2020-06-14 21:09:06 +00:00
|
|
|
#!/bin/sh
|
|
|
|
# 2020-06-13, Nico Schottelius
|
2020-12-12 12:27:49 +00:00
|
|
|
# See https://ungleich.ch/u/products/viwib-wifi-ipv6-box/
|
2020-06-14 21:09:06 +00:00
|
|
|
|
2020-10-12 19:22:06 +00:00
|
|
|
if [ $# -lt 2 ]; then
|
2020-12-12 12:27:49 +00:00
|
|
|
echo "$0 viwib-ip-address viwib-id [wgprivkey]"
|
|
|
|
echo " viwib-ip-address: where to find the viwib"
|
|
|
|
echo " viwib-id: number in decimal format"
|
2020-10-12 19:17:05 +00:00
|
|
|
echo " wgprivkey: if specified, use this private key"
|
2020-06-14 21:09:06 +00:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
set -x
|
2020-12-12 12:27:49 +00:00
|
|
|
viwib_ip=$1; shift
|
2020-06-14 21:09:06 +00:00
|
|
|
id=$1; shift
|
|
|
|
hex_id=$(printf "%0.2x\n" "$id")
|
2020-12-12 12:27:49 +00:00
|
|
|
viwib_hostname=viwib${id}
|
2020-06-14 21:09:06 +00:00
|
|
|
|
2020-12-15 21:51:28 +00:00
|
|
|
prefix_base=2a0a:e5c1:6
|
2020-06-14 21:09:06 +00:00
|
|
|
my_prefix=${prefix_base}${hex_id}
|
|
|
|
my_network=${my_prefix}::/48
|
|
|
|
|
|
|
|
my_wireguard_ip=${my_prefix}::42
|
|
|
|
my_lan_ip=${my_prefix}:cafe::42
|
|
|
|
my_wifi_ip=${my_prefix}:7ea::42
|
|
|
|
|
|
|
|
# wireguard
|
2020-10-12 19:17:05 +00:00
|
|
|
if [ $# -eq 1 ]; then
|
|
|
|
private_key=$1; shift
|
|
|
|
else
|
|
|
|
private_key=$(wg genkey)
|
|
|
|
fi
|
2020-06-14 21:09:06 +00:00
|
|
|
public_key=$(echo $private_key | wg pubkey)
|
|
|
|
|
2020-12-15 21:51:28 +00:00
|
|
|
vpn_endpoint_host=vpn-2a0ae5c1600.ungleich.ch
|
|
|
|
vpn_endpoint_pubkey=ygZQW3OSiMJl/RpKyaJVE0GSt6bjEDnoxdMJsNiloRE=
|
2020-06-14 21:09:06 +00:00
|
|
|
|
2020-12-12 12:27:49 +00:00
|
|
|
ping -c3 ${viwib_ip}
|
2020-06-14 22:27:53 +00:00
|
|
|
if [ $? -ne 0 ]; then
|
2020-12-12 12:27:49 +00:00
|
|
|
echo "Cannot reach ${viwib_ip}, aborting"
|
2020-06-14 22:27:53 +00:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2020-12-15 22:43:20 +00:00
|
|
|
root_password=$(pwgen -1 32)
|
|
|
|
echo $root_password > ${viwib_hostname}.rootpw
|
|
|
|
|
|
|
|
|
2020-12-12 12:27:49 +00:00
|
|
|
cat <<EOF | ssh -t "root@${viwib_ip}"
|
2020-06-14 21:09:06 +00:00
|
|
|
set -x
|
|
|
|
# Setup lan to also retrieve an ip address via dhcp
|
|
|
|
|
2020-12-15 21:51:28 +00:00
|
|
|
# Adjust LAN to be IPv6 only
|
2020-06-14 21:09:06 +00:00
|
|
|
uci delete network.lan.ipaddr
|
|
|
|
uci delete network.lan.netmask
|
2020-12-15 21:51:28 +00:00
|
|
|
uci set network.lan.ip6addr='${my_lan_ip}/64'
|
2020-06-14 21:09:06 +00:00
|
|
|
|
2020-12-15 21:51:28 +00:00
|
|
|
# Do not announce ULA - we have GUA
|
|
|
|
uci delete network.globals.ula_prefix
|
|
|
|
|
|
|
|
# Setup Router Advertisements / remove IPv4 dhcp
|
|
|
|
uci set dhcp.lan.ra='server'
|
|
|
|
uci set dhcp.lan.dynamicdhcp='0'
|
2020-06-14 21:09:06 +00:00
|
|
|
|
2020-06-14 21:21:38 +00:00
|
|
|
uci delete dhcp.@dnsmasq[0].authoritative
|
2020-12-15 21:51:28 +00:00
|
|
|
|
2020-06-14 21:21:38 +00:00
|
|
|
uci delete dhcp.lan.start
|
|
|
|
uci delete dhcp.lan.limit
|
|
|
|
uci delete dhcp.lan.leasetime
|
|
|
|
|
2020-12-15 21:51:28 +00:00
|
|
|
# We do stateless by default everywhere
|
|
|
|
uci delete dhcp.lan.dhcpv6
|
2020-06-14 21:21:38 +00:00
|
|
|
|
|
|
|
# Fix DNS: make dnsmasq NOT use a resolv.conf
|
|
|
|
# so that it only reads from our servers with DNS64 enabled
|
|
|
|
uci set dhcp.@dnsmasq[0].noresolv='1'
|
|
|
|
|
|
|
|
# Fix DNS: make the OS use the locally provided DNS servers
|
|
|
|
# otherwise the VPN tunnel cannot be established
|
2020-12-15 22:01:30 +00:00
|
|
|
uci set dhcp.@dnsmasq[0].localuse='0'
|
2020-06-14 21:21:38 +00:00
|
|
|
|
|
|
|
# DNS upstream over VPN gives DNS64
|
|
|
|
uci delete dhcp.@dnsmasq[0].server
|
|
|
|
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
|
|
|
|
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'
|
|
|
|
|
2020-12-15 22:01:30 +00:00
|
|
|
uci set system.@system[0].hostname="${viwib_hostname}"
|
|
|
|
|
2020-06-14 21:09:06 +00:00
|
|
|
# wifi ip address
|
2020-12-15 21:51:28 +00:00
|
|
|
# uci set network.wifi=interface
|
|
|
|
# uci set network.wifi.proto='static'
|
|
|
|
# uci set network.wifi.ip6addr='${my_wifi_ip}/64'
|
2020-06-14 21:09:06 +00:00
|
|
|
|
|
|
|
# Wifi configuration
|
|
|
|
uci set wireless.radio0=wifi-device
|
|
|
|
uci set wireless.radio0.htmode='HT40'
|
|
|
|
uci set wireless.radio0.country='CH'
|
|
|
|
uci set wireless.radio0.channel='6'
|
|
|
|
uci set wireless.default_radio0.encryption='psk2'
|
|
|
|
uci set wireless.default_radio0.key='iloveipv6'
|
2020-12-12 12:27:49 +00:00
|
|
|
uci set wireless.default_radio0.ssid='IPv6 everywhere ${viwib_hostname}'
|
2020-06-14 21:09:06 +00:00
|
|
|
|
2020-06-14 21:21:38 +00:00
|
|
|
# Ensure it is not disabled
|
|
|
|
uci delete wireless.radio0.disabled
|
2020-06-14 21:09:06 +00:00
|
|
|
|
2020-12-15 21:51:28 +00:00
|
|
|
# Create temporary IPV4 CLIENT on LAN
|
|
|
|
# This way we get Internet/upstream from the LAN port
|
|
|
|
# Can we do this via IPv6 instead?
|
|
|
|
# this breaks if multiple viwib are setup, as we have fake / wrong
|
|
|
|
# dhcp server configurations.
|
|
|
|
# easy solution: using two different networks...
|
2020-06-14 21:09:06 +00:00
|
|
|
|
2020-06-14 21:21:38 +00:00
|
|
|
uci commit
|
2020-06-14 21:09:06 +00:00
|
|
|
|
2020-06-14 21:21:38 +00:00
|
|
|
ping -c5 ungleich.ch || exit 1
|
|
|
|
|
|
|
|
# update the sources
|
|
|
|
opkg update
|
|
|
|
|
|
|
|
# install wireguard + gui
|
|
|
|
opkg install wireguard
|
|
|
|
opkg install luci-app-wireguard
|
2020-06-14 21:09:06 +00:00
|
|
|
|
|
|
|
# VPN / Wireguard
|
|
|
|
uci set network.wg0=interface
|
|
|
|
uci set network.wg0.proto='wireguard'
|
|
|
|
uci set network.wg0.private_key='${private_key}'
|
|
|
|
uci set network.wg0.listen_port='51820'
|
|
|
|
uci set network.wg0.addresses='${my_wireguard_ip}/64'
|
|
|
|
|
|
|
|
if ! uci get network.@wireguard_wg0[0]; then
|
|
|
|
uci add network wireguard_wg0
|
|
|
|
fi
|
|
|
|
|
|
|
|
uci set network.@wireguard_wg0[0]=wireguard_wg0
|
|
|
|
uci set network.@wireguard_wg0[0].persistent_keepalive='25'
|
2020-12-15 21:51:28 +00:00
|
|
|
uci set network.@wireguard_wg0[0].public_key="${vpn_endpoint_pubkey}"
|
|
|
|
uci set network.@wireguard_wg0[0].description="IPv6VPN.ch by ungleich"
|
2020-06-14 21:09:06 +00:00
|
|
|
uci set network.@wireguard_wg0[0].allowed_ips='::/0'
|
2020-12-15 21:51:28 +00:00
|
|
|
uci set network.@wireguard_wg0[0].endpoint_host="${vpn_endpoint_host}"
|
2020-06-14 21:09:06 +00:00
|
|
|
uci set network.@wireguard_wg0[0].endpoint_port='51820'
|
|
|
|
uci set network.@wireguard_wg0[0].route_allowed_ips='1'
|
|
|
|
|
|
|
|
# Firewall configuration
|
|
|
|
if ! uci show firewall | grep "name='Allow-SSH'"; then
|
|
|
|
uci add firewall rule
|
|
|
|
uci set firewall.@rule[-1].name='Allow-SSH'
|
|
|
|
uci set firewall.@rule[-1].src='wan'
|
|
|
|
uci set firewall.@rule[-1].dest='lan'
|
|
|
|
uci set firewall.@rule[-1].proto='tcp'
|
|
|
|
uci set firewall.@rule[-1].dest_port='22'
|
|
|
|
uci set firewall.@rule[-1].target='ACCEPT'
|
|
|
|
fi
|
|
|
|
|
|
|
|
if ! uci show firewall | grep "name='Allow-HTTPS'"; then
|
|
|
|
uci add firewall rule
|
|
|
|
uci set firewall.@rule[-1].name='Allow-HTTPS'
|
|
|
|
uci set firewall.@rule[-1].src='wan'
|
|
|
|
uci set firewall.@rule[-1].dest='lan'
|
|
|
|
uci set firewall.@rule[-1].proto='tcp'
|
|
|
|
uci set firewall.@rule[-1].dest_port='443'
|
|
|
|
uci set firewall.@rule[-1].target='ACCEPT'
|
|
|
|
fi
|
|
|
|
|
|
|
|
if ! uci show firewall | grep "name='Allow-HTTP'"; then
|
|
|
|
uci add firewall rule
|
|
|
|
uci set firewall.@rule[-1].name='Allow-HTTP'
|
|
|
|
uci set firewall.@rule[-1].src='wan'
|
|
|
|
uci set firewall.@rule[-1].dest='lan'
|
|
|
|
uci set firewall.@rule[-1].proto='tcp'
|
|
|
|
uci set firewall.@rule[-1].dest_port='80'
|
|
|
|
uci set firewall.@rule[-1].target='ACCEPT'
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Add interfaces to the right network zone
|
2020-12-15 21:51:28 +00:00
|
|
|
uci set firewall.@zone[1].network='wan wan6 wg0'
|
2020-06-14 21:09:06 +00:00
|
|
|
|
2020-06-14 21:21:38 +00:00
|
|
|
uci commit
|
2020-06-14 21:09:06 +00:00
|
|
|
|
2020-12-15 22:43:20 +00:00
|
|
|
|
|
|
|
# Remove our ssh keys
|
|
|
|
rm -f /etc/dropbear/authorized_keys
|
|
|
|
|
|
|
|
# Setup root password
|
|
|
|
printf "${root_password}\n${root_password}\n" | passwd
|
|
|
|
|
|
|
|
|
2020-06-14 21:09:06 +00:00
|
|
|
reboot
|
|
|
|
EOF
|
|
|
|
|
2020-07-07 19:00:49 +00:00
|
|
|
echo "Wireguard public key and id: ${id} ${public_key}"
|
2020-12-15 22:43:20 +00:00
|
|
|
echo "Root password: ${root_password}"
|
2020-12-12 12:27:49 +00:00
|
|
|
echo ${public_key} > ${viwib_hostname}.public_key
|
2020-12-15 22:16:50 +00:00
|
|
|
|
|
|
|
# change to ipv6
|
|
|
|
viwib_ip=${my_lan_ip}
|
|
|
|
|
2020-12-15 22:43:20 +00:00
|
|
|
sleep 15
|
|
|
|
|
2020-12-15 22:16:50 +00:00
|
|
|
while ! ping -c5 ${viwib_ip}; do
|
|
|
|
echo "Waiting for viwib ${id}"
|
|
|
|
sleep 2
|
|
|
|
done
|