Skip to content

Instantly share code, notes, and snippets.

@crawc

crawc/README.md

Forked from taxilian/README.md
Created April 22, 2023 20:03
Show Gist options
  • Save crawc/6b77bf50fe4b66dde557e25013ee2d0c to your computer and use it in GitHub Desktop.
Save crawc/6b77bf50fe4b66dde557e25013ee2d0c to your computer and use it in GitHub Desktop.
Download ZIP
OPNSense: Scripts to run as a cron job to enable or disable wireguard based on the CARP status
Raw
README.md

Installation

  • Install checkWireguard as /usr/local/opnsense/scripts/OPNsense/Wireguard/checkWireguard
  • Install actions_wireguardCarp.conf as /usr/local/opnsense/service/conf/actions.d/actions_wireguardCarp.conf
  • run service configd restart
  • In the OPNSense UI - add a CRON job in System -> Settings -> Cron to call the script
Raw
actions_wireguardCarp.conf
[check]
command: /usr/local/opnsense/scripts/OPNsense/Wireguard/checkWireguard
parameters:
type:script
message: Updating Wireguard State
description: Enable or Disable Wireguard state from CARP state
Raw
checkWireguard
#!/usr/local/bin/php
<?php
/*
* Copyright (C) 2022 GradeCam
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
// Some of the ideas and methods of this come from this script:
// https://gist.github.com/jprenken/18ca7bf14ddae547ae0fdf6f56d72573
require_once("config.inc");
require_once("interfaces.inc");
require_once("util.inc");
$cmd = "/sbin/ifconfig -m -v | grep 'carp:' | awk '{print $2}'";
exec($cmd, $ifconfig_data, $ret);
$masterCount = 0;
$backupCount = 0;
// Loop over $ifconfig_data and count how many are "MASTER" and how many "BACKUP"
foreach ($ifconfig_data as $line) {
if (strpos($line, 'MASTER') !== false) {
$masterCount++;
} else if (strpos($line, 'BACKUP') !== false) {
$backupCount++;
}
}
if ($masterCount > $backupCount) {
// The current node is MASTER
echo "CARP MASTER detected\n";
# Checking `isset` avoids a race condition during startup when the
# WireGuard config stanza seems like it's not yet loaded. Without it, this
# can create an extra, empty, invalid stanza that breaks WireGuard.
if (isset($config['OPNsense']['wireguard']['general']['enabled'])) {
$config['OPNsense']['wireguard']['general']['enabled'] = '1';
}
configd_run('wireguard start');
write_config("Enable WireGuard due to CARP event '$type'", false);
} else {
echo "CARP BACKUP detected\n";
configd_run('wireguard stop');
if (isset($config['OPNsense']['wireguard']['general']['enabled'])) {
$config['OPNsense']['wireguard']['general']['enabled'] = '0';
}
write_config("Disable WireGuard due to CARP event '$type'", false);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment