#!/bin/sh
# 2020-06-13, 2022-01-20, Nico Schottelius
# Add a VPN to one of our devices
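# Usage check: device-ip and device-name are mandatory, the WireGuard private
# key is optional (a fresh one is generated when it is omitted).
# The synopsis used to read "device-ip vpn-server", which does not match the
# arguments the script actually consumes; usage text goes to stderr so it never
# mixes with the key/id that is printed on stdout at the end.
if [ $# -lt 2 ]; then
  printf '%s\n' "$0 device-ip device-name [wireguard-private-key]" >&2
  printf '%s\n' " device-ip: where to find the device" >&2
  printf '%s\n' " device-name: device we configure" >&2
  printf '%s\n' " [wireguard-private-key]: wg key to reuse" >&2
  exit 1
fi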
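# TODO: get & set vpnserver network & co. via REST instead of the table below?

device_ip=$1; shift
device_name=$1; shift

# The device name is later pasted into a shell script that runs on the device
# (hostname, SSID), so only hostname-like characters are accepted. Anything
# else is refused here, before we talk to the device at all.
case $device_name in
  ''|*[!A-Za-z0-9._-]*)
    printf '%s\n' "invalid device name '${device_name}': only [A-Za-z0-9._-] is allowed" >&2
    exit 1
    ;;
esac

# Whitelisting of enabled networks.
# The last four characters of the device name are the device id; the first two
# of those select the VPN server (and therefore the endpoint and its pubkey).
case $device_name in
  *-03??|*-09??|*-0a??)
    # The pattern above guarantees the name ends in "-XXXX", so the id is the
    # last four characters -- the same result the former sed call produced,
    # without word-splitting an unquoted $device_name through echo.
    device_id=${device_name#"${device_name%????}"}
    vpnserver_id=${device_id%??}
    prefix_base=2a0a:e5c1:${device_id}
    vpn_endpoint_host=vpn-2a0ae5c1${vpnserver_id}.ungleich.ch

    # Public key of the VPN server we peer with, per server id.
    # NOTE(review): the whitelist above accepts server ids 03, 09 and 0a, but
    # this table knows 03, 05, 06, 09 and a0. "0a" vs "a0" and the absent
    # 05/06 whitelist entries look inconsistent -- confirm against the servers.
    case $vpnserver_id in
      03) # cdist, viirb, linthal
        vpn_endpoint_pubkey="ft68G2RID7gZ6PXjFCSCOdJ9yspRg+tUw0YrNK9cTxE="
        ;;
      05) # cdist, vigir, linthal
        vpn_endpoint_pubkey="oaFiIVV1NjvDcfdtwJqR4F3k2XIC07npNgj0YjIEem4="
        ;;
      06) # cdist, viwib, linthal
        vpn_endpoint_pubkey="ygZQW3OSiMJl/RpKyaJVE0GSt6bjEDnoxdMJsNiloRE="
        ;;
      09) # k8s, viwib2 made, linthal
        vpn_endpoint_pubkey="vnDJHqkAdMs8QkiIQizGGcPlaQfAwVBUvTBrYKfDZmE="
        ;;
      a0) # k8s, viwib2 made, diesbach
        vpn_endpoint_pubkey="Hxb5lV5r90r3hT9/JsMM8zIzrzYfXHCtt1jFtPgDlCQ="
        ;;
      *)
        # Fail closed: previously an unknown id fell through and an empty
        # public_key was pushed to the device.
        printf '%s\n' "no VPN endpoint public key known for server id '${vpnserver_id}', aborting" >&2
        exit 1
        ;;
    esac
    ;;

  *)
    # The original printed $device_type, which is never set anywhere.
    printf '%s\n' "${device_name} currently unsupported" >&2
    exit 1
    ;;
esac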
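printf '%s\n' "Setting up ${device_name} connecting to ${vpn_endpoint_host} for ${prefix_base}"

set -x

hex_id=$device_id
device_hostname=${device_name}

my_prefix=${prefix_base}
my_network=${my_prefix}::/48

my_wireguard_ip=${my_prefix}::42
my_lan_ip=${my_prefix}:cafe::42
my_wifi_ip=${my_prefix}:7ea::42

# wireguard key pair: reuse the key given as third argument, else generate one.
# wg is needed on both paths (pubkey derivation), so its absence is an error
# here rather than an empty key silently reaching the device.
if ! command -v wg >/dev/null 2>&1; then
  printf '%s\n' "wg (wireguard-tools) not found in PATH, aborting" >&2
  exit 1
fi

# Tracing is switched off while the private key is handled so it does not end
# up in the xtrace output (terminal scrollback, session logs); it is turned
# back on right after.
set +x
if [ $# -eq 1 ]; then
  private_key=$1; shift
else
  private_key=$(wg genkey)
fi
public_key=$(printf '%s\n' "$private_key" | wg pubkey)
set -x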
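printf '%s\n' "Trying to reach ${device_ip} ..."
# Reachability check before we start an interactive ssh session.
# NOTE(review): device_ip may be an IPv6 address; on hosts whose ping is
# IPv4-only this needs ping6 / ping -6 -- confirm on the admin machines.
if ! ping -c3 "$device_ip"; then
  printf '%s\n' "Cannot reach ${device_ip}, aborting" >&2
  exit 1
fi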
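# Configure the device over ssh. The heredoc is deliberately unquoted: every
# ${...} below is expanded *locally*, and the resulting text is the script the
# device executes. The single quotes around the expanded values survive into
# the remote script and keep them literal there. The former "cat <<EOF |" was
# an extra process for nothing; the heredoc feeds ssh directly.
ssh -t "root@${device_ip}" <<EOF
set -x

ping -c5 downloads.openwrt.org || exit 1

# update the sources
opkg update

# install wireguard + gui -- without the packages the wg0 config below is
# useless, so a failed install aborts before anything is committed
opkg install luci-app-wireguard luci-proto-wireguard || exit 1

# VPN / Wireguard
uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
# keep the private key out of the remote xtrace output
set +x
uci set network.wg0.private_key='${private_key}'
set -x
uci set network.wg0.listen_port='51820'
uci set network.wg0.addresses='${my_wireguard_ip}/64'

if ! uci get network.@wireguard_wg0[0]; then
  uci add network wireguard_wg0
fi

uci set network.@wireguard_wg0[0]=wireguard_wg0
uci set network.@wireguard_wg0[0].persistent_keepalive='25'
uci set network.@wireguard_wg0[0].public_key='${vpn_endpoint_pubkey}'
uci set network.@wireguard_wg0[0].description='IPv6VPN.ch by ungleich'
uci set network.@wireguard_wg0[0].allowed_ips='::/0'
uci set network.@wireguard_wg0[0].endpoint_host='${vpn_endpoint_host}'
uci set network.@wireguard_wg0[0].endpoint_port='51820'
uci set network.@wireguard_wg0[0].route_allowed_ips='1'

uci set system.@system[0].hostname="${device_hostname}"

# The IPv6 lan configuration
uci set network.lan.ip6addr='${my_lan_ip}/64'

uci commit
EOF
# Previously the exit status of the remote script was ignored and the success
# message was printed regardless; a failed remote run now aborts non-zero.
ssh_status=$?
if [ "$ssh_status" -ne 0 ]; then
  printf '%s\n' "Remote configuration of ${device_ip} failed (exit ${ssh_status})" >&2
  exit 1
fi

printf '%s\n' "Wireguard public key and id: ${device_id} ${public_key}"

# Stop here: everything after this line is an unreachable reference section.
exit 0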
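################################################################################
# UNREACHABLE REFERENCE SECTION
# Everything below follows the unconditional "exit 0" above and never runs. It
# is kept as a reference for the complete device setup (firewall, DHCP/RA, DNS,
# Wi-Fi). Judging by the uci commands and the single-quoted '${my_wifi_ip}' /
# '${device_hostname}' it was written to live inside the ssh heredoc, where
# those would be expanded locally; as plain shell here they would stay literal.
################################################################################

# Firewall configuration
# NOTE(review): these three rules accept SSH, HTTPS and HTTP from the 'wan'
# zone into 'lan'. wg0 is attached to @zone[1] further down; zone indices are
# positional, so confirm @zone[1] is the intended zone on the target firmware
# before re-enabling this section.
if ! uci show firewall | grep -q "name='Allow-SSH'"; then
  uci add firewall rule
  uci set firewall.@rule[-1].name='Allow-SSH'
  uci set firewall.@rule[-1].src='wan'
  uci set firewall.@rule[-1].dest='lan'
  uci set firewall.@rule[-1].proto='tcp'
  uci set firewall.@rule[-1].dest_port='22'
  uci set firewall.@rule[-1].target='ACCEPT'
fi

if ! uci show firewall | grep -q "name='Allow-HTTPS'"; then
  uci add firewall rule
  uci set firewall.@rule[-1].name='Allow-HTTPS'
  uci set firewall.@rule[-1].src='wan'
  uci set firewall.@rule[-1].dest='lan'
  uci set firewall.@rule[-1].proto='tcp'
  uci set firewall.@rule[-1].dest_port='443'
  uci set firewall.@rule[-1].target='ACCEPT'
fi

if ! uci show firewall | grep -q "name='Allow-HTTP'"; then
  uci add firewall rule
  uci set firewall.@rule[-1].name='Allow-HTTP'
  uci set firewall.@rule[-1].src='wan'
  uci set firewall.@rule[-1].dest='lan'
  uci set firewall.@rule[-1].proto='tcp'
  uci set firewall.@rule[-1].dest_port='80'
  uci set firewall.@rule[-1].target='ACCEPT'
fi

# Add interfaces to the right network zone
uci set firewall.@zone[0].network='lan lanv6 wifi'
uci set firewall.@zone[1].network='wg0'


# LAN / Router advertisements / DHCP
# DHCP: we are not authoritative
uci delete dhcp.@dnsmasq[0].authoritative
uci delete dhcp.lan.dhcpv6
uci delete dhcp.lan.start
uci delete dhcp.lan.limit
uci delete dhcp.lan.leasetime

# Do not announce ULA - we have GUA
uci delete network.globals.ula_prefix

# This is configuring the dhcp IPv4 client
uci set dhcp.lan=dhcp

# Setup Router Advertisements
uci set dhcp.lan.interface='lanv6'
uci set dhcp.lan.ra='server'
uci set dhcp.lan.dynamicdhcp='0'

# Fix DNS: make dnsmasq NOT use a resolv.conf
# so that it only reads from our servers with DNS64 enabled
uci set dhcp.@dnsmasq[0].noresolv='1'

# Fix DNS: make the OS use the locally provided DNS servers
# otherwise the VPN tunnel cannot be established
# The original line lacked "uci set" and would have been executed as a command.
# NOTE(review): the comment says the OS should use the local resolver, yet
# localuse is set to '0' -- confirm the intended value.
uci set dhcp.@dnsmasq[0].localuse='0'

# DNS upstream over VPN gives DNS64
uci delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'

# wifi ip address
uci set network.wifi=interface
uci set network.wifi.proto='static'
uci set network.wifi.ip6addr='${my_wifi_ip}/64'

# Wifi configuration
uci set wireless.radio0=wifi-device
uci set wireless.radio0.type='mac80211'
uci set wireless.radio0.hwmode='11g'
uci set wireless.radio0.path='platform/10300000.wmac'
uci set wireless.radio0.htmode='HT40'
uci set wireless.radio0.country='CH'
uci set wireless.radio0.channel='6'

uci set wireless.default_radio0=wifi-iface
uci set wireless.default_radio0.device='radio0'
uci set wireless.default_radio0.mode='ap'
uci set wireless.default_radio0.encryption='psk2'
# NOTE(review): the WPA2 pre-shared key is hard-coded in this script and thus
# identical on every device it provisions; supply it per device (argument or
# environment) before this section is re-enabled.
uci set wireless.default_radio0.key='iloveipv6'
uci set wireless.default_radio0.ssid='IPv6 everywhere ${device_hostname}'
uci set wireless.default_radio0.network='wifi'

# Wifi / Router advertisements
uci set dhcp.wifi=dhcp
uci set dhcp.wifi.interface='wifi'
uci set dhcp.wifi.ra='server'
uci set dhcp.wifi.dynamicdhcp='0'

# Ensure it is not disabled
uci delete wireless.radio0.disabled

# Setup lan to also retrieve an ip address via dhcp

# This stays in the final setup
uci set network.lan.proto='dhcp'
uci delete network.lan.ipaddr
uci delete network.lan.netmask


# Teltonika syntax: network
# The blocks below are UCI *config file* syntax, not shell. They used to stand
# here as bare lines (which the shell would have run as commands named
# "config", "option" and "list"); they are kept as a comment block instead.
# The private keys were already placeholders ('...=') in the original.
#
# config interface 'wg_wg0'
#   option proto 'wireguard'
#   option private_key '...='
#   option public_key 'ZZYoBV8b2LhqCrcQ8wFv6e6mu41w9i1g5kh4LiKefFI='
#   list addresses '185.155.30.3/32'
#   option listen_port '51820'
#   option disabled '0'
#
# config wireguard_wg_wg0
#   option description 'ungleich-ipv4'
#   option public_key '5ach7pUQ57aa402LHz1MYh7lyBZS0GvBEw2PC6dMHW4='
#   list allowed_ips '0.0.0.0/0'
#   option route_allowed_ips '1'
#   option endpoint_host 'vpn-18515530.ungleich.ch'
#   option persistent_keepalive '25'
#
# config interface 'wg_ipv6'
#   option proto 'wireguard'
#   option private_key '...='
#   option public_key 'N2buXMy2IJDH+Au/e0ripdiWYlpTQVdWeCeGHpXyjB0='
#   list addresses '2a0a:e5c1:19e::42/48'
#   option listen_port '51821'
#   option disabled '0'
#
# config wireguard_wg_ipv6
#   option public_key 'hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ='
#   list allowed_ips '::/0'
#   option route_allowed_ips '1'
#   option endpoint_host 'vpn-2a0ae5c1.ungleich.ch'
#   option endpoint_port '51820'
#   option persistent_keepalive '25'
#   option description 'ungleich-ipv6'
#
# Teltonika firewall
#
# config zone
#   option name 'wireguard'
#   option input 'ACCEPT'
#   option output 'ACCEPT'
#   option forward 'REJECT'
#   option masq '1'
#   option device 'wg_+'
#
# config rule
#   option name 'Allow-WireGuard'
#   option src 'wan'
#   option proto 'udp'
#   option target 'ACCEPT'
#   option enabled '1'
#   option dest_port '51820 51821'
#
# config rule
#   option dest_port '51820'
#   option src 'wan'
#   option name 'Allow-wireguard_wg_wg0-traffic'
#   option target 'ACCEPT'
#   option vpn_type 'wireguard'
#   option proto 'udp'
#   option family 'ipv4'
#
# config rule
#   option dest_port '51821'
#   option src 'wan'
#   option name 'Allow-wireguard_wg_ipv6-traffic'
#   option target 'ACCEPT'
#   option vpn_type 'wireguard'
#   option proto 'udp'
#   option family 'ipv4'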