Altes Script - Let's Encrypt für IKEv2 und LuCI-SSL

ACHTUNG: LuCI ist auf der WAN-Seite erreichbar.

 

LEDE TP-Link TL-WR1043N Firmware
================================
https://downloads.lede-project.org/snapshots/targets/ar71xx/generic/

Reset to factory
================

mount_root
mtd -r erase rootfs_data
reboot -f


--> Download and flash newest firmware

install-1.sh
==========

#!/bin/bash

#Change root-password
#====================
passwd


#SSH on WAN port 22000
#=====================
uci set dropbear.@dropbear[0].Port=22000
uci commit dropbear
/etc/init.d/dropbear reload

uci add firewall rule
uci set firewall.@rule[-1].name=Allow-Inbound-SSH
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].dest_port=22000
uci set firewall.@rule[-1].enabled=1
uci commit firewall
/etc/init.d/firewall reload

printf '\n\n Set SSH WAN port to 22000 \n\n'

#https://forum.openwrt.org/viewtopic.php?id=50840


#Update opkg
#===========
opkg update


#Install and enable LUCI
#=======================
opkg install luci-ssl

/etc/init.d/uhttpd start
/etc/init.d/uhttpd enable

#https://wiki.openwrt.org/doc/howto/luci.essentials#configuration

printf '\n\n LUCI installed \n\n'




LAN, WAN & WLAN config over LUCI: https://192.168.1.1
===========================



-> port 80 has to be reachable from web for letsencrypt

install-2.sh
==========

#!/bin/bash

DOMAIN=lede.example.com ## this domain must actually point to your router
VPN_USERNAME=kirchberger
VPN_PASSWORD=klosterTest123!

#Update opkg
#===========
opkg update

#Install letsencrypt
#===================
opkg install curl ca-certificates ca-bundle openssl-util

uci set uhttpd.main.redirect_https=0
##add https firewall rule
uci set firewall.https=rule
uci set firewall.https.target=ACCEPT
uci set firewall.https.src=wan
uci set firewall.https.proto=tcp
uci set firewall.https.dest_port=443
uci set firewall.https.name='https web configuration'
##add http firewall rule
uci set firewall.http=rule
uci set firewall.http.target=ACCEPT
uci set firewall.http.src=wan
uci set firewall.http.proto=tcp
uci set firewall.http.dest_port=80
uci set firewall.http.name='http web configuration'
uci commit
/etc/init.d/firewall reload
/etc/init.d/uhttpd reload

#https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-OpenWRT
#https://forum.openwrt.org/viewtopic.php?id=65090

curl https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh > acme.sh
chmod a+x "acme.sh"
./acme.sh --install
./acme.sh --issue -d $DOMAIN -w /www

printf '\n\n Letsencrypt installed \n\n'


cp /root/.acme.sh/$DOMAIN/$DOMAIN.key /etc/uhttpd.key
cp /root/.acme.sh/$DOMAIN/$DOMAIN.cer /etc/uhttpd.crt

uci set firewall.http.enabled=0
uci commit
/etc/init.d/uhttpd reload

printf '\n\n Letsencrypt cert installed for LUCI \n\n'


#strongswan IKEv2 VPN
#====================
opkg install strongswan-full

rm /etc/ipsec.d/certs/fullchain.pem
rm /etc/ipsec.d/private/privkey.pem
rm /etc/ipsec.d/cacerts/chain.pem

ln -s /root/.acme.sh/$DOMAIN/fullchain.cer /etc/ipsec.d/certs/fullchain.pem
ln -s /root/.acme.sh/$DOMAIN/$DOMAIN.key /etc/ipsec.d/private/privkey.pem
ln -s /root/.acme.sh/$DOMAIN/ca.cer /etc/ipsec.d/cacerts/chain.pem

#uci set firewall.esp=rule
#uci set firewall.esp.target=ACCEPT
#uci set firewall.esp.src=wan
#uci set firewall.esp.proto=esp
#uci set firewall.esp.name='IPSec ESP'

uci set firewall.esp=rule
uci set firewall.esp.target=ACCEPT
uci set firewall.esp.src=wan
uci set firewall.esp.proto=ah
uci set firewall.esp.name='IPSec AH'

uci set firewall.ike=rule
uci set firewall.ike.target=ACCEPT
uci set firewall.ike.src=wan
uci set firewall.ike.proto=udp
uci set firewall.ike.dest_port=500
uci set firewall.ike.name='IPSec ESP IKE'

uci set firewall.nat_t=rule
uci set firewall.nat_t.target=ACCEPT
uci set firewall.nat_t.src=wan
uci set firewall.nat_t.proto=udp
uci set firewall.nat_t.dest_port=4500
uci set firewall.nat_t.name='IPSec NAT-T'

uci commit
/etc/init.d/firewall restart

#https://forum.openwrt.org/viewtopic.php?id=52661

echo "config setup
uniqueids=no
# charondebug = ike 3, cfg 3

conn %default
dpdaction=clear
dpddelay=35s
dpdtimeout=2000s

keyexchange=ikev2
ike=aes256-sha1-modp1024,aes256-sha256-modp2048! # For Windows7/10: aes256-sha1-modp1024, For Apple Mac & iOS: aes256-sha256-modp2048
auto=add
rekey=no
reauth=no
fragmentation=yes
compress=yes

### left - local (server) side
# filename of certificate chain located in /etc/strongswan/ipsec.d/certs/
leftcert=fullchain.pem
leftsendcert=always
leftsubnet=0.0.0.0/0,::/0
leftfirewall=yes

### right - remote (client) side
eap_identity=%identity
rightsourceip=10.1.1.0/24,2a00:1450:400c:c05::/112
rightdns=8.8.8.8,2001:4860:4860::8888

conn ikev2-mschapv2
rightauth=eap-mschapv2

conn ikev2-mschapv2-apple
rightauth=eap-mschapv2
leftid=$DOMAIN
" > /etc/ipsec.conf


echo "# filename of private key located in /etc/strongswan/ipsec.d/private/
: RSA privkey.pem

# syntax is \`username : EAP \"plaintextpassword\"\`
$VPN_USERNAME : EAP \"$VPN_PASSWORD\"
" > /etc/ipsec.secrets

ipsec restart

# config from
# https://adamroe.me/blog/strongswan-letsencrypt-rhel-centos

printf '\n\n Strongswan VPN installed and cert links set \n\n'

# log ipsec
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration


echo "#!/bin/sh
DOMAIN=$DOMAIN ## this domain must actually point to your router

uci set firewall.http.enabled=1
uci commit firewall
/etc/init.d/firewall reload
\"/root/.acme.sh\"/acme.sh --cron --home \"/root/.acme.sh\"
uci set firewall.http.enabled=0
uci commit firewall
/etc/init.d/firewall reload

cp /root/.acme.sh/\$DOMAIN/\$DOMAIN.key /etc/uhttpd.key
cp /root/.acme.sh/\$DOMAIN/\$DOMAIN.cer /etc/uhttpd.crt

/etc/init.d/uhttpd restart
ipsec reload
" > /etc/cert-update-script.sh

chmod a+x /etc/cert-update-script.sh


printf '\n\n END SCRIPT \n\n'

exit

 

*******************************************************************

Replace crontab -e with:
========================

###################################################################
#minute (0-59), #
#| hour (0-23), #
#| | day of the month (1-31), #
#| | | month of the year (1-12), #
#| | | | day of the week (0-6 with 0=Sunday)#
#| | | | | commands #
###################################################################

57 0 * * * sh /etc/cert-update-script.sh >> /var/log/cert-update-script.log

 

Kommentare

Bitte rechnen Sie 7 plus 4.