jonlundy · August 29, 2015 14:13
diff --git a/generate.sh b/generate.sh
 #!/bin/bash

 [ $# -ge 6 ] || {
 	echo "Usage: $0 <NICK> <MAIL> <GPG> <AS> <ENDPOINT> <IPV4> [PORT]" >&2
 	exit 1
 }

 # You may want to change variables below and check if "/etc/bird/bird-dn42.conf"
 # is included in your bird-config (same for bird6 with bird6-dn42.conf)

 # NO WARRANTY, REALLY READ THIS FILE BEFORE EXECUTING IT!

 GPG="gpg"

 LOCAL_ROUTER='bird' # or 'quagga'
 LOCAL_NICK="prauscher"
 LOCAL_AS="64720"
 LOCAL_TUNNEL="rajesh.prauscher.de"
 LOCAL_IPV4="172.22.120.2"
 LOCAL_IPV6="fe80::$(printf "%x" $(( $RANDOM + 1 )) )"
 LOCAL_PORT=52301
 while grep -h -R "^lport $LOCAL_PORT" $(dirname "$0") > /dev/null; do
 	LOCAL_PORT=$(( $LOCAL_PORT + 1 ))
 done

 REMOTE_NICK="$1"
 REMOTE_AS="$4"
 REMOTE_TUNNEL="$5"
 REMOTE_IPV4="$6"
 REMOTE_IPV6="fe80::$(printf "%x" $(( $RANDOM + 32768 )) )"
 REMOTE_PORT="${7:-$LOCAL_PORT}"

 MAIL="$2"
 KEYID="$3"

 # sanity checks

 echo "$REMOTE_NICK" | grep -E "^[a-zA-Z0-9]{3,8}$" > /dev/null || {
 	echo "REMOTE_NICK $REMOTE_NICK does not match ^[a-zA-Z0-9]{3,8}$"
 	exit 101
 }

 echo "$REMOTE_AS" | grep -E "^[0-9]{1,10}$" > /dev/null || {
 	echo "REMOTE_AS $REMOTE_AS does not match ^[0-9]{1,10}$"
 	exit 102
 }

 [ $UID -eq 0 ] || {
 	echo "need to run as root"
 	exit 103
 }

 # generate openvpn-key
 openvpn --genkey --secret /tmp/$$.key

 # write our config
 CONFIG="$(dirname $0)/${LOCAL_PORT:${#LOCAL_PORT}-2}-as$REMOTE_AS-$REMOTE_NICK.conf"
 cat > "$CONFIG" <<EOT
 mode p2p
 remote $REMOTE_TUNNEL
 lport $LOCAL_PORT
 rport $REMOTE_PORT
 proto udp
 dev-type tun
 dev dn42$NICK
 tun-ipv6

 comp-lzo
 <secret>
 $(cat /tmp/$$.key)
 </secret>
 user nobody
 group nogroup
 persist-key
 persist-tun
 status /tmp/dn42-openvpn-$REMOTE_NICK.status
 log-append /tmp/dn42-openvpn-$REMOTE_NICK.log
 ifconfig $LOCAL_IPV4 $REMOTE_IPV4
 ifconfig-ipv6 $LOCAL_IPV6/64 $REMOTE_IPV6
 EOT
 openvpn --config "$CONFIG" &

 if [ "$LOCAL_ROUTER" == "bird" ]; then
 	cat >> /etc/bird/bird-dn42.conf <<EOT
 protocol bgp dn42_$REMOTE_NICK from dn42_peer {
 	neighbor $REMOTE_IPV4 as $REMOTE_AS;
 }
 EOT
 	birdc configure
 	cat >> /etc/bird/bird6-dn42.conf <<EOT
 protocol bgp dn42_$REMOTE_NICK from dn42_peer {
 	neighbor $REMOTE_IPV6 % "dn42$REMOTE_NICK" as $REMOTE_AS;
 }
 EOT
 	birdc6 configure
 else if [ "$LOCAL_ROUTER" == "quagga" ]; then
 	cat >> /usr/bin/vtysh <<EOT
 conf t
 router bgp $LOCAL_AS
  neighbor $REMOTE_IPV4 remote-as $REMOTE_AS
  neighbor $REMOTE_IPV6 remote-as $REMOTE_AS
  no neighbor $REMOTE_IPV6 activate
  address-family ipv6
   neighbor $REMOTE_IPV6 activate
 end
 wr
 EOT
 fi

 # write peer config
 $GPG --keyserver pgp.mit.edu --recv-keys "$KEYID"

 sendmail "$MAIL" <<EOT
 To: $MAIL
 Subject: DN42 peering with $LOCAL_NICK
 Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="BOUNDARY"
 Mime-Version: 1.0

 multipart mail
 --BOUNDARY
 Content-Type: application/pgp-encrypted
 Content-Transfer-Encoding: 7bit

 Version: 1

 --BOUNDARY
 Content-Type: application/octet-stream; name="encrypted.asc"
 Content-Description: This is a digitally encrypted message part
 Content-Transfer-Encoding: 7bit

 $($GPG --batch --armor --trust-model always --recipient "$MAIL" --encrypt <<EOC
 Content-Type: multipart/mixed; boundary="INNERBOUNDARY"

 multipart mail
 --INNERBOUNDARY
 Content-Type: text/plain
 Content-Transfer-Encoding: 7bit

 Hello,

 your configuration file is ready now. Please use the attached file to
 establish the tunnel and then configure your router for BGP with the endpoints:

 * $LOCAL_IPV4 for IPv4
 * $LOCAL_IPV6 % 'dn42$LOCAL_NICK' for IPv6

 Greetings,

 $LOCAL_NICK (via a robot)

 --INNERBOUNDARY
 Content-Disposition: attachment; filename="dn42-$LOCAL_NICK.ovpn"
 Content-Transfer-Encoding: 7bit
 Content-Type: application/x-openvpn-profile; name="dn42-$LOCAL_NICK.ovpn"; charset="UTF-8"

 mode p2p
 remote $LOCAL_TUNNEL
 lport $REMOTE_PORT
 rport $LOCAL_PORT
 proto udp
 dev-type tun
 dev dn42$LOCAL_NICK
 tun-ipv6

 comp-lzo
 <secret>
 $(cat /tmp/$$.key)
 </secret>
 user nobody
 group nogroup
 persist-key
 persist-tun
 status /tmp/dn42-openvpn-$LOCAL_NICK.status
 log-append /tmp/dn42-openvpn-$LOCAL_NICK.log
 ifconfig $REMOTE_IPV4 $LOCAL_IPV4
 ifconfig-ipv6 $REMOTE_IPV6/64 $LOCAL_IPV6

 --INNERBOUNDARY--
 EOC
 )
 --BOUNDARY--
 EOT

 rm /tmp/$$.key
	#!/bin/bash

	[ $# -ge 6 ] \|\| {
	echo "Usage: $0 <NICK> <MAIL> <GPG> <AS> <ENDPOINT> <IPV4> [PORT]" >&2
	exit 1
	}

	# You may want to change variables below and check if "/etc/bird/bird-dn42.conf"
	# is included in your bird-config (same for bird6 with bird6-dn42.conf)

	# NO WARRANTY, REALLY READ THIS FILE BEFORE EXECUTING IT!

	GPG="gpg"

	LOCAL_ROUTER='bird' # or 'quagga'
	LOCAL_NICK="prauscher"
	LOCAL_AS="64720"
	LOCAL_TUNNEL="rajesh.prauscher.de"
	LOCAL_IPV4="172.22.120.2"
	LOCAL_IPV6="fe80::$(printf "%x" $(( $RANDOM + 1 )) )"
	LOCAL_PORT=52301
	while grep -h -R "^lport $LOCAL_PORT" $(dirname "$0") > /dev/null; do
	LOCAL_PORT=$(( $LOCAL_PORT + 1 ))
	done

	REMOTE_NICK="$1"
	REMOTE_AS="$4"
	REMOTE_TUNNEL="$5"
	REMOTE_IPV4="$6"
	REMOTE_IPV6="fe80::$(printf "%x" $(( $RANDOM + 32768 )) )"
	REMOTE_PORT="${7:-$LOCAL_PORT}"

	MAIL="$2"
	KEYID="$3"

	# sanity checks

	echo "$REMOTE_NICK" \| grep -E "^[a-zA-Z0-9]{3,8}$" > /dev/null \|\| {
	echo "REMOTE_NICK $REMOTE_NICK does not match ^[a-zA-Z0-9]{3,8}$"
	exit 101
	}

	echo "$REMOTE_AS" \| grep -E "^[0-9]{1,10}$" > /dev/null \|\| {
	echo "REMOTE_AS $REMOTE_AS does not match ^[0-9]{1,10}$"
	exit 102
	}

	[ $UID -eq 0 ] \|\| {
	echo "need to run as root"
	exit 103
	}

	# generate openvpn-key
	openvpn --genkey --secret /tmp/$$.key

	# write our config
	CONFIG="$(dirname $0)/${LOCAL_PORT:${#LOCAL_PORT}-2}-as$REMOTE_AS-$REMOTE_NICK.conf"
	cat > "$CONFIG" <<EOT
	mode p2p
	remote $REMOTE_TUNNEL
	lport $LOCAL_PORT
	rport $REMOTE_PORT
	proto udp
	dev-type tun
	dev dn42$NICK
	tun-ipv6

	comp-lzo
	<secret>
	$(cat /tmp/$$.key)
	</secret>
	user nobody
	group nogroup
	persist-key
	persist-tun
	status /tmp/dn42-openvpn-$REMOTE_NICK.status
	log-append /tmp/dn42-openvpn-$REMOTE_NICK.log
	ifconfig $LOCAL_IPV4 $REMOTE_IPV4
	ifconfig-ipv6 $LOCAL_IPV6/64 $REMOTE_IPV6
	EOT
	openvpn --config "$CONFIG" &

	if [ "$LOCAL_ROUTER" == "bird" ]; then
	cat >> /etc/bird/bird-dn42.conf <<EOT
	protocol bgp dn42_$REMOTE_NICK from dn42_peer {
	neighbor $REMOTE_IPV4 as $REMOTE_AS;
	}
	EOT
	birdc configure
	cat >> /etc/bird/bird6-dn42.conf <<EOT
	protocol bgp dn42_$REMOTE_NICK from dn42_peer {
	neighbor $REMOTE_IPV6 % "dn42$REMOTE_NICK" as $REMOTE_AS;
	}
	EOT
	birdc6 configure
	else if [ "$LOCAL_ROUTER" == "quagga" ]; then
	cat >> /usr/bin/vtysh <<EOT
	conf t
	router bgp $LOCAL_AS
	neighbor $REMOTE_IPV4 remote-as $REMOTE_AS
	neighbor $REMOTE_IPV6 remote-as $REMOTE_AS
	no neighbor $REMOTE_IPV6 activate
	address-family ipv6
	neighbor $REMOTE_IPV6 activate
	end
	wr
	EOT
	fi

	# write peer config
	$GPG --keyserver pgp.mit.edu --recv-keys "$KEYID"

	sendmail "$MAIL" <<EOT
	To: $MAIL
	Subject: DN42 peering with $LOCAL_NICK
	Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="BOUNDARY"
	Mime-Version: 1.0

	multipart mail
	--BOUNDARY
	Content-Type: application/pgp-encrypted
	Content-Transfer-Encoding: 7bit

	Version: 1

	--BOUNDARY
	Content-Type: application/octet-stream; name="encrypted.asc"
	Content-Description: This is a digitally encrypted message part
	Content-Transfer-Encoding: 7bit

	$($GPG --batch --armor --trust-model always --recipient "$MAIL" --encrypt <<EOC
	Content-Type: multipart/mixed; boundary="INNERBOUNDARY"

	multipart mail
	--INNERBOUNDARY
	Content-Type: text/plain
	Content-Transfer-Encoding: 7bit

	Hello,

	your configuration file is ready now. Please use the attached file to
	establish the tunnel and then configure your router for BGP with the endpoints:

	* $LOCAL_IPV4 for IPv4
	* $LOCAL_IPV6 % 'dn42$LOCAL_NICK' for IPv6

	Greetings,

	$LOCAL_NICK (via a robot)

	--INNERBOUNDARY
	Content-Disposition: attachment; filename="dn42-$LOCAL_NICK.ovpn"
	Content-Transfer-Encoding: 7bit
	Content-Type: application/x-openvpn-profile; name="dn42-$LOCAL_NICK.ovpn"; charset="UTF-8"

	mode p2p
	remote $LOCAL_TUNNEL
	lport $REMOTE_PORT
	rport $LOCAL_PORT
	proto udp
	dev-type tun
	dev dn42$LOCAL_NICK
	tun-ipv6

	comp-lzo
	<secret>
	$(cat /tmp/$$.key)
	</secret>
	user nobody
	group nogroup
	persist-key
	persist-tun
	status /tmp/dn42-openvpn-$LOCAL_NICK.status
	log-append /tmp/dn42-openvpn-$LOCAL_NICK.log
	ifconfig $REMOTE_IPV4 $LOCAL_IPV4
	ifconfig-ipv6 $REMOTE_IPV6/64 $LOCAL_IPV6

	--INNERBOUNDARY--
	EOC
	)
	--BOUNDARY--
	EOT

	rm /tmp/$$.key