[pib] update setup script

This commit is contained in:
Nico Schottelius 2020-09-07 16:20:36 +02:00
parent 912dcabe9f
commit 3470ca62df


@ -1,25 +1,33 @@
#!/bin/sh #!/bin/sh
# Assumptions:
# - pib is factory reset
# - WAN port is connected with an active upstream
# - You are connected via LAN/can ssh into it
if [ $# -ne 2 ]; then if [ $# -ne 2 ]; then
echo "$0 ip-address vpn-network" echo "$0 ip-address vpn-network [wireguard-private-key]"
echo " ip-address: where to find the PIB" echo " ip-address: where to find the PIB"
echo " network: 2a0a:e5c0:123::/48" echo " network: 2a0a:e5c0:123::/48"
echo " private-key: specify if you already have a private key"
exit 1 exit 1
fi fi
my_ip=$1; shift my_ip=$1; shift
my_network=$1; shift my_network=$1; shift
if [ $# -eq 1 ]; then
private_key=$1; shift
else
private_key=$(wg genkey)
fi
my_prefix=$(echo $my_network | sed 's,::/.*,,') my_prefix=$(echo $my_network | sed 's,::/.*,,')
my_hostname=pib-$(echo ${my_prefix} | sed 's/:/-/g') my_hostname=pib-$(echo ${my_prefix} | sed 's/:/-/g')
my_wireguard_ip=${my_prefix}::42 my_wireguard_ip=${my_prefix}::42
my_lan_ip=${my_prefix}:cafe::42 my_lan_ip=${my_prefix}:cafe::42
my_lanv6_ip=${my_prefix}:7ea::42
private_key=$(wg genkey)
public_key=$(echo $private_key | wg pubkey) public_key=$(echo $private_key | wg pubkey)
vpn_endpoint_host=vpn-2a0ae5c1.ungleich.ch vpn_endpoint_host=vpn-2a0ae5c1.ungleich.ch
@ -28,7 +36,16 @@ vpn_endpoint_pubkey=hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
cat <<EOF | ssh -t "root@${my_ip}" cat <<EOF | ssh -t "root@${my_ip}"
set -x set -x
# Global / general settings # Check if we can reach upstream - otherwise abort
ping -c5 ungleich.ch || exit 1
# update the sources & allow https handling
opkg update
opkg install libustream-openssl ca-bundle ca-certificates
# install wireguard + gui
opkg install wireguard
opkg install luci-app-wireguard
# We are never authoritative for IPv4 # We are never authoritative for IPv4
uci delete dhcp.@dnsmasq[0].authoritative uci delete dhcp.@dnsmasq[0].authoritative
@ -43,55 +60,33 @@ uci set dhcp.@dnsmasq[0].noresolv='1'
# otherwise the VPN tunnel cannot be established # otherwise the VPN tunnel cannot be established
uci set dhcp.@dnsmasq[0].localuse='0' uci set dhcp.@dnsmasq[0].localuse='0'
# Remove static IPv4 from LAN / replace with DHCP # Remove static IPv4 on LAN
uci delete network.lan.ipaddr uci delete network.lan.ipaddr
uci delete network.lan.netmask uci delete network.lan.netmask
uci set network.lan.ifname='eth1'
uci set network.lan.proto='dhcp'
# Add IPv6 address in LAN # Setup IPv6 on LAN
uci set network.lanv6=interface uci add_list network.lan.ip6addr='${my_lan_ip}/64'
uci set network.lanv6.ifname='br-lan'
uci set network.lanv6.proto='static'
uci set network.lanv6.ifname='br-lan'
uci add_list network.lanv6.ip6addr='${my_lan_ip}/64'
# IPv6 announcements / no DHCP server on the LAN # IPv6 announcements
uci set dhcp.lan.ra='server' uci set dhcp.lan.ra='server'
uci set dhcp.lan.ra_management='1' uci set dhcp.lan.ra_management='1'
# No DHCP server on the LAN
uci set dhcp.lan.ignore='1' uci set dhcp.lan.ignore='1'
# Cleanup dhcp options
# Disable any dynamic leases
uci set dhcp.lan.dynamicdhcp='0' uci set dhcp.lan.dynamicdhcp='0'
# Remove dhcpv6 server
uci delete dhcp.lan.dhcpv6 uci delete dhcp.lan.dhcpv6
# Remove leftover from the dhcpv4 server items
uci delete dhcp.lan.start uci delete dhcp.lan.start
uci delete dhcp.lan.limit uci delete dhcp.lan.limit
uci delete dhcp.lan.leasetime uci delete dhcp.lan.leasetime
uci commit
reboot
EOF
my_ip=$my_lan_ip
echo "Waiting for it to come back..."
while ! ping -c1 ${my_ip}; do
echo "Cannot ping $my_ip yet - waiting"
sleep 1
done
cat <<EOF | ssh -t "root@${my_ip}"
ping -c5 ungleich.ch || exit 1
# update the sources & allow https handling
opkg update
opkg install libustream-openssl ca-bundle ca-certificates
# install wireguard + gui
opkg install wireguard
opkg install luci-app-wireguard
# VPN / Wireguard # VPN / Wireguard
uci set network.wg0=interface uci set network.wg0=interface
uci set network.wg0.proto='wireguard' uci set network.wg0.proto='wireguard'
@ -155,14 +150,23 @@ uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a' uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'
uci commit uci commit
reboot reboot
EOF EOF
my_ip=$my_lan_ip
echo "Waiting for it to come back..."
while ! ping -c1 ${my_ip}; do
echo "Cannot ping $my_ip yet - waiting"
sleep 1
done
echo "Wireguard public key and id: ${id} ${public_key}" echo "Wireguard public key and id: ${id} ${public_key}"
echo ${public_key} > ${my_hostname}.public_key echo ${public_key} > ${my_hostname}.public_key
exit 0 cat <<EOF
Open steps:
- Remove your ssh key(s) from the device
# wget -O - https://downloads.openwrt.org/releases/19.07.3/targets/x86/64/openwrt-19.07.3-x86-64-rootfs-ext4.img.gz | gunzip > /dev/sda - Setup a secure root password and forward it to the customer
EOF
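Review bot: The optional third argument documented in the new usage text and consumed by the new `if [ $# -eq 1 ]; then private_key=$1; shift` branch in the first hunk can never be reached, because the argument check at the top of the script still reads `if [ $# -ne 2 ]; then` and exits with usage as soon as three arguments are passed; it needs to become `if [ $# -lt 2 ] || [ $# -gt 3 ]; then`. Separately, passing a WireGuard private key on the command line leaves it visible in the process list and shell history; taking a file path instead (`private_key=$(cat -- "$1")`) or reading it from stdin avoids that, and `echo $private_key | wg pubkey` should at least quote the expansion. The remote heredoc in the second hunk starts with `set -x`, so if the wg0 private key is later written with `uci set` inside the same heredoc (that part is outside the visible hunk lines), it will be echoed in the trace; wrapping that line in `set +x` / `set -x` keeps the secret out of the terminal and any captured log.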