matthewtran.com/scripts/setup_router.py

#!/usr/bin/env python3

import hashlib
import subprocess

ETH     = "enp5s0"
IPV4    = "192.168.1.69"
IPV6    = "69"
WG_IPV4 = "192.168.2.1"
WG_IPV6 = "fd32:76a6:ec61:577a::1"

def run(cmds):
    # ssh-keygen -t ed25519
    subprocess.run(["ssh", "root@OpenWrt.lan", ";".join(cmds)], check=True)

def mac():
    return open(f"/sys/class/net/{ETH}/address", "r").read().strip()

def duid():
    # adapted from https://github.com/mss/nm-duid
    id = bytes.fromhex(open("/etc/machine-id", "r").read().strip())
    return "0004" + hashlib.sha256(id).digest()[:16].hex()

def key():
    priv = subprocess.check_output(["wg", "genkey"]).strip()
    pub = subprocess.check_output(["wg", "pubkey"], input=priv).strip()
    return (pub.decode("utf-8"), priv.decode("utf-8"))

if __name__ == "__main__":
    # prevent access using WAN addresses
    run([
        "uci set dropbear.main.Interface='lan'",
    ])

    # static IP
    run([
        "uci add dhcp host",
        "uci set dhcp.@host[-1].name='matt-ryzen'",
        f"uci set dhcp.@host[-1].mac='{mac()}'",
        f"uci set dhcp.@host[-1].ip='{IPV4}'",
        f"uci set dhcp.@host[-1].duid='{duid()}'",
        f"uci set dhcp.@host[-1].hostid='{IPV6}'",
        "uci commit dhcp",
        "service dnsmasq restart",
        "service odhcpd restart",
    ])

    # forward traffic
    PORTS = {
        "http"        : "80",
        "https"       : "443",
        "git"         : "2222",
        "monerod"     : "18080-18081",
        "p2pool"      : "3333",
        "p2pool2"     : "37888-37889",
        "minecraft"   : "25565",
        "minecraft_be": "19132-19133",
        "terraria"    : "7777",
    }
    for name in PORTS:
        run([
            # IPv4 port forward
            "uci add firewall redirect",
            f"uci set firewall.@redirect[-1].name='{name}'",
            "uci set firewall.@redirect[-1].target='DNAT'",
            "uci set firewall.@redirect[-1].family='IPv4'",
            "uci set firewall.@redirect[-1].src='wan'",
            f"uci set firewall.@redirect[-1].src_dport='{PORTS[name]}'",
            "uci set firewall.@redirect[-1].dest='lan'",
            f"uci set firewall.@redirect[-1].dest_ip='{IPV4}'",
            f"uci set firewall.@redirect[-1].dest_port='{PORTS[name]}'",

            # IPv6 traffic rules
            "uci add firewall rule",
            f"uci set firewall.@rule[-1].name='allow-{name}'",
            "uci set firewall.@rule[-1].src='wan'",
            "uci set firewall.@rule[-1].dest='lan'",
            f"uci set firewall.@rule[-1].dest_ip='::{IPV6}/-64'", # xfinity provides /64 => /-64 match
            f"uci set firewall.@rule[-1].dest_port='{PORTS[name]}'",
            "uci set firewall.@rule[-1].target='ACCEPT'",
        ])
    run([
        "uci commit firewall",
        "service firewall restart",
    ])

    # wireguard setup
    pub, priv = key()
    run([
        # install packages
        "opkg update",
        "opkg install luci-proto-wireguard",

        # create interface
        "uci set network.wg0=interface",
        "uci set network.wg0.proto='wireguard'",
        f"uci set network.wg0.private_key='{priv}'",
        "uci set network.wg0.listen_port='51820'",
        f"uci add_list network.wg0.addresses='{WG_IPV4}/24'",
        f"uci add_list network.wg0.addresses='{WG_IPV6}/64'",
        "uci commit network",

        # allow traffic
        "uci del firewall.@zone[0].network",
        "uci add_list firewall.@zone[0].network='lan'",
        "uci add_list firewall.@zone[0].network='wg0'",
        "uci add firewall rule",
        "uci set firewall.@rule[-1].name='allow-wireguard'",
        "uci add_list firewall.@rule[-1].proto='udp'",
        "uci set firewall.@rule[-1].src='wan'",
        "uci set firewall.@rule[-1].dest_port='51820'",
        "uci set firewall.@rule[-1].target='ACCEPT'",
        "uci commit firewall",
    ])