Pi-hole/pivpn
Pi-hole/pivpn
1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2024-12-18 19:00:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

Added back Debian 10 support

Browse source
This commit is contained in:
Orazio 2019-10-14 15:06:34 +02:00
parent 5e16322f9e
commit 1777d5c239
3 changed files with 60 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
auto_install/install.sh
View file

@ -91,7 +91,7 @@ distroCheck(){
fi fi
case ${PLAT} in case ${PLAT} in
Raspbian) Debian|Raspbian)
case ${OSCN} in case ${OSCN} in
buster) buster)
;; ;;
@ -525,6 +525,7 @@ installWireGuard(){
# Otherwhise compile and build the kernel module via DKMS (so it will # Otherwhise compile and build the kernel module via DKMS (so it will
# be recompiled on kernel upgrades) # be recompiled on kernel upgrades)
if [ "$(uname -m)" = "armv7l" ]; then if [ "$(uname -m)" = "armv7l" ]; then
echo "::: Installing WireGuard from Debian package... " echo "::: Installing WireGuard from Debian package... "
# dirmngr is used to download repository keys, whereas qrencode is used to generate qrcodes # dirmngr is used to download repository keys, whereas qrencode is used to generate qrcodes
# from config file, for use with mobile clients # from config file, for use with mobile clients
@ -532,20 +533,22 @@ installWireGuard(){
installDependentPackages PIVPN_DEPS[@] installDependentPackages PIVPN_DEPS[@]
# Do not upgrade packages from the unstable repository except for wireguard # Do not upgrade packages from the unstable repository except for wireguard
echo "::: Adding Debian repository... " echo "::: Adding Debian repository... "
echo "deb http://deb.debian.org/debian/ unstable main" | $SUDO tee -a /etc/apt/sources.list.d/unstable.list > /dev/null echo "deb http://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/unstable.list > /dev/null
echo "Package: * echo "Package: *
Pin: release a=unstable Pin: release a=unstable
Pin-Priority: 1 Pin-Priority: 1
Package: wireguard wireguard-dkms wireguard-tools Package: wireguard wireguard-dkms wireguard-tools
Pin: release a=unstable Pin: release a=unstable
Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/null Pin-Priority: 500" | $SUDO tee /etc/apt/preferences.d/limit-unstable > /dev/null
$SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138 $SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null $SUDO ${UPDATE_PKG_CACHE} &> /dev/null
PIVPN_DEPS=(wireguard) PIVPN_DEPS=(wireguard)
installDependentPackages PIVPN_DEPS[@] installDependentPackages PIVPN_DEPS[@]
elif [ "$(uname -m)" = "armv6l" ]; then elif [ "$(uname -m)" = "armv6l" ]; then
echo "::: Installing WireGuard from source... " echo "::: Installing WireGuard from source... "
PIVPN_DEPS=(libmnl-dev libelf-dev raspberrypi-kernel-headers build-essential pkg-config qrencode) PIVPN_DEPS=(libmnl-dev libelf-dev raspberrypi-kernel-headers build-essential pkg-config qrencode)
installDependentPackages PIVPN_DEPS[@] installDependentPackages PIVPN_DEPS[@]
@ -553,8 +556,8 @@ Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/n
# Delete any leftover code # Delete any leftover code
$SUDO rm -rf /usr/src/wireguard-* $SUDO rm -rf /usr/src/wireguard-*
echo -n "::: Downloading source code... " echo "::: Downloading source code... "
wget -O- "${WG_SOURCE}" | $SUDO tar Jxf - --directory /usr/src wget -qO- "${WG_SOURCE}" | $SUDO tar Jxf - --directory /usr/src
echo "done!" echo "done!"
cd /usr/src cd /usr/src
@ -565,7 +568,7 @@ Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/n
# We install the userspace tools manually since DKMS only compiles and # We install the userspace tools manually since DKMS only compiles and
# installs the kernel module # installs the kernel module
echo -n "::: Compiling WireGuard tools... " echo "::: Compiling WireGuard tools... "
if $SUDO make tools; then if $SUDO make tools; then
echo "done!" echo "done!"
else else
@ -573,7 +576,7 @@ Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/n
exit 1 exit 1
fi fi
echo -n "::: Installing WireGuard tools... " echo "::: Installing WireGuard tools... "
if $SUDO make install tools; then if $SUDO make install tools; then
echo "done!" echo "done!"
else else
@ -581,7 +584,7 @@ Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/n
exit 1 exit 1
fi fi
echo -n "::: Adding WireGuard modules via DKMS... " echo "::: Adding WireGuard modules via DKMS... "
if $SUDO dkms add wireguard/"${WG_SNAPSHOT}"; then if $SUDO dkms add wireguard/"${WG_SNAPSHOT}"; then
echo "done!" echo "done!"
else else
@ -590,7 +593,7 @@ Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/n
exit 1 exit 1
fi fi
echo -n "::: Compiling WireGuard modules via DKMS... " echo "::: Compiling WireGuard modules via DKMS... "
if $SUDO dkms build wireguard/"${WG_SNAPSHOT}"; then if $SUDO dkms build wireguard/"${WG_SNAPSHOT}"; then
echo "done!" echo "done!"
else else
@ -599,7 +602,7 @@ Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/n
exit 1 exit 1
fi fi
echo -n "::: Installing WireGuard modules via DKMS... " echo "::: Installing WireGuard modules via DKMS... "
if $SUDO dkms install wireguard/"${WG_SNAPSHOT}"; then if $SUDO dkms install wireguard/"${WG_SNAPSHOT}"; then
echo "done!" echo "done!"
else else
@ -607,6 +610,17 @@ Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/n
$SUDO dkms remove wireguard/"${WG_SNAPSHOT}" --all $SUDO dkms remove wireguard/"${WG_SNAPSHOT}" --all
exit 1 exit 1
fi fi
elif [ "$(uname -m)" = "x86_64" ] || [ "$(uname -m)" = "i686" ]; then
echo "deb http://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/unstable.list > /dev/null
echo "Package: *
Pin: release a=unstable
Pin-Priority: 90" | $SUDO tee /etc/apt/preferences.d/limit-unstable > /dev/null
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
PIVPN_DEPS=(qrencode wireguard)
installDependentPackages PIVPN_DEPS[@]
fi fi
} }
@ -862,9 +876,9 @@ askEncryption(){
fi fi
if ([ "$pivpnENCRYPT" -ge "3072" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $pivpnENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from their database.\nMore information about this service can be found here: https://2ton.com.au/safeprimes/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then if ([ "$pivpnENCRYPT" -ge "3072" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $pivpnENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from their database.\nMore information about this service can be found here: https://2ton.com.au/safeprimes/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then
DOWNLOAD_DH_PARAM=true DOWNLOAD_DH_PARAM=1
else else
DOWNLOAD_DH_PARAM=false DOWNLOAD_DH_PARAM=0
fi fi
echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf
@ -885,7 +899,7 @@ confOpenVPN(){
fi fi
# Get easy-rsa # Get easy-rsa
wget -q -O - "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa wget -qO- "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa
# fix ownership # fix ownership
$SUDO chown -R root:root /etc/openvpn/easy-rsa $SUDO chown -R root:root /etc/openvpn/easy-rsa
$SUDO mkdir /etc/openvpn/easy-rsa/pki $SUDO mkdir /etc/openvpn/easy-rsa/pki
@ -916,9 +930,9 @@ set_var EASYRSA_KEY_SIZE ${pivpnENCRYPT}" | $SUDO tee vars >/dev/null
# Build the server # Build the server
EASYRSA_CERT_EXPIRE=3650 ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass EASYRSA_CERT_EXPIRE=3650 ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass
if [[ ${DOWNLOAD_DH_PARAM} == true ]]; then if [ ${DOWNLOAD_DH_PARAM} -eq 1 ]; then
# Downloading parameters # Downloading parameters
${SUDOE} curl "https://2ton.com.au/getprimes/random/dhparam/${pivpnENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem" ${SUDOE} curl -s "https://2ton.com.au/getprimes/random/dhparam/${pivpnENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem"
else else
# Generate Diffie-Hellman key exchange # Generate Diffie-Hellman key exchange
${SUDOE} ./easyrsa gen-dh ${SUDOE} ./easyrsa gen-dh
@ -989,6 +1003,13 @@ confOVPN(){
} }
confWireGuard(){ confWireGuard(){
if [ -d /etc/wireguard ]; then
$SUDO rm -r /etc/wireguard
$SUDO mkdir /etc/wireguard
$SUDO chown root:root /etc/wireguard
$SUDO chmod 700 /etc/wireguard
fi
whiptail --title "Server Information" --msgbox "The Server Keys and Pre-Shared key will now be generated." "${r}" "${c}" whiptail --title "Server Information" --msgbox "The Server Keys and Pre-Shared key will now be generated." "${r}" "${c}"
$SUDO mkdir /etc/wireguard/configs $SUDO mkdir /etc/wireguard/configs
$SUDO touch /etc/wireguard/configs/clients.txt $SUDO touch /etc/wireguard/configs/clients.txt
@ -1072,7 +1093,7 @@ confNetwork(){
fi fi
case ${PLAT} in case ${PLAT} in
Raspbian) Debian|Raspbian)
$SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null $SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null
;; ;;
esac esac
@ -1104,7 +1125,7 @@ if \$programname == 'ovpn-server' then stop" | $SUDO tee /etc/rsyslog.d/30-openv
# Restart the logging service # Restart the logging service
case ${PLAT} in case ${PLAT} in
Raspbian) Debian|Raspbian)
$SUDO systemctl restart rsyslog.service || true $SUDO systemctl restart rsyslog.service || true
;; ;;
esac esac
@ -1153,11 +1174,15 @@ askUnattendedUpgrades(){
confUnattendedUpgrades(){ confUnattendedUpgrades(){
cd /etc/apt/apt.conf.d cd /etc/apt/apt.conf.d
wget -q -O- "$UNATTUPG_CONFIG" | $SUDO tar xz if [ "$PLAT" = "Raspbian" ]; then
wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz
$SUDO cp "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" 50unattended-upgrades $SUDO cp "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" 50unattended-upgrades
$SUDO rm -rf "unattended-upgrades-$UNATTUPG_RELEASE" $SUDO rm -rf "unattended-upgrades-$UNATTUPG_RELEASE"
fi
if [ "$VPN" = "WireGuard" ] && [ "$(uname -m)" = "armv7l" ]; then # On architectures different from armv6l, where we install wireguard from source, enable
# automatic updates via the unstable repository
if [ "$VPN" = "WireGuard" ] && [ "$(uname -m)" != "armv6l" ]; then
sed -i '/Unattended-Upgrade::Origins-Pattern {/a"o=Debian,a=unstable";' 50unattended-upgrades sed -i '/Unattended-Upgrade::Origins-Pattern {/a"o=Debian,a=unstable";' 50unattended-upgrades
fi fi
@ -1183,7 +1208,7 @@ installScripts() {
FOLDER=$(tr '[:upper:]' '[:lower:]' <<< "$VPN") FOLDER=$(tr '[:upper:]' '[:lower:]' <<< "$VPN")
$SUDO cp /etc/.pivpn/scripts/$FOLDER/*.sh /opt/pivpn/ $SUDO cp /etc/.pivpn/scripts/$FOLDER/*.sh /opt/pivpn/
$SUDO chmod 0755 /opt/pivpn/*.sh $SUDO chmod 0755 /opt/pivpn/*.sh
$SUDO cp /etc/.pivpn/$FOLDER/pivpn /usr/local/bin/pivpn $SUDO cp /etc/.pivpn/$FOLDER/scripts/pivpn /usr/local/bin/pivpn
$SUDO chmod 0755 /usr/local/bin/pivpn $SUDO chmod 0755 /usr/local/bin/pivpn
$SUDO cp /etc/.pivpn/scripts/$FOLDER/bash-completion /etc/bash_completion.d/pivpn $SUDO cp /etc/.pivpn/scripts/$FOLDER/bash-completion /etc/bash_completion.d/pivpn
. /etc/bash_completion.d/pivpn . /etc/bash_completion.d/pivpn
@ -1285,7 +1310,7 @@ main(){
echo "::: Restarting services..." echo "::: Restarting services..."
# Start services # Start services
case ${PLAT} in case ${PLAT} in
Raspbian) Debian|Raspbian)
if [ "$VPN" = "OpenVPN" ]; then if [ "$VPN" = "OpenVPN" ]; then
$SUDO systemctl enable openvpn.service $SUDO systemctl enable openvpn.service
$SUDO systemctl start openvpn.service $SUDO systemctl start openvpn.service

14
scripts/openvpn/removeOVPN.sh
View file

@ -1,10 +1,16 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# PiVPN: revoke client script # PiVPN: revoke client script
install_user=$(</etc/pivpn/install_user) setupVars="/etc/pivpn/setupVars.conf"
PLAT=$(</etc/pivpn/DET_PLATFORM)
INDEX="/etc/openvpn/easy-rsa/pki/index.txt" INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
helpFunc() { helpFunc() {
echo "::: Revoke a client ovpn profile" echo "::: Revoke a client ovpn profile"
echo ":::" echo ":::"
@ -56,7 +62,7 @@ if [[ -z "${CERTS_TO_REVOKE}" ]]; then
done <${INDEX} done <${INDEX}
printf "\n" printf "\n"
echo "::: Please enter the Name of the client to be revoked from the list above:" echo -n "::: Please enter the Name of the client to be revoked from the list above: "
read -r NAME read -r NAME
if [[ -z "${NAME}" ]]; then if [[ -z "${NAME}" ]]; then
@ -104,8 +110,6 @@ fi
cd /etc/openvpn/easy-rsa || exit cd /etc/openvpn/easy-rsa || exit
install_home=$(grep -m1 "^${install_user}:" /etc/passwd | cut -d: -f6)
install_home=${install_home%/} # remove possible trailing slash
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}" printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}"
./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}" ./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"

3
scripts/wireguard/pivpnDEBUG.sh
View file

@ -24,6 +24,7 @@ printf "=============================================\n"
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::" echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
cd /etc/wireguard/keys cd /etc/wireguard/keys
cp ../wg0.conf ../wg0.tmp cp ../wg0.conf ../wg0.tmp
# Replace every key in the server configuration with just it's file name
for k in *; do for k in *; do
sed "s#$(cat "$k")#$k#" -i ../wg0.tmp sed "s#$(cat "$k")#$k#" -i ../wg0.tmp
done done
@ -148,7 +149,7 @@ else
fi fi
fi fi
# grep -w (whole word) is used so port 111940 with now match when looking for 1194 # grep -w (whole word) is used so port 11940 won't match when looking for 1194
if netstat -uanp | grep -w "${pivpnPORT}" | grep -q 'udp'; then if netstat -uanp | grep -w "${pivpnPORT}" | grep -q 'udp'; then
echo ":: [OK] WireGuard is listening on port ${pivpnPORT}/udp" echo ":: [OK] WireGuard is listening on port ${pivpnPORT}/udp"
else else