diff --git a/README.md b/README.md index 5099cc40..19137cef 100644 --- a/README.md +++ b/README.md @@ -8,13 +8,13 @@ It will replicate all the services on the network, and it can be deleted without Especially focused above security in every ISO/OSI pile level. -Applications are multiples, from bypass the European ECHELON, an enormous sniffer from some ISP, or the great firewall in China, to create very secure not logged chat, to dynamic traditional services that will move from an host to another in a total transparent mode to the final user. +Applications are multiples, from bypass the European [ECHELON](https://en.wikipedia.org/wiki/ECHELON), an enormous sniffer from some ISP, or the great firewall in China, to create very secure not logged chat, to dynamic traditional services that will move from an host to another in a total transparent mode to the final user. I'm an addicted of privacy and security and I'm very tired about the modern slavery network transmitted by weapons from the European elite. -**Vatican and Aristocracy are totally guilty about the recent destroy of democracy.** +*Vatican and Aristocracy are totally guilty about the recent destroy of democracy.* -### Install procedure +#### VPS election First of all you've got to rent a VPS in one service provider, there are a lot on Internet a great resource to find the correct one is this website: 
@@ -26,6 +26,7 @@ Some that I use or I've used: - [AlphaVPS - Cheap and Reliable Hosting and Servers](https://alphavps.com/) - [VPS Hosting in Europe and USA. Join VPS2DAY now!](https://www.vps2day.com/) - [Liveinhost Web Services – The Best Web Hosting | Fast Professional Website Hosting Services](https://www.liveinhost.com/) +- [Scaleway Dedibox | The Reference for Dedicated Servers | Scaleway](https://www.scaleway.com/en/dedibox/) Try to understand that we've got to build a network of VPS interconnected site to site between everyone with IPsec and every host is plug and play, I mean that we can add or remove VPS just running the software in this repository. First of all it is important to understand that we can use this design in two different application, one will use registered domains the other will use free dns services. Goal for everyone is security trough simplicity, open source design and the correct use and implementation of robust compliance protocols and daemons. The system operative is [OpenBSD](https://www.openbsd.org/) but later we will use also [Alpine Linux](https://alpinelinux.org/). At that point the goal will be interoperability and the search of near perfect TCP/IP throughput. Another goal will be the use of ARM64 mobile devices also based up Alpine, my favorite one is: 
@@ -42,8 +43,8 @@ Many times we've got to resolve problems like the one where OpenBSD isn't listed First of all install a classic Linux, like Debian for example. Next ssh to the new machine with the credentials provided. Next download the latest stable `miniroot` image into the root and write it to the start of our virtual disk, in linux normally it will be `vda`. ```sh -# wget https://cdn.openbsd.org/pub/OpenBSD/6.8/amd64/miniroot68.img -# dd if=miniroot68.img of=/dev/vda bs=4M +# wget https://cdn.openbsd.org/pub/OpenBSD/6.9/amd64/miniroot69.img +# dd if=miniroot69.img of=/dev/vda bs=4M ``` After the successful write to the virtual disk we've got to reboot the machine but we will do it in a particular way using the `proc` filesystem: @@ -53,7 +54,9 @@ First of all install a classic Linux, like Debian for example. Next ssh to the n # echo b > /proc/sysrq-trigger ``` -Next reopen the KVM web console and the installation process of OpenBSD will start. Interrupt it choosing for the (S)hell option and: +#### Semi automatic system installation + +Open the `KVM` web console and the installation process of OpenBSD will start. Interrupt it choosing for the (S)hell option and: ```shell # dhclient vio0 
@@ -62,11 +65,165 @@ Next reopen the KVM web console and the installation process of OpenBSD will sta # reboot ``` +The default `root` password in our `install.conf` file is `123456789`. But it is encrypted as `$2b$10$4tPKeRmxVyffVkrQMve70.CiPmE28khH9UXiuSYpzAKbZrOfQq0Pm`. + +The default `uid 1000` user is `taglio`, my nickname and unix user. You can update `installation/install-vps` file with your. I also specify my `ed25519` ssh key that I've got generated with `ssh-keygen -t ed25519 -C "taglio@telecom.lobby"`as you can appreciate in the configuration file: + +`Public ssh key for user = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKG4yMhKX37SXV8LGDuVe4r1PBSS5HOWb6jFpNiG3cvW taglio@telecom.lobby` + +*Please update this file with your specifications forking my repository*. + After the reboot login in the new node and change the password and upgrade the system with `syspatch`. +#### [![OpenBSD MESH IPSec guerrila host](https://img.youtube.com/vi/6-M4IxeSctI/0.jpg)](https://www.youtube.com/watch?v=6-M4IxeSctI "OpenBSD MESH IPSec guerrila host") + #### First steps -Next that we will have a running fresh and patched OpenBSD system let's start to configure our guerrilla MESH node. Install the git package: +First of all I want to underline that we use some values in the `DNS` master zone of the domain where we want to attach our new `VPS` host. *It's not exactly all automatic*. + +``` shell +root@ganesha:/var/nsd/zones/master# cat telecomlobby.com.zone | grep ipsec && cat telecomlobby.com.zone | grep gre +ipsec20591 IN TXT "uk:ganesha;us:saraswati;jp:shiva;es:indra;fr:uma;bg:neo;" +gre7058 IN TXT "216" +gre18994 IN TXT "3" +root@ganesha:/var/nsd/zones/master# +``` + +We use the [TXT record](https://en.wikipedia.org/wiki/TXT_record) to add some more information to the process of automatically add the new host to our MESH network. 
Hostname are: + +```shell +root@ganesha:/var/nsd/zones/master# echo ipsec${RANDOM} && echo gre${RANDOM} && echo gre${RANDOM} +ipsec6150 +gre9262 +gre1331 +root@ganesha:/var/nsd/zones/master# +``` + +```$RANDOM``` is a special variable in `ksh` used to generate random numbers between 0 and 32767. + +The string specified by `TXT` value of `ipsec` is `;` separated values and contain [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) [country codes](https://en.wikipedia.org/wiki/Country_code) followed by `:` and the name of the host machine. + +The string specified by `TXT` values of the two `gre` are integer, the first between 0 and 255 indicating last /30 network allocated by a `gre` point to point and the second is a counter indicating the number of MESH guerrilla OpenBSD hosts. + +Remember to update those `TXT` to archive the connection process. + +It's important also to configure DNS resolution and also [RDNS](https://en.wikipedia.org/wiki/Reverse_DNS_lookup) of the assigned IPv4 address in our master zone. Depending on the provider adding the reverse dns resolution host it could be writing to the support office or simply use a web mask. + +[![OpenBSD MESH IPSec guerrila host](https://asciinema.org/a/417997.png)](https://asciinema.org/a/417997) + +Next we've got to update the master zone of the principle public domain, in my case `telecomlobby.com`. + +The first value to update is the IPv4 of the new machine: + +```shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ dig de.telecomlobby.com A +short +45.63.116.141 +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ ssh ganesha.telecom.lobby +Host key fingerprint is SHA256:mZiIJWncSs+jJUjAho8NNQeO1wSHKVpFORP5wZdDaNo ++--[ED25519 256]--+ +|+.=BB= o.. | +|=*+O= = + | +|+OO +B o . | +|+=oB..Eo o | +|. + * o S | +| + . | +| . 
| +| | +| | ++----[SHA256]-----+ +OpenBSD 6.9 (GENERIC) #2: Sat May 22 12:49:54 MDT 2021 + root@syspatch-69-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC +real mem = 1056813056 (1007MB) +avail mem = 1009553408 (962MB) +10:49AM up 2 days, 23:46, 2 users, load averages: 0.01, 0.02, 0.00 +ID Pri State DeadTime Address Iface Uptime +192.168.13.59 1 FULL/P2P 00:00:34 10.10.10.201 gre4 02:55:38 +192.168.13.81 1 FULL/P2P 00:00:30 10.10.10.217 gre3 06:51:01 +192.168.13.1 1 FULL/P2P 00:00:36 10.10.10.225 gre2 06:45:49 +192.168.13.34 1 FULL/P2P 00:00:33 10.10.10.230 gre1 06:51:03 +192.168.13.33 1 FULL/P2P 00:00:36 10.10.10.250 gre0 1d06h55m +Go 'way! You're bothering me! + +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ doas su +doas (taglio@ganesha.telecom.lobby) password: +root@ganesha:/home/taglio# cd /var/nsd/zones/master +root@ganesha:/var/nsd/zones/master# cat telecomlobby.com.zone | grep vpnc +vpnc IN A 45.32.144.15 +vpnc IN A 78.141.201.0 +vpnc IN A 155.138.247.27 +vpnc IN A 139.180.206.19 +vpncN IN A 94.72.143.163 +vpnc IN TXT "RT-01.cat.telecomlobby.com" +root@ganesha:/var/nsd/zones/master# + +``` + +As you can see theres some values about the `vpnc` and `vpncN` host: + +- `vpnc IN A` in the list of public IPv4 that are connected through IPsec in our MESH network. +- `vpncN IN A` in the new host to add to. + +Upgrade the configuration to reflect to new one and test it: + +``` shell +riccardo@trimurti:~$ dig @8.8.8.8 vpnc.telecomlobby.com A +short +45.32.144.15 +78.141.201.0 +155.138.247.27 +139.180.206.19 +94.72.143.163 +riccardo@trimurti:~$ dig @8.8.8.8 vpncN.telecomlobby.com A +short +45.63.116.141 +riccardo@trimurti:~$ +``` + +In my configuration I've got also a dynamic IPv4 [EdgeOS](https://dl.ubnt.com/guides/edgemax/EdgeOS_UG.pdf) endpoint and another with fixed IPv4 [RouterOS](https://es.wikipedia.org/wiki/MikroTik) one. 
In EdgeOS I've got to update the black hole routing table excluding the new ip: + +```shell +taglio@indra# set protocols static interface-route 45.63.116.141/32 next-hop-interface pppoe0 +[edit] +taglio@indra# commit +[edit] +taglio@indra# save +Saving configuration to '/config/config.boot'... +Done +[edit] +taglio@indra# exit +``` + +In the RouterOS one I've got to update the address list relative to the host presents in my IPSec network: + +```shell +[admin@uma.telecom.lobby] /ip firewall address-list> add list=servers comment=durpa address=45.63.116.141/32 +[admin@uma.telecom.lobby] /ip firewall address-list> +``` + +#### Update the IPSec CA server + +Now start to configure the `CA server` about the `IPsec` public and private key. + +In my network layout I've got a [Mikrotik](https://mikrotik.com/) `VPS` that administrate the `IPsec` certificate repositories. + +[![Mikrotik CA certificate](https://img.youtube.com/vi/A7O_Pe91a6Y/0.jpg)](https://youtu.be/A7O_Pe91a6Y "Mikrotik CA certificate") + +Download the [p12](https://en.wikipedia.org/wiki/PKCS_12) combined certificate and private key and upload into the new host `/tmp` directory. + +``` shell +sftp> get cert_export_de.telecomlobby.com.p12 +Fetching /cert_export_de.telecomlobby.com.p12 to cert_export_de.telecomlobby.com.p12 +/cert_export_de.telecomlobby.c 100% 3880 74.6KB/s 00:00 +sftp> ^D +riccardo@trimurti:~/Work/redama$ mv cert_export_de.telecomlobby.com.p12 de.telecomlobby.com.p12 +riccardo@trimurti:~/Work/redama/durpa$ scp de.telecomlobby.com.p12 taglio@de.telecomlobby.com:/tmp +de.telecomlobby.com.p12 100% 3880 106.4KB/s 00:00 +riccardo@trimurti:~/Work/redama/durpa$ +``` + +The p12 file have to be protected by the password `123456789`. + +#### Login and start the connection process + +Install the git package: ```shell neo# pkg_add git 
@@ -76,9 +233,15 @@ neo$ git clone https://github.com/noplacenoaddress/OpenBSD.git Next let's start to configure the system with our script `setup_node`, you've got to go ahead to every point pressing `1` or to type different variables: +- the type of IPv6 address: + - `static`: + - [IPv6 address](https://en.wikipedia.org/wiki/IPv6) without prefixlen. + - The [prefixlen](https://www.ciscopress.com/articles/article.asp?p=2803866&seqNum=2). + - The [IPv6 default route](https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-16-10/iri-xe-16-10-book/ip6-route-static-xe.pdf). + - `dynamic`, using [slaacd (8)](https://www.openbsd.org/papers/florian_slaacd_bsdcan2018.pdf) - `hostname`, the name of the machine. +- `landomainname`, the interior domain name that in my case is `telecom.lobby` - `routerid`, the OSPFD router id and the IP of the `vether0` interface. -- `publichost`, the DNS of the public ip of the `vio0` interface. ```shell root@neo:/home/taglio/Sources/Git/OpenBSD# sh setup_node 
@@ -86,6 +249,43 @@ changing installurl Go ahead type 1 ``` +After some points the program give us the root ssh `ed25519` key of the new host. That is [EdDSA](https://en.wikipedia.org/wiki/EdDSA) in [public key cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography). Update the repository: + +``` shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ sed -i '/durpa.telecom.lobby/d' src/etc/ssh/remote_install/authorized_keys +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHfCxPKwUqEG9JaEaK6uqFDfDMFYFTblLEWPekGh8CAn root@durpa.telecom.lobby" >> src/etc/ssh/remote_install/authorized_keys +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ +``` + +Use the script `git_openbsd.sh` using values depending in your forked repository to update the git. + +Next update every host using `git pull` using the `console` script and launch the `newhost` option using the same script: + + ``` shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ ./console -I telecom.lobby -G +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ ./console -I telecom.lobby -N + ``` + +The `console` script depend on a `TXT` record in the master `nsd` for the LAN domain name: + +```shell +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ host -t txt openbsd.telecom.lobby +openbsd.telecom.lobby descriptive text "ganesha;saraswati;shiva;varuna;" +riccardo@trimurti:~/Work/telecom.lobby/OpenBSD$ +``` + +Those are the host names of every OpenBSD guy connected to our network, remember to update it! + +[![OpenBSD MESH IPSec guerrila host](https://asciinema.org/a/418749.png)](https://asciinema.org/a/418749) + +#### Remote upgrade + +![](https://redama.es/Imagenes/varuna_shell.png) + +If the VPS provider got the option to install OpenBSD, a custom ISO or hasn't the solution is always the same, use `sysupgrade`. + +The upgrade our git repository and launch the `upgrade.sh` script. 
Remember to wait a couple of days after the [release announce](https://www.openbsd.org/69.html) is published by [Theo de Raddt](https://www.theos.com/deraadt/). + #### Registered domains application Start with two VPS, one master in DNS service and the other slave. All the others services will be replicated. Some providers doesn't permit the installation of OpenBSD as a default option so install Linux and then rewrite the disc with `dd` as explained: diff --git a/TODO.md b/TODO.md new file mode 100644 index 00000000..8030558a --- /dev/null +++ b/TODO.md @@ -0,0 +1,15 @@ +- arp sentinel + +- ``` shell + if [[ $# -eq 0 ]]; then + print $0 "have to be used with the following options \ + \n \ + \ninstall -> fresh install OpenBSD VPS \ + \nupgrade -> upgrade OpenBSD VPS \ + \nreset -> reset OpenBSD VPS \ + \n" + + exit 1 + fi + ``` + diff --git a/clean_last b/clean_last new file mode 100755 index 00000000..35cbcb58 --- /dev/null +++ b/clean_last 
@@ -0,0 +1,45 @@ +#!/bin/ksh + +set -o errexit +set -o nounset + +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/Bin +BACKUPS="/root/Backups" + +uid=$(id -u) +datarelease=$(date +"%d%m%Y%H%m%S") + + + + +function backup { + CURRENTBACKUP="$BACKUPS/$datarelease" + mkdir -p "$CURRENTBACKUP/$1/" + case $1 in + "etc") + tar -cvf "$CURRENTBACKUP/$1/etc.tar" /etc + ;; + esac +} + + +if [[ $uid -ne 0 ]]; then + print $0 "you've got to run $0 as UID=0 \n" + exit 1 +fi +backup "etc" +last=$(basename $(cat /etc/iked.conf | grep "iked.conf." | tail -n 1 | awk '{print $2}' | sed 's/"//g' | sed 's/iked.conf.//')) +filename=$(find /etc -name "*$last" -maxdepth 1 -type f) +sed -i "/$last/d" /etc/iked.conf +/bin/rm -r "$filename" +rcctl restart iked +for file in $(grep "$last" /etc/* | grep hostname | cut -d : -f1); do + interface=$(echo $file | cut -d . -f2) + if [[ $interface == gre? ]]; then + ospfinterface=$interface + fi + ifconfig $interface destroy + /bin/rm -r $file +done +sed -i "/interface $ospfinterface/,/}/d" /etc/ospfd.conf +rcctl restart ospfd diff --git a/console b/console new file mode 100755 index 00000000..38c1598f --- /dev/null +++ b/console 
@@ -0,0 +1,43 @@ +#!/usr/bin/bash + +#GLOBAL VAR + +uid=$(id -u) +userna=$(id -nu $uid) +userhome="/home/taglio" +proghome="$userhome/Sources/Git/OpenBSD" + +if [[ $uid -ne 1000 ]]; then + echo -e $0 "you've got to run $0 as UID=1000 \n" + exit 1 +fi + +if [[ $# -eq 0 ]]; then + echo -e $0 "have to be used with the following options \ + \n-I -> local domain name [x]\ + \n-N -> newhost [o]\ + \n-G -> git pull [o]\ + \n" + + exit 1 +fi + +localdomainname=$2 + + +case $3 in + "-G") + for vpnc_host in $(dig openbsd.$localdomainname TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + echo -e "Connecting to $vpnc_host" + ssh $vpnc_host.$localdomainname git -C "$proghome" pull + done + ;; + "-N") + for vpnc_host in $(dig openbsd.$localdomainname TXT +short | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + echo -e "Connecting to $vpnc_host" + ssh -t $vpnc_host.$localdomainname doas sh "/home/taglio/Sources/Git/OpenBSD/setup_node" -U newhost + done + ;; + *) + ;; +esac diff --git a/data/GRE-TABLE.sql b/data/GRE-TABLE.sql new file mode 100644 index 00000000..f77f7730 --- /dev/null +++ b/data/GRE-TABLE.sql 
@@ -0,0 +1,33 @@ +CREATE TABLE [GRE] ( + [HOST-SRCID] NVARCHAR(30) , + [PTP] NVARCHAR(5) PRIMARY KEY, + [PTP-NETWORK] NVARCHAR(16), + [PTP-LATENCY] INTEGER, + [INTERFACE] NVARCHAR(13), + [COST] INTEGER, + [HOPCOST] INTEGER +); + +INSERT INTO GRE (HOST-SRCID, PTP, PTP-NETWORK, PTP-LATENCY, INTERFACE, COST, HOPCOST) +VALUES + ("indra@ca.telecomlobby.com", "ES-FR", "10.10.10.252/30", 24, "tun0", 12, 0), + ("indra@ca.telecomlobby.com", "ES-UK", "10.10.10.228/30", 35, "tun3", 17, 0), + ("indra@ca.telecomlobby.com", "ES-US", "10.10.10.236/30", 139, "tun1", 70, 0), + ("indra@ca.telecomlobby.com", "ES-JP", "10.10.10.232/30", 267, "tun2", 133, 0), + ("uma@ca.telecomlobby.com", "FR-ES", "10.10.10.252/30", 24, "gre-tunnel1", 12, 0), + ("uma@ca.telecomlobby.com", "FR-UK", "10.10.10.248/30", 6, "gre-tunnel2", 3, 13), + ("uma@ca.telecomlobby.com", "FR-US", "10.10.10.244/30", 109, "gre-tunnel4", 55, 65), + ("uma@ca.telecomlobby.com", "FR-JP", "10.10.10.240/30", 231, "gre-tunnel3", 115, 125), + ("ganesha@ca.telecomlobby.com", "UK-ES", "10.10.10.228/30", 35, "gre1", 17, 0), + ("ganesha@ca.telecomlobby.com", "UK-FR", "10.10.10.248/30", 6, "gre0", 3, 13), + ("ganesha@ca.telecomlobby.com", "UK-US", "10.10.10.225/30", 105, "gre2", 52, 62), + ("ganesha@ca.telecomlobby.com", "UK-JP", "10.10.10.114/30", 244, "gre3", 122, 132), + ("shiva@ca.telecomlobby.com", "JP-ES", "10.10.10.232/30", 267, "gre12", 133, 0), + ("shiva@ca.telecomlobby.com", "JP-FR", "10.10.10.240/30", 231, "gre0", 115, 125), + ("shiva@ca.telecomlobby.com", "JP-US", "10.10.10.118/30", 151, "gre2", 75, 0), + ("shiva@ca.telecomlobby.com", "JP-UK", "10.10.10.114/30", 244, "gre3", 122, 132), + ("saraswati@ca.telecomlobby.com", "US-ES", "10.10.10.236/30", 139, "gre1", 70, 0), + ("saraswati@ca.telecomlobby.com", "US-FR", "10.10.10.244/30", 109, "gre0", 55, 65), + ("saraswati@ca.telecomlobby.com", "US-UK", "10.10.10.225/30", 105, "gre2", 52, 62), + ("saraswati@ca.telecomlobby.com", "US-JP", "10.10.10.118/30", 151, "gre3", 75, 0); 
+ diff --git a/data/gre.db b/data/gre.db new file mode 100644 index 00000000..23c5a267 Binary files /dev/null and b/data/gre.db differ diff --git a/installation/autodisklabel b/installation/autodisklabel new file mode 100644 index 00000000..b1d564f4 --- /dev/null +++ b/installation/autodisklabel @@ -0,0 +1,2 @@ +/ 250M-95% +swap 250M-5% diff --git a/installation/disklabel b/installation/disklabel deleted file mode 100644 index 6f234706..00000000 --- a/installation/disklabel +++ /dev/null @@ -1,2 +0,0 @@ -/ 3G -swap 512M diff --git a/installation/disklabel-vps b/installation/disklabel-vps deleted file mode 100644 index 43034904..00000000 --- a/installation/disklabel-vps +++ /dev/null @@ -1,2 +0,0 @@ -/ 13G -swap 512M diff --git a/installation/install-vps.conf b/installation/install-vps.conf index 5c24506f..efb1f708 100644 --- a/installation/install-vps.conf +++ b/installation/install-vps.conf 
@@ -8,24 +8,26 @@ IPv6 address for vio0 = autoconf Which network interface do you wish to configure = done Default IPv4 route = DNS domain name = telecom.lobby -Password for root = 123456789 +Password for root = $2b$10$4tPKeRmxVyffVkrQMve70.CiPmE28khH9UXiuSYpzAKbZrOfQq0Pm #Public ssh key for root account = ssh key stored in /root/.ssh/authorized_keys Start sshd(8) by default = yes Do you expect to run the X Window System = no Setup a user = taglio Full name for user = Riccardo Giuntoli -Password for user = 123456789 -#Public ssh key for user = ssh key stored in ~/.ssh/authorized_keys +Password for user = ********* +Public ssh key for user = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKG4yMhKX37SXV8LGDuVe4r1PBSS5HOWb6jFpNiG3cvW taglio@telecom.lobby Allow root ssh login = no -What timezone are you in = Europe/Sofia +What timezone are you in = UTC Which disk is the root disk = sd0 # see disklabel.min, disklabel, or disklabel.lax -URL to autopartitioning template for disklabel = https://raw.githubusercontent.com/redeltaglio/OpenBSD/master/installation/disklabel-vps +# URL to autopartitioning template for disklabel = https://raw.githubusercontent.com/redeltaglio/OpenBSD/master/installation/autodisklabel Unable to connect using https. Use http instead = yes Location of sets = http HTTP proxy URL = none HTTP Server = cdn.openbsd.org -Server directory = pub/OpenBSD/6.8/amd64 -Set name(s) = -x* +Server directory = pub/OpenBSD/6.9/amd64 +#Set name(s) = -x* # or minimum sets (disklabel.min) -#Set name(s) = -comp* -game* -x* +Set name(s) = -comp* -x* +Continue without verification = yes + diff --git a/io b/io deleted file mode 100644 index e69de29b..00000000 diff --git a/setup_node b/setup_node index 027ec372..0cbe9390 100755 --- a/setup_node +++ b/setup_node 
@@ -3,48 +3,95 @@ # $Telecomlobby: setup_node,v 0.1 11/3/2021 21:01:04 taglio$ # #unbound: https://blog.c6h12o6.org/post/unbound-dnssec-dns-over-tls/ -#sshd: https://github.com/vedetta-com/vedetta/blob/master/src/usr/local/share/doc/vedetta/OpenSSH_Principals.md +#sshd: https:/github.com/vedetta-com/vedetta/blob/master/$basedir/src/usr/local/share/doc/vedetta/OpenSSH_Principals.md +#smptd: https://github.com/vedetta-com/caesonia +#smtpd: https://www.vultr.com/docs/an-openbsd-e-mail-server-using-opensmtpd-dovecot-rspamd-and-rainloop +#smtpd: https://prefetch.eu/blog/2020/email-server/ +#smtpd: https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/ +#smtpd: https://unixsheikh.com/tutorials/arch-linux-mail-server-tutorial-part-2-opensmtpd-dovecot-dkimproxy-and-lets-encrypt.html +#smtpd: https://wiki.archlinux.org/title/OpenSMTPD +#smtpd: https://git.sr.ht/~guidocella/personal-email-server-guide +##### +# +#TODO +# +# +# +##### set -o errexit set -o nounset -PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/Bin -UID=$(id -u) +PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/Bin:/home/taglio/Sources/Git/OpenBSD +BACKUPS="/root/Backups" + +#GLOBAL VAR + +uid=$(id -u) +app=$(basename $0) +egressinterface=$(ifconfig egress | cut -d : -f1 | head -n1) +publicip=$(ifconfig $egressinterface | grep inet |grep -v inet6 | cut -d ' ' -f2) +publicnetmask=$(ifconfig $egressinterface | grep inet | grep -v inet6 | awk '{print $4}') +publicbcast=$(ifconfig $egressinterface | grep inet | grep -v inet6 | awk '{print $6}') +publichost=$(dig -x $publicip +short @8.8.8.8 | sed 's/.$//') +domainname=$(print $publichost | sed 's/^[^.]*.//') +defaultv4router=$(route -n show | awk '/default/{print $2}' | head -n 1) +macdefaultv4router=$(arp -an | grep -w $defaultv4router | awk '{print $2}') +dyndns=$(host -t a cat-01.hopto.org | cut -d ' ' -f4) +basedir="/home/taglio/Sources/Git/OpenBSD" +tmpdir=$(mktemp -d) 
+datarelease=$(date +"%d%m%Y%H%m%S") +userna=$(id -nu $uid) +ipv6ctrl= +ipv6egress= +ipv6prefix= +ipv6defrouter= +sha256ctrl=0 + +umask 002 -if [[ $UID -ne 0 ]]; then +if [[ $uid -ne 0 ]]; then print $0 "you've got to run $0 as UID=0 \n" exit 1 fi - +if [[ $# -eq 0 ]]; then + print $0 "have to be used with the following options \ + \n \ + \n-I -> install \ + \n-U -> upgrade \ + \n-D -> daemons \ + \n" + + exit 1 +fi function error_exit { echo "${app}: ${1:-"Unknown Error"}" 1>&2 exit 1 } -app=$(basename $0) -backups="/root/Backups" -publicip=$(ifconfig egress | grep inet |grep -v inet6 | cut -d ' ' -f2) -dyndns=$(host -t a cat-01.hopto.org | cut -d ' ' -f4) -basedir=$(pwd) - function pidof { ps axc -o pid,command | awk "\$2~/^`echo $1`\$/ {print \$1}" } function pkg { - phase=$1 + typeset var phase=$1 case $phase in "shell") - pkg_add colorls nano wget fping iperf uptimed oidentd + pkg_add colorls nano wget fping iperf uptimed oidentd sqlite3 \ + nmap tor ipcalc gnupg-- rspamd-- + ;; + "smtpd") + pkg_add opensmtpd-filter-rspamd \ + dovecot dovecot-pigeonhole ;; esac } function cleanold { - directory=$1 + typeset var directory=$1 for file in $directory*.old; do if [[ -e "$file" ]]; then mv $file $backups 
@@ -57,33 +104,491 @@ function cleanold { done } +function custom { + for file in $(find $1 -type f -maxdepth $2); do + (: "${hostname?}") 2>/dev/null && sed -i "s/\/HOSTNAME\//$hostname/g" $file + (: "${landomainname?}") 2>/dev/null && sed -i "s/\/LANDOMAINNAME\//$landomainname/g" $file + (: "${routerid?}") 2>/dev/null && sed -i "s/\/ROUTERID\//$routerid/g" $file + (: "${publichost?}") 2>/dev/null && sed -i "s/\/PUBLICHOST\//$publichost/g" $file + (: "${domainname?}") 2>/dev/null && sed -i "s/\/DOMAINNAME\//$domainname/g" $file + (: "${srcid?}") 2>/dev/null && sed -i "s/\/SRCID\//$srcid/g" $file + (: "${publichostname?}") 2>/dev/null && sed -i "s/\/PUBLICHOSTNAME\//$publichostname/g" $file + (: "${publicip?}") 2>/dev/null && sed -i "s/\/PUBLICIP\//$publicip/g" $file + (: "${dyndns?}") 2>/dev/null && sed -i "s/\/DYNDNS\//$dyndns/g" $file + (: "${publicnetmask?}") 2>/dev/null && sed -i "s/\/PUBLICNETMASK\//$publicnetmask/g" $file + (: "${publicbcast?}") 2>/dev/null && sed -i "s/\/PUBLICBCAST\//$publicbcast/g" $file + (: "${ipv6egress?}") 2>/dev/null && sed -i "s/\/PUBV6\//${ipv6egress}/g" $file + (: "${ipv6prefix?}") 2>/dev/null && sed -i "s/\/PREFIX\//${ipv6prefix}/g" $file + (: "${defaultv4router?}") 2>/dev/null && sed -i "s/\/ROUTEV4\//${defaultv4router}/g" $file + (: "${ipv6defrouter?}") 2>/dev/null && sed -i "s/\/ROUTEV6\//${ipv6defrouter}/g" $file + + done +} +function sha256compare { + if [[ -e $1 ]]; then + oldsha256=$(sha256 $1 | awk '{print $4}') + else + oldsha256="" + fi + newsha256=$(sha256 $2 | awk '{print $4}') + if [ "$oldsha256" != "$newsha256" ]; then + sha256ctrl=1 + else + sha256ctrl=0 + fi +} + + +function backup { + CURRENTBACKUP="$BACKUPS/$datarelease" + mkdir -p "$CURRENTBACKUP/$1/" + case $1 in + "static") + + cp -p /etc/{hostname.$egressinterface,mygate} "$CURRENTBACKUP/$1/" + ;; + "basic") + mkdir -p "$CURRENTBACKUP/$1/{$uidna,root,etc}" + for file in $(find "/home/$uidna" -type f -maxdepth 1 -name ".*"); do + cp -p $file 
"$CURRENTBACKUP/$1/$uidna" + done + for file in $(find "/root" -type f -maxdepth 1 -name ".*"); do + cp -p $file "$CURRENTBACKUP/$1/root" + done + cp -p /etc/{dhclient.conf,resolv.conf.tail,doas.conf,myname,sysctl.conf,hostname.vether0,daily.local,rc.local} "$CURRENTBACKUP/$1/etc" + ;; + "users") + for file in $(find "/home/$uidna/Bin" -type f -maxdepth 1 ); do + cp -p $file "$CURRENTBACKUP/$1" + done + ;; + "scripts") + for file in $(find "/root/Bin" -type f -maxdepth 1 ); do + cp -p $file "$CURRENTBACKUP/$1" + done + ;; + "unbound") + mkdir -p "$CURRENTBACKUP/$1/{etc,db}" + for file in $(find "/var/unbound/etc" -type f -maxdepth 1); do + cp -p $file "$CURRENTBACKUP/$1/etc" + done + for file in $(find "/var/unbound/db" -type f -maxdepth 1); do + cp -p $file "$CURRENTBACKUP/$1/db" + done + ;; + "ssh") + for file in $(find "/etc/ssh" -type f -maxdepth 2); do + cp -p $file "$CURRENTBACKUP/$1/" + done + ;; + "ipsec") + cp -Rp /etc/iked/ "$CURRENTBACKUP/$1/" + cp -p /etc/{iked.conf,iked.conf.*} "$CURRENTBACKUP/$1/" + ;; + "gre") + configuration "gre" + ;; + "pf") + for file in $(find "/etc" -type f -maxdepth 1 -name "pf.*"); do + cp -p $file "$CURRENTBACKUP/$1/" + done + + ;; + "ospf") + configuration "ospf" + ;; + "ntpd") + configuration "ntpd" + ;; + "remote") + if [[ -d /etc/ssh/remote_install ]]; then + for file in $(find "/etc/ssh/remote_install" -type f -maxdepth 1); do + cp -p $file "$CURRENTBACKUP/$1/" + done + fi + ;; + "relayd") + configuration "relayd" + ;; + "all") + sh setup_node -I + ;; + esac +} + + +function upgrade { + case $1 in + "unbound") + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/etc/unbound.conf /var/unbound/etc/unbound.conf + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/etc/stub-zone.conf /var/unbound/etc/stub-zone.conf + rcctl restart unbound || error_exit "$LINENO: ERROR: UNBOUND failed." + ;; + "ssh") + if [[ ! 
-d "$basedir/../OpenBSD-private-CA" ]]; then + echo "OpenBSD-private-CA not found cloning it..." + cd .. + doas -u taglio git clone https://github.com/redeltaglio/OpenBSD-private-CA.git + cd OpenBSD-private-CA + sh setup_host + else + cd "$basedir/../OpenBSD-private-CA" + doas -u taglio git pull + sh setup_host + fi + ;; + "ipsec") + sha256compare "/etc/iked/ca/ca.crt" "$basedir/src/etc/iked/ca/ca.crt" + if [[ $sha256ctrl -eq 1 ]]; then + echo "ca.crt upgrade" + install -o root -g wheel -m 0644 $basedir/src/etc/ca/ca.crt /etc/iked/ca/ + fi + tmpdir=$(mktemp -d) + openssl pkcs12 -nodes -in "/tmp/$publichost.p12" -nocerts -passin pass:123456789 -passout pass:123456789 -out "$tmpdir/local.key" + openssl pkcs12 -nodes -in "/tmp/$publichost.p12" -clcerts -nokeys -passin pass:123456789 -passout pass:123456789 -out "$tmpdir/$publichost.crt" + openssl x509 -pubkey -noout -passin pass:123456789 -in "/etc/iked/certs/$publichost.crt" > "$tmpdir/local.pub" + sha256compare "/etc/iked/private/local.key" "$tmpdir/local.key" + if [[ $sha256ctrl -eq 1 ]]; then + echo "local.key upgrade" + openssl pkcs12 -nodes -in "/tmp/$publichost.p12" -nocerts -passin pass:123456789 -passout pass:123456789 -out /etc/iked/private/local.key + openssl pkcs12 -nodes -in "/tmp/$publichost.p12" -clcerts -nokeys -passin pass:123456789 -passout pass:123456789 -out "/etc/iked/certs/$publichost.crt" + openssl x509 -pubkey -noout -passin pass:123456789 -in "/etc/iked/certs/$publichost.crt" > /etc/iked/local.pub + fi + rm -rf $tmpdir + for file in $(find $basedir/src/etc/iked/pubkeys/ufqdn/ -name "*@*"); do + filename=$(basename $file) + sha256compare "$file" "/etc/iked/pubkeys/ufqdn/$filename" + if [[ $sha256ctrl -eq 1 ]]; then + echo "$filename upgrade" + install -o root -g wheel -m 0644 $file /etc/iked/pubkeys/ufqdn/ + fi + done + rm -rf $tmpdir + tmpdir=$(mktemp -d) + cp $basedir/src/etc/iked.conf $tmpdir + if [[ $(grep -c hostname /tmp/config.ini) -eq 1 ]]; then + srcid=$(cat /tmp/config.ini | grep 
hostname |cut -d \# -f2) + else + srcid=$(hostname -s) + fi + if [[ "$srcid" == "varuna" ]]; then + srcid="neo" + fi + for vpnc_ip in $(dig vpnc.$domainname A +short @8.8.8.8); do + vpnc_host=$(dig -x $vpnc_ip +short @8.8.8.8 | sed 's/.$//') + if [[ -e "/etc/iked.conf.$vpnc_host" ]]; then + echo include \"/etc/iked.conf.$vpnc_host\" >> "$tmpdir/iked.conf" + if grep -q "ecp384" "/etc/iked.conf.$vpnc_host"; then + cp $basedir/src/etc/iked.conf.mikrotik "$tmpdir/iked.conf.$vpnc_host" + elif grep -q "ecp256" "/etc/iked.conf.$vpnc_host"; then + cp $basedir/src/etc/iked.conf.edgeos "$tmpdir/iked.conf.$vpnc_host" + else + cp $basedir/src/etc/iked.conf.openbsd "$tmpdir/iked.conf.$vpnc_host" + fi + sed -i "s/\/POP\//$vpnc_host/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/POPIP\//$vpnc_ip/g" "$tmpdir/iked.conf.$vpnc_host" + type=$(cat "/etc/iked.conf.$vpnc_host" | head -n 1 | awk '{print $3}') + sed -i "s/\/TYPE\//$type/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/PUBLICIP\//$publicip/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/PUBLICHOST\//$publichost/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/SRCID\//$srcid/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/DOMAINNAME\//$domainname/g" "$tmpdir/iked.conf.$vpnc_host" + encx=$(cat "/etc/iked.conf.$vpnc_host" | awk -F'enc' '{print substr($2,0,1)}' | tail -n 1) + sed -i "s/\/X\//$encx/g" "$tmpdir/iked.conf.$vpnc_host" + sha256compare "/etc/iked.conf.$vpnc_host" "$tmpdir/iked.conf.$vpnc_host" + if [[ $sha256ctrl -eq 1 ]]; then + echo "$vpnc_host upgrade" + install -o root -g wheel -m 0640 "$tmpdir/iked.conf.$vpnc_host" /etc/ + fi + fi + done + for vpnc_host in $(dig vpnc.telecomlobby.com TXT +short @8.8.8.8 | sed 's/\"//g'); do + if [[ -e "/etc/iked.conf.$vpnc_host" ]]; then + echo include \"/etc/iked.conf.${vpnc_host}\" >> "$tmpdir/iked.conf" + fi + vpnc_ip=$(dig $vpnc_host A +short @8.8.8.8 | tail -n 1) + cp $basedir/src/etc/iked.conf.edgeos "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/POP\//$vpnc_host/g" 
"$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/POPIP\//$vpnc_ip/g" "$tmpdir/iked.conf.$vpnc_host" + type=$(cat "/etc/iked.conf.$vpnc_host" | head -n 1 | awk '{print $3}') + sed -i "s/\/TYPE\//$type/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/PUBLICIP\//$publicip/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/PUBLICHOST\//$publichost/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/SRCID\//$srcid/g" "$tmpdir/iked.conf.$vpnc_host" + sed -i "s/\/DOMAINNAME\//$domainname/g" "$tmpdir/iked.conf.$vpnc_host" + encx=$(cat "/etc/iked.conf.$vpnc_host" | awk -F'enc' '{print substr($2,0,1)}' | tail -n 1) + sed -i "s/\/X\//$encx/g" "$tmpdir/iked.conf.$vpnc_host" + sha256compare "/etc/iked.conf.$vpnc_host" "$tmpdir/iked.conf.$vpnc_host" + if [[ $sha256ctrl -eq 1 ]]; then + echo "$vpnc_host upgrade" + install -o root -g wheel -m 0640 "$tmpdir/iked.conf.$vpnc_host" /etc/ + fi + sha256compare "/etc/iked.conf.$vpnc_host" "$tmpdir/iked.conf.$vpnc_host" + if [[ $sha256ctrl -eq 1 ]]; then + echo "$vpnc_host upgrade" + install -o root -g wheel -m 0640 "$tmpdir/iked.conf.$vpnc_host" /etc/ + fi + done + sha256compare "/etc/iked.conf" "$tmpdir/iked.conf" + if [[ $sha256ctrl -eq 1 ]]; then + echo "iked.conf upgrade" + install -o root -g wheel -m 0600 "$tmpdir/iked.conf" /etc/iked.conf + fi + iked -n + if [[ $sha256ctrl -eq 1 ]]; then + rcctl restart iked || error_exit "$LINENO: ERROR: IKED failed." + fi + + ;; + "gre") + configuration "gre" + ;; + "pf") + tmpdir=$(mktemp -d) + for file in $(find $basedir/src/etc/ -name "pf.*" -type f -maxdepth 1); do + cp $file $tmpdir + done + for vpnc_ip in $(dig vpnc.$domainname A +short @8.8.8.8); do + echo "$vpnc_ip/32" >> "$tmpdir/pf.conf.table.ipsec" + done + for vpnc_ip in $(dig vpncN.$domainname A +short @8.8.8.8); do + echo "$vpnc_ip/32" >> "$tmpdir/pf.conf.table.ipsec" + done + for vpnc_host in $(dig vpnc.telecomlobby.com TXT +short @8.8.8.8 | sed 's/\"//g'); do + vpnc_ip=$(dig $vpnc_host A +short @8.8.8.8 | tail -n 1) + if [[ ! 
-z $vpnc_ip ]]; then + echo "$vpnc_ip/32" >> "$tmpdir/pf.conf.table.ipsec" + fi + done + sha256compare "/etc/pf.conf.table.ipsec" "$tmpdir/pf.conf.table.ipsec" + if [[ $sha256ctrl -eq 1 ]]; then + echo "pf.conf.table.ipsec upgrade" + install -o root -g wheel -m 0640 "$tmpdir/pf.conf.table.ipsec" /etc/ + pfctl -nf /etc/pf.conf + pfctl -f /etc/pf.conf + fi + sha256compare "/etc/pf.conf.table.nsd" "$tmpdir/pf.conf.table.nsd" + if [[ $sha256ctrl -eq 1 ]]; then + echo "pf.conf.table.nsd upgrade" + install -o root -g wheel -m 0640 "$tmpdir/pf.conf.table.nsd" /etc/ + pfctl -nf /etc/pf.conf + pfctl -f /etc/pf.conf + fi + for file in $(find /etc -maxdepth 1 -name "iked.conf.*") ; do + tagged=$(echo $file | sed "s/\/etc\/iked.conf.//") + count=$(dig $tagged A +short @8.8.8.8 | wc -l) + if [[ $count -gt 1 ]]; then + iptagged=$(dig $tagged A +short @8.8.8.8 | tail -n 1) + else + iptagged=$(dig $tagged A +short @8.8.8.8) + fi + sed -i "s/\/TAGGED\//${tagged}/g" $tmpdir/pf.conf.macro.enc.{in,out} + sed -i "s/\/IPTAGGED\//${iptagged}/g" $tmpdir/pf.conf.macro.enc.{in,out} + cat $basedir/src/openbsd/pf.conf.openbsd | head -n 1 >> $tmpdir/pf.conf.macro.enc.in + cat $basedir/src/openbsd/pf.conf.openbsd | tail -n 1 >> $tmpdir/pf.conf.macro.enc.out + done + sed -i '$d' $tmpdir/pf.conf.macro.enc.{in,out} + sha256compare "/etc/pf.conf.macro.enc.in" "$tmpdir/pf.conf.macro.enc.in" + if [[ $sha256ctrl -eq 1 ]]; then + echo "pf.conf.macro.enc.in upgrade" + install -o root -g wheel -m 0640 "$tmpdir/pf.conf.macro.enc.in" /etc/ + fi + sha256compare "/etc/pf.conf.macro.enc.out" "$tmpdir/pf.conf.macro.enc.out" + if [[ $sha256ctrl -eq 1 ]]; then + echo "pf.conf.macro.enc.out upgrade" + install -o root -g wheel -m 0640 "$tmpdir/pf.conf.macro.enc.out" /etc/ + fi + landomainname=$(cat /etc/myname | sed 's/^[^.]*.//') + custom "$tmpdir" "1" + sha256compare "/etc/pf.conf" "$tmpdir/pf.conf" + if [[ $sha256ctrl -eq 1 ]]; then + echo "pf.conf upgrade" + install -o root -g wheel -m 0640 "$tmpdir/pf.conf" 
/etc/ + fi + if [[ $sha256ctrl -eq 1 ]]; then + pfctrl=$(pfctl -nf /etc/pf.conf) + if [[ -z $pfctrl ]]; then + echo "PF ruleset OK" + fi + ctrl= + while [ -z $ctrl ] + do + echo 'The load PF rules and enable it type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + if [[ $(pfctl -si | head -n 1 | grep -c "Disabled") -eq 1 ]]; then + pfctl -f /etc/pf.conf + ctrl= + while [ -z $ctrl ] + do + echo 'Your connection will be close type 1 to continue ' + read ctrl + pfctl -e && exit 1 + done + elif [[ $(pfctl -si | head -n 1 | grep -c "Disabled") -eq 0 ]]; then + pfctl -f /etc/pf.conf + fi + fi + done + fi + ;; + "ospf") + configuration "ospf" + ;; + "ntpd") + configuration "ntpd" + ;; + "remote") + tmpdir=$(mktemp -d) + if [[ -d "/etc/ssh/remote_install" ]]; then + cp $basedir/src/etc/ssh/remote_install/* $tmpdir + custom "$tmpdir" "1" + sha256compare "/etc/ssh/remote_install/remote_install.conf" "$tmpdir/remote_install.conf" + if [[ $sha256ctrl -eq 1 ]]; then + echo "remote_install.conf upgrade" + install -o root -g wheel -m 0640 "$tmpdir/remote_install.conf" /etc/ssh/remote_install + fi + sha256compare "/etc/ssh/remote_install/authorized_keys" "$tmpdir/authorized_keys" + if [[ $sha256ctrl -eq 1 ]]; then + echo "authorized_keys upgrade" + install -o root -g wheel -m 0640 "$tmpdir/authorized_keys" /etc/ssh/remote_install + fi + else + mkdir /etc/ssh/remote_install + for file in $(find $basedir/src/etc/ssh/remote_install/ -type f); do + filename=$(basename $file) + if [[ "$filename" != "rc.local" ]]; then + install -o root -g wheel -m 0640 $file /etc/ssh/remote_install/ + fi + done + custom "/etc/ssh/remote_install" "1" + + fi + sha256compare "$basedir/src/usr/local/sbin/remote-install" "/usr/local/sbin/remote-install" + if [[ $sha256ctrl -eq 1 ]]; then + echo "remote-install upgrade" + install -o root -g wheel -m 0750 $basedir/src/usr/local/sbin/remote-install /usr/local/sbin/ + fi + if [[ $(grep -c remote_install.conf /etc/rc.local) -eq 0 ]]; then + cat 
$basedir/src/etc/ssh/remote_install/rc.local >> /etc/rc.local + fi + pidof_remote=$(pidof "remote") + if [[ -z $pidof_remote ]]; then + /usr/sbin/sshd -f /etc/ssh/remote_install/remote_install.conf + else + kill -9 $(cat /var/run/sshd-remote-install.pid) + /usr/sbin/sshd -f /etc/ssh/remote_install/remote_install.conf + fi + install -o root -g wheel -m 0640 $basedir/src/etc/httpd.conf.acmefirst /etc/httpd.conf + custom "/etc/" "1" + httpd -n + pidof_httpd=$(pidof "httpd") + if [[ -z $pidof_remote ]]; then + rcctl enable httpd + rcctl start httpd || error_exit "$LINENO: ERROR: HTTPD failed." + else + rcctl restart httpd + fi + + ;; + "remoteinstall") + echo "connecting to remote OpenBSD MESH hosts..." + cat /dev/null > /etc/ssh/ssh_known_hosts + for file in $(find /etc -maxdepth 1 -name "iked.conf.*" -type f); do + if [[ $(grep -c "brainpool512" $file) -eq 1 ]]; then + remotehost=$(echo $file | sed "s/\/etc\/iked.conf.//") + ssh-keyscan -t ed25519 -p 31137 $remotehost >> /etc/ssh/ssh_known_hosts + ssh -p 31137 $remotehost -v + fi + done + sleep 31 + ctrl= + while [ -z $ctrl ] + do + echo 'Have you add the root ssh key to admin user onto mikrotik ?' + cat /root/.ssh/id_rsa.pub + echo 'Type 1 to continue ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + echo "ok" + else + error_exit "$LINENO: EXIT FROM USER." + fi + + done + ;; + "relayd") + configuration "relayd" + ;; + "newhost") + + sh "$basedir/$app" -U pf + install -o root -g wheel -m 0640 $basedir/src/etc/ssh/remote_install/authorized_keys /etc/ssh/remote_install/ + ;; + esac +} function configuration { phase=$1 if [[ $# -eq 2 ]]; then subphase=$2 fi case $phase in + "static") + ifconfig $egressinterface -inet6 + install -o root -g wheel -m 0640 $basedir/src/etc/hostname.egress "/etc/hostname.$egressinterface" + install -o root -g wheel -m 0640 $basedir/src/etc/mygate /etc/ + if [[ ! 
-z $ipv6egress ]]; then + rcctl stop slaacd + rcctl disable slaacd + tmphostname=$(mktemp) + cat "/etc/hostname.$egressinterface" | sed '/^inet6/d' > $tmphostname + echo "inet6 -autoconf" >> $tmphostname + echo "inet6 -soii" >> $tmphostname + echo "inet6 -temporary" >> $tmphostname + echo "inet6 $ipv6egress/$ipv6prefix" >> $tmphostname + cat $tmphostname > "/etc/hostname.$egressinterface" + echo $ipv6defrouter >> /etc/mygate + fi + echo "arp -s $defaultv4router $macdefaultv4router" > /etc/rc.local + arp -s $defaultv4router $macdefaultv4router + custom "/etc" "1" + cd /tmp + nohup sh /etc/netstart & + cd $basedir + ;; "basic") echo "dot files" - for file in src/home/taglio/.*; do + for file in $basedir/src/home/taglio/.*; do if [[ -e "$file" ]]; then install -o taglio -g wheel -m 0640 $file /home/taglio/ fi done cleanold "/home/taglio/" - for file in src/root/.*; do + for file in $basedir/src/root/.*; do if [[ -e "$file" ]]; then install -o root -g wheel -m 0640 $file /root/ fi done cleanold "/root/" - echo "dhclient, resolv.conf.tail and doas.conf" - install -o root -g wheel -m 0644 src/etc/{dhclient.conf,resolv.conf.tail,doas.conf} /etc/ - install -o root -g wheel -m 0640 src/etc/hostname.vio0 /etc/ + echo "timezone from public ip \n" + tmp=$(mktemp) + curl "http://ipinfo.io/$publicip" > $tmp + iptmz=$(cat $tmp | grep timezone | cut -d \" -f4) + rm -rf {/etc/localtime,$tmp} + ln -fs "/usr/share/zoneinfo/$iptmz" /etc/localtime + echo "installing automatic update \n" + if [[ ! -e "/etc/daily.local" ]]; then + install -o root -g wheel -m 0640 $basedir/src/etc/daily.local /etc/ + elif ! 
grep -q "pkg_add" "/etc/daily.local"; then + cat $basedir/src/etc/daily.local >> "/etc/daily.local" + fi + echo "dhclient, resolv.conf.tail, doas.conf, myname and sysctl.conf \n" + install -o root -g wheel -m 0644 $basedir/src/etc/{dhclient.conf,resolv.conf.tail,doas.conf,myname,sysctl.conf} /etc/ + cat $basedir/src/etc/rc.local >> /etc/rc.local echo "vether" - install -o root -g wheel -m 0644 src/etc/hostname.vether0 /etc/ - echo "configuring iperf uptimed and oidentd" + install -o root -g wheel -m 0644 $basedir/src/etc/hostname.vether0 /etc/ + echo "configuring iperf uptimed and oidentd \n" pidof_uptimed=$(pidof "uptimed") if [[ -z $pidof_uptimed ]]; then rcctl enable uptimed @@ -91,14 +596,18 @@ function configuration { else rcctl restart uptimed || error_exit "$LINENO: ERROR: UPTIMED failed." fi - install -o root -g wheel -m 0640 src/etc/rc.local /etc/ - cleanold "/etc/" + custom "/etc" "1" cd /tmp - nohup $SH /etc/netstart vio0 & - nohup $SH /etc/netstart vether0 & + nohup sh /etc/netstart vether0 & cd $basedir sh /etc/rc.local - ;; + if [[ ! -e /root/.ssh/id_ed25519 ]]; then + cat /dev/zero | ssh-keygen -t ed25519 -N "" -C "root@$hostname.$landomainname" -f /root/.ssh/id_ed25519 + cat /dev/zero | ssh-keygen -N "" -C "root@$hostname.$landomainname" -f /root/.ssh/id_rsa + fi + echo "Add your new id_ed25519.pub to the repository and update others hosts and the CA server" + cat /root/.ssh/id_ed25519.pub + ;; "users") echo "vmail, dsync, _iperfd, wwwuser" if ! getent passwd vmail 1>&-; then 
@@ -113,23 +622,22 @@ function configuration { if ! getent passwd wwwftp 1>&-; then useradd -u 2003 -g =uid -c "WWW Ftpd user" -d /var/www/htdocs -s /root/Bin/fake_shell.sh wwwftp fi - for file in src/home/taglio/Bin/*; do + for file in $basedir/src/home/taglio/Bin/*; do if [[ -e "$file" ]]; then install -o taglio -g wheel -m 0750 $file /home/taglio/Bin/ - mv $file $backups fi done - if [[ ! -e /home/taglio/.ssh/id_ed25519 ]]; then - doas -u taglio ssh-keygen -t ed25519 -N "" -f /home/taglio/.ssh/id_ed25519 - fi;; + + + ;; "scripts") - for file in src/root/Bin/*.sh; do + for file in $basedir/src/root/Bin/*.sh; do if [[ -e "$file" ]]; then install -o root -g wheel -m 0700 $file /root/Bin/ fi done cleanold "/root/Bin/" - ;; + ;; "unbound") pidof_unbound=$(pidof "unbound") if [[ -z $pidof_unbound ]]; then 
@@ -137,239 +645,863 @@ function configuration { fi case $subphase in "local") - unbound-anchor -a /var/unbound/db/root.key + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/db/root.key /var/unbound/db/ wget --no-check-certificate https://192.0.47.9/domain/named.root -O /var/unbound/db/root.hints - install -o _unbound -g _unbound -m 0750 src/var/unbound/db/ca-certificates.crt /var/unbound/db/ - chown_unbound:_unbound /var/unbound/db/* - install -o _unbound -g _unbound -m 0750 src/var/unbound/etc/unbound-local.conf /var/unbound/etc/unbound.conf - install -o _unbound -g _unbound -m 0750 src/var/unbound/etc/remote-control.conf /var/unbound/etc/ - install -o _unbound -g _unbound -m 0750 src/var/unbound/etc/forward-zone.conf /var/unbound/etc/ + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/db/ca-certificates.crt /var/unbound/db/ + chown _unbound:_unbound /var/unbound/db/* + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/etc/unbound-local.conf /var/unbound/etc/unbound.conf + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/etc/remote-control.conf /var/unbound/etc/ + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/etc/forward-zone.conf /var/unbound/etc/ + custom "/var" "2" if [[ -z $pidof_unbound ]]; then rcctl start unbound || error_exit "$LINENO: ERROR: UNBOUND failed." else rcctl restart unbound || error_exit "$LINENO: ERROR: UNBOUND failed." 
fi - cleanold "/var/unbound/etc/" - ;; - "network") - install -o _unbound -g _unbound -m 0750 src/var/unbound/etc/unbound.conf /var/unbound/etc/unbound.conf - install -o _unbound -g _unbound -m 0750 src/var/unbound/etc/stub-zone.conf /var/unbound/etc/stub-zone.conf + ;; + "ipsec") + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/etc/unbound.conf /var/unbound/etc/unbound.conf + install -o _unbound -g _unbound -m 0750 $basedir/src/var/unbound/etc/stub-zone.conf /var/unbound/etc/stub-zone.conf rcctl restart unbound || error_exit "$LINENO: ERROR: UNBOUND failed." - cleanold "/var/unbound/etc/" - ;; + ;; esac - ;; + ;; "ssh") - for file in src/etc/ssh/*; do - if [[ -e "$file" ]]; then - install -o root -g wheel -m 0650 $file /etc/ssh/ - fi - done - rcctl restart sshd || error_exit "$LINENO: ERROR: UNBOUND failed." - cleanold "/etc/ssh/";; + publickey=$(ssh-keyscan -t ed25519 ::1 | sed "s/::1/[$publicip,$routerid]/") + sshfp=$(ssh-keyscan -D -t ed25519 ::1 | sed "s/::1/$hostname/") + if [[ ! -d /etc/ssh/ca ]]; then + mkdir -p /etc/ssh/ca/principals + fi + case $subphase in + "public") + install -o root -g wheel -m 0640 $basedir/src/etc/ssh/sshd_public /etc/ssh/sshd_config + install -o root -g wheel -m 0640 $basedir/src/etc/ssh/ssh_config /etc/ssh/ + install -o root -g wheel -m 0640 $basedir/src/etc/ssh/ssh_known_hosts /etc/ssh + install -o root -g wheel -m 0640 $basedir/src/etc/ssh/authorized_keys /etc/ssh/ + workstahost=$(cat /etc/ssh/authorized_keys | cut -d @ -f2) + if [[ ! -d "/tmp/$workstahost.$landomainname" ]]; then + mkdir "/tmp/$workstahost.$landomainname" + else + rm -rf "/tmp/$workstahost.$landomainname" + mkdir "/tmp/$workstahost.$landomainname" + fi + custom "/etc/ssh" "2" + custom "/etc" "1" + rcctl restart sshd || error_exit "$LINENO: ERROR: SSHD failed." + ;; + "ipsec") + ;; + esac + if [[ ! 
-d "/tmp/ca.$landomainname" ]]; then + mkdir "/tmp/ca.$landomainname" + else + rm -rf "/tmp/ca.$landomainname" + mkdir "/tmp/ca.$landomainname" + fi + echo $sshfp > "/tmp/ca.$landomainname/$landomainname.zone" + ;; "ipsec") - iked_ca_reset.sh - install -o root -g wheel -m 0640 src/etc/iked/ca/ca.crt /etc/iked/ca/ - ssl_pk12_cert_pub_priv_extract.sh "/tmp/$subphase.p12" + if [[ -e "/etc/iked.conf" ]]; then + rm -rf /etc/{iked,iked.conf,iked.conf.*} + else + rm -rf /etc/iked + fi + mkdir -p /etc/iked/{ca,certs,crls,export,private,pubkeys} + mkdir -p /etc/iked/pubkeys/{ipv4,ipv6,fqdn,ufqdn} + cd $basedir + install -o root -g wheel -m 0644 $basedir/src/etc/iked/ca/ca.crt /etc/iked/ca/ + openssl pkcs12 -nodes -in "/tmp/$publichost.p12" -nocerts -passin pass:123456789 -passout pass:123456789 -out /etc/iked/private/local.key + openssl pkcs12 -nodes -in "/tmp/$publichost.p12" -clcerts -nokeys -passin pass:123456789 -passout pass:123456789 -out "/etc/iked/certs/$publichost.crt" + openssl x509 -pubkey -noout -passin pass:123456789 -in "/etc/iked/certs/$publichost.crt" > /etc/iked/local.pub + for file in $(find $basedir/src/etc/iked/pubkeys/ufqdn/ -name "*@*"); do + install -o root -g wheel -m 0644 $file /etc/iked/pubkeys/ufqdn/ + done rcctl enable iked rcctl set iked flags "-vv" - for file in src/etc/iked.conf* ; do - if [[ -e "$file" ]]; then - install -o root -g wheel -m 0640 $file /etc/ + typeset -i i + i=0 + install -o root -g wheel -m 0640 $basedir/src/etc/iked.conf /etc/ + custom "/etc" "1" + for vpnc_ip in $(dig vpnc.$domainname A +short @8.8.8.8) + do + vpnc_host=$(dig -x $vpnc_ip +short @8.8.8.8 | sed 's/.$//') + vpnc_ips[i]="$vpnc_ip" + vpnc_hosts[i]="$vpnc_host" + if [ ! 
-d "/tmp/$vpnc_host" ]; then + mkdir "/tmp/$vpnc_host" + else + rm -rf "/tmp/$vpnc_host" + mkdir "/tmp/$vpnc_host" fi + + echo include \"/etc/iked.conf.$vpnc_host\" >> /etc/iked.conf + if [[ $(nc -w1 $vpnc_ip 22 | grep -c "ROSSSH") -eq 1 ]]; then + install -o root -g wheel -m 0640 $basedir/src/etc/iked.conf.mikrotik "/etc/iked.conf.$vpnc_host" + if [[ -e "/tmp/$vpnc_host/$vpnc_host.rsc" ]]; then + rm -rf "/tmp/$vpnc_host/$vpnc_host.rsc" + fi + cp $basedir/src/mikrotik/ipsec.rsc "/tmp/$vpnc_host/$vpnc_host.rsc" + sed -i "s/\/POPIP\//$vpnc_ip/g" "/tmp/$vpnc_host/$vpnc_host.rsc" + sed -i "s/\/POP\//$vpnc_host/g" "/tmp/$vpnc_host/$vpnc_host.rsc" + elif [[ $(nc -w1 $vpnc_ip 22 | grep -c "ROSSSH") -eq 0 ]]; then + install -o root -g wheel -m 0640 $basedir/src/etc/iked.conf.openbsd "/etc/iked.conf.$vpnc_host" + cp $basedir/src/openbsd/iked.conf.openbsd "/tmp/$vpnc_host/iked.conf.$publichost" + x=$((RANDOM%2+1)) + case $x in + 1) + sed -i "s/\/TYPE\//active/g" "/etc/iked.conf.$vpnc_host" + sed -i "s/\/TYPE\//passive/g" "/tmp/$vpnc_host/iked.conf.$publichost" + + ;; + 2) + sed -i "s/\/TYPE\//passive/g" "/etc/iked.conf.$vpnc_host" + sed -i "s/\/TYPE\//active/g" "/tmp/$vpnc_host/iked.conf.$publichost" + ;; + esac + sed -i "s/\/POPIP\//$vpnc_ip/g" "/tmp/$vpnc_host/iked.conf.$publichost" + sed -i "s/\/POP\//$vpnc_host/g" "/tmp/$vpnc_host/iked.conf.$publichost" + srcid=$(hostname -s) + if [[ "$srcid" == "varuna" ]]; then + srcid="neo" + fi + sed -i "s/\/POPID\//$srcid/g" "/tmp/$vpnc_host/iked.conf.$publichost" + fi + sed -i "s/\/POPIP\//$vpnc_ip/g" "/etc/iked.conf.$vpnc_host" + sed -i "s/\/POP\//$vpnc_host/g" "/etc/iked.conf.$vpnc_host" + sed -i "s/\/X\//$i/g" "/etc/iked.conf.$vpnc_host" + install -o root -g wheel -m 0640 $basedir/src/etc/hostname.enc-X- "/etc/hostname.enc$i" + sed -i "s/\/POP\//$vpnc_host/g" "/etc/hostname.enc$i" + sh /etc/netstart "enc$i" + i=$i+1 done - install -o root -g wheel -m 0640 src/etc/iked.conf /etc/ - rcctl start iked - cleanold "/etc/";; - "gre") - 
for file in src/etc/hostname.gre? ; do - if [[ -e "$file" ]]; then - install -o root -g wheel -m 0700 $file /etc/ - sh /etc/netstart $(echo $file | awk -F. '{print $2}') + dyndnshost=$(dig vpnc.$domainname TXT +short @8.8.8.8 | sed 's/\"//g') + if [[ ! -d "/tmp/$dyndnshost" ]]; then + mkdir "/tmp/$dyndnshost" + else + rm -rf "/tmp/$dyndnshost" + mkdir "/tmp/$dyndnshost" + fi + echo include \"/etc/iked.conf.$dyndnshost\" >> /etc/iked.conf + install -o root -g wheel -m 0640 $basedir/src/etc/iked.conf.edgeos "/etc/iked.conf.$dyndnshost" + sed -i "s/\/POPIP\//$(dig $dyndnshost A +short | tail -n 1)/g" "/etc/iked.conf.$dyndnshost" + sed -i "s/\/POP\//$dyndnshost/g" "/etc/iked.conf.$dyndnshost" + sed -i "s/\/X\//$i/g" "/etc/iked.conf.$dyndnshost" + install -o root -g wheel -m 0640 $basedir/src/etc/hostname.enc-X- "/etc/hostname.enc$i" + sed -i "s/\/POP\//$dyndnshost/g" "/etc/hostname.enc$i" + sh /etc/netstart "enc$i" + cp $basedir/src/edgeos/ipsec.conf "/tmp/$dyndnshost/" + cp "/etc/iked/certs/$publichost.crt" "/tmp/$dyndnshost/" + find /etc/ -type f -name "iked.*" | xargs -I {} + custom "/tmp" "2" + custom "/etc" "1" + rcctl start iked || error_exit "$LINENO: ERROR: IKED failed." + ;; + "gre") + if [[ -e "/etc/hostname.gre0" ]]; then + rm -rf /etc/hostname.gre? 
+ fi + typeset -i i + typeset -i lasttun + lasttun=$(dig gre18994.$domainname TXT +short @8.8.8.8 | sed 's/\"//g') + lasttun=$lasttun+1 + i=0 + for file in $(find /etc -maxdepth 1 -name "iked.conf.*") ; do + install -o root -g wheel -m 0640 $basedir/src/etc/hostname.gre-X- "/etc/hostname.gre$i" + pophost=$(echo $file | sed "s/\/etc\/iked.conf.//") + sed -i "s/\/POPHOST\//$pophost/g" "/etc/hostname.gre$i" + if [ "$pophost" == "uk.telecomlobby.com" ]; then + sed -i "s/\/GROUP\//nsd/g" "/etc/hostname.gre$i" + else + sed -i "s/\/GROUP\//gre/g" "/etc/hostname.gre$i" fi + sed -i "s/\/PUBLICIP\//$publicip/g" "/etc/hostname.gre$i" + sed -i "s/\/X\//$i/g" "/etc/hostname.gre$i" + count=$(dig $pophost A +short @8.8.8.8 | wc -l) + if [[ $count -gt 1 ]]; then + popip=$(dig $pophost A +short @8.8.8.8 | tail -n 1) + else + popip=$(dig $pophost A +short @8.8.8.8) + fi + sed -i "s/\/POPIP\//$popip/g" "/etc/hostname.gre$i" + if [ $i -eq 0 ]; then + typeset -i lastnet + lastnet=$(dig gre7058.$domainname TXT +short @8.8.8.8 | sed 's/\"//g') + else + lastnet=$lastnet-4 + fi + typeset -i grepopip + grepopip=$lastnet-2 + sed -i "s/\/GREPOPIP\//10.10.10.$grepopip/g" "/etc/hostname.gre$i" + typeset -i grelocalip + grelocalip=$lastnet-3 + sed -i "s/\/GRELOCALIP\//10.10.10.$grelocalip/g" "/etc/hostname.gre$i" + if grep -q "ecp384" $file; then + cat $basedir/src/mikrotik/gre.rsc >> "/tmp/$pophost/$pophost.rsc" + sed -i "s/\/GREPOPIP\//10.10.10.$grepopip\/32/g" "/tmp/$pophost/$pophost.rsc" + sed -i "s/\/HOSTNAME\//$hostname/g" "/tmp/$pophost/$pophost.rsc" + sed -i "s/\/PUBLICIP\//$publicip/g" "/tmp/$pophost/$pophost.rsc" + elif grep -q "ecp256" $file; then + cp $basedir/src/edgeos/scripts/ES-SRCID-_netwatch.sh "/tmp/$pophost/ES-${publichostname}_netwatch.sh" + cp $basedir/src/edgeos/scripts/ES-SRCID--updown.sh "/tmp/$pophost/ES-$publichostname-updown.sh" + cp $basedir/src/edgeos/gre.sh "/tmp/$pophost/" + sed -i "s/\/GREPOPIP\//10.10.10.$grepopip/g" 
"/tmp/$pophost/ES-${publichostname}_netwatch.sh" + sed -i "s/\/GREPOPIP\//10.10.10.$grepopip/g" "/tmp/$pophost/gre.sh" + sed -i "s/\/PUBLICHOSTNAME\//$publichostname/g" "/tmp/$pophost/ES-${publichostname}_netwatch.sh" + sed -i "s/\/TUN\//tun$lasttun/g" "/tmp/$pophost/ES-${publichostname}_netwatch.sh" + sed -i "s/\/TUN\//tun$lasttun/g" "/tmp/$pophost/ES-$publichostname-updown.sh" + sed -i "s/\/TUN\//tun$lasttun/g" "/tmp/$pophost/gre.sh" + else + cp $basedir/src/openbsd/hostname.gre.openbsd "/tmp/$pophost/hostname.gre$lasttun" + cp $basedir/src/openbsd/hostname.enc.openbsd "/tmp/$pophost/hostname.enc$lasttun" + sed -i "s/\/PUBLICHOST\//$publichost/g" "/tmp/$pophost/hostname.gre$lasttun" + sed -i "s/\/PUBLICHOST\//$publichost/g" "/tmp/$pophost/hostname.enc$lasttun" + sed -i "s/\/X\//$lasttun/g" "/tmp/$pophost/hostname.gre$lasttun" + sed -i "s/\/X\//$lasttun/g" "/tmp/$pophost/iked.conf.$publichost" + sed -i "s/\/POPIP\//$popip/g" "/tmp/$pophost/hostname.gre$lasttun" + sed -i "s/\/PUBLICIP\//$publicip/g" "/tmp/$pophost/hostname.gre$lasttun" + sed -i "s/\/GREPOPIP\//10.10.10.$grepopip/g" "/tmp/$pophost/hostname.gre$lasttun" + sed -i "s/\/GRELOCALIP\//10.10.10.$grelocalip/g" "/tmp/$pophost/hostname.gre$lasttun" + fi + i=$i+1 + done + lastnet=$lastnet-4 + echo "update gre7058.$domainname TXT to $lastnet \ + \n gre18994.$domainname TXT to $lasttun \n" + custom "/etc" "1" + for file in /etc/hostname.gre? ; do + sh /etc/netstart $(echo $file | awk -F. '{print $2}') done - cleanold "/etc/";; + ;; "pf") - for file in src/etc/pf.* ; do + for file in $basedir/src/etc/pf.* ; do if [[ -e "$file" ]]; then - install -o root -g wheel -m 0700 $file /etc/ + install -o root -g wheel -m 0640 $file /etc/ fi done - cleanold "/etc/" - pfctl -nf /etc/pf.conf || error_exit "$LINENO: ERROR: PF failed." 
- pfctl -f /etc/pf.conf;; + for vpnc_ip in $(dig vpnc.$domainname A +short @8.8.8.8); do + echo "$vpnc_ip/32" >> /etc/pf.conf.table.ipsec + done + for vpnc_ip in $(dig vpncN.$domainname A +short @8.8.8.8); do + echo "$vpnc_ip/32" >> "$tmpdir/pf.conf.table.ipsec" + done + for vpnc_host in $(dig vpnc.telecomlobby.com TXT +short @8.8.8.8 | sed 's/\"//g'); do + vpnc_ip=$(dig $vpnc_host A +short @8.8.8.8 | tail -n 1) + if [[ ! -z $vpnc_ip ]]; then + echo "$vpnc_ip/32" >> /etc/pf.conf.table.ipsec + fi + done + for file in $(find /tmp -name "*.rsc"); do + cat $basedir/src/mikrotik/firewall.rsc >> "$file" + sed -i "s/\/HOSTNAME\//${hostname}/g" $file + done + for file in $(find /etc -maxdepth 1 -name "iked.conf.*") ; do + tagged=$(echo $file | sed "s/\/etc\/iked.conf.//") + count=$(dig $tagged A +short @8.8.8.8 | wc -l) + if [[ $count -gt 1 ]]; then + iptagged=$(dig $tagged A +short @8.8.8.8 | tail -n 1) + else + iptagged=$(dig $tagged A +short @8.8.8.8) + fi + sed -i "s/\/TAGGED\//${tagged}/g" /etc/pf.conf.macro.enc.{in,out} + sed -i "s/\/IPTAGGED\//${iptagged}/g" /etc/pf.conf.macro.enc.{in,out} + cat $basedir/src/openbsd/pf.conf.openbsd | head -n 1 >> /etc/pf.conf.macro.enc.in + cat $basedir/src/openbsd/pf.conf.openbsd | tail -n 1 >> /etc/pf.conf.macro.enc.out + done + sed -i '$d' /etc/pf.conf.macro.enc.{in,out} + + custom "/etc" "1" + pfctrl=$(pfctl -nf /etc/pf.conf) + if [[ -z $pfctrl ]]; then + echo "PF ruleset OK" + fi + ;; "ospf") rcctl enable ospfd - install -o root -g wheel -m 0600 src/etc/ospfd.conf /etc/ - cleanold "/etc/" - rcctl start ospfd || error_exit "$LINENO: ERROR: OSPFD failed.";; + install -o root -g wheel -m 0600 $basedir/src/etc/ospfd.conf /etc/ + sed -i "s/\/ROUTERID\//$routerid/g" /etc/ospfd.conf + for file in $(find /etc/ -name "hostname.gre?" -maxdepth 1); do + x=$(basename $file | cut -d . -f2 | sed "s/gre//g") + sed -i "s/\/X\//$x/g" /etc/ospfd.conf + ospfmd5=$(tr -cd '[:alnum:],.' 
< /dev/urandom | fold -w 15 | head -n 1) + sed -i "s/\/OSPFMD5\//${ospfmd5}/g" /etc/ospfd.conf + pophost=$(cat /etc/`basename $file` | head -n 1 | cut -d ' ' -f2 | sed "s/\"//g") + #popip=$(dig -x $pophost +short @8.8.8.8) + typeset -i latency=$(ping -c4 $popip | tail -1| awk '{print $4}' | cut -d '/' -f 2 | cut -d . -f1) + typeset -i metric=$(expr $latency / 2) + sed -i "s/\/METRIC\//${metric}/g" /etc/ospfd.conf + cat $basedir/src/openbsd/ospfd.conf.openbsd >> /etc/ospfd.conf + if [[ $(ls "/tmp/$pophost/" | grep -c "hostname") -eq 2 ]]; then + typeset -i lasttun + lasttun=$(dig gre18994.$domainname TXT +short @8.8.8.8 | sed 's/\"//g') + lasttun=$lasttun+1 + cp $basedir/src/openbsd/ospfd.conf.openbsd "/tmp/$pophost/ospfd.conf" + sed -i "s/\/X\//$lasttun/g" "/tmp/$pophost/ospfd.conf" + sed -i "s/\/METRIC\//${metric}/g" "/tmp/$pophost/ospfd.conf" + sed -i "s/\/OSPFMD5\//${ospfmd5}/g" "/tmp/$pophost/ospfd.conf" + elif [[ $(ls "/tmp/$pophost/" | grep -c "rsc") -eq 2 ]]; then + pophostname=$(echo $pophost | cut -d . -f1) + cp $basedir/src/mikrotik/ospfd.rsc "/tmp/$pophost" + sed -i "s/\/HOSTNAME\//${hostname}/g" "/tmp/$pophost/ospfd.rsc" + sed -i "s/\/OSPFMD5\//${ospfmd5}/g" "/tmp/$pophost/ospfd.rsc" + sed -i "s/\/METRIC\//${metric}/g" "/tmp/$pophost/ospfd.rsc" + typeset -u pophostname=$pophostname + sed -i "s/\/POPHOSTNAME\//${pophostname}/g" "/tmp/$pophost/ospfd.rsc" + greip=$(ifconfig `basename $file | cut -d . 
-f2` | grep inet | cut -d ' ' -f2 | tail -n 1) + grenetwork=$(ipcalc -c $greip / 30 | grep network | awk '{ print $3 }') + sed -i "s/\/GRENETWORK\//${grenetwork}/g" "/tmp/$pophost/ospfd.rsc" + cat "/tmp/$pophost/ospfd.rsc" >> "/tmp/$pophost/$pophost.rsc" + elif [[ $(ls "/tmp/$pophost/" | grep -c "netwatch") -eq 1 ]]; then + tunif=$(cat "/tmp/$pophost/gre.sh" | awk '{ print $4 }' | grep tun | head -n 1) + cp $basedir/src/edgeos/ospf.sh "/tmp/$pophost/" + sed -i "s/\/TUNIF\//${tunif}/g" "/tmp/$pophost/ospf.sh" + sed -i "s/\/OSPFMD5\//${ospfmd5}/g" "/tmp/$pophost/ospf.sh" + sed -i "s/\/METRIC\//${metric}/g" "/tmp/$pophost/ospf.sh" + fi + done + cat /etc/ospfd.conf | sed -n -e :a -e '1,12!{P;N;D;};N;ba' > /tmp/ospfd.conf + mv /tmp/ospfd.conf /etc/ospfd.conf + echo "}" >> /etc/ospfd.conf + chmod 600 /etc/ospfd.conf + custom "/etc" "1" + pidof_ospfd=$(pidof "ospfd") + if [[ -z $pidof_ospfd ]]; then + rcctl start ospfd || error_exit "$LINENO: ERROR: OSPFD failed." + else + rcctl restart ospfd || error_exit "$LINENO: ERROR: OSPFD failed." + fi + ;; "ntpd") - install -o root -g wheel -m 0644 src/etc/ntpd.conf /etc/ + install -o root -g wheel -m 0644 $basedir/src/etc/ntpd.conf /etc/ cleanold "/etc/" - rcctl restart ntpd || error_exit "$LINENO: ERROR: NTPD failed.";; + rcctl restart ntpd || error_exit "$LINENO: ERROR: NTPD failed." + ;; + "remote") + + for file in $(find /tmp -type d -maxdepth 1); do + filename=$(basename $file) + typeset -i dots=$(echo $filename| tr -cd '.' | wc -c) + if [[ $dots -eq 2 ]]; then + if [[ $(ls $file/ | grep -c "hostname") -eq 2 ]]; then + tar -cvf "/tmp/$filename.tar" -C /tmp -s /tmp// $file + sha256 -q "$file.tar" > "/tmp/$filename.sha256" + if [[ ! -d "/var/www/htdocs/$publichost" ]]; then + mkdir "/var/www/htdocs/$publichost" + fi + mv "/tmp/$filename.tar" "/var/www/htdocs/$publichost" + mv "/tmp/$filename.sha256" "/var/www/htdocs/$publichost" + rm -rf $file + fi + fi + done + if [[ ! 
-d /etc/ssh/remote_install ]]; then + mkdir /etc/ssh/remote_install + else + rm -rf /etc/ssh/remote_install + mkdir /etc/ssh/remote_install + fi + for file in $(find $basedir/src/etc/ssh/remote_install/ -type f); do + filename=$(basename $file) + if [[ "$filename" != "rc.local" ]]; then + install -o root -g wheel -m 0640 $file /etc/ssh/remote_install/ + elif [[ "$filename" == "rc.local" ]]; then + cat $file >> /etc/rc.local + fi + done + custom "/etc/ssh/remote_install" "1" + install -o root -g wheel -m 0750 $basedir/src/usr/local/sbin/remote-install /usr/local/sbin/ + pidof_remote=$(pidof "remote") + if [[ -z $pidof_remote ]]; then + /usr/sbin/sshd -f /etc/ssh/remote_install/remote_install.conf + else + kill -9 $(cat /var/run/sshd-remote-install.pid) + /usr/sbin/sshd -f /etc/ssh/remote_install/remote_install.conf + fi + install -o root -g wheel -m 0640 $basedir/src/etc/httpd.conf.acmefirst /etc/httpd.conf + custom "/etc/" "1" + httpd -n + pidof_httpd=$(pidof "httpd") + if [[ -z $pidof_remote ]]; then + rcctl enable httpd + rcctl start httpd || error_exit "$LINENO: ERROR: HTTPD failed." + else + rcctl restart httpd + fi + echo "connecting to remote OpenBSD MESH hosts..." + for file in $(find /etc -maxdepth 1 -name "iked.conf.*" -type f); do + if [[ $(grep -c "brainpool512" $file) -eq 1 ]]; then + remotehost=$(echo $file | sed "s/\/etc\/iked.conf.//") + ssh -p 31137 $remotehost -v + fi + done + sleep 31 + + + + ;; + + "relayd") + + install -o root -g wheel -m 0640 $basedir/src/etc/relayd.conf /etc/ + custom "/etc" "1" + sed -i "s/\/PUBV6\//${ipv6egress}/g" /etc/relayd.conf + rcctl enable relayd + ;; + "smtpd") + pkg "smtpd" + ;; esac } -echo "changing installurl" -ctrl= -while [ -z $ctrl ] -do - echo -n 'Go ahead type 1 ' - read ctrl - if [[ "$ctrl" -eq 1 ]]; then - install -o root -g wheel -m 0644 src/etc/installurl /etc/ - else - error_exit "$LINENO: EXIT FROM USER." 
- fi - -done -echo "adding basic shell packages" -ctrl= -while [ -z $ctrl ] -do - echo -n 'Go ahead type 1 ' - read ctrl - if [[ "$ctrl" -eq 1 ]]; then - pkg "shell" - else - error_exit "$LINENO: EXIT FROM USER." - fi - -done -echo "installing automatic update \n" -if [[ ! -e "/etc/daily.local" ]]; then - install -o root -g wheel -m 0640 src/etc/daily.local /etc/ -elif ! grep -q "pkg_add" "/etc/daily.local"; then - cat src/etc/daily.local >> "/etc/daily.local" -fi -rcctl disable sndiod -rcctl stop sndiod -rcctl disable check_quotas -echo "configuring users" -ctrl= -while [ -z $ctrl ] -do - echo -n 'Go ahead type 1 ' - read ctrl - if [[ "$ctrl" -eq 1 ]]; then - if [ ! -d /root/Bin ]; then - mkdir /root/Bin - chmod 700 /root/Bin +case $1 in + "-I") + configini= + if [[ ! -e "/tmp/config.ini" ]]; then + touch "/tmp/config.ini" + else + echo "Type 1 to use /tmp/config.ini " + read configini fi - if [ ! -d /root/Backups ]; then - mkdir /root/Backups - chmod 700 /root/Backups + + echo "changing IPv4 from dynamic to static on $egressinterface and do a perfect IPv6" + if [[ $configini -eq 1 ]]; then + ipv6ctrl=$(cat /tmp/config.ini | grep ipv6ctrl |cut -d \# -f2) + case $ipv6ctrl in + "static") + ipv6egress=$(cat /tmp/config.ini | grep ipv6egress |cut -d \# -f2) + ipv6prefix=$(cat /tmp/config.ini | grep ipv6prefix |cut -d \# -f2) + ipv6defrouter=$(cat /tmp/config.ini | grep ipv6defrouter |cut -d \# -f2) + ;; + "dynamic") + ;; + esac + configuration "static" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + echo "static#$ctrl" > /tmp/config.ini + while [ -z $ipv6ctrl ] + do + echo -n 'Is the IPv6 address on the egress interface static or dynamic?\n' + read ipv6ctrl + echo "ipv6ctrl#$ipv6ctrl" >> /tmp/config.ini + case $ipv6ctrl in + "static") + echo -n 'Type the IPv6 address without prefixlen ' + read ipv6egress + echo -n 'Type the prefixlen ' + read ipv6prefix + echo -n 'Type the IPv6 default route ' + read 
ipv6defrouter + echo "ipv6egress#$ipv6egress" >> /tmp/config.ini + echo "ipv6prefix#$ipv6prefix" >> /tmp/config.ini + echo "ipv6defrouter#$ipv6defrouter" >> /tmp/config.ini + ;; + "dynamic") + ipv6egress=$(slaacctl show interface | grep 2001 | awk 'NR>2' | head -n 1 | cut -d , -f1) + ipv6prefix=$(slaacctl show interface | grep 2001 | awk 'NR>2' | head -n 1 | cut -d \/ -f2) + ipv6defrouter=$(netstat -rn -f inet6 | awk 'NR>8' | head -n 1 | awk '{print $2}') + ;; + *) + echo -n "Please type static or dynamic \n" + continue + ;; + esac + done + configuration "static" + else + error_exit "$LINENO: EXIT FROM USER." + fi + + done fi - if [ ! -d /home/taglio/Bin ]; then - mkdir /home/taglio/Bin - chown taglio:wheel /home/taglio/Bin + echo "changing installurl" + if [[ $configini -eq 1 ]]; then + install -o root -g wheel -m 0644 $basedir/src/etc/installurl /etc/ + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + install -o root -g wheel -m 0644 $basedir/src/etc/installurl /etc/ + echo "installurl#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + + done + fi + echo "adding basic shell packages" + if [[ $configini -eq 1 ]]; then + pkg "shell" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + pkg "shell" + echo "shell#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + + done fi - - configuration "users" - configuration "scripts" - else - error_exit "$LINENO: EXIT FROM USER." - fi - -done - -hostname= -while [ -z $hostname ] -do - echo -n 'Type the hostname ' - read hostname - echo $hostname > conf/hostname - find . -type f | xargs -I {} sed -i "s/\/HOSTNAME\//$hostname/g" {} -done -routerid= -while [ -z $routerid ] -do - echo -n 'Type the routerid ' - read routerid - echo $routerid > conf/routerid - find . 
-type f | xargs -I {} sed -i "s/\/ROUTERID\//$routerid/g" {} -done -publichost= -while [ -z $publichost ] -do - echo -n 'Type the publichost ' - read publichost - echo $publichost > conf/publichost - find . -type f | xargs -I {} sed -i "s/\/PUBLICHOST\//$publichost/g" {} -done -echo $publicip > conf/publicip -echo $dyndns > conf/dyndns -find . -type f | xargs -I {} sed -i "s/\/PUBLICIP\//$publicip/g" {} -find . -type f | xargs -I {} sed -i "s/\/DYNDNS\//$dyndns/g" {} -publickey=$(ssh-keyscan -t ed25519 ::1 | sed "s/::1/[$publicip,$routerid]/") -if grep -q "$publickey" src/etc/ssh/ssh_known_hosts; then - echo $publickey >> src/etc/ssh/ssh_known_hosts -fi -sshfp=$(ssh-keyscan -D -t ed25519 ::1 | sed "s/::1/$hostname/") -echo $sshfp > conf/sshfp -echo "configuring basic" -ctrl= -while [ -z $ctrl ] -do - echo -n 'Go ahead type 1 ' - read ctrl - if [[ "$ctrl" -eq 1 ]]; then - configuration "basic" - else - error_exit "$LINENO: EXIT FROM USER." - fi - -done -echo "configuring unbound" -ctrl= -while [ -z $ctrl ] -do - echo -n 'Go ahead type 1 ' - read ctrl - if [[ "$ctrl" -eq 1 ]]; then - configuration "unbound" "local" - else - error_exit "$LINENO: EXIT FROM USER." - fi - -done -echo -n "configuring ssh \ - \nplease add \ - \n${publickey} \ - \nto ~/.ssh/known_hosts \ - \nto the others nodes \ - \nplease add \ - \n${sshfp} \ - \nto /var/nsd/zones/master/telecom.lobby.zone in cyberanarkhia \ - \n" -ctrl= -while [ -z $ctrl ] -do - echo -n 'Go ahead type 1 ' - read ctrl - if [[ "$ctrl" -eq 1 ]]; then - configuration "ssh" - else - error_exit "$LINENO: EXIT FROM USER." - fi -done -echo -n "configuring ipsec \ - \nplease add ${publicip}/32 to \ - \n/etc/pf.conf/table.ipsec \ - \nto the others nodes and reload them! \ - \n" -ctrl= -while [ -z $ctrl ] -do - echo -n 'Go ahead type 1 ' - read ctrl - if [[ "$ctrl" -eq 1 ]]; then - configuration "ipsec" $publichost - else - error_exit "$LINENO: EXIT FROM USER." 
- fi -done + rcctl disable sndiod + rcctl disable check_quotas + rcctl stop sndiod + + echo "configuring users" + if [[ $configini -eq 1 ]]; then + if [ ! -d /root/Bin ]; then + mkdir /root/Bin + chmod 700 /root/Bin + fi + if [ ! -d /root/Backups ]; then + mkdir /root/Backups + chmod 700 /root/Backups + fi + if [ ! -d /home/taglio/Bin ]; then + mkdir /home/taglio/Bin + chown taglio:wheel /home/taglio/Bin + fi + + configuration "users" + configuration "scripts" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + if [ ! -d /root/Bin ]; then + mkdir /root/Bin + chmod 700 /root/Bin + fi + if [ ! -d /root/Backups ]; then + mkdir /root/Backups + chmod 700 /root/Backups + fi + if [ ! -d /home/taglio/Bin ]; then + mkdir /home/taglio/Bin + chown taglio:wheel /home/taglio/Bin + fi + + configuration "users" + configuration "scripts" + echo "users#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + + done + fi + if [[ $configini -eq 1 ]]; then + hostname=$(cat /tmp/config.ini | grep hostname |cut -d \# -f2) + else + hostname= + while [ -z $hostname ] + do + echo 'Type the hostname ' + read hostname + echo "hostname#$hostname" >> /tmp/config.ini + done + fi + if [[ $configini -eq 1 ]]; then + landomainname=$(cat /tmp/config.ini | grep landomainname |cut -d \# -f2) + else + landomainname= + while [ -z $landomainname ] + do + echo 'Type the LAN domain name ' + read landomainname + echo "landomainname#$landomainname" >> /tmp/config.ini + done + fi + if [[ $configini -eq 1 ]]; then + routerid=$(cat /tmp/config.ini | grep routerid |cut -d \# -f2) + else + routerid= + while [ -z $routerid ] + do + echo 'Type the routerid ' + read routerid + echo "routerid#$routerid" >> /tmp/config.ini + done + fi + srcid=$(print $publichost | cut -d . 
-f1) + typeset -u publichostname=$srcid + domainname=$(print $publichost | sed "s/$srcid.//") + for a in $(dig ipsec20591.$domainname TXT +short @8.8.8.8 | sed "s/\"//g" | tr \; '\n' | sed '$d'); do + b=$(echo $a | cut -d : -f1) + if [ "$b" = "$srcid" ]; then + srcid=$(echo $a | cut -d : -f2) + fi + done + + echo "configuring basic" + if [[ $configini -eq 1 ]]; then + configuration "basic" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "basic" + echo "basic#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + + done + fi + echo "configuring unbound \n" + if [[ $configini -eq 1 ]]; then + sleep 3 + configuration "unbound" "local" + else + ctrl= + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "unbound" "local" + echo "unbound#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + fi + echo "configuring ssh \n" + if [[ $configini -eq 1 ]]; then + configuration "ssh" "public" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "ssh" "public" + echo "ssh#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + done + fi + echo "configuring ipsec \ + \nplease add ${publicip}/32 to \ + \n/etc/pf.conf/table.ipsec \ + \nto the others nodes and reload them! \ + \n" + if [[ $configini -eq 1 ]]; then + configuration "ipsec" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "ipsec" + echo "ipsec#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." 
+ fi + done + fi + if [[ $configini -eq 1 ]]; then + configuration "gre" + else + echo "configuring gre interfaces \ + \n" + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "gre" + echo "gre#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + done + fi + echo "configuring PF firewall and others environments \n" + if [[ $configini -eq 1 ]]; then + configuration "pf" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "pf" + echo "pf#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + done + fi + + echo "configuring OSPF routing protocol \n" + if [[ $configini -eq 1 ]]; then + configuration "ospf" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "ospf" + echo "ospf#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." + fi + done + fi + + echo "preparing archives, signing them, starting httpd default host and start the remote install procedure \n" + if [[ $configini -eq 1 ]]; then + configuration "remote" + else + ctrl= + while [ -z $ctrl ] + do + echo 'Go ahead type 1 ' + read ctrl + if [[ "$ctrl" -eq 1 ]]; then + configuration "remote" + echo "remote#$ctrl" >> /tmp/config.ini + else + error_exit "$LINENO: EXIT FROM USER." 
+ fi + done + fi + sh "$basedir/$app" -U unbound_ipsec + sh "$basedir/$app" -U ssh_ipsec + echo "You successfully installed and connected a new OpenBSD MESH guerrilla host" + ;; + "-U") + if [[ $# -ne 2 ]]; then + print $0 "UPGRADE option must be followed by: \ + \n \ + \nall -> redo the installation and reset all the system \ + \nstatic \ + \nbasic \ + \nusers \ + \nscripts \ + \nunbound_ipsec\ + \nssh_ipsec\ + \nipsec \ + \ngre \ + \npf \ + \nospf \ + \nremote \ + \nremoteinstall \ + \nrelayd \ + \nnewhost \ + \n" + exit 1 + fi + case $2 in + "static") + backup "static" + configuration "static" + ;; + "basic") + pkg "shell" + backup "basic" + configuration "basic" + ;; + "static") + backup "static" + configuration "static" + ;; + "users") + backup "users" + configuration "users" + ;; + "scripts") + backup "scripts" + configuration "scripts" + ;; + "unbound_ipsec") + backup "unbound" + upgrade "unbound" + ;; + "ssh_ipsec") + backup "ssh" + upgrade "ssh" + ;; + "ipsec") + backup "ipsec" + upgrade "ipsec" + ;; + "gre") + upgrade "gre" + ;; + "pf") + backup "pf" + upgrade "pf" + ;; + "ospf") + upgrade "ospf" + ;; + "remote") + backup "remote" + upgrade "remote" + ;; + "remoteinstall") + upgrade "remoteinstall" + ;; + "relayd") + upgrade "relayd" + ;; + "newhost") + upgrade "newhost" + ;; + "all") + sh setup_node -I + + ;; + esac + ;; + "-D") + if [[ $# -ne 2 ]]; then + print $0 "DAEMONS option must be followed by: \ + \n \ + \nnsd \ + \nhttpd \ + \nsmtpd \ + \nimapd \ + \n" + exit 1 + fi + case $2 in + "smtpd") + echo "configuring smtpd" + configuration "smtpd" + ;; + esac + + ;; + *) + exit 1 + ;; +esac diff --git a/src/edgeos/gre.sh b/src/edgeos/gre.sh new file mode 100644 index 00000000..991c31f4 --- /dev/null +++ b/src/edgeos/gre.sh 
@@ -0,0 +1,16 @@ +#!/bin/vbash + +set interface tunnel /TUN/ +set interface tunnel /TUN/ address /GREPOPIP/ +set interface tunnel /TUN/ description /PUBLICHOST/ +set interface tunnel /TUN/ encapsulation gre +set interface tunnel /TUN/ firewall +set interface tunnel /TUN/ firewall local +set interface tunnel /TUN/ firewall local name GRE +set interface tunnel /TUN/ local-ip 0.0.0.0 +set interface tunnel /TUN/ mtu 1392 +set interface tunnel /TUN/ multicast enable +set interface tunnel /TUN/ remote-ip /PUBLICIP/ +set interface tunnel /TUN/ ttl 255 + + diff --git a/src/edgeos/ipsec.conf b/src/edgeos/ipsec.conf new file mode 100644 index 00000000..9001ee55 --- /dev/null +++ b/src/edgeos/ipsec.conf @@ -0,0 +1,18 @@ +conn telecomlobby-/PUBLICHOSTNAME/ + left=%defaultroute + leftsourceip=%config4 + leftauth=pubkey + leftid=%indra@ca./DOMAINNAME/ + leftprotoport=gre + leftupdown=/config/ipsec/ES/PUBLICHOSTNAME/-updown.sh + ike=aes256-sha2_256-ecp256! + esp=aes256-sha2_256-ecp256! + + + right=/PUBLICIP/ + rightsubnet=/PUBLICIP/ + rightauth=pubkey + rightid=%/PUBLICHOST/ + rightcert=/etc/ipsec.d/certs//PUBLICHOST/.crt + rightprotoport=gre + diff --git a/src/edgeos/ipsec/ES--SRCID--updown.sh b/src/edgeos/ipsec/ES--SRCID--updown.sh new file mode 100644 index 00000000..4b218092 --- /dev/null +++ b/src/edgeos/ipsec/ES--SRCID--updown.sh 
@@ -0,0 +1,27 @@ +#!/bin/bash + +set -o nounset +set -o errexit + +TUN_IFACE="tun0" +BACKUP_ROUTE="tun3" + +case "${PLUTO_VERB}" in + up-host) + echo "Putting interface ${TUN_IFACE} up" + ifconfig $TUN_IFACE up + echo "Disabling IPsec policy (SPD) for ${TUN_IFACE}" + sysctl -w "net.ipv4.conf.${TUN_IFACE}.disable_policy=1" + echo "Accepting gre keepalive" + sysctl -w "net.ipv4.conf.${TUN_IFACE}.accept_local=1" + echo "Adding default route to table 3" + ip route del table 2 default + ip route add table 2 default nexthop dev ${TUN_IFACE} + + ;; + down-host) + ifconfig $TUN_IFACE down + ip route add table 2 default nexthop dev ${BACKUP_ROUTE} + ;; +esac + diff --git a/src/edgeos/ospf.sh b/src/edgeos/ospf.sh new file mode 100644 index 00000000..3c23438a --- /dev/null +++ b/src/edgeos/ospf.sh @@ -0,0 +1,13 @@ +#!/bin/vbash + +set interfaces tunnel /TUN/ ip ospf authentication md5 +set interfaces tunnel /TUN/ ip ospf authentication md5 key-id 1 md5-key /OSPFMD5/ +set interfaces tunnel /TUN/ ip ospf cost /METRIC/ +set interfaces tunnel /TUN/ dead-interval 40 +set interfaces tunnel /TUN/ hello-interval 10 +set interfaces tunnel /TUN/ network point-to-point +set interfaces tunnel /TUN/ priority 1 +set interfaces tunnel /TUN/ retransmit-interval 5 +set interfaces tunnel /TUN/ transmit-delay 1 + + diff --git a/src/edgeos/scripts/ES-SRCID--updown.sh b/src/edgeos/scripts/ES-SRCID--updown.sh new file mode 100644 index 00000000..d26b7363 --- /dev/null +++ b/src/edgeos/scripts/ES-SRCID--updown.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +set -o nounset +set -o errexit + +TUN_IFACE="/TUN/" + +case "${PLUTO_VERB}" in + up-host) + echo "Putting interface ${TUN_IFACE} up" + ifconfig $TUN_IFACE up + echo "Disabling IPsec policy (SPD) for ${TUN_IFACE}" + sysctl -w "net.ipv4.conf.${TUN_IFACE}.disable_policy=1" + echo "Accepting gre keepalive" + sysctl -w "net.ipv4.conf.${TUN_IFACE}.accept_local=1" + ;; + down-host) + ifconfig $TUN_IFACE down + ;; +esac + 
diff --git a/src/edgeos/scripts/ES-SRCID-_netwatch.sh b/src/edgeos/scripts/ES-SRCID-_netwatch.sh new file mode 100644 index 00000000..613b4c1a --- /dev/null +++ b/src/edgeos/scripts/ES-SRCID-_netwatch.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +ROUTER_IP=/GREPOPIP/ +IPSEC="telecomlobby-/PUBLICHOSTNAME/" +GRE="/TUN/" + +PING_RESULT=$(/usr/bin/fping -I$GRE $ROUTER_IP 2>&1) +ALIVE="alive" +STATUS=$(/usr/sbin/ipsec status $IPSEC) +ESTABLISHED="INSTALLED" + +if [[ "$PING_RESULT" != *"$ALIVE"* ]]; then + /usr/sbin/ipsec stroke down-nb $IPSEC + /usr/sbin/ipsec down $IPSEC + /usr/sbin/ipsec up $IPSEC +fi + diff --git a/src/etc/acme-client.conf b/src/etc/acme-client.conf index 788eb7ca..25efa1f3 100644 --- a/src/etc/acme-client.conf +++ b/src/etc/acme-client.conf 
@@ -11,66 +11,10 @@ authority letsencrypt-staging { account key "/etc/ssl/letsencrypt-staging-privkey.pem" } -domain www.telecomlobby.com { - alternative names { \ - telecomlobby.com \ - rnmnetwork.telecomlobby.com \ - taglio.telecomlobby.com \ - technomafia.telecomlobby.com \ - brainhack.telecomlobby.com \ - electronicharassment.telecomlobby.com \ - brainwashing.telecomlobby.com \ - neuroscience.telecomlobby.com \ - unspider.telecomlobby.com \ - elf.telecomlobby.com \ - riccardogiuntoli.telecomlobby.com \ - mindgames.telecomlobby.com \ - gangstalking.telecomlobby.com \ - targetindividual.telecomlobby.com \ - es.telecomlobby.com \ - it.telecomlobby.com \ - va.telecomlobby.com \ - united.telecomlobby.com \ - redama.es \ - www.redama.es \ - internet.redama.es \ - radioenlace.redama.es \ - catalunya.redama.es \ - wifi4eu.redama.es \ - wifi.redama.es \ - mensajeria.redama.es \ - redama.cat \ - internet.redama.cat \ - radioenllac.redama.cat \ - catalunya.redama.cat \ - wifi4eu.redama.cat \ - wifi.redama.cat \ - missatgeria.redama.cat \ - redama.pe \ - www.redama.pe \ - internet.redama.pe \ - radioenlace.redama.pe \ - catalunya.redama.pe \ - wifi4eu.redama.pe \ - wifi.redama.pe \ - mensajeria.redama.pe } - domain key "/etc/ssl/private/www.telecomlobby.com.key" - domain certificate "/etc/ssl/www.telecomlobby.com.crt" - domain full chain certificate "/etc/ssl/www.telecomlobby.com.pem" - sign with letsencrypt -} - -domain uk.telecomlobby.com { - alternative names { \ - mail.telecomlobby.com \ - autoconfig.telecomlobby.com \ - mta-sts.telecomlobby.com \ - wkd.telecomlobby.com } - domain key "/etc/ssl/private/uk.telecomlobby.com.key" - domain certificate "/etc/ssl/uk.telecomlobby.com.crt" - domain full chain certificate "/etc/ssl/uk.telecomlobby.com.pem" +domain /PUBHOST/ { + domain key "/etc/ssl/private//PUBHOST/.key" + domain certificate "/etc/ssl//PUBHOST/.crt" + domain full chain certificate "/etc/ssl//PUBHOST/.pem" sign with letsencrypt } - - 
diff --git a/lets-encrypt-r3.pem b/src/etc/acme/lets-encrypt-r3.pem similarity index 100% rename from lets-encrypt-r3.pem rename to src/etc/acme/lets-encrypt-r3.pem diff --git a/src/etc/daily.local b/src/etc/daily.local index ee221bfc..be7ca5c4 100644 --- a/src/etc/daily.local +++ b/src/etc/daily.local @@ -1,3 +1,3 @@ next_part "Checking packages:" -pkg_add -su +pkg_add -u diff --git a/src/etc/dhclient.conf b/src/etc/dhclient.conf index 4658d834..60c620e9 100644 --- a/src/etc/dhclient.conf +++ b/src/etc/dhclient.conf @@ -7,7 +7,7 @@ send host-name "/HOSTNAME/"; supersede host-name "/HOSTNAME/"; -supersede domain-name "telecom.lobby"; -supersede domain-search "telecom.lobby"; +supersede domain-name "/LANDOMAINAME/"; +supersede domain-search "/LANDOMAINAME/"; supersede domain-name-servers 127.0.0.1; diff --git a/src/etc/doas.conf b/src/etc/doas.conf index 133ac29e..690b0017 100644 --- a/src/etc/doas.conf +++ b/src/etc/doas.conf @@ -4,7 +4,7 @@ permit persist keepenv :wheel #permit nopass taglio as root cmd chown args "-R wwwftp:www /var/www/htdocs/*telecomlobby.com" -#permit nopass taglio as root cmd chmod args "-R g+wrx,o-rwx /var/www/htdocs/*telecomlobby.com" +permit nopass taglio as root cmd sh args /home/taglio/Sources/Git/OpenBSD/setup_node -U newhost permit nopass root as _iperfd cmd \ /usr/local/bin/iperf args \ -s -B /ROUTERID/ -D -N diff --git a/src/etc/hostname.egress b/src/etc/hostname.egress new file mode 100644 index 00000000..242454d2 --- /dev/null +++ b/src/etc/hostname.egress @@ -0,0 +1,5 @@ +-inet +-inet6 +inet /PUBLICIP/ /PUBLICNETMASK/ /PUBLICBCAST/ +inet6 autoconf -temporary -soii + diff --git a/src/etc/hostname.enc-X- b/src/etc/hostname.enc-X- new file mode 100644 index 00000000..0b5374a5 --- /dev/null +++ b/src/etc/hostname.enc-X- @@ -0,0 +1,2 @@ +description "/POP/" +up diff --git a/src/etc/hostname.gre-X- b/src/etc/hostname.gre-X- new file mode 100644 index 00000000..0768b3a0 --- /dev/null +++ b/src/etc/hostname.gre-X- 
@@ -0,0 +1,7 @@ +description "/POPHOST/" +keepalive 5 2 +mtu 1392 +group /GROUP/ +!ifconfig gre/X/ /GRELOCALIP/ /GREPOPIP/ netmask 0xfffffffc up +!ifconfig gre/X/ tunnel /PUBLICIP/ /POPIP/ + diff --git a/src/etc/hostname.gre0 b/src/etc/hostname.gre0 deleted file mode 100644 index fd6c22e2..00000000 --- a/src/etc/hostname.gre0 +++ /dev/null @@ -1,6 +0,0 @@ -description "fr.telecomlobby.com" -keepalive 5 2 -mtu 1392 -!ifconfig gre0 10.10.10.249 10.10.10.250 netmask 0xfffffffc up -!ifconfig gre0 tunnel 78.141.201.0 45.32.144.15 - diff --git a/src/etc/hostname.gre1 b/src/etc/hostname.gre1 deleted file mode 100644 index 1ba7533e..00000000 --- a/src/etc/hostname.gre1 +++ /dev/null @@ -1,6 +0,0 @@ -description "RT-01.cat.telecomlobby.com" -mtu 1392 -keepalive 5 2 -!ifconfig gre1 10.10.10.229 10.10.10.230 netmask 0xfffffffc up -!ifconfig gre1 tunnel 78.141.201.0 81.44.32.47 - diff --git a/src/etc/hostname.gre2 b/src/etc/hostname.gre2 deleted file mode 100644 index bd96bc36..00000000 --- a/src/etc/hostname.gre2 +++ /dev/null @@ -1,6 +0,0 @@ -description "us.telecomlobby.com" -mtu 1392 -keepalive 5 2 -group nsd -!ifconfig gre2 10.10.10.226 10.10.10.225 netmask 0xfffffffc up -!ifconfig gre2 tunnel 78.141.201.0 155.138.247.27 diff --git a/src/etc/hostname.gre3 b/src/etc/hostname.gre3 deleted file mode 100644 index 05d0bcb7..00000000 --- a/src/etc/hostname.gre3 +++ /dev/null @@ -1,6 +0,0 @@ -description "jp.telecomlobby.com" -keepalive 5 2 -mtu 1392 -group nsd -!ifconfig gre3 10.10.10.116 10.10.10.115 netmask 0xfffffffc up -!ifconfig gre3 tunnel 78.141.201.0 139.180.206.19 diff --git a/src/etc/hostname.pflog0 b/src/etc/hostname.pflog0 new file mode 100644 index 00000000..e31ee94e --- /dev/null +++ b/src/etc/hostname.pflog0 @@ -0,0 +1 @@ +up diff --git a/src/etc/hostname.vether0 b/src/etc/hostname.vether0 index a2875be4..1d657ae5 100644 --- a/src/etc/hostname.vether0 +++ b/src/etc/hostname.vether0 @@ -1,4 +1,4 @@ -inet -inet6 lladdr random -inet /ROUTERID/ +inet /ROUTERID//32 
diff --git a/src/etc/hostname.vio0 b/src/etc/hostname.vio0 deleted file mode 100644 index 4fd7a8f5..00000000 --- a/src/etc/hostname.vio0 +++ /dev/null @@ -1,6 +0,0 @@ --inet --inet6 -dhcp -inet6 -autoconfprivacy -inet6 -soii -inet6 autoconf diff --git a/src/etc/httpd.conf.acmefirst b/src/etc/httpd.conf.acmefirst new file mode 100644 index 00000000..b1418783 --- /dev/null +++ b/src/etc/httpd.conf.acmefirst @@ -0,0 +1,9 @@ +server "/PUBLICHOST/" { + listen on egress port 80 + root "htdocs//PUBLICHOST/" + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } +} + diff --git a/src/etc/iked.conf b/src/etc/iked.conf index 12d2746d..66757cc4 100644 --- a/src/etc/iked.conf +++ b/src/etc/iked.conf @@ -2,16 +2,5 @@ # # See iked.conf(5) for syntax and examples. -include "/etc/iked.conf.fr.telecomlobby.com" -include "/etc/iked.conf.RT-01.cat.telecomlobby.com" -include "/etc/iked.conf.us.telecomlobby.com" -include "/etc/iked.conf.uk.telecomlobby.com" - - - - - - - - +set dpd_check_interval 15 diff --git a/src/etc/iked.conf.RT-01.cat.telecomlobby.com b/src/etc/iked.conf.RT-01.cat.telecomlobby.com deleted file mode 100644 index f1fc8374..00000000 --- a/src/etc/iked.conf.RT-01.cat.telecomlobby.com +++ /dev/null @@ -1,8 +0,0 @@ -ikev2 "RT-01.cat.telecomlobby.com" passive transport \ - proto gre \ - from /PUBLICIP/ to /DYNDNS/ \ - local /PUBLICHOST/ peer any \ - ikesa auth hmac-sha2-256 enc aes-256 group ecp256 \ - childsa auth hmac-sha2-256 enc aes-256 group ecp256 \ - srcid "/HOSTNAME/@ca.telecomlobby.com" \ - ikelifetime 86400 lifetime 3600 diff --git a/src/etc/iked.conf.edgeos b/src/etc/iked.conf.edgeos new file mode 100644 index 00000000..0ad6254c --- /dev/null +++ b/src/etc/iked.conf.edgeos 
@@ -0,0 +1,9 @@ +ikev2 "/POP/" passive transport \ + proto gre \ + from /PUBLICIP/ to /POPIP/ \ + local /PUBLICHOST/ peer any \ + ikesa auth hmac-sha2-256 enc aes-256 group ecp256 \ + childsa auth hmac-sha2-256 enc aes-256 group ecp256 \ + srcid "/SRCID/@ca./DOMAINNAME/" \ + ikelifetime 86400 lifetime 3600 \ + tag /POP/ tap enc/X/ diff --git a/src/etc/iked.conf.fr.telecomlobby.com b/src/etc/iked.conf.fr.telecomlobby.com deleted file mode 100644 index a6b11b66..00000000 --- a/src/etc/iked.conf.fr.telecomlobby.com +++ /dev/null @@ -1,8 +0,0 @@ -ikev2 "fr.telecomlobby.com" active transport \ - proto gre \ - from /PUBLICIP/ to 45.32.144.15 \ - local /PUBLICHOST/ peer fr.telecomlobby.com \ - ikesa auth hmac-sha2-256 enc aes-256 group ecp384 \ - childsa auth hmac-sha2-256 enc aes-256 \ - srcid "/HOSTNAME/@ca.telecomlobby.com" \ - ikelifetime 86400 lifetime 3600 diff --git a/src/etc/iked.conf.mikrotik b/src/etc/iked.conf.mikrotik new file mode 100644 index 00000000..18bf955b --- /dev/null +++ b/src/etc/iked.conf.mikrotik @@ -0,0 +1,9 @@ +ikev2 "/POP/" active transport \ + proto gre \ + from /PUBLICIP/ to /POPIP/ \ + local /PUBLICHOST/ peer /POP/ \ + ikesa auth hmac-sha2-256 enc aes-256 group ecp384 \ + childsa auth hmac-sha2-256 enc aes-256 \ + srcid "/SRCID/@ca./DOMAINNAME/" \ + ikelifetime 86400 lifetime 3600 \ + tag /POP/ tap enc/X/ diff --git a/src/etc/iked.conf.openbsd b/src/etc/iked.conf.openbsd new file mode 100644 index 00000000..b5e29a5b --- /dev/null +++ b/src/etc/iked.conf.openbsd @@ -0,0 +1,9 @@ +ikev2 "/POP/" /TYPE/ transport \ + proto gre \ + from /PUBLICIP/ to /POPIP/ \ + local /PUBLICHOST/ peer /POP/ \ + ikesa prf hmac-sha2-512 enc aes-256-gcm-12 group brainpool512 \ + childsa enc chacha20-poly1305 group curve25519 \ + srcid "/SRCID/@ca./DOMAINNAME/" \ + ikelifetime 86400 lifetime 3600 \ + tag /POP/ tap enc/X/ diff --git a/src/etc/iked.conf.uk.telecomlobby.com b/src/etc/iked.conf.uk.telecomlobby.com deleted file mode 100644 index a208c8b8..00000000 
--- a/src/etc/iked.conf.uk.telecomlobby.com +++ /dev/null @@ -1,8 +0,0 @@ -ikev2 "uk.telecomlobby.com" passive transport \ - proto gre \ - from /PUBLICIP/ to 78.141.201.0 \ - local /PUBLICHOST/ peer uk.telecomlobby.com \ - ikesa prf hmac-sha2-512 enc aes-256-gcm-12 group brainpool512 \ - childsa enc chacha20-poly1305 group curve25519 \ - srcid "/HOSTNAME/@ca.telecomlobby.com" \ - ikelifetime 86400 lifetime 3600 diff --git a/src/etc/iked.conf.us.telecomlobby.com b/src/etc/iked.conf.us.telecomlobby.com deleted file mode 100644 index 0d680a5e..00000000 --- a/src/etc/iked.conf.us.telecomlobby.com +++ /dev/null @@ -1,8 +0,0 @@ -ikev2 "us.telecomlobby.com" active transport \ - proto gre \ - from /PUBLICIP/ to 155.138.247.27 \ - local /PUBLICHOST/ peer us.telecomlobby.com \ - ikesa prf hmac-sha2-512 enc aes-256-gcm-12 group brainpool512 \ - childsa enc chacha20-poly1305 group curve25519 \ - srcid "/HOSTNAME/@ca.telecomlobby.com" \ - ikelifetime 86400 lifetime 3600 diff --git a/src/etc/iked/pubkeys/ufqdn/ganesha@ca.telecomlobby.com b/src/etc/iked/pubkeys/ufqdn/ganesha@ca.telecomlobby.com new file mode 100644 index 00000000..05d60dd6 --- /dev/null +++ b/src/etc/iked/pubkeys/ufqdn/ganesha@ca.telecomlobby.com @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvnF3R2FKEWEfwpp/A/fI +6HFJ9Gb7ihzuWwGQDnLpXc3xRt4Dw+cECxUeWb1tfuHkt+YhWG+mkAwHqlF+9ze5 +wTJ4Vly8FE1CKJ0BMFx/6ME1QPXeWG2Ivo8KdemXbRZFhuu5VLIaS7G0jGF+Mhui +nNZwVhNoMPMYG1T8XB777WYZY4piujEuXajxRuHxHT4h7NATlOK1vxzhOLuqSPAV +IL+SO7vyznmdLF1erzXtEkwizssvw+ZWbaN7h72YsrarnZ8QqdmkOdo9Y4V0zzMi +4Bqmt2F3hjI54c/ccJeUZqhFSP4WkoHaLj+c3ICnaP2RAz5t+77xMTwxiCB1PaSl +6wIDAQAB +-----END PUBLIC KEY----- diff --git a/src/etc/iked/pubkeys/ufqdn/indra@ca.telecomlobby.com b/src/etc/iked/pubkeys/ufqdn/indra@ca.telecomlobby.com new file mode 100644 index 00000000..e2343480 --- /dev/null +++ b/src/etc/iked/pubkeys/ufqdn/indra@ca.telecomlobby.com 
@@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo9tIpLBAtVaCgTJvdTkG +WCWeqYUrbuqmAcTGkvqAsW5eu8+AcpR6wHP5uONyh8+8bUAC8gDW2vcMBAsaPxqN ++uU99y2a0kmAPqGmsdwvQ6b1a5MBmKELeeRKy/MPaKqPPn8GoMsXKDWEUCYp3gvF +CGh1ICSFVrqy/tHEynruCMRYdGGLgNgtD9j5XkREttRFtyI+ZSlFnmcrvmQFAD3f +7EkeYZLmbA5Xz5N/NyjCnLnH2bzpcKoDcPt+GeP3FQstLXBsMuCYbXi8CyXu//4n +cH4b02yqyET6/XknlcuLkZtA2ZBu19zMEZKx0YRTbVZ7a6n1y+2yeJmlzXUUwerq +GwIDAQAB +-----END PUBLIC KEY----- diff --git a/src/etc/iked/pubkeys/ufqdn/neo@ca.telecomlobby.com b/src/etc/iked/pubkeys/ufqdn/neo@ca.telecomlobby.com new file mode 100644 index 00000000..f5c0a1af --- /dev/null +++ b/src/etc/iked/pubkeys/ufqdn/neo@ca.telecomlobby.com @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+Kx0GzhOwejOeZTm0E8 +jUoYBEtMshlxp63RBjt3B3r0zp+VAe8YuH11ycUq3ZYF523TSu9iQpZyOoE0lsv6 +b9YAGGT3FT2LjCQDSY6/JbaMXP/iQf11cYACktlekC24uhYmMHkArFeC83Au7jmi +sMAIB0Cl5OarPV0DGe9ocukoYunA0rfQqfU6QRl6tKS3eGm3C/o+5p6thPNpBABi +W2/x3bWf8Q41GfI0XgYfbozb6Wtilm+Vr2TbyziJAnEv92/VjViDv9iYrc/lvtAm +vmDdW8z5CC3gIgR60Q3YW+RXheEKdVuyHcVsboQetLtdtiv1pfolxYVkRGORwfLh +jQIDAQAB +-----END PUBLIC KEY----- diff --git a/src/etc/iked/pubkeys/ufqdn/saraswati@ca.telecomlobby.com b/src/etc/iked/pubkeys/ufqdn/saraswati@ca.telecomlobby.com new file mode 100644 index 00000000..eede1c13 --- /dev/null +++ b/src/etc/iked/pubkeys/ufqdn/saraswati@ca.telecomlobby.com @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx4T/28bKmqsFVZdc50hM +X4tUF6pwCsNs0eOX7S7k7vhMWW8Gw8X6IUQmWH0hzvxe/Ie9qdarMpRgknX/nEB5 +KitIc+NKbHl/N0wU+Qa5v2pb/vlA3lGwZb50mwJ0ULvA4nYiVPq5OuMdUdFdbzkM +3TESz+pA/qZYUzI79JqZu+Kd5txsQqQ4iffRJfEFaMmjXK+1lO94vBLnrIGGrDLy +skKwkx9ntnw1CRCOUMhXwUpvma3du4/wnzjBNEZBFcwIawp/NlbFKRTpKEd0zoKq +yQk51eMnsM2/PCL4ZEzsiPGh5EvkrF3HYcu+m9UbW3V8Hh7rxCoAM37QwfkEdvZE +dQIDAQAB +-----END PUBLIC KEY----- 
diff --git a/src/etc/iked/pubkeys/ufqdn/shiva@ca.telecomlobby.com b/src/etc/iked/pubkeys/ufqdn/shiva@ca.telecomlobby.com new file mode 100644 index 00000000..e30b77ef --- /dev/null +++ b/src/etc/iked/pubkeys/ufqdn/shiva@ca.telecomlobby.com @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0kSelCwnNbBZ+FO5gnyF +qLKgmREQ2062aoqTmH3FrvEMV4NrLDY2SxVPz1BPlxCjuvzDi47HFpDh1/Q56N13 +4tHoRxn3e4g7FQFe0CcaDu3xUsm6vHsuRKxieHFfSENEa9f0/ZaOUM5kQtuN59R1 +U1sH085yed9g2MzWNDSag22gAzgdrLjLv6eL2V69QGfCwcvKTGxyFUeUkpOOQicI +ro6S7VOzINi2cl3A3B+Xed02FB29vsRUFNqpuYlw7p8Xrh88nWYeqGcq0xc8nkQ2 +tj7xyfJYor+H+81ssH2Dp98/dvHDrqHb5f+1/LmdNApn7CSHSsuh8D437MSnoZ9G +LQIDAQAB +-----END PUBLIC KEY----- diff --git a/src/etc/iked/pubkeys/ufqdn/uma@ca.telecomlobby.com b/src/etc/iked/pubkeys/ufqdn/uma@ca.telecomlobby.com new file mode 100644 index 00000000..f74aea36 --- /dev/null +++ b/src/etc/iked/pubkeys/ufqdn/uma@ca.telecomlobby.com @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArq1WqHI24Q2rtgCdJOsP +/pvi7JCWlqHuwUmQuUZH/XAv6ZMlcenacqZAj2qN7P+8eCIzonp61HGnDbkeV2ZF +zNW7Ri3DS7ZXf8FDvvQnDwJw15xW3F49KLXNhWfi80lJfKQKvigAIvKjtqrAQQrt +B5p49sJIp7VubxP5JIXjnqcSFeYk9MKxTlB8pQsfDuJx4ozvu+2Zfj93fFysSA2A +y25k4OZhFZs8ga98os2g3cEdO3v/3xQoUoA+O/vYNHX/gy+xK5Vzty8oYSom9cp8 +Pxm5wijQYjR+kKAh3fnxu4vQ+vyZ3ZPQS8YGAK4UAzZgxjY/6pWK3cNNIU+RELFq +IwIDAQAB +-----END PUBLIC KEY----- diff --git a/src/etc/mygate b/src/etc/mygate new file mode 100644 index 00000000..5023f03d --- /dev/null +++ b/src/etc/mygate @@ -0,0 +1 @@ +/ROUTEV4/ diff --git a/src/etc/myname b/src/etc/myname index 7ba194ef..e9b32017 100644 --- a/src/etc/myname +++ b/src/etc/myname @@ -1 +1 @@ -ganesha.telecom.lobby +/HOSTNAME/./LANDOMAINNAME/ diff --git a/src/etc/ospfd.conf b/src/etc/ospfd.conf index 33b8ebc2..5483c9f5 100644 --- a/src/etc/ospfd.conf +++ b/src/etc/ospfd.conf 
@@ -1,4 +1,4 @@ -# $OpenBSD: ospfd.conf,v 1.2 2018/08/07 07:06:20 claudio Exp $ +# $OpenBSD: ospfd.conf router-id "/ROUTERID/" @@ -6,62 +6,21 @@ no redistribute connected # areas area 0.0.0.0 { - interface gre0 { + interface gre/X/ { type p2p auth-type crypt - auth-md 1 "oRcEZMsomYfaMHv" + auth-md 1 "/OSPFMD5/" auth-md-keyid 1 - metric 13 + metric /METRIC/ auth-md-keyid 1 router-dead-time 40 hello-interval 10 retransmit-interval 5 transmit-delay 1 } - interface gre1 { - type p2p - auth-type crypt - auth-md 1 "8nnQgl8H5ygb4PA" - auth-md-keyid 1 - metric 17 - auth-md-keyid 1 - router-dead-time 40 - hello-interval 10 - retransmit-interval 5 - transmit-delay 1 - } - interface gre2 { - type p2p - auth-type crypt - auth-md 1 "kbduTVvkfdfqoyJ" - auth-md-keyid 1 - metric 62 - auth-md-keyid 1 - router-dead-time 40 - hello-interval 10 - retransmit-interval 5 - transmit-delay 1 - } - interface gre3 { - type p2p - auth-type crypt - auth-md 1 "voNbLgsqOoKnnjX" - auth-md-keyid 1 - metric 132 - auth-md-keyid 1 - router-dead-time 40 - hello-interval 10 - retransmit-interval 5 - transmit-delay 1 - - } interface vether0 { metric 1 passive } - interface wg0 { - metric 1 - passive - } -} + diff --git a/src/etc/pf.conf b/src/etc/pf.conf index 543f75ea..114abb83 100644 --- a/src/etc/pf.conf +++ b/src/etc/pf.conf @@ -21,11 +21,12 @@ #OPTIONS set block-policy drop -set skip on {lo0, enc0} +set skip on lo0 set block-policy drop set loginterface egress set loginterface gre set loginterface vether +set loginterface enc #VARIABLES ext_if="vio0" @@ -37,6 +38,9 @@ table const persist counters file "/etc/pf.conf.table.locals" table const persist counters file "/etc/pf.conf.table.ipsec" table const persist counters file "/etc/pf.conf.table.reserved" table const persist counters file "/etc/pf.conf.table.nsd" +table const persist counters file "/etc/pf.conf.table.unbound" +table const persist counters file "/etc/pf.conf.table.cdn" + table persist const {224.0.0.5, 224.0.0.6} 
@@ -44,11 +48,11 @@ table persist table persist #DEFAULT POLICY -block in log +block log block quick log from block quick log from block log proto {tcp,udp} user _iperfd -pass out + pass quick on $ext_if to $ext_if:broadcast 
@@ -58,23 +62,36 @@ pass quick on $ext_if to $ext_if:broadcast #NAT -match out on $ext_if from to ! received-on gre nat-to $pub +match out on $ext_if from to ! received-on gre nat-to $pub tag /LANDOMAINNAME/ #match out on $ext_if from wg:network to ! nat-to $ext_if #INGRESS -pass in on $ext_if inet6 proto icmp6 icmp6-type { routeradv neighbrsol neighbradv } -pass in on $ext_if proto icmp from any to $pub icmp-type echoreq -pass in on $ext_if proto icmp6 from any to $pub_v6 icmp6-type echoreq +#PUB + +#routeradv 134 +#neighbrsol 135 +#neighbradv 136 +#echoreq 128 + +pass in on $ext_if inet6 proto icmp6 icmp6-type { 128, 133, 134, 135, 136 } +pass in on $ext_if proto icmp from any to $pub icmp-type echoreq +pass in on $ext_if proto tcp from to $pub port { ssh, 31137 } modulate state pass in on $ext_if proto tcp from any to $pub port { smtp, smtps } modulate state (max-src-conn 2, max-src-conn-rate 8/30, overload ) pass in on $ext_if proto tcp from any to $pub_v6 port { smtp, smtps } modulate state (max-src-conn 2, max-src-conn-rate 8/30, overload ) pass in on $ext_if proto tcp from any to { $pub , $pub_v6 } port auth modulate state -pass in on $ext_if proto {tcp udp} from any to { $pub , $pub_v6 } port domain modulate state -pass in on $ext_if proto tcp from any to { $pub , $pub_v6 } port {www, https} modulate state -pass in on $ext_if proto udp from any to { $pub , $pub_v6 } port 65131 modulate state +pass in on $ext_if proto {tcp udp} from any to { $pub , $pub_v6 } port domain +pass in on $ext_if proto tcp from any to { $pub , $pub_v6 } port {www, https} modulate state +pass in on $ext_if proto udp from any to { $pub , $pub_v6 } port 65131 pass in on $ext_if proto udp from to $pub port {isakmp, ipsec-nat-t} pass in on $ext_if proto esp from to $pub +#ENC + +#include "/etc/pf.conf.macro.enc.in" + +pass quick on enc proto gre + #GRE pass in quick on gre from to ! 
@@ -82,18 +99,22 @@ pass in on gre proto gre no state pass in on gre proto icmp from to gre icmp-type echoreq pass in on gre proto ospf pass in on gre proto icmp from to vether0 icmp-type echoreq -pass in on gre proto tcp from to vether0 port {ftp, ssh, http, imaps, 31337} +pass in on gre inet proto icmp from to icmp-type echoreq +pass in on gre inet proto tcp from to port ssh modulate state +pass in on gre proto tcp from to vether0 port {ftp, ssh, http, imaps, 31337} modulate state +pass in on gre proto udp from to 172.16.17.106 port {domain, ntp} +pass in on gre proto tcp from to 172.16.17.106 port http modulate state pass in on gre proto udp from to vether0 port 5353 user _tor modulate state pass in on gre proto tcp from to vether0 port \ {9900, 9901, 9902, 9903, 9904, 9905, 9906, 9007, 9008, 9009, 9010, 9011, 9012, 9013, 9050} user _tor modulate state -pass in on gre proto tcp from to vether0 port {http, submission} modulate state -pass in on gre proto tcp from to vether0 port 5001 user _iperfd modulate state -pass in on nsd proto {tcp, udp} from nsd:peer to port domain modulate state +pass in on gre proto tcp from to vether0 port {http, submission} +pass in on gre proto tcp from to vether0 port 5001 user _iperfd +pass in on nsd proto {tcp, udp} from nsd:peer to nsd port domain #VETHER -pass in on vether0 proto icmp from to vether0 icmp-type echoreq modulate state +pass in on vether0 proto icmp from to vether0 icmp-type echoreq pass in on vether0 proto tcp from to vether0 port {ftp, ssh, http, submission, imaps, 31337} modulate state -pass in on vether0 proto udp from to vether0 port 5353 user _tor modulate state +pass in on vether0 proto udp from to vether0 port 5353 user _tor pass in on vether0 proto tcp from to vether0 port \ {9900, 9901, 9902, 9903, 9904, 9905, 9906, 9007, 9008, 9009, 9010, 9011, 9012, 9013, 9050} user _tor modulate state pass in on vether0 proto tcp from to vether0 port {http, submission} modulate state 
@@ -101,5 +122,48 @@ pass in on vether0 proto tcp from to vether0 port 5001 user _iperfd mod #OUTGRESS -block out log quick on $ext_if proto gre from $pub to -block out log quick on gre from gre to + +#PUB + +pass out quick on $ext_if tagged /LANDOMAINNAME/ +pass out quick on $ext_if inet6 proto icmp6 icmp6-type { 128, 133, 134, 135, 136 } +pass out quick on $ext_if proto icmp from $pub to any icmp-type echoreq +pass out quick on $ext_if proto tcp from $pub to port {ssh, 31137} modulate state +pass out quick on $ext_if proto tcp from $pub to any port { smtp, smtps } modulate state +pass out quick on $ext_if proto tcp from $pub_v6 to any port { smtp, smtps } modulate state +pass out quick on $ext_if proto {tcp, udp} from $pub to 8.8.8.8 port domain +pass out quick on $ext_if proto tcp from $pub to any port https user _rspamd modulate state +pass out quick on $ext_if proto tcp from $pub_v6 to any port https user _rspamd modulate state +pass out quick on $ext_if proto tcp from $pub to any port {http, https} modulate state +pass out quick on $ext_if proto {tcp, udp} from $pub to port domain-s +pass out quick on $ext_if proto {tcp, udp} from $pub_v6 to port domain-s +pass out quick on $ext_if proto {tcp, udp} from $pub port domain user _unbound +pass out quick on $ext_if proto {tcp, udp} from $pub to port domain user _nsd +pass out quick on $ext_if proto {tcp, udp} from $pub_v6 to port domain user _nsd +pass out quick on $ext_if proto tcp from $pub to port {http, https} modulate state +pass out quick on $ext_if proto tcp from $pub_v6 to port {http, https} modulate state +pass out quick on $ext_if proto udp from $pub to port {isakmp, ipsec-nat-t} +pass out quick on $ext_if proto esp from $pub to + +#ENC + +#include "/etc/pf.conf.macro.enc.out" + +pass out quick on enc proto gre + +#VETHER + +pass out quick on vether0 proto ospf + +#GRE + +pass out quick on gre proto udp from gre to 172.16.17.106 port {domain, ntp} +pass out quick on gre proto udp from to 172.16.17.106 
port {domain, ntp} +pass out quick on gre proto tcp from to 172.16.17.106 port http modulate state +pass out quick on gre proto tcp from gre to 172.16.17.106 port http +pass out on gre proto gre no state +pass out quick on gre proto ospf +pass out quick on gre proto icmp from gre to icmp-type echoreq +pass out quick on gre inet proto icmp from to icmp-type echoreq +pass out quick on gre inet proto tcp from to port ssh modulate state +pass out quick on nsd proto {tcp, udp} from nsd to nsd:peer port domain diff --git a/src/etc/pf.conf.macro.enc.in b/src/etc/pf.conf.macro.enc.in new file mode 100644 index 00000000..ecbd2836 --- /dev/null +++ b/src/etc/pf.conf.macro.enc.in @@ -0,0 +1 @@ +pass in quick on enc proto gre from /IPTAGGED/ to $pub tagged /TAGGED/ diff --git a/src/etc/pf.conf.macro.enc.out b/src/etc/pf.conf.macro.enc.out new file mode 100644 index 00000000..4fc1a79b --- /dev/null +++ b/src/etc/pf.conf.macro.enc.out @@ -0,0 +1 @@ +pass out quick on enc proto gre from $pub to /IPTAGGED/ tagged /TAGGED/ diff --git a/src/etc/pf.conf.macro.public b/src/etc/pf.conf.macro.public index d1f07ee6..bb7c375f 100644 --- a/src/etc/pf.conf.macro.public +++ b/src/etc/pf.conf.macro.public @@ -1,5 +1,5 @@ -pub="78.141.201.0" -pub_v6="2001:19f0:7401:8c01:5400:2ff:fe79:3b4d" +pub="/PUBLICIP/" +pub_v6="/PUBV6///PREFIX/" diff --git a/src/etc/pf.conf.table.cdn b/src/etc/pf.conf.table.cdn new file mode 100644 index 00000000..79c82cdc --- /dev/null +++ b/src/etc/pf.conf.table.cdn @@ -0,0 +1,14 @@ +# /sbin/pfctl -t cdn -T kill -f /etc/pf.conf.table.cdn +# /sbin/pfctl -t cdn -T add -f /etc/pf.conf.table.cdn +# /sbin/pfctl -t cdn -T show +# + +151.101.130.217 +151.101.194.217 +151.101.2.217 +151.101.66.217 +2a04:4e42:600::729 +2a04:4e42::729 +2a04:4e42:200::729 +2a04:4e42:400::729 + diff --git a/src/etc/pf.conf.table.ipsec b/src/etc/pf.conf.table.ipsec index 23b0f810..9efa909f 100644 --- a/src/etc/pf.conf.table.ipsec +++ b/src/etc/pf.conf.table.ipsec 
@@ -1,7 +1,5 @@ -# /sbin/pfctl -t ipsec -T replace -f /etc/pf.conf.table.ipsec +# /sbin/pfctl -t ipsec -T kill -f /etc/pf.conf.table.ipsec +# /sbin/pfctl -t ipsec -T add -f /etc/pf.conf.table.ipsec +# /sbin/pfctl -t ipsec -T show # -fr.telecomlobby.com -uk.telecomlobby.com -us.telecomlobby.com -jp.telecomlobby.com -cat-01.telecomlobby.com + diff --git a/src/etc/pf.conf.table.locals b/src/etc/pf.conf.table.locals index 09986a11..c65bcf6e 100644 --- a/src/etc/pf.conf.table.locals +++ b/src/etc/pf.conf.table.locals @@ -1,3 +1,11 @@ -# /sbin/pfctl -t locals -T replace -f /etc/pf.conf.table.locals +# /sbin/pfctl -t locals -T kill -f /etc/pf.conf.table.locals +# /sbin/pfctl -t locals -T add -f /etc/pf.conf.table.locals +# /sbin/pfctl -t locals -T show # +# +172.16.19.0/24 +172.16.17.0/24 +172.16.18.0/24 +10.10.10.0/24 +192.168.13.0/24 diff --git a/src/etc/pf.conf.table.nsd b/src/etc/pf.conf.table.nsd index b184f549..b7799f8b 100644 --- a/src/etc/pf.conf.table.nsd +++ b/src/etc/pf.conf.table.nsd @@ -1,4 +1,35 @@ -# /sbin/pfctl -t nsd -T replace -f /etc/pf.conf.table.nsd -# -10.10.10.116/32 -10.10.10.226/32 +# /sbin/pfctl -t nsd -T kill -f /etc/pf.conf.table.nsd +# /sbin/pfctl -t nsd -T add -f /etc/pf.conf.table.nsd +# /sbin/pfctl -t nsd -T show + +194.69.254.2 +108.61.224.67 +116.203.6.3 +107.191.99.111 +185.22.172.112 +103.6.87.125 +192.184.93.99 +119.252.20.56 +31.220.30.73 +185.34.136.178 +185.136.176.247 +45.77.29.133 +116.203.0.64 +167.88.161.228 +199.195.249.208 +104.244.78.122 +2001:19f0:6400:8642::3 +2a01:4f8:1c0c:8115::3 +2604:180:2:4cf::3 +2a00:1838:20:2::cd5e:68e9 +2403:2500:4000::f3e +2604:180:1:92a::3 +2401:1400:1:1201::1:7853:1a5 +2a04:bdc7:100:1b::3 +2a00:dcc7:d3ff:88b2::1 +2a06:fdc0:fade:2f7::1 +2001:19f0:7001:381::3 +2a01:4f8:1c0c:8122::3 +2605:6400:20:d5e::3 +2605:6400:10:65::3 +2605:6400:30:fd6e::3 diff --git a/src/etc/pf.conf.table.reserved b/src/etc/pf.conf.table.reserved index 70963887..56435aab 100644 --- a/src/etc/pf.conf.table.reserved 
+++ b/src/etc/pf.conf.table.reserved @@ -1,4 +1,6 @@ -# /sbin/pfctl -t reserved -T replace -f /etc/pf.conf.table.reserved +# /sbin/pfctl -t reserved -T kill -f /etc/pf.conf.table.reserved +# /sbin/pfctl -t reserved -T add -f /etc/pf.conf.table.reserved +# /sbin/pfctl -t reserved -T show # # https://www.iana.org/assignments/iana-ipv4-special-registry/ 0.0.0.0/8 diff --git a/src/etc/pf.conf.table.unbound b/src/etc/pf.conf.table.unbound new file mode 100644 index 00000000..51e83d1f --- /dev/null +++ b/src/etc/pf.conf.table.unbound @@ -0,0 +1,17 @@ +# /sbin/pfctl -t unbound -T kill -f /etc/pf.conf.table.unbound +# /sbin/pfctl -t unbound -T add -f /etc/pf.conf.table.unbound +# /sbin/pfctl -t unbound -T show +# + +2606:4700:4700::1111 # CloudFlare primary +2606:4700:4700::1001 # CloudFlare secondary +2620:fe::fe # Quad9 primary +2620:fe::9 # Quad9 secondary +2001:4860:4860::8888 # Google primary +2001:4860:4860::8844 # Google secondary +1.1.1.1 # CloudFlare primary +1.0.0.1 # CloudFlare secondary +9.9.9.9 # Quad9 primary +149.112.112.112 # Quad9 secondary +8.8.8.8 # Google primary +8.8.4.4 # Google secondary diff --git a/src/etc/pf.conf.table.users b/src/etc/pf.conf.table.users index 26c1d51f..0f040f9d 100644 --- a/src/etc/pf.conf.table.users +++ b/src/etc/pf.conf.table.users @@ -1,3 +1,10 @@ -# /sbin/pfctl -t users -T replace -f /etc/pf.conf.table.users +# /sbin/pfctl -t users -T kill -f /etc/pf.conf.table.users +# /sbin/pfctl -t users -T add -f /etc/pf.conf.table.users +# /sbin/pfctl -t users -T show # +172.16.19.0/24 +172.16.16.0/24 +172.16.18.0/24 +172.16.17.106/32 +140.82.54.216/32 diff --git a/src/etc/rc b/src/etc/rc new file mode 100644 index 00000000..ae059465 --- /dev/null +++ b/src/etc/rc 
@@ -0,0 +1,629 @@ +# $OpenBSD: rc,v 1.549 2021/03/13 21:11:56 deraadt Exp $ + +# System startup script run by init on autoboot or after single-user. +# Output and error are redirected to console by init, and the console is the +# controlling terminal. + +# Turn off Strict Bourne shell. +set +o sh + +# Subroutines (have to come first). + +# Strip in- and whole-line comments from a file. +# Strip leading and trailing whitespace if IFS is set. +# Usage: stripcom /path/to/file +stripcom() { + local _file=$1 _line + + [[ -s $_file ]] || return + + while read _line ; do + _line=${_line%%#*} + [[ -n $_line ]] && print -r -- "$_line" + done <$_file +} + +# Update resource limits based on login.conf settings. +# Usage: update_limit -flag capability +update_limit() { + local _flag=$1 # ulimit flag + local _cap=$2 _val # login.conf capability and its value + local _suffix + + for _suffix in {,-max,-cur}; do + _val=$(getcap -f /etc/login.conf -s ${_cap}${_suffix} daemon 2>/dev/null) + [[ -n $_val ]] || continue + [[ $_val == infinity ]] && _val=unlimited + + case $_suffix in + -cur) ulimit -S $_flag $_val + ;; + -max) ulimit -H $_flag $_val + ;; + *) ulimit $_flag $_val + return + ;; + esac + done +} + +# Apply sysctl.conf(5) settings. +sysctl_conf() { + # do not use a pipe as limits would only be applied to the subshell + set -- $(stripcom /etc/sysctl.conf) + while [[ $# > 0 ]] ; do + sysctl "$1" + + case "$1" in + kern.maxproc=*) + update_limit -p maxproc + ;; + kern.maxfiles=*) + update_limit -n openfiles + ;; + esac + shift + done +} + +# Apply mixerctl.conf(5) settings. +mixerctl_conf() { + stripcom /etc/mixerctl.conf | + while read _line; do + mixerctl -q "$_line" 2>/dev/null + done +} + +# Apply wsconsctl.conf(5) settings. 
+wsconsctl_conf() { + [[ -x /sbin/wsconsctl ]] || return + + stripcom /etc/wsconsctl.conf | + while read _line; do + eval "wsconsctl $_line" + done +} + +# Push the old seed into the kernel, create a future seed and create a seed +# file for the boot-loader. +random_seed() { + dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none + chmod 600 /var/db/host.random + dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none + dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none + chmod 600 /etc/random.seed +} + +# Populate net.inet.(tcp|udp).baddynamic with the contents of /etc/services so +# as to avoid randomly allocating source ports that correspond to well-known +# services. +# Usage: fill_baddynamic tcp|udp +fill_baddynamic() { + local _service=$1 + local _sysctl="net.inet.${_service}.baddynamic" + + stripcom /etc/services | + { + _ban= + while IFS=" /" read _name _port _srv _junk; do + [[ $_srv == $_service ]] || continue + + _ban="${_ban:+$_ban,}+$_port" + + # Flush before argv gets too long + if ((${#_ban} > 1024)); then + sysctl -q "$_sysctl=$_ban" + _ban= + fi + done + [[ -n $_ban ]] && sysctl -q "$_sysctl=$_ban" + } +} + +# Start daemon using the rc.d daemon control scripts. +# Usage: start_daemon daemon1 daemon2 daemon3 +start_daemon() { + local _daemon + + for _daemon; do + eval "_do=\${${_daemon}_flags}" + [[ $_do != NO ]] && /etc/rc.d/${_daemon} start + done +} + +# Generate keys for isakmpd, iked and sshd if they don't exist yet. +make_keys() { + local _isakmpd_key=/etc/isakmpd/private/local.key + local _isakmpd_pub=/etc/isakmpd/local.pub + local _iked_key=/etc/iked/private/local.key + local _iked_pub=/etc/iked/local.pub + + if [[ ! -f $_isakmpd_key ]]; then + echo -n "openssl: generating isakmpd/iked RSA keys... " + if openssl genrsa -out $_isakmpd_key 2048 >/dev/null 2>&1 && + chmod 600 $_isakmpd_key && + openssl rsa -out $_isakmpd_pub -in $_isakmpd_key \ + -pubout >/dev/null 2>&1; then + echo done. 
+ else + echo failed. + fi + fi + + if [[ ! -f $_iked_key ]]; then + # Just copy the generated isakmpd key + cp $_isakmpd_key $_iked_key + chmod 600 $_iked_key + cp $_isakmpd_pub $_iked_pub + fi + + ssh-keygen -A + + if [[ ! -f /etc/soii.key ]]; then + openssl rand -hex 16 > /etc/soii.key && + chmod 600 /etc/soii.key && sysctl -q \ + "net.inet6.ip6.soiikey=$(&1 | tee /dev/tty | + mail -Es "$(hostname) rc.$_suffix output" root >/dev/null + fi + rm -f /etc/rc.$_suffix.run +} + +# Check filesystems, optionally by using a fsck(8) flag. +# Usage: do_fsck [-flag] +do_fsck() { + fsck -p "$@" + case $? in + 0) ;; + 2) exit 1 + ;; + 4) echo "Rebooting..." + reboot + echo "Reboot failed; help!" + exit 1 + ;; + 8) echo "Automatic file system check failed; help!" + exit 1 + ;; + 12) echo "Boot interrupted." + exit 1 + ;; + 130) # Interrupt before catcher installed. + exit 1 + ;; + *) echo "Unknown error; help!" + exit 1 + ;; + esac +} + +# End subroutines. + +stty status '^T' + +# Set shell to ignore SIGINT (2), but not children; shell catches SIGQUIT (3) +# and returns to single user after fsck. +trap : 2 +trap : 3 # Shouldn't be needed. + +export HOME=/ +export INRC=1 +export PATH=/sbin:/bin:/usr/sbin:/usr/bin + +# /etc/myname contains my symbolic name. +if [[ -f /etc/myname ]]; then + hostname "$(stripcom /etc/myname)" +fi + +# Must set the domainname before rc.conf, so YP startup choices can be made. +if [[ -s /etc/defaultdomain ]]; then + domainname "$(stripcom /etc/defaultdomain)" +fi + +# Get local functions from rc.subr to load rc.conf into scope. +FUNCS_ONLY=1 . 
/etc/rc.d/rc.subr +_rc_parse_conf + +# If executed with the 'shutdown' parameter by the halt, reboot or shutdown: +# - update seed files +# - execute the rc.d scripts specified by $pkg_scripts in reverse order +# - bring carp interfaces down gracefully +if [[ $1 == shutdown ]]; then + if echo 2>/dev/null >>/var/db/host.random || + echo 2>/dev/null >>/etc/random.seed; then + random_seed + else + echo warning: cannot write random seed to disk + fi + + # If we are in secure level 0, assume single user mode. + if (($(sysctl -n kern.securelevel) == 0)); then + echo 'single user: not running shutdown scripts' + else + set -A _d -- $pkg_scripts + _i=${#_d[*]} + if ((_i)); then + echo -n 'stopping package daemons:' + while ((--_i >= 0)); do + [[ -x /etc/rc.d/${_d[_i]} ]] && + /etc/rc.d/${_d[_i]} stop + done + echo '.' + fi + + if /etc/rc.d/vmd check > /dev/null; then + echo -n 'stopping VMs' + /etc/rc.d/vmd stop > /dev/null + echo '.' + fi + + [[ -f /etc/rc.shutdown ]] && sh /etc/rc.shutdown + fi + + ifconfig | while read _if _junk; do + [[ $_if == carp+([0-9]): ]] && ifconfig ${_if%:} down + done + + exit 0 +fi + +# If bootblocks failed to give us random, try to cause some churn +(dmesg; sysctl hw.{uuid,serialno,sensors} ) >/dev/random 2>&1 + +# Add swap block-devices. +swapctl -A -t blk + +# Run filesystem check unless a /fastboot file exists. +if [[ -e /fastboot ]]; then + echo "Fast boot: skipping disk checks." +elif [[ $1 == autoboot ]]; then + echo "Automatic boot in progress: starting file system checks." + do_fsck +fi + +# From now on, allow user to interrupt (^C) the boot process. +trap "echo 'Boot interrupted.'; exit 1" 3 + +# Unmount all filesystems except root. +umount -a >/dev/null 2>&1 + +# Mount all filesystems except those of type NFS and VND. +mount -a -t nonfs,vnd + +# Re-mount the root filesystem read/writeable. (root on nfs requires this, +# others aren't hurt.) 
+mount -uw / +chmod og-rwx /bsd +ln -fh /bsd /bsd.booted + +rm -f /fastboot + +# Set flags on ttys. +ttyflags -a + +# Set keyboard encoding. +if [[ -x /sbin/kbd && -s /etc/kbdtype ]]; then + kbd "$(/dev/null 2>&1; then + RULES="$RULES + pass out inet6 proto icmp6 all icmp6-type neighbrsol + pass in inet6 proto icmp6 all icmp6-type neighbradv + pass out inet6 proto icmp6 all icmp6-type routersol + pass in inet6 proto icmp6 all icmp6-type routeradv + pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server + pass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client" + fi + + RULES="$RULES + pass in proto carp keep state (no-sync) + pass out proto carp !received-on any keep state (no-sync)" + + if (($(sysctl -n vfs.mounts.nfs 2>/dev/null)+0 > 0)); then + # Don't kill NFS. + RULES="set reassemble yes no-df + $RULES + pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any + pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any" + fi + + print -- "$RULES" | pfctl -f - + pfctl -e +fi + +fill_baddynamic udp +fill_baddynamic tcp + +sysctl_conf + +start_daemon slaacd >/dev/null 2>&1 + +echo 'starting network' + +# Set carp interlock by increasing the demotion counter. +# Prevents carp from preempting until the system is booted. +ifconfig -g carp carpdemote 128 + +sh /etc/netstart + +mount -s /usr >/dev/null 2>&1 +mount -s /var >/dev/null 2>&1 + +start_daemon dhcpleased unwind resolvd >/dev/null 2>&1 + +# Load pf rules and bring up pfsync interface. +if [[ $pf != NO ]]; then + if [[ -f /etc/pf.conf ]]; then + pfctl -f /etc/pf.conf + fi + if [[ -f /etc/hostname.pfsync0 ]]; then + sh /etc/netstart pfsync0 + fi +fi + +random_seed + +reorder_libs + +# Clean up left-over files. +rm -f /etc/nologin /var/spool/lock/LCK.* +(cd /var/run && { rm -rf -- *; install -c -m 664 -g utmp /dev/null utmp; }) +(cd /var/authpf && rm -rf -- *) + +# Save a copy of the boot messages. 
+dmesg >/var/run/dmesg.boot + +make_keys + +echo -n 'starting early daemons:' +start_daemon syslogd ldattach pflogd nsd unbound +start_daemon iscsid isakmpd iked sasyncd ldapd npppd ntpd +echo '.' + +# Load IPsec rules. +if [[ $ipsec != NO && -f /etc/ipsec.conf ]]; then + ipsecctl -f /etc/ipsec.conf +fi + +echo -n 'starting RPC daemons:' +start_daemon portmap ypldap +rm -f /var/run/ypbind.lock +if [[ -n $(domainname) ]]; then + start_daemon ypserv ypbind +fi +start_daemon mountd nfsd lockd statd amd +echo '.' + +# Check and mount remaining file systems and enable additional swap. +mount -a +swapctl -A -t noblk +do_fsck -N +mount -a -N + +# Build kvm(3) and /dev databases. +kvm_mkdb +dev_mkdb + +# /var/crash should be a directory or a symbolic link to the crash directory +# if core dumps are to be saved. +if [[ -d /var/crash ]]; then + savecore $savecore_flags /var/crash +fi + +# Store ACPI tables in /var/db/acpi to be used by sendbug(1). +if [[ -x /usr/sbin/acpidump ]]; then + acpidump -q -o /var/db/acpi/ +fi + +if [[ $check_quotas == YES ]]; then + echo -n 'checking quotas:' + quotacheck -a + echo ' done.' + quotaon -a +fi + +# Set proper permission for the tty device files. +chmod 666 /dev/tty[pqrstuvwxyzPQRST]* +chown root:wheel /dev/tty[pqrstuvwxyzPQRST]* + +# Check for the password temp/lock file. +if [[ -f /etc/ptmp ]]; then + logger -s -p auth.err \ + 'password file may be incorrect -- /etc/ptmp exists' +fi + +echo clearing /tmp + +# Prune quickly with one rm, then use find to clean up /tmp/[lqv]* +# (not needed with mfs /tmp, but doesn't hurt there...). +(cd /tmp && rm -rf [a-km-pr-uw-zA-Z]*) +(cd /tmp && + find . -maxdepth 1 ! -name . ! -name lost+found ! -name quota.user \ + ! -name quota.group ! -name vi.recover -execdir rm -rf -- {} \;) + +# Create Unix sockets directories for X if needed and make sure they have +# correct permissions. 
+[[ -d /usr/X11R6/lib ]] && mkdir -m 1777 /tmp/.{X11,ICE}-unix + +[[ -f /etc/rc.securelevel ]] && sh /etc/rc.securelevel + +# rc.securelevel did not specifically set -1 or 2, so select the default: 1. +(($(sysctl -n kern.securelevel) == 0)) && sysctl kern.securelevel=1 + + +# Patch /etc/motd. +if [[ ! -f /etc/motd ]]; then + install -c -o root -g wheel -m 664 /dev/null /etc/motd +fi +if T=$(mktemp /tmp/_motd.XXXXXXXXXX); then + sysctl -n kern.version | sed 1q >$T + sed -n '/^$/,$p' >$T + cmp -s $T /etc/motd || cp $T /etc/motd + rm -f $T +fi + +if [[ $accounting == YES ]]; then + [[ ! -f /var/account/acct ]] && touch /var/account/acct + echo 'turning on accounting' + accton /var/account/acct +fi + +if [[ -x /sbin/ldconfig ]]; then + echo 'creating runtime link editor directory cache.' + [[ -d /usr/local/lib ]] && shlib_dirs="/usr/local/lib $shlib_dirs" + [[ -d /usr/X11R6/lib ]] && shlib_dirs="/usr/X11R6/lib $shlib_dirs" + ldconfig $shlib_dirs +fi + +echo 'preserving editor files.'; /usr/libexec/vi.recover + +# If rc.sysmerge exists, run it just once, and make sure it is deleted. +run_upgrade_script sysmerge + +echo -n 'starting network daemons:' +start_daemon ldomd sshd switchd snmpd ldpd ripd ospfd ospf6d bgpd ifstated +start_daemon relayd dhcpd dhcrelay mrouted dvmrpd radiusd eigrpd route6d +start_daemon rad hostapd lpd smtpd slowcgi httpd ftpd +start_daemon ftpproxy ftpproxy6 tftpd tftpproxy identd inetd rarpd bootparamd +start_daemon rbootd mopd vmd spamd spamlogd sndiod +echo '.' + +# If rc.firsttime exists, run it just once, and make sure it is deleted. +run_upgrade_script firsttime + +# Run rc.d(8) scripts from packages. +if [[ -n $pkg_scripts ]]; then + echo -n 'starting package daemons:' + for _daemon in $pkg_scripts; do + if [[ -x /etc/rc.d/$_daemon ]]; then + start_daemon $_daemon + else + echo -n " ${_daemon}(absent)" + fi + done + echo '.' +fi + +[[ -f /etc/rc.local ]] && sh /etc/rc.local + +# Disable carp interlock. 
+ifconfig -g carp -carpdemote 128 + +mixerctl_conf + +echo -n 'starting local daemons:' +start_daemon apmd sensorsd hotplugd watchdogd cron wsmoused xenodm +echo '.' + +# Re-link the kernel, placing the objects in a random order. +# Replace current with relinked kernel and inform root about it. +/usr/libexec/reorder_kernel & + +date +exit 0 + diff --git a/src/etc/rc.local b/src/etc/rc.local index fc30e8a9..915ace0a 100644 --- a/src/etc/rc.local +++ b/src/etc/rc.local @@ -1,6 +1,6 @@ if [ -x /usr/local/sbin/oidentd ]; then echo -n ' oidentd'; /usr/local/sbin/oidentd -m fi -doas -u _iperfd /usr/local/bin/iperf \ - -s -B /ROUTERID/ \ - -D -N +#doas -u _iperfd /usr/local/bin/iperf \ +# -s -B /ROUTERID/ \ +# -D -N diff --git a/src/etc/relayd.conf b/src/etc/relayd.conf new file mode 100644 index 00000000..1b8bedee --- /dev/null +++ b/src/etc/relayd.conf @@ -0,0 +1,47 @@ +# $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $ + +# Macros + +ext_ip1="/PUBLICIP/" +ext_ip2="/PUBV6/" + +table { 127.0.0.1, ::1 } + +# Global Options + +log connection errors + + +# Redirections + +redirect "http" { + listen on $ext_ip1 port http + listen on $ext_ip2 port http + forward to check tcp +} + +# Relays + +http protocol "https" { + match request header append "X-Forwarded-For" value "$REMOTE_ADDR" + match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT" + match request header set "Connection" value "close" + tcp { sack, backlog 128 } + tls ciphers "HIGH:!AES128:!kRSA:!aNULL" + tls ecdhe "P-384,P-256,X25519" + tls keypair /PUBLICHOST/ +} + +# a relay for each IP + +relay "https" { + listen on $ext_ip1 port https tls + protocol "https" + forward to check tcp +} + +relay "https2" { + listen on $ext_ip2 port https tls + protocol "https" + forward to check tcp +} diff --git a/src/etc/ssh/authorized_keys b/src/etc/ssh/authorized_keys new file mode 100644 index 00000000..6f187b3b --- /dev/null +++ b/src/etc/ssh/authorized_keys 
@@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKG4yMhKX37SXV8LGDuVe4r1PBSS5HOWb6jFpNiG3cvW taglio@telecom.lobby diff --git a/src/etc/ssh/remote_install/authorized_keys b/src/etc/ssh/remote_install/authorized_keys new file mode 100644 index 00000000..945df9eb --- /dev/null +++ b/src/etc/ssh/remote_install/authorized_keys @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExQv0ynqo474GCPQU6wnz8QUVCUxpMMA0NcLR4WVKvD root@varuna.telecom.lobby +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEaVshwOyANsWAthoVv8heMS+01kvfLUzKgeVWO0haH root@durpa.telecom.lobby diff --git a/src/etc/ssh/remote_install/rc.local b/src/etc/ssh/remote_install/rc.local new file mode 100644 index 00000000..87238f67 --- /dev/null +++ b/src/etc/ssh/remote_install/rc.local @@ -0,0 +1,4 @@ +if [ -e /etc/ssh/remote_install/remote_install.conf ]; then + echo -n 'sshd remote install'; /usr/sbin/sshd -f /etc/ssh/remote_install/remote_install.conf +fi + diff --git a/src/etc/ssh/remote_install/remote_install.conf b/src/etc/ssh/remote_install/remote_install.conf new file mode 100644 index 00000000..d09af840 --- /dev/null +++ b/src/etc/ssh/remote_install/remote_install.conf @@ -0,0 +1,26 @@ +Port 31137 +ListenAddress /PUBLICIP/ +PidFile /var/run/sshd-remote-install.pid + +LoginGraceTime 10s +PermitRootLogin prohibit-password +MaxSessions 1 +ClientAliveCountMax 1 + +AllowTcpForwarding no +PasswordAuthentication no +PermitTunnel no +PrintMotd no +PubkeyAuthentication yes +X11Forwarding no + +IgnoreUserKnownHosts yes + +AuthorizedKeysFile /etc/ssh/remote_install/authorized_keys +AuthorizedKeysCommand /usr/local/sbin/remote-install %f +AuthorizedKeysCommandUser root + +Match User root + ForceCommand "/usr/local/sbin/remote-install" + + diff --git a/src/etc/ssh/ssh_config b/src/etc/ssh/ssh_config index 6506c308..d757025b 100644 --- a/src/etc/ssh/ssh_config +++ b/src/etc/ssh/ssh_config 
@@ -1,9 +1,6 @@ -Host * - IdentityFile ~/.ssh/id_ed25519 - SendEnv LANG LC_* - HashKnownHosts no - GSSAPIAuthentication yes - VerifyHostKeyDNS ask - VisualHostKey yes +Host *.telecomlobby.com + IdentityFile /root/.ssh/id_ed25519 + User root + diff --git a/src/etc/ssh/ssh_known_hosts b/src/etc/ssh/ssh_known_hosts index 9b854626..a2fdf040 100644 --- a/src/etc/ssh/ssh_known_hosts +++ b/src/etc/ssh/ssh_known_hosts @@ -1,6 +1,9 @@ -[78.141.201.0,192.168.13.44] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIc88kX2C37lxPzgG3flLXx4Ev6LMIbSxPDpz5wOWevx -[139.180.206.19,192.168.13.81] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMpQ//kBuiaafaxAuZ8Moupz4wcyi2Ujk6t3HthHetjd -[155.138.247.27,192.168.13.1] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKugDXoBFKt69t3O97KHh4yEKEBZ6PMW+iLs40aRjN2A -[/DYNDNS/,192.168.13.34] ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICSuwjxabSlvjU/KDBkrXSI2gv6tzq2GjLNJTBg5tipF -[45.32.144.15,192.168.13.33] ssh-rsa AAAAB3NzaC1yc2EAAAABAwAAAQEAyNOyJ6t8eL22ghZsnzHz9rHraOgj8twhipGKO5A7mhX4xaKYhrAtNwN3wUOswKwbjirPmtwcsmrYDgTZO37XHIoN6VF3aeWwa4kKbl1dJo7mt66jtuhCSmlzqfTI8cF4qkr3jm6DHYjyKYpf5HxYagOqBP8LM6BSqt/N/oHXm5/MzuYRSVEy+bdsRNUeO8n78ITngRUYCZsu+UXsILotcINBZi36qWYgnzYnnQiDXLztojVK3NwmhCKye434IZOycBJ+zQ9g+XS/8osJTaG7ti6HDBKs6ImdFkasWwgrWYgD+QtvftOjtv97RIQstXh9Sj9toC/Oia3VMG3fHGjCYQ== +# uk.telecomlobby.com:31137 SSH-2.0-OpenSSH_8.6 +[uk.telecomlobby.com]:31137 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKugDXoBFKt69t3O97KHh4yEKEBZ6PMW+iLs40aRjN2A +# jp.telecomlobby.com:31137 SSH-2.0-OpenSSH_8.6 +[jp.telecomlobby.com]:31137 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC+nwDg//wQ2MPXe3+BZoNDfqIRvPJuWghipYWSVRb5R +# us.telecomlobby.com:31137 SSH-2.0-OpenSSH_8.6 +[us.telecomlobby.com]:31137 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKugDXoBFKt69t3O97KHh4yEKEBZ6PMW+iLs40aRjN2A +# bg.telecomlobby.com:31137 SSH-2.0-OpenSSH_8.6 +[bg.telecomlobby.com]:31137 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQRjNdUc0nLEvrckAhRlEXCTQfNzpPLo17Lmp7bd2q1 
diff --git a/src/etc/ssh/sshd_public b/src/etc/ssh/sshd_public new file mode 100644 index 00000000..b2ea1eef --- /dev/null +++ b/src/etc/ssh/sshd_public @@ -0,0 +1,9 @@ +ListenAddress ::1 +ListenAddress /PUBLICIP/ +HostKey /etc/ssh/ssh_host_ed25519_key +PermitRootLogin no +PubkeyAuthentication yes +AuthorizedKeysFile /etc/ssh/authorized_keys +PasswordAuthentication no +UseDNS yes +Subsystem sftp /usr/libexec/sftp-server diff --git a/src/etc/sysctl.conf b/src/etc/sysctl.conf index dc88875c..697c403b 100644 --- a/src/etc/sysctl.conf +++ b/src/etc/sysctl.conf @@ -4,3 +4,4 @@ net.inet6.ip6.forwarding=1 net.inet.ipcomp.enable=1 net.inet.gre.allow=1 net.inet6.ip6.multipath=1 + diff --git a/src/home/taglio/.kshrc b/src/home/taglio/.kshrc index ecd5b472..2c17a837 100644 --- a/src/home/taglio/.kshrc +++ b/src/home/taglio/.kshrc @@ -10,7 +10,6 @@ PATH=$HOME/Bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/ PROMPT='$USER@$HOST:$PWD'"$PS1S" PS1=$PROMPT EDITOR=nano -TZ=Europe/Madrid CVSROOT=anoncvs@anoncvs.spacehopper.org:/cvs FTPMODE=passive GPG_TTY=$(tty) diff --git a/src/mikrotik/firewall.rsc b/src/mikrotik/firewall.rsc new file mode 100644 index 00000000..a152777d --- /dev/null +++ b/src/mikrotik/firewall.rsc @@ -0,0 +1,11 @@ +/ip firewall filter + +add action=accept chain=input in-interface=[/interface get [/interface gre find where comment="/HOSTNAME/"] name]; protocol=ospf +add action=accept chain=input dst-port=22 in-interface=[/interface get [/interface gre find where comment="/HOSTNAME/"] name]; protocol=tcp src-address-list=lan + + +/ip firewall mangle + +add action=change-mss chain=postrouting ipsec-policy=out,ipsec new-mss=1300 out-interface=[/interface get [/interface gre find where comment="/HOSTNAME/"] name]; passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!1300-1300 + + diff --git a/src/mikrotik/gre.rsc b/src/mikrotik/gre.rsc new file mode 100644 index 00000000..b0448db7 --- /dev/null +++ b/src/mikrotik/gre.rsc 
@@ -0,0 +1,7 @@ +#Mikrotik POP GRE template site to site OpenBSD + +/interface gre +add comment=/HOSTNAME/ keepalive=5s,2 local-address=45.32.144.15 mtu=1392 remote-address=/PUBLICIP/ + +/ip address +add address=/GREPOPIP//30 interface=[/interface get [/interface gre find where comment="/HOSTNAME/"] name]; diff --git a/src/mikrotik/ipsec.rsc b/src/mikrotik/ipsec.rsc new file mode 100644 index 00000000..0d03b9a7 --- /dev/null +++ b/src/mikrotik/ipsec.rsc @@ -0,0 +1,12 @@ +#Mikrotik POP VPN template site to site OpenBSD + +/ip ipsec peer +add address=/PUBLICIP//32 exchange-mode=ike2 local-address=/POPIP/ name=/HOSTNAME/_ikev2_cert passive=yes profile=NSA-RECOMMENDED + +/ip ipsec identity +add auth-method=digital-signature certificate=/POP/ match-by=certificate peer=/HOSTNAME/_ikev2_cert policy-template-group=group_ikev2_cert remote-certificate=/PUBLICHOST/ remote-id=user-fqdn:/SRCID/@ca./DOMAINNAME/ + +/ip ipsec policy + +add dst-address=/PUBLICIP//32 peer=/HOSTNAME/_ikev2_cert proposal=NSA protocol=gre src-address=/POPIP//32 + diff --git a/src/mikrotik/ospfd.rsc b/src/mikrotik/ospfd.rsc new file mode 100644 index 00000000..0e1cca71 --- /dev/null +++ b/src/mikrotik/ospfd.rsc @@ -0,0 +1,5 @@ +/routing ospf interface +add authentication=md5 authentication-key=/OSPFMD5/ comment=/POPHOSTNAME/-/PUBLICHOSTNAME/ cost=/METRIC/ interface=[/interface get [/interface gre find where comment="/HOSTNAME/"] name] network-type=point-to-point +/routing ospf network +add area=backbone network=/GRENETWORK//30 + diff --git a/src/openbsd/hostname.enc.openbsd b/src/openbsd/hostname.enc.openbsd new file mode 100644 index 00000000..8a8d5f24 --- /dev/null +++ b/src/openbsd/hostname.enc.openbsd @@ -0,0 +1,2 @@ +description "/PUBLICHOST/" +up diff --git a/src/openbsd/hostname.gre.openbsd b/src/openbsd/hostname.gre.openbsd new file mode 100644 index 00000000..28301a47 --- /dev/null +++ b/src/openbsd/hostname.gre.openbsd 
@@ -0,0 +1,6 @@ +description "/PUBLICHOST/" +keepalive 5 2 +mtu 1392 +!ifconfig gre/X/ /GREPOPIP/ /GRELOCALIP/ netmask 0xfffffffc up +!ifconfig gre/X/ tunnel /POPIP/ /PUBLICIP/ + diff --git a/src/openbsd/iked.conf.openbsd b/src/openbsd/iked.conf.openbsd new file mode 100644 index 00000000..b226bc97 --- /dev/null +++ b/src/openbsd/iked.conf.openbsd @@ -0,0 +1,9 @@ +ikev2 "/PUBLICHOST/" /TYPE/ transport \ + proto gre \ + from /POPIP/ to /PUBLICIP/ \ + local /POP/ peer /PUBLICHOST/ \ + ikesa prf hmac-sha2-512 enc aes-256-gcm-12 group brainpool512 \ + childsa enc chacha20-poly1305 group curve25519 \ + srcid "/POPID/@ca./DOMAINNAME/" \ + ikelifetime 86400 lifetime 3600 \ + tag /PUBLICHOST/ tap enc/X/ diff --git a/src/openbsd/ospfd.conf.openbsd b/src/openbsd/ospfd.conf.openbsd new file mode 100644 index 00000000..51195b02 --- /dev/null +++ b/src/openbsd/ospfd.conf.openbsd @@ -0,0 +1,12 @@ + interface gre/X/ { + type p2p + auth-type crypt + auth-md 1 "/OSPFMD5/" + auth-md-keyid 1 + metric /METRIC/ + auth-md-keyid 1 + router-dead-time 40 + hello-interval 10 + retransmit-interval 5 + transmit-delay 1 + } diff --git a/src/openbsd/pf.conf.fintemp.openbsd b/src/openbsd/pf.conf.fintemp.openbsd new file mode 100644 index 00000000..00035ed6 --- /dev/null +++ b/src/openbsd/pf.conf.fintemp.openbsd @@ -0,0 +1,5 @@ +#GRE + +pass out quick on gre proto udp from gre to 172.16.17.106 port {domain, ntp} modulate state +pass out quick on gre proto ospf keep state + diff --git a/src/openbsd/pf.conf.openbsd b/src/openbsd/pf.conf.openbsd new file mode 100644 index 00000000..437ea9ea --- /dev/null +++ b/src/openbsd/pf.conf.openbsd @@ -0,0 +1,2 @@ +pass in quick on enc proto gre from /IPTAGGED/ to $pub tagged /TAGGED/ +pass out quick on enc proto gre from $pub to /IPTAGGED/ tagged /TAGGED/ diff --git a/src/root/Bin/change_endpoint.sh b/src/root/Bin/change_endpoint.sh index f2107810..a7e01c09 100755 --- a/src/root/Bin/change_endpoint.sh +++ b/src/root/Bin/change_endpoint.sh 
@@ -4,7 +4,7 @@ NEWIP=$(dig +short @8.8.8.8 cat-01.hopto.org) OLDIP=$(ifconfig $1 | grep tunnel | cut -d ' ' -f5) echo "updating PF" -sed -i 's/$OLDIP/$NEWIP/g' /etc/pf.conf +sed -i 's/$OLDIP/$NEWIP/g' /etc/{pf.conf,pf.conf.*} pfctl -f /etc/pf.conf echo "updating IKED" sed -i 's/$OLDIP/$NEWIP/g' /etc/iked.conf @@ -13,3 +13,4 @@ echo "updating GRE" sed -i 's/$OLDIP/$NEWIP/g' /etc/hostname.$1 ifconfig $1 destroy sh /etc/netstart $1 + diff --git a/src/root/Bin/pf_disable.sh b/src/root/Bin/pf_disable.sh new file mode 100644 index 00000000..b5012e2d --- /dev/null +++ b/src/root/Bin/pf_disable.sh @@ -0,0 +1,3 @@ +#!/bin/ksh + +pfctl -d diff --git a/src/root/Bin/pf_enable.sh b/src/root/Bin/pf_enable.sh new file mode 100644 index 00000000..9a10cba4 --- /dev/null +++ b/src/root/Bin/pf_enable.sh @@ -0,0 +1,3 @@ +#!/bin/ksh + +pfctl -e diff --git a/src/root/Bin/pf_show_rules.sh b/src/root/Bin/pf_show_rules.sh new file mode 100755 index 00000000..67e5ea8e --- /dev/null +++ b/src/root/Bin/pf_show_rules.sh @@ -0,0 +1,3 @@ +#!/bin/ksh + +pfctl -sr -vv diff --git a/src/usr/local/sbin/remote-install b/src/usr/local/sbin/remote-install new file mode 100644 index 00000000..4d5644f2 --- /dev/null +++ b/src/usr/local/sbin/remote-install 
@@ -0,0 +1,60 @@ +#!/bin/ksh + +ipconnected=$(cat /var/log/authlog | grep Accepted | tail -n 1| awk '{print $11}') +hostconnected=$(dig -x $ipconnected +short @8.8.8.8 | sed 's/.$//') +egressinterface=$(ifconfig egress | cut -d : -f1 | head -n1) +publicip=$(ifconfig $egressinterface | grep inet |grep -v inet6 | cut -d ' ' -f2) +publicnetmask=$(ifconfig $egressinterface | grep inet | grep -v inet6 | awk '{print $4}') +publicbcast=$(ifconfig $egressinterface | grep inet | grep -v inet6 | awk '{print $6}') +publichost=$(dig -x $publicip +short @8.8.8.8 | sed 's/.$//') +domainname=$(print $publichost | sed 's/^[^.]*.//') +defaultv4router=$(route -n show | awk '/default/{print $2}' | head -n 1) +macdefaultv4router=$(arp -an | grep $defaultv4router | awk '{print $2}') +tmpdir=$(mktemp -d) + +cd $tmpdir +wget "http://$hostconnected/$publichost.tar" +wget "http://$hostconnected/$publichost.sha256" +logger "$0: update downloaded from $hostconnected" +tarsha256=$(sha256 "$publichost.tar" | awk '{print $4}') +if [ "$tarsha256" == $(cat "$publichost.sha256") ]; then + tar xvf "$publichost.tar" + cd "$publichost" + install -o root -g wheel -m 0640 hostname.gre? /etc/ + install -o root -g wheel -m 0640 hostname.enc? 
/etc/ + srcid=$(cat iked.conf.$hostconnected | grep srcid | awk '{print $2}' | sed 's/"//g' | cut -d @ -f1) + sed -i "s/$srcid/$(hostname -s)/" iked.conf.* + vpnc_host=$(ls iked.conf.* | sed 's/iked.conf.//') + if [[ $(grep -c $vpnc_host /etc/iked.conf) -eq 0 ]]; then + echo include \"/etc/iked.conf.$vpnc_host\" >> /etc/iked.conf + fi + #if [[ $(grep -c $vpnc_host /etc/pf.conf.macro.enc.in) -eq 0 ]]; then + # echo "pass in quick on enc proto gre from $ipconnected to \$pub tagged $vpnc_host" >> /etc/pf.conf.macro.enc.in + # pfctl -f /etc/pf.conf + #fi + #if [[ $(grep -c $vpnc_host /etc/pf.conf.macro.enc.out) -eq 0 ]]; then + # echo "pass out quick on enc proto gre from \$pub to $ipconnected tagged $vpnc_host" >> /etc/pf.conf.macro.enc.out + # pfctl -f /etc/pf.conf + #fi + greinterface=$(ls hostname.gre? | sed 's/hostname.//') + encinterface=$(ls hostname.enc? | sed 's/hostname.//') + sh /etc/netstart $greinterface + sh /etc/netstart $encinterface + if [[ $(grep -c $greinterface /etc/ospfd.conf) -ne 1 ]]; then + sed -i '$d' /etc/ospfd.conf + cat ospfd.conf >> /etc/ospfd.conf + echo "}" >> /etc/ospfd.conf + fi + mv iked.conf.* /etc + chown root:wheel /etc/iked.conf.* + chmod go-rwx /etc/iked.conf.* + iked -n + rcctl restart iked + rcctl restart ospfd + +else + logger "$0: sha256 failed from $publichost.tar" +fi + + + diff --git a/src/usr/local/share/geoip/GeoIP.dat.gz b/src/usr/local/share/geoip/GeoIP.dat.gz new file mode 100644 index 00000000..4ad2da62 Binary files /dev/null and b/src/usr/local/share/geoip/GeoIP.dat.gz differ diff --git a/src/usr/local/share/geoip/GeoIPASNum.dat.gz b/src/usr/local/share/geoip/GeoIPASNum.dat.gz new file mode 100644 index 00000000..f0ca199d Binary files /dev/null and b/src/usr/local/share/geoip/GeoIPASNum.dat.gz differ 
diff --git a/src/usr/local/share/geoip/GeoIPASNum2.zip b/src/usr/local/share/geoip/GeoIPASNum2.zip new file mode 100644 index 00000000..d6b19a82 Binary files /dev/null and b/src/usr/local/share/geoip/GeoIPASNum2.zip differ diff --git a/src/usr/local/share/geoip/GeoIPASNum2v6.zip b/src/usr/local/share/geoip/GeoIPASNum2v6.zip new file mode 100644 index 00000000..5f99ab40 Binary files /dev/null and b/src/usr/local/share/geoip/GeoIPASNum2v6.zip differ diff --git a/src/usr/local/share/geoip/GeoIPASNumv6.dat.gz b/src/usr/local/share/geoip/GeoIPASNumv6.dat.gz new file mode 100644 index 00000000..e9e5dff4 Binary files /dev/null and b/src/usr/local/share/geoip/GeoIPASNumv6.dat.gz differ diff --git a/src/usr/local/share/geoip/GeoIPCountryCSV.zip b/src/usr/local/share/geoip/GeoIPCountryCSV.zip new file mode 100644 index 00000000..4d76319f Binary files /dev/null and b/src/usr/local/share/geoip/GeoIPCountryCSV.zip differ diff --git a/src/usr/local/share/geoip/GeoIPv6.csv.gz b/src/usr/local/share/geoip/GeoIPv6.csv.gz new file mode 100644 index 00000000..5d979e21 Binary files /dev/null and b/src/usr/local/share/geoip/GeoIPv6.csv.gz differ diff --git a/src/usr/local/share/geoip/GeoIPv6.dat.gz b/src/usr/local/share/geoip/GeoIPv6.dat.gz new file mode 100644 index 00000000..ef848940 Binary files /dev/null and b/src/usr/local/share/geoip/GeoIPv6.dat.gz differ diff --git a/src/usr/local/share/geoip/GeoLiteCity-latest.zip b/src/usr/local/share/geoip/GeoLiteCity-latest.zip new file mode 100644 index 00000000..7949f7e7 Binary files /dev/null and b/src/usr/local/share/geoip/GeoLiteCity-latest.zip differ diff --git a/src/usr/local/share/geoip/GeoLiteCityv6.csv.gz b/src/usr/local/share/geoip/GeoLiteCityv6.csv.gz new file mode 100644 index 00000000..36453924 Binary files /dev/null and b/src/usr/local/share/geoip/GeoLiteCityv6.csv.gz differ 
diff --git a/src/usr/local/share/geoip/GeoLiteCityv6.dat.gz b/src/usr/local/share/geoip/GeoLiteCityv6.dat.gz new file mode 100644 index 00000000..e8c817fd Binary files /dev/null and b/src/usr/local/share/geoip/GeoLiteCityv6.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind.dat.gz b/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind.dat.gz new file mode 100644 index 00000000..0494c203 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind4.dat.gz b/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind4.dat.gz new file mode 100644 index 00000000..06343fc9 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind4.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind6.dat.gz b/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind6.dat.gz new file mode 100644 index 00000000..d189489c Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/ASN/maxmind6.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip.dat.gz b/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip.dat.gz new file mode 100644 index 00000000..4f4be8c8 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip4.dat.gz b/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip4.dat.gz new file mode 100644 index 00000000..1e7c26b1 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip4.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip6.dat.gz b/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip6.dat.gz new file mode 100644 index 00000000..2ed8c4c5 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/DB-IP-city/dbip6.dat.gz differ 
diff --git a/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip.dat.gz b/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip.dat.gz new file mode 100644 index 00000000..dca242cd Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip4.dat.gz b/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip4.dat.gz new file mode 100644 index 00000000..2d123963 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip4.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip6.dat.gz b/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip6.dat.gz new file mode 100644 index 00000000..93168345 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/DB-IP-country/dbip6.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/city/maxmind.dat.gz b/src/usr/local/share/geoip/miyuru.lk/city/maxmind.dat.gz new file mode 100644 index 00000000..29c0f623 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/city/maxmind.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/city/maxmind4.dat.gz b/src/usr/local/share/geoip/miyuru.lk/city/maxmind4.dat.gz new file mode 100644 index 00000000..13061523 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/city/maxmind4.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/city/maxmind4_piwik.dat.gz b/src/usr/local/share/geoip/miyuru.lk/city/maxmind4_piwik.dat.gz new file mode 100644 index 00000000..1708dfc2 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/city/maxmind4_piwik.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/city/maxmind6.dat.gz b/src/usr/local/share/geoip/miyuru.lk/city/maxmind6.dat.gz new file mode 100644 index 00000000..ead94b84 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/city/maxmind6.dat.gz differ 
diff --git a/src/usr/local/share/geoip/miyuru.lk/country/maxmind.dat.gz b/src/usr/local/share/geoip/miyuru.lk/country/maxmind.dat.gz new file mode 100644 index 00000000..9d18ba5d Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/country/maxmind.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/country/maxmind4.dat.gz b/src/usr/local/share/geoip/miyuru.lk/country/maxmind4.dat.gz new file mode 100644 index 00000000..83bef46e Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/country/maxmind4.dat.gz differ diff --git a/src/usr/local/share/geoip/miyuru.lk/country/maxmind6.dat.gz b/src/usr/local/share/geoip/miyuru.lk/country/maxmind6.dat.gz new file mode 100644 index 00000000..ead94b84 Binary files /dev/null and b/src/usr/local/share/geoip/miyuru.lk/country/maxmind6.dat.gz differ diff --git a/src/var/unbound/db/root.key b/src/var/unbound/db/root.key new file mode 100644 index 00000000..e292b5a7 --- /dev/null +++ b/src/var/unbound/db/root.key @@ -0,0 +1 @@ +. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D diff --git a/src/var/unbound/etc/unbound.conf b/src/var/unbound/etc/unbound.conf index 1b56c777..775e39e2 100644 --- a/src/var/unbound/etc/unbound.conf +++ b/src/var/unbound/etc/unbound.conf @@ -24,7 +24,7 @@ server: rrset-roundrobin: yes minimal-responses: yes val-log-level: 1 - tls-cert-bundle: "/var/unbound/etc/ca-certificates.crt" + tls-cert-bundle: "/var/unbound/db/ca-certificates.crt" do-not-query-localhost: no private-domain: "telecom.lobby" private-domain: "13.168.192.in-addr.arpa"
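Review bot: in the src/etc/ssh/ssh_config hunk, the new `Host *.telecomlobby.com` block sets `User root` while the sshd_public file added in the same patch sets `PermitRootLogin no`, and it carries no `Port` line even though every new ssh_known_hosts entry is keyed `[host]:31137`; a default-port connection will therefore never match those entries and will prompt for trust-on-first-use again. Add `Port 31137` to the block, and either drop `User root` or state in the README that the :31137 listener is a separate sshd instance that does permit root.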
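Review bot: in the src/etc/ssh/ssh_known_hosts hunk, `uk.telecomlobby.com` and `us.telecomlobby.com` carry the identical ed25519 host key (`AAAAC3NzaC1lZDI1NTE5AAAAIKugDXoBFKt69t3O97KHh4yEKEBZ6PMW+iLs40aRjN2A`, the same key the removed `155.138.247.27` entry had), which means two hosts share one host key, typically because the VPS image was cloned; the client cannot tell them apart and a compromise of one host's key covers both. Regenerate distinct keys on one of them (remove /etc/ssh/ssh_host_* and run `ssh-keygen -A`) and update the entry. The `# host:31137 SSH-2.0-OpenSSH_8.6` comment lines are ssh-keyscan output, so these keys were collected over the network; record the fingerprints checked on the console or over the IPsec path so the next person can verify the file rather than re-trust it.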
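Review bot: in the new src/etc/ssh/sshd_public file, the single global `AuthorizedKeysFile /etc/ssh/authorized_keys` means every key in that one file authenticates every account sshd allows; pair it with an `AllowUsers` line or keep per-user files so one key cannot log in as any user. `UseDNS yes` only matters when `from=` restrictions use hostnames and otherwise adds a reverse lookup to every login (the default is no). There is also no `Port 31137` here, so nothing in the patch explains the port the known_hosts entries use, and `ListenAddress ::1` plus `ListenAddress /PUBLICIP/` leaves no public IPv6 listener; say which of these is intended.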
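Review bot: in the new src/mikrotik/firewall.rsc, the `;` after `name]` in each `add` line is a command separator in RouterOS scripting, so `protocol=ospf` and `protocol=tcp src-address-list=lan` are parsed as separate commands rather than as matchers of the rule: the first filter rule would then accept all input on the GRE interface instead of OSPF only, and the second would be rejected because `dst-port` requires `protocol`. The same applies to the mangle rule. Drop the semicolons and confirm with `/ip firewall filter print` that `protocol=ospf` appears on the rule after import.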
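Review bot: in the new src/mikrotik/gre.rsc, `local-address=45.32.144.15` is a hardcoded address in a file where every other site-specific value is a placeholder, and src/mikrotik/ipsec.rsc uses `/POPIP/` for the same role; use `/POPIP/` here as well, otherwise a second POP built from this template sources its GRE tunnel from the first POP's address and the IPsec policy (which matches `src-address=/POPIP//32`) never covers it.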
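Review bot: in the new src/mikrotik/ipsec.rsc, `profile=NSA-RECOMMENDED`, `proposal=NSA` and `policy-template-group=group_ikev2_cert` are referenced but not created by this script or anywhere else in the patch, so importing it on a fresh POP fails; add the `/ip ipsec profile` and `/ip ipsec proposal` lines or document them as prerequisites, and state that the profile and proposal offer the same algorithms the OpenBSD iked.conf template asks for (aes-256-gcm with brainpool512 for the IKE SA, chacha20-poly1305 with curve25519 for the child SA), since a mismatch there is the first thing that will break. The placeholder in `remote-id=user-fqdn:/SRCID/@ca./DOMAINNAME/` is named `/SRCID/` while the iked.conf side calls the same identity `/POPID/`; one name for one value makes the generator easier to check.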
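Review bot: in the new src/openbsd/hostname.gre.openbsd, the two `!ifconfig gre/X/ ...` lines can be written as plain `inet` and `tunnel` lines, because hostname.if(5) passes lines it does not recognise to ifconfig(8) for that interface; that removes two of the `/X/` substitutions from the body and lets netstart(8) apply them in order with the `mtu` and `keepalive` lines above them.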
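Review bot: in the new src/openbsd/iked.conf.openbsd, the `/TYPE/` placeholder is coupled to `passive=yes` in the MikroTik peer definition: the POP never initiates, so this side must be generated as `active` or the tunnel never comes up; note that next to the placeholder. The flow is also written from the POP's point of view (`from /POPIP/ to /PUBLICIP/`, `local /POP/ peer /PUBLICHOST/`, `srcid "/POPID/@..."`) while remote-install installs the file on the /PUBLICHOST/ side and rewrites only `srcid`; say where the other fields are swapped, because as committed the two halves do not describe the same endpoint.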
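Review bot: in the new src/openbsd/ospfd.conf.openbsd, `auth-md-keyid 1` appears twice inside the interface block; drop the duplicate. The fragment opens with `interface gre/X/ {` and closes with `}` but is meant to be pasted inside an existing `area` block (remote-install deletes the last line of /etc/ospfd.conf, appends this file and re-adds `}`), so a one-line comment at the top stating that assumption would save the next reader from treating it as a complete ospfd.conf.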
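Review bot: in the new src/openbsd/pf.conf.fintemp.openbsd, `172.16.17.106` is a hardcoded address in a template whose other values are placeholders; make it one. `modulate state` is TCP-only and pf treats it as `keep state` for UDP, so write `keep state` on the domain/ntp rule to say what the rule actually does.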
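Review bot: in the src/root/Bin/change_endpoint.sh hunk, the changed line `sed -i 's/$OLDIP/$NEWIP/g' /etc/{pf.conf,pf.conf.*}` keeps the single quotes, so `$OLDIP` and `$NEWIP` are passed to sed literally and the substitution never matches; the unchanged iked.conf and hostname.$1 lines in the context have the same defect. Use double quotes, escape the dots in `$OLDIP` (each is a regex wildcard otherwise), and exit early when `$NEWIP` is empty or equal to `$OLDIP`, because with the quoting fixed a failed `dig` would turn the substitution into `s/old//g` and blank the address out of pf.conf, iked.conf and the hostname file. Since `NEWIP` comes from `dig +short @8.8.8.8`, an unauthenticated answer drives all three rewrites; resolve through the local validating unbound this repository configures instead.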
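Review bot: the new src/root/Bin/pf_disable.sh and pf_enable.sh are committed with mode 100644 while pf_show_rules.sh is 100755; mark the first two executable too, or they cannot be run by name from $HOME/Bin as the .kshrc PATH intends.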
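Review bot: the sha256 check in the new src/usr/local/sbin/remote-install gives integrity but no authenticity: `$publichost.tar` and `$publichost.sha256` are both fetched over plain HTTP from the same `$hostconnected`, which is itself derived from the last `Accepted` line in /var/log/authlog plus a reverse lookup at 8.8.8.8, so whoever serves the tarball also serves the digest and the check cannot fail for them. Sign the tarball with signify(1) on the POP and verify against a POP public key installed beforehand, and fetch from the peer's address over the GRE/IPsec path rather than from an unauthenticated PTR name. Smaller points in the same hunk: `[ "$tarsha256" == $(cat "$publichost.sha256") ]` is a syntax error when the .sha256 file is empty, so quote the right-hand side, and it only matches when the file holds the bare digest (sha256(1) prints `SHA256 (file) = digest` unless run with `-q`, so generate it with `sha256 -q`); `iked -n` is run but its exit status is ignored before `rcctl restart iked`, so a bad include takes iked down (`iked -n && rcctl restart iked`); `sed -i '$d' /etc/ospfd.conf` assumes the file's last line is the area's closing brace, which a trailing blank line breaks; the commented-out pf blocks mean nothing adds the per-peer `pass ... tagged` rules, so say where those come from; `wget` is not in OpenBSD base (ftp(1) is); and `$tmpdir` is never removed.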
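Review bot: the twenty-odd binary GeoIP databases added under src/usr/local/share/geoip/ carry no source, date or licence note, so nobody can tell how stale they are or whether redistribution is permitted, and they permanently enlarge the repository's history. Add a small text file recording the download URL, date and licence next to them, or fetch them at install time instead of vendoring them.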
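Review bot: the new src/var/unbound/db/root.key holds the root zone DS for key tag 20326 (algorithm 8, digest type 2), which is the current root KSK, so the value is right; note in the README that when unbound.conf points `auto-trust-anchor-file` at this path, unbound rewrites the file in place with RFC 5011 state, so the committed copy is only the initial anchor and will diverge from what is on disk.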
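Review bot: the src/var/unbound/etc/unbound.conf hunk moves `tls-cert-bundle` to "/var/unbound/db/ca-certificates.crt" but the patch adds no file at that path; document the copy from the system CA bundle (/etc/ssl/cert.pem on OpenBSD) and how it is kept current, since any TLS upstream configured in the rest of the file will fail certificate validation against a missing or stale bundle.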