setup gateway script from 18 july
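#!/bin/bash
###
# gateway creator v0.1
# by wiflix
#
# just run as root, add your VPN credentials and reboot!
# please remove my name, if you wanna extend or alter this script!
#
# The values asked for below are written verbatim into config files and
# into an `ip addr add` command, so they are checked against a simple
# format before anything is installed or written.
###

# Print a message to stderr and abort. Used for the steps that everything
# later depends on (package install, checkout, cd into the dkms tree).
die() {
  printf 'gateway creator: %s\n' "$*" >&2
  exit 1
}

readonly ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
readonly mac_re='^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'

printf '%s\n' 'Welcome to Gateway Creator' \
  'Please tell me some stuff about your gateway.'
read -r -p 'IP (the LAN IP from the wiki): ' lan_ip
[[ "$lan_ip" =~ $ipv4_re ]] || die "LAN IP '$lan_ip' is not a dotted IPv4 address"
read -r -p 'MAC of mash vpn (from wiki): ' vpn_mac
[[ "$vpn_mac" =~ $mac_re ]] || die "MAC '$vpn_mac' is not of the form aa:bb:cc:dd:ee:ff"
# -s: the private key must not be echoed into the terminal scrollback.
read -rs -p 'Private Key of mesh vpn (from wlanf3ak): ' vpn_secret
printf '\n'
# The secret ends up inside double quotes in secret.conf, so it must be
# non-empty and must not contain quotes or whitespace.
[[ -n "$vpn_secret" && "$vpn_secret" != *[\"[:space:]]* ]] \
  || die "private key is empty or contains quotes/whitespace"
read -r -p 'First IP to give via DHCP (from wiki): ' dhcp_from_ip
[[ "$dhcp_from_ip" =~ $ipv4_re ]] || die "DHCP start '$dhcp_from_ip' is not a dotted IPv4 address"
read -r -p 'Last IP to give via DHCP (from wiki): ' dhcp_to_ip
[[ "$dhcp_to_ip" =~ $ipv4_re ]] || die "DHCP end '$dhcp_to_ip' is not a dotted IPv4 address"

###
# ubuntu
#
# repair some out-of-the-box-fuckup
###
locale-gen en_US en_US.UTF-8 de_DE.UTF-8
dpkg-reconfigure locales

###
# batctl
#
# install batctl from external apt-repository
#
# NOTE(review): the signing key is fetched by key ID from a public keyserver,
# which only proves the key has that ID; compare the fingerprint against one
# published by the repository operator before trusting the packages.
###
printf '%s\n' "deb http://repo.universe-factory.net/debian/ sid main" \
  > /etc/apt/sources.list.d/fastd.list
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 16EF3F64CB201D9C
apt-get update
apt-get install -y linux-headers-generic batman-adv-dkms batctl git fastd \
  isc-dhcp-server radvd iptables-persistent dnsmasq \
  || die "package installation failed"

###
# ubuntu 14.04 shipps 3.13 which shipps batman-adv 2014.0
# gluon only supports batman-adv 2013.4 at the moment, so
# we have to downgrade the module via dkms with --force
###
cd /usr/src/batman-adv-2013.4.0 || die "dkms source tree /usr/src/batman-adv-2013.4.0 is missing"
dkms remove batman-adv/2013.4.0 --all
dkms add batman-adv/2013.4.0
dkms build batman-adv/2013.4.0
dkms install --force batman-adv/2013.4.0 || die "dkms install of batman-adv/2013.4.0 failed"

###
# import peers
###
git clone https://github.com/freifunk-flensburg/fffl-fastd-peers.git /etc/fastd/vpn/peers \
  || die "could not clone the fastd peer list"

###
# iptables
#
# everything routed through the external vpn has to be masqueraded (NAT)
###
tee /etc/iptables/rules.v4 <<DELIM
*nat
:PREROUTING ACCEPT [15:1459]
:INPUT ACCEPT [2:88]
:OUTPUT ACCEPT [1:74]
:POSTROUTING ACCEPT [1:74]
-A POSTROUTING -o vpn-external -j MASQUERADE
COMMIT
DELIM

###
# routing
#
# send all packages from bat0 (mesh vpn) through external vpn
# (rc.local is replaced wholesale, so it gets its own shebang back)
###
tee /etc/rc.local <<DELIM
#!/bin/sh
ip rule add from all iif bat0 table 42
ip route add unreachable default table 42
ip route add 10.129.0.0/16 dev bat0 table 42
exit 0
DELIM

###
# network device
#
# batman-adv will manage bat0. when the device is brought up
# it will include the mesh vpn (vpn-fffl) into the routing.
###
tee -a /etc/network/interfaces <<DELIM
allow-hotplug bat0
iface bat0 inet manual
pre-up modprobe batman-adv
pre-up batctl if add vpn-mesh
pre-up batctl gw server 100mbit/100mbit
up ip addr add $lan_ip/16 broadcast 10.192.255.255 dev bat0
up ip link set up dev bat0
post-up batctl it 10000
down ip link set down dev bat0
DELIM

###
# set up fffl mesh vpn
###
mkdir -p /etc/fastd/vpn/
cd /etc/fastd/vpn/ || die "cannot cd to /etc/fastd/vpn/"
tee fastd.conf <<DELIM
log to syslog level warn;
interface "vpn-mesh";
method "salsa2012+gmac"; # new method, between gateways for the moment (faster)
bind 0.0.0.0:10000;
hide ip addresses yes;
hide mac addresses yes;
include "secret.conf";
mtu 1426;
include peers from "peers";
on up "
ifup bat0 --force
ip link set address $vpn_mac up dev \$INTERFACE
";
DELIM
# secret.conf holds the private key: create it owner-readable only (umask in a
# subshell so the restrictive mask does not leak into the rest of the script).
( umask 077 && printf 'secret "%s";\n' "$vpn_secret" > secret.conf ) \
  || die "could not write secret.conf"

###
# DHCP
###
tee /etc/dhcp/dhcpd.conf <<DELIM
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
default-lease-time 600;
max-lease-time 3600;
log-facility local7;
subnet 10.129.0.0 netmask 255.255.0.0 {
authoritative;
range $dhcp_from_ip $dhcp_to_ip;
option domain-name-servers $lan_ip;
option routers $lan_ip;
}
DELIM

###
# external vpn
###
# only append the sysctl line once, so re-running the script does not pile up duplicates
grep -qx 'net.ipv4.ip_forward=1' /etc/sysctl.conf \
  || printf '%s\n' "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
rm -f -- /etc/sysctl.d/99-hetzner.conf
# when the vpn comes up, we set an outbound route to our table 42
# (\$5 is left for the openvpn up-script, which receives the gateway as $5)
tee /etc/openvpn/vpn-external-up <<DELIM
#!/bin/sh
ip route replace default via \$5 table 42
exit 0
DELIM
chmod u+x /etc/openvpn/vpn-external-up
# when the vpn goes down, we remove our outbound route, so no mesh vpn traffic
# will leave our gateway through eth0.
tee /etc/openvpn/vpn-external-down <<DELIM
#!/bin/sh
ip route replace unreachable default table 42
exit 0
DELIM
chmod u+x /etc/openvpn/vpn-external-down
# NOTE(review): comp-lzo enables compression inside the tunnel; compression on
# encrypted links has since been discouraged - confirm with the provider
# before keeping it. remote-cert-tls server keeps the server certificate
# check in place.
tee /etc/openvpn/mullvad.conf <<DELIM
client
dev-type tun
dev vpn-external
proto udp
remote openvpn.mullvad.net 1194
remote se.mullvad.net # Servers in Sweden
remote nl.mullvad.net # Servers in the Netherlands
resolv-retry infinite
nobind
# Try to preserve some state across restarts.
persist-key
persist-tun
# Enable compression on the VPN link.
comp-lzo
# Set log file verbosity.
verb 3
remote-cert-tls server
ping-restart 60
# Allow calling of built-in executables and user-defined scripts.
script-security 2
route-noexec
up /etc/openvpn/vpn-external-up
down /etc/openvpn/vpn-external-down
ping 10
ca /etc/openvpn/mullvad/ca.crt
cert /etc/openvpn/mullvad/mullvad.crt
key /etc/openvpn/mullvad/mullvad.key
crl-verify /etc/openvpn/mullvad/crl.pem
DELIM

###
# autostart on boot
###
update-rc.d openvpn defaults
update-rc.d iptables-persistent defaults
update-rc.d isc-dhcp-server defaults

printf '%s\n' '' \
  '[!!!] TODO' \
  '* unzip mullvad credentials to /etc/openvpn/mullvad/' \
  '* reboot'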