From ce6db3967cb73d7169cc8b410e53e2ecbd506752 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Sun, 17 Jul 2016 19:00:33 -0700 Subject: [PATCH] cleanup, remove vpn stuff --- README | 6 +- wrt-disabled-firewall-rules | 102 ++++++++++++++++++ wrt-setup | 210 ++++++++---------------------------- wrt-setup-remote | 41 +------ 4 files changed, 152 insertions(+), 207 deletions(-) create mode 100644 wrt-disabled-firewall-rules diff --git a/README b/README index 309d5ff..c5cf1be 100644 --- a/README +++ b/README @@ -9,14 +9,10 @@ Scripts meant to be called interactively: arch-init-remote # install arch (after it's been booted into it's setup env) chboot # Set grub to boot into a different distro (installed earlier) -dsfull # install & setup a new distro (if data partition already synced) +dsfull # install & setup a new fai distro (if data partition already synced) fai-revm # test fai on a fresh vm faiserver-revm # create a vm which is a fai server faiserver-uninstall fresize # resize swap or boot partitions in a host pxe-server # temporarily enable (usually) fai or arch boot server wrt-setup-remote # setup my router - - - PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND -24412 nobody 30 10 33.209g 0.014t 1192 R 96.0 91.2 45:27.66 find \ No newline at end of file diff --git a/wrt-disabled-firewall-rules b/wrt-disabled-firewall-rules new file mode 100644 index 0000000..18630cd --- /dev/null +++ b/wrt-disabled-firewall-rules 
@@ -0,0 +1,102 @@
+firewall rules, temporarily disabled until I get them working
+
+
+#### begin port forwarding rules ####
+ # each port forward needs corresponding forward in the vpn server
+config redirect
+ option name ssh
+ option src wan
+ # example of using a non-standard port
+ # and comment out the 22 port line
+ # option src_dport 63321
+ # option dest_port 22 # already default
+ option src_dport 22
+ option dest_ip 192.168.1.2
+ option dest lan
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 22
+
+
+config redirect
+ option name bittorrent
+ option src vpn
+ option src_dport 63324
+ option dest_ip 192.168.1.2
+ option dest lan
+# making the port open (not sure if this is actually needed)
+config rule
+ option src vpn
+ option target ACCEPT
+ option dest_port 63324
+
+config redirect
+ option name frodobittorrent
+ option src vpn
+ option src_dport 63326
+ option dest_ip 192.168.1.3
+ option dest lan
+config rule
+ option src vpn
+ option target ACCEPT
+ option dest_port 63326
+
+
+config redirect
+ option name treetowlsyncthing
+ option src vpn
+ option src_dport 22000
+ option dest_ip 192.168.1.2
+ option dest lan
+ option proto tcp
+config rule
+ option src vpn
+ option target ACCEPT
+ option dest_port 22000
+
+
+config redirect
+ option name bithtpc
+ option src vpn
+ option src_dport 63325
+ option dest_ip 192.168.1.4
+ option dest lan
+config rule
+ option src vpn
+ option target ACCEPT
+ option dest_port 63325
+
+
+
+
+
+# http server
+ # for https
+ # config redirect
+ # option src wan
+ # option src_dport 443
+ # option dest lan
+ # option dest_ip 192.168.1.2
+ # option proto tcp
+
+ # config rule
+ # option src wan
+ # option target ACCEPT
+ # option dest_port 443
+ # option proto tcp
+
+ # config redirect
+ # option src wan
+ # option src_dport 80
+ # option dest lan
+ # option dest_ip 192.168.1.2
+ # option proto tcp
+
+ # config rule
+ # option src wan
+ # option target ACCEPT
+ # option dest_port 80
+ # option proto 
tcp + +#### end port forwarding rules #### diff --git a/wrt-setup b/wrt-setup index 7d80612..4d208c0 100755 --- a/wrt-setup +++ b/wrt-setup @@ -3,7 +3,6 @@ set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR - # ssh pmirror() { 
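Review bot: The `config rule` that follows the ssh redirect (`option src wan`, `option target ACCEPT`, `option dest_port 22`) has no `option dest`, so if this file is ever re-enabled it is an input rule that opens port 22 on the router itself from WAN, not the "port open" for the forward to 192.168.1.2 that the later comment `# making the port open (not sure if this is actually needed)` assumes; as I understand OpenWrt's fw3, a DNAT redirect already accepts the forwarded connection, so each of these extra ACCEPT rules is either redundant or exposes a service on the router. If they are kept, add `option dest lan` to each and `option proto tcp` to the ssh redirect (which otherwise defaults to tcp and udp), and say in the header which effect is intended. The `vpn` zone these rules reference is the one this commit removes from wrt-setup, so a header note such as `# requires the 'vpn' zone (tun0) that wrt-setup no longer defines` would save the next reader a failed firewall reload.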
@@ -117,181 +116,66 @@ v /etc/init.d/nfsd start v /etc/init.d/portmap enable v /etc/init.d/nfsd enable -v /etc/init.d/openvpn start -v /etc/init.d/openvpn enable - - -# setup to use only vpn in 5 ways: -# set lan forward to vpn instead of wan, -# disable wan masquerade, -# set the default for outgoing to reject, -# open wan port 1194 and 22 (ssh is too useful), -# setup port forwardings to use vpn. -firewall_restart=false -# https://wiki.openwrt.org/doc/uci -if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then - # default is wan - # https://wiki.openwrt.org/doc/uci - v uci set firewall.@forwarding[0].dest=vpn - uci commit firewall - firewall_restart=true -fi -wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p') -w="firewall.@zone[$wan_index]" -if [[ $(uci get $w.masq) == 1 ]]; then - v uci set $w.masq=0 - uci commit firewall - firewall_restart=true -fi -if [[ $(uci get $w.output) != REJECT ]]; then - v uci set $w.masq=REJECT - uci commit firewall - firewall_restart=true -fi -if [[ $(uci get firewall.@forwarding[0].dest) != vpn ]]; then - # default is wan - v uci set uci set firewall.@forwarding[0].dest=vpn - uci commit firewall - firewall_restart=true -fi -# from https://wiki.openwrt.org/doc/uci/firewall -# todo: not sure if /etc/init.d/network needs restarting. -# I did, and I had to restart the vpn afterwards. -# This maps a uci interface to a real interface which is -# managed outside of uci. 
-cedit /etc/config/network <<'EOF' ||: -config interface 'tun0' - option ifname 'tun0' - option proto 'none' -EOF +######### uci example:####### +# # https://wiki.openwrt.org/doc/uci +# wan_index=$(uci show firewall | sed -rn 's/firewall\.@zone\[([0-9])+\]\.name=wan/\1/p') +# wan="firewall.@zone[$wan_index]" +# if [[ $(uci get firewall.@forwarding[0].dest) != $forward_dest ]]; then +# # default is wan +# v uci set firewall.@forwarding[0].dest=$forward_dest +# uci commit firewall +# firewall_restart=true +# fi -# each port forward needs corresponding forward in the vpn server -cedit /etc/config/firewall <<'EOF' || firewall_restart=true -config zone - option name vpn - list network 'tun0' - option input REJECT - option output ACCEPT - option forward REJECT - option masq 1 +########## openvpn exampl +########## missing firewall settings for routing lan +########## traffic +# v /etc/init.d/openvpn start +# v /etc/init.d/openvpn enable -config rule - option dest wan - option target ACCEPT - option dest_port '1194 22' +# # from https://wiki.openwrt.org/doc/uci/firewall +# # todo: not sure if /etc/init.d/network needs restarting. +# # I did, and I had to restart the vpn afterwards. +# # This maps a uci interface to a real interface which is +# # managed outside of uci. 
+# v cedit /etc/config/network <<'EOF' ||: +# config interface 'tun0' +# option ifname 'tun0' +# option proto 'none' +# EOF +# v cedit /etc/config/openvpn <<'EOF' || v /etc/init.d/openvpn restart +# config openvpn my_client_config +# option enabled 1 +# option config /etc/openvpn/client.conf +# EOF -# port forwarding -config redirect -option name bittorrent -option src vpn -option src_dport 63324 -option dest_ip 192.168.1.2 -option dest lan -# making the port open (not sure if this is actually needed) -config rule -option src vpn -option target ACCEPT -option dest_port 63324 - -config redirect -option name frodobittorrent -option src vpn -option src_dport 63326 -option dest_ip 192.168.1.3 -option dest lan - -config rule -option src vpn -option target ACCEPT -option dest_port 63326 +v cedit /etc/config/firewall <<'EOF' || firewall_restart=true config redirect -option name treetowlsyncthing -option src vpn -option src_dport 22000 -option dest_ip 192.168.1.2 -option dest lan -option proto tcp - + option name ssh + option src wan + option src_dport 22 + option dest_ip 192.168.1.2 + option dest lan config rule -option src vpn -option target ACCEPT -option dest_port 22000 - - -config redirect -option name bithtpc -option src vpn -option src_dport 63325 -option dest_ip 192.168.1.4 -option dest lan - -config rule -option src vpn -option target ACCEPT -option dest_port 63325 - + option src wan + option target ACCEPT + option dest_port 22 +EOF -config redirect -option name ssh -option src wan -# example of using a non-standard port -# and comment out the 22 port line -# option src_dport 63321 -# option dest_port 22 # already default -option src_dport 22 -option dest_ip 192.168.1.2 -option dest lan -config rule -option src wan -option target ACCEPT -option dest_port 22 - - -# not using http server atm, so disable it. 
-# for https -# config redirect -# option src wan -# option src_dport 443 -# option dest lan -# option dest_ip 192.168.1.2 -# option proto tcp - -# config rule -# option src wan -# option target ACCEPT -# option dest_port 443 -# option proto tcp - -# config redirect -# option src wan -# option src_dport 80 -# option dest lan -# option dest_ip 192.168.1.2 -# option proto tcp - -# config rule -# option src wan -# option target ACCEPT -# option dest_port 80 -# option proto tcp -EOF -if $firewall_restart; then - /etc/init.d/firewall restart -fi dnsmasq_restart=false -cedit /etc/hosts <&2' ERR +cd "${BASH_SOURCE%/*}" + h=root@192.168.1.1 scp /a/bin/fai/wrt-setup /a/bin/cedit/cedit $h:/usr/bin -ssh $h <<'EOF' +ssh $h <> /root/port-forwards -done -done -chmod +x /root/port-forwards - -sudo dd of=/etc/systemd/system/myport-forward.service <
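Review bot: The new `v cedit /etc/config/firewall <<'EOF' || firewall_restart=true` sets a flag that nothing reads any more: this hunk also removes the `firewall_restart=false` initialisation and the `if $firewall_restart; then /etc/init.d/firewall restart; fi` block, so a changed ssh redirect is written to /etc/config/firewall but not applied until the next reboot, and because the script runs with `set -eE -o pipefail` but not `-u` the dangling assignment is silent. Either restore the conditional restart or drop the flag and restart directly: `v cedit /etc/config/firewall <<'EOF' || /etc/init.d/firewall restart`. Separately, the new `config rule` with `option src wan` and `option dest_port 22` has no `option dest`, which in OpenWrt's UCI firewall makes it an input rule for the router itself rather than part of the forward to 192.168.1.2; as I read fw3 the redirect already permits the forwarded connection, so this rule mainly opens the router's own ssh on WAN, and if that is not intended it should be removed or given `option dest lan`. The enclosing script continues outside the hunk.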