Some changes from pull request 963
- Make sure to install WireGuard only if platform is Raspbian or an x86 Debian/Ubuntu
- Install WireGuard from bullseye repository instead of unstable
- Reduced WireGuard package priority to the minimum that allows upgrades
parent
f749d6b722
commit
0a30365d65
4 changed files with 144 additions and 376 deletions
|
@ -14,10 +14,18 @@
|
||||||
pivpnGitUrl="https://github.com/pivpn/pivpn.git"
|
pivpnGitUrl="https://github.com/pivpn/pivpn.git"
|
||||||
setupVars="/etc/pivpn/setupVars.conf"
|
setupVars="/etc/pivpn/setupVars.conf"
|
||||||
pivpnFilesDir="/etc/.pivpn"
|
pivpnFilesDir="/etc/.pivpn"
|
||||||
|
|
||||||
piholeSetupVars="/etc/pihole/setupVars.conf"
|
piholeSetupVars="/etc/pihole/setupVars.conf"
|
||||||
dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf"
|
dnsmasqConfig="/etc/dnsmasq.d/02-pivpn.conf"
|
||||||
|
|
||||||
### PKG Vars ###
|
dhcpcdFile="/etc/dhcpcd.conf"
|
||||||
|
subnetClass="24"
|
||||||
|
debianOvpnUserGroup="openvpn:openvpn"
|
||||||
|
|
||||||
|
# OpenVPN GPG fingerprint (you can look it up at https://keyserver.ubuntu.com)
|
||||||
|
OPENVPN_KEY_ID="0x30ebf4e73cce63eee124dd278e6da8b4e158c569"
|
||||||
|
|
||||||
|
######## PKG Vars ########
|
||||||
PKG_MANAGER="apt-get"
|
PKG_MANAGER="apt-get"
|
||||||
PKG_CACHE="/var/lib/apt/lists/"
|
PKG_CACHE="/var/lib/apt/lists/"
|
||||||
### FIXME: quoting UPDATE_PKG_CACHE and PKG_INSTALL hangs the script, shellcheck SC2086
|
### FIXME: quoting UPDATE_PKG_CACHE and PKG_INSTALL hangs the script, shellcheck SC2086
|
||||||
|
@ -33,32 +41,26 @@ BASE_DEPS=(git tar wget curl grep dnsutils whiptail net-tools bsdmainutils)
|
||||||
# PiVPN we won't prompt to remove packages that may have been installed by the user for other reasons
|
# PiVPN we won't prompt to remove packages that may have been installed by the user for other reasons
|
||||||
INSTALLED_PACKAGES=()
|
INSTALLED_PACKAGES=()
|
||||||
|
|
||||||
|
######## URLs ########
|
||||||
easyrsaVer="3.0.6"
|
easyrsaVer="3.0.6"
|
||||||
easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
|
easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
|
||||||
|
|
||||||
subnetClass="24"
|
|
||||||
dhcpcdFile="/etc/dhcpcd.conf"
|
|
||||||
debianOvpnUserGroup="openvpn:openvpn"
|
|
||||||
|
|
||||||
# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config
|
# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config
|
||||||
UNATTUPG_RELEASE="1.16"
|
UNATTUPG_RELEASE="1.16"
|
||||||
UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz"
|
UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz"
|
||||||
|
|
||||||
# GPG fingerprints (you can look them up at https://keyserver.ubuntu.com)
|
######## Undocumented Flags. Shhh ########
|
||||||
OPENVPN_REPO_KEY="0x30ebf4e73cce63eee124dd278e6da8b4e158c569"
|
runUnattended=false
|
||||||
DEBIAN_STRETCH_KEY="0xe1cf20ddffe4b89e802658f1e0b11894f66aec98"
|
skipSpaceCheck=false
|
||||||
DEBIAN_BUSTER_KEY="0x80d15823b7fd1561f9f7bcdddc30d7c23cbbabee"
|
reconfigure=false
|
||||||
|
|
||||||
|
######## SCRIPT ########
|
||||||
|
|
||||||
# Find the rows and columns. Will default to 80x24 if it can not be detected.
|
# Find the rows and columns. Will default to 80x24 if it can not be detected.
|
||||||
screen_size=$(stty size 2>/dev/null || echo 24 80)
|
screen_size=$(stty size 2>/dev/null || echo 24 80)
|
||||||
rows=$(echo "$screen_size" | awk '{print $1}')
|
rows=$(echo "$screen_size" | awk '{print $1}')
|
||||||
columns=$(echo "$screen_size" | awk '{print $2}')
|
columns=$(echo "$screen_size" | awk '{print $2}')
|
||||||
|
|
||||||
######## Undocumented Flags. Shhh ########
|
|
||||||
runUnattended=false
|
|
||||||
skipSpaceCheck=false
|
|
||||||
reconfigure=false
|
|
||||||
|
|
||||||
# Divide by two so the dialogs take up half of the screen, which looks nice.
|
# Divide by two so the dialogs take up half of the screen, which looks nice.
|
||||||
r=$(( rows / 2 ))
|
r=$(( rows / 2 ))
|
||||||
c=$(( columns / 2 ))
|
c=$(( columns / 2 ))
|
||||||
|
@ -66,8 +68,6 @@ c=$(( columns / 2 ))
|
||||||
r=$(( r < 20 ? 20 : r ))
|
r=$(( r < 20 ? 20 : r ))
|
||||||
c=$(( c < 70 ? 70 : c ))
|
c=$(( c < 70 ? 70 : c ))
|
||||||
|
|
||||||
######## SCRIPT ############
|
|
||||||
|
|
||||||
main(){
|
main(){
|
||||||
|
|
||||||
######## FIRST CHECK ########
|
######## FIRST CHECK ########
|
||||||
|
@ -252,6 +252,15 @@ distroCheck(){
|
||||||
OSCN=${VER_MAP["${VER}"]}
|
OSCN=${VER_MAP["${VER}"]}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
|
||||||
|
DPKG_ARCH="$(dpkg --print-architecture)"
|
||||||
|
if [ "$DPKG_ARCH" = "amd64" ] || [ "$DPKG_ARCH" = "i386" ]; then
|
||||||
|
X86_SYSTEM=1
|
||||||
|
else
|
||||||
|
X86_SYSTEM=0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
case ${PLAT} in
|
case ${PLAT} in
|
||||||
Debian|Raspbian|Ubuntu)
|
Debian|Raspbian|Ubuntu)
|
||||||
case ${OSCN} in
|
case ${OSCN} in
|
||||||
|
@ -986,6 +995,11 @@ installPiVPN(){
|
||||||
askWhichVPN
|
askWhichVPN
|
||||||
|
|
||||||
if [ "$VPN" = "openvpn" ]; then
|
if [ "$VPN" = "openvpn" ]; then
|
||||||
|
|
||||||
|
pivpnDEV="tun0"
|
||||||
|
pivpnNET="10.8.0.0"
|
||||||
|
vpnGw="${pivpnNET/.0.0/.0.1}"
|
||||||
|
|
||||||
installOpenVPN
|
installOpenVPN
|
||||||
askCustomProto
|
askCustomProto
|
||||||
askCustomPort
|
askCustomPort
|
||||||
|
@ -997,64 +1011,83 @@ installPiVPN(){
|
||||||
confOVPN
|
confOVPN
|
||||||
confNetwork
|
confNetwork
|
||||||
confLogging
|
confLogging
|
||||||
|
|
||||||
elif [ "$VPN" = "wireguard" ]; then
|
elif [ "$VPN" = "wireguard" ]; then
|
||||||
|
|
||||||
|
# Since WireGuard only uses UDP, askCustomProto() is never called so we
|
||||||
|
# set the protocol here.
|
||||||
|
pivpnPROTO="udp"
|
||||||
|
pivpnDEV="wg0"
|
||||||
|
pivpnNET="10.6.0.0"
|
||||||
|
vpnGw="${pivpnNET/.0.0/.0.1}"
|
||||||
|
|
||||||
installWireGuard
|
installWireGuard
|
||||||
askCustomPort
|
askCustomPort
|
||||||
askClientDNS
|
askClientDNS
|
||||||
askPublicIPOrDNS
|
askPublicIPOrDNS
|
||||||
confWireGuard
|
confWireGuard
|
||||||
confNetwork
|
confNetwork
|
||||||
|
|
||||||
|
echo "pivpnPROTO=${pivpnPROTO}" >> /tmp/setupVars.conf
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
echo "pivpnDEV=${pivpnDEV}" >> /tmp/setupVars.conf
|
||||||
|
echo "pivpnNET=${pivpnNET}" >> /tmp/setupVars.conf
|
||||||
|
echo "subnetClass=${subnetClass}" >> /tmp/setupVars.conf
|
||||||
}
|
}
|
||||||
|
|
||||||
askWhichVPN(){
|
askWhichVPN(){
|
||||||
if [ "${runUnattended}" = 'true' ]; then
|
if [ "${runUnattended}" = 'true' ]; then
|
||||||
if [ -z "$VPN" ]; then
|
if [ "$PLAT" = "Raspbian" ] || [ "$X86_SYSTEM" -eq 1 ]; then
|
||||||
echo ":: No VPN protocol specified, using WireGuard"
|
if [ -z "$VPN" ]; then
|
||||||
VPN="wireguard"
|
echo ":: No VPN protocol specified, using WireGuard"
|
||||||
else
|
VPN="wireguard"
|
||||||
VPN="${VPN,,}"
|
|
||||||
if [ "$VPN" = "wireguard" ]; then
|
|
||||||
echo "::: WireGuard will be installed"
|
|
||||||
elif [ "$VPN" = "openvpn" ]; then
|
|
||||||
echo "::: OpenVPN will be installed"
|
|
||||||
else
|
else
|
||||||
echo ":: $VPN is not a supported VPN protocol, please specify 'wireguard' or 'openvpn'"
|
VPN="${VPN,,}"
|
||||||
exit 1
|
if [ "$VPN" = "wireguard" ]; then
|
||||||
|
echo "::: WireGuard will be installed"
|
||||||
|
elif [ "$VPN" = "openvpn" ]; then
|
||||||
|
echo "::: OpenVPN will be installed"
|
||||||
|
else
|
||||||
|
echo ":: $VPN is not a supported VPN protocol, please specify 'wireguard' or 'openvpn'"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
elif [ "$X86_SYSTEM" -eq 0 ]; then
|
||||||
|
if [ -z "$VPN" ]; then
|
||||||
|
echo ":: No VPN protocol specified, using OpenVPN"
|
||||||
|
VPN="openvpn"
|
||||||
|
else
|
||||||
|
VPN="${VPN,,}"
|
||||||
|
if [ "$VPN" = "openvpn" ]; then
|
||||||
|
echo "::: OpenVPN will be installed"
|
||||||
|
else
|
||||||
|
echo ":: $VPN is not a supported VPN protocol on $DPKG_ARCH $PLAT, only 'openvpn' is"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\\n\\nIt's the recommended choice expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\\n\\nChoose a VPN (press space to select):" "${r}" "${c}" 2)
|
if [ "$PLAT" = "Raspbian" ] || [ "$X86_SYSTEM" -eq 1 ]; then
|
||||||
VPNChooseOptions=(WireGuard "" on
|
chooseVPNCmd=(whiptail --backtitle "Setup PiVPN" --title "Installation mode" --separate-output --radiolist "WireGuard is a new kind of VPN that provides near-istantaneous connection speed, high performance, modern cryptography.\\n\\nIt's the recommended choice expecially if you use mobile devices where WireGuard is easier on battery than OpenVPN.\\n\\nOpenVPN is still available if you need the traditional, flexible, trusted VPN protocol. Or if you need features like TCP and custom search domain.\\n\\nChoose a VPN (press space to select):" "${r}" "${c}" 2)
|
||||||
OpenVPN "" off)
|
VPNChooseOptions=(WireGuard "" on
|
||||||
|
OpenVPN "" off)
|
||||||
|
|
||||||
if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then
|
if VPN=$("${chooseVPNCmd[@]}" "${VPNChooseOptions[@]}" 2>&1 >/dev/tty) ; then
|
||||||
echo "::: Using VPN: $VPN"
|
echo "::: Using VPN: $VPN"
|
||||||
VPN="${VPN,,}"
|
VPN="${VPN,,}"
|
||||||
else
|
else
|
||||||
echo "::: Cancel selected, exiting...."
|
echo "::: Cancel selected, exiting...."
|
||||||
exit 1
|
exit 1
|
||||||
|
fi
|
||||||
|
elif [ "$X86_SYSTEM" -eq 0 ]; then
|
||||||
|
echo "::: Using VPN: OpenVPN"
|
||||||
|
VPN="openvpn"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$VPN" = "wireguard" ]; then
|
|
||||||
# Since WireGuard only uses UDP, askCustomProto() is never called so we
|
|
||||||
# set the protocol here (it's not actually required to save the value, but
|
|
||||||
# it might be useful for the user when port forwarding).
|
|
||||||
pivpnPROTO="udp"
|
|
||||||
echo "pivpnPROTO=${pivpnPROTO}" >> /tmp/setupVars.conf
|
|
||||||
pivpnDEV="wg0"
|
|
||||||
pivpnNET="10.6.0.0"
|
|
||||||
elif [ "$VPN" = "openvpn" ]; then
|
|
||||||
pivpnDEV="tun0"
|
|
||||||
pivpnNET="10.8.0.0"
|
|
||||||
fi
|
|
||||||
vpnGw="${pivpnNET/.0.0/.0.1}"
|
|
||||||
|
|
||||||
echo "VPN=${VPN}" >> /tmp/setupVars.conf
|
echo "VPN=${VPN}" >> /tmp/setupVars.conf
|
||||||
echo "pivpnDEV=${pivpnDEV}" >> /tmp/setupVars.conf
|
|
||||||
echo "pivpnNET=${pivpnNET}" >> /tmp/setupVars.conf
|
|
||||||
echo "subnetClass=${subnetClass}" >> /tmp/setupVars.conf
|
|
||||||
}
|
}
|
||||||
|
|
||||||
installOpenVPN(){
|
installOpenVPN(){
|
||||||
|
@ -1063,32 +1096,29 @@ installOpenVPN(){
|
||||||
echo "::: Installing OpenVPN from Debian package... "
|
echo "::: Installing OpenVPN from Debian package... "
|
||||||
|
|
||||||
# Use x86-only OpenVPN APT repo on x86 Debian/Ubuntu systems
|
# Use x86-only OpenVPN APT repo on x86 Debian/Ubuntu systems
|
||||||
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Ubuntu" ]; then
|
if [ "$PLAT" != "Raspbian" ] && [ "$X86_SYSTEM" -eq 1 ]; then
|
||||||
local DPKG_ARCH="$(dpkg --print-architecture)"
|
# gnupg is used by apt-key to import the openvpn GPG key into the
|
||||||
if [ "$DPKG_ARCH" = "amd64" ] || [ "$DPKG_ARCH" = "i386" ]; then
|
# APT keyring
|
||||||
# gnupg is used by apt-key to import the openvpn GPG key into the
|
PIVPN_DEPS=(gnupg)
|
||||||
# APT keyring
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
PIVPN_DEPS=(gnupg)
|
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
|
||||||
|
|
||||||
# We will download the repository key regardless of whether the user
|
# We will download the repository key regardless of whether the user
|
||||||
# has already enabled the openvpn repository or not, just to make sure
|
# has already enabled the openvpn repository or not, just to make sure
|
||||||
# we have the right key
|
# we have the right key
|
||||||
echo "::: Adding repository key..."
|
echo "::: Adding repository key..."
|
||||||
if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$OPENVPN_REPO_KEY"; then
|
if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$OPENVPN_KEY_ID"; then
|
||||||
echo "::: Failed to import OpenVPN GPG key"
|
echo "::: Failed to import OpenVPN GPG key"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
|
||||||
|
|
||||||
if ! grep -qR "deb http.\?://build.openvpn.net/debian/openvpn/stable.\? $OSCN main" /etc/apt/sources.list*; then
|
|
||||||
echo "::: Adding OpenVPN repository... "
|
|
||||||
echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "::: Updating package cache..."
|
|
||||||
# shellcheck disable=SC2086
|
|
||||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if ! grep -qR "deb http.\?://build.openvpn.net/debian/openvpn/stable.\? $OSCN main" /etc/apt/sources.list*; then
|
||||||
|
echo "::: Adding OpenVPN repository... "
|
||||||
|
echo "deb https://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/pivpn-openvpn-repo.list > /dev/null
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "::: Updating package cache..."
|
||||||
|
# shellcheck disable=SC2086
|
||||||
|
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# grepcidr is used to redact IPs in the debug log whereas expect is used
|
# grepcidr is used to redact IPs in the debug log whereas expect is used
|
||||||
|
@ -1145,147 +1175,40 @@ installWireGuard(){
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If this Raspberry Pi uses armv7l we can use the package from the repo
|
|
||||||
# https://lists.zx2c4.com/pipermail/wireguard/2017-November/001885.html
|
|
||||||
# Otherwhise compile and build the kernel module via DKMS (so it will
|
|
||||||
# be recompiled on kernel upgrades)
|
|
||||||
|
|
||||||
if [ "$(uname -m)" = "armv7l" ]; then
|
|
||||||
|
|
||||||
echo "::: Installing WireGuard from Debian package... "
|
|
||||||
# dirmngr is used by apt-key to import the debian GPG keys for the unstable
|
|
||||||
# repo into the APT keyring.
|
|
||||||
PIVPN_DEPS=(dirmngr)
|
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
|
||||||
|
|
||||||
echo "::: Adding repository keys..."
|
|
||||||
if ! $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys "$DEBIAN_STRETCH_KEY" "$DEBIAN_BUSTER_KEY"; then
|
|
||||||
echo "::: Failed to import Debian GPG keys"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# This regular expression should match combinations like http[s]://mirror.example.com/debian[/] unstable main
|
|
||||||
if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
|
|
||||||
echo "::: Adding Debian repository... "
|
|
||||||
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Do not upgrade packages from the unstable repository except for wireguard
|
|
||||||
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
|
|
||||||
|
|
||||||
echo "::: Updating package cache..."
|
|
||||||
# shellcheck disable=SC2086
|
|
||||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
|
||||||
|
|
||||||
# qrencode is used to generate qrcodes from config file, for use with mobile clients
|
|
||||||
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms qrencode)
|
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
|
||||||
|
|
||||||
elif [ "$(uname -m)" = "armv6l" ]; then
|
|
||||||
|
|
||||||
echo "::: Installing WireGuard from source... "
|
|
||||||
PIVPN_DEPS=(checkinstall dkms libelf-dev raspberrypi-kernel-headers build-essential pkg-config qrencode jq)
|
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
|
||||||
|
|
||||||
# Delete any leftover code
|
|
||||||
$SUDO rm -rf /usr/src/wireguard-*
|
|
||||||
|
|
||||||
WG_TOOLS_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-tools"."version"')"
|
|
||||||
WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
|
|
||||||
|
|
||||||
echo "::: Downloading wireguard-tools source code... "
|
|
||||||
wget -qO- "${WG_TOOLS_SOURCE}" | $SUDO tar xJ --directory /usr/src
|
|
||||||
echo "done!"
|
|
||||||
|
|
||||||
## || exits if cd fails.
|
|
||||||
cd /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}/src" || exit 1
|
|
||||||
|
|
||||||
# We install the userspace tools manually since DKMS only compiles and
|
|
||||||
# installs the kernel module
|
|
||||||
echo "::: Compiling WireGuard tools... "
|
|
||||||
if $SUDO make; then
|
|
||||||
echo "done!"
|
|
||||||
else
|
|
||||||
echo "failed!"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Use checkinstall to install userspace tools so if the user wants to uninstall
|
|
||||||
# PiVPN we can just do apt remove wireguard-tools, instead of manually removing
|
|
||||||
# files from the file system
|
|
||||||
echo "::: Installing WireGuard tools... "
|
|
||||||
if $SUDO checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
|
|
||||||
INSTALLED_PACKAGES+=("wireguard-tools")
|
|
||||||
echo "done!"
|
|
||||||
else
|
|
||||||
echo "failed!"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "WG_TOOLS_SNAPSHOT=${WG_TOOLS_SNAPSHOT}" >> /tmp/setupVars.conf
|
|
||||||
|
|
||||||
WG_MODULE_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-linuxcompat"."version"')"
|
|
||||||
WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
|
|
||||||
|
|
||||||
echo "::: Downloading wireguard-linux-compat source code... "
|
|
||||||
wget -qO- "${WG_MODULE_SOURCE}" | $SUDO tar xJ --directory /usr/src
|
|
||||||
echo "done!"
|
|
||||||
|
|
||||||
# Rename wireguard-linux-compat folder and move the source code to the parent folder
|
|
||||||
# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
|
|
||||||
cd /usr/src && \
|
|
||||||
$SUDO mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
|
|
||||||
cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
|
|
||||||
$SUDO mv src/* . && \
|
|
||||||
$SUDO rmdir src || exit 1
|
|
||||||
|
|
||||||
echo "::: Adding WireGuard modules via DKMS... "
|
|
||||||
if $SUDO dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
|
||||||
echo "done!"
|
|
||||||
else
|
|
||||||
echo "failed!"
|
|
||||||
$SUDO dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "::: Compiling WireGuard modules via DKMS... "
|
|
||||||
if $SUDO dkms build wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
|
||||||
echo "done!"
|
|
||||||
else
|
|
||||||
echo "failed!"
|
|
||||||
$SUDO dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "::: Installing WireGuard modules via DKMS... "
|
|
||||||
if $SUDO dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
|
||||||
INSTALLED_PACKAGES+=("wireguard-dkms")
|
|
||||||
echo "done!"
|
|
||||||
else
|
|
||||||
echo "failed!"
|
|
||||||
$SUDO dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "WG_MODULE_SNAPSHOT=${WG_MODULE_SNAPSHOT}" >> /tmp/setupVars.conf
|
|
||||||
|
|
||||||
fi
|
|
||||||
|
|
||||||
elif [ "$PLAT" = "Debian" ]; then
|
|
||||||
|
|
||||||
echo "::: Installing WireGuard from Debian package... "
|
echo "::: Installing WireGuard from Debian package... "
|
||||||
if ! grep -qR 'deb http.\?://.*/debian.\? unstable main' /etc/apt/sources.list*; then
|
|
||||||
echo "::: Adding Debian repository... "
|
# This regular expression should match combinations like http[s]://mirror.example.com/raspbian[/] bullseye main
|
||||||
echo "deb https://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/pivpn-unstable.list > /dev/null
|
if ! grep -qR 'deb http.\?://.*/raspbian.\? bullseye main' /etc/apt/sources.list*; then
|
||||||
|
echo "::: Adding Raspbian repository... "
|
||||||
|
echo "deb http://raspbian.raspberrypi.org/raspbian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/pivpn-bullseye.list > /dev/null
|
||||||
fi
|
fi
|
||||||
|
|
||||||
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-unstable > /dev/null
|
# Do not upgrade packages from the bullseye repository except for wireguard
|
||||||
|
printf 'Package: *\nPin: release n=bullseye\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=bullseye\nPin-Priority: 100\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-bullseye > /dev/null
|
||||||
|
|
||||||
echo "::: Updating package cache..."
|
echo "::: Updating package cache..."
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
|
|
||||||
PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms)
|
# qrencode is used to generate qrcodes from config file, for use with mobile clients
|
||||||
|
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms qrencode)
|
||||||
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
|
|
||||||
|
elif [ "$PLAT" = "Debian" ]; then
|
||||||
|
|
||||||
|
echo "::: Installing WireGuard from Debian package... "
|
||||||
|
if ! grep -qR 'deb http.\?://.*/debian.\? bullseye main' /etc/apt/sources.list*; then
|
||||||
|
echo "::: Adding Debian repository... "
|
||||||
|
echo "deb https://deb.debian.org/debian/ bullseye main" | $SUDO tee /etc/apt/sources.list.d/pivpn-bullseye.list > /dev/null
|
||||||
|
fi
|
||||||
|
|
||||||
|
printf 'Package: *\nPin: release n=bullseye\nPin-Priority: -1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release n=bullseye\nPin-Priority: 100\n' | $SUDO tee /etc/apt/preferences.d/pivpn-limit-bullseye > /dev/null
|
||||||
|
|
||||||
|
echo "::: Updating package cache..."
|
||||||
|
# shellcheck disable=SC2086
|
||||||
|
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
|
|
||||||
|
PIVPN_DEPS=(linux-headers-amd64 wireguard wireguard-tools wireguard-dkms qrencode)
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
|
|
||||||
elif [ "$PLAT" = "Ubuntu" ]; then
|
elif [ "$PLAT" = "Ubuntu" ]; then
|
||||||
|
@ -1299,7 +1222,7 @@ installWireGuard(){
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
|
|
||||||
PIVPN_DEPS=(qrencode wireguard wireguard-tools wireguard-dkms linux-headers-generic)
|
PIVPN_DEPS=(linux-headers-generic wireguard wireguard-tools wireguard-dkms qrencode)
|
||||||
installDependentPackages PIVPN_DEPS[@]
|
installDependentPackages PIVPN_DEPS[@]
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
@ -2233,10 +2156,12 @@ confUnattendedUpgrades(){
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Enable automatic updates via the unstable repository when installing from debian package
|
# Enable automatic updates via the bullseye repository when installing from debian package
|
||||||
if [ "$VPN" = "wireguard" ] && [ "$PLAT" != "Ubuntu" ] && [ "$(uname -m)" != "armv6l" ]; then
|
if [ "$VPN" = "wireguard" ]; then
|
||||||
if ! grep -q '"o=Debian,a=unstable";' "${aptConfDir}/50unattended-upgrades"; then
|
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Raspbian" ]; then
|
||||||
$SUDO sed -i '/Unattended-Upgrade::Origins-Pattern {/a"o=Debian,a=unstable";' "${aptConfDir}/50unattended-upgrades"
|
if ! grep -q "\"o=$PLAT,n=bullseye\";" "${aptConfDir}/50unattended-upgrades"; then
|
||||||
|
$SUDO sed -i "/Unattended-Upgrade::Origins-Pattern {/a\"o=$PLAT,n=bullseye\";" "${aptConfDir}/50unattended-upgrades"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
|
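Review bot: In the installWireGuard hunk, both new `printf 'Package: *\nPin: release n=bullseye\nPin-Priority: -1 ...'` lines sit outside the `if ! grep -qR ... bullseye main` guard, so the pin file is written even when the host already lists a bullseye source. On a host that itself tracks bullseye, a negative priority for `Package: *` would stop apt, and the unattended-upgrades pattern added in confUnattendedUpgrades, from installing or upgrading anything from the main archive except the three wireguard packages. Whether the installer can reach this branch on such a host is not visible here, since installWireGuard and distroCheck both continue outside their hunks. If it can, wrap the repository and pin setup in `if [ "$OSCN" != "bullseye" ]; then` and install wireguard straight from the host's own release otherwise.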
@ -98,37 +98,18 @@ removeAll(){
|
||||||
case $yn in
|
case $yn in
|
||||||
[Yy]* ) if [ "${i}" = "wireguard" ]; then
|
[Yy]* ) if [ "${i}" = "wireguard" ]; then
|
||||||
|
|
||||||
# On Debian and armv7l Raspbian, remove the unstable repo (on armv6l Raspbian
|
# On Debian and Raspbian, remove the bullseye repo. On Ubuntu, remove the PPA.
|
||||||
# there is no wireguard package). On Ubuntu, remove the PPA.
|
if [ "$PLAT" = "Debian" ] || [ "$PLAT" = "Raspbian" ]; then
|
||||||
### FIXME: unconditionally rm'ing unstable.list isn't a good idea, it appears. What if someone else put it there manually?
|
rm -f /etc/apt/sources.list.d/pivpn-bullseye.list
|
||||||
if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then
|
rm -f /etc/apt/preferences.d/pivpn-limit-bullseye
|
||||||
rm -f /etc/apt/sources.list.d/pivpn-unstable.list
|
|
||||||
rm -f /etc/apt/preferences.d/pivpn-limit-unstable
|
|
||||||
elif [ "$PLAT" = "Ubuntu" ]; then
|
elif [ "$PLAT" = "Ubuntu" ]; then
|
||||||
add-apt-repository ppa:wireguard/wireguard -r -y
|
add-apt-repository ppa:wireguard/wireguard -r -y
|
||||||
fi
|
fi
|
||||||
echo "::: Updating package cache..."
|
echo "::: Updating package cache..."
|
||||||
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
${UPDATE_PKG_CACHE} &> /dev/null & spinner $!
|
||||||
|
|
||||||
elif [ "${i}" = "wireguard-dkms" ]; then
|
|
||||||
|
|
||||||
# On armv6l Raspbian we manually remove the kernel module and skip the apt
|
|
||||||
# uninstallation (since it's not an actual package).
|
|
||||||
if [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv6l" ]; then
|
|
||||||
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
|
|
||||||
rm -rf /usr/src/wireguard-"${WG_MODULE_SNAPSHOT}"
|
|
||||||
break
|
|
||||||
fi
|
|
||||||
|
|
||||||
elif [ "${i}" = "wireguard-tools" ]; then
|
|
||||||
|
|
||||||
if [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv6l" ]; then
|
|
||||||
rm -rf /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
elif [ "${i}" = "unattended-upgrades" ]; then
|
elif [ "${i}" = "unattended-upgrades" ]; then
|
||||||
|
|
||||||
### REALLY???
|
|
||||||
rm -rf /var/log/unattended-upgrades
|
rm -rf /var/log/unattended-upgrades
|
||||||
rm -rf /etc/apt/apt.conf.d/*periodic
|
rm -rf /etc/apt/apt.conf.d/*periodic
|
||||||
rm -rf /etc/apt/apt.conf.d/*unattended-upgrades
|
rm -rf /etc/apt/apt.conf.d/*unattended-upgrades
|
||||||
|
|
|
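Review bot: Hosts installed by an earlier version keep `/etc/apt/sources.list.d/pivpn-unstable.list` and `/etc/apt/preferences.d/pivpn-limit-unstable` after an uninstall, because the wireguard arm of removeAll now deletes only the bullseye files. That leaves the Debian unstable repository configured on the system with nothing left to manage it. I would keep the old cleanup next to the new lines, `rm -f /etc/apt/sources.list.d/pivpn-unstable.list /etc/apt/preferences.d/pivpn-limit-unstable`. The removed `wireguard-dkms` and `wireguard-tools` arms were also the only cleanup shown for armv6l hosts built from source, so the DKMS module and the `/usr/src/wireguard-*` trees would stay behind there too. removeAll starts and ends outside this hunk, so a migration step elsewhere may already cover this.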
@ -54,11 +54,6 @@ updateScripts(){
|
||||||
exit 0
|
exit 0
|
||||||
}
|
}
|
||||||
|
|
||||||
updateWireGuard(){
|
|
||||||
$SUDO /opt/pivpn/wgUPDATE.sh
|
|
||||||
exit 0
|
|
||||||
}
|
|
||||||
|
|
||||||
backup(){
|
backup(){
|
||||||
$SUDO /opt/pivpn/backup.sh
|
$SUDO /opt/pivpn/backup.sh
|
||||||
}
|
}
|
||||||
|
@ -78,7 +73,6 @@ showHelp(){
|
||||||
echo "::: -h, help Show this help dialog"
|
echo "::: -h, help Show this help dialog"
|
||||||
echo "::: -u, uninstall Uninstall pivpn from your system!"
|
echo "::: -u, uninstall Uninstall pivpn from your system!"
|
||||||
echo "::: -up, update Updates PiVPN Scripts"
|
echo "::: -up, update Updates PiVPN Scripts"
|
||||||
echo "::: -wg, wgupdate Updates WireGuard"
|
|
||||||
echo "::: -bk, backup Backup VPN configs and user profiles"
|
echo "::: -bk, backup Backup VPN configs and user profiles"
|
||||||
exit 0
|
exit 0
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,132 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
setupVars="/etc/pivpn/setupVars.conf"
|
|
||||||
|
|
||||||
if [ ! -f "${setupVars}" ]; then
|
|
||||||
echo "::: Missing setup vars file!"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
source "${setupVars}"
|
|
||||||
|
|
||||||
if [ "$(uname -m)" != "armv6l" ]; then
|
|
||||||
echo "On your system, WireGuard updates via the package manager"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
CURRENT_WG_TOOLS_SNAPSHOT="${WG_TOOLS_SNAPSHOT}"
|
|
||||||
WG_TOOLS_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-tools"."version"')"
|
|
||||||
|
|
||||||
if dpkg --compare-versions "${WG_TOOLS_SNAPSHOT}" gt "${CURRENT_WG_TOOLS_SNAPSHOT}"; then
|
|
||||||
|
|
||||||
read -r -p "A new wireguard-tools update is available (${WG_TOOLS_SNAPSHOT}), install? [Y/n]: "
|
|
||||||
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
|
|
||||||
echo "::: Upgrading wireguard-tools from ${CURRENT_WG_TOOLS_SNAPSHOT} to ${WG_TOOLS_SNAPSHOT}..."
|
|
||||||
|
|
||||||
WG_TOOLS_SOURCE="https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${WG_TOOLS_SNAPSHOT}.tar.xz"
|
|
||||||
echo "::: Downloading wireguard-tools source code... "
|
|
||||||
wget -qO- "${WG_TOOLS_SOURCE}" | tar xJ --directory /usr/src
|
|
||||||
echo "done!"
|
|
||||||
|
|
||||||
## || exits if cd fails.
|
|
||||||
cd /usr/src/wireguard-tools-"${WG_TOOLS_SNAPSHOT}/src" || exit 1
|
|
||||||
|
|
||||||
# We install the userspace tools manually since DKMS only compiles and
|
|
||||||
# installs the kernel module
|
|
||||||
echo "::: Compiling WireGuard tools... "
|
|
||||||
if make; then
|
|
||||||
echo "done!"
|
|
||||||
else
|
|
||||||
echo "failed!"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Use checkinstall to install userspace tools so if the user wants to uninstall
|
|
||||||
# PiVPN we can just do apt remove wireguard-tools, instead of manually removing
|
|
||||||
# files from the file system
|
|
||||||
echo "::: Installing WireGuard tools... "
|
|
||||||
if checkinstall --pkgname wireguard-tools --pkgversion "${WG_TOOLS_SNAPSHOT}" -y; then
|
|
||||||
echo "done!"
|
|
||||||
else
|
|
||||||
echo "failed!"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "::: Removing old source code ..."
|
|
||||||
rm -rf /usr/src/wireguard-tools-"${CURRENT_WG_TOOLS_SNAPSHOT}"
|
|
||||||
|
|
||||||
sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_TOOLS_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_TOOLS_SNAPSHOT}/" -i "${setupVars}"
|
|
||||||
|
|
||||||
echo "::: Upgrade completed!"
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "::: You are running the lastest version of wireguard-tools (${CURRENT_WG_TOOLS_SNAPSHOT})"
|
|
||||||
fi
|
|
||||||
|
|
||||||
CURRENT_WG_MODULE_SNAPSHOT="${WG_MODULE_SNAPSHOT}"
|
|
||||||
WG_MODULE_SNAPSHOT="$(curl -s https://build.wireguard.com/distros.json | jq -r '."upstream-linuxcompat"."version"')"
|
|
||||||
|
|
||||||
if dpkg --compare-versions "${WG_MODULE_SNAPSHOT}" gt "${CURRENT_WG_MODULE_SNAPSHOT}"; then
|
|
||||||
|
|
||||||
read -r -p "A new wireguard-dkms update is available (${WG_MODULE_SNAPSHOT}), install? [Y/n]: "
|
|
||||||
|
|
||||||
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
|
|
||||||
echo "::: Upgrading wireguard-dkms from ${CURRENT_WG_MODULE_SNAPSHOT} to ${WG_MODULE_SNAPSHOT}..."
|
|
||||||
|
|
||||||
WG_MODULE_SOURCE="https://git.zx2c4.com/wireguard-linux-compat/snapshot/wireguard-linux-compat-${WG_MODULE_SNAPSHOT}.tar.xz"
|
|
||||||
echo "::: Downloading wireguard-linux-compat source code... "
|
|
||||||
wget -qO- "${WG_MODULE_SOURCE}" | tar xJ --directory /usr/src
|
|
||||||
echo "done!"
|
|
||||||
|
|
||||||
# Rename wireguard-linux-compat folder and move the source code to the parent folder
|
|
||||||
# such that dkms picks up the module when referencing wireguard/"${WG_MODULE_SNAPSHOT}"
|
|
||||||
cd /usr/src && \
|
|
||||||
mv wireguard-linux-compat-"${WG_MODULE_SNAPSHOT}" wireguard-"${WG_MODULE_SNAPSHOT}" && \
|
|
||||||
cd wireguard-"${WG_MODULE_SNAPSHOT}" && \
|
|
||||||
mv src/* . && \
|
|
||||||
rmdir src || exit 1
|
|
||||||
|
|
||||||
echo "::: Adding WireGuard module via DKMS... "
|
|
||||||
if dkms add wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
|
||||||
echo "done!"
|
|
||||||
else
|
|
||||||
echo "failed!"
|
|
||||||
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "::: Compiling WireGuard module via DKMS... "
|
|
||||||
if dkms build wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
|
||||||
echo "done!"
|
|
||||||
else
|
|
||||||
echo "failed!"
|
|
||||||
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "::: Installing WireGuard module via DKMS... "
|
|
||||||
if dkms install wireguard/"${WG_MODULE_SNAPSHOT}"; then
|
|
||||||
echo "done!"
|
|
||||||
else
|
|
||||||
echo "failed!"
|
|
||||||
dkms remove wireguard/"${WG_MODULE_SNAPSHOT}" --all
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "::: Removing old kernel module and source code..."
|
|
||||||
if dkms remove wireguard/"${CURRENT_WG_MODULE_SNAPSHOT}" --all; then
|
|
||||||
rm -rf /usr/src/wireguard-"${CURRENT_WG_MODULE_SNAPSHOT}"
|
|
||||||
echo "done!"
|
|
||||||
else
|
|
||||||
echo "failed!"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
sed "s/WG_TOOLS_SNAPSHOT=${CURRENT_WG_MODULE_SNAPSHOT}/WG_TOOLS_SNAPSHOT=${WG_MODULE_SNAPSHOT}/" -i "${setupVars}"
|
|
||||||
|
|
||||||
echo "::: Upgrade completed!"
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "::: You are running the lastest version of wireguard-dkms (${CURRENT_WG_MODULE_SNAPSHOT})"
|
|
||||||
fi
|
|