- #!/bin/sh
- #
- # Version: 1
- # Tested on Barrier Breaker 15.05.01
- #
- # Install IPredator VPN on OpenWrt
- # Requirements
- # - newly flashed OpenWrt device
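# Variables
# Paths written by this script and the tunables it uses. They are marked
# readonly below so a later typo cannot silently repoint an rm or a
# redirection at a different file.
FILE_OVPN_AUTH="/etc/openvpn/IPredator.auth"   # username/password, mode 0600
FILE_OVPN_CA="/etc/openvpn/IPredator.se.ca.crt" # pinned provider CA (PEM)
FILE_OVPN_CONF="/etc/config/openvpn"           # UCI openvpn config (overwritten)
FILE_OVPN_TAKEY="/etc/openvpn/IPredator.se.ta.key" # tls-auth static key
FILE_FW_RULES="/etc/config/firewall"           # UCI firewall config (overwritten)
FILE_NET_CONF="/etc/config/network"            # UCI network config (appended to)
REBOOT_DELAY=5                                 # seconds to wait before reboot
SOFTWARE_LIST="openvpn-openssl"                # space-separated opkg package names
readonly FILE_OVPN_AUTH FILE_OVPN_CA FILE_OVPN_CONF FILE_OVPN_TAKEY \
  FILE_FW_RULES FILE_NET_CONF REBOOT_DELAY SOFTWARE_LIST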
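#######################################
# Updates the package lists and installs the packages in $SOFTWARE_LIST.
# Globals:   SOFTWARE_LIST (read) - space-separated package names
# Returns:   0 on success; otherwise the exit status of the failing opkg
#            call (the original always returned 0, which hid a failed
#            install until OpenVPN did not start after the reboot).
#######################################
install_dependencies() {
  log "Installing dependencies."
  opkg update || return $?
  # SOFTWARE_LIST is deliberately left unquoted so that it word-splits into
  # one argument per package.
  # shellcheck disable=SC2086
  opkg install $SOFTWARE_LIST
}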
# Prints the horizontal separator that frames every log message.
echo_line() {
  printf '%s\n' '---------------------------------------------------------------'
}
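#######################################
# Prints a framed log message to stdout.
# Arguments: $1 - the message to print
# Outputs:   separator, message, separator on stdout
# The message goes through printf '%s' rather than an unquoted echo, so it
# is printed verbatim: the unquoted form collapsed runs of spaces and would
# have treated a message starting with '-' as an echo option.
#######################################
log() {
  echo_line
  printf '%s\n' "$1"
  echo_line
}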
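#######################################
# Overwrites the OpenVPN UCI config in $FILE_OVPN_CONF with the IPredator
# client instance. The redirection truncates the file itself, so a missing
# file no longer makes rm print an error and a second run cannot leave two
# 'IPredator' sections behind (the original did rm + >>).
# Globals:   FILE_OVPN_CONF (read)
# The heredoc hard-codes the same paths that FILE_OVPN_AUTH, FILE_OVPN_CA
# and FILE_OVPN_TAKEY hold - keep them in sync if either side changes.
# ns_cert_type is the legacy server-certificate check for the OpenVPN
# shipped with this OpenWrt release; newer OpenVPN releases deprecate it
# in favour of remote_cert_tls 'server' - revisit when upgrading.
#######################################
write_ipr_ovpn_conf() {
  log "Writing OpenVPN configuration to $FILE_OVPN_CONF."
  cat > "$FILE_OVPN_CONF" << 'EOF'
config openvpn 'IPredator'
	option enabled '1'
	option client '1'
	option dev 'tun1337'
	option proto 'udp'
	list auth_user_pass '/etc/openvpn/IPredator.auth'
	option resolv_retry 'infinite'
	option float '1'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option ca '/etc/openvpn/IPredator.se.ca.crt'
	option ns_cert_type 'server'
	list tls_auth '/etc/openvpn/IPredator.se.ta.key'
	option cipher 'AES-256-CBC'
	option comp_lzo 'yes'
	option passtos '1'
	option tls_version_min '1.2'
	option remote 'ipv6.openvpn.ipredator.se 1194'
	option tls_client '1'
	option verb '3'
EOF
}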
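#######################################
# Writes the pinned IPredator CA certificate to $FILE_OVPN_CA.
# Globals:   FILE_OVPN_CA (read)
# The file is truncated (>) instead of appended to (>>): appending on a
# re-run would produce a file with two PEM blocks, and OpenVPN would still
# only trust the first one while the install looked successful.
# The certificate is embedded, not downloaded, so the trust anchor cannot be
# swapped in transit; the flip side is that it must be updated by hand when
# the provider rotates its CA - compare it against the CA the provider
# publishes out of band before relying on it.
#######################################
write_ipr_ca() {
  log "Writing IPredator CA to $FILE_OVPN_CA."
  cat > "$FILE_OVPN_CA" << 'EOF'
-----BEGIN CERTIFICATE-----
MIIFJzCCBA+gAwIBAgIJAKee4ZMMpvhzMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
VQQGEwJTRTESMBAGA1UECBMJQnJ5Z2dsYW5kMQ8wDQYDVQQHEwZPZWxkYWwxJDAi
BgNVBAoTG1JveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbjESMBAGA1UECxMJSW50
ZXJuZXR6MScwJQYDVQQDEx5Sb3lhbCBTd2VkaXNoIEJlZXIgU3F1YWRyb24gQ0Ex
JjAkBgkqhkiG9w0BCQEWF2hvc3RtYXN0ZXJAaXByZWRhdG9yLnNlMB4XDTEyMDgw
NDIxMTAyNVoXDTIyMDgwMjIxMTAyNVowgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQI
EwlCcnlnZ2xhbmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dl
ZGlzaCBCZWVyIFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMT
HlJveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYX
aG9zdG1hc3RlckBpcHJlZGF0b3Iuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCp5M22fZtwtIh6Mu9IwC3N2tEFqyNTEP1YyXasjf+7VNISqSpFy+tf
DsHAkiE9Wbv8KFM9bOoVK1JjdDsetxArm/RNsUWm/SNyVbmY+5ezX/n95S7gQdMi
bA74/ID2+KsCXUY+HNNUQqFpyK67S09A6r0ZwPNUDbLgGnmCZRMDBPCHCbiK6e68
d75v6f/0nY4AyAAAyqwAELIAn6sy4rzoPbalxcO33eW0fUG/ir41qqo8BQrWKyEd
Q9gy8tGEqbLQ+B30bhIvBh10YtWq6fgFZJzWP6K8bBJGRvioFOyQHCaVH98UjwOm
/AqMTg7LwNrpRJGcKLHzUf3gNSHQGHfzAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU
pRqJxaYdvv3XGEECUqj7DJJ8ptswgfIGA1UdIwSB6jCB54AUpRqJxaYdvv3XGEEC
Uqj7DJJ8ptuhgcOkgcAwgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlCcnlnZ2xh
bmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dlZGlzaCBCZWVy
IFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMTHlJveWFsIFN3
ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYXaG9zdG1hc3Rl
ckBpcHJlZGF0b3Iuc2WCCQCnnuGTDKb4czAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBBQUAA4IBAQB8nxZJaTvMMoSG47jD2w31zt9o6nSx8XJKop/0rMMHKBe1QBUw
/n3clGwYxBW8mTnrXHhmJkwJzA0Vh525+dkF28E0I+DSigKUXEewIZtKjADYSxaG
M+4272enbJ86JeXUhN8oF9TT+LKgMBgtt9yX5o63Ek6QOKwovH5kemDOVJmwae9p
tXQEWfCPDFMc7VfSxS4BDBVinRWeMWZs+2AWeWu2CMsjcx7+B+kPbBCzfANanFDD
CZEQON4pEpfK2XErhOudKEJGCl7psH+9Ex//pqsUS43nVN/4sqydiwbi+wQuUI3P
BYtvqPnWdjIdf2ayAQQCWliAx9+P03vbef6y
-----END CERTIFICATE-----
EOF
}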
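#######################################
# Writes the OpenVPN tls-auth static key to $FILE_OVPN_TAKEY. It is the key
# that write_ipr_ovpn_conf references via 'list tls_auth'.
# Globals:   FILE_OVPN_TAKEY (read)
# Truncates (>) rather than appends (>>): a second run of the original
# produced a key file with two key blocks, which OpenVPN rejects.
# set_ipr_ovpn_permissions later restricts the file to root (0600).
#######################################
write_ipr_takey() {
  log "Writing OpenVPN static key to $FILE_OVPN_TAKEY."
  cat > "$FILE_OVPN_TAKEY" << 'EOF'
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
03f7b2056b9dc67aa79c59852cb6b35a
a3a15c0ca685ca76890bbb169e298837
2bdc904116f5b66d8f7b3ea6a5ff05cb
fc4f4889d702d394710e48164b28094f
a0e1c7888d471da39918d747ca4bbc2f
285f676763b5b8bee9bc08e4b5a69315
d2ff6b9f4b38e6e2e8bcd05c8ac33c5c
56c4c44dbca35041b67e2374788f8977
7ad4ab8e06cd59e7164200dfbadb942a
351a4171ab212c23bee1920120f81205
efabaa5e34619f13adbe58b6c83536d3
0d34e6466feabdd0e63b39ad9bb1116b
37fafb95759ab9a15572842f70e7cba9
69700972a01b21229eba487745c091dd
5cd6d77bdc7a54a756ffe440789fd39e
97aa9abe2749732b7262f82e4097bee3
-----END OpenVPN Static key V1-----
EOF
}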
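#######################################
# Prompts for the IPredator username and password and writes them, one per
# line, to $FILE_OVPN_AUTH (the auth_user_pass file of the OpenVPN config).
# Globals:   FILE_OVPN_AUTH (read); IPRUSER, IPRPW (written)
# Inputs:    username and password read from stdin
# Security notes on the changes from the original:
#  - read -r keeps backslashes in the password literal.
#  - terminal echo is switched off while the password is typed; stty is
#    optional (errors suppressed), so on a non-tty stdin the read still works.
#  - the file is created under umask 077 (in a subshell, so the caller's
#    umask is untouched). The original created it with the default umask
#    and only chmod'ed it later in set_ipr_ovpn_permissions, leaving a
#    window in which the credentials were world-readable.
#######################################
write_ipr_auth() {
  log "Please enter your IPredator username:"
  read -r IPRUSER
  log "Please enter your IPredator password:"
  stty -echo 2>/dev/null
  read -r IPRPW
  stty echo 2>/dev/null
  # The silent read swallows the user's newline; print one so the next log
  # line starts at column 0.
  echo
  log "Writing authentication details to $FILE_OVPN_AUTH."
  # Remove any previous file first: umask only affects newly created files,
  # so an old copy with a looser mode would otherwise keep that mode.
  rm -f "$FILE_OVPN_AUTH"
  (
    umask 077
    printf '%s\n%s\n' "$IPRUSER" "$IPRPW" > "$FILE_OVPN_AUTH"
  )
}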
#######################################
# Restricts every file this script created or overwrote to root (0600):
# the credentials file, the OpenVPN config, the CA, the tls-auth key and
# the firewall config.
# Globals:   FILE_OVPN_AUTH, FILE_OVPN_CONF, FILE_OVPN_CA, FILE_OVPN_TAKEY,
#            FILE_FW_RULES (read)
#######################################
set_ipr_ovpn_permissions() {
  log "Setting permissions on OpenVPN files."
  for _ipr_file in "$FILE_OVPN_AUTH" "$FILE_OVPN_CONF" "$FILE_OVPN_CA" \
      "$FILE_OVPN_TAKEY" "$FILE_FW_RULES"; do
    set_permission "$_ipr_file"
  done
}
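#######################################
# Makes one file owned by root and readable/writable by root only.
# Arguments: $1 - path of the file
# Returns:   0 if both chown and chmod succeeded, 1 otherwise. Both are
#            always attempted, so a failed chown does not leave the mode
#            untouched; the original returned chmod's status only and passed
#            the path unquoted.
#######################################
set_permission() {
  _sp_rv=0
  chown root:root "$1" || _sp_rv=1
  chmod 600 "$1" || _sp_rv=1
  return $_sp_rv
}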
- # Creates the IPredator device used for firewalling.
- create_ipr_device() {
- log "Creating IPredator network device."
- cat >> $FILE_NET_CONF << 'EOF'
- config interface 'IPredator'
- option ifname 'tun1337'
- option proto 'none'
- EOF
- }
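#######################################
# Deletes the current firewall ruleset in $FILE_FW_RULES.
# Globals:   FILE_FW_RULES (read)
# -f: a missing file is not an error here (the caller rewrites it anyway),
# whereas the original's bare rm printed an error and returned non-zero.
#######################################
clear_old_fwrules() {
  log "Removing old firewall configuration."
  rm -f "$FILE_FW_RULES"
}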
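#######################################
# Replaces $FILE_FW_RULES with a ruleset in which the LAN may only be
# forwarded into the VPN zone ('ipr'): the only 'config forwarding' section
# is lan -> ipr, so when the tunnel is down LAN clients have no route out
# (the kill-switch behaviour the original comment describes).
# Globals:   FILE_FW_RULES (read)
# Changes from the original:
#  - the wan zone now has input 'REJECT'. The original had input 'ACCEPT',
#    which exposed every service on the router (ssh, web UI, ...) to the
#    internet. The explicit Allow-DHCP-Renew / Allow-Ping / Allow-DHCPv6 /
#    Allow-ICMPv6-Input rules below only make sense with a REJECT default,
#    so ACCEPT was almost certainly unintended.
#  - the file is written with > instead of >>, so the result does not
#    depend on clear_old_fwrules having succeeded.
#######################################
set_ipr_fwrules() {
  log "Writing new firewall rules to $FILE_FW_RULES."
  clear_old_fwrules
  cat > "$FILE_FW_RULES" << 'EOF'
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'wan'
	option input 'REJECT'

config zone
	option name 'ipr'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'IPredator'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'ipr'
	option src 'lan'
EOF
}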
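#######################################
# Announces completion, waits $REBOOT_DELAY seconds and reboots so the new
# network, firewall and OpenVPN configuration take effect.
# Globals:   REBOOT_DELAY (read)
# The message now reports the actual delay; the original hard-coded
# "5 seconds" and silently went out of date if REBOOT_DELAY was changed.
#######################################
apply_changes() {
  log "Configuration of the system and firewall is done."
  log "Your system will reboot in $REBOOT_DELAY seconds."
  sleep "$REBOOT_DELAY"
  reboot
}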
#######################################
# Aborts the script unless it runs as UID 0; every later step writes under
# /etc and calls opkg and reboot, which all require root.
# Outputs:   an error message on stderr when not root
# Returns:   0 when running as root; exits the shell with status 1 otherwise
#######################################
verify_root() {
  [ "$(id -u)" = "0" ] && return 0
  printf '%s\n' "This script must be run as root." >&2
  exit 1
}
#######################################
# Main entry point: runs every setup step in order and ends in a reboot.
# verify_root is the first step after the banner, so nothing on the system
# is modified unless the script runs as UID 0.
#######################################
install_ipr_vpn() {
  log " Setup IPredator VPN on a basic OpenWrt router"
  for _ipr_step in verify_root install_dependencies write_ipr_ovpn_conf \
      write_ipr_ca write_ipr_takey write_ipr_auth set_ipr_ovpn_permissions \
      create_ipr_device set_ipr_fwrules apply_changes; do
    "$_ipr_step"
  done
}
# Invoke the main function to setup IPredator VPN. Everything above only
# defines constants and functions; this is the single call that acts on the
# system (it ends in a reboot, see apply_changes).
install_ipr_vpn