fix

should fix #27.

.gitignore

@@ -1,2 +1,2 @@
 notes.txt
-authorized_keys
+build/

README.md

@@ -1,34 +1,63 @@
 # What
 
-It's a script to build a customized OpenWRT firmware image on a Linux x86_64 host
-(basic familiarity with [OpenWRT](https://wiki.openwrt.org/doc/howto/user.beginner)
-is assumed).
+It's a script to build a customized
+[OpenWrt](https://openwrt.org/docs/guide-user/start)
+firmware image using
+[ImageBuilder](https://openwrt.org/docs/guide-user/additional-software/imagebuilder).
 
-If the generated image is flashed on a device it will try to automatically
-set up [extroot](http://wiki.openwrt.org/doc/howto/extroot) on **any
-(!)** storage device plugged into the USB port (`/dev/sda`). Keep in
-mind that **this will erase any inserted storage device while the
-router is in the initial setup phase**! Unfortunately there's little
-that can be done at that point to ask the user for confirmation.
+If the generated image is flashed on a router, then during its boot
+process it will try to automatically set up
+[extroot](https://openwrt.org/docs/guide-user/additional-software/extroot_configuration)
+on **any (!)** storage device plugged into the USB port (`/dev/sda`),
+including your already working extroot pendrive if you plug it in too
+late in the boot process.
 
 # Why
 
-So that e.g. customers can buy a router on their own, flash our custom
+So that e.g. customers can buy a router on their own, download and flash our custom
 firmware, plug in a pendrive, and manage their SIP (telephony) node
 from our webapp.
 
+I've extracted the generic parts from the above mentioned auto-provision
+project because I thought it's useful enough for making it public.
+
+It also serves me well on my own routers ever since then.
+
 # How
+
+You can read more about the underlying technology on the OpenWrt wiki: see e.g. the
+[ImageBuilder](https://openwrt.org/docs/guide-user/additional-software/imagebuilder)
+page, or the page that lists some other
+[ImageBuilder frontends](https://openwrt.org/docs/guide-developer/imagebuilder_frontends).
+
+As for the actual mechanism: custom scripts are baked into the boot
+process of the flashed firmware. If the extroot overlay is properly
+set up, then these scripts get hidden by it; i.e. they will only be run
+when the extroot has failed to mount early in the boot process.
+
+Keep in mind that **this will automatically erase/format any inserted
+storage device while the router is in the initial setup phase**!
+Unfortunately there's little that can be done at that point to ask the
+user for confirmation.
+
 ### Building
 
-To build issue the following command: `./build.sh architecture variant device-profile`, e.g.:
-* `./build.sh ar71xx generic TLWDR4300`
-* `./build.sh ramips mt7621 ZBT-WG3526`
+OpenWrt's ImageBuilder only works on Linux x86_64. To build a firmware, issue the following command:
+`./build.sh architecture variant device-profile`, e.g.:
 
-Results will be under `build/OpenWrt-ImageBuilder-${architecture}_${variant}-for-linux-x86_64/bin/`.
+* `./build.sh ath79 generic tplink_tl-wr1043nd-v1`
+* `./build.sh ath79 generic tplink_archer-c6-v2`
+* `./build.sh ath79 generic tplink_tl-wdr4300-v1`
+* `./build.sh bcm53xx generic dlink_dir-885l`
 
-To see a list of available targets, run this in the ImageBuilder dir: `make info`.
+Results will be under `build/openwrt-imagebuilder-${release}-${architecture}-${variant}.Linux-x86_64/bin/`.
 
-If you want to change which OpenWRT version is used, then edit the relevant variables in `build.sh` (`RELEASE`, and `RELEASE_NAME`).
+To see a list of available targets, run `make info` in the ImageBuilder dir.
+
+If you want to change which OpenWrt version is used, then try editing
+the relevant variable(s) in `build.sh`. It's not guaranteed to work
+across OpenWrt releases, therefore we keep git branches for the past
+releases.
 
 ### Setup stages
 
@@ -37,16 +66,21 @@ sources for details: [autoprovision-functions.sh](image-extras/common/root/autop
 
 #### Stage 1: setup extroot
 
-At the first boot after flashing the firmware the autoprovision script will
+When the custom firmware first boots, the autoprovision script will
 wait for anything (!) in `/dev/sda` to show up (that is >= 512M), then erase
 it and set up a `swap`, an `extroot`, and a `data`filesystem (for the remaining
 space), and then reboot.
 
 #### Stage 2: download and install some packages from the internet
 
-Once it booted into the new extroot, it will continuously attempt to install
-some OpenWRT packages until an internet connection is set up on the router
-(either by using ssh or LuCI if you could fit it into the firmware).
+Once it rebooted into the new extroot, it will continuously keep trying to install
+some OpenWrt packages until an internet connection is set up on the router. You
+need to do that manually either by using ssh or the web UI (LuCI).
+
+#### Stage 3, optional
+
+We also have a 3rd stage, written in Python, but it's commented out here.
+Search for `autoprovision-stage3.py` to see how it's done.
 
 ### Login
 
@@ -57,54 +91,62 @@ By default the root passwd is not set, so the router will start telnet with
 no password. If you want to set up a password, then edit the stage 2 script:
 [autoprovision-stage2.sh](image-extras/common/root/autoprovision-stage2.sh#L53).
 
-If a password is set, then telnet is disabled by OpenWRT and SSH will listen
+If a password is set, then telnet is disabled by OpenWrt and SSH will listen
 using the keys specified in [authorized_keys](image-extras/common/etc/dropbear/authorized_keys).
 
 Once connected, you can read the log with `logread -f`.
 
 # Status
 
-This is more of a template than something standalone. You most
+This is more of a template than something standalone, but I use it for
+my home routers as is. For more specific applications you most
 probably want to customize this script here and there; search for
 `CUSTOMIZE` for places of interest.
 
-Most importantly, **set up a password and maybe an ssh key**.
+Most importantly, **set up a password and maybe add your ssh key** by
+adding it to `image-extras/common/etc/dropbear/authorized_keys`.
 
-I've extracted this from a project of mine where OpenWRT nodes auto-provision
-themselves in 3 stages (stage 3 was a Python script for an app-level sync feature),
-but I thought it's useful enough for making it public.
-
-At the time of writing it only supports a few `ar71xx` routers out of the box,
-but it's easy to extend it.
-
-## Tested with
-
-[OpenWRT Chaos Calmer 15.05 RC1](https://downloads.openwrt.org/chaos_calmer/15.05-rc1/)
-on a TP-Link WDR4300.
+None of this script is hardware specific except `setLedAttribute`,
+which is used to provide feedback about the progress of the initial
+setup phase. At the time of writing it only works on a few routers
+(mostly `ath79` ones), but without this everything should work fine,
+if only a bit less convenient.
 
 # Troubleshooting
 
 ## Which file should I flash?
 
-You should consult the [OpenWRT documentation](https://wiki.openwrt.org/doc/howto/user.beginner).
-The produced firmware files should be somewhere around ```build/OpenWrt-ImageBuilder-15.05-ar71xx-generic.Linux-x86_64/bin/ar71xx```.
+You should consult the [OpenWrt documentation](https://openwrt.org/docs/guide-user/start).
+The produced firmware files should be somewhere around
+```./build/openwrt-imagebuilder-21.02.0-ath79-generic.Linux-x86_64/bin/targets/ath79/generic/```.
 
 In short:
 
 * You need a file with the name ```-factory.bin``` or ```-sysupgrade.bin```. The former is to
-  be used when you first install OpenWRT, the latter is when you upgrade an already installed
-  OpenWRT.
+  be used when you first install OpenWrt, the latter is when you upgrade an already installed
+  OpenWrt.
 
 * You must carefully pick the proper firmware file for your **hardware version**! I advise you
-  to look up the wiki page for your hardware on the [OpenWRT wiki](https://wiki.openwrt.org),
-  because most of them have a table of the released hardawre versions with comments on their
-  status (sometimes new hardware revisions are only supported by the latest OpenWRT, which is
+  to look up the wiki page for your hardware on the [OpenWrt wiki](https://openwrt.org),
+  because most of them have a table of the released hardware versions with comments on their
+  status (sometimes new hardware revisions are only supported by the latest OpenWrt, which is
   not released yet).
 
 ## Help! The build has finished but there's no firmware file!
 
 If the build doesn't yield a firmware file (```*-factory.bin``` and/or ```*-sysupgrade.bin```):
 when there's not enough space in the flash memory of the target device to install everything
-then the OpenWRT ImageBuilder prints a hardly visible error into its flow of output and
+then the OpenWrt ImageBuilder prints a hardly visible error into its flow of output and
 silently continues. Look into [build.sh](build.sh#L31) and try to remove some packages
 that you can live without.
+
+## Extroot is not mounted after a `sysupgrade`
+
+In short, this is an OpenWrt issue, and the solution is to mount the extroot
+somewhere, and delete `/etc/.extroot-uuid`. More details are available in
+[this issue](https://github.com/attila-lendvai/openwrt-auto-extroot/issues/12),
+and a way to deal with it can be found in
+[this blog post](https://blog.mbirth.de/archives/2014/05/26/openwrt-sysupgrade-with-extroot.html).
+You may also want to check out the
+[official OpenWrt wiki](https://openwrt.org/docs/guide-user/additional-software/extroot_configuration#system_upgrade)
+on this topic.

build.sh

@@ -1,95 +1,92 @@
-#!/bin/bash
+#!/usr/bin/env bash
+
+# Note: this runs as-is, pretty much without external
+# dependencies. The OpenWrt ImageBuilder contains the toolchain and
+# everything that is needed to build the firmware images.
 
 set -e
 
-absolutize ()
-{
-  if [ ! -d "$1" ]; then
-    echo
-    echo "ERROR: '$1' doesn't exist or not a directory!"
-    kill -INT $$
-  fi
-
-  pushd "$1" >/dev/null
-  echo `pwd`
-  popd >/dev/null
-}
-
 TARGET_ARCHITECTURE=$1
 TARGET_VARIANT=$2
 TARGET_DEVICE=$3
 
-BUILD=`dirname "$0"`"/build/"
-BUILD=`absolutize $BUILD`
+BUILD="$(dirname "${0}")/build/"
+BUILD="$(readlink -f "${BUILD}")"
 
 ###
 ### chose a release
 ###
-RELEASE_NAME="chaos_calmer"
-RELEASE="15.05"
+RELEASE="23.05.2"
 
-#RELEASE_NAME="snapshots"
-#RELEASE="trunk"
-
-if [ $RELEASE = "trunk" ]; then
-    IMGBUILDER_NAME="OpenWrt-ImageBuilder-${TARGET_ARCHITECTURE}-${TARGET_VARIANT}.Linux-x86_64"
-else
-    IMGBUILDER_NAME="OpenWrt-ImageBuilder-${RELEASE}-${TARGET_ARCHITECTURE}-${TARGET_VARIANT}.Linux-x86_64"
-fi
+IMGBUILDER_NAME="openwrt-imagebuilder-${RELEASE}-${TARGET_ARCHITECTURE}-${TARGET_VARIANT}.Linux-x86_64"
 IMGBUILDER_DIR="${BUILD}/${IMGBUILDER_NAME}"
-IMGBUILDER_ARCHIVE="${IMGBUILDER_NAME}.tar.bz2"
+IMGBUILDER_ARCHIVE="${IMGBUILDER_NAME}.tar.xz"
 
-IMGTEMPDIR="${BUILD}/openwrt-build-image-extras"
-IMGBUILDERURL="https://downloads.openwrt.org/${RELEASE_NAME}/${RELEASE}/${TARGET_ARCHITECTURE}/${TARGET_VARIANT}/${IMGBUILDER_ARCHIVE}"
+IMGTEMPDIR="${BUILD}/image-extras"
+# see this feature request:
+# FS#1670 - consistent naming convention for the imagebuilder.tar.xz URL
+# https://bugs.openwrt.org/index.php?do=details&task_id=1670
+IMGBUILDERURL="https://downloads.openwrt.org/releases/${RELEASE}/targets/${TARGET_ARCHITECTURE}/${TARGET_VARIANT}/${IMGBUILDER_ARCHIVE}"
 
 if [ -z ${TARGET_DEVICE} ]; then
     echo "Usage: $0 architecture variant device-profile"
-    echo " e.g.: $0 ar71xx generic TLWDR4300"
-    echo "       $0 ramips mt7621 ZBT-WG3526"
+    echo " e.g.: $0 ath79 generic tplink_tl-wr1043nd-v1"
+    echo "       $0 ath79 generic tplink_archer-c6-v2"
+    echo "       $0 ath79 generic tplink_tl-wdr4300-v1"
+    echo "       $0 bcm53xx generic dlink_dir-885l"
     echo " to get a list of supported devices issue a 'make info' in the OpenWRT image builder directory:"
     echo "   '${IMGBUILDER_DIR}'"
+    echo " the build results will be under '${IMGBUILDER_DIR}/bin/targets/'"
     kill -INT $$
 fi
 
 # the absolute minimum for extroot to work at all (i.e. when the disk is already set up, for example by hand).
-# this list may be smaller and/or different for your router, but it works with my ar71xx.
-PREINSTALLED_PACKAGES="block-mount kmod-usb2 kmod-usb-storage kmod-fs-ext4"
+# this list may be smaller and/or different for your router, but it works with my ath79.
+# blockdev is needed to re-read the partition table using `blockdev --rereadpt /dev/sdX`
+PREINSTALLED_PACKAGES="block-mount kmod-fs-ext4 kmod-usb-storage blockdev"
 
 # some kernel modules may also be needed for your hardware
-#PREINSTALLED_PACKAGES+=" kmod-usb-uhci kmod-usb-ohci"
+PREINSTALLED_PACKAGES+=" kmod-usb-uhci kmod-usb-ohci"
 
 # these are needed for the proper functioning of the auto extroot scripts
 PREINSTALLED_PACKAGES+=" blkid mount-utils swap-utils e2fsprogs fdisk"
 
 # the following packages are optional, feel free to (un)comment them
-PREINSTALLED_PACKAGES+=" wireless-tools firewall iptables"
+PREINSTALLED_PACKAGES+=" wireless-tools firewall4 wireguard-tools kmod-wireguard luci-proto-wireguard"
 PREINSTALLED_PACKAGES+=" kmod-usb-storage-extras kmod-mmc"
-PREINSTALLED_PACKAGES+=" ppp ppp-mod-pppoe ppp-mod-pppol2tp ppp-mod-pptp kmod-ppp kmod-pppoe"
+#PREINSTALLED_PACKAGES+=" ppp ppp-mod-pppoe ppp-mod-pppol2tp ppp-mod-pptp kmod-ppp kmod-pppoe"
 PREINSTALLED_PACKAGES+=" luci"
 
-mkdir -pv ${BUILD}
+# you exclude packages with this to shrink the image for
+# routers with smaller flash storage.
+#SAVE_SPACE_PACKAGES=" -ppp -ppp-mod-pppoe -ip6tables -odhcp6c -kmod-ipv6 -kmod-ip6tables -ath10k"
+SAVE_SPACE_PACKAGES=""
 
-rm -rf $IMGTEMPDIR
-cp -r image-extras/common/ $IMGTEMPDIR
-PER_PLATFORM_IMAGE_EXTRAS=image-extras/${TARGET_DEVICE}/
-if [ -e $PER_PLATFORM_IMAGE_EXTRAS ]; then
-    rsync -pr $PER_PLATFORM_IMAGE_EXTRAS $IMGTEMPDIR/
+PREINSTALLED_PACKAGES+=${SAVE_SPACE_PACKAGES}
+
+mkdir -pv "${BUILD}"
+
+rm -rf "${IMGTEMPDIR}"
+cp -r image-extras/common/ "${IMGTEMPDIR}"
+PER_PLATFORM_IMAGE_EXTRAS="image-extras/${TARGET_DEVICE}/"
+if [ -e "${PER_PLATFORM_IMAGE_EXTRAS}" ]; then
+    rsync -pr "${PER_PLATFORM_IMAGE_EXTRAS}" "${IMGTEMPDIR}/"
 fi
 
-if [ ! -e ${IMGBUILDER_DIR} ]; then
-    pushd ${BUILD}
+if [ ! -e "${IMGBUILDER_DIR}" ]; then
+    pushd "${BUILD}"
     # --no-check-certificate if needed
-    wget  --continue ${IMGBUILDERURL}
-    tar jvxf ${IMGBUILDER_ARCHIVE}
+    wget --continue "${IMGBUILDERURL}"
+    xz -d <"${IMGBUILDER_ARCHIVE}" | tar vx
     popd
 fi
 
-pushd ${IMGBUILDER_DIR}
+pushd "${IMGBUILDER_DIR}"
 
 make image PROFILE=${TARGET_DEVICE} PACKAGES="${PREINSTALLED_PACKAGES}" FILES=${IMGTEMPDIR}
 
-pushd bin/${TARGET_ARCHITECTURE}/
-ln -s ../../packages .
+pushd "bin/targets/${TARGET_ARCHITECTURE}/"
+ln -sf ../../../packages .
 popd
 
 popd

build/.gitignore

@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore

default.nix

@@ -0,0 +1,19 @@
+{ pkgs ? import <nixpkgs> {} }:
+
+pkgs.mkShell {
+  buildInputs = with pkgs; [
+    coreutils posix_man_pages bash-completion less
+    gitFull diffutils
+    gnumake which
+    ncurses perl python2 python3
+
+    # keep this line if you use bash
+    bashInteractive
+  ];
+
+  shellHook =
+  ''
+    alias ..='cd ..'
+    alias ...='cd ../..'
+  '';
+}

image-extras/TLMR3020/etc/config/placeholder

@@ -1 +0,0 @@
-# this is just a file to show how platform specific image extras can be specified

image-extras/common/etc/dropbear/.gitignore

@@ -0,0 +1,3 @@
+# you can put your ssh public key into authorized_keys,
+# but we don't ever want it to be committed to the repo
+authorized_keys

image-extras/common/etc/dropbear/authorized_keys

@@ -1 +0,0 @@
-# this file may contain ssh public keys for passwordless ssh root login

image-extras/common/root/autoprovision-functions.sh

@@ -10,33 +10,42 @@ rootUUID=05d615b3-bef8-460c-9a23-52db8d09e000
 dataUUID=05d615b3-bef8-460c-9a23-52db8d09e001
 swapUUID=05d615b3-bef8-460c-9a23-52db8d09e002
 
-if [ -f /lib/ar71xx.sh ]; then
-   . /lib/ar71xx.sh
+. /lib/functions.sh
 
-   # let's attempt to define some defaults...
-   autoprovisionUSBLed="tp-link:green:usb"
-   autoprovisionStatusLed="tp-link:green:qss"
+# let's attempt to define some defaults...
+autoprovisionUSBLed="green:usb"
+autoprovisionStatusLed="green:qss"
+
+echo Board name is [$(board_name)]
+
+# CUSTOMIZE
+case $(board_name) in
+    *tl-wr1043nd*)
+        autoprovisionUSBLed="green:usb"
+        autoprovisionStatusLed="green:qss"
+        ;;
+    *tl-mr3020*)
+        autoprovisionUSBLed="green:wps"
+        autoprovisionStatusLed="green:wlan"
+        ;;
+    *tl-wr2543n*)
+        autoprovisionUSBLed="green:wps"
+        autoprovisionStatusLed="green:wlan5g"
+        ;;
+    *tl-wdr3600* | *tl-wdr4300*)
+        autoprovisionUSBLed="green:wlan2g"
+        autoprovisionStatusLed="green:wlan5g"
+        ;;
+    *mynet-n750*)
+        autoprovisionUSBLed="blue:wps"
+        autoprovisionStatusLed="blue:wireless"
+        ;;
+    *archer-c7-v1*)
+        autoprovisionUSBLed="green:wlan2g"
+        autoprovisionStatusLed="green:wlan5g"
+        ;;
+esac
 
-   # CUSTOMIZE
-   case $(ar71xx_board_name) in
-       "tl-wr1043nd")
-           autoprovisionUSBLed="tp-link:green:usb"
-           autoprovisionStatusLed="tp-link:green:qss"
-           ;;
-       "tl-mr3020")
-           autoprovisionUSBLed="tp-link:green:wps"
-           autoprovisionStatusLed="tp-link:green:wlan"
-           ;;
-       "tl-wr2543n")
-           autoprovisionUSBLed="tp-link:green:wps"
-           autoprovisionStatusLed="tp-link:green:wlan5g"
-           ;;
-       "tl-wdr4300")
-           autoprovisionUSBLed="tp-link:blue:wan"
-           autoprovisionStatusLed="tp-link:blue:qss"
-           ;;
-   esac
-fi
 
 log()
 {

image-extras/common/root/autoprovision-stage1.sh

@@ -23,7 +23,7 @@ getPendriveSize()
 hasBigEnoughPendrive()
 {
     local size=$(getPendriveSize)
-    if [ $size -ge 600000 ]; then
+    if [ $size -ge 100000 ]; then
         log "Found a pendrive of size: $(($size / 2 / 1024)) MB"
         return 0
     else
@@ -31,14 +31,24 @@ hasBigEnoughPendrive()
     fi
 }
 
+rereadPartitionTable()
+{
+    log "Rereading partition table"
+    blockdev --rereadpt /dev/sda
+}
+
 setupPendrivePartitions()
 {
+    log "Erasing partition table"
     # erase partition table
-    dd if=/dev/zero of=/dev/sda bs=1M count=1
+    dd if=/dev/zero of=/dev/sda bs=1k count=256
 
+    rereadPartitionTable
+
+    log "Creating partitions"
     # sda1 is 'swap'
     # sda2 is 'root'
-    # sda3 is 'data'
+    # sda3 is 'data', if there's any space left
     fdisk /dev/sda <<EOF
 o
 n
@@ -64,7 +74,7 @@ q
 EOF
     log "Finished partitioning /dev/sda using fdisk"
 
-    sleep 2
+    rereadPartitionTable
 
     until [ -e /dev/sda1 ]
     do
@@ -73,8 +83,8 @@ EOF
     done
 
     mkswap -L swap -U $swapUUID /dev/sda1
-    mkfs.ext4 -L root -U $rootUUID /dev/sda2
-    mkfs.ext4 -L data -U $dataUUID /dev/sda3
+    mkfs.ext4 -F -L root -U $rootUUID /dev/sda2
+    mkfs.ext4 -F -L data -U $dataUUID /dev/sda3
 
     log "Finished setting up filesystems"
 }
@@ -105,9 +115,28 @@ EOF
 #    ln -s /tmp state
 #    cd -
 
+    disableStage1
+
     log "Finished setting up extroot"
 }
 
+disableStage1()
+{
+    # FIXME it would be more future-proof to transform the rc.local file
+    # instead of overwriting it.
+    cat >/etc/rc.local <<EOF
+# If you want to re-run the initialization of the extroot once again,
+# then remove the comment from before the stage1.sh script below,
+# reboot the router without the extroot pendrive, and when it's booted
+# then insert the pendrive. It will then be reformatted and
+# reinitialized.
+
+#/root/autoprovision-stage1.sh
+
+exit 0
+EOF
+}
+
 autoprovisionStage1()
 {
     signalAutoprovisionWorking

image-extras/common/root/autoprovision-stage2.sh

@@ -4,39 +4,154 @@
 
 . /root/autoprovision-functions.sh
 
+check_repo() 
+{
+    printf "\033[32;1mChecking OpenWrt repo availability...\033[0m\n"
+    opkg update | grep -q "Failed to download" && printf "\033[32;1mopkg failed. Check internet or date. Command for force ntp sync: ntpd -p ptbtime1.ptb.de\033[0m\n" && exit 1
+}
+
+route_vpn() 
+{
+cat << EOF > /etc/hotplug.d/iface/30-rknroute
+#!/bin/sh
+
+ip route add table vpn default dev wg0
+EOF
+}
+
+add_mark() 
+{
+    grep -q "99 vpn" /etc/iproute2/rt_tables || echo '99 vpn' >> /etc/iproute2/rt_tables
+    
+    if ! uci show network | grep -q mark0x1; then
+        printf "\033[32;1mConfigure mark rule\033[0m\n"
+        uci add network rule
+        uci set network.@rule[-1].name='mark0x1'
+        uci set network.@rule[-1].mark='0x1'
+        uci set network.@rule[-1].priority='100'
+        uci set network.@rule[-1].lookup='vpn'
+        uci commit
+    fi
+}
+
+dnsmasqfull() 
+{
+		if opkg list-installed | grep -q dnsmasq-full; then
+		        printf "\033[32;1mdnsmasq-full already installed\033[0m\n"
+		else
+		        printf "\033[32;1mInstalled dnsmasq-full\033[0m\n"
+		cd /tmp/ && opkg download dnsmasq-full
+		opkg remove dnsmasq && opkg install dnsmasq-full --cache /tmp/
+		[ -f /etc/config/dhcp-opkg ] && cp /etc/config/dhcp /etc/config/dhcp-old && mv /etc/config/dhcp-opkg /etc/config/dhcp
+                /etc/init.d/dnsmasq restart
+		fi
+}
+
+dnscrypt2() 
+{
+        if opkg list-installed | grep -q dnscrypt-proxy2; then
+            printf "\033[32;1mDNSCrypt2 already installed\033[0m\n"
+        else
+            printf "\033[32;1mInstalled dnscrypt-proxy2\033[0m\n"
+            opkg install dnscrypt-proxy2
+        if grep -q "# server_names" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml; then
+            sed -i "s/^# server_names =.*/server_names = [\'google\', \'cloudflare\', \'scaleway-fr\', \'yandex\']/g" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
+        fi
+
+        printf "\033[32;1mDNSCrypt restart\033[0m\n"
+            service dnscrypt-proxy restart
+        printf "\033[32;1mDNSCrypt needs to load the relays list. Please wait\033[0m\n"
+            sleep 30
+
+        if [ -f /etc/dnscrypt-proxy2/relays.md ]; then
+                uci set dhcp.@dnsmasq[0].noresolv="1"
+                uci -q delete dhcp.@dnsmasq[0].server
+                uci add_list dhcp.@dnsmasq[0].server="127.0.0.53#53"
+                uci add_list dhcp.@dnsmasq[0].server='/use-application-dns.net/'
+                uci commit dhcp
+                
+                printf "\033[32;1mDnsmasq restart\033[0m\n"
+
+                /etc/init.d/dnsmasq restart
+        else
+                printf "\033[31;1mDNSCrypt not download list on /etc/dnscrypt-proxy2. Repeat install DNSCrypt by script.\033[0m\n"
+        fi
+    fi
+}
+
+
+add_getdomains() 
+{
+   COUNTRY=russia_inside
+   EOF_DOMAINS=DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Russia/inside-dnsmasq-nfset.lst
+   if [ "$COUNTRY" != '0' ]; then
+        printf "\033[32;1mCreate script /etc/init.d/getdomains\033[0m\n"
+
+cat << EOF > /etc/init.d/getdomains
+#!/bin/sh /etc/rc.common
+
+START=99
+
+start () {
+    $EOF_DOMAINS
+EOF
+cat << 'EOF' >> /etc/init.d/getdomains
+    count=0
+    while true; do
+        if curl -m 3 github.com; then
+            curl -f $DOMAINS --output /tmp/dnsmasq.d/domains.lst
+            break
+        else
+            echo "GitHub is not available. Check the internet availability [$count]"
+            count=$((count+1))
+        fi
+    done
+
+    if dnsmasq --conf-file=/tmp/dnsmasq.d/domains.lst --test 2>&1 | grep -q "syntax check OK"; then
+        /etc/init.d/dnsmasq restart
+    fi
+}
+EOF
+
+        chmod +x /etc/init.d/getdomains
+        /etc/init.d/getdomains enable
+
+        if crontab -l | grep -q /etc/init.d/getdomains; then
+            printf "\033[32;1mCrontab already configured\033[0m\n"
+
+        else
+            crontab -l | { cat; echo "0 */8 * * * /etc/init.d/getdomains start"; } | crontab -
+            printf "\033[32;1mIgnore this error. This is normal for a new installation\033[0m\n"
+            /etc/init.d/cron restart
+        fi
+
+        printf "\033[32;1mStart script\033[0m\n"
+
+        /etc/init.d/getdomains start
+    fi
+}
+
+
 installPackages()
 {
     signalAutoprovisionWaitingForUser
 
     until (opkg update)
-    do
+     do
         log "opkg update failed. No internet connection? Retrying in 15 seconds..."
         sleep 15
+        # Initiate a synchronous time update.
+        ntpd -d -q -n -p openwrt.pool.ntp.org
     done
 
     signalAutoprovisionWorking
 
     log "Autoprovisioning stage2 is about to install packages"
 
-    # switch ssh from dropbear to openssh (needed to install sshtunnel)
-    #opkg remove dropbear
-    #opkg install openssh-server openssh-sftp-server sshtunnel
-
-    #/etc/init.d/sshd enable
-    #mkdir /root/.ssh
-    #chmod 0700 /root/.ssh
-    #mv /etc/dropbear/authorized_keys /root/.ssh/
-    #rm -rf /etc/dropbear
-
     # CUSTOMIZE
     # install some more packages that don't need any extra steps
-    opkg install lua luci ppp-mod-pppoe screen mc zip unzip logrotate
-
-    # this is needed for the vlans on tp-link 3020 with only a single hw ethernet port
-    opkg install kmod-macvlan ip
-
-    # just in case if we were run in a firmware that didn't already had luci
-    /etc/init.d/uhttpd enable
+    #opkg install lua luci ppp-mod-pppoe screen mc unzip logrotate
+    opkg install logrotate curl
 }
 
 autoprovisionStage2()
@@ -50,13 +165,16 @@ autoprovisionStage2()
     else
         signalAutoprovisionWorking
 
+        log "Starting ntpd to update system time; otherwise the openwrt.org certificates are rejected as not yet valid."
+        # Added -l hoping that it may help against ntpd quitting.
+        ntpd -l -N -p openwrt.pool.ntp.org
+
         # CUSTOMIZE: with an empty argument it will set a random password and only ssh key based login will work.
         # please note that stage2 requires internet connection to install packages and you most probably want to log in
         # on the GUI to set up a WAN connection. but on the other hand you don't want to end up using a publically
         # available default password anywhere, therefore the random here...
-        #setRootPassword ""
+        #setRootPassword "AsD7fg"
 
-        installPackages
 
         crontab - <<EOF
 # */10 * * * * /root/autoprovision-stage3.py
@@ -78,4 +196,15 @@ EOF
     fi
 }
 
+installPackages
+check_repo
+route_vpn
+add_mark
+dnsmasqfull
+dnscrypt2
+add_getdomains
 autoprovisionStage2
+
+printf "\033[32;1mRestart network\033[0m\n"
+/etc/init.d/network restart
+

image-extras/common/usr/bin/getdomains-check.sh

@@ -0,0 +1,496 @@
+#!/bin/sh
+
+HIRKN=/etc/init.d/hirkn
+GETDOMAINS=/etc/init.d/getdomains
+DUMP=/tmp/dump.txt
+
+checkpoint_true() {
+    printf "\033[32;1m[\342\234\223] $1\033[0m\n"
+}
+
+checkpoint_false() {
+    printf "\033[31;1m[x] $1\033[0m\n"
+}
+
+output_21() {
+    if [ "$VERSION_ID" -eq 21 ]; then
+        echo "You are using OpenWrt 21.02. This check does not support it"
+    fi
+}
+
+# System Details
+MODEL=$(grep machine /proc/cpuinfo | cut -d ':' -f 2)
+RELEASE=$(grep OPENWRT_RELEASE /etc/os-release | awk -F '"' '{print $2}')
+printf "\033[34;1mModel:$MODEL\033[0m\n"
+printf "\033[34;1mVersion: $RELEASE\033[0m\n"
+
+VERSION_ID=$(grep VERSION_ID /etc/os-release | awk -F '"' '{print $2}' | awk -F. '{print $1}')
+RAM=$(free -m | grep Mem: | awk '{print $2}')
+if [[ "$VERSION_ID" -ge 22 && "$RAM" -lt 150000 ]]
+then 
+   echo "Your router has less than 256MB of RAM. I recommend using only the vpn_domains list"
+fi
+
+# Check packages
+CURL=$(opkg list-installed | grep -c curl)
+if [ $CURL -eq 2 ]; then
+    checkpoint_true "Curl package"
+else
+    checkpoint_false "Curl package"
+    echo "Install: opkg install curl"
+fi
+
+DNSMASQ=$(opkg list-installed | grep dnsmasq-full | awk -F "-" '{print $3}' | tr -d '.' )
+if [ $DNSMASQ -ge 287 ]; then
+    checkpoint_true "Dnsmasq-full package"
+else
+    checkpoint_false "Dnsmasq-full package"
+    echo "If you don't use vpn_domains set, it's OK"
+    echo "Check version: opkg list-installed | grep dnsmasq-full"
+    echo "Required version >= 2.87. For openwrt 22.03 follow manual: https://t.me/itdoginfo/12"
+    if [ "$VERSION_ID" -eq 21 ]; then
+        echo "You are using OpenWrt 21.02. This check does not support it"
+        echo "Manual for openwrt 21.02: https://t.me/itdoginfo/8"
+    fi
+fi
+
+# Chek xray package
+if opkg list-installed | grep -q xray-core; then
+    checkpoint_false "Xray-core package detected"
+fi
+
+if opkg list-installed | grep -q luci-app-xray; then
+    checkpoint_false "luci-app-xray package detected. Not compatible. For delete: opkg remove luci-app-xray --force-removal-of-dependent-packages"
+fi
+
+# Check dnsmasq
+DNSMASQ_RUN=$(service dnsmasq status | grep -c 'running')
+if [ $DNSMASQ_RUN -eq 1 ]; then
+    checkpoint_true "Dnsmasq service"
+else
+    checkpoint_false "Dnsmasq service"
+    echo "Check config /etc/config/dhcp"
+    output_21
+fi
+
+
+# Check internet connection
+if curl -Is https://community.antifilter.download/ | grep -q 200; then
+    checkpoint_true "Check Internet"
+    else
+    checkpoint_false "Check Internet"
+    if [ $CURL -lt 2 ]; then
+        echo "Install curl: opkg install curl"
+    else
+        echo "Check internet connection. If ok, check date on router. Details: https://cli.co/2EaW4rO"
+        echo "For more info run: curl -Is https://community.antifilter.download/"
+    fi
+fi
+
+# Check IPv6
+
+if curl -6 -s https://ifconfig.io | egrep -q "(::)?[0-9a-fA-F]{1,4}(::?[0-9a-fA-F]{1,4}){1,7}(::)?"; then
+    checkpoint_false "IPv6 detected. This script does not currently work with IPv6"
+fi
+
+# Tunnels
+WIREGUARD=$(opkg list-installed | grep -c wireguard-tools )
+if [ $WIREGUARD -eq 1 ]; then
+    checkpoint_true "Wireguard-tools package"
+    WG=true
+else
+    checkpoint_false "Wireguard-tools package"
+    echo "If you don't use WG it's OK"
+fi
+
+if [ "$WG" == true ]; then
+    WG_PING=$(ping -c 1 -q -I wg0 itdog.info | grep -c "1 packets received")
+    if [ $WG_PING -eq 1 ]; then
+        checkpoint_true "Wireguard"
+    else
+        checkpoint_false "Wireguard"
+        WG_TRACE=$(traceroute -i wg0 itdog.info -m 1 | grep ms | awk '{print $2}' | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
+        if [ $WG_TRACE -eq 1 ]; then
+            echo "Tunnel to wg server is work, but routing to internet doesn't work. Check server configuration. Details: https://cli.co/RSCvOxI"
+        else
+            echo "Bad news: WG tunnel isn't work, check your WG configuration. Details: https://cli.co/hGUUXDs"
+            echo "If you don't use WG, but OpenVPN for example, it's OK"
+        fi
+    fi
+
+    # Check WG route_allowed_ips
+    if uci show network | grep -q ".route_allowed_ips='1'"; then
+        checkpoint_false "Wireguard route_allowed_ips"
+        echo "All traffic goes into the tunnel. Read more at: https://cli.co/SaxBzH7"
+    else
+        checkpoint_true "Wireguard route_allowed_ips"
+    fi
+
+    # Check route table
+    ROUTE_TABLE=$(ip route show table vpn | grep -c "default dev wg0 scope link" )
+    if [ $ROUTE_TABLE -eq 1 ]; then
+        checkpoint_true "Route table WG"
+    else
+        checkpoint_false "Route table VPN"
+        echo "Details: https://cli.co/Atxr6U3"
+    fi
+fi
+
+if opkg list-installed | grep -q openvpn; then
+    checkpoint_true "OpenVPN package"
+    OVPN=true
+else
+    checkpoint_false "OpenVPN package"
+    echo "If you don't use OpenVPN it's OK"
+fi
+
+# Check OpenVPN
+if [ "$OVPN" == true ]; then
+    if ping -c 1 -q -I tun0 itdog.info | grep -q "1 packets received"; then
+        checkpoint_true "OpenVPN"
+    else
+        checkpoint_false "OpenVPN"
+        if traceroute -i tun0 itdog.info -m 1 | grep ms | awk '{print $2}' | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'; then
+            echo "Tunnel to OpenVPN server is work, but routing to internet doesn't work. Check server configuration."
+        else
+            echo "Bad news: OpenVPN tunnel isn't work, check your OpenVPN configuration."
+        fi
+    fi
+
+    # Check OpenVPN redirect-gateway
+    if grep -q redirect-gateway /etc/openvpn/*; then
+        checkpoint_false "OpenVPN redirect-gateway"
+        echo "All traffic goes into the tunnel. Read more at: https://cli.co/vzTNq_3"
+    else
+        checkpoint_true "OpenVPN redirect-gateway"
+    fi
+
+    # Check route table
+    if ip route show table vpn | grep -q "default dev tun0 scope link"; then
+        checkpoint_true "Route table OpenVPN"
+    else
+        checkpoint_false "Route table OpenVPN"
+        echo "Details: https://cli.co/Atxr6U3"
+    fi
+fi
+
+if opkg list-installed | grep -q sing-box; then
+    checkpoint_true "Sing-box package"
+
+    # Check route table
+    if ip route show table vpn | grep -q "default dev tun0 scope link"; then
+        checkpoint_true "Route table Sing-box"
+    else
+        checkpoint_false "Route table Sing-box. Try service network restart. Details: https://cli.co/n7xAbc1"
+    fi
+
+    IP_EXTERNAL=$(curl -s ifconfig.me)
+    IFCONFIG=$(nslookup -type=a ifconfig.me | awk '/^Address: / {print $2}')
+
+    ip route add $IFCONFIG via 172.19.0.1 dev tun0
+    IP_VPN=$(curl -s ifconfig.me)
+    ip route del $IFCONFIG via 172.19.0.1 dev tun0
+
+    if [ "$IP_EXTERNAL" != $IP_VPN ]; then
+        checkpoint_true "Sing-box. VPN IP: $IP_VPN"
+    else
+        checkpoint_false "Sing-box. Check config: https://cli.co/Badmn3K"
+    fi
+else
+    checkpoint_false "Sing-box package"
+    echo "If you don't use sing-box it's OK"
+fi
+
+if which tun2socks | grep -q tun2socks; then
+    checkpoint_true "tun2socks package"
+
+    # Check route table
+    if ip route show table vpn | grep -q "default dev tun0 scope link"; then
+        checkpoint_true "Route table tun2socks"
+    else
+        checkpoint_false "Route table tun2socks. Try service network restart. Details: https://cli.co/n7xAbc1"
+    fi
+
+    IP_EXTERNAL=$(curl -s ifconfig.me)
+    IFCONFIG=$(nslookup -type=a ifconfig.me | awk '/^Address: / {print $2}')
+
+    ip route add $IFCONFIG via 172.16.250.1 dev tun0
+    IP_VPN=$(curl -s ifconfig.me)
+    ip route del $IFCONFIG via 172.16.250.1 dev tun0
+
+    if [ "$IP_EXTERNAL" != $IP_VPN ]; then
+        checkpoint_true "tun2socks. VPN IP: $IP_VPN"
+    else
+        checkpoint_false "tun2socks. Check config: https://cli.co/VNZISEM"
+    fi
+else
+    checkpoint_false "tun2socks package"
+    echo "If you don't use tun2socks it's OK"
+fi
+
+# Check sets
+
+# vpn_domains set
+vpn_domain_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_domains' | awk -F '[][{}]' '{print $2}' | head -n 1)
+vpn_domain_ipset_string=$(uci show firewall.@ipset[$vpn_domain_ipset_id] | grep -c "name='vpn_domains'\|match='dst_net'")
+vpn_domain_rule_id=$(uci show firewall | grep -E '@rule.*vpn_domains' | awk -F '[][{}]' '{print $2}' | head -n 1)
+vpn_domain_rule_string=$(uci show firewall.@rule[$vpn_domain_rule_id] | grep -c "name='mark_domains'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_domains'\|set_mark='0x1'\|target='MARK'\|family='ipv4'")
+
+if [ $((vpn_domain_ipset_string + vpn_domain_rule_string)) -eq 10 ]; then
+    checkpoint_true "vpn_domains set"
+
+    # force resolve for vpn_domains. All list
+    nslookup terraform.io 127.0.0.1 > /dev/null
+    nslookup pochta.ru 127.0.0.1 > /dev/null
+    nslookup 2gis.ru 127.0.0.1 > /dev/null
+
+    VPN_DOMAINS_IP=$(nft list ruleset | grep -A 10 vpn_domains | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
+    if [ $VPN_DOMAINS_IP -ge 1 ]; then
+        checkpoint_true "IPs in vpn_domains"
+    else
+        checkpoint_false "IPs in vpn_domains"
+        echo "If you don't use vpn_domains, it's OK"
+        echo "But if you want use, check configs"
+        output_21
+    fi
+else
+    checkpoint_false "vpn_domains set"
+    echo "If you don't use vpn_domains set, it's OK"
+    echo "But if you want use, check config: https://cli.co/AwUGeM6"
+fi
+
+# vpn_ip set
+vpn_ip_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_ip' | awk -F '[][{}]' '{print $2}' | head -n 1)
+vpn_ip_ipset_string=$(uci show firewall.@ipset[$vpn_ip_ipset_id] | grep -c "name='vpn_ip'\|match='dst_net'\|loadfile='/tmp/lst/ip.lst'")
+vpn_ip_rule_id=$(uci show firewall | grep -E '@rule.*vpn_ip' | awk -F '[][{}]' '{print $2}' | head -n 1)
+vpn_ip_rule_string=$(uci show firewall.@rule[$vpn_ip_rule_id] | grep -c "name='mark_ip'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_ip'\|set_mark='0x1'\|target='MARK'\|family='ipv4'")
+
+if [ $((vpn_ip_ipset_string + vpn_ip_rule_string)) -eq 11 ]; then
+    checkpoint_true "vpn_ip set"
+    VPN_IP_IP=$(nft list ruleset | grep -A 10 vpn_ip | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
+    if [ $VPN_IP_IP -ge 1 ]; then
+        checkpoint_true "IPs in vpn_ip"
+    else
+        checkpoint_false "IPs in vpn_ip"
+        echo "But if you want use, check configs"
+        output_21
+    fi
+else
+    checkpoint_false "vpn_ip set"
+    echo "If you don't use vpn_ip set, it's OK"
+    echo "But if you want use, check config: https://cli.co/AwUGeM6"
+fi
+
+# vpn_subnet set
+vpn_subnet_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_subnet' | awk -F '[][{}]' '{print $2}' | head -n 1)
+vpn_subnet_ipset_string=$(uci show firewall.@ipset[$vpn_subnet_ipset_id] | grep -c "name='vpn_subnets'\|match='dst_net'\|loadfile='/tmp/lst/subnet.lst'")
+vpn_subnet_rule_id=$(uci show firewall | grep -E '@rule.*vpn_subnet' | awk -F '[][{}]' '{print $2}' | head -n 1)
+vpn_subnet_rule_string=$(uci show firewall.@rule[$vpn_subnet_rule_id] | grep -c "name='mark_subnet'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_subnets'\|set_mark='0x1'\|target='MARK'\|family='ipv4'")
+
+if [ $((vpn_subnet_ipset_string + vpn_subnet_rule_string)) -eq 11 ]; then
+    checkpoint_true "vpn_subnet set"
+    VPN_IP_SUBNET=$(nft list ruleset | grep -A 10 vpn_subnet | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
+    if [ $VPN_IP_SUBNET -ge 1 ]; then
+        checkpoint_true "IPs in vpn_subnet"
+    else
+        checkpoint_false "IPs in vpn_subnet"
+        echo "But if you want use, check configs"
+        output_21
+    fi
+else
+    checkpoint_false "vpn_subnet set"
+    echo "If you don't use vpn_subnet set, it's OK"
+    echo "But if you want use, check config: https://cli.co/AwUGeM6"
+fi
+
+# vpn_community set
+vpn_community_ipset_id=$(uci show firewall | grep -E '@ipset.*vpn_community' | awk -F '[][{}]' '{print $2}' | head -n 1)
+vpn_community_ipset_string=$(uci show firewall.@ipset[$vpn_community_ipset_id] | grep -c "name='vpn_community'\|match='dst_net'\|loadfile='/tmp/lst/community.lst'")
+vpn_community_rule_id=$(uci show firewall | grep -E '@rule.*vpn_community' | awk -F '[][{}]' '{print $2}' | head -n 1)
+vpn_community_rule_string=$(uci show firewall.@rule[$vpn_community_rule_id] | grep -c "name='mark_community'\|src='lan'\|dest='*'\|proto='all'\|ipset='vpn_community'\|set_mark='0x1'\|target='MARK'\|family='ipv4'")
+
+if [ $((vpn_community_ipset_string + vpn_community_rule_string)) -eq 11 ]; then
+    checkpoint_true "vpn_community set"
+    VPN_COMMUNITY_IP=$(nft list ruleset | grep -A 10 vpn_community | grep -c -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
+    if [ $VPN_COMMUNITY_IP -ge 1 ]; then
+        checkpoint_true "IPs in vpn_community"
+    else
+        checkpoint_false "IPs in vpn_community"
+        echo "But if you want use, check configs"
+        output_21
+    fi
+else
+    checkpoint_false "vpn_community set"
+    echo "If you don't use vpn_community set, it's OK"
+    echo "But if you want use, check config: https://cli.co/AwUGeM6"
+    output_21
+fi
+
+# hirkn script
+if [ -s "$HIRKN" ]; then
+    checkpoint_true "Script hirkn"
+    if crontab -l | grep -q $HIRKN; then
+        checkpoint_true "Script hirkn in crontab"
+    else
+        checkpoint_false "Script hirkn in crontab"
+        echo "Script is not enabled in crontab. Check: crontab -l"
+    fi
+else
+    checkpoint_false "Script hirkn"
+    echo "Script don't exists in $HIRKN. If you don't use old hirkn script, it's OK"
+fi
+
+# getdomains script
+if [ -s "$GETDOMAINS" ]; then
+    checkpoint_true "Script getdomains"
+    if crontab -l | grep -q $GETDOMAINS; then
+        checkpoint_true "Script getdomains in crontab"
+    else
+        checkpoint_false "Script getdomains in crontab"
+        echo "Script is not enabled in crontab. Check: crontab -l"
+    fi
+else
+    checkpoint_false "Script getdomains"
+    echo "Script don't exists in $GETDOMAINS. If you don't use getdomains, it's OK"
+fi
+
+# DNS
+
+# DNSCrypt
+if opkg list-installed | grep -q dnscrypt-proxy2; then
+    checkpoint_true "Dnscrypt-proxy2 package"
+    if service dnscrypt-proxy status | grep -q 'running'; then
+        checkpoint_true "DNSCrypt service"
+    else
+        checkpoint_false "DNSCrypt service"
+        echo "Check config: https://cli.co/wN-tc_S"
+        output_21
+    fi
+
+    DNSMASQ_STRING=$(uci show dhcp.@dnsmasq[0] | grep -c "127.0.0.53#53\|noresolv='1'")
+    if [ $DNSMASQ_STRING -eq 2 ]; then
+        checkpoint_true "Dnsmasq config for DNSCrypt"
+    else
+        checkpoint_false "Dnsmasq config for DNSCrypt"
+        echo "Check config: https://cli.co/rooc0uz"
+    fi
+else
+    checkpoint_false "Dnscrypt-proxy2 package"
+    echo "If you don't use Dnscrypt, it's OK"
+fi
+
+# Stubby
+if opkg list-installed | grep -q stubby; then
+    checkpoint_true "Stubby package"
+    if service stubby status | grep -q 'running'; then
+        checkpoint_true "Stubby service"
+    else
+        checkpoint_false "Stubby service"
+        echo "Check config: https://cli.co/HbDBT2V"
+        output_21
+    fi
+
+    STUBBY_STRING=$(uci show dhcp.@dnsmasq[0] | grep -c "127.0.0.1#5453\|noresolv='1'")
+    if [ $STUBBY_STRING -eq 2 ]; then
+        checkpoint_true "Dnsmasq config for Stubby"
+    else
+        checkpoint_false "Dnsmasq config for Stubby"
+        echo "Check config: https://cli.co/HbDBT2V"
+    fi
+else
+    checkpoint_false "Stubby package"
+    echo "If you don't use Stubby, it's OK"
+fi
+
+# Create dump
+if [[ "$1" == dump ]]; then
+    printf "\033[36;1mCreate dump without private variables\033[0m\n"
+    date > $DUMP
+    $HIRKN start >> $DUMP 2>&1
+    $GETDOMAINS start >> $DUMP 2>&1
+    uci show firewall >> $DUMP
+    uci show network | sed -r 's/(.*private_key=|.*preshared_key=|.*public_key=|.*endpoint_host=|.*wan.ipaddr=|.*wan.netmask=|.*wan.gateway=|.*wan.dns|.*.macaddr=).*/\1REMOVED/' >> $DUMP
+
+    echo "Dump is here: $DUMP"
+    echo "For download Linux/Mac use:"
+    echo "scp root@IP_ROUTER:$DUMP ."
+    echo "For Windows use PSCP or WSL"
+fi
+
+# Check DNS
+if [[ "$1" == dns ]]; then
+    printf "\033[36;1mCheck DNS servers\033[0m\n"
+    DNS_SERVERS="1.1.1.1 8.8.8.8 8.8.4.4"
+    DOH_DNS_SERVERS="cloudflare-dns.com 1.1.1.1 mozilla.cloudflare-dns.com security.cloudflare-dns.com"
+    DOMAINS="instagram.com facebook.com"
+
+    echo "1. Block DNS traffic (Port 53/udp is available)"
+
+    for i in $DNS_SERVERS;
+    do
+        if nslookup -type=a -timeout=2 -retry=1 itdog.info $i | grep -q "timed out"; then
+            checkpoint_false "$i"
+        else
+            checkpoint_true "$i"
+        fi
+    done
+
+    echo "2. DoH available"
+
+    for i in $DOH_DNS_SERVERS;
+    do
+        if curl --connect-timeout 5 -s -H "accept: application/dns-json" "https://$i/dns-query?name=itdog.info&type=A" | awk -F"data\":\"" '/data":"/{print $2}' | grep -q -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'; then
+            checkpoint_true "$i"
+        else
+            checkpoint_false "$i"
+        fi
+    done
+
+    echo "3. The response not contains an address from 127.0.0.0/8"
+
+    for i in $DOMAINS;
+    do
+        if nslookup -type=a -timeout=2 -retry=1 $i | awk '/^Address: / {print $2}' | grep -q -E '127\.[0-9]{1,3}\.'; then
+            checkpoint_false "$i"
+        else
+            checkpoint_true "$i"
+        fi
+    done
+
+    echo "4. One IP for two different domains"
+
+    FIRSTIP=$(nslookup -type=a instagram.com | awk '/^Address: / {print $2}')
+    SECONDIP=$(nslookup -type=a facebook.com | awk '/^Address: / {print $2}')
+
+    if [ "$FIRSTIP" = "$SECONDIP" ] ; then 
+        checkpoint_false "IP addresses are the same"
+    else
+        checkpoint_true "Different IP addresses"
+    fi
+
+    echo "5. The response is not blank"
+
+    for i in $DOMAINS;
+    do
+        if nslookup -type=a -timeout=2 -retry=1 $i | awk '/^Address: / {print $2}' | grep -q -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'; then
+            checkpoint_true "$i"
+        else
+            checkpoint_false "$i"
+        fi
+    done
+
+    echo "6. Сomparing response from unencrypted DNS and DoH (DNS poisoning)"
+
+    DOHIP=$(curl -s -H "accept: application/dns-json" "https://1.1.1.1/dns-query?name=facebook.com&type=A" | awk -F"data\":\"" '/data":"/{print $2}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
+    OPENIP=$(nslookup -type=a -timeout=2 facebook.com 1.1.1.1 | awk '/^Address: / {print $2}')
+
+    if [ "$DOHIP" = "$OPENIP" ]; then 
+        checkpoint_true "IPs match"
+    else
+        checkpoint_false "IPs not match"
+    fi
+fi
+
+# Info
+echo -e "\nTelegram channel: https://t.me/itdoginfo"
+echo "Telegram chat: https://t.me/itdogchat"

image-extras/common/usr/bin/getdomains-install.sh

@@ -0,0 +1,596 @@
+#!/bin/sh
+
+#set -x
+
+check_repo() {
+    printf "\033[32;1mChecking OpenWrt repo availability...\033[0m\n"
+    opkg update | grep -q "Failed to download" && printf "\033[32;1mopkg failed. Check internet or date. Command for force ntp sync: ntpd -p ptbtime1.ptb.de\033[0m\n" && exit 1
+}
+
+route_vpn () {
+    if [ "$TUNNEL" == wg ]; then
+cat << EOF > /etc/hotplug.d/iface/30-rknroute
+#!/bin/sh
+
+ip route add table vpn default dev wg0
+EOF
+    elif [ "$TUNNEL" == singbox ] || [ "$TUNNEL" == ovpn ] || [ "$TUNNEL" == tun2socks ]; then
+cat << EOF > /etc/hotplug.d/iface/30-rknroute
+#!/bin/sh
+
+sleep 5
+ip route add table vpn default dev tun0
+EOF
+    fi
+}
+
+add_mark() {
+    grep -q "99 vpn" /etc/iproute2/rt_tables || echo '99 vpn' >> /etc/iproute2/rt_tables
+    
+    if ! uci show network | grep -q mark0x1; then
+        printf "\033[32;1mConfigure mark rule\033[0m\n"
+        uci add network rule
+        uci set network.@rule[-1].name='mark0x1'
+        uci set network.@rule[-1].mark='0x1'
+        uci set network.@rule[-1].priority='100'
+        uci set network.@rule[-1].lookup='vpn'
+        uci commit
+    fi
+}
+
+add_tunnel() {
+    echo "We can automatically configure only Wireguard. OpenVPN, Sing-box(Shadowsocks2022, VMess, VLESS, etc) and tun2socks will need to be configured manually"
+    echo "Select a tunnel:"
+    echo "1) WireGuard"
+    echo "2) OpenVPN"
+    echo "3) Sing-box"
+    echo "4) tun2socks"
+    echo "5) Skip this step"
+
+    while true; do
+    read -r -p '' TUNNEL
+        case $TUNNEL in 
+
+        1) 
+            TUNNEL=wg
+            break
+            ;;
+
+        2)
+            TUNNEL=ovpn
+            break
+            ;;
+
+        3) 
+            TUNNEL=singbox
+            break
+            ;;
+
+        4) 
+            TUNNEL=tun2socks
+            break
+            ;;
+
+        5)
+            echo "Skip"
+            TUNNEL=0
+            break
+            ;;
+
+        *)
+            echo "Choose from the following options"
+            ;;
+        esac
+    done
+
+    if [ "$TUNNEL" == 'wg' ]; then
+        printf "\033[32;1mConfigure WireGuard\033[0m\n"
+        if opkg list-installed | grep -q wireguard-tools; then
+            echo "Wireguard already installed"
+        else
+            echo "Installed wg..."
+            opkg install wireguard-tools
+        fi
+
+        route_vpn
+
+        read -r -p "Enter the private key (from [Interface]):"$'\n' WG_PRIVATE_KEY
+
+        while true; do
+            read -r -p "Enter internal IP address with subnet, example 192.168.100.5/24 (from [Interface]):"$'\n' WG_IP
+            if echo "$WG_IP" | egrep -oq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+$'; then
+                break
+            else
+                echo "This IP is not valid. Please repeat"
+            fi
+        done
+
+        read -r -p "Enter the public key (from [Peer]):"$'\n' WG_PUBLIC_KEY
+        read -r -p "If use PresharedKey, Enter this (from [Peer]). If your don't use leave blank:"$'\n' WG_PRESHARED_KEY
+        read -r -p "Enter Enpoint host without port (Domain or IP) (from [Peer]):"$'\n' WG_ENDPOINT
+
+        read -r -p "Enter Enpoint host port (from [Peer]) [51820]:"$'\n' WG_ENDPOINT_PORT
+        WG_ENDPOINT_PORT=${WG_ENDPOINT_PORT:-51820}
+        if [ "$WG_ENDPOINT_PORT" = '51820' ]; then
+            echo $WG_ENDPOINT_PORT
+        fi
+        
+        uci set network.wg0=interface
+        uci set network.wg0.proto='wireguard'
+        uci set network.wg0.private_key=$WG_PRIVATE_KEY
+        uci set network.wg0.listen_port='51820'
+        uci set network.wg0.addresses=$WG_IP
+
+        if ! uci show network | grep -q wireguard_wg0; then
+            uci add network wireguard_wg0
+        fi
+        uci set network.@wireguard_wg0[0]=wireguard_wg0
+        uci set network.@wireguard_wg0[0].name='wg0_client'
+        uci set network.@wireguard_wg0[0].public_key=$WG_PUBLIC_KEY
+        uci set network.@wireguard_wg0[0].preshared_key=$WG_PRESHARED_KEY
+        uci set network.@wireguard_wg0[0].route_allowed_ips='0'
+        uci set network.@wireguard_wg0[0].persistent_keepalive='25'
+        uci set network.@wireguard_wg0[0].endpoint_host=$WG_ENDPOINT
+        uci set network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0'
+        uci set network.@wireguard_wg0[0].endpoint_port=$WG_ENDPOINT_PORT
+        uci commit
+    fi
+
+    if [ "$TUNNEL" == 'ovpn' ]; then
+        if opkg list-installed | grep -q openvpn-openssl; then
+            echo "OpenVPN already installed"
+        else
+            echo "Installed openvpn"
+            opkg install openvpn-openssl
+        fi
+        printf "\033[32;1mConfigure route for OpenVPN\033[0m\n"
+        route_vpn
+    fi
+
+    if [ "$TUNNEL" == 'singbox' ]; then
+        if opkg list-installed | grep -q sing-box; then
+            echo "Sing-box already installed"
+        else
+            AVAILABLE_SPACE=$(df / | awk 'NR>1 { print $4 }')
+            if  [[ "$AVAILABLE_SPACE" -gt 2000 ]]; then
+                echo "Installed sing-box"
+                opkg install sing-box
+            else
+                printf "\033[31;1mNo free space for a sing-box. Sing-box is not installed.\033[0m\n"
+                exit 1
+            fi
+        fi
+        if grep -q "option enabled '0'" /etc/config/sing-box; then
+            sed -i "s/	option enabled \'0\'/	option enabled \'1\'/" /etc/config/sing-box
+        fi
+        if grep -q "option user 'sing-box'" /etc/config/sing-box; then
+            sed -i "s/	option user \'sing-box\'/	option user \'root\'/" /etc/config/sing-box
+        fi
+        if grep -q "tun0" /etc/sing-box/config.json; then
+        printf "\033[32;1mConfig /etc/sing-box/config.json already exists\033[0m\n"
+        else
+cat << 'EOF' > /etc/sing-box/config.json
+{
+  "log": {
+    "level": "debug"
+  },
+  "inbounds": [
+    {
+      "type": "tun",
+      "interface_name": "tun0",
+      "domain_strategy": "ipv4_only",
+      "inet4_address": "172.16.250.1/30",
+      "auto_route": false,
+      "strict_route": false,
+      "sniff": true 
+   }
+  ],
+  "outbounds": [
+    {
+      "type": "$TYPE",
+      "server": "$HOST",
+      "server_port": $PORT,
+      "method": "$METHOD",
+      "password": "$PASS"
+    }
+  ],
+  "route": {
+    "auto_detect_interface": true
+  }
+}
+EOF
+        printf "\033[32;1mCreate template config in /etc/sing-box/config.json. Edit it manually. Official doc: https://sing-box.sagernet.org/configuration/outbound/\033[0m\n"
+        printf "\033[32;1mOfficial doc: https://sing-box.sagernet.org/configuration/outbound/\033[0m\n"
+        printf "\033[32;1mManual with example SS: https://cli.co/Badmn3K \033[0m\n"
+
+        fi
+        printf "\033[32;1mConfigure route for Sing-box\033[0m\n"
+        route_vpn
+    fi
+}
+
+dnsmasqfull() {
+    if opkg list-installed | grep -q dnsmasq-full; then
+        printf "\033[32;1mdnsmasq-full already installed\033[0m\n"
+    else
+        printf "\033[32;1mInstalled dnsmasq-full\033[0m\n"
+        cd /tmp/ && opkg download dnsmasq-full
+        opkg remove dnsmasq && opkg install dnsmasq-full --cache /tmp/
+
+        [ -f /etc/config/dhcp-opkg ] && cp /etc/config/dhcp /etc/config/dhcp-old && mv /etc/config/dhcp-opkg /etc/config/dhcp
+fi
+}
+
+remove_forwarding() {
+    if [ ! -z "$forward_id" ]; then
+        while uci -q delete firewall.@forwarding[$forward_id]; do :; done
+    fi
+}
+
+add_zone() {
+    if  [ "$TUNNEL" == 0 ]; then
+        printf "\033[32;1mZone setting skipped\033[0m\n"
+    elif uci show firewall | grep -q "@zone.*name='$TUNNEL'"; then
+        printf "\033[32;1mZone already exist\033[0m\n"
+    else
+        printf "\033[32;1mCreate zone\033[0m\n"
+
+        # Delete exists zone
+        zone_tun_id=$(uci show firewall | grep -E '@zone.*tun0' | awk -F '[][{}]' '{print $2}' | head -n 1)
+        if [ "$zone_tun_id" == 0 ] || [ "$zone_tun_id" == 1 ]; then
+            printf "\033[32;1mtun0 zone has an identifier of 0 or 1. That's not ok. Fix your firewall. lan and wan zones should have identifiers 0 and 1. \033[0m\n"
+            exit 1
+        fi
+        if [ ! -z "$zone_tun_id" ]; then
+            while uci -q delete firewall.@zone[$zone_tun_id]; do :; done
+        fi
+
+        zone_wg_id=$(uci show firewall | grep -E '@zone.*wg0' | awk -F '[][{}]' '{print $2}' | head -n 1)
+        if [ "$zone_wg_id" == 0 ] || [ "$zone_wg_id" == 1 ]; then
+            printf "\033[32;1mwg0 zone has an identifier of 0 or 1. That's not ok. Fix your firewall. lan and wan zones should have identifiers 0 and 1. \033[0m\n"
+            exit 1
+        fi
+        if [ ! -z "$zone_wg_id" ]; then
+            while uci -q delete firewall.@zone[$zone_wg_id]; do :; done
+        fi
+
+        uci add firewall zone
+        uci set firewall.@zone[-1].name="$TUNNEL"
+        if [ "$TUNNEL" == wg ]; then
+            uci set firewall.@zone[-1].network='wg0'
+        elif [ "$TUNNEL" == singbox ] || [ "$TUNNEL" == ovpn ] || [ "$TUNNEL" == tun2socks ]; then
+            uci set firewall.@zone[-1].device='tun0'
+        fi
+        if [ "$TUNNEL" == wg ] || [ "$TUNNEL" == ovpn ] || [ "$TUNNEL" == tun2socks ]; then
+            uci set firewall.@zone[-1].forward='REJECT'
+            uci set firewall.@zone[-1].output='ACCEPT'
+            uci set firewall.@zone[-1].input='REJECT'
+        elif [ "$TUNNEL" == singbox ]; then
+            uci set firewall.@zone[-1].forward='ACCEPT'
+            uci set firewall.@zone[-1].output='ACCEPT'
+            uci set firewall.@zone[-1].input='ACCEPT'
+        fi
+        uci set firewall.@zone[-1].masq='1'
+        uci set firewall.@zone[-1].mtu_fix='1'
+        uci set firewall.@zone[-1].family='ipv4'
+        uci commit firewall
+    fi
+    
+    if [ "$TUNNEL" == 0 ]; then
+        printf "\033[32;1mForwarding setting skipped\033[0m\n"
+    elif uci show firewall | grep -q "@forwarding.*name='$TUNNEL-lan'"; then
+        printf "\033[32;1mForwarding already configured\033[0m\n"
+    else
+        printf "\033[32;1mConfigured forwarding\033[0m\n"
+        # Delete exists forwarding
+        if [[ $TUNNEL != "wg" ]]; then
+            forward_id=$(uci show firewall | grep -E "@forwarding.*dest='wg'" | awk -F '[][{}]' '{print $2}' | head -n 1)
+            remove_forwarding
+        fi
+
+        if [[ $TUNNEL != "ovpn" ]]; then
+            forward_id=$(uci show firewall | grep -E "@forwarding.*dest='ovpn'" | awk -F '[][{}]' '{print $2}' | head -n 1)
+            remove_forwarding
+        fi
+
+        if [[ $TUNNEL != "singbox" ]]; then
+            forward_id=$(uci show firewall | grep -E "@forwarding.*dest='singbox'" | awk -F '[][{}]' '{print $2}' | head -n 1)
+            remove_forwarding
+        fi
+
+        if [[ $TUNNEL != "tun2socks" ]]; then
+            forward_id=$(uci show firewall | grep -E "@forwarding.*dest='tun2socks'" | awk -F '[][{}]' '{print $2}' | head -n 1)
+            remove_forwarding
+        fi
+
+        uci add firewall forwarding
+        uci set firewall.@forwarding[-1]=forwarding
+        uci set firewall.@forwarding[-1].name="$TUNNEL-lan"
+        uci set firewall.@forwarding[-1].dest="$TUNNEL"
+        uci set firewall.@forwarding[-1].src='lan'
+        uci set firewall.@forwarding[-1].family='ipv4'
+        uci commit firewall
+    fi
+}
+
+show_manual() {
+    if [ "$TUNNEL" == tun2socks ]; then
+        printf "\033[42;1mZone for tun2socks cofigured. But you need to set up the tunnel yourself.\033[0m\n"
+        echo "Use this manual: https://cli.co/VNZISEM"
+    elif [ "$TUNNEL" == ovpn ]; then
+        printf "\033[42;1mZone for OpenVPN cofigured. But you need to set up the tunnel yourself.\033[0m\n"
+        echo "Use this manual: https://itdog.info/nastrojka-klienta-openvpn-na-openwrt/"
+    fi
+}
+
+add_set() {
+    if uci show firewall | grep -q "@ipset.*name='vpn_domains'"; then
+        printf "\033[32;1mSet already exist\033[0m\n"
+    else
+        printf "\033[32;1mCreate set\033[0m\n"
+        uci add firewall ipset
+        uci set firewall.@ipset[-1].name='vpn_domains'
+        uci set firewall.@ipset[-1].match='dst_net'
+        uci commit
+    fi
+    if uci show firewall | grep -q "@rule.*name='mark_domains'"; then
+        printf "\033[32;1mRule for set already exist\033[0m\n"
+    else
+        printf "\033[32;1mCreate rule set\033[0m\n"
+        uci add firewall rule
+        uci set firewall.@rule[-1]=rule
+        uci set firewall.@rule[-1].name='mark_domains'
+        uci set firewall.@rule[-1].src='lan'
+        uci set firewall.@rule[-1].dest='*'
+        uci set firewall.@rule[-1].proto='all'
+        uci set firewall.@rule[-1].ipset='vpn_domains'
+        uci set firewall.@rule[-1].set_mark='0x1'
+        uci set firewall.@rule[-1].target='MARK'
+        uci set firewall.@rule[-1].family='ipv4'
+        uci commit
+    fi
+}
+
+add_dns_resolver() {
+    echo "Configure DNSCrypt2 or Stubby? It does matter if your ISP is spoofing DNS requests"
+    DISK=$(df -m / | awk 'NR==2{ print $2 }')
+    if [[ "$DISK" -lt 32 ]]; then 
+        printf "\033[31;1mYour router a disk have less than 32MB. It is not recommended to install DNSCrypt, it takes 10MB\033[0m\n"
+    fi
+    echo "Select:"
+    echo "1) No [Default]"
+    echo "2) DNSCrypt2 (10.7M)"
+    echo "3) Stubby (36K)"
+
+    while true; do
+    read -r -p '' DNS_RESOLVER
+        case $DNS_RESOLVER in 
+
+        1) 
+            echo "Skiped"
+            break
+            ;;
+
+        2)
+            DNS_RESOLVER=DNSCRYPT
+            break
+            ;;
+
+        3) 
+            DNS_RESOLVER=STUBBY
+            break
+            ;;
+
+        *)
+            echo "Choose from the following options"
+            ;;
+        esac
+    done
+
+    if [ "$DNS_RESOLVER" == 'DNSCRYPT' ]; then
+        if opkg list-installed | grep -q dnscrypt-proxy2; then
+            printf "\033[32;1mDNSCrypt2 already installed\033[0m\n"
+        else
+            printf "\033[32;1mInstalled dnscrypt-proxy2\033[0m\n"
+            opkg install dnscrypt-proxy2
+            if grep -q "# server_names" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml; then
+                sed -i "s/^# server_names =.*/server_names = [\'google\', \'cloudflare\', \'scaleway-fr\', \'yandex\']/g" /etc/dnscrypt-proxy2/dnscrypt-proxy.toml
+            fi
+
+            printf "\033[32;1mDNSCrypt restart\033[0m\n"
+            service dnscrypt-proxy restart
+            printf "\033[32;1mDNSCrypt needs to load the relays list. Please wait\033[0m\n"
+            sleep 30
+
+            if [ -f /etc/dnscrypt-proxy2/relays.md ]; then
+                uci set dhcp.@dnsmasq[0].noresolv="1"
+                uci -q delete dhcp.@dnsmasq[0].server
+                uci add_list dhcp.@dnsmasq[0].server="127.0.0.53#53"
+                uci add_list dhcp.@dnsmasq[0].server='/use-application-dns.net/'
+                uci commit dhcp
+                
+                printf "\033[32;1mDnsmasq restart\033[0m\n"
+
+                /etc/init.d/dnsmasq restart
+            else
+                printf "\033[31;1mDNSCrypt not download list on /etc/dnscrypt-proxy2. Repeat install DNSCrypt by script.\033[0m\n"
+            fi
+    fi
+
+    fi
+
+    if [ "$DNS_RESOLVER" == 'STUBBY' ]; then
+        printf "\033[32;1mConfigure Stubby\033[0m\n"
+
+        if opkg list-installed | grep -q stubby; then
+            printf "\033[32;1mStubby already installed\033[0m\n"
+        else
+            printf "\033[32;1mInstalled stubby\033[0m\n"
+            opkg install stubby
+
+            printf "\033[32;1mConfigure Dnsmasq for Stubby\033[0m\n"
+            uci set dhcp.@dnsmasq[0].noresolv="1"
+            uci -q delete dhcp.@dnsmasq[0].server
+            uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#5453"
+            uci add_list dhcp.@dnsmasq[0].server='/use-application-dns.net/'
+            uci commit dhcp
+
+            printf "\033[32;1mDnsmasq restart\033[0m\n"
+
+            /etc/init.d/dnsmasq restart
+        fi
+    fi
+}
+
+add_packages() {
+    if opkg list-installed | grep -q "curl -"; then
+        printf "\033[32;1mCurl already installed\033[0m\n"
+    else
+        printf "\033[32;1mInstall curl\033[0m\n"
+        opkg install curl
+    fi
+
+    if opkg list-installed | grep -q nano; then
+        printf "\033[32;1mNano already installed\033[0m\n"
+    else
+        printf "\033[32;1mInstall nano\033[0m\n"
+        opkg install nano
+    fi
+}
+
+add_getdomains() {
+    echo "Choose you country"
+    echo "Select:"
+    echo "1) Russia inside. You are inside Russia"
+    echo "2) Russia outside. You are outside of Russia, but you need access to Russian resources"
+    echo "3) Ukraine. uablacklist.net list"
+    echo "4) Skip script creation"
+
+    while true; do
+    read -r -p '' COUNTRY
+        case $COUNTRY in 
+
+        1) 
+            COUNTRY=russia_inside
+            break
+            ;;
+
+        2)
+            COUNTRY=russia_outside
+            break
+            ;;
+
+        3) 
+            COUNTRY=ukraine
+            break
+            ;;
+
+        4) 
+            echo "Skiped"
+            COUNTRY=0
+            break
+            ;;
+
+        *)
+            echo "Choose from the following options"
+            ;;
+        esac
+    done
+
+    if [ "$COUNTRY" == 'russia_inside' ]; then
+        EOF_DOMAINS=DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Russia/inside-dnsmasq-nfset.lst
+    elif [ "$COUNTRY" == 'russia_outside' ]; then
+        EOF_DOMAINS=DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Russia/outside-dnsmasq-nfset.lst
+    elif [ "$COUNTRY" == 'ukraine' ]; then
+        EOF_DOMAINS=DOMAINS=https://raw.githubusercontent.com/itdoginfo/allow-domains/main/Ukraine/inside-dnsmasq-nfset.lst
+    fi
+
+    if [ "$COUNTRY" != '0' ]; then
+        printf "\033[32;1mCreate script /etc/init.d/getdomains\033[0m\n"
+
+cat << EOF > /etc/init.d/getdomains
+#!/bin/sh /etc/rc.common
+
+START=99
+
+start () {
+    $EOF_DOMAINS
+EOF
+cat << 'EOF' >> /etc/init.d/getdomains
+    count=0
+    while true; do
+        if curl -m 3 github.com; then
+            curl -f $DOMAINS --output /tmp/dnsmasq.d/domains.lst
+            break
+        else
+            echo "GitHub is not available. Check the internet availability [$count]"
+            count=$((count+1))
+        fi
+    done
+
+    if dnsmasq --conf-file=/tmp/dnsmasq.d/domains.lst --test 2>&1 | grep -q "syntax check OK"; then
+        /etc/init.d/dnsmasq restart
+    fi
+}
+EOF
+
+        chmod +x /etc/init.d/getdomains
+        /etc/init.d/getdomains enable
+
+        if crontab -l | grep -q /etc/init.d/getdomains; then
+            printf "\033[32;1mCrontab already configured\033[0m\n"
+
+        else
+            crontab -l | { cat; echo "0 */8 * * * /etc/init.d/getdomains start"; } | crontab -
+            printf "\033[32;1mIgnore this error. This is normal for a new installation\033[0m\n"
+            /etc/init.d/cron restart
+        fi
+
+        printf "\033[32;1mStart script\033[0m\n"
+
+        /etc/init.d/getdomains start
+    fi
+}
+
+# System Details
+MODEL=$(grep machine /proc/cpuinfo | cut -d ':' -f 2)
+RELEASE=$(grep OPENWRT_RELEASE /etc/os-release | awk -F '"' '{print $2}')
+printf "\033[34;1mModel:$MODEL\033[0m\n"
+printf "\033[34;1mVersion: $RELEASE\033[0m\n"
+
+VERSION_ID=$(grep VERSION_ID /etc/os-release | awk -F '"' '{print $2}' | awk -F. '{print $1}')
+
+if [ "$VERSION_ID" -ne 23 ]; then
+    printf "\033[31;1mScript only support OpenWrt 23.05\033[0m\n"
+    echo "For OpenWrt 21.02 and 22.03 you can:"
+    echo "1) Use ansible https://github.com/itdoginfo/ansible-openwrt-hirkn"
+    echo "2) Configure manually. Old manual: https://itdog.info/tochechnyj-obhod-blokirovok-rkn-na-routere-s-openwrt-s-pomoshhyu-wireguard-i-dnscrypt/"
+    exit 1
+fi
+
+printf "\033[31;1mAll actions performed here cannot be rolled back automatically.\033[0m\n"
+
+check_repo
+
+add_packages
+
+add_tunnel
+
+add_mark
+
+add_zone
+
+show_manual
+
+add_set
+
+dnsmasqfull
+
+add_dns_resolver
+
+add_getdomains
+
+printf "\033[32;1mRestart network\033[0m\n"
+/etc/init.d/network restart
+
+printf "\033[32;1mDone\033[0m\n"

image-extras/tplink_tl-wdr3600-v1/etc/uci-defaults/99-defaults

@@ -0,0 +1,439 @@
+#!/bin/sh
+#
+# Beware! This script will be in /rom/etc/uci-defaults/ as part of the image.
+# Uncomment lines to apply:
+wlan_name="office"
+wlan_password="fuckingwep"
+root_password="AsD7fg"
+lan_ip_address="192.168.47.1"
+wan_mac_address="1c:61:b4:08:74:b4"
+hostname="gw-aramil"
+# dhcp server 1 disable, 0 enable
+dhcpsrv="0"
+ 
+# log potential errors
+exec >/tmp/setup.log 2>&1
+ 
+if [ -n "$root_password" ]; then
+  (echo "$root_password"; sleep 1; echo "$root_password") | passwd > /dev/null
+fi
+ 
+# Configure LAN
+# More options: https://openwrt.org/docs/guide-user/base-system/basic-networking
+if [ -n "$lan_ip_address" ]; then
+  uci set network.lan.ipaddr="$lan_ip_address"
+  uci set network.@device[1].macaddr="$wan_mac_address"
+  uci commit network
+fi
+ 
+# Configure WLAN
+# More options: https://openwrt.org/docs/guide-user/network/wifi/basic#wi-fi_interfaces
+#wireless.radio0=wifi-device
+#wireless.radio0.type='mac80211'
+#wireless.radio0.path='platform/ahb/18100000.wmac'
+#wireless.radio0.channel='11'
+#wireless.radio0.band='2g'
+#wireless.radio0.htmode='HT20'
+#wireless.radio0.disabled='0'
+#wireless.radio0.txpower='15'
+#wireless.radio0.country='RU'
+#wireless.default_radio0=wifi-iface
+#wireless.default_radio0.device='radio0'
+#wireless.default_radio0.network='lan'
+#wireless.default_radio0.mode='ap'
+#wireless.default_radio0.ssid='fta-bgn'
+#wireless.default_radio0.encryption='psk2'
+#wireless.default_radio0.key='fuckingwep'
+#wireless.radio1=wifi-device
+#wireless.radio1.type='mac80211'
+#wireless.radio1.path='pci0000:00/0000:00:00.0'
+#wireless.radio1.channel='36'
+#wireless.radio1.band='5g'
+#wireless.radio1.htmode='HT20'
+#wireless.radio1.cell_density='0'
+#wireless.default_radio1=wifi-iface
+#wireless.default_radio1.device='radio1'
+#wireless.default_radio1.network='lan'
+#wireless.default_radio1.mode='ap'
+#wireless.default_radio1.ssid='fta-nac'
+#wireless.default_radio1.encryption='psk2'
+#wireless.default_radio1.key='fuckingwep'
+
+if [ -n "$wlan_name" -a -n "$wlan_password" -a ${#wlan_password} -ge 8 ]; then
+  uci set wireless.@wifi-device[0].disabled='0'
+  uci set wireless.@wifi-device[0].channel='11'
+  uci set wireless.@wifi-device[0].txpower='15'
+  uci set wireless.@wifi-device[0].disabled='0'
+  uci set wireless.@wifi-device[0].country='RU'
+  uci set wireless.@wifi-iface[0].mode='ap'
+  uci set wireless.@wifi-iface[0].encryption='psk2'
+  uci set wireless.@wifi-iface[0].ssid="$wlan_name"
+  uci set wireless.@wifi-iface[0].key="$wlan_password"
+  #uci set wireless.@wifi-iface[0].macfilter='allow'                                    
+  #uci add_list wireless.@wifi-iface[0].maclist=''
+  uci commit wireless
+fi
+
+# Configure system
+uci set system.@system[0].hostname="$hostname"
+uci set system.@system[0].timezone='<+05>-5'
+uci set system.ntp.enable_server='1'
+uci set system.ntp.interface='lan'
+uci set system.@system[0].zonename='Asia/Yekaterinburg'
+uci commit system
+/etc/init.d/system restart
+
+# Configure ssh dropbear
+SSHPUB="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDSZsnOKXMTO7GTdrDUzuemE2h+SAIwMBbsrLVtx/CFoYidtT5qQ4ukAJG5JvRIkmZUl0t2C69z0nEEZXInTycsqQW7IlYpiy9yTlImd9QmyckZcHptTtEzyNdcCDOXOcW2Q0YEykpOoccTCkk2PHa3Xufel67jTwXfaqAVzaN5fXy6uO2I1ab5HHwCFX8zTuagBXKSYDMlHxrz9friu8ipuiPsEgl5n1LOvasypnZkpjhb5XnJi7tyRHfbzx+X+DIZc/ZW21BPtcExSXn+mmVhTD0vQh9MGG/hnfdvCXGPSKGGHMPiZEL9vzN3PvBYVchp/8DDSKtRZtJnBpNhdtl+8LjGsOgDPN51otOxcDtIQgOiMGbgX6fzMB7EN642b3f8tlFp3aVswtH3isBz6AgeVO+qqI/nW6Io7mayNXrDXVIULh0Ol4TKTZ61KGLCUhX/ZL9ifXdXWlTVeXzidaxIZ7BGF5SaTRlHJhRfqVc8fZI9BBaPFFSqxBYzybYkGzU= jeka@x220"
+cat << EOI > /etc/dropbear/authorized_keys
+${SSHPUB}
+EOI
+chmod 600 /etc/dropbear/authorized_keys
+uci set dropbear.@dropbear[0].PasswordAuth="1"
+uci set dropbear.@dropbear[0].RootPasswordAuth="1"
+uci set dropbear.@dropbear[0].GatewayPorts='on'
+uci commit dropbear
+/etc/init.d/dropbear restart
+
+# Configure uhttpd
+uci set uhttpd.main.listen_http='0.0.0.0:8080'
+uci set uhttpd.main.listen_https='0.0.0.0:4431'
+uci commit uhttpd
+/etc/init.d/uhttpd restart
+
+# DHCP server on/off
+uci set dhcp.lan.start='90'
+uci set dhcp.lan.limit='100'
+uci set dhcp.lan.ignore="$dhcpsrv"
+uci add dhcp host
+uci set dhcp.@host[-1].name='kyocera0'
+uci set dhcp.@host[-1].mac='00:17:C8:76:43:91'
+uci set dhcp.@host[-1].ip='192.168.47.30'
+uci add dhcp host
+uci set dhcp.@host[-1].name='kyocera1'
+uci set dhcp.@host[-1].mac='00:17:C8:42:1C:AA'
+uci set dhcp.@host[-1].ip='192.168.47.31'
+uci add dhcp host
+uci set dhcp.@host[-1].name='lg-webos-1F'
+uci set dhcp.@host[-1].mac='A8:23:FE:7A:D4:1E'
+uci set dhcp.@host[-1].ip='192.168.47.36'
+uci add dhcp host
+uci set dhcp.@host[-1].name='camera1'
+uci set dhcp.@host[-1].mac='c0:56:e3:86:2d:22'
+uci set dhcp.@host[-1].ip='192.168.47.20'
+uci add dhcp host
+uci set dhcp.@host[-1].name='camera2'
+uci set dhcp.@host[-1].mac='c0:56:e3:87:de:b0'
+uci set dhcp.@host[-1].ip='192.168.47.21'
+uci add dhcp host
+uci set dhcp.@host[-1].name='camera3'
+uci set dhcp.@host[-1].mac='c0:56:e3:86:2d:33'
+uci set dhcp.@host[-1].ip='192.168.47.22'
+uci add dhcp host
+uci set dhcp.@host[-1].name='camera4'
+uci set dhcp.@host[-1].mac='c0:56:e3:87:df:37'
+uci set dhcp.@host[-1].ip='192.168.47.23'
+uci add dhcp host
+uci set dhcp.@host[-1].name='camera5'
+uci set dhcp.@host[-1].mac='f8:4d:fc:0b:dd:59'
+uci set dhcp.@host[-1].ip='192.168.47.24'
+uci add dhcp host
+uci set dhcp.@host[-1].name='kodi-aramil'
+uci set dhcp.@host[-1].mac='90:0E:B3:03:97:96'
+uci set dhcp.@host[-1].ip='192.168.47.19'
+uci add dhcp host
+uci set dhcp.@host[-1].name='switch-des2110'
+uci set dhcp.@host[-1].mac='00:11:95:28:7F:F4'
+uci set dhcp.@host[-1].ip='192.168.47.155'
+uci add dhcp host
+uci set dhcp.@host[-1].name='Pap2t'
+uci set dhcp.@host[-1].mac='00:0e:08:20:22:68'
+uci set dhcp.@host[-1].ip='192.168.47.40'
+uci add dhcp host
+uci set dhcp.@host[-1].name='CiscoATA186'
+uci set dhcp.@host[-1].mac='00:0D:29:51:31:E9'
+uci set dhcp.@host[-1].ip='192.168.47.41'
+uci add dhcp host
+uci set dhcp.@host[-1].name='PBX'
+uci set dhcp.@host[-1].mac='00:16:3E:5F:0F:15'
+uci set dhcp.@host[-1].ip='192.168.47.7'
+uci add dhcp host
+uci set dhcp.@host[-1].name='Ogorod-mikrotik'
+uci set dhcp.@host[-1].mac='D4:CA:6D:7F:6F:3E'
+uci set dhcp.@host[-1].ip='192.168.47.38'
+uci add dhcp host
+uci set dhcp.@host[-1].name='Yandexstation-1F'
+uci set dhcp.@host[-1].mac='70:4A:0E:62:C1:1A'
+uci set dhcp.@host[-1].ip='192.168.47.33'
+uci add dhcp host
+uci set dhcp.@host[-1].name='esphome-pogreb'
+uci set dhcp.@host[-1].mac='C4:5B:BE:63:51:4F'
+uci set dhcp.@host[-1].ip='192.168.47.45'
+uci add dhcp host
+uci set dhcp.@host[-1].name='esphome-kotelnaya'
+uci set dhcp.@host[-1].mac='4C:75:25:2A:5B:64'
+uci set dhcp.@host[-1].ip='192.168.47.46'
+uci add dhcp host
+uci set dhcp.@host[-1].name='esphome-garage-dvor'
+uci set dhcp.@host[-1].mac='40:91:51:52:C3:24'
+uci set dhcp.@host[-1].ip='192.168.47.47'
+
+uci commit dhcp
+/etc/init.d/dnsmasq restart
+
+# Configure network
+# VPN BAUMANA
+uci set network.vpn0=interface
+uci set network.vpn0.proto='wireguard'
+uci set network.vpn0.private_key='CC2sqK5H1gyertWCa7RtTobRSCO75LX5VAkHW5VjRUI='
+uci set network.vpn0.listen_port='23557'
+uci add network wireguard_vpn0
+uci set network.@wireguard_vpn0[0]=wireguard_vpn0
+uci set network.@wireguard_vpn0[0].description='Site Baumana Home'
+uci set network.@wireguard_vpn0[0].public_key='AFMw2q1JP16ckXnho04M7J2hheUIXtjdRcGQSrs2BHM='
+uci set network.@wireguard_vpn0[0].preshared_key='afYl4qqDwk0f0RGNscnBFRfnKG5Jm6wR3FPA60TTFII='
+uci set network.@wireguard_vpn0[0].allowed_ips='192.168.75.0/24'
+uci set network.@wireguard_vpn0[0].route_allowed_ips='1'
+uci set network.@wireguard_vpn0[0].persistent_keepalive='25'
+uci set network.@wireguard_vpn0[0].endpoint_host='wg.npau.ru'
+uci set network.@wireguard_vpn0[0].endpoint_port='23557'
+# VPN ELMASH
+uci set network.vpn1=interface
+uci set network.vpn1.proto='wireguard'
+uci set network.vpn1.private_key='yBYYOXkzZflQpfp0PdmZCKx1klz2IdjnWxxEwsmlJ1U='
+uci set network.vpn1.listen_port='23556'
+uci add network wireguard_vpn1
+uci set network.@wireguard_vpn1[0]=wireguard_vpn1
+uci set network.@wireguard_vpn1[0].description='Site Elmash Office'
+uci set network.@wireguard_vpn1[0].public_key='UjhGEeZkSpeeh0GfKvvtdAL9khP8hNiCpkIutlJiuFg='
+uci set network.@wireguard_vpn1[0].preshared_key='GdSszP+e86Vhs+/GD7uHpsLCnBCpyBZwMmOlxbS6OOg='
+uci set network.@wireguard_vpn1[0].allowed_ips='192.168.77.0/24'
+uci set network.@wireguard_vpn1[0].route_allowed_ips='1'
+uci set network.@wireguard_vpn1[0].persistent_keepalive='25'
+uci set network.@wireguard_vpn1[0].endpoint_host='elmash.npau.ru'
+uci set network.@wireguard_vpn1[0].endpoint_port='23556'
+# VPN PIVKO
+uci set network.vpn2=interface
+uci set network.vpn2.proto='wireguard'
+uci set network.vpn2.private_key='wKGUSB76waHrZKjxTutJJ+B50Cafl/O16X7VLCUBfls='
+uci set network.vpn2.listen_port='23558'
+uci add network wireguard_vpn2
+uci set network.@wireguard_vpn2[0]=wireguard_vpn2
+uci set network.@wireguard_vpn2[0].description='Site Pivko Dvurechensk'
+uci set network.@wireguard_vpn2[0].public_key='i0/zXWRpNIgk4KOwDa/qzBubFehgVmTfPv7yk2gYgBk='
+uci set network.@wireguard_vpn2[0].preshared_key='ONgqoU8Q6mT42E/RVUAhRwKarmF8H5z/7SR7df5Mn48='
+uci set network.@wireguard_vpn2[0].allowed_ips='192.168.76.0/24'
+uci set network.@wireguard_vpn2[0].route_allowed_ips='1'
+uci set network.@wireguard_vpn2[0].persistent_keepalive='25'
+uci set network.@wireguard_vpn2[0].endpoint_host='pivko.npau.ru'
+uci set network.@wireguard_vpn2[0].endpoint_port='23558'
+# Antizapret
+uci set network.wg0=interface
+uci set network.wg0.proto='wireguard'
+uci set network.wg0.listen_port='51820'
+uci set network.wg0.private_key='qFTjFepaM+mUnzePCs2BF81lEszlau4bgayYAayApXo='
+uci set network.wg0.addresses='192.168.100.4/24'
+uci add network wireguard_wg0
+uci set network.@wireguard_wg0[0]=wireguard_wg0
+uci set network.@wireguard_wg0[0].name='wg0_client'
+uci set network.@wireguard_wg0[0].route_allowed_ips='0'
+uci set network.@wireguard_wg0[0].persistent_keepalive='25'
+uci set network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0'
+uci set network.@wireguard_wg0[0].endpoint_host='88.210.11.80'
+uci set network.@wireguard_wg0[0].endpoint_port='51820'
+uci set network.@wireguard_wg0[0].public_key='E/3AhjY3/nteAEy7uPR72kKbXwyJL3ANEhsEoMHP43o='
+uci set network.@wireguard_wg0[0].preshared_key='sqW/LnZMocBhkuDTwSBnsUGilk+KznRMXk8LJnaOEXk='
+
+uci commit network
+/etc/init.d/network restart
+
+# Configure firewall
+
+# SETTINGS
+uci set firewall.@defaults[0].synflood_protect='1'
+uci set firewall.@defaults[0].drop_invalid='1'
+
+# ADD ZONE
+uci add firewall zone
+uci set firewall.@zone[-1].name='vpn0'
+uci set firewall.@zone[-1].network='vpn0'
+uci set firewall.@zone[-1].input='ACCEPT'
+uci set firewall.@zone[-1].forward='ACCEPT'
+uci set firewall.@zone[-1].device='vpn0'
+uci set firewall.@zone[-1].output='ACCEPT'
+uci add firewall zone
+uci set firewall.@zone[-1].name='vpn1'
+uci set firewall.@zone[-1].network='vpn1'
+uci set firewall.@zone[-1].input='ACCEPT'
+uci set firewall.@zone[-1].forward='ACCEPT'
+uci set firewall.@zone[-1].device='vpn1'
+uci set firewall.@zone[-1].output='ACCEPT'
+uci add firewall zone
+uci set firewall.@zone[-1].name='vpn2'
+uci set firewall.@zone[-1].network='vpn2'
+uci set firewall.@zone[-1].input='ACCEPT'
+uci set firewall.@zone[-1].forward='ACCEPT'
+uci set firewall.@zone[-1].device='vpn2'
+uci set firewall.@zone[-1].output='ACCEPT'
+uci add firewall zone
+uci set firewall.@zone[-1].name='wg'
+uci set firewall.@zone[-1].family='ipv4'
+uci set firewall.@zone[-1].masq='1'
+uci set firewall.@zone[-1].output='ACCEPT'
+uci set firewall.@zone[-1].forward='REJECT'
+uci set firewall.@zone[-1].input='REJECT'
+uci set firewall.@zone[-1].mtu_fix='1'
+uci set firewall.@zone[-1].network='wg0'
+
+# ADD FORWARDING 
+uci add firewall forwarding
+uci set firewall.@forwarding[-1].dest='lan'
+uci set firewall.@forwarding[-1].src='vpn0'
+uci add firewall forwarding
+uci set firewall.@forwarding[-1].dest='vpn0'
+uci set firewall.@forwarding[-1].src='lan'
+uci add firewall forwarding
+uci set firewall.@forwarding[-1].dest='lan'
+uci set firewall.@forwarding[-1].src='vpn1'
+uci add firewall forwarding
+uci set firewall.@forwarding[-1].dest='vpn1'
+uci set firewall.@forwarding[-1].src='lan'
+uci add firewall forwarding
+uci set firewall.@forwarding[-1].dest='lan'
+uci set firewall.@forwarding[-1].src='vpn2'
+uci add firewall forwarding
+uci set firewall.@forwarding[-1].dest='vpn2'
+uci set firewall.@forwarding[-1].src='lan'
+uci add firewall forwarding
+uci set firewall.@forwarding[-1].family='ipv4'
+uci set firewall.@forwarding[-1].src='lan'
+uci set firewall.@forwarding[-1].dest='wg'
+
+# ADD RULE
+uci add firewall rule
+uci set firewall.@rule[-1].target='ACCEPT'
+uci set firewall.@rule[-1].proto='udp'
+uci set firewall.@rule[-1].dest_port='23558'
+uci set firewall.@rule[-1].name='Allow-Aramil-Pivko-Inbound'
+uci set firewall.@rule[-1].src='wan'
+uci add firewall rule
+uci set firewall.@rule[-1].target='ACCEPT'
+uci set firewall.@rule[-1].proto='udp'
+uci set firewall.@rule[-1].dest_port='51820'
+uci set firewall.@rule[-1].name='Allow-Wireguard-VPS'
+uci set firewall.@rule[-1].src='wan'
+uci add firewall rule
+uci set firewall.@rule[-1].target='ACCEPT'
+uci set firewall.@rule[-1].proto='udp'
+uci set firewall.@rule[-1].dest_port='23557'
+uci set firewall.@rule[-1].name='Allow-Wireguard-Inbound'
+uci set firewall.@rule[-1].src='wan'
+uci add firewall rule
+uci set firewall.@rule[-1].target='ACCEPT'
+uci set firewall.@rule[-1].proto='udp'
+uci set firewall.@rule[-1].dest_port='23556'
+uci set firewall.@rule[-1].name='Allow-Elmash-Aramil-Inbound'
+uci set firewall.@rule[-1].src='wan'
+uci add firewall rule
+uci set firewall.@rule[-1].dest_port='5201'
+uci set firewall.@rule[-1].src='wan'
+uci set firewall.@rule[-1].name='iperf'
+uci set firewall.@rule[-1].target='ACCEPT'
+uci add network rule
+uci set network.@rule[-1].name='mark0x1'
+uci set network.@rule[-1].mark='0x1'
+uci set network.@rule[-1].priority='100'
+uci set network.@rule[-1].lookup='vpn'
+uci add firewall ipset
+uci set firewall.@ipset[-1].name='vpn_domains'
+uci set firewall.@ipset[-1].match='dst_net'
+uci add firewall rule
+uci set firewall.@rule[-1]=rule
+uci set firewall.@rule[-1].name='mark_domains'
+uci set firewall.@rule[-1].src='lan'
+uci set firewall.@rule[-1].dest='*'
+uci set firewall.@rule[-1].proto='all'
+uci set firewall.@rule[-1].ipset='vpn_domains'
+uci set firewall.@rule[-1].set_mark='0x1'
+uci set firewall.@rule[-1].target='MARK'
+uci set firewall.@rule[-1].family='ipv4'
+
+# ADD REDIRECT
+uci add firewall redirect
+uci set firewall.@redirect[-1].target='DNAT'
+uci set firewall.@redirect[-1].src='wan'
+uci set firewall.@redirect[-1].dest='lan'
+uci set firewall.@redirect[-1].dest_ip='192.168.47.9'
+uci set firewall.@redirect[-1].dest_port='6881'
+uci set firewall.@redirect[-1].proto='tcp' 'udp'
+uci set firewall.@redirect[-1].name='qbittorrent'
+uci set firewall.@redirect[-1].src_dport='6881'
+uci add firewall redirect
+uci set firewall.@redirect[-1].dest_port='25'
+uci set firewall.@redirect[-1].src='wan'
+uci set firewall.@redirect[-1].name='smtp_25'
+uci set firewall.@redirect[-1].src_dport='25'
+uci set firewall.@redirect[-1].target='DNAT'
+uci set firewall.@redirect[-1].dest_ip='192.168.47.2'
+uci set firewall.@redirect[-1].dest='lan'
+uci add firewall redirect
+uci set firewall.@redirect[-1].dest_port='143'
+uci set firewall.@redirect[-1].src='wan'
+uci set firewall.@redirect[-1].name='imap_143'
+uci set firewall.@redirect[-1].src_dport='143'
+uci set firewall.@redirect[-1].target='DNAT'
+uci set firewall.@redirect[-1].dest_ip='192.168.47.2'
+uci set firewall.@redirect[-1].dest='lan'
+uci add firewall redirect
+uci set firewall.@redirect[-1].dest_port='993'
+uci set firewall.@redirect[-1].src='wan'
+uci set firewall.@redirect[-1].name='imaps_993'
+uci set firewall.@redirect[-1].src_dport='993'
+uci set firewall.@redirect[-1].target='DNAT'
+uci set firewall.@redirect[-1].dest_ip='192.168.47.2'
+uci set firewall.@redirect[-1].dest='lan'
+uci add firewall redirect
+uci set firewall.@redirect[-1].dest_port='465'
+uci set firewall.@redirect[-1].src='wan'
+uci set firewall.@redirect[-1].src_dport='465'
+uci set firewall.@redirect[-1].target='DNAT'
+uci set firewall.@redirect[-1].dest_ip='192.168.47.2'
+uci set firewall.@redirect[-1].dest='lan'
+uci set firewall.@redirect[-1].name='smtp_465'
+uci add firewall redirect
+uci set firewall.@redirect[-1].dest_port='4190'
+uci set firewall.@redirect[-1].src='wan'
+uci set firewall.@redirect[-1].name='mail_sieve_4190'
+uci set firewall.@redirect[-1].src_dport='4190'
+uci set firewall.@redirect[-1].target='DNAT'
+uci set firewall.@redirect[-1].dest_ip='192.168.47.2'
+uci set firewall.@redirect[-1].dest='lan'
+uci add firewall redirect
+uci set firewall.@redirect[-1].dest_port='587'
+uci set firewall.@redirect[-1].src='wan'
+uci set firewall.@redirect[-1].name='smtp_587'
+uci set firewall.@redirect[-1].src_dport='587'
+uci set firewall.@redirect[-1].target='DNAT'
+uci set firewall.@redirect[-1].dest_ip='192.168.47.2'
+uci set firewall.@redirect[-1].dest='lan'
+uci add firewall redirect
+uci set firewall.@redirect[-1].dest_port='80'
+uci set firewall.@redirect[-1].src='wan'
+uci set firewall.@redirect[-1].src_dport='80'
+uci set firewall.@redirect[-1].target='DNAT'
+uci set firewall.@redirect[-1].dest='lan'
+uci set firewall.@redirect[-1].name='NPM-80'
+uci set firewall.@redirect[-1].dest_ip='192.168.47.191'
+uci add firewall redirect
+uci set firewall.@redirect[-1].dest_port='443'
+uci set firewall.@redirect[-1].src='wan'
+uci set firewall.@redirect[-1].src_dport='443'
+uci set firewall.@redirect[-1].target='DNAT'
+uci set firewall.@redirect[-1].dest='lan'
+uci set firewall.@redirect[-1].name='NPM-443'
+uci set firewall.@redirect[-1].dest_ip='192.168.47.191'
+
+uci commit firewall
+/etc/init.d/firewall restart
+
+echo "All done"

manifest.scm

@@ -0,0 +1,19 @@
+;; This is the complete list of Guix packages necessary for building.
+;;
+;; The following shell command will run the tests:
+;;
+;; guix shell -m manifest.scm --pure -- ./build.sh ath79 generic tplink_tl-wdr4300-v1
+;;
+;; TODO ...ideally. some dependencies are not listed, and it fails when using --pure
+
+(specifications->manifest
+ '("coreutils"
+   "bash"
+   "make"
+   "perl"
+   "gcc-toolchain"
+   "git"
+   "git:gui"
+   ;; "man-pages"
+   "less"
+   "time"))

tplink_tl-wdr3600-v1.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+./build.sh ath79 generic tplink_tl-wdr3600-v1