From 7815dd8b158226f7186bf987d270b4f824902555 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Sun, 17 Jul 2016 17:18:18 -0700
Subject: [PATCH] use vpn

---
 dsfull | 28 +++++
 fai/config/class/50-host-classes | 2 +
 wrt-setup | 173 +++++++++++++++++++++++--------
 wrt-setup-remote | 37 +++++++
 4 files changed, 194 insertions(+), 46 deletions(-)
 create mode 100755 dsfull

diff --git a/dsfull b/dsfull
new file mode 100755
index 0000000..f141bc5
--- /dev/null
+++ b/dsfull
@@ -0,0 +1,28 @@
+#!/bin/bash -l
+# Copyright (C) 2016 Ian Kelling
+# This program is under GPL v. 3 or later, see
+
+# distro setup full. (assuming we already synced data files to the host)
+
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+host=$1
+
+if [[ ! $host || $host == -h ]]; then
+echo "$0: error: expected 1 arg of hostname"
+exit 1
+fi
+
+set -x
+ssh $host sudo bash <<'EOF'
+set -e
+systemctl stop keyscriptoff.service
+reboot ||:
+EOF
+
+pxe-server fai $host
+while ! ssh $host :; do
+sleep 5
+done
+dsremote $host
diff --git a/fai/config/class/50-host-classes b/fai/config/class/50-host-classes
index cc8e3de..3548b1f 100755
--- a/fai/config/class/50-host-classes
+++ b/fai/config/class/50-host-classes
@@ -21,6 +21,8 @@ case $HOSTNAME in
 echo "FAIBASE DEBIAN LINODESTABLE PARTITION_PROMPT" ;;
 li)
 echo "FAIBASE DEBIAN LINODESTABLE PARTITION_PROMPT" ;;
+ do)
+ echo "FAIBASE DEBIAN STABLE PARTITION_PROMPT" ;;
 # faiserver)
 # echo "FAIBASE DEBIAN DEMO FAISERVER" ;;
 # xfcehost)
diff --git a/wrt-setup b/wrt-setup
index beea6b1..7d80612 100755
--- a/wrt-setup
+++ b/wrt-setup
@@ -55,7 +55,8 @@ cat >.profile <<'EOF'
 exit
 }
 EOF
-v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server tcpdump
+v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \
+ tcpdump openvpn-openssl
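Review bot: The readiness loop `while ! ssh $host :; do sleep 5; done` in dsfull is unbounded, so any failure that is not transient — for instance a host-key mismatch, if the FAI reinstall regenerates the host's ssh host key and nothing else refreshes known_hosts — makes dsfull hang instead of failing. A bounded wait such as `for ((i = 0; i < 120; i++)); do ssh "$host" : && break; sleep 5; done` followed by an explicit failure exit would surface that. The reboot is also issued before `pxe-server fai $host`, so if the host has not gone down by the time the loop runs, the first `ssh` can succeed against the old system; whether pxe-server takes long enough to avoid that cannot be told from here. Separately, the usage error should go to stderr, `echo "$0: error: expected 1 arg of hostname" >&2`, and `$host` should be quoted in the ssh, pxe-server and dsremote calls.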
@@ -103,12 +104,11 @@ EOF
- # exportfs -ra won't cut it when its the same path, but now a bind mount
+# exportfs -ra wont cut it when its the same path, but now a bind mount
 cedit /etc/exports <<'EOF' || v /etc/init.d/nfsd restart ||:
 /mnt/usb 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check)
 # for arch pxe
 /run/archiso/bootmnt 192.168.1.0/255.255.255.0(rw,no_root_squash,insecure,sync,no_subtree_check)
-
 EOF
@@ -117,60 +117,125 @@ v /etc/init.d/nfsd start
 v /etc/init.d/portmap enable
 v /etc/init.d/nfsd enable
-# default is 250, but my switch wants a high static address by default,
-# and I don't need that many, so lets just reduce it.
-sed -ri 's/^(.*option limit ).*/\1100/' /etc/config/dhcp
+v /etc/init.d/openvpn start
+v /etc/init.d/openvpn enable
+
+
+# setup to use only vpn in 5 ways:
+# set lan forward to vpn instead of wan,
+# disable wan masquerade,
+# set the default for outgoing to reject,
+# open wan port 1194 and 22 (ssh is too useful),
+# setup port forwardings to use vpn.
+firewall_restart=false
+# https://wiki.openwrt.org/doc/uci
+if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then
+ # default is wan
+ # https://wiki.openwrt.org/doc/uci
+ v uci set firewall.@forwarding[0].dest=vpn
+ uci commit firewall
+ firewall_restart=true
+fi
+
+wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p')
+w="firewall.@zone[$wan_index]"
+if [[ $(uci get $w.masq) == 1 ]]; then
+ v uci set $w.masq=0
+ uci commit firewall
+ firewall_restart=true
+fi
+
+if [[ $(uci get $w.output) != REJECT ]]; then
+ v uci set $w.masq=REJECT
+ uci commit firewall
+ firewall_restart=true
+fi
+
+if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then
+ # default is wan
+ v uci set uci set firewall.@forwarding[0].dest=vpn
+ uci commit firewall
+ firewall_restart=true
+fi
+
+
+# from https://wiki.openwrt.org/doc/uci/firewall
+# todo: not sure if /etc/init.d/network needs restarting.
+# I did, and I had to restart the vpn afterwards.
+# This maps a uci interface to a real interface which is
+# managed outside of uci.
+cedit /etc/config/network <<'EOF' ||:
+config interface 'tun0'
+ option ifname 'tun0'
+ option proto 'none'
+EOF
+
+
+
+# each port forward needs corresponding forward in the vpn server
+cedit /etc/config/firewall <<'EOF' || firewall_restart=true
+config zone
+ option name vpn
+ list network 'tun0'
+ option input REJECT
+ option output ACCEPT
+ option forward REJECT
+ option masq 1
+
+config rule
+ option dest wan
+ option target ACCEPT
+ option dest_port '1194 22'
-cedit /etc/config/firewall <<'EOF' || /etc/init.d/firewall restart
 # port forwarding
 config redirect
 option name bittorrent
-option src wan
+option src vpn
 option src_dport 63324
 option dest_ip 192.168.1.2
 option dest lan
 # making the port open (not sure if this is actually needed)
 config rule
-option src wan
+option src vpn
 option target ACCEPT
 option dest_port 63324
 config redirect
 option name frodobittorrent
-option src wan
+option src vpn
 option src_dport 63326
 option dest_ip 192.168.1.3
 option dest lan
 config rule
-option src wan
+option src vpn
 option target ACCEPT
 option dest_port 63326
 config redirect
 option name treetowlsyncthing
-option src wan
+option src vpn
 option src_dport 22000
 option dest_ip 192.168.1.2
 option dest lan
 option proto tcp
 config rule
-option src wan
+option src vpn
 option target ACCEPT
 option dest_port 22000
 config redirect
 option name bithtpc
-option src wan
+option src vpn
 option src_dport 63325
 option dest_ip 192.168.1.4
 option dest lan
 config rule
-option src wan
+option src vpn
 option target ACCEPT
 option dest_port 63325
@@ -178,13 +243,13 @@ option dest_port 63325
 config redirect
 option name ssh
 option src wan
-#uncomment the 2 lines for security of using a non-standard port
+# example of using a non-standard port
 # and comment out the 22 port line
 # option src_dport 63321
+# option dest_port 22 # already default
 option src_dport 22
 option dest_ip 192.168.1.2
 option dest lan
-# option dest_port 22 # already default
 config rule
 option src wan
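Review bot: The block guarded by `[[ $(uci get $w.output) != REJECT ]]` runs `v uci set $w.masq=REJECT`, so the wan zone's output policy is never set to REJECT (the stated "set the default for outgoing to reject" step does not happen), the `masq` value set to 0 just above is overwritten with a non-numeric string, and the block re-fires on every run; the line should be `v uci set $w.output=REJECT`. The following block repeats the first `forwarding[0].dest` check with a doubled command, `v uci set uci set firewall.@forwarding[0].dest=vpn`, which cannot succeed and can simply be deleted. The `wan_index` extraction uses `([0-9])+`, which captures only the last digit of the zone index — `([0-9]+)` is what is intended — and, depending on the uci version, `uci show` may emit quoted values (`name='wan'`) that this pattern never matches; if it yields nothing, `$w` becomes `firewall.@zone[]` and both zone guards silently do nothing. Until `$w.output` really is REJECT, the new `option dest wan` / `option dest_port '1194 22'` rule restricts nothing, so checking `uci show firewall` after a run is worthwhile.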
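Review bot: After this commit the ssh redirect is the only forward left on `option src wan`, but the comment changes in this hunk say nothing about that, so a later pass is likely to "fix" it to vpn like the others; presumably it is deliberate, given the earlier `open wan port 1194 and 22 (ssh is too useful)` comment. A line such as `# intentionally stays on wan so the host is reachable while the vpn is down` above `option src wan` would record that. Moving `# option dest_port 22 # already default` next to the other commented example is fine as-is.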
@@ -192,21 +257,21 @@ option target ACCEPT option dest_port 22 +# not using http server atm, so disable it. # for https -config redirect - option src wan - option src_dport 443 - option dest lan - option dest_ip 192.168.1.2 - option proto tcp +# config redirect +# option src wan +# option src_dport 443 +# option dest lan +# option dest_ip 192.168.1.2 +# option proto tcp -config rule - option src wan - option target ACCEPT - option dest_port 443 - option proto tcp +# config rule +# option src wan +# option target ACCEPT +# option dest_port 443 +# option proto tcp -# not using http server atm, so disable it. # config redirect # option src wan # option src_dport 80 @@ -221,6 +286,9 @@ config rule # option proto tcp EOF +if $firewall_restart; then + /etc/init.d/firewall restart +fi dnsmasq_restart=false cedit /etc/hosts <> /root/port-forwards +done +done +chmod +x /root/port-forwards + +sudo dd of=/etc/systemd/system/myport-forward.service <