From cfaf9027730e47f48e59e1cba244545820ab5cc0 Mon Sep 17 00:00:00 2001 From: exodious Date: Sun, 21 Jun 2020 21:26:22 -0400 Subject: [PATCH 01/12] Store install-cni-plugins.sh once --- {AdguardHome => cni-plugins}/install-cni-plugins.sh | 1 + nextdns/install-cni-plugins.sh | 5 ----- run-pihole/install-cni-plugins.sh | 5 ----- 3 files changed, 1 insertion(+), 10 deletions(-) rename {AdguardHome => cni-plugins}/install-cni-plugins.sh (99%) delete mode 100644 nextdns/install-cni-plugins.sh delete mode 100644 run-pihole/install-cni-plugins.sh diff --git a/AdguardHome/install-cni-plugins.sh b/cni-plugins/install-cni-plugins.sh similarity index 99% rename from AdguardHome/install-cni-plugins.sh rename to cni-plugins/install-cni-plugins.sh index 21a924f..32e7f65 100644 --- a/AdguardHome/install-cni-plugins.sh +++ b/cni-plugins/install-cni-plugins.sh @@ -1,4 +1,5 @@ #!/bin/sh + curl -L https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-arm64-v0.8.6.tgz -o /tmp/cni.tgz mkdir -p /mnt/data/podman/cni/ tar xf /tmp/cni.tgz -C /mnt/data/podman/cni/ diff --git a/nextdns/install-cni-plugins.sh b/nextdns/install-cni-plugins.sh deleted file mode 100644 index 21a924f..0000000 --- a/nextdns/install-cni-plugins.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -curl -L https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-arm64-v0.8.6.tgz -o /tmp/cni.tgz -mkdir -p /mnt/data/podman/cni/ -tar xf /tmp/cni.tgz -C /mnt/data/podman/cni/ -rm /tmp/cni.tgz diff --git a/run-pihole/install-cni-plugins.sh b/run-pihole/install-cni-plugins.sh deleted file mode 100644 index 43cd50c..0000000 --- a/run-pihole/install-cni-plugins.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -curl -L https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-arm64-v0.8.6.tgz -o /tmp/cni.tgz -mkdir -p /mnt/data/podman/cni/ -tar xf /tmp/cni.tgz -C /mnt/data/podman/cni/ -rm /tmp/cni.tgz \ No newline at end of file 
From 1f980e53559fb6fdb79154a6f32398019bd6e074 Mon Sep 17 00:00:00 2001 From: exodious Date: Sun, 21 Jun 2020 21:28:31 -0400 Subject: [PATCH 02/12] Newlines in on-boot-script --- on-boot-script/examples/unifi-os-files/udm.sh | 1 + on-boot-script/install-unifios.sh | 3 ++- on-boot-script/install.sh | 4 +++- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/on-boot-script/examples/unifi-os-files/udm.sh b/on-boot-script/examples/unifi-os-files/udm.sh index dc77802..0c217c5 100644 --- a/on-boot-script/examples/unifi-os-files/udm.sh +++ b/on-boot-script/examples/unifi-os-files/udm.sh @@ -1,2 +1,3 @@ #!/bin/sh + ssh -o StrictHostKeyChecking=no root@127.0.1.1 '/mnt/data/on_boot.sh' diff --git a/on-boot-script/install-unifios.sh b/on-boot-script/install-unifios.sh index b6ef7f2..bc41eee 100644 --- a/on-boot-script/install-unifios.sh +++ b/on-boot-script/install-unifios.sh @@ -1,4 +1,5 @@ #!/bin/sh + echo "#!/bin/sh ssh -o StrictHostKeyChecking=no root@127.0.1.1 '/mnt/data/on_boot.sh'" > /etc/init.d/udm.sh chmod u+x /etc/init.d/udm.sh @@ -14,4 +15,4 @@ ExecStart=/etc/init.d/udm.sh WantedBy=multi-user.target" > /etc/systemd/system/udmboot.service systemctl enable udmboot -systemctl start udmboot \ No newline at end of file +systemctl start udmboot diff --git a/on-boot-script/install.sh b/on-boot-script/install.sh index e8474a9..93f38c6 100644 --- a/on-boot-script/install.sh +++ b/on-boot-script/install.sh @@ -1,3 +1,5 @@ +#!/bin/sh + podman cp install-unifios.sh unifi-os:/root/install-unifios.sh podman exec unifi-os chmod +x /root/install-unifios.sh -podman exec unifi-os sh -c /root/install-unifios.sh \ No newline at end of file +podman exec unifi-os sh -c /root/install-unifios.sh From 0cfb15cbc3bacae735abb650680b9ff9171e9aaf Mon Sep 17 00:00:00 2001 
From: exodious Date: Sun, 21 Jun 2020 21:30:34 -0400 Subject: [PATCH 03/12] Update example on_boot.sh for directory --- .../examples/udm-files/on_boot.d/10-wpa_supplicant.sh | 7 +++++++ on-boot-script/examples/udm-files/on_boot.sh | 10 +++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) create mode 100644 on-boot-script/examples/udm-files/on_boot.d/10-wpa_supplicant.sh diff --git a/on-boot-script/examples/udm-files/on_boot.d/10-wpa_supplicant.sh b/on-boot-script/examples/udm-files/on_boot.d/10-wpa_supplicant.sh new file mode 100644 index 0000000..29a75ca --- /dev/null +++ b/on-boot-script/examples/udm-files/on_boot.d/10-wpa_supplicant.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +## create files like this with different numbers for execution order +## ala /etc/profile.d + +## example command to run, please replace with your own. +podman start wpa_supplicant-udmpro diff --git a/on-boot-script/examples/udm-files/on_boot.sh b/on-boot-script/examples/udm-files/on_boot.sh index 2287082..f41f6f4 100644 --- a/on-boot-script/examples/udm-files/on_boot.sh +++ b/on-boot-script/examples/udm-files/on_boot.sh @@ -1,5 +1,9 @@ #!/bin/sh -## example command to run, please replace with your own. -podman start wpa_supplicant-udmpro - +if [ -d /mnt/data/on_boot.d ]; then + for i in /mnt/data/on_boot.d/*.sh; do + if [ -r $i ]; then + . $i + fi + done +fi From 58b448199a5f45b300e565c8700193ede11e824f Mon Sep 17 00:00:00 2001 From: exodious Date: Sun, 21 Jun 2020 21:34:07 -0400 Subject: [PATCH 04/12] Update README.md examples --- on-boot-script/README.md | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/on-boot-script/README.md b/on-boot-script/README.md index 35398b0..5747949 100644 --- a/on-boot-script/README.md +++ b/on-boot-script/README.md 
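Review bot: The loop runs each drop-in with `. $i`, so everything in /mnt/data/on_boot.d shares one shell: an `exit` or a failing command in one file stops or affects every file after it, and variables a drop-in sets (the DNS scripts added later in this series define VLAN, CONTAINER and others) leak into the next one; `$i` is also unquoted in both the test and the source line. Running each file in its own process isolates them, e.g. `if [ -r "$i" ]; then` followed by `sh "$i"` in place of `. $i`. If sourcing is deliberate, as the profile.d comparison in 10-wpa_supplicant.sh suggests, a one-line comment above the loop stating that drop-ins share variables and must not call `exit` would make that contract explicit.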
@@ -13,16 +13,7 @@ vi /mnt/data/on_boot.sh chmod u+x /mnt/data/on_boot.sh ``` -Example: see examples/udm-files/on_boot.sh -``` -#!/bin/sh -podman start wpa_supplicant-udmpro - -iptables -t nat -C PREROUTING -p udp ! --source 10.0.0.x ! --destination 10.0.0.x --dport 53 -j DNAT --to 10.0.0.x || iptables -t nat -A PREROUTING -p udp ! --source 10.0.0.x ! --destination 10.0.0.x --dport 53 -j DNAT --to 10.0.0.x -iptables -t nat -C PREROUTING -p tcp ! --source 10.0.0.x ! --destination 10.0.0.x --dport 53 -j DNAT --to 10.0.0.x || iptables -t nat -A PREROUTING -p tcp ! --source 10.0.0.x ! --destination 10.0.0.x --dport 53 -j DNAT --to 10.0.0.x -iptables -t nat -C POSTROUTING -j MASQUERADE || iptables -t nat -A POSTROUTING -j MASQUERADE -``` - +Example: see examples/udm-files/on_boot.sh, examples/udm-files/on_boot.d/*.sh # 2. Make the unifios docker container execute this script on startup, this has to be done after every firmware update. It does persist through reboots. From 7fdf07f9dcc6571dd85e5b97e5ca4ebe88f03542 Mon Sep 17 00:00:00 2001 From: exodious Date: Sun, 21 Jun 2020 21:57:55 -0400 Subject: [PATCH 05/12] Store 20-dns.conflist once --- .../udm-files => cni-plugins}/20-dns.conflist | 0 nextdns/udm-files/20-dns.conflist | 23 ------------------- run-pihole/udm-files/20-dns.conflist | 23 ------------------- 3 files changed, 46 deletions(-) rename {AdguardHome/udm-files => cni-plugins}/20-dns.conflist (100%) delete mode 100644 nextdns/udm-files/20-dns.conflist delete mode 100644 run-pihole/udm-files/20-dns.conflist diff --git a/AdguardHome/udm-files/20-dns.conflist b/cni-plugins/20-dns.conflist similarity index 100% rename from AdguardHome/udm-files/20-dns.conflist rename to cni-plugins/20-dns.conflist diff --git a/nextdns/udm-files/20-dns.conflist b/nextdns/udm-files/20-dns.conflist deleted file mode 100644 index a6f26dd..0000000 --- a/nextdns/udm-files/20-dns.conflist +++ /dev/null 
@@ -1,23 +0,0 @@ -{ - "cniVersion": "0.4.0", - "name": "dns", - "plugins": [ - { - "type": "macvlan", - "mode": "bridge", - "master": "br5", - "ipam": { - "type": "static", - "addresses": [ - { - "address": "10.0.5.3/24", - "gateway": "10.0.5.1" - } - ], - "routes": [ - {"dst": "0.0.0.0/0"} - ] - } - } - ] -} diff --git a/run-pihole/udm-files/20-dns.conflist b/run-pihole/udm-files/20-dns.conflist deleted file mode 100644 index a6f26dd..0000000 --- a/run-pihole/udm-files/20-dns.conflist +++ /dev/null @@ -1,23 +0,0 @@ -{ - "cniVersion": "0.4.0", - "name": "dns", - "plugins": [ - { - "type": "macvlan", - "mode": "bridge", - "master": "br5", - "ipam": { - "type": "static", - "addresses": [ - { - "address": "10.0.5.3/24", - "gateway": "10.0.5.1" - } - ], - "routes": [ - {"dst": "0.0.0.0/0"} - ] - } - } - ] -} From 119be55165dc87e82eaeec53faba10e9b45d3a01 Mon Sep 17 00:00:00 2001 From: exodious Date: Sun, 21 Jun 2020 22:08:12 -0400 Subject: [PATCH 06/12] Add modularized nextdns config w/IPv6 support --- nextdns/udm-files/on_boot.d/20-nextdns.sh | 79 +++++++++++++++++++++++ nextdns/udm-files/on_boot.sh | 25 ------- 2 files changed, 79 insertions(+), 25 deletions(-) create mode 100644 nextdns/udm-files/on_boot.d/20-nextdns.sh delete mode 100644 nextdns/udm-files/on_boot.sh diff --git a/nextdns/udm-files/on_boot.d/20-nextdns.sh b/nextdns/udm-files/on_boot.d/20-nextdns.sh new file mode 100644 index 0000000..be1be72 --- /dev/null +++ b/nextdns/udm-files/on_boot.d/20-nextdns.sh 
@@ -0,0 +1,79 @@ +#!/bin/sh + +## configuration variables: +VLAN=5 +IPV4_IP="10.0.5.3" +IPV4_GW="10.0.5.1/24" + +# if you want IPv6 support, generate a ULA, select an IP for nextdns and an +# appropriate gateway address on the same /64 network. Make sure that the +# 20-dns.conflist is updated appropriately. It will need the IP and GW added +# along with a ::/0 route. Also make sure that additional --dns options are +# passed to podman with your nextdns IPv6 DNS IPs when deploying the nextdns +# container for the first time. +IPV6_IP="" +IPV6_GW="" + +# set this to the interface(s) on which you want DNS TCP/UDP port 53 traffic +# re-routed through nextdns. separate interfaces with spaces. +#e.g. "br0" or "br0 br1" +FORCED_INTFC="" + +# uncomment after after the container has been deployed +#PODMAN_START=1 + +## nextdns network configuration and startup: + +mkdir -p /opt/cni +ln -s /mnt/data/podman/cni/ /opt/cni/bin +ln -s /mnt/data/podman/cni/20-dns.conflist /etc/cni/net.d/20-dns.conflist + +# set VLAN bridge promiscuous +ip link set br${VLAN} promisc on + +# create macvlan bridge and add IPv4 IP +ip link add br${VLAN}.mac link br${VLAN} type macvlan mode bridge +ip addr add ${IPV4_GW} dev br${VLAN}.mac noprefixroute + +# (optional) add IPv6 IP to VLAN bridge macvlan bridge +if [ -n "${IPV6_GW}" ]; then + ip -6 addr add ${IPV6_GW} dev br${VLAN} + ip -6 addr add ${IPV6_GW} dev br${VLAN}.mac noprefixroute +fi + +# set macvlan bridge promiscuous and bring it up +ip link set br${VLAN}.mac promisc on +ip link set br${VLAN}.mac up + +# add IPv4 route to nextdns +ip route add ${IPV4_IP}/32 dev br${VLAN}.mac + +# (optional) add IPv6 route to nextdns +if [ -n "${IPV6_IP}" ]; then + ip -6 route add ${IPV6_IP}/128 dev br${VLAN}.mac +fi + +# Start the container +if [ "${PODMAN_START}" == "1" ]; then + podman start nextdns +fi + +# (optional) IPv4 force DNS (TCP/UDP 53) through nextdns +for intfc in ${FORCED_INTFC}; do + for proto in udp tcp; do + prerouting_rule="PREROUTING -i 
${intfc} -p ${proto} ! -s ${IPV4_IP} ! -d ${IPV4_IP} --dport 53 -j DNAT --to ${IPV4_IP}" + iptables -t nat -C ${prerouting_rule} || iptables -t nat -A ${prerouting_rule} + + postrouting_rule="POSTROUTING -o ${intfc} -d ${IPV4_IP} -p ${proto} --dport 53 -j MASQUERADE" + iptables -t nat -C ${postrouting_rule} || iptables -t nat -A ${postrouting_rule} + + # (optional) IPv6 force DNS (TCP/UDP 53) through nextdns + if [ -n "${IPV6_IP}" ]; then + prerouting_rule="PREROUTING -i ${intfc} -p ${proto} ! -s ${IPV6_IP} ! -d ${IPV6_IP} --dport 53 -j DNAT --to ${IPV6_IP}" + ip6tables -t nat -C ${prerouting_rule} || ip6tables -t nat -A ${prerouting_rule} + + postrouting_rule="POSTROUTING -o ${intfc} -d ${IPV6_IP} -p ${proto} --dport 53 -j MASQUERADE" + ip6tables -t nat -C ${postrouting_rule} || ip6tables -t nat -A ${postrouting_rule} + fi + done +done diff --git a/nextdns/udm-files/on_boot.sh b/nextdns/udm-files/on_boot.sh deleted file mode 100644 index 64d1201..0000000 --- a/nextdns/udm-files/on_boot.sh +++ /dev/null 
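Review bot: `if [ "${PODMAN_START}" == "1" ]; then` relies on `==`, which POSIX `test` does not define; with a dash-style `/bin/sh` the test errors out ("unexpected operator") and the container is never started, and the same line recurs as context in PATCH 07's `@@ -45,20 +48,20 @@` hunk. The portable form is `if [ "${PODMAN_START}" = "1" ]; then`. Separately, the comment block describes IPV6_GW as an address on a /64, but `ip -6 addr add ${IPV6_GW} dev br${VLAN}` is given no prefix length, so the kernel treats it as a /128, unlike `IPV4_GW="10.0.5.1/24"`; either carry the prefix in the variable (`IPV6_GW="<ula-prefix>::1/64"`, placeholder) or state in the comment that a /128 is intended.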
@@ -1,25 +0,0 @@ -#!/bin/sh - -mkdir -p /opt/cni -ln -s /mnt/data/podman/cni/ /opt/cni/bin -ln -s /mnt/data/podman/cni/20-dns.conflist /etc/cni/net.d/20-dns.conflist - -# Assumes your Podman network made in the controller is on VLAN 5 -# Adjust the IP to match the address in your cni configuration -ip link set br5 promisc on - -ip link add br5.mac link br5 type macvlan mode bridge -ip addr add 10.0.5.1/24 dev br5.mac noprefixroute -ip link set br5.mac promisc on -ip link set br5.mac up - -ip route add 10.0.5.3/32 dev br5.mac - -# Remove the # on the line below when Docker container is deployed. -#podman start nextdns - -# optional if you dont want to force everything through nextdns. also add anymore bridges for other networks (br5, 10 etc), un comment if you want to use them -# iptables -t nat -C PREROUTING -i br0 -p udp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 || iptables -t nat -A PREROUTING -i br0 -p udp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 -# iptables -t nat -C PREROUTING -i br0 -p tcp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 || iptables -t nat -A PREROUTING -i br0 -p tcp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 -# iptables -t nat -C POSTROUTING -o br0 -d 10.0.5.3 -p tcp --dport 53 -j MASQUERADE || iptables -t nat -A POSTROUTING -o br0 -d 10.0.5.3 -p tcp --dport 53 -j MASQUERADE -# iptables -t nat -C POSTROUTING -o br0 -d 10.0.5.3 -p udp --dport 53 -j MASQUERADE || iptables -t nat -A POSTROUTING -o br0 -d 10.0.5.3 -p udp --dport 53 -j MASQUERADE From 1388fea99ef13e68307fd01ea1de79d1a7725be7 Mon Sep 17 00:00:00 2001 From: exodious Date: Sun, 21 Jun 2020 22:19:14 -0400 Subject: [PATCH 07/12] Make nextdns script more generic --- .../on_boot.d/{20-nextdns.sh => 10-dns.sh} | 31 ++++++++++--------- 1 file changed, 17 insertions(+), 14 deletions(-) rename nextdns/udm-files/on_boot.d/{20-nextdns.sh => 10-dns.sh} (70%) 
diff --git a/nextdns/udm-files/on_boot.d/20-nextdns.sh b/nextdns/udm-files/on_boot.d/10-dns.sh similarity index 70% rename from nextdns/udm-files/on_boot.d/20-nextdns.sh rename to nextdns/udm-files/on_boot.d/10-dns.sh index be1be72..216d119 100644 --- a/nextdns/udm-files/on_boot.d/20-nextdns.sh +++ b/nextdns/udm-files/on_boot.d/10-dns.sh @@ -5,24 +5,27 @@ VLAN=5 IPV4_IP="10.0.5.3" IPV4_GW="10.0.5.1/24" -# if you want IPv6 support, generate a ULA, select an IP for nextdns and an -# appropriate gateway address on the same /64 network. Make sure that the -# 20-dns.conflist is updated appropriately. It will need the IP and GW added -# along with a ::/0 route. Also make sure that additional --dns options are -# passed to podman with your nextdns IPv6 DNS IPs when deploying the nextdns -# container for the first time. +# if you want IPv6 support, generate a ULA, select an IP for the dns server +# and an appropriate gateway address on the same /64 network. Make sure that +# the 20-dns.conflist is updated appropriately. It will need the IP and GW +# added along with a ::/0 route. Also make sure that additional --dns options +# are passed to podman with your IPv6 DNS IPs when deploying the container for +# the first time. IPV6_IP="" IPV6_GW="" # set this to the interface(s) on which you want DNS TCP/UDP port 53 traffic -# re-routed through nextdns. separate interfaces with spaces. -#e.g. "br0" or "br0 br1" +# re-routed through the DNS container. separate interfaces with spaces. +# e.g. "br0" or "br0 br1" etc. FORCED_INTFC="" # uncomment after after the container has been deployed #PODMAN_START=1 -## nextdns network configuration and startup: +# container name; e.g. nextdns, pihole, AdguardHome, etc. +CONTAINER=nextdns + +## network configuration and startup: mkdir -p /opt/cni ln -s /mnt/data/podman/cni/ /opt/cni/bin 
@@ -45,20 +48,20 @@ fi ip link set br${VLAN}.mac promisc on ip link set br${VLAN}.mac up -# add IPv4 route to nextdns +# add IPv4 route to DNS container ip route add ${IPV4_IP}/32 dev br${VLAN}.mac -# (optional) add IPv6 route to nextdns +# (optional) add IPv6 route to DNS container if [ -n "${IPV6_IP}" ]; then ip -6 route add ${IPV6_IP}/128 dev br${VLAN}.mac fi # Start the container if [ "${PODMAN_START}" == "1" ]; then - podman start nextdns + podman start ${CONTAINER} fi -# (optional) IPv4 force DNS (TCP/UDP 53) through nextdns +# (optional) IPv4 force DNS (TCP/UDP 53) through DNS container for intfc in ${FORCED_INTFC}; do for proto in udp tcp; do prerouting_rule="PREROUTING -i ${intfc} -p ${proto} ! -s ${IPV4_IP} ! -d ${IPV4_IP} --dport 53 -j DNAT --to ${IPV4_IP}" @@ -67,7 +70,7 @@ for intfc in ${FORCED_INTFC}; do postrouting_rule="POSTROUTING -o ${intfc} -d ${IPV4_IP} -p ${proto} --dport 53 -j MASQUERADE" iptables -t nat -C ${postrouting_rule} || iptables -t nat -A ${postrouting_rule} - # (optional) IPv6 force DNS (TCP/UDP 53) through nextdns + # (optional) IPv6 force DNS (TCP/UDP 53) through DNS container if [ -n "${IPV6_IP}" ]; then prerouting_rule="PREROUTING -i ${intfc} -p ${proto} ! -s ${IPV6_IP} ! -d ${IPV6_IP} --dport 53 -j DNAT --to ${IPV6_IP}" ip6tables -t nat -C ${prerouting_rule} || ip6tables -t nat -A ${prerouting_rule} From c48519a40d9a44197cad656e729056bd895cd07b Mon Sep 17 00:00:00 2001 From: exodious Date: Sun, 21 Jun 2020 22:23:43 -0400 Subject: [PATCH 08/12] Use common setup script for each dns service --- AdguardHome/udm-files/on_boot.sh | 24 ------------------ .../on_boot.d/10-dns.sh | 2 +- run-pihole/udm-files/on_boot.sh | 25 ------------------- 3 files changed, 1 insertion(+), 50 deletions(-) delete mode 100644 AdguardHome/udm-files/on_boot.sh rename {nextdns/udm-files => dns-common}/on_boot.d/10-dns.sh (98%) delete mode 100644 run-pihole/udm-files/on_boot.sh 
diff --git a/AdguardHome/udm-files/on_boot.sh b/AdguardHome/udm-files/on_boot.sh deleted file mode 100644 index 10b8537..0000000 --- a/AdguardHome/udm-files/on_boot.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/sh - -mkdir -p /opt/cni -ln -s /mnt/data/podman/cni/ /opt/cni/bin -ln -s /mnt/data/podman/cni/20-dns.conflist /etc/cni/net.d/20-dns.conflist - -# Create a new bridge interface so the host can talk to containers inside the podman macvlan network -# Assumes your Podman network made in the controller is on VLAN 5 -# Adjust the IP to match the address in your cni configuration -ip link set br5 promisc on - -ip link add br5.mac link br5 type macvlan mode bridge -ip addr add 10.0.5.1/24 dev br5.mac noprefixroute -ip link set br5.mac promisc on -ip link set br5.mac up - -ip route add 10.0.5.3/32 dev br5.mac -#Remove the # on the line below when Docker container is deployed. -#podman start AdguardHome - -# Uncomment and adjust these rules if you want to use DNAT to force DNS to this container. -# iptables -t nat -C PREROUTING -i br0 -p udp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 || iptables -t nat -A PREROUTING -i br0 -p udp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 -# iptables -t nat -C PREROUTING -i br0 -p tcp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 || iptables -t nat -A PREROUTING -i br0 -p tcp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 - diff --git a/nextdns/udm-files/on_boot.d/10-dns.sh b/dns-common/on_boot.d/10-dns.sh similarity index 98% rename from nextdns/udm-files/on_boot.d/10-dns.sh rename to dns-common/on_boot.d/10-dns.sh index 216d119..b78459c 100644 --- a/nextdns/udm-files/on_boot.d/10-dns.sh +++ b/dns-common/on_boot.d/10-dns.sh 
@@ -22,7 +22,7 @@ FORCED_INTFC="" # uncomment after after the container has been deployed #PODMAN_START=1 -# container name; e.g. nextdns, pihole, AdguardHome, etc. +# container name; e.g. nextdns, pihole, adguardhome, etc. CONTAINER=nextdns ## network configuration and startup: diff --git a/run-pihole/udm-files/on_boot.sh b/run-pihole/udm-files/on_boot.sh deleted file mode 100644 index 228e873..0000000 --- a/run-pihole/udm-files/on_boot.sh +++ /dev/null 
@@ -1,25 +0,0 @@ -#!/bin/sh - -mkdir -p /opt/cni -ln -s /mnt/data/podman/cni/ /opt/cni/bin -ln -s /mnt/data/podman/cni/20-dns.conflist /etc/cni/net.d/20-dns.conflist - -# Create a new bridge interface so the host can talk to containers inside the podman macvlan network -# Assumes your Podman network made in the controller is on VLAN 5 -# Adjust the IP to match the address in your cni configuration -ip link set br5 promisc on - -ip link add br5.mac link br5 type macvlan mode bridge -ip addr add 10.0.5.1/24 dev br5.mac noprefixroute -ip link set br5.mac promisc on -ip link set br5.mac up - -ip route add 10.0.5.3/32 dev br5.mac -# Remove the # on the line below when Docker container is deployed. -#podman start pihole - -# Uncomment and adjust these rules if you want to use DNAT to force DNS to this container. -# iptables -t nat -C PREROUTING -i br0 -p udp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 || iptables -t nat -A PREROUTING -i br0 -p udp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 -# iptables -t nat -C PREROUTING -i br0 -p tcp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 || iptables -t nat -A PREROUTING -i br0 -p tcp ! --source 10.0.5.3 ! --destination 10.0.5.3 --dport 53 -j DNAT --to 10.0.5.3 -# iptables -t nat -C POSTROUTING -o br0 -d 10.0.5.3 -p tcp --dport 53 -j MASQUERADE || iptables -t nat -A POSTROUTING -o br0 -d 10.0.5.3 -p tcp --dport 53 -j MASQUERADE -# iptables -t nat -C POSTROUTING -o br0 -d 10.0.5.3 -p udp --dport 53 -j MASQUERADE || iptables -t nat -A POSTROUTING -o br0 -d 10.0.5.3 -p udp --dport 53 -j MASQUERADE From 8cb0e6fd07c7567e6bb83e8ecdc1d0bd9b54acb5 Mon Sep 17 00:00:00 2001 From: exodious Date: Sun, 21 Jun 2020 22:36:03 -0400 Subject: [PATCH 09/12] Add missing newlines --- nextdns/docker/Dockerfile | 2 +- python/install_pip.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/nextdns/docker/Dockerfile b/nextdns/docker/Dockerfile index eef87fe..6700c53 100644 --- a/nextdns/docker/Dockerfile +++ b/nextdns/docker/Dockerfile @@ -8,4 +8,4 @@ RUN apk add --no-cache ca-certificates \ && rm /tmp/nextdns.tar.gz EXPOSE 53/tcp 53/udp ENTRYPOINT ["/opt/nextdns/nextdns","run", "-config-file", "/etc/nextdns/nextdns.conf"] -CMD [] \ No newline at end of file +CMD [] diff --git a/python/install_pip.sh b/python/install_pip.sh index 1825298..870716b 100644 --- a/python/install_pip.sh +++ b/python/install_pip.sh @@ -8,4 +8,4 @@ python get-pip.py ln -s $(podman inspect unifi-os -f {{.GraphDriver.Data.MergedDir}})/usr/local/bin/pip3 /usr/bin/pip rm /usr/lib64/libssl.so.1.1 -rm /usr/lib64/libcrypto.so.1.1 \ No newline at end of file +rm /usr/lib64/libcrypto.so.1.1 From 28b05959239950af069339657b74f2aa89b73f91 Mon Sep 17 00:00:00 2001 From: John Dorman Date: Sun, 28 Jun 2020 02:59:55 -0700 Subject: [PATCH 10/12] Readme updates and ipv6 support --- AdguardHome/README.md | 54 ++++----- AdguardHome/udm-files/on_boot.sh | 0 README.md | 3 + cni-plugins/20-dnsipv6.conflist | 27 +++++ dns-common/on_boot.d/10-dns.sh | 14 +-- dns-common/on_boot.d/10-dnsipv6.sh | 76 ++++++++++++ nextdns/README.md | 48 ++++---- on-boot-script/README.md | 109 +++++++++--------- on-boot-script/install.sh | 45 +++++++- python/{on_boot.sh => on_boot.d/20-python.sh} | 0 run-pihole/README.md | 62 +++++----- 11 files changed, 285 insertions(+), 153 deletions(-) delete mode 100644 AdguardHome/udm-files/on_boot.sh create mode 100644 cni-plugins/20-dnsipv6.conflist create mode 100644 dns-common/on_boot.d/10-dnsipv6.sh rename python/{on_boot.sh => on_boot.d/20-python.sh} (100%) diff --git a/AdguardHome/README.md b/AdguardHome/README.md index 0cec860..e621e6e 100644 --- a/AdguardHome/README.md +++ b/AdguardHome/README.md 
@@ -5,43 +5,33 @@ 2. Persists through reboots and firmware updates. ### Requirements -1. You have setup the on boot script described [here](https://github.com/boostchicken/udmpro-utilities/tree/master/on-boot-script) -2. AdguardHome persists through firmware updates as it will store the configuration in a folder (you need to create this) -It needs 2 folders, a Work and Configuration folder. Plese create the 2 folder in "/mnt/data/". In my example I created "AdguardHome-Confdir" and "AdguardHome-Workdir" -The on-boot script needs to be setup after firmware update of UDM. When on-boot script is recreated, everything should work. +1. You have setup the on boot script described [here](https://github.com/boostchicken/udm-utilities/tree/master/on-boot-script) +2. AdguardHome persists through firmware updates as it will store the configuration in a folder (you need to create this). It needs 2 folders, a Work and Configuration folder. Please create the 2 folder in "/mnt/data/". In my example I created "AdguardHome-Confdir" and "AdguardHome-Workdir" +3. The on-boot script needs to be setup after firmware update of UDM. When on-boot script is recreated, everything should work. ### Customization -* Feel free to change [20-dns.conflist](https://github.com/boostchicken/udm-utilities/blob/master/AdguardHome/udm-files/20-dns.conflist) to change the IP address of the container. Make sure to update all ip references and the iptables rules in [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/AdguardHome/udm-files/on_boot.sh). The IP address can be anywhere from x.x.x.3 to x.x.x.254. .1 is reserved for the gateway and .2 is reserved for the macvlan bridge. 
-* If you don't want to use vlan5, just replace br5 with br(vlanid) in [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/AdguardHome/udm-files/on_boot.sh) and [20-dns.conflist](https://github.com/boostchicken/udm-utilities/blob/master/AdguardHome/udm-files/20-dns.conflist), also update all the ips accordingly +* Feel free to change [20-dns.conflist](../cni-plugins/20-dns.conflist) to change the IP address of the container. +* Update [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) with your own values +* If you want IPv6 support use [20-dnsipv6.conflist](../cni-plugins/20-dnsipv6.conflist) and [10-dnsipv6.sh](../dns-common/on_boot.d/10-dnsipv6.sh). Also, please provide IPv6 servers to podman using --dns arguments. ### Steps 1. On your controller, make a Corporate network with no DHCP server and give it a VLAN. For this example we are using VLAN 5. -2. Install the CNI plugins with by executing [install-cni-plugins.sh](https://github.com/boostchicken/udm-utilities/blob/master/AdguardHome/install-cni-plugins.sh) on your UDM -3. Copy [20-dns.conflist](https://github.com/boostchicken/udm-utilities/blob/master/AdguardHome/udm-files/20-dns.conflist) to /mnt/data/podman/cni (or a place of your choosing and update [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/AdguardHome/udm-files/on_boot.sh) symlink). This will create your podman macvlan network -4. Update your on_boot.sh to include the commands in [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/AdguardHome/udm-files/on_boot.sh). You can leave out the iptables rules if you don't want to DNAT all DNS calls to your AdGuard instance -5. Execute on_boot.sh +2. Install the CNI plugins with by executing [install-cni-plugins.sh](../cni-plugins/install-cni-plugins.sh) on your UDM +3. Copy [20-dns.conflist](../cni-plugins/20-dns.conflist) to /mnt/data/podman/cni. This will create your podman macvlan network +4. 
Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment (specifically the container name) +5. Execute /mnt/data/on_boot.d/10-dns.sh 6. Run the AdguardHome docker container, be sure to make the directories for your persistent AdguardHome configuration. They are mounted as volumes in the command below. -``` -podman run -d --network dns --restart always \ - --name adguardhome \ - -v "/mnt/data/AdguardHome-Confdir/:/opt/adguardhome/conf/" \ - -v "/mnt/data/AdguardHome-Workdir/:/opt/adguardhome/work/" \ - --dns=127.0.0.1 --dns=1.1.1.1 \ - --hostname adguardhome \ - adguard/adguardhome:arm64-latest -``` + ```shell script + podman run -d --network dns --restart always \ + --name adguardhome \ + -v "/mnt/data/AdguardHome-Confdir/:/opt/adguardhome/conf/" \ + -v "/mnt/data/AdguardHome-Workdir/:/opt/adguardhome/work/" \ + --dns=127.0.0.1 --dns=1.1.1.1 \ + --hostname adguardhome \ + adguard/adguardhome:arm64-latest + ``` -7. Change on_boot.sh line 17 -From -``` -#podman start AdguardHome -``` -To -``` -podman start AdguardHome -``` -This makes sure that the AdguardHome container will start after reboot of UDM. -8. Browse to 10.0.5.3:3000 and follow the setup wizard -9. Update your DNS Servers to 10.0.5.3 (or your custom ip) in all your DHCP configs. -10. Access the AdguardHome like you would normally. +7. Browse to 10.0.5.3:3000 and follow the setup wizard +8. Update your DNS Servers to 10.0.5.3 (or your custom ip) in all your DHCP configs. +9. Access the AdguardHome like you would normally. diff --git a/AdguardHome/udm-files/on_boot.sh b/AdguardHome/udm-files/on_boot.sh deleted file mode 100644 index e69de29..0000000 diff --git a/README.md b/README.md index c08d2d8..b57a4a4 100644 --- a/README.md +++ b/README.md 
@@ -4,6 +4,9 @@ A collection of things to enhance the capabilities of your Unifi Dream Machine o ### on-boot-script Run any commands when your UDM starts. +### dns-common +Configurations for DNS containers, both IPv4 and IPv6 + ### run-pihole Run pihole on your UDM with podman. Utilizes macvlan cni plugins to completely isolate the network stack diff --git a/cni-plugins/20-dnsipv6.conflist b/cni-plugins/20-dnsipv6.conflist new file mode 100644 index 0000000..5d9654a --- /dev/null +++ b/cni-plugins/20-dnsipv6.conflist @@ -0,0 +1,27 @@ +{ + "cniVersion": "0.4.0", + "name": "dns", + "plugins": [ + { + "type": "macvlan", + "mode": "bridge", + "master": "br5", + "ipam": { + "type": "static", + "addresses": [ + { + "address": "10.0.5.3/24", + "gateway": "10.0.5.1" + }, + { + "address": "fd62:89a2:fda9:e23:0:0:0:2", + "gateway": "fd62:89a2:fda9:e23:0:0:0:1" + } + ], + "routes": [ + {"dst": "0.0.0.0/0"},{"dst": "::/0"} + ] + } + } + ] +} diff --git a/dns-common/on_boot.d/10-dns.sh b/dns-common/on_boot.d/10-dns.sh index b78459c..32642b7 100644 --- a/dns-common/on_boot.d/10-dns.sh +++ b/dns-common/on_boot.d/10-dns.sh @@ -11,17 +11,14 @@ IPV4_GW="10.0.5.1/24" # added along with a ::/0 route. Also make sure that additional --dns options # are passed to podman with your IPv6 DNS IPs when deploying the container for # the first time. -IPV6_IP="" -IPV6_GW="" +IPV6_IP="fd62:89a2:fda9:e23:0:0:0:2" +IPV6_GW="fd62:89a2:fda9:e23:0:0:0:1" # set this to the interface(s) on which you want DNS TCP/UDP port 53 traffic # re-routed through the DNS container. separate interfaces with spaces. # e.g. "br0" or "br0 br1" etc. FORCED_INTFC="" -# uncomment after after the container has been deployed -#PODMAN_START=1 - # container name; e.g. nextdns, pihole, adguardhome, etc. CONTAINER=nextdns 
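Review bot: The new IPv6 entry `"address": "fd62:89a2:fda9:e23:0:0:0:2"` carries no prefix length while its IPv4 sibling is `"10.0.5.3/24"`; the static IPAM plugin documents `address` as an IP in CIDR notation, so this entry is likely to fail to parse or to receive an unintended prefix. Giving it the /64 the script comments describe, e.g. `"address": "fd62:89a2:fda9:e23::2/64"`, keeps the two entries consistent. The file also keeps `"name": "dns"`, the same network name as 20-dns.conflist; if both are ever symlinked into /etc/cni/net.d the names collide, so the README (or a distinct name) should make clear that only one of them is installed.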
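Review bot: The common 10-dns.sh now ships with populated example values `IPV6_IP="fd62:89a2:fda9:e23:0:0:0:2"` and `IPV6_GW="fd62:89a2:fda9:e23:0:0:0:1"`, so the `[ -n "${IPV6_IP}" ]` / `[ -n "${IPV6_GW}" ]` guards further down are always true and an IPv4-only deployment will add a ULA the operator does not own and install ip6tables DNAT rules for it. The new 10-dnsipv6.sh in this same commit (hunk `@@ -0,0 +1,76 @@`) does the opposite, leaving both empty and linking 20-dns.conflist, and the next hunk here (`@@ -29,7 +26,7 @@`) re-points the symlink to 20-dnsipv6.conflist, which looks like the two files' contents were swapped. Restoring `IPV6_IP=""` and `IPV6_GW=""` in 10-dns.sh and moving the populated values to 10-dnsipv6.sh would match the opt-in behaviour the comment block above the variables still describes. Dropping `#PODMAN_START=1` also removes the only explicit opt-in to starting the container; since the replacement `podman container exists` check now starts it automatically, the comment block should say so.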
@@ -29,7 +26,7 @@ CONTAINER=nextdns mkdir -p /opt/cni ln -s /mnt/data/podman/cni/ /opt/cni/bin -ln -s /mnt/data/podman/cni/20-dns.conflist /etc/cni/net.d/20-dns.conflist +ln -s /mnt/data/podman/cni/20-dnsipv6.conflist /etc/cni/net.d/20-dnsipv6.conflist # set VLAN bridge promiscuous ip link set br${VLAN} promisc on @@ -56,10 +53,7 @@ if [ -n "${IPV6_IP}" ]; then ip -6 route add ${IPV6_IP}/128 dev br${VLAN}.mac fi -# Start the container -if [ "${PODMAN_START}" == "1" ]; then - podman start ${CONTAINER} -fi +podman container exists ${CONTAINER} && podman start ${CONTAINER} # (optional) IPv4 force DNS (TCP/UDP 53) through DNS container for intfc in ${FORCED_INTFC}; do diff --git a/dns-common/on_boot.d/10-dnsipv6.sh b/dns-common/on_boot.d/10-dnsipv6.sh new file mode 100644 index 0000000..9b99b89 --- /dev/null +++ b/dns-common/on_boot.d/10-dnsipv6.sh 
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+## configuration variables:
+VLAN=5
+IPV4_IP="10.0.5.3"
+IPV4_GW="10.0.5.1/24"
+
+# if you want IPv6 support, generate a ULA, select an IP for the dns server
+# and an appropriate gateway address on the same /64 network. Make sure that
+# the 20-dns.conflist is updated appropriately. It will need the IP and GW
+# added along with a ::/0 route. Also make sure that additional --dns options
+# are passed to podman with your IPv6 DNS IPs when deploying the container for
+# the first time.
+IPV6_IP=""
+IPV6_GW=""
+
+# set this to the interface(s) on which you want DNS TCP/UDP port 53 traffic
+# re-routed through the DNS container. separate interfaces with spaces.
+# e.g. "br0" or "br0 br1" etc.
+FORCED_INTFC=""
+
+# container name; e.g. nextdns, pihole, adguardhome, etc.
+CONTAINER=nextdns
+
+## network configuration and startup:
+
+mkdir -p /opt/cni
+ln -s /mnt/data/podman/cni/ /opt/cni/bin
+ln -s /mnt/data/podman/cni/20-dns.conflist /etc/cni/net.d/20-dns.conflist
+
+# set VLAN bridge promiscuous
+ip link set br${VLAN} promisc on
+
+# create macvlan bridge and add IPv4 IP
+ip link add br${VLAN}.mac link br${VLAN} type macvlan mode bridge
+ip addr add ${IPV4_GW} dev br${VLAN}.mac noprefixroute
+
+# (optional) add IPv6 IP to VLAN bridge macvlan bridge
+if [ -n "${IPV6_GW}" ]; then
+ ip -6 addr add ${IPV6_GW} dev br${VLAN}
+ ip -6 addr add ${IPV6_GW} dev br${VLAN}.mac noprefixroute
+fi
+
+# set macvlan bridge promiscuous and bring it up
+ip link set br${VLAN}.mac promisc on
+ip link set br${VLAN}.mac up
+
+# add IPv4 route to DNS container
+ip route add ${IPV4_IP}/32 dev br${VLAN}.mac
+
+# (optional) add IPv6 route to DNS container
+if [ -n "${IPV6_IP}" ]; then
+ ip -6 route add ${IPV6_IP}/128 dev br${VLAN}.mac
+fi
+
+podman container exists ${CONTAINER} && podman start ${CONTAINER}
+
+# (optional) IPv4 force DNS (TCP/UDP 53) through DNS container
+for intfc in ${FORCED_INTFC}; do
+ for proto in udp tcp; do
+ prerouting_rule="PREROUTING -i ${intfc} -p ${proto} ! -s ${IPV4_IP} ! -d ${IPV4_IP} --dport 53 -j DNAT --to ${IPV4_IP}"
+ iptables -t nat -C ${prerouting_rule} || iptables -t nat -A ${prerouting_rule}
+
+ postrouting_rule="POSTROUTING -o ${intfc} -d ${IPV4_IP} -p ${proto} --dport 53 -j MASQUERADE"
+ iptables -t nat -C ${postrouting_rule} || iptables -t nat -A ${postrouting_rule}
+
+ # (optional) IPv6 force DNS (TCP/UDP 53) through DNS container
+ if [ -n "${IPV6_IP}" ]; then
+ prerouting_rule="PREROUTING -i ${intfc} -p ${proto} ! -s ${IPV6_IP} ! -d ${IPV6_IP} --dport 53 -j DNAT --to ${IPV6_IP}"
+ ip6tables -t nat -C ${prerouting_rule} || ip6tables -t nat -A ${prerouting_rule}
+
+ postrouting_rule="POSTROUTING -o ${intfc} -d ${IPV6_IP} -p ${proto} --dport 53 -j MASQUERADE"
+ ip6tables -t nat -C ${postrouting_rule} || ip6tables -t nat -A ${postrouting_rule}
+ fi
+ done
+done
diff --git a/nextdns/README.md b/nextdns/README.md
index b5a6d53..d90b284 100644
--- a/nextdns/README.md
+++ b/nextdns/README.md
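Review bot: The README steps in this commit have the user execute this script by hand right after copying it, and it then runs again at every boot, but `ln -s`, `ip link add`, `ip addr add` and `ip route add` are not idempotent the way the iptables rules are with their `-C || -A` pattern: a second run prints a "File exists" error for each of them. Guarding those steps in the same spirit, e.g. `[ -e /opt/cni/bin ] || ln -s /mnt/data/podman/cni/ /opt/cni/bin` and `ip link show br${VLAN}.mac >/dev/null 2>&1 || ip link add br${VLAN}.mac link br${VLAN} type macvlan mode bridge`, makes re-runs clean and keeps the boot output free of noise that hides real failures. The IPv6 block also adds `${IPV6_GW}` to both `br${VLAN}` and `br${VLAN}.mac`; if only the macvlan leg is meant to carry the gateway address, the first `ip -6 addr add` can go.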
@@ -7,24 +7,25 @@ 4. If you are already using PiHole and want to test NextDNS out, you can just stop your PiHole container and start this one in its place using the same IP/CNI config. ### Requirements -1. You have already setup the on boot script described [here](https://github.com/boostchicken/udmpro-utilities/tree/master/on-boot-script) +1. You have already setup the on boot script described [here](https://github.com/boostchicken/udm-utilities/tree/master/on-boot-script) 2. NextDNS persists through firmware updates. The on-boot script does not. If you update your firmware, setup on-boot again and everything should work. ### Customization -* Feel free to change [20-dns.conflist](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/20-dns.conflist) to change the IP address of the container. Make sure to update all ip references and the iptables rules in [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/on_boot.sh). The IP address can be anywhere from x.x.x.3 to x.x.x.254. .1 is reserved for the gateway and .2 is reserved for the macvlan bridge. -* If you don't want to use vlan5, just replace br5 with br(vlanid) in [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/on_boot.sh) and [20-dns.conflist](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/20-dns.conflist), also update all the ips accordingly +* Feel free to change [20-dns.conflist](../cni-plugins/20-dns.conflist) to change the IP address of the container. * The NextDNS docker image is not supported by NextDNS. It is built out of this repo. If you make any enhancements please contribute back via a Pull Request. -* If you want to inject custom DNS names into NextDNS use --add-host docker commands. The /etc/resolv.conf and /etc/hosts is generated from that and --dns. +* If you want to inject custom DNS names into NextDNS use --add-host docker commands. 
The /etc/resolv.conf and /etc/hosts is generated from that and --dns. +* Edit [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) and update its values to reflect your environment (specifically the container name) +* If you want IPv6 support use [20-dnsipv6.conflist](../cni-plugins/20-dnsipv6.conflist) and [10-dnsipv6.sh](../dns-common/on_boot.d/10-dnsipv6.sh). Also, please provide IPv6 servers to podman using --dns arguments. ### Docker -The offical repo is boostchicken/nextdns-udm. Latest will always refer to the latest builds, there are also tags for each NextDNS release (e.g. 1.6.4). +The official repo is boostchicken/nextdns-udm. Latest will always refer to the latest builds, there are also tags for each NextDNS release (e.g. 1.6.4). The Dockerfile is included, you can build it locally on your UDM if you don't want to pull from Docker Hub or make customizations -``` +```shell script podman build . -t nextdns-udm:latest ``` Building from another device is possible. You must have [buildx](https://github.com/docker/buildx/) installed to do cross platform builds. This is useful if you want to mirror to a private repo -``` +```shell script docker buildx build --platform linux/arm64 -t nextdns-udm:latest . ``` 
@@ -32,22 +33,21 @@ docker buildx build --platform linux/arm64 -t nextdns-udm:latest . If you have already installed PiHole, skip right to step 6. 1. On your controller, make a Corporate network with no DHCP server and give it a VLAN. For this example we are using VLAN 5. -2. Install the CNI plugins with by executing [install-cni-plugins.sh](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/install-cni-plugins.sh) on your UDM -3. Copy [20-dns.conflist](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/20-dns.conflist) to /mnt/data/podman/cni (or a place of your choosing and update [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/on_boot.sh) symlink). This will create your podman macvlan network -4. Update your on_boot.sh to include the commands in [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/on_boot.sh). You can leave out the iptables rules if you don't want to DNAT all DNS calls to NextDNS -5. Execute on_boot.sh -6. Create /mnt/data/nextdns and copy [nextdns.conf](https://github.com/boostchicken/udm-utilities/blob/master/nextdns/udm-files/nextdns.conf) to it. +2. Install the CNI plugins with by executing [install-cni-plugins.sh](../cni-plugins/install-cni-plugins.sh) on your UDM +3. Copy [20-dns.conflist](../cni-plugins/20-dns.conflist) to /mnt/data/podman/cni. This will create your podman macvlan network +4. Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment (specifically the container name) +5. Execute /mnt/data/on_boot.d/10-dns.sh +6. Create /mnt/data/nextdns and copy [nextdns.conf](udm-files/nextdns.conf) to it. 7. Run the NextDNS docker container. Mounting dbus and running in privileged is only required for mDNS. Also, please change the --dns arguments to whatever was provided by NextDNS. 
-``` - podman run -d -it --privileged --network dns --restart always \ - --name nextdns \ - -v "/mnt/data/nextdns/:/etc/nextdns/" \ - -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket \ - --mount type=bind,source=/config/dnsmasq.lease,target=/tmp/dnsmasq.leases \ - --dns=45.90.28.163 --dns=45.90.30.163 \ - --hostname nextdns \ - boostchicken/nextdns-udm:latest -``` -Note: + ```shell script + podman run -d -it --privileged --network dns --restart always \ + --name nextdns \ + -v "/mnt/data/nextdns/:/etc/nextdns/" \ + -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket \ + --mount type=bind,source=/config/dnsmasq.lease,target=/tmp/dnsmasq.leases \ + --dns=45.90.28.163 --dns=45.90.30.163 \ + --hostname nextdns \ + boostchicken/nextdns-udm:latest + ``` 8. Update your DNS Servers to 10.0.5.3 (or your custom ip) in all your DHCP configs. -9. Uncomment ```podman start nextdns``` in on_boot.sh + diff --git a/on-boot-script/README.md b/on-boot-script/README.md index 5747949..560d751 100644 --- a/on-boot-script/README.md +++ b/on-boot-script/README.md 
@@ -1,66 +1,69 @@ # UDM / UDMPro Boot Script ### Features 1. Allows you to run a shell script at S95 anytime your UDM starts / reboots +1. Persists through reboot +1. Must be re-done after firmware updates -### Compatiblity +### Compatibility 1. Should work on any UDM/UDMPro after 1.6.3 -2. Tested and confirmed on 1.6.6, 1.7.0, 1.7.2rc4 - +2. Tested and confirmed on 1.6.6, 1.7.0, 1.7.2rc4, 1.7.3rc1 ## Steps -# 1. Make your script on the UDM/UDMPRO -``` -vi /mnt/data/on_boot.sh -chmod u+x /mnt/data/on_boot.sh -``` -Example: see examples/udm-files/on_boot.sh, examples/udm-files/on_boot.d/*.sh -# 2. Make the unifios docker container execute this script on startup, this has to be done after every firmware update. It does persist through reboots. +### Automated Setup -## Automatic +1. Copy [install.sh](install.sh) to your UDM and execute it +1. Copy any shell scripts you want to run to /mnt/data/on_boot.d and make sure they are executable and have the correct shebang (#!/bin/sh) + Examples: + * Start a DNS Container [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) + * Start wpa_supplicant [on_boot.d/10-wpa_supplicant.sh](examples/udm-files/on_boot.d/10-wpa_supplicant.sh) -1. Copy install.sh and install-unifios.sh to your UDM -2. Execute install.sh +### Manual Setup -## Manual -``` -podman exec -it unifi-os sh -``` -### make a script that sshs to the udm and runs on our boot script -Example: examples/unifi-os-files/udm.sh -``` -echo "#!/bin/sh -ssh -o StrictHostKeyChecking=no root@127.0.1.1 '/mnt/data/on_boot.sh'" > /etc/init.d/udm.sh # 127.0.1.1 always points to the UDM -``` -#### make said script executable -``` -chmod u+x /etc/init.d/udm.sh -``` -### make a service that runs on startup, after we have networking -Example: examples/unifi-os-files/udmboot.service -``` -echo "[Unit] -Description=Run On Startup UDM -After=network.target +1. 
Copy on_boot.sh and make on_boot.d and add scripts to on_boot.d + ```shell script + mkdir -p /mnt/data/on_boot.d + vi /mnt/data/on_boot.sh + chmod u+x /mnt/data/on_boot.sh + ``` + Example: [on_boot.sh](examples/udm-files/on_boot.sh) -[Service] -ExecStart=/etc/init.d/udm.sh +1. Enter the container shell + ```shell script + unifi-os shell + ``` +1. make a script that sshs to the udm and runs on our boot script. 127.0.1.1 always points to the UDM + ```shell script + echo "#!/bin/sh + ssh -o StrictHostKeyChecking=no root@127.0.1.1 '/mnt/data/on_boot.sh'" > /etc/init.d/udm.sh + chmod u+x /etc/init.d/udm.sh + ``` + Example: [udm.sh](examples/unifi-os-files/udm.sh) +1. make a service that runs on startup, after we have networking + ```shell script + echo "[Unit] + Description=Run On Startup UDM + After=network.target + + [Service] + ExecStart=/etc/init.d/udm.sh + + [Install] + WantedBy=multi-user.target" > /etc/systemd/system/udmboot.service + ``` + Example: [udmboot.service](examples/unifi-os-files/udmboot.service) -[Install] -WantedBy=multi-user.target" > /etc/systemd/system/udmboot.service -``` - -### enable it and test -``` -systemctl enable udmboot -systemctl start udmboot -``` -### back to the udm -``` -exit -``` -# reboot your udm/udmpro and make sure it worked -``` -reboot -exit -``` +1. enable it and test + ```shell script + systemctl enable udmboot + systemctl start udmboot + ``` +1. back to the udm + ```shell script + exit + ``` +1. reboot your udm/udmpro and make sure it worked + ```shell script + reboot + exit + ``` diff --git a/on-boot-script/install.sh b/on-boot-script/install.sh index 93f38c6..4439081 100644 --- a/on-boot-script/install.sh +++ b/on-boot-script/install.sh 
@@ -1,5 +1,44 @@
 #!/bin/sh
 
-podman cp install-unifios.sh unifi-os:/root/install-unifios.sh
-podman exec unifi-os chmod +x /root/install-unifios.sh
-podman exec unifi-os sh -c /root/install-unifios.sh
+echo "Creating on boot script on device"
+echo "#!/bin/sh
+
+if [ -d /mnt/data/on_boot.d ]; then
+ for i in /mnt/data/on_boot.d/*.sh; do
+ if [ -r $i ]; then
+ . $i
+ fi
+ done
+fi
+" > /mnt/data/20-python.sh
+chmod u+x /mnt/data/on_boot.sh
+mkdir -p /mnt/data/on_boot.d
+
+echo "Creating script to modify unifios container"
+echo '#!/bin/sh
+
+echo "#!/bin/sh
+ssh -o StrictHostKeyChecking=no root@127.0.1.1 ''/mnt/data/on_boot.sh''" > /etc/init.d/udm.sh
+chmod u+x /etc/init.d/udm.sh
+
+echo "[Unit]
+Description=Run On Startup UDM
+After=network.target
+
+[Service]
+ExecStart=/etc/init.d/udm.sh
+
+[Install]
+WantedBy=multi-user.target" > /etc/systemd/system/udmboot.service
+
+systemctl enable udmboot
+systemctl start udmboot
+' > /tmp/install-unifios.sh
+
+podman cp /tmp/install-unifios.sh unifi-os:/root/install-unifios.sh
+podman exec -it unifi-os chmod +x /root/install-unifios.sh
+echo "Executing container modifications"
+podman exec -it unifi-os sh -c /root/install-unifios.sh
+rm /tmp/install-unifios.sh
+
+echo "Installed on_boot hook. Populate /mnt/data/on_boot.d with scripts to run"
\ No newline at end of file
diff --git a/python/on_boot.sh b/python/on_boot.d/20-python.sh
similarity index 100%
rename from python/on_boot.sh
rename to python/on_boot.d/20-python.sh
diff --git a/run-pihole/README.md b/run-pihole/README.md
index ba97831..8fc256c 100644
--- a/run-pihole/README.md
+++ b/run-pihole/README.md
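Review bot: The generated on-boot script is written with a double-quoted `echo`, so `$i` is expanded by the installing shell (to nothing, since `i` is unset there) and the file on disk contains `if [ -r ]; then` followed by a bare `.`, meaning nothing in /mnt/data/on_boot.d is ever sourced; the same `echo` also writes to `/mnt/data/20-python.sh` while the `chmod u+x` on the next line targets `/mnt/data/on_boot.sh`, which does not exist yet. A quoted heredoc writes the loop verbatim to the intended path, as sketched below. In the single-quoted second `echo`, `''/mnt/data/on_boot.sh''` closes and reopens the quote rather than embedding one, so udm.sh ends up with an unquoted path; it works for this path, but `'\''` is the way to embed a literal single quote. Because the scripts are sourced with `.`, an `exit` inside any one of them ends on_boot.sh before the remaining scripts run, which is worth a comment in the generated file or running each with `sh "$i"` if isolation is preferred.
```shell
echo "Creating on boot script on device"
# quoted heredoc: nothing is expanded at install time, so the loop reaches the file verbatim
cat <<'EOF' > /mnt/data/on_boot.sh
#!/bin/sh

if [ -d /mnt/data/on_boot.d ]; then
  for i in /mnt/data/on_boot.d/*.sh; do
    if [ -r "$i" ]; then
      . "$i"
    fi
  done
fi
EOF
chmod u+x /mnt/data/on_boot.sh
mkdir -p /mnt/data/on_boot.d
# … unchanged: unifi-os container script, podman cp/exec, cleanup …
```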
@@ -5,45 +5,45 @@ 2. Persists through reboots and firmware updates. ### Requirements -1. You have setup the on boot script described [here](https://github.com/boostchicken/udmpro-utilities/tree/master/on-boot-script) +1. You have successfully setup the on boot script described [here](https://github.com/boostchicken/udm-utilities/tree/master/on-boot-script) 2. PiHole persists through firmware updates. The on-boot script does not. If you update your firmware, setup on-boot again and everything should work. ### Customization -* Feel free to change [20-dns.conflist](https://github.com/boostchicken/udm-utilities/blob/master/run-pihole/udm-files/20-dns.conflist) to change the IP address of the container. Make sure to update all ip references and the iptables rules in [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/run-pihole/udm-files/on_boot.sh). The IP address can be anywhere from x.x.x.3 to x.x.x.254. .1 is reserved for the gateway and .2 is reserved for the macvlan bridge. -* If you don't want to use vlan5, just replace br5 with br(vlanid) in [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/run-pihole/udm-files/on_boot.sh) and [20-dns.conflist](https://github.com/boostchicken/udm-utilities/blob/master/run-pihole/udm-files/20-dns.conflist), also update all the ips accordingly +* Feel free to change [20-dns.conflist](../cni-plugins/20-dns.conflist) to change the IP address of the container. +* Update [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) with your own values +* If you want IPv6 support use [20-dnsipv6.conflist](../cni-plugins/20-dnsipv6.conflist) and [10-dnsipv6.sh](../dns-common/on_boot.d/10-dnsipv6.sh) and change the docker command to IPv6=True. Also, please provide IPv6 servers to podman using --dns arguments. ### Steps 1. On your controller, make a Corporate network with no DHCP server and give it a VLAN. For this example we are using VLAN 5. -2. 
Install the CNI plugins with by executing [install-cni-plugins.sh](https://github.com/boostchicken/udm-utilities/blob/master/run-pihole/install-cni-plugins.sh) on your UDM -3. Copy [20-dns.conflist](https://github.com/boostchicken/udm-utilities/blob/master/run-pihole/udm-files/20-dns.conflist) to /mnt/data/podman/cni (or a place of your choosing and update [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/run-pihole/udm-files/on_boot.sh) symlink). This will create your podman macvlan network -4. Update your on_boot.sh to include the commands in [on_boot.sh](https://github.com/boostchicken/udm-utilities/blob/master/run-pihole/udm-files/on_boot.sh). You can leave out the iptables rules if you don't want to DNAT all DNS calls to your PiHole -5. Execute on_boot.sh +2. Install the CNI plugins with by executing [install-cni-plugins.sh](../cni-plugins/install-cni-plugins.sh) on your UDM +3. Copy [20-dns.conflist](../cni-plugins/20-dns.conflist) to /mnt/data/podman/cni. This will create your podman macvlan network +4. Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment (specifically the container name) +5. Execute /mnt/data/on_boot.d/10-dns.sh 6. Run the pihole docker container, be sure to make the directories for your persistent pihole configuration. They are mounted as volumes in the command below. 
-``` - podman run -d --network dns --restart always \ - --name pihole \ - -e TZ="America/Los Angeles" \ - -v "/mnt/data/etc-pihole/:/etc/pihole/" \ - -v "/mnt/data/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" \ - --dns=127.0.0.1 --dns=1.1.1.1 \ - --hostname pi.hole \ - -e VIRTUAL_HOST="pi.hole" \ - -e PROXY_LOCATION="pi.hole" \ - -e ServerIP="10.0.5.3" \ - -e IPv6="False" \ - pihole/pihole:latest -``` - -The below errors are expected and acceptable -``` -ERRO[0022] unable to get systemd connection to add healthchecks: dial unix /run/systemd/private: connect: no such file or directory -ERRO[0022] unable to get systemd connection to start healthchecks: dial unix /run/systemd/private: connect: no such file or directory -``` + ```shell script + podman run -d --network dns --restart always \ + --name pihole \ + -e TZ="America/Los Angeles" \ + -v "/mnt/data/etc-pihole/:/etc/pihole/" \ + -v "/mnt/data/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/" \ + --dns=127.0.0.1 --dns=1.1.1.1 \ + --hostname pi.hole \ + -e VIRTUAL_HOST="pi.hole" \ + -e PROXY_LOCATION="pi.hole" \ + -e ServerIP="10.0.5.3" \ + -e IPv6="False" \ + pihole/pihole:latest + ``` + + The below errors are expected and acceptable + ``` + ERRO[0022] unable to get systemd connection to add healthchecks: dial unix /run/systemd/private: connect: no such file or directory + ERRO[0022] unable to get systemd connection to start healthchecks: dial unix /run/systemd/private: connect: no such file or directory + ``` 7. Set pihole password -``` -podman exec -it pihole pihole -a -p YOURNEWPASSHERE -``` + ```shell script + podman exec -it pihole pihole -a -p YOURNEWPASSHERE + ``` 8. Update your DNS Servers to 10.0.5.3 (or your custom ip) in all your DHCP configs. 9. Access the pihole like you would normally. -9. Uncomment ```podman start pihole``` in on_boot.sh From e4e028e65432dd5d412b723601f438844f13aaac Mon Sep 17 00:00:00 2001 
From: John Dorman Date: Sun, 28 Jun 2020 03:04:51 -0700 Subject: [PATCH 11/12] Readme updates and ipv6 support --- AdguardHome/README.md | 4 ++-- dns-common/on_boot.d/10-dns.sh | 5 ++--- dns-common/on_boot.d/10-dnsipv6.sh | 5 ++--- nextdns/README.md | 2 +- run-pihole/README.md | 2 +- 5 files changed, 8 insertions(+), 10 deletions(-) diff --git a/AdguardHome/README.md b/AdguardHome/README.md index e621e6e..8de6684 100644 --- a/AdguardHome/README.md +++ b/AdguardHome/README.md @@ -6,7 +6,7 @@ ### Requirements 1. You have setup the on boot script described [here](https://github.com/boostchicken/udm-utilities/tree/master/on-boot-script) -2. AdguardHome persists through firmware updates as it will store the configuration in a folder (you need to create this). It needs 2 folders, a Work and Configuration folder. Please create the 2 folder in "/mnt/data/". In my example I created "AdguardHome-Confdir" and "AdguardHome-Workdir" +2. AdguardHome persists through firmware updates as it will store the configuration in a folder (you need to create this). It needs 2 folders, a Work and Configuration folder. Please create the 2 folders in "/mnt/data/". In my example I created "AdguardHome-Confdir" and "AdguardHome-Workdir" 3. The on-boot script needs to be setup after firmware update of UDM. When on-boot script is recreated, everything should work. ### Customization 
@@ -18,7 +18,7 @@ 1. On your controller, make a Corporate network with no DHCP server and give it a VLAN. For this example we are using VLAN 5. 2. Install the CNI plugins with by executing [install-cni-plugins.sh](../cni-plugins/install-cni-plugins.sh) on your UDM 3. Copy [20-dns.conflist](../cni-plugins/20-dns.conflist) to /mnt/data/podman/cni. This will create your podman macvlan network -4. Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment (specifically the container name) +4. Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment 5. Execute /mnt/data/on_boot.d/10-dns.sh 6. Run the AdguardHome docker container, be sure to make the directories for your persistent AdguardHome configuration. They are mounted as volumes in the command below. diff --git a/dns-common/on_boot.d/10-dns.sh b/dns-common/on_boot.d/10-dns.sh index 32642b7..5e7db6a 100644 --- a/dns-common/on_boot.d/10-dns.sh +++ b/dns-common/on_boot.d/10-dns.sh @@ -11,8 +11,8 @@ IPV4_GW="10.0.5.1/24" # added along with a ::/0 route. Also make sure that additional --dns options # are passed to podman with your IPv6 DNS IPs when deploying the container for # the first time. -IPV6_IP="fd62:89a2:fda9:e23:0:0:0:2" -IPV6_GW="fd62:89a2:fda9:e23:0:0:0:1" +IPV6_IP="" +IPV6_GW="" # set this to the interface(s) on which you want DNS TCP/UDP port 53 traffic # re-routed through the DNS container. separate interfaces with spaces. @@ -37,7 +37,6 @@ ip addr add ${IPV4_GW} dev br${VLAN}.mac noprefixroute # (optional) add IPv6 IP to VLAN bridge macvlan bridge if [ -n "${IPV6_GW}" ]; then - ip -6 addr add ${IPV6_GW} dev br${VLAN} ip -6 addr add ${IPV6_GW} dev br${VLAN}.mac noprefixroute fi diff --git a/dns-common/on_boot.d/10-dnsipv6.sh b/dns-common/on_boot.d/10-dnsipv6.sh index 9b99b89..b0afc5e 100644 --- a/dns-common/on_boot.d/10-dnsipv6.sh +++ b/dns-common/on_boot.d/10-dnsipv6.sh 
@@ -11,8 +11,8 @@ IPV4_GW="10.0.5.1/24" # added along with a ::/0 route. Also make sure that additional --dns options # are passed to podman with your IPv6 DNS IPs when deploying the container for # the first time. -IPV6_IP="" -IPV6_GW="" +IPV6_IP="fd62:89a2:fda9:e23:0:0:0:2" +IPV6_GW="fd62:89a2:fda9:e23:0:0:0:1" # set this to the interface(s) on which you want DNS TCP/UDP port 53 traffic # re-routed through the DNS container. separate interfaces with spaces. @@ -37,7 +37,6 @@ ip addr add ${IPV4_GW} dev br${VLAN}.mac noprefixroute # (optional) add IPv6 IP to VLAN bridge macvlan bridge if [ -n "${IPV6_GW}" ]; then - ip -6 addr add ${IPV6_GW} dev br${VLAN} ip -6 addr add ${IPV6_GW} dev br${VLAN}.mac noprefixroute fi diff --git a/nextdns/README.md b/nextdns/README.md index d90b284..db7a99e 100644 --- a/nextdns/README.md +++ b/nextdns/README.md @@ -35,7 +35,7 @@ If you have already installed PiHole, skip right to step 6. 1. On your controller, make a Corporate network with no DHCP server and give it a VLAN. For this example we are using VLAN 5. 2. Install the CNI plugins with by executing [install-cni-plugins.sh](../cni-plugins/install-cni-plugins.sh) on your UDM 3. Copy [20-dns.conflist](../cni-plugins/20-dns.conflist) to /mnt/data/podman/cni. This will create your podman macvlan network -4. Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment (specifically the container name) +4. Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment 5. Execute /mnt/data/on_boot.d/10-dns.sh 6. Create /mnt/data/nextdns and copy [nextdns.conf](udm-files/nextdns.conf) to it. 7. Run the NextDNS docker container. Mounting dbus and running in privileged is only required for mDNS. Also, please change the --dns arguments to whatever was provided by NextDNS. diff --git a/run-pihole/README.md b/run-pihole/README.md index 8fc256c..c51e053 100644 
--- a/run-pihole/README.md +++ b/run-pihole/README.md @@ -17,7 +17,7 @@ 1. On your controller, make a Corporate network with no DHCP server and give it a VLAN. For this example we are using VLAN 5. 2. Install the CNI plugins with by executing [install-cni-plugins.sh](../cni-plugins/install-cni-plugins.sh) on your UDM 3. Copy [20-dns.conflist](../cni-plugins/20-dns.conflist) to /mnt/data/podman/cni. This will create your podman macvlan network -4. Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment (specifically the container name) +4. Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment 5. Execute /mnt/data/on_boot.d/10-dns.sh 6. Run the pihole docker container, be sure to make the directories for your persistent pihole configuration. They are mounted as volumes in the command below. From bf8e9b75b50b86e4c6e1f7886deab4fe89575578 Mon Sep 17 00:00:00 2001 From: John Dorman Date: Sun, 28 Jun 2020 06:02:14 -0700 Subject: [PATCH 12/12] Final updates and Ipv6 --- AdguardHome/README.md | 11 ++--- cni-plugins/20-dnsipv6.conflist | 4 +- dns-common/on_boot.d/10-dns.sh | 57 ++++++++++++++++------- dns-common/on_boot.d/10-dnsipv6.sh | 75 ------------------------------ nextdns/README.md | 15 +++--- on-boot-script/install.sh | 5 +- run-pihole/README.md | 11 ++--- 7 files changed, 62 insertions(+), 116 deletions(-) delete mode 100644 dns-common/on_boot.d/10-dnsipv6.sh diff --git a/AdguardHome/README.md b/AdguardHome/README.md index 8de6684..d13d1df 100644 --- a/AdguardHome/README.md +++ b/AdguardHome/README.md 
@@ -12,15 +12,14 @@ ### Customization * Feel free to change [20-dns.conflist](../cni-plugins/20-dns.conflist) to change the IP address of the container. * Update [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) with your own values -* If you want IPv6 support use [20-dnsipv6.conflist](../cni-plugins/20-dnsipv6.conflist) and [10-dnsipv6.sh](../dns-common/on_boot.d/10-dnsipv6.sh). Also, please provide IPv6 servers to podman using --dns arguments. +* If you want IPv6 support use [20-dnsipv6.conflist](../cni-plugins/20-dnsipv6.conflist) and update [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) with the IPv6 addresses. Also, please provide IPv6 servers to podman using --dns arguments. ### Steps 1. On your controller, make a Corporate network with no DHCP server and give it a VLAN. For this example we are using VLAN 5. -2. Install the CNI plugins with by executing [install-cni-plugins.sh](../cni-plugins/install-cni-plugins.sh) on your UDM -3. Copy [20-dns.conflist](../cni-plugins/20-dns.conflist) to /mnt/data/podman/cni. This will create your podman macvlan network -4. Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment -5. Execute /mnt/data/on_boot.d/10-dns.sh -6. Run the AdguardHome docker container, be sure to make the directories for your persistent AdguardHome configuration. They are mounted as volumes in the command below. +1. Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment +1. Execute /mnt/data/on_boot.d/10-dns.sh +1. Copy [20-dns.conflist](../cni-plugins/20-dns.conflist) to /mnt/data/podman/cni. This will create your podman macvlan network +1. Run the AdguardHome docker container, be sure to make the directories for your persistent AdguardHome configuration. They are mounted as volumes in the command below. ```shell script podman run -d --network dns --restart always \ 
diff --git a/cni-plugins/20-dnsipv6.conflist b/cni-plugins/20-dnsipv6.conflist
index 5d9654a..7e781d5 100644
--- a/cni-plugins/20-dnsipv6.conflist
+++ b/cni-plugins/20-dnsipv6.conflist
@@ -14,8 +14,8 @@
 "gateway": "10.0.5.1"
 },
 {
- "address": "fd62:89a2:fda9:e23:0:0:0:2",
- "gateway": "fd62:89a2:fda9:e23:0:0:0:1"
+ "address": "fd62:89a2:fda9:e23::2/64",
+ "gateway": "fd62:89a2:fda9:e23::1"
 }
 ],
 "routes": [
diff --git a/dns-common/on_boot.d/10-dns.sh b/dns-common/on_boot.d/10-dns.sh
index 5e7db6a..981673a 100644
--- a/dns-common/on_boot.d/10-dns.sh
+++ b/dns-common/on_boot.d/10-dns.sh
@@ -10,7 +10,12 @@ IPV4_GW="10.0.5.1/24"
 # the 20-dns.conflist is updated appropriately. It will need the IP and GW
 # added along with a ::/0 route. Also make sure that additional --dns options
 # are passed to podman with your IPv6 DNS IPs when deploying the container for
-# the first time.
+# the first time. You will also need to configure your VLAN to have a static
+# IPv6 block.
+
+# IPv6 Also works with Prefix Delegation from your provider. The gateway is the
+# IP of br(VLAN) and you can pick any ip address within that subnet that dhcpv6
+# isn't serving
 IPV6_IP=""
 IPV6_GW=""
 
@@ -23,10 +28,22 @@ FORCED_INTFC=""
 CONTAINER=nextdns
 
 ## network configuration and startup:
+CNI_PATH=/mnt/data/podman/cni
+if [ ! -f "$CNI_PATH"/macvlan ]
+then
+ mkdir -p $CNI_PATH
+ curl -L https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-arm64-v0.8.6.tgz | tar -xz -C $CNI_PATH
+fi
 
 mkdir -p /opt/cni
-ln -s /mnt/data/podman/cni/ /opt/cni/bin
-ln -s /mnt/data/podman/cni/20-dnsipv6.conflist /etc/cni/net.d/20-dnsipv6.conflist
+ln -s $CNI_PATH /opt/cni/bin
+
+for file in "$CNI_PATH"/*.conflist
+do
+ if [ -f "$file" ]; then
+ ln -s "$file" "/etc/cni/net.d/$(basename "$file")"
+ fi
+done
 
 # set VLAN bridge promiscuous
 ip link set br${VLAN} promisc on
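Review bot: The new bootstrap pipes an unverified download straight into `tar` at boot: `curl -L … | tar -xz -C $CNI_PATH` has no `-f`, so an HTTP error body is handed to tar, and nothing checks the tarball's digest before its plugin binaries land in `$CNI_PATH` and are presumably executed with root privileges by podman. Downloading to a temp file with `curl -fsSL`, comparing against a pinned SHA-256 of the v0.8.6 release, and extracting only on success keeps the supply chain checkable; a sketch is below (the digest is a placeholder to fill in, and it assumes `sha256sum` and `mktemp` exist on the UDM). The conflist loop links every `*.conflist` found in `$CNI_PATH`, so a user who copied both 20-dns.conflist and 20-dnsipv6.conflist gets both installed, and since the README hunks in this commit now copy the conflist after running this script, the link only appears on the next boot. `$CNI_PATH` is unquoted in `mkdir -p $CNI_PATH` and `tar -xz -C $CNI_PATH` while quoted elsewhere in the same hunk.
```shell
CNI_PATH=/mnt/data/podman/cni
CNI_URL=https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-arm64-v0.8.6.tgz
CNI_SHA256=<EXPECTED_SHA256>   # placeholder: pin the published digest of the release tarball here
if [ ! -f "$CNI_PATH"/macvlan ]; then
  mkdir -p "$CNI_PATH"
  # no exit here: this file is sourced by on_boot.sh, an exit would stop the remaining scripts
  if tmp=$(mktemp) \
     && curl -fsSL "$CNI_URL" -o "$tmp" \
     && echo "$CNI_SHA256  $tmp" | sha256sum -c - >/dev/null 2>&1; then
    tar -xzf "$tmp" -C "$CNI_PATH"
  else
    echo "cni-plugins download or checksum verification failed" >&2
  fi
  [ -n "$tmp" ] && rm -f "$tmp"
fi
# … unchanged: /opt/cni symlink and conflist loop …
```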
@@ -52,24 +69,30 @@ if [ -n "${IPV6_IP}" ]; then
 ip -6 route add ${IPV6_IP}/128 dev br${VLAN}.mac
 fi
-podman container exists ${CONTAINER} && podman start ${CONTAINER}
+if podman container exists ${CONTAINER}; then
+ podman start ${CONTAINER}
+else
+ echo "Container $CONTAINER not found, make sure you set the proper name, if you have you can ignore this error"
+fi
 # (optional) IPv4 force DNS (TCP/UDP 53) through DNS container
 for intfc in ${FORCED_INTFC}; do
- for proto in udp tcp; do
- prerouting_rule="PREROUTING -i ${intfc} -p ${proto} ! -s ${IPV4_IP} ! -d ${IPV4_IP} --dport 53 -j DNAT --to ${IPV4_IP}"
- iptables -t nat -C ${prerouting_rule} || iptables -t nat -A ${prerouting_rule}
+ if [ -d "/sys/class/net/${intfc}" ]; then
+ for proto in udp tcp; do
+ prerouting_rule="PREROUTING -i ${intfc} -p ${proto} ! -s ${IPV4_IP} ! -d ${IPV4_IP} --dport 53 -j DNAT --to ${IPV4_IP}"
+ iptables -t nat -C ${prerouting_rule} || iptables -t nat -A ${prerouting_rule}
- postrouting_rule="POSTROUTING -o ${intfc} -d ${IPV4_IP} -p ${proto} --dport 53 -j MASQUERADE"
- iptables -t nat -C ${postrouting_rule} || iptables -t nat -A ${postrouting_rule}
+ postrouting_rule="POSTROUTING -o ${intfc} -d ${IPV4_IP} -p ${proto} --dport 53 -j MASQUERADE"
+ iptables -t nat -C ${postrouting_rule} || iptables -t nat -A ${postrouting_rule}
- # (optional) IPv6 force DNS (TCP/UDP 53) through DNS container
- if [ -n "${IPV6_IP}" ]; then
- prerouting_rule="PREROUTING -i ${intfc} -p ${proto} ! -s ${IPV6_IP} ! -d ${IPV6_IP} --dport 53 -j DNAT --to ${IPV6_IP}"
- ip6tables -t nat -C ${prerouting_rule} || ip6tables -t nat -A ${prerouting_rule}
+ # (optional) IPv6 force DNS (TCP/UDP 53) through DNS container
+ if [ -n "${IPV6_IP}" ]; then
+ prerouting_rule="PREROUTING -i ${intfc} -p ${proto} ! -s ${IPV6_IP} ! -d ${IPV6_IP} --dport 53 -j DNAT --to ${IPV6_IP}"
+ ip6tables -t nat -C ${prerouting_rule} || ip6tables -t nat -A ${prerouting_rule}
- postrouting_rule="POSTROUTING -o ${intfc} -d ${IPV6_IP} -p ${proto} --dport 53 -j MASQUERADE"
- ip6tables -t nat -C ${postrouting_rule} || ip6tables -t nat -A ${postrouting_rule}
- fi
- done
+ postrouting_rule="POSTROUTING -o ${intfc} -d ${IPV6_IP} -p ${proto} --dport 53 -j MASQUERADE"
+ ip6tables -t nat -C ${postrouting_rule} || ip6tables -t nat -A ${postrouting_rule}
+ fi
+ done
+ fi
 done
diff --git a/dns-common/on_boot.d/10-dnsipv6.sh b/dns-common/on_boot.d/10-dnsipv6.sh
deleted file mode 100644
index b0afc5e..0000000
--- a/dns-common/on_boot.d/10-dnsipv6.sh
+++ /dev/null
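Review bot: When `podman container exists ${CONTAINER}` fails, the new `else` branch prints its message to stdout and the script carries on into the `for intfc in ${FORCED_INTFC}` loop, which then installs DNAT rules sending all port-53 traffic on those interfaces to `${IPV4_IP}` (and `${IPV6_IP}`) where nothing is listening, so DNS on the forced VLANs is black-holed rather than left alone. Whether DNS should fail open (skip the rules) or fail closed (keep them) is a policy choice, but it should be deliberate: send the diagnostic to stderr and say which, e.g. `echo "Container $CONTAINER not found; check the CONTAINER setting (port-53 redirect rules not installed)" >&2` followed by `FORCED_INTFC=""` in the `else` branch for the fail-open case; the current "if you have you can ignore this error" wording is also hard to parse. A one-line comment above the loop, `# ${prerouting_rule}/${postrouting_rule} are intentionally unquoted: word-splitting turns the string into iptables arguments`, would explain why those expansions are unquoted while `"/sys/class/net/${intfc}"` is quoted.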
@@ -1,75 +0,0 @@
-#!/bin/sh
-
-## configuration variables:
-VLAN=5
-IPV4_IP="10.0.5.3"
-IPV4_GW="10.0.5.1/24"
-
-# if you want IPv6 support, generate a ULA, select an IP for the dns server
-# and an appropriate gateway address on the same /64 network. Make sure that
-# the 20-dns.conflist is updated appropriately. It will need the IP and GW
-# added along with a ::/0 route. Also make sure that additional --dns options
-# are passed to podman with your IPv6 DNS IPs when deploying the container for
-# the first time.
-IPV6_IP="fd62:89a2:fda9:e23:0:0:0:2"
-IPV6_GW="fd62:89a2:fda9:e23:0:0:0:1"
-
-# set this to the interface(s) on which you want DNS TCP/UDP port 53 traffic
-# re-routed through the DNS container. separate interfaces with spaces.
-# e.g. "br0" or "br0 br1" etc.
-FORCED_INTFC=""
-
-# container name; e.g. nextdns, pihole, adguardhome, etc.
-CONTAINER=nextdns
-
-## network configuration and startup:
-
-mkdir -p /opt/cni
-ln -s /mnt/data/podman/cni/ /opt/cni/bin
-ln -s /mnt/data/podman/cni/20-dns.conflist /etc/cni/net.d/20-dns.conflist
-
-# set VLAN bridge promiscuous
-ip link set br${VLAN} promisc on
-
-# create macvlan bridge and add IPv4 IP
-ip link add br${VLAN}.mac link br${VLAN} type macvlan mode bridge
-ip addr add ${IPV4_GW} dev br${VLAN}.mac noprefixroute
-
-# (optional) add IPv6 IP to VLAN bridge macvlan bridge
-if [ -n "${IPV6_GW}" ]; then
- ip -6 addr add ${IPV6_GW} dev br${VLAN}.mac noprefixroute
-fi
-
-# set macvlan bridge promiscuous and bring it up
-ip link set br${VLAN}.mac promisc on
-ip link set br${VLAN}.mac up
-
-# add IPv4 route to DNS container
-ip route add ${IPV4_IP}/32 dev br${VLAN}.mac
-
-# (optional) add IPv6 route to DNS container
-if [ -n "${IPV6_IP}" ]; then
- ip -6 route add ${IPV6_IP}/128 dev br${VLAN}.mac
-fi
-
-podman container exists ${CONTAINER} && podman start ${CONTAINER}
-
-# (optional) IPv4 force DNS (TCP/UDP 53) through DNS container
-for intfc in ${FORCED_INTFC}; do
- for proto in udp tcp; do
- prerouting_rule="PREROUTING -i ${intfc} -p ${proto} ! -s ${IPV4_IP} ! -d ${IPV4_IP} --dport 53 -j DNAT --to ${IPV4_IP}"
- iptables -t nat -C ${prerouting_rule} || iptables -t nat -A ${prerouting_rule}
-
- postrouting_rule="POSTROUTING -o ${intfc} -d ${IPV4_IP} -p ${proto} --dport 53 -j MASQUERADE"
- iptables -t nat -C ${postrouting_rule} || iptables -t nat -A ${postrouting_rule}
-
- # (optional) IPv6 force DNS (TCP/UDP 53) through DNS container
- if [ -n "${IPV6_IP}" ]; then
- prerouting_rule="PREROUTING -i ${intfc} -p ${proto} ! -s ${IPV6_IP} ! -d ${IPV6_IP} --dport 53 -j DNAT --to ${IPV6_IP}"
- ip6tables -t nat -C ${prerouting_rule} || ip6tables -t nat -A ${prerouting_rule}
-
- postrouting_rule="POSTROUTING -o ${intfc} -d ${IPV6_IP} -p ${proto} --dport 53 -j MASQUERADE"
- ip6tables -t nat -C ${postrouting_rule} || ip6tables -t nat -A ${postrouting_rule}
- fi
- done
-done
diff --git a/nextdns/README.md b/nextdns/README.md
index db7a99e..4e13b4c 100644
--- a/nextdns/README.md
+++ b/nextdns/README.md
@@ -15,7 +15,7 @@
 * The NextDNS docker image is not supported by NextDNS. It is built out of this repo. If you make any enhancements please contribute back via a Pull Request.
 * If you want to inject custom DNS names into NextDNS use --add-host docker commands. The /etc/resolv.conf and /etc/hosts is generated from that and --dns.
 * Edit [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) and update its values to reflect your environment (specifically the container name)
-* If you want IPv6 support use [20-dnsipv6.conflist](../cni-plugins/20-dnsipv6.conflist) and [10-dnsipv6.sh](../dns-common/on_boot.d/10-dnsipv6.sh). Also, please provide IPv6 servers to podman using --dns arguments.
+* If you want IPv6 support use [20-dnsipv6.conflist](../cni-plugins/20-dnsipv6.conflist) and update [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) with the IPv6 addresses. Also, please provide IPv6 servers to podman using --dns arguments.
 ### Docker
 The official repo is boostchicken/nextdns-udm. Latest will always refer to the latest builds, there are also tags for each NextDNS release (e.g. 1.6.4).
@@ -33,12 +33,11 @@ docker buildx build --platform linux/arm64 -t nextdns-udm:latest .
 If you have already installed PiHole, skip right to step 6.
 1. On your controller, make a Corporate network with no DHCP server and give it a VLAN. For this example we are using VLAN 5.
-2. Install the CNI plugins with by executing [install-cni-plugins.sh](../cni-plugins/install-cni-plugins.sh) on your UDM
-3. Copy [20-dns.conflist](../cni-plugins/20-dns.conflist) to /mnt/data/podman/cni. This will create your podman macvlan network
-4. Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment
-5. Execute /mnt/data/on_boot.d/10-dns.sh
-6. Create /mnt/data/nextdns and copy [nextdns.conf](udm-files/nextdns.conf) to it.
-7. Run the NextDNS docker container. Mounting dbus and running in privileged is only required for mDNS. Also, please change the --dns arguments to whatever was provided by NextDNS.
+2. Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment
+3. Execute /mnt/data/on_boot.d/10-dns.sh
+4. Copy [20-dns.conflist](../cni-plugins/20-dns.conflist) to /mnt/data/podman/cni. This will create your podman macvlan network
+5. Create /mnt/data/nextdns and copy [nextdns.conf](udm-files/nextdns.conf) to it.
+6. Run the NextDNS docker container. Mounting dbus and running in privileged is only required for mDNS. Also, please change the --dns arguments to whatever was provided by NextDNS.
 ```shell script
 podman run -d -it --privileged --network dns --restart always \
 --name nextdns \
@@ -49,5 +48,5 @@ If you have already installed PiHole, skip right to step 6.
 --hostname nextdns \
 boostchicken/nextdns-udm:latest
 ```
-8. Update your DNS Servers to 10.0.5.3 (or your custom ip) in all your DHCP configs.
+7. Update your DNS Servers to 10.0.5.3 (or your custom ip) in all your DHCP configs.
diff --git a/on-boot-script/install.sh b/on-boot-script/install.sh
index 4439081..042d7ea 100644
--- a/on-boot-script/install.sh
+++ b/on-boot-script/install.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 echo "Creating on boot script on device"
-echo "#!/bin/sh
+echo '#!/bin/sh
 if [ -d /mnt/data/on_boot.d ]; then
 for i in /mnt/data/on_boot.d/*.sh; do
@@ -10,7 +10,8 @@ if [ -d /mnt/data/on_boot.d ]; then
 fi
 done
 fi
-" > /mnt/data/20-python.sh
+' > /mnt/data/on_boot.sh
+
 chmod u+x /mnt/data/on_boot.sh
 mkdir -p /mnt/data/on_boot.d
diff --git a/run-pihole/README.md b/run-pihole/README.md
index c51e053..1c47582 100644
--- a/run-pihole/README.md
+++ b/run-pihole/README.md
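Review bot: The body of `/mnt/data/on_boot.sh` is still emitted with a multi-line `echo`, now single-quoted, which cannot contain a `'` and, under a `#!/bin/sh` whose `echo` interprets backslash escapes (dash does), would mangle any `\` added to the body later; a quoted heredoc is the idiom for writing a literal script and reads the same way: `cat <<'EOF' > /mnt/data/on_boot.sh` … `EOF`. This applies to the `@@ -1,7` hunk where `echo '#!/bin/sh` opens the body and to the `@@ -10,7` hunk where `' > /mnt/data/on_boot.sh` closes it. Because the generated script executes every `*.sh` under `/mnt/data/on_boot.d` at boot (as root, since on_boot.d scripts such as 10-dns.sh call `ip` and `iptables`), the `mkdir -p /mnt/data/on_boot.d` at the end of the second hunk is the place to pin the directory's permissions so only root can add or edit scripts: `chmod 700 /mnt/data/on_boot.d`.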
@@ -11,15 +11,14 @@ ### Customization
 * Feel free to change [20-dns.conflist](../cni-plugins/20-dns.conflist) to change the IP address of the container.
 * Update [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) with your own values
-* If you want IPv6 support use [20-dnsipv6.conflist](../cni-plugins/20-dnsipv6.conflist) and [10-dnsipv6.sh](../dns-common/on_boot.d/10-dnsipv6.sh) and change the docker command to IPv6=True. Also, please provide IPv6 servers to podman using --dns arguments.
+* If you want IPv6 support use [20-dnsipv6.conflist](../cni-plugins/20-dnsipv6.conflist) and update [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) with the IPv6 addresses. Also, please provide IPv6 servers to podman using --dns arguments.
 ### Steps
 1. On your controller, make a Corporate network with no DHCP server and give it a VLAN. For this example we are using VLAN 5.
-2. Install the CNI plugins with by executing [install-cni-plugins.sh](../cni-plugins/install-cni-plugins.sh) on your UDM
-3. Copy [20-dns.conflist](../cni-plugins/20-dns.conflist) to /mnt/data/podman/cni. This will create your podman macvlan network
-4. Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment
-5. Execute /mnt/data/on_boot.d/10-dns.sh
-6. Run the pihole docker container, be sure to make the directories for your persistent pihole configuration. They are mounted as volumes in the command below.
+2. Copy [10-dns.sh](../dns-common/on_boot.d/10-dns.sh) to /mnt/data/on_boot.d and update its values to reflect your environment
+3. Execute /mnt/data/on_boot.d/10-dns.sh
+4. Copy [20-dns.conflist](../cni-plugins/20-dns.conflist) to /mnt/data/podman/cni. This will create your podman macvlan network
+5. Run the pihole docker container, be sure to make the directories for your persistent pihole configuration. They are mounted as volumes in the command below.
 ```shell script
 podman run -d --network dns --restart always \