Added back Debian 10 support

This commit is contained in:
Orazio 2019-10-14 15:06:34 +02:00
parent 5e16322f9e
commit 1777d5c239
3 changed files with 60 additions and 30 deletions

View file

@ -91,7 +91,7 @@ distroCheck(){
fi
case ${PLAT} in
Raspbian)
Debian|Raspbian)
case ${OSCN} in
buster)
;;
@ -525,6 +525,7 @@ installWireGuard(){
# Otherwhise compile and build the kernel module via DKMS (so it will
# be recompiled on kernel upgrades)
if [ "$(uname -m)" = "armv7l" ]; then
echo "::: Installing WireGuard from Debian package... "
# dirmngr is used to download repository keys, whereas qrencode is used to generate qrcodes
# from config file, for use with mobile clients
@ -532,20 +533,22 @@ installWireGuard(){
installDependentPackages PIVPN_DEPS[@]
# Do not upgrade packages from the unstable repository except for wireguard
echo "::: Adding Debian repository... "
echo "deb http://deb.debian.org/debian/ unstable main" | $SUDO tee -a /etc/apt/sources.list.d/unstable.list > /dev/null
echo "deb http://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/unstable.list > /dev/null
echo "Package: *
Pin: release a=unstable
Pin-Priority: 1
Package: wireguard wireguard-dkms wireguard-tools
Pin: release a=unstable
Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/null
Pin-Priority: 500" | $SUDO tee /etc/apt/preferences.d/limit-unstable > /dev/null
$SUDO apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
PIVPN_DEPS=(wireguard)
installDependentPackages PIVPN_DEPS[@]
elif [ "$(uname -m)" = "armv6l" ]; then
echo "::: Installing WireGuard from source... "
PIVPN_DEPS=(libmnl-dev libelf-dev raspberrypi-kernel-headers build-essential pkg-config qrencode)
installDependentPackages PIVPN_DEPS[@]
@ -553,8 +556,8 @@ Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/n
# Delete any leftover code
$SUDO rm -rf /usr/src/wireguard-*
echo -n "::: Downloading source code... "
wget -O- "${WG_SOURCE}" | $SUDO tar Jxf - --directory /usr/src
echo "::: Downloading source code... "
wget -qO- "${WG_SOURCE}" | $SUDO tar Jxf - --directory /usr/src
echo "done!"
cd /usr/src
@ -565,7 +568,7 @@ Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/n
# We install the userspace tools manually since DKMS only compiles and
# installs the kernel module
echo -n "::: Compiling WireGuard tools... "
echo "::: Compiling WireGuard tools... "
if $SUDO make tools; then
echo "done!"
else
@ -573,7 +576,7 @@ Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/n
exit 1
fi
echo -n "::: Installing WireGuard tools... "
echo "::: Installing WireGuard tools... "
if $SUDO make install tools; then
echo "done!"
else
@ -581,7 +584,7 @@ Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/n
exit 1
fi
echo -n "::: Adding WireGuard modules via DKMS... "
echo "::: Adding WireGuard modules via DKMS... "
if $SUDO dkms add wireguard/"${WG_SNAPSHOT}"; then
echo "done!"
else
@ -590,7 +593,7 @@ Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/n
exit 1
fi
echo -n "::: Compiling WireGuard modules via DKMS... "
echo "::: Compiling WireGuard modules via DKMS... "
if $SUDO dkms build wireguard/"${WG_SNAPSHOT}"; then
echo "done!"
else
@ -599,7 +602,7 @@ Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/n
exit 1
fi
echo -n "::: Installing WireGuard modules via DKMS... "
echo "::: Installing WireGuard modules via DKMS... "
if $SUDO dkms install wireguard/"${WG_SNAPSHOT}"; then
echo "done!"
else
@ -607,6 +610,17 @@ Pin-Priority: 500" | $SUDO tee -a /etc/apt/preferences.d/limit-unstable > /dev/n
$SUDO dkms remove wireguard/"${WG_SNAPSHOT}" --all
exit 1
fi
elif [ "$(uname -m)" = "x86_64" ] || [ "$(uname -m)" = "i686" ]; then
echo "deb http://deb.debian.org/debian/ unstable main" | $SUDO tee /etc/apt/sources.list.d/unstable.list > /dev/null
echo "Package: *
Pin: release a=unstable
Pin-Priority: 90" | $SUDO tee /etc/apt/preferences.d/limit-unstable > /dev/null
$SUDO ${UPDATE_PKG_CACHE} &> /dev/null
PIVPN_DEPS=(qrencode wireguard)
installDependentPackages PIVPN_DEPS[@]
fi
}
@ -862,9 +876,9 @@ askEncryption(){
fi
if ([ "$pivpnENCRYPT" -ge "3072" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $pivpnENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from their database.\nMore information about this service can be found here: https://2ton.com.au/safeprimes/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then
DOWNLOAD_DH_PARAM=true
DOWNLOAD_DH_PARAM=1
else
DOWNLOAD_DH_PARAM=false
DOWNLOAD_DH_PARAM=0
fi
echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf
@ -885,7 +899,7 @@ confOpenVPN(){
fi
# Get easy-rsa
wget -q -O - "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa
wget -qO- "${easyrsaRel}" | $SUDO tar xz -C /etc/openvpn && $SUDO mv /etc/openvpn/EasyRSA-v${easyrsaVer} /etc/openvpn/easy-rsa
# fix ownership
$SUDO chown -R root:root /etc/openvpn/easy-rsa
$SUDO mkdir /etc/openvpn/easy-rsa/pki
@ -916,9 +930,9 @@ set_var EASYRSA_KEY_SIZE ${pivpnENCRYPT}" | $SUDO tee vars >/dev/null
# Build the server
EASYRSA_CERT_EXPIRE=3650 ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass
if [[ ${DOWNLOAD_DH_PARAM} == true ]]; then
if [ ${DOWNLOAD_DH_PARAM} -eq 1 ]; then
# Downloading parameters
${SUDOE} curl "https://2ton.com.au/getprimes/random/dhparam/${pivpnENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem"
${SUDOE} curl -s "https://2ton.com.au/getprimes/random/dhparam/${pivpnENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem"
else
# Generate Diffie-Hellman key exchange
${SUDOE} ./easyrsa gen-dh
@ -989,6 +1003,13 @@ confOVPN(){
}
confWireGuard(){
if [ -d /etc/wireguard ]; then
$SUDO rm -r /etc/wireguard
$SUDO mkdir /etc/wireguard
$SUDO chown root:root /etc/wireguard
$SUDO chmod 700 /etc/wireguard
fi
whiptail --title "Server Information" --msgbox "The Server Keys and Pre-Shared key will now be generated." "${r}" "${c}"
$SUDO mkdir /etc/wireguard/configs
$SUDO touch /etc/wireguard/configs/clients.txt
@ -1072,7 +1093,7 @@ confNetwork(){
fi
case ${PLAT} in
Raspbian)
Debian|Raspbian)
$SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null
;;
esac
@ -1104,7 +1125,7 @@ if \$programname == 'ovpn-server' then stop" | $SUDO tee /etc/rsyslog.d/30-openv
# Restart the logging service
case ${PLAT} in
Raspbian)
Debian|Raspbian)
$SUDO systemctl restart rsyslog.service || true
;;
esac
@ -1153,11 +1174,15 @@ askUnattendedUpgrades(){
confUnattendedUpgrades(){
cd /etc/apt/apt.conf.d
wget -q -O- "$UNATTUPG_CONFIG" | $SUDO tar xz
if [ "$PLAT" = "Raspbian" ]; then
wget -qO- "$UNATTUPG_CONFIG" | $SUDO tar xz
$SUDO cp "unattended-upgrades-$UNATTUPG_RELEASE/data/50unattended-upgrades.Raspbian" 50unattended-upgrades
$SUDO rm -rf "unattended-upgrades-$UNATTUPG_RELEASE"
fi
if [ "$VPN" = "WireGuard" ] && [ "$(uname -m)" = "armv7l" ]; then
# On architectures different from armv6l, where we install wireguard from source, enable
# automatic updates via the unstable repository
if [ "$VPN" = "WireGuard" ] && [ "$(uname -m)" != "armv6l" ]; then
sed -i '/Unattended-Upgrade::Origins-Pattern {/a"o=Debian,a=unstable";' 50unattended-upgrades
fi
@ -1183,7 +1208,7 @@ installScripts() {
FOLDER=$(tr '[:upper:]' '[:lower:]' <<< "$VPN")
$SUDO cp /etc/.pivpn/scripts/$FOLDER/*.sh /opt/pivpn/
$SUDO chmod 0755 /opt/pivpn/*.sh
$SUDO cp /etc/.pivpn/$FOLDER/pivpn /usr/local/bin/pivpn
$SUDO cp /etc/.pivpn/$FOLDER/scripts/pivpn /usr/local/bin/pivpn
$SUDO chmod 0755 /usr/local/bin/pivpn
$SUDO cp /etc/.pivpn/scripts/$FOLDER/bash-completion /etc/bash_completion.d/pivpn
. /etc/bash_completion.d/pivpn
@ -1285,7 +1310,7 @@ main(){
echo "::: Restarting services..."
# Start services
case ${PLAT} in
Raspbian)
Debian|Raspbian)
if [ "$VPN" = "OpenVPN" ]; then
$SUDO systemctl enable openvpn.service
$SUDO systemctl start openvpn.service

View file

@ -1,10 +1,16 @@
#!/usr/bin/env bash
# PiVPN: revoke client script
install_user=$(</etc/pivpn/install_user)
PLAT=$(</etc/pivpn/DET_PLATFORM)
setupVars="/etc/pivpn/setupVars.conf"
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
if [ ! -f "${setupVars}" ]; then
echo "::: Missing setup vars file!"
exit 1
fi
source "${setupVars}"
helpFunc() {
echo "::: Revoke a client ovpn profile"
echo ":::"
@ -56,7 +62,7 @@ if [[ -z "${CERTS_TO_REVOKE}" ]]; then
done <${INDEX}
printf "\n"
echo "::: Please enter the Name of the client to be revoked from the list above:"
echo -n "::: Please enter the Name of the client to be revoked from the list above: "
read -r NAME
if [[ -z "${NAME}" ]]; then
@ -104,8 +110,6 @@ fi
cd /etc/openvpn/easy-rsa || exit
install_home=$(grep -m1 "^${install_user}:" /etc/passwd | cut -d: -f6)
install_home=${install_home%/} # remove possible trailing slash
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}"
./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"

View file

@ -24,6 +24,7 @@ printf "=============================================\n"
echo -e ":::: \e[4mServer configuration shown below\e[0m ::::"
cd /etc/wireguard/keys
cp ../wg0.conf ../wg0.tmp
# Replace every key in the server configuration with just it's file name
for k in *; do
sed "s#$(cat "$k")#$k#" -i ../wg0.tmp
done
@ -148,7 +149,7 @@ else
fi
fi
# grep -w (whole word) is used so port 111940 with now match when looking for 1194
# grep -w (whole word) is used so port 11940 won't match when looking for 1194
if netstat -uanp | grep -w "${pivpnPORT}" | grep -q 'udp'; then
echo ":: [OK] WireGuard is listening on port ${pivpnPORT}/udp"
else