phase in pib setup
This commit is contained in:
parent
8429201d0d
commit
7f07870d7f
1 changed files with 168 additions and 0 deletions
168
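--- /dev/null
+++ b/pib-setup.sh
@@ -0,0 +1,168 @@
+#!/bin/sh
+
+if [ $# -ne 2 ]; then
+echo "$0 ip-address vpn-network"
+echo " ip-address: where to find the PIB"
+echo " network: 2a0a:e5c0:123::/48"
+exit 1
+fi
+
+
+
+my_ip=$1; shift
+my_network=$1; shift
+
+my_prefix=$(echo $my_network | sed 's,::/.*,,')
+my_hostname=pib-$(echo ${my_prefix} | sed 's/:/-/g')
+
+my_wireguard_ip=${my_prefix}::42
+my_lan_ip=${my_prefix}:cafe::42
+my_lanv6_ip=${my_prefix}:7ea::42
+
+private_key=$(wg genkey)
+public_key=$(echo $private_key | wg pubkey)
+
+vpn_endpoint_host=vpn-2a0ae5c1.ungleich.ch
+vpn_endpoint_pubkey=hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
+
+cat <<EOF | ssh -t "root@${my_ip}"
+set -x
+
+# Global / general settings
+
+# We are never authoritative for IPv4
+uci delete dhcp.@dnsmasq[0].authoritative
+
+# Do not announce ULA - we have GUA
+uci delete network.globals.ula_prefix
+
+# Do not set/get? Was necessary, don't recall why
+uci set dhcp.@dnsmasq[0].noresolv='1'
+
+# Fix DNS: make the OS use the locally provided DNS servers
+# otherwise the VPN tunnel cannot be established
+uci set dhcp.@dnsmasq[0].localuse='0'
+
+# Remove static IPv4 from LAN / replace with DHCP
+uci delete network.lan.ipaddr
+uci delete network.lan.netmask
+uci set network.lan.ifname='eth1'
+uci set network.lan.proto='dhcp'
+
+# Add IPv6 address in LAN
+uci set network.lanv6=interface
+uci set network.lanv6.ifname='br-lan'
+uci set network.lanv6.proto='static'
+uci set network.lanv6.ifname='br-lan'
+uci add_list network.lanv6.ip6addr='${my_lan_ip}/64'
+
+# IPv6 announcements / no DHCP server on the LAN
+uci set dhcp.lan.ra='server'
+uci set dhcp.lan.ra_management='1'
+uci set dhcp.lan.ignore='1'
+
+uci set dhcp.lan.dynamicdhcp='0'
+uci delete dhcp.lan.dhcpv6
+uci delete dhcp.lan.start
+uci delete dhcp.lan.limit
+uci delete dhcp.lan.leasetime
+
+uci commit
+
+reboot
+
+EOF
+
+my_ip=$my_lan_ip
+echo "Waiting for it to come back..."
+while ! ping -c1 ${my_ip}; do
+echo "Cannot ping $my_ip yet - waiting"
+sleep 1
+done
+
+
+cat <<EOF | ssh -t "root@${my_ip}"
+ping -c5 ungleich.ch || exit 1
+
+# update the sources & allow https handling
+opkg update
+opkg install libustream-openssl ca-bundle ca-certificates
+
+# install wireguard + gui
+opkg install wireguard
+opkg install luci-app-wireguard
+
+# VPN / Wireguard
+uci set network.wg0=interface
+uci set network.wg0.proto='wireguard'
+uci set network.wg0.private_key='${private_key}'
+uci set network.wg0.listen_port='51820'
+uci set network.wg0.addresses='${my_wireguard_ip}/64'
+
+if ! uci get network.@wireguard_wg0[0]; then
+uci add network wireguard_wg0
+fi
+
+uci set network.@wireguard_wg0[0]=wireguard_wg0
+uci set network.@wireguard_wg0[0].persistent_keepalive='25'
+uci set network.@wireguard_wg0[0].public_key='${vpn_endpoint_pubkey}'
+uci set network.@wireguard_wg0[0].description='IPv6VPN.ch by ungleich'
+uci set network.@wireguard_wg0[0].allowed_ips='::/0'
+uci set network.@wireguard_wg0[0].endpoint_host='${vpn_endpoint_host}'
+uci set network.@wireguard_wg0[0].endpoint_port='51820'
+uci set network.@wireguard_wg0[0].route_allowed_ips='1'
+
+uci set system.@system[0].hostname="${my_hostname}"
+
+# Firewall configuration
+if ! uci show firewall | grep "name='Allow-SSH'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-SSH'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='22'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+if ! uci show firewall | grep "name='Allow-HTTPS'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-HTTPS'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='443'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+if ! uci show firewall | grep "name='Allow-HTTP'"; then
+uci add firewall rule
+uci set firewall.@rule[-1].name='Allow-HTTP'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].dest='lan'
+uci set firewall.@rule[-1].proto='tcp'
+uci set firewall.@rule[-1].dest_port='80'
+uci set firewall.@rule[-1].target='ACCEPT'
+fi
+
+# Add interfaces to the right network zone
+uci set firewall.@zone[0].network='lan lanv6'
+uci set firewall.@zone[1].network='wan wg0'
+
+# DNS upstream over VPN gives DNS64
+uci delete dhcp.@dnsmasq[0].server
+uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
+uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'
+
+uci commit
+
+reboot
+EOF
+
+echo "Wireguard public key and id: ${id} ${public_key}"
+echo ${public_key} > ${my_hostname}.public_key
+
+exit 0
+
+
+# wget -O - https://downloads.openwrt.org/releases/19.07.3/targets/x86/64/openwrt-19.07.3-x86-64-rootfs-ext4.img.gz | gunzip > /dev/sda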
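Review bot: The three firewall rules in the second heredoc are forwarding rules (`src='wan'` together with `dest='lan'`) with no destination restriction, so they accept TCP 22, 443 and 80 arriving from the wan/wg0 zone towards every host in the lan/lanv6 zone, not just the router; because the LAN is given a routable GUA prefix via lanv6, every LAN device's SSH/HTTP/HTTPS becomes reachable from the Internet and the VPN. If the goal is to reach the router's own SSH and LuCI, drop the `uci set firewall.@rule[-1].dest='lan'` line in each of the three blocks so they become input rules; if LAN-wide exposure is intended, a comment above `# Firewall configuration` stating that would help the next reader. Separately, `${id}` in the final echo is never assigned anywhere in the script, so that message always prints an empty id. The exit status of the second `ssh` is also never checked, so a failed `ping -c5 ungleich.ch || exit 1` or a failed `opkg install wireguard` still lets the script write the public key file and `exit 0` as if provisioning succeeded; `cat <<EOF | ssh -t "root@${my_ip}" || exit 1` would surface that. Minor: `network.lanv6.ifname='br-lan'` is set twice and `my_lanv6_ip` is assigned but never used.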