Auto update wireguard tunnels when disabling/enabling bridging

emhttp/plugins/dynamix/scripts/netconfig

@@ -1,7 +1,7 @@
 #!/usr/bin/php -q
 <?PHP
-/* Copyright 2005-2018, Lime Technology
- * Copyright 2012-2018, Bergware International.
+/* Copyright 2005-2023, Lime Technology
+ * Copyright 2012-2023, Bergware International.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License version 2,
@@ -17,6 +17,21 @@ $run = $set != 'none';
 $ini = parse_ini_file('/var/local/emhttp/network.ini',true); ksort($ini,SORT_NATURAL);
 $cfg = '/boot/config/network.cfg';
 
+function update_wireguard($ifname) {
+  if (!in_array($ifname,['br0','bond0','eth0'])) return;
+  $nic = file_exists('/sys/class/net/br0') ? 'br0' : (file_exists('/sys/class/net/bond0') ? 'bond0' : 'eth0');
+  exec("wg show interfaces",$active);
+  foreach (glob("/etc/wireguard/*.conf",GLOB_NOSORT) as $wg) {
+    $vtun = basename($wg,'.conf');
+    // interface has changed?
+    if (exec("grep -Pom1 ' dev $nic ' $wg")=='') {
+      exec("logger -t netconfig 'updated wireguard $vtun configuration'");
+      exec("sed -ri 's/ dev (br0|bond0|eth0) / dev $nic /' $wg");
+    }
+    // restart active wireguard tunnels
+    if (in_array($vtun,$active)) exec("wg-quick down $vtun; sleep 1; wg-quick up $vtun");
+  }
+}
 function ifname($name) {
   global $old;
   if (!$name) return;
@@ -113,6 +128,7 @@ file_put_contents($cfg,implode("\r\n",$new)."\r\n");
 if ($run) {
   exec("/etc/rc.d/rc.inet1 {$ifname}_start >/dev/null 2>&1");
   exec("/usr/local/sbin/create_network_ini $ifname >/dev/null 2>&1 &");
+  update_wireguard($ifname);
 }
 exit(0);
 ?>

etc/rc.d/rc.wireguard

@@ -1,7 +1,10 @@
 #!/bin/bash
 # Start/stop wireguard interfaces
 
-log=/var/log/wg-quick.log
+SYSTEM=/sys/class/net
+WIREGUARD=/etc/wireguard
+LOG=/var/log/wg-quick.log
+TMP=/tmp/wg-quick.tmp
 
 start() {
   if ! iptables -S | grep -qom1 "WIREGUARD$"; then
@@ -12,59 +15,58 @@ start() {
     ip6tables -N WIREGUARD
     ip6tables -A FORWARD -j WIREGUARD
   fi
-  if [[ ! -d /etc/wireguard ]]; then
+  if [[ ! -d $WIREGUARD ]]; then
     mkdir -p /boot/config/wireguard
     ln -s /boot/config/wireguard /etc
   fi
-  tmp=/tmp/wg-quick.tmp
-  autostart=$(cat /etc/wireguard/autostart 2>/dev/null)
+  # get active interface
+  [[ -e $SYSTEM/bond0 ]] && NIC=bond0 || NIC=eth0
+  [[ -e $SYSTEM/br0 ]] && NIC=br0
+  AUTOSTART=$(cat $WIREGUARD/autostart 2>/dev/null)
   # Loop thru all configured WG tunnels
-  for WG in $(ls --indicator-style=none /etc/wireguard/*.conf 2>/dev/null); do
+  for WG in $(ls --indicator-style=none $WIREGUARD/*.conf 2>/dev/null); do
     # remove path and extension
-    WG=${WG##*/}; WG=${WG%.*}
+    WG=$(basename -s .conf $WG)
     # create routing table for network used by docker containers
-    index=$((${WG:2}+200))
-    network="172.31.$index.0/24"
-    if [[ -z $(ip rule|grep -Pom1 "from $network") ]]; then
-      ip -4 rule add from $network table $index
-      ip -4 route add unreachable default table $index
+    TABLE=$((${WG:2}+200))
+    NETWORK="172.31.$TABLE.0/24"
+    if [[ -z $(ip rule|grep -Pom1 "from $NETWORK") ]]; then
+      ip -4 rule add from $NETWORK table $TABLE
+      ip -4 route add unreachable default table $TABLE
+    fi
+    # interface has changed?
+    if ! grep -qm1 "dev $NIC " $WIREGUARD/$WG.conf; then
+      # update wireguard configuration
+      logger -t $(basename $0) "updated wireguard $WG configuration"
+      sed -ri "s/dev (br0|bond0|eth0) /dev $NIC /" $WIREGUARD/$WG.conf
     fi
     # autostart WG tunnel?
-    if [[ $autostart == *"$WG"* ]]; then
+    if [[ $AUTOSTART =~ $WG ]]; then
       # Get gateway IP address
-      gw=$(grep -Pom1 '^PostUp=ip -4 route add [\d\.]+/\d+ via \K[\d\.]+' /etc/wireguard/$WG.conf)
-      if [[ -n $gw ]]; then
-        timer=10
+      GW=$(grep -Pom1 '^PostUp=ip -4 route add [\d\.]+/\d+ via \K[\d\.]+' $WIREGUARD/$WG.conf)
+      if [[ -n $GW ]]; then
+        TIMER=10
         # wait for gateway to become reachable (max 10 seconds)
-        while [[ -z $(ip -4 route show default|grep -Pom1 "$gw ") && $timer -gt 0 ]]; do
-          ((timer--))
+        while [[ -z $(ip -4 route show default|grep -Pom1 "$GW ") && $TIMER -gt 0 ]]; do
           sleep 1
+          ((TIMER--))
         done
       fi
       # start WG tunnel
-      wg-quick up "$WG" 2>$tmp
-      echo "wg-quick up $WG (autostart)" >>$log
-      cat $tmp >>$log
-      echo >>$log
-      # WG tunnel for docker container?
-      if grep -qm1 '^TYPE:1="8"' /etc/wireguard/$WG.cfg; then
-        # update routing table for WG tunnels used by containers
-        table=$(grep -Pom1 'fwmark \K[\d]+' $tmp)
-        route=$(grep -Pom1 '^Address=\K.+$' /etc/wireguard/$WG.conf)
-        sleep 1
-        ip -4 route flush table $table
-        ip -4 route add $route dev $WG table $table
-      fi
+      wg-quick up $WG 2>$TMP
+      echo "wg-quick up $WG (autostart)" >>$LOG
+      cat $TMP >>$LOG
+      echo >>$LOG
     fi
   done
-  rm -f $tmp
+  rm -f $TMP
 }
 
 stop() {
   for WG in $(wg show interfaces); do
-    echo "wg-quick down $WG (autostop)" >>$log
-    wg-quick down "$WG" 2>>$log
-    echo >>$log
+    echo "wg-quick down $WG (autostop)" >>$LOG
+    wg-quick down $WG 2>>$LOG
+    echo >>$LOG
   done
 }