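#!/bin/sh
# 2020-06-13, Nico Schottelius
# See https://ungleich.ch/u/products/viirb-ipv6-box/
#
# Provision one VIIRB (host name viirb<hex-id>):
#   1. generate a WireGuard key pair, write the box as a peer into the
#      ungleich-dot-cdist repo, commit/push it and run cdist against the
#      VPN endpoint;
#   2. (staged, not reached) configure the box itself over ssh;
#   3. (staged, not reached) flash the box with the OpenWrt sysupgrade image.
# Stages 2 and 3 sit behind `exit 0` guards exactly as the author left them.
#
# Usage: $0 interface viirb-id your-dot-cdist owner-mail-reference
#
# Required tools: wg, git, cdist (stage 1); ssh, scp, sudo, ip, ping, wget,
# sha256sum (later stages).

set -eu

# Print the usage text to stderr and exit with status 1.
usage() {
  cat >&2 <<EOF
$0 interface viirb-id your-dot-cdist owner-mail-reference
 interface to add the config ip address to
 viirb-id: number in decimal format
 your-dot-cdist: path to YOUR ungleich-dot-cdist repo
 owner-mail-reference: How to identify the owner

Example to configure viirb02:
$0 wlan0 2 ~/vcs/ungleich-dot-cdist 'Nico Schottelius, nico.schottelius@ungleich.ch, Ticket 2342'
EOF
  exit 1
}

if [ $# -ne 4 ]; then
  usage
fi

set -x

dev=$1; shift
id=$1; shift
dot_cdist=$1; shift
owner=$1; shift

# viirb-id must be a decimal number. It is widened to at least two hex
# digits and appended to the trailing "3" of prefix_base below, so it also
# has to fit into the remaining three hex digits of that hextet: 0..4095.
case "$id" in
  ''|*[!0-9]*)
    printf 'viirb-id must be a decimal number, got: %s\n' "$id" >&2
    exit 1
    ;;
esac
if [ "$id" -gt 4095 ]; then
  printf 'viirb-id %s does not fit into the prefix (max 4095)\n' "$id" >&2
  exit 1
fi

# Resolve the repo path once: the script cd's into the repo further down and
# passes this path to cdist afterwards, so a relative path would break there.
dot_cdist_abs=$(cd "$dot_cdist" && pwd) || {
  printf 'your-dot-cdist is not a directory: %s\n' "$dot_cdist" >&2
  exit 1
}
dot_cdist=$dot_cdist_abs

hex_id=$(printf '%0.2x' "$id")
viirb_hostname=viirb${hex_id}

prefix_base=2a0a:e5c1:3
my_prefix=${prefix_base}${hex_id}
my_network=${my_prefix}::/48

my_wireguard_ip=${my_prefix}::42
my_lan_ip=${my_prefix}:cafe::42   # not used by this script yet
my_wifi_ip=${my_prefix}:7ea::42

# openwrt
version=19.07.3
filename=openwrt-${version}-ramips-mt76x8-vocore2-squashfs-sysupgrade.bin

# IP address for setting it up initially
viirb_ip=192.168.61.1

# wireguard
# Tracing is switched off while the private key is generated and derived,
# otherwise `set -x` prints the key to stderr. The key is generated fresh on
# every run (the hard-coded override that used to follow has been dropped: a
# key committed to a script is public, and every box would have shared it),
# so re-running for the same id rotates the peer key and the box has to be
# reconfigured to match.
set +x
private_key=$(wg genkey)
public_key=$(printf '%s\n' "$private_key" | wg pubkey)
set -x

vpn_endpoint_host=vpn-2a0ae5c1300.ungleich.ch
vpn_endpoint_pubkey=ft68G2RID7gZ6PXjFCSCOdJ9yspRg+tUw0YrNK9cTxE=

# cdist
dot_cdist_files=${dot_cdist}/type/__ungleich_wireguard/files
peerfile=${dot_cdist_files}/${vpn_endpoint_host}.peer${hex_id}
vpnconfig=${dot_cdist_files}/${vpn_endpoint_host}

# Configure VPN server / update cdist
echo Updating VPNserver
cat <<EOF > "$peerfile"
# ${viirb_hostname} ${owner}
[Peer]
PublicKey = ${public_key}
AllowedIPs = ${my_network}

EOF

# Generate real config: the endpoint config is the concatenation of every
# per-peer file, including the one just written.
cat "${dot_cdist_files}/${vpn_endpoint_host}".* > "$vpnconfig"
cd "$dot_cdist_files" || exit 1
# Commit the per-peer file as well as the merged config, so the peer lives
# in the repo and not only in this checkout.
git add "$vpn_endpoint_host" "${vpn_endpoint_host}.peer${hex_id}"
git commit -m "[vpn] Updated config for peer ${viirb_hostname} ${my_network}"
git pull
git push

cdist config -vv -j8 "$vpn_endpoint_host" -c "$dot_cdist"

# NOTE(review): nothing below this line is reached; the early exit is kept
# as the author staged it. Drop it once the device-side stages are ready.
exit 0

# System
# The heredoc is expanded locally (unquoted EOF): every ${...} below is
# substituted here and the resulting script runs on the box.
cat <<EOF | ssh -t "root@${viirb_ip}"
set -x

# Setup lan to also retrieve an ip address via dhcp

# This stays in the final setup
uci set network.lanv4=interface
uci set network.lanv4.proto='dhcp'
uci set network.lanv4.ifname='br-lan'

# This is temporary
uci set network.lanv4temp=interface
uci set network.lanv4temp.proto='static'
uci set network.lanv4temp.ifname='br-lan'
uci set network.lanv4temp.ipaddr='192.168.61.1'
uci set network.lanv4temp.netmask='255.255.255.0'

uci commit network
/etc/init.d/network restart

# update the sources
opkg update
opkg install wireguard

# DNS upstream over VPN gives DNS64
#uci set dhcp.@dnsmasq[0].server='2a0a:e5c0:a::a' '2a0a:e5c0:2:a::a'

# wifi ip address
uci set network.wifi=interface
uci set network.wifi.proto='static'
uci set network.wifi.ip6addr='${my_wifi_ip}/64'

# Wifi configuration
uci set wireless.radio0=wifi-device
uci set wireless.radio0.type='mac80211'
uci set wireless.radio0.hwmode='11g'
uci set wireless.radio0.path='platform/10300000.wmac'
uci set wireless.radio0.htmode='HT40'
uci set wireless.radio0.country='CH'
uci set wireless.radio0.channel='6'

# NOTE(review): the PSK below is the same on every box; it is the product's
# shared default as written here, not a per-device secret.
uci set wireless.default_radio0=wifi-iface
uci set wireless.default_radio0.device='radio0'
uci set wireless.default_radio0.mode='ap'
uci set wireless.default_radio0.encryption='psk2'
uci set wireless.default_radio0.key='iloveipv6'
uci set wireless.default_radio0.ssid='IPv6 everywhere ${viirb_hostname}'
uci set wireless.default_radio0.network='wifi'

# Wifi / Router advertisements
uci set dhcp.wifi=dhcp
uci set dhcp.wifi.interface='wifi'
uci set dhcp.wifi.ra='server'
uci set dhcp.wifi.dynamicdhcp='0'

# VPN / Wireguard
uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
# keep the private key out of the remote trace output
set +x
uci set network.wg0.private_key='${private_key}'
set -x
uci set network.wg0.listen_port='51820'
uci set network.wg0.addresses='${my_wireguard_ip}/64'

uci add network wireguard_wg0
uci set network.@wireguard_wg0[0]=wireguard_wg0
uci set network.@wireguard_wg0[0].persistent_keepalive='25'
uci set network.@wireguard_wg0[0].public_key='${vpn_endpoint_pubkey}'
uci set network.@wireguard_wg0[0].description='ungleich IPv6VPN.ch'
uci set network.@wireguard_wg0[0].allowed_ips='::/0'
uci set network.@wireguard_wg0[0].endpoint_host='${vpn_endpoint_host}'
uci set network.@wireguard_wg0[0].endpoint_port='51820'
uci set network.@wireguard_wg0[0].route_allowed_ips='1'

uci set system.@system[0].hostname="${viirb_hostname}"

uci commit

# TODO: Firewall configuration

# TODO: Remove temporary IP

# TODO: Reboot

# TODO: Ensure VPN works

# TODO: Remove our ssh keys!

EOF

# NOTE(review): second staged exit, kept as the author left it.
exit 0

# We delete so that we can run idempotent
sudo ip addr del 192.168.61.2/24 dev "$dev" 2>/dev/null || true
sudo ip addr add 192.168.61.2/24 dev "$dev"

# don't care about other/old known_host entries (nor about a missing
# known_hosts file, hence || true)
ssh-keygen -R "$viirb_ip" || true

if ! ping -c2 "$viirb_ip"; then
  echo "Cannot reach any VIIRB - exiting"
  exit 1
fi

# Don't re-download if we already have it. The original line read
# `$(unknown)` where the image name belongs, which looks like an extraction
# artifact for ${filename}; that variable is otherwise unused, so it is used
# here. The image is checked against the release's sha256sums before it is
# copied onto the box, and fetched over https rather than http.
base_url=https://downloads.openwrt.org/releases/${version}/targets/ramips/mt76x8
wget -c "${base_url}/${filename}"
wget -O sha256sums "${base_url}/sha256sums"
grep -F -- "$filename" sha256sums | sha256sum -c -

scp "$filename" "root@${viirb_ip}:/tmp"
ssh "root@${viirb_ip}" "sysupgrade /tmp/*.bin"

# Poll for the box to come back after the sysupgrade; roughly 180 seconds.
# The original loop neither counted nor left on success and so never ended.
waited=0
found=""

while [ "$waited" -lt 180 ]; do
  if ping -c1 "$viirb_ip" >/dev/null 2>&1; then
    found=yes
    # wait for ssh to come up
    sleep 10
    break
  fi
  sleep 1
  waited=$((waited + 1))
done

if [ -z "$found" ]; then
  echo "Did not find updated viirb - debug / restart it"
  exit 1
fi

exit 0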