From 58fcaafcf1b7f1b7adcf26b471ac7cb4bf28575c Mon Sep 17 00:00:00 2001 From: Giraffe1966 <35208168+Giraffe1966@users.noreply.github.com> Date: Mon, 2 Jul 2018 17:34:26 -0400 Subject: [PATCH 01/10] Fix issue #552. --- auto_install/install.sh | 80 ----------------------------------------- 1 file changed, 80 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 8c4d07d..194cd5b 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
@@ -502,85 +502,6 @@ stopServices() { $SUDO echo " done." } -checkForDependencies() { - #Running apt-get update/upgrade with minimal output can cause some issues with - #requiring user input (e.g password for phpmyadmin see #218) - #We'll change the logic up here, to check to see if there are any updates available and - # if so, advise the user to run apt-get update/upgrade at their own discretion - #Check to see if apt-get update has already been run today - # it needs to have been run at least once on new installs! - - timestamp=$(stat -c %Y /var/cache/apt/) - timestampAsDate=$(date -d @"$timestamp" "+%b %e") - today=$(date "+%b %e") - - case ${PLAT} in - Ubuntu|Debian|Devuan) - case ${OSCN} in - trusty|jessie|wheezy|stretch) - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add - - echo "deb http://swupdate.openvpn.net/apt $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null - echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..." - $SUDO apt-get -qq update & spinner $! - echo " done!" - ;; - esac - ;; - esac - if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then - if [[ $OSCN == "trusty" || $OSCN == "jessie" || $OSCN == "wheezy" || $OSCN == "stretch" ]]; then - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add - - echo "deb http://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null - echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..." - $SUDO apt-get -qq update & spinner $! - echo " done!" - fi - fi - - if [ ! "$today" == "$timestampAsDate" ]; then - #update package lists - echo ":::" - echo -n "::: apt-get update has not been run today. Running now..." - $SUDO apt-get -qq update & spinner $! - echo " done!" - fi - echo ":::" - echo -n "::: Checking apt-get for upgraded packages...." - updatesToInstall=$($SUDO apt-get -s -o Debug::NoLocking=true upgrade | grep -c ^Inst) - echo " done!" 
- echo ":::" - if [[ $updatesToInstall -eq "0" ]]; then - echo "::: Your pi is up to date! Continuing with PiVPN installation..." - else - echo "::: There are $updatesToInstall updates availible for your pi!" - echo "::: We recommend you run 'sudo apt-get upgrade' after installing PiVPN! " - echo ":::" - fi - echo ":::" - echo "::: Checking dependencies:" - - dependencies=( openvpn git dhcpcd5 tar wget grep iptables-persistent dnsutils expect whiptail net-tools) - for i in "${dependencies[@]}"; do - echo -n "::: Checking for $i..." - if [ "$(dpkg-query -W -f='${Status}' "$i" 2>/dev/null | grep -c "ok installed")" -eq 0 ]; then - echo -n " Not found! Installing...." - #Supply answers to the questions so we don't prompt user - if [[ $i = "iptables-persistent" ]]; then - echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections - echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections - fi - if [[ $i == "expect" ]] || [[ $i == "openvpn" ]]; then - ($SUDO apt-get --yes --quiet --no-install-recommends install "$i" > /dev/null || echo "Installation Failed!" && fixApt) & spinner $! - else - ($SUDO apt-get --yes --quiet install "$i" > /dev/null || echo "Installation Failed!" && fixApt) & spinner $! - fi - echo " done!" - else - echo " already installed!" - fi - done -} - getGitFiles() { # Setup git repos for base files echo ":::" @@ -1282,7 +1203,6 @@ main() { # Install the packages (we do this first because we need whiptail) addSoftwareRepo - #checkForDependencies update_package_cache # Notify user of package availability From e4067949d583aad42590ba2cfd8046322ed58f17 Mon Sep 17 00:00:00 2001 From: Marvin Lehmann Date: Wed, 18 Jul 2018 23:01:36 +0200 Subject: [PATCH 02/10] Use latest DH parameter service API More information at https://2ton.com.au/safeprimes/ --- auto_install/install.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/auto_install/install.sh b/auto_install/install.sh index 78a838f..6023b55 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -850,7 +850,7 @@ EOF if [[ ${useUpdateVars} == false ]]; then if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then - if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then + if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from their database.\nMore information about this service can be found here: https://2ton.com.au/safeprimes/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then DOWNLOAD_DH_PARAM=true else DOWNLOAD_DH_PARAM=false 
@@ -861,8 +861,7 @@ EOF if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then if [ "$ENCRYPT" -ge "4096" ] && [[ ${DOWNLOAD_DH_PARAM} == true ]]; then # Downloading parameters - RANDOM_INDEX=$(( RANDOM % 128 )) - ${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem" + ${SUDOE} curl "https://2ton.com.au/getprimes/random/dhparam/${ENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem" else # Generate Diffie-Hellman key exchange ${SUDOE} ./easyrsa gen-dh From a8b3428744ab5d620d0772097195664971a45f28 Mon Sep 17 00:00:00 2001 From: Alexis Espinosa Perez Date: Wed, 15 Aug 2018 11:06:12 -0500 Subject: [PATCH 03/10] Create TWO_POINT_FOUR file when running unattended --- auto_install/install.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/auto_install/install.sh b/auto_install/install.sh index 78a838f..34a953b 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -848,6 +848,10 @@ EOF fi fi + if [[ ${runUnattended} == true ]] && [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then + $SUDO touch /etc/pivpn/TWO_POINT_FOUR + fi + if [[ ${useUpdateVars} == false ]]; then if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then 
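Review bot: The new `curl` call that writes the downloaded parameters to `dh${ENCRYPT}.pem` has no `-f`, so an HTTP error from the service leaves an error page in the .pem file with exit status 0 and the installer proceeds to reference a file that is not DH parameters. Use `${SUDOE} curl -fsS "https://2ton.com.au/getprimes/random/dhparam/${ENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem" || exit 1` and follow it with `${SUDOE} openssl dhparam -check -noout -in "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem" || exit 1` so the file is confirmed to parse as valid parameters before the server config points at it. Whether `set -e` is active at this point is not visible in the hunk; the explicit `|| exit 1` does not depend on it. The enclosing block starts and ends outside the hunk.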
From 18bfa927dafaab8e33e4be39c8140558e9feae4d Mon Sep 17 00:00:00 2001 From: redfast00 Date: Wed, 15 Aug 2018 21:15:24 +0200 Subject: [PATCH 04/10] Fix typo, fix #429 --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 7f98a97..67093e9 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -235,7 +235,7 @@ chooseInterface() { # Temporary Whiptail options storage local chooseInterfaceOptions # Loop sentinel variable - local firstLoop=1 + local firstloop=1 if [[ $(echo "${availableInterfaces}" | wc -l) -eq 1 ]]; then pivpnInterface="${availableInterfaces}" From cb169bcb0c8f08f8ce5687ad483b89f8cf9e693c Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 4 Sep 2018 12:06:52 +0200 Subject: [PATCH 05/10] Update install.sh --- auto_install/install.sh | 202 +++++++++++++++++++++++----------------- 1 file changed, 116 insertions(+), 86 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 9b27da7..eb459de 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
@@ -24,13 +24,16 @@ PKG_CACHE="/var/lib/apt/lists/" UPDATE_PKG_CACHE="${PKG_MANAGER} update" PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install" PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true" -PIVPN_DEPS=( openvpn git dhcpcd5 tar wget grep iptables-persistent dnsutils expect whiptail net-tools) +PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools) ### ### pivpnGitUrl="https://github.com/pivpn/pivpn.git" pivpnFilesDir="/etc/.pivpn" -easyrsaVer="3.0.1-pivpn1" -easyrsaRel="https://github.com/pivpn/easy-rsa/releases/download/${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz" +easyrsaVer="3.0.4" +easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz" + +# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config +UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/1.4.tar.gz" # Find the rows and columns. Will default to 80x24 if it can not be detected. screen_size=$(stty size 2>/dev/null || echo 24 80) 
@@ -80,37 +83,41 @@ Would you like to continue anyway?" ${r} ${c}) then # Compatibility distro_check() { - # if lsb_release command is on their system - if hash lsb_release 2>/dev/null; then + # if lsb_release command is on their system + if hash lsb_release 2>/dev/null; then - PLAT=$(lsb_release -si) - OSCN=$(lsb_release -sc) # We want this to be trusty xenial or jessie + PLAT=$(lsb_release -si) + OSCN=$(lsb_release -sc) # We want this to be trusty xenial or jessie - else # else get info from os-release + else # else get info from os-release - PLAT=$(grep "^NAME" /etc/os-release | awk -F "=" '{print $2}' | tr -d '"' | awk '{print $1}') - VER=$(grep "VERSION_ID" /etc/os-release | awk -F "=" '{print $2}' | tr -d '"') - declare -A VER_MAP=(["9"]="stretch" ["8"]="jessie" ["16.04"]="xenial" ["14.04"]="trusty") - OSCN=${VER_MAP["${VER}"]} + source /etc/os-release + PLAT=$(awk '{print $1}' <<< "$NAME") + VER="$VERSION_ID" + declare -A VER_MAP=(["9"]="stretch" ["8"]="jessie" ["18.04"]="bionic" ["16.04"]="xenial" ["14.04"]="trusty") + OSCN=${VER_MAP["${VER}"]} + fi - fi + if [[ ${OSCN} != "bionic" ]]; then + PIVPN_DEPS+=(dhcpcd5) + fi - case ${PLAT} in - Ubuntu|Raspbian|Debian|Devuan) - case ${OSCN} in - trusty|xenial|jessie|stretch) - ;; + case ${PLAT} in + Ubuntu|Raspbian|Debian|Devuan) + case ${OSCN} in + trusty|xenial|jessie|stretch) + ;; + *) + maybeOS_Support + ;; + esac + ;; *) - maybeOS_Support - ;; - esac - ;; - *) - noOS_Support - ;; - esac + noOS_Support + ;; + esac - echo "${PLAT}" > /tmp/DET_PLATFORM + echo "${PLAT}" > /tmp/DET_PLATFORM } ####### FUNCTIONS ########## 
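Review bot: `VER_MAP` gains `["18.04"]="bionic"` and the new `PIVPN_DEPS+=(dhcpcd5)` guard is written around `bionic`, but the `case ${OSCN} in trusty|xenial|jessie|stretch)` list a few lines below is unchanged, so an Ubuntu 18.04 host is mapped to bionic only to be routed to `maybeOS_Support` anyway. Either add it to the supported list, `trusty|xenial|bionic|jessie|stretch)`, or drop the mapping so the two stay consistent. `source /etc/os-release` now executes that file as shell rather than parsing it, which is acceptable for a root-owned key=value file, but `VER="$VERSION_ID"` is silently empty on a release that omits `VERSION_ID` and `OSCN` then ends up empty; a `: "${VERSION_ID:?}"` check before the map lookup would fail loudly instead.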
@@ -143,7 +150,7 @@ chooseUser() { # Explain the local user whiptail --msgbox --backtitle "Parsing User List" --title "Local Users" "Choose a local user that will hold your ovpn configurations." ${r} ${c} # First, let's check if there is a user available. - numUsers=$(awk -F':' 'BEGIN {count=0} $3>=500 && $3<=60000 { count++ } END{ print count }' /etc/passwd) + numUsers=$(awk -F':' 'BEGIN {count=0} $3>=1000 && $3<=60000 { count++ } END{ print count }' /etc/passwd) if [ "$numUsers" -eq 0 ] then # We don't have a user, let's ask to add one. @@ -163,7 +170,7 @@ chooseUser() { exit 1 fi fi - availableUsers=$(awk -F':' '$3>=500 && $3<=60000 {print $1}' /etc/passwd) + availableUsers=$(awk -F':' '$3>=1000 && $3<=60000 {print $1}' /etc/passwd) local userArray=() local firstloop=1 
@@ -696,11 +703,42 @@ confOpenVPN() { if [[ ${useUpdateVars} == false ]]; then # Ask user for desired level of encryption - ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption strength" --radiolist \ - "Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \ - "1024" "Use 1024-bit encryption (testing only)" OFF \ - "2048" "Use 2048-bit encryption (recommended level)" ON \ - "4096" "Use 4096-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3) + + if [[ ${useUpdateVars} == false ]]; then + if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]]; then + APPLY_TWO_POINT_FOUR=false + else + if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno --defaultyes "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then + APPLY_TWO_POINT_FOUR=true + $SUDO touch /etc/pivpn/TWO_POINT_FOUR + else + APPLY_TWO_POINT_FOUR=false + fi + fi + fi + + if [[ ${runUnattended} == true ]] && [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then + $SUDO touch /etc/pivpn/TWO_POINT_FOUR + fi + + if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then + + ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "RSA encryption strength" --radiolist \ + "Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. 
The larger the key, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \ + "1024" "Use 1024-bit encryption (testing only)" OFF \ + "2048" "Use 2048-bit encryption (recommended level)" ON \ + "4096" "Use 4096-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3) + + else + + declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1") + ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA encryption strength" --radiolist \ + "Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ + "256" "Use 256-bit encryption (recommended level)" ON \ + "384" "Use 384-bit encryption" OFF \ + "521" "Use 521-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3) + + fi exitstatus=$? if [ $exitstatus != 0 ]; then @@ -720,6 +758,8 @@ confOpenVPN() { $SUDO chown -R root:root /etc/openvpn/easy-rsa $SUDO mkdir /etc/openvpn/easy-rsa/pki + cd /etc/openvpn/easy-rsa || exit + # Write out new vars file set +e IFS= read -d '' String <<"EOF" 
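Review bot: The added `if [[ ${useUpdateVars} == false ]]; then` at the top of the hunk sits directly inside the unchanged outer `if [[ ${useUpdateVars} == false ]]; then`, so the inner test is always true and can be removed together with its `fi`. More importantly, the `if [[ ${runUnattended} == true ]] && [[ ${APPLY_TWO_POINT_FOUR} == true ]]` marker write now also lives inside that outer `useUpdateVars == false` block, whereas it previously followed `build-server-full` outside any such check; if an unattended run sets `useUpdateVars` to true, as the name suggests, `/etc/pivpn/TWO_POINT_FOUR` is no longer created in unattended mode, undoing what the earlier "Create TWO_POINT_FOUR file when running unattended" patch added. Moving that block back outside the `useUpdateVars` check keeps both paths working. The enclosing function continues outside the hunk.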
@@ -729,17 +769,19 @@ if [ -z "$EASYRSA_CALLER" ]; then fi set_var EASYRSA "/etc/openvpn/easy-rsa" set_var EASYRSA_PKI "$EASYRSA/pki" -set_var EASYRSA_KEY_SIZE 2048 -set_var EASYRSA_ALGO rsa -set_var EASYRSA_CURVE secp384r1 +set_var EASYRSA_CRL_DAYS 3650 EOF - - echo "${String}" | $SUDO tee /etc/openvpn/easy-rsa/vars >/dev/null + echo "${String}" | $SUDO tee vars >/dev/null set -e - # Edit the KEY_SIZE variable in the vars file to set user chosen key size - cd /etc/openvpn/easy-rsa || exit - $SUDO sed -i "s/\(KEY_SIZE\).*/\1 ${ENCRYPT}/" vars + # Set certificate type + if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then + echo "set_var EASYRSA_ALGO rsa" >> vars + echo "set_var EASYRSA_KEY_SIZE ${ENCRYPT}" >> vars + else + echo "set_var EASYRSA_ALGO ec" >> vars + echo "set_var EASYRSA_CURVE ${ECDSA_MAP["${ENCRYPT}"]}" >> vars + fi # Remove any previous keys ${SUDOE} ./easyrsa --batch init-pki 
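Review bot: `${ECDSA_MAP["${ENCRYPT}"]}` in the new `else` branch reads an associative array that is only declared inside the interactive radiolist branch (`declare -A ECDSA_MAP=…` under `useUpdateVars == false`), so on the update-vars path with `APPLY_TWO_POINT_FOUR == true` the lookup expands to nothing and `set_var EASYRSA_CURVE` is written with no value, leaving easy-rsa to pick its own curve or fail later. Declare the map once at file level next to the other constants and fail closed before writing the line: `: "${ECDSA_MAP[${ENCRYPT}]:?unsupported ECDSA key size ${ENCRYPT}}"`. The removed `set_var EASYRSA_CURVE secp384r1` default is what previously covered this gap, so the regression is specific to this hunk.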
@@ -750,30 +792,14 @@ EOF printf "\n::: CA Complete.\n" if [[ ${useUpdateVars} == false ]]; then - whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c} + if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then + whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c} + fi fi # Build the server ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass - if [[ ${useUpdateVars} == false ]]; then - - if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]]; then - APPLY_TWO_POINT_FOUR=false - else - if (whiptail --backtitle "Setup OpenVPN" --title "Version 2.4 improvements" --yesno --defaultno "OpenVPN 2.4 brings support for stronger key exchange using Elliptic Curves and encrypted control channel, along with faster LZ4 compression.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then - APPLY_TWO_POINT_FOUR=true - $SUDO touch /etc/pivpn/TWO_POINT_FOUR - else - APPLY_TWO_POINT_FOUR=false - fi - fi - fi - - if [[ ${runUnattended} == true ]] && [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then - $SUDO touch /etc/pivpn/TWO_POINT_FOUR - fi - if [[ ${useUpdateVars} == false ]]; then if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. 
Downloaded DH parameters will be randomly selected from their database.\nMore information about this service can be found here: https://2ton.com.au/safeprimes/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then @@ -781,6 +807,8 @@ EOF else DOWNLOAD_DH_PARAM=false fi + else + DOWNLOAD_DH_PARAM=false fi fi @@ -803,18 +831,17 @@ EOF ${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem ${SUDOE} chown nobody:nogroup /etc/openvpn/crl.pem - # Write config file for server using the template .txt file + # Write config file for server using the template.txt file $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then - #If they enabled 2.4 change compression algorithm and use tls-crypt instead of tls-auth to encrypt control channel - $SUDO sed -i "s/comp-lzo/compress lz4/" /etc/openvpn/server.conf + #If they enabled 2.4 use tls-crypt instead of tls-auth to encrypt control channel $SUDO sed -i "s/tls-auth \/etc\/openvpn\/easy-rsa\/pki\/ta.key 0/tls-crypt \/etc\/openvpn\/easy-rsa\/pki\/ta.key/" /etc/openvpn/server.conf fi if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then - #If they enabled 2.4 disable dh parameters, use a specific curve instead - $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/dh none\necdh-curve secp384r1/" /etc/openvpn/server.conf + #If they enabled 2.4 disable dh parameters since the key exchange will use the matching curve from the ECDSA certificate + $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/dh none/" /etc/openvpn/server.conf else # Otherwise set the user encryption key size $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf 
@@ -836,20 +863,24 @@ EOF } confUnattendedUpgrades() { + cd /etc/apt/apt.conf.d + if [[ $UNATTUPG == "unattended-upgrades" ]]; then $SUDO apt-get --yes --quiet --no-install-recommends install "$UNATTUPG" > /dev/null & spinner $! if [[ $PLAT == "Ubuntu" ]]; then # Ubuntu 50unattended-upgrades should already just have security enabled # so we just need to configure the 10periodic file - cat << EOT | $SUDO tee /etc/apt/apt.conf.d/10periodic >/dev/null + cat << EOT | $SUDO tee 10periodic >/dev/null APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Download-Upgradeable-Packages "1"; APT::Periodic::AutocleanInterval "5"; APT::Periodic::Unattended-Upgrade "1"; EOT else - $SUDO sed -i '/\(o=Raspbian,n=jessie\)/c\"o=Raspbian,n=jessie,l=Raspbian-Security";\' /etc/apt/apt.conf.d/50unattended-upgrades - cat << EOT | $SUDO tee /etc/apt/apt.conf.d/02periodic >/dev/null + wget -q -O - "$UNATTUPG_CONFIG" | $SUDO tar xz + $SUDO cp unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian 50unattended-upgrades + $SUDO rm -rf unattended-upgrades-1.4 + cat << EOT | $SUDO tee 02periodic >/dev/null APT::Periodic::Enable "1"; APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Download-Upgradeable-Packages "1"; @@ -907,12 +938,12 @@ confNetwork() { } confOVPN() { - if ! IPv4pub=$(dig +short myip.opendns.com @resolver1.opendns.com) - then - echo "dig failed, now trying to curl eth0.me" - if ! IPv4pub=$(curl eth0.me) + IPv4pub=$(dig +short myip.opendns.com @208.67.222.222) + if [ $? -ne 0 ] || [ -z "$IPv4pub" ]; then + echo "dig failed, now trying to curl whatismyip.akamai.com" + if ! IPv4pub=$(curl -s http://whatismyip.akamai.com) then - echo "eth0.me failed, please check your internet connection/DNS" + echo "whatismyip.akamai.com failed, please check your internet connection/DNS" exit $? fi fi 
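Review bot: `cd /etc/apt/apt.conf.d` at the top of the function is unchecked, and the new Raspbian branch then pipes an unverified GitHub archive into `$SUDO tar xz` in the current directory: if the `cd` fails, the extraction, `cp` and `rm -rf` run wherever the script happened to be, and even when it succeeds a root-privileged `tar` writes every member path of an uncheck-summed download with the apt configuration directory as its target. Check the `cd`, extract as the unprivileged user into a `mktemp -d` scratch directory, verify the archive against a pinned digest, and copy only the one file that is needed. The `02periodic` heredoc below and the rest of the function are unchanged.
```shell
confUnattendedUpgrades() {
  cd /etc/apt/apt.conf.d || exit 1
  # … unchanged: unattended-upgrades install and the Ubuntu 10periodic branch …
    else
      # Fetch and verify the Raspbian config in a scratch dir; nothing lands in apt.conf.d until it is checked
      tmpdir=$(mktemp -d) || exit 1
      wget -q -O "${tmpdir}/unattended-upgrades.tar.gz" "$UNATTUPG_CONFIG" || exit 1
      # UNATTUPG_CONFIG_SHA256 is a placeholder for a pinned digest of the 1.4 archive, to be recorded alongside UNATTUPG_CONFIG
      echo "${UNATTUPG_CONFIG_SHA256}  ${tmpdir}/unattended-upgrades.tar.gz" | sha256sum -c - >/dev/null || exit 1
      tar -xzf "${tmpdir}/unattended-upgrades.tar.gz" -C "${tmpdir}" unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian || exit 1
      $SUDO cp "${tmpdir}/unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian" 50unattended-upgrades
      rm -rf -- "${tmpdir}"
      # … unchanged: 02periodic heredoc …
```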
@@ -922,8 +953,7 @@ confOVPN() { $SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then - #If they enabled 2.4 change compression algorithm and remove key-direction options since it's not required - $SUDO sed -i "s/comp-lzo/compress lz4/" /etc/openvpn/easy-rsa/pki/Default.txt + #If they enabled 2.4 remove key-direction options since it's not required $SUDO sed -i "/key-direction 1/d" /etc/openvpn/easy-rsa/pki/Default.txt fi @@ -986,16 +1016,16 @@ if \$programname == 'ovpn-server' then ~" | $SUDO tee /etc/rsyslog.d/30-openvpn. echo "/var/log/openvpn.log { - rotate 4 - weekly - missingok - notifempty - compress - delaycompress - sharedscripts - postrotate - invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true - endscript + rotate 4 + weekly + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true + endscript }" | $SUDO tee /etc/logrotate.d/openvpn > /dev/null # Restart the logging service From ece1d0c81c1c77c648ec3c484aed7c81d7ebc41f Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 4 Sep 2018 12:07:15 +0200 Subject: [PATCH 06/10] Update server_config.txt --- server_config.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/server_config.txt b/server_config.txt index 0f34b3d..93143b1 100644 --- a/server_config.txt +++ b/server_config.txt @@ -23,7 +23,6 @@ tls-version-min 1.2 tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0 cipher AES-256-CBC auth SHA256 -comp-lzo user nobody group nogroup persist-key From ad41def1d74e75697c6fb2718a1cab32b7d6f9ec Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 4 Sep 2018 12:43:08 +0200 Subject: [PATCH 07/10] Update Default.txt --- Default.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/Default.txt b/Default.txt index 1503e25..db28693 100644 --- a/Default.txt +++ b/Default.txt @@ -12,5 +12,4 @@ tls-version-min 1.2 verify-x509-name SRVRNAME name cipher AES-256-CBC auth SHA256 -comp-lzo verb 3 
From e2cde58cc8bb662369c0b1827508151fc3d8fca4 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 4 Sep 2018 12:45:46 +0200 Subject: [PATCH 08/10] Update makeOVPN.sh --- scripts/makeOVPN.sh | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index e4d8962..d5db7e4 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -121,17 +121,6 @@ function keyPASS() { expect eof EOF - #Convert key to aes128 - KEY_FILE="pki/private/${NAME}${KEY}" - expect << EOF - set timeout -1 - spawn openssl rsa -in ${KEY_FILE} -aes128 -out ${KEY_FILE} - expect "Enter pass phrase" { send "${PASSWD}\r" } - expect "Enter PEM pass phrase" { send "${PASSWD}\r" } - expect "Verifying - Enter PEM pass phrase" { send "${PASSWD}\r" } - expect eof -EOF - cd pki || exit } From 30f8508055928b479db81a093c4b05839fdcb56d Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 4 Sep 2018 14:38:21 +0200 Subject: [PATCH 09/10] Update install.sh --- auto_install/install.sh | 57 ++++++++++++++++++++++++----------------- 1 file changed, 34 insertions(+), 23 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index eb459de..3cb6310 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -30,7 +30,7 @@ PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whipta pivpnGitUrl="https://github.com/pivpn/pivpn.git" pivpnFilesDir="/etc/.pivpn" easyrsaVer="3.0.4" -easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz" +easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz" # Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/1.4.tar.gz" 
@@ -466,22 +466,28 @@ notify_package_updates_available() { } install_dependent_packages() { - # Install packages passed in via argument array - # No spinner - conflicts with set -e - declare -a argArray1=("${!1}") + # Install packages passed in via argument array + # No spinner - conflicts with set -e + declare -a argArray1=("${!1}") - echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections - echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections + echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections + echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections - if command -v debconf-apt-progress &> /dev/null; then - $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}" - else - for i in "${argArray1[@]}"; do - echo -n "::: Checking for $i..." - $SUDO package_check_install "${i}" &> /dev/null - echo " installed!" - done - fi + if command -v debconf-apt-progress &> /dev/null; then + + # Use appropriate argument if the package manager uses https otherwise the installation will silently fail + if grep -q https /etc/apt/sources.list; then + $SUDO debconf-apt-progress -- ${PKG_INSTALL} -y apt-transport-https "${argArray1[@]}" + else + $SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}" + fi + else + for i in "${argArray1[@]}"; do + echo -n "::: Checking for $i..." + $SUDO package_check_install "${i}" &> /dev/null + echo " installed!" + done + fi } unattendedUpgrades() { 
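Review bot: The new `grep -q https /etc/apt/sources.list` only inspects the main list and matches the string anywhere, including commented-out entries, while repository definitions also live in `/etc/apt/sources.list.d/*.list`, so an https-only source added there still hits the silent failure the comment describes. Use `if grep -qs '^[^#]*https://' /etc/apt/sources.list /etc/apt/sources.list.d/*.list; then` to cover both locations and skip comments. The added `-y` is redundant because `PKG_INSTALL` already carries `--yes` in its definition at the top of the file. Reindenting the whole function body in the same hunk hides the one functional change; a separate whitespace-only commit would make this reviewable.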
@@ -708,7 +714,7 @@ confOpenVPN() { if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]]; then APPLY_TWO_POINT_FOUR=false else - if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno --defaultyes "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then + if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then APPLY_TWO_POINT_FOUR=true $SUDO touch /etc/pivpn/TWO_POINT_FOUR else @@ -776,11 +782,11 @@ EOF # Set certificate type if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then - echo "set_var EASYRSA_ALGO rsa" >> vars - echo "set_var EASYRSA_KEY_SIZE ${ENCRYPT}" >> vars + echo "set_var EASYRSA_ALGO rsa" | $SUDO tee -a vars + echo "set_var EASYRSA_KEY_SIZE ${ENCRYPT}" | $SUDO tee -a vars else - echo "set_var EASYRSA_ALGO ec" >> vars - echo "set_var EASYRSA_CURVE ${ECDSA_MAP["${ENCRYPT}"]}" >> vars + echo "set_var EASYRSA_ALGO ec" | $SUDO tee -a vars + echo "set_var EASYRSA_CURVE ${ECDSA_MAP["${ENCRYPT}"]}" | $SUDO tee -a vars fi # Remove any previous keys 
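Review bot: The four `| $SUDO tee -a vars` lines fix the permission problem with `>> vars` but, unlike the `$SUDO tee vars >/dev/null` a few lines above, they have no `>/dev/null`, so each `set_var` line is now echoed to the terminal in the middle of the installer's output. Append it to each, e.g. `echo "set_var EASYRSA_ALGO rsa" | $SUDO tee -a vars >/dev/null`. The `ECDSA_MAP` lookup on the last of these lines still depends on the map having been declared on the interactive path; that is outside this hunk.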
@@ -877,9 +883,14 @@ confUnattendedUpgrades() { APT::Periodic::Unattended-Upgrade "1"; EOT else - wget -q -O - "$UNATTUPG_CONFIG" | $SUDO tar xz - $SUDO cp unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian 50unattended-upgrades - $SUDO rm -rf unattended-upgrades-1.4 + # Fix Raspbian config + if [[ $PLAT == "Raspbian" ]]; then + wget -q -O - "$UNATTUPG_CONFIG" | $SUDO tar xz + $SUDO cp unattended-upgrades-1.4/data/50unattended-upgrades.Raspbian 50unattended-upgrades + $SUDO rm -rf unattended-upgrades-1.4 + fi + + # Add the remaining settings for all other distributions cat << EOT | $SUDO tee 02periodic >/dev/null APT::Periodic::Enable "1"; APT::Periodic::Update-Package-Lists "1"; From 375faa6398c04fbf8942bedfe4eb76d28cfd76ff Mon Sep 17 00:00:00 2001 From: Orazio Date: Fri, 12 Oct 2018 21:06:11 +0200 Subject: [PATCH 10/10] Update install.sh --- auto_install/install.sh | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 3cb6310..f743d05 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -949,13 +949,11 @@ confNetwork() { } confOVPN() { - IPv4pub=$(dig +short myip.opendns.com @208.67.222.222) - if [ $? -ne 0 ] || [ -z "$IPv4pub" ]; then - echo "dig failed, now trying to curl whatismyip.akamai.com" - if ! IPv4pub=$(curl -s http://whatismyip.akamai.com) - then - echo "whatismyip.akamai.com failed, please check your internet connection/DNS" - exit $? + if ! IPv4pub=$(dig +short myip.opendns.com @208.67.222.222) || ! valid_ip "$IPv4pub"; then + echo "dig failed, now trying to curl checkip.amazonaws.com" + if ! IPv4pub=$(curl -s https://checkip.amazonaws.com) || ! valid_ip "$IPv4pub"; then + echo "checkip.amazonaws.com failed, please check your internet connection/DNS" + exit 1 fi fi $SUDO cp /tmp/pivpnUSR /etc/pivpn/INSTALL_USER
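Review bot: The new comment `# Add the remaining settings for all other distributions` sits above the `02periodic` heredoc, which is outside the `if [[ $PLAT == "Raspbian" ]]` guard and therefore also runs for Raspbian; as written it reads as if Raspbian were excluded. `# 02periodic applies to every non-Ubuntu platform, Raspbian included` says what the code does. The heredoc continues past the last line shown.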
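Review bot: `curl -s https://checkip.amazonaws.com` in the fallback has no timeout and no `-f`, so on a network that blackholes the request the installer hangs here indefinitely, and an HTTP error body is only rejected because `valid_ip` happens to fail on it. `curl -fsS --max-time 10 https://checkip.amazonaws.com` fails fast and reports the reason on stderr, which the two `echo` diagnostics should also go to (`>&2`). `valid_ip` is defined outside the hunk, and `confOVPN` continues past the last line shown.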