Commit before push.

2022-07-13 18:35:37 +01:00 · 2022-07-13 18:35:37 +01:00 · 9a1a1f100a
parent a811abcc3e
commit 9a1a1f100a
4 changed files with 213 additions and 2 deletions
--- a/001_ssh.sh
+++ b/001_ssh.sh
@ -1,7 +1,8 @@
 #!/usr/bin/env bash
 sudo sed -i 's,^\(PasswordAuthentication \).*,\1'yes',' /etc/ssh/sshd_config
-sudo etc/init.d/ssh restart
+sudo /etc/init.d/ssh restart

+mkdir -p ~/.ssh
 bash -c "cat > ~/.ssh/config" <<'EOF'
 Host * 
 Protocol 2 
--- a/020_openwrt-tor.sh
+++ b/020_openwrt-tor.sh
@ -0,0 +1,181 @@
+opkg update
+opkg install tor tor-geoip tor-hs
+
+# Configuring tor
+cat <<EOF | tee -a /etc/tor/torrc >/dev/null
+RunAsDaemon 1
+AllowUnverifiedNodes middle,rendezvous
+Log notice syslog
+## Only run as a client, never a relay or exit
+ClientOnly
+PidFile /var/run/tor.pid
+DataDirectory /var/lib/tor
+User tor
+SocksPort 9050
+SocksPort 192.168.1.1:9050
+AutomapHostsSuffixes .onion,.exit
+AutomapHostsOnResolve 1
+VirtualAddrNetworkIPv4 10.192.0.0/10
+TransPort 192.168.1.1:9040
+DNSPort 192.168.1.1:9053
+ControlPort 9051
+EOF
+
+# Configuring firewall
+cat <<EOF | tee -a /etc/config/firewall >/dev/null
+config zone 'tor'
+    option name 'tor'
+    option network 'lan'
+    option input 'REJECT'
+    option output 'ACCEPT'
+    option forward 'REJECT'
+    option conntrack '1'
+	
+config rule
+    option name 'Allow-Tor-DHCP'
+    option src 'tor'
+    option proto 'udp'
+    option dest_port '67'
+    option target 'ACCEPT'
+    option family 'ipv4'
+
+config rule
+    option name 'Allow-Tor-DNS'
+    option src 'tor'
+    option proto 'udp'
+    option dest_port '9053'
+    option target 'ACCEPT'
+    option family 'ipv4'
+
+config rule
+    option name 'Allow-Tor-Transparent'
+    option src 'tor'
+    option proto 'tcp'
+    option dest_port '9040'
+    option target 'ACCEPT'
+    option family 'ipv4'
+
+config rule
+    option name 'Allow-Tor-SOCKS'
+    option src 'tor'
+    option proto 'tcp'
+    option dest_port '9050'
+    option target 'ACCEPT'
+    option family 'ipv4'
+EOF
+
+
+cat <<EOF | tee -a /etc/firewall.user >/dev/null
+enable_transparent_tor() {
+
+	ifname=br-lan
+
+	# Allow direct access to the Tor daemon
+	iptables -t nat -A PREROUTING -i $ifname -p tcp --dport 9050 -j ACCEPT
+
+	# provide transparent routing for TCP and DNS
+	iptables -t nat -A PREROUTING -i $ifname -p udp --dport 53 -j REDIRECT --to-ports 9053
+	iptables -t nat -A PREROUTING -i $ifname -p tcp --syn -j REDIRECT --to-ports 9040
+}
+
+enable_transparent_tor
+EOF
+
+lan_ip=$(uci get network.lan.ipaddr)
+[ -n "$lan_ip" ] && sed -i "s/192.168\..*\..*:/$lan_ip:/g" /etc/tor/torrc
+
+
+# Configuring tor hidden service
+# SSH
+cat <<EOF | tee -a /etc/config/tor-hs >/dev/null
+
+config hidden-service
+	option Name 'sshd'
+	option Description "Hidden service for ssh"
+	option Enabled 'false'
+	option IPv4 '127.0.0.1'
+	#public port=2222, local port=22
+	list PublicLocalPort '2222;22'
+
+EOF
+
+# COMMON
+cat <<EOF | tee -a /etc/config/tor-hs >/dev/null
+config tor-hs common
+	option GenConf "/etc/tor/torrc_hs"
+	option HSDir "/etc/tor/hidden_service"
+	option RestartTor "true"
+	option UpdateTorConf "true"
+EOF
+
+/etc/init.d/tor-hs enable
+/etc/init.d/tor-hs start
+
+/etc/init.d/tor restart
+/etc/init.d/rpcd restart
+
+ubus call tor_rpcd.sh list-hs '{}'
+
+
+ Secure access with client authorization.
+
+# Install packages
+opkg update
+opkg install openssl-util coreutils-base32
+ 
+# Enable Tor onion service
+cat << EOF >> /etc/tor/custom
+HiddenServiceDir /etc/tor/hidden_service
+HiddenServicePort 22 127.0.0.1:22
+EOF
+umask go=
+mkdir -p /etc/tor/hidden_service
+chown -R tor:tor /etc/tor/hidden_service
+/etc/init.d/tor restart
+ 
+# Enable client authorization
+openssl genpkey -algorithm x25519 -out /etc/tor/hidden_service.pem
+
+TOR_KEY="$(openssl pkey \
+-in /etc/tor/hidden_service.pem -outform der \
+| tail -c 32 \
+| base32 \
+| sed -e "s/=//g")"
+
+TOR_PUB="$(openssl pkey \
+-in /etc/tor/hidden_service.pem -outform der -pubout \
+| tail -c 32 \
+| base32 \
+| sed -e "s/=//g")"
+
+TOR_HOST="$(cat /etc/tor/hidden_service/hostname)"
+cat << EOF > client.auth_private
+${TOR_HOST%.onion}:descriptor:x25519:${TOR_KEY}
+EOF
+
+cat << EOF > /etc/tor/hidden_service/authorized_clients/client.auth
+descriptor:x25519:${TOR_PUB}
+EOF
+
+chown -R tor:tor /etc/tor/hidden_service
+/etc/init.d/tor restart
+ 
+# Fetch onion service hostname
+echo ${TOR_HOST}
+
+
+## Configure client authorization
+#cat << EOF >> /etc/tor/custom
+#ClientOnionAuthDir /etc/tor/onion_auth
+#EOF
+#umask go=
+#mkdir -p /etc/tor/onion_auth
+#TOR_AUTH="$(cat client.auth_private)"
+#cat << EOF > /etc/tor/onion_auth/client.auth_private
+#${TOR_AUTH}
+#EOF
+#chown -R tor:tor /etc/tor/onion_auth
+#/etc/init.d/tor restart
+ 
+# Access onion service with:
+# ssh ${TOR_AUTH%%:*}.onion
--- a/020_wireguard.sh
+++ b/020_wireguard.sh
@ -1,6 +1,7 @@
 #!/usr/bin/env bash
 apt update
-apt install -y wireguard-dkms wireguard-tools
+apt install -y wireguard-tools
+#apt install -y wireguard-dkms


 LISTENPORT=51820
--- a/maemo_eMMC_paths.sh
+++ b/maemo_eMMC_paths.sh
@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Modify the image to use eMMC paths
+IMAGE=${1:maemo-leste-*-arm64-pinephone-*.img}
+SDCARD=/dev/mmcblk0
+EMMC=/dev/mmcblk2
+
+fdisk -u -l maemo-leste-*-arm64-pinephone-*.img.xz
+
+sudo mount -o loop,offset=<Partition 1 offset> ${IMAGE} /mnt
+
+
+cd /mnt
+
+sed -i /${SDCARD}/${EMMC}/g boot.scr
+
+sudo mkimage -A arm -O linux -T script -C none -a 0 -e 0 -d boot.txt boot.scr
+
+cd / && umount /mnt
+
+
+sudo mount -o loop,offset=<Partition 2 offset> ${IMAGE} /mnt
+
+cd /mnt
+
+sed -i /${SDCARD}/${EMMC}/g etc/fstab
+
+cd / && umount /mnt