Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
#!/bin/bash
|
|
|
|
|
2022-08-05 21:11:22 +00:00
|
|
|
PLAT="$(grep -sEe '^NAME\=' /etc/os-release \
|
|
|
|
| sed -E -e "s/NAME\=[\'\"]?([^ ]*).*/\1/")"
|
2022-07-26 13:20:35 +00:00
|
|
|
|
2020-05-25 14:24:50 +00:00
|
|
|
# dual protocol, VPN type supplied as $1
|
2022-07-27 12:53:36 +00:00
|
|
|
VPN="${1}"
|
2020-05-25 14:24:50 +00:00
|
|
|
setupVars="/etc/pivpn/${VPN}/setupVars.conf"
|
|
|
|
ERR=0
|
|
|
|
|
2022-07-27 12:53:36 +00:00
|
|
|
err() {
|
|
|
|
echo "[$(date +'%Y-%m-%dT%H:%M:%S%z')]: $*" >&2
|
|
|
|
}
|
|
|
|
|
|
|
|
if [[ ! -f "${setupVars}" ]]; then
|
|
|
|
err "::: Missing setup vars file!"
|
|
|
|
exit 1
|
2020-05-25 14:24:50 +00:00
|
|
|
fi
|
|
|
|
|
2021-11-02 16:01:08 +00:00
|
|
|
# SC1090 disabled as setupVars file differs from system to system
|
|
|
|
# shellcheck disable=SC1090
|
Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
source "${setupVars}"
|
|
|
|
|
2022-07-27 12:53:36 +00:00
|
|
|
if [[ "${VPN}" == "wireguard" ]]; then
|
|
|
|
VPN_PRETTY_NAME="WireGuard"
|
|
|
|
VPN_SERVICE="wg-quick@wg0"
|
2022-07-26 13:20:35 +00:00
|
|
|
|
2022-07-27 12:53:36 +00:00
|
|
|
if [[ "${PLAT}" == 'Alpine' ]]; then
|
|
|
|
VPN_SERVICE='wg-quick'
|
|
|
|
fi
|
|
|
|
elif [[ "${VPN}" == "openvpn" ]]; then
|
|
|
|
VPN_SERVICE="openvpn"
|
|
|
|
VPN_PRETTY_NAME="OpenVPN"
|
Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
fi
|
|
|
|
|
2022-07-27 12:53:36 +00:00
|
|
|
if [[ "$(< /proc/sys/net/ipv4/ip_forward)" -eq 1 ]]; then
|
|
|
|
echo ":: [OK] IP forwarding is enabled"
|
Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
else
|
2022-07-27 12:53:36 +00:00
|
|
|
ERR=1
|
2022-08-09 08:09:25 +00:00
|
|
|
read -r \
|
2022-07-27 12:53:36 +00:00
|
|
|
-p ":: [ERR] IP forwarding is not enabled, attempt fix now? [Y/n] " \
|
|
|
|
REPLY
|
|
|
|
|
|
|
|
if [[ "${REPLY}" =~ ^[Yy]$ ]] || [[ -z "${REPLY}" ]]; then
|
|
|
|
sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
|
|
|
|
sysctl -p
|
|
|
|
echo "Done"
|
|
|
|
fi
|
Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
fi
|
|
|
|
|
2022-07-27 12:53:36 +00:00
|
|
|
if [[ "${USING_UFW}" -eq 0 ]]; then
|
|
|
|
# Disabled SC Warnings for SC2154, values
|
|
|
|
# for variables are sourced from setupVars
|
|
|
|
# shellcheck disable=SC2154
|
|
|
|
if iptables \
|
|
|
|
-t nat \
|
|
|
|
-C POSTROUTING \
|
|
|
|
-s "${pivpnNET}/${subnetClass}" \
|
|
|
|
-o "${IPv4dev}" \
|
|
|
|
-j MASQUERADE \
|
|
|
|
-m comment \
|
|
|
|
--comment "${VPN}-nat-rule" &> /dev/null; then
|
|
|
|
echo ":: [OK] Iptables MASQUERADE rule set"
|
|
|
|
else
|
|
|
|
ERR=1
|
|
|
|
echo -n ":: [ERR] Iptables MASQUERADE rule is not set, "
|
|
|
|
echo -n "attempt fix now? [Y/n] "
|
|
|
|
read -r REPLY
|
|
|
|
|
|
|
|
if [[ "${REPLY}" =~ ^[Yy]$ ]] || [[ -z "${REPLY}" ]]; then
|
|
|
|
iptables \
|
|
|
|
-t nat \
|
|
|
|
-I POSTROUTING \
|
|
|
|
-s "${pivpnNET}/${subnetClass}" \
|
|
|
|
-o "${IPv4dev}" \
|
|
|
|
-j MASQUERADE \
|
|
|
|
-m comment \
|
|
|
|
--comment "${VPN}-nat-rule"
|
|
|
|
|
|
|
|
iptables-save > /etc/iptables/rules.v4
|
|
|
|
echo "Done"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [[ "${INPUT_CHAIN_EDITED}" -eq 1 ]]; then
|
|
|
|
# Disabled SC Warnings for SC2154, values
|
|
|
|
# for variables are sourced from setupVars
|
|
|
|
# shellcheck disable=SC2154
|
|
|
|
if iptables \
|
|
|
|
-C INPUT \
|
|
|
|
-i "${IPv4dev}" \
|
|
|
|
-p "${pivpnPROTO}" \
|
|
|
|
--dport "${pivpnPORT}" \
|
|
|
|
-j ACCEPT \
|
|
|
|
-m comment \
|
|
|
|
--comment "${VPN}-input-rule" &> /dev/null; then
|
|
|
|
echo ":: [OK] Iptables INPUT rule set"
|
|
|
|
else
|
|
|
|
ERR=1
|
2022-08-09 08:09:25 +00:00
|
|
|
read -r \
|
2022-07-27 12:53:36 +00:00
|
|
|
-p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " \
|
|
|
|
REPLY
|
|
|
|
|
|
|
|
if [[ "${REPLY}" =~ ^[Yy]$ ]] || [[ -z "${REPLY}" ]]; then
|
|
|
|
iptables \
|
|
|
|
-I INPUT 1 \
|
|
|
|
-i "${IPv4dev}" \
|
|
|
|
-p "${pivpnPROTO}" \
|
|
|
|
--dport "${pivpnPORT}" \
|
|
|
|
-j ACCEPT \
|
|
|
|
-m comment \
|
|
|
|
--comment "${VPN}-input-rule"
|
Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
|
2022-07-27 12:53:36 +00:00
|
|
|
iptables-save > /etc/iptables/rules.v4
|
|
|
|
echo "Done"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [[ "${FORWARD_CHAIN_EDITED}" -eq 1 ]]; then
|
|
|
|
# Disabled SC Warnings for SC2154, values
|
|
|
|
# for variables are sourced from setupVars
|
|
|
|
# shellcheck disable=SC2154
|
|
|
|
if iptables \
|
|
|
|
-C FORWARD \
|
|
|
|
-s "${pivpnNET}/${subnetClass}" \
|
|
|
|
-i "${pivpnDEV}" \
|
|
|
|
-o "${IPv4dev}" \
|
|
|
|
-j ACCEPT \
|
|
|
|
-m comment \
|
|
|
|
--comment "${VPN}-forward-rule" &> /dev/null; then
|
|
|
|
echo ":: [OK] Iptables FORWARD rule set"
|
|
|
|
else
|
|
|
|
ERR=1
|
|
|
|
echo -n ":: [ERR] Iptables FORWARD rule is not set, "
|
|
|
|
echo -n "attempt fix now? [Y/n] "
|
|
|
|
read -r REPLY
|
|
|
|
|
|
|
|
if [[ "${REPLY}" =~ ^[Yy]$ ]] || [[ -z "${REPLY}" ]]; then
|
|
|
|
iptables \
|
|
|
|
-I FORWARD 1 \
|
|
|
|
-d "${pivpnNET}/${subnetClass}" \
|
|
|
|
-i "${IPv4dev}" \
|
|
|
|
-o "${pivpnDEV}" \
|
|
|
|
-m conntrack \
|
|
|
|
--ctstate RELATED,ESTABLISHED \
|
|
|
|
-j ACCEPT \
|
|
|
|
-m comment \
|
|
|
|
--comment "${VPN}-forward-rule"
|
|
|
|
|
|
|
|
iptables \
|
|
|
|
-I FORWARD 2 \
|
|
|
|
-s "${pivpnNET}/${subnetClass}" \
|
|
|
|
-i "${pivpnDEV}" \
|
|
|
|
-o "${IPv4dev}" \
|
|
|
|
-j ACCEPT \
|
|
|
|
-m comment \
|
|
|
|
--comment "${VPN}-forward-rule"
|
|
|
|
|
|
|
|
iptables-save > /etc/iptables/rules.v4
|
|
|
|
echo "Done"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
fi
|
Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
else
|
2022-07-27 12:53:36 +00:00
|
|
|
if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then
|
|
|
|
echo ":: [OK] Ufw is enabled"
|
|
|
|
else
|
|
|
|
ERR=1
|
|
|
|
echo -n ":: [ERR] Ufw is not enabled, "
|
|
|
|
echo -n "try to enable now? [Y/n] "
|
|
|
|
read -r REPLY
|
|
|
|
|
|
|
|
if [[ "${REPLY}" =~ ^[Yy]$ ]] || [[ -z "${REPLY}" ]]; then
|
|
|
|
ufw enable
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
if iptables \
|
|
|
|
-t nat \
|
|
|
|
-C POSTROUTING \
|
|
|
|
-s "${pivpnNET}/${subnetClass}" \
|
|
|
|
-o "${IPv4dev}" \
|
|
|
|
-j MASQUERADE \
|
|
|
|
-m comment \
|
|
|
|
--comment "${VPN}-nat-rule" &> /dev/null; then
|
|
|
|
echo ":: [OK] Iptables MASQUERADE rule set"
|
|
|
|
else
|
|
|
|
ERR=1
|
|
|
|
echo -n ":: [ERR] Iptables MASQUERADE rule is not set, "
|
|
|
|
echo -n "attempt fix now? [Y/n] "
|
|
|
|
read -r REPLY
|
Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
|
2022-07-27 12:53:36 +00:00
|
|
|
if [[ "${REPLY}" =~ ^[Yy]$ ]] || [[ -z "${REPLY}" ]]; then
|
|
|
|
sed_pattern='/delete these required/i'
|
|
|
|
sed_pattern="${sed_pattern} *nat\n:POSTROUTING ACCEPT [0:0]\n"
|
|
|
|
sed_pattern="${sed_pattern} -I POSTROUTING"
|
|
|
|
sed_pattern="${sed_pattern} -s ${pivpnNET}/${subnetClass}"
|
|
|
|
sed_pattern="${sed_pattern} -o ${IPv4dev}"
|
|
|
|
sed_pattern="${sed_pattern} -j MASQUERADE"
|
|
|
|
sed_pattern="${sed_pattern} -m comment"
|
|
|
|
sed_pattern="${sed_pattern} --comment ${VPN}-nat-rule\n"
|
|
|
|
sed_pattern="${sed_pattern}COMMIT\n"
|
Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
|
2022-07-27 12:53:36 +00:00
|
|
|
sed "${sed_pattern}" -i /etc/ufw/before.rules
|
|
|
|
ufw reload
|
|
|
|
echo "Done"
|
|
|
|
unset sed_pattern
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
if iptables \
|
|
|
|
-C ufw-user-input \
|
|
|
|
-p "${pivpnPROTO}" \
|
|
|
|
--dport "${pivpnPORT}" \
|
|
|
|
-j ACCEPT &> /dev/null; then
|
|
|
|
echo ":: [OK] Ufw input rule set"
|
|
|
|
else
|
|
|
|
ERR=1
|
2022-08-09 08:09:25 +00:00
|
|
|
read -r \
|
2022-07-27 12:53:36 +00:00
|
|
|
-p ":: [ERR] Ufw input rule is not set, attempt fix now? [Y/n] " \
|
|
|
|
REPLY
|
|
|
|
|
|
|
|
if [[ "${REPLY}" =~ ^[Yy]$ ]] || [[ -z "${REPLY}" ]]; then
|
|
|
|
ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}"
|
|
|
|
ufw reload
|
|
|
|
echo "Done"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
if iptables \
|
|
|
|
-C ufw-user-forward \
|
|
|
|
-i "${pivpnDEV}" \
|
|
|
|
-o "${IPv4dev}" \
|
|
|
|
-s "${pivpnNET}/${subnetClass}" \
|
|
|
|
-j ACCEPT &> /dev/null; then
|
|
|
|
echo ":: [OK] Ufw forwarding rule set"
|
|
|
|
else
|
|
|
|
ERR=1
|
2022-08-09 08:09:25 +00:00
|
|
|
read -r \
|
2022-07-27 12:53:36 +00:00
|
|
|
-p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " \
|
|
|
|
REPLY
|
|
|
|
|
|
|
|
if [[ "${REPLY}" =~ ^[Yy]$ ]] || [[ -z "${REPLY}" ]]; then
|
|
|
|
ufw route insert 1 allow in on "${pivpnDEV}" \
|
|
|
|
from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any
|
|
|
|
ufw reload
|
|
|
|
echo "Done"
|
|
|
|
fi
|
|
|
|
fi
|
Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
fi
|
|
|
|
|
2022-07-27 12:53:36 +00:00
|
|
|
if [[ "${PLAT}" == 'Alpine' ]]; then
|
2022-08-05 21:11:22 +00:00
|
|
|
if [[ "$(rc-service "${VPN_SERVICE}" status \
|
|
|
|
| sed -E -e 's/.*status\: (.*)/\1/')" == 'started' ]]; then
|
2022-07-27 12:53:36 +00:00
|
|
|
echo ":: [OK] ${VPN_PRETTY_NAME} is running"
|
|
|
|
else
|
|
|
|
ERR=1
|
|
|
|
echo -n ":: [ERR] ${VPN_PRETTY_NAME} is not running, "
|
|
|
|
echo -n "try to start now? [Y/n] "
|
|
|
|
read -r REPLY
|
|
|
|
|
|
|
|
if [[ "${REPLY}" =~ ^[Yy]$ ]] || [[ -z "${REPLY}" ]]; then
|
|
|
|
rc-service -s "${VPN_SERVICE}" restart
|
|
|
|
rc-service -N "${VPN_SERVICE}" start
|
|
|
|
echo "Done"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
2022-08-05 21:11:22 +00:00
|
|
|
if rc-update show default \
|
|
|
|
| grep -sEe "\s*${VPN_SERVICE} .*" &> /dev/null; then
|
2022-07-27 12:53:36 +00:00
|
|
|
echo -n ":: [OK] ${VPN_PRETTY_NAME} is enabled "
|
|
|
|
echo "(it will automatically start on reboot)"
|
|
|
|
else
|
|
|
|
ERR=1
|
|
|
|
echo -n ":: [ERR] ${VPN_PRETTY_NAME} is not enabled, "
|
|
|
|
echo -n "try to enable now? [Y/n] "
|
|
|
|
read -r REPLY
|
|
|
|
|
|
|
|
if [[ "${REPLY}" =~ ^[Yy]$ ]] || [[ -z "${REPLY}" ]]; then
|
|
|
|
rc-update add "${VPN_SERVICE}" default
|
|
|
|
echo "Done"
|
|
|
|
fi
|
|
|
|
fi
|
Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
else
|
2022-07-27 12:53:36 +00:00
|
|
|
if systemctl is-active -q "${VPN_SERVICE}"; then
|
|
|
|
echo ":: [OK] ${VPN_PRETTY_NAME} is running"
|
|
|
|
else
|
|
|
|
ERR=1
|
|
|
|
echo -n ":: [ERR] ${VPN_PRETTY_NAME} is not running, "
|
|
|
|
echo -n "try to start now? [Y/n] "
|
|
|
|
read -r REPLY
|
|
|
|
|
|
|
|
if [[ "${REPLY}" =~ ^[Yy]$ ]] || [[ -z "${REPLY}" ]]; then
|
|
|
|
systemctl start "${VPN_SERVICE}"
|
|
|
|
echo "Done"
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
if systemctl is-enabled -q "${VPN_SERVICE}"; then
|
|
|
|
echo ":: [OK] ${VPN_PRETTY_NAME} is enabled "
|
|
|
|
echo "(it will automatically start on reboot)"
|
|
|
|
else
|
|
|
|
ERR=1
|
|
|
|
echo -n ":: [ERR] ${VPN_PRETTY_NAME} is not enabled, "
|
|
|
|
echo -n "try to enable now? [Y/n] "
|
|
|
|
read -r REPLY
|
|
|
|
|
|
|
|
if [[ "${REPLY}" =~ ^[Yy]$ ]] || [[ -z "${REPLY}" ]]; then
|
|
|
|
systemctl enable "${VPN_SERVICE}"
|
|
|
|
echo "Done"
|
|
|
|
fi
|
|
|
|
fi
|
Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
fi
|
|
|
|
|
|
|
|
# grep -w (whole word) is used so port 11940 won't match when looking for 1194
|
|
|
|
if netstat -antu | grep -wqE "${pivpnPROTO}.*${pivpnPORT}"; then
|
2022-07-27 12:53:36 +00:00
|
|
|
echo -n ":: [OK] ${VPN_PRETTY_NAME} is listening "
|
|
|
|
echo "on port ${pivpnPORT}/${pivpnPROTO}"
|
Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
else
|
2022-07-27 12:53:36 +00:00
|
|
|
ERR=1
|
|
|
|
echo -n ":: [ERR] ${VPN_PRETTY_NAME} is not listening, "
|
|
|
|
echo -n "try to restart now? [Y/n] "
|
|
|
|
read -r REPLY
|
|
|
|
|
|
|
|
if [[ "${REPLY}" =~ ^[Yy]$ ]] || [[ -z "${REPLY}" ]]; then
|
|
|
|
if [[ "${PLAT}" == 'Alpine' ]]; then
|
|
|
|
rc-service -s "${VPN_SERVICE}" restart
|
|
|
|
rc-service -N "${VPN_SERVICE}" start
|
|
|
|
else
|
|
|
|
systemctl restart "${VPN_SERVICE}"
|
|
|
|
fi
|
|
|
|
|
|
|
|
echo "Done"
|
|
|
|
fi
|
Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
fi
|
|
|
|
|
2022-07-27 12:53:36 +00:00
|
|
|
if [[ "${ERR}" -eq 1 ]]; then
|
|
|
|
echo -e "[INFO] Run \e[1mpivpn -d\e[0m again to see if we detect issues"
|
Merge test (#929)
* added link to server status dashboard
* Replaced Header with bold instead
* More safeguards, some fixes, standardized some code, WireGuard update script, removed redundant code
- Add curl as a dependency for those who run the script without 'curl URL | bash'.
- Use POSIX 'command -v' instead of 'hash'.
- Check if packages have actually been installed and abort execution if they have not.
- Fixed issue with getStaticIPv4Settings() that prevented existing network settings
to be used as static IP settings when running the script unattended with empty
$IPv4addr and $IPv4gw variables.
- Exit if processing wireguard-linux-compat fails.
- Exit if 50unattended-upgrades fails to extract.
- Exit clientSTAT.sh if the wg0 interface is not available.
- Moved the Self Check to a single script since dedicated versions were very similar.
- Add 'pivpn -wg' to update WireGuard for users running Raspbian with armv6l kernel.
* Fixed cosmetic issue with spinner, added missing spinner to some APT commands
* Detect current netmask, validate user input when configuring a static IP
* Inform the user when updating the package cache, which can be slow on some RPis
* Invalidate $IPv4Addr and $IPv4gw when the user claims those settings are not correct
* Restart pihole in the more appropriate restartServices() function
* Improve static IP selection, validate public DNS name of the server
- Default to 'No' when asking if the RPi has DHCP reservation, considered
that the user may not be fully aware, furthermore, setting a static IP
anyways doesn't do harm.
- Validate existing IPv4 settings (address, gateway, DNS) to avoid filling
'/etc/dhcpcd.conf' with invalid data.
- Validate public DNS name of the server inside askPublicIPOrDNS() function
* Check DH parameters, fix 'pivpn -c', improvements when dealing with external repositories
- Added a basic sanity check to downloaded DH paramenters, which doubles as a
check for missing .pem file.
- Fix 'pivpn -c' showing the month number instead of the day of the month when
using WireGuard.
- Removing APT keys is risky, it would break APT update/upgrade if the user
already was already using the unstable repo.
- Replaced 'Checking for $i... installed' in favor of a more clear 'Checking for
$i... already installed'.
- Check whether the OpenVPN repo and the Debian unstable repo are already used.
* Improvements to getStaticIPv4Settings()
- Use a regular expression to extract IPs from the 'ip' command. With this,
there is a little need to validate output. Even though the regex will match
invalid IPs like 192.168.23.444, 'ip' can't return them, and even if it did,
the script would not have reached this function due to previous functions
using the network with broken routes and addresses.
- Get the IP address from the selected interface rather then from the 'ip route'
command as it's not guaranteed that such IP is the same of the interface the
user decided to use (though on a Raspberry Pi inside a home LAN, most likely
it is, but it also maskes easier to get the IP in the CIDR notation with a
single 'ip | grep' pipe).
* Moved command substitution to specific functions to avoid unnecessary execution
- Moved $availableInterfaces and $CurrentIPv4gw from the script header to
their relevant function, considered that if the OS is not Raspbian a static
IP is not set, so those variables are not used.
* Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919
- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can
still generate his own if he wishes).
https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2020-01-31 15:40:09 +00:00
|
|
|
fi
|