Merge branch 'test' into bitwarden

This commit is contained in:
4s3ti 2019-08-08 10:34:17 +02:00 committed by GitHub
commit 18b7e16694
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 83 additions and 33 deletions


@ -21,7 +21,9 @@ PKG_CACHE="/var/lib/apt/lists/"
UPDATE_PKG_CACHE="${PKG_MANAGER} update" UPDATE_PKG_CACHE="${PKG_MANAGER} update"
PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install" PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install"
PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true" PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools grepcidr jq) PIVPN_DEPS=(openvpn git tar wget grep iptables-persistent dnsutils expect whiptail net-tools grepcidr jq)
### ### ### ###
pivpnGitUrl="https://github.com/pivpn/pivpn.git" pivpnGitUrl="https://github.com/pivpn/pivpn.git"
@ -769,7 +771,9 @@ confOpenVPN() {
# Ask user for desired level of encryption # Ask user for desired level of encryption
if [[ ${useUpdateVars} == false ]]; then if [[ ${useUpdateVars} == false ]]; then
if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]] && [[ ${OSCN} != "buster" ]]; then
if [[ ${PLAT} == "Raspbian" ]] && [[ ${OSCN} != "stretch" ]] && [[ ${OSCN} != "buster" ]] ; then
APPLY_TWO_POINT_FOUR=false APPLY_TWO_POINT_FOUR=false
else else
if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then if (whiptail --backtitle "Setup OpenVPN" --title "Installation mode" --yesno "OpenVPN 2.4 brings support for stronger authentication and key exchange using Elliptic Curves, along with encrypted control channel.\n\nIf your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then
@ -795,7 +799,6 @@ confOpenVPN() {
else else
declare -A ECDSA_MAP=(["256"]="prime256v1" ["384"]="secp384r1" ["521"]="secp521r1")
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \ ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "ECDSA certificate size" --radiolist \
"Choose the desired size of your certificate (press space to select):\n This is a certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \ "Choose the desired size of your certificate (press space to select):\n This is a certificate that will be generated on your system. The larger the certificate, the more time this will take. For most applications, it is recommended to use 256 bits. You can increase the number of bits if you care about, however, consider that 256 bits are already as secure as 3072 bit RSA." ${r} ${c} 3 \
"256" "Use a 256-bit certificate (recommended level)" ON \ "256" "Use a 256-bit certificate (recommended level)" ON \
@ -979,8 +982,21 @@ confNetwork() {
$SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules $SUDO sed "/delete these required/i *nat\n:POSTROUTING ACCEPT [0:0]\n-I POSTROUTING -s 10.8.0.0/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n" -i /etc/ufw/before.rules
# Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic) # Insert rules at the beginning of the chain (in case there are other rules that may drop the traffic)
$SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null $SUDO ufw insert 1 allow "$PORT"/"$PROTO" >/dev/null
# https://askubuntu.com/a/712202
INSTALLED_UFW=$(dpkg-query --showformat='${Version}' --show ufw)
MINIMUM_UFW=0.34
if $SUDO dpkg --compare-versions "$INSTALLED_UFW" ge "$MINIMUM_UFW"; then
# Don't forward everything, just the traffic originated from the VPN subnet # Don't forward everything, just the traffic originated from the VPN subnet
$SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null $SUDO ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
echo 0 > /tmp/OLD_UFW
else
# This ufw version does not support route command, fallback to policy change
$SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw
echo 1 > /tmp/OLD_UFW
fi
$SUDO ufw reload >/dev/null $SUDO ufw reload >/dev/null
echo "::: UFW configuration completed." echo "::: UFW configuration completed."
fi fi
@ -1043,6 +1059,7 @@ confNetwork() {
echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED echo "$FORWARD_CHAIN_EDITED" > /tmp/FORWARD_CHAIN_EDITED
$SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW $SUDO cp /tmp/noUFW /etc/pivpn/NO_UFW
$SUDO cp /tmp/OLD_UFW /etc/pivpn/OLD_UFW
$SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED $SUDO cp /tmp/INPUT_CHAIN_EDITED /etc/pivpn/INPUT_CHAIN_EDITED
$SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED $SUDO cp /tmp/FORWARD_CHAIN_EDITED /etc/pivpn/FORWARD_CHAIN_EDITED
} }
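Review bot: The fallback branch in the confNetwork hunk, `$SUDO sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw`, opens far more than the `ufw route insert 1 allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev"` rule it stands in for: the route rule is scoped to tun0 → $IPv4dev from the VPN subnet, while a FORWARD default of ACCEPT applies to every interface pair, so the branch deserves a comment such as `# NOTE: unlike the route rule this accepts forwarding on all interfaces, not only tun0 -> $IPv4dev` and the "UFW configuration completed" message should say which variant was applied. The result is recorded with `echo 0 > /tmp/OLD_UFW` / `echo 1 > /tmp/OLD_UFW` and later promoted by `$SUDO cp /tmp/OLD_UFW /etc/pivpn/OLD_UFW`; a fixed name in the world-writable /tmp that is copied into /etc as root can be pre-seeded by another local account, so a mktemp-backed path or a direct `printf '%s\n' 0 | $SUDO tee /etc/pivpn/OLD_UFW >/dev/null` is preferable (the pre-existing noUFW and *_CHAIN_EDITED files have the same shape). The `$SUDO` in front of `dpkg --compare-versions` is unnecessary, as that is a pure version-string comparison with no privileged access. confNetwork begins outside the hunk.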


@ -283,12 +283,12 @@ if [ ! -f "${CA}" ]; then
fi fi
echo "CA public Key found: $CA" echo "CA public Key found: $CA"
#Confirm the tls-auth ta key file exists #Confirm the tls key file exists
if [ ! -f "${TA}" ]; then if [ ! -f "${TA}" ]; then
echo "[ERROR]: tls-auth Key not found: $TA" echo "[ERROR]: tls Private Key not found: $TA"
exit exit
fi fi
echo "tls-auth Private Key found: $TA" echo "tls Private Key found: $TA"
#Ready to make a new .ovpn file #Ready to make a new .ovpn file
{ {
@ -310,7 +310,7 @@ echo "tls-auth Private Key found: $TA"
cat "private/${NAME}${KEY}" cat "private/${NAME}${KEY}"
echo "</key>" echo "</key>"
#Finally, append the TA Private Key #Finally, append the tls Private Key
if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then
echo "<tls-crypt>" echo "<tls-crypt>"
cat "${TA}" cat "${TA}"
@ -323,6 +323,11 @@ echo "tls-auth Private Key found: $TA"
} > "${NAME}${FILEEXT}" } > "${NAME}${FILEEXT}"
if [ ! -d "/home/$INSTALL_USER/ovpns" ]; then
mkdir "/home/$INSTALL_USER/ovpns"
chmod 0777 -R "/home/$INSTALL_USER/ovpns"
fi
# Copy the .ovpn profile to the home directory for convenient remote access # Copy the .ovpn profile to the home directory for convenient remote access
cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
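Review bot: `chmod 0777 -R "/home/$INSTALL_USER/ovpns"` makes the directory that receives the generated profiles world-readable and world-writable, and the hunk just above shows each .ovpn embeds the client private key (`cat "private/${NAME}${KEY}"`) and the tls key (`cat "${TA}"`), so any other local account could read or replace a profile. Keep the `if [ ! -d ... ]` guard but replace the chmod with an owner-restricted setup: `chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns"` followed by `chmod 0700 "/home/$INSTALL_USER/ovpns"`. The copied profile on the next lines is chown'd but keeps whatever mode cp and the umask produced; a `chmod 0600 "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"` after the chown closes the same gap for the file itself. A short comment like `# profiles contain private keys; keep the directory readable only by $INSTALL_USER` would document the intent for the next editor.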


@ -5,6 +5,10 @@ PORT=$(cat /etc/pivpn/INSTALL_PORT)
PROTO=$(cat /etc/pivpn/INSTALL_PROTO) PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')" REMOTE="$(grep 'remote ' /etc/openvpn/easy-rsa/pki/Default.txt | awk '{print $2}')"
NO_UFW=$(cat /etc/pivpn/NO_UFW)
OLD_UFW=$(cat /etc/pivpn/NO_UFW)
INPUT_CHAIN_EDITED="$(cat /etc/pivpn/INPUT_CHAIN_EDITED)"
FORWARD_CHAIN_EDITED="$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)"
ERR=0 ERR=0
echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::" echo -e "::::\t\t\e[4mPiVPN debug\e[0m\t\t ::::"
@ -46,7 +50,7 @@ else
fi fi
fi fi
if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then if [ "$NO_UFW" -eq 1 ]; then
if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then if iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE &> /dev/null; then
echo ":: [OK] Iptables MASQUERADE rule set" echo ":: [OK] Iptables MASQUERADE rule set"
@ -61,7 +65,9 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
fi fi
fi fi
if [ "$(cat /etc/pivpn/INPUT_CHAIN_EDITED)" -eq 1 ]; then
if [ "$INPUT_CHAIN_EDITED" -eq 1 ]; then
if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then if iptables -C INPUT -i "$IPv4dev" -p "$PROTO" --dport "$PORT" -j ACCEPT &> /dev/null; then
echo ":: [OK] Iptables INPUT rule set" echo ":: [OK] Iptables INPUT rule set"
else else
@ -75,7 +81,8 @@ if [ "$(cat /etc/pivpn/NO_UFW)" -eq 1 ]; then
fi fi
fi fi
if [ "$(cat /etc/pivpn/FORWARD_CHAIN_EDITED)" -eq 1 ]; then if [ "$FORWARD_CHAIN_EDITED" -eq 1 ]; then
if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then if iptables -C FORWARD -s 10.8.0.0/24 -i tun0 -o "$IPv4dev" -j ACCEPT &> /dev/null; then
echo ":: [OK] Iptables FORWARD rule set" echo ":: [OK] Iptables FORWARD rule set"
else else
@ -126,6 +133,20 @@ else
fi fi
fi fi
if [ "$OLD_UFW" -eq 1 ]; then
FORWARD_POLICY="$(iptables -S FORWARD | grep '^-P' | awk '{print $3}')"
if [ "$FORWARD_POLICY" = "ACCEPT" ]; then
echo ":: [OK] Ufw forwarding policy is accept"
else
ERR=1
read -r -p ":: [ERR] Ufw forwarding policy is not 'ACCEPT', attempt fix now? [Y/n] " REPLY
if [[ ${REPLY} =~ ^[Yy]$ ]]; then
sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"ACCEPT\"/" /etc/default/ufw
ufw reload > /dev/null
echo "Done"
fi
fi
else
if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then if iptables -C ufw-user-forward -i tun0 -o "${IPv4dev}" -s 10.8.0.0/24 -j ACCEPT &> /dev/null; then
echo ":: [OK] Ufw forwarding rule set" echo ":: [OK] Ufw forwarding rule set"
else else
@ -137,6 +158,7 @@ else
echo "Done" echo "Done"
fi fi
fi fi
fi
fi fi
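Review bot: `OLD_UFW=$(cat /etc/pivpn/NO_UFW)` reads the wrong marker file; the installer in this commit writes the route-support flag to `/etc/pivpn/OLD_UFW`, so the line should be `OLD_UFW=$(cat /etc/pivpn/OLD_UFW)`. As written OLD_UFW always equals NO_UFW, so inside the ufw branch (NO_UFW=0) the new `if [ "$OLD_UFW" -eq 1 ]` check of the FORWARD policy can never fire and old-ufw installs are instead judged by the `ufw-user-forward` rule check in the else branch (the nesting is inferred from the `else` in the hunk header, since indentation is lost here). The same copy-paste appears in the uninstall script hunk, `OLD_UFW=$(cat /etc/pivpn/NO_UFW)`, where it makes the DROP reset unreachable and runs `ufw route delete` on a ufw that was selected precisely because it lacks `route`. Installs made before this change have no OLD_UFW file, so `cat` yields an empty string and `[ "" -eq 1 ]` is a test error rather than a false; `OLD_UFW=$(cat /etc/pivpn/OLD_UFW 2>/dev/null || echo 0)` keeps the check meaningful on upgrades.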


@ -4,6 +4,7 @@
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
PLAT=$(cat /etc/pivpn/DET_PLATFORM) PLAT=$(cat /etc/pivpn/DET_PLATFORM)
NO_UFW=$(cat /etc/pivpn/NO_UFW) NO_UFW=$(cat /etc/pivpn/NO_UFW)
OLD_UFW=$(cat /etc/pivpn/NO_UFW)
PORT=$(cat /etc/pivpn/INSTALL_PORT) PORT=$(cat /etc/pivpn/INSTALL_PORT)
PROTO=$(cat /etc/pivpn/INSTALL_PROTO) PROTO=$(cat /etc/pivpn/INSTALL_PROTO)
IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)" IPv4dev="$(cat /etc/pivpn/pivpnINTERFACE)"
@ -95,9 +96,14 @@ echo ":::"
sysctl -p sysctl -p
if [[ $NO_UFW -eq 0 ]]; then if [[ $NO_UFW -eq 0 ]]; then
sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules sed -z "s/*nat\n:POSTROUTING ACCEPT \[0:0\]\n-I POSTROUTING -s 10.8.0.0\/24 -o $IPv4dev -j MASQUERADE\nCOMMIT\n\n//" -i /etc/ufw/before.rules
ufw delete allow "$PORT"/"$PROTO" >/dev/null ufw delete allow "$PORT"/"$PROTO" >/dev/null
if [ "$OLD_UFW" -eq 1 ]; then
sed -i "s/\(DEFAULT_FORWARD_POLICY=\).*/\1\"DROP\"/" /etc/default/ufw
else
ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null ufw route delete allow in on tun0 from 10.8.0.0/24 out on "$IPv4dev" to any >/dev/null
fi
ufw reload >/dev/null ufw reload >/dev/null
else else
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o "${IPv4dev}" -j MASQUERADE