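#!/bin/bash
# Provision an Ubuntu Core Raspberry Pi as a wifi access point that routes
# clients out via eth0, with OpenVPN and quassel-core running in LXD containers.
#
# Several steps are interactive (wifi-ap.setup-wizard, lxd init,
# openvpn-install.sh, noip-client.configure): run this from an ssh session
# and answer the prompts.
#
# Optional environment knobs:
#   LXD_IMAGE               image used for both containers
#   OPENVPN_INSTALL_URL     where openvpn-install.sh is fetched from
#   OPENVPN_INSTALL_SHA256  if set, the downloaded script must match this digest
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# first do a reboot, to let some of the snaps refresh
# (in particular the wifi wont work as an AP until a new core + kernel snap is installed)
# this will happen by itself via a timer, but if not, just give it a kick.
# sudo reboot

# setup our hostname
sudo hostnamectl set-hostname fbi

# disable password auth, so only our ssh key can login.
# Refuse to do this when no authorized key is installed: we would lock ourselves out.
[[ -s "$HOME/.ssh/authorized_keys" ]] \
  || die "no $HOME/.ssh/authorized_keys found; refusing to disable password auth"
# sshd takes the FIRST value it sees for a directive, so appending to the end of
# the file would be overridden by any earlier "PasswordAuthentication yes".
# Replace an existing line in place, otherwise append; then validate and restart
# so the change takes effect now rather than after the next reboot.
if sudo grep -qE '^#?[[:space:]]*PasswordAuthentication\b' /etc/ssh/sshd_config; then
  sudo sed -i -E 's/^#?[[:space:]]*PasswordAuthentication\b.*/PasswordAuthentication no/' /etc/ssh/sshd_config
else
  printf 'PasswordAuthentication no\n' | sudo tee -a /etc/ssh/sshd_config >/dev/null
fi
sudo sshd -t
sudo systemctl restart ssh   # the unit is called "sshd" on some distributions

# Addresses for the access-point side. These must match the gateway/subnet you
# give wifi-ap.setup-wizard below, otherwise the DNS/DHCP rules will not apply.
AP_GW=192.168.42.1
AP_NET=192.168.42.0/24

# install our firewall
sudo snap install ufw
# allow ssh from everywhere, because we want to use our rpi, don't we?
# "limit" still admits any source but rate-limits connection attempts
# (ufw's documented threshold: 6 or more within 30 s), which slows brute-forcing.
sudo ufw limit ssh/tcp
# lets deny most things...
sudo ufw default deny incoming
# Forwarded traffic is dropped unless explicitly allowed. ufw evaluates rules in
# the order they were added, so an explicit "route deny in on eth0" added here
# would shadow the openvpn port-forward allow rule appended later; the default
# routed policy gives the same effect without that ordering trap.
sudo ufw default deny routed
sudo ufw deny in on eth0
# and enable the firewall for now
sudo ufw --force enable
# allow through routing
# NOTE: forwarding also needs net.ipv4.ip_forward=1; ufw ships that setting
# commented out in its sysctl.conf. If AP clients get no connectivity, check
# `sysctl net.ipv4.ip_forward` first.
sudo ufw route allow in on wlan0 out on eth0 from "$AP_NET"
# allow dns
sudo ufw allow out on wlan0 from "$AP_GW" to "$AP_NET" port domain proto udp
sudo ufw allow in on wlan0 from "$AP_NET" to "$AP_GW" port domain proto udp
# allow dhcp
sudo ufw allow in on wlan0 from any port bootpc proto udp
sudo ufw allow out on wlan0 to any port bootps proto udp
sudo ufw reload

# install our wireless ap and set it up following the on-screen guide
sudo snap install wifi-ap
sudo wifi-ap.setup-wizard

# lets get some fun containers
sudo snap install lxd
# workaround #1: the lxd daemon does not come up immediately after install.
# Wait for it properly instead of sleeping a fixed 60 s.
sudo lxd waitready --timeout 120
sudo lxd init
# NOTE: zesty (17.04) is end-of-life and no longer receives security updates;
# override LXD_IMAGE with a supported release.
LXD_IMAGE="${LXD_IMAGE:-images:ubuntu/zesty}"
sudo lxc launch "$LXD_IMAGE" openvpn
sudo lxc launch "$LXD_IMAGE" quassel

#######################################
# Print the IPv4 address LXD's dhcp handed to a container.
# Arguments: $1 - container name (matched exactly)
# Outputs:   the address on stdout
# Returns:   1 if no address appeared within ~60 s
# The address is usually not assigned yet right after launch, so poll instead
# of reading it once. The csv column 4 has the form "ADDR (iface)".
#######################################
container_ipv4() {
  local name=$1 addr attempt
  for ((attempt = 0; attempt < 30; attempt++)); do
    addr=$(sudo lxc list "^${name}\$" --format csv -c 4 | head -n1 | tr -d '"' | cut -d' ' -f1)
    if [[ -n "$addr" ]]; then
      printf '%s\n' "$addr"
      return 0
    fi
    sleep 2
  done
  printf 'no IPv4 address for container %s\n' "$name" >&2
  return 1
}

# lets set their internal ips to be static (pin whatever dhcp handed out)
sudo lxc network attach lxdbr0 openvpn eth0
sudo lxc network attach lxdbr0 quassel eth0
OPENVPN_IP=$(container_ipv4 openvpn)
QUASSEL_IP=$(container_ipv4 quassel)
sudo lxc config device set openvpn eth0 ipv4.address "$OPENVPN_IP"
sudo lxc config device set quassel eth0 ipv4.address "$QUASSEL_IP"
# and have them start on boot
sudo lxc config set openvpn boot.autostart true
sudo lxc config set quassel boot.autostart true

# Fresh images ship without apt lists, so update before installing; apt-get is
# the scripting-stable interface and DEBIAN_FRONTEND avoids prompts.
apt_in() {
  local ct=$1; shift
  sudo lxc exec "$ct" -- env DEBIAN_FRONTEND=noninteractive apt-get install -y "$@"
}
sudo lxc exec quassel -- apt-get update
apt_in quassel quassel-core
sudo lxc exec openvpn -- apt-get update
apt_in openvpn iptables wget

# NAT the VPN tunnel network out through the container's own address, and
# restore the rule on every boot of the container.
sudo lxc exec openvpn -- iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to "$OPENVPN_IP"
sudo lxc exec openvpn -- bash -c "iptables-save > /etc/iptables.rules"
sudo lxc exec openvpn -- bash -c 'printf "#!/bin/sh\niptables-restore < /etc/iptables.rules\nexit 0\n" > /etc/network/if-pre-up.d/iptables'
sudo lxc exec openvpn -- chmod +x /etc/network/if-pre-up.d/iptables

# install openvpn via the great script from Angristan.
# SECURITY: by default this fetches an unpinned script from a moving branch and
# runs it as root inside the container. Pin OPENVPN_INSTALL_URL to a commit or
# tag and set OPENVPN_INSTALL_SHA256 so a tampered download is refused.
OPENVPN_INSTALL_URL="${OPENVPN_INSTALL_URL:-https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh}"
OPENVPN_INSTALL_SHA256="${OPENVPN_INSTALL_SHA256:-}"
sudo lxc exec openvpn -- wget --https-only -O /root/openvpn-install.sh "$OPENVPN_INSTALL_URL"
if [[ -n "$OPENVPN_INSTALL_SHA256" ]]; then
  # the digest is interpolated into a shell command below, so make sure it is
  # nothing but hex before using it
  [[ "$OPENVPN_INSTALL_SHA256" =~ ^[0-9a-fA-F]{64}$ ]] \
    || die "OPENVPN_INSTALL_SHA256 must be a 64-hex-digit sha256"
  sudo lxc exec openvpn -- bash -c \
    "echo '${OPENVPN_INSTALL_SHA256}  /root/openvpn-install.sh' | sha256sum -c -" \
    || die "openvpn-install.sh does not match OPENVPN_INSTALL_SHA256; refusing to run it"
fi
sudo lxc exec openvpn -- chmod +x /root/openvpn-install.sh
# when running this, generating diffie-hellman params can take much longer than a few hours...
sudo lxc exec openvpn -- bash -c 'cd /root && ./openvpn-install.sh'

# workaround #2, bug https://github.com/Nyr/openvpn-install/issues/206
sudo lxc exec openvpn -- sed -i '/LimitNPROC/d' /lib/systemd/system/openvpn@.service
# workaround #3, https://askubuntu.com/questions/650471/how-do-i-allow-dev-net-tun-in-a-lxd-managed-lxc-container
sudo lxc config set openvpn raw.lxc 'lxc.cgroup.devices.allow = c 10:200 rwm'
sudo lxc config device add openvpn tun unix-char path=/dev/net/tun

# workaround #4: run lxd from a copy of the snap's unit with the snap-specific
# directives stripped. This bypasses snapd's service management for lxd, so
# it will not be refreshed together with the snap — revisit once it is no
# longer needed.
sudo systemctl disable snap.lxd.daemon.service
sudo cp /etc/systemd/system/snap.lxd.daemon.service /etc/systemd/system/lxd.daemon.service
sudo sed -i '/X-Snappy/d' /etc/systemd/system/lxd.daemon.service
sudo sed -i '/WorkingDirectory/d' /etc/systemd/system/lxd.daemon.service
sudo sed -i '/ExecStop/d' /etc/systemd/system/lxd.daemon.service
sudo sed -i 's/ExecStart.*/ExecStart=\/snap\/bin\/lxd/' /etc/systemd/system/lxd.daemon.service
sudo systemctl daemon-reload
sudo systemctl enable lxd.daemon.service
sudo systemctl start lxd.daemon.service

# get the openvpn client config file. It embeds the client's private key, so
# create it unreadable by other users from the start (the redirection happens
# in our shell, so our umask decides the mode).
(umask 077 && sudo lxc file pull openvpn/root/client.ovpn - > client.ovpn)

# and now allow port forwarding for openvpn https://www.cyberciti.biz/faq/how-to-configure-ufw-to-forward-port-80443-to-internal-server-hosted-on-lan/
BEFORE_RULES=/var/snap/ufw/current/etc/ufw/before.rules
# only append the nat table once, so re-running the script does not stack
# duplicate DNAT rules
if ! sudo grep -q -- '--dport 1194 -j DNAT' "$BEFORE_RULES"; then
  printf '\n*nat\n:PREROUTING ACCEPT [0:0]\n-A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to-destination %s\nCOMMIT\n' "$OPENVPN_IP" \
    | sudo tee -a "$BEFORE_RULES" >/dev/null
fi
sudo ufw route allow in on eth0 from any out on lxdbr0 to "$OPENVPN_IP" port openvpn proto udp
sudo ufw reload

# for some phone/laptop sharing goodness
sudo snap install syncthing
# to give us a free dynamic dns name
sudo snap install noip-client
sudo noip-client.configure
sudo systemctl restart snap.noip-client.launcher.service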