diff --git a/image-extras/common/root/autoprovision-stage2.sh b/image-extras/common/root/autoprovision-stage2.sh index c127e07..a7e0a9c 100755 --- a/image-extras/common/root/autoprovision-stage2.sh +++ b/image-extras/common/root/autoprovision-stage2.sh @@ -33,7 +33,7 @@ installPackages() # CUSTOMIZE # install some more packages that don't need any extra steps #opkg install lua luci ppp-mod-pppoe screen mc unzip logrotate - opkg install logrotate curl sing-box dnscrypt-proxy2 + opkg install logrotate curl sing-box dnscrypt-proxy2 dnsmasqfull() { if opkg list-installed | grep -q dnsmasq-full; then diff --git a/image-extras/tplink_archer-c7-v5/etc/uci-defaults/99defaults b/image-extras/tplink_archer-c7-v5/etc/uci-defaults/99defaults deleted file mode 100644 index 1237e73..0000000 --- a/image-extras/tplink_archer-c7-v5/etc/uci-defaults/99defaults +++ /dev/null 
@@ -1,116 +0,0 @@
-# Beware! This script will be in /rom/etc/uci-defaults/ as part of the image.
-# Uncomment lines to apply:
-wlan_name="office"
-wlan_password="fuckingwep"
-root_password="AsD7fg"
-lan_ip_address="192.168.77.4"
-hostname="gw-elmash"
-# dhcp server 1 disable, 0 enable
-dhcpsrv="1"
-
-# log potential errors
-exec >/tmp/setup.log 2>&1
-
-if [ -n "$root_password" ]; then
- (echo "$root_password"; sleep 1; echo "$root_password") | passwd > /dev/null
-fi
-
-# Configure LAN
-# More options: https://openwrt.org/docs/guide-user/base-system/basic-networking
-if [ -n "$lan_ip_address" ]; then
- uci set network.lan.ipaddr="$lan_ip_address"
- uci commit network
-fi
-
-# Configure WLAN
-# More options: https://openwrt.org/docs/guide-user/network/wifi/basic#wi-fi_interfaces
-if [ -n "$wlan_name" -a -n "$wlan_password" -a ${#wlan_password} -ge 8 ]; then
- uci set wireless.@wifi-device[0].disabled='0'
- uci set wireless.@wifi-device[0].channel='11'
- uci set wireless.@wifi-device[0].txpower='15'
- uci set wireless.@wifi-device[0].disabled='0'
- uci set wireless.@wifi-device[0].country='RU'
- uci set wireless.@wifi-iface[0].mode='ap'
- uci set wireless.@wifi-iface[0].encryption='psk2'
- uci set wireless.@wifi-iface[0].ssid="$wlan_name"
- uci set wireless.@wifi-iface[0].key="$wlan_password"
- #uci set wireless.@wifi-iface[0].macfilter='allow'
- #uci add_list wireless.@wifi-iface[0].maclist=''
- uci commit wireless
-fi
-
-# Configure system
-uci set system.@system[0].hostname="$hostname"
-uci set system.@system[0].timezone='<+05>-5'
-uci set system.ntp.enable_server='1'
-uci set system.ntp.interface='lan'
-uci set system.@system[0].zonename='Asia/Yekaterinburg'
-commit system
-/etc/init.d/system restart
-
-# Configure ssh dropbear
-USER_NAME="admin"
-USER_SSHPUB="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDSZsnOKXMTO7GTdrDUzuemE2h+SAIwMBbsrLVtx/CFoYidtT5qQ4ukAJG5JvRIkmZUl0t2C69z0nEEZXInTycsqQW7IlYpiy9yTlImd9QmyckZcHptTtEzyNdcCDOXOcW2Q0YEykpOoccTCkk2PHa3Xufel67jTwXfaqAVzaN5fXy6uO2I1ab5HHwCFX8zTuagBXKSYDMlHxrz9friu8ipuiPsEgl5n1LOvasypnZkpjhb5XnJi7tyRHfbzx+X+DIZc/ZW21BPtcExSXn+mmVhTD0vQh9MGG/hnfdvCXGPSKGGHMPiZEL9vzN3PvBYVchp/8DDSKtRZtJnBpNhdtl+8LjGsOgDPN51otOxcDtIQgOiMGbgX6fzMB7EN642b3f8tlFp3aVswtH3isBz6AgeVO+qqI/nW6Io7mayNXrDXVIULh0Ol4TKTZ61KGLCUhX/ZL9ifXdXWlTVeXzidaxIZ7BGF5SaTRlHJhRfqVc8fZI9BBaPFFSqxBYzybYkGzU= jeka@x220"
-USER_SHELL="/bin/ash"
-SUDO_USER="root"
-SUDO_GROUP="sudo"
-groupadd -r "${SUDO_GROUP}"
-useradd -m -G "${SUDO_GROUP}" -s "${USER_SHELL}" "${USER_NAME}"
-passwd -l "${SUDO_USER}"
-cat << EOI > /etc/sudoers.d/00-custom
-%${SUDO_GROUP} ALL=(ALL) ALL
-EOI
-USER_HOME="$(eval echo ~"${USER_NAME}")"
-mkdir -p "${USER_HOME}"/.ssh
-cat << EOI > "${USER_HOME}"/.ssh/authorized_keys
-${USER_SSHPUB}
-EOI
-uci set dropbear.@dropbear[0].PasswordAuth="1"
-uci set dropbear.@dropbear[0].RootPasswordAuth="1"
-uci set dropbear.@dropbear[0].GatewayPorts='on'
-uci commit dropbear
-/etc/init.d/dropbear restart
-
-# Configure uhttpd
-uci set uhttpd.main.listen_http='0.0.0.0:8080'
-uci set uhttpd.main.listen_https='0.0.0.0:4431'
-commit uhttpd
-/etc/init.d/uhttpd restart
-
-# DHCP server on/off
-uci set dhcp.lan.ignore="$dhcpsrv"
-uci add host
-uci set dhcp.@host[-1].name='jeka-office'
-uci set dhcp.@host[-1].mac='4c:cc:6a:01:5d:30'
-uci set dhcp.@host[-1].ip='192.168.77.35'
-uci add host
-uci set dhcp.@host[-1].name='fs1370dn'
-uci set dhcp.@host[-1].mac='00:C0:EE:9E:01:55'
-uci set dhcp.@host[-1].ip='192.168.77.33'
-uci add host
-uci set dhcp.@host[-1].name='kyoceraigor'
-uci set dhcp.@host[-1].mac='00:17:C8:21:A7:F2'
-uci set dhcp.@host[-1].ip='192.168.77.30'
-uci add host
-uci set dhcp.@host[-1].name='kyocerascanner'
-uci set dhcp.@host[-1].mac='00:C0:EE:BB:85:2C'
-uci set dhcp.@host[-1].ip='192.168.77.31'
-uci add host
-uci set dhcp.@host[-1].name='natasha-office'
-uci set dhcp.@host[-1].mac='50:46:5D:09:D0:69'
-uci set dhcp.@host[-1].ip='192.168.77.36'
-uci add host
-uci set dhcp.@host[-1].name='klipper'
-uci set dhcp.@host[-1].mac='B8:27:EB:B9:82:6D'
-uci set dhcp.@host[-1].ip='192.168.77.44'
-uci commit dhcp
-/etc/init.d/dnsmasq restart
-
-# Configure network
-/etc/init.d/network restart
-
-# Configure firewall
-/etc/init.d/firewall restart
-
-echo "All done!"
-
diff --git a/image-extras/tplink_archer-c7-v5/usr/bin/getdomains-check.sh b/image-extras/tplink_archer-c7-v5/usr/bin/getdomains-check.sh
deleted file mode 100644
index 2d4dc02..0000000
--- a/image-extras/tplink_archer-c7-v5/usr/bin/getdomains-check.sh
+++ /dev/null
@@ -1,496 +0,0 @@ -#!/bin/sh - -HIRKN=/etc/init.d/hirkn -GETDOMAINS=/etc/init.d/getdomains -DUMP=/tmp/dump.txt - -checkpoint_true() { - printf "\033[32;1m[\342\234\223] $1\033[0m\n" -} - -checkpoint_false() { - printf "\033[31;1m[x] $1\033[0m\n" -} - -output_21() { - if [ "$VERSION_ID" -eq 21 ]; then - echo "You are using OpenWrt 21.02. This check does not support it" - fi -} - -# System Details -MODEL=$(grep machine /proc/cpuinfo | cut -d ':' -f 2) -RELEASE=$(grep OPENWRT_RELEASE /etc/os-release | awk -F '"' '{print $2}') -printf "\033[34;1mModel:$MODEL\033[0m\n" -printf "\033[34;1mVersion: $RELEASE\033[0m\n" - -VERSION_ID=$(grep VERSION_ID /etc/os-release | awk -F '"' '{print $2}' | awk -F. '{print $1}') -RAM=$(free -m | grep Mem: | awk '{print $2}') -if [[ "$VERSION_ID" -ge 22 && "$RAM" -lt 150000 ]] -then - echo "Your router has less than 256MB of RAM. I recommend using only the vpn_domains list" -fi - -# Check packages -CURL=$(opkg list-installed | grep -c curl) -if [ $CURL -eq 2 ]; then - checkpoint_true "Curl package" -else - checkpoint_false "Curl package" - echo "Install: opkg install curl" -fi - -DNSMASQ=$(opkg list-installed | grep dnsmasq-full | awk -F "-" '{print $3}' | tr -d '.' ) -if [ $DNSMASQ -ge 287 ]; then - checkpoint_true "Dnsmasq-full package" -else - checkpoint_false "Dnsmasq-full package" - echo "If you don't use vpn_domains set, it's OK" - echo "Check version: opkg list-installed | grep dnsmasq-full" - echo "Required version >= 2.87. For openwrt 22.03 follow manual: https://t.me/itdoginfo/12" - if [ "$VERSION_ID" -eq 21 ]; then - echo "You are using OpenWrt 21.02. This check does not support it" - echo "Manual for openwrt 21.02: https://t.me/itdoginfo/8" - fi -fi - -# Chek xray package -if opkg list-installed | grep -q xray-core; then - checkpoint_false "Xray-core package detected" -fi - -if opkg list-installed | grep -q luci-app-xray; then - checkpoint_false "luci-app-xray package detected. Not compatible. 
For delete: opkg remove luci-app-xray --force-removal-of-dependent-packages" -fi - -# Check dnsmasq -DNSMASQ_RUN=$(service dnsmasq status | grep -c 'running') -if [ $DNSMASQ_RUN -eq 1 ]; then - checkpoint_true "Dnsmasq service" -else - checkpoint_false "Dnsmasq service" - echo "Check config /etc/config/dhcp" - output_21 -fi - - -# Check internet connection -if curl -Is https://community.antifilter.download/ | grep -q 200; then - checkpoint_true "Check Internet" - else - checkpoint_false "Check Internet" - if [ $CURL -lt 2 ]; then - echo "Install curl: opkg install curl" - else - echo "Check internet connection. If ok, check date on router. Details: https://cli.co/2EaW4rO" - echo "For more info run: curl -Is https://community.antifilter.download/" - fi -fi - -# Check IPv6 - -if curl -6 -s https://ifconfig.io | egrep -q "(::)?[0-9a-fA-F]{1,4}(::?[0-9a-fA-F]{1,4}){1,7}(::)?"; then - checkpoint_false "IPv6 detected. This script does not currently work with IPv6" -fi - -# Tunnels -WIREGUARD=$(opkg list-installed | grep -c wireguard-tools ) -if [ $WIREGUARD -eq 1 ]; then - checkpoint_true "Wireguard-tools package" - WG=true -else - checkpoint_false "Wireguard-tools package" - echo "If you don't use WG it's OK" -fi - -if [ "$WG" == true ]; then - WG_PING=$(ping -c 1 -q -I wg0 itdog.info | grep -c "1 packets received") - if [ $WG_PING -eq 1 ]; then - checkpoint_true "Wireguard" - else - checkpoint_false "Wireguard" - WG_TRACE=$(traceroute -i wg0 itdog.info -m 1 | grep ms | awk '{print $2}' | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') - if [ $WG_TRACE -eq 1 ]; then - echo "Tunnel to wg server is work, but routing to internet doesn't work. Check server configuration. Details: https://cli.co/RSCvOxI" - else - echo "Bad news: WG tunnel isn't work, check your WG configuration. 
Details: https://cli.co/hGUUXDs" - echo "If you don't use WG, but OpenVPN for example, it's OK" - fi - fi - - # Check WG route_allowed_ips - if uci show network | grep -q ".route_allowed_ips='1'"; then - checkpoint_false "Wireguard route_allowed_ips" - echo "All traffic goes into the tunnel. Read more at: https://cli.co/SaxBzH7" - else - checkpoint_true "Wireguard route_allowed_ips" - fi - - # Check route table - ROUTE_TABLE=$(ip route show table vpn | grep -c "default dev wg0 scope link" ) - if [ $ROUTE_TABLE -eq 1 ]; then - checkpoint_true "Route table WG" - else - checkpoint_false "Route table VPN" - echo "Details: https://cli.co/Atxr6U3" - fi -fi - -if opkg list-installed | grep -q openvpn; then - checkpoint_true "OpenVPN package" - OVPN=true -else - checkpoint_false "OpenVPN package" - echo "If you don't use OpenVPN it's OK" -fi - -# Check OpenVPN -if [ "$OVPN" == true ]; then - if ping -c 1 -q -I tun0 itdog.info | grep -q "1 packets received"; then - checkpoint_true "OpenVPN" - else - checkpoint_false "OpenVPN" - if traceroute -i tun0 itdog.info -m 1 | grep ms | awk '{print $2}' | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'; then - echo "Tunnel to OpenVPN server is work, but routing to internet doesn't work. Check server configuration." - else - echo "Bad news: OpenVPN tunnel isn't work, check your OpenVPN configuration." - fi - fi - - # Check OpenVPN redirect-gateway - if grep -q redirect-gateway /etc/openvpn/*; then - checkpoint_false "OpenVPN redirect-gateway" - echo "All traffic goes into the tunnel. 
Read more at: https://cli.co/vzTNq_3" - else - checkpoint_true "OpenVPN redirect-gateway" - fi - - # Check route table - if ip route show table vpn | grep -q "default dev tun0 scope link"; then - checkpoint_true "Route table OpenVPN" - else - checkpoint_false "Route table OpenVPN" - echo "Details: https://cli.co/Atxr6U3" - fi -fi - -if opkg list-installed | grep -q sing-box; then - checkpoint_true "Sing-box package" - - # Check route table - if ip route show table vpn | grep -q "default dev tun0 scope link"; then - checkpoint_true "Route table Sing-box" - else - checkpoint_false "Route table Sing-box. Try service network restart. Details: https://cli.co/n7xAbc1" - fi - - IP_EXTERNAL=$(curl -s ifconfig.me) - IFCONFIG=$(nslookup -type=a ifconfig.me | awk '/^Address: / {print $2}') - - ip route add $IFCONFIG via 172.19.0.1 dev tun0 - IP_VPN=$(curl -s ifconfig.me) - ip route del $IFCONFIG via 172.19.0.1 dev tun0 - - if [ "$IP_EXTERNAL" != $IP_VPN ]; then - checkpoint_true "Sing-box. VPN IP: $IP_VPN" - else - checkpoint_false "Sing-box. Check config: https://cli.co/Badmn3K" - fi -else - checkpoint_false "Sing-box package" - echo "If you don't use sing-box it's OK" -fi - -if which tun2socks | grep -q tun2socks; then - checkpoint_true "tun2socks package" - - # Check route table - if ip route show table vpn | grep -q "default dev tun0 scope link"; then - checkpoint_true "Route table tun2socks" - else - checkpoint_false "Route table tun2socks. Try service network restart. Details: https://cli.co/n7xAbc1" - fi - - IP_EXTERNAL=$(curl -s ifconfig.me) - IFCONFIG=$(nslookup -type=a ifconfig.me | awk '/^Address: / {print $2}') - - ip route add $IFCONFIG via 172.16.250.1 dev tun0 - IP_VPN=$(curl -s ifconfig.me) - ip route del $IFCONFIG via 172.16.250.1 dev tun0 - - if [ "$IP_EXTERNAL" != $IP_VPN ]; then - checkpoint_true "tun2socks. VPN IP: $IP_VPN" - else - checkpoint_false "tun2socks. 
Check config: https://cli.co/VNZISEM" - fi -else - checkpoint_false "tun2socks package" - echo "If you don't use tun2socks it's OK" -fi - -# Check sets - -# vpn_domains set -vpn_domain_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_domains' | awk -F '[][{}]' '{print $2}' | head -n 1) -vpn_domain_ipset_string=$(uci show firewall.@ipset[$vpn_domain_ipset_id] | grep -c "name='vpn_domains'\|match='dst_net'") -vpn_domain_rule_id=$(uci show firewall | grep -E '@rule.*vpn_domains' | awk -F '[][{}]' '{print $2}' | head -n 1) -vpn_domain_rule_string=$(uci show firewall.@rule[$vpn_domain_rule_id] | grep -c "name='mark_domains'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_domains'\|set_mark='0x1'\|target='MARK'\|family='ipv4'") - -if [ $((vpn_domain_ipset_string + vpn_domain_rule_string)) -eq 10 ]; then - checkpoint_true "vpn_domains set" - - # force resolve for vpn_domains. All list - nslookup terraform.io 127.0.0.1 > /dev/null - nslookup pochta.ru 127.0.0.1 > /dev/null - nslookup 2gis.ru 127.0.0.1 > /dev/null - - VPN_DOMAINS_IP=$(nft list ruleset | grep -A 10 vpn_domains | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') - if [ $VPN_DOMAINS_IP -ge 1 ]; then - checkpoint_true "IPs in vpn_domains" - else - checkpoint_false "IPs in vpn_domains" - echo "If you don't use vpn_domains, it's OK" - echo "But if you want use, check configs" - output_21 - fi -else - checkpoint_false "vpn_domains set" - echo "If you don't use vpn_domains set, it's OK" - echo "But if you want use, check config: https://cli.co/AwUGeM6" -fi - -# vpn_ip set -vpn_ip_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_ip' | awk -F '[][{}]' '{print $2}' | head -n 1) -vpn_ip_ipset_string=$(uci show firewall.@ipset[$vpn_ip_ipset_id] | grep -c "name='vpn_ip'\|match='dst_net'\|loadfile='/tmp/lst/ip.lst'") -vpn_ip_rule_id=$(uci show firewall | grep -E '@rule.*vpn_ip' | awk -F '[][{}]' '{print $2}' | head -n 1) -vpn_ip_rule_string=$(uci show firewall.@rule[$vpn_ip_rule_id] | grep -c 
"name='mark_ip'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_ip'\|set_mark='0x1'\|target='MARK'\|family='ipv4'") - -if [ $((vpn_ip_ipset_string + vpn_ip_rule_string)) -eq 11 ]; then - checkpoint_true "vpn_ip set" - VPN_IP_IP=$(nft list ruleset | grep -A 10 vpn_ip | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') - if [ $VPN_IP_IP -ge 1 ]; then - checkpoint_true "IPs in vpn_ip" - else - checkpoint_false "IPs in vpn_ip" - echo "But if you want use, check configs" - output_21 - fi -else - checkpoint_false "vpn_ip set" - echo "If you don't use vpn_ip set, it's OK" - echo "But if you want use, check config: https://cli.co/AwUGeM6" -fi - -# vpn_subnet set -vpn_subnet_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_subnet' | awk -F '[][{}]' '{print $2}' | head -n 1) -vpn_subnet_ipset_string=$(uci show firewall.@ipset[$vpn_subnet_ipset_id] | grep -c "name='vpn_subnets'\|match='dst_net'\|loadfile='/tmp/lst/subnet.lst'") -vpn_subnet_rule_id=$(uci show firewall | grep -E '@rule.*vpn_subnet' | awk -F '[][{}]' '{print $2}' | head -n 1) -vpn_subnet_rule_string=$(uci show firewall.@rule[$vpn_subnet_rule_id] | grep -c "name='mark_subnet'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_subnets'\|set_mark='0x1'\|target='MARK'\|family='ipv4'") - -if [ $((vpn_subnet_ipset_string + vpn_subnet_rule_string)) -eq 11 ]; then - checkpoint_true "vpn_subnet set" - VPN_IP_SUBNET=$(nft list ruleset | grep -A 10 vpn_subnet | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') - if [ $VPN_IP_SUBNET -ge 1 ]; then - checkpoint_true "IPs in vpn_subnet" - else - checkpoint_false "IPs in vpn_subnet" - echo "But if you want use, check configs" - output_21 - fi -else - checkpoint_false "vpn_subnet set" - echo "If you don't use vpn_subnet set, it's OK" - echo "But if you want use, check config: https://cli.co/AwUGeM6" -fi - -# vpn_community set -vpn_community_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_community' | awk -F '[][{}]' '{print $2}' | head -n 1) 
-vpn_community_ipset_string=$(uci show firewall.@ipset[$vpn_community_ipset_id] | grep -c "name='vpn_community'\|match='dst_net'\|loadfile='/tmp/lst/community.lst'") -vpn_community_rule_id=$(uci show firewall | grep -E '@rule.*vpn_community' | awk -F '[][{}]' '{print $2}' | head -n 1) -vpn_community_rule_string=$(uci show firewall.@rule[$vpn_community_rule_id] | grep -c "name='mark_community'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_community'\|set_mark='0x1'\|target='MARK'\|family='ipv4'") - -if [ $((vpn_community_ipset_string + vpn_community_rule_string)) -eq 11 ]; then - checkpoint_true "vpn_community set" - VPN_COMMUNITY_IP=$(nft list ruleset | grep -A 10 vpn_community | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') - if [ $VPN_COMMUNITY_IP -ge 1 ]; then - checkpoint_true "IPs in vpn_community" - else - checkpoint_false "IPs in vpn_community" - echo "But if you want use, check configs" - output_21 - fi -else - checkpoint_false "vpn_community set" - echo "If you don't use vpn_community set, it's OK" - echo "But if you want use, check config: https://cli.co/AwUGeM6" - output_21 -fi - -# hirkn script -if [ -s "$HIRKN" ]; then - checkpoint_true "Script hirkn" - if crontab -l | grep -q $HIRKN; then - checkpoint_true "Script hirkn in crontab" - else - checkpoint_false "Script hirkn in crontab" - echo "Script is not enabled in crontab. Check: crontab -l" - fi -else - checkpoint_false "Script hirkn" - echo "Script don't exists in $HIRKN. If you don't use old hirkn script, it's OK" -fi - -# getdomains script -if [ -s "$GETDOMAINS" ]; then - checkpoint_true "Script getdomains" - if crontab -l | grep -q $GETDOMAINS; then - checkpoint_true "Script getdomains in crontab" - else - checkpoint_false "Script getdomains in crontab" - echo "Script is not enabled in crontab. Check: crontab -l" - fi -else - checkpoint_false "Script getdomains" - echo "Script don't exists in $GETDOMAINS. 
If you don't use getdomains, it's OK" -fi - -# DNS - -# DNSCrypt -if opkg list-installed | grep -q dnscrypt-proxy2; then - checkpoint_true "Dnscrypt-proxy2 package" - if service dnscrypt-proxy status | grep -q 'running'; then - checkpoint_true "DNSCrypt service" - else - checkpoint_false "DNSCrypt service" - echo "Check config: https://cli.co/wN-tc_S" - output_21 - fi - - DNSMASQ_STRING=$(uci show dhcp.@dnsmasq[0] | grep -c "127.0.0.53#53\|noresolv='1'") - if [ $DNSMASQ_STRING -eq 2 ]; then - checkpoint_true "Dnsmasq config for DNSCrypt" - else - checkpoint_false "Dnsmasq config for DNSCrypt" - echo "Check config: https://cli.co/rooc0uz" - fi -else - checkpoint_false "Dnscrypt-proxy2 package" - echo "If you don't use Dnscrypt, it's OK" -fi - -# Stubby -if opkg list-installed | grep -q stubby; then - checkpoint_true "Stubby package" - if service stubby status | grep -q 'running'; then - checkpoint_true "Stubby service" - else - checkpoint_false "Stubby service" - echo "Check config: https://cli.co/HbDBT2V" - output_21 - fi - - STUBBY_STRING=$(uci show dhcp.@dnsmasq[0] | grep -c "127.0.0.1#5453\|noresolv='1'") - if [ $STUBBY_STRING -eq 2 ]; then - checkpoint_true "Dnsmasq config for Stubby" - else - checkpoint_false "Dnsmasq config for Stubby" - echo "Check config: https://cli.co/HbDBT2V" - fi -else - checkpoint_false "Stubby package" - echo "If you don't use Stubby, it's OK" -fi - -# Create dump -if [[ "$1" == dump ]]; then - printf "\033[36;1mCreate dump without private variables\033[0m\n" - date > $DUMP - $HIRKN start >> $DUMP 2>&1 - $GETDOMAINS start >> $DUMP 2>&1 - uci show firewall >> $DUMP - uci show network | sed -r 's/(.*private_key=|.*preshared_key=|.*public_key=|.*endpoint_host=|.*wan.ipaddr=|.*wan.netmask=|.*wan.gateway=|.*wan.dns|.*.macaddr=).*/\1REMOVED/' >> $DUMP - - echo "Dump is here: $DUMP" - echo "For download Linux/Mac use:" - echo "scp root@IP_ROUTER:$DUMP ." 
- echo "For Windows use PSCP or WSL" -fi - -# Check DNS -if [[ "$1" == dns ]]; then - printf "\033[36;1mCheck DNS servers\033[0m\n" - DNS_SERVERS="1.1.1.1 8.8.8.8 8.8.4.4" - DOH_DNS_SERVERS="cloudflare-dns.com 1.1.1.1 mozilla.cloudflare-dns.com security.cloudflare-dns.com" - DOMAINS="instagram.com facebook.com" - - echo "1. Block DNS traffic (Port 53/udp is available)" - - for i in $DNS_SERVERS; - do - if nslookup -type=a -timeout=2 -retry=1 itdog.info $i | grep -q "timed out"; then - checkpoint_false "$i" - else - checkpoint_true "$i" - fi - done - - echo "2. DoH available" - - for i in $DOH_DNS_SERVERS; - do - if curl --connect-timeout 5 -s -H "accept: application/dns-json" "https://$i/dns-query?name=itdog.info&type=A" | awk -F"data\":\"" '/data":"/{print $2}' | grep -q -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'; then - checkpoint_true "$i" - else - checkpoint_false "$i" - fi - done - - echo "3. The response not contains an address from 127.0.0.0/8" - - for i in $DOMAINS; - do - if nslookup -type=a -timeout=2 -retry=1 $i | awk '/^Address: / {print $2}' | grep -q -E '127\.[0-9]{1,3}\.'; then - checkpoint_false "$i" - else - checkpoint_true "$i" - fi - done - - echo "4. One IP for two different domains" - - FIRSTIP=$(nslookup -type=a instagram.com | awk '/^Address: / {print $2}') - SECONDIP=$(nslookup -type=a facebook.com | awk '/^Address: / {print $2}') - - if [ "$FIRSTIP" = "$SECONDIP" ] ; then - checkpoint_false "IP addresses are the same" - else - checkpoint_true "Different IP addresses" - fi - - echo "5. The response is not blank" - - for i in $DOMAINS; - do - if nslookup -type=a -timeout=2 -retry=1 $i | awk '/^Address: / {print $2}' | grep -q -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'; then - checkpoint_true "$i" - else - checkpoint_false "$i" - fi - done - - echo "6. 
Сomparing response from unencrypted DNS and DoH (DNS poisoning)" - - DOHIP=$(curl -s -H "accept: application/dns-json" "https://1.1.1.1/dns-query?name=facebook.com&type=A" | awk -F"data\":\"" '/data":"/{print $2}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') - OPENIP=$(nslookup -type=a -timeout=2 facebook.com 1.1.1.1 | awk '/^Address: / {print $2}') - - if [ "$DOHIP" = "$OPENIP" ]; then - checkpoint_true "IPs match" - else - checkpoint_false "IPs not match" - fi -fi - -# Info -echo -e "\nTelegram channel: https://t.me/itdoginfo" -echo "Telegram chat: https://t.me/itdogchat" \ No newline at end of file diff --git a/image-extras/tplink_archer-c7-v5/usr/bin/getdomains-install.sh b/image-extras/tplink_archer-c7-v5/usr/bin/getdomains-install.sh deleted file mode 100644 index 2f8da95..0000000 --- a/image-extras/tplink_archer-c7-v5/usr/bin/getdomains-install.sh +++ /dev/null 
@@ -1,596 +0,0 @@ -#!/bin/sh - -#set -x - -check_repo() { - printf "\033[32;1mChecking OpenWrt repo availability...\033[0m\n" - opkg update | grep -q "Failed to download" && printf "\033[32;1mopkg failed. Check internet or date. Command for force ntp sync: ntpd -p ptbtime1.ptb.de\033[0m\n" && exit 1 -} - -route_vpn () { - if [ "$TUNNEL" == wg ]; then -cat << EOF > /etc/hotplug.d/iface/30-rknroute -#!/bin/sh - -ip route add table vpn default dev wg0 -EOF - elif [ "$TUNNEL" == singbox ] || [ "$TUNNEL" == ovpn ] || [ "$TUNNEL" == tun2socks ]; then -cat << EOF > /etc/hotplug.d/iface/30-rknroute -#!/bin/sh - -sleep 5 -ip route add table vpn default dev tun0 -EOF - fi -} - -add_mark() { - grep -q "99 vpn" /etc/iproute2/rt_tables || echo '99 vpn' >> /etc/iproute2/rt_tables - - if ! uci show network | grep -q mark0x1; then - printf "\033[32;1mConfigure mark rule\033[0m\n" - uci add network rule - uci set network.@rule[-1].name='mark0x1' - uci set network.@rule[-1].mark='0x1' - uci set network.@rule[-1].priority='100' - uci set network.@rule[-1].lookup='vpn' - uci commit - fi -} - -add_tunnel() { - echo "We can automatically configure only Wireguard. OpenVPN, Sing-box(Shadowsocks2022, VMess, VLESS, etc) and tun2socks will need to be configured manually" - echo "Select a tunnel:" - echo "1) WireGuard" - echo "2) OpenVPN" - echo "3) Sing-box" - echo "4) tun2socks" - echo "5) Skip this step" - - while true; do - read -r -p '' TUNNEL - case $TUNNEL in - - 1) - TUNNEL=wg - break - ;; - - 2) - TUNNEL=ovpn - break - ;; - - 3) - TUNNEL=singbox - break - ;; - - 4) - TUNNEL=tun2socks - break - ;; - - 5) - echo "Skip" - TUNNEL=0 - break - ;; - - *) - echo "Choose from the following options" - ;; - esac - done - - if [ "$TUNNEL" == 'wg' ]; then - printf "\033[32;1mConfigure WireGuard\033[0m\n" - if opkg list-installed | grep -q wireguard-tools; then - echo "Wireguard already installed" - else - echo "Installed wg..." 
- opkg install wireguard-tools - fi - - route_vpn - - read -r -p "Enter the private key (from [Interface]):"$'\n' WG_PRIVATE_KEY - - while true; do - read -r -p "Enter internal IP address with subnet, example 192.168.100.5/24 (from [Interface]):"$'\n' WG_IP - if echo "$WG_IP" | egrep -oq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+$'; then - break - else - echo "This IP is not valid. Please repeat" - fi - done - - read -r -p "Enter the public key (from [Peer]):"$'\n' WG_PUBLIC_KEY - read -r -p "If use PresharedKey, Enter this (from [Peer]). If your don't use leave blank:"$'\n' WG_PRESHARED_KEY - read -r -p "Enter Enpoint host without port (Domain or IP) (from [Peer]):"$'\n' WG_ENDPOINT - - read -r -p "Enter Enpoint host port (from [Peer]) [51820]:"$'\n' WG_ENDPOINT_PORT - WG_ENDPOINT_PORT=${WG_ENDPOINT_PORT:-51820} - if [ "$WG_ENDPOINT_PORT" = '51820' ]; then - echo $WG_ENDPOINT_PORT - fi - - uci set network.wg0=interface - uci set network.wg0.proto='wireguard' - uci set network.wg0.private_key=$WG_PRIVATE_KEY - uci set network.wg0.listen_port='51820' - uci set network.wg0.addresses=$WG_IP - - if ! 
uci show network | grep -q wireguard_wg0; then - uci add network wireguard_wg0 - fi - uci set network.@wireguard_wg0[0]=wireguard_wg0 - uci set network.@wireguard_wg0[0].name='wg0_client' - uci set network.@wireguard_wg0[0].public_key=$WG_PUBLIC_KEY - uci set network.@wireguard_wg0[0].preshared_key=$WG_PRESHARED_KEY - uci set network.@wireguard_wg0[0].route_allowed_ips='0' - uci set network.@wireguard_wg0[0].persistent_keepalive='25' - uci set network.@wireguard_wg0[0].endpoint_host=$WG_ENDPOINT - uci set network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0' - uci set network.@wireguard_wg0[0].endpoint_port=$WG_ENDPOINT_PORT - uci commit - fi - - if [ "$TUNNEL" == 'ovpn' ]; then - if opkg list-installed | grep -q openvpn-openssl; then - echo "OpenVPN already installed" - else - echo "Installed openvpn" - opkg install openvpn-openssl - fi - printf "\033[32;1mConfigure route for OpenVPN\033[0m\n" - route_vpn - fi - - if [ "$TUNNEL" == 'singbox' ]; then - if opkg list-installed | grep -q sing-box; then - echo "Sing-box already installed" - else - AVAILABLE_SPACE=$(df / | awk 'NR>1 { print $4 }') - if [[ "$AVAILABLE_SPACE" -gt 2000 ]]; then - echo "Installed sing-box" - opkg install sing-box - else - printf "\033[31;1mNo free space for a sing-box. 
Sing-box is not installed.\033[0m\n" - exit 1 - fi - fi - if grep -q "option enabled '0'" /etc/config/sing-box; then - sed -i "s/ option enabled \'0\'/ option enabled \'1\'/" /etc/config/sing-box - fi - if grep -q "option user 'sing-box'" /etc/config/sing-box; then - sed -i "s/ option user \'sing-box\'/ option user \'root\'/" /etc/config/sing-box - fi - if grep -q "tun0" /etc/sing-box/config.json; then - printf "\033[32;1mConfig /etc/sing-box/config.json already exists\033[0m\n" - else -cat << 'EOF' > /etc/sing-box/config.json -{ - "log": { - "level": "debug" - }, - "inbounds": [ - { - "type": "tun", - "interface_name": "tun0", - "domain_strategy": "ipv4_only", - "inet4_address": "172.16.250.1/30", - "auto_route": false, - "strict_route": false, - "sniff": true - } - ], - "outbounds": [ - { - "type": "$TYPE", - "server": "$HOST", - "server_port": $PORT, - "method": "$METHOD", - "password": "$PASS" - } - ], - "route": { - "auto_detect_interface": true - } -} -EOF - printf "\033[32;1mCreate template config in /etc/sing-box/config.json. Edit it manually. Official doc: https://sing-box.sagernet.org/configuration/outbound/\033[0m\n" - printf "\033[32;1mOfficial doc: https://sing-box.sagernet.org/configuration/outbound/\033[0m\n" - printf "\033[32;1mManual with example SS: https://cli.co/Badmn3K \033[0m\n" - - fi - printf "\033[32;1mConfigure route for Sing-box\033[0m\n" - route_vpn - fi -} - -dnsmasqfull() { - if opkg list-installed | grep -q dnsmasq-full; then - printf "\033[32;1mdnsmasq-full already installed\033[0m\n" - else - printf "\033[32;1mInstalled dnsmasq-full\033[0m\n" - cd /tmp/ && opkg download dnsmasq-full - opkg remove dnsmasq && opkg install dnsmasq-full --cache /tmp/ - - [ -f /etc/config/dhcp-opkg ] && cp /etc/config/dhcp /etc/config/dhcp-old && mv /etc/config/dhcp-opkg /etc/config/dhcp -fi -} - -remove_forwarding() { - if [ ! 
-z "$forward_id" ]; then - while uci -q delete firewall.@forwarding[$forward_id]; do :; done - fi -} - -add_zone() { - if [ "$TUNNEL" == 0 ]; then - printf "\033[32;1mZone setting skipped\033[0m\n" - elif uci show firewall | grep -q "@zone.*name='$TUNNEL'"; then - printf "\033[32;1mZone already exist\033[0m\n" - else - printf "\033[32;1mCreate zone\033[0m\n" - - # Delete exists zone - zone_tun_id=$(uci show firewall | grep -E '@zone.*tun0' | awk -F '[][{}]' '{print $2}' | head -n 1) - if [ "$zone_tun_id" == 0 ] || [ "$zone_tun_id" == 1 ]; then - printf "\033[32;1mtun0 zone has an identifier of 0 or 1. That's not ok. Fix your firewall. lan and wan zones should have identifiers 0 and 1. \033[0m\n" - exit 1 - fi - if [ ! -z "$zone_tun_id" ]; then - while uci -q delete firewall.@zone[$zone_tun_id]; do :; done - fi - - zone_wg_id=$(uci show firewall | grep -E '@zone.*wg0' | awk -F '[][{}]' '{print $2}' | head -n 1) - if [ "$zone_wg_id" == 0 ] || [ "$zone_wg_id" == 1 ]; then - printf "\033[32;1mwg0 zone has an identifier of 0 or 1. That's not ok. Fix your firewall. lan and wan zones should have identifiers 0 and 1. \033[0m\n" - exit 1 - fi - if [ ! 
-z "$zone_wg_id" ]; then - while uci -q delete firewall.@zone[$zone_wg_id]; do :; done - fi - - uci add firewall zone - uci set firewall.@zone[-1].name="$TUNNEL" - if [ "$TUNNEL" == wg ]; then - uci set firewall.@zone[-1].network='wg0' - elif [ "$TUNNEL" == singbox ] || [ "$TUNNEL" == ovpn ] || [ "$TUNNEL" == tun2socks ]; then - uci set firewall.@zone[-1].device='tun0' - fi - if [ "$TUNNEL" == wg ] || [ "$TUNNEL" == ovpn ] || [ "$TUNNEL" == tun2socks ]; then - uci set firewall.@zone[-1].forward='REJECT' - uci set firewall.@zone[-1].output='ACCEPT' - uci set firewall.@zone[-1].input='REJECT' - elif [ "$TUNNEL" == singbox ]; then - uci set firewall.@zone[-1].forward='ACCEPT' - uci set firewall.@zone[-1].output='ACCEPT' - uci set firewall.@zone[-1].input='ACCEPT' - fi - uci set firewall.@zone[-1].masq='1' - uci set firewall.@zone[-1].mtu_fix='1' - uci set firewall.@zone[-1].family='ipv4' - uci commit firewall - fi - - if [ "$TUNNEL" == 0 ]; then - printf "\033[32;1mForwarding setting skipped\033[0m\n" - elif uci show firewall | grep -q "@forwarding.*name='$TUNNEL-lan'"; then - printf "\033[32;1mForwarding already configured\033[0m\n" - else - printf "\033[32;1mConfigured forwarding\033[0m\n" - # Delete exists forwarding - if [[ $TUNNEL != "wg" ]]; then - forward_id=$(uci show firewall | grep -E "@forwarding.*dest='wg'" | awk -F '[][{}]' '{print $2}' | head -n 1) - remove_forwarding - fi - - if [[ $TUNNEL != "ovpn" ]]; then - forward_id=$(uci show firewall | grep -E "@forwarding.*dest='ovpn'" | awk -F '[][{}]' '{print $2}' | head -n 1) - remove_forwarding - fi - - if [[ $TUNNEL != "singbox" ]]; then - forward_id=$(uci show firewall | grep -E "@forwarding.*dest='singbox'" | awk -F '[][{}]' '{print $2}' | head -n 1) - remove_forwarding - fi - - if [[ $TUNNEL != "tun2socks" ]]; then - forward_id=$(uci show firewall | grep -E "@forwarding.*dest='tun2socks'" | awk -F '[][{}]' '{print $2}' | head -n 1) - remove_forwarding - fi - - uci add firewall forwarding - uci set 
firewall.@forwarding[-1]=forwarding - uci set firewall.@forwarding[-1].name="$TUNNEL-lan" - uci set firewall.@forwarding[-1].dest="$TUNNEL" - uci set firewall.@forwarding[-1].src='lan' - uci set firewall.@forwarding[-1].family='ipv4' - uci commit firewall - fi -} - -show_manual() { - if [ "$TUNNEL" == tun2socks ]; then - printf "\033[42;1mZone for tun2socks cofigured. But you need to set up the tunnel yourself.\033[0m\n" - echo "Use this manual: https://cli.co/VNZISEM" - elif [ "$TUNNEL" == ovpn ]; then - printf "\033[42;1mZone for OpenVPN cofigured. But you need to set up the tunnel yourself.\033[0m\n" - echo "Use this manual: https://itdog.info/nastrojka-klienta-openvpn-na-openwrt/" - fi -} - -add_set() { - if uci show firewall | grep -q "@ipset.*name='vpn_domains'"; then - printf "\033[32;1mSet already exist\033[0m\n" - else - printf "\033[32;1mCreate set\033[0m\n" - uci add firewall ipset - uci set firewall.@ipset[-1].name='vpn_domains' - uci set firewall.@ipset[-1].match='dst_net' - uci commit - fi - if uci show firewall | grep -q "@rule.*name='mark_domains'"; then - printf "\033[32;1mRule for set already exist\033[0m\n" - else - printf "\033[32;1mCreate rule set\033[0m\n" - uci add firewall rule - uci set firewall.@rule[-1]=rule - uci set firewall.@rule[-1].name='mark_domains' - uci set firewall.@rule[-1].src='lan' - uci set firewall.@rule[-1].dest='*' - uci set firewall.@rule[-1].proto='all' - uci set firewall.@rule[-1].ipset='vpn_domains' - uci set firewall.@rule[-1].set_mark='0x1' - uci set firewall.@rule[-1].target='MARK' - uci set firewall.@rule[-1].family='ipv4' - uci commit - fi -} - -add_dns_resolver() { - echo "Configure DNSCrypt2 or Stubby? It does matter if your ISP is spoofing DNS requests" - DISK=$(df -m / | awk 'NR==2{ print $2 }') - if [[ "$DISK" -lt 32 ]]; then - printf "\033[31;1mYour router a disk have less than 32MB. 
It is not recommended to install DNSCrypt, it takes 10MB\033[0m\n" - fi - echo "Select:" - echo "1) No [Default]" - echo "2) DNSCrypt2 (10.7M)" - echo "3) Stubby (36K)" - - while true; do - read -r -p '' DNS_RESOLVER - case $DNS_RESOLVER in - - 1) - echo "Skiped" - break - ;; - - 2) - DNS_RESOLVER=DNSCRYPT - break - ;; - - 3) - DNS_RESOLVER=STUBBY - break - ;; - - *) - echo "Choose from the following options" - ;; - esac - done - - if [ "$DNS_RESOLVER" == 'DNSCRYPT' ]; then - if opkg list-installed | grep -q dnscrypt-proxy2; then - printf "\033[32;1mDNSCrypt2 already installed\033[0m\n" - else - printf "\033[32;1mInstalled dnscrypt-proxy2\033[0m\n" - opkg install dnscrypt-proxy2 - if grep -q "# server_names" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml; then - sed -i "s/^# server_names =.*/server_names = [\'google\', \'cloudflare\', \'scaleway-fr\', \'yandex\']/g" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml - fi - - printf "\033[32;1mDNSCrypt restart\033[0m\n" - service dnscrypt-proxy restart - printf "\033[32;1mDNSCrypt needs to load the relays list. Please wait\033[0m\n" - sleep 30 - - if [ -f /etc/dnscrypt-proxy2/relays.md ]; then - uci set dhcp.@dnsmasq[0].noresolv="1" - uci -q delete dhcp.@dnsmasq[0].server - uci add_list dhcp.@dnsmasq[0].server="127.0.0.53#53" - uci add_list dhcp.@dnsmasq[0].server='/use-application-dns.net/' - uci commit dhcp - - printf "\033[32;1mDnsmasq restart\033[0m\n" - - /etc/init.d/dnsmasq restart - else - printf "\033[31;1mDNSCrypt not download list on /etc/dnscrypt-proxy2. 
Repeat install DNSCrypt by script.\033[0m\n" - fi - fi - - fi - - if [ "$DNS_RESOLVER" == 'STUBBY' ]; then - printf "\033[32;1mConfigure Stubby\033[0m\n" - - if opkg list-installed | grep -q stubby; then - printf "\033[32;1mStubby already installed\033[0m\n" - else - printf "\033[32;1mInstalled stubby\033[0m\n" - opkg install stubby - - printf "\033[32;1mConfigure Dnsmasq for Stubby\033[0m\n" - uci set dhcp.@dnsmasq[0].noresolv="1" - uci -q delete dhcp.@dnsmasq[0].server - uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453" - uci add_list dhcp.@dnsmasq[0].server='/use-application-dns.net/' - uci commit dhcp - - printf "\033[32;1mDnsmasq restart\033[0m\n" - - /etc/init.d/dnsmasq restart - fi - fi -} - -add_packages() { - if opkg list-installed | grep -q "curl -"; then - printf "\033[32;1mCurl already installed\033[0m\n" - else - printf "\033[32;1mInstall curl\033[0m\n" - opkg install curl - fi - - if opkg list-installed | grep -q nano; then - printf "\033[32;1mNano already installed\033[0m\n" - else - printf "\033[32;1mInstall nano\033[0m\n" - opkg install nano - fi -} - -add_getdomains() { - echo "Choose you country" - echo "Select:" - echo "1) Russia inside. You are inside Russia" - echo "2) Russia outside. You are outside of Russia, but you need access to Russian resources" - echo "3) Ukraine. 
uablacklist.net list" - echo "4) Skip script creation" - - while true; do - read -r -p '' COUNTRY - case $COUNTRY in - - 1) - COUNTRY=russia_inside - break - ;; - - 2) - COUNTRY=russia_outside - break - ;; - - 3) - COUNTRY=ukraine - break - ;; - - 4) - echo "Skiped" - COUNTRY=0 - break - ;; - - *) - echo "Choose from the following options" - ;; - esac - done - - if [ "$COUNTRY" == 'russia_inside' ]; then - EOF_DOMAINS=DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Russia/inside-dnsmasq-nfset.lst - elif [ "$COUNTRY" == 'russia_outside' ]; then - EOF_DOMAINS=DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Russia/outside-dnsmasq-nfset.lst - elif [ "$COUNTRY" == 'ukraine' ]; then - EOF_DOMAINS=DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Ukraine/inside-dnsmasq-nfset.lst - fi - - if [ "$COUNTRY" != '0' ]; then - printf "\033[32;1mCreate script /etc/init.d/getdomains\033[0m\n" - -cat << EOF > /etc/init.d/getdomains -#!/bin/sh /etc/rc.common - -START=99 - -start () { - $EOF_DOMAINS -EOF -cat << 'EOF' >> /etc/init.d/getdomains - count=0 - while true; do - if curl -m 3 github.com; then - curl -f $DOMAINS --output /tmp/dnsmasq.d/domains.lst - break - else - echo "GitHub is not available. Check the internet availability [$count]" - count=$((count+1)) - fi - done - - if dnsmasq --conf-file=/tmp/dnsmasq.d/domains.lst --test 2>&1 | grep -q "syntax check OK"; then - /etc/init.d/dnsmasq restart - fi -} -EOF - - chmod +x /etc/init.d/getdomains - /etc/init.d/getdomains enable - - if crontab -l | grep -q /etc/init.d/getdomains; then - printf "\033[32;1mCrontab already configured\033[0m\n" - - else - crontab -l | { cat; echo "0 */8 * * * /etc/init.d/getdomains start"; } | crontab - - printf "\033[32;1mIgnore this error. 
This is normal for a new installation\033[0m\n" - /etc/init.d/cron restart - fi - - printf "\033[32;1mStart script\033[0m\n" - - /etc/init.d/getdomains start - fi -} - -# System Details -MODEL=$(grep machine /proc/cpuinfo | cut -d ':' -f 2) -RELEASE=$(grep OPENWRT_RELEASE /etc/os-release | awk -F '"' '{print $2}') -printf "\033[34;1mModel:$MODEL\033[0m\n" -printf "\033[34;1mVersion: $RELEASE\033[0m\n" - -VERSION_ID=$(grep VERSION_ID /etc/os-release | awk -F '"' '{print $2}' | awk -F. '{print $1}') - -if [ "$VERSION_ID" -ne 23 ]; then - printf "\033[31;1mScript only support OpenWrt 23.05\033[0m\n" - echo "For OpenWrt 21.02 and 22.03 you can:" - echo "1) Use ansible https://github.com/itdoginfo/ansible-openwrt-hirkn" - echo "2) Configure manually. Old manual: https://itdog.info/tochechnyj-obhod-blokirovok-rkn-na-routere-s-openwrt-s-pomoshhyu-wireguard-i-dnscrypt/" - exit 1 -fi - -printf "\033[31;1mAll actions performed here cannot be rolled back automatically.\033[0m\n" - -check_repo - -add_packages - -add_tunnel - -add_mark - -add_zone - -show_manual - -add_set - -dnsmasqfull - -add_dns_resolver - -add_getdomains - -printf "\033[32;1mRestart network\033[0m\n" -/etc/init.d/network restart - -printf "\033[32;1mDone\033[0m\n" diff --git a/image-extras/tplink_tl-wdr3600-v1/etc/uci-defaults/99-defaults b/image-extras/tplink_tl-wdr3600-v1/etc/uci-defaults/99-defaults index c08f7e5..b7d04cc 100644 --- a/image-extras/tplink_tl-wdr3600-v1/etc/uci-defaults/99-defaults +++ b/image-extras/tplink_tl-wdr3600-v1/etc/uci-defaults/99-defaults @@ -47,7 +47,7 @@ uci set system.@system[0].timezone='<+05>-5' uci set system.ntp.enable_server='1' uci set system.ntp.interface='lan' uci set system.@system[0].zonename='Asia/Yekaterinburg' -commit system +uci commit system /etc/init.d/system restart # Configure ssh dropbear 
@@ -65,40 +65,329 @@ uci commit dropbear
 # Configure uhttpd
 uci set uhttpd.main.listen_http='0.0.0.0:8080'
 uci set uhttpd.main.listen_https='0.0.0.0:4431'
-commit uhttpd
+uci commit uhttpd
 /etc/init.d/uhttpd restart
-
+
 # DHCP server on/off
-#uci set dhcp.lan.ignore="$dhcpsrv"
-#uci add host
-#uci set dhcp.@host[-1].name='jeka-office'
-#uci set dhcp.@host[-1].mac='4c:cc:6a:01:5d:30'
-#uci set dhcp.@host[-1].ip='192.168.77.35'
-#uci add host
-#uci set dhcp.@host[-1].name='fs1370dn'
-#uci set dhcp.@host[-1].mac='00:C0:EE:9E:01:55'
-#uci set dhcp.@host[-1].ip='192.168.77.33'
-#uci add host
-#uci set dhcp.@host[-1].name='kyoceraigor'
-#uci set dhcp.@host[-1].mac='00:17:C8:21:A7:F2'
-#uci set dhcp.@host[-1].ip='192.168.77.30'
-#uci add host
-#uci set dhcp.@host[-1].name='kyocerascanner'
-#uci set dhcp.@host[-1].mac='00:C0:EE:BB:85:2C'
-#uci set dhcp.@host[-1].ip='192.168.77.31'
-#uci add host
-#uci set dhcp.@host[-1].name='natasha-office'
-#uci set dhcp.@host[-1].mac='50:46:5D:09:D0:69'
-#uci set dhcp.@host[-1].ip='192.168.77.36'
-#uci add host
-#uci set dhcp.@host[-1].name='klipper'
-#uci set dhcp.@host[-1].mac='B8:27:EB:B9:82:6D'
-#uci set dhcp.@host[-1].ip='192.168.77.44'
-#uci commit dhcp
-#/etc/init.d/dnsmasq restart
+uci set dhcp.lan.start='90'
+uci set dhcp.lan.limit='100'
+uci set dhcp.lan.ignore="$dhcpsrv"
+uci add host
+uci set dhcp.@host[-1].name='kyocera0'
+uci set dhcp.@host[-1].mac='00:17:C8:76:43:91'
+uci set dhcp.@host[-1].ip='192.168.47.30'
+uci add host
+uci set dhcp.@host[-1].name='kyocera1'
+uci set dhcp.@host[-1].mac='00:17:C8:42:1C:AA'
+uci set dhcp.@host[-1].ip='192.168.47.31'
+uci add host
+uci set dhcp.@host[-1].name='lg-webos-1F'
+uci set dhcp.@host[-1].mac='A8:23:FE:7A:D4:1E'
+uci set dhcp.@host[-1].ip='192.168.47.36'
+uci add host
+uci set dhcp.@host[-1].name='camera1'
+uci set dhcp.@host[-1].mac='c0:56:e3:86:2d:22'
+uci set dhcp.@host[-1].ip='192.168.47.20'
+uci add host
+uci set dhcp.@host[-1].name='camera2'
+uci set dhcp.@host[-1].mac='c0:56:e3:87:de:b0'
+uci set dhcp.@host[-1].ip='192.168.47.21'
+uci add host
+uci set dhcp.@host[-1].name='camera3'
+uci set dhcp.@host[-1].mac='c0:56:e3:86:2d:33'
+uci set dhcp.@host[-1].ip='192.168.47.22'
+uci add host
+uci set dhcp.@host[-1].name='camera4'
+uci set dhcp.@host[-1].mac='c0:56:e3:87:df:37'
+uci set dhcp.@host[-1].ip='192.168.47.23'
+uci add host
+uci set dhcp.@host[-1].name='camera5'
+uci set dhcp.@host[-1].mac='f8:4d:fc:0b:dd:59'
+uci set dhcp.@host[-1].ip='192.168.47.24'
+uci add host
+uci set dhcp.@host[-1].name='kodi-aramil'
+uci set dhcp.@host[-1].mac='90:0E:B3:03:97:96'
+uci set dhcp.@host[-1].ip='192.168.47.19'
+uci add host
+uci set dhcp.@host[-1].name='switch-des2110'
+uci set dhcp.@host[-1].mac='00:11:95:28:7F:F4'
+uci set dhcp.@host[-1].ip='192.168.47.155'
+uci add host
+uci set dhcp.@host[-1].name='Pap2t'
+uci set dhcp.@host[-1].mac='00:0e:08:20:22:68'
+uci set dhcp.@host[-1].ip='192.168.47.40'
+uci add host
+uci set dhcp.@host[-1].name='CiscoATA186'
+uci set dhcp.@host[-1].mac='00:0D:29:51:31:E9'
+uci set dhcp.@host[-1].ip='192.168.47.41'
+uci add host
+uci set dhcp.@host[-1].name='PBX'
+uci set dhcp.@host[-1].mac='00:16:3E:5F:0F:15'
+uci set dhcp.@host[-1].ip='192.168.47.7'
+uci add host
+uci set dhcp.@host[-1].name='Ogorod-mikrotik'
+uci set dhcp.@host[-1].mac='D4:CA:6D:7F:6F:3E'
+uci set dhcp.@host[-1].ip='192.168.47.38'
+uci add host
+uci set dhcp.@host[-1].name='Yandexstation-1F'
+uci set dhcp.@host[-1].mac='70:4A:0E:62:C1:1A'
+uci set dhcp.@host[-1].ip='192.168.47.33'
+uci add host
+uci set dhcp.@host[-1].name='esphome-pogreb'
+uci set dhcp.@host[-1].mac='C4:5B:BE:63:51:4F'
+uci set dhcp.@host[-1].ip='192.168.47.45'
+uci add host
+uci set dhcp.@host[-1].name='esphome-kotelnaya'
+uci set dhcp.@host[-1].mac='4C:75:25:2A:5B:64'
+uci set dhcp.@host[-1].ip='192.168.47.46'
+uci add host
+uci set dhcp.@host[-1].name='esphome-garage-dvor'
+uci set dhcp.@host[-1].mac='40:91:51:52:C3:24'
+uci set dhcp.@host[-1].ip='192.168.47.47'
+
+uci commit dhcp
+/etc/init.d/dnsmasq restart
 # Configure network
+# VPN BAUMANA
+uci set network.vpn0=interface
+uci set network.vpn0.proto='wireguard'
+uci set network.vpn0.private_key='CC2sqK5H1gyertWCa7RtTobRSCO75LX5VAkHW5VjRUI='
+uci set network.vpn0.listen_port='23557'
+uci add network wireguard_vpn0
+uci set network.@wireguard_vpn0[0]=wireguard_vpn0
+uci set network.@wireguard_vpn0[0].description='Site Baumana Home'
+uci set network.@wireguard_vpn0[0].public_key='AFMw2q1JP16ckXnho04M7J2hheUIXtjdRcGQSrs2BHM='
+uci set network.@wireguard_vpn0[0].preshared_key='afYl4qqDwk0f0RGNscnBFRfnKG5Jm6wR3FPA60TTFII='
+uci set network.@wireguard_vpn0[0].allowed_ips='192.168.75.0/24'
+uci set network.@wireguard_vpn0[0].route_allowed_ips='1'
+uci set network.@wireguard_vpn0[0].persistent_keepalive='25'
+uci set network.@wireguard_vpn0[0].endpoint_host='wg.npau.ru'
+uci set network.@wireguard_vpn0[0].endpoint_port='23557'
+# VPN ELMASH
+uci set network.vpn1=interface
+uci set network.vpn1.proto='wireguard'
+uci set network.vpn1.private_key='yBYYOXkzZflQpfp0PdmZCKx1klz2IdjnWxxEwsmlJ1U='
+uci set network.vpn1.listen_port='23556'
+uci add network wireguard_vpn1
+uci set network.@wireguard_vpn1[0]=wireguard_vpn1
+uci set network.@wireguard_vpn1[0].description='Site Elmash Office'
+uci set network.@wireguard_vpn1[0].public_key='UjhGEeZkSpeeh0GfKvvtdAL9khP8hNiCpkIutlJiuFg='
+uci set network.@wireguard_vpn1[0].preshared_key='GdSszP+e86Vhs+/GD7uHpsLCnBCpyBZwMmOlxbS6OOg='
+uci set network.@wireguard_vpn1[0].allowed_ips='192.168.77.0/24'
+uci set network.@wireguard_vpn1[0].route_allowed_ips='1'
+uci set network.@wireguard_vpn1[0].persistent_keepalive='25'
+uci set network.@wireguard_vpn1[0].endpoint_host='elmash.npau.ru'
+uci set network.@wireguard_vpn1[0].endpoint_port='23556'
+# VPN PIVKO
+uci set network.vpn2=interface
+uci set network.vpn2.proto='wireguard'
+uci set network.vpn2.private_key='wKGUSB76waHrZKjxTutJJ+B50Cafl/O16X7VLCUBfls='
+uci set network.vpn2.listen_port='23558'
+uci add network wireguard_vpn2
+uci set network.@wireguard_vpn2[0]=wireguard_vpn2
+uci set network.@wireguard_vpn2[0].description='Site Pivko Dvurechensk'
+uci set network.@wireguard_vpn2[0].public_key='i0/zXWRpNIgk4KOwDa/qzBubFehgVmTfPv7yk2gYgBk='
+uci set network.@wireguard_vpn2[0].preshared_key='ONgqoU8Q6mT42E/RVUAhRwKarmF8H5z/7SR7df5Mn48='
+uci set network.@wireguard_vpn2[0].allowed_ips='192.168.76.0/24'
+uci set network.@wireguard_vpn2[0].route_allowed_ips='1'
+uci set network.@wireguard_vpn2[0].persistent_keepalive='25'
+uci set network.@wireguard_vpn2[0].endpoint_host='pivko.npau.ru'
+uci set network.@wireguard_vpn2[0].endpoint_port='23558'
+# Antizapret
+uci set network.wg0=interface
+uci set network.wg0.proto='wireguard'
+uci set network.wg0.listen_port='51820'
+uci set network.wg0.private_key='qFTjFepaM+mUnzePCs2BF81lEszlau4bgayYAayApXo='
+uci set network.wg0.addresses='192.168.100.4/24'
+uci add network wireguard_wg0
+uci set network.@wireguard_wg0[0]=wireguard_wg0
+uci set network.@wireguard_wg0[0].name='wg0_client'
+uci set network.@wireguard_wg0[0].route_allowed_ips='0'
+uci set network.@wireguard_wg0[0].persistent_keepalive='25'
+uci set network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0'
+uci set network.@wireguard_wg0[0].endpoint_host='88.210.11.80'
+uci set network.@wireguard_wg0[0].endpoint_port='51820'
+uci set network.@wireguard_wg0[0].public_key='E/3AhjY3/nteAEy7uPR72kKbXwyJL3ANEhsEoMHP43o='
+uci set network.@wireguard_wg0[0].preshared_key='sqW/LnZMocBhkuDTwSBnsUGilk+KznRMXk8LJnaOEXk='
+
+uci commit network
 /etc/init.d/network restart
 # Configure firewall
+
+# SETTINGS
+uci set firewall.@defaults[0].synflood_protect='1'
+uci set firewall.@defaults[0].drop_invalid='1'
+
+# ADD ZONE
+uci add firewall zone
+uci set firewall.@zone[-1].name='vpn0'
+uci set firewall.@zone[-1].network='vpn0'
+uci set firewall.@zone[-1].input='ACCEPT'
+uci set firewall.@zone[-1].forward='ACCEPT'
+uci set firewall.@zone[-1].device='vpn0'
+uci set firewall.@zone[-1].output='ACCEPT'
+uci add firewall zone
+uci set firewall.@zone[-1].name='vpn1'
+uci set firewall.@zone[-1].network='vpn1'
+uci set firewall.@zone[-1].input='ACCEPT'
+uci set firewall.@zone[-1].forward='ACCEPT'
+uci set firewall.@zone[-1].device='vpn1'
+uci set firewall.@zone[-1].output='ACCEPT'
+uci add firewall zone
+uci set firewall.@zone[-1].name='vpn2'
+uci set firewall.@zone[-1].network='vpn2'
+uci set firewall.@zone[-1].input='ACCEPT'
+uci set firewall.@zone[-1].forward='ACCEPT'
+uci set firewall.@zone[-1].device='vpn2'
+uci set firewall.@zone[-1].output='ACCEPT'
+uci add firewall zone
+uci set firewall.@zone[-1].name='wg'
+uci set firewall.@zone[-1].family='ipv4'
+uci set firewall.@zone[-1].masq='1'
+uci set firewall.@zone[-1].output='ACCEPT'
+uci set firewall.@zone[-1].forward='REJECT'
+uci set firewall.@zone[-1].input='REJECT'
+uci set firewall.@zone[-1].mtu_fix='1'
+uci set firewall.@zone[-1].network='wg0'
+
+# ADD FORWARDING
+uci add firewall forwarding
+uci set firewall.@forwarding[1].dest='lan'
+uci set firewall.@forwarding[1].src='vpn0'
+uci add firewall forwarding
+uci set firewall.@forwarding[2].dest='vpn0'
+uci set firewall.@forwarding[2].src='lan'
+uci add firewall forwarding
+uci set firewall.@forwarding[3].dest='lan'
+uci set firewall.@forwarding[3].src='vpn1'
+uci add firewall forwarding
+uci set firewall.@forwarding[4].dest='vpn1'
+uci set firewall.@forwarding[4].src='lan'
+uci add firewall forwarding
+uci set firewall.@forwarding[5].dest='lan'
+uci set firewall.@forwarding[5].src='vpn2'
+uci add firewall forwarding
+uci set firewall.@forwarding[6].dest='vpn2'
+uci set firewall.@forwarding[6].src='lan'
+uci add firewall forwarding
+uci set firewall.@forwarding[7].family='ipv4'
+uci set firewall.@forwarding[7].src='lan'
+uci set firewall.@forwarding[7].dest='wg'
+
+# ADD RULE
+uci add firewall rule
+uci set firewall.@rule[-1].target='ACCEPT'
+uci set firewall.@rule[-1].proto='udp'
+uci set firewall.@rule[-1].dest_port='23558'
+uci set firewall.@rule[-1].name='Allow-Aramil-Pivko-Inbound'
+uci set firewall.@rule[-1].src='wan'
+uci add firewall rule
+uci set firewall.@rule[10].target='ACCEPT'
+uci set firewall.@rule[10].proto='udp'
+uci set firewall.@rule[10].dest_port='51820'
+uci set firewall.@rule[10].name='Allow-Wireguard-VPS'
+uci set firewall.@rule[10].src='wan'
+uci add firewall rule
+uci set firewall.@rule[11].target='ACCEPT'
+uci set firewall.@rule[11].proto='udp'
+uci set firewall.@rule[11].dest_port='23557'
+uci set firewall.@rule[11].name='Allow-Wireguard-Inbound'
+uci set firewall.@rule[11].src='wan'
+uci add firewall rule
+uci set firewall.@rule[12].target='ACCEPT'
+uci set firewall.@rule[12].proto='udp'
+uci set firewall.@rule[12].dest_port='23556'
+uci set firewall.@rule[12].name='Allow-Elmash-Aramil-Inbound'
+uci set firewall.@rule[12].src='wan'
+uci add firewall rule
+uci set firewall.@rule[13].dest_port='5201'
+uci set firewall.@rule[13].src='wan'
+uci set firewall.@rule[13].name='iperf'
+uci set firewall.@rule[13].target='ACCEPT'
+uci add network rule
+uci set network.@rule[-1].name='mark0x1'
+uci set network.@rule[-1].mark='0x1'
+uci set network.@rule[-1].priority='100'
+uci set network.@rule[-1].lookup='vpn'
+
+# ADD REDIRECT
+uci add firewall redirect
+uci set firewall.@redirect[0].target='DNAT'
+uci set firewall.@redirect[0].src='wan'
+uci set firewall.@redirect[0].dest='lan'
+uci set firewall.@redirect[0].dest_ip='192.168.47.9'
+uci set firewall.@redirect[0].dest_port='6881'
+uci set firewall.@redirect[0].proto='tcp' 'udp'
+uci set firewall.@redirect[0].name='qbittorrent'
+uci set firewall.@redirect[0].src_dport='6881'
+uci add firewall redirect
+uci set firewall.@redirect[1].dest_port='25'
+uci set firewall.@redirect[1].src='wan'
+uci set firewall.@redirect[1].name='smtp_25'
+uci set firewall.@redirect[1].src_dport='25'
+uci set firewall.@redirect[1].target='DNAT'
+uci set firewall.@redirect[1].dest_ip='192.168.47.2'
+uci set firewall.@redirect[1].dest='lan'
+uci add firewall redirect
+uci set firewall.@redirect[2].dest_port='143'
+uci set firewall.@redirect[2].src='wan'
+uci set firewall.@redirect[2].name='imap_143'
+uci set firewall.@redirect[2].src_dport='143'
+uci set firewall.@redirect[2].target='DNAT'
+uci set firewall.@redirect[2].dest_ip='192.168.47.2'
+uci set firewall.@redirect[2].dest='lan'
+uci add firewall redirect
+uci set firewall.@redirect[3].dest_port='993'
+uci set firewall.@redirect[3].src='wan'
+uci set firewall.@redirect[3].name='imaps_993'
+uci set firewall.@redirect[3].src_dport='993'
+uci set firewall.@redirect[3].target='DNAT'
+uci set firewall.@redirect[3].dest_ip='192.168.47.2'
+uci set firewall.@redirect[3].dest='lan'
+uci add firewall redirect
+uci set firewall.@redirect[4].dest_port='465'
+uci set firewall.@redirect[4].src='wan'
+uci set firewall.@redirect[4].src_dport='465'
+uci set firewall.@redirect[4].target='DNAT'
+uci set firewall.@redirect[4].dest_ip='192.168.47.2'
+uci set firewall.@redirect[4].dest='lan'
+uci set firewall.@redirect[4].name='smtp_465'
+uci add firewall redirect
+uci set firewall.@redirect[5].dest_port='4190'
+uci set firewall.@redirect[5].src='wan'
+uci set firewall.@redirect[5].name='mail_sieve_4190'
+uci set firewall.@redirect[5].src_dport='4190'
+uci set firewall.@redirect[5].target='DNAT'
+uci set firewall.@redirect[5].dest_ip='192.168.47.2'
+uci set firewall.@redirect[5].dest='lan'
+uci add firewall redirect
+uci set firewall.@redirect[6].dest_port='587'
+uci set firewall.@redirect[6].src='wan'
+uci set firewall.@redirect[6].name='smtp_587'
+uci set firewall.@redirect[6].src_dport='587'
+uci set firewall.@redirect[6].target='DNAT'
+uci set firewall.@redirect[6].dest_ip='192.168.47.2'
+uci set firewall.@redirect[6].dest='lan'
+uci add firewall redirect
+uci set firewall.@redirect[7].dest_port='80'
+uci set firewall.@redirect[7].src='wan'
+uci set firewall.@redirect[7].src_dport='80'
+uci set firewall.@redirect[7].target='DNAT'
+uci set firewall.@redirect[7].dest='lan'
+uci set firewall.@redirect[7].name='NPM-80'
+uci set firewall.@redirect[7].dest_ip='192.168.47.191'
+uci add firewall redirect
+uci set firewall.@redirect[8].dest_port='443'
+uci set firewall.@redirect[8].src='wan'
+uci set firewall.@redirect[8].src_dport='443'
+uci set firewall.@redirect[8].target='DNAT'
+uci set firewall.@redirect[8].dest='lan'
+uci set firewall.@redirect[8].name='NPM-443'
+uci set firewall.@redirect[8].dest_ip='192.168.47.191'
+
+uci commit firewall
 /etc/init.d/firewall restart
+
+echo "All done"
diff --git a/tplink_archer-c7-v5.sh b/tplink_archer-c7-v5.sh
deleted file mode 100755
index 8e9fa1d..0000000
--- a/tplink_archer-c7-v5.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/usr/bin/env bash
-
-./build.sh ath79 generic tplink_archer-c7-v5
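Review bot: The WireGuard `private_key` and `preshared_key` values for vpn0, vpn1, vpn2 and wg0 are written in plaintext into a uci-defaults script that is committed to the repository and baked into the firmware image, so anyone holding the repo or an image file can impersonate or decrypt all four tunnels; if these were ever live keys they should be treated as compromised and rotated, and the script should instead read them at build time from a file kept outside the repo (e.g. `uci set network.vpn0.private_key="$(cat /etc/wireguard/vpn0.key)"`) or leave them to be set after flashing. `uci set firewall.@redirect[0].proto='tcp' 'udp'` passes two arguments where `uci set` takes one, so depending on the uci build the option is either rejected as a usage error or set to `tcp` only; the intended form is `proto='tcp udp'`. The hard-coded section indices `@rule[10]`–`@rule[13]` and `@forwarding[1]`–`@forwarding[7]` presume an exact number of pre-existing sections in the default firewall config, whereas the first added rule uses `@rule[-1]`; using `[-1]` throughout, as the zone and redirect-free parts already do, removes that dependency on the stock rule count. The `iperf` rule at `@rule[13]` accepts port 5201 from `wan` with no `proto` and no `src_ip`, which leaves a test tool permanently reachable from the internet rather than from the VPN zones it is presumably meant for.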