Guest WiFi interface (phy0-ap0) may not be up when init script runs at
boot. Move guest route addition to a background retry loop (up to 60s).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
OpenWrt 25.x lacks the netifd grev6 protocol handler, so the UCI
vpn_tunnel interface never came up (NO_DEVICE). Now using a dedicated
init script (parahub-vpn-tunnel, START=96) that:
- Creates ip6gre tunnel with encaplimit none (critical: Yggdrasil
drops IPv6 packets with DSTOPT extension headers from encaplimit)
- Waits for Yggdrasil address before creating tunnel
- Adds guest subnet direct route to table 100 (fixes DNS/reply
routing — without it, router replies with source in guest subnet
get routed through GRE instead of back to the client)
- Reloads firewall so vpn_tunnel zone picks up gre6-vpn device
Also updated VPS mesh-gateway.sh with encaplimit none.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1. Add yggdrasil init script (procd) — OpenWrt 25.x package doesn't
include one, causing uci-defaults to fail on `/etc/init.d/yggdrasil
enable` with set -e, leaving script in /etc/uci-defaults/ to re-run
every boot and overwrite all config changes.
2. Delete default br-lan/lan before creating br-private — both bridges
competing for eth0/eth1 port, preventing LAN cable access.
3. Per-device port mapping via /etc/parahub/port_map — filogic devices
(MT3000, MT6000, WR3000) have eth0=WAN, eth1=LAN (opposite of
qualcommax/ath79). Build.sh writes PORT_MAP, uci-defaults reads it.
Also: remove `set -e` from uci-defaults (too fragile for first-boot),
add SSH/HTTP firewall rules on yggdrasil zone for remote management.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
OTA: build.sh writes version/profile to firmware, generates manifest.json
with SHA256 per device. parahub-autoupdate script runs nightly at 3am,
fetches manifest (Yggdrasil first), verifies checksum, runs sysupgrade.
sysupgrade.conf preserves /etc/parahub/, yggdrasil.conf, dropbear keys.
Guest IPv6: Yggdrasil 300::/64 subnet assigned to guest via SLAAC.
Separate yggdrasil firewall zone (5 zones total) with guest→yggdrasil
forwarding. IPv6 exempt from tc shaping — full speed to Parahub services.
IPv6 to WAN blocked. Heartbeat now reads version from file, not hardcoded.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add parahub-speed-control script (nftables set + tc HTB) for per-IP
speed shaping. Free tier 512kbps, paid tier unlimited. Heartbeat now
parses paid_clients from API response and syncs nftables set.
Replaced sqm-scripts/kmod-sched-cake/luci-app-sqm packages with
tc-full/kmod-ifb/kmod-sched-htb. Section 8 of uci-defaults creates
init.d service for speed control instead of SQM config.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- parahub-heartbeat: cURL heartbeat to cloud API every 5min via cron
- authorized_keys: add norn@parahub-ng for WiFi password SSH retrieval
- 99-parahub-mesh: section 12 enables cron + heartbeat on first boot
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- GRE6 tunnel over Yggdrasil to VPS gateway (172.16.0.0/24)
- Kill switch: guest→vpn_tunnel only (no guest→wan)
- OWE transition mode on Parahub_Free (encrypted + open fallback)
- DNS-over-HTTPS via https-dns-proxy (Cloudflare 1.1.1.1)
- Guest DNS hijacked via firewall DNAT redirect
- IPv6 blocked for guest zone (leak prevention)
- SQM 128→512 kbps
- Added kmod-gre6, https-dns-proxy to PACKAGES_CORE
- SSH authorized key for passwordless root access
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Random per-node mesh keys prevented nodes from connecting to each other.
Now all Parahub nodes share a pre-configured mesh SAE key for automatic
802.11s mesh peering. Private WiFi keys remain randomly generated per node.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rewrite build.sh to support per-device target/subtarget selection.
Adds Asus RT-AX53U (ramips/mt7621), GL-MT6000, upgrades to OpenWrt 25.12.0-rc4,
and auto-detects tar.zst vs tar.xz for Image Builder download.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
First-boot script that configures a Parahub mesh node with zero user
interaction: batman-adv BATMAN_V mesh, dual-band WiFi (private SAE +
public open), firewall zones with guest isolation, SQM 128kbps shaping,
MAC-derived subnets for collision avoidance, and key generation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
