iHmm?
Signed-off-by: Nico Schottelius <nico@nico-notebook.schottelius.org>
parent
5b64fd461e
commit
6d8c93b54c
2 changed files with 4 additions and 391 deletions
|
@ -63,7 +63,10 @@ uci delete dhcp.lan.leasetime
|
||||||
# Do not announce ULA - we have GUA
|
# Do not announce ULA - we have GUA
|
||||||
uci delete network.globals.ula_prefix
|
uci delete network.globals.ula_prefix
|
||||||
|
|
||||||
|
# This is configuring the dhcp IPv4 client
|
||||||
uci set dhcp.lan=dhcp
|
uci set dhcp.lan=dhcp
|
||||||
|
|
||||||
|
# Setup Router Advertisements
|
||||||
uci set dhcp.lan.interface='lanv6'
|
uci set dhcp.lan.interface='lanv6'
|
||||||
uci set dhcp.lan.ra='server'
|
uci set dhcp.lan.ra='server'
|
||||||
uci set dhcp.lan.dynamicdhcp='0'
|
uci set dhcp.lan.dynamicdhcp='0'
|
||||||
|
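Review bot: The added comment `# This is configuring the dhcp IPv4 client` above `uci set dhcp.lan=dhcp` reads as misleading, because the `dhcp.lan` section it introduces is bound to `lanv6` with `ra='server'` and `dynamicdhcp='0'`, i.e. it is the server-side DHCP/router-advertisement section for the LAN rather than a DHCP client (on OpenWrt the IPv4 client is selected via `network.lan.proto='dhcp'`, which the script removed elsewhere in this commit also sets). Suggest rewording it to `# dhcp.lan: server-side DHCP/RA section for the LAN (the IPv4 client is network.lan.proto='dhcp')`. The second added comment, `# Setup Router Advertisements`, matches the three `uci set dhcp.lan.*` lines under it. The enclosing heredoc and function begin outside this hunk, so I cannot confirm from here which interface the surrounding block configures.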
@ -114,6 +117,7 @@ uci delete wireless.radio0.disabled
|
||||||
|
|
||||||
# This is temporary - keeping it until the config process is through
|
# This is temporary - keeping it until the config process is through
|
||||||
# Probably not needet - we can connect to the final IPv6 address!
|
# Probably not needet - we can connect to the final IPv6 address!
|
||||||
|
# This code commented out == The address vanishes due to above reconfiguration
|
||||||
# uci set network.lanv4temp=interface
|
# uci set network.lanv4temp=interface
|
||||||
# uci set network.lanv4temp.proto='static'
|
# uci set network.lanv4temp.proto='static'
|
||||||
# uci set network.lanv4temp.ifname='br-lan'
|
# uci set network.lanv4temp.ifname='br-lan'
|
||||||
|
|
|
@ -1,391 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
# 2020-06-13, Nico Schottelius
|
|
||||||
# See https://ungleich.ch/u/products/viirb-ipv6-box/
|
|
||||||
|
|
||||||
if [ $# -lt 4 ]; then
|
|
||||||
echo "$0 interface viirb-id your-dot-cdist [stages]"
|
|
||||||
echo " interface to add the config ip address to"
|
|
||||||
echo " viirb-id: number in decimal format"
|
|
||||||
echo " your-dot-cdist: path to YOUR ungleich-dot-cdist repo"
|
|
||||||
echo " owner-mail-reference: How to identify the owner"
|
|
||||||
echo " stages: define which stages to execute"
|
|
||||||
echo ""
|
|
||||||
echo " stage1: setup your host, check connection to VIIRB"
|
|
||||||
echo " stage2: flash latest openwrt onto the VIIRB"
|
|
||||||
echo " stage3: configure the vpn endpoint"
|
|
||||||
echo " stage4: configure the VIIRB with wireguard + settings"
|
|
||||||
echo " stage5: Verify VIIRB on VPN, cleanup VIIRB"
|
|
||||||
echo ""
|
|
||||||
echo "Example to configure viirb02:"
|
|
||||||
echo "$0 wlan0 2 ~/vcs/ungleich-dot-cdist 'Nico Schottelius, nico.schottelius@ungleich.ch, Ticket 2342'"
|
|
||||||
echo "$0 wlan0 2 ~/vcs/ungleich-dot-cdist 'Nico Schottelius, nico.schottelius@ungleich.ch, Ticket 2342' '1 3 4'"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "FIXME: missing IPv6 announcements on LAN"
|
|
||||||
echo "FIXME: DNS situation: upstream, non upstream, ungleich, how to resolve tunnel endpoint"
|
|
||||||
|
|
||||||
set -x
|
|
||||||
|
|
||||||
set -x
|
|
||||||
dev=$1; shift
|
|
||||||
id=$1; shift
|
|
||||||
dot_cdist=$1; shift
|
|
||||||
owner=$1; shift
|
|
||||||
|
|
||||||
if [ $# -ge 1 ]; then
|
|
||||||
stages=$1; shift
|
|
||||||
else
|
|
||||||
stages="1 2 3 4 5"
|
|
||||||
fi
|
|
||||||
|
|
||||||
hex_id=$(printf "%0.2x\n" "$id")
|
|
||||||
viirb_hostname=viirb${hex_id}
|
|
||||||
|
|
||||||
prefix_base=2a0a:e5c1:3
|
|
||||||
my_prefix=${prefix_base}${hex_id}
|
|
||||||
my_network=${my_prefix}::/48
|
|
||||||
|
|
||||||
my_wireguard_ip=${my_prefix}::42
|
|
||||||
my_lan_ip=${my_prefix}:cafe::42
|
|
||||||
my_wifi_ip=${my_prefix}:7ea::42
|
|
||||||
|
|
||||||
# openwrt
|
|
||||||
version=19.07.3
|
|
||||||
filename=openwrt-${version}-ramips-mt76x8-vocore2-squashfs-sysupgrade.bin
|
|
||||||
|
|
||||||
# root password
|
|
||||||
root_password=$(pwgen -1 32)
|
|
||||||
|
|
||||||
# IP address for setting it up initially
|
|
||||||
viirb_ip=192.168.61.1
|
|
||||||
|
|
||||||
# wireguard
|
|
||||||
private_key=$(wg genkey)
|
|
||||||
public_key=$(echo $private_key | wg pubkey)
|
|
||||||
|
|
||||||
vpn_endpoint_host=vpn-2a0ae5c1300.ungleich.ch
|
|
||||||
vpn_endpoint_pubkey=ft68G2RID7gZ6PXjFCSCOdJ9yspRg+tUw0YrNK9cTxE=
|
|
||||||
|
|
||||||
# cdist
|
|
||||||
dot_cdist_files=${dot_cdist}/type/__ungleich_wireguard/files
|
|
||||||
peerfilename=${vpn_endpoint_host}.peer${hex_id}
|
|
||||||
peerfile=${dot_cdist_files}/${peerfilename}
|
|
||||||
vpnconfig=${dot_cdist_files}/${vpn_endpoint_host}
|
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# Stage 1: test / connect to the new VIIRB
|
|
||||||
#
|
|
||||||
# We delete so that we can run idempotent
|
|
||||||
stage1()
|
|
||||||
{
|
|
||||||
sudo ip addr del 192.168.61.2/24 dev "$dev" 2>/dev/null || true
|
|
||||||
sudo ip addr add 192.168.61.2/24 dev "$dev"
|
|
||||||
|
|
||||||
# don't care about other/old known_host entries
|
|
||||||
ssh-keygen -R ${viirb_ip}
|
|
||||||
|
|
||||||
ping -c2 ${viirb_ip}
|
|
||||||
if [ $? -ne 0 ]; then
|
|
||||||
echo "Cannot reach any VIIRB - exiting"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
cat ~/.ssh/id_rsa.pub | ssh root@${viirb_ip} "cat > /etc/dropbear/authorized_keys"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# Get latest OpenWRT & flash it
|
|
||||||
stage2()
|
|
||||||
{
|
|
||||||
# Don't re-download if we already have it
|
|
||||||
wget -c http://downloads.openwrt.org/releases/${version}/targets/ramips/mt76x8/$(unknown)
|
|
||||||
scp $(unknown) root@${viirb_ip}:/tmp
|
|
||||||
ssh root@${viirb_ip} "sysupgrade /tmp/*.bin"
|
|
||||||
|
|
||||||
# It still pings for some time - wait for the reboot to happen
|
|
||||||
echo "Waiting for VIIRB to disappear"
|
|
||||||
sleep 15
|
|
||||||
|
|
||||||
wait=0
|
|
||||||
found=""
|
|
||||||
|
|
||||||
while [ $wait -lt 180 ]; do
|
|
||||||
ping -c1 ${viirb_ip} >/dev/null
|
|
||||||
|
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
found=yes
|
|
||||||
# wait for ssh to come up
|
|
||||||
sleep 10
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
|
|
||||||
sleep 1
|
|
||||||
wait=$((wait+1))
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ ! "$found" ]; then
|
|
||||||
echo "Did not find updated viirb - debug / restart it"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# Stage 3: prepare VPN endpoint
|
|
||||||
#
|
|
||||||
|
|
||||||
stage3()
|
|
||||||
{
|
|
||||||
|
|
||||||
# Configure VPN server / update cdist
|
|
||||||
echo Updating VPNserver
|
|
||||||
cat <<EOF > ${peerfile}
|
|
||||||
# ${viirb_hostname} ${owner}
|
|
||||||
[Peer]
|
|
||||||
PublicKey = ${public_key}
|
|
||||||
AllowedIPs = ${my_network}
|
|
||||||
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Generate real config
|
|
||||||
cat ${dot_cdist_files}/${vpn_endpoint_host}.* > ${vpnconfig}
|
|
||||||
cd ${dot_cdist_files}
|
|
||||||
git add ${vpn_endpoint_host} ${peerfilename}
|
|
||||||
git commit -m "[vpn] Updated config for peer ${viirb_hostname} ${my_network}"
|
|
||||||
git pull
|
|
||||||
git push
|
|
||||||
|
|
||||||
cdist config -vv -j8 ${vpn_endpoint_host} -c ${dot_cdist}
|
|
||||||
}
|
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# Stage 4: configure the VIIRB
|
|
||||||
#
|
|
||||||
stage4()
|
|
||||||
{
|
|
||||||
|
|
||||||
cat <<EOF | ssh -t "root@${viirb_ip}"
|
|
||||||
set -x
|
|
||||||
|
|
||||||
# Setup lan to also retrieve an ip address via dhcp
|
|
||||||
|
|
||||||
# This stays in the final setup
|
|
||||||
uci set network.lan.proto='dhcp'
|
|
||||||
uci delete network.lan.ipaddr
|
|
||||||
uci delete network.lan.netmask
|
|
||||||
|
|
||||||
# This is temporary
|
|
||||||
uci set network.lanv4temp=interface
|
|
||||||
uci set network.lanv4temp.proto='static'
|
|
||||||
uci set network.lanv4temp.ifname='br-lan'
|
|
||||||
uci set network.lanv4temp.ipaddr='192.168.61.1'
|
|
||||||
uci set network.lanv4temp.netmask='255.255.255.0'
|
|
||||||
|
|
||||||
uci commit network
|
|
||||||
/etc/init.d/network restart
|
|
||||||
|
|
||||||
# ensure internet is up and running
|
|
||||||
sleep 3
|
|
||||||
ping -c5 ungleich.ch
|
|
||||||
|
|
||||||
# update the sources
|
|
||||||
opkg update
|
|
||||||
|
|
||||||
# install wireguard + gui
|
|
||||||
opkg install wireguard
|
|
||||||
opkg install luci-app-wireguard
|
|
||||||
|
|
||||||
# The IPv6 lan configuration
|
|
||||||
uci set network.lanv6=interface
|
|
||||||
uci set network.lanv6.proto='static'
|
|
||||||
uci set network.lanv6.ip6addr='${my_lan_ip}/64'
|
|
||||||
uci set network.lanv6.ifname='br-lan'
|
|
||||||
|
|
||||||
# wifi ip address
|
|
||||||
uci set network.wifi=interface
|
|
||||||
uci set network.wifi.proto='static'
|
|
||||||
uci set network.wifi.ip6addr='${my_wifi_ip}/64'
|
|
||||||
|
|
||||||
# Wifi configuration
|
|
||||||
uci set wireless.radio0=wifi-device
|
|
||||||
uci set wireless.radio0.type='mac80211'
|
|
||||||
uci set wireless.radio0.hwmode='11g'
|
|
||||||
uci set wireless.radio0.path='platform/10300000.wmac'
|
|
||||||
uci set wireless.radio0.htmode='HT40'
|
|
||||||
uci set wireless.radio0.country='CH'
|
|
||||||
uci set wireless.radio0.channel='6'
|
|
||||||
|
|
||||||
# Ensure it is not disabled
|
|
||||||
uci delete wireless.radio0.disabled
|
|
||||||
|
|
||||||
uci set wireless.default_radio0=wifi-iface
|
|
||||||
uci set wireless.default_radio0.device='radio0'
|
|
||||||
uci set wireless.default_radio0.mode='ap'
|
|
||||||
uci set wireless.default_radio0.encryption='psk2'
|
|
||||||
uci set wireless.default_radio0.key='iloveipv6'
|
|
||||||
uci set wireless.default_radio0.ssid='IPv6 everywhere ${viirb_hostname}'
|
|
||||||
uci set wireless.default_radio0.network='wifi'
|
|
||||||
|
|
||||||
# Wifi / Router advertisements
|
|
||||||
uci set dhcp.wifi=dhcp
|
|
||||||
uci set dhcp.wifi.interface='wifi'
|
|
||||||
uci set dhcp.wifi.ra='server'
|
|
||||||
uci set dhcp.wifi.dynamicdhcp='0'
|
|
||||||
|
|
||||||
# LAN / Router advertisements / DHCP
|
|
||||||
# DHCP: we are not authoratative
|
|
||||||
uci delete dhcp.@dnsmasq[0].authoritative
|
|
||||||
uci delete dhcp.lan.dhcpv6
|
|
||||||
uci delete dhcp.lan.start
|
|
||||||
uci delete dhcp.lan.limit
|
|
||||||
uci delete dhcp.lan.leasetime
|
|
||||||
|
|
||||||
# Do not announce ULA - we have GUA
|
|
||||||
uci delete network.globals.ula_prefix
|
|
||||||
|
|
||||||
uci set dhcp.lan=dhcp
|
|
||||||
uci set dhcp.lan.interface='lanv6'
|
|
||||||
uci set dhcp.lan.ra='server'
|
|
||||||
uci set dhcp.lan.dynamicdhcp='0'
|
|
||||||
|
|
||||||
|
|
||||||
# Fix DNS: make dnsmasq NOT use a resolv.conf
|
|
||||||
# so that it only reads from our servers with DNS64 enabled
|
|
||||||
uci set dhcp.@dnsmasq[0].noresolv='1'
|
|
||||||
|
|
||||||
# Fix DNS: make the OS use the locally provided DNS servers
|
|
||||||
# otherwise the VPN tunnel cannot be established
|
|
||||||
dhcp.@dnsmasq[0].localuse='0'
|
|
||||||
|
|
||||||
# DNS upstream over VPN gives DNS64
|
|
||||||
uci delete dhcp.@dnsmasq[0].server
|
|
||||||
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
|
|
||||||
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'
|
|
||||||
|
|
||||||
# VPN / Wireguard
|
|
||||||
uci set network.wg0=interface
|
|
||||||
uci set network.wg0.proto='wireguard'
|
|
||||||
uci set network.wg0.private_key='${private_key}'
|
|
||||||
uci set network.wg0.listen_port='51820'
|
|
||||||
uci set network.wg0.addresses='${my_wireguard_ip}/64'
|
|
||||||
|
|
||||||
if ! uci get network.@wireguard_wg0[0]; then
|
|
||||||
uci add network wireguard_wg0
|
|
||||||
fi
|
|
||||||
|
|
||||||
uci set network.@wireguard_wg0[0]=wireguard_wg0
|
|
||||||
uci set network.@wireguard_wg0[0].persistent_keepalive='25'
|
|
||||||
uci set network.@wireguard_wg0[0].public_key='${vpn_endpoint_pubkey}'
|
|
||||||
uci set network.@wireguard_wg0[0].description='IPv6VPN.ch by ungleich'
|
|
||||||
uci set network.@wireguard_wg0[0].allowed_ips='::/0'
|
|
||||||
uci set network.@wireguard_wg0[0].endpoint_host='${vpn_endpoint_host}'
|
|
||||||
uci set network.@wireguard_wg0[0].endpoint_port='51820'
|
|
||||||
uci set network.@wireguard_wg0[0].route_allowed_ips='1'
|
|
||||||
|
|
||||||
uci set system.@system[0].hostname="${viirb_hostname}"
|
|
||||||
|
|
||||||
uci commit
|
|
||||||
|
|
||||||
# Firewall configuration
|
|
||||||
|
|
||||||
if ! uci show firewall | grep "name='Allow-SSH'"; then
|
|
||||||
uci add firewall rule
|
|
||||||
uci set firewall.@rule[-1].name='Allow-SSH'
|
|
||||||
uci set firewall.@rule[-1].src='wan'
|
|
||||||
uci set firewall.@rule[-1].dest='lan'
|
|
||||||
uci set firewall.@rule[-1].proto='tcp'
|
|
||||||
uci set firewall.@rule[-1].dest_port='22'
|
|
||||||
uci set firewall.@rule[-1].target='ACCEPT'
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! uci show firewall | grep "name='Allow-HTTPS'"; then
|
|
||||||
uci add firewall rule
|
|
||||||
uci set firewall.@rule[-1].name='Allow-HTTPS'
|
|
||||||
uci set firewall.@rule[-1].src='wan'
|
|
||||||
uci set firewall.@rule[-1].dest='lan'
|
|
||||||
uci set firewall.@rule[-1].proto='tcp'
|
|
||||||
uci set firewall.@rule[-1].dest_port='443'
|
|
||||||
uci set firewall.@rule[-1].target='ACCEPT'
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! uci show firewall | grep "name='Allow-HTTP'"; then
|
|
||||||
uci add firewall rule
|
|
||||||
uci set firewall.@rule[-1].name='Allow-HTTP'
|
|
||||||
uci set firewall.@rule[-1].src='wan'
|
|
||||||
uci set firewall.@rule[-1].dest='lan'
|
|
||||||
uci set firewall.@rule[-1].proto='tcp'
|
|
||||||
uci set firewall.@rule[-1].dest_port='80'
|
|
||||||
uci set firewall.@rule[-1].target='ACCEPT'
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Add interfaces to the right network zone
|
|
||||||
uci set firewall.@zone[0].network='lan lanv6 wifi'
|
|
||||||
uci set firewall.@zone[1].network='wg0'
|
|
||||||
|
|
||||||
uci commit firewall
|
|
||||||
|
|
||||||
# Reboot
|
|
||||||
reboot
|
|
||||||
EOF
|
|
||||||
|
|
||||||
echo "Wireguard public key: ${public_key}"
|
|
||||||
}
|
|
||||||
|
|
||||||
################################################################################
|
|
||||||
# Stage 5: Verify the VIIRB via VPN
|
|
||||||
#
|
|
||||||
stage5()
|
|
||||||
{
|
|
||||||
|
|
||||||
# Wait for the VIIRB to come back, but on the VPN address
|
|
||||||
wait=0
|
|
||||||
found=""
|
|
||||||
|
|
||||||
while [ $wait -lt 180 ]; do
|
|
||||||
ping -c1 ${my_wireguard_ip} >/dev/null
|
|
||||||
|
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
found=yes
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
sleep 1
|
|
||||||
wait=$((wait+1))
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ ! "$found" ]; then
|
|
||||||
echo "Cannot reach VIIRB via VPN - check manually"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Cleanup process."
|
|
||||||
echo "Set the root password when prompted to: ${root_password}"
|
|
||||||
|
|
||||||
# VPN works, remove artefacts, set correct DNS servers that support DNS64
|
|
||||||
cat <<EOF | ssh -t "root@${viirb_ip}"
|
|
||||||
# Remove temporary IP
|
|
||||||
uci delete network.lanv4temp
|
|
||||||
|
|
||||||
# Correct SSID
|
|
||||||
uci set wireless.default_radio0.ssid='IPv6 everywhere'
|
|
||||||
uci commit
|
|
||||||
|
|
||||||
# Remove our ssh keys
|
|
||||||
rm -f /etc/dropbear/authorized_keys
|
|
||||||
|
|
||||||
# Setup root password
|
|
||||||
printf "${root_password}\n${root_password}\n" | passwd
|
|
||||||
EOF
|
|
||||||
|
|
||||||
echo "Submit to user the root password = ${root_password}"
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
for stage in $(seq 1 5);do
|
|
||||||
if echo $stages | grep -q $stage; then
|
|
||||||
eval stage${stage}
|
|
||||||
fi
|
|
||||||
done
|
|