From c7cf070fb94fe7f8c94cac9014df438075bfc64e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20B=C3=B6hm?=
Date: Mon, 20 Dec 2021 19:35:06 +0100
Subject: [PATCH] WIP
---
.env | 32 ++++++++
.gitignore | 2 +
Vagrantfile | 152 +++++++++++++++++++++++++++++++++++
batman/Dockerfile | 34 ++++++--
batman/entry-point.sh | 54 +++++++++----
docker-compose.yml | 28 ++++---
playbook.yml | 179 ++++++++++++++++++++++++++++++++++++++++++
requirements.yml | 3 +
restart.sh | 5 ++
9 files changed, 454 insertions(+), 35 deletions(-)
create mode 100644 .env
create mode 100644 .gitignore
create mode 100644 Vagrantfile
create mode 100644 playbook.yml
create mode 100644 requirements.yml
create mode 100755 restart.sh
diff --git a/.env b/.env
new file mode 100644
index 0000000..b326759
--- /dev/null
+++ b/.env
@@ -0,0 +1,32 @@
+BATMAN_BRIDGE_IPV4=172.29.0.1/24
+BATMAN_BRIDGE_IPV6=fc00:1234:5678::1/24
+BATMAN_BRIDGE=br-batman0
+BATMAN_FORWARD_GATEWAY4=172.28.0.2
+BATMAN_FORWARD_GATEWAY6=fc00:172:28::2
+BATMAN_LIMIT_DOWNLOAD=1000
+BATMAN_LIMIT_UPLOAD=1000
+
+WIREGUARD_CONFIG=/wireguard.conf
+
+FASTD_ON_UP_MASTER_INTERFACE=
+FASTD_BATMAN_INTERFACE=bat0
+FASTD_SECRET_KEY=90f0637239cdf4c27dc80ee8a755ae4922769d045c86cc2086a96a3a281ed04a
+FASTD_LOG_LEVEL=debug
+FASTD_DONT_VERIFY_PEERS=1
+FASTD_INTERFACE=
+FASTD_PEER_LIMIT=10
+FASTD_MTU=1300
+
+DHCPD_V4_NET=172.29.0.0
+DHCPD_V4_RANGE=172.29.0.16 172.29.0.32
+DHCPD_V4_GATEWAY=172.29.0.1
+DHCPD_V6_NET=fc00:1234:5678::/64
+DHCPD_V6_RANGE=fc00:1234:5678::1000 fc00:1234:5678::1fff
+DHCPD_INTERFACE=br-batman0
+
+RADVD_INTERFACE=br-batman0
+RADVD_PREFIX=fc00:1234:5678::/64
+RADVD_SOURCE_LL_ADDRESS=on
+RADVD_ADV_MANAGEMENT_FLAG=on
+RADVD_OTHER_CONFIG_FLAG=on
+RADVD_MTU=1300
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..718bf30
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+# vagrant environment
+/.vagrant
diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 0000000..9b06479
--- /dev/null
+++ b/Vagrantfile
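Review bot: `FASTD_SECRET_KEY` in the new .env commits a fastd private key to the repository, and the .gitignore added in the same commit only excludes `/.vagrant`, so the key stays tracked; keep a `.env.example` with the variable blank, generate the real key per deployment (`fastd --generate-key`), add `.env` to .gitignore and treat the committed value as disclosed. `FASTD_DONT_VERIFY_PEERS=1` accepts any peer that connects, which is acceptable for a throwaway lab but deserves a comment so it is not carried into a real supernode. Separately, `BATMAN_BRIDGE_IPV6=fc00:1234:5678::1/24` disagrees with the `/64` used by `DHCPD_V6_NET` and `RADVD_PREFIX`; a `/24` on that IPv6 address looks like it was meant to be `/64`.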
@@ -0,0 +1,152 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+def configure_node(config, name, ip, vpn_server)
+ config.vm.define name do |node|
+ node.vm.guest = "linux"
+ node.vm.box = "freifunk-leipzig/openwrt"
+ node.vm.boot_timeout = 60
+ node.ssh.shell = "/bin/ash"
+ node.vm.network "private_network", ip: ip, auto_config: false
+
+ node.vm.provider "virtualbox" do |vb|
+ vb.memory = "256"
+ vb.linked_clone = true
+ vb.customize ["modifyvm", :id, "--nic3", "intnet", "--intnet3", "gluon-supernode-wan", "--nictype3", "virtio"]
+ end
+
+ node.vm.synced_folder './', '/vagrant', disabled: true
+
+ node.vm.provision "shell", inline: <<-SHELL
+opkg update
+opkg install fastd kmod-batman-adv batctl-full vim
+
+cat >/etc/config/fastd </etc/config/network << EOF
+config interface 'loopback'
+ option ifname 'lo'
+ option proto 'static'
+ option ipaddr '127.0.0.1'
+ option netmask '255.0.0.0'
+
+config globals 'globals'
+ option ula_prefix 'fdec:4589:e690::/48'
+
+config interface 'vagrant'
+ option ifname 'eth0'
+ option proto 'static'
+ option ipaddr '10.0.2.15'
+ option netmask '255.255.255.0'
+
+config interface 'private'
+ option ifname 'eth1'
+ option proto 'static'
+ option ipaddr '#{ip}'
+ option netmask '255.255.255.0'
+
+config interface 'bat0'
+ option auto '1'
+ option proto 'batadv'
+ option routing_algo 'BATMAN_IV'
+ option ap_isolation 0
+ option fragmentation 1
+ option gw_mode 'client'
+ option multicast_mode 1
+ option mtu '1426'
+ option fixed_mtu '1'
+
+config interface 'vpn'
+ option auto '1'
+ option ifname 'fastd-vpn'
+ option proto 'batadv_hardif'
+ option master 'bat0'
+
+config interface 'mesh'
+ option auto '1'
+ option ifname 'bat0'
+ option proto 'dhcp'
+
+config interface 'mesh6'
+ option auto '1'
+ option ifname 'bat0'
+ option proto 'dhcpv6'
+
+EOF
+
+/etc/init.d/fastd restart
+/etc/init.d/network restart
+#sleep 3
+#ip route del default dev eth0 || true
+SHELL
+ end
+end
+
+def configure_supernode(config, name, ip)
+ config.vm.define name do |node|
+ node.vm.hostname = name
+ node.vm.box = "generic/debian11"
+ node.vm.synced_folder ".", "/vagrant_data"
+ node.vm.network "forwarded_port", guest: 10000, host: 10000, protocol: "udp"
+ node.vm.network "private_network", ip: ip
+
+ node.vm.provider "virtualbox" do |vb|
+ vb.memory = "512"
+ vb.linked_clone = true
+ vb.customize ["modifyvm", :id, "--nic1", "nat", "--nictype1", "virtio"]
+ # the pseudo wan net without any ip configuration
+ vb.customize ["modifyvm", :id, "--nic2", "intnet", "--intnet2", "gluon-supernode-wan", "--nictype2", "virtio"]
+ end
+
+ node.vm.provision "shell", inline: <<-SHELL
+ # reactivate ipv6 which disable per default in the vagrant box
+ sed 's/^net.ipv6.conf.all.disable_ipv6 = 1//' -i /etc/sysctl.conf
+ sysctl -w net.ipv6.conf.all.disable_ipv6=0
+
+ export DEBIAN_FRONTEND=noninteractive
+ apt-get update
+ apt-get install -y docker.io docker-compose
+
+ adduser vagrant docker || true
+
+ # give docker daemon some time
+ sleep 3
+ SHELL
+
+ node.vm.provision "shell", privileged: false, inline: <<-SHELL
+ cd /vagrant_data
+ docker-compose up -d batman_network fastd_server dhcpd_v4 dhcpd_v6 radvd wireguard
+ SHELL
+
+ end
+end
+
+Vagrant.configure("2") do |config|
+ configure_supernode(config, "supernode", "192.168.56.1")
+ configure_node(config, "node", "192.168.56.2", "192.168.56.1")
+end
diff --git a/batman/Dockerfile b/batman/Dockerfile
index 9659f1b..0f526e8 100644
--- a/batman/Dockerfile
+++ b/batman/Dockerfile
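Review bot: The supernode provisioner waits for the Docker daemon with `sleep 3` before the unprivileged `docker-compose up -d ...` provisioner runs, which is a race on slower hosts; a bounded poll is more robust, e.g. `for i in $(seq 1 30); do docker info >/dev/null 2>&1 && break; sleep 1; done` in place of the sleep. `configure_node` takes a `vpn_server` argument that the legible part of the hunk never references (the fastd config heredoc is garbled in this view), so either it is consumed inside that heredoc or it should be dropped. The supernode's private-network address `192.168.56.1` is, with VirtualBox's default host-only adapter, the host's own address on that network — presumably intended, but worth confirming since the node is handed the same address as its VPN server. Both helpers would benefit from a short header comment naming the topology, e.g. `# Supernode (Debian 11, runs the docker-compose stack) and an OpenWrt node joined via the VirtualBox internal net "gluon-supernode-wan"`, since the `ip` / `vpn_server` parameters are otherwise undocumented.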
@@ -1,6 +1,26 @@
 FROM docker.io/library/debian:bullseye
 ARG DEBIAN_FRONTEND=noninteractive
+
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ batctl \
+ iproute2 \
+ nftables \
+ inetutils-ping \
+ inetutils-traceroute \
+ curl \
+ wireguard-tools \
+ radvd \
+ && rm -rf /var/lib/apt/lists /var/cache/apt/archives
+
+RUN mv /usr/bin/wg-quick /usr/bin/wg-quick.org && \
+ egrep -v 'sysctl -q net.ipv4.conf.all.src_valid_mark=1' /usr/bin/wg-quick.org >/usr/bin/wg-quick && \
+ chmod +x /usr/bin/wg-quick
+
+COPY entry-point.sh /entry-point.sh
+
 ENV BATMAN_INTERFACE=bat0
 ENV BATMAN_BRIDGE=br-batman0
 ENV BATMAN_BRIDGE_IPV4=
@@ -8,11 +28,11 @@ ENV BATMAN_BRIDGE_IPV6=
 ENV BATMAN_FORWARD_GATEWAY4=
 ENV BATMAN_FORWARD_GATEWAY6=
 ENV BATMAN_FORWARD_TABLE=5000
-
-RUN apt-get update && \
- apt-get install -y batctl iproute2 nftables inetutils-ping inetutils-traceroute curl && \
- rm -rf /var/lib/apt/lists /var/cache/apt/archives
-
-COPY entry-point.sh /entry-point.sh
-
+ENV RADVD_INTERFACE=
+ENV RADVD_ADV_MANAGEMENT_FLAG=off
+ENV RADVD_MTU=1500
+ENV RADVD_ADV_MANAGEMENT_FLAG=
+ENV RADVD_SOURCE_LL_ADDRESS=
+ENV RADVD_PREFIX=
+ENV WIREGUARD_INTERFACE=wg0
 ENTRYPOINT ["/bin/bash", "/entry-point.sh"]
diff --git a/batman/entry-point.sh b/batman/entry-point.sh
index 9fdcadd..ff0098e 100644
--- a/batman/entry-point.sh
+++ b/batman/entry-point.sh
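Review bot: The `RUN mv /usr/bin/wg-quick ... egrep -v 'sysctl -q net.ipv4.conf.all.src_valid_mark=1' ...` step patches a distro script by filtering out one line, and `egrep -v` succeeds even when that line is absent, so a wireguard-tools update that rewords the sysctl call would silently leave the original behaviour in place and only surface at container start; make the build fail fast instead, e.g. `grep -q 'net.ipv4.conf.all.src_valid_mark=1' /usr/bin/wg-quick.org && \` before the filter, or express the edit as `sed '/net.ipv4.conf.all.src_valid_mark=1/d'` so the intent is visible. A comment above the step should state the reason — presumably that `/proc/sys` is read-only inside the container, to be confirmed — e.g. `# strip wg-quick's src_valid_mark sysctl: sysctl is not writable in this container`. `egrep` is also deprecated in favour of `grep -E` in current GNU grep.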
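Review bot: `ENV RADVD_ADV_MANAGEMENT_FLAG` is set twice in the new ENV block, first to `off` and then to an empty value, so the intended default of `off` is dead and the variable is empty unless the compose environment overrides it; drop the second line (or the first, if empty is the intended default). `RADVD_OTHER_CONFIG_FLAG`, which the entry-point change in this commit reads, has no `ENV` default here while its siblings do — add `ENV RADVD_OTHER_CONFIG_FLAG=` for consistency. `BATMAN_BRIDGE` and `BATMAN_FORWARD_TABLE` keep their defaults even though the entry-point change in this commit stops creating the bridge and hard-codes both values in `ip rule add iif br-batman0 table 5000`; if the bridge is now created elsewhere (the compose file is not in this view), a comment saying so would help, otherwise that rule should use the variables.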
@@ -2,36 +2,58 @@ set -e
 batctl meshif ${BATMAN_INTERFACE} interface create
-ip link add ${BATMAN_BRIDGE} type bridge
-ip link set ${BATMAN_INTERFACE} master ${BATMAN_BRIDGE}
 ip link set ${BATMAN_INTERFACE} up
-ip link set ${BATMAN_BRIDGE} up
 # setup ips
 if [ "${BATMAN_BRIDGE_IPV4}" ] ; then
- ip -4 addr add ${BATMAN_BRIDGE_IPV4} dev ${BATMAN_BRIDGE}
+ ip -4 addr add ${BATMAN_BRIDGE_IPV4} dev ${BATMAN_INTERFACE}
 fi
 if [ "${BATMAN_BRIDGE_IPV6}" ] ; then
- ip -6 addr add ${BATMAN_BRIDGE_IPV6} dev ${BATMAN_BRIDGE}
+ ip -6 addr add ${BATMAN_BRIDGE_IPV6} dev ${BATMAN_INTERFACE}
 fi
 # mark node as dhcp server
 batctl meshif ${BATMAN_INTERFACE} gw server ${BATMAN_LIMIT_DOWNLOAD}Mbit/${BATMAN_LIMIT_UPLOAD}Mbit
-# configure routing
-ip rule add iif ${BATMAN_BRIDGE} table ${BATMAN_FORWARD_TABLE}
-[ "${BATMAN_FORWARD_GATEWAY4}" ] && \
- ip -4 route add table ${BATMAN_FORWARD_TABLE} default via ${BATMAN_FORWARD_GATEWAY4}
-[ "${BATMAN_FORWARD_GATEWAY6}" ] && \
- ip -6 route add table ${BATMAN_FORWARD_TABLE} default via ${BATMAN_FORWARD_GATEWAY6}
-
 nft add table ip nat || true
 nft add chain 'ip nat POSTROUTING { type nat hook postrouting priority srcnat; policy accept; }' || true
 nft add rule nat POSTROUTING counter masquerade || true
 nft add table ip6 nat || true
 nft add chain 'ip6 nat POSTROUTING { type nat hook postrouting priority srcnat; policy accept; }' || true
-nft add rule ip6 nat counter masquerade || true
+nft add rule ip6 nat POSTROUTING counter masquerade || true
+
+# remove dns defintion, because resolv.conf is write protected in the container
+if [ "${WIREGUARD_CONFIG}" ] ; then \
+ egrep -v '^\s*DNS\s*=' ${WIREGUARD_CONFIG} >/etc/wireguard/${WIREGUARD_INTERFACE}.conf
+ wg-quick up ${WIREGUARD_INTERFACE}
+ ip rule add iif br-batman0 table 5000
+fi
+
+cat >/etc/radvd.conf <>/etc/radvd.conf
+[ "${RADVD_MTU}" ] && \
+ echo " AdvLinkMTU ${RADVD_MTU};" >>/etc/radvd.conf
+[ "${RADVD_SOURCE_LL_ADDRESS}" ] && \
+ echo " AdvSourceLLAddress ${RADVD_SOURCE_LL_ADDRESS};" >>/etc/radvd.conf
+[ "${RADVD_OTHER_CONFIG_FLAG}" ] && \
+ echo " AdvOtherConfigFlag ${RADVD_OTHER_CONFIG_FLAG};" >>/etc/radvd.conf
+
+cat >>/etc/radvd.conf <