
 })
-uci:delete('fastd', 'mesh_vpn', 'user')
+uci:delete('fastd', 'mesh_vpn', 'peer_limit')
+
+-- L2TP offload support
+if unistd.access('/lib/gluon/mesh-vpn/fastd/l2tp') then
+	uci:set('fastd', 'mesh_vpn', 'mode', 'multitap')
+	uci:set('fastd', 'mesh_vpn', 'persist_interface', false)
+	uci:set('fastd', 'mesh_vpn', 'offload_l2tp', true)
+	uci:set('fastd', 'mesh_vpn', 'peer_limit', 1)
+end
+
+-- Collect list of groups that have peers with 'preserve' flag
+local preserve_groups = {}
+
+local function preserve_group(name)
+	if not name or preserve_groups[name] then
+		return
+	end
+	preserve_groups[name] = true
+
+	local parent = uci:get('fastd', name, 'group')
+	preserve_group(parent)
+end
+
+uci:foreach('fastd', 'peer', function(peer)
+	if peer.net == 'mesh_vpn' and peer.preserve == '1' then
+		preserve_group(peer.group)
+	end
+end)
+
+
+-- Clean up previous configuration
+uci:delete_all('fastd', 'peer', function(peer)
+	return (peer.net == 'mesh_vpn' and peer.preserve ~= '1')
+end)
+uci:delete_all('fastd', 'peer_group', function(group)
+	return (group.net == 'mesh_vpn' and not preserve_groups[group['.name']])
+end)
 
 
 local add_groups
 
 local function add_peer(group, name, config)
-	uci:section('fastd', 'peer', group .. '_peer_' .. name, {
+	local uci_name = group .. '_peer_' .. name
+	if uci:get_bool('fastd', uci_name, 'preserve') then
+		return
+	end
+	uci:section('fastd', 'peer', uci_name, {
 		enabled = true,
 		net = 'mesh_vpn',
 		group = group,
+		interface = 'mesh-vpn',
 		key = config.key,
 		remote = config.remotes,
 	})
 end
 
 local function add_group(name, config, parent)
-	uci:delete('fastd', name)
-	uci:delete_all('fastd', 'peer',	function(peer)
-		return (peer.net == 'mesh_vpn' and peer.group == name)
-	end)
-
-
 	uci:section('fastd', 'peer_group', name, {
 		enabled = true,
 		net = 'mesh_vpn',
@@ -74,25 +122,27 @@ local function add_group(name, config, parent)
 		peer_limit = config.limit,
 	})
 
-	if config.peers then
-		for peername, peerconfig in pairs(config.peers) do
+	for peername, peerconfig in pairs(config.peers or {}) do
 		add_peer(name, peername, peerconfig)
 	end
-	end
 
 	add_groups(name, config.groups, name)
 end
 
 -- declared local above
 function add_groups(prefix, groups, parent)
-	if groups then
-		for name, group in pairs(groups) do
+	for name, group in pairs(groups or {}) do
 		add_group(prefix .. '_' .. name, group, parent)
 	end
 end
-end
 
 add_groups('mesh_vpn', site.mesh_vpn.fastd.groups())
 
+-- Update preserved peers as well
+uci:foreach('fastd', 'peer', function(peer)
+	if peer.net == 'mesh_vpn' then
+		uci:set('fastd', peer['.name'], 'interface', 'mesh-vpn')
+	end
+end)
 
 uci:save('fastd')