ungleich-tools/pib-setup.sh

180 lines
4.8 KiB
Bash
Raw Normal View History

2020-08-24 07:48:10 +00:00
#!/bin/sh
2020-09-07 14:20:36 +00:00
# Assumptions:
2020-09-07 14:52:14 +00:00
# - pib (APU) is factory reset OpenWRT
# - WAN port is connected with an active upstream (pib has internet connectivity via WAN port)
# - You are connected via LAN and you can ssh into it
2020-09-07 14:20:36 +00:00
2020-09-07 14:52:14 +00:00
# How it works
#
if [ $# -lt 2 ]; then
2020-09-07 14:20:36 +00:00
echo "$0 ip-address vpn-network [wireguard-private-key]"
2020-08-24 07:48:10 +00:00
echo " ip-address: where to find the PIB"
echo " network: 2a0a:e5c0:123::/48"
2020-09-07 14:20:36 +00:00
echo " private-key: specify if you already have a private key"
2020-08-24 07:48:10 +00:00
exit 1
fi
my_ip=$1; shift
my_network=$1; shift
2020-09-07 14:20:36 +00:00
if [ $# -eq 1 ]; then
private_key=$1; shift
else
private_key=$(wg genkey)
fi
2020-08-24 07:48:10 +00:00
my_prefix=$(echo $my_network | sed 's,::/.*,,')
my_hostname=pib-$(echo ${my_prefix} | sed 's/:/-/g')
my_wireguard_ip=${my_prefix}::42
my_lan_ip=${my_prefix}:cafe::42
public_key=$(echo $private_key | wg pubkey)
vpn_endpoint_host=vpn-2a0ae5c1.ungleich.ch
vpn_endpoint_pubkey=hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
2020-09-08 15:19:51 +00:00
cat <<EOF | ssh -t "root@${my_ip}" || exit 1
2020-08-24 07:48:10 +00:00
set -x
2020-09-07 14:20:36 +00:00
# Check if we can reach upstream - otherwise abort
2020-09-08 15:22:52 +00:00
ping6 -c5 ungleich.ch || ping -c5 ungleich.ch || exit 1
2020-09-07 14:20:36 +00:00
# update the sources & allow https handling
opkg update
opkg install libustream-openssl ca-bundle ca-certificates
# install wireguard + gui
2020-09-07 14:52:14 +00:00
opkg install wireguard luci-app-wireguard
2020-08-24 07:48:10 +00:00
# We are never authoritative for IPv4
uci delete dhcp.@dnsmasq[0].authoritative
# Do not announce ULA - we have GUA
uci delete network.globals.ula_prefix
2020-09-07 14:52:14 +00:00
# Setup hostname
uci set system.@system[0].hostname="${my_hostname}"
2020-08-24 07:48:10 +00:00
# Do not set/get? Was necessary, don't recall why
uci set dhcp.@dnsmasq[0].noresolv='1'
# Fix DNS: make the OS use the locally provided DNS servers
# otherwise the VPN tunnel cannot be established
uci set dhcp.@dnsmasq[0].localuse='0'
2020-09-07 14:20:36 +00:00
# Remove static IPv4 on LAN
2020-08-24 07:48:10 +00:00
uci delete network.lan.ipaddr
uci delete network.lan.netmask
2020-09-07 14:20:36 +00:00
# Setup IPv6 on LAN
uci add_list network.lan.ip6addr='${my_lan_ip}/64'
2020-08-24 07:48:10 +00:00
2020-09-07 14:20:36 +00:00
# IPv6 announcements
2020-08-24 07:48:10 +00:00
uci set dhcp.lan.ra='server'
uci set dhcp.lan.ra_management='1'
2020-09-07 14:20:36 +00:00
# No DHCP server on the LAN
2020-08-24 07:48:10 +00:00
uci set dhcp.lan.ignore='1'
2020-09-07 14:20:36 +00:00
# Cleanup dhcp options
# Disable any dynamic leases
2020-08-24 07:48:10 +00:00
uci set dhcp.lan.dynamicdhcp='0'
2020-09-07 14:20:36 +00:00
# Remove dhcpv6 server
2020-08-24 07:48:10 +00:00
uci delete dhcp.lan.dhcpv6
2020-09-07 14:20:36 +00:00
# Remove leftover from the dhcpv4 server items
2020-08-24 07:48:10 +00:00
uci delete dhcp.lan.start
uci delete dhcp.lan.limit
uci delete dhcp.lan.leasetime
# VPN / Wireguard
uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
uci set network.wg0.private_key='${private_key}'
uci set network.wg0.listen_port='51820'
uci set network.wg0.addresses='${my_wireguard_ip}/64'
if ! uci get network.@wireguard_wg0[0]; then
uci add network wireguard_wg0
fi
uci set network.@wireguard_wg0[0]=wireguard_wg0
uci set network.@wireguard_wg0[0].persistent_keepalive='25'
uci set network.@wireguard_wg0[0].public_key='${vpn_endpoint_pubkey}'
uci set network.@wireguard_wg0[0].description='IPv6VPN.ch by ungleich'
uci set network.@wireguard_wg0[0].allowed_ips='::/0'
uci set network.@wireguard_wg0[0].endpoint_host='${vpn_endpoint_host}'
uci set network.@wireguard_wg0[0].endpoint_port='51820'
uci set network.@wireguard_wg0[0].route_allowed_ips='1'
# Firewall configuration
if ! uci show firewall | grep "name='Allow-SSH'"; then
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-SSH'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].target='ACCEPT'
fi
if ! uci show firewall | grep "name='Allow-HTTPS'"; then
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-HTTPS'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='443'
uci set firewall.@rule[-1].target='ACCEPT'
fi
if ! uci show firewall | grep "name='Allow-HTTP'"; then
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-HTTP'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='80'
uci set firewall.@rule[-1].target='ACCEPT'
fi
# Add interfaces to the right network zone
uci set firewall.@zone[0].network='lan lanv6'
uci set firewall.@zone[1].network='wan wg0'
# DNS upstream over VPN gives DNS64
uci delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'
2020-09-07 14:52:14 +00:00
# This is the save & apply button in LUCI (or just save button)
2020-08-24 07:48:10 +00:00
uci commit
2020-09-07 14:52:14 +00:00
2020-08-24 07:48:10 +00:00
reboot
2020-09-07 14:20:36 +00:00
2020-08-24 07:48:10 +00:00
EOF
2020-09-07 14:20:36 +00:00
my_ip=$my_lan_ip
2020-09-07 14:52:14 +00:00
2020-09-07 14:20:36 +00:00
echo "Waiting for it to come back..."
while ! ping -c1 ${my_ip}; do
echo "Cannot ping $my_ip yet - waiting"
2020-09-07 14:52:14 +00:00
sleep 2
2020-09-07 14:20:36 +00:00
done
2020-08-24 07:48:10 +00:00
echo "Wireguard public key and id: ${id} ${public_key}"
echo ${public_key} > ${my_hostname}.public_key
2020-09-07 14:20:36 +00:00
cat <<EOF
Open steps:
2020-08-24 07:48:10 +00:00
2020-09-07 14:20:36 +00:00
- Remove your ssh key(s) from the device
- Setup a secure root password and forward it to the customer
2020-09-07 14:52:14 +00:00
2020-09-07 14:20:36 +00:00
EOF