[pib] cleanup / document the script

This commit is contained in:
Nico Schottelius 2020-09-07 16:52:14 +02:00
parent 3470ca62df
commit caabcc2f47


@ -1,11 +1,14 @@
#!/bin/sh #!/bin/sh
# Assumptions: # Assumptions:
# - pib is factory reset # - pib (APU) is factory reset OpenWRT
# - WAN port is connected with an active upstream # - WAN port is connected with an active upstream (pib has internet connectivity via WAN port)
# - You are connected via LAN/can ssh into it # - You are connected via LAN and you can ssh into it
if [ $# -ne 2 ]; then # How it works
#
if [ $# -lt 2 ]; then
echo "$0 ip-address vpn-network [wireguard-private-key]" echo "$0 ip-address vpn-network [wireguard-private-key]"
echo " ip-address: where to find the PIB" echo " ip-address: where to find the PIB"
echo " network: 2a0a:e5c0:123::/48" echo " network: 2a0a:e5c0:123::/48"
@ -44,8 +47,7 @@ opkg update
opkg install libustream-openssl ca-bundle ca-certificates opkg install libustream-openssl ca-bundle ca-certificates
# install wireguard + gui # install wireguard + gui
opkg install wireguard opkg install wireguard luci-app-wireguard
opkg install luci-app-wireguard
# We are never authoritative for IPv4 # We are never authoritative for IPv4
uci delete dhcp.@dnsmasq[0].authoritative uci delete dhcp.@dnsmasq[0].authoritative
@ -53,6 +55,9 @@ uci delete dhcp.@dnsmasq[0].authoritative
# Do not announce ULA - we have GUA # Do not announce ULA - we have GUA
uci delete network.globals.ula_prefix uci delete network.globals.ula_prefix
# Setup hostname
uci set system.@system[0].hostname="${my_hostname}"
# Do not set/get? Was necessary, don't recall why # Do not set/get? Was necessary, don't recall why
uci set dhcp.@dnsmasq[0].noresolv='1' uci set dhcp.@dnsmasq[0].noresolv='1'
@ -107,8 +112,6 @@ uci set network.@wireguard_wg0[0].endpoint_host='${vpn_endpoint_host}'
uci set network.@wireguard_wg0[0].endpoint_port='51820' uci set network.@wireguard_wg0[0].endpoint_port='51820'
uci set network.@wireguard_wg0[0].route_allowed_ips='1' uci set network.@wireguard_wg0[0].route_allowed_ips='1'
uci set system.@system[0].hostname="${my_hostname}"
# Firewall configuration # Firewall configuration
if ! uci show firewall | grep "name='Allow-SSH'"; then if ! uci show firewall | grep "name='Allow-SSH'"; then
uci add firewall rule uci add firewall rule
@ -149,16 +152,19 @@ uci delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a' uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a' uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'
# This is the save & apply button in LUCI (or just save button)
uci commit uci commit
reboot reboot
EOF EOF
my_ip=$my_lan_ip my_ip=$my_lan_ip
echo "Waiting for it to come back..." echo "Waiting for it to come back..."
while ! ping -c1 ${my_ip}; do while ! ping -c1 ${my_ip}; do
echo "Cannot ping $my_ip yet - waiting" echo "Cannot ping $my_ip yet - waiting"
sleep 1 sleep 2
done done
echo "Wireguard public key and id: ${id} ${public_key}" echo "Wireguard public key and id: ${id} ${public_key}"
@ -169,4 +175,5 @@ Open steps:
- Remove your ssh key(s) from the device - Remove your ssh key(s) from the device
- Setup a secure root password and forward it to the customer - Setup a secure root password and forward it to the customer
EOF EOF
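Review bot: Relaxing the argument check to `[ $# -lt 2 ]` and documenting `[wireguard-private-key]` as a positional argument in the usage text puts a long-lived secret on argv, where it is readable by every local user via `ps` and is written to the operator's shell history. Prefer taking a file path (`[wireguard-private-key-file]`, then `private_key=$(cat -- "$3")`) or reading the key from an environment variable or stdin, and keep the existing "generate a fresh key" path as the default. How the third argument is actually consumed is outside the visible hunks, so this assumes it is used as the key material rather than a path; if it is already a path, only the usage text needs to say so. The `noresolv='1'` line still carries a "don't recall why" comment — on OpenWrt this option makes dnsmasq ignore /etc/resolv.conf and use only the `server` entries set further down (the ungleich resolvers), so a comment such as `# Resolve only via the servers configured below, ignore /etc/resolv.conf` would document the intent; please confirm that matches the original reason.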