From 95480f3279f6be8bf2be884e3599d047f38eddb3 Mon Sep 17 00:00:00 2001 From: Orazio Date: Wed, 26 Jun 2019 10:35:56 +0200 Subject: [PATCH 01/13] Add support for Raspbian Buster --- auto_install/install.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 59a3c3b..60903a2 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -92,7 +92,7 @@ distro_check() { source /etc/os-release PLAT=$(awk '{print $1}' <<< "$NAME") VER="$VERSION_ID" - declare -A VER_MAP=(["9"]="stretch" ["8"]="jessie" ["18.04"]="bionic" ["16.04"]="xenial" ["14.04"]="trusty") + declare -A VER_MAP=(["10"]="buster" ["9"]="stretch" ["8"]="jessie" ["18.04"]="bionic" ["16.04"]="xenial" ["14.04"]="trusty") OSCN=${VER_MAP["${VER}"]} fi @@ -103,7 +103,7 @@ distro_check() { case ${PLAT} in Ubuntu|Raspbian|Debian|Devuan) case ${OSCN} in - trusty|xenial|jessie|stretch) + trusty|xenial|jessie|stretch|buster) ;; *) maybeOS_Support @@ -479,6 +479,8 @@ install_dependent_packages() { # No spinner - conflicts with set -e declare -a argArray1=("${!1}") + $SUDO update-alternatives --set iptables /usr/sbin/iptables-legacy + $SUDO update-alternatives --set iptables /usr/sbin/ip6tables-legacy echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections @@ -753,7 +755,7 @@ confOpenVPN() { # Ask user for desired level of encryption if [[ ${useUpdateVars} == false ]]; then - if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]]; then + if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]] && [[ ${OSCN} != "buster" ]] ; then APPLY_TWO_POINT_FOUR=false else if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then From 7a34dd3704ce33eba7f5b43806a5dcde8ba35df5 Mon Sep 17 00:00:00 2001 From: Orazio Date: Mon, 1 Jul 2019 11:12:46 +0200 Subject: [PATCH 02/13] Improve iptables detection --- auto_install/install.sh | 39 +++++++++++++++++++++++ scripts/pivpnDebug.sh | 30 +++++++++++++++++- scripts/uninstall.sh | 68 ++++++++++++++++++++--------------------- 3 files changed, 101 insertions(+), 36 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 59a3c3b..4b81bd1 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -974,7 +974,41 @@ confNetwork() { # else configure iptables if [[ $noUFW -eq 1 ]]; then echo 1 > /tmp/noUFW + + # Now some checks to detect which rules we need to add. On a newly installed system all policies + # should be ACCEPT, so the only required rule would be the MASQUERADE one. + $SUDO iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE + + # Count how many rules are in the INPUT and FORWARD chain. When parsing input from + # iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found + # installed but not enabled). + + INPUT_RULES_COUNT="$($SUDO iptables -S INPUT | grep -vcE '(^-P|ufw-)')" + FORWARD_RULES_COUNT="$($SUDO iptables -S FORWARD | grep -vcE '(^-P|ufw-)')" + + INPUT_POLICY="$($SUDO iptables -S INPUT | grep '^-P' | awk '{print $3}')" + FORWARD_POLICY="$($SUDO iptables -S FORWARD | grep '^-P' | awk '{print $3}')" + + # If rules count is not zero, we assume we need to explicitly allow traffic. Same conclusion if + # there are no rules and the policy is not ACCEPT. Note that rules are being added to the top of the + # chain (using -I). + + if [ "$INPUT_RULES_COUNT" -ne 0 ] || [ "$INPUT_POLICY" != "ACCEPT" ]; then + $SUDO iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT + INPUT_CHAIN_EDITED=1 + else + INPUT_CHAIN_EDITED=0 + fi + + if [ "$FORWARD_RULES_COUNT" -ne 0 ] || [ "$FORWARD_POLICY" != "ACCEPT" ]; then + $SUDO iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + $SUDO iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT + FORWARD_CHAIN_EDITED=1 + else + FORWARD_CHAIN_EDITED=0 + fi + case ${PLAT} in Ubuntu|Debian|Devuan) $SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null @@ -987,7 +1021,12 @@ confNetwork() { echo 0 > /tmp/noUFW fi + echo "$INPUT_CHAIN_EDITED" > /tmp/INPUT_CHAIN_EDITED + echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED + $SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW + $SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED + $SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED } confOVPN() { diff --git a/scripts/pivpnDebug.sh b/scripts/pivpnDebug.sh index 849c70d..ff912f3 100755 --- a/scripts/pivpnDebug.sh +++ b/scripts/pivpnDebug.sh @@ -56,11 +56,39 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then iptables -t nat -F iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE iptables-save > /etc/iptables/rules.v4 - iptables-restore < /etc/iptables/rules.v4 echo "Done" fi fi + if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then + if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then + echo ":: [OK] Iptables INPUT rule set" + else + ERR=1 + read -r -p ":: [ERR] Iptables INPUT rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + iptables -I INPUT 1 -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT + iptables-save > /etc/iptables/rules.v4 + echo "Done" + fi + fi + fi + + if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then + if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then + echo ":: [OK] Iptables FORWARD rule set" + else + ERR=1 + read -r -p ":: [ERR] Iptables FORWARD rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + iptables -I FORWARD 1 -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -I FORWARD 2 -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT + iptables-save > /etc/iptables/rules.v4 + echo "Done" + fi + fi + fi + else if LANG="en_US.UTF-8" ufw status | grep -qw 'active'; then diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 99192aa..60d93e7 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -1,21 +1,6 @@ #!/usr/bin/env bash # PiVPN: Uninstall Script -# Must be root to uninstall -if [[ $EUID -eq 0 ]];then - echo "::: You are root." -else - echo "::: Sudo will be used for the uninstall." - # Check if it is actually installed - # If it isn't, exit because the unnstall cannot complete - if [[ $(dpkg-query -s sudo) ]];then - export SUDO="sudo" - else - echo "::: Please install sudo or run this as root." - exit 1 - fi -fi - INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) PLAT=$(cat /etc/pivpn/DET_PLATFORM) NO_UFW=$(cat /etc/pivpn/NO_UFW) @@ -59,7 +44,7 @@ echo ":::" while true; do read -rp "::: Do you wish to remove $i from your system? [y/n]: " yn case $yn in - [Yy]* ) printf ":::\tRemoving %s..." "$i"; $SUDO apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n"; + [Yy]* ) printf ":::\tRemoving %s..." "$i"; apt-get -y remove --purge "$i" &> /dev/null & spinner $!; printf "done!\n"; if [ "$i" == "openvpn" ]; then UINST_OVPN=1 ; fi if [ "$i" == "unattended-upgrades" ]; then UINST_UNATTUPG=1 ; fi break;; @@ -74,44 +59,57 @@ echo ":::" # Take care of any additional package cleaning printf "::: Auto removing remaining dependencies..." - $SUDO apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n"; + apt-get -y autoremove &> /dev/null & spinner $!; printf "done!\n"; printf "::: Auto cleaning remaining dependencies..." - $SUDO apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n"; + apt-get -y autoclean &> /dev/null & spinner $!; printf "done!\n"; echo ":::" # Removing pivpn files echo "::: Removing pivpn system files..." - $SUDO rm -rf /opt/pivpn &> /dev/null - $SUDO rm -rf /etc/.pivpn &> /dev/null - $SUDO rm -rf /home/$INSTALL_USER/ovpns &> /dev/null + rm -rf /opt/pivpn &> /dev/null + rm -rf /etc/.pivpn &> /dev/null + rm -rf /home/$INSTALL_USER/ovpns &> /dev/null - $SUDO rm -rf /var/log/*pivpn* &> /dev/null - $SUDO rm -rf /var/log/*openvpn* &> /dev/null + rm -rf /var/log/*pivpn* &> /dev/null + rm -rf /var/log/*openvpn* &> /dev/null if [[ $UINST_OVPN = 1 ]]; then - $SUDO rm -rf /etc/openvpn &> /dev/null + rm -rf /etc/openvpn &> /dev/null if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then printf "::: Removing openvpn apt source..." - $SUDO rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null - $SUDO apt-get -qq update & spinner $!; printf "done!\n"; + rm -rf /etc/apt/sources.list.d/swupdate.openvpn.net.list &> /dev/null + apt-get -qq update & spinner $!; printf "done!\n"; fi fi if [[ $UINST_UNATTUPG = 1 ]]; then - $SUDO rm -rf /var/log/unattended-upgrades - $SUDO rm -rf /etc/apt/apt.conf.d/*periodic + rm -rf /var/log/unattended-upgrades + rm -rf /etc/apt/apt.conf.d/*periodic fi - $SUDO rm -rf /etc/pivpn &> /dev/null - $SUDO rm /usr/local/bin/pivpn &> /dev/null - $SUDO rm /etc/bash_completion.d/pivpn + rm -rf /etc/pivpn &> /dev/null + rm /usr/local/bin/pivpn &> /dev/null + rm /etc/bash_completion.d/pivpn # Disable IPv4 forwarding sed -i '/net.ipv4.ip_forward=1/c\#net.ipv4.ip_forward=1' /etc/sysctl.conf sysctl -p if [[ $NO_UFW -eq 0 ]]; then - $SUDO sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules - $SUDO ufw delete allow "$PORT"/"$PROTO" >/dev/null - $SUDO ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null - $SUDO ufw reload >/dev/null + sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules + ufw delete allow "$PORT"/"$PROTO" >/dev/null + ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + ufw reload >/dev/null + else + iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE + + if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then + iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT + fi + + if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then + iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT + fi + + iptables-save > /etc/iptables/rules.v4 fi echo ":::" From 0ad342e007c46fb96f0c73e54ad0e110b6358914 Mon Sep 17 00:00:00 2001 From: Orazio Date: Mon, 1 Jul 2019 11:36:01 +0200 Subject: [PATCH 03/13] Fixed typo --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 60903a2..afa5f89 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -480,7 +480,7 @@ install_dependent_packages() { declare -a argArray1=("${!1}") $SUDO update-alternatives --set iptables /usr/sbin/iptables-legacy - $SUDO update-alternatives --set iptables /usr/sbin/ip6tables-legacy + $SUDO update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections From bcc780546c99ff64c6dad05c3ee7e7cbb2876b14 Mon Sep 17 00:00:00 2001 From: Orazio Date: Mon, 1 Jul 2019 11:39:42 +0200 Subject: [PATCH 04/13] Get variable value before the file is deleted --- scripts/uninstall.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index 60d93e7..f1edea4 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -7,6 +7,8 @@ NO_UFW=$(cat /etc/pivpn/NO_UFW) PORT=$(cat /etc/pivpn/INSTALL_PORT) PROTO=$(cat /etc/pivpn/INSTALL_PROTO) IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" +INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" +FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" # Find the rows and columns. Will default to 80x24 if it can not be detected. screen_size=$(stty size 2>/dev/null || echo 24 80) @@ -100,11 +102,11 @@ echo ":::" else iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE - if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then + if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then iptables -D INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT fi - if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then + if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then iptables -D FORWARD -d 10.8.0.0/24 -i "$IPv4dev" -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -D FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT fi From b823737b5a20059305ed8c7a6ebe334c69167c2c Mon Sep 17 00:00:00 2001 From: Orazio Date: Mon, 1 Jul 2019 15:44:00 +0200 Subject: [PATCH 05/13] Hide client IPs in the debug log --- auto_install/install.sh | 2 +- scripts/pivpnDebug.sh | 15 +++++++++++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 59a3c3b..3f693cd 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -21,7 +21,7 @@ PKG_CACHE="/var/lib/apt/lists/" UPDATE_PKG_CACHE="${PKG_MANAGER} update" PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install" PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true" -PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools) +PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools grepcidr) ### ### pivpnGitUrl="https://github.com/pivpn/pivpn.git" diff --git a/scripts/pivpnDebug.sh b/scripts/pivpnDebug.sh index 849c70d..c7b8438 100755 --- a/scripts/pivpnDebug.sh +++ b/scripts/pivpnDebug.sh @@ -13,8 +13,9 @@ echo -e "::::\t\t\e[4mLatest commit\e[0m\t\t ::::" git --git-dir /etc/.pivpn/.git log -n 1 printf "=============================================\n" echo -e "::::\t \e[4mInstallation settings\e[0m \t ::::" +# Use the wildcard so setupVars.conf.update.bak from the previous install is not shown for filename in /etc/pivpn/*; do - if [ "$filename" != "/etc/pivpn/setupVars.conf" ]; then + if [[ "$filename" != "/etc/pivpn/setupVars.conf"* ]]; then echo "$filename -> $(cat "$filename")" fi done @@ -151,7 +152,17 @@ fi printf "=============================================\n" echo -e ":::: \e[4mSnippet of the server log\e[0m ::::" -tail -20 /var/log/openvpn.log +tail -20 /var/log/openvpn.log > /tmp/snippet + +# Regular expession taken from https://superuser.com/a/202835, it will match invalid IPs +# like 123.456.789.012 but it's fine because the log only contains valid ones. +declare -a IPS_TO_HIDE=($(grepcidr -v 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 /tmp/snippet | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | uniq)) +for IP in "${IPS_TO_HIDE[@]}"; do + sed -i "s/$IP/REDACTED/g" /tmp/snippet +done + +cat /tmp/snippet +rm /tmp/snippet printf "=============================================\n" echo -e "::::\t\t\e[4mDebug complete\e[0m\t\t ::::" From 66dcd69fd50d822d1a6dd98b359b7ff2afddac6b Mon Sep 17 00:00:00 2001 From: Orazio Date: Wed, 3 Jul 2019 10:13:22 +0200 Subject: [PATCH 06/13] Only use iptables-legacy if platform is Buster --- auto_install/install.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 06daddf..4cb1a3a 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -479,8 +479,10 @@ install_dependent_packages() { # No spinner - conflicts with set -e declare -a argArray1=("${!1}") - $SUDO update-alternatives --set iptables /usr/sbin/iptables-legacy - $SUDO update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy + if [[ ${OSCN} == "buster" ]]; then + $SUDO update-alternatives --set iptables /usr/sbin/iptables-legacy + $SUDO update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy + fi echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections From 0189c6983e98fc8efa8cbec6f3934a03a818b2b4 Mon Sep 17 00:00:00 2001 From: Bradley Grainger Date: Thu, 4 Jul 2019 19:47:51 -0700 Subject: [PATCH 07/13] Fix typo in "separated". --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 59a3c3b..cf06800 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -664,7 +664,7 @@ setClientDNS() { do strInvalid="Invalid" - if OVPNDNS=$(whiptail --backtitle "Specify Upstream DNS Provider(s)" --inputbox "Enter your desired upstream DNS provider(s), seperated by a comma.\n\nFor example '8.8.8.8, 8.8.4.4'" ${r} ${c} "" 3>&1 1>&2 2>&3) + if OVPNDNS=$(whiptail --backtitle "Specify Upstream DNS Provider(s)" --inputbox "Enter your desired upstream DNS provider(s), separated by a comma.\n\nFor example '8.8.8.8, 8.8.4.4'" ${r} ${c} "" 3>&1 1>&2 2>&3) then OVPNDNS1=$(echo "$OVPNDNS" | sed 's/[, \t]\+/,/g' | awk -F, '{print$1}') OVPNDNS2=$(echo "$OVPNDNS" | sed 's/[, \t]\+/,/g' | awk -F, '{print$2}') From 241e06f970dc19f645e3b2baa174b7a10a9dd2da Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 13 Jul 2019 10:45:44 +0200 Subject: [PATCH 08/13] Miscellaeous fixes --- auto_install/install.sh | 5 +++-- scripts/makeOVPN.sh | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 4f9d0b5..299f53f 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -532,7 +532,7 @@ getGitFiles() { echo ":::" echo "::: Checking for existing base files..." if is_repo "${1}"; then - update_repo "${1}" + update_repo "${1}" "${2}" else make_repo "${1}" "${2}" fi @@ -565,6 +565,7 @@ update_repo() { # Pull the latest commits echo -n "::: Updating repo in $1..." $SUDO rm -rf "${1}" + cd /etc $SUDO git clone -q --depth 1 --no-single-branch "${2}" "${1}" > /dev/null & spinner $! cd "${1}" || exit 1 if [ -z "${TESTING+x}" ]; then @@ -851,7 +852,7 @@ EOF fi # Build the server - ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass + EASYRSA_CERT_EXPIRE=3650 ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass if [[ ${useUpdateVars} == false ]]; then if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 0a571b4..6e6bee6 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -147,7 +147,7 @@ if [[ ${NAME::1} == "." ]] || [[ ${NAME::1} == "-" ]]; then exit 1 fi -if [[ "${NAME}" =~ [^a-zA-Z0-9\.\-\@\_] ]]; then +if [[ "${NAME}" =~ [^a-zA-Z0-9\.\\-\@\_] ]]; then echo "Name can only contain alphanumeric characters and these characters (.-@_)." exit 1 fi From 1b54558769b2a646c708c09be9230c65eed8e76e Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 13 Jul 2019 12:48:53 +0200 Subject: [PATCH 09/13] Fix update option --- auto_install/install.sh | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 299f53f..ab68e84 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -565,6 +565,8 @@ update_repo() { # Pull the latest commits echo -n "::: Updating repo in $1..." $SUDO rm -rf "${1}" + # Go back to /etc otherwhise git will complain when the current working directory has + # just been deleted (/etc/.pivpn). cd /etc $SUDO git clone -q --depth 1 --no-single-branch "${2}" "${1}" > /dev/null & spinner $! cd "${1}" || exit 1 @@ -754,6 +756,8 @@ confOpenVPN() { NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) SERVER_NAME="server_${NEW_UUID}" + declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1") + if [[ ${useUpdateVars} == false ]]; then # Ask user for desired level of encryption @@ -784,7 +788,6 @@ confOpenVPN() { else - declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1") ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \ "Choose the desired size of your certificate (press space to select):\n This is an certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ "256" "Use a 256-bit certificate (recommended level)" ON \ @@ -989,8 +992,10 @@ confNetwork() { # iptables -S, '^-P' skips the policies and 'ufw-' skips ufw chains (in case ufw was found # installed but not enabled). - INPUT_RULES_COUNT="$($SUDO iptables -S INPUT | grep -vcE '(^-P|ufw-)')" - FORWARD_RULES_COUNT="$($SUDO iptables -S FORWARD | grep -vcE '(^-P|ufw-)')" + # Grep returns non 0 exit code where there are no matches, however that would make the script exit, + # for this reasons we use '|| true' to force exit code 0 + INPUT_RULES_COUNT="$($SUDO iptables -S INPUT | grep -vcE '(^-P|ufw-)' || true)" + FORWARD_RULES_COUNT="$($SUDO iptables -S FORWARD | grep -vcE '(^-P|ufw-)' || true)" INPUT_POLICY="$($SUDO iptables -S INPUT | grep '^-P' | awk '{print $3}')" FORWARD_POLICY="$($SUDO iptables -S FORWARD | grep '^-P' | awk '{print $3}')" From 8a6d32ced53299909032050a9bb7d3947869acaa Mon Sep 17 00:00:00 2001 From: Orazio Date: Sat, 13 Jul 2019 19:59:28 +0200 Subject: [PATCH 10/13] Fixed regular expression --- scripts/makeOVPN.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 6e6bee6..7e88ad7 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -147,7 +147,7 @@ if [[ ${NAME::1} == "." ]] || [[ ${NAME::1} == "-" ]]; then exit 1 fi -if [[ "${NAME}" =~ [^a-zA-Z0-9\.\\-\@\_] ]]; then +if [[ "${NAME}" =~ [^a-zA-Z0-9.@_-] ]]; then echo "Name can only contain alphanumeric characters and these characters (.-@_)." exit 1 fi From 2ba8b0c262b9de2ada561d9a3f719405441015eb Mon Sep 17 00:00:00 2001 From: Iulian Onofrei <6d0847b9@opayq.com> Date: Sun, 14 Jul 2019 01:01:44 +0300 Subject: [PATCH 11/13] Fix typo in a setup message --- auto_install/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 59a3c3b..5580131 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -781,7 +781,7 @@ confOpenVPN() { declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1") ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \ - "Choose the desired size of your certificate (press space to select):\n This is an certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ + "Choose the desired size of your certificate (press space to select):\n This is a certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ "256" "Use a 256-bit certificate (recommended level)" ON \ "384" "Use a 384-bit certificate" OFF \ "521" "Use a 521-bit certificate (paranoid level)" OFF 3>&1 1>&2 2>&3) From e6a13cc65e3568cc98c6cb18ed69c84a5597b590 Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 6 Aug 2019 09:53:14 +0200 Subject: [PATCH 12/13] Handle older UFW version from Jessie --- auto_install/install.sh | 18 ++++++++++++++++-- scripts/pivpnDebug.sh | 41 ++++++++++++++++++++++++++++++----------- scripts/uninstall.sh | 7 ++++++- 3 files changed, 52 insertions(+), 14 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index cd9a60c..eec66af 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -971,8 +971,21 @@ confNetwork() { $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic) $SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null - # Don't forward everything, just the traffic originated from the VPN subnet - $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + + # https://askubuntu.com/a/712202 + INSTALLED_UFW=$(dpkg-query --showformat='${Version}' --show ufw) + MINIMUM_UFW=0.34 + + if $SUDO dpkg --compare-versions "$INSTALLED_UFW" ge "$MINIMUM_UFW"; then + # Don't forward everything, just the traffic originated from the VPN subnet + $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + echo 0 > /tmp/OLD_UFW + else + # This ufw version does not support route command, fallback to policy change + $SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw + echo 1 > /tmp/OLD_UFW + fi + $SUDO ufw reload >/dev/null echo "::: UFW configuration completed." fi @@ -1035,6 +1048,7 @@ confNetwork() { echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED $SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW + $SUDO cp /tmp/OLD_UFW /etc/pivpn/OLD_UFW $SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED $SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED } diff --git a/scripts/pivpnDebug.sh b/scripts/pivpnDebug.sh index b63079a..818c760 100755 --- a/scripts/pivpnDebug.sh +++ b/scripts/pivpnDebug.sh @@ -5,6 +5,10 @@ PORT=$(cat /etc/pivpn/INSTALL_PORT) PROTO=$(cat /etc/pivpn/INSTALL_PROTO) IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')" +NO_UFW=$(cat /etc/pivpn/NO_UFW) +OLD_UFW=$(cat /etc/pivpn/NO_UFW) +INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" +FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" ERR=0 echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::" @@ -46,7 +50,7 @@ else fi fi -if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then +if [ "$NO_UFW" -eq 1 ]; then if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then echo ":: [OK] Iptables MASQUERADE rule set" @@ -61,7 +65,7 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then fi fi - if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then + if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then echo ":: [OK] Iptables INPUT rule set" else @@ -75,7 +79,7 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then fi fi - if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then + if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then echo ":: [OK] Iptables FORWARD rule set" else @@ -126,15 +130,30 @@ else fi fi - if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then - echo ":: [OK] Ufw forwarding rule set" + if [ "$OLD_UFW" -eq 1 ]; then + FORWARD_POLICY="$(iptables -S FORWARD | grep '^-P' | awk '{print $3}')" + if [ "$FORWARD_POLICY" = "ACCEPT" ]; then + echo ":: [OK] Ufw forwarding policy is accept" + else + ERR=1 + read -r -p ":: [ERR] Ufw forwarding policy is not 'ACCEPT', attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw + ufw reload > /dev/null + echo "Done" + fi + fi else - ERR=1 - read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY - if [[ ${REPLY} =~ ^[Yy]$ ]]; then - ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any - ufw reload - echo "Done" + if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then + echo ":: [OK] Ufw forwarding rule set" + else + ERR=1 + read -r -p ":: [ERR] Ufw forwarding rule is not set, attempt fix now? [Y/n] " REPLY + if [[ ${REPLY} =~ ^[Yy]$ ]]; then + ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any + ufw reload + echo "Done" + fi fi fi diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh index f1edea4..94e9eec 100755 --- a/scripts/uninstall.sh +++ b/scripts/uninstall.sh @@ -4,6 +4,7 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) PLAT=$(cat /etc/pivpn/DET_PLATFORM) NO_UFW=$(cat /etc/pivpn/NO_UFW) +OLD_UFW=$(cat /etc/pivpn/NO_UFW) PORT=$(cat /etc/pivpn/INSTALL_PORT) PROTO=$(cat /etc/pivpn/INSTALL_PROTO) IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" @@ -97,7 +98,11 @@ echo ":::" if [[ $NO_UFW -eq 0 ]]; then sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules ufw delete allow "$PORT"/"$PROTO" >/dev/null - ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + if [ "$OLD_UFW" -eq 1 ]; then + sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw + else + ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null + fi ufw reload >/dev/null else iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE From b71c67c78a0dbb0bf5e426c93e3dc41acf2a8f3e Mon Sep 17 00:00:00 2001 From: Orazio Date: Tue, 6 Aug 2019 10:02:28 +0200 Subject: [PATCH 13/13] Recreate ovpn folder if deleted --- scripts/makeOVPN.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index 7e88ad7..c945703 100755 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -228,12 +228,12 @@ if [ ! -f "${CA}" ]; then fi echo "CA public Key found: $CA" -#Confirm the tls-auth ta key file exists +#Confirm the tls key file exists if [ ! -f "${TA}" ]; then - echo "[ERROR]: tls-auth Key not found: $TA" + echo "[ERROR]: tls Private Key not found: $TA" exit fi -echo "tls-auth Private Key found: $TA" +echo "tls Private Key found: $TA" #Ready to make a new .ovpn file { @@ -255,7 +255,7 @@ echo "tls-auth Private Key found: $TA" cat "private/${NAME}${KEY}" echo "" - #Finally, append the TA Private Key + #Finally, append the tls Private Key if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then echo "" cat "${TA}" @@ -268,6 +268,11 @@ echo "tls-auth Private Key found: $TA" } > "${NAME}${FILEEXT}" +if [ ! -d "/home/$INSTALL_USER/ovpns" ]; then + mkdir "/home/$INSTALL_USER/ovpns" + chmod 0777 -R "/home/$INSTALL_USER/ovpns" +fi + # Copy the .ovpn profile to the home directory for convenient remote access cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"