ungleich-tools/openwrt/vpn-add.sh

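#!/bin/sh
# 2020-06-13, 2022-01-20, Nico Schottelius
# Add a VPN to either of our devices
#
# Usage: vpn-add.sh device-ip device-name [wireguard-private-key]
#
#   device-ip              address under which the OpenWrt device is reachable
#                          (ssh as root)
#   device-name            name of the device; its last four characters select
#                          the IPv6 /48 and the VPN endpoint (whitelist below)
#   wireguard-private-key  optional existing wg private key to reuse; without
#                          it a fresh key is generated with `wg genkey`
#
# Output: the device id and the wg public key, which have to be registered on
# the VPN server side (not done by this script).
#
# NOTE(security): a private key given on the command line is visible to every
# local user via `ps` and ends up in the shell history. Prefer the default
# (generate on the fly); if a key must be reused, run this from a private shell.
if [ $# -lt 2 ]; then
  echo "$0 device-ip device-name [wireguard-private-key]" >&2
  echo " device-ip: where to find the device" >&2
  echo " device-name: device we configure" >&2
  echo " [wireguard-private-key]: wg key to reuse" >&2
  exit 1
fi
# Get & set vpnserver network & co. via rest?
device_ip=$1; shift
device_name=$1; shift

# device_name is expanded verbatim into the shell script executed as root on
# the device (hostname, later the SSID). Refuse anything outside a safe charset
# so a stray quote or ';' cannot turn into remote command injection.
case $device_name in
  ''|*[!A-Za-z0-9._-]*)
    echo "device-name '${device_name}' must be non-empty and only contain [A-Za-z0-9._-], aborting" >&2
    exit 1
    ;;
esac

# Whitelisting of enabled networks
case $device_name in
  *-09??|*-0a??)
    # The last four characters of the name are the device id (third hextet of
    # its /48); the first two of those select the VPN server.
    device_id=$(printf '%s\n' "${device_name}" | sed 's/.*-\(....\)$/\1/')
    vpnserver_id=${device_id%??}
    prefix_base=2a0a:e5c1:${device_id}
    vpn_endpoint_host=vpn-2a0ae5c1${vpnserver_id}.ungleich.ch
    # WireGuard public key of the VPN server we peer with. Pinned on purpose:
    # with a wrong or missing key the device would route ::/0 into a tunnel
    # that never comes up, so the check after this case refuses to continue
    # without one.
    case $vpnserver_id in
      09)
        vpn_endpoint_pubkey="vnDJHqkAdMs8QkiIQizGGcPlaQfAwVBUvTBrYKfDZmE="
        ;;
      a0)
        # NOTE(review): the whitelist above admits *-0a??, which yields
        # vpnserver_id=0a, but this arm is labelled a0 and therefore never
        # matches it. One of the two is presumably a typo; confirm which
        # endpoint this key belongs to before changing either side.
        vpn_endpoint_pubkey="Hxb5lV5r90r3hT9/JsMM8zIzrzYfXHCtt1jFtPgDlCQ="
        ;;
    esac
    ;;
  *)
    echo "${device_name} currently unsupported" >&2
    exit 1
    ;;
esac
if [ -z "${vpn_endpoint_pubkey}" ]; then
  echo "No VPN endpoint public key known for vpnserver id '${vpnserver_id}', aborting" >&2
  exit 1
fi

hex_id=$device_id
device_hostname=${device_name}
my_prefix=${prefix_base}
my_network=${my_prefix}::/48
my_wireguard_ip=${my_prefix}::42
my_lan_ip=${my_prefix}:cafe::42
my_wifi_ip=${my_prefix}:7ea::42

# wireguard
# Key handling happens before `set -x`: the xtrace output would otherwise
# print the private key to the terminal (and to whatever captures it).
if [ $# -eq 1 ]; then
  private_key=$1; shift
else
  private_key=$(wg genkey)
  if [ -z "${private_key}" ]; then
    echo "wg genkey failed, aborting" >&2
    exit 1
  fi
fi
# Derive the public key via stdin, never as an argument. An empty result also
# rejects a malformed key handed to us on the command line before it is
# interpolated into the remote script below.
public_key=$(printf '%s\n' "${private_key}" | wg pubkey)
if [ -z "${public_key}" ]; then
  echo "Could not derive a public key from the given private key, aborting" >&2
  exit 1
fi

echo "Setting up ${device_name} connecting to ${vpn_endpoint_host} for ${prefix_base}"
set -x

echo "Trying to reach ${device_ip} ..."
if ! ping -c3 "${device_ip}"; then
  echo "Cannot reach ${device_ip}, aborting" >&2
  exit 1
fi

# The heredoc is expanded locally and fed to the root shell on the device via
# stdin. No -t: with a non-tty stdin ssh cannot allocate a pty anyway. `set -e`
# on the remote side ensures nothing is committed if an earlier step failed.
ssh "root@${device_ip}" <<EOF
set -e
set -x
ping -c5 downloads.openwrt.org || exit 1
# update the sources
opkg update
# install wireguard + gui
opkg install luci-app-wireguard luci-proto-wireguard
# VPN / Wireguard
uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
# The remote xtrace is echoed back over ssh; keep the private key out of it.
set +x
uci set network.wg0.private_key='${private_key}'
set -x
uci set network.wg0.listen_port='51820'
uci set network.wg0.addresses='${my_wireguard_ip}/64'
if ! uci get network.@wireguard_wg0[0]; then
uci add network wireguard_wg0
fi
uci set network.@wireguard_wg0[0]=wireguard_wg0
uci set network.@wireguard_wg0[0].persistent_keepalive='25'
uci set network.@wireguard_wg0[0].public_key='${vpn_endpoint_pubkey}'
uci set network.@wireguard_wg0[0].description='IPv6VPN.ch by ungleich'
# Default IPv6 route over the tunnel (together with route_allowed_ips below).
uci set network.@wireguard_wg0[0].allowed_ips='::/0'
uci set network.@wireguard_wg0[0].endpoint_host='${vpn_endpoint_host}'
uci set network.@wireguard_wg0[0].endpoint_port='51820'
uci set network.@wireguard_wg0[0].route_allowed_ips='1'
uci set system.@system[0].hostname="${device_hostname}"
# The IPv6 lan configuration
uci set network.lan.ip6addr='${my_lan_ip}/64'
uci commit
EOF
rc=$?
set +x
# Always print the public half: the operator needs it on the server side even
# if the remote run has to be repeated.
echo "Wireguard public key and id: ${device_id} ${public_key}"
if [ "${rc}" -ne 0 ]; then
  echo "Remote configuration of ${device_ip} failed (ssh exit ${rc})" >&2
  exit "${rc}"
fi
# NOTE: everything below this line is unreachable and, being outside the ssh
# heredoc, would run on the admin host rather than on the device. It is kept
# for reference only.
exit 0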
# Firewall configuration
# NOTE(review): unreachable -- the script exits unconditionally just above.
# This run is also outside the ssh heredoc, so if the exit were removed these
# uci calls would execute on the admin host, not on the device.
# NOTE(security): rules with src='wan' AND dest='lan' are forwarding rules:
# they accept connections from the outside to port 22/443/80 on every host
# behind the device (the lan gets a global IPv6 /64 via the VPN and announces
# it with RA). Presumably intended for the "IPv6 everywhere" use case, but
# confirm before re-enabling -- at least the SSH rule deserves a dest_ip
# restriction or removal.
if ! uci show firewall | grep "name='Allow-SSH'"; then
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-SSH'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].target='ACCEPT'
fi
if ! uci show firewall | grep "name='Allow-HTTPS'"; then
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-HTTPS'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='443'
uci set firewall.@rule[-1].target='ACCEPT'
fi
if ! uci show firewall | grep "name='Allow-HTTP'"; then
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-HTTP'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='80'
uci set firewall.@rule[-1].target='ACCEPT'
fi
# Add interfaces to the right network zone
# @zone[0]/@zone[1] are positional: on a stock OpenWrt config zone[0] is lan
# and zone[1] is wan, so wg0 ends up in the wan zone. Verify on the target
# before relying on this -- a reordered firewall config silently flips it.
uci set firewall.@zone[0].network='lan lanv6 wifi'
uci set firewall.@zone[1].network='wg0'
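# LAN / Router advertisements / DHCP
# NOTE(review): unreachable -- the script exits unconditionally before this
# point -- and outside the ssh heredoc, so it would run on the admin host.
# Kept for reference.
# DHCP: we are not authoritative
uci delete dhcp.@dnsmasq[0].authoritative
uci delete dhcp.lan.dhcpv6
uci delete dhcp.lan.start
uci delete dhcp.lan.limit
uci delete dhcp.lan.leasetime
# Do not announce ULA - we have GUA
uci delete network.globals.ula_prefix
# This is configuring the dhcp IPv4 client
uci set dhcp.lan=dhcp
# Setup Router Advertisements
uci set dhcp.lan.interface='lanv6'
uci set dhcp.lan.ra='server'
uci set dhcp.lan.dynamicdhcp='0'
# Fix DNS: make dnsmasq NOT use a resolv.conf
# so that it only reads from our servers with DNS64 enabled
uci set dhcp.@dnsmasq[0].noresolv='1'
# Fix DNS: make the OS use the locally provided DNS servers
# otherwise the VPN tunnel cannot be established
# (this line was missing its leading `uci set`, which turned it into a
# failing command invocation instead of a config change)
uci set dhcp.@dnsmasq[0].localuse='0'
# DNS upstream over VPN gives DNS64
# With noresolv=1 these are the only resolvers dnsmasq will use for lan
# clients; the router itself keeps resolving via what it learned on wan
# (localuse=0), which is what lets it look up the VPN endpoint name.
uci delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'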
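# wifi ip address
# NOTE(review): unreachable (unconditional exit above) and outside the ssh
# heredoc; kept for reference. Note that the single-quoted '${my_wifi_ip}'
# and '${device_hostname}' below only expand inside the heredoc -- run
# locally as written, they would be stored literally.
uci set network.wifi=interface
uci set network.wifi.proto='static'
uci set network.wifi.ip6addr='${my_wifi_ip}/64'
# Wifi configuration
# radio0 settings are board-specific (`path` names one particular SoC wmac);
# presumably they match the device model this script targets -- confirm before
# reusing on other hardware.
uci set wireless.radio0=wifi-device
uci set wireless.radio0.type='mac80211'
uci set wireless.radio0.hwmode='11g'
uci set wireless.radio0.path='platform/10300000.wmac'
uci set wireless.radio0.htmode='HT40'
uci set wireless.radio0.country='CH'
uci set wireless.radio0.channel='6'
uci set wireless.default_radio0=wifi-iface
uci set wireless.default_radio0.device='radio0'
uci set wireless.default_radio0.mode='ap'
uci set wireless.default_radio0.encryption='psk2'
# NOTE(security): the WPA2 passphrase used to be hard-coded here and is
# therefore public in this repository; every device provisioned this way
# shared it, which makes the network effectively open. It remains the
# default for compatibility but can be overridden via WIFI_PSK in the
# environment -- do so, or load it from a file outside the repo.
wifi_psk=${WIFI_PSK:-iloveipv6}
if [ -z "${WIFI_PSK}" ]; then
  echo "WARNING: WIFI_PSK not set, falling back to the well-known default passphrase" >&2
fi
uci set wireless.default_radio0.key="${wifi_psk}"
uci set wireless.default_radio0.ssid='IPv6 everywhere ${device_hostname}'
uci set wireless.default_radio0.network='wifi'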
# Wifi / Router advertisements
# NOTE(review): still unreachable (see the unconditional exit above); this
# run of statements also continues beyond what is shown here.
uci set dhcp.wifi=dhcp
uci set dhcp.wifi.interface='wifi'
uci set dhcp.wifi.ra='server'
uci set dhcp.wifi.dynamicdhcp='0'
# Ensure it is not disabled
uci delete wireless.radio0.disabled
# Setup lan to also retrieve an ip address via dhcp
# This stays in the final setup
# Switching lan to proto=dhcp and dropping ipaddr/netmask removes the static
# IPv4 address; afterwards the device is presumably reachable on that side
# only via the upstream DHCP lease (plus the static IPv6 from ip6addr).
uci set network.lan.proto='dhcp'
uci delete network.lan.ipaddr
uci delete network.lan.netmask