diff --git a/auto_install/install.sh b/auto_install/install.sh index 9e31d1f..beae514 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -21,7 +21,9 @@ PKG_CACHE="/var/lib/apt/lists/" UPDATE_PKG_CACHE="${PKG_MANAGER} update" PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install" PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true" + PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools grepcidr jq) + ### ### pivpnGitUrl="https://github.com/pivpn/pivpn.git" @@ -769,7 +771,9 @@ confOpenVPN() { # Ask user for desired level of encryption if [[ ${useUpdateVars} == false ]]; then - if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]] && [[ ${OSCN} != "buster" ]]; then + + if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]] && [[ ${OSCN} != "buster" ]] ; then + APPLY_TWO_POINT_FOUR=false else if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then 
@@ -795,7 +799,6 @@ confOpenVPN() {
 else
- declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1")
 ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \
 "Choose the desired size of your certificate (press space to select):\n This is a certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \
 "256" "Use a 256-bit certificate (recommended level)" ON \
@@ -979,8 +982,21 @@ confNetwork() {
 $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
 # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
 $SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null
- # Don't forward everything, just the traffic originated from the VPN subnet
- $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
+
+ # https://askubuntu.com/a/712202
+ INSTALLED_UFW=$(dpkg-query --showformat='${Version}' --show ufw)
+ MINIMUM_UFW=0.34
+
+ if $SUDO dpkg --compare-versions "$INSTALLED_UFW" ge "$MINIMUM_UFW"; then
+ # Don't forward everything, just the traffic originated from the VPN subnet
+ $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
+ echo 0 > /tmp/OLD_UFW
+ else
+ # This ufw version does not support route command, fallback to policy change
+ $SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw
+ echo 1 > /tmp/OLD_UFW
+ fi
+
 $SUDO ufw reload >/dev/null
 echo "::: UFW configuration completed."
 fi
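Review bot: The fallback branch (`$SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw`) opens forwarding for every interface on the host, whereas the `ufw route` rule it stands in for only allows tun0 to "$IPv4dev" from 10.8.0.0/24, and the comment should say so, e.g. `# NOTE: unlike the route rule above this accepts forwarding on all interfaces, not just VPN traffic`. The new flag is written to the fixed path /tmp/OLD_UFW and later copied into /etc/pivpn with $SUDO (hunk -1043); that follows the existing /tmp/noUFW pattern, but if /etc/pivpn already exists at this point the value could be written there directly with `echo 0 | $SUDO tee /etc/pivpn/OLD_UFW >/dev/null` and skip the shared-tmp hop. `dpkg --compare-versions` is a pure version-string comparison and does not need $SUDO. confNetwork begins and continues outside this hunk.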
@@ -1043,6 +1059,7 @@ confNetwork() {
 echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED
 $SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW
+ $SUDO cp /tmp/OLD_UFW /etc/pivpn/OLD_UFW
 $SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED
 $SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED
 }
diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh
index e39df1b..8c8af49 100755
--- a/scripts/makeOVPN.sh
+++ b/scripts/makeOVPN.sh
@@ -283,12 +283,12 @@ if [ ! -f "${CA}" ]; then
 fi
 echo "CA public Key found: $CA"
-#Confirm the tls-auth ta key file exists
+#Confirm the tls key file exists
 if [ ! -f "${TA}" ]; then
- echo "[ERROR]: tls-auth Key not found: $TA"
+ echo "[ERROR]: tls Private Key not found: $TA"
 exit
 fi
-echo "tls-auth Private Key found: $TA"
+echo "tls Private Key found: $TA"
 #Ready to make a new .ovpn file
 {
@@ -310,7 +310,7 @@ echo "tls-auth Private Key found: $TA"
 cat "private/${NAME}${KEY}"
 echo ""
- #Finally, append the TA Private Key
+ #Finally, append the tls Private Key
 if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then
 echo ""
 cat "${TA}"
@@ -323,6 +323,11 @@ echo "tls-auth Private Key found: $TA"
 } > "${NAME}${FILEEXT}"
+if [ ! -d "/home/$INSTALL_USER/ovpns" ]; then
+ mkdir "/home/$INSTALL_USER/ovpns"
+ chmod 0777 -R "/home/$INSTALL_USER/ovpns"
+fi
+
 # Copy the .ovpn profile to the home directory for convenient remote access
 cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
 chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
diff --git a/scripts/pivpnDebug.sh b/scripts/pivpnDebug.sh
index b63079a..25a4bf1 100755
--- a/scripts/pivpnDebug.sh
+++ b/scripts/pivpnDebug.sh
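Review bot: `chmod 0777 -R "/home/$INSTALL_USER/ovpns"` in the -323 hunk makes the directory that receives the generated profiles readable and writable by every local account, and the profile written just above embeds the client's private key (`cat "private/${NAME}${KEY}"` in the -310 hunk), so any user on the box can read or replace a client's credentials; the later `chown` covers only the file, not the directory. Create it owned by the user with a private mode instead: `mkdir -p "/home/$INSTALL_USER/ovpns"`, `chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns"`, `chmod 0700 "/home/$INSTALL_USER/ovpns"`. The `-R` on a freshly created empty directory changes nothing, and `mkdir -p` also removes the need for the surrounding `-d` test. The wording-only hunks at -283 and -310 need no change.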
@@ -5,6 +5,10 @@ PORT=$(cat /etc/pivpn/INSTALL_PORT) PROTO=$(cat /etc/pivpn/INSTALL_PROTO) IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')" +NO_UFW=$(cat /etc/pivpn/NO_UFW) +OLD_UFW=$(cat /etc/pivpn/NO_UFW) +INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" +FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" ERR=0 echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::" @@ -46,7 +50,7 @@ else fi fi -if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then +if [ "$NO_UFW" -eq 1 ]; then if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then echo ":: [OK] Iptables MASQUERADE rule set" @@ -61,7 +65,9 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then fi fi - if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then + + if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then + if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then echo ":: [OK] Iptables INPUT rule set" else @@ -75,7 +81,8 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then fi fi - if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then + if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then + if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then echo ":: [OK] Iptables FORWARD rule set" else 
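Review bot: `OLD_UFW=$(cat /etc/pivpn/NO_UFW)` in the -5 hunk reads the wrong flag file: install.sh stores this value in `/etc/pivpn/OLD_UFW` (hunk -1043 of the same commit), so the line should be `OLD_UFW=$(cat /etc/pivpn/OLD_UFW)`; the identical copy-paste is in scripts/uninstall.sh at hunk -4. As written OLD_UFW always equals NO_UFW, which is 0 whenever the ufw branch runs, so the new policy check in the -126 hunk can never fire and uninstall.sh never restores DEFAULT_FORWARD_POLICY on an older ufw. Installs made before this commit have no /etc/pivpn/OLD_UFW at all, which leaves the variable empty and turns `[ "$OLD_UFW" -eq 1 ]` into a test error; a default such as `OLD_UFW=$(cat /etc/pivpn/OLD_UFW 2>/dev/null || echo 0)` covers that case.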
@@ -126,15 +133,30 @@ else fi fi - if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then - echo ":: [OK] Ufw forwarding rule set" + if [ "$OLD_UFW" -eq 1 ]; then + FORWARD_POLICY="$(iptables -S FORWARD | grep '^-P' | awk '{print $3}')" + if [ "$FORWARD_POLICY" = "ACCEPT" ]; then + echo ":: [OK] Ufw forwarding policy is accept" + else + ERR=1 + read -r -p ":: [ERR] Ufw forwarding policy is not 'ACCEPT', attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw + ufw reload > /dev/null + echo "Done" + fi + fi else - ERR=1 - read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]]; then - ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any - ufw reload - echo "Done" + if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then + echo ":: [OK] Ufw forwarding rule set" + else + ERR=1 + read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any + ufw reload + echo "Done" + fi fi fi diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index bcb304e..9ca8cbc 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -4,6 +4,7 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) PLAT=$(cat /etc/pivpn/DET_PLATFORM) NO_UFW=$(cat /etc/pivpn/NO_UFW) +OLD_UFW=$(cat /etc/pivpn/NO_UFW) PORT=$(cat /etc/pivpn/INSTALL_PORT) PROTO=$(cat /etc/pivpn/INSTALL_PROTO) IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" 
@@ -95,23 +96,28 @@ echo ":::" sysctl -p if [[ $NO_UFW -eq 0 ]]; then - sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules - ufw delete allow "$PORT"/"$PROTO" >/dev/null - ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null - ufw reload >/dev/null - else - iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE - if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then - iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT - fi + sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules + ufw delete allow "$PORT"/"$PROTO" >/dev/null + if [ "$OLD_UFW" -eq 1 ]; then + sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw + else + ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + fi + ufw reload >/dev/null + else + iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE - if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then - iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT - iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT - fi + if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then + iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT + fi - iptables-save > /etc/iptables/rules.v4 + if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then + iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT + fi + + iptables-save > /etc/iptables/rules.v4 fi echo ":::"
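Review bot: The new `if [ "$OLD_UFW" -eq 1 ]` branch hard-codes `DEFAULT_FORWARD_POLICY="DROP"` rather than restoring whatever /etc/default/ufw held before install.sh switched it to ACCEPT, so an administrator who had deliberately set a different value has it silently replaced at uninstall. A safer pairing is for install.sh to save the original line into a file under /etc/pivpn before its sed edit and for this branch to write that saved value back. Note also that the branch depends on OLD_UFW, which hunk -4 of this file reads from /etc/pivpn/NO_UFW, so it will not run as committed. Most of the hunk is re-indentation of unchanged commands; keeping whitespace-only changes out of this commit would make the one functional addition much easier to review.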