exit
}
EOF
-v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server tcpdump
+v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \
+ tcpdump openvpn-openssl
- # exportfs -ra won't cut it when its the same path, but now a bind mount
+# exportfs -ra wont cut it when its the same path, but now a bind mount
cedit /etc/exports <<'EOF' || v /etc/init.d/nfsd restart ||:
/mnt/usb 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check)
# for arch pxe
/run/archiso/bootmnt 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check)
-
EOF
v /etc/init.d/portmap enable
v /etc/init.d/nfsd enable
-# default is 250, but my switch wants a high static address by default,
-# and I don't need that many, so lets just reduce it.
-sed -ri 's/^(.*option limit ).*/\1100/' /etc/config/dhcp
+v /etc/init.d/openvpn start
+v /etc/init.d/openvpn enable
+
+
+# setup to use only vpn in 5 ways:
+# set lan forward to vpn instead of wan,
+# disable wan masquerade,
+# set the default for outgoing to reject,
+# open wan port 1194 and 22 (ssh is too useful),
+# setup port forwardings to use vpn.
+firewall_restart=false
+# https://wiki.openwrt.org/doc/uci
+if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then
+ # default is wan
+ # https://wiki.openwrt.org/doc/uci
+ v uci set firewall.@forwarding[0].dest=vpn
+ uci commit firewall
+ firewall_restart=true
+fi
+
+wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
+w="firewall.@zone[$wan_index]"
+if [[ $(uci get $w.masq) == 1 ]]; then
+ v uci set $w.masq=0
+ uci commit firewall
+ firewall_restart=true
+fi
+
+if [[ $(uci get $w.output) != REJECT ]]; then
+ v uci set $w.masq=REJECT
+ uci commit firewall
+ firewall_restart=true
+fi
+
+if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then
+ # default is wan
+ v uci set uci set firewall.@forwarding[0].dest=vpn
+ uci commit firewall
+ firewall_restart=true
+fi
+
+
+# from https://wiki.openwrt.org/doc/uci/firewall
+# todo: not sure if /etc/init.d/network needs restarting.
+# I did, and I had to restart the vpn afterwards.
+# This maps a uci interface to a real interface which is
+# managed outside of uci.
+cedit /etc/config/network <<'EOF' ||:
+config interface 'tun0'
+ option ifname 'tun0'
+ option proto 'none'
+EOF
+
+
+
+# each port forward needs corresponding forward in the vpn server
+cedit /etc/config/firewall <<'EOF' || firewall_restart=true
+config zone
+ option name vpn
+ list network 'tun0'
+ option input REJECT
+ option output ACCEPT
+ option forward REJECT
+ option masq 1
+
+config rule
+ option dest wan
+ option target ACCEPT
+ option dest_port '1194 22'
-cedit /etc/config/firewall <<'EOF' || /etc/init.d/firewall restart
# port forwarding
config redirect
option name bittorrent
-option src wan
+option src vpn
option src_dport 63324
option dest_ip 192.168.1.2
option dest lan
# making the port open (not sure if this is actually needed)
config rule
-option src wan
+option src vpn
option target ACCEPT
option dest_port 63324
config redirect
option name frodobittorrent
-option src wan
+option src vpn
option src_dport 63326
option dest_ip 192.168.1.3
option dest lan
config rule
-option src wan
+option src vpn
option target ACCEPT
option dest_port 63326
config redirect
option name treetowlsyncthing
-option src wan
+option src vpn
option src_dport 22000
option dest_ip 192.168.1.2
option dest lan
option proto tcp
config rule
-option src wan
+option src vpn
option target ACCEPT
option dest_port 22000
config redirect
option name bithtpc
-option src wan
+option src vpn
option src_dport 63325
option dest_ip 192.168.1.4
option dest lan
config rule
-option src wan
+option src vpn
option target ACCEPT
option dest_port 63325
config redirect
option name ssh
option src wan
-#uncomment the 2 lines for security of using a non-standard port
+# example of using a non-standard port
# and comment out the 22 port line
# option src_dport 63321
+# option dest_port 22 # already default
option src_dport 22
option dest_ip 192.168.1.2
option dest lan
-# option dest_port 22 # already default
config rule
option src wan
option dest_port 22
+# not using http server atm, so disable it.
# for https
-config redirect
- option src wan
- option src_dport 443
- option dest lan
- option dest_ip 192.168.1.2
- option proto tcp
+# config redirect
+# option src wan
+# option src_dport 443
+# option dest lan
+# option dest_ip 192.168.1.2
+# option proto tcp
-config rule
- option src wan
- option target ACCEPT
- option dest_port 443
- option proto tcp
+# config rule
+# option src wan
+# option target ACCEPT
+# option dest_port 443
+# option proto tcp
-# not using http server atm, so disable it.
# config redirect
# option src wan
# option src_dport 80
# option proto tcp
EOF
+if $firewall_restart; then
+ /etc/init.d/firewall restart
+fi
dnsmasq_restart=false
cedit /etc/hosts <<EOF || dnsmasq_restart=true
72.14.176.105 li
173.255.202.210 lj
23.239.31.172 lk
+104.131.150.120 dopub
+# cant ssh to do when on vpn. some routing/firewall rule or something,
+# I don't know. I can get there from wrt but not my machine.
+# but we can get to it from this address, so, good enough.
+10.8.0.1 do
EOF
+# avoid using the dns servers that my isp tells me about.
+if [[ $(uci get dhcp.@dnsmasq[0].resolvfile) ]]; then
+ # default is '/tmp/resolv.conf.auto', we switch to the dnsmasq default of
+ # /etc/resolv.conf
+ v uci delete dhcp.@dnsmasq[0].resolvfile
+ uci commit dhcp
+ dnsmasq_restart=true
+fi
+
# useful: http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq
cedit /etc/dnsmasq.conf <<'EOF' || dnsmasq_restart=true
############ updating dns servers ###################3
-# download namebench and run it like this:
-# for x in all regional isp global preferred nearby; do ./namebench.py -s $x -c US -i firefox -m weighted -J 10 -w; echo $x; hr; done
# this says the ip of default gateway and dns server,
# in a browsing session, I probably won't ever do 5000 lookups
# before the ttl expiration or whatever does expiration.
cache-size=10000
+
# ask all servers, use the one which responds first.
# http://ma.ttwagner.com/make-dns-fly-with-dnsmasq-all-servers/
all-servers
-# namebench showed 4 servers fairly close ranking.
-# qwest
-#server=205.171.3.65
-#server=205.171.2.25
-# clearwire anchorage
-#server=64.13.115.12
-# comcast spokane
-#server=68.87.69.146
+
+# namebench benchmarks dns servers. google's dns was only
+# slightly less fast than some others, and I trust it more
+# to give accurate results, stay relatively fast, and
+# not do anythin too malicious, so just use that.
+# download namebench and run it like this:
+# for x in all regional isp global preferred nearby; do ./namebench.py -s $x -c US -i firefox -m weighted -J 10 -w; echo $x; hr; done
# google
server=8.8.4.4
server=8.8.8.8
-# NTT
-#server=129.250.35.250
-# isp servers
-#server=75.75.76.76
-#server=75.75.75.75
-
+server=2001:4860:4860::8888
+server=2001:4860:4860::8844
# to fixup existin ips, on the client you can do
# Just leave the tftp server up even if we aren't doing pxe boot.
# It has no sensitive info.
-enable-tftp
tftp-root=/mnt/usb/tftpboot
EOF
if $dnsmasq_restart; then
v /etc/init.d/dnsmasq restart
fi
+
+cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
+config openvpn my_client_config
+ option enabled 1
+ option config /etc/openvpn/client.conf
+EOF
iankelling.org / git / automated-distro-installer / commitdiff