diff --git a/openwrt/vigir-1-firmware-upgrade.sh b/openwrt/vigir-1-firmware-upgrade.sh
new file mode 100755
index 0000000..e192bc9
--- /dev/null
+++ b/openwrt/vigir-1-firmware-upgrade.sh
@@ -0,0 +1,85 @@
+#!/bin/sh
+# 2020-06-13, Nico Schottelius
+# See https://ungleich.ch/u/products/viirb-ipv6-box/
+
+if [ $# -lt 1 ]; then
+ echo "$0 interface [address]"
+ echo " interface to add the config ip address to"
+ echo " address: connect to this address, ignore the interface"
+ exit 1
+fi
+
+set -x
+dev=$1; shift
+
+# $# = 2
+# shift -> remove the first argument
+# $# = 1
+
+if [ $# -ge 1 ]; then
+ vigir_ip=$1; shift
+ dev=""
+else
+ vigir_ip=192.168.8.1
+fi
+
+# openwrt
+version=19.07.5
+filename=openwrt-${version}-ramips-mt7621-zbt-wg3526-16M-squashfs-sysupgrade.bin
+
+# IP address for setting it up initially
+
+if [ "$dev" ]; then
+ sudo ip addr del 192.168.8.2/24 dev "$dev" 2>/dev/null || true
+ sudo ip addr add 192.168.8.2/24 dev "$dev"
+fi
+
+# don't care about other/old known_host entries
+ssh-keygen -R ${vigir_ip}
+
+while ! ping -c1 ${vigir_ip}; do
+ echo "Cannot ping $vigir_ip yet - waiting"
+ sleep 1
+done
+
+cat ~/.ssh/id_rsa.pub | ssh root@${vigir_ip} "cat > /etc/dropbear/authorized_keys"
+
+# Don't re-download if we already have it
+wget -c http://downloads.openwrt.org/releases/${version}/targets/ramips/mt7621/$(unknown)
+
+if echo $vigir_ip | grep -q :; then
+ scp_ip="[$vigir_ip]"
+else
+ scp_ip="$vigir_ip"
+fi
+
+scp $(unknown) root@${scp_ip}:/tmp
+ssh root@${vigir_ip} "sysupgrade -n /tmp/*.bin"
+
+# It still pings for some time - wait for the reboot to happen
+echo "Waiting for vigir to really disappear"
+sleep 15
+
+wait=0
+found=""
+
+while [ $wait -lt 180 ]; do
+ ping -c1 ${vigir_ip} >/dev/null
+
+ if [ $? -eq 0 ]; then
+ found=yes
+ # wait for ssh to come up
+ sleep 10
+ break
+ fi
+
+ sleep 1
+ wait=$((wait+1))
+ done
+
+if [ ! "$found" ]; then
+ echo "Did not find updated vigir - debug / restart it"
+ exit 1
+fi
+
+echo "vigir successfully updated to ${version}"
diff --git a/openwrt/vigir-2-configure.sh b/openwrt/vigir-2-configure.sh
new file mode 100755
index 0000000..5a4ba21
--- /dev/null
+++ b/openwrt/vigir-2-configure.sh
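Review bot: The sysupgrade image is fetched over plain http and flashed with no integrity check: `wget -c http://downloads.openwrt.org/...` followed by `ssh root@${vigir_ip} "sysupgrade -n /tmp/*.bin"` installs whatever arrived, or whatever already sat in the device's /tmp, because nothing aborts when wget or scp fail (the script sets only -x). Fetching over https and checking the image against the release's `sha256sums` before the scp closes the first gap; `set -e` near the top, or `|| exit 1` on wget, scp and the sysupgrade ssh, closes the second. Note also that `filename` is assigned but the wget and scp lines as captured reference `$(unknown)`, which is defined nowhere in this file — if that is not an artifact of how the patch was rendered, both should read `"${filename}"`. The manifest comes from the same origin as the image, so it only defends against corrupted or truncated downloads; end-to-end authenticity needs the signature OpenWrt publishes alongside it.
```shell
# … unchanged: argument handling, interface address, ssh key push …
base_url="https://downloads.openwrt.org/releases/${version}/targets/ramips/mt7621"
# Don't re-download if we already have it
wget -c "${base_url}/${filename}" || exit 1
# Refuse to flash an image whose digest does not match the release manifest
wget -O sha256sums "${base_url}/sha256sums" || exit 1
grep -- "[ *]${filename}\$" sha256sums | sha256sum -c - || exit 1
# … unchanged: scp_ip bracket handling …
scp "${filename}" "root@${scp_ip}:/tmp" || exit 1
ssh "root@${vigir_ip}" "sysupgrade -n /tmp/${filename}" || exit 1
```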
@@ -0,0 +1,194 @@
+#!/bin/sh
+# 2020-06-13, Nico Schottelius
+# See https://ungleich.ch/u/products/vigir/
+
+if [ $# -lt 2 ]; then
+ echo "$0 vigir-ip-address vigir-id [wgprivkey]"
+ echo " vigir-ip-address: where to find the vigir"
+ echo " vigir-id: number in decimal format"
+ echo " wgprivkey: if specified, use this private key"
+ exit 1
+fi
+
+
+set -x
+vigir_ip=$1; shift
+id=$1; shift
+hex_id=$(printf "%0.2x\n" "$id")
+vigir_hostname=vigir${id}
+
+prefix_base=2a0a:e5c1:5
+my_prefix=${prefix_base}${hex_id}
+my_network=${my_prefix}::/48
+
+my_wireguard_ip=${my_prefix}::42
+my_lan_ip=${my_prefix}:cafe::42
+my_wifi_ip=${my_prefix}:7ea::42
+
+# wireguard
+if [ $# -eq 1 ]; then
+ private_key=$1; shift
+else
+ private_key=$(wg genkey)
+fi
+public_key=$(echo $private_key | wg pubkey)
+
+vpn_endpoint_host=vpn-2a0ae5c1500.ungleich.ch
+vpn_endpoint_pubkey=oaFiIVV1NjvDcfdtwJqR4F3k2XIC07npNgj0YjIEem4=
+
+i=0
+found=""
+while [ $i -lt 30 ]; do
+ echo "Trying to reach ${vigir_ip} ($i)"
+ if ping -c1 ${vigir_ip} >/dev/null; then
+ found="yes"
+ break
+ fi
+ i=$((i+1))
+done
+
+if [ -z "$found" ]; then
+ echo "Unable to contact vigir. Exiting"
+ exit 1
+fi
+
+
+cat < ${vigir_hostname}.public_key
+
+# change to ipv6
+vigir_ip=${my_lan_ip}
+
+sleep 15
+
+while ! ping -c5 ${vigir_ip}; do
+ echo "Waiting for vigir ${id}"
+ sleep 2
+done
+
+echo "Wireguard public key and id: ${id} ${public_key}"
diff --git a/openwrt/vigir-3-vpn.sh b/openwrt/vigir-3-vpn.sh
new file mode 100755
index 0000000..615594a
--- /dev/null
+++ b/openwrt/vigir-3-vpn.sh
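Review bot: `set -x` is enabled before the WireGuard private key is handled, so `private_key=$(wg genkey)` and `public_key=$(echo $private_key | wg pubkey)` both trace the secret to stderr, where it ends up in terminal scrollback or any log of the run; the optional `[wgprivkey]` argument is additionally visible to every local user in the process list for as long as the script runs. Wrap the key handling in `set +x` / `set -x` and derive the public key as `public_key=$(printf '%s' "$private_key" | wg pubkey)` so the value is never echoed; reading the key from a file or stdin instead of argv would close the process-list exposure as well. The hunk declares 194 lines but far fewer are shown here — everything between `cat <` and `${vigir_hostname}.public_key` appears to have been dropped when the patch was captured (likely a `<<EOF` heredoc piped to the device), so the part that pushes the configuration could not be reviewed.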
@@ -0,0 +1,70 @@
+#!/bin/sh
+# 2020-12-21, Nico Schottelius
+
+if [ $# -ne 3 ]; then
+ echo "$0 your-dot-cdist vigir-id public-key"
+ echo " your-dot-cdist: path to YOUR ungleich-dot-cdist repo"
+ echo " vigir-id: number in decimal format"
+ echo " wireguard public key"
+ exit 1
+fi
+
+set -x
+dot_cdist=$1; shift
+id=$1; shift
+public_key=$1; shift
+
+hex_id=$(printf "%0.2x\n" "$id")
+vigir_hostname=vigir${id}
+
+prefix_base=2a0a:e5c1:5
+my_prefix=${prefix_base}${hex_id}
+my_network=${my_prefix}::/48
+my_wireguard_ip=${my_prefix}::42
+my_lan_ip=${my_prefix}:cafe::42
+my_wifi_ip=${my_prefix}:7ea::42
+
+vpn_endpoint_host=vpn-2a0ae5c1500.ungleich.ch
+
+# cdist
+dot_cdist_files=${dot_cdist}/type/__ungleich_wireguard/files
+peerfilename=${vpn_endpoint_host}.peer${hex_id}
+peerfile=${dot_cdist_files}/${peerfilename}
+vpnconfig=${dot_cdist_files}/${vpn_endpoint_host}
+
+
+# Configure VPN server / update cdist
+echo Updating VPNserver
+cat < ${peerfile}
+# ${vigir_hostname}, $(date +%F)
+[Peer]
+PublicKey = ${public_key}
+AllowedIPs = ${my_network}
+
+EOF
+
+# Generate real config
+cat ${dot_cdist_files}/${vpn_endpoint_host}.* > ${vpnconfig}
+cd ${dot_cdist_files}
+git add ${vpn_endpoint_host} ${peerfilename}
+git commit -m "[vpn] Updated config for peer ${vigir_hostname} ${my_network}"
+git pull
+git push
+
+cdist config -v -j8 ${vpn_endpoint_host} -c ${dot_cdist}
+
+# Test that the VPN connection is established
+# Might take longer due to reboot
+sleep 10
+
+i=0
+while [ $i -lt 10 ]; do
+ ping -c1 ${my_wireguard_ip} && break
+ i=$((i+1))
+done
+
+i=0
+while [ $i -lt 30 ]; do
+ ping -c1 ${my_lan_ip} && break
+ i=$((i+1))
+done
diff --git a/openwrt/vigir-4-cleanup.sh b/openwrt/vigir-4-cleanup.sh
new file mode 100755
index 0000000..6e16ea4
--- /dev/null
+++ b/openwrt/vigir-4-cleanup.sh
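Review bot: `PublicKey = ${public_key}` writes the third argument into the server-side peer file without any validation, and the following `git commit`, `git push` and `cdist config` run regardless of whether an earlier step failed (the script sets only -x), so an empty or mistyped key is committed and deployed into the VPN server's WireGuard config before anyone notices. A format check right after the argument parsing, `printf '%s' "$public_key" | grep -Eq '^[A-Za-z0-9+/]{43}=$' || exit 1`, rejects anything that is not a base64-encoded 32-byte key, and `set -e` at the top stops the push and the deploy after a failed `cd` or `git pull`. `cat ${dot_cdist_files}/${vpn_endpoint_host}.* > ${vpnconfig}` also folds every file matching that glob into the served config, so editor backups or stray files in that directory would be deployed too; a comment stating the expected naming, or a tighter pattern if the scheme allows one, would help. The `cat < ${peerfile}` line is presumably `cat <<EOF > ${peerfile}` with the heredoc marker lost in rendering.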
@@ -0,0 +1,44 @@
+#!/bin/sh
+# Nico Schottelius
+# 2020-12-21
+
+set -e
+set -x
+
+if [ $# -ne 2 ]; then
+ echo "$0 vigir-ip-address vigir-id"
+ echo " vigir-ip-address: where to find the vigir"
+ echo " vigir-id: number in decimal format"
+ exit 1
+fi
+
+vigir_ip=$1; shift
+
+id=$1; shift
+vigir_hostname=vigir${id}
+
+root_password=$(pwgen -1 32)
+
+# Save for sending to user
+# FIXME: future make this more easy / better to transfer
+echo $root_password > ${vigir_hostname}.rootpw
+
+cat <