Last active
August 31, 2017 20:07
-
-
Save lutostag/a997f9189c1ae299a313853ecf4b14a7 to your computer and use it in GitHub Desktop.
Setup script for rpi2/3 router with ubuntu core
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # first do a reboot, to let some of the snaps refresh | |
| # (in particular the wifi wont work as an AP until a new core + kernel snap is installed) | |
| # this will happen by itself via a timer, but if not, just give it a kick. | |
| # sudo reboot | |
| # setup our hostname | |
| sudo hostnamectl set-hostname fbi | |
| # disable password auth, so only our ssh key can login | |
| echo 'PasswordAuthentication no' | sudo tee -a /etc/ssh/sshd_config | |
| # install our firewall | |
| snap install ufw | |
| # allow ssh from everywhere, because we want to use our rpi, don't we? | |
| sudo ufw allow ssh/tcp | |
| # lets deny most things... | |
| sudo ufw default deny incoming | |
| sudo ufw deny in on eth0 | |
| sudo ufw route deny in on eth0 | |
| # and enable the firewall for now | |
| echo 'y' | sudo ufw enable | |
| # allow through routing | |
| sudo ufw route allow in on wlan0 out on eth0 from 192.168.42.0/24 | |
| # allow dns | |
| sudo ufw allow out on wlan0 from 192.168.42.1 to 192.168.42.0/24 port domain proto udp | |
| sudo ufw allow in on wlan0 from 192.168.42.0/24 to 192.168.42.1 port domain proto udp | |
| # allow dhcp | |
| sudo ufw allow in on wlan0 from any port bootpc proto udp | |
| sudo ufw allow out on wlan0 to any port bootps proto udp | |
| sudo ufw reload | |
| # install our wireless ap and set it up following the on-screen guide | |
| snap install wifi-ap | |
| sudo wifi-ap.setup-wizard | |
| # lets get some fun containers | |
| snap install lxd | |
| # first workaround (seems like the lxd daemon does not come up quickly enough by default) | |
| sleep 60 | |
| sudo lxd init | |
| sudo lxc launch images:ubuntu/zesty openvpn | |
| sudo lxc launch images:ubuntu/zesty quassel | |
| # lets set their internal ips to be static | |
| sudo lxc network attach lxdbr0 openvpn eth0 | |
| sudo lxc network attach lxdbr0 quassel eth0 | |
| OPENVPN_IP=$(sudo lxc list -c 4,n | grep openvpn | cut -d' ' -f2) | |
| sudo lxc config device set openvpn eth0 ipv4.address $OPENVPN_IP | |
| sudo lxc config device set quassel eth0 ipv4.address $(sudo lxc list -c 4,n | grep quassel | cut -d' ' -f2) | |
| # and have them start on boot | |
| sudo lxc config set openvpn boot.autostart true | |
| sudo lxc config set quassel boot.autostart true | |
| sudo lxc exec quassel -- apt install -y quassel-core | |
| sudo lxc exec openvpn -- apt install -y iptables | |
| sudo lxc exec openvpn -- iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $OPENVPN_IP | |
| sudo lxc exec openvpn -- bash -c "iptables-save > /etc/iptables.rules" | |
| sudo lxc exec openvpn -- bash -c 'echo -e "#!/bin/sh\niptables-restore < /etc/iptables.rules\nexit 0" > /etc/network/if-pre-up.d/iptables' | |
| sudo lxc exec openvpn -- chmod +x /etc/network/if-pre-up.d/iptables | |
| # install openvpn via the great script from Angristan | |
| sudo lxc exec openvpn -- apt install -y wget | |
| sudo lxc exec openvpn -- wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh | |
| sudo lxc exec openvpn -- chmod +x openvpn-install.sh | |
| # when running this, generating diffie-hellman params can take much longer than a few hours... | |
| sudo lxc exec openvpn -- ./openvpn-install.sh | |
| # workaround #2, bug https://github.com/Nyr/openvpn-install/issues/206 | |
| sudo lxc exec openvpn -- sed -i '/LimitNPROC/d' /lib/systemd/system/openvpn@.service | |
| # workaround #3, https://askubuntu.com/questions/650471/how-do-i-allow-dev-net-tun-in-a-lxd-managed-lxc-container | |
| sudo lxc config set openvpn raw.lxc 'lxc.cgroup.devices.allow = c 10:200 rwm' | |
| sudo lxc config device add openvpn tun unix-char path=/dev/net/tun | |
| # workaround #4 | |
| sudo systemctl disable snap.lxd.daemon.service | |
| sudo cp /etc/systemd/system/snap.lxd.daemon.service /etc/systemd/system/lxd.daemon.service | |
| sudo sed -i '/X-Snappy/d' /etc/systemd/system/lxd.daemon.service | |
| sudo sed -i '/WorkingDirectory/d' /etc/systemd/system/lxd.daemon.service | |
| sudo sed -i '/ExecStop/d' /etc/systemd/system/lxd.daemon.service | |
| sudo sed -i 's/ExecStart.*/ExecStart=\/snap\/bin\/lxd/' /etc/systemd/system/lxd.daemon.service | |
| sudo systemctl daemon-reload | |
| sudo systemctl enable lxd.daemon.service | |
| sudo systemctl start lxd.daemon.service | |
| # get the openvpn client config file | |
| sudo lxc file pull openvpn/root/client.ovpn - > client.ovpn | |
| # and now allow port forwarding for openvpn https://www.cyberciti.biz/faq/how-to-configure-ufw-to-forward-port-80443-to-internal-server-hosted-on-lan/ | |
| echo -e "\n*nat\n:PREROUTING ACCEPT [0:0]\n-A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to-destination $OPENVPN_IP\nCOMMIT" | sudo tee -a /var/snap/ufw/current/etc/ufw/before.rules | |
| sudo ufw route allow in on eth0 from any out on lxdbr0 to $OPENVPN_IP port openvpn proto udp | |
| sudo ufw reload | |
| # for some phone/laptop sharing goodness | |
| snap install syncthing | |
| # to give us a free dynamic dns name | |
| snap install noip-client | |
| sudo noip-client.configure | |
| sudo systemctl restart snap.noip-client.launcher.service |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment