diff --git a/001_ssh.sh b/001_ssh.sh
index a639ee2..d6bafa8 100755
--- a/001_ssh.sh
+++ b/001_ssh.sh
@@ -1,7 +1,8 @@
 #!/usr/bin/env bash
 sudo sed -i 's,^\(PasswordAuthentication \).*,\1'yes',' /etc/ssh/sshd_config
-sudo etc/init.d/ssh restart
+sudo /etc/init.d/ssh restart
+mkdir -p ~/.ssh
 bash -c "cat > ~/.ssh/config" <<'EOF'
 Host *
 Protocol 2
diff --git a/020_openwrt-tor.sh b/020_openwrt-tor.sh
new file mode 100644
index 0000000..ec0f561
--- /dev/null
+++ b/020_openwrt-tor.sh
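Review bot: The added `mkdir -p ~/.ssh` creates the directory with whatever umask the caller has, rather than the conventional private mode; `mkdir -p -m 700 ~/.ssh` makes that explicit and does not depend on the environment the script is run from. The `bash -c "cat > ~/.ssh/config"` heredoc on the next line likewise creates the config file with the default mode, so a `chmod 600 ~/.ssh/config` after its `EOF` would be consistent; that heredoc continues past this hunk. The `sed` context line switches `PasswordAuthentication` to `yes`, which is the opposite of what a script that then provisions `~/.ssh/config` usually wants, so a comment stating why password logins are being enabled would help the next reader.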
@@ -0,0 +1,181 @@
+opkg update
+opkg install tor tor-geoip tor-hs
+
+# Configuring tor
+cat </dev/null
+RunAsDaemon 1
+AllowUnverifiedNodes middle,rendezvous
+Log notice syslog
+## Only run as a client, never a relay or exit
+ClientOnly
+PidFile /var/run/tor.pid
+DataDirectory /var/lib/tor
+User tor
+SocksPort 9050
+SocksPort 192.168.1.1:9050
+AutomapHostsSuffixes .onion,.exit
+AutomapHostsOnResolve 1
+VirtualAddrNetworkIPv4 10.192.0.0/10
+TransPort 192.168.1.1:9040
+DNSPort 192.168.1.1:9053
+ControlPort 9051
+EOF
+
+# Configuring firewall
+cat </dev/null
+config zone 'tor'
+ option name 'tor'
+ option network 'lan'
+ option input 'REJECT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+ option conntrack '1'
+
+config rule
+ option name 'Allow-Tor-DHCP'
+ option src 'tor'
+ option proto 'udp'
+ option dest_port '67'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+config rule
+ option name 'Allow-Tor-DNS'
+ option src 'tor'
+ option proto 'udp'
+ option dest_port '9053'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+config rule
+ option name 'Allow-Tor-Transparent'
+ option src 'tor'
+ option proto 'tcp'
+ option dest_port '9040'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+config rule
+ option name 'Allow-Tor-SOCKS'
+ option src 'tor'
+ option proto 'tcp'
+ option dest_port '9050'
+ option target 'ACCEPT'
+ option family 'ipv4'
+EOF
+
+
+cat </dev/null
+enable_transparent_tor() {
+
+ ifname=br-lan
+
+ # Allow direct access to the Tor daemon
+ iptables -t nat -A PREROUTING -i $ifname -p tcp --dport 9050 -j ACCEPT
+
+ # provide transparent routing for TCP and DNS
+ iptables -t nat -A PREROUTING -i $ifname -p udp --dport 53 -j REDIRECT --to-ports 9053
+ iptables -t nat -A PREROUTING -i $ifname -p tcp --syn -j REDIRECT --to-ports 9040
+}
+
+enable_transparent_tor
+EOF
+
+lan_ip=$(uci get network.lan.ipaddr)
+[ -n "$lan_ip" ] && sed -i "s/192.168\..*\..*:/$lan_ip:/g" /etc/tor/torrc
+
+
+# Configuring tor hidden service
+# SSH
+cat </dev/null
+
+config hidden-service
+ option Name 'sshd'
+ option Description "Hidden service for ssh"
+ option Enabled 'false'
+ option IPv4 '127.0.0.1'
+ #public port=2222, local port=22
+ list PublicLocalPort '2222;22'
+
+EOF
+
+# COMMON
+cat </dev/null
+config tor-hs common
+ option GenConf "/etc/tor/torrc_hs"
+ option HSDir "/etc/tor/hidden_service"
+ option RestartTor "true"
+ option UpdateTorConf "true"
+EOF
+
+/etc/init.d/tor-hs enable
+/etc/init.d/tor-hs start
+
+/etc/init.d/tor restart
+/etc/init.d/rpcd restart
+
+ubus call tor_rpcd.sh list-hs '{}'
+
+
+ Secure access with client authorization.
+
+# Install packages
+opkg update
+opkg install openssl-util coreutils-base32
+
+# Enable Tor onion service
+cat << EOF >> /etc/tor/custom
+HiddenServiceDir /etc/tor/hidden_service
+HiddenServicePort 22 127.0.0.1:22
+EOF
+umask go=
+mkdir -p /etc/tor/hidden_service
+chown -R tor:tor /etc/tor/hidden_service
+/etc/init.d/tor restart
+
+# Enable client authorization
+openssl genpkey -algorithm x25519 -out /etc/tor/hidden_service.pem
+
+TOR_KEY="$(openssl pkey \
+-in /etc/tor/hidden_service.pem -outform der \
+| tail -c 32 \
+| base32 \
+| sed -e "s/=//g")"
+
+TOR_PUB="$(openssl pkey \
+-in /etc/tor/hidden_service.pem -outform der -pubout \
+| tail -c 32 \
+| base32 \
+| sed -e "s/=//g")"
+
+TOR_HOST="$(cat /etc/tor/hidden_service/hostname)"
+cat << EOF > client.auth_private
+${TOR_HOST%.onion}:descriptor:x25519:${TOR_KEY}
+EOF
+
+cat << EOF > /etc/tor/hidden_service/authorized_clients/client.auth
+descriptor:x25519:${TOR_PUB}
+EOF
+
+chown -R tor:tor /etc/tor/hidden_service
+/etc/init.d/tor restart
+
+# Fetch onion service hostname
+echo ${TOR_HOST}
+
+
+## Configure client authorization
+#cat << EOF >> /etc/tor/custom
+#ClientOnionAuthDir /etc/tor/onion_auth
+#EOF
+#umask go=
+#mkdir -p /etc/tor/onion_auth
+#TOR_AUTH="$(cat client.auth_private)"
+#cat << EOF > /etc/tor/onion_auth/client.auth_private
+#${TOR_AUTH}
+#EOF
+#chown -R tor:tor /etc/tor/onion_auth
+#/etc/init.d/tor restart
+
+# Access onion service with:
+# ssh ${TOR_AUTH%%:*}.onion
diff --git a/020_wireguard.sh b/020_wireguard.sh
index 7a90493..6a801fc 100755
--- a/020_wireguard.sh
+++ b/020_wireguard.sh
@@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 apt update
-apt install -y wireguard-dkms wireguard-tools
+apt install -y wireguard-tools
+#apt install -y wireguard-dkms
 LISTENPORT=51820
diff --git a/maemo_eMMC_paths.sh b/maemo_eMMC_paths.sh
new file mode 100644
index 0000000..8d9efa9
--- /dev/null
+++ b/maemo_eMMC_paths.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Modify the image to use eMMC paths
+IMAGE=${1:maemo-leste-*-arm64-pinephone-*.img}
+SDCARD=/dev/mmcblk0
+EMMC=/dev/mmcblk2
+
+fdisk -u -l maemo-leste-*-arm64-pinephone-*.img.xz
+
+sudo mount -o loop,offset= ${IMAGE} /mnt
+
+
+cd /mnt
+
+sed -i /${SDCARD}/${EMMC}/g boot.scr
+
+sudo mkimage -A arm -O linux -T script -C none -a 0 -e 0 -d boot.txt boot.scr
+
+cd / && umount /mnt
+
+
+sudo mount -o loop,offset= ${IMAGE} /mnt
+
+cd /mnt
+
+sed -i /${SDCARD}/${EMMC}/g etc/fstab
+
+cd / && umount /mnt
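Review bot: The torrc heredoc sets `ControlPort 9051` with no `CookieAuthentication 1` or `HashedControlPassword` line beside it, and Tor then accepts unauthenticated control connections from any local process on the router (it logs a warning to that effect); add `CookieAuthentication 1` after `ControlPort 9051`, or drop the ControlPort if tor-hs does not actually need it. The line ` Secure access with client authorization.` between `ubus call tor_rpcd.sh list-hs '{}'` and `# Install packages` is not commented out, so as shown it would run a command named `Secure` and fail — it looks like a heading that lost its `#`. `client.auth_private`, which holds the x25519 private half, is written to whatever the current directory happens to be and never moved or removed, while the `ClientOnionAuthDir` block that would consume it is commented out; writing it to a fixed path under `/etc/tor`, where the earlier `umask go=` already applies, would be easier to audit. Several heredoc openers appear here as `cat </dev/null`, which looks like extraction damage rather than the committed text, so those lines are not reviewed. The file also has no shebang and no `set -e`, unlike the other scripts touched by this commit.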
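Review bot: The commented-out `#apt install -y wireguard-dkms` carries no explanation, so a reader cannot tell whether dkms was dropped because the target kernel ships the in-tree module or because the build failed; a short comment above it such as `# wireguard-dkms is only needed on kernels older than 5.6; newer kernels ship the module in-tree` would record the reason.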
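Review bot: `IMAGE=${1:maemo-leste-*-arm64-pinephone-*.img}` is not the default-value form: `${1:word}` is substring expansion, so bash tries to evaluate the glob text as an arithmetic offset and aborts with a syntax error; the intended line is `IMAGE=${1:-maemo-leste-*-arm64-pinephone-*.img}` (and a glob default that matches more than one image will hand `mount` extra arguments, so it should probably be quoted or resolved first). Both `sed -i /${SDCARD}/${EMMC}/g …` lines lack the `s` command and use `/` as the delimiter while both variables contain slashes, so sed rejects them; `sed -i "s|${SDCARD}|${EMMC}|g" boot.txt` and `sed -i "s|${SDCARD}|${EMMC}|g" etc/fstab` are the working forms, and the first should edit `boot.txt`, which the following `mkimage -d boot.txt boot.scr` then wraps, since `boot.scr` is the generated image. `offset=` is passed empty to both `mount` calls and the `fdisk -u -l` line reads the `.xz` archive rather than `${IMAGE}`, so the offset is never fed back into the script; with `set -euo pipefail` at the top the unchecked `cd /mnt` and the `umount` calls (run without the `sudo` the mounts used) would stop the script at the first failure instead of carrying on.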