From 587599a74a8076fb23568b55fad0e7b9b53f5d45 Mon Sep 17 00:00:00 2001
From: Nico Schottelius <nico@nico-notebook.schottelius.org>
Date: Mon, 21 Dec 2020 20:24:52 +0100
Subject: [PATCH] [vigir] phase in 2/3/4 scripts

---
 openwrt/vigir-2-configure.sh | 206 +++++++++++++++++++++++++++++++++++
 openwrt/vigir-3-vpn.sh       |  70 ++++++++++++
 openwrt/vigir-4-cleanup.sh   |  42 +++++++
 3 files changed, 318 insertions(+)
 create mode 100755 openwrt/vigir-2-configure.sh
 create mode 100755 openwrt/vigir-3-vpn.sh
 create mode 100755 openwrt/vigir-4-cleanup.sh

diff --git a/openwrt/vigir-2-configure.sh b/openwrt/vigir-2-configure.sh
new file mode 100755
index 0000000..d692f01
--- /dev/null
+++ b/openwrt/vigir-2-configure.sh
@@ -0,0 +1,206 @@
+#!/bin/sh
+# 2020-06-13, Nico Schottelius
+# See https://ungleich.ch/u/products/vigir/
+
+if [ $# -lt 2 ]; then
+    echo "$0 vigir-ip-address vigir-id [wgprivkey]"
+    echo "    vigir-ip-address: where to find the vigir"
+    echo "    vigir-id: number in decimal format"
+    echo "    wgprivkey: if specified, use this private key"
+    exit 1
+fi
+
+
+set -x
+vigir_ip=$1; shift
+id=$1; shift
+hex_id=$(printf "%0.2x\n" "$id")
+vigir_hostname=vigir${id}
+
+prefix_base=2a0a:e5c1:5
+my_prefix=${prefix_base}${hex_id}
+my_network=${my_prefix}::/48
+
+my_wireguard_ip=${my_prefix}::42
+my_lan_ip=${my_prefix}:cafe::42
+my_wifi_ip=${my_prefix}:7ea::42
+
+# wireguard
+if [ $# -eq 1 ]; then
+    private_key=$1; shift
+else
+    private_key=$(wg genkey)
+fi
+public_key=$(echo $private_key | wg pubkey)
+
+vpn_endpoint_host=vpn-2a0ae5c1500.ungleich.ch
+vpn_endpoint_pubkey=ygZQW3OSiMJl/RpKyaJVE0GSt6bjEDnoxdMJsNiloRE=
+
+i=0
+found=""
+while [ $i -lt 30 ]; do
+    echo "Trying to reach ${vigir_ip} ($i)"
+    if ping -c1 ${vigir_ip} >/dev/null; then
+        found="yes"
+        break
+    fi
+    i=$((i+1))
+done
+
+if [ -z "$found" ]; then
+    echo "Unable to contact vigir. Exiting"
+    exit 1
+fi
+
+
+cat <<EOF | ssh -t "root@${vigir_ip}"
+set -x
+# Setup lan to also retrieve an ip address via dhcp
+
+# Adjust LAN to be IPv6 only
+uci delete network.lan.ipaddr
+uci delete network.lan.netmask
+uci set network.lan.ip6addr='${my_lan_ip}/64'
+
+# Do not announce ULA - we have GUA
+uci delete network.globals.ula_prefix
+
+# Setup Router Advertisements / remove IPv4 dhcp
+uci set dhcp.lan.ra='server'
+uci set dhcp.lan.dynamicdhcp='0'
+
+uci delete dhcp.@dnsmasq[0].authoritative
+
+uci delete dhcp.lan.start
+uci delete dhcp.lan.limit
+uci delete dhcp.lan.leasetime
+
+# We do stateless by default everywhere
+uci delete dhcp.lan.dhcpv6
+
+# Fix DNS: make dnsmasq NOT use a resolv.conf
+# so that it only reads from our servers with DNS64 enabled
+uci set dhcp.@dnsmasq[0].noresolv='1'
+
+# Fix DNS: make the OS use the locally provided DNS servers
+# otherwise the VPN tunnel cannot be established
+uci set dhcp.@dnsmasq[0].localuse='0'
+
+# DNS upstream over VPN gives DNS64
+uci delete dhcp.@dnsmasq[0].server
+uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
+uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'
+
+uci set system.@system[0].hostname="${vigir_hostname}"
+
+# wifi ip address
+# uci set network.wifi=interface
+# uci set network.wifi.proto='static'
+# uci set network.wifi.ip6addr='${my_wifi_ip}/64'
+
+# Wifi configuration
+uci set wireless.radio0=wifi-device
+uci set wireless.radio0.htmode='HT40'
+uci set wireless.radio0.country='CH'
+uci set wireless.radio0.channel='6'
+uci set wireless.default_radio0.encryption='psk2'
+uci set wireless.default_radio0.key='iloveipv6'
+uci set wireless.default_radio0.ssid='IPv6 everywhere ${vigir_hostname}'
+
+# Ensure it is not disabled
+uci delete wireless.radio0.disabled
+
+# Create temporary IPV4 CLIENT on LAN
+# This way we get Internet/upstream from the LAN port
+# Can we do this via IPv6 instead?
+# this breaks if multiple vigir are setup, as we have fake / wrong
+# dhcp server configurations.
+# easy solution: using two different networks...
+
+uci commit
+
+# ensure no overlapping networks are there
+ip addr del 192.168.1.1/24 dev br-lan
+
+ping -c5 ungleich.ch || exit 1
+
+# update the sources
+opkg update
+
+# install wireguard + gui
+opkg install wireguard
+opkg install luci-app-wireguard
+
+# VPN / Wireguard
+uci set network.wg0=interface
+uci set network.wg0.proto='wireguard'
+uci set network.wg0.private_key='${private_key}'
+uci set network.wg0.listen_port='51820'
+uci set network.wg0.addresses='${my_wireguard_ip}/64'
+
+if ! uci get network.@wireguard_wg0[0]; then
+   uci add network wireguard_wg0
+fi
+
+uci set network.@wireguard_wg0[0]=wireguard_wg0
+uci set network.@wireguard_wg0[0].persistent_keepalive='25'
+uci set network.@wireguard_wg0[0].public_key="${vpn_endpoint_pubkey}"
+uci set network.@wireguard_wg0[0].description="IPv6VPN.ch by ungleich"
+uci set network.@wireguard_wg0[0].allowed_ips='::/0'
+uci set network.@wireguard_wg0[0].endpoint_host="${vpn_endpoint_host}"
+uci set network.@wireguard_wg0[0].endpoint_port='51820'
+uci set network.@wireguard_wg0[0].route_allowed_ips='1'
+
+# Firewall configuration
+if ! uci show firewall | grep "name='Allow-SSH'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-SSH'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='22'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+if ! uci show firewall | grep "name='Allow-HTTPS'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-HTTPS'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='443'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+if ! uci show firewall | grep "name='Allow-HTTP'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-HTTP'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='80'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+# Add interfaces to the right network zone
+uci set firewall.@zone[1].network='wan wan6 wg0'
+
+uci commit
+
+reboot
+EOF
+
+echo "Wireguard public key and id: ${id} ${public_key}"
+echo ${public_key} > ${vigir_hostname}.public_key
+
+# change to ipv6
+vigir_ip=${my_lan_ip}
+
+sleep 15
+
+while ! ping -c5 ${vigir_ip}; do
+    echo "Waiting for vigir ${id}"
+    sleep 2
+done
+
+echo "Wireguard public key and id: ${id} ${public_key}"
diff --git a/openwrt/vigir-3-vpn.sh b/openwrt/vigir-3-vpn.sh
new file mode 100755
index 0000000..615594a
--- /dev/null
+++ b/openwrt/vigir-3-vpn.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+# 2020-12-21, Nico Schottelius
+
+if [ $# -ne 3 ]; then
+    echo "$0 your-dot-cdist vigir-id public-key"
+    echo "    your-dot-cdist: path to YOUR ungleich-dot-cdist repo"
+    echo "    vigir-id: number in decimal format"
+    echo "    wireguard public key"
+    exit 1
+fi
+
+set -x
+dot_cdist=$1; shift
+id=$1; shift
+public_key=$1; shift
+
+hex_id=$(printf "%0.2x\n" "$id")
+vigir_hostname=vigir${id}
+
+prefix_base=2a0a:e5c1:5
+my_prefix=${prefix_base}${hex_id}
+my_network=${my_prefix}::/48
+my_wireguard_ip=${my_prefix}::42
+my_lan_ip=${my_prefix}:cafe::42
+my_wifi_ip=${my_prefix}:7ea::42
+
+vpn_endpoint_host=vpn-2a0ae5c1500.ungleich.ch
+
+# cdist
+dot_cdist_files=${dot_cdist}/type/__ungleich_wireguard/files
+peerfilename=${vpn_endpoint_host}.peer${hex_id}
+peerfile=${dot_cdist_files}/${peerfilename}
+vpnconfig=${dot_cdist_files}/${vpn_endpoint_host}
+
+
+# Configure VPN server / update cdist
+echo Updating VPNserver
+cat <<EOF > ${peerfile}
+# ${vigir_hostname}, $(date +%F)
+[Peer]
+PublicKey = ${public_key}
+AllowedIPs = ${my_network}
+
+EOF
+
+# Generate real config
+cat ${dot_cdist_files}/${vpn_endpoint_host}.* > ${vpnconfig}
+cd ${dot_cdist_files}
+git add ${vpn_endpoint_host} ${peerfilename}
+git commit -m "[vpn] Updated config for peer ${vigir_hostname} ${my_network}"
+git pull
+git push
+
+cdist config -v -j8 ${vpn_endpoint_host} -c ${dot_cdist}
+
+# Test that the VPN connection is established
+# Might take longer due to reboot
+sleep 10
+
+i=0
+while [ $i -lt 10 ]; do
+    ping -c1 ${my_wireguard_ip} && break
+    i=$((i+1))
+done
+
+i=0
+while [ $i -lt 30 ]; do
+    ping -c1 ${my_lan_ip} && break
+    i=$((i+1))
+done
diff --git a/openwrt/vigir-4-cleanup.sh b/openwrt/vigir-4-cleanup.sh
new file mode 100755
index 0000000..8b85106
--- /dev/null
+++ b/openwrt/vigir-4-cleanup.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+# Nico Schottelius
+# 2020-12-21
+
+set -e
+set -x
+
+if [ $# -ne 2 ]; then
+    echo "$0 vigir-ip-address vigir-id"
+    echo "    vigir-ip-address: where to find the vigir"
+    echo "    vigir-id: number in decimal format"
+    exit 1
+fi
+
+vigir_ip=$1; shift
+
+id=$1; shift
+vigir_hostname=vigir${id}
+
+root_password=$(pwgen -1 32)
+
+# Save for sending to user
+# FIXME: future make this more easy / better to transfer
+echo $root_password > ${vigir_hostname}.rootpw
+
+cat <<EOF | ssh -t "root@${vigir_ip}"
+# Remove temporary IP
+
+# Correct test SSID to final one
+uci set wireless.default_radio0.ssid='IPv6 everywhere'
+uci commit
+
+# Remove our ssh keys
+rm -f /etc/dropbear/authorized_keys
+
+# Setup root password
+printf "${root_password}\n${root_password}\n" | passwd
+
+reboot
+EOF
+
+echo "Submit to user the root password = ${root_password}"