Make stage4 output the wireguard public key

Nico Schottelius 2020-06-14 22:22:11 +02:00
parent de918f9456
commit 9b57f031ce


@ -195,6 +195,12 @@ opkg update
opkg install wireguard opkg install wireguard
opkg install luci-app-wireguard opkg install luci-app-wireguard
# The IPv6 lan configuration
uci set network.lanv6=interface
uci set network.lanv6.proto='static'
uci set network.lanv6.ip6addr='${my_lan_ip}/64'
uci set network.lanv6.ifname='br-lan'
# wifi ip address # wifi ip address
uci set network.wifi=interface uci set network.wifi=interface
uci set network.wifi.proto='static' uci set network.wifi.proto='static'
@ -226,6 +232,23 @@ uci set dhcp.wifi.interface='wifi'
uci set dhcp.wifi.ra='server' uci set dhcp.wifi.ra='server'
uci set dhcp.wifi.dynamicdhcp='0' uci set dhcp.wifi.dynamicdhcp='0'
# LAN / Router advertisements / DHCP
# DHCP: we are not authoratative
uci delete dhcp.@dnsmasq[0].authoritative
uci delete dhcp.lan.dhcpv6
uci delete dhcp.lan.start
uci delete dhcp.lan.limit
uci delete dhcp.lan.leasetime
# Do not announce ULA - we have GUA
uci delete network.globals.ula_prefix
uci set dhcp.lan=dhcp
uci set dhcp.lan.interface='lanv6'
uci set dhcp.lan.ra='server'
uci set dhcp.lan.dynamicdhcp='0'
# Fix DNS: make dnsmasq NOT use a resolv.conf # Fix DNS: make dnsmasq NOT use a resolv.conf
# so that it only reads from our servers with DNS64 enabled # so that it only reads from our servers with DNS64 enabled
uci set dhcp.@dnsmasq[0].noresolv='1' uci set dhcp.@dnsmasq[0].noresolv='1'
@ -234,6 +257,10 @@ uci set dhcp.@dnsmasq[0].noresolv='1'
# otherwise the VPN tunnel cannot be established # otherwise the VPN tunnel cannot be established
dhcp.@dnsmasq[0].localuse='0' dhcp.@dnsmasq[0].localuse='0'
# DNS upstream over VPN gives DNS64
uci delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'
# VPN / Wireguard # VPN / Wireguard
uci set network.wg0=interface uci set network.wg0=interface
@ -292,7 +319,7 @@ uci set firewall.@rule[-1].target='ACCEPT'
fi fi
# Add interfaces to the right network zone # Add interfaces to the right network zone
uci set firewall.@zone[0].network='lan lanv4 wifi' uci set firewall.@zone[0].network='lan lanv6 wifi'
uci set firewall.@zone[1].network='wg0' uci set firewall.@zone[1].network='wg0'
uci commit firewall uci commit firewall
@ -301,6 +328,7 @@ uci commit firewall
reboot reboot
EOF EOF
echo "Wireguard public key: ${public_key}"
} }
################################################################################ ################################################################################
@ -334,14 +362,8 @@ stage5()
# VPN works, remove artefacts, set correct DNS servers that support DNS64 # VPN works, remove artefacts, set correct DNS servers that support DNS64
cat <<EOF | ssh -t "root@${viirb_ip}" cat <<EOF | ssh -t "root@${viirb_ip}"
# DNS upstream over VPN gives DNS64
uci delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'
# Remove temporary IP # Remove temporary IP
uci delete network.lanv4temp uci delete network.lanv4temp
uci commit uci commit
# Remove our ssh keys # Remove our ssh keys