1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2024-12-23 21:30:15 +00:00

Merge branch 'test' of https://github.com/pivpn/pivpn into unbound

This commit is contained in:
corbolais 2019-12-12 14:41:43 +01:00
commit 1594d951af
4 changed files with 89 additions and 73 deletions

View file

@ -14,9 +14,12 @@
setupVars=/etc/pivpn/setupVars.conf
pivpnFilesDir="/etc/.pivpn"
debianOvpnUserGroup="openvpn:openvpn"
### PKG Vars ###
PKG_MANAGER="apt-get"
PKG_CACHE="/var/lib/apt/lists/"
### FIXME: quoting UPDATE_PKG_CACHE and PKG_INSTALL hangs the script, shellcheck SC2086
UPDATE_PKG_CACHE="${PKG_MANAGER} update"
PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install"
PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
@ -33,6 +36,8 @@ pivpnGitUrl="https://github.com/pivpn/pivpn.git"
easyrsaVer="3.0.6"
easyrsaRel="https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsaVer}/EasyRSA-unix-v${easyrsaVer}.tgz"
subnetClass="24"
# Raspbian's unattended-upgrades package downloads Debian's config, so this is the link for the proper config
UNATTUPG_RELEASE="1.14"
UNATTUPG_CONFIG="https://github.com/mvo5/unattended-upgrades/archive/${UNATTUPG_RELEASE}.tar.gz"
@ -223,7 +228,7 @@ updatePackageCache(){
#update package lists
echo ":::"
echo -ne "::: ${PKG_MANAGER} update has not been run today. Running now...\\n"
$SUDO "${UPDATE_PKG_CACHE}" &> /dev/null
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
echo " done!"
fi
}
@ -278,16 +283,7 @@ installDependentPackages(){
done
if command -v debconf-apt-progress &> /dev/null; then
set +e
$SUDO debconf-apt-progress -- "${PKG_INSTALL}" "${argArray1[@]}"
res="$?";
set -e
### apt-get install above returns 100 after an otherwise successfull installation of iptables-persistent,
### everything else was aready installed.
### Prevent from exiting the installation script in this case, exit for any other error code.
if [[ "$res" -ne 100 ]]; then
exit "$res";
fi;
$SUDO debconf-apt-progress -- ${PKG_INSTALL} "${argArray1[@]}"
else
${PKG_INSTALL} "${argArray1[@]}"
fi
@ -706,6 +702,7 @@ askWhichVPN(){
pivpnDEV="tun0"
pivpnNET="10.8.0.0"
fi
vpnGw="${pivpnNET/.0.0/.0.1}"
echo "VPN=${VPN}" >> /tmp/setupVars.conf
}
@ -740,7 +737,7 @@ installWireGuard(){
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 1\n\nPackage: wireguard wireguard-dkms wireguard-tools\nPin: release a=unstable\nPin-Priority: 500\n' | $SUDO tee /etc/apt/preferences.d/limit-unstable > /dev/null
$SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
$SUDO "${UPDATE_PKG_CACHE}" &> /dev/null
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
PIVPN_DEPS=(raspberrypi-kernel-headers wireguard wireguard-tools wireguard-dkms)
installDependentPackages PIVPN_DEPS[@]
@ -826,7 +823,7 @@ installWireGuard(){
echo "::: Adding Debian repository... "
echo "deb http://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/unstable.list > /dev/null
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | $SUDO tee /etc/apt/preferences.d/limit-unstable > /dev/null
$SUDO "${UPDATE_PKG_CACHE}" &> /dev/null
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
PIVPN_DEPS=(linux-headers-amd64 qrencode wireguard wireguard-tools wireguard-dkms)
installDependentPackages PIVPN_DEPS[@]
@ -991,8 +988,10 @@ askClientDNS(){
fi
DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider
for your VPN Clients (press space to select). To use your own, select Custom."
"${r}" "${c}" 6)
for your VPN Clients (press space to select). To use your own, select
Custom.\\n\\nIn case you have a local resolver running, i.e. unbound, select
\"PiVPN-is-local-DNS\" and make sure your resolver is listening on
\"$vpnGw\", allowing requests from \"${pivpnNET}/${subnetClass}\"." ${r} ${c} 6)
DNSChooseOptions=(Google "" on
OpenDNS "" off
Level3 "" off
@ -1000,6 +999,7 @@ askClientDNS(){
Norton "" off
FamilyShield "" off
CloudFlare "" off
PiVPN-is-local-DNS "" off
Custom "" off)
if DNSchoices=$("${DNSChoseCmd[@]}" "${DNSChooseOptions[@]}" 2>&1 >/dev/tty)
@ -1014,7 +1014,8 @@ askClientDNS(){
["DNS.WATCH"]="84.200.69.80 84.200.70.40"
["Norton"]="199.85.126.10 199.85.127.10"
["FamilyShield"]="208.67.222.123 208.67.220.123"
["CloudFlare"]="1.1.1.1 1.0.0.1")
["CloudFlare"]="1.1.1.1 1.0.0.1"
["PiVPN-is-local-DNS"]="$vpnGw")
pivpnDNS1=$(awk '{print $1}' <<< "${DNS_MAP["${DNSchoices}"]}")
pivpnDNS2=$(awk '{print $2}' <<< "${DNS_MAP["${DNSchoices}"]}")
@ -1307,7 +1308,10 @@ set_var EASYRSA_KEY_SIZE ${pivpnENCRYPT}" | $SUDO tee vars >/dev/null
# Generate an empty Certificate Revocation List
${SUDOE} ./easyrsa gen-crl
${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem
${SUDOE} chown nobody:nogroup /etc/openvpn/crl.pem
if ! getent passwd openvpn; then
${SUDOE} adduser --system --home /var/lib/openvpn/ --group --disabled-login ${debianOvpnUserGroup%:*}
fi
${SUDOE} chown "$debianOvpnUserGroup" /etc/openvpn/crl.pem
# Write config file for server using the template.txt file
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
@ -1399,7 +1403,7 @@ confWireGuard(){
echo "[Interface]
PrivateKey = $($SUDO cat /etc/wireguard/keys/server_priv)
Address = 10.6.0.1/24
Address = ${vpnGw}/${subnetClass}
ListenPort = ${pivpnPORT}" | $SUDO tee /etc/wireguard/wg0.conf &> /dev/null
echo "::: Server config generated."
}
@ -1418,10 +1422,23 @@ confNetwork(){
USING_UFW=1
echo "::: Detected UFW is enabled."
echo "::: Adding UFW rules..."
$SUDO sed "/delete these required/i *nat\\n:POSTROUTING ACCEPT [0:0]\\n-I POSTROUTING -s ${pivpnNET}\\/24 -o ${IPv4dev} -j MASQUERADE\\nCOMMIT\\n" -i /etc/ufw/before.rules
### Basic safeguard: if file is empty, there's been something weird going on.
### Note: no safeguard against imcomplete content as a result of previous failures.
if test -s /etc/ufw/before.rules; then
$SUDO cp -f /etc/ufw/before.rules /etc/ufw/before.rules.pre-pivpn
else
echo "$0: ERR: Sorry, won't touch empty file \"/etc/ufw/before.rules\".";
exit 1;
fi
### If there is already a "*nat" section just add our POSTROUTING MASQUERADE
if $SUDO grep -q "*nat" /etc/ufw/before.rules; then
$SUDO sed "/^*nat/{n;s/\(:POSTROUTING ACCEPT .*\)/\1\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE/}" -i /etc/ufw/before.rules
else
$SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s ${pivpnNET}\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
fi
# Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
$SUDO ufw insert 1 allow "${pivpnPORT}"/"${pivpnPROTO}" >/dev/null
$SUDO ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/24" out on "${IPv4dev}" to any >/dev/null
$SUDO ufw route insert 1 allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any >/dev/null
$SUDO ufw reload >/dev/null
echo "::: UFW configuration completed."
@ -1434,7 +1451,7 @@ confNetwork(){
# Now some checks to detect which rules we need to add. On a newly installed system all policies
# should be ACCEPT, so the only required rule would be the MASQUERADE one.
$SUDO iptables -t nat -I POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE
$SUDO iptables -t nat -I POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE
# Count how many rules are in the INPUT and FORWARD chain. When parsing input from
# iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found
@ -1460,8 +1477,8 @@ confNetwork(){
fi
if [ "$FORWARD_RULES_COUNT" -ne 0 ] || [ "$FORWARD_POLICY" != "ACCEPT" ]; then
$SUDO iptables -I FORWARD 1 -d "${pivpnNET}/24" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$SUDO iptables -I FORWARD 2 -s "${pivpnNET}/24" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
$SUDO iptables -I FORWARD 1 -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$SUDO iptables -I FORWARD 2 -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
FORWARD_CHAIN_EDITED=1
else
FORWARD_CHAIN_EDITED=0

View file

@ -133,30 +133,15 @@ else
fi
fi
if [ "$OLD_UFW" -eq 1 ]; then
FORWARD_POLICY="$(iptables -S FORWARD | grep '^-P' | awk '{print $3}')"
if [ "$FORWARD_POLICY" = "ACCEPT" ]; then
echo ":: [OK] Ufw forwarding policy is accept"
else
ERR=1
read -r -p ":: [ERR] Ufw forwarding policy is not 'ACCEPT', attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw
ufw reload > /dev/null
echo "Done"
fi
fi
if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw forwarding rule set"
else
if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw forwarding rule set"
else
ERR=1
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
ufw reload
echo "Done"
fi
ERR=1
read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]] || [[ -z ${REPLY} ]]; then
ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
ufw reload
echo "Done"
fi
fi

View file

@ -1,7 +1,11 @@
#!/usr/bin/env bash
# PiVPN: Uninstall Script
### FIXME: global: config storage, refactor all scripts to adhere to the storage
### FIXME: use variables where appropriate, reduce magic numbers by 99.9%, at least.
PKG_MANAGER="apt-get"
subnetClass="24"
setupVars="/etc/pivpn/setupVars.conf"
if [ ! -f "${setupVars}" ]; then
@ -9,12 +13,13 @@ if [ ! -f "${setupVars}" ]; then
exit 1
fi
# shellcheck disable=SC1090
source "${setupVars}"
# Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80)
rows=$(echo $screen_size | awk '{print $1}')
columns=$(echo $screen_size | awk '{print $2}')
rows=$(echo "$screen_size" | awk '{print $1}')
columns=$(echo "$screen_size" | awk '{print $2}')
# Divide by two so the dialogs take up half of the screen, which looks nice.
r=$(( rows / 2 ))
@ -23,18 +28,19 @@ c=$(( columns / 2 ))
r=$(( r < 20 ? 20 : r ))
c=$(( c < 70 ? 70 : c ))
### FIXME: introduce global lib
spinner(){
local pid=$1
local delay=0.50
local spinstr='/-\|'
while [ "$(ps a | awk '{print $1}' | grep "$pid")" ]; do
while ps a | awk '{print $1}' | grep "$pid"; do
local temp=${spinstr#?}
printf " [%c] " "$spinstr"
local spinstr=$temp${spinstr%"$temp"}
sleep $delay
printf "\b\b\b\b\b\b"
printf "\\b\\b\\b\\b\\b\\b"
done
printf " \b\b\b\b"
printf " \\b\\b\\b\\b"
}
removeAll(){
@ -52,6 +58,7 @@ removeAll(){
# Removing firewall rules.
echo "::: Removing firewall rules..."
### FIXME: introduce global config space!
if [ "$VPN" = "wireguard" ]; then
pivpnPROTO="udp"
pivpnDEV="wg0"
@ -63,10 +70,12 @@ removeAll(){
if [ "$USING_UFW" -eq 1 ]; then
### FIXME: SC2154
ufw delete allow "${pivpnPORT}"/"${pivpnPROTO}" > /dev/null
ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/24" out on "${IPv4dev}" to any > /dev/null
sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s ${pivpnNET}\/24 -o ${IPv4dev} -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE
### FIXME: SC2154
ufw route delete allow in on "${pivpnDEV}" from "${pivpnNET}/${subnetClass}" out on "${IPv4dev}" to any > /dev/null
sed -z "s/*nat\\n:POSTROUTING ACCEPT \\[0:0\\]\\n-I POSTROUTING -s ${pivpnNET}\\/${subnetClass} -o ${IPv4dev} -j MASQUERADE\\nCOMMIT\\n\\n//" -i /etc/ufw/before.rules
iptables -t nat -D POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE
ufw reload &> /dev/null
elif [ "$USING_UFW" -eq 0 ]; then
@ -76,11 +85,11 @@ removeAll(){
fi
if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
iptables -D FORWARD -d "${pivpnNET}/24" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -s "${pivpnNET}/24" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
iptables -D FORWARD -d "${pivpnNET}/${subnetClass}" -i "${IPv4dev}" -o "${pivpnDEV}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -s "${pivpnNET}/${subnetClass}" -i "${pivpnDEV}" -o "${IPv4dev}" -j ACCEPT
fi
iptables -t nat -D POSTROUTING -s "${pivpnNET}/24" -o "${IPv4dev}" -j MASQUERADE
iptables -t nat -D POSTROUTING -s "${pivpnNET}/${subnetClass}" -o "${IPv4dev}" -j MASQUERADE
iptables-save > /etc/iptables/rules.v4
fi
@ -100,6 +109,7 @@ removeAll(){
# On Debian and armv7l Raspbian, remove the unstable repo (on armv6l Raspbian
# there is no wireguard package). On Ubuntu, remove the PPA.
### FIXME: unconditionally rm'ing unstable.list isn't a good idea, it appears. What if someone else put it there manually?
if [ "$PLAT" = "Debian" ] || { [ "$PLAT" = "Raspbian" ] && [ "$(uname -m)" = "armv7l" ]; }; then
rm /etc/apt/sources.list.d/unstable.list
rm /etc/apt/preferences.d/limit-unstable
@ -126,27 +136,30 @@ removeAll(){
elif [ "${i}" = "unattended-upgrades" ]; then
### REALLY???
rm -rf /var/log/unattended-upgrades
rm -rf /etc/apt/apt.conf.d/*periodic
rm -rf /etc/apt/apt.conf.d/*unattended-upgrades
elif [ "${i}" = "openvpn" ]; then
deluser openvpn
fi
printf ":::\tRemoving %s..." "$i"; $PKG_MANAGER -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n";
printf ":::\\tRemoving %s..." "$i"; $PKG_MANAGER -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\\n";
break
;;
[Nn]* ) printf ":::\tSkipping %s\n" "$i";
[Nn]* ) printf ":::\\tSkipping %s\\n" "$i";
break
;;
* ) printf "::: You must answer yes or no!\n";;
* ) printf "::: You must answer yes or no!\\n";;
esac
done
done
# Take care of any additional package cleaning
printf "::: Auto removing remaining dependencies..."
$PKG_MANAGER -y autoremove &> /dev/null & spinner $!; printf "done!\n";
$PKG_MANAGER -y autoremove &> /dev/null & spinner $!; printf "done!\\n";
printf "::: Auto cleaning remaining dependencies..."
$PKG_MANAGER -y autoclean &> /dev/null & spinner $!; printf "done!\n";
$PKG_MANAGER -y autoclean &> /dev/null & spinner $!; printf "done!\\n";
echo ":::"
# Removing pivpn files
@ -160,7 +173,7 @@ removeAll(){
rm -rf /opt/pivpn
rm -rf /etc/.pivpn
rm -rf /etc/pivpn
rm -rf /var/log/*pivpn*
rm -f /var/log/*pivpn*
rm -f /usr/local/bin/pivpn
rm -f /etc/bash_completion.d/pivpn
@ -171,26 +184,27 @@ removeAll(){
rm -f /etc/wireguard/wg0.conf
rm -rf /etc/wireguard/configs
rm -rf /etc/wireguard/keys
rm -rf $install_home/configs
### FIXME SC2154
rm -rf "$install_home/configs"
elif [ "$VPN" = "openvpn" ]; then
rm -rf /var/log/*openvpn*
rm -f /var/log/*openvpn*
rm -f /etc/openvpn/server.conf
rm -f /etc/openvpn/crl.pem
rm -rf /etc/openvpn/easy-rsa
rm -rf $install_home/ovpns
rm -rf "$install_home/ovpns"
fi
echo ":::"
printf "::: Finished removing PiVPN from your system.\n"
printf "::: Reinstall by simpling running\n:::\n:::\tcurl -L https://install.pivpn.io | bash\n:::\n::: at any time!\n:::\n"
printf "::: Finished removing PiVPN from your system.\\n"
printf "::: Reinstall by simpling running\\n:::\\n:::\\tcurl -L https://install.pivpn.io | bash\\n:::\\n::: at any time!\\n:::\\n"
}
askreboot(){
printf "It is \e[1mstrongly\e[0m recommended to reboot after un-installation.\n"
printf "It is \\e[1mstrongly\\e[0m recommended to reboot after un-installation.\\n"
read -p "Would you like to reboot now? [y/n]: " -n 1 -r
echo
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
printf "\nRebooting system...\n"
printf "\\nRebooting system...\\n"
sleep 3
shutdown -r now
fi
@ -204,6 +218,6 @@ while true; do
case $yn in
[Yy]* ) removeAll; askreboot; break;;
[Nn]* ) printf "::: Not removing anything, exiting...\n"; break;;
[Nn]* ) printf "::: Not removing anything, exiting...\\n"; break;;
esac
done

View file

@ -23,8 +23,8 @@ tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem