diff --git a/README.md b/README.md index adfb217..a645b28 100644 --- a/README.md +++ b/README.md @@ -14,11 +14,10 @@ Basic features: - Provide Internet - DHCP server and RA - DNS server -- IPv6 (NAT only for now) +- IPv6 (behind NATed LAN, like IPv4) - Creating Wifi hotspot: - Channel selecting - Choose encryptions: WPA2/WPA, WPA2, WPA, No encryption - - Hidden SSID - Create AP on the same interface you are getting Internet (require same channel) - Transparent proxy (redsocks) - DNS proxy @@ -64,49 +63,38 @@ Internet----(eth0/wlan0)-Linux-(virtual interface)-----VM/container ### Provide Internet to an interface ``` -# lnxrouter -i eth1 +sudo lnxrouter -i eth1 ``` ### Provide an interface's Internet to another interface ``` -# lnxrouter -i eth1 -o vpn0 --dhcp-dns 1.1.1.1 +sudo lnxrouter -i eth1 -o vpn0 --dhcp-dns 1.1.1.1 ``` +> Read _Notice 1_ ### Create Wifi hotspot ``` -# lnxrouter --ap wlan0 MyAccessPoint --password MyPassPhrase +sudo lnxrouter --ap wlan0 MyAccessPoint -p MyPassPhrase ``` ### LAN without Internet ``` -# lnxrouter -n -i eth1 -# lnxrouter -n --ap wlan0 MyAccessPoint --password MyPassPhrase +sudo lnxrouter -n -i eth1 +sudo lnxrouter -n --ap wlan0 MyAccessPoint -p MyPassPhrase ``` -### Transparent proxy with Tor +> Read _Notice 1_ -``` -# lnxrouter -i eth1 --tp 9040 --dns 9053 -``` - -In `torrc` - -``` -TransPort 0.0.0.0:9040 -DNSPort 0.0.0.0:9053 -TransPort [::]:9040 -DNSPort [::]:9053 -``` ### Internet for LXC Create a bridge ``` -# brctl addbr lxcbr5 +sudo brctl addbr lxcbr5 ``` In LXC container `config` 
@@ -119,22 +107,52 @@ lxc.network.hwaddr = xx:xx:xx:xx:xx:xx ``` ``` -# lnxrouter -i lxcbr5 +sudo lnxrouter -i lxcbr5 ``` +### Transparent proxy with Tor + +``` +sudo lnxrouter -i eth1 --tp 9040 --dns 9053 -g 192.168.55.1 --p6 fd00:5:6:7:: +``` + +In `torrc` + +``` +TransPort 192.168.55.1:9040 +DNSPort 192.168.55.1:9053 +TransPort [fd00:5:6:7::1]:9040 +DNSPort [fd00:5:6:7::1]:9053 +``` + +### Clients-in-sandbox network + +To not give our infomation to clients: + +``` +sudo lnxrouter -i eth1 \ + --tp 9040 --dns 9053 \ + --random-mac \ + --ban-priv \ + --catch-dns --log-dns # optional +``` + +> This script comes with no warrenty, use on your own risk + + ### Use as transparent proxy for LXD Create a bridge ``` -# brctl addbr lxdbr5 +sudo brctl addbr lxdbr5 ``` -Create and add LXD profile +Create and add a new LXD profile overriding container's `eth0` ``` -$ lxc profile create profile5 -$ lxc profile edit profile5 +lxc profile create profile5 +lxc profile edit profile5 ### profile content ### config: {} @@ -147,33 +165,31 @@ devices: type: nic name: profile5 -$ lxc profile add profile5 +lxc profile add profile5 ``` -That should make one container have 2 profiles. `profile5` will override container's`eth0`. - ``` -# lnxrouter -i lxdbr5 --tp 9040 --dns 9053 +sudo lnxrouter -i lxdbr5 --tp 9040 --dns 9053 ``` To remove that new profile from container ``` -$ lxc profile remove profile5 +lxc profile remove profile5 ``` #### To not use profile -Add device `eth0` to container overriding default `eth0` +Add new `eth0` to container overriding default `eth0` ``` -$ lxc config device add eth0 nic name=eth0 nictype=bridged parent=lxdbr5 +lxc config device add eth0 nic name=eth0 nictype=bridged parent=lxdbr5 ``` To remove the customized `eth0` to restore default `eth0` ``` -$ lxc config device remove eth0 +lxc config device remove eth0 ``` ### Use as transparent proxy for VirtualBox 
@@ -181,7 +197,7 @@ $ lxc config device remove eth0 On VirtualBox's global settings, create a host-only network `vboxnet5` with DHCP disabled. ``` -# lnxrouter -i vboxnet5 --tp 9040 --dns 9053 +sudo lnxrouter -i vboxnet5 --tp 9040 --dns 9053 ``` ### Use as transparent proxy for firejail @@ -189,12 +205,12 @@ On VirtualBox's global settings, create a host-only network `vboxnet5` with DHCP Create a bridge ``` -# brctl addbr firejail5 +sudo brctl addbr firejail5 ``` ``` -# lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053 -$ firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd +sudo lnxrouter -i firejail5 -g 192.168.55.1 --tp 9040 --dns 9053 +firejail --net=firejail5 --dns=192.168.55.1 --blacklist=/var/run/nscd ``` ### CLI usage and other features @@ -220,7 +236,8 @@ Options: --no4 Disable IPv4 Internet (not forwarding IPv4) (See Notice 1). Usually used with '-6' - --p6 Set IPv6 prefix (length 64) (example: fd00:1:2:3::) + --p6 Set IPv6 LAN address prefix (length 64) + (example: fd00:1:2:3::) Using this enables '-6' --dns || DNS server's upstream DNS. @@ -256,6 +273,7 @@ Options: Create Wifi access point -p, --password Wifi password + --qr Show Wifi QR code in terminal --hidden Hide access point (not broadcast SSID) --no-virt Do not create virtual interface @@ -314,9 +332,13 @@ Options: - iw - iwconfig (you only need this if 'iw' can not recognize your adapter) - haveged (optional) + - qrencode (opional) ## TODO +- WPA3 +- Global IPv6 +- Refactor clients(neighbors) listing - Explictly ban forwarding if not needed ## Donate diff --git a/lnxrouter b/lnxrouter index 4acafff..5364d07 100644 --- a/lnxrouter +++ b/lnxrouter @@ -33,7 +33,8 @@ Options: --no4 Disable IPv4 Internet (not forwarding IPv4) (See Notice 1). Usually used with '-6' - --p6 Set IPv6 prefix (length 64) (example: fd00:1:2:3::) + --p6 Set IPv6 LAN address prefix (length 64) + (example: fd00:1:2:3::) Using this enables '-6' --dns || DNS server's upstream DNS. 
@@ -69,6 +70,7 @@ Options: Create Wifi access point -p, --password Wifi password + --qr Show Wifi QR code in terminal --hidden Hide access point (not broadcast SSID) --no-virt Do not create virtual interface @@ -172,6 +174,7 @@ NO_HAVEGED=0 HOSTAPD_DEBUG_ARGS= USE_PSK=0 ISOLATE_CLIENTS=0 +QR=0 LIST_RUNNING=0 STOP_ID= @@ -187,7 +190,7 @@ while [[ -n "$1" ]]; do exit 0 ;; --version) - echo $VERSION + echo "$VERSION" exit 0 ;; -i) @@ -240,6 +243,7 @@ while [[ -n "$1" ]]; do --p6) shift PREFIX6="$1" + IPV6=1 shift ;; --mac) @@ -315,6 +319,10 @@ while [[ -n "$1" ]]; do PASSPHRASE="$1" shift ;; + --qr) + shift + QR=1 + ;; --hidden) @@ -437,8 +445,8 @@ sep_ip_port() { local PORT local INPUT INPUT="$1" - if (echo $INPUT | grep '\.' >/dev/null 2>&1) ;then - if (echo $INPUT | grep ':' >/dev/null 2>&1) ;then + if (echo "$INPUT" | grep '\.' >/dev/null 2>&1) ;then + if (echo "$INPUT" | grep ':' >/dev/null 2>&1) ;then # ipv4 + port IP="$(echo $INPUT | cut -d: -f1)" PORT="$(echo $INPUT | cut -d: -f2)" @@ -446,8 +454,8 @@ sep_ip_port() { # ipv4 IP="$INPUT" fi - elif (echo $INPUT | grep '\]' >/dev/null 2>&1) ;then - if (echo $INPUT | grep '\]\:' >/dev/null 2>&1) ;then + elif (echo "$INPUT" | grep '\]' >/dev/null 2>&1) ;then + if (echo "$INPUT" | grep '\]\:' >/dev/null 2>&1) ;then # ipv6 + port IP="$(echo $INPUT | cut -d']' -f1 | cut -d'[' -f2)" PORT="$(echo $INPUT | cut -d']' -f2 |cut -d: -f2)" @@ -476,7 +484,7 @@ get_phy_device() { # only for wifi interface for x in /sys/class/ieee80211/*; do [[ ! -e "$x" ]] && continue if [[ "${x##*/}" = "$1" ]]; then - echo $1 + echo "$1" return 0 elif [[ -e "$x/device/net/$1" ]]; then echo ${x##*/} @@ -601,7 +609,7 @@ alloc_new_iface() { # only for wifi if ! is_interface ${v_iface_name} && [[ ! -f $COMMON_CONFDIR/ifaces/${v_iface_name} ]]; then mkdir -p $COMMON_CONFDIR/ifaces touch $COMMON_CONFDIR/ifaces/${v_iface_name} - echo ${v_iface_name} + echo "${v_iface_name}" return fi i=$((i + 1)) 
@@ -626,7 +634,7 @@ get_new_macaddr() { NEWMAC="${OLDMAC%:*}:$(printf %02x $(( ($LAST_BYTE + $i) % 256 )))" (get_all_macaddrs | grep "$NEWMAC" > /dev/null 2>&1) || break done - echo $NEWMAC + echo "$NEWMAC" } generate_random_mac() { @@ -1094,7 +1102,7 @@ list_running_conf() { local x for x in $TMPDIR/lnxrouter.*; do if [[ -f $x/pid && -f $x/subn_iface && -d /proc/$(cat $x/pid) ]]; then - echo $x + echo "$x" fi done } @@ -1126,7 +1134,7 @@ get_confdir_from_pid() { local IFACE x for x in $(list_running_conf); do if [[ $(cat $x/pid) == "$1" ]]; then - echo $x + echo "$x" break fi done @@ -1138,8 +1146,8 @@ print_client_by_mac() { if [[ -f $CONFDIR/dnsmasq.leases ]]; then line=$(grep " $mac " $CONFDIR/dnsmasq.leases | tail -n 1) - ipaddr=$(echo $line | cut -d' ' -f3) - hostname=$(echo $line | cut -d' ' -f4) + ipaddr=$(echo "$line" | cut -d' ' -f3) + hostname=$(echo "$line" | cut -d' ' -f4) fi [[ -z "$ipaddr" ]] && ipaddr="*" @@ -1155,9 +1163,9 @@ print_clients_in_leases() { if [[ -f $CONFDIR/dnsmasq.leases ]]; then while read line do - mac=$(echo $line | cut -d' ' -f2) - ipaddr=$(echo $line | cut -d' ' -f3) - hostname=$(echo $line | cut -d' ' -f4) + mac=$(echo "$line" | cut -d' ' -f2) + ipaddr=$(echo "$line" | cut -d' ' -f3) + hostname=$(echo "$line" | cut -d' ' -f4) printf "%-20s %-18s %s\n" "MAC" "IP" "Hostname" printf "%-20s %-18s %s\n" "$mac" "$ipaddr" "$hostname" @@ -1489,7 +1497,7 @@ else SUBNET_IFACE=${TARGET_IFACE} fi -echo $SUBNET_IFACE > $CONFDIR/subn_iface +echo "$SUBNET_IFACE" > $CONFDIR/subn_iface if [[ $WIFI_IFACE ]]; then @@ -1637,7 +1645,7 @@ if [[ $NO_DNSMASQ -eq 0 ]]; then fi if [[ $DNS ]]; then - DNS_count=$(echo $DNS | awk -F, '{print NF}') + DNS_count=$(echo "$DNS" | awk -F, '{print NF}') for (( i=1;i<=DNS_count;i++ )); do sep_ip_port "$(echo $DNS | cut -d, -f$i)" DNS_IP DNS_PORT [[ "$DNS_PORT" ]] && DNS_PORT_D="#$DNS_PORT" 
@@ -1684,7 +1692,7 @@ if [[ $WIFI_IFACE ]]; then if [[ $NO_HAVEGED -eq 0 ]]; then haveged_watchdog & HAVEGED_WATCHDOG_PID=$! - echo $HAVEGED_WATCHDOG_PID > $CONFDIR/haveged_watchdog.pid + echo "$HAVEGED_WATCHDOG_PID" > $CONFDIR/haveged_watchdog.pid echo "haveged_watchdog PID: $HAVEGED_WATCHDOG_PID" fi @@ -1700,7 +1708,7 @@ if [[ $WIFI_IFACE ]]; then # hostapd '-P' works only when use '-B' (run in background) $STDBUF_PATH hostapd $HOSTAPD_DEBUG_ARGS -P $CONFDIR/hostapd.pid $CONFDIR/hostapd.conf & HOSTAPD_PID=$! - echo $HOSTAPD_PID > $CONFDIR/hostapd.pid + echo "$HOSTAPD_PID" > $CONFDIR/hostapd.pid echo "hostapd PID: $HOSTAPD_PID" #while [[ ! -f $CONFDIR/hostapd.pid ]]; do # sleep 1 @@ -1794,12 +1802,31 @@ if [[ $NO_DNSMASQ -eq 0 ]]; then fi +show_qr() { + local T S P H + S="$SSID" + if [[ -n "$PASSPHRASE" ]]; then + T="WPA" + P="$PASSPHRASE" + else + T="nopass" + fi + [[ "$HIDDEN" -eq 1 ]] && H="true" + echo "Scan QR code on phone to connect to WiFi" + qrencode -m 2 -t ANSIUTF8 "WIFI:T:${T};S:${S};P:${P};H:${H};" + echo "Use this command to save QR code to image file:" + echo " qrencode -m 2 -o \"WIFI:T:${T};S:${S};P:${P};H:${H};\"" +} + echo echo "== Setting up completed, now linux-router is working ==" + +[[ "$QR" -eq 1 ]] && show_qr + # need loop to keep this script running bash -c "while :; do sleep 8000 ; done " & KEEP_RUNNING_PID=$! -echo $KEEP_RUNNING_PID > $CONFDIR/keep_running.pid +echo "$KEEP_RUNNING_PID" > $CONFDIR/keep_running.pid wait $KEEP_RUNNING_PID clean_exit
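Review bot: In the README features hunk (`@@ -14,11 +14,10 @@`) the bullet `- Hidden SSID` is dropped from the "Creating Wifi hotspot" list, yet `--hidden Hide access point (not broadcast SSID)` stays in the options table and the new `show_qr` still reads `$HIDDEN`. If the removal is deliberate (an unbroadcast SSID is not a security control, so not advertising it as a feature is reasonable), the commit message should say so; otherwise restore the bullet so the feature list matches the CLI.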
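Review bot: The relocated Tor example (README hunk `@@ -119,22 +107,52 @@`) now binds `TransPort 192.168.55.1:9040` and `TransPort [fd00:5:6:7::1]:9040` instead of the old `0.0.0.0` / `[::]` wildcards, which keeps the transparent-proxy and DNS ports off every other interface of the host; that is the right direction, but add one sentence saying that the `-g 192.168.55.1` and `--p6 fd00:5:6:7::` values must match the addresses in `torrc`, because a reader who changes one without the other gets a proxy that silently fails. In the same hunk, the "Clients-in-sandbox network" block has typos: "infomation" should be "information", "warrenty" should be "warranty", and "use on your own risk" should be "use at your own risk". The trailing `--catch-dns --log-dns # optional` is fine as the last line of a backslash-continued command, but it is safer to put "optional" in the sentence above the block than in a comment a reader may paste mid-command.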
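Review bot: In the LXD hunk (`@@ -147,33 +165,31 @@`), `lxc profile add profile5`, `lxc profile remove profile5`, `lxc config device add eth0 nic name=eth0 nictype=bridged parent=lxdbr5` and `lxc config device remove eth0` all omit the instance name that these `lxc` subcommands take as their first argument (`lxc profile add <instance> <profile>`, `lxc config device add <instance> <device> nic ...`), so they fail when copied as written. The hunk only strips the `$` prompts, so this predates the change, but it is the moment to insert a placeholder such as `<container>` and mention it in the sentence above each block.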
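Review bot: In the dependencies/TODO hunk (`@@ -314,9 +332,13 @@`), `- qrencode (opional)` should read `(optional)`, and it helps the reader to say it is needed only for `--qr`. The context line `- Explictly ban forwarding if not needed` has a pre-existing typo ("Explicitly") that could be fixed while this list is being edited, and `Refactor clients(neighbors) listing` wants a space before the parenthesis.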
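Review bot: The quoting fix in `sep_ip_port` (hunks `@@ -437,8 +445,8 @@` and `@@ -446,8 +454,8 @@`) is only half done: `"$INPUT"` is now quoted in the `grep` tests, but the lines immediately below, `IP="$(echo $INPUT | cut -d: -f1)"`, `PORT="$(echo $INPUT | cut -d: -f2)"` and the `cut -d']'` pair for IPv6, still expand `$INPUT` unquoted, so an argument containing whitespace or glob characters is word-split and globbed there. Quote those as well so the function is consistent; the value comes straight from the user's `--dns` argument, and consistent quoting is what keeps that input inert.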
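Review bot: Same inconsistency in `get_phy_device` (hunk `@@ -476,7 +484,7 @@`): `echo "$1"` is quoted but `echo ${x##*/}` two lines later is not; quote it too. Likewise in the dnsmasq DNS loop (hunk `@@ -1637,7 +1645,7 @@`), `DNS_count=$(echo "$DNS" | awk -F, '{print NF}')` is quoted while `sep_ip_port "$(echo $DNS | cut -d, -f$i)"` on the next visible line still expands `$DNS` unquoted.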
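Review bot: In `print_clients_in_leases` (hunk `@@ -1155,9 +1163,9 @@`) the header `printf "%-20s %-18s %s\n" "MAC" "IP" "Hostname"` sits inside the `while read line` loop, so it is reprinted before every lease; move it above the loop (the TODO item "Refactor clients(neighbors) listing" may be aiming at this). While here, use `while IFS= read -r line` so backslashes in the lease's hostname field are not interpreted: that field is supplied by the DHCP client, and printing it through `printf "%s"` as this hunk (and `print_client_by_mac` in hunk `@@ -1138,8 +1146,8 @@`) does is the right pattern for client-controlled text; keep it that way in any refactor rather than switching to `echo -e` or placing the value inside a format string.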
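Review bot: Three problems in `show_qr` (hunk `@@ -1794,12 +1802,31 @@`). First, the hint line `echo " qrencode -m 2 -o \"WIFI:T:${T};S:${S};P:${P};H:${H};\""` is wrong: `-o` takes the output file name, so the printed command would create a file named after the WiFi string and wait for data on stdin; it should be `qrencode -m 2 -o wifi.png "WIFI:T:...;"`. Second, the `WIFI:` payload is built by plain interpolation, but the format requires `\`, `;`, `,`, `:` and `"` inside the SSID and passphrase to be backslash-escaped; an SSID or passphrase containing `;` or `:` yields a code that phones parse incorrectly (a passphrase is cut at the first `;`), so escape `S` and `P` before concatenating, for example with `sed 's/[\\;,:"]/\\&/g'`. Third, when the network is not hidden `H` is empty and the string carries `H:;`, and with `T=nopass` it carries `P:;`; omit empty fields rather than emitting them. Also guard the call with `command -v qrencode` and a clear message, since the README lists qrencode as optional, and note in the README that `--qr` prints the passphrase in clear to the terminal (both in the code and in the hint line), so it ends up in scrollback or in any captured log of the script's output.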