mirror of
https://github.com/pivpn/pivpn.git
synced 2025-01-18 18:44:29 +00:00
Merge pull request #882 from orazioedoardo/test
Revert some minor changes
This commit is contained in:
commit
0aaf8473a6
4 changed files with 33 additions and 55 deletions
|
@ -19,6 +19,7 @@ debianOvpnUserGroup="openvpn:openvpn"
|
|||
### PKG Vars ###
|
||||
PKG_MANAGER="apt-get"
|
||||
PKG_CACHE="/var/lib/apt/lists/"
|
||||
### FIXME: quoting UPDATE_PKG_CACHE and PKG_INSTALL hangs the script, shellcheck SC2086
|
||||
UPDATE_PKG_CACHE="${PKG_MANAGER} update"
|
||||
PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install"
|
||||
PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
|
||||
|
@ -227,7 +228,7 @@ updatePackageCache(){
|
|||
#update package lists
|
||||
echo ":::"
|
||||
echo -ne "::: ${PKG_MANAGER} update has not been run today. Running now...\\n"
|
||||
$SUDO "${UPDATE_PKG_CACHE}" &> /dev/null
|
||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
|
||||
echo " done!"
|
||||
fi
|
||||
}
|
||||
|
@ -282,16 +283,7 @@ installDependentPackages(){
|
|||
done
|
||||
|
||||
if command -v debconf-apt-progress &> /dev/null; then
|
||||
set +e
|
||||
$SUDO debconf-apt-progress -- "${PKG_INSTALL}" "${argArray1[@]}"
|
||||
res="$?";
|
||||
set -e
|
||||
### apt-get install above returns 100 after an otherwise successfull installation of iptables-persistent,
|
||||
### everything else was aready installed.
|
||||
### Prevent from exiting the installation script in this case, exit for any other error code.
|
||||
if [[ "$res" -ne 100 ]]; then
|
||||
exit "$res";
|
||||
fi;
|
||||
$SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}"
|
||||
else
|
||||
${PKG_INSTALL} "${argArray1[@]}"
|
||||
fi
|
||||
|
@ -710,7 +702,7 @@ askWhichVPN(){
|
|||
pivpnDEV="tun0"
|
||||
pivpnNET="10.8.0.0"
|
||||
fi
|
||||
vpnGw="${pivpnNET/.0/.1}"
|
||||
vpnGw="${pivpnNET/.0.0/.0.1}"
|
||||
|
||||
echo "VPN=${VPN}" >> /tmp/setupVars.conf
|
||||
}
|
||||
|
@ -745,7 +737,7 @@ installWireGuard(){
|
|||
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/limit-unstable > /dev/null
|
||||
|
||||
$SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
|
||||
$SUDO "${UPDATE_PKG_CACHE}" &> /dev/null
|
||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
|
||||
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms)
|
||||
installDependentPackages PIVPN_DEPS[@]
|
||||
|
||||
|
@ -831,7 +823,7 @@ installWireGuard(){
|
|||
echo "::: Adding Debian repository... "
|
||||
echo "deb http://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/unstable.list > /dev/null
|
||||
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/limit-unstable > /dev/null
|
||||
$SUDO "${UPDATE_PKG_CACHE}" &> /dev/null
|
||||
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
|
||||
PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms)
|
||||
installDependentPackages PIVPN_DEPS[@]
|
||||
|
||||
|
@ -1317,7 +1309,7 @@ set_var EASYRSA_KEY_SIZE ${pivpnENCRYPT}" | $SUDO tee vars >/dev/null
|
|||
${SUDOE} ./easyrsa gen-crl
|
||||
${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem
|
||||
if ! getent passwd openvpn; then
|
||||
${SUDOE} adduser --system --home /var/lib/openvpn/ --no-create-home --group --disabled-login ${debianOvpnUserGroup%:*}
|
||||
${SUDOE} adduser --system --home /var/lib/openvpn/ --group --disabled-login ${debianOvpnUserGroup%:*}
|
||||
fi
|
||||
${SUDOE} chown "$debianOvpnUserGroup" /etc/openvpn/crl.pem
|
||||
|
||||
|
@ -1439,11 +1431,11 @@ confNetwork(){
|
|||
exit 1;
|
||||
fi
|
||||
### If there is already a "*nat" section just add our POSTROUTING MASQUERADE
|
||||
if grep -q "*nat" /etc/ufw/before.rules; then
|
||||
$SUDO sed "/^*nat/{n;s/\(:POSTROUTING ACCEPT .*\)/\1\n-I POSTROUTING -s ${pivpnNET}\/24 -o ${IPv4dev} -j MASQUERADE/}" -i /etc/ufw/before.rules
|
||||
if $SUDO grep -q "*nat" /etc/ufw/before.rules; then
|
||||
$SUDO sed "/^*nat/{n;s/\(:POSTROUTING ACCEPT .*\)/\1\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE/}" -i /etc/ufw/before.rules
|
||||
else
|
||||
$SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
|
||||
fi
|
||||
$SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
|
||||
fi
|
||||
# Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
|
||||
$SUDO ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}" >/dev/null
|
||||
$SUDO ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any >/dev/null
|
||||
|
|
|
@ -133,30 +133,15 @@ else
|
|||
fi
|
||||
fi
|
||||
|
||||
if [ "$OLD_UFW" -eq 1 ]; then
|
||||
FORWARD_POLICY="$(iptables -S FORWARD | grep '^-P' | awk '{print $3}')"
|
||||
if [ "$FORWARD_POLICY" = "ACCEPT" ]; then
|
||||
echo ":: [OK] Ufw forwarding policy is accept"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Ufw forwarding policy is not 'ACCEPT', attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw
|
||||
ufw reload > /dev/null
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
|
||||
echo ":: [OK] Ufw forwarding rule set"
|
||||
else
|
||||
if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
|
||||
echo ":: [OK] Ufw forwarding rule set"
|
||||
else
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
|
||||
ufw reload
|
||||
echo "Done"
|
||||
fi
|
||||
ERR=1
|
||||
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
|
||||
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
|
||||
ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
|
||||
ufw reload
|
||||
echo "Done"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
### FIXME: use variables where appropriate, reduce magic numbers by 99.9%, at least.
|
||||
|
||||
PKG_MANAGER="apt-get"
|
||||
subnetClass="24"
|
||||
setupVars="/etc/pivpn/setupVars.conf"
|
||||
|
||||
if [ ! -f "${setupVars}" ]; then
|
||||
|
@ -72,9 +73,9 @@ removeAll(){
|
|||
### FIXME: SC2154
|
||||
ufw delete allow "${pivpnPORT}"/"${pivpnPROTO}" > /dev/null
|
||||
### FIXME: SC2154
|
||||
ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/24" out on "${IPv4dev}" to any > /dev/null
|
||||
sed -z "s/*nat\\n:POSTROUTING ACCEPT \\[0:0\\]\\n-I POSTROUTING -s ${pivpnNET}\\/24 -o ${IPv4dev} -j MASQUERADE\\nCOMMIT\\n\\n//" -i /etc/ufw/before.rules
|
||||
iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE
|
||||
ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any > /dev/null
|
||||
sed -z "s/*nat\\n:POSTROUTING ACCEPT \\[0:0\\]\\n-I POSTROUTING -s ${pivpnNET}\\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\\nCOMMIT\\n\\n//" -i /etc/ufw/before.rules
|
||||
iptables -t nat -D POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE
|
||||
ufw reload &> /dev/null
|
||||
|
||||
elif [ "$USING_UFW" -eq 0 ]; then
|
||||
|
@ -84,11 +85,11 @@ removeAll(){
|
|||
fi
|
||||
|
||||
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
|
||||
iptables -D FORWARD -d "${pivpnNET}/24" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -D FORWARD -s "${pivpnNET}/24" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
|
||||
iptables -D FORWARD -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
iptables -D FORWARD -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
|
||||
fi
|
||||
|
||||
iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE
|
||||
iptables -t nat -D POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE
|
||||
iptables-save > /etc/iptables/rules.v4
|
||||
|
||||
fi
|
||||
|
@ -181,16 +182,16 @@ removeAll(){
|
|||
|
||||
if [ "$VPN" = "wireguard" ]; then
|
||||
rm -f /etc/wireguard/wg0.conf
|
||||
rm -f /etc/wireguard/configs
|
||||
rm -f /etc/wireguard/keys
|
||||
rm -rf /etc/wireguard/configs
|
||||
rm -rf /etc/wireguard/keys
|
||||
### FIXME SC2154
|
||||
rm -f "$install_home/configs"
|
||||
rm -rf "$install_home/configs"
|
||||
elif [ "$VPN" = "openvpn" ]; then
|
||||
rm -f /var/log/*openvpn*
|
||||
rm -f /etc/openvpn/server.conf
|
||||
rm -f /etc/openvpn/crl.pem
|
||||
rm -f /etc/openvpn/easy-rsa
|
||||
rm -f "$install_home/ovpns"
|
||||
rm -rf /etc/openvpn/easy-rsa
|
||||
rm -rf "$install_home/ovpns"
|
||||
fi
|
||||
|
||||
echo ":::"
|
||||
|
|
|
@ -23,8 +23,8 @@ tls-version-min 1.2
|
|||
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
|
||||
cipher AES-256-CBC
|
||||
auth SHA256
|
||||
user nobody
|
||||
group nogroup
|
||||
user openvpn
|
||||
group openvpn
|
||||
persist-key
|
||||
persist-tun
|
||||
crl-verify /etc/openvpn/crl.pem
|
||||
|
|
Loading…
Reference in a new issue