Pi-hole/pivpn
Pi-hole/pivpn
1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2024-12-19 03:10:16 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #882 from orazioedoardo/test

Browse source 
Revert some minor changes
This commit is contained in:
Orazio 2019-12-12 12:25:06 +01:00 committed by GitHub
commit 0aaf8473a6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 33 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
auto_install/install.sh
View file

@ -19,6 +19,7 @@ debianOvpnUserGroup="openvpn:openvpn"
### PKG Vars ### ### PKG Vars ###
PKG_MANAGER="apt-get" PKG_MANAGER="apt-get"
PKG_CACHE="/var/lib/apt/lists/" PKG_CACHE="/var/lib/apt/lists/"
### FIXME: quoting UPDATE_PKG_CACHE and PKG_INSTALL hangs the script, shellcheck SC2086
UPDATE_PKG_CACHE="${PKG_MANAGER} update" UPDATE_PKG_CACHE="${PKG_MANAGER} update"
PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install" PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install"
PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true" PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
@ -227,7 +228,7 @@ updatePackageCache(){
#update package lists #update package lists
echo ":::" echo ":::"
echo -ne "::: ${PKG_MANAGER} update has not been run today. Running now...\\n" echo -ne "::: ${PKG_MANAGER} update has not been run today. Running now...\\n"
$SUDO "${UPDATE_PKG_CACHE}" &> /dev/null $SUDO ${UPDATE_PKG_CACHE} &> /dev/null
echo " done!" echo " done!"
fi fi
} }
@ -282,16 +283,7 @@ installDependentPackages(){
done done
if command -v debconf-apt-progress &> /dev/null; then if command -v debconf-apt-progress &> /dev/null; then
set +e $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}"
$SUDO debconf-apt-progress -- "${PKG_INSTALL}" "${argArray1[@]}"
res="$?";
set -e
### apt-get install above returns 100 after an otherwise successfull installation of iptables-persistent,
### everything else was aready installed.
### Prevent from exiting the installation script in this case, exit for any other error code.
if [[ "$res" -ne 100 ]]; then
exit "$res";
fi;
else else
${PKG_INSTALL} "${argArray1[@]}" ${PKG_INSTALL} "${argArray1[@]}"
fi fi
@ -710,7 +702,7 @@ askWhichVPN(){
pivpnDEV="tun0" pivpnDEV="tun0"
pivpnNET="10.8.0.0" pivpnNET="10.8.0.0"
fi fi
vpnGw="${pivpnNET/.0/.1}" vpnGw="${pivpnNET/.0.0/.0.1}"
echo "VPN=${VPN}" >> /tmp/setupVars.conf echo "VPN=${VPN}" >> /tmp/setupVars.conf
} }
@ -745,7 +737,7 @@ installWireGuard(){
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/limit-unstable > /dev/null printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/limit-unstable > /dev/null
$SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138 $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
$SUDO "${UPDATE_PKG_CACHE}" &> /dev/null $SUDO ${UPDATE_PKG_CACHE} &> /dev/null
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms) PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms)
installDependentPackages PIVPN_DEPS[@] installDependentPackages PIVPN_DEPS[@]
@ -831,7 +823,7 @@ installWireGuard(){
echo "::: Adding Debian repository... " echo "::: Adding Debian repository... "
echo "deb http://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/unstable.list > /dev/null echo "deb http://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/unstable.list > /dev/null
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/limit-unstable > /dev/null printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/limit-unstable > /dev/null
$SUDO "${UPDATE_PKG_CACHE}" &> /dev/null $SUDO ${UPDATE_PKG_CACHE} &> /dev/null
PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms) PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms)
installDependentPackages PIVPN_DEPS[@] installDependentPackages PIVPN_DEPS[@]
@ -1317,7 +1309,7 @@ set_var EASYRSA_KEY_SIZE ${pivpnENCRYPT}" | $SUDO tee vars >/dev/null
${SUDOE} ./easyrsa gen-crl ${SUDOE} ./easyrsa gen-crl
${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem ${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem
if ! getent passwd openvpn; then if ! getent passwd openvpn; then
${SUDOE} adduser --system --home /var/lib/openvpn/ --no-create-home --group --disabled-login ${debianOvpnUserGroup%:*} ${SUDOE} adduser --system --home /var/lib/openvpn/ --group --disabled-login ${debianOvpnUserGroup%:*}
fi fi
${SUDOE} chown "$debianOvpnUserGroup" /etc/openvpn/crl.pem ${SUDOE} chown "$debianOvpnUserGroup" /etc/openvpn/crl.pem
@ -1439,11 +1431,11 @@ confNetwork(){
exit 1; exit 1;
fi fi
### If there is already a "*nat" section just add our POSTROUTING MASQUERADE ### If there is already a "*nat" section just add our POSTROUTING MASQUERADE
if grep -q "*nat" /etc/ufw/before.rules; then if $SUDO grep -q "*nat" /etc/ufw/before.rules; then
$SUDO sed "/^*nat/{n;s/\(:POSTROUTING ACCEPT .*\)/\1\n-I POSTROUTING -s ${pivpnNET}\/24 -o ${IPv4dev} -j MASQUERADE/}" -i /etc/ufw/before.rules $SUDO sed "/^*nat/{n;s/\(:POSTROUTING ACCEPT .*\)/\1\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE/}" -i /etc/ufw/before.rules
else else
$SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
fi fi
# Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic) # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
$SUDO ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}" >/dev/null $SUDO ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}" >/dev/null
$SUDO ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any >/dev/null $SUDO ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any >/dev/null

31
scripts/openvpn/pivpnDebug.sh
View file

@ -133,30 +133,15 @@ else
fi fi
fi fi
if [ "$OLD_UFW" -eq 1 ]; then if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
FORWARD_POLICY="$(iptables -S FORWARD | grep '^-P' | awk '{print $3}')" echo ":: [OK] Ufw forwarding rule set"
if [ "$FORWARD_POLICY" = "ACCEPT" ]; then
echo ":: [OK] Ufw forwarding policy is accept"
else
ERR=1
read -r -p ":: [ERR] Ufw forwarding policy is not 'ACCEPT', attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw
ufw reload > /dev/null
echo "Done"
fi
fi
else else
if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then ERR=1
echo ":: [OK] Ufw forwarding rule set" read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
else if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ERR=1 ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY ufw reload
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then echo "Done"
ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
ufw reload
echo "Done"
fi
fi fi
fi fi

23
scripts/uninstall.sh
View file

@ -5,6 +5,7 @@
### FIXME: use variables where appropriate, reduce magic numbers by 99.9%, at least. ### FIXME: use variables where appropriate, reduce magic numbers by 99.9%, at least.
PKG_MANAGER="apt-get" PKG_MANAGER="apt-get"
subnetClass="24"
setupVars="/etc/pivpn/setupVars.conf" setupVars="/etc/pivpn/setupVars.conf"
if [ ! -f "${setupVars}" ]; then if [ ! -f "${setupVars}" ]; then
@ -72,9 +73,9 @@ removeAll(){
### FIXME: SC2154 ### FIXME: SC2154
ufw delete allow "${pivpnPORT}"/"${pivpnPROTO}" > /dev/null ufw delete allow "${pivpnPORT}"/"${pivpnPROTO}" > /dev/null
### FIXME: SC2154 ### FIXME: SC2154
ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/24" out on "${IPv4dev}" to any > /dev/null ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any > /dev/null
sed -z "s/*nat\\n:POSTROUTING ACCEPT \\[0:0\\]\\n-I POSTROUTING -s ${pivpnNET}\\/24 -o ${IPv4dev} -j MASQUERADE\\nCOMMIT\\n\\n//" -i /etc/ufw/before.rules sed -z "s/*nat\\n:POSTROUTING ACCEPT \\[0:0\\]\\n-I POSTROUTING -s ${pivpnNET}\\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\\nCOMMIT\\n\\n//" -i /etc/ufw/before.rules
iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE iptables -t nat -D POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE
ufw reload &> /dev/null ufw reload &> /dev/null
elif [ "$USING_UFW" -eq 0 ]; then elif [ "$USING_UFW" -eq 0 ]; then
@ -84,11 +85,11 @@ removeAll(){
fi fi
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
iptables -D FORWARD -d "${pivpnNET}/24" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -D FORWARD -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -s "${pivpnNET}/24" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT iptables -D FORWARD -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
fi fi
iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE iptables -t nat -D POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE
iptables-save > /etc/iptables/rules.v4 iptables-save > /etc/iptables/rules.v4
fi fi
@ -181,16 +182,16 @@ removeAll(){
if [ "$VPN" = "wireguard" ]; then if [ "$VPN" = "wireguard" ]; then
rm -f /etc/wireguard/wg0.conf rm -f /etc/wireguard/wg0.conf
rm -f /etc/wireguard/configs rm -rf /etc/wireguard/configs
rm -f /etc/wireguard/keys rm -rf /etc/wireguard/keys
### FIXME SC2154 ### FIXME SC2154
rm -f "$install_home/configs" rm -rf "$install_home/configs"
elif [ "$VPN" = "openvpn" ]; then elif [ "$VPN" = "openvpn" ]; then
rm -f /var/log/*openvpn* rm -f /var/log/*openvpn*
rm -f /etc/openvpn/server.conf rm -f /etc/openvpn/server.conf
rm -f /etc/openvpn/crl.pem rm -f /etc/openvpn/crl.pem
rm -f /etc/openvpn/easy-rsa rm -rf /etc/openvpn/easy-rsa
rm -f "$install_home/ovpns" rm -rf "$install_home/ovpns"
fi fi
echo ":::" echo ":::"

4
server_config.txt
View file

@ -23,8 +23,8 @@ tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0 tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC cipher AES-256-CBC
auth SHA256 auth SHA256
user nobody user openvpn
group nogroup group openvpn
persist-key persist-key
persist-tun persist-tun
crl-verify /etc/openvpn/crl.pem crl-verify /etc/openvpn/crl.pem