180 lines
4.8 KiB
Bash
Executable file
180 lines
4.8 KiB
Bash
Executable file
#!/bin/sh
|
|
|
|
# Assumptions:
|
|
# - pib (APU) is factory reset OpenWRT
|
|
# - WAN port is connected with an active upstream (pib has internet connectivity via WAN port)
|
|
# - You are connected via LAN and you can ssh into it
|
|
|
|
# How it works
|
|
#
|
|
|
|
if [ $# -lt 2 ]; then
|
|
echo "$0 ip-address vpn-network [wireguard-private-key]"
|
|
echo " ip-address: where to find the PIB"
|
|
echo " network: 2a0a:e5c0:123::/48"
|
|
echo " private-key: specify if you already have a private key"
|
|
exit 1
|
|
fi
|
|
|
|
my_ip=$1; shift
|
|
my_network=$1; shift
|
|
|
|
if [ $# -eq 1 ]; then
|
|
private_key=$1; shift
|
|
else
|
|
private_key=$(wg genkey)
|
|
fi
|
|
|
|
my_prefix=$(echo $my_network | sed 's,::/.*,,')
|
|
my_hostname=pib-$(echo ${my_prefix} | sed 's/:/-/g')
|
|
|
|
my_wireguard_ip=${my_prefix}::42
|
|
my_lan_ip=${my_prefix}:cafe::42
|
|
|
|
public_key=$(echo $private_key | wg pubkey)
|
|
|
|
vpn_endpoint_host=vpn-2a0ae5c1.ungleich.ch
|
|
vpn_endpoint_pubkey=hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=
|
|
|
|
cat <<EOF | ssh -t "root@${my_ip}" || exit 1
|
|
set -x
|
|
|
|
# Check if we can reach upstream - otherwise abort
|
|
ping6 -c5 ungleich.ch || ping -c5 ungleich.ch || exit 1
|
|
|
|
# update the sources & allow https handling
|
|
opkg update
|
|
opkg install libustream-openssl ca-bundle ca-certificates
|
|
|
|
# install wireguard + gui
|
|
opkg install wireguard luci-app-wireguard
|
|
|
|
# We are never authoritative for IPv4
|
|
uci delete dhcp.@dnsmasq[0].authoritative
|
|
|
|
# Do not announce ULA - we have GUA
|
|
uci delete network.globals.ula_prefix
|
|
|
|
# Setup hostname
|
|
uci set system.@system[0].hostname="${my_hostname}"
|
|
|
|
# Do not set/get? Was necessary, don't recall why
|
|
uci set dhcp.@dnsmasq[0].noresolv='1'
|
|
|
|
# Fix DNS: make the OS use the locally provided DNS servers
|
|
# otherwise the VPN tunnel cannot be established
|
|
uci set dhcp.@dnsmasq[0].localuse='0'
|
|
|
|
# Remove static IPv4 on LAN
|
|
uci delete network.lan.ipaddr
|
|
uci delete network.lan.netmask
|
|
|
|
# Setup IPv6 on LAN
|
|
uci add_list network.lan.ip6addr='${my_lan_ip}/64'
|
|
|
|
# IPv6 announcements
|
|
uci set dhcp.lan.ra='server'
|
|
uci set dhcp.lan.ra_management='1'
|
|
|
|
# No DHCP server on the LAN
|
|
uci set dhcp.lan.ignore='1'
|
|
|
|
# Cleanup dhcp options
|
|
|
|
# Disable any dynamic leases
|
|
uci set dhcp.lan.dynamicdhcp='0'
|
|
|
|
# Remove dhcpv6 server
|
|
uci delete dhcp.lan.dhcpv6
|
|
|
|
# Remove leftover from the dhcpv4 server items
|
|
uci delete dhcp.lan.start
|
|
uci delete dhcp.lan.limit
|
|
uci delete dhcp.lan.leasetime
|
|
|
|
# VPN / Wireguard
|
|
uci set network.wg0=interface
|
|
uci set network.wg0.proto='wireguard'
|
|
uci set network.wg0.private_key='${private_key}'
|
|
uci set network.wg0.listen_port='51820'
|
|
uci set network.wg0.addresses='${my_wireguard_ip}/64'
|
|
|
|
if ! uci get network.@wireguard_wg0[0]; then
|
|
uci add network wireguard_wg0
|
|
fi
|
|
|
|
uci set network.@wireguard_wg0[0]=wireguard_wg0
|
|
uci set network.@wireguard_wg0[0].persistent_keepalive='25'
|
|
uci set network.@wireguard_wg0[0].public_key='${vpn_endpoint_pubkey}'
|
|
uci set network.@wireguard_wg0[0].description='IPv6VPN.ch by ungleich'
|
|
uci set network.@wireguard_wg0[0].allowed_ips='::/0'
|
|
uci set network.@wireguard_wg0[0].endpoint_host='${vpn_endpoint_host}'
|
|
uci set network.@wireguard_wg0[0].endpoint_port='51820'
|
|
uci set network.@wireguard_wg0[0].route_allowed_ips='1'
|
|
|
|
# Firewall configuration
|
|
if ! uci show firewall | grep "name='Allow-SSH'"; then
|
|
uci add firewall rule
|
|
uci set firewall.@rule[-1].name='Allow-SSH'
|
|
uci set firewall.@rule[-1].src='wan'
|
|
uci set firewall.@rule[-1].dest='lan'
|
|
uci set firewall.@rule[-1].proto='tcp'
|
|
uci set firewall.@rule[-1].dest_port='22'
|
|
uci set firewall.@rule[-1].target='ACCEPT'
|
|
fi
|
|
|
|
if ! uci show firewall | grep "name='Allow-HTTPS'"; then
|
|
uci add firewall rule
|
|
uci set firewall.@rule[-1].name='Allow-HTTPS'
|
|
uci set firewall.@rule[-1].src='wan'
|
|
uci set firewall.@rule[-1].dest='lan'
|
|
uci set firewall.@rule[-1].proto='tcp'
|
|
uci set firewall.@rule[-1].dest_port='443'
|
|
uci set firewall.@rule[-1].target='ACCEPT'
|
|
fi
|
|
|
|
if ! uci show firewall | grep "name='Allow-HTTP'"; then
|
|
uci add firewall rule
|
|
uci set firewall.@rule[-1].name='Allow-HTTP'
|
|
uci set firewall.@rule[-1].src='wan'
|
|
uci set firewall.@rule[-1].dest='lan'
|
|
uci set firewall.@rule[-1].proto='tcp'
|
|
uci set firewall.@rule[-1].dest_port='80'
|
|
uci set firewall.@rule[-1].target='ACCEPT'
|
|
fi
|
|
|
|
# Add interfaces to the right network zone
|
|
uci set firewall.@zone[0].network='lan lanv6'
|
|
uci set firewall.@zone[1].network='wan wg0'
|
|
|
|
# DNS upstream over VPN gives DNS64
|
|
uci delete dhcp.@dnsmasq[0].server
|
|
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
|
|
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'
|
|
|
|
# This is the save & apply button in LUCI (or just save button)
|
|
uci commit
|
|
|
|
reboot
|
|
|
|
EOF
|
|
|
|
my_ip=$my_lan_ip
|
|
|
|
echo "Waiting for it to come back..."
|
|
while ! ping -c1 ${my_ip}; do
|
|
echo "Cannot ping $my_ip yet - waiting"
|
|
sleep 2
|
|
done
|
|
|
|
echo "Wireguard public key and id: ${id} ${public_key}"
|
|
echo ${public_key} > ${my_hostname}.public_key
|
|
|
|
cat <<EOF
|
|
Open steps:
|
|
|
|
- Remove your ssh key(s) from the device (if any are present)
|
|
- Setup a secure root password and forward it to the customer
|
|
- Ensure that the VPN works
|
|
|
|
EOF
|