Merge branch 'master' of code.ungleich.ch:ungleich-public/ungleich-tools

openwrt/vigir-1-firmware-upgrade.sh

@@ -0,0 +1,85 @@
+#!/bin/sh
+# 2020-06-13, Nico Schottelius
+# See https://ungleich.ch/u/products/viirb-ipv6-box/
+
+if [ $# -lt 1 ]; then
+    echo "$0 interface [address]"
+    echo "    interface to add the config ip address to"
+    echo "    address: connect to this address, ignore the interface"
+    exit 1
+fi
+
+set -x
+dev=$1; shift
+
+# $# = 2
+# shift -> remove the first argument
+# $# = 1
+
+if [ $# -ge 1 ]; then
+    vigir_ip=$1; shift
+    dev=""
+else
+    vigir_ip=192.168.8.1
+fi
+
+# openwrt
+version=19.07.5
+filename=openwrt-${version}-ramips-mt7621-zbt-wg3526-16M-squashfs-sysupgrade.bin
+
+# IP address for setting it up initially
+
+if [ "$dev" ]; then
+    sudo ip addr del 192.168.8.2/24 dev "$dev" 2>/dev/null || true
+    sudo ip addr add 192.168.8.2/24 dev "$dev"
+fi
+
+# don't care about other/old known_host entries
+ssh-keygen  -R ${vigir_ip}
+
+while ! ping -c1 ${vigir_ip}; do
+    echo "Cannot ping $vigir_ip yet - waiting"
+    sleep 1
+done
+
+cat ~/.ssh/id_rsa.pub | ssh root@${vigir_ip} "cat > /etc/dropbear/authorized_keys"
+
+# Don't re-download if we already have it
+wget -c http://downloads.openwrt.org/releases/${version}/targets/ramips/mt7621/${filename}
+
+if echo $vigir_ip | grep -q :; then
+    scp_ip="[$vigir_ip]"
+else
+    scp_ip="$vigir_ip"
+fi
+
+scp ${filename} root@${scp_ip}:/tmp
+ssh root@${vigir_ip} "sysupgrade -n /tmp/*.bin"
+
+# It still pings for some time - wait for the reboot to happen
+echo "Waiting for vigir to really disappear"
+sleep 15
+
+wait=0
+found=""
+
+while [ $wait -lt 180 ]; do
+    ping -c1 ${vigir_ip} >/dev/null
+
+    if [ $? -eq 0 ]; then
+        found=yes
+        # wait for ssh to come up
+        sleep 10
+        break
+    fi
+
+    sleep 1
+    wait=$((wait+1))
+    done
+
+if [ ! "$found" ]; then
+    echo "Did not find updated vigir - debug / restart it"
+    exit 1
+fi
+
+echo "vigir successfully updated to ${version}"

openwrt/vigir-2-configure.sh

@@ -0,0 +1,194 @@
+#!/bin/sh
+# 2020-06-13, Nico Schottelius
+# See https://ungleich.ch/u/products/vigir/
+
+if [ $# -lt 2 ]; then
+    echo "$0 vigir-ip-address vigir-id [wgprivkey]"
+    echo "    vigir-ip-address: where to find the vigir"
+    echo "    vigir-id: number in decimal format"
+    echo "    wgprivkey: if specified, use this private key"
+    exit 1
+fi
+
+
+set -x
+vigir_ip=$1; shift
+id=$1; shift
+hex_id=$(printf "%0.2x\n" "$id")
+vigir_hostname=vigir${id}
+
+prefix_base=2a0a:e5c1:5
+my_prefix=${prefix_base}${hex_id}
+my_network=${my_prefix}::/48
+
+my_wireguard_ip=${my_prefix}::42
+my_lan_ip=${my_prefix}:cafe::42
+my_wifi_ip=${my_prefix}:7ea::42
+
+# wireguard
+if [ $# -eq 1 ]; then
+    private_key=$1; shift
+else
+    private_key=$(wg genkey)
+fi
+public_key=$(echo $private_key | wg pubkey)
+
+vpn_endpoint_host=vpn-2a0ae5c1500.ungleich.ch
+vpn_endpoint_pubkey=oaFiIVV1NjvDcfdtwJqR4F3k2XIC07npNgj0YjIEem4=
+
+i=0
+found=""
+while [ $i -lt 30 ]; do
+    echo "Trying to reach ${vigir_ip} ($i)"
+    if ping -c1 ${vigir_ip} >/dev/null; then
+        found="yes"
+        break
+    fi
+    i=$((i+1))
+done
+
+if [ -z "$found" ]; then
+    echo "Unable to contact vigir. Exiting"
+    exit 1
+fi
+
+
+cat <<EOF | ssh -t "root@${vigir_ip}"
+set -x
+
+# Set IPv6 address on LAN
+uci set network.lan.ip6addr='${my_lan_ip}/64'
+
+# Do not announce ULA - we have GUA
+uci delete network.globals.ula_prefix
+
+# Setup Router Advertisements / remove IPv4 dhcp
+uci set dhcp.lan.ra='server'
+
+# We do stateless by default everywhere
+uci delete dhcp.lan.dhcpv6
+
+# Fix DNS: make dnsmasq NOT use a resolv.conf
+# so that it only reads from our servers with DNS64 enabled
+uci set dhcp.@dnsmasq[0].noresolv='1'
+
+# Fix DNS: make the OS use the locally provided DNS servers
+# otherwise the VPN tunnel cannot be established
+uci set dhcp.@dnsmasq[0].localuse='0'
+
+# DNS upstream over VPN gives DNS64
+uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
+uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'
+
+uci set system.@system[0].hostname="${vigir_hostname}"
+
+# Wifi configuration
+uci set wireless.radio0=wifi-device
+uci set wireless.radio0.htmode='HT40'
+uci set wireless.radio0.country='CH'
+uci set wireless.radio0.channel='6'
+
+uci set wireless.default_radio0.encryption='psk2'
+uci set wireless.default_radio0.key='iloveipv6'
+uci set wireless.default_radio0.ssid='IPv6 everywhere ${vigir_hostname}'
+
+uci set wireless.radio1.country='CH'
+uci set wireless.default_radio1.encryption='psk2'
+uci set wireless.default_radio1.key='iloveipv6'
+uci set wireless.default_radio1.ssid='IPv6 everywhere ${vigir_hostname} 5Ghz'
+
+
+# Ensure it is not disabled
+uci delete wireless.radio0.disabled
+
+# Create temporary IPV4 CLIENT on LAN
+# This way we get Internet/upstream from the LAN port
+# Can we do this via IPv6 instead?
+# this breaks if multiple vigir are setup, as we have fake / wrong
+# dhcp server configurations.
+# easy solution: using two different networks...
+
+uci commit
+
+ping -c5 ungleich.ch || exit 1
+
+# update the sources
+opkg update
+
+# install wireguard + gui
+opkg install wireguard
+opkg install luci-app-wireguard
+
+# VPN / Wireguard
+uci set network.wg0=interface
+uci set network.wg0.proto='wireguard'
+uci set network.wg0.private_key='${private_key}'
+uci set network.wg0.listen_port='51820'
+uci set network.wg0.addresses='${my_wireguard_ip}/64'
+
+if ! uci get network.@wireguard_wg0[0]; then
+   uci add network wireguard_wg0
+fi
+
+uci set network.@wireguard_wg0[0]=wireguard_wg0
+uci set network.@wireguard_wg0[0].persistent_keepalive='25'
+uci set network.@wireguard_wg0[0].public_key="${vpn_endpoint_pubkey}"
+uci set network.@wireguard_wg0[0].description="IPv6VPN.ch by ungleich"
+uci set network.@wireguard_wg0[0].allowed_ips='::/0'
+uci set network.@wireguard_wg0[0].endpoint_host="${vpn_endpoint_host}"
+uci set network.@wireguard_wg0[0].endpoint_port='51820'
+uci set network.@wireguard_wg0[0].route_allowed_ips='1'
+
+# Firewall configuration
+if ! uci show firewall | grep "name='Allow-SSH'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-SSH'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='22'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+if ! uci show firewall | grep "name='Allow-HTTPS'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-HTTPS'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='443'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+if ! uci show firewall | grep "name='Allow-HTTP'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-HTTP'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='80'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+# Add interfaces to the right network zone
+uci set firewall.@zone[1].network='wan wan6 wg0'
+
+uci commit
+
+reboot
+EOF
+
+echo "Wireguard public key and id: ${id} ${public_key}"
+echo ${public_key} > ${vigir_hostname}.public_key
+
+# change to ipv6
+vigir_ip=${my_lan_ip}
+
+sleep 15
+
+while ! ping -c5 ${vigir_ip}; do
+    echo "Waiting for vigir ${id}"
+    sleep 2
+done
+
+echo "Wireguard public key and id: ${id} ${public_key}"

openwrt/vigir-3-vpn.sh

@@ -0,0 +1,70 @@
+#!/bin/sh
+# 2020-12-21, Nico Schottelius
+
+if [ $# -ne 3 ]; then
+    echo "$0 your-dot-cdist vigir-id public-key"
+    echo "    your-dot-cdist: path to YOUR ungleich-dot-cdist repo"
+    echo "    vigir-id: number in decimal format"
+    echo "    wireguard public key"
+    exit 1
+fi
+
+set -x
+dot_cdist=$1; shift
+id=$1; shift
+public_key=$1; shift
+
+hex_id=$(printf "%0.2x\n" "$id")
+vigir_hostname=vigir${id}
+
+prefix_base=2a0a:e5c1:5
+my_prefix=${prefix_base}${hex_id}
+my_network=${my_prefix}::/48
+my_wireguard_ip=${my_prefix}::42
+my_lan_ip=${my_prefix}:cafe::42
+my_wifi_ip=${my_prefix}:7ea::42
+
+vpn_endpoint_host=vpn-2a0ae5c1500.ungleich.ch
+
+# cdist
+dot_cdist_files=${dot_cdist}/type/__ungleich_wireguard/files
+peerfilename=${vpn_endpoint_host}.peer${hex_id}
+peerfile=${dot_cdist_files}/${peerfilename}
+vpnconfig=${dot_cdist_files}/${vpn_endpoint_host}
+
+
+# Configure VPN server / update cdist
+echo Updating VPNserver
+cat <<EOF > ${peerfile}
+# ${vigir_hostname}, $(date +%F)
+[Peer]
+PublicKey = ${public_key}
+AllowedIPs = ${my_network}
+
+EOF
+
+# Generate real config
+cat ${dot_cdist_files}/${vpn_endpoint_host}.* > ${vpnconfig}
+cd ${dot_cdist_files}
+git add ${vpn_endpoint_host} ${peerfilename}
+git commit -m "[vpn] Updated config for peer ${vigir_hostname} ${my_network}"
+git pull
+git push
+
+cdist config -v -j8 ${vpn_endpoint_host} -c ${dot_cdist}
+
+# Test that the VPN connection is established
+# Might take longer due to reboot
+sleep 10
+
+i=0
+while [ $i -lt 10 ]; do
+    ping -c1 ${my_wireguard_ip} && break
+    i=$((i+1))
+done
+
+i=0
+while [ $i -lt 30 ]; do
+    ping -c1 ${my_lan_ip} && break
+    i=$((i+1))
+done

openwrt/vigir-4-cleanup.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+# Nico Schottelius
+# 2020-12-21
+
+set -e
+set -x
+
+if [ $# -ne 2 ]; then
+    echo "$0 vigir-ip-address vigir-id"
+    echo "    vigir-ip-address: where to find the vigir"
+    echo "    vigir-id: number in decimal format"
+    exit 1
+fi
+
+vigir_ip=$1; shift
+
+id=$1; shift
+vigir_hostname=vigir${id}
+
+root_password=$(pwgen -1 32)
+
+# Save for sending to user
+# FIXME: future make this more easy / better to transfer
+echo $root_password > ${vigir_hostname}.rootpw
+
+cat <<EOF | ssh -t "root@${vigir_ip}"
+# Remove temporary IP
+
+# Correct test SSID to final one
+uci set wireless.default_radio0.ssid='IPv6 everywhere'
+uci set wireless.default_radio1.ssid='IPv6 everywhere 5Ghz'
+
+uci commit
+
+# Remove our ssh keys
+rm -f /etc/dropbear/authorized_keys
+
+# Setup root password
+printf "${root_password}\n${root_password}\n" | passwd
+
+reboot
+EOF
+
+echo "Submit to user the root password = ${root_password}"