Some changes from pull request 963

- Make sure to install WireGuard only if platform is Raspbian or an x86 Debian/Ubuntu
  - Install WireGuard from bullseye repository instead of unstable
  - Reduced WireGuard package priority to the minimum that allows upgrades
Orazio 2020-03-04 12:48:14 +01:00
parent f749d6b722
commit 0a30365d65
4 changed files with 144 additions and 376 deletions


@ -14,10 +14,18 @@
pivpnGitUrl="https://github.com/pivpn/pivpn.git" pivpnGitUrl="https://github.com/pivpn/pivpn.git"
setupVars="/etc/pivpn/setupVars.conf" setupVars="/etc/pivpn/setupVars.conf"
pivpnFilesDir="/etc/.pivpn" pivpnFilesDir="/etc/.pivpn"
piholeSetupVars="/etc/pihole/setupVars.conf" piholeSetupVars="/etc/pihole/setupVars.conf"
dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf" dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf"
### PKG Vars ### dhcpcdFile="/etc/dhcpcd.conf"
subnetClass="24"
debianOvpnUserGroup="openvpn:openvpn"
# OpenVPN GPG fingerprint (you can look it up at https://keyserver.ubuntu.com)
OPENVPN_KEY_ID="0x30ebf4e73cce63eee124dd278e6da8b4e158c569"
######## PKG Vars ########
PKG_MANAGER="apt-get" PKG_MANAGER="apt-get"
PKG_CACHE="/var/lib/apt/lists/" PKG_CACHE="/var/lib/apt/lists/"
### FIXME: quoting UPDATE_PKG_CACHE and PKG_INSTALL hangs the script, shellcheck SC2086 ### FIXME: quoting UPDATE_PKG_CACHE and PKG_INSTALL hangs the script, shellcheck SC2086
@ -33,32 +41,26 @@ BASE_DEPS=(git tar wget curl grep dnsutils whiptail net-tools bsdmainutils)
# PiVPN we won't prompt to remove packages that may have been installed by the user for other reasons # PiVPN we won't prompt to remove packages that may have been installed by the user for other reasons
INSTALLED_PACKAGES=() INSTALLED_PACKAGES=()
######## URLs ########
easyrsaVer="3.0.6" easyrsaVer="3.0.6"
easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz" easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
subnetClass="24"
dhcpcdFile="/etc/dhcpcd.conf"
debianOvpnUserGroup="openvpn:openvpn"
# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config # Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config
UNATTUPG_RELEASE="1.16" UNATTUPG_RELEASE="1.16"
UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz" UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz"
# GPG fingerprints (you can look them up at https://keyserver.ubuntu.com) ######## Undocumented Flags. Shhh ########
OPENVPN_REPO_KEY="0x30ebf4e73cce63eee124dd278e6da8b4e158c569" runUnattended=false
DEBIAN_STRETCH_KEY="0xe1cf20ddffe4b89e802658f1e0b11894f66aec98" skipSpaceCheck=false
DEBIAN_BUSTER_KEY="0x80d15823b7fd1561f9f7bcdddc30d7c23cbbabee" reconfigure=false
######## SCRIPT ########
# Find the rows and columns. Will default to 80x24 if it can not be detected. # Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80) screen_size=$(stty size 2>/dev/null || echo 24 80)
rows=$(echo "$screen_size" | awk '{print $1}') rows=$(echo "$screen_size" | awk '{print $1}')
columns=$(echo "$screen_size" | awk '{print $2}') columns=$(echo "$screen_size" | awk '{print $2}')
######## Undocumented Flags. Shhh ########
runUnattended=false
skipSpaceCheck=false
reconfigure=false
# Divide by two so the dialogs take up half of the screen, which looks nice. # Divide by two so the dialogs take up half of the screen, which looks nice.
r=$(( rows / 2 )) r=$(( rows / 2 ))
c=$(( columns / 2 )) c=$(( columns / 2 ))
@ -66,8 +68,6 @@ c=$(( columns / 2 ))
r=$(( r < 20 ? 20 : r )) r=$(( r < 20 ? 20 : r ))
c=$(( c < 70 ? 70 : c )) c=$(( c < 70 ? 70 : c ))
######## SCRIPT ############
main(){ main(){
######## FIRST CHECK ######## ######## FIRST CHECK ########
@ -252,6 +252,15 @@ distroCheck(){
OSCN=${VER_MAP["${VER}"]} OSCN=${VER_MAP["${VER}"]}
fi fi
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
DPKG_ARCH="$(dpkg --print-architecture)"
if [ "$DPKG_ARCH" = "amd64" ] || [ "$DPKG_ARCH" = "i386" ]; then
X86_SYSTEM=1
else
X86_SYSTEM=0
fi
fi
case ${PLAT} in case ${PLAT} in
Debian|Raspbian|Ubuntu) Debian|Raspbian|Ubuntu)
case ${OSCN} in case ${OSCN} in
@ -986,6 +995,11 @@ installPiVPN(){
askWhichVPN askWhichVPN
if [ "$VPN" = "openvpn" ]; then if [ "$VPN" = "openvpn" ]; then
pivpnDEV="tun0"
pivpnNET="10.8.0.0"
vpnGw="${pivpnNET/.0.0/.0.1}"
installOpenVPN installOpenVPN
askCustomProto askCustomProto
askCustomPort askCustomPort
@ -997,64 +1011,83 @@ installPiVPN(){
confOVPN confOVPN
confNetwork confNetwork
confLogging confLogging
elif [ "$VPN" = "wireguard" ]; then elif [ "$VPN" = "wireguard" ]; then
# Since WireGuard only uses UDP, askCustomProto() is never called so we
# set the protocol here.
pivpnPROTO="udp"
pivpnDEV="wg0"
pivpnNET="10.6.0.0"
vpnGw="${pivpnNET/.0.0/.0.1}"
installWireGuard installWireGuard
askCustomPort askCustomPort
askClientDNS askClientDNS
askPublicIPOrDNS askPublicIPOrDNS
confWireGuard confWireGuard
confNetwork confNetwork
echo "pivpnPROTO=${pivpnPROTO}" >> /tmp/setupVars.conf
fi fi
echo "pivpnDEV=${pivpnDEV}" >> /tmp/setupVars.conf
echo "pivpnNET=${pivpnNET}" >> /tmp/setupVars.conf
echo "subnetClass=${subnetClass}" >> /tmp/setupVars.conf
} }
askWhichVPN(){ askWhichVPN(){
if [ "${runUnattended}" = 'true' ]; then if [ "${runUnattended}" = 'true' ]; then
if [ -z "$VPN" ]; then if [ "$PLAT" = "Raspbian" ] || [ "$X86_SYSTEM" -eq 1 ]; then
echo ":: No VPN protocol specified, using WireGuard" if [ -z "$VPN" ]; then
VPN="wireguard" echo ":: No VPN protocol specified, using WireGuard"
else VPN="wireguard"
VPN="${VPN,,}"
if [ "$VPN" = "wireguard" ]; then
echo "::: WireGuard will be installed"
elif [ "$VPN" = "openvpn" ]; then
echo "::: OpenVPN will be installed"
else else
echo ":: $VPN is not a supported VPN protocol, please specify 'wireguard' or 'openvpn'" VPN="${VPN,,}"
exit 1 if [ "$VPN" = "wireguard" ]; then
echo "::: WireGuard will be installed"
elif [ "$VPN" = "openvpn" ]; then
echo "::: OpenVPN will be installed"
else
echo ":: $VPN is not a supported VPN protocol, please specify 'wireguard' or 'openvpn'"
exit 1
fi
fi
elif [ "$X86_SYSTEM" -eq 0 ]; then
if [ -z "$VPN" ]; then
echo ":: No VPN protocol specified, using OpenVPN"
VPN="openvpn"
else
VPN="${VPN,,}"
if [ "$VPN" = "openvpn" ]; then
echo "::: OpenVPN will be installed"
else
echo ":: $VPN is not a supported VPN protocol on $DPKG_ARCH $PLAT, only 'openvpn' is"
exit 1
fi
fi fi
fi fi
else else
chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\\n\\nIt's the recommended choice expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\\n\\nChoose a VPN (press space to select):" "${r}" "${c}" 2) if [ "$PLAT" = "Raspbian" ] || [ "$X86_SYSTEM" -eq 1 ]; then
VPNChooseOptions=(WireGuard "" on chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\\n\\nIt's the recommended choice expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\\n\\nChoose a VPN (press space to select):" "${r}" "${c}" 2)
OpenVPN "" off) VPNChooseOptions=(WireGuard "" on
OpenVPN "" off)
if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then
echo "::: Using VPN: $VPN" echo "::: Using VPN: $VPN"
VPN="${VPN,,}" VPN="${VPN,,}"
else else
echo "::: Cancel selected, exiting...." echo "::: Cancel selected, exiting...."
exit 1 exit 1
fi
elif [ "$X86_SYSTEM" -eq 0 ]; then
echo "::: Using VPN: OpenVPN"
VPN="openvpn"
fi fi
fi fi
if [ "$VPN" = "wireguard" ]; then
# Since WireGuard only uses UDP, askCustomProto() is never called so we
# set the protocol here (it's not actually required to save the value, but
# it might be useful for the user when port forwarding).
pivpnPROTO="udp"
echo "pivpnPROTO=${pivpnPROTO}" >> /tmp/setupVars.conf
pivpnDEV="wg0"
pivpnNET="10.6.0.0"
elif [ "$VPN" = "openvpn" ]; then
pivpnDEV="tun0"
pivpnNET="10.8.0.0"
fi
vpnGw="${pivpnNET/.0.0/.0.1}"
echo "VPN=${VPN}" >> /tmp/setupVars.conf echo "VPN=${VPN}" >> /tmp/setupVars.conf
echo "pivpnDEV=${pivpnDEV}" >> /tmp/setupVars.conf
echo "pivpnNET=${pivpnNET}" >> /tmp/setupVars.conf
echo "subnetClass=${subnetClass}" >> /tmp/setupVars.conf
} }
installOpenVPN(){ installOpenVPN(){
@ -1063,32 +1096,29 @@ installOpenVPN(){
echo "::: Installing OpenVPN from Debian package... " echo "::: Installing OpenVPN from Debian package... "
# Use x86-only OpenVPN APT repo on x86 Debian/Ubuntu systems # Use x86-only OpenVPN APT repo on x86 Debian/Ubuntu systems
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then if [ "$PLAT" != "Raspbian" ] && [ "$X86_SYSTEM" -eq 1 ]; then
local DPKG_ARCH="$(dpkg --print-architecture)" # gnupg is used by apt-key to import the openvpn GPG key into the
if [ "$DPKG_ARCH" = "amd64" ] || [ "$DPKG_ARCH" = "i386" ]; then # APT keyring
# gnupg is used by apt-key to import the openvpn GPG key into the PIVPN_DEPS=(gnupg)
# APT keyring installDependentPackages PIVPN_DEPS[@]
PIVPN_DEPS=(gnupg)
installDependentPackages PIVPN_DEPS[@]
# We will download the repository key regardless of whether the user # We will download the repository key regardless of whether the user
# has already enabled the openvpn repository or not, just to make sure # has already enabled the openvpn repository or not, just to make sure
# we have the right key # we have the right key
echo "::: Adding repository key..." echo "::: Adding repository key..."
if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$OPENVPN_REPO_KEY"; then if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$OPENVPN_KEY_ID"; then
echo "::: Failed to import OpenVPN GPG key" echo "::: Failed to import OpenVPN GPG key"
exit 1 exit 1
fi
if ! grep -qR "deb http.\?://build.openvpn.net/debian/openvpn/stable.\? $OSCN main" /etc/apt/sources.list*; then
echo "::: Adding OpenVPN repository... "
echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
fi
echo "::: Updating package cache..."
# shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
fi fi
if ! grep -qR "deb http.\?://build.openvpn.net/debian/openvpn/stable.\? $OSCN main" /etc/apt/sources.list*; then
echo "::: Adding OpenVPN repository... "
echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
fi
echo "::: Updating package cache..."
# shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
fi fi
# grepcidr is used to redact IPs in the debug log whereas expect is used # grepcidr is used to redact IPs in the debug log whereas expect is used
@ -1145,147 +1175,40 @@ installWireGuard(){
fi fi
fi fi
# If this Raspberry Pi uses armv7l we can use the package from the repo
# https://lists.zx2c4.com/pipermail/wireguard/2017-November/001885.html
# Otherwhise compile and build the kernel module via DKMS (so it will
# be recompiled on kernel upgrades)
if [ "$(uname -m)" = "armv7l" ]; then
echo "::: Installing WireGuard from Debian package... "
# dirmngr is used by apt-key to import the debian GPG keys for the unstable
# repo into the APT keyring.
PIVPN_DEPS=(dirmngr)
installDependentPackages PIVPN_DEPS[@]
echo "::: Adding repository keys..."
if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$DEBIAN_STRETCH_KEY" "$DEBIAN_BUSTER_KEY"; then
echo "::: Failed to import Debian GPG keys"
exit 1
fi
# This regular expression should match combinations like http[s]://mirror.example.com/debian[/] unstable main
if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
echo "::: Adding Debian repository... "
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
fi
# Do not upgrade packages from the unstable repository except for wireguard
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
echo "::: Updating package cache..."
# shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
# qrencode is used to generate qrcodes from config file, for use with mobile clients
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms qrencode)
installDependentPackages PIVPN_DEPS[@]
elif [ "$(uname -m)" = "armv6l" ]; then
echo "::: Installing WireGuard from source... "
PIVPN_DEPS=(checkinstall dkms libelf-dev raspberrypi-kernel-headers build-essential pkg-config qrencode jq)
installDependentPackages PIVPN_DEPS[@]
# Delete any leftover code
$SUDO rm -rf /usr/src/wireguard-*
WG_TOOLS_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-tools"."version"')"
WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
echo "::: Downloading wireguard-tools source code... "
wget -qO- "${WG_TOOLS_SOURCE}" | $SUDO tar xJ --directory /usr/src
echo "done!"
## || exits if cd fails.
cd /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}/src" || exit 1
# We install the userspace tools manually since DKMS only compiles and
# installs the kernel module
echo "::: Compiling WireGuard tools... "
if $SUDO make; then
echo "done!"
else
echo "failed!"
exit 1
fi
# Use checkinstall to install userspace tools so if the user wants to uninstall
# PiVPN we can just do apt remove wireguard-tools, instead of manually removing
# files from the file system
echo "::: Installing WireGuard tools... "
if $SUDO checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
INSTALLED_PACKAGES+=("wireguard-tools")
echo "done!"
else
echo "failed!"
exit 1
fi
echo "WG_TOOLS_SNAPSHOT=${WG_TOOLS_SNAPSHOT}" >> /tmp/setupVars.conf
WG_MODULE_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-linuxcompat"."version"')"
WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
echo "::: Downloading wireguard-linux-compat source code... "
wget -qO- "${WG_MODULE_SOURCE}" | $SUDO tar xJ --directory /usr/src
echo "done!"
# Rename wireguard-linux-compat folder and move the source code to the parent folder
# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
cd /usr/src && \
$SUDO mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
$SUDO mv src/* . && \
$SUDO rmdir src || exit 1
echo "::: Adding WireGuard modules via DKMS... "
if $SUDO dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
echo "done!"
else
echo "failed!"
$SUDO dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
exit 1
fi
echo "::: Compiling WireGuard modules via DKMS... "
if $SUDO dkms build wireguard/"${WG_MODULE_SNAPSHOT}"; then
echo "done!"
else
echo "failed!"
$SUDO dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
exit 1
fi
echo "::: Installing WireGuard modules via DKMS... "
if $SUDO dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
INSTALLED_PACKAGES+=("wireguard-dkms")
echo "done!"
else
echo "failed!"
$SUDO dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
exit 1
fi
echo "WG_MODULE_SNAPSHOT=${WG_MODULE_SNAPSHOT}" >> /tmp/setupVars.conf
fi
elif [ "$PLAT" = "Debian" ]; then
echo "::: Installing WireGuard from Debian package... " echo "::: Installing WireGuard from Debian package... "
if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
echo "::: Adding Debian repository... " # This regular expression should match combinations like http[s]://mirror.example.com/raspbian[/] bullseye main
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null if ! grep -qR 'deb http.\?://.*/raspbian.\? bullseye main' /etc/apt/sources.list*; then
echo "::: Adding Raspbian repository... "
echo "deb http://raspbian.raspberrypi.org/raspbian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/pivpn-bullseye.list > /dev/null
fi fi
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null # Do not upgrade packages from the bullseye repository except for wireguard
printf 'Package: *\nPin: release n=bullseye\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=bullseye\nPin-Priority: 100\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-bullseye > /dev/null
echo "::: Updating package cache..." echo "::: Updating package cache..."
# shellcheck disable=SC2086 # shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $! $SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms) # qrencode is used to generate qrcodes from config file, for use with mobile clients
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms qrencode)
installDependentPackages PIVPN_DEPS[@]
elif [ "$PLAT" = "Debian" ]; then
echo "::: Installing WireGuard from Debian package... "
if ! grep -qR 'deb http.\?://.*/debian.\? bullseye main' /etc/apt/sources.list*; then
echo "::: Adding Debian repository... "
echo "deb https://deb.debian.org/debian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/pivpn-bullseye.list > /dev/null
fi
printf 'Package: *\nPin: release n=bullseye\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=bullseye\nPin-Priority: 100\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-bullseye > /dev/null
echo "::: Updating package cache..."
# shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
PIVPN_DEPS=(linux-headers-amd64 wireguard wireguard-tools wireguard-dkms qrencode)
installDependentPackages PIVPN_DEPS[@] installDependentPackages PIVPN_DEPS[@]
elif [ "$PLAT" = "Ubuntu" ]; then elif [ "$PLAT" = "Ubuntu" ]; then
@ -1299,7 +1222,7 @@ installWireGuard(){
# shellcheck disable=SC2086 # shellcheck disable=SC2086
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $! $SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic) PIVPN_DEPS=(linux-headers-generic wireguard wireguard-tools wireguard-dkms qrencode)
installDependentPackages PIVPN_DEPS[@] installDependentPackages PIVPN_DEPS[@]
fi fi
@ -2233,10 +2156,12 @@ confUnattendedUpgrades(){
fi fi
# Enable automatic updates via the unstable repository when installing from debian package # Enable automatic updates via the bullseye repository when installing from debian package
if [ "$VPN" = "wireguard" ] && [ "$PLAT" != "Ubuntu" ] && [ "$(uname -m)" != "armv6l" ]; then if [ "$VPN" = "wireguard" ]; then
if ! grep -q '"o=Debian,a=unstable";' "${aptConfDir}/50unattended-upgrades"; then if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Raspbian" ]; then
$SUDO sed -i '/Unattended-Upgrade::Origins-Pattern {/a"o=Debian,a=unstable";' "${aptConfDir}/50unattended-upgrades" if ! grep -q "\"o=$PLAT,n=bullseye\";" "${aptConfDir}/50unattended-upgrades"; then
$SUDO sed -i "/Unattended-Upgrade::Origins-Pattern {/a\"o=$PLAT,n=bullseye\";" "${aptConfDir}/50unattended-upgrades"
fi
fi fi
fi fi
} }
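Review bot: The new `echo "pivpnDEV=${pivpnDEV}" >> /tmp/setupVars.conf` lines at the end of installPiVPN, and the `pivpnPROTO` append in the WireGuard branch, keep staging installer state in a fixed, predictable path under world-writable /tmp. On a multi-user host another local account can create that file first, so the installer's values are appended after content it did not write. If the staged file is later installed as `/etc/pivpn/setupVars.conf` (not visible in this diff), it ends up being `source`d, as the removed wgUPDATE.sh did. I would create the staging file once with `setupVarsTmp="$(mktemp)"`, give it a restrictive mode, and append to `"${setupVarsTmp}"` instead of the literal path. Separately, `X86_SYSTEM` is only assigned in distroCheck when PLAT is Debian or Ubuntu, so a default `X86_SYSTEM=0` before that `if` would keep the `-eq` tests in askWhichVPN well-defined on any other platform.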


@ -98,37 +98,18 @@ removeAll(){
case $yn in case $yn in
[Yy]* ) if [ "${i}" = "wireguard" ]; then [Yy]* ) if [ "${i}" = "wireguard" ]; then
# On Debian and armv7l Raspbian, remove the unstable repo (on armv6l Raspbian # On Debian and Raspbian, remove the bullseye repo. On Ubuntu, remove the PPA.
# there is no wireguard package). On Ubuntu, remove the PPA. if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Raspbian" ]; then
### FIXME: unconditionally rm'ing unstable.list isn't a good idea, it appears. What if someone else put it there manually? rm -f /etc/apt/sources.list.d/pivpn-bullseye.list
if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then rm -f /etc/apt/preferences.d/pivpn-limit-bullseye
rm -f /etc/apt/sources.list.d/pivpn-unstable.list
rm -f /etc/apt/preferences.d/pivpn-limit-unstable
elif [ "$PLAT" = "Ubuntu" ]; then elif [ "$PLAT" = "Ubuntu" ]; then
add-apt-repository ppa:wireguard/wireguard -r -y add-apt-repository ppa:wireguard/wireguard -r -y
fi fi
echo "::: Updating package cache..." echo "::: Updating package cache..."
${UPDATE_PKG_CACHE} &> /dev/null & spinner $! ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
elif [ "${i}" = "wireguard-dkms" ]; then
# On armv6l Raspbian we manually remove the kernel module and skip the apt
# uninstallation (since it's not an actual package).
if [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv6l" ]; then
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
rm -rf /usr/src/wireguard-"${WG_MODULE_SNAPSHOT}"
break
fi
elif [ "${i}" = "wireguard-tools" ]; then
if [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv6l" ]; then
rm -rf /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}"
fi
elif [ "${i}" = "unattended-upgrades" ]; then elif [ "${i}" = "unattended-upgrades" ]; then
### REALLY???
rm -rf /var/log/unattended-upgrades rm -rf /var/log/unattended-upgrades
rm -rf /etc/apt/apt.conf.d/*periodic rm -rf /etc/apt/apt.conf.d/*periodic
rm -rf /etc/apt/apt.conf.d/*unattended-upgrades rm -rf /etc/apt/apt.conf.d/*unattended-upgrades
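Review bot: Hosts installed before this commit still carry `/etc/apt/sources.list.d/pivpn-unstable.list` and `/etc/apt/preferences.d/pivpn-limit-unstable`, but the rewritten branch deletes only the `pivpn-bullseye` files, so uninstalling leaves the Debian unstable source configured. Keeping the old names in the cleanup covers both generations: `rm -f /etc/apt/sources.list.d/pivpn-unstable.list /etc/apt/preferences.d/pivpn-limit-unstable`. The same gap applies to armv6l installs built from source: with the `wireguard-dkms` and `wireguard-tools` branches gone, the DKMS module and the `/usr/src/wireguard-*` trees tracked through `WG_MODULE_SNAPSHOT` and `WG_TOOLS_SNAPSHOT` are presumably no longer removed unless a migration elsewhere handles them. The enclosing `case` in removeAll continues outside this hunk.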


@ -54,11 +54,6 @@ updateScripts(){
exit 0 exit 0
} }
updateWireGuard(){
$SUDO /opt/pivpn/wgUPDATE.sh
exit 0
}
backup(){ backup(){
$SUDO /opt/pivpn/backup.sh $SUDO /opt/pivpn/backup.sh
} }
@ -78,7 +73,6 @@ showHelp(){
echo "::: -h, help Show this help dialog" echo "::: -h, help Show this help dialog"
echo "::: -u, uninstall Uninstall pivpn from your system!" echo "::: -u, uninstall Uninstall pivpn from your system!"
echo "::: -up, update Updates PiVPN Scripts" echo "::: -up, update Updates PiVPN Scripts"
echo "::: -wg, wgupdate Updates WireGuard"
echo "::: -bk, backup Backup VPN configs and user profiles" echo "::: -bk, backup Backup VPN configs and user profiles"
exit 0 exit 0
} }


@ -1,132 +0,0 @@
#!/bin/bash
setupVars="/etc/pivpn/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
if [ "$(uname -m)" != "armv6l" ]; then
echo "On your system, WireGuard updates via the package manager"
exit 0
fi
CURRENT_WG_TOOLS_SNAPSHOT="${WG_TOOLS_SNAPSHOT}"
WG_TOOLS_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-tools"."version"')"
if dpkg --compare-versions "${WG_TOOLS_SNAPSHOT}" gt "${CURRENT_WG_TOOLS_SNAPSHOT}"; then
read -r -p "A new wireguard-tools update is available (${WG_TOOLS_SNAPSHOT}), install? [Y/n]: "
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
echo "::: Upgrading wireguard-tools from ${CURRENT_WG_TOOLS_SNAPSHOT} to ${WG_TOOLS_SNAPSHOT}..."
WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
echo "::: Downloading wireguard-tools source code... "
wget -qO- "${WG_TOOLS_SOURCE}" | tar xJ --directory /usr/src
echo "done!"
## || exits if cd fails.
cd /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}/src" || exit 1
# We install the userspace tools manually since DKMS only compiles and
# installs the kernel module
echo "::: Compiling WireGuard tools... "
if make; then
echo "done!"
else
echo "failed!"
exit 1
fi
# Use checkinstall to install userspace tools so if the user wants to uninstall
# PiVPN we can just do apt remove wireguard-tools, instead of manually removing
# files from the file system
echo "::: Installing WireGuard tools... "
if checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
echo "done!"
else
echo "failed!"
exit 1
fi
echo "::: Removing old source code ..."
rm -rf /usr/src/wireguard-tools-"${CURRENT_WG_TOOLS_SNAPSHOT}"
sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_TOOLS_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_TOOLS_SNAPSHOT}/" -i "${setupVars}"
echo "::: Upgrade completed!"
fi
else
echo "::: You are running the lastest version of wireguard-tools (${CURRENT_WG_TOOLS_SNAPSHOT})"
fi
CURRENT_WG_MODULE_SNAPSHOT="${WG_MODULE_SNAPSHOT}"
WG_MODULE_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-linuxcompat"."version"')"
if dpkg --compare-versions "${WG_MODULE_SNAPSHOT}" gt "${CURRENT_WG_MODULE_SNAPSHOT}"; then
read -r -p "A new wireguard-dkms update is available (${WG_MODULE_SNAPSHOT}), install? [Y/n]: "
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
echo "::: Upgrading wireguard-dkms from ${CURRENT_WG_MODULE_SNAPSHOT} to ${WG_MODULE_SNAPSHOT}..."
WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
echo "::: Downloading wireguard-linux-compat source code... "
wget -qO- "${WG_MODULE_SOURCE}" | tar xJ --directory /usr/src
echo "done!"
# Rename wireguard-linux-compat folder and move the source code to the parent folder
# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
cd /usr/src && \
mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
mv src/* . && \
rmdir src || exit 1
echo "::: Adding WireGuard module via DKMS... "
if dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
echo "done!"
else
echo "failed!"
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
exit 1
fi
echo "::: Compiling WireGuard module via DKMS... "
if dkms build wireguard/"${WG_MODULE_SNAPSHOT}"; then
echo "done!"
else
echo "failed!"
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
exit 1
fi
echo "::: Installing WireGuard module via DKMS... "
if dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
echo "done!"
else
echo "failed!"
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
exit 1
fi
echo "::: Removing old kernel module and source code..."
if dkms remove wireguard/"${CURRENT_WG_MODULE_SNAPSHOT}" --all; then
rm -rf /usr/src/wireguard-"${CURRENT_WG_MODULE_SNAPSHOT}"
echo "done!"
else
echo "failed!"
exit 1
fi
sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_MODULE_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_MODULE_SNAPSHOT}/" -i "${setupVars}"
echo "::: Upgrade completed!"
fi
else
echo "::: You are running the lastest version of wireguard-dkms (${CURRENT_WG_MODULE_SNAPSHOT})"
fi