Merge branch 'test' into bitwarden

2025-01-19 11:04:28 +00:00 · 2019-08-08 10:34:17 +02:00 · 2019-08-08 10:34:17 +02:00 · 18b7e16694
commit 18b7e16694
parent b60a06791d c2c3fc4229
4 changed files with 83 additions and 33 deletions
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@ -21,7 +21,9 @@ PKG_CACHE="/var/lib/apt/lists/"
 UPDATE_PKG_CACHE="${PKG_MANAGER} update"
 PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install"
 PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
+
 PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools grepcidr jq)
+
 ###          ###

 pivpnGitUrl="https://github.com/pivpn/pivpn.git"
@ -769,7 +771,9 @@ confOpenVPN() {
        # Ask user for desired level of encryption

        if [[ ${useUpdateVars} == false ]]; then
-            if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]] && [[ ${OSCN} != "buster" ]]; then
+
+            if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]] && [[ ${OSCN} != "buster" ]] ; then
+
                APPLY_TWO_POINT_FOUR=false
            else
                if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then
@ -795,7 +799,6 @@ confOpenVPN() {

        else

-            declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1")
            ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \
            "Choose the desired size of your certificate (press space to select):\n   This is a certificate that will be generated on your system.  The larger the certificate, the more time this will take.  For most applications, it is recommended to use 256 bits.  You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \
            "256" "Use a 256-bit certificate (recommended level)" ON \
@ -979,8 +982,21 @@ confNetwork() {
            $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
            # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
            $SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null
-            # Don't forward everything, just the traffic originated from the VPN subnet
-            $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
+
+            # https://askubuntu.com/a/712202
+            INSTALLED_UFW=$(dpkg-query --showformat='${Version}' --show ufw)
+            MINIMUM_UFW=0.34
+
+            if $SUDO dpkg --compare-versions "$INSTALLED_UFW" ge "$MINIMUM_UFW"; then
+                # Don't forward everything, just the traffic originated from the VPN subnet
+                $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
+                echo 0 > /tmp/OLD_UFW
+            else
+                # This ufw version does not support route command, fallback to policy change
+                $SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw
+                echo 1 > /tmp/OLD_UFW
+            fi
+
            $SUDO ufw reload >/dev/null
            echo "::: UFW configuration completed."
        fi
@ -1043,6 +1059,7 @@ confNetwork() {
    echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED

    $SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW
+    $SUDO cp /tmp/OLD_UFW /etc/pivpn/OLD_UFW
    $SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED
    $SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED
 }
--- a/scripts/makeOVPN.sh
+++ b/scripts/makeOVPN.sh
@ -283,12 +283,12 @@ if [ ! -f "${CA}" ]; then
 fi
 echo "CA public Key found: $CA"

-#Confirm the tls-auth ta key file exists
+#Confirm the tls key file exists
 if [ ! -f "${TA}" ]; then
-    echo "[ERROR]: tls-auth Key not found: $TA"
+    echo "[ERROR]: tls Private Key not found: $TA"
    exit
 fi
-echo "tls-auth Private Key found: $TA"
+echo "tls Private Key found: $TA"

 #Ready to make a new .ovpn file
 {
@ -310,7 +310,7 @@ echo "tls-auth Private Key found: $TA"
    cat "private/${NAME}${KEY}"
    echo "</key>"

-    #Finally, append the TA Private Key
+    #Finally, append the tls Private Key
    if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then
      echo "<tls-crypt>"
      cat "${TA}"
@ -323,6 +323,11 @@ echo "tls-auth Private Key found: $TA"

 } > "${NAME}${FILEEXT}"

+if [ ! -d "/home/$INSTALL_USER/ovpns" ]; then
+    mkdir "/home/$INSTALL_USER/ovpns"
+    chmod 0777 -R "/home/$INSTALL_USER/ovpns"
+fi
+
 # Copy the .ovpn profile to the home directory for convenient remote access
 cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
 chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
--- a/scripts/pivpnDebug.sh
+++ b/scripts/pivpnDebug.sh
@ -5,6 +5,10 @@ PORT=$(cat /etc/pivpn/INSTALL_PORT)
 PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
 IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
 REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')"
+NO_UFW=$(cat /etc/pivpn/NO_UFW)
+OLD_UFW=$(cat /etc/pivpn/NO_UFW)
+INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)"
+FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)"
 ERR=0

 echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
@ -46,7 +50,7 @@ else
    fi
 fi

-if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
+if [ "$NO_UFW" -eq 1 ]; then

    if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
        echo ":: [OK] Iptables MASQUERADE rule set"
@ -61,7 +65,9 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
        fi
    fi

-    if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then
+
+    if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
+
        if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then
            echo ":: [OK] Iptables INPUT rule set"
        else
@ -75,7 +81,8 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
        fi
    fi

-    if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then
+    if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
+
        if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then
            echo ":: [OK] Iptables FORWARD rule set"
        else
@ -126,15 +133,30 @@ else
        fi
    fi

-    if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
-        echo ":: [OK] Ufw forwarding rule set"
+    if [ "$OLD_UFW" -eq 1 ]; then
+        FORWARD_POLICY="$(iptables -S FORWARD | grep '^-P' | awk '{print $3}')"
+        if [ "$FORWARD_POLICY" = "ACCEPT" ]; then
+            echo ":: [OK] Ufw forwarding policy is accept"
+        else
+            ERR=1
+            read -r -p ":: [ERR] Ufw forwarding policy is not 'ACCEPT', attempt fix now? [Y/n] " REPLY
+            if [[ ${REPLY} =~ ^[Yy]$ ]]; then
+                sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw
+                ufw reload > /dev/null
+                echo "Done"
+            fi
+        fi
    else
-        ERR=1
-        read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
-        if [[ ${REPLY} =~ ^[Yy]$ ]]; then
-            ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
-            ufw reload
-            echo "Done"
+        if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
+            echo ":: [OK] Ufw forwarding rule set"
+        else
+            ERR=1
+            read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY
+            if [[ ${REPLY} =~ ^[Yy]$ ]]; then
+                ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any
+                ufw reload
+                echo "Done"
+            fi
        fi
    fi

--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
@ -4,6 +4,7 @@
 INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
 PLAT=$(cat /etc/pivpn/DET_PLATFORM)
 NO_UFW=$(cat /etc/pivpn/NO_UFW)
+OLD_UFW=$(cat /etc/pivpn/NO_UFW)
 PORT=$(cat /etc/pivpn/INSTALL_PORT)
 PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
 IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
@ -95,23 +96,28 @@ echo ":::"
    sysctl -p

    if [[ $NO_UFW -eq 0 ]]; then
-      sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
-      ufw delete allow "$PORT"/"$PROTO" >/dev/null
-      ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
-      ufw reload >/dev/null
-  else
-      iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE

-      if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
-          iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
-      fi
+        sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
+        ufw delete allow "$PORT"/"$PROTO" >/dev/null
+        if [ "$OLD_UFW" -eq 1 ]; then
+            sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw
+        else
+            ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
+        fi
+        ufw reload >/dev/null
+    else
+        iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE

-      if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
-          iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-          iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
-      fi
+        if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
+            iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT
+        fi

-      iptables-save > /etc/iptables/rules.v4
+        if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
+            iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+            iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT
+        fi
+
+        iptables-save > /etc/iptables/rules.v4
    fi

    echo ":::"