#!/bin/bash

# -e: stop at the first failing command; -E: the ERR trap below is inherited
# by functions and subshells; pipefail: a pipeline fails if any stage fails.
set -eE -o pipefail
# On any failure report script name, line, the failing command and its
# status on stderr ($BASH_COMMAND is expanded when the trap fires).
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
5
6
7 # ssh
8
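#######################################
# Refresh the opkg package lists when the cached lists are missing or older
# than a day.
# background: upgrading all packages is not recommended because it
# doesn't go into the firmware. build new firmware if you want
# lots of upgrades.
# Globals:   none written (the old version leaked a global `f`)
# Outputs:   whatever `opkg update` prints
# Returns:   0, or the status of a failed `opkg update`
#######################################
pmirror() {
  local -r max_age=$((60 * 60 * 24))
  local lists list_file now
  # Without nullglob an empty /tmp/opkg-lists leaves the literal pattern in
  # the array; the -e test below then treats that as "no cache yet".
  lists=(/tmp/opkg-lists/*)
  list_file=${lists[0]}
  if [[ ! -e $list_file ]]; then
    opkg update
    return
  fi
  now=$(date +%s)
  # Fresh enough: mtime of the first list file plus a day is still ahead of now.
  if ! (( $(date -r "$list_file" +%s) + max_age > now )); then
    opkg update
  fi
}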
19
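#######################################
# Install the given packages unless all of them are already installed.
# One `opkg install` with every argument is issued as soon as the first
# missing package is found; the old loop kept checking (and could re-issue
# the install) for the remaining names.
# Arguments: package names, passed through to opkg
# Returns:   0, or the status of a failed `opkg install`
#######################################
pi() {
  local pkg
  for pkg in "$@"; do
    if [[ -z $(opkg list-installed "$pkg") ]]; then
      pmirror
      opkg install "$@"
      return
    fi
  done
}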
28
#######################################
# Trace a command ("+ cmd args" on stdout), then run it unchanged.
# Arguments: the command and its arguments
# Returns:   the command's exit status
#######################################
v() {
  local -a cmd=("$@")
  printf '+ %s\n' "${cmd[*]}"
  "${cmd[@]}"
}
33
# Install a helper that bind-mounts the tftpboot tree where the arch installer
# expects its NFS root. The quoted EOFOUTER delimiter keeps $d and the inner
# here-doc literal, so they are expanded by the helper when it runs, not here.
# Note the helper rewrites /etc/fstab wholesale (cat >), leaving only the bind
# entry, and restarts nfsd each time it is run.
cat >/usr/bin/arch-pxe-mount <<'EOFOUTER'
#!/bin/bash
# symlinks are collapsed for nfs mount points, so use a bind mount.
# tried putting this in /etc/config/fstab,
# then doig block mount, it didn't work. This doesn't persist across reboots,
# todo: figure that out
d=/run/archiso/bootmnt
cat > /etc/fstab <<EOF
/mnt/usb/tftpboot $d none bind 0 0
EOF
mount | grep $d &>/dev/null || mount $d
/etc/init.d/nfsd restart
EOFOUTER
chmod +x /usr/bin/arch-pxe-mount
48
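# Interactive logins (PS1 set) hand off to bash; non-interactive sessions
# (ssh single commands, scp) are left alone — see the ticket quoted in the
# file for why the login shell itself is not changed.
# Written to the login directory rather than the current directory; the two
# only coincide when the script happens to be run from there. With HOME
# unset the old cwd-relative behaviour is kept.
cat >"${HOME:-.}/.profile" <<'EOF'
# changing login shell emits spam on ssh single commands & scp
# sed -i 's#/bin/ash$#/bin/bash#' /etc/passwd
#https://dev.openwrt.org/ticket/13852
[ "$PS1" = "" ] || {
/bin/bash
exit
}
EOF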
# Packages the rest of this script relies on: usb/ext4 storage for /mnt/usb,
# the nfs server for the pxe exports, and the openvpn client.
pkgs=(
  kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server
  tcpdump openvpn-openssl
)
v pi "${pkgs[@]}"
60
61
62
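# Switch any radio still on 'encryption none' to WPA2-PSK and remove every
# 'option disabled' line so all radios come up.
# The pre-shared key used to be a literal in this script, i.e. readable by
# anyone with access to the repo. It can now be supplied via WIFI_PSK; the old
# literal is kept only as the default so existing installs behave the same —
# replace it with a longer key and rotate the one that was published here.
# The key must not contain '/', '&' or '\', which are special in the sed
# replacement text.
wifi_psk=${WIFI_PSK:-pictionary49}
sed -ri "s/option[[:space:]]*encryption[[:space:]]*'?none'?/option encryption psk2\n option key $wifi_psk/" /etc/config/wireless
sed -i '/^[[:space:]]*option disabled/d' /etc/config/wireless
v wifi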
66
67
# Make the fstab init script start at boot; a failure here is deliberately
# ignored so the rest of the setup still runs.
v /etc/init.d/fstab enable || true
69
# rebooting makes mounting work, but comparing lsmod,
# i'm guessing this will too. todo, test it.
# modprobe exits 255 when the module is already loaded; that is tolerated,
# any other non-zero status trips set -e.
for kmod in scsi_mod sd_mod; do
  v modprobe "$kmod" || [[ $? -eq 255 ]]
done
74
# for arch pxe. The default settings in the installer expect to find
# the NFS at /run/archiso/bootmnt (the arch-pxe-mount helper above bind-mounts
# the tftpboot tree there).
mkdir -p -- /run/archiso/bootmnt
78
# todo: at some later time, i found /mnt/usb not mounted, watch to see if
# that is the case after running this or rebooting.
# wiki says safe to do in case of fstab changes:
# cedit is defined outside this file; from its use throughout this script it
# appears to write the here-doc to the target and exit non-zero only when the
# content changed, so the `||` arm remounts only after an actual edit —
# confirm against cedit's definition.
# Device names are fixed: /dev/sda1 swap, /dev/sda2 ext4 at /mnt/usb; the
# anon_mount/anon_swap settings presumably also pick up devices not listed
# here.
cedit /etc/config/fstab <<'EOF' || { v block umount; v block mount; }
config global automount
option from_fstab 1
option anon_mount 1

config global autoswap
option from_fstab 1
option anon_swap 1

config mount
option target /mnt/usb
option device /dev/sda2
option fstype ext4
option options rw,async,noatime,nodiratime
option enabled 1
option enabled_fsck 0

config swap
option device /dev/sda1
option enabled 1

EOF
104
105
106
# exportfs -ra wont cut it when its the same path, but now a bind mount
# Both exports are limited to the lan subnet but use no_root_squash (a root
# user on a client is root on the export) and insecure (requests from
# unprivileged source ports are accepted). Any host on 192.168.1.0/24 —
# including whatever gets a lease from dnsmasq below — can therefore write
# these trees as root; restrict to specific hosts or drop no_root_squash if
# that matters. A failed nfsd restart is ignored on purpose (||:).
cedit /etc/exports <<'EOF' || v /etc/init.d/nfsd restart ||:
/mnt/usb 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check)
# for arch pxe
/run/archiso/bootmnt 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check)
EOF
113
114
# Start, then enable at boot, the nfs stack (portmap before nfsd), then the
# openvpn client; order matches the individual calls this replaces.
for svc in portmap nfsd; do
  v /etc/init.d/"$svc" start
done
for svc in portmap nfsd; do
  v /etc/init.d/"$svc" enable
done
for action in start enable; do
  v /etc/init.d/openvpn "$action"
done
122
123
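# setup to use only vpn in 5 ways:
# set lan forward to vpn instead of wan,
# disable wan masquerade,
# set the default for outgoing to reject,
# open wan port 1194 and 22 (ssh is too useful),
# setup port forwardings to use vpn.
# Each step commits on its own and only flags a restart when it changed
# something, so re-running the script is cheap.
firewall_restart=false
# https://wiki.openwrt.org/doc/uci
# uci selectors contain [..]; quote them so the shell never treats them as
# a glob.
if [[ $(uci get "firewall.@forwarding[0].dest") != vpn ]]; then
  # default is wan
  v uci set "firewall.@forwarding[0].dest=vpn"
  uci commit firewall
  firewall_restart=true
fi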
139
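# Find the index of the zone named wan. `uci show` prints name=wan on older
# releases and name='wan' on newer ones, so accept both and anchor the line.
# The group now captures every digit of the index; the old pattern had the
# + outside the group and kept only the last digit of a multi-digit index.
wan_index=$(uci show firewall | sed -rn "s/^firewall\.@zone\[([0-9]+)\]\.name='?wan'?\$/\1/p")
if [[ -z $wan_index ]]; then
  # Without this the later `uci set firewall.@zone[]...` fails with a less
  # obvious error.
  echo "$0: no firewall zone named wan found" >&2
  exit 1
fi
w="firewall.@zone[$wan_index]"
# disable wan masquerade: lan traffic is meant to leave via the vpn zone only.
if [[ $(uci get "$w.masq") == 1 ]]; then
  v uci set "$w.masq=0"
  uci commit firewall
  firewall_restart=true
fi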
147
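# set the default for outgoing to reject, so the router's own traffic cannot
# reach wan except where the rule in /etc/config/firewall below (ports 1194
# and 22) allows it.
# Bug fix: this block used to test .output but then set .masq=REJECT, so the
# output policy was never changed and the block re-ran on every invocation.
if [[ $(uci get "$w.output") != REJECT ]]; then
  v uci set "$w.output=REJECT"
  uci commit firewall
  firewall_restart=true
fi
# A second copy of the forwarding-dest check that used to follow here (with a
# mangled `uci set uci set ...` command) duplicated the check above and was
# removed.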
160
161
# from https://wiki.openwrt.org/doc/uci/firewall
# todo: not sure if /etc/init.d/network needs restarting.
# I did, and I had to restart the vpn afterwards.
# This maps a uci interface to a real interface which is
# managed outside of uci.
# The tun0 interface is what the vpn zone in /etc/config/firewall below
# refers to. cedit's non-zero "changed" status (presumed; it is defined
# outside this file) is ignored here — nothing is restarted for this edit.
cedit /etc/config/network <<'EOF' ||:
config interface 'tun0'
option ifname 'tun0'
option proto 'none'
EOF
172
173
174
# each port forward needs corresponding forward in the vpn server
# What the file below sets up (OpenWrt firewall config format):
# - zone vpn on tun0 with masq 1 and input/forward REJECT: lan clients are
#   NATed out through the tunnel and nothing coming back in is accepted unless
#   a redirect or rule below allows it.
# - the rule with dest=wan and no src: per the OpenWrt firewall docs a rule
#   without src applies to the router's own output, so this is what lets the
#   openvpn client (1194) and outgoing ssh (22) reach wan while the wan zone's
#   output policy is set to REJECT above.
# - redirects with src=vpn forward ports arriving over the tunnel to lan
#   hosts, each paired with an ACCEPT rule (the author is unsure the rule is
#   needed).
# - the ssh redirect has src=wan: port 22 on the wan address is forwarded to
#   192.168.1.2, so that host's sshd is reachable from the wan side, not only
#   through the vpn. Keep it on key-only auth, or give it src=vpn like the
#   others if that exposure is not intended.
# Targets are hard-coded addresses (192.168.1.2–4); keep them in step with
# the dhcp-host reservations written to /etc/dnsmasq.conf below.
# The commented-out sections are templates for http/https forwards.
# cedit is defined outside this file; it appears to exit non-zero when the
# content changed, which is what schedules the firewall restart — confirm.
cedit /etc/config/firewall <<'EOF' || firewall_restart=true
config zone
option name vpn
list network 'tun0'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1

config rule
option dest wan
option target ACCEPT
option dest_port '1194 22'

# port forwarding
config redirect
option name bittorrent
option src vpn
option src_dport 63324
option dest_ip 192.168.1.2
option dest lan
# making the port open (not sure if this is actually needed)
config rule
option src vpn
option target ACCEPT
option dest_port 63324

config redirect
option name frodobittorrent
option src vpn
option src_dport 63326
option dest_ip 192.168.1.3
option dest lan

config rule
option src vpn
option target ACCEPT
option dest_port 63326


config redirect
option name treetowlsyncthing
option src vpn
option src_dport 22000
option dest_ip 192.168.1.2
option dest lan
option proto tcp

config rule
option src vpn
option target ACCEPT
option dest_port 22000


config redirect
option name bithtpc
option src vpn
option src_dport 63325
option dest_ip 192.168.1.4
option dest lan

config rule
option src vpn
option target ACCEPT
option dest_port 63325


config redirect
option name ssh
option src wan
# example of using a non-standard port
# and comment out the 22 port line
# option src_dport 63321
# option dest_port 22 # already default
option src_dport 22
option dest_ip 192.168.1.2
option dest lan

config rule
option src wan
option target ACCEPT
option dest_port 22


# not using http server atm, so disable it.
# for https
# config redirect
# option src wan
# option src_dport 443
# option dest lan
# option dest_ip 192.168.1.2
# option proto tcp

# config rule
# option src wan
# option target ACCEPT
# option dest_port 443
# option proto tcp

# config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.1.2
# option proto tcp

# config rule
# option src wan
# option target ACCEPT
# option dest_port 80
# option proto tcp
EOF
288
# Only bounce the firewall when one of the steps above changed its config
# (the flag holds the literal word true or false).
if [[ $firewall_restart == true ]]; then
  /etc/init.d/firewall restart
fi
292
# Static names served by dnsmasq (it reads /etc/hosts). The delimiter is
# unquoted, so the body is subject to $-expansion; that is harmless only as
# long as no entry contains a $ or backtick. cedit (defined outside this
# file) presumably exits non-zero when the content changed, which schedules
# the dnsmasq restart — confirm.
dnsmasq_restart=false
cedit /etc/hosts <<EOF || dnsmasq_restart=true
192.168.1.1 wrt
192.168.1.2 treetowl faiserver
192.168.1.3 frodo
192.168.1.4 htpc
192.168.1.5 x2
192.168.1.6 testvm
192.168.1.8 tp
72.14.176.105 li
173.255.202.210 lj
23.239.31.172 lk
104.131.150.120 dopub
# cant ssh to do when on vpn. some routing/firewall rule or something,
# I don't know. I can get there from wrt but not my machine.
# but we can get to it from this address, so, good enough.
10.8.0.1 do
EOF
311
312
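# avoid using the dns servers that my isp tells me about.
# The uci selector is quoted: its [0] is otherwise a shell glob.
if [[ -n $(uci get "dhcp.@dnsmasq[0].resolvfile") ]]; then
  # default is '/tmp/resolv.conf.auto', we switch to the dnsmasq default of
  # /etc/resolv.conf
  v uci delete "dhcp.@dnsmasq[0].resolvfile"
  uci commit dhcp
  dnsmasq_restart=true
fi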
321
322
# useful: http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq

# Notes on what the file below does:
# - upstream resolvers are Google's, queried in parallel (all-servers) over
#   plain DNS; with the wan output policy set to REJECT above, the router's
#   own queries should only be able to leave through the tunnel — verify with
#   tcpdump on the wan interface if that assumption matters.
# - dhcp-host lines pin addresses and tags to MAC addresses. A MAC is
#   trivially set by the client, so the demohost/faiserver reservations are
#   a convenience guard against accidental reformatting, not an
#   authentication of the machine that pxe-boots.
# - tftp-root serves /mnt/usb/tftpboot to anything on the lan; the author
#   states it holds nothing sensitive.
# cedit (defined outside this file) presumably exits non-zero when the
# content changed, which schedules the dnsmasq restart — confirm.
cedit /etc/dnsmasq.conf <<'EOF' || dnsmasq_restart=true

############ updating dns servers ###################3


# this says the ip of default gateway and dns server,
# but I think they are unneded and default
#dhcp-option=3,192.168.1.1
#dhcp-option=6,192.168.1.1



# results from googling around dnsmasq optimizations
# about 50k in memory. router has 62 megs.
# in a browsing session, I probably won't ever do 5000 lookups
# before the ttl expiration or whatever does expiration.
cache-size=10000

# ask all servers, use the one which responds first.
# http://ma.ttwagner.com/make-dns-fly-with-dnsmasq-all-servers/
all-servers

# namebench benchmarks dns servers. google's dns was only
# slightly less fast than some others, and I trust it more
# to give accurate results, stay relatively fast, and
# not do anythin too malicious, so just use that.
# download namebench and run it like this:
# for x in all regional isp global preferred nearby; do ./namebench.py -s $x -c US -i firefox -m weighted -J 10 -w; echo $x; hr; done
# google
server=8.8.4.4
server=8.8.8.8
server=2001:4860:4860::8888
server=2001:4860:4860::8844


# to fixup existin ips, on the client you can do
# sudo dhclient -r; sudo dhclient <interface-name>

# default dhcp range is 100-150
dhcp-host=f4:6d:04:02:ed:66,set:treetowl,192.168.1.2,treetowl
dhcp-host=00:26:18:97:bb:16,set:frodo,192.168.1.3,frodo
dhcp-host=10:78:d2:da:29:22,set:htpc,192.168.1.4,htpc
dhcp-host=00:1f:16:16:39:24,set:x2,192.168.1.5,x2
# this is so fai can have an explicit name to use for testing,
# or else any random machine which did a pxe boot would get
# reformatted. The mac is from doing a virt-install, cancelling it,
# and copying the generated mac, so it should be randomish.
dhcp-host=52:54:00:9c:ef:ad,set:demohost,192.168.1.6,demohost
dhcp-host=52:54:00:56:09:f9,set:faiserver,192.168.1.7,faiserver
dhcp-host=80:fa:5b:1c:6e:cf,set:tp,192.168.1.8,tp
# this is the ip it picks by default if dhcp fails,
# so might as well use it.
# hostname is the name it uses according to telnet
dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,192.168.1.251,switch9429ca


# template
# dhcp-host=,192.168.1.,

# Just leave the tftp server up even if we aren't doing pxe boot.
# It has no sensitive info.
tftp-root=/mnt/usb/tftpboot
EOF
388
# Restart dnsmasq only if /etc/hosts, the resolvfile setting or
# /etc/dnsmasq.conf changed above (the flag is the literal word true/false).
if [[ $dnsmasq_restart == true ]]; then
  v /etc/init.d/dnsmasq restart
fi
392
# Point the openvpn init script at a client config and restart it when this
# stanza changed (cedit, defined outside this file, presumably exits non-zero
# on change — confirm). The keys and certificates referenced by
# /etc/openvpn/client.conf are not written by this script; they must already
# be on the device.
cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart
config openvpn my_client_config
option enabled 1
option config /etc/openvpn/client.conf
EOF