OpenWrt base version doesn't change between our config/script updates.
PARAHUB_BUILD counter creates version like 25.12.0-rc4-ph1 for tracking.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

1. Add yggdrasil init script (procd) — OpenWrt 25.x package doesn't
include one, causing uci-defaults to fail on `/etc/init.d/yggdrasil
enable` with set -e, leaving script in /etc/uci-defaults/ to re-run
every boot and overwrite all config changes.
2. Delete default br-lan/lan before creating br-private — both bridges
competing for eth0/eth1 port, preventing LAN cable access.
3. Per-device port mapping via /etc/parahub/port_map — filogic devices
(MT3000, MT6000, WR3000) have eth0=WAN, eth1=LAN (opposite of
qualcommax/ath79). Build.sh writes PORT_MAP, uci-defaults reads it.
Also: remove `set -e` from uci-defaults (too fragile for first-boot),
add SSH/HTTP firewall rules on yggdrasil zone for remote management.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

OTA: build.sh writes version/profile to firmware, generates manifest.json
with SHA256 per device. parahub-autoupdate script runs nightly at 3am,
fetches manifest (Yggdrasil first), verifies checksum, runs sysupgrade.
sysupgrade.conf preserves /etc/parahub/, yggdrasil.conf, dropbear keys.
Guest IPv6: Yggdrasil 300::/64 subnet assigned to guest via SLAAC.
Separate yggdrasil firewall zone (5 zones total) with guest→yggdrasil
forwarding. IPv6 exempt from tc shaping — full speed to Parahub services.
IPv6 to WAN blocked. Heartbeat now reads version from file, not hardcoded.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
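
The fetch, verify, then sysupgrade sequence described in the OTA commit message above, as an added example that is not the project's parahub-autoupdate script. The manifest layout, the profile name `example_profile` and the function names are assumptions made for illustration; on OpenWrt, jsonfilter would normally replace the sed lookup, and sysupgrade is only echoed here.

```shell
#!/bin/sh
# Added example; not the project's parahub-autoupdate script.
# Assumed manifest layout (constructed for this example):
#   {"version":"...","devices":{"<profile>":{"file":"...","sha256":"<hex>"}}}

# Print the sha256 listed for one device profile (empty if absent).
# sed keeps this runnable anywhere; profile names are assumed to be [A-Za-z0-9_-].
manifest_sha256() {
    tr -d ' \n\t' < "$1" |
        sed -n "s/.*\"$2\":{[^}]*\"sha256\":\"\([0-9a-fA-F]*\)\".*/\1/p"
}

# Return 0 only if the image hashes to the expected value.
# 2 = manifest entry missing or malformed, 1 = checksum mismatch.
verify_image() {
    image=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256sum "$image" 2>/dev/null | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Gate the flash step on the check; sysupgrade is only echoed here.
check_update() {
    want=$(manifest_sha256 "$1" "$2")
    if verify_image "$3" "$want"; then
        echo "checksum ok: would run sysupgrade $3"
    else
        echo "refusing to flash $3: bad checksum or manifest entry" >&2
        return 1
    fi
}

# Demo on constructed data: a fake image and a manifest that lists its hash.
demo_dir=$(mktemp -d)
printf 'constructed firmware image' > "$demo_dir/fw.bin"
printf '{"version":"25.12.0-rc4-ph1","devices":{"example_profile":{"file":"fw.bin","sha256":"%s"}}}\n' \
    "$(sha256sum "$demo_dir/fw.bin" | cut -d' ' -f1)" > "$demo_dir/manifest.json"
check_update "$demo_dir/manifest.json" example_profile "$demo_dir/fw.bin"
printf 'tampered' >> "$demo_dir/fw.bin"
check_update "$demo_dir/manifest.json" example_profile "$demo_dir/fw.bin" || true
rm -rf "$demo_dir"
```

The checksum only catches an image that differs from what the manifest lists; the manifest itself has to arrive over a channel the node trusts.
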
Add parahub-speed-control script (nftables set + tc HTB) for per-IP
speed shaping. Free tier 512kbps, paid tier unlimited. Heartbeat now
parses paid_clients from API response and syncs nftables set.
Replaced sqm-scripts/kmod-sched-cake/luci-app-sqm packages with
tc-full/kmod-ifb/kmod-sched-htb. Section 8 of uci-defaults creates
init.d service for speed control instead of SQM config.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- GRE6 tunnel over Yggdrasil to VPS gateway (172.16.0.0/24)
- Kill switch: guest→vpn_tunnel only (no guest→wan)
- OWE transition mode on Parahub_Free (encrypted + open fallback)
- DNS-over-HTTPS via https-dns-proxy (Cloudflare 1.1.1.1)
- Guest DNS hijacked via firewall DNAT redirect
- IPv6 blocked for guest zone (leak prevention)
- SQM 128→512 kbps
- Added kmod-gre6, https-dns-proxy to PACKAGES_CORE
- SSH authorized key for passwordless root access
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Rewrite build.sh to support per-device target/subtarget selection.
Adds Asus RT-AX53U (ramips/mt7621), GL-MT6000, upgrades to OpenWrt 25.12.0-rc4,
and auto-detects tar.zst vs tar.xz for Image Builder download.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

First-boot script that configures a Parahub mesh node with zero user
interaction: batman-adv BATMAN_V mesh, dual-band WiFi (private SAE +
public open), firewall zones with guest isolation, SQM 128kbps shaping,
MAC-derived subnets for collision avoidance, and key generation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>