}
-
-
-
secrets=false
if [[ -e /root/router-secrets ]]; then
secrets=true
: ${hostname:=wrt}
+zblock=false
+if [[ -e /root/zblock ]]; then
+ zblock=true
+fi
+
dnsmasq_restart=false
+unbound_restart=false
firewall_restart=false
dev2=false
test=false
client=false
libremanage_host=wrt2
lanip=1
-while getopts hm:t: opt; do
+while getopts hm:t:yz opt; do
case $opt in
h) usage ;;
t)
*) echo "$0: unexpected arg to -t: $*" >&2; usage 1 ;;
esac
;;
+ y)
+ zblock=false
+ rm -f /root/zblock
+ ;;
+ z)
+ zblock=true
+ touch /root/zblock
+ ;;
m) mac=$OPTARG ;;
*) echo "$0: Internal error! unexpected args: $*" >&2 ; usage 1 ;;
esac
eval $restart_var=true
fi
}
-
+cedit() {
+ v command cedit -v "$@"
+}
### network config
# /root/relay_1.0-1_mips_24kc.ipk
v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \
tcpdump openvpn-openssl adblock libusb-compat \
- screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync
+ screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync\
+ unbound-daemon-heavy unbound-checkconf
cat >/etc/libremanage.conf <<EOF
${libremanage_host}_type=switch
## ian: usb broke on old router. if that happens, can just comment this to disable problems
# echo | cedit /etc/config/fstab ||:
-v cedit /etc/config/fstab <<EOF || { v block umount; v block mount; }
+cedit /etc/config/fstab <<EOF || { v block umount; v block mount; }
config global automount
option from_fstab 1
option anon_mount 1
# # I did, and I had to restart the vpn afterwards.
# # This maps a uci interface to a real interface which is
# # managed outside of uci.
-# v cedit /etc/config/network <<'EOF' ||:
+# cedit /etc/config/network <<'EOF' ||:
# config interface 'tun0'
# option ifname 'tun0'
# option proto 'none'
# EOF
-# v cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
+# cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
# config openvpn my_client_config
# option enabled 1
# option config /etc/openvpn/client.conf
network_restart=false
if $client; then
- v cedit wific /etc/config/network <<EOF || network_restart=true
+ cedit wific /etc/config/network <<EOF || network_restart=true
# https://openwrt.org/docs/guide-user/network/wifi/connect_client_wifi
config interface 'wwan'
option proto 'dhcp'
EOF
fi
-v cedit /etc/config/network <<EOF || network_restart=true
+cedit /etc/config/network <<EOF || network_restart=true
config 'route' 'transmission'
option 'interface' 'lan'
option 'target' '10.173.0.0'
firewall-cedit() {
if $client; then
- v cedit wific /etc/config/firewall <<EOF
+ cedit wific /etc/config/firewall <<EOF
config zone
option name wwan
option input REJECT
case $hostname in
wrt)
- v cedit host /etc/config/firewall <<EOF
+ cedit host /etc/config/firewall <<EOF
config redirect
option name ssh
option src wan
EOF
;;
cmc)
- v cedit host /etc/config/firewall <<EOF
+ cedit host /etc/config/firewall <<EOF
config redirect
option name ssh
option src wan
;;
esac
- v cedit /etc/config/firewall <<EOF
+ cedit /etc/config/firewall <<EOF
+## begin no external dns for ziva
+config rule
+ option src lan
+ option src_ip 10.2.0.23
+ option dest_port 53
+ option dest wan
+ option target REJECT
+
+
+config rule
+ option src wan
+ option dest_ip 10.2.0.23
+ option src_port 53
+ option dest lan
+ option target REJECT
+
+
+config rule
+ option src lan
+ option src_ip 10.2.0.31
+ option dest_port 53
+ option dest wan
+ option target REJECT
+
+
+config rule
+ option src wan
+ option dest_ip 10.2.0.31
+ option src_port 53
+ option dest lan
+ option target REJECT
+
+
+config rule
+ option src lan
+ option src_ip 10.2.0.32
+ option dest_port 53
+ option dest wan
+ option target REJECT
+
+
+config rule
+ option src wan
+ option dest_ip 10.2.0.32
+ option src_port 53
+ option dest lan
+ option target REJECT
+## end no external dns for ziva
+
+
config rule
option src wan
option target ACCEPT
option dest_port 22
config redirect
- option name sshtp
+ option name sshkd
option src wan
option src_dport 2202
option dest_port 22
option target ACCEPT
option dest_port 2202
+
+config redirect
+ option name sshkdalt
+ option src wan
+ option src_dport 8989
+ option dest_port 8989
+ option dest_ip $l.2
+ option dest lan
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 8989
+
+
config redirect
option name sshx2
option src wan
option dest_port 443
option proto tcp
+config redirect
+option name httpskd8448
+ option src wan
+ option src_dport 8448
+ option dest lan
+ option dest_ip $l.2
+ option proto tcp
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 8448
+ option proto tcp
+
+
config redirect
option name syncthing
option src wan
option target ACCEPT
option family ipv6
+# include a file with users custom iptables rules
+config include
+ option path /etc/firewall.user
+ option type 'restore'
+ option family 'ipv4'
+
+
EOF
}
firewall-cedit || firewall_restart=true
-v cedit /etc/hosts <<EOF || dnsmasq_restart=true
+cedit /etc/hosts <<EOF
127.0.1.1 $hostname
EOF
# not sure this case statement is needed
case $hostname in
cmc)
- v cedit host /etc/hosts <<EOF || dnsmasq_restart=true
+ cedit host /etc/hosts <<EOF
$l.1 $hostname
# 127.0.0.1 www.youtube.com
# 127.0.0.1 googlevideo.com
# todo: setup /etc/resolv.conf to point to 127.0.0.1
uset dhcp.@dnsmasq[0].resolvfile /dev/null
-# by default it will send out ipv6 dns, like this
+# if dnsmasq happens to not send out a dns server,
+# odhcpd will send one out like this:
# NetworkManager[953]: <info> [1614982580.5192] dhcp6 (wlan0): option dhcp6_name_servers => 'fd58:5801:8e02::1'
# but i dont want ipv6 dns, just keep it simple to ipv4.
-uset dhcp.@odhcpd[0].dns 10.2.0.1
+# I know my isp doesnt have ipv6 right now,
+# so just stop this thing.
+# note: tried this, it didn't do anything:
+# uset dhcp.@odhcpd[0].dns 10.2.0.1
+/etc/init.d/odhcpd stop
+/etc/init.d/odhcpd disable
+# todo: make the above conditional on which server this is.
+
+# avoid errors in log. current isp doesnt have ipv6
+uset unbound.@unbound[0].protocol ip4_only
+
+# todo: im not sure all these are needed, but they all look
+# like good options.
+# https://blog.cloudflare.com/dns-over-tls-for-openwrt/
+# https://gist.github.com/vqiu/7b32d3a19a7a09d32e108d998de166c2
+#https://blog.thestateofme.com/2018/04/04/howto-secure-your-dns-with-a-raspberry-pi-unbound-and-cloudflare-1-1-1-1/
+#
+# # i found that the zone example was having no effect on the config
+# # here:
+# https://github.com/openwrt/packages/blob/openwrt-19.07/net/unbound/files/README.md
+#
+# # todo: unbound-control, i'm not sure what the purpose of that thing is, some
+# # kind of coordination with dhcp of dnsmasq, but what?
+#
+# note: for debugging, edit /etc/init.d/unbound, change
+# procd_set_param command $PROG -d -c $UB_TOTAL_CONF
+# to:
+# procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF
+
+{
+ cat <<'EOF'
+do-tcp: yes
+prefetch: yes
+qname-minimisation: yes
+rrset-roundrobin: yes
+use-caps-for-id: yes
+do-ip6: no
+private-domain: b8.nz
+local-zone: "10.in-addr.arpa." transparent
+access-control-view: 10.2.0.31/32 "youtube"
+EOF
+
+ if $zblock; then
+ cat <<'EOF'
+# amy, amyw, samsungtab
+access-control-view: 10.2.0.8/32 "youtube"
+access-control-view: 10.2.0.23/32 "youtube"
+access-control-view: 10.2.0.32/32 "youtube"
+EOF
+ fi
+} | cedit /etc/unbound/unbound_srv.conf || restart_unbound=true
+
+
+# dns based blocking vs ip based. with ip, same
+# server can have multiple domains. in dns,
+# you have to make sure clients to use the local dns.
+# https dns will need to be blocked by ip in
+# order to be comprehensive
+
+cedit /etc/unbound/unbound_ext.conf <<'EOF' || restart_unbound=true
+local-data-ptr: "10.2.0.1 cmc.b8.nz"
+local-data-ptr: "10.2.0.2 kd.b8.nz"
+local-data-ptr: "10.2.0.3 sy.b8.nz"
+local-data-ptr: "10.2.0.4 wrt2.b8.nz"
+local-data-ptr: "10.2.0.5 x2.b8.nz"
+local-data-ptr: "10.2.0.6 x2w.b8.nz"
+local-data-ptr: "10.2.0.7 syw.b8.nz"
+local-data-ptr: "10.2.0.8 amy.b8.nz"
+local-data-ptr: "10.2.0.9 bb8.b8.nz"
+local-data-ptr: "10.2.0.12 demohost.b8.nz"
+local-data-ptr: "10.2.0.14 wrt3.b8.nz"
+local-data-ptr: "10.2.0.19 brother.b8.nz"
+local-data-ptr: "10.2.0.23 amyw.b8.nz"
+local-data-ptr: "10.2.0.25 hp.b8.nz"
+local-data-ptr: "10.2.0.31 amazontab.b8.nz"
+local-data-ptr: "10.2.0.32 samsungtab.b8.nz"
+local-data-ptr: "10.173.0.2 transmission.b8.nz"
+local-data-ptr: "10.173.8.1 defaultnn.b8.nz"
+local-data-ptr: "10.173.8.2 nn.b8.nz"
+
+forward-zone:
+ name: "."
+# https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https
+ forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
+ forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
+ forward-ssl-upstream: yes
+ forward-first: no
+
+view:
+ name: "youtube"
+ local-zone: "googlevideo.com." refuse
+ local-zone: "video.google.com." refuse
+ local-zone: "youtu.be." refuse
+ local-zone: "youtube-nocookie.com." refuse
+ local-zone: "youtube-ui.l.google.com." refuse
+ local-zone: "youtube.com." refuse
+ local-zone: "youtube.googleapis.com." refuse
+ local-zone: "youtubeeducation.com." refuse
+ local-zone: "youtubei.googleapis.com." refuse
+ local-zone: "yt3.ggpht.com." refuse
+ local-zone: "youtubekids.com." refuse
+ # try global if no match in view
+ view-first: yes
+EOF
+
+
+if $restart_unbound; then
+ /etc/init.d/unbound restart
+ if ! unbound-checkconf; then
+ echo $0: error: unbound-checkconf failed >&2
+ exit 1
+ fi
+fi
# disabled for now. i want to selectively enable it
# so make sure we have this dir or else dnsmasq will fail
# to start.
mkdir -p /mnt/usb/tftpboot
-v cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
+cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
# no dns
port=0
server=/b8.nz/#
stop-dns-rebind
rebind-domain-ok=b8.nz
-# this says the ip of default gateway and dns server,
-# but I think they are unneded and default
-#dhcp-option=3,$l.1
-#dhcp-option=6,$l.1
+# This says the ip of dns server.
+# It is default if dnsmasq is doing dns, otherwise, we have to specify it.
+# To see it in action, I ran this from a client machine:
+# sudo dhcpcd -o domain_name_servers -T
+dhcp-option=6,$l.1
server=2606:4700:4700::1113
server=2606:4700:4700::1003
+server=10.2.0.1
# server=8.8.4.4
# server=8.8.8.8
# server=2001:4860:4860::8888
# to fixup existin ips, on the client you can do
# sudo dhclient -r; sudo dhclient <interface-name>
+# or on cmc,
+# /etc/init.d/dnsmasq stop
+# vi /tmp/dhcp.leases
+# /etc/init.d/dnsmasq start
+
# default dhcp range is 100-150
# bottom port, iPXE (PCI 03:00.0) in seabios boot menu
# and copying the generated mac, so it should be randomish.
dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.12,demohost
dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp
+# 14 = wrt3
dhcp-host=00:1f:16:14:01:d8,set:x3,$l.18,x3
# BRN001BA98CA823 in dhcp logs
dhcp-host=00:1b:a9:8c:a8:23,set:brother,$l.19,brother
dhcp-host=00:26:b6:f7:d4:d8,set:amyw,$l.23,amyw
+dhcp-host=9a:c6:52:6f:ce:7c,set:onep9,$l.24,onep9
dhcp-host=38:63:bb:07:5a:f9,set:hp,$l.25,hp
dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow
+dhcp-host=6c:56:97:88:7b:74,set:amazontab,$l.31,amazontab
+dhcp-host=0a:8a:9b:cf:b5:ec,set:samsungtab,$l.32,samsungtab
+
# faiserver vm
# due to the other settings, but will be used for ptr? then maybe
# we dont have to restart dnsmasq for a dns update?
#
- # todo: according to this
+ # interesing link:
# https://www.redpill-linpro.com/techblog/2019/08/27/evaluating-local-dnssec-validators.html#toggling-dnssec-validation-1
- # we should turn on dnssec validation when wrt gets version > 2.80. currently at 2.80.
- # todo: download https://downloads.openwrt.org/snapshots/packages/mipsel_24kc/base/dnsmasq-full_2.84-1_mipsel_24kc.ipk
- # and install it. then we can turn off dnssec in systemd-resolved
+ # we could turn on dnssec validation when wrt gets dnsmasq > 2.80. currently at 2.80.
+ # also we can turn off dnssec in systemd-resolved if we know the router is doing it.
#
# Also, reload of dnsmasq seems to break things, wifi
# clients were not getting internet connectivity.
+
v /etc/init.d/dnsmasq restart
fi