refactor: Remove GRE tunnels, add Mullvad gateway health check

Radical simplification — no more VPS data plane: - Delete parahub-vpn-tunnel init script (GRE6 no longer used) - Revert heartbeat to clean version (no tunnel_ip parsing) - Add parahub-gw-check: monitors WireGuard handshake, switches batman-adv gw_mode between server/client (cron every 2 min) - Update uci-defaults: remove vpn_tunnel zone/interface, start bumblebee as gw_mode=client (health check promotes to server) Guest internet now requires Mullvad — kill switch by design. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-11 12:50:31 +00:00
parent f96a455dc8
commit e31f626c7c
4 changed files with 56 additions and 158 deletions
--- a/files/usr/bin/parahub-gw-check
+++ b/files/usr/bin/parahub-gw-check
@@ -0,0 +1,36 @@
+#!/bin/sh
+# Parahub Gateway Health Check
+# Monitors Mullvad WireGuard status and switches batman-adv gw_mode:
+#   - Mullvad active (recent handshake) → gw_mode=server (advertise as gateway)
+#   - Mullvad down or not configured    → gw_mode=client (relay only)
+#
+# Run via cron every 2 minutes. Bumblebee only.
+
+[ "$(cat /etc/parahub/role 2>/dev/null)" = "bumblebee" ] || exit 0
+
+# Check if Mullvad WireGuard interface exists and has recent handshake
+MULLVAD_OK=0
+if command -v wg >/dev/null 2>&1; then
+    # Get latest handshake timestamp from any WireGuard interface
+    LAST_HS=$(wg show all latest-handshakes 2>/dev/null | awk '{print $NF}' | sort -rn | head -1)
+    if [ -n "$LAST_HS" ] && [ "$LAST_HS" -gt 0 ] 2>/dev/null; then
+        NOW=$(date +%s)
+        AGE=$((NOW - LAST_HS))
+        # Handshake within last 5 minutes = alive
+        [ "$AGE" -lt 300 ] && MULLVAD_OK=1
+    fi
+fi
+
+CURRENT_MODE=$(batctl gw_mode 2>/dev/null | awk '{print $1}')
+
+if [ "$MULLVAD_OK" = "1" ]; then
+    if [ "$CURRENT_MODE" != "server" ]; then
+        batctl gw_mode server
+        logger -t parahub-gw "Mullvad active, switched to gw_mode=server"
+    fi
+else
+    if [ "$CURRENT_MODE" != "client" ]; then
+        batctl gw_mode client
+        logger -t parahub-gw "Mullvad down, switched to gw_mode=client"
+    fi
+fi
--- a/files/usr/bin/parahub-heartbeat
+++ b/files/usr/bin/parahub-heartbeat
@@ -37,12 +37,9 @@ PAYLOAD="{\"mac\":\"${MAC}\",\"hostname\":\"${HOSTNAME}\",\"yggdrasil_address\":

 RESPONSE=""

-# Use longer timeout if called from vpn-tunnel init (first boot)
-CURL_TIMEOUT="${HEARTBEAT_CURL_TIMEOUT:-10}"
-
 if [ "$ROLE" = "bee" ]; then
    # Bee: no yggdrasil, use public URL only
-    RESPONSE=$(curl -s -m "$CURL_TIMEOUT" -X POST \
+    RESPONSE=$(curl -s -m 10 -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${HEARTBEAT_KEY}" \
        -d "$PAYLOAD" \
@@ -50,13 +47,13 @@ if [ "$ROLE" = "bee" ]; then
 else
    # Bumblebee: try yggdrasil first, fallback to public
    if ping6 -c 1 -W 3 200:abb9:5810:37d3:8a4c:98a6:b82b:969a >/dev/null 2>&1; then
-        RESPONSE=$(curl -s -m "$CURL_TIMEOUT" -X POST \
+        RESPONSE=$(curl -s -m 10 -X POST \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer ${HEARTBEAT_KEY}" \
            -d "$PAYLOAD" \
            "${PARAHUB_API_YGG}" 2>/dev/null)
    else
-        RESPONSE=$(curl -s -m "$CURL_TIMEOUT" -X POST \
+        RESPONSE=$(curl -s -m 10 -X POST \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer ${HEARTBEAT_KEY}" \
            -d "$PAYLOAD" \
@@ -64,22 +61,6 @@ else
    fi
 fi

-# Parse tunnel_ip from response and update local config (Bumblebee only)
-if [ "$ROLE" != "bee" ] && [ -n "$RESPONSE" ]; then
-    NEW_TUNNEL_IP=$(echo "$RESPONSE" | jsonfilter -e '$.tunnel_ip' 2>/dev/null)
-    if [ -n "$NEW_TUNNEL_IP" ]; then
-        OLD_TUNNEL_IP=$(cat /etc/parahub/tunnel_ip 2>/dev/null)
-        if [ "$OLD_TUNNEL_IP" != "$NEW_TUNNEL_IP" ]; then
-            echo "$NEW_TUNNEL_IP" > /etc/parahub/tunnel_ip
-            logger -t parahub-heartbeat "Tunnel IP updated: ${OLD_TUNNEL_IP:-none} → $NEW_TUNNEL_IP"
-            # Restart vpn-tunnel if it's running (IP changed)
-            if [ -n "$OLD_TUNNEL_IP" ]; then
-                /etc/init.d/parahub-vpn-tunnel restart 2>/dev/null &
-            fi
-        fi
-    fi
-fi
-
 # Sync paid_clients to speed control (Bumblebee only)
 if [ "$ROLE" != "bee" ] && [ -x /usr/bin/parahub-speed-control ] && [ -n "$RESPONSE" ]; then
    PAID_IPS=$(echo "$RESPONSE" | jsonfilter -e '$.paid_clients[*]' 2>/dev/null)