Update ffmuc-mesh-vpn-wireguard-vxlan README.md

freifunkMUC · Jan 16, 2024 · 5c96f01 · 5c96f01
1 parent 78cd05f
commit 5c96f01
Showing 1 changed file with 22 additions and 35 deletions.
diff --git a/ffmuc-mesh-vpn-wireguard-vxlan/README.md b/ffmuc-mesh-vpn-wireguard-vxlan/README.md
@@ -1,53 +1,40 @@
 # ffmuc-mesh-vpn-wireguard-vxlan
 
-You can use this package for connecting with wireguard to the Freifunk Munich network.
+This package adds support for WireGuard+VXLAN as Mesh VPN protocol stack as it is used in the Freifunk Munich network.
+
+### Dependencies
+
+This relies on [wgkex](https://github.com/freifunkMUC/wgkex), the FFMUC WireGuard key exchange broker running on the configured broker address. The broker programms the gateway to accept the WireGuard key which is transmitted during connection.
+Starting with the key exchange API v2, the wgkex broker also returns WireGuard peer data for a gateway selected by the broker, which this package then configures as mesh VPN peer/endpoint.
+
+For the health-checks a webserver of some kind needs to listen to `HTTP GET` requests on the gateways.
+
+### How it works
+
+When `checkuplink` gets called (which happens every minute via cronjob), it checks if the gateway connection is still alive by calling `wget` and connecting to the WireGuard peer link address. If this address replies, we also start a `batctl ping` to the same address. If both checks succeed the connection just stays alive.
+
+If one of the checks above bails out with an error the reconnect cycle is started. This means `checkuplink` registers itself with `wireguard.broker` by sending the WireGuard public key over either HTTP or HTTPS (depending on the device support).
+The broker responds with JSON data containing the gateway peer data (pubkey, address, port, allowed IPs aka link address). `checkuplink` adds the peer to the wg interface using this data, and sets up the VXLAN interface with the peer link address as remote endpoint.
+
+This script prefers to establish connections over IPv6 and falls back to IPv4 **only if there is no IPv6 default route**.
+
+### Configuration
 
 You should use something like the following in the site.conf:
 
-	
+
 ```
  mesh_vpn = {
 	mtu = 1400,
 	wireguard = {
 		enabled = '1',
-		iface = 'mesh-vpn',
+		iface = 'wg_mesh_vpn', -- not 'mesh-vpn', which is used for the VXLAN interface
 		limit = '1', -- actually unused
-		broker = 'broker.ffmuc.net/api/v1/wg/key/exchange',
-		peers = {
-				{
-					publickey ='N9uF5Gg1B5AqWrE9IuvDgzmQePhqhb8Em/HrRpAdnlY=',
-					endpoint ='ffkwsn01.freifunk-koenigswinter.de:30020',
-					link_address = 'fe80::f000:22ff:fe12:01',
-				},
-				{
-					publickey ='liatbdT62FbPiDPHKBqXVzrEo6hc5oO5tmEKDMhMTlU=',
-					endpoint ='ffkwsn02.freifunk-koenigswinter.de:30020',
-					link_address = 'fe80::f000:22ff:fe12:02',
-				},
-				{
-					publickey ='xakSGG39D1v90j3Z9eVWzojh6nDbnsVUc/RByVdcKB0=',
-					endpoint ='ffkwsn03.freifunk-koenigswinter.de:30020',
-					link_address = 'fe80::f000:22ff:fe12:07',
-				},
-
-			},
+		broker = 'broker.ffmuc.net/api/v2/wg/key/exchange',
 	},
-	
 ```
 And you should include the package in the site.mk of course!
 
-### Dependencies
-
-This relies on [wgkex](https://github.com/freifunkMUC/wgkex) the FFMUC wireguard broker running on the configured broker address. The broker programms the gateway to accept the WireGuard key which is transmitted during connection.
-
-For the health-checks a webserver of some kind needs to listen to `HTTP GET` requests on the gateways.
-
-### How it works
-
-When `checkuplink` gets called (which happens every minute via cronjob), it checks if the gateway connection is still alive by calling `wget` and connecting to `wireguard.peer.peer_[number].link_address`. If this address replies we also start a `batctl ping` to the same address. If both checks succeed the connection just stays alive.
-
-If one of the checks above bails out with an error the reconnect cycle is started. Which means `checkuplink` registers itself with `wireguard.broker` by sending the WireGuard public_key over either http or https (depending on the device support). After the key was sent the script tries to randomely connect to one of the `wireguard.peer`. This script prefers to establish connections over IPv6 and falls back to IPv4 only if there is no IPv6 default route.
-
 ### Interesting Links
 
 - [FFMUC: Half a year with WireGuard](https://www.slideshare.net/AnnikaWickert/ffmuc-half-a-year-with-wireguard)