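#!/bin/sh
#
# Provision a factory-reset OpenWRT "pib" (APU) as an IPv6-only VPN router.
#
# Assumptions:
#  - pib (APU) is factory reset OpenWRT
#  - WAN port is connected with an active upstream (pib has internet
#    connectivity via WAN port)
#  - You are connected via LAN and you can ssh into it
#
# How it works:
#  - derives hostname, WireGuard address and LAN address from the customer's
#    /48 (see the my_* assignments below)
#  - pushes a uci configuration to the device over ssh (WireGuard tunnel,
#    IPv6-only LAN, DNS64 upstreams, firewall rules) and reboots it
#  - waits until the device answers on its new LAN address, then stores the
#    WireGuard public key locally as <hostname>.public_key
#
# Usage: $0 ip-address vpn-network [wireguard-private-key]
#   ip-address:  where to find the PIB right now (factory LAN address)
#   vpn-network: the customer's prefix, e.g. 2a0a:e5c0:123::/48
#   private-key: an existing WireGuard private key; generated when omitted
#
# Exit status: 1 on bad arguments, on a failed key generation/derivation,
# or when the remote provisioning session fails.

if [ $# -lt 2 ]; then
  echo "$0 ip-address vpn-network [wireguard-private-key]" >&2
  echo "  ip-address:  where to find the PIB" >&2
  echo "  network:     2a0a:e5c0:123::/48" >&2
  echo "  private-key: specify if you already have a private key" >&2
  exit 1
fi

my_ip=$1; shift
my_network=$1; shift

# Everything before the first "::/" is used as the prefix below, so insist
# on prefix notation instead of silently producing a broken hostname.
case "$my_network" in
  *::/*) ;;
  *)
    echo "vpn-network must look like 2a0a:e5c0:123::/48, got: $my_network" >&2
    exit 1
    ;;
esac

# NOTE: a key passed as an argument is visible to other local users in the
# process list for the lifetime of this script; letting the script generate
# the key avoids that.
if [ $# -eq 1 ]; then
  private_key=$1; shift
else
  private_key=$(wg genkey) || exit 1
fi

my_prefix=${my_network%%::/*}
my_hostname=pib-$(printf '%s' "$my_prefix" | sed 's/:/-/g')
my_wireguard_ip=${my_prefix}::42
my_lan_ip=${my_prefix}:cafe::42

# wg pubkey reads the private key from stdin; printf avoids echo's
# option/backslash handling and keeps the key out of any argv.
public_key=$(printf '%s\n' "$private_key" | wg pubkey) || exit 1

vpn_endpoint_host=vpn-2a0ae5c1.ungleich.ch
vpn_endpoint_pubkey=hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=

# The heredoc delimiter is unquoted on purpose: the ${my_*}, ${private_key}
# and ${vpn_endpoint_*} values are expanded locally before being sent as the
# remote shell's stdin.
cat <<EOF | ssh -t "root@${my_ip}" || exit 1
set -x

# Check if we can reach upstream - otherwise abort
ping6 -c5 ungleich.ch || ping -c5 ungleich.ch || exit 1

# update the sources & allow https handling
opkg update
opkg install libustream-openssl ca-bundle ca-certificates

# install wireguard + gui
opkg install wireguard luci-app-wireguard

# We are never authoritative for IPv4
uci delete dhcp.@dnsmasq[0].authoritative

# Do not announce ULA - we have GUA
uci delete network.globals.ula_prefix

# Setup hostname
uci set system.@system[0].hostname="${my_hostname}"

# Do not set/get? Was necessary, don't recall why
uci set dhcp.@dnsmasq[0].noresolv='1'

# Fix DNS: make the OS use the locally provided DNS servers
# otherwise the VPN tunnel cannot be established
uci set dhcp.@dnsmasq[0].localuse='0'

# Remove static IPv4 on LAN
uci delete network.lan.ipaddr
uci delete network.lan.netmask

# Setup IPv6 on LAN
uci add_list network.lan.ip6addr='${my_lan_ip}/64'

# IPv6 announcements
uci set dhcp.lan.ra='server'
uci set dhcp.lan.ra_management='1'

# No DHCP server on the LAN
uci set dhcp.lan.ignore='1'

# Cleanup dhcp options
# Disable any dynamic leases
uci set dhcp.lan.dynamicdhcp='0'

# Remove dhcpv6 server
uci delete dhcp.lan.dhcpv6

# Remove leftover from the dhcpv4 server items
uci delete dhcp.lan.start
uci delete dhcp.lan.limit
uci delete dhcp.lan.leasetime

# VPN / Wireguard
uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
# Suspend tracing for this one line so the private key does not end up in
# the terminal output / session log of whoever runs this script.
set +x
uci set network.wg0.private_key='${private_key}'
set -x
uci set network.wg0.listen_port='51820'
uci set network.wg0.addresses='${my_wireguard_ip}/64'

if ! uci get network.@wireguard_wg0[0]; then
  uci add network wireguard_wg0
fi

uci set network.@wireguard_wg0[0]=wireguard_wg0
uci set network.@wireguard_wg0[0].persistent_keepalive='25'
uci set network.@wireguard_wg0[0].public_key='${vpn_endpoint_pubkey}'
uci set network.@wireguard_wg0[0].description='IPv6VPN.ch by ungleich'
uci set network.@wireguard_wg0[0].allowed_ips='::/0'
uci set network.@wireguard_wg0[0].endpoint_host='${vpn_endpoint_host}'
uci set network.@wireguard_wg0[0].endpoint_port='51820'
uci set network.@wireguard_wg0[0].route_allowed_ips='1'

# Firewall configuration
# NOTE(review): the three rules below forward tcp/22, tcp/443 and tcp/80
# from the wan zone (which also contains wg0, see below) into the lan zone
# for any source address. Confirm this exposure of LAN hosts is intended.
if ! uci show firewall | grep -q "name='Allow-SSH'"; then
  uci add firewall rule
  uci set firewall.@rule[-1].name='Allow-SSH'
  uci set firewall.@rule[-1].src='wan'
  uci set firewall.@rule[-1].dest='lan'
  uci set firewall.@rule[-1].proto='tcp'
  uci set firewall.@rule[-1].dest_port='22'
  uci set firewall.@rule[-1].target='ACCEPT'
fi

if ! uci show firewall | grep -q "name='Allow-HTTPS'"; then
  uci add firewall rule
  uci set firewall.@rule[-1].name='Allow-HTTPS'
  uci set firewall.@rule[-1].src='wan'
  uci set firewall.@rule[-1].dest='lan'
  uci set firewall.@rule[-1].proto='tcp'
  uci set firewall.@rule[-1].dest_port='443'
  uci set firewall.@rule[-1].target='ACCEPT'
fi

if ! uci show firewall | grep -q "name='Allow-HTTP'"; then
  uci add firewall rule
  uci set firewall.@rule[-1].name='Allow-HTTP'
  uci set firewall.@rule[-1].src='wan'
  uci set firewall.@rule[-1].dest='lan'
  uci set firewall.@rule[-1].proto='tcp'
  uci set firewall.@rule[-1].dest_port='80'
  uci set firewall.@rule[-1].target='ACCEPT'
fi

# Add interfaces to the right network zone
uci set firewall.@zone[0].network='lan lanv6'
uci set firewall.@zone[1].network='wan wg0'

# DNS upstream over VPN gives DNS64
uci delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'

# This is the save & apply button in LUCI (or just save button)
uci commit

reboot
EOF

# After the reboot the device is only reachable on its new IPv6 LAN address.
my_ip=$my_lan_ip

echo "Waiting for it to come back..."
# Same fallback as the remote reachability check: some hosts still need
# ping6 for IPv6 targets, others only ship ping.
while ! { ping6 -c1 "$my_ip" || ping -c1 "$my_ip"; }; do
  echo "Cannot ping $my_ip yet - waiting"
  sleep 2
done

# The hostname doubles as the device id; the public key file below is
# named after it.
echo "Wireguard public key and id: ${my_hostname} ${public_key}"
printf '%s\n' "$public_key" > "${my_hostname}.public_key"

cat <<'EOF'
Open steps:
 - Remove your ssh key(s) from the device (if any are present)
 - Setup a secure root password and forward it to the customer
 - Ensure that the VPN works
 - Connect to the LAN port and surf in the Internet IPv6 only!
EOF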