uci-defaults only runs on first boot, so devices updating from ph3
would never generate WG keys. Heartbeat now generates them if missing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- uci-defaults: WG keygen, vps_gateway interface+zone+forwarding
- heartbeat: sends wg_public_key, parses VPS config, calls vps-setup
- parahub-vps-setup: new script for auto-configuring VPS tunnel with
OTA bootstrap support and idempotent state tracking
- parahub-mullvad: setup disables vps_gateway, remove re-enables it
(fixes bug referencing non-existent vpn_tunnel interface)
- parahub-gw-check: works with both vps_gateway and mullvad_local
- sysupgrade.conf: preserves WG VPS keys across upgrades
- build.sh: bump PARAHUB_BUILD to 4
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Radical simplification — no more VPS data plane:
- Delete parahub-vpn-tunnel init script (GRE6 no longer used)
- Revert heartbeat to clean version (no tunnel_ip parsing)
- Add parahub-gw-check: monitors WireGuard handshake, switches
batman-adv gw_mode between server/client (cron every 2 min)
- Update uci-defaults: remove vpn_tunnel zone/interface, start
bumblebee as gw_mode=client (health check promotes to server)
Guest internet now requires Mullvad — kill switch by design.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
vpn-tunnel reads IP from /etc/parahub/tunnel_ip instead of hardcoded
172.16.0.2. On first boot, calls heartbeat synchronously to get assignment.
Heartbeat parses tunnel_ip from response and restarts vpn-tunnel on change.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
OTA: build.sh writes version/profile to firmware, generates manifest.json
with SHA256 per device. parahub-autoupdate script runs nightly at 3am,
fetches manifest (Yggdrasil first), verifies checksum, runs sysupgrade.
sysupgrade.conf preserves /etc/parahub/, yggdrasil.conf, dropbear keys.
Guest IPv6: Yggdrasil 300::/64 subnet assigned to guest via SLAAC.
Separate yggdrasil firewall zone (5 zones total) with guest→yggdrasil
forwarding. IPv6 exempt from tc shaping — full speed to Parahub services.
IPv6 to WAN blocked. Heartbeat now reads version from file, not hardcoded.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add parahub-speed-control script (nftables set + tc HTB) for per-IP
speed shaping. Free tier 512kbps, paid tier unlimited. Heartbeat now
parses paid_clients from API response and syncs nftables set.
Replaced sqm-scripts/kmod-sched-cake/luci-app-sqm packages with
tc-full/kmod-ifb/kmod-sched-htb. Section 8 of uci-defaults creates
init.d service for speed control instead of SQM config.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- parahub-heartbeat: cURL heartbeat to cloud API every 5min via cron
- authorized_keys: add norn@parahub-ng for WiFi password SSH retrieval
- 99-parahub-mesh: section 12 enables cron + heartbeat on first boot
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
