From d022cafa254ac8a74e558e24758dfb6bd5f2a783 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 10 Dec 2019 16:06:28 +0100 Subject: [PATCH 1/3] Revert some minor changes --- auto_install/install.sh | 22 +++++++--------------- scripts/openvpn/pivpnDebug.sh | 31 ++++++++----------------------- scripts/uninstall.sh | 10 +++++----- server_config.txt | 4 ++-- 4 files changed, 22 insertions(+), 45 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 5b989f6..323b7b6 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -227,7 +227,7 @@ updatePackageCache(){ #update package lists echo ":::" echo -ne "::: ${PKG_MANAGER} update has not been run today. Running now...\\n" - $SUDO "${UPDATE_PKG_CACHE}" &> /dev/null + $SUDO ${UPDATE_PKG_CACHE} &> /dev/null echo " done!" fi } @@ -282,16 +282,7 @@ installDependentPackages(){ done if command -v debconf-apt-progress &> /dev/null; then - set +e - $SUDO debconf-apt-progress -- "${PKG_INSTALL}" "${argArray1[@]}" - res="$?"; - set -e - ### apt-get install above returns 100 after an otherwise successfull installation of iptables-persistent, - ### everything else was aready installed. - ### Prevent from exiting the installation script in this case, exit for any other error code. - if [[ "$res" -ne 100 ]]; then - exit "$res"; - fi; + $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}" else ${PKG_INSTALL} "${argArray1[@]}" fi @@ -710,7 +701,7 @@ askWhichVPN(){ pivpnDEV="tun0" pivpnNET="10.8.0.0" fi - vpnGw="${pivpnNET/.0/.1}" + vpnGw="${pivpnNET/.0.0/.0.1}" echo "VPN=${VPN}" >> /tmp/setupVars.conf } 
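Review bot: The revert to an unquoted `$SUDO ${UPDATE_PKG_CACHE} &> /dev/null` in updatePackageCache makes the call depend on word splitting of a string that holds a command plus its arguments, which is exactly what the SC2086 FIXME added in the `### PKG Vars ###` hunk of PATCH 3/3 documents as a known problem; the two installWireGuard hunks and the `${PKG_INSTALL}` expansions in installDependentPackages have the same shape. Defining the variables as arrays at their assignment site, `UPDATE_PKG_CACHE=("${PKG_MANAGER}" update)` and `PKG_INSTALL=("${PKG_MANAGER}" --yes --no-install-recommends install)`, and expanding them as `$SUDO "${UPDATE_PKG_CACHE[@]}" &> /dev/null` keeps the arguments intact without relying on splitting and without the failure mode that quoting the whole string had. Redirecting to /dev/null also hides any `apt-get update` error; if the script does not run under `set -e` at this point (not visible here), a failed refresh goes unnoticed.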
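Review bot: The removed `set +e` / `set -e` pair in installDependentPackages indicates the script runs under `set -e`, so after this revert any non-zero status from `$SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}"` aborts the install again, including the exit code 100 that the deleted comment attributed to an otherwise successful iptables-persistent install. If that case is real it would be worth reproducing and recording in a comment at this line, because the user then sees an abort with no diagnostic; if it is not real, a one-line note such as `# debconf-apt-progress exit status propagates under set -e` makes the new behaviour explicit. The `else` branch `${PKG_INSTALL} "${argArray1[@]}"` carries the same unquoted-expansion dependency as updatePackageCache.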
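Review bot: `vpnGw="${pivpnNET/.0.0/.0.1}"` derives the gateway by replacing the first `.0.0` in the network address, which gives `10.8.0.1` for the visible default but would give `10.0.1.0` for a network such as `10.0.0.0`; the previous `${pivpnNET/.0/.1}` had the same class of problem at a different position. Replacing the last octet instead, `vpnGw="${pivpnNET%.*}.1"`, yields the `.1` host for any /24 network address regardless of where zero octets appear. If pivpnNET can be something other than a /24 (subnetClass is introduced in PATCH 2/3), the derivation should take that variable into account rather than assume the last octet is the host part. askWhichVPN's body starts outside the hunk.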
@@ -745,7 +736,7 @@ installWireGuard(){ printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/limit-unstable > /dev/null $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138 - $SUDO "${UPDATE_PKG_CACHE}" &> /dev/null + $SUDO ${UPDATE_PKG_CACHE} &> /dev/null PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms) installDependentPackages PIVPN_DEPS[@] @@ -831,7 +822,7 @@ installWireGuard(){ echo "::: Adding Debian repository... " echo "deb http://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/unstable.list > /dev/null printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/limit-unstable > /dev/null - $SUDO "${UPDATE_PKG_CACHE}" &> /dev/null + $SUDO ${UPDATE_PKG_CACHE} &> /dev/null PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms) installDependentPackages PIVPN_DEPS[@] @@ -1317,6 +1308,7 @@ set_var EASYRSA_KEY_SIZE ${pivpnENCRYPT}" | $SUDO tee vars >/dev/null ${SUDOE} ./easyrsa gen-crl ${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem if ! getent passwd openvpn; then + mkdir -p /var/lib/openvpn ${SUDOE} adduser --system --home /var/lib/openvpn/ --no-create-home --group --disabled-login ${debianOvpnUserGroup%:*} fi ${SUDOE} chown "$debianOvpnUserGroup" /etc/openvpn/crl.pem 
@@ -1439,7 +1431,7 @@ confNetwork(){ exit 1; fi ### If there is already a "*nat" section just add our POSTROUTING MASQUERADE - if grep -q "*nat" /etc/ufw/before.rules; then + if $SUDO grep -q "*nat" /etc/ufw/before.rules; then $SUDO sed "/^*nat/{n;s/\(:POSTROUTING ACCEPT .*\)/\1\n-I POSTROUTING -s ${pivpnNET}\/24 -o ${IPv4dev} -j MASQUERADE/}" -i /etc/ufw/before.rules else $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules diff --git a/scripts/openvpn/pivpnDebug.sh b/scripts/openvpn/pivpnDebug.sh index f5cc4bb..bc14f8f 100755 --- a/scripts/openvpn/pivpnDebug.sh +++ b/scripts/openvpn/pivpnDebug.sh 
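Review bot: `$SUDO grep -q "*nat" /etc/ufw/before.rules` matches `*nat` anywhere on any line, including inside a comment, while the sed address on the next line edits only a line that begins with `^*nat`; a commented-out or indented `*nat` would take the first branch, the sed would find nothing to edit, and before.rules would end up with no POSTROUTING MASQUERADE for the VPN subnet without the script noticing. Anchoring the test the same way as the sed, `if $SUDO grep -q "^*nat" /etc/ufw/before.rules; then`, keeps the two in step (in a basic regex the leading `*` is literal for both tools). confNetwork's body starts and ends outside the hunk.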
@@ -133,30 +133,15 @@ else fi fi - if [ "$OLD_UFW" -eq 1 ]; then - FORWARD_POLICY="$(iptables -S FORWARD | grep '^-P' | awk '{print $3}')" - if [ "$FORWARD_POLICY" = "ACCEPT" ]; then - echo ":: [OK] Ufw forwarding policy is accept" - else - ERR=1 - read -r -p ":: [ERR] Ufw forwarding policy is not 'ACCEPT', attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw - ufw reload > /dev/null - echo "Done" - fi - fi + if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then + echo ":: [OK] Ufw forwarding rule set" else - if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then - echo ":: [OK] Ufw forwarding rule set" - else - ERR=1 - read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then - ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any - ufw reload - echo "Done" - fi + ERR=1 + read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then + ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any + ufw reload + echo "Done" fi fi diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 1647531..f4f6eb5 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh 
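Review bot: The surviving check `iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT` and its repair `ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any` hardcode the device and network, while the installer hunks in this same series build the corresponding rule from `${pivpnDEV}` and `${pivpnNET}/${subnetClass}`. On an install whose network differs from the default, the debug script would report `[ERR]` and, if the user accepts the fix, insert a rule for a subnet the VPN does not use. If pivpnDebug.sh reads setupVars.conf (it obtains IPv4dev from somewhere, presumably there), the check and the repair should use the same variables, e.g. `-i "${pivpnDEV}" -o "${IPv4dev}" -s "${pivpnNET}/${subnetClass}"`. The enclosing if/else begins outside the hunk.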
@@ -181,16 +181,16 @@ removeAll(){ if [ "$VPN" = "wireguard" ]; then rm -f /etc/wireguard/wg0.conf - rm -f /etc/wireguard/configs - rm -f /etc/wireguard/keys + rm -rf /etc/wireguard/configs + rm -rf /etc/wireguard/keys ### FIXME SC2154 - rm -f "$install_home/configs" + rm -rf "$install_home/configs" elif [ "$VPN" = "openvpn" ]; then rm -f /var/log/*openvpn* rm -f /etc/openvpn/server.conf rm -f /etc/openvpn/crl.pem - rm -f /etc/openvpn/easy-rsa - rm -f "$install_home/ovpns" + rm -rf /etc/openvpn/easy-rsa + rm -rf "$install_home/ovpns" fi echo ":::" diff --git a/server_config.txt b/server_config.txt index 9ca16a4..71da0c8 100644 --- a/server_config.txt +++ b/server_config.txt @@ -23,8 +23,8 @@ tls-version-min 1.2 tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0 cipher AES-256-CBC auth SHA256 -user nobody -group nogroup +user openvpn +group openvpn persist-key persist-tun crl-verify /etc/openvpn/crl.pem From c20e7d21502044c2dc80e80504405c98e78668b5 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 10 Dec 2019 16:49:40 +0100 Subject: [PATCH 2/3] Use ${pivpnNET} and ${subnetClass} when adding ufw nat rules --- auto_install/install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 323b7b6..738f544 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
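Review bot: `rm -rf "$install_home/configs"` and `rm -rf "$install_home/ovpns"` now recurse, and the `### FIXME SC2154` left beside them acknowledges that `install_home` may be unset at this point; in that case the paths expand to `/configs` and `/ovpns`, and a recursive delete of a top-level directory runs as root. Changing `-f` to `-rf` is the moment a guard on the variable becomes necessary: `rm -rf "${install_home:?}/configs"` and `rm -rf "${install_home:?}/ovpns"` abort with a message instead of expanding to a root-level path. removeAll starts and ends outside the hunk.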
@@ -1432,10 +1432,10 @@ confNetwork(){ fi ### If there is already a "*nat" section just add our POSTROUTING MASQUERADE if $SUDO grep -q "*nat" /etc/ufw/before.rules; then - $SUDO sed "/^*nat/{n;s/\(:POSTROUTING ACCEPT .*\)/\1\n-I POSTROUTING -s ${pivpnNET}\/24 -o ${IPv4dev} -j MASQUERADE/}" -i /etc/ufw/before.rules + $SUDO sed "/^*nat/{n;s/\(:POSTROUTING ACCEPT .*\)/\1\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE/}" -i /etc/ufw/before.rules else - $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules - fi + $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules + fi # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic) $SUDO ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}" >/dev/null $SUDO ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any >/dev/null From 5f82a0740e384b58a311f785c0ad11ed3ae644f6 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 10 Dec 2019 19:07:08 +0100 Subject: [PATCH 3/3] Use variable, create openvpn home, add shellcheck reminder --- auto_install/install.sh | 4 ++-- scripts/uninstall.sh | 13 +++++++------ 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 738f544..f348939 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
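Review bot: Both `$SUDO sed ... -i /etc/ufw/before.rules` invocations splice `${pivpnNET}`, `${subnetClass}` and `${IPv4dev}` directly into the sed program, so the values are interpreted as sed syntax rather than as data: a `/`, `&` or `\` in any of them breaks the expression or rewrites before.rules in an unintended way, as root. Validating the three values for the shapes they must have before this point — pivpnNET as a dotted quad, subnetClass as a number, IPv4dev as a plain interface name, e.g. `[[ "$pivpnNET" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || exit 1` — keeps the expression well-formed; if such validation already exists where the variables are assigned (outside this hunk), a comment here pointing to it would be enough. The remaining lines of the hunk are a whitespace-only re-indent of the else branch. confNetwork continues outside the hunk.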
@@ -19,6 +19,7 @@ debianOvpnUserGroup="openvpn:openvpn" ### PKG Vars ### PKG_MANAGER="apt-get" PKG_CACHE="/var/lib/apt/lists/" +### FIXME: quoting UPDATE_PKG_CACHE and PKG_INSTALL hangs the script, shellcheck SC2086 UPDATE_PKG_CACHE="${PKG_MANAGER} update" PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install" PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true" @@ -1308,8 +1309,7 @@ set_var EASYRSA_KEY_SIZE ${pivpnENCRYPT}" | $SUDO tee vars >/dev/null ${SUDOE} ./easyrsa gen-crl ${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem if ! getent passwd openvpn; then - mkdir -p /var/lib/openvpn - ${SUDOE} adduser --system --home /var/lib/openvpn/ --no-create-home --group --disabled-login ${debianOvpnUserGroup%:*} + ${SUDOE} adduser --system --home /var/lib/openvpn/ --group --disabled-login ${debianOvpnUserGroup%:*} fi ${SUDOE} chown "$debianOvpnUserGroup" /etc/openvpn/crl.pem diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index f4f6eb5..bcfbf94 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -5,6 +5,7 @@ ### FIXME: use variables where appropriate, reduce magic numbers by 99.9%, at least. PKG_MANAGER="apt-get" +subnetClass="24" setupVars="/etc/pivpn/setupVars.conf" if [ ! -f "${setupVars}" ]; then 
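Review bot: The guard `if ! getent passwd openvpn; then` hardcodes the account name while the rewritten `adduser` line below it derives the name from `${debianOvpnUserGroup%:*}`; if the variable is ever changed the check and the creation disagree, and either adduser fails on an existing account or a second account is created. `getent` also prints the matching passwd entry to stdout on the success path. `if ! getent passwd "${debianOvpnUserGroup%:*}" > /dev/null; then` addresses both. The surrounding easy-rsa block starts outside the hunk.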
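Review bot: `subnetClass="24"` in uninstall.sh is assigned before setupVars.conf is read, so it acts as a default that only matters when the sourced file does not define it; the installer hunks in this series use `${subnetClass}` when building the ufw and iptables rules, but the only value I see being appended to setupVars.conf is `VPN=` (PATCH 1/3). If the installer can run with a class other than 24 and does not persist it, the delete rules in removeAll would target a different CIDR than the one inserted and leave the MASQUERADE and forward rules in place after uninstall. Worth confirming that setupVars.conf carries `subnetClass=`, and in any case documenting the intent on this line, e.g. `# default; overridden by setupVars.conf when it defines subnetClass`.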
@@ -72,9 +73,9 @@ removeAll(){ ### FIXME: SC2154 ufw delete allow "${pivpnPORT}"/"${pivpnPROTO}" > /dev/null ### FIXME: SC2154 - ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/24" out on "${IPv4dev}" to any > /dev/null - sed -z "s/*nat\\n:POSTROUTING ACCEPT \\[0:0\\]\\n-I POSTROUTING -s ${pivpnNET}\\/24 -o ${IPv4dev} -j MASQUERADE\\nCOMMIT\\n\\n//" -i /etc/ufw/before.rules - iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE + ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any > /dev/null + sed -z "s/*nat\\n:POSTROUTING ACCEPT \\[0:0\\]\\n-I POSTROUTING -s ${pivpnNET}\\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\\nCOMMIT\\n\\n//" -i /etc/ufw/before.rules + iptables -t nat -D POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE ufw reload &> /dev/null elif [ "$USING_UFW" -eq 0 ]; then @@ -84,11 +85,11 @@ removeAll(){ fi if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then - iptables -D FORWARD -d "${pivpnNET}/24" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -D FORWARD -s "${pivpnNET}/24" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT + iptables -D FORWARD -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -D FORWARD -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT fi - iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE + iptables -t nat -D POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE iptables-save > /etc/iptables/rules.v4 fi
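Review bot: The `sed -z "s/*nat\\n:POSTROUTING ACCEPT \\[0:0\\]\\n-I POSTROUTING ... MASQUERADE\\nCOMMIT\\n\\n//"` removal only matches the full block the installer appends when before.rules had no `*nat` section; when confNetwork took the `grep -q "*nat"` branch it inserted just the single `-I POSTROUTING -s ... -j MASQUERADE` line under the existing `:POSTROUTING ACCEPT` entry, which this pattern does not match, so the NAT rule for the VPN subnet persists in ufw after uninstall. A second, line-level deletion covers that case: `sed -i "/^-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE$/d" /etc/ufw/before.rules`. The `ufw route delete` and `iptables -D` lines likewise only succeed if subnetClass holds the same value the installer used, and their failures are not checked. removeAll starts outside the hunk.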