From 9b57f031ce050053019ed8d35fb84f1e71027fb5 Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Sun, 14 Jun 2020 22:22:11 +0200
Subject: [PATCH] Make stage4 output the wireguard public key
---
 setup-viirb.sh | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)
diff --git a/setup-viirb.sh b/setup-viirb.sh
index b8e7ca6..3e60825 100755
--- a/setup-viirb.sh
+++ b/setup-viirb.sh
@@ -195,6 +195,12 @@ opkg update
 opkg install wireguard
 opkg install luci-app-wireguard
+# The IPv6 lan configuration
+uci set network.lanv6=interface
+uci set network.lanv6.proto='static'
+uci set network.lanv6.ip6addr='${my_lan_ip}/64'
+uci set network.lanv6.ifname='br-lan'
+
 # wifi ip address
 uci set network.wifi=interface
 uci set network.wifi.proto='static'
@@ -226,6 +232,23 @@ uci set dhcp.wifi.interface='wifi'
 uci set dhcp.wifi.ra='server'
 uci set dhcp.wifi.dynamicdhcp='0'
+# LAN / Router advertisements / DHCP
+# DHCP: we are not authoratative
+uci delete dhcp.@dnsmasq[0].authoritative
+uci delete dhcp.lan.dhcpv6
+uci delete dhcp.lan.start
+uci delete dhcp.lan.limit
+uci delete dhcp.lan.leasetime
+
+# Do not announce ULA - we have GUA
+uci delete network.globals.ula_prefix
+
+uci set dhcp.lan=dhcp
+uci set dhcp.lan.interface='lanv6'
+uci set dhcp.lan.ra='server'
+uci set dhcp.lan.dynamicdhcp='0'
+
+
 # Fix DNS: make dnsmasq NOT use a resolv.conf
 # so that it only reads from our servers with DNS64 enabled
 uci set dhcp.@dnsmasq[0].noresolv='1'
@@ -234,6 +257,10 @@ uci set dhcp.@dnsmasq[0].noresolv='1'
 # otherwise the VPN tunnel cannot be established
 dhcp.@dnsmasq[0].localuse='0'
+# DNS upstream over VPN gives DNS64
+uci delete dhcp.@dnsmasq[0].server
+uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
+uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'
 # VPN / Wireguard
 uci set network.wg0=interface
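Review bot: In the hunk at `@@ -195,6 +195,12 @@`, `uci set network.lanv6.ip6addr='${my_lan_ip}/64'` places a local variable inside single quotes, which is only correct if the enclosing here-document uses an unquoted delimiter so the value is substituted before the text reaches the router; the opener is outside this hunk and should be confirmed. Given that, the value is pasted verbatim into a script that presumably runs with full privileges on the device, so a stray quote or space in it would alter the command rather than just the address. I would validate it before the here-document is built, for example `case "${my_lan_ip}" in *[!0-9A-Fa-f:]*|'') echo "invalid my_lan_ip" >&2; exit 1;; esac`.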
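Review bot: The `uci delete` lines added in the hunk at `@@ -226,6 +232,23 @@` (and `uci delete dhcp.@dnsmasq[0].server` in the following hunk) return an error when the option is absent, which is the case on a second run of this stage or on a device whose defaults differ. If the generated script is ever executed with `set -e`, which cannot be seen from here, it would abort part-way through the configuration. Making the deletes tolerant keeps the stage repeatable: `uci -q delete dhcp.lan.dhcpv6 || true`, and likewise for the others. The comment `# DHCP: we are not authoratative` should read `authoritative`.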
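Review bot: The upstream servers added in the hunk at `@@ -234,6 +257,10 @@` are, per the new comment, reached over the VPN, which makes the context line just above them matter: `dhcp.@dnsmasq[0].localuse='0'` has no `uci set` in front of it, so as shown here the shell would try to run it as a command and the option is never written. The comment above that line says the tunnel cannot be established without it, so with `noresolv='1'` and VPN-only forwarders the router may be unable to resolve the WireGuard endpoint while the tunnel is down. The line should read `uci set dhcp.@dnsmasq[0].localuse='0'`. The surrounding block starts and ends outside the hunk.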
@@ -292,7 +319,7 @@ uci set firewall.@rule[-1].target='ACCEPT'
 fi
 # Add interfaces to the right network zone
-uci set firewall.@zone[0].network='lan lanv4 wifi'
+uci set firewall.@zone[0].network='lan lanv6 wifi'
 uci set firewall.@zone[1].network='wg0'
 uci commit firewall
@@ -301,6 +328,7 @@ uci commit firewall
 reboot
 EOF
+ echo "Wireguard public key: ${public_key}"
 }
 ################################################################################
@@ -334,14 +362,8 @@ stage5() # VPN works, remove artefacts, set correct DNS servers that support DNS64 cat <
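Review bot: `uci set firewall.@zone[0].network='lan lanv6 wifi'` drops `lanv4` from the zone list, so it is worth confirming that no `network.lanv4` section is still created elsewhere in the script, which is not visible in this hunk. An interface that exists but belongs to no zone is handled by the firewall's default policies rather than by the rules of zone 0, and that is easy to miss in review. If `lanv4` is gone for good, a short comment such as `# lanv4 was replaced by lanv6 (see network.lanv6 above)` next to the line would record why the list changed.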
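Review bot: The added `echo "Wireguard public key: ${public_key}"` in the hunk at `@@ -301,6 +328,7 @@` reads `public_key`, which is not assigned anywhere in this hunk; if it is unset or empty at that point the line prints a blank key and the stage still looks successful. Since the operator presumably copies this value to the VPN peer, failing loudly is safer: `printf 'Wireguard public key: %s\n' "${public_key:?wireguard public key not set}"`. A one-line comment stating that only the public half of the key pair is printed here would also help later readers. The function body starts outside the hunk.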