X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=wrt-setup-local;h=1f0a2d547cf90223d71b5646a688ed6e329809e3;hb=2fad38490e36bd2f0328b82c38448d9675e662e8;hp=642c1935150c17dd756a08740f8ed4d94a5c1f04;hpb=3f20eea52b8d7f665b2c3b483921f15a0e48d7ee;p=automated-distro-installer

diff --git a/wrt-setup-local b/wrt-setup-local
index 642c193..1f0a2d5 100755
--- a/wrt-setup-local
+++ b/wrt-setup-local
@@ -15,21 +15,22 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
+
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 
 usage() {
   cat <<EOF
-usage: ${0##*/} [-h] [-t 2|3|test] [-m WIRELESS_MAC]
+usage: ${0##*/} [-h] [-t 2|3|test|client] [-m WIRELESS_MAC]
 setup my router in general: dhcp, dns, etc.
 
 Type 2 or 3 is for setting up a backup device, there are two kinds so
 that you can switch the main device to a backup, then a backup to the
 main. Type test is for setting up a testing device.
 
-Passing an empty string for WIRELESS_MAC will cause the device's native
-mac to be used.
+Passing an empty string for WIRELESS_MAC, or if none is defined in the
+secrets file, will cause the device's native mac to be used.
 
 EOF
 
@@ -39,20 +40,25 @@ EOF
 
 
 
-dev2=false
-test=false
-libremanage_host=wrt2
 
-if [[ -e /p/router-secrets ]]; then
-  source /p/router-secrets
+secrets=false
+if [[ -e /root/router-secrets ]]; then
+  secrets=true
+  source /root/router-secrets
 fi
 rmac=$(cat /sys/class/net/eth0/address)
-if [[ $rhost ]]; then
+if $secrets; then
   hostname=${rhost[$rmac]}
 fi
 : ${hostname:=wrt}
 
 
+dnsmasq_restart=false
+firewall_restart=false
+dev2=false
+test=false
+client=false
+libremanage_host=wrt2
 lanip=1
 while getopts hm:t: opt; do
   case $opt in
@@ -74,6 +80,9 @@ while getopts hm:t: opt; do
         test)
           test=true
           ;;
+        client)
+          client=true
+          ;;
         *) echo "$0: unexpected arg to -t: $*" >&2; usage 1 ;;
       esac
       ;;
@@ -83,10 +92,10 @@ while getopts hm:t: opt; do
 done
 shift "$((OPTIND-1))"   # Discard the options and sentinel --
 
-if [[ ! $mac ]] && ! $test; then
+if [[ ! $mac ]] && ! $test && $secrets; then
   # if we wanted to increment it
-  #WIRELESSMAC=${WIRELESSMAC:0: -1}$((${WIRELESSMAC: -1} + 2))
-  mac=$WIRELESSMAC
+  #mac=${mac:0: -1}$((${mac: -1} + 2))
+  mac=${rwmac[$rmac]}
 fi
 
 if (( $# != 0 )); then
@@ -183,17 +192,25 @@ udel() {
 
 ### network config
 ###
-ssid="check out gnu.org"
 lan=10.0.0.0
 if $test; then
-  ssid="gnuv3"
   lan=10.1.0.0
 elif [[ $hostname == cmc ]]; then
-  ssid=Svenska
   lan=10.2.0.0
+elif $client; then
+  lan=10.3.0.0
+fi
+
+if $test; then
+  ssid="gnuv3"
+elif $secrets; then
+  ssid=${rssid[$rmac]}
 fi
 
-if [[ $rkey ]]; then
+: ${ssid:=librecmc}
+
+
+if $secrets; then
   key=${rkey[$rmac]}
 fi
 : ${key:=pictionary49}
@@ -212,6 +229,7 @@ cat /root/router >>/etc/shadow
 uset system.@system[0].ttylogin 1
 
 
+
 cat >/usr/bin/archlike-pxe-mount <<'EOFOUTER'
 #!/bin/bash
 # symlinks are collapsed for nfs mount points, so use a bind mount.
@@ -248,10 +266,12 @@ fi
 
 uset network.lan.ipaddr $l.$lanip
 uset network.lan.netmask $mask
-if $dev2; then
-  uset network.lan.gateway $l.1
-  uset network.wan.proto none
-  uset network.wan6.proto none
+if $dev2  || $client; then
+  if $dev2; then
+    uset network.lan.gateway $l.1
+    uset network.wan.proto none
+    uset network.wan6.proto none
+  fi
   /etc/init.d/dnsmasq stop
   /etc/init.d/dnsmasq disable
   /etc/init.d/odhcpd stop
@@ -285,27 +305,45 @@ else
 fi
 
 wireless_restart=false
-for x in 0 1; do
-  uset wireless.default_radio$x.ssid "$ssid"
-  uset wireless.default_radio$x.key $key
-  uset wireless.default_radio$x.encryption psk2
-  if [[ $mac ]]; then
-    uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x))
-  fi
-  # secondary device has wireless disabled
-  uset wireless.radio$x.disabled $dev2
-done
 
-if $wireless_restart; then
-  v wifi
+if $client; then
+  uset wireless.default_radio0.network 'wwan'
+  uset wireless.default_radio0.ssid ${rclientssid[$rmac]}
+  uset wireless.default_radio0.encryption 'psk2'
+  uset wireless.default_radio0.device 'radio0'
+  uset wireless.default_radio0.mode 'sta'
+  uset wireless.default_radio0.bssid ${rclientbssid[$rmac]}
+  # todo: look into whether 5g network is available.
+  uset wireless.default_radio0.key ${rclientkey[$rmac]}
+  uset wireless.radio0.disabled false
+  uset wireless.radio1.disabled true
+else
+  # defaults, just reseting in case client config ran
+  uset wireless.default_radio0.network lan
+  uset wireless.default_radio0.mode ap
+  for x in 0 1; do
+    uset wireless.default_radio$x.ssid "$ssid"
+    uset wireless.default_radio$x.key $key
+    uset wireless.default_radio$x.encryption psk2
+    if [[ $mac ]]; then
+      uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x))
+    fi
+    # secondary device has wireless disabled
+    uset wireless.radio$x.disabled $dev2
+  done
 fi
 
 
 
+
+
 # usb, screen, relay are for libremanage
 # rsync is for brc
+#
+# relay package temporarily disabled
+# /root/relay_1.0-1_mips_24kc.ipk
 v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \
-  tcpdump openvpn-openssl adblock libusb-compat /root/relay_1.0-1_mips_24kc.ipk \
+  tcpdump openvpn-openssl adblock libusb-compat \
   screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync
 
 cat >/etc/libremanage.conf <<EOF
@@ -408,25 +446,84 @@ EOF
 #         option config /etc/openvpn/client.conf
 # EOF
 
+wgip4=10.3.0.1/24
+wgip6=fdfd::1/64
+wgport=26000
 
+network_restart=false
+if $client; then
+  v cedit wific /etc/config/network <<EOF || network_restart=true
+# https://openwrt.org/docs/guide-user/network/wifi/connect_client_wifi
+config interface 'wwan'
+ option proto 'dhcp'
+EOF
+fi
 
-v cedit /etc/config/network <<EOF || v /etc/init.d/network reload
+v cedit /etc/config/network <<EOF || network_restart=true
 config 'route' 'transmission'
-        option 'interface' 'lan'
-        option 'target' '10.173.0.0'
-        option 'netmask' '255.255.0.0'
-        option 'gateway' '$l.3'
+ option 'interface' 'lan'
+ option 'target' '10.173.0.0'
+ option 'netmask' '255.255.0.0'
+ option 'gateway' '$l.3'
+
+option interface 'wg0'
+ option proto 'wireguard'
+ option private_key '$(cat /root/wg.key)'
+ option listen_port $wgport
+ list addresses '10.3.0.1/24'
+ list addresses 'fdfd::1/64'
+
+# tp
+config wireguard_wg0 'wgclient'
+ option public_key '3q+WJGrm85r59NgeXOIvppxoW4ux/+koSw6Fee1c1TI='
+ option preshared_key '$(cat /root/wg.psk)'
+ list allowed_ips '10.3.0.2/24'
+ list allowed_ips 'fdfd::2/64'
 EOF
 
-firewall_restart=false
-v cedit /etc/config/firewall <<EOF || firewall_restart=true
+if $network_restart; then
+  v /etc/init.d/network reload
+fi
 
+firewall-cedit() {
+
+  if $client; then
+    v cedit wific /etc/config/firewall <<EOF
+config zone
+ option name    wwan
+ option input    REJECT
+ option output   ACCEPT
+ option forward  REJECT
+ option masq     1
+ option mtu_fix  1
+ option network  wwan
+EOF
+  fi
+
+  case $hostname in
+    wrt)
+      v cedit host /etc/config/firewall <<EOF
+config redirect
+ option name ssh
+ option src              wan
+ option src_dport        22
+ option dest_ip          $l.3
+ option dest             lan
+EOF
+      ;;
+    cmc)
+      v cedit host /etc/config/firewall <<EOF
 config redirect
  option name ssh
  option src              wan
  option src_dport        22
  option dest_ip          $l.2
  option dest             lan
+EOF
+      ;;
+  esac
+
+  v cedit /etc/config/firewall <<EOF
 config rule
  option src              wan
  option target           ACCEPT
@@ -437,25 +534,13 @@ config redirect
  option src              wan
  option src_dport        2202
  option dest_port        22
- option dest_ip          $l.8
+ option dest_ip          $l.2
  option dest             lan
 config rule
  option src              wan
  option target           ACCEPT
  option dest_port        2202
 
-config redirect
- option name sshfrodo
- option src              wan
- option src_dport        2203
- option dest_port        22
- option dest_ip          $l.3
- option dest             lan
-config rule
- option src              wan
- option target           ACCEPT
- option dest_port        2203
-
 config redirect
  option name sshx2
  option src              wan
@@ -492,34 +577,50 @@ config rule
  option target           ACCEPT
  option dest_port        2208
 
-
+config redirect
+ option name sshbb8
+ option src              wan
+ option src_dport        2209
+ option dest_port        22
+ option dest_ip          $l.9
+ option dest             lan
 config rule
- option name sshwrt
  option src              wan
  option target           ACCEPT
- option dest_port        2220
-
+ option dest_port        2209
 
 config redirect
- option name vpntp
+ option name icecast
  option src              wan
- option src_dport        1196
+ option src_dport        8000
+ option dest_port        8000
+ option dest_ip          $l.2
  option dest             lan
- option dest_ip          $l.8
- option proto            udp
 config rule
  option src              wan
  option target           ACCEPT
- option dest_port        1196
+ option dest_port        8000
+
+config rule
+ option name sshwrt
+ option src              wan
+ option target           ACCEPT
+ option dest_port        2220
+
+config rule
+ option name wg
+ option src              wan
+ option target           ACCEPT
+ option dest_port        $wgport
  option proto            udp
 
 
 config redirect
- option name httptp
+ option name httpkd
  option src              wan
  option src_dport        80
  option dest             lan
- option dest_ip          $l.8
+ option dest_ip          $l.2
  option proto            tcp
 config rule
  option src              wan
@@ -528,11 +629,11 @@ config rule
  option proto            tcp
 
 config redirect
- option name httpstp
+ option name httpskd
  option src              wan
  option src_dport        443
  option dest             lan
- option dest_ip          $l.8
+ option dest_ip          $l.2
  option proto            tcp
 config rule
  option src              wan
@@ -595,34 +696,43 @@ config rule
  option target ACCEPT
  option family ipv6
 
-
 EOF
+}
+firewall-cedit || firewall_restart=true
+
+# not using wireguard for now
+# if ! uci get firewall.@zone[1].network | grep wg0 &>/dev/null; then
+#   # cant mix cedit plus uci
+#   echo | cedit /etc/config/firewall ||:
+#   uci add_list firewall.@zone[1].network=wg0
+#   uci commit firewall
+#   firewall-cedit ||:
+#   firewall_restart=true
+# fi
 
 
 
-
-dnsmasq_restart=false
 v cedit /etc/hosts <<EOF || dnsmasq_restart=true
 127.0.1.1 $hostname
+EOF
+# not sure this case statement is needed
+case $hostname in
+  cmc)
+    v cedit host /etc/hosts <<EOF || dnsmasq_restart=true
 $l.1 $hostname
-$l.2 kd faiserver
-$l.3 frodo
-$l.4 wrt2
-$l.5 x2
-$l.6 demohost
-#$l.7 x3
-$l.8 tp b8.nz
-$l.9 bb8
-$l.14 wrt3
-2600:3c00::f03c:91ff:fe6d:baf8 li
-72.14.176.105 li
-2a01:7e01::f03c:91ff:feb5:baec l2
-172.105.84.95 l2
-
-# netns creation looks for next free subnet starting at 10.173, but I only
-# use one, and I would keep this one as the first created.
-10.173.0.2 transmission
+# 127.0.0.1 www.youtube.com
+# 127.0.0.1 googlevideo.com
+# 127.0.0.1 youtu.be
+# 127.0.0.1 youtube-nocookie.com
+# 127.0.0.1 youtube.com
+# 127.0.0.1 youtube.googleapis.com
+# 127.0.0.1 youtubei.googleapis.com
+# 127.0.0.1 ytimg.com
+# 127.0.0.1 ytimg.l.google.com
 EOF
+    ;;
+esac
+
 
 #mail_host=$(grep -F mail.iankelling.org /etc/hosts | awk '{print $1}')
 # if [[ $mail_host ]]; then
@@ -631,11 +741,25 @@ EOF
 
 
 uset dhcp.@dnsmasq[0].domain b8.nz
-uset dhcp.@dnsmasq[0].local /b8.nz/
 uset system.@system[0].hostname $hostname
+uset dhcp.@dnsmasq[0].local
 
-if [[ $(uci get adblock.global.adb_enabled) != 1 ]]; then
-  v uci set adblock.global.adb_enabled=1
+# uci doesnt seem to have a way to set an empty value,
+# if you delete it, it goes back to the default. this seems
+# to be a decent workaround.
+# todo: setup /etc/resolv.conf to point to 127.0.0.1
+uset dhcp.@dnsmasq[0].resolvfile /dev/null
+
+# by default it will send out ipv6 dns, like this
+# NetworkManager[953]: <info>  [1614982580.5192] dhcp6 (wlan0): option dhcp6_name_servers   => 'fd58:5801:8e02::1'
+# but i dont want ipv6 dns, just keep it simple to ipv4.
+uset dhcp.@odhcpd[0].dns 10.2.0.1
+
+
+# disabled for now. i want to selectively enable it
+# for specific hosts.
+if [[ $(uci get adblock.global.adb_enabled) != 0 ]]; then
+  v uci set adblock.global.adb_enabled=0
   uci commit adblock
   /etc/init.d/adblock restart
 fi
@@ -652,17 +776,14 @@ EOF
 # to start.
 mkdir -p /mnt/usb/tftpboot
 v cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
-server=/dmarctest.b8.nz/#
-server=/_domainkey.b8.nz/#
-server=/_dmarc.b8.nz/#
-server=/ns1.b8.nz/#
-server=/ns2.b8.nz/#
-mx-host=b8.nz,mail.iankelling.org,10
-txt-record=b8.nz,"v=spf1 a ?all"
-
+# no dns
+port=0
+server=/b8.nz/#
+ptr-record=1.0.2.10.in-addr.arpa.,cmc.b8.nz
 
 # https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
 stop-dns-rebind
+rebind-domain-ok=b8.nz
 
 # this says the ip of default gateway and dns server,
 # but I think they are unneded and default
@@ -688,10 +809,15 @@ all-servers
 # download namebench and run it like this:
 # for x in all regional isp global preferred nearby; do ./namebench.py -s \$x -c US -i firefox -m weighted -J 10 -w; echo \$x; hr;  done
 # google
-server=8.8.4.4
-server=8.8.8.8
-server=2001:4860:4860::8888
-server=2001:4860:4860::8844
+server=1.1.1.3
+server=1.0.0.3
+server=2606:4700:4700::1113
+server=2606:4700:4700::1003
+
+# server=8.8.4.4
+# server=8.8.8.8
+# server=2001:4860:4860::8888
+# server=2001:4860:4860::8844
 
 
 # to fixup existin ips, on the client you can do
@@ -700,18 +826,30 @@ server=2001:4860:4860::8844
 # default dhcp range is 100-150
 # bottom port,  iPXE (PCI 03:00.0) in seabios boot menu
 dhcp-host=c8:60:00:31:6b:75,set:kd,$l.2,kd
+dhcp-host=94:05:bb:1e:2c:2e,set:sy,$l.3,sy
 # top port, iPXE (PCI 04:00.0) in seabios boot menu
 #dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd
-dhcp-host=00:26:18:97:bb:16,set:frodo,$l.3,frodo
-# 4 is reserved for a staticly configured host.
-dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
+# 4 is reserved for a staticly configured host wrt2
+# old x2 with bad fan
+#dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
+dhcp-host=f0:de:f1:81:ec:88,set:x2,$l.5,x2
+dhcp-host=c4:8e:8f:44:f5:63,set:x2w,$l.6,x2w
+dhcp-host=34:7d:f6:ed:ec:07,set:syw,$l.7,syw
+dhcp-host=80:fa:5b:1c:6e:cf,set:amy,$l.8,amy
 # This is so fai can have an explicit name to use for testing,
 # or else any random machine which did a pxe boot would get
 # reformatted. The mac is from doing a virt-install, cancelling it,
 # and copying the generated mac, so it should be randomish.
-dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.6,demohost
-dhcp-host=00:1f:16:14:01:d8,set:tp,$l.7,x3
-dhcp-host=80:fa:5b:1c:6e:cf,set:tp,$l.8,tp
+dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.12,demohost
+dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp
+dhcp-host=00:1f:16:14:01:d8,set:x3,$l.18,x3
+# BRN001BA98CA823 in dhcp logs
+dhcp-host=00:1b:a9:8c:a8:23,set:brother,$l.19,brother
+
+dhcp-host=00:26:b6:f7:d4:d8,set:amyw,$l.23,amyw
+dhcp-host=38:63:bb:07:5a:f9,set:hp,$l.25,hp
+dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow
+
 
 # faiserver vm
 dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.15,faiserver
@@ -729,12 +867,25 @@ dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,$l.251,switch9429ca
 enable-tftp=br-lan
 tftp-root=/mnt/usb/tftpboot
 dhcp-optsfile=/etc/dnsmasq-dhcpopts.conf
-EOF
-
 
+#log-queries=extra
+EOF
 
 
 if $dnsmasq_restart && ! $dev2; then
+  # todo: can our ptr records be put in /etc/hosts?
+  # eg: user normal /etc/hosts records, and they wont be used for A resolution
+  # due to the other settings, but will be used for ptr? then maybe
+  # we dont have to restart dnsmasq for a dns update?
+  #
+  # todo: according to this
+  # https://www.redpill-linpro.com/techblog/2019/08/27/evaluating-local-dnssec-validators.html#toggling-dnssec-validation-1
+  # we should turn on dnssec validation when wrt gets version > 2.80. currently at 2.80.
+  # todo: download https://downloads.openwrt.org/snapshots/packages/mipsel_24kc/base/dnsmasq-full_2.84-1_mipsel_24kc.ipk
+  # and install it. then we can turn off dnssec in systemd-resolved
+  #
+  # Also, reload of dnsmasq seems to break things, wifi
+  # clients were not getting internet connectivity.
   v /etc/init.d/dnsmasq restart
 fi
 
@@ -742,6 +893,10 @@ if $firewall_restart; then
   v /etc/init.d/firewall restart
 fi
 
+# this may just restart the network and take care of the network_restart below.
+if $wireless_restart; then
+  v wifi
+fi
 
 # todo: we should catch errors and still run this if needed
 if $network_restart; then