  1. #!/bin/sh
  2. #
  3. # Version: 1
  4. # Tested on Barrier Breaker 15.05.01
  5. #
  6. # Install IPredator VPN on OpenWrt
  7.  
  8.  
  9. # Requirements
  10. # - newly flashed OpenWrt device
  11.  
  12. # Variables
  13. FILE_OVPN_AUTH="/etc/openvpn/IPredator.auth"
  14. FILE_OVPN_CA="/etc/openvpn/IPredator.se.ca.crt"
  15. FILE_OVPN_CONF="/etc/config/openvpn"
  16. FILE_OVPN_TAKEY="/etc/openvpn/IPredator.se.ta.key"
  17. FILE_FW_RULES="/etc/config/firewall"
  18.  
  19. FILE_NET_CONF="/etc/config/network"
  20.  
  21. REBOOT_DELAY=5
  22. SOFTWARE_LIST="openvpn-openssl"
  23.  
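# Updates the software repository and installs the packages listed in
# $SOFTWARE_LIST.
# Globals:   SOFTWARE_LIST (read)
# Returns:   0 on success, 1 if either opkg step fails
install_dependencies() {
  log "Installing dependencies."

  # A failure here (no WAN yet, repository unreachable) must not be ignored:
  # the rest of the script rewrites the firewall so only VPN traffic is
  # forwarded, which without an installed OpenVPN leaves the router offline.
  opkg update || return 1
  # $SOFTWARE_LIST is deliberately unquoted: it is a space-separated list.
  # shellcheck disable=SC2086
  opkg install $SOFTWARE_LIST || return 1

  return 0
}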
  34.  
# Prints a single horizontal rule used to frame log messages.
echo_line(){
  printf '%s\n' "---------------------------------------------------------------"
}
  38.  
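# Prints $1 framed by two rules.
# Arguments: $1 - message text
# Outputs:   three lines on stdout
log(){
  echo_line
  # printf with a fixed format: the message is never parsed as options or
  # split/globbed the way an unquoted `echo $1` would do.
  printf '%s\n' "$1"
  echo_line
}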
  44.  
  45.  
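# Overwrites the OpenVPN UCI config with the IPredator one.
# Globals:   FILE_OVPN_CONF (written)
# NOTE(review): the here-document is the provider's documented profile and is
# kept as is.  Two of its settings deserve a periodic check against current
# provider guidance: `ns_cert_type` is deprecated in newer OpenVPN releases in
# favour of `remote_cert_tls`, and `comp_lzo` compression is generally
# discouraged for VPN links.  The paths it references must match
# $FILE_OVPN_AUTH, $FILE_OVPN_CA and $FILE_OVPN_TAKEY.
write_ipr_ovpn_conf() {
  log "Writing OpenVPN configuration to $FILE_OVPN_CONF."

  # -f: on a freshly flashed device the file may not exist yet; '>' rather
  # than '>>' so a rerun replaces the file instead of appending to it.
  rm -f -- "$FILE_OVPN_CONF"
  cat > "$FILE_OVPN_CONF" << 'EOF'
config openvpn 'IPredator'
option enabled '1'
option client '1'
option dev 'tun1337'
option proto 'udp'
list auth_user_pass '/etc/openvpn/IPredator.auth'
option resolv_retry 'infinite'
option float '1'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option ca '/etc/openvpn/IPredator.se.ca.crt'
option ns_cert_type 'server'
list tls_auth '/etc/openvpn/IPredator.se.ta.key'
option cipher 'AES-256-CBC'
option comp_lzo 'yes'
option passtos '1'
option tls_version_min '1.2'
option remote 'ipv6.openvpn.ipredator.se 1194'
option tls_client '1'
option verb '3'
EOF
}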
  75.  
  76.  
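# Writes the IPredator CA certificate to $FILE_OVPN_CA.
# Globals:   FILE_OVPN_CA (written)
# NOTE(review): this is a pinned copy of the provider CA.  Decoding the
# validity field of the embedded certificate suggests a notAfter date in
# 2022 — confirm the CA is still the one the provider publishes before use.
write_ipr_ca() {
  log "Writing IPredator CA to $FILE_OVPN_CA."

  # '>' rather than '>>': appending on a rerun would leave two PEM blocks in
  # the file.
  cat > "$FILE_OVPN_CA" << 'EOF'
-----BEGIN CERTIFICATE-----
MIIFJzCCBA+gAwIBAgIJAKee4ZMMpvhzMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
VQQGEwJTRTESMBAGA1UECBMJQnJ5Z2dsYW5kMQ8wDQYDVQQHEwZPZWxkYWwxJDAi
BgNVBAoTG1JveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbjESMBAGA1UECxMJSW50
ZXJuZXR6MScwJQYDVQQDEx5Sb3lhbCBTd2VkaXNoIEJlZXIgU3F1YWRyb24gQ0Ex
JjAkBgkqhkiG9w0BCQEWF2hvc3RtYXN0ZXJAaXByZWRhdG9yLnNlMB4XDTEyMDgw
NDIxMTAyNVoXDTIyMDgwMjIxMTAyNVowgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQI
EwlCcnlnZ2xhbmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dl
ZGlzaCBCZWVyIFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMT
HlJveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYX
aG9zdG1hc3RlckBpcHJlZGF0b3Iuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCp5M22fZtwtIh6Mu9IwC3N2tEFqyNTEP1YyXasjf+7VNISqSpFy+tf
DsHAkiE9Wbv8KFM9bOoVK1JjdDsetxArm/RNsUWm/SNyVbmY+5ezX/n95S7gQdMi
bA74/ID2+KsCXUY+HNNUQqFpyK67S09A6r0ZwPNUDbLgGnmCZRMDBPCHCbiK6e68
d75v6f/0nY4AyAAAyqwAELIAn6sy4rzoPbalxcO33eW0fUG/ir41qqo8BQrWKyEd
Q9gy8tGEqbLQ+B30bhIvBh10YtWq6fgFZJzWP6K8bBJGRvioFOyQHCaVH98UjwOm
/AqMTg7LwNrpRJGcKLHzUf3gNSHQGHfzAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU
pRqJxaYdvv3XGEECUqj7DJJ8ptswgfIGA1UdIwSB6jCB54AUpRqJxaYdvv3XGEEC
Uqj7DJJ8ptuhgcOkgcAwgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlCcnlnZ2xh
bmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dlZGlzaCBCZWVy
IFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMTHlJveWFsIFN3
ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYXaG9zdG1hc3Rl
ckBpcHJlZGF0b3Iuc2WCCQCnnuGTDKb4czAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBBQUAA4IBAQB8nxZJaTvMMoSG47jD2w31zt9o6nSx8XJKop/0rMMHKBe1QBUw
/n3clGwYxBW8mTnrXHhmJkwJzA0Vh525+dkF28E0I+DSigKUXEewIZtKjADYSxaG
M+4272enbJ86JeXUhN8oF9TT+LKgMBgtt9yX5o63Ek6QOKwovH5kemDOVJmwae9p
tXQEWfCPDFMc7VfSxS4BDBVinRWeMWZs+2AWeWu2CMsjcx7+B+kPbBCzfANanFDD
CZEQON4pEpfK2XErhOudKEJGCl7psH+9Ex//pqsUS43nVN/4sqydiwbi+wQuUI3P
BYtvqPnWdjIdf2ayAQQCWliAx9+P03vbef6y
-----END CERTIFICATE-----
EOF
}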
  114.  
  115.  
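# Writes the IPredator tls-auth (ta.key) static key to $FILE_OVPN_TAKEY.
# Globals:   FILE_OVPN_TAKEY (written)
# The key is presumably the provider's published tls-auth key shared by all
# clients (it hardens the TLS handshake, it is not a per-user secret) — verify
# against current provider material; it is still chmod 600 later.
write_ipr_takey() {
  log "Writing OpenVPN static key to $FILE_OVPN_TAKEY."

  # '>' rather than '>>': a rerun must not append a second key block.
  cat > "$FILE_OVPN_TAKEY" << 'EOF'
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
03f7b2056b9dc67aa79c59852cb6b35a
a3a15c0ca685ca76890bbb169e298837
2bdc904116f5b66d8f7b3ea6a5ff05cb
fc4f4889d702d394710e48164b28094f
a0e1c7888d471da39918d747ca4bbc2f
285f676763b5b8bee9bc08e4b5a69315
d2ff6b9f4b38e6e2e8bcd05c8ac33c5c
56c4c44dbca35041b67e2374788f8977
7ad4ab8e06cd59e7164200dfbadb942a
351a4171ab212c23bee1920120f81205
efabaa5e34619f13adbe58b6c83536d3
0d34e6466feabdd0e63b39ad9bb1116b
37fafb95759ab9a15572842f70e7cba9
69700972a01b21229eba487745c091dd
5cd6d77bdc7a54a756ffe440789fd39e
97aa9abe2749732b7262f82e4097bee3
-----END OpenVPN Static key V1-----
EOF
}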
  144.  
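# Prompts for the IPredator username and password and writes them, one per
# line, to $FILE_OVPN_AUTH (the OpenVPN auth-user-pass format).
# Globals:   FILE_OVPN_AUTH (written); IPRUSER, IPRPW (set)
# Returns:   0 on success, 1 if either value is empty
write_ipr_auth() {
  log "Please enter your IPredator username:"
  read -r IPRUSER

  log "Please enter your IPredator password:"
  # Do not echo the password back to the terminal while it is typed; keep
  # plain read for non-interactive stdin (piped input).
  if [ -t 0 ]; then
    stty -echo
    read -r IPRPW
    stty echo
    printf '\n'
  else
    read -r IPRPW
  fi

  if [ -z "$IPRUSER" ] || [ -z "$IPRPW" ]; then
    printf '%s\n' "Username and password must not be empty." >&2
    return 1
  fi

  log "Writing authentication details to $FILE_OVPN_AUTH."

  rm -f -- "$FILE_OVPN_AUTH"
  # Create the file mode 0600 from the start (umask 077 scoped to a subshell
  # so the rest of the script keeps its umask) instead of relying on the
  # later chmod, which would leave the credentials world-readable for a
  # moment.  printf '%s' stores both values verbatim; the previous unquoted
  # here-document would have expanded '$' and backslash sequences typed as
  # part of the password.
  ( umask 077 && printf '%s\n' "$IPRUSER" "$IPRPW" > "$FILE_OVPN_AUTH" )
}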
  161.  
  162.  
# Applies root-only (0600) permissions to every file this script creates.
# Globals:   FILE_OVPN_AUTH, FILE_OVPN_CONF, FILE_OVPN_CA, FILE_OVPN_TAKEY,
#            FILE_FW_RULES (read)
set_ipr_ovpn_permissions() {
  log "Setting permissions on OpenVPN files."

  for _ipr_file in \
    "$FILE_OVPN_AUTH" \
    "$FILE_OVPN_CONF" \
    "$FILE_OVPN_CA" \
    "$FILE_OVPN_TAKEY" \
    "$FILE_FW_RULES"
  do
    set_permission "$_ipr_file"
  done
}
  173.  
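# Makes a single file owned by root and readable/writable by root only.
# Arguments: $1 - path of the file
# Returns:   0 if both chown and chmod succeeded, non-zero otherwise
set_permission() {
  # Run both steps even if the first fails, so a failed chown still leaves
  # the tightest mode possible; report failure of either.
  chown root:root "$1"
  _sp_rc=$?
  chmod 600 "$1" || _sp_rc=1
  return "$_sp_rc"
}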
  178.  
  179.  
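# Appends the 'IPredator' interface (bound to tun1337) to the network config
# so the firewall can reference it as a zone network.
# Globals:   FILE_NET_CONF (appended)
create_ipr_device() {
  log "Creating IPredator network device."

  # The section is appended to the existing network config; skip it when an
  # earlier run already added it, otherwise UCI ends up with a duplicate.
  if grep -qF "config interface 'IPredator'" "$FILE_NET_CONF" 2>/dev/null; then
    log "IPredator network device already present, skipping."
    return 0
  fi

  cat >> "$FILE_NET_CONF" << 'EOF'
config interface 'IPredator'
option ifname 'tun1337'
option proto 'none'
EOF
}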
  190.  
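# Deletes the current firewall ruleset in $FILE_FW_RULES.
# Globals:   FILE_FW_RULES (removed)
clear_old_fwrules() {
  log "Removing old firewall configuration."

  # -f: a missing file is not an error; '--' guards against odd paths.
  rm -f -- "$FILE_FW_RULES"
}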
  197.  
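# Writes a restrictive firewall ruleset: lan may only forward into the 'ipr'
# (VPN) zone, so there is no internet access when OpenVPN is down.
# Globals:   FILE_FW_RULES (written)
# Change from the previous ruleset: the 'wan' zone now has input 'REJECT'.
# The original 'ACCEPT' exposed every service on the router itself to the
# internet, and the Allow-DHCP-Renew / Allow-Ping / Allow-DHCPv6 /
# Allow-ICMPv6-Input rules kept here only make sense as exceptions to a
# REJECT policy (they appear to mirror the OpenWrt defaults).  Anything
# additionally needed from the WAN side should be an explicit rule.
set_ipr_fwrules() {
  log "Writing new firewall rules to $FILE_FW_RULES."

  clear_old_fwrules

  # '>' rather than '>>' so a leftover file is replaced, never extended.
  cat > "$FILE_FW_RULES" << 'EOF'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option network 'wan'
option input 'REJECT'

config zone
option name 'ipr'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'IPredator'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config forwarding
option dest 'ipr'
option src 'lan'
EOF
}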
  304.  
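# Announces completion, waits $REBOOT_DELAY seconds and reboots the router so
# the new network, firewall and OpenVPN configuration take effect.
# Globals:   REBOOT_DELAY (read)
apply_changes() {
  log "Configuration of the system and firewall is done."
  # Message derived from the variable so it cannot drift from the real delay.
  log "Your system will reboot in $REBOOT_DELAY seconds."

  sleep "$REBOOT_DELAY"
  reboot
}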
  312.  
# Aborts the script (exit 1, message on stderr) unless the effective user
# id is 0.
verify_root() {
  case "$(id -u)" in
    0) ;;
    *)
      printf '%s\n' "This script must be run as root." >&2
      exit 1
      ;;
  esac
}
  319.  
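# Main entry point: requires UID 0, then runs the setup steps in order and
# reboots.  Dependency installation is the only step that can fail without
# leaving traces, so it is checked before any configuration is touched.
install_ipr_vpn() {
  log " Setup IPredator VPN on a basic OpenWrt router"

  verify_root
  install_dependencies || {
    printf '%s\n' "Installing dependencies failed; aborting before changing the configuration." >&2
    exit 1
  }
  write_ipr_ovpn_conf
  write_ipr_ca
  write_ipr_takey
  write_ipr_auth
  set_ipr_ovpn_permissions
  create_ipr_device
  set_ipr_fwrules

  apply_changes
}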
  336.  
  337. # Invoke the main function to setup IPredator VPN.
  338. install_ipr_vpn