Merge pull request #794 from kiskisiit1131/bitwarden

* integrated bitwarden password manager into pivpn * adds the content of ovpn file as a secure note into bitwarden
2024-12-19 19:30:16 +00:00 · 2019-08-20 18:47:50 +02:00 · 2019-08-20 18:47:50 +02:00 · 0cb376bd66
commit 0cb376bd66
parent c2c3fc4229 9d66688341
5 changed files with 97 additions and 4 deletions
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@ -21,7 +21,9 @@ PKG_CACHE="/var/lib/apt/lists/"
 UPDATE_PKG_CACHE="${PKG_MANAGER} update"
 PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install"
 PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
-PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools grepcidr)
+
+PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools grepcidr jq)
+
 ###          ###

 pivpnGitUrl="https://github.com/pivpn/pivpn.git"
@ -29,7 +31,7 @@ pivpnFilesDir="/etc/.pivpn"
 easyrsaVer="3.0.6"
 easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"

-# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config 
+# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config
 UNATTUPG_RELEASE="1.9"
 UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz"

@ -98,6 +100,7 @@ distro_check() {

    if [[ ${OSCN} != "bionic" ]]; then
        PIVPN_DEPS+=(dhcpcd5)
+
    fi

    case ${PLAT} in
@ -474,6 +477,12 @@ notify_package_updates_available() {
  fi
 }

+install_bitwarden() {
+    # Install Bitwarden through NPM - this is the preferred installation method since NPM makes it easy to update the package
+    apt-get install -y nodejs npm
+    npm install -g @bitwarden/cli
+}
+
 install_dependent_packages() {
    # Install packages passed in via argument array
    # No spinner - conflicts with set -e
@ -762,7 +771,9 @@ confOpenVPN() {
        # Ask user for desired level of encryption

        if [[ ${useUpdateVars} == false ]]; then
+
            if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]] && [[ ${OSCN} != "buster" ]] ; then
+
                APPLY_TWO_POINT_FOUR=false
            else
                if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then
@ -1357,6 +1368,9 @@ main() {
    # Notify user of package availability
    notify_package_updates_available

+    # Install packages for Bitwarden
+    install_bitwarden
+
    # Install packages used by this installation script
    install_dependent_packages PIVPN_DEPS[@]

@ -1437,7 +1451,7 @@ main() {
            $SUDO systemctl start openvpn.service
            ;;
    esac
-    
+
    # Ensure that cached writes reach persistent storage
    echo "::: Flushing writes to disk..."
    sync
--- a/2
+++ b/2
@ -58,6 +58,7 @@ function helpFunc {
    echo ":::"
    echo "::: Commands:"
    echo ":::  -a, add [nopass]     Create a client ovpn profile, optional nopass"
+    echo ":::  -b,--bitwarden       Create and save a client through Bitwarden"
    echo ":::  -c, clients          List any connected clients to the server"
    echo ":::  -d, debug            Start a debugging session if having trouble"
    echo ":::  -l, list             List all valid and revoked certificates"
@ -74,6 +75,7 @@ fi
 # Handle redirecting to specific functions based on arguments
 case "$1" in
 "-a" | "add"                ) makeOVPNFunc "$@";;
+"-b" | "bitwarden"          ) makeOVPNFunc "$@";;
 "-c" | "clients"            ) listClientsFunc;;
 "-d" | "debug"              ) debugFunc;;
 "-l" | "list"               ) listOVPNFunc;;
--- a/scripts/makeOVPN.sh
+++ b/scripts/makeOVPN.sh
@ -13,11 +13,12 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
 helpFunc() {
    echo "::: Create a client ovpn profile, optional nopass"
    echo ":::"
-    echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-d|--days <number>] [-h|--help]"
+    echo "::: Usage: pivpn <-a|add> [-b|--bitwarden] [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-d|--days <number>] [-h|--help]"
    echo ":::"
    echo "::: Commands:"
    echo ":::  [none]               Interactive mode"
    echo ":::  nopass               Create a client without a password"
+    echo ":::  -b,--bitwarden       Create and save a client through Bitwarden"
    echo ":::  -d,--days            Expire the certificate after specified number of days (default: 1080)"
    echo ":::  -n,--name            Name for the Client (default: '"$(hostname)"')"
    echo ":::  -p,--password        Password for the Client (no default)"
@ -66,6 +67,9 @@ do
        nopass)
            NO_PASS="1"
            ;;
+        -b|--bitwarden)
+            BITWARDEN="2"
+            ;;
        *)
            echo "Error: Got an unexpected argument '$1'"
            helpFunc
@ -91,6 +95,52 @@ EOF

 }

+function useBitwarden() {
+
+    # login and unlock vault
+    printf "****Bitwarden Login****"
+    printf "\n"
+    SESSION_KEY=`bw login --raw`
+    export BW_SESSION=$SESSION_KEY
+    printf "Successfully Logged in!"
+    printf "\n"
+
+    # ask user for username
+    printf "Enter the username:  "
+    read -r NAME
+
+    # check name
+    until [[ "$NAME" =~ ^[a-zA-Z0-9.@_-]+$ && ${NAME::1} != "." && ${NAME::1} != "-"  ]]
+    do
+      	echo "Name can only contain alphanumeric characters and these characters (.-@_). The name also cannot start with a dot (.) or a dash (-). Please try again."
+      	# ask user for username again
+      	printf "Enter the username: "
+      	read -r NAME
+    done
+
+
+    # ask user for length of password
+    printf "Please enter the length of characters you want your password to be (minimum 12): "
+    read -r LENGTH
+
+    # check length
+    until [[ "$LENGTH" -gt 11 && "$LENGTH" -lt 129 ]]
+    do
+      	echo "Password must be between from 12 to 128 characters, please try again."
+      	# ask user for length of password
+      	printf "Enter the length of characters you want your password to be (minimum 12): "
+      	read -r LENGTH
+    done
+
+    printf "Creating a PiVPN item for your vault..."
+    printf "\n"
+    # create a new item for your PiVPN Password
+    PASSWD=`bw generate -usln --length $LENGTH`
+    bw get template item | jq '.login.type = "1"'| jq '.name = "PiVPN"' | jq -r --arg NAME "$NAME" '.login.username = $NAME' | jq -r --arg PASSWD "$PASSWD" '.login.password = $PASSWD' |  bw encode | bw create item
+    bw logout
+
+}
+
 function keyPASS() {

    if [[ -z "${PASSWD}" ]]; then
@ -137,6 +187,11 @@ EOF

 }

+# bitWarden first
+if [[ "${BITWARDEN}" =~ "2" ]]; then
+    useBitwarden
+fi
+
 if [ -z "${NAME}" ]; then
    printf "Enter a Name for the Client:  "
    read -r NAME
@ -273,6 +328,24 @@ if [ ! -d "/home/$INSTALL_USER/ovpns" ]; then
    chmod 0777 -R "/home/$INSTALL_USER/ovpns"
 fi

+# If user is using Bitwarden, have them login again to submit their .ovpn file to their vault
+printf "Would you like to export your .ovpn file to your Bitwarden vault? (y or n)"
+read -r RESPONSE
+if [ $RESPONSE == "y" ] || [ $RESPONSE == "Y" ]; then
+    $OVPN_FILE="$(< "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT")"
+    # Login to Bitwarden
+    printf "****Bitwarden Login****"
+    printf "\n"
+    SESSION_KEY=`bw login --raw`
+    export BW_SESSION=$SESSION_KEY
+    printf "Successfully Logged in!"
+    printf "\n"
+    # Create a Bitwarden secure note to export the .ovpn file 
+    bw get template item | jq '.name = "PiVPN OVPN File"' | jq '.type = 2' | jq -r --arg VAL "$OVPN_FILE" '.notes = $VAL' | jq ".secureNote = $(bw get template item.secureNote)" | bw encode | bw create item
+    bw logout
+    exit
+  fi
+
 # Copy the .ovpn profile to the home directory for convenient remote access
 cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
 chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
--- a/scripts/pivpnDebug.sh
+++ b/scripts/pivpnDebug.sh
@ -65,7 +65,9 @@ if [ "$NO_UFW" -eq 1 ]; then
        fi
    fi

+
    if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
+
        if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then
            echo ":: [OK] Iptables INPUT rule set"
        else
@ -80,6 +82,7 @@ if [ "$NO_UFW" -eq 1 ]; then
    fi

    if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
+
        if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then
            echo ":: [OK] Iptables FORWARD rule set"
        else
--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
@ -96,6 +96,7 @@ echo ":::"
    sysctl -p

    if [[ $NO_UFW -eq 0 ]]; then
+
        sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
        ufw delete allow "$PORT"/"$PROTO" >/dev/null
        if [ "$OLD_UFW" -eq 1 ]; then