
#!/bin/sh
# Set router defaults on first boot
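# Ensure this script is only run once: the UCI batch further down sets
# system.@system[0].cghmn_is_configured=1 as its last step, so once that has
# completed every later boot stops right here.
if CONFIGED=$(uci get system.@system[0].cghmn_is_configured 2>/dev/null) && [ "$CONFIGED" = "1" ]; then
  exit 0
fi

# Derive the node identity from the eth0 MAC, reformatted as three groups of
# four hex digits ("aabb:ccdd:eeff") so it can double as an IPv6 host suffix.
# awk's substr() is 1-based: a start index of 0 yields only three characters
# on gawk/mawk while busybox awk clamps it to 1, so use 1 explicitly.
FULL_MAC=$(ip link show eth0 | awk '/link\/ether/ { gsub(":",""); print substr($2,1,4) ":" substr($2,5,4) ":" substr($2,9,4) }')
# Abort when no MAC could be read. Every address and the hostname below are
# derived from it, and because the batch ends by setting cghmn_is_configured=1
# a run with an empty MAC would be locked in permanently. Exiting non-zero
# leaves the flag unset so the script runs again on the next boot.
if [ -z "$FULL_MAC" ]; then
  echo "cghmn first boot: unable to read the eth0 MAC address, aborting" >&2
  exit 1
fi
# Last four hex digits of the MAC (third colon-separated group)
MAC_LASTFOUR=${FULL_MAC##*:}
NEW_HOSTNAME="CGHMN-Node-$MAC_LASTFOUR"
# Turn the last four hex digits into two decimal octets ("eeff" -> "238.255");
# they become the host part of this node's tunnel IPv4 address.
LOCAL_IP4_FROM_MAC=$(printf "%d.%d" "0x${MAC_LASTFOUR%??}" "0x${MAC_LASTFOUR#??}")

# Static variables used to configure the Wireguard tunnel.
# NOTE(review): WG_PEER_ADDRESS is a placeholder and has to be replaced with
# the real server name before this script is shipped. WG_PEER_PUBKEY is the
# server's public key, not a secret.
WG_PEER_ADDRESS="insert.target.server.domain"
WG_PEER_PUBKEY="VAVFX88DKGoO2naiWml1jepF7MVrIjDAbMhhYq5S1nQ="
# Wireguard IPv4 variables. WG_TUNNEL_INNER_SUBNET4 keeps its trailing dot so
# the host part can be appended directly (10.234.<a>.<b>).
WG_TUNNEL_INNER_SUBNET4="10.234."
WG_TUNNEL_INNER_SUBNET4_SIZE="16"
WG_TUNNEL_INNER_LOCAL_IP4="${WG_TUNNEL_INNER_SUBNET4}${LOCAL_IP4_FROM_MAC}"
# Server address inside the tunnel. The prefix already ends with a dot, so
# append "0.1" rather than ".0.1", which used to expand to "10.234..0.1".
WG_TUNNEL_INNER_PEER_IP4="${WG_TUNNEL_INNER_SUBNET4}0.1"
# NOTE(review): a node whose MAC ends in 0001 derives 10.234.0.1 as its own
# address, colliding with the peer address above; nothing here detects that.
WG_TUNNEL_REMOTE_SUBNET4="10.201.0.0/23"
# Wireguard IPv6 variables. The /64 prefix ends in "::" so the MAC-derived
# suffix is appended directly (fd38:f85d:a2fd::aabb:ccdd:eeff).
WG_TUNNEL_INNER_SUBNET6="fd38:f85d:a2fd::"
WG_TUNNEL_INNER_SUBNET6_SIZE="64"
WG_TUNNEL_INNER_LOCAL_IP6="${WG_TUNNEL_INNER_SUBNET6}${FULL_MAC}"
WG_TUNNEL_INNER_PEER_IP6="${WG_TUNNEL_INNER_SUBNET6}ffff:ffff:ffff:ffff"
WG_TUNNEL_REMOTE_SUBNET6="2001:470:5168:201::/64"
# Generate a new Wireguard private key for this node; the batch below stores
# it in network.cghmn_wg.private_key. An empty key would produce a tunnel
# that can never come up, so treat a failed generation like a missing MAC.
WG_PRIVKEY="$(wg genkey)"
if [ -z "$WG_PRIVKEY" ]; then
  echo "cghmn first boot: wg genkey produced no key, aborting" >&2
  exit 1
fi

# Static variables used to configure the VXLAN interface, which rides on the
# IPv6 side of the Wireguard tunnel.
VXLAN_LOCAL_IP="${WG_TUNNEL_INNER_LOCAL_IP6}"
VXLAN_PEER_IP="${WG_TUNNEL_INNER_PEER_IP6}"
VXLAN_ID="101"

# Before adding new config, clear old firewall zones and rules. Deleting index
# 0 until uci fails removes every section of that type; -q silences the final,
# expected failure. No uci commit happens in this part of the script.
while uci -q delete firewall.@rule[0]; do :; done
while uci -q delete firewall.@zone[0]; do :; done
while uci -q delete firewall.@forwarding[0]; do :; done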
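# Batch-add most UCI configuration next. The here-document is unquoted, so the
# shell expands every ${VAR} before uci sees the text. The batch only stages
# the changes; presumably a `uci commit` follows later in the script - confirm.
uci -q batch <<EOUCI
set system.@system[0].hostname='${NEW_HOSTNAME}'
# -- Create firewall zones -- #
# WAN zone (allow input for management from regular home network)
# NOTE(review): input=ACCEPT makes every service listening on this node
# reachable from the WAN-side network. That is the documented intent, but it
# is the broadest exposure in this firewall and worth revisiting.
add firewall zone
set firewall.@zone[-1].name='wan'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add_list firewall.@zone[-1].network='wan'
# Retro LAN zone (default deny any traffic and add firewall rule for forwardings)
# NOTE(review): cghmn_vxlan is listed here and again in the 'tunnel' zone
# below; an interface normally belongs to exactly one zone, so confirm which
# assignment the firewall actually applies.
add firewall zone
set firewall.@zone[-1].name='retro_lan'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='REJECT'
set firewall.@zone[-1].forward='REJECT'
add_list firewall.@zone[-1].network='cghmn_vxlan'
add_list firewall.@zone[-1].network='retro_lan'
# Outer transport tunnel zone outside of Retro LAN
add firewall zone
set firewall.@zone[-1].name='tunnel'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add_list firewall.@zone[-1].network='cghmn_wg'
add_list firewall.@zone[-1].network='cghmn_vxlan'
# PPP client zone
add firewall zone
set firewall.@zone[-1].name='ppp_client'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
add_list firewall.@zone[-1].network='ppp_daemon'
# -- Create network forwarding -- #
# Allow forwarding from local PPP clients to the Retro LAN and WAN
add firewall forwarding
set firewall.@forwarding[-1].src='ppp_client'
add_list firewall.@forwarding[-1].dest='retro_lan'
add_list firewall.@forwarding[-1].dest='wan'
# -- Create firewall rules -- #
# Allow VXLAN packets on the transport network, but only from the single
# Wireguard peer address (src_ip) rather than from the whole tunnel zone.
add firewall rule
set firewall.@rule[-1].name='Allow incoming VXLAN packets'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].src='tunnel'
set firewall.@rule[-1].target='ACCEPT'
set firewall.@rule[-1].family='ipv6'
set firewall.@rule[-1].dest_port='4789'
set firewall.@rule[-1].src_ip='${WG_TUNNEL_INNER_PEER_IP6}'
# -- Create interfaces -- #
# Delete predefined interfaces
delete network.wan
delete network.wan6
delete network.lan
# Create WAN interface on default WAN network port
set network.wan=interface
set network.wan.proto='dhcp'
set network.wan.device='eth0.2'
# Create Wireguard tunnel interface. The private key generated above is
# persisted here in the network UCI config.
set network.cghmn_wg=interface
set network.cghmn_wg.proto='wireguard'
set network.cghmn_wg.private_key='${WG_PRIVKEY}'
set network.cghmn_wg.mtu='1634'
add_list network.cghmn_wg.addresses='${WG_TUNNEL_INNER_LOCAL_IP6}/${WG_TUNNEL_INNER_SUBNET6_SIZE}'
add_list network.cghmn_wg.addresses='${WG_TUNNEL_INNER_LOCAL_IP4}/${WG_TUNNEL_INNER_SUBNET4_SIZE}'
# Create VXLAN interface on Wireguard tunnel
set network.cghmn_vxlan=interface
set network.cghmn_vxlan.proto='vxlan6'
set network.cghmn_vxlan.srcportmin='4789'
set network.cghmn_vxlan.mtu='1500'
set network.cghmn_vxlan.learning='0'
set network.cghmn_vxlan.ip6addr='${VXLAN_LOCAL_IP}'
set network.cghmn_vxlan.peer6addr='${VXLAN_PEER_IP}'
set network.cghmn_vxlan.vid='${VXLAN_ID}'
# Create unmanaged Retro LAN bridge interface
set network.retro_lan=interface
set network.retro_lan.proto='none'
set network.retro_lan.device='br-retrolan'
# Create PPP interface for local vmodem dialin
set network.ppp_daemon=interface
set network.ppp_daemon.proto='none'
set network.ppp_daemon.device='ppp0'
# -- Configure actual network interfaces -- #
# Create and configure Retro LAN Linux bridge spanning the VXLAN and default LAN network port
add network device
set network.@device[-1].type='bridge'
set network.@device[-1].name='br-retrolan'
add_list network.@device[-1].ports='cghmn_vxlan'
add_list network.@device[-1].ports='eth0.1'
# -- Add Wireguard remote peer -- #
# Remote CGHMN Wireguard peer
add network wireguard_cghmn_wg
set network.@wireguard_cghmn_wg[-1].description='CGHMN Server'
set network.@wireguard_cghmn_wg[-1].persistent_keepalive='15'
set network.@wireguard_cghmn_wg[-1].route_allowed_ips='1'
set network.@wireguard_cghmn_wg[-1].public_key='${WG_PEER_PUBKEY}'
set network.@wireguard_cghmn_wg[-1].endpoint_host='${WG_PEER_ADDRESS}'
# Prefixes accepted from and routed towards the peer. The IPv4 prefix
# variable ends with a dot, so the network address "0.0" has to be appended
# to get 10.234.0.0/16; the previous form expanded to the invalid "10.234./16".
add_list network.@wireguard_cghmn_wg[-1].allowed_ips='${WG_TUNNEL_INNER_SUBNET6}/${WG_TUNNEL_INNER_SUBNET6_SIZE}'
add_list network.@wireguard_cghmn_wg[-1].allowed_ips='${WG_TUNNEL_INNER_SUBNET4}0.0/${WG_TUNNEL_INNER_SUBNET4_SIZE}'
add_list network.@wireguard_cghmn_wg[-1].allowed_ips='${WG_TUNNEL_REMOTE_SUBNET6}'
add_list network.@wireguard_cghmn_wg[-1].allowed_ips='${WG_TUNNEL_REMOTE_SUBNET4}'
# -- Set some WiFi defaults -- #
# NOTE(review): the default PSK below is the eth0 MAC address, which is not a
# secret. The access point is created disabled, so the key must be replaced
# before wifinet0 is enabled.
delete wireless.default_radio0
set wireless.radio0.band='2g'
set wireless.radio0.channel='1'
set wireless.radio0.legacy_rates='1'
set wireless.wifinet0=wifi-iface
set wireless.wifinet0.device='radio0'
set wireless.wifinet0.mode='ap'
set wireless.wifinet0.ssid='retronet'
set wireless.wifinet0.encryption='psk-mixed'
set wireless.wifinet0.key='${FULL_MAC}'
set wireless.wifinet0.network='retro_lan'
set wireless.wifinet0.disabled='1'
# -- DNSmasq config -- #
set dhcp.@dnsmasq[0].localservice='0'
# Mark the node as configured last, so a batch that never got this far does
# not stop the script from running again (see the guard at the top).
set system.@system[0].cghmn_is_configured=1
EOUCI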
# Enable the vmodem init script. A failure to enable it is tolerated so that
# first-boot setup carries on; the status of this step is always success.
if ! service vmodem-cghmn enable; then
  :
fi