feat: openwrt config

README.md

@@ -54,6 +54,12 @@ tailscale up --accept-routes --advertise-routes=$IPV4_SUBNET,$IPV6_SUBNET --acce
 
 ### 5. Configure `NAT`, `DHCP`.
 
+Once tailscale is up and manually configured (see the config files for guide).
+We can use automated way of maintaining config.
+
+```
+just deploy-config nevaroo 10.0.48.0 fd9b:5314:0:3000::
+```
 
 # TODO
 

justfile

@@ -20,3 +20,21 @@ destroy:
   #!/usr/bin/env sh
   cd {{justfile_directory()}}/terraform
   tofu  destroy
+
+deploy-config node ipv4_subnet ipv6_subnet:
+  #!/usr/bin/env sh
+  echo "Configuring {{node}}.network.tjo.cloud"
+  echo " - IPv4: {{ipv4_subnet}}"
+  echo " - IPv6: {{ipv6_subnet}}"
+
+  for file in {{justfile_directory()}}/openwrt/etc/config/*
+  do
+    echo "Deploying /etc/config/$(basename $file)"
+    export IPV4_SUBNET="{{ipv4_subnet}}"
+    export IPV6_SUBNET="{{ipv6_subnet}}"
+    export HOSTNAME="{{node}}.network.tjo.cloud"
+    cat $file | envsubst | tailscale ssh "root@{{node}}-network-tjo-cloud" "cat > /etc/config/$(basename $file)"
+  done
+
+  echo "Reloading network configuration"
+  tailscale ssh "root@{{node}}-network-tjo-cloud" "/etc/init.d/network reload"

openwrt/etc/config/dhcp

@@ -1,21 +1,17 @@
 config dnsmasq
 	option domainneeded '1'
-	option boguspriv '1'
-	option filterwin2k '0'
 	option localise_queries '1'
 	option rebind_protection '1'
 	option rebind_localhost '1'
 	option expandhosts '1'
-	option nonegcache '0'
 	option cachesize '1000'
 	option authoritative '1'
 	option readethers '1'
 	option leasefile '/tmp/dhcp.leases'
 	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
-	option nonwildcard '1'
 	option localservice '1'
 	option ednspacket_max '1232'
-  list interface 'lan'
+	list interface 'lan'
 
 config dhcp 'lan'
 	option interface 'lan'
@@ -25,7 +21,6 @@ config dhcp 'lan'
 	option dhcpv4 'server'
 	option dhcpv6 'server'
 	option ra 'server'
-	option ra_slaac '1'
 	list ra_flags 'managed-config'
 	list ra_flags 'other-config'
 

openwrt/etc/config/firewall

@@ -1,8 +1,8 @@
 config defaults
-	option syn_flood '1'
 	option input 'REJECT'
 	option output 'ACCEPT'
 	option forward 'REJECT'
+	option synflood_protect '1'
 
 config zone
 	option name 'lan'
@@ -10,7 +10,6 @@ config zone
 	option output 'ACCEPT'
 	option forward 'ACCEPT'
 	list network 'lan'
-	list network 'tailscale'
 
 config zone
 	option name 'wan'
@@ -118,3 +117,20 @@ config rule
 	option dest_port '500'
 	option proto 'udp'
 	option target 'ACCEPT'
+
+config zone
+	option name 'tailscale'
+	option input 'ACCEPT'
+	option output 'ACCEPT'
+	option forward 'ACCEPT'
+	option masq '1'
+	option mtu_fix '1'
+	list network 'tailscale'
+
+config forwarding
+	option src 'tailscale'
+	option dest 'lan'
+
+config forwarding
+	option src 'lan'
+	option dest 'tailscale'

openwrt/etc/config/network

@@ -24,10 +24,20 @@ config interface 'lan'
 config interface 'wan'
 	option device 'eth0'
 	option proto 'dhcp'
+	option peerdns '0'
+	list dns '1.1.1.1'         # cloudflare primary
+	list dns '9.9.9.9'         # quad9 primary
+	list dns '1.0.0.1'         # cloudflare backup
+	list dns '149.112.112.112' # quad9 backup
 
 config interface 'wan6'
 	option device 'eth0'
 	option proto 'dhcpv6'
+	option peerdns '0'
+	list dns '2606:4700:4700::1111' # cloudflare primary
+	list dns '2620:fe::fe'          # quad9 primary
+	list dns '2606:4700:4700::1001' # cloudflare backup
+	list dns '2620:fe::9'           # quad9 backup
 
 # TAILSCALE
 config interface 'tailscale'

openwrt/etc/config/system

@@ -0,0 +1,14 @@
+config system
+	option hostname '${HOSTNAME}'
+	option timezone 'UTC'
+	option ttylogin '0'
+	option log_size '64'
+	option urandom_seed '0'
+
+config timeserver 'ntp'
+	option enabled '1'
+	option enable_server '0'
+	list server '0.openwrt.pool.ntp.org'
+	list server '1.openwrt.pool.ntp.org'
+	list server '2.openwrt.pool.ntp.org'
+	list server '3.openwrt.pool.ntp.org'