diff --git a/documentation/docs/components/outputs/command-outputs/nym-node-cli-install-help.md b/documentation/docs/components/outputs/command-outputs/nym-node-cli-install-help.md index 70baf6f736..30c551b3ce 100644 --- a/documentation/docs/components/outputs/command-outputs/nym-node-cli-install-help.md +++ b/documentation/docs/components/outputs/command-outputs/nym-node-cli-install-help.md @@ -7,7 +7,8 @@ usage: nym-node-cli install [-h] [-V] [-d BRANCH] [-v] [--description DESCRIPTION] [--public-ip PUBLIC_IP] [--nym-node-binary NYM_NODE_BINARY] - [--uplink-dev UPLINK_DEV] [--env KEY=VALUE] + [--uplink-dev IPV4_UPLINK_DEV] + [--uplink-dev-v6 IPV6_UPLINK_DEV] [--env KEY=VALUE] options: -h, --help show this help message and exit @@ -30,8 +31,11 @@ options: External IPv4 address (autodetected if omitted) --nym-node-binary NYM_NODE_BINARY URL for nym-node binary (autodetected if omitted) - --uplink-dev UPLINK_DEV - Override uplink interface used for NAT/FORWARD (e.g., + --uplink-dev IPV4_UPLINK_DEV + Override ipv4 uplink interface used for NAT/FORWARD (e.g., 'eth0'; autodetected if omitted) + --uplink-dev-v6 IPV6_UPLINK_DEV + Override ipv6 uplink interface used for NAT/FORWARD (e.g., + 'eth0.1'; autodetected if omitted) --env KEY=VALUE (Optional) Extra ENV VARS, e.g. --env CUSTOM_KEY=value ``` diff --git a/scripts/nym-node-setup/network-tunnel-manager.sh b/scripts/nym-node-setup/network-tunnel-manager.sh index ab941e89b5..871def43a2 100755 --- a/scripts/nym-node-setup/network-tunnel-manager.sh +++ b/scripts/nym-node-setup/network-tunnel-manager.sh @@ -89,10 +89,12 @@ WG_INTERFACE="${WG_INTERFACE:-nymwg}" # Function to detect and validate uplink interface detect_uplink_interface() { - local cmd="$1" + local host="$2" + local ip local dev - dev="$(eval "$cmd" 2>/dev/null | awk '{print $5}' | head -n1 || true)" + ip="$(getent ahosts${1//-/v} "$host" 2>/dev/null | awk '$2=="STREAM" {print $1}' | head -n1 || true)" + dev="$(ip $1 -o route get "$ip" 2>/dev/null | awk '{print $5}' || true)" if [[ -n "$dev" && "$dev" =~ ^[a-zA-Z0-9._-]+$ ]]; then echo "$dev" @@ -102,15 +104,20 @@ detect_uplink_interface() { } # uplink device detection, can be overridden -NETWORK_DEVICE="${NETWORK_DEVICE:-}" -if [[ -z "$NETWORK_DEVICE" ]]; then - NETWORK_DEVICE="$(detect_uplink_interface "ip -o route show default")" +IPV4_UPLINK_DEV="${IPV4_UPLINK_DEV:-}" +if [[ -z "$IPV4_UPLINK_DEV" ]]; then + IPV4_UPLINK_DEV="$(detect_uplink_interface -4 "ifconfig.co")" fi -if [[ -z "$NETWORK_DEVICE" ]]; then - NETWORK_DEVICE="$(detect_uplink_interface "ip -o route show default table all")" +if [[ -z "$IPV4_UPLINK_DEV" ]]; then + error "cannot determine ipv4 uplink interface. set IPV4_UPLINK_DEV" + exit 1 +fi +IPV6_UPLINK_DEV="${IPV6_UPLINK_DEV:-}" +if [[ -z "$IPV6_UPLINK_DEV" ]]; then + IPV6_UPLINK_DEV="$(detect_uplink_interface -6 "ifconfig.co")" fi -if [[ -z "$NETWORK_DEVICE" ]]; then - error "cannot determine uplink interface. set NETWORK_DEVICE or UPLINK_DEV" +if [[ -z "$IPV6_UPLINK_DEV" ]]; then + error "cannot determine ipv6 uplink interface. set IPV6_UPLINK_DEV" exit 1 fi @@ -194,11 +201,11 @@ fetch_ipv6_address() { fetch_and_display_ipv6() { local ipv6_address - ipv6_address=$(ip -6 addr show "$NETWORK_DEVICE" scope global | awk '/inet6/ {print $2}') + ipv6_address=$(ip -6 addr show "$IPV6_UPLINK_DEV" scope global | awk '/inet6/ {print $2}') if [[ -z "$ipv6_address" ]]; then - error "no global ipv6 address found on $NETWORK_DEVICE" + error "no global ipv6 address found on $IPV6_UPLINK_DEV" else - ok "ipv6 address on $NETWORK_DEVICE: $ipv6_address" + ok "ipv6 address on $IPV6_UPLINK_DEV: $ipv6_address" fi } @@ -343,28 +350,31 @@ remove_duplicate_rules() { apply_iptables_rules() { local interface=$1 - info "applying iptables rules for $interface using uplink $NETWORK_DEVICE" + info "applying iptables rules for $interface using uplink $IPV4_UPLINK_DEV" sleep 1 # ipv4 nat and forwarding - iptables -t nat -C POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE 2>/dev/null || \ - iptables -t nat -A POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE + iptables -t nat -C POSTROUTING -o "$IPV4_UPLINK_DEV" -j MASQUERADE 2>/dev/null || \ + iptables -t nat -A POSTROUTING -o "$IPV4_UPLINK_DEV" -j MASQUERADE - iptables -C FORWARD -i "$interface" -o "$NETWORK_DEVICE" -j ACCEPT 2>/dev/null || \ - iptables -I FORWARD 1 -i "$interface" -o "$NETWORK_DEVICE" -j ACCEPT + iptables -C FORWARD -i "$interface" -o "$IPV4_UPLINK_DEV" -j ACCEPT 2>/dev/null || \ + iptables -I FORWARD 1 -i "$interface" -o "$IPV4_UPLINK_DEV" -j ACCEPT - iptables -C FORWARD -i "$NETWORK_DEVICE" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \ - iptables -I FORWARD 2 -i "$NETWORK_DEVICE" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -C FORWARD -i "$IPV4_UPLINK_DEV" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \ + iptables -I FORWARD 2 -i "$IPV4_UPLINK_DEV" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT + + info "applying ip6tables rules for $interface using uplink $IPV6_UPLINK_DEV" + sleep 1 # ipv6 nat and forwarding - ip6tables -t nat -C POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE 2>/dev/null || \ - ip6tables -t nat -A POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE + ip6tables -t nat -C POSTROUTING -o "$IPV6_UPLINK_DEV" -j MASQUERADE 2>/dev/null || \ + ip6tables -t nat -A POSTROUTING -o "$IPV6_UPLINK_DEV" -j MASQUERADE - ip6tables -C FORWARD -i "$interface" -o "$NETWORK_DEVICE" -j ACCEPT 2>/dev/null || \ - ip6tables -I FORWARD 1 -i "$interface" -o "$NETWORK_DEVICE" -j ACCEPT + ip6tables -C FORWARD -i "$interface" -o "$IPV6_UPLINK_DEV" -j ACCEPT 2>/dev/null || \ + ip6tables -I FORWARD 1 -i "$interface" -o "$IPV6_UPLINK_DEV" -j ACCEPT - ip6tables -C FORWARD -i "$NETWORK_DEVICE" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \ - ip6tables -I FORWARD 2 -i "$NETWORK_DEVICE" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT + ip6tables -C FORWARD -i "$IPV6_UPLINK_DEV" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \ + ip6tables -I FORWARD 2 -i "$IPV6_UPLINK_DEV" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT save_iptables_rules } @@ -539,37 +549,40 @@ create_nym_chain() { ip6tables -N "$NYM_CHAIN" fi - if ! iptables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then - iptables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" + if ! iptables -C FORWARD -i "$WG_INTERFACE" -o "$IPV4_UPLINK_DEV" -j "$NYM_CHAIN" 2>/dev/null; then + iptables -I FORWARD 1 -i "$WG_INTERFACE" -o "$IPV4_UPLINK_DEV" -j "$NYM_CHAIN" fi - if ! ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then - ip6tables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" + if ! ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$IPV6_UPLINK_DEV" -j "$NYM_CHAIN" 2>/dev/null; then + ip6tables -I FORWARD 1 -i "$WG_INTERFACE" -o "$IPV6_UPLINK_DEV" -j "$NYM_CHAIN" fi } setup_nat_rules() { - info "setting up nat and forwarding rules for $WG_INTERFACE via $NETWORK_DEVICE" + info "setting up ipv4 nat and forwarding rules for $WG_INTERFACE via $IPV4_UPLINK_DEV" - if ! iptables -t nat -C POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE 2>/dev/null; then - iptables -t nat -A POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE - fi - if ! ip6tables -t nat -C POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE 2>/dev/null; then - ip6tables -t nat -A POSTROUTING -o "$NETWORK_DEVICE" -j MASQUERADE + if ! iptables -t nat -C POSTROUTING -o "$IPV4_UPLINK_DEV" -j MASQUERADE 2>/dev/null; then + iptables -t nat -A POSTROUTING -o "$IPV4_UPLINK_DEV" -j MASQUERADE fi - if ! iptables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j ACCEPT 2>/dev/null; then - iptables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j ACCEPT + if ! iptables -C FORWARD -i "$WG_INTERFACE" -o "$IPV4_UPLINK_DEV" -j ACCEPT 2>/dev/null; then + iptables -I FORWARD 1 -i "$WG_INTERFACE" -o "$IPV4_UPLINK_DEV" -j ACCEPT + fi + if ! iptables -C FORWARD -i "$IPV4_UPLINK_DEV" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null; then + iptables -I FORWARD 2 -i "$IPV4_UPLINK_DEV" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT fi - if ! iptables -C FORWARD -i "$NETWORK_DEVICE" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null; then - iptables -I FORWARD 2 -i "$NETWORK_DEVICE" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT + + info "setting up ipv6 nat and forwarding rules for $WG_INTERFACE via $IPV6_UPLINK_DEV" + + if ! ip6tables -t nat -C POSTROUTING -o "$IPV6_UPLINK_DEV" -j MASQUERADE 2>/dev/null; then + ip6tables -t nat -A POSTROUTING -o "$IPV6_UPLINK_DEV" -j MASQUERADE fi - if ! ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j ACCEPT 2>/dev/null; then - ip6tables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j ACCEPT + if ! ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$IPV6_UPLINK_DEV" -j ACCEPT 2>/dev/null; then + ip6tables -I FORWARD 1 -i "$WG_INTERFACE" -o "$IPV6_UPLINK_DEV" -j ACCEPT fi - if ! ip6tables -C FORWARD -i "$NETWORK_DEVICE" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null; then - ip6tables -I FORWARD 2 -i "$NETWORK_DEVICE" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT + if ! ip6tables -C FORWARD -i "$IPV6_UPLINK_DEV" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null; then + ip6tables -I FORWARD 2 -i "$IPV6_UPLINK_DEV" -o "$WG_INTERFACE" -m state --state RELATED,ESTABLISHED -j ACCEPT fi } @@ -772,8 +785,8 @@ clear_exit_policy_rules() { iptables -F "$NYM_CHAIN" 2>/dev/null || true ip6tables -F "$NYM_CHAIN" 2>/dev/null || true - iptables -D FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null || true - ip6tables -D FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null || true + iptables -D FORWARD -i "$WG_INTERFACE" -o "$IPV4_UPLINK_DEV" -j "$NYM_CHAIN" 2>/dev/null || true + ip6tables -D FORWARD -i "$WG_INTERFACE" -o "$IPV6_UPLINK_DEV" -j "$NYM_CHAIN" 2>/dev/null || true iptables -X "$NYM_CHAIN" 2>/dev/null || true ip6tables -X "$NYM_CHAIN" 2>/dev/null || true @@ -781,7 +794,8 @@ clear_exit_policy_rules() { show_exit_policy_status() { info "nym exit policy status" - info "network device: $NETWORK_DEVICE" + info "ipv4 uplink device: $IPV4_UPLINK_DEV" + info "ipv6 uplink device: $IPV6_UPLINK_DEV" info "wireguard interface: $WG_INTERFACE" echo @@ -1063,15 +1077,15 @@ test_forward_chain_hook() { local failures=0 - if iptables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then - ok "ipv4 forward hook ok: -i $WG_INTERFACE -o $NETWORK_DEVICE -> $NYM_CHAIN" + if iptables -C FORWARD -i "$WG_INTERFACE" -o "$IPV4_UPLINK_DEV" -j "$NYM_CHAIN" 2>/dev/null; then + ok "ipv4 forward hook ok: -i $WG_INTERFACE -o $IPV4_UPLINK_DEV -> $NYM_CHAIN" else error "ipv4 forward hook missing or wrong" ((failures++)) fi - if ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then - ok "ipv6 forward hook ok: -i $WG_INTERFACE -o $NETWORK_DEVICE -> $NYM_CHAIN" + if ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$IPV6_UPLINK_DEV" -j "$NYM_CHAIN" 2>/dev/null; then + ok "ipv6 forward hook ok: -i $WG_INTERFACE -o $IPV6_UPLINK_DEV -> $NYM_CHAIN" else error "ipv6 forward hook missing or wrong" ((failures++)) @@ -1167,7 +1181,8 @@ nym_tunnel_setup() { } exit_policy_install() { - info "installing nym wireguard exit policy for ${WG_INTERFACE} via ${NETWORK_DEVICE}" + info "installing nym wireguard ipv4 exit policy for ${WG_INTERFACE} via ${IPV4_UPLINK_DEV}" + info "installing nym wireguard ipv6 exit policy for ${WG_INTERFACE} via ${IPV6_UPLINK_DEV}" exit_policy_install_deps adjust_ip_forwarding create_nym_chain @@ -1309,7 +1324,7 @@ tunnel and nat helpers: check_nym_wg_tun Inspect forward chain for ${WG_INTERFACE} check_nymtun_iptables Inspect forward chain for ${TUNNEL_INTERFACE} configure_dns_and_icmp_wg Allow ping and dns ports on this host - fetch_and_display_ipv6 Show ipv6 on uplink ${NETWORK_DEVICE} + fetch_and_display_ipv6 Show ipv6 on uplink ${IPV6_UPLINK_DEV} fetch_ipv6_address_nym_tun Show global ipv6 address on ${TUNNEL_INTERFACE} joke_through_the_mixnet Test via ${TUNNEL_INTERFACE} with joke joke_through_wg_tunnel Test via ${WG_INTERFACE} with joke @@ -1326,7 +1341,8 @@ exit policy manager: Run verification tests on exit policy (options: --skip-default-reject). environment overrides: - NETWORK_DEVICE Auto-detected uplink (e.g., eth0). Set manually if detection fails. + IPV4_UPLINK_DEV Auto-detected ipv4 uplink (e.g., eth0). Set manually if detection fails. + IPV6_UPLINK_DEV Auto-detected ipv6 uplink (e.g., eth0.1). Set manually if detection fails. TUNNEL_INTERFACE Default: nymtun0. Requires root privileges (sudo) to manage. WG_INTERFACE Default: nymwg - Must match your WireGuard interface name. diff --git a/scripts/nym-node-setup/nym-node-cli.py b/scripts/nym-node-setup/nym-node-cli.py index 9d99fc4ad0..4231df8ccf 100755 --- a/scripts/nym-node-setup/nym-node-cli.py +++ b/scripts/nym-node-setup/nym-node-cli.py @@ -573,9 +573,10 @@ def run_node_installation(self,args): """Main function called by argparser command install running full node install flow""" self.ensure_env_values(args) # Pass uplink override to all helper scripts if provided - if getattr(args, "uplink_dev", None): - os.environ["UPLINK_DEV"] = args.uplink_dev - os.environ["NETWORK_DEVICE"] = args.uplink_dev + if getattr(args, "uplink_dev_v4", None): + os.environ["IPV4_UPLINK_DEV"] = args.uplink_dev_v4 + if getattr(args, "uplink_dev_v6", None): + os.environ["IPV6_UPLINK_DEV"] = args.uplink_dev_v6 self.run_script(self.prereqs_install_sh) self.run_script(self.node_install_sh) self.run_script(self.service_config_sh) @@ -640,7 +641,8 @@ def parser_main(self): install_parser.add_argument("--description", help="Short public description of the node") install_parser.add_argument("--public-ip", help="External IPv4 address (autodetected if omitted)") install_parser.add_argument("--nym-node-binary", help="URL for nym-node binary (autodetected if omitted)") - install_parser.add_argument("--uplink-dev", help="Override uplink interface used for NAT/FORWARD (e.g., 'eth0'; autodetected if omitted)") + install_parser.add_argument("--uplink-dev", help="Override ipv4 uplink interface used for NAT/FORWARD (e.g., 'eth0'; autodetected if omitted)") + install_parser.add_argument("--uplink-dev-v6", help="Override ipv6 uplink interface used for NAT/FORWARD (e.g., 'eth0.1'; autodetected if omitted)") # generic fallback install_parser.add_argument( diff --git a/scripts/nym-node-setup/quic_bridge_deployment.sh b/scripts/nym-node-setup/quic_bridge_deployment.sh index a1fe29ff3a..a265722917 100644 --- a/scripts/nym-node-setup/quic_bridge_deployment.sh +++ b/scripts/nym-node-setup/quic_bridge_deployment.sh @@ -60,16 +60,27 @@ NYM_ETC_BRIDGES="$NYM_ETC_DIR/bridges.toml" NYM_ETC_CLIENT_PARAMS_DEFAULT="$NYM_ETC_DIR/client_bridge_params.json" SERVICE_FILE="/etc/systemd/system/nym-bridge.service" -NET_DEV="${UPLINK_DEV:-}" -if [[ -z "$NET_DEV" ]]; then - NET_DEV="$(ip -o route show default 2>/dev/null | awk '{print $5}' | head -n1)" - [[ -z "$NET_DEV" ]] && NET_DEV="$(ip -o route show default table all 2>/dev/null | awk '{print $5}' | head -n1)" +NET4_DEV="${IPV4_UPLINK_DEV:-}" +if [[ -z "$NET4_DEV" ]]; then + NET4_DEV="$(ip -o route show default 2>/dev/null | awk '{print $5}' | head -n1)" + [[ -z "$NET4_DEV" ]] && NET4_DEV="$(ip -4 -o route get "$(getent ahostsv4 "ifconfig.co" | awk '$2=="STREAM" {print $1}' | head -n1)" 2>/dev/null | awk '{print $5}')" fi -if [[ -z "$NET_DEV" ]]; then - echo -e "${RED}Cannot determine uplink interface. Set UPLINK_DEV.${RESET}" | tee -a "$LOG_FILE" +if [[ -z "$NET4_DEV" ]]; then + echo -e "${RED}Cannot determine uplink interface. Set IPV4_UPLINK_DEV.${RESET}" | tee -a "$LOG_FILE" exit 1 fi -echo "Using uplink device: $NET_DEV" +echo "Using ipv4 uplink device: $NET4_DEV" + +NET6_DEV="${IPV6_UPLINK_DEV:-}" +if [[ -z "$NET6_DEV" ]]; then + NET6_DEV="$(ip -o route show default 2>/dev/null | awk '{print $5}' | head -n1)" + [[ -z "$NET6_DEV" ]] && NET6_DEV="$(ip -6 -o route get "$(getent ahostsv6 "ifconfig.co" | awk '$2=="STREAM" {print $1}' | head -n1)" 2>/dev/null | awk '{print $5}')" +fi +if [[ -z "$NET6_DEV" ]]; then + echo -e "${RED}Cannot determine uplink interface. Set IPV6_UPLINK_DEV.${RESET}" | tee -a "$LOG_FILE" + exit 1 +fi +echo "Using ipv6 uplink device: $NET6_DEV" WG_IFACE="nymwg" @@ -454,7 +465,7 @@ EOF apply_bridge_iptables_rules() { title "Checking iptables rules for bridge routing" - echo "Inspecting current iptables state for interface ${WG_IFACE} and uplink ${NET_DEV}." + echo "Inspecting current iptables state for interface ${WG_IFACE} and uplink ${NET4_DEV}." echo echo "IPv4 FORWARD:" @@ -463,6 +474,10 @@ apply_bridge_iptables_rules() { echo "IPv4 NAT POSTROUTING:" iptables -t nat -L POSTROUTING -n -v 2>/dev/null | sed -n '1,20p' || true echo + + echo "Inspecting current ip6tables state for interface ${WG_IFACE} and uplink ${NET6_DEV}." + echo + echo "IPv6 FORWARD:" ip6tables -L FORWARD -n -v 2>/dev/null | sed -n '1,20p' || true echo