norn/parahub-mesh
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(vpn): Replace UCI grev6 with manual GRE6 tunnel init script

Browse Source 
OpenWrt 25.x lacks the netifd grev6 protocol handler, so the UCI
vpn_tunnel interface never came up (NO_DEVICE). Now using a dedicated
init script (parahub-vpn-tunnel, START=96) that:

- Creates ip6gre tunnel with encaplimit none (critical: Yggdrasil
  drops IPv6 packets with DSTOPT extension headers from encaplimit)
- Waits for Yggdrasil address before creating tunnel
- Adds guest subnet direct route to table 100 (fixes DNS/reply
  routing — without it, router replies with source in guest subnet
  get routed through GRE instead of back to the client)
- Reloads firewall so vpn_tunnel zone picks up gre6-vpn device

Also updated VPS mesh-gateway.sh with encaplimit none.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Parahub AI
2026-02-09 17:02:49 +00:00
parent e84d578ce4
commit 3771521d59
2 changed files with 76 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
files/etc/uci-defaults/99-parahub-mesh
View File

@@ -219,15 +219,10 @@ set network.wan=interface
set network.wan.device='${WAN_DEV}'
set network.wan.proto='dhcp'
# --- GRE6 tunnel (guest traffic → VPS gateway via Yggdrasil) ---
# --- VPN tunnel interface (device created by parahub-vpn-tunnel init script) ---
set network.vpn_tunnel=interface
set network.vpn_tunnel.proto='grev6'
set network.vpn_tunnel.peeraddr='200:39f1:6a26:328a:d901:fbd2:d30d:faef'
set network.vpn_tunnel.ipaddr='172.16.0.2'
set network.vpn_tunnel.netmask='255.255.255.0'
set network.vpn_tunnel.gateway='172.16.0.1'
set network.vpn_tunnel.mtu='1400'
set network.vpn_tunnel.ip4table='100'
set network.vpn_tunnel.device='gre6-vpn'
set network.vpn_tunnel.proto='none'
# --- Policy routing: guest traffic → VPN table 100 ---
add network rule
@@ -710,8 +705,9 @@ set firewall.@forwarding[-1].dest='yggdrasil'
YGG_FW_EOF
uci commit firewall
# Enable yggdrasil service
# Enable yggdrasil service + VPN tunnel (creates GRE6 after yggdrasil starts)
/etc/init.d/yggdrasil enable 2>/dev/null || true
/etc/init.d/parahub-vpn-tunnel enable 2>/dev/null || true
# Save yggdrasil address to node keys file
YGG_ADDR=$(yggdrasil -address -useconffile /etc/yggdrasil.conf 2>/dev/null || echo "unknown")