Altes Script - Let's Encrypt für IKEv2 und LuCI-SSL
ACHTUNG: LuCI ist über die Firewall-Regel `firewall.https` (TCP 443, siehe install-2.sh) von der WAN-Seite erreichbar – das Web-Interface hängt damit nur hinter dem root-Passwort im Internet. Let's Encrypt braucht diese Regel nicht (nur Port 80 während der Ausstellung); wer keine Administration aus dem Internet will, lässt die Regel weg und erreicht LuCI über das VPN oder einen SSH-Tunnel.
LEDE TP-Link TL-WR1043N Firmware
================================
https://downloads.lede-project.org/snapshots/targets/ar71xx/generic/ (daily snapshot builds, not a tagged release; LuCI is not included, install-1.sh adds it. Check the image against the sha256sums file in the same directory before flashing.)
Reset to factory
================
mount_root
# Wipes the rootfs_data (overlay) partition, i.e. all settings; this is the
# factory reset. -r makes mtd reboot on its own after a successful erase.
mtd -r erase rootfs_data
# Only reached if mtd did not reboot; forces the reboot without a clean shutdown.
reboot -f
--> Download and flash newest firmware
install-1.sh
==========
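#!/bin/sh
# install-1.sh — first bootstrap of a freshly flashed LEDE router.
# Run interactively as root over SSH; it prompts for the new root password.
# Uses /bin/sh (BusyBox ash): LEDE does not ship bash by default and nothing
# below needs it. Aborts on the first failing command.
set -eu

# Change root password
# ====================
# A fresh image has no root password at all, so this comes first.
passwd

# SSH on WAN, port 22000
# ======================
# NOTE(review): this exposes dropbear to the internet with password
# authentication still enabled; a non-standard port hides nothing from a
# scanner. Once a key is installed in /etc/dropbear/authorized_keys, also run
#   uci set dropbear.@dropbear[0].PasswordAuth=off
#   uci set dropbear.@dropbear[0].RootPasswordAuth=off
#   uci commit dropbear && /etc/init.d/dropbear reload
# (not done here, because it would lock you out before a key exists).
uci set dropbear.@dropbear[0].Port=22000
uci commit dropbear
/etc/init.d/dropbear reload

uci add firewall rule
uci set firewall.@rule[-1].name=Allow-Inbound-SSH
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].dest_port=22000
uci set firewall.@rule[-1].enabled=1
uci commit firewall
/etc/init.d/firewall reload
printf '\n\n Set SSH WAN port to 22000 \n\n'
# https://forum.openwrt.org/viewtopic.php?id=50840

# Update opkg
# ===========
opkg update

# Install and enable LuCI (HTTPS variant)
# =======================================
# luci-ssl brings uhttpd with a locally generated certificate; install-2.sh
# later replaces /etc/uhttpd.crt and /etc/uhttpd.key with a Let's Encrypt one.
opkg install luci-ssl
/etc/init.d/uhttpd start
/etc/init.d/uhttpd enable
# https://wiki.openwrt.org/doc/howto/luci.essentials#configuration
printf '\n\n LUCI installed \n\n'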
LAN, WAN & WLAN config over LUCI: https://192.168.1.1
===========================
-> Port 80 has to be reachable from the internet while install-2.sh runs acme.sh (Let's Encrypt HTTP-01 challenge). The script opens the `firewall.http` rule for that and disables it again right after issuance; the renewal script re-opens it briefly once a day.
install-2.sh
==========
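#!/bin/sh
# install-2.sh — second stage: Let's Encrypt certificate for LuCI and a
# strongSwan IKEv2 (EAP-MSCHAPv2) VPN that reuses the same certificate.
#
# Prerequisites:
#   - install-1.sh has run (LuCI/uhttpd installed, router reachable on WAN).
#   - $DOMAIN resolves to this router's public address.
#   - Port 80 must be reachable from the internet while acme.sh runs
#     (HTTP-01 challenge); the rule is opened here and closed after issuance.
#   - Runs as root (acme.sh installs into /root/.acme.sh).
#
# Configuration comes from the environment so that no secret lives in this
# file (the original hard-coded the VPN password here):
#   DOMAIN        FQDN of the router              (default: lede.example.com)
#   VPN_USERNAME  EAP user name                   (default: kirchberger)
#   VPN_PASSWORD  EAP password                    (required, no default)
#   VPN_POOL4     IPv4 pool handed to VPN clients (default: 10.1.1.0/24)
#   VPN_POOL6     IPv6 pool handed to VPN clients (default: none)
# Example:  VPN_PASSWORD='...' DOMAIN=vpn.example.org sh install-2.sh
set -eu

die() { printf 'install-2.sh: %s\n' "$*" >&2; exit 1; }

DOMAIN=${DOMAIN:-lede.example.com}  ## this domain must actually point to your router
VPN_USERNAME=${VPN_USERNAME:-kirchberger}
: "${VPN_PASSWORD:?set VPN_PASSWORD in the environment (it is written to /etc/ipsec.secrets)}"
VPN_POOL4=${VPN_POOL4:-10.1.1.0/24}
# NOTE(review): the original default here was 2a00:1450:400c:c05::/112, which
# lies in 2a00:1450::/32 — address space allocated to Google, not to this
# router — so clients would have been handed addresses nothing routes back
# here. Set VPN_POOL6 to a prefix from your own delegated range (or a ULA);
# with it unset, only the IPv4 pool is configured.
VPN_POOL6=${VPN_POOL6:-}
ACME_HOME=/root/.acme.sh

# ipsec.secrets quotes the password with double quotes; a quote inside would
# break the file syntax, so refuse it up front.
case $VPN_PASSWORD in
  *\"*) die 'VPN_PASSWORD must not contain a double quote (ipsec.secrets syntax)' ;;
esac

RIGHTSOURCEIP=$VPN_POOL4
if [ -n "$VPN_POOL6" ]; then
  RIGHTSOURCEIP="$RIGHTSOURCEIP,$VPN_POOL6"
fi

# Update opkg
# ===========
opkg update

# Install letsencrypt prerequisites
# =================================
# ca-certificates/ca-bundle must be installed BEFORE the curl download below,
# otherwise curl cannot verify raw.githubusercontent.com.
opkg install curl ca-certificates ca-bundle openssl-util

# Plain HTTP must be served (not redirected) while the HTTP-01 challenge
# runs; it is switched back to redirect after issuance.
uci set uhttpd.main.redirect_https=0

## https firewall rule — this is what makes LuCI reachable from the WAN side.
# NOTE(review): Let's Encrypt does not need 443 open. If you do not want to
# administer the router from the internet, drop this rule and reach LuCI
# through the VPN or an SSH tunnel instead.
uci set firewall.https=rule
uci set firewall.https.target=ACCEPT
uci set firewall.https.src=wan
uci set firewall.https.proto=tcp
uci set firewall.https.dest_port=443
uci set firewall.https.name='https web configuration'
## http firewall rule — only enabled while acme.sh runs
uci set firewall.http=rule
uci set firewall.http.target=ACCEPT
uci set firewall.http.src=wan
uci set firewall.http.proto=tcp
uci set firewall.http.dest_port=80
uci set firewall.http.name='http web configuration'
uci commit
/etc/init.d/firewall reload
/etc/init.d/uhttpd reload

# https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-OpenWRT
# https://forum.openwrt.org/viewtopic.php?id=65090
# -f makes curl fail (and set -e abort) on an HTTP error instead of saving the
# error page as acme.sh and then executing it.
# NOTE(review): this downloads the unpinned master branch and runs it as
# root; pin a release tag and/or verify a checksum if this script is reused.
curl -fsSL -o acme.sh https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
chmod 700 acme.sh
./acme.sh --install
# With set -e a failed issuance stops here instead of copying files that
# do not exist.
./acme.sh --issue -d "$DOMAIN" -w /www
printf '\n\n Letsencrypt installed \n\n'

# Hand the certificate to uhttpd (the default cert/key paths of luci-ssl).
# The key is forced to 0600 regardless of what cp preserved.
cp "$ACME_HOME/$DOMAIN/$DOMAIN.key" /etc/uhttpd.key
cp "$ACME_HOME/$DOMAIN/$DOMAIN.cer" /etc/uhttpd.crt
chmod 600 /etc/uhttpd.key
# Close port 80 again and restore the HTTPS redirect now that the challenge
# is over. The original committed the rule change without reloading the
# firewall, so port 80 stayed open until the ipsec rules were applied below.
# Let's Encrypt follows redirects on HTTP-01 and does not validate the TLS
# certificate at the target, so the redirect does not break renewals; if a
# renewal ever fails, set redirect_https back to 0 as a first check.
uci set firewall.http.enabled=0
uci set uhttpd.main.redirect_https=1
uci commit
/etc/init.d/firewall reload
/etc/init.d/uhttpd reload
printf '\n\n Letsencrypt cert installed for LUCI \n\n'

# strongSwan IKEv2 VPN
# ====================
opkg install strongswan-full
# Point strongSwan at the acme.sh files so renewals are picked up without
# copying (assumes charon runs as root and can read /root/.acme.sh — true
# for the LEDE package; -f so a missing file does not abort the script).
rm -f /etc/ipsec.d/certs/fullchain.pem /etc/ipsec.d/private/privkey.pem /etc/ipsec.d/cacerts/chain.pem
ln -s "$ACME_HOME/$DOMAIN/fullchain.cer" /etc/ipsec.d/certs/fullchain.pem
ln -s "$ACME_HOME/$DOMAIN/$DOMAIN.key" /etc/ipsec.d/private/privkey.pem
ln -s "$ACME_HOME/$DOMAIN/ca.cer" /etc/ipsec.d/cacerts/chain.pem

# IKEv2 needs UDP/500 (IKE), UDP/4500 (NAT-T, which also carries ESP for
# clients behind NAT) and IP protocol 50 (ESP) for clients that are NOT
# behind NAT. The original had replaced the ESP rule with AH (protocol 51),
# which this configuration never negotiates, so un-NATed clients would likely
# complete IKE and then pass no traffic. The protocol is given numerically in
# case /etc/protocols on the image lacks the "esp" name.
uci set firewall.esp=rule
uci set firewall.esp.target=ACCEPT
uci set firewall.esp.src=wan
uci set firewall.esp.proto=50
uci set firewall.esp.name='IPSec ESP'
uci set firewall.ike=rule
uci set firewall.ike.target=ACCEPT
uci set firewall.ike.src=wan
uci set firewall.ike.proto=udp
uci set firewall.ike.dest_port=500
uci set firewall.ike.name='IPSec ESP IKE'
uci set firewall.nat_t=rule
uci set firewall.nat_t.target=ACCEPT
uci set firewall.nat_t.src=wan
uci set firewall.nat_t.proto=udp
uci set firewall.nat_t.dest_port=4500
uci set firewall.nat_t.name='IPSec NAT-T'
uci commit
/etc/init.d/firewall restart

# https://forum.openwrt.org/viewtopic.php?id=52661
# Parameter lines inside a section are indented: ipsec.conf requires them to
# start with whitespace.
cat > /etc/ipsec.conf <<EOF
config setup
    uniqueids=no
    # charondebug = ike 3, cfg 3

conn %default
    dpdaction=clear
    dpddelay=35s
    dpdtimeout=2000s
    keyexchange=ikev2
    # For Windows 7/10: aes256-sha1-modp1024; for Apple macOS & iOS: aes256-sha256-modp2048.
    # NOTE(review): modp1024 (DH group 2) and SHA-1 are weak and are only kept
    # for Windows' default proposal. Windows negotiates modp2048 once the
    # NegotiateDH2048_AES256 registry value is set on the client; after that
    # the first proposal should be removed.
    ike=aes256-sha1-modp1024,aes256-sha256-modp2048!
    auto=add
    rekey=no
    reauth=no
    fragmentation=yes
    compress=yes
    ### left - local (server) side
    # filename of certificate chain located in /etc/ipsec.d/certs/
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    leftfirewall=yes
    ### right - remote (client) side
    eap_identity=%identity
    rightsourceip=$RIGHTSOURCEIP
    # Google public resolvers; change if you run your own.
    rightdns=8.8.8.8,2001:4860:4860::8888

conn ikev2-mschapv2
    rightauth=eap-mschapv2

conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid=$DOMAIN
EOF

# EAP-MSCHAPv2 needs the password in clear text, hence the 0600 on the file.
cat > /etc/ipsec.secrets <<EOF
# filename of private key located in /etc/ipsec.d/private/
: RSA privkey.pem
# syntax is   username : EAP "plaintextpassword"
$VPN_USERNAME : EAP "$VPN_PASSWORD"
EOF
chmod 600 /etc/ipsec.secrets
ipsec restart
# config from
# https://adamroe.me/blog/strongswan-letsencrypt-rhel-centos
printf '\n\n Strongswan VPN installed and cert links set \n\n'

# log ipsec
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

# Daily renewal hook, run from cron (see the crontab entry on this page).
# acme.sh --cron only renews when the certificate is near expiry; the copies
# and restarts below run every day regardless, which is harmless.
# The body is a quoted heredoc (no expansion at generation time); only the
# DOMAIN line is expanded here, via printf.
{
  printf '#!/bin/sh\n'
  printf 'DOMAIN=%s  ## this domain must actually point to your router\n' "$DOMAIN"
  cat <<'EOF'
set -eu

# Port 80 is opened only for the duration of the challenge; the trap makes
# sure it is closed again even if acme.sh fails.
close_http() {
  uci set firewall.http.enabled=0
  uci commit firewall
  /etc/init.d/firewall reload
}
trap close_http EXIT

uci set firewall.http.enabled=1
uci commit firewall
/etc/init.d/firewall reload
/root/.acme.sh/acme.sh --cron --home /root/.acme.sh

cp "/root/.acme.sh/$DOMAIN/$DOMAIN.key" /etc/uhttpd.key
cp "/root/.acme.sh/$DOMAIN/$DOMAIN.cer" /etc/uhttpd.crt
chmod 600 /etc/uhttpd.key
/etc/init.d/uhttpd restart
# The ipsec.d entries are symlinks into /root/.acme.sh. rereadall makes
# charon re-read ipsec.secrets and the certificate directories; reload then
# re-adds the connections. Both are run because reload alone may keep the
# previously loaded key in memory.
ipsec rereadall
ipsec reload
EOF
} > /etc/cert-update-script.sh
chmod 700 /etc/cert-update-script.sh
printf '\n\n END SCRIPT \n\n'
exit 0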
*******************************************************************
Add the following line with `crontab -e`, and make sure cron is actually running on the router (`/etc/init.d/cron enable && /etc/init.d/cron start`), otherwise the certificate is never renewed. Note that /var/log is in RAM on LEDE, so the log is lost on reboot:
========================
###################################################################
#minute (0-59), #
#| hour (0-23), #
#| | day of the month (1-31), #
#| | | month of the year (1-12), #
#| | | | day of the week (0-6 with 0=Sunday)#
#| | | | | commands #
###################################################################
57 0 * * * sh /etc/cert-update-script.sh >> /var/log/cert-update-script.log