package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/400-mesh-vpn-fastd

@@ -2,29 +2,39 @@
 
 local site = require 'gluon.site'
 local util = require 'gluon.util'
+local vpn_core = require 'gluon.mesh-vpn'
+local _, active_vpn = vpn_core.get_active_provider()
 
 local uci = require('simple-uci').cursor()
+local unistd = require 'posix.unistd'
 
 
 local syslog_level = uci:get('fastd', 'mesh_vpn', 'syslog_level') or 'verbose'
 
+local secret = uci:get('fastd', 'mesh_vpn', 'secret')
+if not secret or not secret:match(('%x'):rep(64)) then
+	secret = 'generate'
+end
+
 local methods
 
 if site.mesh_vpn.fastd.configurable(false) then
-	local has_null = util.contains(site.mesh_vpn.fastd.methods(), 'null')
+	local site_methods = site.mesh_vpn.fastd.methods()
+	local has_null = util.contains(site_methods, 'null@l2tp') or util.contains(site_methods, 'null')
 
 	local old_methods = uci:get('fastd', 'mesh_vpn', 'method')
 	if old_methods then
-		has_null = util.contains(old_methods, 'null')
+		has_null = util.contains(old_methods, 'null@l2tp') or util.contains(old_methods, 'null')
 	end
 
 	methods = {}
 	if has_null then
+		table.insert(methods, 'null@l2tp')
 		table.insert(methods, 'null')
 	end
 
-	for _, method in ipairs(site.mesh_vpn.fastd.methods()) do
-		if method ~= 'null' then
+	for _, method in ipairs(site_methods) do
+		if method ~= 'null@l2tp' and method ~= 'null' then
 			table.insert(methods, method)
 		end
 	end
@@ -37,36 +47,74 @@ end
 uci:section('fastd', 'fastd', 'mesh_vpn', {
 	group = 'gluon-mesh-vpn',
 	syslog_level = syslog_level,
-	interface = 'mesh-vpn',
+	secret = secret,
+	interface = vpn_core.get_interface(),
 	mode = 'tap',
-	mtu = site.mesh_vpn.mtu(),
+	mtu = active_vpn.mtu(),
 	secure_handshakes = true,
 	method = methods,
 	packet_mark = 1,
+	persist_interface = true,
+	offload_l2tp = false,
 	status_socket = '/var/run/fastd.mesh_vpn.socket',
 })
-uci:delete('fastd', 'mesh_vpn', 'user')
+uci:delete('fastd', 'mesh_vpn', 'peer_limit')
+
+-- L2TP offload support
+if unistd.access('/lib/gluon/mesh-vpn/fastd/l2tp') then
+	uci:set('fastd', 'mesh_vpn', 'mode', 'multitap')
+	uci:set('fastd', 'mesh_vpn', 'persist_interface', false)
+	uci:set('fastd', 'mesh_vpn', 'offload_l2tp', true)
+	uci:set('fastd', 'mesh_vpn', 'peer_limit', 1)
+end
+
+-- Collect list of groups that have peers with 'preserve' flag
+local preserve_groups = {}
+
+local function preserve_group(name)
+	if not name or preserve_groups[name] then
+		return
+	end
+	preserve_groups[name] = true
+
+	local parent = uci:get('fastd', name, 'group')
+	preserve_group(parent)
+end
+
+uci:foreach('fastd', 'peer', function(peer)
+	if peer.net == 'mesh_vpn' and peer.preserve == '1' then
+		preserve_group(peer.group)
+	end
+end)
+
+
+-- Clean up previous configuration
+uci:delete_all('fastd', 'peer', function(peer)
+	return (peer.net == 'mesh_vpn' and peer.preserve ~= '1')
+end)
+uci:delete_all('fastd', 'peer_group', function(group)
+	return (group.net == 'mesh_vpn' and not preserve_groups[group['.name']])
+end)
 
 
 local add_groups
 
 local function add_peer(group, name, config)
-	uci:section('fastd', 'peer', group .. '_peer_' .. name, {
+	local uci_name = group .. '_peer_' .. name
+	if uci:get_bool('fastd', uci_name, 'preserve') then
+		return
+	end
+	uci:section('fastd', 'peer', uci_name, {
 		enabled = true,
 		net = 'mesh_vpn',
 		group = group,
+		interface = 'mesh-vpn',
 		key = config.key,
 		remote = config.remotes,
 	})
 end
 
 local function add_group(name, config, parent)
-	uci:delete('fastd', name)
-	uci:delete_all('fastd', 'peer',	function(peer)
-		return (peer.net == 'mesh_vpn' and peer.group == name)
-	end)
-
-
 	uci:section('fastd', 'peer_group', name, {
 		enabled = true,
 		net = 'mesh_vpn',
@@ -74,25 +122,27 @@ local function add_group(name, config, parent)
 		peer_limit = config.limit,
 	})
 
-	if config.peers then
-		for peername, peerconfig in pairs(config.peers) do
+	for peername, peerconfig in pairs(config.peers or {}) do
 		add_peer(name, peername, peerconfig)
 	end
-	end
 
 	add_groups(name, config.groups, name)
 end
 
 -- declared local above
 function add_groups(prefix, groups, parent)
-	if groups then
-		for name, group in pairs(groups) do
+	for name, group in pairs(groups or {}) do
 		add_group(prefix .. '_' .. name, group, parent)
 	end
 end
-end
 
 add_groups('mesh_vpn', site.mesh_vpn.fastd.groups())
 
+-- Update preserved peers as well
+uci:foreach('fastd', 'peer', function(peer)
+	if peer.net == 'mesh_vpn' then
+		uci:set('fastd', peer['.name'], 'interface', 'mesh-vpn')
+	end
+end)
 
 uci:save('fastd')

package/gluon-mesh-vpn-fastd/luasrc/lib/gluon/upgrade/410-mesh-vpn-fastd-generate-secret

-#!/usr/bin/lua
-
-local uci = require 'simple-uci'
-
-local c = uci.cursor()
-
-local secret = c:get("fastd", "mesh_vpn", "secret")
-
-if not secret or not secret:match(("%x"):rep(64)) then
-  c:set("fastd", "mesh_vpn", "secret", "generate")
-  c:save("fastd")
-end

package/gluon-mesh-vpn-fastd/luasrc/usr/lib/lua/gluon/mesh-vpn/provider/fastd.lua

+local uci = require('simple-uci').cursor()
+
+local site = require 'gluon.site'
+local util = require 'gluon.util'
+local vpn_core = require 'gluon.mesh-vpn'
+
+local unistd = require 'posix.unistd'
+
+local M = {}
+
+function M.public_key()
+	local key = util.trim(util.exec('/etc/init.d/fastd show_key mesh_vpn'))
+
+	if key == '' then
+		key = nil
+	end
+
+	return key
+end
+
+function M.enable(val)
+	uci:set('fastd', 'mesh_vpn', 'enabled', val)
+	uci:save('fastd')
+end
+
+function M.active()
+	return site.mesh_vpn.fastd() ~= nil
+end
+
+local function set_limit_simple_tc(ingress_limit, egress_limit)
+	uci:section('simple-tc', 'interface', 'mesh_vpn', {
+		ifname = vpn_core.get_interface(),
+		enabled = true,
+		limit_egress = egress_limit,
+		limit_ingress = ingress_limit,
+	})
+end
+
+local function set_limit_sqm(ingress_limit, egress_limit)
+	uci:section('sqm', 'queue', 'mesh_vpn', {
+		interface = vpn_core.get_interface(),
+		enabled = true,
+		upload = egress_limit,
+		download = ingress_limit,
+		qdisc = 'cake',
+		script = 'piece_of_cake.qos',
+		debug_logging = '0',
+		verbosity = '5',
+	})
+end
+
+local function sqm_available()
+	return unistd.access('/lib/gluon/mesh-vpn/sqm')
+end
+
+function M.set_limit(ingress_limit, egress_limit)
+	uci:delete('simple-tc', 'mesh_vpn')
+	uci:delete('sqm', 'mesh_vpn')
+
+	if ingress_limit ~= nil and egress_limit ~= nil then
+		if sqm_available() and util.get_mem_total() > 200*1024 then
+			set_limit_sqm(ingress_limit, egress_limit)
+		else
+			set_limit_simple_tc(ingress_limit, egress_limit)
+		end
+	end
+
+	uci:save('simple-tc')
+	uci:save('sqm')
+end
+
+function M.mtu()
+	return site.mesh_vpn.fastd.mtu()
+end
+
+return M

package/gluon-mesh-vpn-fastd/src/respondd.c

-/*
-  Copyright (c) 2016, Matthias Schiffer <mschiffer@universe-factory.net>
-  All rights reserved.
-
-  Redistribution and use in source and binary forms, with or without
-  modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-    2. Redistributions in binary form must reproduce the above copyright notice,
-       this list of conditions and the following disclaimer in the documentation
-       and/or other materials provided with the distribution.
-
-  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-  FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-  CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-  OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
+/* SPDX-License-Identifier: BSD-2-Clause */
+/* SPDX-FileCopyrightText: 2016, Matthias Schiffer <mschiffer@universe-factory.net> */
 
 
 #include <respondd.h>
@@ -65,7 +43,7 @@ static struct json_object * get_fastd_version(void) {
 	}
 
 	const char *version = line;
-	if (strncmp(version, "fastd ", 6) == 0)
+	if (version && strncmp(version, "fastd ", 6) == 0)
 		version += 6;
 
 	struct json_object *ret = gluonutil_wrap_string(version);
@@ -239,7 +217,7 @@ static bool get_peer_connection(struct json_object **ret, struct json_object *co
 	if (!key)
 		return false;
 
-	struct json_object *peer, *connection, *established;
+	struct json_object *peer, *connection, *established, *method;
 	if (!json_object_object_get_ex(peers, key, &peer) ||
 			!json_object_object_get_ex(peer, "connection", &connection))
 		return false;
@@ -251,6 +229,10 @@ static bool get_peer_connection(struct json_object **ret, struct json_object *co
 		struct json_object *jso = json_object_new_double(established_time/1000.0);
 		json_object_set_serializer(jso, json_object_double_to_json_string, "%.3f", NULL);
 		json_object_object_add(*ret, "established", jso);
+
+		if (json_object_object_get_ex(connection, "method", &method)) {
+			json_object_object_add(*ret, "method", json_object_get(method));
+		}
 	}
 	else {
 		*ret = NULL;

package/gluon-mesh-vpn-sqm/Makefile

+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-mesh-vpn-sqm
+
+include ../gluon.mk
+
+define Package/gluon-mesh-vpn-sqm
+  TITLE:=Adds support for SQM with CAKE on VPN links
+  DEPENDS:= +gluon-mesh-vpn-core +sqm-scripts
+endef
+
+define Package/gluon-mesh-vpn-sqm/install
+	$(Gluon/Build/Install)
+	$(INSTALL_DIR) $(1)/lib/gluon/mesh-vpn
+	touch $(1)/lib/gluon/mesh-vpn/sqm
+endef
+
+$(eval $(call BuildPackageGluon,gluon-mesh-vpn-sqm))

package/gluon-mesh-vpn-tunneldigger/Makefile

-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-mesh-vpn-tunneldigger
-PKG_VERSION:=3
-
-include ../gluon.mk
-
-define Package/gluon-mesh-vpn-tunneldigger
-  TITLE:=Support for connecting meshes via tunneldigger/L2TPv3 pseudowire
-  DEPENDS:=+gluon-core +gluon-mesh-vpn-core +tunneldigger +@GLUON_SPECIALIZE_KERNEL:KERNEL_L2TP
-endef
-
-$(eval $(call BuildPackageGluon,gluon-mesh-vpn-tunneldigger))

package/gluon-mesh-vpn-tunneldigger/check_site.lua

-need_string_array(in_domain({'mesh_vpn', 'tunneldigger', 'brokers'}))

package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/200-mesh-vpn-tunneldigger-stop

-#!/bin/sh
-/etc/init.d/tunneldigger stop

package/gluon-mesh-vpn-tunneldigger/files/lib/gluon/reload.d/800-mesh-vpn-tunneldigger-start

-#!/bin/sh
-/etc/init.d/tunneldigger start

package/gluon-mesh-vpn-tunneldigger/files/usr/lib/micron.d/tunneldigger-watchdog

-*/5 * * * * /usr/bin/tunneldigger-watchdog

package/gluon-mesh-vpn-tunneldigger/luasrc/lib/gluon/upgrade/400-mesh-vpn-tunneldigger

-#!/usr/bin/lua
-
-local site = require 'gluon.site'
-local util = require 'gluon.util'
-
-local uci = require('simple-uci').cursor()
-
-
-local enabled
-
--- Delete old broker config section (remove in 2019)
-if not uci:get('tunneldigger', 'mesh_vpn') then
-	if uci:get_first('tunneldigger', 'broker', 'interface') == 'mesh-vpn' then
-		enabled = uci:get_first('tunneldigger', 'broker', 'enabled')
-	end
-
-	-- In the usual case (no migration from old tunneldigger package), the
-	-- enabled state is set in the 500-mesh-vpn script
-
-	uci:delete_all('tunneldigger', 'broker')
-end
-
-uci:section('tunneldigger', 'broker', 'mesh_vpn', {
-	enabled = enabled,
-	uuid = util.node_id(),
-	interface = 'mesh-vpn',
-	bind_interface = 'br-wan',
-	group = 'gluon-mesh-vpn',
-	broker_selection = 'usage',
-	address = site.mesh_vpn.tunneldigger.brokers(),
-})
-
-uci:save('tunneldigger')

package/gluon-mesh-vpn-tunneldigger/luasrc/usr/bin/tunneldigger-watchdog

-#!/usr/bin/lua
-
-local uci = require('simple-uci').cursor()
-
-local function restart_tunneldigger()
-	os.execute('logger -t tunneldigger-watchdog "Restarting Tunneldigger."')
-	os.execute('/etc/init.d/tunneldigger restart')
-end
-
-local function read_pid_file()
-	local pid_file = io.open('/var/run/tunneldigger.mesh-vpn.pid', 'r')
-	if not pid_file then
-		return nil
-	end
-	local pid = pid_file:read('*l')
-	pid_file:close()
-	return pid
-end
-
-local function has_mesh_vpn_neighbours()
-	local handle = io.popen('batctl o', 'r')
-	if not handle then
-		return false
-	end
-	for line in handle:lines() do
-		if line:find('mesh%-vpn') then
-			handle:close()
-			return true
-		end
-	end
-	handle:close()
-	return false
-end
-
-if uci:get_bool('tunneldigger', 'mesh_vpn', 'enabled') then
-	if io.popen('pgrep tunneldigger'):read('*l') ~= read_pid_file() then
-		os.execute('logger -t tunneldigger-watchdog "Process-Pid does not match with pid-File."')
-		restart_tunneldigger()
-		return
-	end
-	if not has_mesh_vpn_neighbours() then
-		os.execute('logger -t tunneldigger-watchdog "No vpn-mesh neighbours found."')
-		restart_tunneldigger()
-		return
-	end
-end

package/gluon-mesh-vpn-wireguard/Makefile

+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-mesh-vpn-wireguard
+
+include ../gluon.mk
+
+define Package/gluon-mesh-vpn-wireguard
+  TITLE:=Support for connecting meshes via wireguard
+  DEPENDS:=+gluon-core +libgluonutil +gluon-mesh-vpn-core +wireguard-tools +wgpeerselector +libubox +libubus +simple-tc
+endef
+
+define Package/gluon-mesh-vpn-wireguard/install
+	$(Gluon/Build/Install)
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/gluon-hex-to-b64 $(1)/usr/sbin/
+endef
+
+$(eval $(call BuildPackageGluon,gluon-mesh-vpn-wireguard))

package/gluon-mesh-vpn-wireguard/check_site.lua

+local function check_peer(k)
+	need_alphanumeric_key(k)
+
+	need_string_match(in_domain(extend(k,
+		{'public_key'})), "^" .. ("[%a%d+/]"):rep(42) .. "[AEIMQUYcgkosw480]=$")
+	need_string(in_domain(extend(k, {'endpoint'})))
+end
+
+need_table({'mesh_vpn', 'wireguard', 'peers'}, check_peer)
+need_number({'mesh_vpn', 'wireguard', 'mtu'})

package/gluon-mesh-vpn-wireguard/files/lib/gluon/mesh-vpn/wireguard_pubkey.sh

+#!/bin/sh
+
+# shellcheck disable=SC1091,SC2034
+
+INCLUDE_ONLY=1
+. /lib/netifd/proto/wireguard.sh
+
+ensure_key_is_generated wg_mesh
+uci get "network.wg_mesh.private_key" | /usr/bin/wg pubkey

package/gluon-mesh-vpn-wireguard/files/lib/netifd/proto/gluon_wireguard.sh

+#!/bin/sh
+
+# shellcheck disable=SC1091
+
+. /lib/functions.sh
+. ../netifd-proto.sh
+init_proto "$@"
+
+proto_gluon_wireguard_init_config() {
+	:
+}
+
+interface_linklocal_from_wg_public_key() {
+	# We generate a predictable v6 address
+	local macaddr
+	macaddr="$(printf "%s" "$1"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/')"
+	local oldIFS="$IFS"; IFS=':';
+	# shellcheck disable=SC2086
+	set -- $macaddr; IFS="$oldIFS"
+	echo "fe80::$1$2:$3ff:fe$4:$5$6"
+}
+
+proto_gluon_wireguard_setup() {
+	local config="$1"
+	local ifname="$2"
+
+	local public_key
+	public_key="$(/lib/gluon/mesh-vpn/wireguard_pubkey.sh)"
+
+	# The wireguard proto itself can not be moved here, as the proto does not
+	# allow add_dynamic.
+
+	local wireguard_ip
+	wireguard_ip=$(interface_linklocal_from_wg_public_key "$public_key")
+
+	## Add IP
+
+	proto_add_host_dependency "$config" '' "$ifname"
+	proto_init_update "$ifname" 1
+	proto_add_data
+	json_add_string zone 'wired_mesh'
+	proto_close_data
+	proto_add_ipv6_address "$wireguard_ip" "128"
+	proto_send_update "$ifname"
+
+	## wgpeerselector
+
+	json_init
+	json_add_string name "${ifname}_peerselector"
+	json_add_string ifname "$ifname"
+	json_add_string proto 'wgpeerselector'
+	json_add_string unix_group 'gluon-mesh-vpn'
+	json_close_object
+	ubus call network add_dynamic "$(json_dump)"
+
+	## vxlan
+
+	json_init
+	json_add_string name "mesh-vpn"
+	json_add_string proto 'vxlan6'
+	json_add_string tunlink "$ifname"
+	# ip6addr (the lower interface ip6) is used by the vxlan.sh proto
+	json_add_string ip6addr "$wireguard_ip"
+	json_add_string peer6addr "fe80::1"
+	json_add_int vid "$(lua -e 'print(tonumber(require("gluon.util").domain_seed_bytes("gluon-mesh-vxlan", 3), 16))')"
+	json_add_boolean rxcsum '0'
+	json_add_boolean txcsum '0'
+	json_close_object
+	ubus call network add_dynamic "$(json_dump)"
+
+	proto_init_update "$ifname" 1
+	proto_send_update "$config"
+}
+
+proto_gluon_wireguard_teardown() {
+	local config="$1"
+
+	proto_init_update "*" 0
+	proto_send_update "$config"
+}
+
+add_protocol gluon_wireguard

package/gluon-mesh-vpn-wireguard/luasrc/lib/gluon/upgrade/400-mesh-vpn-wireguard

+#!/usr/bin/lua
+
+local uci = require('simple-uci').cursor()
+local unistd = require 'posix.unistd'
+local util = require('gluon.util')
+local site = require 'gluon.site'
+local sp = util.subprocess
+local wait = require 'posix.sys.wait'
+local vpn_core = require('gluon.mesh-vpn')
+local _, active_vpn = vpn_core.get_active_provider()
+
+local wg_private_key = uci:get("network_gluon-old", 'wg_mesh', "private_key")
+
+local function valid_fastd_key(fastd_key)
+	return fastd_key and fastd_key:match(('%x'):rep(64))
+end
+
+local function valid_wireguard_key(wireguard_key)
+	return wireguard_key and wireguard_key:match("^" .. ("[%a%d+/]"):rep(42) .. "[AEIMQUYcgkosw480]=$")
+end
+
+local function migrate_from_fastd_secret(fastd_secret)
+	local options = {
+		stdin = sp.PIPE,
+		stdout = sp.PIPE,
+	}
+	local pid, pipe = sp.popen('gluon-hex-to-b64', {}, options)
+
+	if not pid then
+		return
+	end
+
+	local inw = pipe.stdin
+	local out = pipe.stdout
+
+	unistd.write(inw, string.format('%s\n', fastd_secret))
+	unistd.close(inw)
+
+	local wpid, status, code = wait.wait(pid)
+	if wpid and status == 'exited' and code == 0 then
+		local result = unistd.read(out, 44)
+		unistd.close(out)
+		return result
+	end
+end
+
+if not valid_wireguard_key(wg_private_key) then
+	local fastd_secret = uci:get('fastd', 'mesh_vpn', 'secret')
+	if valid_fastd_key(fastd_secret) then
+		wg_private_key = migrate_from_fastd_secret(fastd_secret)
+	end
+end
+
+if not valid_wireguard_key(wg_private_key) then
+	wg_private_key = "generate"
+end
+
+
+uci:section('network', 'interface', 'wg_mesh', {
+	proto = 'wireguard',
+	fwmark = 1,
+	private_key = wg_private_key,
+	-- Add 70 bytes for IPv6 VXLAN overhead
+	mtu = active_vpn.mtu() + 70,
+})
+
+uci:section('network', 'interface', 'mesh_wg_mesh', {
+	ifname = 'wg_mesh',
+	proto = 'gluon_wireguard'
+})
+
+-- Clean up previous configuration
+uci:delete_all('wgpeerselector', 'peer', function(peer)
+	return peer.preserve ~= '1'
+end)
+
+for name, peer in pairs(site.mesh_vpn.wireguard.peers()) do
+	uci:section("wgpeerselector", "peer", name, {
+		enabled = true,
+		endpoint = peer.endpoint,
+		public_key = peer.public_key,
+		allowed_ips = { "fe80::1/128" },
+		ifname = 'wg_mesh',
+	})
+end
+
+uci:save("wgpeerselector")
+uci:save("network")

package/gluon-mesh-vpn-wireguard/luasrc/usr/lib/lua/gluon/mesh-vpn/provider/wireguard.lua

+local uci = require('simple-uci').cursor()
+
+local site = require 'gluon.site'
+local util = require 'gluon.util'
+local vpn_core = require 'gluon.mesh-vpn'
+
+local M = {}
+
+function M.public_key()
+	local key = util.trim(util.exec("/lib/gluon/mesh-vpn/wireguard_pubkey.sh"))
+
+	if key == '' then
+		key = nil
+	end
+
+	return key
+end
+
+function M.enable(val)
+	uci:set('network', 'wg_mesh', 'disabled', not val)
+	uci:save('network')
+end
+
+function M.active()
+	return site.mesh_vpn.wireguard() ~= nil
+end
+
+function M.set_limit(ingress_limit, egress_limit)
+	uci:delete('simple-tc', 'mesh_vpn')
+	if ingress_limit ~= nil and egress_limit ~= nil then
+		uci:section('simple-tc', 'interface', 'mesh_vpn', {
+			ifname = vpn_core.get_interface(),
+			enabled = true,
+			limit_egress = egress_limit,
+			limit_ingress = ingress_limit,
+		})
+	end
+
+	uci:save('simple-tc')
+end
+
+function M.mtu()
+	return site.mesh_vpn.wireguard.mtu()
+end
+
+return M