I'm trying to partially automate WireGuard with a menu- and sub-menu-based bash script, but I'm having difficulties assigning the WireGuard interface to my already existing firewall zones using UCI commands. Below is the script I am using so far to create the server keys and the WireGuard interface.
#!/bin/sh
# Create directories (umask 077 so the private key is never world-readable)
umask 077
mkdir -p /etc/wireguard/networks/guest/peers /etc/wireguard/networks/lan/peers
# Variables
wg_lan_server_port="45678"
wg_lan_server_ip="10.0.1.1/24"
wg_lan_server_firewall="lan"
# Generate WireGuard server keys for 'LAN' network
echo -n "Generating WireGuard server keys for 'LAN' network... "
wg genkey | tee /etc/wireguard/networks/lan/lan_server_private.key | wg pubkey > /etc/wireguard/networks/lan/lan_server_public.key
echo "Done"
# Remove pre-existing WireGuard interface (-q: no error if it does not exist yet)
echo -n "Removing pre-existing WireGuard interface... "
uci -q delete network.wg_lan
echo "Done"
# Create WireGuard interface for 'LAN' network
echo -n "Creating WireGuard interface for 'LAN' network... "
uci set network.wg_lan=interface
uci set network.wg_lan.proto='wireguard'
uci set network.wg_lan.private_key="$(cat /etc/wireguard/networks/lan/lan_server_private.key)"
uci set network.wg_lan.listen_port="${wg_lan_server_port}"
uci add_list network.wg_lan.addresses="${wg_lan_server_ip}"
# Attach the new interface to the existing 'lan' zone (a named section)
uci set firewall.${wg_lan_server_firewall}.network="${wg_lan_server_firewall} wg_lan"
uci commit network
uci commit firewall
echo "Done"
If I list the firewall zones attached to networks, 'lan' seems to be the only odd one out.
For all zones other than 'lan' I have to assign the zone using
uci set firewall.@zone[2].network="${wg_guest_server_firewall} wg_guest"
whereas 'lan' can be configured with its actual name
uci set firewall.lan.network="${wg_lan_server_firewall} wg_lan"
Is there a way of renaming the anonymous sections to their respective network names, e.g. firewall zone 2 becomes firewall.guest.network='guest wg_guest'? Failing that, shall I extract the anonymous section name that is being used and feed it into a variable that can be used to assign the Guest WireGuard interface to the existing Guest firewall zone, i.e.
fw_zone="$(uci show firewall | grep "\.name='guest'" | cut -d '.' -f 2)"
uci set firewall.${fw_zone}.network="guest wg_guest"
I assume when creating these same configurations via LuCI they don't use named sections? If I were to use a 'uci_defaults' file in a custom compiled firmware, would I need to specify the rename command for every interface created?
LuCI creates named sections only in some cases such as interfaces in the network config.
In other cases like firewall config, it creates only anonymous sections.
However, when you work in CLI, or perform troubleshooting, or run configuration scripts, named sections are significantly more convenient to manage.
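As an added example (this is not code from the thread, nor from OpenWrt itself), here is a small POSIX sh helper that does what the two posts above are circling around: it reads `uci show firewall` output, finds the zone section whose `name` option matches (so a still-anonymous zone is addressed as `@zone[N]` and a named one by its name), emits the `uci rename` that turns the anonymous section into a named one, and appends the WireGuard interface to the zone's `network` option only if it is not already there. It assumes the `@type[index]` notation that `uci show` prints for anonymous sections, and that `network` is stored as a space-separated option string as in the posted config (newer OpenWrt releases store it as a list, where `uci add_list` would be the right call). The `uci show` text below is constructed from the zone layout in the thread, not captured from a router.

```shell
#!/bin/sh
# Added example, not from the original thread: resolve firewall zones by their
# 'name' option and print the uci commands that name the section and attach an
# interface to it. Designed to be fed real output on a router:
#   uci show firewall | sh wg_zone.sh guest wg_guest | sh

# Constructed sample of `uci show firewall` output (assumption: this is the
# format; derived from the zones posted in the thread, not a real capture).
sample_uci_show() {
    cat <<'EOF'
firewall.@defaults[0]=defaults
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='admin'
firewall.@zone[0].network='admin'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan wg_lan'
firewall.@zone[2]=zone
firewall.@zone[2].name='guest'
firewall.@zone[2].network='guest wg_guest'
firewall.@zone[3]=zone
firewall.@zone[3].name='IoT'
firewall.@zone[3].network='IoT'
firewall.@zone[6]=zone
firewall.@zone[6].name='wan'
firewall.@zone[6].network='wan wan6'
EOF
}

# zone_section <zone_name>: read `uci show firewall` text on stdin and print
# the section identifier ("lan" or "@zone[2]") whose name option matches.
zone_section() {
    sed -n "s/^firewall\.\([^.]*\)\.name='$1'\$/\1/p"
}

# zone_network <section>: print the current 'network' option of a section.
# '[' is escaped so "@zone[2]" is matched literally by sed.
zone_network() {
    sec=$(printf '%s' "$1" | sed 's/\[/\\[/g')
    sed -n "s/^firewall\.$sec\.network='\(.*\)'\$/\1/p"
}

# attach_cmds <zone_name> <iface>: emit the uci commands needed to (1) give the
# zone a named section equal to its 'name' if it is still anonymous and
# (2) add <iface> to its network option if missing. Returns 1 if no such zone.
attach_cmds() {
    zone=$1 iface=$2 changed=0
    show=$(cat)                                   # uci show text from stdin
    sec=$(printf '%s\n' "$show" | zone_section "$zone")
    if [ -z "$sec" ]; then
        echo "attach_cmds: no zone with name '$zone'" >&2
        return 1
    fi
    nets=$(printf '%s\n' "$show" | zone_network "$sec")
    target=$sec
    case $sec in
        @*) echo "uci rename firewall.$sec='$zone'"; target=$zone; changed=1 ;;
    esac
    case " $nets " in
        *" $iface "*) ;;                          # already attached, nothing to do
        *) echo "uci set firewall.$target.network='${nets:+$nets }$iface'"; changed=1 ;;
    esac
    [ "$changed" -eq 1 ] && echo "uci commit firewall"
    return 0
}

# With arguments, work on real `uci show firewall` output from stdin;
# without, demonstrate on the constructed sample.
if [ $# -ge 2 ]; then
    attach_cmds "$1" "$2"
else
    sample_uci_show | attach_cmds IoT wg_iot
fi
```

Because the commands are printed rather than executed, you can review them before piping into `sh`, and running the helper a second time is harmless: a zone that is already named and already contains the interface produces no commands at all, which is the property you want from a uci-defaults script that runs on every first boot.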
Are there any changes made to the config files at /etc/config/ when anonymous sections are converted to named sections? The reason I ask is, if I placed the config files themselves into the folder path files\etc\uci-defaults and compiled a custom firmware image, or directly replaced the files on a live system, are there any parameters stored in the configs that distinguish them from anonymous sections?
If I open up the firewall config at /etc/config/firewall it looks like this:
config defaults
	option forward 'REJECT'
	option input 'ACCEPT'
	option output 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option name 'admin'
	option network 'admin'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan wg_lan'
	option forward 'ACCEPT'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option network 'guest wg_guest'
	option input 'REJECT'
	option forward 'REJECT'

config zone
	option network 'IoT'
	option name 'IoT'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'public'
	option network 'public'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option output 'ACCEPT'
	option syn_flood '1'
	option conntrack '1'
	option name 'tor'
	option network 'tor'
	option input 'REJECT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option network 'wan wan6'
	option forward 'REJECT'
If I rename zone 0 (admin in this case) using uci rename firewall.@zone[0]="admin", the only difference I can see in the config file is the word 'admin' in single quotes to the right of config zone. Is this what named sections look like directly in the config files?
config zone 'admin'
	option name 'admin'
	option network 'admin'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
Not sure if this sounds stupid, but before utilizing the uci-defaults files the lan and wan zones/interfaces already exist as part of the factory settings. Would it be better to clear the factory settings so that there are no zones/interfaces and then set all of my zones from scratch, or shall I update the pre-existing networks with new values and add the new networks for those that don't exist?