Install IPredator VPN on OpenWrt. Source credit: https://ipredator.se/guide/openvpn/router/openwrt
#!/bin/sh
#
# Version: 1
# Tested on Barrier Breaker 15.05.01
#
# Install IPredator VPN on OpenWrt
# Requirements
# - newly flashed OpenWrt device
# Variables
#
# Files this script creates or rewrites. Keep the paths in sync with what the
# OpenVPN UCI section (write_ipr_ovpn_conf) refers to.
#
# Credentials and keys written under /etc/openvpn:
FILE_OVPN_AUTH="/etc/openvpn/IPredator.auth"
FILE_OVPN_TAKEY="/etc/openvpn/IPredator.se.ta.key"
FILE_OVPN_CA="/etc/openvpn/IPredator.se.ca.crt"
# UCI configuration files that get (re)written:
FILE_OVPN_CONF="/etc/config/openvpn"
FILE_NET_CONF="/etc/config/network"
FILE_FW_RULES="/etc/config/firewall"
# Packages installed via opkg (space-separated list) and the pause, in
# seconds, before apply_changes reboots the device.
SOFTWARE_LIST="openvpn-openssl"
REBOOT_DELAY=5
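# Updates the package lists and installs the packages named in $SOFTWARE_LIST.
# Returns 0 when the install succeeded, 1 when opkg could not install them
# (the original version always returned 0, so a failed install went unnoticed
# and the script carried on to reconfigure the firewall and reboot).
install_dependencies() {
  log "Installing dependencies."
  # A failed list refresh is only a warning: opkg can still install from lists
  # that are already on the device; a real problem shows up on install below.
  opkg update || log "Warning: opkg update failed, trying install with existing package lists."
  # SOFTWARE_LIST is a space-separated package list, so word splitting is intended.
  # shellcheck disable=SC2086
  opkg install $SOFTWARE_LIST || return 1
  return 0
}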
# Prints a horizontal rule used to frame log messages.
echo_line(){
  printf '%s\n' "---------------------------------------------------------------"
}
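# Prints $1 to stdout framed by two rules.
# printf instead of the unquoted `echo $1` the original used: the message is
# no longer subject to word splitting and glob expansion (a message containing
# `*` would have been expanded against the current directory).
log(){
  echo_line
  printf '%s\n' "$1"
  echo_line
}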
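# Overwrites the OpenVPN UCI config with the IPredator client profile.
# Returns non-zero if the config directory cannot be created or the file
# cannot be written.
write_ipr_ovpn_conf() {
  log "Writing OpenVPN configuration to $FILE_OVPN_CONF."
  mkdir -p "${FILE_OVPN_CONF%/*}" || return 1
  # `cat >` truncates and rewrites in one step; the original `rm` + `cat >>`
  # printed an error on a fresh device where the file did not exist yet.
  # The heredoc delimiter is unquoted on purpose: the credential, CA and
  # tls-auth paths come from the FILE_* constants so they cannot drift from
  # the files written by write_ipr_auth, write_ipr_ca and write_ipr_takey.
  # NOTE(review): ns_cert_type is deprecated in newer OpenVPN releases
  # (remote_cert_tls is its replacement); it is kept because this script
  # targets the OpenVPN shipped with the release named in the file header.
  # comp_lzo is likewise deprecated upstream; confirm it is still wanted.
  cat > "$FILE_OVPN_CONF" << EOF
config openvpn 'IPredator'
option enabled '1'
option client '1'
option dev 'tun1337'
option proto 'udp'
list auth_user_pass '$FILE_OVPN_AUTH'
option resolv_retry 'infinite'
option float '1'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option ca '$FILE_OVPN_CA'
option ns_cert_type 'server'
list tls_auth '$FILE_OVPN_TAKEY'
option cipher 'AES-256-CBC'
option comp_lzo 'yes'
option passtos '1'
option tls_version_min '1.2'
option remote 'ipv6.openvpn.ipredator.se 1194'
option tls_client '1'
option verb '3'
EOF
}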
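# Writes the IPredator CA certificate to $FILE_OVPN_CA.
# Uses `cat >` rather than the original `cat >>` so that running the script
# twice does not leave two concatenated copies of the certificate in the file.
# Returns non-zero if the directory cannot be created or the write fails.
write_ipr_ca() {
  log "Writing IPredator CA to $FILE_OVPN_CA."
  mkdir -p "${FILE_OVPN_CA%/*}" || return 1
  cat > "$FILE_OVPN_CA" << 'EOF'
-----BEGIN CERTIFICATE-----
MIIFJzCCBA+gAwIBAgIJAKee4ZMMpvhzMA0GCSqGSIb3DQEBBQUAMIG9MQswCQYD
VQQGEwJTRTESMBAGA1UECBMJQnJ5Z2dsYW5kMQ8wDQYDVQQHEwZPZWxkYWwxJDAi
BgNVBAoTG1JveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbjESMBAGA1UECxMJSW50
ZXJuZXR6MScwJQYDVQQDEx5Sb3lhbCBTd2VkaXNoIEJlZXIgU3F1YWRyb24gQ0Ex
JjAkBgkqhkiG9w0BCQEWF2hvc3RtYXN0ZXJAaXByZWRhdG9yLnNlMB4XDTEyMDgw
NDIxMTAyNVoXDTIyMDgwMjIxMTAyNVowgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQI
EwlCcnlnZ2xhbmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dl
ZGlzaCBCZWVyIFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMT
HlJveWFsIFN3ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYX
aG9zdG1hc3RlckBpcHJlZGF0b3Iuc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCp5M22fZtwtIh6Mu9IwC3N2tEFqyNTEP1YyXasjf+7VNISqSpFy+tf
DsHAkiE9Wbv8KFM9bOoVK1JjdDsetxArm/RNsUWm/SNyVbmY+5ezX/n95S7gQdMi
bA74/ID2+KsCXUY+HNNUQqFpyK67S09A6r0ZwPNUDbLgGnmCZRMDBPCHCbiK6e68
d75v6f/0nY4AyAAAyqwAELIAn6sy4rzoPbalxcO33eW0fUG/ir41qqo8BQrWKyEd
Q9gy8tGEqbLQ+B30bhIvBh10YtWq6fgFZJzWP6K8bBJGRvioFOyQHCaVH98UjwOm
/AqMTg7LwNrpRJGcKLHzUf3gNSHQGHfzAgMBAAGjggEmMIIBIjAdBgNVHQ4EFgQU
pRqJxaYdvv3XGEECUqj7DJJ8ptswgfIGA1UdIwSB6jCB54AUpRqJxaYdvv3XGEEC
Uqj7DJJ8ptuhgcOkgcAwgb0xCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlCcnlnZ2xh
bmQxDzANBgNVBAcTBk9lbGRhbDEkMCIGA1UEChMbUm95YWwgU3dlZGlzaCBCZWVy
IFNxdWFkcm9uMRIwEAYDVQQLEwlJbnRlcm5ldHoxJzAlBgNVBAMTHlJveWFsIFN3
ZWRpc2ggQmVlciBTcXVhZHJvbiBDQTEmMCQGCSqGSIb3DQEJARYXaG9zdG1hc3Rl
ckBpcHJlZGF0b3Iuc2WCCQCnnuGTDKb4czAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBBQUAA4IBAQB8nxZJaTvMMoSG47jD2w31zt9o6nSx8XJKop/0rMMHKBe1QBUw
/n3clGwYxBW8mTnrXHhmJkwJzA0Vh525+dkF28E0I+DSigKUXEewIZtKjADYSxaG
M+4272enbJ86JeXUhN8oF9TT+LKgMBgtt9yX5o63Ek6QOKwovH5kemDOVJmwae9p
tXQEWfCPDFMc7VfSxS4BDBVinRWeMWZs+2AWeWu2CMsjcx7+B+kPbBCzfANanFDD
CZEQON4pEpfK2XErhOudKEJGCl7psH+9Ex//pqsUS43nVN/4sqydiwbi+wQuUI3P
BYtvqPnWdjIdf2ayAQQCWliAx9+P03vbef6y
-----END CERTIFICATE-----
EOF
}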
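# Writes the IPredator tls-auth static key to $FILE_OVPN_TAKEY.
# The key is created inside a subshell with umask 077 so it is never
# world-readable, not even in the window before set_ipr_ovpn_permissions
# runs; `cat >` (not `>>`) keeps a re-run from appending a second copy.
# Returns non-zero if the directory cannot be created or the write fails.
write_ipr_takey() {
  log "Writing OpenVPN static key to $FILE_OVPN_TAKEY."
  mkdir -p "${FILE_OVPN_TAKEY%/*}" || return 1
  (
    umask 077
    cat > "$FILE_OVPN_TAKEY" << 'EOF'
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
03f7b2056b9dc67aa79c59852cb6b35a
a3a15c0ca685ca76890bbb169e298837
2bdc904116f5b66d8f7b3ea6a5ff05cb
fc4f4889d702d394710e48164b28094f
a0e1c7888d471da39918d747ca4bbc2f
285f676763b5b8bee9bc08e4b5a69315
d2ff6b9f4b38e6e2e8bcd05c8ac33c5c
56c4c44dbca35041b67e2374788f8977
7ad4ab8e06cd59e7164200dfbadb942a
351a4171ab212c23bee1920120f81205
efabaa5e34619f13adbe58b6c83536d3
0d34e6466feabdd0e63b39ad9bb1116b
37fafb95759ab9a15572842f70e7cba9
69700972a01b21229eba487745c091dd
5cd6d77bdc7a54a756ffe440789fd39e
97aa9abe2749732b7262f82e4097bee3
-----END OpenVPN Static key V1-----
EOF
  )
}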
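# Prompts for the IPredator username and password and writes them, one per
# line, to $FILE_OVPN_AUTH (the format OpenVPN's auth-user-pass expects).
# Changes from the original:
# - `read -r` so a backslash in the password is stored literally;
# - terminal echo is switched off while the password is typed (if stty is
#   unavailable the password is echoed, as before);
# - empty answers are re-prompted; EOF on stdin makes the function return 1
#   instead of writing an empty credentials file;
# - the file is created under umask 077 and written with printf, so it is
#   never world-readable and the password is not passed through heredoc
#   escape processing.
# Sets and then unsets the globals IPRUSER and IPRPW.
write_ipr_auth() {
  IPRUSER=
  while [ -z "$IPRUSER" ]; do
    log "Please enter your IPredator username:"
    read -r IPRUSER || return 1
  done
  IPRPW=
  while [ -z "$IPRPW" ]; do
    log "Please enter your IPredator password:"
    stty -echo 2>/dev/null
    read -r IPRPW
    rv=$?
    stty echo 2>/dev/null
    echo
    [ "$rv" -eq 0 ] || return 1
  done
  log "Writing authentication details to $FILE_OVPN_AUTH."
  mkdir -p "${FILE_OVPN_AUTH%/*}" || return 1
  rm -f -- "$FILE_OVPN_AUTH"
  ( umask 077; printf '%s\n' "$IPRUSER" "$IPRPW" > "$FILE_OVPN_AUTH" ) || return 1
  # Do not keep the secret in the shell environment longer than needed.
  unset IPRUSER IPRPW
  return 0
}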
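# Sets root-only (0600) permissions on every file this script created.
# Returns 1 if any file could not be chowned or chmodded, 0 otherwise; the
# original ignored per-file failures and only reported the last one.
set_ipr_ovpn_permissions() {
  log "Setting permissions on OpenVPN files."
  rv=0
  for f in "$FILE_OVPN_AUTH" "$FILE_OVPN_CONF" "$FILE_OVPN_CA" \
           "$FILE_OVPN_TAKEY" "$FILE_FW_RULES"; do
    set_permission "$f" || rv=1
  done
  return $rv
}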
set_permission() {
chown root:root $1
chmod 600 $1
}
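# Appends the 'IPredator' interface (bound to the tun device named in the
# OpenVPN config) to $FILE_NET_CONF so the firewall can reference it.
# Skips the append when the section is already present, so re-running the
# script does not produce duplicate interface sections.
create_ipr_device() {
  log "Creating IPredator network device."
  if grep -q "^config interface 'IPredator'" "$FILE_NET_CONF" 2>/dev/null; then
    log "IPredator interface already present in $FILE_NET_CONF, skipping."
    return 0
  fi
  cat >> "$FILE_NET_CONF" << 'EOF'
config interface 'IPredator'
option ifname 'tun1337'
option proto 'none'
EOF
}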
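# Deletes the current firewall ruleset in $FILE_FW_RULES.
# `-f` keeps a missing file from producing an error (the original `rm`
# complained on a device that had no firewall config yet).
clear_old_fwrules() {
  log "Removing old firewall configuration."
  rm -f -- "$FILE_FW_RULES"
}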
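# Replaces $FILE_FW_RULES with a ruleset that only forwards lan traffic into
# the 'ipr' (VPN) zone, so there is no internet access when OpenVPN is down.
# Returns non-zero if the file cannot be written.
# NOTE(review): the 'wan' zone below has input 'ACCEPT', which exposes every
# service listening on the router to the WAN side; OpenWrt's stock firewall
# rejects wan input and only opens what the explicit Allow-* rules need.
# Confirm this is intended before deploying.
set_ipr_fwrules() {
  log "Writing new firewall rules to $FILE_FW_RULES."
  clear_old_fwrules
  # `cat >` rather than `>>`: the file is being replaced, and this also
  # covers the case where clear_old_fwrules could not remove it.
  cat > "$FILE_FW_RULES" << 'EOF'
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option network 'wan'
option input 'ACCEPT'
config zone
option name 'ipr'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'IPredator'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config forwarding
option dest 'ipr'
option src 'lan'
EOF
}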
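# Announces completion, waits $REBOOT_DELAY seconds and reboots so the new
# network, firewall and OpenVPN configuration take effect.
# The message now reports $REBOOT_DELAY instead of a hard-coded "5", so the
# two cannot disagree when the constant is changed.
apply_changes() {
  log "Configuration of the system and firewall is done."
  log "Your system will reboot in $REBOOT_DELAY seconds."
  sleep "$REBOOT_DELAY"
  reboot
}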
# Exits with status 1 (message on stderr) unless the effective UID is 0.
verify_root() {
  [ "$(id -u)" -eq 0 ] && return 0
  printf '%s\n' "This script must be run as root." >&2
  exit 1
}
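# Main entry point: verifies UID 0, then runs every setup step in order and
# finally reboots via apply_changes.
# Each step's exit status is now checked; a failing step aborts with exit 1
# before the reboot, so the device is not rebooted into a half-written
# firewall/OpenVPN configuration (the original ignored all step statuses).
install_ipr_vpn() {
  log " Setup IPredator VPN on a basic OpenWrt router"
  verify_root
  for step in install_dependencies write_ipr_ovpn_conf write_ipr_ca \
              write_ipr_takey write_ipr_auth set_ipr_ovpn_permissions \
              create_ipr_device set_ipr_fwrules; do
    "$step" || {
      log "Step '$step' failed. Aborting before reboot; review the messages above."
      exit 1
    }
  done
  apply_changes
}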
# Script entry: run the installer. Positional parameters are passed through
# for uniformity; install_ipr_vpn does not currently read any.
install_ipr_vpn "$@"