ivan4th · April 16, 2023 05:32
diff --git a/config.boot b/config.boot
 firewall {
    all-ping enable
    broadcast-ping disable
    group {
        address-group CV {
            address 195.82.146.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    modify PBR {
        rule 10 {
            action modify
            description "fuck rkn"
            destination {
                group {
                    address-group CV
                }
            }
            modify {
                table 42
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
 }
 interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
            out {
                modify PBR
            }
        }
        mac .........
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.2.1/24
        description Local
        firewall {
            in {
                modify PBR
            }
        }
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
    wireguard wg0 {
        address 10.10.200.8/24
        listen-port 51820
        mtu 1500
        peer ......... {
            allowed-ips 0.0.0.0/0
            endpoint .........:1194
        }
        private-key /config/auth/wg.key
        route-allowed-ips false
    }
 }
 protocols {
    static {
        table 42 {
            route 0.0.0.0/0 {
                next-hop 10.10.200.6 {
                }
            }
        }
    }
 }
 service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.200 {
                    stop 192.168.2.254
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5011 {
            description "masquerade for WG"
            log disable
            outbound-interface wg0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
 }
 system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password .........
                public-keys ......... {
                    key .........
                    type ssh-rsa
                }
            }
            level admin
        }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    package {
        repository wheezy {
            components "main contrib non-free"
            distribution wheezy
            password ""
            url http://archive.debian.org/debian
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    task-scheduler {
        task uplist {
            crontab-spec "4 5 * * *"
            executable {
                path /config/scripts/update-lists
            }
        }
        task vpnping {
            executable {
                path /config/scripts/vpnping.sh
            }
            interval 2m
        }
    }
    time-zone Europe/Moscow
 }
diff --git a/config.diff b/config.diff
 --- /config/config.boot.2019-05-15-1228.pre-migration
 +++ /config/config.boot
 @@ -1,10 +1,29 @@
 firewall {
     all-ping enable
     broadcast-ping disable
 +    group {
 +        address-group CV {
 +            address 195.82.146.0/24
 +        }
 +    }
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
 +    modify PBR {
 +        rule 10 {
 +            action modify
 +            description "fuck rkn"
 +            destination {
 +                group {
 +                    address-group CV
 +                }
 +            }
 +            modify {
 +                table 42
 +            }
 +        }
 +    }
     name WAN_IN {
         default-action drop
         description "WAN to internal"
 @@ -60,6 +79,9 @@
             local {
                 name WAN_LOCAL
             }
 +            out {
 +                modify PBR
 +            }
         }
         mac 84:1b:5e:2d:10:45
         speed auto
 @@ -89,6 +111,11 @@
     switch switch0 {
         address 192.168.2.1/24
         description Local
 +        firewall {
 +            in {
 +                modify PBR
 +            }
 +        }
         mtu 1500
         switch-port {
             interface eth1 {
 @@ -102,7 +129,28 @@
             vlan-aware disable
         }
     }
 +    wireguard wg0 {
 +        address 10.10.200.8/24
 +        listen-port 51820
 +        mtu 1500
 +        peer ......... {
 +            allowed-ips 0.0.0.0/0
 +            endpoint .........:1194
 +        }
 +        private-key /config/auth/wg.key
 +        route-allowed-ips false
 +    }
 }
 +protocols {
 +    static {
 +        table 42 {
 +            route 0.0.0.0/0 {
 +                next-hop 10.10.200.6 {
 +                }
 +            }
 +        }
 +    }
 +}
 service {
     dhcp-server {
         disabled false
 @@ -113,11 +161,20 @@
                 default-router 192.168.2.1
                 dns-server 192.168.2.1
                 lease 86400
 -                start 192.168.2.38 {
 -                    stop 192.168.2.243
 +                start 192.168.2.200 {
 +                    stop 192.168.2.254
                 }
             }
         }
 +        static-arp disable
         use-dnsmasq disable
     }
     dns {
 @@ -137,6 +194,13 @@
             outbound-interface eth0
             type masquerade
         }
 +        rule 5011 {
 +            description "masquerade for WG"
 +            log disable
 +            outbound-interface wg0
 +            protocol all
 +            type masquerade
 +        }
     }
     ssh {
         port 22
 @@ -149,10 +213,16 @@
         user ubnt {
             authentication {
                 encrypted-password .........
 +                public-keys ......... {
 +                    key .........
 +                    type ssh-rsa
 +                }
             }
             level admin
         }
     }
 +    name-server 8.8.8.8
 +    name-server 8.8.4.4
     ntp {
         server 0.ubnt.pool.ntp.org {
         }
 @@ -163,6 +233,15 @@
         server 3.ubnt.pool.ntp.org {
         }
     }
 +    package {
 +        repository wheezy {
 +            components "main contrib non-free"
 +            distribution wheezy
 +            password ""
 +            url http://archive.debian.org/debian
 +            username ""
 +        }
 +    }
     syslog {
         global {
             facility all {
 @@ -173,10 +252,24 @@
             }
         }
     }
 -    time-zone UTC
 +    task-scheduler {
 +        task uplist {
 +            crontab-spec "4 5 * * *"
 +            executable {
 +                path /config/scripts/update-lists
 +            }
 +        }
 +        task vpnping {
 +            executable {
 +                path /config/scripts/vpnping.sh
 +            }
 +            interval 2m
 +        }
 +    }
 +    time-zone Europe/Moscow
 }
diff --git a/ipset-size.txt b/ipset-size.txt
 root@ubnt:~# ipset save CV|wc -l
 405325
 root@ubnt:~# free
             total       used       free     shared    buffers     cached
 Mem:        254804     248480       6324          0      11228     131620
 -/+ buffers/cache:     105632     149172
 Swap:            0          0          0
 root@ubnt:~# ipset flush CV
 root@ubnt:~# ipset save CV|wc -l
 1
 root@ubnt:~# free
             total       used       free     shared    buffers     cached
 Mem:        254804     223728      31076          0      11228     131628
 -/+ buffers/cache:      80872     173932
 Swap:            0          0          0
diff --git a/iptables.txt b/iptables.txt
 # on the VPN server, run
 iptables -A POSTROUTING -s 10.10.200.0/24 -o eth0 -j MASQUERADE
 # install or dpkg-reconfigure iptables-persistent after that
diff --git a/notes.txt b/notes.txt
 WireGuard extension for EdgeOS: https://github.com/Lochnair/vyatta-wireguard
diff --git a/skazodolb b/skazodolb
 #!/bin/bash
 # This scripts loads the IP list that was generated
 # by update-lists.sh
 # Full path: /config/scripts/post-config.d/skazodolb
 set -u -e
 if [[ ! -f /var/lib/rkg/list.gz ]]; then
  exit 0
 fi

 # replace the current CV ipset corresponding to the address group
 # with the same name in a non-disruptive way
 ipset destroy CV1 2>/dev/null || true
 ipset create CV1 hash:net family inet hashsize 8192 maxelem 1000000
 gunzip -dc /var/lib/rkg/list.gz | ipset restore -!
 ipset swap CV1 CV
 ipset destroy CV1
diff --git a/update-lists.sh b/update-lists.sh
 #!/bin/bash
 # This scripts downloads the lists, makes them suitable
 # to be used as input for "ipset restore" command and
 # gzips them to save disk space.
 # Full path: /config/scripts/update-lists
 set -u -e
 mkdir -p /var/lib/rkg
 (
  if [[ -f /etc/rkg-extra.lst ]]; then
    cat /etc/rkg-extra.lst
  fi
  curl -s https://antifilter.download/list/{ip,ipresolve,subnet}.lst
 ) | sed 's/^\(.*\)/add CV1 \1/' |
  gzip > /var/lib/rkg/list.gz.new
 mv /var/lib/rkg/list.gz.new /var/lib/rkg/list.gz
 /config/scripts/post-config.d/skazodolb
diff --git a/vpnping.sh b/vpnping.sh
 #!/bin/bash
 # This scripts pings the WireGuard endpoint to initiate
 # the connection. This is needed so as to make the router
 # accessible from the VPN server even if no traffic is
 # passed through wg0.
 # Full path: /config/scripts/vpnping.sh
 set -u -e
 ping -c1 10.10.200.6
diff --git a/wg0 b/wg0
 # /etc/network/interfaces.d/wg0 on the VPN server
 auto wg0
 iface wg0 inet static
  address 10.10.200.6
  netmask 255.255.255.0
  mtu 1500
  pre-up ip link add $IFACE type wireguard
  pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
  post-down ip link del $IFACE
diff --git a/wg0.conf b/wg0.conf
 # /etc/wireguard/wg0.conf on the VPN server
 [Interface]
 ListenPort = 1194
 PrivateKey = ..............

 # msk
 [Peer]
 PublicKey = ..............
 AllowedIPs = 10.10.200.8/32
	firewall {
	all-ping enable
	broadcast-ping disable
	group {
	address-group CV {
	address 195.82.146.0/24
	}
	}
	ipv6-receive-redirects disable
	ipv6-src-route disable
	ip-src-route disable
	log-martians enable
	modify PBR {
	rule 10 {
	action modify
	description "fuck rkn"
	destination {
	group {
	address-group CV
	}
	}
	modify {
	table 42
	}
	}
	}
	name WAN_IN {
	default-action drop
	description "WAN to internal"
	rule 10 {
	action accept
	description "Allow established/related"
	state {
	established enable
	related enable
	}
	}
	rule 20 {
	action drop
	description "Drop invalid state"
	state {
	invalid enable
	}
	}
	}
	name WAN_LOCAL {
	default-action drop
	description "WAN to router"
	rule 10 {
	action accept
	description "Allow established/related"
	state {
	established enable
	related enable
	}
	}
	rule 20 {
	action drop
	description "Drop invalid state"
	state {
	invalid enable
	}
	}
	}
	receive-redirects disable
	send-redirects enable
	source-validation disable
	syn-cookies enable
	}
	interfaces {
	ethernet eth0 {
	address dhcp
	description Internet
	duplex auto
	firewall {
	in {
	name WAN_IN
	}
	local {
	name WAN_LOCAL
	}
	out {
	modify PBR
	}
	}
	mac .........
	speed auto
	}
	ethernet eth1 {
	description Local
	duplex auto
	speed auto
	}
	ethernet eth2 {
	description Local
	duplex auto
	speed auto
	}
	ethernet eth3 {
	description Local
	duplex auto
	speed auto
	}
	ethernet eth4 {
	description Local
	duplex auto
	speed auto
	}
	loopback lo {
	}
	switch switch0 {
	address 192.168.2.1/24
	description Local
	firewall {
	in {
	modify PBR
	}
	}
	mtu 1500
	switch-port {
	interface eth1 {
	}
	interface eth2 {
	}
	interface eth3 {
	}
	interface eth4 {
	}
	vlan-aware disable
	}
	}
	wireguard wg0 {
	address 10.10.200.8/24
	listen-port 51820
	mtu 1500
	peer ......... {
	allowed-ips 0.0.0.0/0
	endpoint .........:1194
	}
	private-key /config/auth/wg.key
	route-allowed-ips false
	}
	}
	protocols {
	static {
	table 42 {
	route 0.0.0.0/0 {
	next-hop 10.10.200.6 {
	}
	}
	}
	}
	}
	service {
	dhcp-server {
	disabled false
	hostfile-update disable
	shared-network-name LAN {
	authoritative enable
	subnet 192.168.2.0/24 {
	default-router 192.168.2.1
	dns-server 192.168.2.1
	lease 86400
	start 192.168.2.200 {
	stop 192.168.2.254
	}
	}
	}
	static-arp disable
	use-dnsmasq disable
	}
	dns {
	forwarding {
	cache-size 150
	listen-on switch0
	}
	}
	gui {
	http-port 80
	https-port 443
	older-ciphers enable
	}
	nat {
	rule 5010 {
	description "masquerade for WAN"
	outbound-interface eth0
	type masquerade
	}
	rule 5011 {
	description "masquerade for WG"
	log disable
	outbound-interface wg0
	protocol all
	type masquerade
	}
	}
	ssh {
	port 22
	protocol-version v2
	}
	}
	system {
	host-name ubnt
	login {
	user ubnt {
	authentication {
	encrypted-password .........
	public-keys ......... {
	key .........
	type ssh-rsa
	}
	}
	level admin
	}
	}
	name-server 8.8.8.8
	name-server 8.8.4.4
	ntp {
	server 0.ubnt.pool.ntp.org {
	}
	server 1.ubnt.pool.ntp.org {
	}
	server 2.ubnt.pool.ntp.org {
	}
	server 3.ubnt.pool.ntp.org {
	}
	}
	package {
	repository wheezy {
	components "main contrib non-free"
	distribution wheezy
	password ""
	url http://archive.debian.org/debian
	username ""
	}
	}
	syslog {
	global {
	facility all {
	level notice
	}
	facility protocols {
	level debug
	}
	}
	}
	task-scheduler {
	task uplist {
	crontab-spec "4 5 * * *"
	executable {
	path /config/scripts/update-lists
	}
	}
	task vpnping {
	executable {
	path /config/scripts/vpnping.sh
	}
	interval 2m
	}
	}
	time-zone Europe/Moscow
	}
	--- /config/config.boot.2019-05-15-1228.pre-migration
	+++ /config/config.boot
	@@ -1,10 +1,29 @@
	firewall {
	all-ping enable
	broadcast-ping disable
	+ group {
	+ address-group CV {
	+ address 195.82.146.0/24
	+ }
	+ }
	ipv6-receive-redirects disable
	ipv6-src-route disable
	ip-src-route disable
	log-martians enable
	+ modify PBR {
	+ rule 10 {
	+ action modify
	+ description "fuck rkn"
	+ destination {
	+ group {
	+ address-group CV
	+ }
	+ }
	+ modify {
	+ table 42
	+ }
	+ }
	+ }
	name WAN_IN {
	default-action drop
	description "WAN to internal"
	@@ -60,6 +79,9 @@
	local {
	name WAN_LOCAL
	}
	+ out {
	+ modify PBR
	+ }
	}
	mac 84:1b:5e:2d:10:45
	speed auto
	@@ -89,6 +111,11 @@
	switch switch0 {
	address 192.168.2.1/24
	description Local
	+ firewall {
	+ in {
	+ modify PBR
	+ }
	+ }
	mtu 1500
	switch-port {
	interface eth1 {
	@@ -102,7 +129,28 @@
	vlan-aware disable
	}
	}
	+ wireguard wg0 {
	+ address 10.10.200.8/24
	+ listen-port 51820
	+ mtu 1500
	+ peer ......... {
	+ allowed-ips 0.0.0.0/0
	+ endpoint .........:1194
	+ }
	+ private-key /config/auth/wg.key
	+ route-allowed-ips false
	+ }
	}
	+protocols {
	+ static {
	+ table 42 {
	+ route 0.0.0.0/0 {
	+ next-hop 10.10.200.6 {
	+ }
	+ }
	+ }
	+ }
	+}
	service {
	dhcp-server {
	disabled false
	@@ -113,11 +161,20 @@
	default-router 192.168.2.1
	dns-server 192.168.2.1
	lease 86400
	- start 192.168.2.38 {
	- stop 192.168.2.243
	+ start 192.168.2.200 {
	+ stop 192.168.2.254
	}
	}
	}
	+ static-arp disable
	use-dnsmasq disable
	}
	dns {
	@@ -137,6 +194,13 @@
	outbound-interface eth0
	type masquerade
	}
	+ rule 5011 {
	+ description "masquerade for WG"
	+ log disable
	+ outbound-interface wg0
	+ protocol all
	+ type masquerade
	+ }
	}
	ssh {
	port 22
	@@ -149,10 +213,16 @@
	user ubnt {
	authentication {
	encrypted-password .........
	+ public-keys ......... {
	+ key .........
	+ type ssh-rsa
	+ }
	}
	level admin
	}
	}
	+ name-server 8.8.8.8
	+ name-server 8.8.4.4
	ntp {
	server 0.ubnt.pool.ntp.org {
	}
	@@ -163,6 +233,15 @@
	server 3.ubnt.pool.ntp.org {
	}
	}
	+ package {
	+ repository wheezy {
	+ components "main contrib non-free"
	+ distribution wheezy
	+ password ""
	+ url http://archive.debian.org/debian
	+ username ""
	+ }
	+ }
	syslog {
	global {
	facility all {
	@@ -173,10 +252,24 @@
	}
	}
	}
	- time-zone UTC
	+ task-scheduler {
	+ task uplist {
	+ crontab-spec "4 5 * * *"
	+ executable {
	+ path /config/scripts/update-lists
	+ }
	+ }
	+ task vpnping {
	+ executable {
	+ path /config/scripts/vpnping.sh
	+ }
	+ interval 2m
	+ }
	+ }
	+ time-zone Europe/Moscow
	}
	root@ubnt:~# ipset save CV\|wc -l
	405325
	root@ubnt:~# free
	total used free shared buffers cached
	Mem: 254804 248480 6324 0 11228 131620
	-/+ buffers/cache: 105632 149172
	Swap: 0 0 0
	root@ubnt:~# ipset flush CV
	root@ubnt:~# ipset save CV\|wc -l
	1
	root@ubnt:~# free
	total used free shared buffers cached
	Mem: 254804 223728 31076 0 11228 131628
	-/+ buffers/cache: 80872 173932
	Swap: 0 0 0
	# on the VPN server, run
	iptables -A POSTROUTING -s 10.10.200.0/24 -o eth0 -j MASQUERADE
	# install or dpkg-reconfigure iptables-persistent after that
	#!/bin/bash
	# This scripts loads the IP list that was generated
	# by update-lists.sh
	# Full path: /config/scripts/post-config.d/skazodolb
	set -u -e
	if [[ ! -f /var/lib/rkg/list.gz ]]; then
	exit 0
	fi

	# replace the current CV ipset corresponding to the address group
	# with the same name in a non-disruptive way
	ipset destroy CV1 2>/dev/null \|\| true
	ipset create CV1 hash:net family inet hashsize 8192 maxelem 1000000
	gunzip -dc /var/lib/rkg/list.gz \| ipset restore -!
	ipset swap CV1 CV
	ipset destroy CV1
	#!/bin/bash
	# This scripts downloads the lists, makes them suitable
	# to be used as input for "ipset restore" command and
	# gzips them to save disk space.
	# Full path: /config/scripts/update-lists
	set -u -e
	mkdir -p /var/lib/rkg
	(
	if [[ -f /etc/rkg-extra.lst ]]; then
	cat /etc/rkg-extra.lst
	fi
	curl -s https://antifilter.download/list/{ip,ipresolve,subnet}.lst
	) \| sed 's/^\(.*\)/add CV1 \1/' \|
	gzip > /var/lib/rkg/list.gz.new
	mv /var/lib/rkg/list.gz.new /var/lib/rkg/list.gz
	/config/scripts/post-config.d/skazodolb
	#!/bin/bash
	# This scripts pings the WireGuard endpoint to initiate
	# the connection. This is needed so as to make the router
	# accessible from the VPN server even if no traffic is
	# passed through wg0.
	# Full path: /config/scripts/vpnping.sh
	set -u -e
	ping -c1 10.10.200.6
	# /etc/network/interfaces.d/wg0 on the VPN server
	auto wg0
	iface wg0 inet static
	address 10.10.200.6
	netmask 255.255.255.0
	mtu 1500
	pre-up ip link add $IFACE type wireguard
	pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
	post-down ip link del $IFACE
	# /etc/wireguard/wg0.conf on the VPN server
	[Interface]
	ListenPort = 1194
	PrivateKey = ..............

	# msk
	[Peer]
	PublicKey = ..............
	AllowedIPs = 10.10.200.8/32