Networking tunnel manager for nym-node

network_tunnel_manager.sh

#!/bin/bash

network_device=$(ip route show default | awk '/default/ {print $5}')
tunnel_interface="nymtun0"
wg_tunnel_interface="nymwg"

if ! dpkg -s iptables-persistent >/dev/null 2>&1; then
    sudo apt-get update
    sudo apt-get install -y iptables-persistent
else
    echo "iptables-persistent is already installed."
fi

fetch_ipv6_address_nym_tun() {
    ipv6_global_address=$(ip -6 addr show $tunnel_interface scope global | grep inet6 | awk '{print $2}' | head -n 1)

    if [[ -z "$ipv6_global_address" ]]; then
        echo "no globally routable IPv6 address found on $tunnel_interface. please configure IPv6 or check your network settings."
        exit 1
    else
        echo "using IPv6 address: $ipv6_global_address"
    fi
}

fetch_and_display_ipv6() {
    ipv6_address=$(ip -6 addr show ${network_device} scope global | grep inet6 | awk '{print $2}')
    if [[ -z "$ipv6_address" ]]; then
        echo "no global IPv6 address found on ${network_device}."
    else
        echo "IPv6 address on ${network_device}: $ipv6_address"
    fi
}

adjust_ip_forwarding() {
    ipv6_forwarding_setting="net.ipv6.conf.all.forwarding=1"
    ipv4_forwarding_setting="net.ipv4.ip_forward=1"
    echo "$ipv6_forwarding_setting" | sudo tee -a /etc/sysctl.conf
    echo "$ipv4_forwarding_setting" | sudo tee -a /etc/sysctl.conf
    sysctl -p /etc/sysctl.conf
}

apply_iptables_rules_wg() {
    echo "applying IPtables rules..."
    echo "network device: ${network_device}"
    echo "tunnel_interface: ${wg_tunnel_interface}"
    sleep 2
    sudo iptables -A FORWARD -i "$wg_tunnel_interface" -o "$network_device" -j ACCEPT
    sudo iptables -A FORWARD -i "$network_device" -o "$wg_tunnel_interface" -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo ip6tables -A FORWARD -i "$network_device" -o "$wg_tunnel_interface" -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo ip6tables -A FORWARD -i "$wg_tunnel_interface" -o "$network_device" -j ACCEPT
    sudo iptables-save | sudo tee /etc/iptables/rules.v4
    sudo ip6tables-save | sudo tee /etc/iptables/rules.v6
}

remove_iptables_rules_wg() {
    echo "removing IPtables rules..."
    echo "network device: ${network_device}"
    echo "tunnel_interface: ${wg_tunnel_interface}"
    sleep 2

    # IPv4 rules removal wg
    sudo iptables -D FORWARD -i "$wg_tunnel_interface" -o "$network_device" -j ACCEPT
    sudo iptables -D FORWARD -i "$network_device" -o "$wg_tunnel_interface" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # IPv6 rules removal wg
    sudo ip6tables -t nat -D POSTROUTING -o "$network_device" -j MASQUERADE
    sudo ip6tables -D FORWARD -i "$network_device" -o "$wg_tunnel_interface" -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo ip6tables -D FORWARD -i "$wg_tunnel_interface" -o "$network_device" -j ACCEPT

    sudo iptables-save | sudo tee /etc/iptables/rules.v4
    sudo ip6tables-save | sudo tee /etc/iptables/rules.v6
}

apply_iptables_rules() {
    echo "applying IPtables rules..."
    echo "network device: ${network_device}"
    echo "tunnel_interface: ${tunnel_interface}"
    sleep 2
    sudo iptables -t nat -A POSTROUTING -o "$network_device" -j MASQUERADE
    sudo iptables -A FORWARD -i "$tunnel_interface" -o "$network_device" -j ACCEPT
    sudo iptables -A FORWARD -i "$network_device" -o "$tunnel_interface" -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo ip6tables -t nat -A POSTROUTING -o "$network_device" -j MASQUERADE
    sudo ip6tables -A FORWARD -i "$network_device" -o "$tunnel_interface" -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo ip6tables -A FORWARD -i "$tunnel_interface" -o "$network_device" -j ACCEPT
    adjust_ip_forwarding
    sudo iptables-save | sudo tee /etc/iptables/rules.v4
    sudo ip6tables-save | sudo tee /etc/iptables/rules.v6
}

remove_iptables_rules() {
    echo "removing IPtables rules..."
    echo "network device: ${network_device}"
    echo "tunnel_interface: ${tunnel_interface}"
    sleep 2

    # IPv4 rules removal
    sudo iptables -t nat -D POSTROUTING -o "$network_device" -j MASQUERADE
    sudo iptables -D FORWARD -i "$tunnel_interface" -o "$network_device" -j ACCEPT
    sudo iptables -D FORWARD -i "$network_device" -o "$tunnel_interface" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # IPv6 rules removal
    sudo ip6tables -t nat -D POSTROUTING -o "$network_device" -j MASQUERADE
    sudo ip6tables -D FORWARD -i "$network_device" -o "$tunnel_interface" -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo ip6tables -D FORWARD -i "$tunnel_interface" -o "$network_device" -j ACCEPT

    sudo iptables-save | sudo tee /etc/iptables/rules.v4
    sudo ip6tables-save | sudo tee /etc/iptables/rules.v6
}

check_ipv6_ipv4_forwarding() {
    result_ipv4=$(cat /proc/sys/net/ipv4/ip_forward)
    result_ipv6=$(cat /proc/sys/net/ipv6/conf/all/forwarding)
    echo "IPv4 forwarding is $([ "$result_ipv4" == "1" ] && echo "enabled" || echo "not enabled")."
    echo "IPv6 forwarding is $([ "$result_ipv6" == "1" ] && echo "enabled" || echo "not enabled")."
}

check_nymtun_iptables() {
    echo "network Device: $network_device"
    echo "---------------------------------------"
    echo
    echo "inspecting IPv4 firewall rules..."
    iptables -L FORWARD -v -n | awk -v dev="$network_device" '/^Chain FORWARD/ || /nymtun0/ && dev || dev && /nymtun0/ || /ufw-reject-forward/'

    echo "---------------------------------------"
    echo
    echo "inspecting IPv6 firewall rules..."
    ip6tables -L FORWARD -v -n | awk -v dev="$network_device" '/^Chain FORWARD/ || /nymtun0/ && dev || dev && /nymtun0/ || /ufw6-reject-forward/'
}

joke_through_the_mixnet() {
    echo "checking Internet and mixnet connectivity (IPv4) via nymtun0..."
    ipv4_address=$(ip addr show nymtun0 | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)

    if [ -z "$ipv4_address" ]; then
        echo
        echo "no IPv4 address found on nymtun0."
        echo "please ensure IPv4 is configured correctly on your device."
        echo "unfortunately, there's no joke for you :( and you might not be able to route IPv4 traffic through your gateway to the internet."
    else
        joke=$(curl -s -H "Accept: application/json" --interface "$ipv4_address" https://icanhazdadjoke.com/ | jq -c .joke)

        if [ -z "$joke" ] || [ "$joke" = "null" ]; then
            echo "failed to fetch a joke. there might be an issue with the Internet connectivity or the joke service."
        else
            echo "joke fetched successfully:"
            echo "$joke"
        fi
    fi

    echo "checking Internet and mixnet connectivity (IPv6) via nymtun0..."
    ipv6_address=$(ip addr show nymtun0 | grep 'inet6 ' | awk '{print $2}' | cut -d'/' -f1 | grep -v '^fe80:')

    if [ -z "$ipv6_address" ]; then
        echo
        echo "no globally routable IPv6 address found on nymtun0."
        echo "please ensure IPv6 is enabled on your VPS or configure your security groups/firewall settings appropriately."
        echo "unfortunately there's no joke fo you :( and you can't route ipv6 traffic through your gateway to the internet"
    else
        joke=$(curl -s -H "Accept: application/json" --interface "$ipv6_address" https://icanhazdadjoke.com/ | jq -c .joke)

        if [ -z "$joke" ] || [ "$joke" = "null" ]; then
            echo "failed to fetch a joke. there might be an issue with the Internet connectivity or the joke service."
        else
            echo "joke fetched successfully:"
            echo "$joke"
        fi
    fi
}

check_ip6_ipv4_routing() {
    echo "---------------------------------------"
    echo "examining IPv4 routing table..."
    ip route
    echo "---------------------------------------"
    echo
    echo "examining IPv6 routing table..."
    ip -6 route
    echo
}

perform_ipv4_ipv6_pings() {
    echo "---------------------------------------"
    echo "checking IPv4 connectivity (example: google.com)..."
    ping -c 4 google.com
    echo "---------------------------------------"
    echo
    echo "checking IPv6 connectivity (example: google.com)..."
    ping6 -c 4 google.com
    echo
}

configure_dns_and_icmp_wg() {
    echo "allowing icmp (ping)..."
    sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

    echo "allowing dns over udp (port 53)..."
    sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT

    echo "allowing dns over tcp (port 53)..."
    sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    
    echo "saving iptables rules..."
    sudo iptables-save > /etc/iptables/rules.v4

    echo "dns and icmp configuration completed."
}

joke_through_wg_tunnel() {
    echo "checking nymwg tunnel status..."

    tunnel_status=$(ip link show nymwg | grep -o "state [A-Z]*")

    if [[ $tunnel_status == "state UNKNOWN" ]]; then
        echo "nymwg tunnel is up."
    else
        echo "nymwg tunnel is down."
        echo "please check your nymwg tunnel configuration."
        return
    fi

    echo "checking internet and mixnet connectivity (ipv4) via nymwg..."
    ipv4_address=$(ip addr show nymwg | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)

    if [ -z "$ipv4_address" ]; then
        echo
        echo "no ipv4 address found on nymwg."
        echo "please ensure ipv4 is configured correctly on your device."
        echo "unfortunately, there's no joke for you :( and you might not be able to route ipv4 traffic through your gateway to the internet."
    else
        joke=$(curl -s -H "accept: application/json" --interface "$ipv4_address" https://icanhazdadjoke.com/ | jq -c .joke)

        if [ -z "$joke" ] || [ "$joke" = "null" ]; then
            echo "failed to fetch a joke. there might be an issue with the internet connectivity or the joke service."
        else
            echo "joke fetched successfully:"
            echo "$joke"
        fi
    fi

    echo "checking internet and mixnet connectivity (ipv6) via nymwg..."
    ipv6_address=$(ip addr show nymwg | grep 'inet6 ' | awk '{print $2}' | cut -d'/' -f1 | grep -v '^fe80:')

    if [ -z "$ipv6_address" ]; then
        echo
        echo "no globally routable ipv6 address found on nymwg."
        echo "please ensure ipv6 is enabled on your vps or configure your security groups/firewall settings appropriately."
        echo "unfortunately, there's no joke for you :( and you can't route ipv6 traffic through your gateway to the internet."
    else
        joke=$(curl -s -H "accept: application/json" --interface "$ipv6_address" https://icanhazdadjoke.com/ | jq -c .joke)

        if [ -z "$joke" ] || [ "$joke" = "null" ]; then
            echo "failed to fetch a joke. there might be an issue with the internet connectivity or the joke service."
        else
            echo "joke fetched successfully:"
            echo "$joke"
        fi
    fi
}

case "$1" in
fetch_ipv6_address_nym_tun)
    fetch_ipv6_address_nym_tun
    ;;
fetch_and_display_ipv6)
    fetch_and_display_ipv6
    ;;
check_nymtun_iptables)
    check_nymtun_iptables
    ;;
apply_iptables_rules)
    apply_iptables_rules
    ;;
remove_iptables_rules)
    remove_iptables_rules
    ;;
check_ipv6_ipv4_forwarding)
    check_ipv6_ipv4_forwarding
    ;;
check_ip6_ipv4_routing)
    check_ip6_ipv4_routing
    ;;
perform_ipv4_ipv6_pings)
    perform_ipv4_ipv6_pings
    ;;
joke_through_the_mixnet)
    joke_through_the_mixnet
    ;;
apply_iptables_rules_wg)
    apply_iptables_rules_wg
    ;;
joke_through_wg_tunnel)
    joke_through_wg_tunnel
    ;;
configure_dns_and_icmp_wg)
    configure_dns_and_icmp_wg
    ;;
*)
    echo "usage: $0 [command]"
    echo "commands:"
    echo "  fetch_ipv6_address_nym_tun    - Fetches the IPv6 address assigned to the '$tunnel_interface'."
    echo "  fetch_and_display_ipv6        - Displays the IPv6 address on the default network device."
    echo "  apply_iptables_rules          - Applies necessary IPv4 and IPv6 iptables rules."
    echo "  apply_iptables_rules_wg       - Applies iptable rules for IPv4 and IPv6 for Wireguard."
    echo "  remove_iptables_rules         - Removes applied IPv4 and IPv6 iptables rules."
    echo "  remove_iptables_rules_wg      - Removes applied IPv4 and IPv6 iptables rules for Wireguard."
    echo "  check_ipv6_ipv4_forwarding    - Checks if IPv4 and IPv6 forwarding are enabled."
    echo "  check_nymtun_iptables         - Check nymtun0 device."
    echo "  perform_ipv4_ipv6_pings       - Perform IPv4 and IPv6 pings to google."
    echo "  check_ip6_ipv4_routing        - Check IPv6 and IPv4 routing."
    echo "  joke_through_the_mixnet       - Run a joke through the mixnet via IPv4 and IPv6."
    echo "  joke_through_wg_tunnel        - Run a wg test, and get a joke through the wg tunnel."
    echo "  configure_dns_and_icmp_wg     - Allows icmp ping tests for probes alongside configuring dns"
    echo "please provide one of the above commands."
    exit 1
    ;;
esac

echo "operation $1 completed successfully."

network_tunnel_manager overview

purpose

this script manages network configurations, focusing on the nym-gateway tunnel interface nymtun0 managed by nym-gateway, and the nym wireguard tunnel interface nymwg. it assists in the creation and removal of iptables rules and checks on IPv4 and IPv6 forwarding statuses.

commands

• fetch_ipv6_address_nym_tun - fetches the IPv6 address assigned to nymtun0.
• fetch_and_display_ipv6 - displays the IPv6 address on the default network device.
• apply_iptables_rules - applies necessary IPv4 and IPv6 iptables rules for nymtun0.
• remove_iptables_rules - removes applied IPv4 and IPv6 iptables rules for nymtun0.
• apply_iptables_rules_wg - applies necessary IPv4 and IPv6 iptables rules for the nym wireguard tunnel nymwg.
• remove_iptables_rules_wg - removes applied IPv4 and IPv6 iptables rules for nymwg.
• check_ipv6_ipv4_forwarding - checks if IPv4 and IPv6 forwarding are enabled.
• check_nymtun_iptables - checks iptables rules specific to nymtun0.
• perform_ipv4_ipv6_pings - performs IPv4 and IPv6 pings to google.com.
• check_ip6_ipv4_routing - checks and displays IPv6 and IPv4 routing tables.
• joke_through_the_mixnet - checks connectivity via nymtun0 and fetches a joke using IPv4 and IPv6.
• joke_through_wg_tunnel - checks connectivity via the nymwg tunnel and fetches a joke using IPv4 and IPv6.
• configure_dns_and_icmp_wg - Allows icmp ping tests for probes alongside configuring dns.

nym-node dependency

the nymtun0 interface is dynamically managed by the nym-node service. when the service is stopped, nymtun0 disappears, and when started, nymtun0 is recreated. the script should be used in a context where nym-node is running to fully utilise its capabilities, particularly for fetching IPv6 addresses or applying network rules that depend on the nymtun0 interface.

nym wireguard (nymwg) interface

the nymwg interface is used for creating a secure wireguard tunnel as part of the nym network configuration. similar to nymtun0, the script manages iptables rules specific to nymwg to ensure proper routing and forwarding through the wireguard tunnel. the nymwg interface needs to be correctly configured and active for the related commands to function properly. this includes applying or removing iptables rules and running connectivity tests through the nymwg tunnel.

operational flow

installation and checks

• upon executing the script, it first checks for and installs iptables-persistent if not already installed.

network configuration

• adjusts system settings for IP forwarding.
• applies or removes iptables rules as needed to ensure proper routing and forwarding, both for nymtun0 and nymwg interfaces.

connectivity tests

• checks IPv4 and IPv6 forwarding statuses.
• optionally, performs a connectivity test by fetching a joke through IPv4 or IPv6 to validate network functionality through nymtun0 or nymwg.
• checks IPv6 and IPv4 routing.
• performs IPv6 and IPv4 pings to google.com.

usage and execution

the script is executed with specific commands to perform its various functions, e.g., ./network_tunnel_manager.sh apply_iptables_rules. proper functioning assumes that the nym-node service is active, as the presence of the nymtun0 interface is crucial for several script functions. for wireguard-specific functions, ensure that the nymwg interface is properly configured and active.

practical implications

before applying iptables rules or performing connectivity tests, ensure that nym-node is running so that the nymtun0 interface is active. similarly, for wireguard-related tasks, ensure that the nymwg interface is correctly set up and running.

Gist update

When developing the functionality to integrate WireGuard, while troubleshooting 30+ nodes in mainnet after incorporating netstack into our gateway probe, we encountered the following output:

{
  "wg": {
    "can_register": true,
    "can_handshake": true,
    "can_resolve_dns": false,
    "ping_hosts_performance": 0.0,
    "ping_ips_performance": 0.0
  }
}

Many nodes successfully registered and completed the handshake, but the probe failed to progress beyond that point. To resolve this, we've introduced the method configure_dns_and_icmp_wg, which should enable the nym-gateway-probe to proceed with the necessary DNS resolution and ping performance checks, allowing it to function as intended.

However, if these rules are being managed through security groups (for example, in AWS), you will need to apply the necessary UDP/53 rule there. This involves:

• Editing the security group associated with the instance.
• Adding an inbound rule for UDP on port 53 to allow DNS traffic. Optionally, TCP/53 can be opened for larger DNS responses, though it may not be necessary.